loop abort faults on supersingular isogeny cryptosystems
play

Loop-abort faults on supersingular isogeny cryptosystems Alexandre - PowerPoint PPT Presentation

Feb 25, 2024 •368 likes •955 views

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski Laboratoire dInformatique de Paris 6 Sorbonne Universits UPMC, France cole Polytechnique Fdrale de Lausanne, EPFL IC LACAL, Switzerland

  1. Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d’Informatique de Paris 6 – Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Switzerland PQCrypto 2017 – Utrecht 2017/06/26 Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  2. Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  3. Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  4. Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve: Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  5. Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve: Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  6. Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k such that � � # E F p k = 1 mod p . Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  7. Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k such that � � # E F p k = 1 mod p . Interesting properties: All supersingular elliptic curves can be defined over F p 2 p About 12 supersingular elliptic curves, up to isomorphism Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  8. Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by deg φ = # Ker φ . Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  9. Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by deg φ = # Ker φ . Interesting properties: ⇒ a unique E 2 and φ such that G ⊂ E 1 = φ : E 1 → E 2 and Ker φ = G � � E 2 = E / G is obtained in O deg φ Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  10. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  11. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  12. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E � � ℓ n A point R A chosen randomly in E A Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  13. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E � � ℓ n A point R A chosen randomly in E A A } 2 random, → ( m A , n A ) ∈ {1,..., ℓ n − � � ℓ n R A = m A P A + n A Q A for 〈 P A , Q A 〉 = E A Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  14. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E � � ℓ n A point R A chosen randomly in E A φ A A } 2 random, → ( m A , n A ) ∈ {1,..., ℓ n − � � ℓ n R A = m A P A + n A Q A for 〈 P A , Q A 〉 = E A ⇒ the curve E A = E / 〈 R A 〉 and φ A : E → E A E A = Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  15. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E � � ℓ n A point R A chosen randomly in E A φ A φ B A } 2 random, → ( m A , n A ) ∈ {1,..., ℓ n − � � ℓ n R A = m A P A + n A Q A for 〈 P A , Q A 〉 = E A ⇒ the curve E A = E / 〈 R A 〉 and φ A : E → E A E A E B = � � ℓ m A point R B = m B P B + n B Q B random in E = 〈 P B , Q B 〉 , B the curve E B = E / 〈 R B 〉 and φ B : E → E B Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  16. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B E A E B Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  17. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B Alice computes E AB = E B / 〈 m A φ B ( P A ) + n A φ B ( Q A ) 〉 E A E B E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  18. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B Alice computes E AB = E B / 〈 m A φ B ( P A ) + n A φ B ( Q A ) 〉 E A E B Bob computes E BA = E A / 〈 m B φ A ( P B ) + n B φ A ( Q B ) 〉 E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  19. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B Alice computes E AB = E B / 〈 m A φ B ( P A ) + n A φ B ( Q A ) 〉 E A E B Bob computes E BA = E A / 〈 m B φ A ( P B ) + n B φ A ( Q B ) 〉 E AB ≃ E / 〈 R A , R B 〉 ≃ E BA so j ( E AB ) = j ( E BA ) E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  20. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B Alice computes E AB = E B / 〈 m A φ B ( P A ) + n A φ B ( Q A ) 〉 E A E B Bob computes E BA = E A / 〈 m B φ A ( P B ) + n B φ A ( Q B ) 〉 E AB ≃ E / 〈 R A , R B 〉 ≃ E BA so j ( E AB ) = j ( E BA ) � ⇒ j ( E AB ) secret shared by Alice and Bob = E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  21. Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2 , find an isogeny between them of degree ℓ n A . Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  22. Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2 , find an isogeny between them of degree ℓ n A . Equivalent to find a path of fixed length in the isogeny graph Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  23. Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2 , find an isogeny between them of degree ℓ n A . Equivalent to find a path of fixed length in the isogeny graph � � � � p � ℓ n Brute-force attack in O ≈ O A Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  24. Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2 , find an isogeny between them of degree ℓ n A . Equivalent to find a path of fixed length in the isogeny graph � � � � p � ℓ n Brute-force attack in O ≈ O A � � � � n � p Claw finding: Find a collision in O 2 ℓ ≈ O 4 A Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  25. Attack framework Alice uses a static private key ( m A , n A ) E φ A φ B E A E B E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  26. Attack framework Alice uses a static private key ( m A , n A ) E ⇒ E A and φ A can be precomputed = φ A φ B E A E B E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  27. Attack framework Alice uses a static private key ( m A , n A ) E ⇒ E A and φ A can be precomputed = φ A φ B The attacker plays the role of Bob E A E B E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  28. Attack framework Alice uses a static private key ( m A , n A ) E ⇒ E A and φ A can be precomputed = φ A φ B The attacker plays the role of Bob Focus on the isogeny from E B to E B / 〈 m A P ′ A + n A Q ′ A 〉 , E A E B where P ′ A = φ B ( P A ) and Q ′ A = φ B ( Q A ) E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland AsiaCrypt 2016, 5th of December 1/17 Outline Joint work with Steven Galbraith , Christophe Petit and Barak Shani . 1

242 views • 23 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionQ, Inc. Full list of submitters: Reza Azarderakhsh, FAU Amir Jalali, LinkedIn Michael Naehrig, MSR Matt Campagna, Amazon David Jao, UW

365 views • 10 slides
The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO

The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO

The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO Kickoff meeting, Bordeaux, February 2020 Microsoft Research and Inria + cole polytechnique 1 g = 1 A directed multigraph (but almost a graph)

408 views • 25 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca

Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca

Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev November 14 ECC 2017 Nijmegen,

769 views • 75 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de Mathmatiques de Marseille Journes Nationales de Calcul Formel 2019 CIRM, Luminy, 7 February 2019 Leonardo COL ( I2M-AMU ) OSIDH 7 February 2019 2

966 views • 73 slides
The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this

The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this

The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this talk 1. Highlight some of the complications with assessing the cost of known attacks on computational problems. 2. Highlight some of the

640 views • 35 slides
Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr ager (Penn State), Sean Hallgren (Penn State), Kristin Lauter (Microsoft Research), Travis Morrison (Penn State), Christophe Petit (Birmingham)

427 views • 38 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques de Marseille Number-Theoretic Methods in Cryptology 2019 Sorbonne Universit, Institut de Mathmatiques de Jussieu Paris, 26 June 2019 Leonardo

739 views • 53 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
On supersingular varieties Ichiro Shimada Hiroshima University 24 September, 2010, Nagoya 1 /

On supersingular varieties Ichiro Shimada Hiroshima University 24 September, 2010, Nagoya 1 /

On supersingular varieties On supersingular varieties Ichiro Shimada Hiroshima University 24 September, 2010, Nagoya 1 / 28 On supersingular varieties Frobenius supersingular varieties Definition Let X be a smooth projective variety over F q

601 views • 28 slides
PURPOSE: To calculate dose accidentally absorbed by a live fetus during diagnostic CT

PURPOSE: To calculate dose accidentally absorbed by a live fetus during diagnostic CT

The unintentional irradiation of a live human fetus: assessing the likelihood of a radiation-induced abortion Eduardo Galiano Laurentian University Marcelo Godin Hospital del Cancer Asuncion Paraguay Jeffrey Frimeth Sunnybrook Medical Centre

197 views • 15 slides
A world post Roe v. Wade Daniel Grossman, MD October 2019 UCSF Obstetrics and Gynecology Update

A world post Roe v. Wade Daniel Grossman, MD October 2019 UCSF Obstetrics and Gynecology Update

Disclosures I have nothing to disclose A world post Roe v. Wade Daniel Grossman, MD October 2019 UCSF Obstetrics and Gynecology Update University of California, San Francisco | Bixby Center for Global Reproductive Health 1 2 Objectives

426 views • 8 slides
Patient centered approach to pregnancy options counseling and abortion referral and care Jody

Patient centered approach to pregnancy options counseling and abortion referral and care Jody

Disclosures July 6, 2017 I have no financial disclosures. Patient centered approach to pregnancy options counseling and abortion referral and care Jody Steinauer, MD, MAS Professor Dept. of Obstetrics, Gynecology & Reproductive

499 views • 22 slides
DHS/USCIS/RAIO OVERVIEW Department of Homeland Security 2 We are USCIS. We are America. We

DHS/USCIS/RAIO OVERVIEW Department of Homeland Security 2 We are USCIS. We are America. We

DHS/USCIS/RAIO OVERVIEW Department of Homeland Security 2 We are USCIS. We are America. We are the 18,000 government employees and contractors of USCIS working at 250 offices across the world. Achieving our goals becomes possible when the

379 views • 26 slides
FIT: A Distributed Database Performance Tradeoff Jose M. Faleiro, Yale University Daniel J.

FIT: A Distributed Database Performance Tradeoff Jose M. Faleiro, Yale University Daniel J.

FIT: A Distributed Database Performance Tradeoff Jose M. Faleiro, Yale University Daniel J. Abadi, Yale University Presented by Bojun Wang FAIRNESS THROUGHPUT ISOLATION 1 Isolation v.s. Throughput and Fairness Strong isolation

542 views • 20 slides
Session II Examples and Paradigms Thomas J. Leeper Government Department London School of

Session II Examples and Paradigms Thomas J. Leeper Government Department London School of

Hypotheses > Design Assessing Quality Examples More Designs Session II Examples and Paradigms Thomas J. Leeper Government Department London School of Economics and Political Science Hypotheses > Design Assessing Quality Examples

1.39k views • 122 slides
Stress Factors for Disaster Victims Effects Future uncertainty Uncertainty about residence

Stress Factors for Disaster Victims Effects Future uncertainty Uncertainty about residence

Psychological Stress Factors for Disaster Victims Effects Future uncertainty Uncertainty about residence and workplace security Social prejudice Media influences Differences of climates and customs Characteristics unique to

407 views • 18 slides
And It All Went Horribly Wrong: Debugging Production Systems Bryan Cantrill VP, Engineering

And It All Went Horribly Wrong: Debugging Production Systems Bryan Cantrill VP, Engineering

And It All Went Horribly Wrong: Debugging Production Systems Bryan Cantrill VP, Engineering bryan@joyent.com @bcantrill Thursday, November 17, 2011 In the beginning... Thursday, November 17, 2011 In the beginning... Sir Maurice Wilkes,

605 views • 29 slides

More recommend