Magical parallel variant of SIDH Daniel Cervantes-V azquez - - PowerPoint PPT Presentation

A ✘✘✘✘

✘ ❳❳❳❳ ❳

Magical parallel variant of SIDH

Daniel Cervantes-V´ azquez Eduardo Ochoa-Jim´ enez Francisco Rodr´ ıguez-Henr´ quez September 10, 2018

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 1 / 6

Story plot

We present here a ✘✘✘ ✘ ❳❳❳ ❳ magical parallel variant of the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, which is also applicable to the Supersingular Isogeny Key Encapsulation (SIKE) protocol.

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 2 / 6

Story plot

We present here a ✘✘✘ ✘ ❳❳❳ ❳ magical parallel variant of the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, which is also applicable to the Supersingular Isogeny Key Encapsulation (SIKE) protocol. This variant is illustrated by Hermione, Ron and Harry, who have learned from their charm class how to cast the “Curvaverto” spell.

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 2 / 6

Story plot

We present here a ✘✘✘ ✘ ❳❳❳ ❳ magical parallel variant of the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, which is also applicable to the Supersingular Isogeny Key Encapsulation (SIKE) protocol. This variant is illustrated by Hermione, Ron and Harry, who have learned from their charm class how to cast the “Curvaverto” spell. Given a magical stone called Kernel (a bunch of points belonging to an Elliptic Curve), then the Curvaverto spell transforms an Elliptic Curve and two magical stones into another Curve.

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 2 / 6

Story plot

We present here a ✘✘✘ ✘ ❳❳❳ ❳ magical parallel variant of the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, which is also applicable to the Supersingular Isogeny Key Encapsulation (SIKE) protocol. This variant is illustrated by Hermione, Ron and Harry, who have learned from their charm class how to cast the “Curvaverto” spell. Given a magical stone called Kernel (a bunch of points belonging to an Elliptic Curve), then the Curvaverto spell transforms an Elliptic Curve and two magical stones into another Curve. Don’t ruin it! Bye!

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 2 / 6

Parameters

p := 2e2 3e3 5e5 f − 1 Such that 3e35e5 ≈ 2e2 and 3e3 ≈ 5e5

Parameters

p := 2e2 3e3 5e5 f − 1 Such that 3e35e5 ≈ 2e2 and 3e3 ≈ 5e5 Choose P2 and Q2 such thatP2, Q2 = E[2e2] Choose P3 and Q3 such that P3, Q3 = E[3e3] Choose P5 and Q5 such that P5, Q5 = E[5e5] Define S := P3 + P5 and T := Q3 + Q5 to be the public parameters of Ron and Harry

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 3 / 6

eSIDH

K2 := P2 + [n2]Q2 Get φH and EH E0 EH

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 4 / 6

eSIDH

K3 := P3 + [n3]Q3 K5 := P5 + [n5]Q5 Parallel Get φR and ER. Send φR(K5) to Harry. E0 EH ER

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 4 / 6

eSIDH

Use φR(K5) to get ERH and φRH E0 EH ER ERH

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 4 / 6

eSIDH

(ERH, φRH(P2), φRH(Q2)) E0 EH ER ERH

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 4 / 6

eSIDH

(EH, φH(S), φH(T)) E0 EH ER ERH ERH EH

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 4 / 6

eSIDH

K ′

2 := φRH(P2) + [n2]φRH(Q2)

Get ERHH E0 EH ER ERH ERH EH ERHH

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 4 / 6

eSIDH

K ′

3 := [5e5](φH(S) + [n3]φH(T))

K ′

5 := [3e3](φH(S) + [n5]φH(T))

Parallel Get φ′

R and E ′

• R. Send φ′

R(K ′ 5) to Harry.

E0 EH ER ERH ERH EH ERHH EHR

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 4 / 6

eSIDH

Use φ′

R(K ′ 5) to get EHRH

E0 EH ER ERH ERH EH EHR ERHH ∼ = EHRH

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 4 / 6

Primes and Times

Our proposals [SIKE17] proposals P509 = 225037955526 − 1 P503 = 22503159 − 1 P765 = 23723119581216 − 1 P751 = 23723239 − 1 P1013 = 248631575108226 − 1 P964 = 24863301 − 1

Table: Our proposals for eSIDH primes in comparison with the current state-of the art

Protocol phase SIKE17 Ours SIKE17 Ours Ours p503 p509 p751 p765 p1013 Non Parallel Non Parallel Non Parallel AF AF KeyGen Alice 8.24 7.48 1.10 23.68 22.21 1.06 49.24 Bob 9.26 8.26 1.12 26.67 24.53 1.08 55.18 KeyAgr Alice 6.71 6.08 1.10 19.44 18.20 1.06 40.83 Bob 7.82 7.73 1.01 22.76 22.98 0.99 52.05

Table: Performance comparison of this proposal against SIKE17 (using the version 3 of the CLN library). Reported running time (in 106 clock cycles) was measured in an Intel Skylake proccessor at 4.0 GHz. We report here the sequential version performance using 1 core.

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 5 / 6

Primes and Times

Our proposals [SIKE17] proposals P509 = 225037955526 − 1 P503 = 22503159 − 1 P765 = 23723119581216 − 1 P751 = 23723239 − 1 P1013 = 248631575108226 − 1 P964 = 24863301 − 1

Table: Our proposals for eSIDH primes in comparison with the current state-of the art

Protocol phase SIKE17 Ours SIKE17 Ours Ours p503 p509 p751 p765 p1013 Parallel Parallel Parallel AF AF KeyGen Alice 8.24 5.91 1.39 23.68 16.68 1.42 36.35 Bob 9.26 5.58 1.66 26.67 15.99 1.67 34.73 KeyAgr Alice 6.71 5.40 1.24 19.44 15.20 1.28 32.88 Bob 7.82 5.74 1.36 22.76 16.55 1.37 35.75

Table: Performance comparison of this proposal against SIKE17 (using the version 3 of the CLN library). Reported running time (in 106 clock cycles) was measured in an Intel Skylake proccessor at 4.0 GHz. We report here the parallel version performance using 3 cores.

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 5 / 6

Work in Progress

Working on Ron-Harry side (Bob’s side), extend this proposal to other combinations of small primes [instead of the current (3, 5)]. Look for more Montgomery-friendly primes. Further optimize the single-core version of this proposal.

Cervantes-Ochoa-Rodr´ ıguez A✘✘

❳❳

Magical parallel variant of SIDH September 10, 2018 6 / 6