On Adaptive Attacks against Jao-Urbanik's Isogeny-Based Protocol
Africacrypt, July 2020
Andrea Basso 1, Péter Kutas 1, Simon-Philipp Merz 2, Christophe Petit 1, Charlotte Weitkämper 1
1 University of Birmingham, UK; 2 Royal Holloway
On Adaptive Attacks against Jao-Urbanik’s Protocol — Africacrypt 2020
1
Where we are
[Roadmap figure] Protocols: SIDH; SIKE (FO); k-SIDH (k instances); JU scheme (automorphisms). Attacks: GPST attacks.
SIDH
SIDH is a key-exchange protocol over supersingular elliptic curves defined over $\mathbb{F}_{p^2}$, where $p = 2^{e_A} 3^{e_B} f \pm 1$.
[Diagram: commutative square $E_0 \xrightarrow{\varphi_A} E_A$, $E_0 \xrightarrow{\varphi_B} E_B$, $E_A \xrightarrow{\varphi'_B} E_{AB}$, $E_B \xrightarrow{\varphi'_A} E_{AB}$.]
Alice sends $(E_A, \varphi_A(P_B), \varphi_A(Q_B))$; Bob sends $(E_B, \varphi_B(P_A), \varphi_B(Q_A))$.
$\langle P_A, Q_A \rangle = E_0[2^{e_A}]$ and $\ker \varphi_A = \langle P_A + [\alpha] Q_A \rangle$; $\langle P_B, Q_B \rangle = E_0[3^{e_B}]$ and $\ker \varphi_B = \langle P_B + [\beta] Q_B \rangle$.
GPST attack
◮ Static secret keys in SIDH can be recovered by a dishonest participant Bob with the adaptive GPST attack
◮ An attacker uses the key exchange as an oracle to retrieve the static key $\alpha$ of Alice iteratively
◮ The oracle: returns true if $E_B/\langle R + [\alpha]S \rangle = E_{AB}$, where $R, S$ are the torsion points sent by the attacker Bob
◮ By sending malicious torsion points $R, S$, the dishonest participant Bob retrieves one bit of $\alpha$ per oracle query
◮ Countermeasure: Fujisaki-Okamoto (as in SIKE)
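The oracle and the one-bit-per-query recovery described on this slide, as a toy simulation added here (not code from the slides or from the GPST paper). It models Alice's kernel $\langle R + [\alpha]S \rangle$ as a cyclic subgroup of $(\mathbb{Z}/2^n)^2$, so "same curve" means "same subgroup"; the actual isogeny computations and Alice's point-validation checks (which the real attack must also satisfy) are left out. It shows why a static SIDH key must be protected by the Fujisaki-Okamoto transform.

```python
# Toy model of the GPST oracle attack on a static SIDH key (added illustration).
# A pair (a, b) stands for the point [a]P + [b]Q in E_B[2^n], with P, Q the honest
# torsion basis phi_B(P_A), phi_B(Q_A). Alice's curve E_B/<R + [alpha]S> is identified
# with the subgroup generated by R + [alpha]S, so "same curve" == "same subgroup".
# Real isogenies and Alice's Weil-pairing / point-order checks are omitted.

def canonical_subgroup(pt, n):
    """Canonical representative of the order-2^n cyclic subgroup generated by pt."""
    mod = 1 << n
    a, b = pt[0] % mod, pt[1] % mod
    if a % 2 == 1:                       # scale so that the P-coefficient is 1
        return (1, b * pow(a, -1, mod) % mod)
    if b % 2 == 1:                       # scale so that the Q-coefficient is 1
        return (a * pow(b, -1, mod) % mod, 1)
    raise ValueError("generator does not have full order 2^n")

class StaticAlice:
    """Honest party with a static secret alpha; the attacker only sees the oracle bit."""
    def __init__(self, alpha, n):
        self.alpha, self.n, self.queries = alpha, n, 0
        # Honest shared curve E_AB corresponds to the kernel <P + [alpha]Q>, P=(1,0), Q=(0,1).
        self.e_ab = canonical_subgroup((1, alpha), n)

    def oracle(self, r, s):
        """True iff E_B/<R + [alpha]S> equals the curve the attacker derived honestly."""
        self.queries += 1
        mod = 1 << self.n
        kernel = ((r[0] + self.alpha * s[0]) % mod, (r[1] + self.alpha * s[1]) % mod)
        return canonical_subgroup(kernel, self.n) == self.e_ab

def gpst_recover(alice, n):
    """Recover alpha with one oracle query per bit.

    Query i sends R = P - [2^(n-i-1) K_i]Q and S = [1 + 2^(n-i-1)]Q, where K_i is the
    already recovered value alpha mod 2^i; query 0 is (P, [1 + 2^(n-1)]Q) as on the slide.
    """
    recovered = 0
    for i in range(n):
        shift = 1 << (n - i - 1)
        r = (1, (-shift * recovered) % (1 << n))
        s = (0, (1 + shift) % (1 << n))
        # R + [alpha]S = P + [alpha]Q + [2^(n-1) * alpha_i]Q (mod 2^n),
        # so Alice lands on E_AB exactly when bit i of alpha is 0.
        if not alice.oracle(r, s):
            recovered |= 1 << i
    return recovered
```

With n = 8 and alpha = 181 the loop recovers 181 after exactly 8 oracle queries.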
Where we are
[Roadmap figure] Protocols: SIDH; SIKE (FO); k-SIDH (k instances); JU scheme (automorphisms). Attacks: GPST attacks, generalized by the DGLTZ attacks.
k-SIDH
k-SIDH avoids attacks such as GPST by performing $k^2$ instances of SIDH during a single execution of the static-static key exchange protocol.
[Diagram: $k$ SIDH squares $E_0 \xrightarrow{\varphi_{A_i}} E_{A_i} \xrightarrow{\varphi'_{B_i}} E_{A_iB_i}$ and $E_0 \xrightarrow{\varphi_{B_i}} E_{B_i} \xrightarrow{\varphi'_{A_i}} E_{A_iB_i}$ for $i = 1, \dots, k$.]
Using each combination $E_{A_i}, E_{B_j}$ for $i, j = 1, \dots, k$ of the two parties' $k$ different public curves yields the shared secret $\mathrm{Hash}(j(E_{A_1B_1}), j(E_{A_1B_2}), \dots, j(E_{A_kB_k}))$.
The DGLTZ-attack on k-SIDH
◮ The attacker queries with the same curve and the same extra points for each SIDH instance
◮ New oracle: returns true if the attacker guesses all the commonly computed curves correctly
◮ First step: query with $(E_B, P, [1 + 2^{n-1}]Q)$
  - one has to query $6 \cdot 7^{k-1}$ times to get the first bit
◮ With this approach, even for $k = 2$, one needs an exponential number of queries
◮ DGLTZ solves the issue by computing the intermediate curves and additional points on those curves
◮ Computing these additional points requires $2^{4k}$ queries
Where we are
[Roadmap figure] Protocols: SIDH; SIKE (FO); k-SIDH (k instances); JU scheme (automorphisms). Attacks: GPST attacks, generalized by the DGLTZ attacks, which in turn are generalized by [This work].
The Jao-Urbanik protocol – I
The protocol improves on k-SIDH by using automorphisms to obtain three instances for each key.
◮ Starting curve: $E_0$ with $j(E_0) = 0$, with a non-trivial automorphism $\eta$ of order six
◮ For any subgroup $B \subset E_0$: $E_0/B \cong E_0/\eta(B) \cong E_0/\eta^2(B)$
◮ Fix bases: $\{P_A, Q_A = \eta(P_A)\}$ of $E_0[2^{e_A}]$ and $\{P_B, Q_B = \eta(P_B)\}$ of $E_0[3^{e_B}]$
[Diagram: three SIDH squares sharing $E_0 \xrightarrow{\varphi_A} E_A$: $E_0 \xrightarrow{\varphi_B} E_B \xrightarrow{\varphi'_A} E_{A,B}$ with $E_A \xrightarrow{\varphi'_B} E_{A,B}$; $E_0 \xrightarrow{\varphi_{\eta(B)}} E_{\eta(B)} \xrightarrow{\varphi'_A} E_{A,\eta(B)}$ with $E_A \xrightarrow{\varphi'_{\eta(B)}} E_{A,\eta(B)}$; $E_0 \xrightarrow{\varphi_{\eta^2(B)}} E_{\eta^2(B)} \xrightarrow{\varphi'_A} E_{A,\eta^2(B)}$ with $E_A \xrightarrow{\varphi'_{\eta^2(B)}} E_{A,\eta^2(B)}$.]
The Jao-Urbanik protocol – II
◮ Alice and Bob perform an SIDH instance with public keys $(E_A, \varphi_A(P_B), \varphi_A(Q_B))$ and $(E_B, \varphi_B(P_A), \varphi_B(Q_A))$
◮ Alice and Bob obtain as shared secret information
  ◮ $E_{A,B}$, as in standard SIDH
  ◮ $E_{A,\eta(B)}$ and $E_{A,\eta^2(B)}$, using $\eta$ during the computation
◮ Bob uses his secret key $\beta$ to compute
  ◮ $E_{A,B} = E_A/\langle \varphi_B(P_A) + [\beta]\varphi_B(\eta(P_A)) \rangle$
  ◮ $E_{A,\eta(B)} = E_A/\langle -\varphi_B(P_A) + [\beta + 1]\varphi_B(\eta(P_A)) \rangle$
  ◮ $E_{A,\eta^2(B)} = E_A/\langle -[\beta + 1]\varphi_B(P_A) + [\beta]\varphi_B(\eta(P_A)) \rangle$
Applying DGLTZ to Jao-Urbanik’s protocol
◮ DGLTZ treats each curve separately
◮ The secret kernel generators occurring in the Jao-Urbanik protocol are not of the required form to straightforwardly apply DGLTZ
◮ If the issues with the kernel generators can be overcome, attacking the Jao-Urbanik protocol with $k$ keys and $3k^2$ SIDH instances would require $O(2^{4 \cdot 3k})$ queries
$\Longrightarrow$ This work uses relationships between curves and kernel generators to reduce the number of queries.
Attacking Jao-Urbanik’s protocol
Our attack - First bit recovery
◮ Goal: get the least significant bit $\alpha_0$ of Alice's secret key $\alpha$, i.e. determine the first curve on the isogeny path $E_A \to E_0$.
◮ Query with $(E_B, [1 + 2^{n-1}]P_B, Q_B)$, so Alice computes all three 2-neighbouring curves of $E_A^{/2}$.
◮ The underlying relationship between the kernel generators of corresponding curves helps to match up triples of candidate curves instead of exhaustively searching over all possibilities.
[Figure: the path $E_0 \to \dots \to E_A^{/2} \to E_A$ of $n - 1$ partial 2-isogenies of $\varphi_A$ (edges labelled 2), with $E_A^{/2} \cong E_{A,1}$, and the neighbouring curves $E'_A$ and $E''_A \cong E_{A,2}$.]
Our attack - Pullbacks
◮ Main idea: Let $A$ be a secret kernel, and let $E_{A,i}, E'_{A,i}, E''_{A,i}$ be the $i$th curves on the three corresponding paths. Then for all $i$, the curves $E_{A,i}, E'_{A,i}, E''_{A,i}$ are isomorphic
◮ Instead of using the DGLTZ attack directly, we compute a pullback candidate for each curve and shift them with the corresponding isomorphisms
◮ We query the oracle with these related points, which saves a lot of time and exploits the extra structure of the scheme
Our results – I
◮ We provide a concrete attack against the JU scheme
◮ We exploit the additional structure between curves in the JU scheme to reduce the security level to almost a third
◮ The attack is polynomial in the key length, but exponential in the number of instances and base primes
Our results – II
◮ Our attack does NOT break the JU scheme for the proposed parameters...
◮ ...but it shows that at the same security level the JU scheme requires almost twice the computations of k-SIDH to reduce the public-key size by 20%
Our results – III
                                # SIDH instances   # keys per party   Attack cost
Jao-Urbanik with $k$ keys       $3k^2$             $k$                $O(\ell^{5k})$
k-SIDH with $\frac{5}{4}k$ keys $1.56k^2$          $\frac{5}{4}k$     $O(\ell^{5k})$
At the same security level, the JU scheme requires almost 2x the computations to reduce the public key size by 20%.
References I
[1] Azarderakhsh, R., Jao, D., Leonardi, C.: Post-quantum static-static key agreement using multiple protocol instances. In: Adams, C., Camenisch, J. (eds.) Selected Areas in Cryptography – SAC 2017, vol. 10719, pp. 45–63. Springer International Publishing (2017), http://link.springer.com/10.1007/978-3-319-72565-9_3
[2] Dobson, S., Galbraith, S.D., LeGrow, J., Ti, Y.B., Zobernig, L.: An adaptive attack on 2-SIDH (2019), http://eprint.iacr.org/2019/890
[3] Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) Advances in Cryptology – ASIACRYPT 2016, Lecture Notes in Computer Science, pp. 63–91. Springer (2016)