  1. On Adaptive Attacks against Jao-Urbanik’s Isogeny-Based Protocol
  Africacrypt, July 2020
  Andrea Basso (1), Péter Kutas (1), Simon-Philipp Merz (2), Christophe Petit (1), Charlotte Weitkämper (1)
  (1) University of Birmingham, UK; (2) Royal Holloway, University of London, UK

  2. Where we are
  [Roadmap diagram: protocols SIDH, SIKE (SIDH + FO), k-SIDH (k instances of SIDH), JU scheme (k-SIDH + automorphisms); attacks: GPST attacks SIDH]
  On Adaptive Attacks against Jao-Urbanik’s Protocol — Africacrypt 2020

  3. SIDH
  SIDH is a key-exchange protocol over supersingular elliptic curves defined over F_{p^2}, where p = 2^{e_A} 3^{e_B} f ± 1.
  [Diagram: E_0 → E_A (φ_A), E_0 → E_B (φ_B), E_A → E_AB (φ'_B), E_B → E_AB (φ'_A); Alice sends φ_A(P_B), φ_A(Q_B), Bob sends φ_B(P_A), φ_B(Q_A)]
  ⟨P_A, Q_A⟩ = E_0[2^{e_A}] and ker φ_A = ⟨P_A + [α]Q_A⟩,
  ⟨P_B, Q_B⟩ = E_0[3^{e_B}] and ker φ_B = ⟨P_B + [β]Q_B⟩.

  4. GPST attack
  ◮ Static secret keys in SIDH can be recovered by a dishonest participant Bob with the adaptive GPST attack
  ◮ An attacker uses the key exchange as an oracle to retrieve the static key α of Alice iteratively
  ◮ The oracle returns true if E_B/⟨R + [α]S⟩ = E_AB, where R, S are the torsion points sent by the attacker Bob
  ◮ Sending malicious torsion points R, S, the dishonest participant Bob retrieves one bit of α per oracle query
  ◮ Countermeasure: Fujisaki-Okamoto (as in SIKE)

  5. Where we are
  [Roadmap diagram as on slide 2; added: DGLTZ generalizes GPST and attacks k-SIDH]

  6. k-SIDH
  k-SIDH avoids attacks such as GPST by performing k^2 instances of SIDH during a single execution of the static-static key exchange protocol.
  Using each combination E_{A_i}, E_{B_j} for i, j = 1, ..., k of the two parties’ k different public curves yields shared secret Hash(j(E_{A_1 B_1}), j(E_{A_1 B_2}), ..., j(E_{A_k B_k})).
  [Diagram: k SIDH squares E_0 → E_{A_i} (φ_{A_i}), E_0 → E_{B_j} (φ_{B_j}), meeting at E_{A_i B_j} via φ'_{B_j} and φ'_{A_i}]

  7. The DGLTZ attack on k-SIDH
  ◮ The attacker queries with the same curve and same extra points for each SIDH instance
  ◮ New oracle: returns true if an attacker guesses all the common computed curves correctly
  ◮ First step: query with (E_B, P, [1 + 2^{n−1}]Q); one has to query 6 · 7^{k−1} times to get the first bit
  ◮ With this approach, even for k = 2, one needs an exponential number of queries
  ◮ DGLTZ solves the issue by computing the intermediate curves and additional points on those curves
  ◮ Computing these additional points requires 24^k queries

  8. Where we are
  [Roadmap diagram as on slide 2; added: DGLTZ generalizes GPST and attacks k-SIDH; this work generalizes DGLTZ and attacks the JU scheme]

  9. The Jao-Urbanik protocol – I
  The protocol improves on k-SIDH by using automorphisms to obtain three instances for each key.
  ◮ Starting curve: E_0 with j(E_0) = 0, which has a non-trivial automorphism η of order six
  ◮ For any subgroup B ⊂ E_0: E_0/B ≅ E_0/η(B) ≅ E_0/η^2(B)
  ◮ Fix bases: {P_A, Q_A = η(P_A)} of E_0[2^{e_A}], {P_B, Q_B = η(P_B)} of E_0[3^{e_B}]
  [Diagram: three SIDH squares sharing E_0 → E_A (φ_A): E_0 → E_B → E_{A,B}, E_0 → E_{η(B)} → E_{A,η(B)}, E_0 → E_{η^2(B)} → E_{A,η^2(B)}, with φ_B, φ_{η(B)}, φ_{η^2(B)} and the corresponding φ']

  10. The Jao-Urbanik protocol – II
  ◮ Alice and Bob perform an SIDH instance with public keys (E_A, φ_A(P_B), φ_A(Q_B)) and (E_B, φ_B(P_A), φ_B(Q_A))
  ◮ Alice and Bob obtain as shared secret information
    ◮ E_{A,B}, as in standard SIDH
    ◮ E_{A,η(B)} and E_{A,η^2(B)}, using η during the computation
  ◮ Bob uses his secret key β to compute
    ◮ E_{A,B} = E_A/⟨φ_B(P_A) + [β] φ_B(η(P_A))⟩
    ◮ E_{A,η(B)} = E_A/⟨−φ_B(P_A) + [β + 1] φ_B(η(P_A))⟩
    ◮ E_{A,η^2(B)} = E_A/⟨−[β + 1] φ_B(P_A) + [β] φ_B(η(P_A))⟩
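The two slides above rest on one structural fact: the j = 0 curve carries an automorphism η of order six, and the protocol picks its torsion bases as {P, η(P)}. The following is an added toy example, not code from the slides or from the Jao-Urbanik paper. It assumes a constructed curve E: y^2 = x^3 + 1 over F_31 (31 ≡ 1 mod 3, so a primitive cube root of unity ζ = 5 already lives in F_p and no F_{p^2} arithmetic is needed; the real protocol uses F_{p^2} with p = 2^{e_A} 3^{e_B} f ± 1, where η has the same shape), and all function names (`eta`, `spans_torsion`, `ju_basis`, ...) are the example's own. It checks that η really is an order-six automorphism of the group, that {P, η(P)} spans E[2] and E[3] for suitable P, and shows the caveat that η(P) can be dependent on P (here for P = (0, 1), where η(P) = −P), so the basis choice must be verified rather than assumed.

```python
# Toy model of the j = 0 curve and its order-six automorphism eta, which the
# Jao-Urbanik protocol uses to fix bases {P, eta(P)} of the torsion groups.
# Constructed example: E: y^2 = x^3 + 1 over F_31. Since 31 = 1 (mod 3), F_31
# contains a primitive cube root of unity, so plain F_p arithmetic suffices.
# The real protocol works over F_{p^2} with p = 2^eA 3^eB f +/- 1 (assumption:
# eta has exactly the same shape there, (x, y) -> (zeta*x, -y)).

P_MOD = 31
ZETA = 5          # 5^3 = 125 = 1 (mod 31) and 5 != 1: a primitive cube root of unity
INF = None        # the point at infinity (group identity)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + 1)) % P_MOD == 0


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def add(p1, p2):
    """Affine short-Weierstrass addition on y^2 = x^3 + 1 (curve coefficient a = 0)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 = -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)    # chord slope
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiple [k]pt by repeated addition (orders here are tiny)."""
    acc = INF
    for _ in range(k):
        acc = add(acc, pt)
    return acc


def eta(pt):
    """The automorphism eta(x, y) = (zeta*x, -y) of the j = 0 curve."""
    if pt is INF:
        return INF
    x, y = pt
    return (ZETA * x % P_MOD, (-y) % P_MOD)


def eta_pow(pt, k):
    for _ in range(k):
        pt = eta(pt)
    return pt


def all_points():
    return [INF] + [(x, y) for x in range(P_MOD) for y in range(P_MOD)
                    if on_curve((x, y))]


def eta_is_order_six_automorphism():
    """eta maps E to E, respects addition, eta^3 = [-1] and eta^6 = identity."""
    pts = all_points()
    for p in pts:
        if not on_curve(eta(p)) or eta_pow(p, 3) != neg(p) or eta_pow(p, 6) != p:
            return False
    return all(eta(add(p, q)) == add(eta(p), eta(q)) for p in pts for q in pts)


def cyclic_subgroup(pt):
    """All multiples of pt; pt is assumed to have small order."""
    elems, cur = [INF], pt
    while cur is not INF:
        elems.append(cur)
        cur = add(cur, pt)
    return elems


def spans_torsion(p, q, n):
    """True iff p, q lie in E[n] and <p, q> has n^2 elements, i.e. is all of E[n]."""
    if mul(n, p) is not INF or mul(n, q) is not INF:
        return False
    span = {add(a, b) for a in cyclic_subgroup(p) for b in cyclic_subgroup(q)}
    return len(span) == n * n


def ju_basis(p, n):
    """The Jao-Urbanik style basis {P, Q = eta(P)} of E[n], or None when eta(P)
    is dependent on P (this happens when the subgroup <P> is stable under eta)."""
    q = eta(p)
    return (p, q) if spans_torsion(p, q, n) else None


if __name__ == "__main__":
    print("eta is an order-six automorphism:", eta_is_order_six_automorphism())
    print("basis of E[3] from (3, 11):", ju_basis((3, 11), 3))   # (3, 11) and (15, 20)
    print("basis of E[3] from (0, 1): ", ju_basis((0, 1), 3))    # None: eta(0, 1) = -(0, 1)
    print("basis of E[2] from (30, 0):", ju_basis((30, 0), 2))   # (30, 0) and (26, 0)
```

The point of `ju_basis` returning `None` is the practical check behind slide 9's "fix bases": on the toy curve the 3-torsion point (0, 1) satisfies η(P) = −P, so {P, η(P)} is not a basis of E[3], while (3, 11) gives one. The same independence condition has to hold for the P_A, P_B a real implementation fixes.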

  11. Applying DGLTZ to Jao-Urbanik’s protocol
  ◮ DGLTZ treats each curve separately
  ◮ Secret kernel generators occurring in the Jao-Urbanik protocol are not of the required form to straightforwardly apply DGLTZ
  ◮ If the issues with kernel generators can be overcome, attacking the Jao-Urbanik protocol with k keys and 3k^2 SIDH instances would require O(24^{3k}) queries
  ⇒ This work uses relationships between curves and kernel generators to reduce the number of queries.

  12. Attacking Jao-Urbanik’s protocol

  13. Our attack – First bit recovery
  ◮ Goal: get the least significant bit α_0 of Alice’s secret key α, i.e. determine the first curve on the isogeny path E_A → E_0.
  ◮ Query with (E_B, [1 + 2^{n−1}]P_B, Q_B), so Alice computes all three 2-neighbouring curves of E/⟨2A⟩.
  ◮ The underlying relationship between kernel generators of corresponding curves helps to match up triples of candidate curves instead of exhaustively searching over all possibilities.
  [Diagram: E_0 → ... → E/⟨2A⟩ ≅ E_{A,1} via n − 1 partial isogenies of φ_A; from E/⟨2A⟩ three 2-isogenies lead to the candidate curves E_A, E'_A, E''_A ≅ E_{A,2}]

  14. Our attack – Pullbacks
  ◮ Main idea: Let A be a secret kernel, and let E_{A,i}, E'_{A,i}, E''_{A,i} be the i-th curves on the three corresponding paths. Then for all i, the curves E_{A,i}, E'_{A,i}, E''_{A,i} are isomorphic
  ◮ Instead of using the DGLTZ attack directly, we compute a pullback candidate for each curve and shift them with the corresponding isomorphisms
  ◮ We query the oracle with these related points, which saves a lot of time and exploits the extra structure of the scheme

  15. Our results – I
  ◮ We provide a concrete attack against the JU scheme
  ◮ We exploit the additional structure between curves in the JU scheme to reduce the security level to almost a third
  ◮ The attack is polynomial in the key length, but exponential in the number of instances and base primes

  16. Our results – II
  ◮ Our attack does NOT break the JU scheme for the proposed parameters...
  ◮ ...but it shows that at the same security level the JU scheme requires almost twice the computations of k-SIDH to reduce the public-key size by 20%

  17. Our results – III
                               # SIDH instances   # keys per party   Attack cost
  Jao-Urbanik with k keys      3k^2               k                  O(ℓ^{5k})
  k-SIDH with (5/4)k keys      1.56k^2            (5/4)k             O(ℓ^{5k})
  At the same security level, the JU scheme requires almost 2x the computations to reduce the public key size by 20%.

  18. References I
  [1] Azarderakhsh, R., Jao, D., Leonardi, C.: Post-quantum static-static key agreement using multiple protocol instances. In: Adams, C., Camenisch, J. (eds.) Selected Areas in Cryptography – SAC 2017, vol. 10719, pp. 45–63. Springer International Publishing (2017), http://link.springer.com/10.1007/978-3-319-72565-9_3
  [2] Dobson, S., Galbraith, S.D., LeGrow, J., Ti, Y.B., Zobernig, L.: An adaptive attack on 2-SIDH (2019), http://eprint.iacr.org/2019/890
  [3] Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) Advances in Cryptology – ASIACRYPT 2016, Lecture Notes in Computer Science, pp. 63–91. Springer (2016)

  19. References II
  [4] Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: International Workshop on Post-Quantum Cryptography, pp. 19–34. Springer (2011)
  [5] Urbanik, D., Jao, D.: New techniques for SIDH-based NIKE (accepted at MathCrypt 2018, to appear in J. Math. Cryptol.; personal communication)
