
Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances

Reza Azarderakhsh (1), David Jao (2, 3), Christopher Leonardi (2)

(1) Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University
(2) Department of Combinatorics and Optimization, University of Waterloo
(3) evolutionQ, Inc., Waterloo, Ontario, Canada

August 2017

Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 1 / 21

1. Isogeny-Based Key Agreement
   Elliptic Curve Background
   Jao-De Feo Key Agreement
   Active Attack

2. Multiple Instances of Key Agreement
   Protocol
   Security

3. k-SIDH
   Security
   Conclusion

Isogeny-Based Key Agreement: Elliptic Curve Background

An elliptic curve over a finite field $\mathbb{F}_{p^n}$,
$$E(\mathbb{F}_{p^n}) = \{(x, y) \in (\mathbb{F}_{p^n})^2 : y^2 = x^3 + ax + b\} \cup \{O\},$$
is a finite Abelian group.

The $m$-torsion subgroup is $E[m] = \{P \in E(\overline{\mathbb{F}_p}) : [m]P = O\}$.

$E$ is called supersingular if $E[p^r] = \{O\}$ for all $r \in \mathbb{N}$ (otherwise $E$ is called ordinary).

The j-invariant is a unique element of $\mathbb{F}_{p^n}$ associated to each $\mathbb{F}_{p^n}$-isomorphism family of elliptic curves:
$$j(E) = 1728 \cdot \frac{4a^3}{4a^3 + 27b^2} \in \mathbb{F}_{p^n}.$$
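The definitions above become concrete on a toy curve. The following Python is an added example, not code from the slides or the authors: it enumerates $E(\mathbb{F}_p)$ for a small constructed prime $p = 11$, evaluates the j-invariant formula, and extracts the rational part of $E[m]$. The supersingularity test uses the point-count criterion ($\#E(\mathbb{F}_p) = p + 1$ for $p \ge 5$), which is equivalent to the $E[p^r] = \{O\}$ definition on the slide but decidable by brute force here. Real SIDH parameters live over $\mathbb{F}_{p^2}$ with a prime of hundreds of bits and are never handled this way.

```python
# Added example (not from the slides): toy model of E(F_p), j(E) and E[m]
# over a small constructed prime. Only for illustration of the definitions.
from itertools import product

O = None  # the point at infinity


def inv(x, p):
    """Modular inverse in F_p (p prime)."""
    return pow(x, p - 2, p)


def j_invariant(a, b, p):
    """j(E) = 1728 * 4a^3 / (4a^3 + 27b^2) in F_p, for E: y^2 = x^3 + ax + b."""
    num = 4 * a**3 % p
    den = (4 * a**3 + 27 * b**2) % p
    if den == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0")
    return 1728 * num * inv(den, p) % p


def add(P, Q, a, p):
    """Affine group law on E(F_p): chord-and-tangent addition."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # P + (-P) = O; also doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv((x2 - x1) % p, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(m, P, a, p):
    """Scalar multiple [m]P by double-and-add."""
    R = O
    while m:
        if m & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        m >>= 1
    return R


def points(a, b, p):
    """All of E(F_p), found by brute force (fine only for toy p)."""
    pts = [O]
    for x, y in product(range(p), repeat=2):
        if (y * y - (x**3 + a * x + b)) % p == 0:
            pts.append((x, y))
    return pts


def is_supersingular(a, b, p):
    """For p >= 5, E/F_p is supersingular iff #E(F_p) = p + 1 (Frobenius trace 0).
    Equivalent to the slide's definition E[p^r] = {O} over the closure."""
    if p < 5:
        raise ValueError("point-count criterion needs p >= 5")
    return len(points(a, b, p)) == p + 1


def rational_torsion(m, a, b, p):
    """The F_p-rational part of E[m]: points P in E(F_p) with [m]P = O."""
    return [P for P in points(a, b, p) if mul(m, P, a, p) is O]


if __name__ == "__main__":
    p = 11  # constructed toy prime
    for a, b in [(1, 0), (0, 1), (1, 1)]:
        print(f"y^2 = x^3 + {a}x + {b} over F_{p}: #E = {len(points(a, b, p))}, "
              f"j = {j_invariant(a, b, p)}, supersingular = {is_supersingular(a, b, p)}")
    print("E[2](F_11) on y^2 = x^3 + x:", rational_torsion(2, 1, 0, p))
    print("E[3](F_11) on y^2 = x^3 + x:", rational_torsion(3, 1, 0, p))
```

On $y^2 = x^3 + x$ and $y^2 = x^3 + 1$ over $\mathbb{F}_{11}$ the count is $12 = p + 1$ (supersingular, $j = 1$ and $j = 0$ respectively), while $y^2 = x^3 + x + 1$ has 14 points and is ordinary; the rational 2- and 3-torsion of the first curve have sizes 2 and 3, matching a cyclic group of order 12.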

Isogeny-Based Key Agreement: Elliptic Curve Background

An isogeny $\varphi : E \to E'$ over $\mathbb{F}_q$ is a non-constant rational map defined over $\mathbb{F}_q$ such that $\varphi(O_E) = O_{E'}$; it is a group homomorphism from $E(\mathbb{F}_{p^n})$ to $E'(\mathbb{F}_{p^n})$.

For each subgroup $G$ of $E$ there is, up to isomorphism, a unique isogeny $\varphi$ with domain $E$ and kernel $G$. We denote the codomain curve by $E/G$.

The degree $\deg(\varphi)$ is its degree as a rational map, which (for our purposes) is equal to the size of its kernel.

Isogeny-Based Key Agreement: Jao-De Feo Key Agreement

Global Parameters: Let $p = 2^m 3^n f \pm 1$, where $f$ is a small prime, and let $E$ be a supersingular elliptic curve over $\mathbb{F}_{p^2}$.

Points $P_A, Q_A$ which generate the subgroup $E[2^m] \cong \mathbb{Z}/2^m\mathbb{Z} \times \mathbb{Z}/2^m\mathbb{Z}$.

Points $P_B, Q_B$ which generate the subgroup $E[3^n] \cong \mathbb{Z}/3^n\mathbb{Z} \times \mathbb{Z}/3^n\mathbb{Z}$.

Isogeny-Based Key Agreement: Jao-De Feo Key Agreement

Key Generation:

Alice: $\alpha \leftarrow_R \mathbb{Z}/2^m\mathbb{Z}$, $\varphi_A : E \to E_A = E/\langle P_A + [\alpha]Q_A \rangle$, $(R, S) \leftarrow (\varphi_A(P_B), \varphi_A(Q_B))$.

Bob: $\beta \leftarrow_R \mathbb{Z}/3^n\mathbb{Z}$, $\varphi_B : E \to E_B = E/\langle P_B + [\beta]Q_B \rangle$, $(U, V) \leftarrow (\varphi_B(P_A), \varphi_B(Q_A))$.

Isogeny-Based Key Agreement: Jao-De Feo Key Agreement

Alice can compute:
$$E_B/\langle U + [\alpha]V \rangle = E_B/\langle \varphi_B(P_A) + [\alpha]\varphi_B(Q_A) \rangle = E_B/\langle \varphi_B(P_A + [\alpha]Q_A) \rangle = E/\langle P_B + [\beta]Q_B,\ P_A + [\alpha]Q_A \rangle.$$

Similarly Bob can compute:
$$E_A/\langle R + [\beta]S \rangle = E_A/\langle \varphi_A(P_B) + [\beta]\varphi_A(Q_B) \rangle = E_A/\langle \varphi_A(P_B + [\beta]Q_B) \rangle = E/\langle P_A + [\alpha]Q_A,\ P_B + [\beta]Q_B \rangle.$$

Isogeny-Based Key Agreement: Jao-De Feo Key Agreement

Figure: SIDH Key Agreement (commutative diagram $E \to E_A \to E_{AB} \cong E_{BA} \leftarrow E_B \leftarrow E$; the arrows of the drawing are listed here as text)

$\ker(\varphi_A) = \langle P_A + [\alpha]Q_A \rangle$, with Alice's public triple $(E_A, \varphi_A(P_B), \varphi_A(Q_B))$
$\ker(\varphi_B) = \langle P_B + [\beta]Q_B \rangle$, with Bob's public triple $(E_B, \varphi_B(P_A), \varphi_B(Q_A))$
$\ker(\varphi'_B) = \langle \varphi_A(P_B) + [\beta]\varphi_A(Q_B) \rangle$, giving $\varphi'_B : E_A \to E_{AB}$
$\ker(\varphi'_A) = \langle \varphi_B(P_A) + [\alpha]\varphi_B(Q_A) \rangle$, giving $\varphi'_A : E_B \to E_{BA}$

The shared secret is the j-invariant $j(E_{AB}) \in \mathbb{F}_{p^2}$.

Isogeny-Based Key Agreement: Active Attack

This protocol is susceptible to an active attack when Alice reuses her key across multiple sessions.

Lemma [Galbraith, Petit, Shani, Ti, 2016]: Let $P, Q \in E[2^m]$ be linearly independent points of order $2^m$, and let $\alpha \in \mathbb{Z}/2^m\mathbb{Z}$. Then $\langle P + [\alpha]Q \rangle = \langle P + [\alpha](Q + [2^{m-1}]P) \rangle$ if and only if $\alpha$ is even.

Suppose Alice and Bob verify they have the same shared secret.

Bob can be dishonest and use $(E_B, U, V + [2^{m-1}]U)$ as his public key.

Isogeny-Based Key Agreement: Active Attack

Alice will compute the elliptic curve $E_B/\langle U + [\alpha](V + [2^{m-1}]U) \rangle$.

Bob can still compute the curve $E_A/\langle R + [\beta]S \rangle$.

Bob learns the parity of $\alpha$ from whether or not Alice computes the same curve.

This attack can be extended adaptively to learn each bit of $\alpha$ efficiently.

This modified public key is guaranteed to pass all known direct validation methods.

This suggests that static keys cannot be used for SIDH.


Multiple Instances of Key Agreement: Protocol

We let KeyEst be a key establishment function. A key agreement protocol, KeyAgree, for Alice and Bob consists of:

Setup: Both members obtain a valid copy of the global parameters.

Key Generation: Alice generates a secret key $s_A$ and public key $p_A$; likewise Bob generates $s_B$ and $p_B$.

Communication: Alice obtains $p_B$ and Bob obtains $p_A$.

Key Establishment: Alice computes $K_A = \mathrm{KeyEst}(p_B, s_A)$ and Bob computes $K_B = \mathrm{KeyEst}(p_A, s_B)$.

Verification: If applicable, each participant tests the validity of the other's public key. Alice and Bob verify that $K_A = K_B$ and terminate communication if any test fails.


Multiple Instances of Key Agreement: Protocol

Alice and Bob interact twice, during communication and verification. We consider the attack model where Bob can act dishonestly in both phases.

Bob can send a specially chosen public key $p_B^*$, and send some $K_B^*$ during verification.

This gives Bob access to an oracle $\mathrm{Oracle}_{\mathrm{KeyAgree}}(p_B^*, K_B^*)$ which returns 1 if $K_B^* = \mathrm{KeyEst}(p_B^*, s_A)$, and returns 0 otherwise.

When Bob acts dishonestly, this oracle may leak some information about Alice's secret key $s_A$. This leakage is what our work addresses.


Multiple Instances of Key Agreement: Protocol

Let $k$ be a positive integer, and let $H$ be a preimage-resistant hash function. The key agreement protocol between Alice and Bob, called $k$-KeyAgree, consists of:

Setup: Both members obtain a valid copy of the global parameters.

Key Generation: Alice generates $k$ secret key/public key pairs $(s_{A_i}, p_{A_i})$, $1 \le i \le k$. Likewise Bob generates $(s_{B_i}, p_{B_i})$ for $1 \le i \le k$.

Communication: Alice initiates communication and sends all $k$ of her public keys to Bob. Bob then sends all $k$ of his public keys to Alice.


Multiple Instances of Key Agreement: Protocol

Key Establishment: Alice computes $z_{i,j} \leftarrow \mathrm{KeyEst}(p_{B_i}, s_{A_j})$ for every pair $1 \le i, j \le k$, then computes
$$K_A \leftarrow H(z_{1,1}, \ldots, z_{1,k}, z_{2,1}, \ldots, z_{2,k}, \ldots, z_{k,1}, \ldots, z_{k,k}).$$
Similarly, Bob computes $z'_{i,j} \leftarrow \mathrm{KeyEst}(p_{A_j}, s_{B_i})$ for each pair $1 \le i, j \le k$, and then computes
$$K_B \leftarrow H(z'_{1,1}, \ldots, z'_{1,k}, z'_{2,1}, \ldots, z'_{2,k}, \ldots, z'_{k,1}, \ldots, z'_{k,k}).$$

Verification: If applicable, Alice and Bob test the validity of each other's public keys. Alice and Bob verify that $K_A = K_B$. Either party terminates the session if their validity or verification tests fail.
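The $k$-KeyAgree transformation is independent of the underlying KeyEst, so it can be written once as a generic combiner. The Python below is an added example, not the authors' code: it implements the four phases above over any `key_est(pub, sec)` function and, so that it runs offline, instantiates KeyEst with a constructed toy Diffie-Hellman stand-in ($g^s \bmod q$ for a small Mersenne prime $q$). That stand-in is neither SIDH nor post-quantum; only the combiner around it is the point. The hash $H$ is SHA-256 with a domain separator and fixed-width encoding of each $z_{i,j}$ (our choice, not specified on the slides), and the index order of the $k^2$ values is fixed as (Bob's index, Alice's index) on both sides so that $K_A = K_B$ for honest parties.

```python
# Added example (not the authors' code): k-KeyAgree as a generic combiner over
# an abstract KeyEst. The KeyEst used here is a constructed toy DH placeholder.
import hashlib
import hmac
import secrets

# --- constructed toy KeyEst (placeholder for SIDH's j-invariant computation) ---
Q = 2**127 - 1   # Mersenne prime, gives the toy a group to work in
G = 3


def keygen():
    """One (secret, public) pair for the toy KeyEst."""
    s = secrets.randbelow(Q - 2) + 2
    return s, pow(G, s, Q)


def key_est(pub, sec):
    """KeyEst(p, s): the single-instance shared value z."""
    return pow(pub, sec, Q)


# --- k-KeyAgree combiner ---
def k_keygen(k):
    """Key Generation: k independent (s_i, p_i) pairs."""
    return [keygen() for _ in range(k)]


def combine(z_table):
    """K <- H(z_{1,1}, ..., z_{k,k}). H is SHA-256 with a domain separator and
    16-byte big-endian encoding of every entry, so the input parses unambiguously."""
    h = hashlib.sha256(b"k-KeyAgree-toy-v0|")
    for row in z_table:
        for z in row:
            h.update(z.to_bytes(16, "big"))
    return h.digest()


def k_key_establish(my_pairs, their_pubs, role):
    """Key Establishment: all k^2 values, tabulated as z[bob_index][alice_index]
    on both sides so the hash input order agrees.
      Alice: z_{i,j} = KeyEst(p_{B_i}, s_{A_j});  Bob: z'_{i,j} = KeyEst(p_{A_j}, s_{B_i})."""
    k = len(my_pairs)
    if len(their_pubs) != k:
        raise ValueError("peer must send exactly k public keys")
    if role == "alice":
        z = [[key_est(their_pubs[i], my_pairs[j][0]) for j in range(k)] for i in range(k)]
    elif role == "bob":
        z = [[key_est(their_pubs[j], my_pairs[i][0]) for j in range(k)] for i in range(k)]
    else:
        raise ValueError("role must be 'alice' or 'bob'")
    return combine(z)


def verify(k_mine, k_theirs):
    """Verification: constant-time comparison of the two K values; the caller
    terminates the session when this returns False."""
    return hmac.compare_digest(k_mine, k_theirs)


def run_k_keyagree(k, tamper_slot=None):
    """Full run. With tamper_slot set, Bob substitutes one public key he holds no
    secret for (standing in for the p_B^* slot of the slides), so the hash over
    all k^2 values no longer matches and Alice's verification fails."""
    alice, bob = k_keygen(k), k_keygen(k)
    alice_pubs = [p for _, p in alice]
    bob_pubs = [p for _, p in bob]
    if tamper_slot is not None:
        bob_pubs[tamper_slot] = keygen()[1]
    k_a = k_key_establish(alice, bob_pubs, "alice")
    k_b = k_key_establish(bob, alice_pubs, "bob")
    return verify(k_a, k_b)


if __name__ == "__main__":
    print("honest k=3:", run_k_keyagree(3))
    print("one substituted slot, k=3:", run_k_keyagree(3, tamper_slot=1))
```

Because every $z_{i,j}$ involving the substituted slot depends on one of Alice's $k$ secrets, a single verification response only tells Bob whether his guess for all of those values at once was right; that is the effect the theorem on the security slides bounds by $\rho^{k-1}$. The constant-time comparison and the fixed-width, domain-separated hash input are implementation details a practitioner would want but that the slides do not discuss.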

Multiple Instances of Key Agreement: Protocol

Figure: Honest $k$-Key Agreement (the $k \times k$ table of shared values $z_{i,j}$)

                      (p_B1, s_B1)   (p_B2, s_B2)   ...   (p_Bk, s_Bk)
    (p_A1, s_A1)      z_{1,1}        z_{1,2}        ...   z_{1,k}
    (p_A2, s_A2)      z_{2,1}        z_{2,2}        ...   z_{2,k}
    ...               ...            ...            ...   ...
    (p_Ak, s_Ak)      z_{k,1}        z_{k,2}        ...   z_{k,k}

Figure: Dishonest $k$-Key Agreement (Bob's first slot replaced by the modified key $p_B^*$)

                      (p_B^*, s_B1)  (p_B2, s_B2)   ...   (p_Bk, s_Bk)
    (p_A1, s_A1)      z_{1,1}        z_{1,2}        ...   z_{1,k}
    (p_A2, s_A2)      z_{2,1}        z_{2,2}        ...   z_{2,k}
    ...               ...            ...            ...   ...
    (p_Ak, s_Ak)      z_{k,1}        z_{k,2}        ...   z_{k,k}


Multiple Instances of Key Agreement: Security

Definition: Suppose Bob has a public key/secret key pair $(p_B, s_B)$ for KeyAgree and is given two public keys $p_{A_1}$ and $p_{A_2}$ (derived from some secret keys $s_{A_1}, s_{A_2}$ which are unknown to Bob). A modified public key $p_B^*$ is called malicious if:

$p_B^*$ passes all validation tests Alice performs in the verification phase,

$\mathrm{KeyEst}(p_B^*, s_{A_1}) = \mathrm{KeyEst}(p_B, s_{A_1})$,

$\mathrm{KeyEst}(p_B^*, s_{A_2}) = \mathrm{KeyEst}(p_B, s_{A_2})$, and

responses from $\mathrm{Oracle}_{\mathrm{KeyAgree}}(p_B^*, \cdot)$ leak information about Alice's private keys with non-negligible probability.

Multiple Instances of Key Agreement: Security

Theorem: Let KeyAgree be a key agreement protocol using KeyEst in which it is computationally infeasible to create a malicious public key. Let $p_B^*$ be a modified public key that passes all validity tests of KeyAgree and may leak information about private keys. Suppose that in $k$-KeyAgree one of the $k$ parts of Bob's public key is $p_B^*$.

Associated to the equation $\mathrm{Oracle}_{\mathrm{KeyAgree}}(p_B^*, \cdot) = 1$ is a probability distribution among all dishonest shared secrets. Let $\rho$ denote the largest such probability. Then for all choices of $K_B^*$ for $k$-KeyAgree, the equation $\mathrm{Oracle}_{k\text{-}\mathrm{KeyAgree}}(p_B^*, K_B^*) = 1$ holds with probability bounded above by $\rho^{k-1}$.


k-SIDH: Security

Definition: Let $p = 2^m 3^n f \pm 1$ be prime and $E$ a supersingular elliptic curve over $\mathbb{F}_{p^2}$. Let $\ell^r$ be $2^m$ or $3^n$, and let $P, Q \in E(\mathbb{F}_{p^2})$ be such that $\langle P, Q \rangle = E[\ell^r]$. Given an elliptic curve $E'$ defined over $\mathbb{F}_{p^2}$ which is isogenous to $E$ of degree $\ell^r$, the Supersingular Isogeny (SSI) problem is to find an isogeny over $\mathbb{F}_{p^2}$ from $E$ to $E'$ of degree $\ell^r$.

Theorem: Under the assumption that the SSI problem is intractable, it is computationally infeasible to find a malicious public key for SIDH with non-negligible probability.


k-SIDH: Security

Classical Security: The expected number of hashes before Bob determines the first bit of each of Alice's $k$ secret keys is
$$\sum_{i=0}^{(k-2)/2} \binom{k-1}{i} \bigl(\ell(\ell+1)\bigr)^i.$$
To achieve $2^{128}$: $k = 60$ when $\ell = 2$, and $k = 50$ when $\ell = 3$.

Quantum Security: Applying Grover's algorithm over a non-uniform search space results in $2^{128}$ operations when $\ell = 2, k = 92$, and when $\ell = 3, k = 70$.

Key Sizes: An SIDH public key can be represented in 331 bytes at the 128-bit quantum security level. A $k$-SIDH public key requires $331 \times k$ bytes, or about 31 kB at the same level.
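The classical-security estimate above can be evaluated exactly with integer arithmetic, which makes the quoted parameter choices checkable. The Python below is an added example, not the authors' code: it implements the sum from the slide, searches for the smallest $k$ that pushes the expected number of hashes past $2^{128}$ for $\ell = 2$ and $\ell = 3$, and computes the $k$-SIDH public key size from the 331-byte figure. For odd $k$ the upper limit $(k-2)/2$ is floored; that is our assumption, since the slide only quotes even $k$.

```python
# Added example (not from the slides): exact evaluation of the classical
# work estimate and the parameter search behind "k = 60 / k = 50".
from math import comb


def expected_hashes(k, ell):
    """sum_{i=0}^{(k-2)/2} C(k-1, i) * (ell*(ell+1))^i, as an exact integer.
    Upper limit floored for odd k (assumption; the slide quotes even k)."""
    if k < 2:
        raise ValueError("k must be at least 2")
    base = ell * (ell + 1)
    return sum(comb(k - 1, i) * base**i for i in range((k - 2) // 2 + 1))


def smallest_k(ell, target_bits=128, k_max=1000):
    """Smallest k whose expected work reaches 2**target_bits hashes."""
    target = 1 << target_bits
    for k in range(2, k_max + 1):
        if expected_hashes(k, ell) >= target:
            return k
    raise ValueError("no k up to k_max reaches the target")


def log2_work(k, ell):
    """floor(log2) of the expected number of hashes, for readable reporting."""
    return expected_hashes(k, ell).bit_length() - 1


def public_key_bytes(k, sidh_pk_bytes=331):
    """k-SIDH public key size: k copies of a 331-byte SIDH public key."""
    return sidh_pk_bytes * k


if __name__ == "__main__":
    for ell in (2, 3):
        k = smallest_k(ell)
        print(f"ell={ell}: smallest k reaching 2^128 is {k} "
              f"(log2 work at k={k}: {log2_work(k, ell)}, at k={k - 2}: {log2_work(k - 2, ell)})")
    print("k-SIDH public key at the quantum level (k=92):", public_key_bytes(92), "bytes")
```

The search reproduces $k = 60$ for $\ell = 2$ and $k = 50$ for $\ell = 3$ from the slide; at $k = 58$ and $k = 48$ the sum is still below $2^{128}$. The key-size helper gives $331 \times 92 = 30452$ bytes for the quantum-level $\ell = 2$ parameter, which is the "about 31 kB" quoted above.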


Security against specific active attacks grow exponentially in k, key size increases by a factor of k, and computation cost increases by a factor of k2 for each participant. No other currently known post-quantum scheme achieves secure static-static key agreement. Transformation for key agreement protocols to protect against such active attacks which use verification. Future work includes reducing the quadratic cost, using economies of scale to optimize implementations, reducing k, determining the generality of our transformation requirement.

Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 21 / 21

slide-58
SLIDE 58

k-SIDH Conclusion

Security against specific active attacks grow exponentially in k, key size increases by a factor of k, and computation cost increases by a factor of k2 for each participant. No other currently known post-quantum scheme achieves secure static-static key agreement. Transformation for key agreement protocols to protect against such active attacks which use verification. Future work includes reducing the quadratic cost, using economies of scale to optimize implementations, reducing k, determining the generality of our transformation requirement. Thank you.

Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 21 / 21