post quantum static static key agreement using multiple
play

Post-Quantum Static-Static Key Agreement Using Multiple Protocol - PowerPoint PPT Presentation

Feb 14, 2023 •216 likes •807 views

Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances Reza Azarderakhsh 1 David Jao 2 , 3 Christopher Leonardi 2 Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University Department

  1. Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances Reza Azarderakhsh 1 David Jao 2 , 3 Christopher Leonardi 2 Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University Department of Combinatorics and Optimization, University of Waterloo evolutionQ, Inc., Waterloo, Ontario, Canada August 2017 Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 1 / 21

  2. Isogeny-Based Key Agreement 1 Elliptic Curve Background Jao-De Feo Key Agreement Active Attack Multiple Instances of Key Agreement 2 Protocol Security k -SIDH 3 Security Conclusion Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 2 / 21

  3. Isogeny-Based Key Agreement Elliptic Curve Background An elliptic curve over a finite field F p n , E ( F p n ) = { ( x , y ) ∈ ( F p n ) 2 : y 2 = x 3 + ax + b } ∪ {O} , is a finite Abelian group. Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 3 / 21

  4. Isogeny-Based Key Agreement Elliptic Curve Background An elliptic curve over a finite field F p n , E ( F p n ) = { ( x , y ) ∈ ( F p n ) 2 : y 2 = x 3 + ax + b } ∪ {O} , is a finite Abelian group. The m -torsion subgroup E [ m ] = { P ∈ E ( F p ) : [ m ] P = O} . Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 3 / 21

  5. Isogeny-Based Key Agreement Elliptic Curve Background An elliptic curve over a finite field F p n , E ( F p n ) = { ( x , y ) ∈ ( F p n ) 2 : y 2 = x 3 + ax + b } ∪ {O} , is a finite Abelian group. The m -torsion subgroup E [ m ] = { P ∈ E ( F p ) : [ m ] P = O} . E is called supersingular if ∀ r ∈ N , E [ p r ] = {O} (otherwise E is called ordinary). Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 3 / 21

  6. Isogeny-Based Key Agreement Elliptic Curve Background An elliptic curve over a finite field F p n , E ( F p n ) = { ( x , y ) ∈ ( F p n ) 2 : y 2 = x 3 + ax + b } ∪ {O} , is a finite Abelian group. The m -torsion subgroup E [ m ] = { P ∈ E ( F p ) : [ m ] P = O} . E is called supersingular if ∀ r ∈ N , E [ p r ] = {O} (otherwise E is called ordinary). The j -invariant is a unique element of F p n associated to each F p n -isomorphism family of elliptic curves. 4 a 3 j ( E ) = 1728 4 a 3 + 27 b 2 ∈ F p n Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 3 / 21

  7. Isogeny-Based Key Agreement Elliptic Curve Background An isogeny φ : E → E ′ over F q is a non-constant rational map defined over F q such that φ ( O E ) = O E ′ , and is a group homomorphism from E ( F p n ) to E ′ ( F p n ). Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 4 / 21

  8. Isogeny-Based Key Agreement Elliptic Curve Background An isogeny φ : E → E ′ over F q is a non-constant rational map defined over F q such that φ ( O E ) = O E ′ , and is a group homomorphism from E ( F p n ) to E ′ ( F p n ). For each subgroup G of E , there is up to isomorphism a unique isogeny φ with domain E and kernel G . We denote the codomain curve by E / G . Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 4 / 21

  9. Isogeny-Based Key Agreement Elliptic Curve Background An isogeny φ : E → E ′ over F q is a non-constant rational map defined over F q such that φ ( O E ) = O E ′ , and is a group homomorphism from E ( F p n ) to E ′ ( F p n ). For each subgroup G of E , there is up to isomorphism a unique isogeny φ with domain E and kernel G . We denote the codomain curve by E / G . The degree, deg( φ ), is its degree as a rational map which is equal to the size of its kernel (for our purposes). Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 4 / 21

  10. Isogeny-Based Key Agreement Jao-De Feo Key Agreement Global Parameters: Let p = 2 m 3 n f ± 1, where f is a small prime, and E be a supersingular elliptic curve over F p 2 . Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 5 / 21

  11. Isogeny-Based Key Agreement Jao-De Feo Key Agreement Global Parameters: Let p = 2 m 3 n f ± 1, where f is a small prime, and E be a supersingular elliptic curve over F p 2 . Points P A , Q A which generate the subgroup E [2 m ] ∼ = Z / 2 m Z × Z / 2 m Z Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 5 / 21

  12. Isogeny-Based Key Agreement Jao-De Feo Key Agreement Global Parameters: Let p = 2 m 3 n f ± 1, where f is a small prime, and E be a supersingular elliptic curve over F p 2 . Points P A , Q A which generate the subgroup E [2 m ] ∼ = Z / 2 m Z × Z / 2 m Z Points P B , Q B which generate the subgroup E [3 n ] ∼ = Z / 3 n Z × Z / 3 n Z Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 5 / 21

  13. Isogeny-Based Key Agreement Jao-De Feo Key Agreement Key Generation: Alice: α ← R Z / 2 m Z , φ A : E → E A = E / � P A + [ α ] Q A � , ( R , S ) ← ( φ A ( P B ) , φ A ( Q B )) . Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 6 / 21

  14. Isogeny-Based Key Agreement Jao-De Feo Key Agreement Key Generation: Alice: α ← R Z / 2 m Z , φ A : E → E A = E / � P A + [ α ] Q A � , ( R , S ) ← ( φ A ( P B ) , φ A ( Q B )) . Bob: β ← R Z / 3 n Z , φ B : E → E B = E / � P B + [ β ] Q B � , ( U , V ) ← ( φ B ( P A ) , φ B ( Q A )) . Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 6 / 21

  15. Isogeny-Based Key Agreement Jao-De Feo Key Agreement Alice can compute: E B / � U + [ α ] V � = E B / � φ B ( P A ) + [ α ] φ B ( Q A ) � = E B / � φ B ( P A + [ α ] Q A ) � = E / � P B + [ β ] Q B , P A + [ α ] Q A � Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 7 / 21

  16. Isogeny-Based Key Agreement Jao-De Feo Key Agreement Alice can compute: E B / � U + [ α ] V � = E B / � φ B ( P A ) + [ α ] φ B ( Q A ) � = E B / � φ B ( P A + [ α ] Q A ) � = E / � P B + [ β ] Q B , P A + [ α ] Q A � Similarly Bob can compute: E A / � R + [ β ] S � = E A / � φ A ( P B ) + [ β ] φ A ( Q B ) � = E A / � φ A ( P B + [ β ] Q B ) � = E / � P A + [ α ] Q A , P B + [ β ] Q B � Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 7 / 21

  17. Isogeny-Based Key Agreement Jao-De Feo Key Agreement ker ( φ ′ ❍❍❍❍❍❍❍❍❍❍❍❍❍❍❍❍❍❍ ✟✟✟✟✟✟✟✟✟✟✟✟✟✟✟✟✟✟ ✯ E A B ) = � φ A ( P B ) + [ β ] φ A ( Q B ) � ✻ ker ( φ A ) = � P A + [ α ] Q A � ❥ ( E B , φ B ( P A ) , φ B ( Q A )) E AB ∼ E = E BA ❍❍❍❍❍❍❍❍❍❍❍❍❍❍❍❍❍❍ ( E A , φ A ( P B ) , φ A ( Q B )) ✟✟✟✟✟✟✟✟✟✟✟✟✟✟✟✟✟✟ ✯ ker ( φ B ) = � P B + [ β ] Q B � A ) = � φ B ( P A ) + [ α ] φ B ( Q A ) � ❄ ❥ ker ( φ ′ E B Figure: SIDH Key Agreement The shared secret is the j -invariant, j ( E AB ) ∈ F p 2 . Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 8 / 21

  18. Isogeny-Based Key Agreement Active Attack This protocol is susceptible to an active attack when Alice reuses her key across multiple sessions. Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 9 / 21

  19. Isogeny-Based Key Agreement Active Attack This protocol is susceptible to an active attack when Alice reuses her key across multiple sessions. Lemma [ Galbraith , Petit , Shani , Ti , 2016] Let P , Q ∈ E [2 m ] be linearly independent points of order 2 m , and let α ∈ Z / 2 m Z . Then, � P + [ α ] Q � = � P + [ α ]( Q + [2 m − 1 ] P ) � if and only if α is even. Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 9 / 21

  20. Isogeny-Based Key Agreement Active Attack This protocol is susceptible to an active attack when Alice reuses her key across multiple sessions. Lemma [ Galbraith , Petit , Shani , Ti , 2016] Let P , Q ∈ E [2 m ] be linearly independent points of order 2 m , and let α ∈ Z / 2 m Z . Then, � P + [ α ] Q � = � P + [ α ]( Q + [2 m − 1 ] P ) � if and only if α is even. Suppose Alice and Bob verify they have the same shared secret. Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 9 / 21

  21. Isogeny-Based Key Agreement Active Attack This protocol is susceptible to an active attack when Alice reuses her key across multiple sessions. Lemma [ Galbraith , Petit , Shani , Ti , 2016] Let P , Q ∈ E [2 m ] be linearly independent points of order 2 m , and let α ∈ Z / 2 m Z . Then, � P + [ α ] Q � = � P + [ α ]( Q + [2 m − 1 ] P ) � if and only if α is even. Suppose Alice and Bob verify they have the same shared secret. Bob can be dishonest and use ( E B , U , V + [2 m − 1 ] U ) as his public key. Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 9 / 21

  22. Isogeny-Based Key Agreement Active Attack Alice will compute the elliptic curve E B / � U + [ α ]( V + [2 m − 1 ] U ) � . Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 10 / 21

  23. Isogeny-Based Key Agreement Active Attack Alice will compute the elliptic curve E B / � U + [ α ]( V + [2 m − 1 ] U ) � . Bob can still compute the curve E A / � R + [ β ] S � . Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 10 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables all instances of the class share the same static variable example: serial/VIN number for Car static methods invoked through class

324 views • 7 slides
1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

Static/ Dynamic Deformation I ntroduction to Static deformation Dynamic deformation Static/ Dynamic Deformation with Mass-Spring Systems undeformed shape f internal + = f inertia = 0 f external Min Gyu Choi deformed

426 views • 4 slides
Static and dynamic verification Static and dynamic V&V Software inspections Concerned

Static and dynamic verification Static and dynamic V&V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
static vs automatic storage classes Three types of memory allocations static storage class

static vs automatic storage classes Three types of memory allocations static storage class

static vs automatic storage classes Three types of memory allocations static storage class means variable persists through static allocation: for globals and any static the life of the program variables in functions automatic storage

569 views • 9 slides
Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New transactions, new friends, stop following somebody in T witter, But most data mining algorithms assume static data Even a minor change requires

925 views • 44 slides
Libraries In C++ its possible to create static libraries and shared libraries Static

Libraries In C++ its possible to create static libraries and shared libraries Static

Libraries In C++ its possible to create static libraries and shared libraries Static libraries (end in .a) are combined/linked into an executable Executables are large. If library is updated in a binary compatible way, programs

297 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Specication and Enforcement of Static Specication and Enforcement of Static Separation-of-Duty

Specication and Enforcement of Static Specication and Enforcement of Static Separation-of-Duty

Specication and Enforcement of Static Specication and Enforcement of Static Separation-of-Duty Policies in Usage Control Jianfeng Lu, Ruixuan Li, Zhengding Lu, Ji Jinwei Hu, and Xiaopu Ma i H d Xi M Huazhong University of Science and

625 views • 25 slides
static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows

static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows

static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows down the warming of the earth. Michiel Roos Netcreators What does it do? Ehrm . . . it caches static files? I mean . . . it statically caches

607 views • 46 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
1 STATIC BILLBOARDS ARE IMPORTANT TO OOH INTERNAL USE ONLY - DO NOT INCLUDE THIS PAGE WITH

1 STATIC BILLBOARDS ARE IMPORTANT TO OOH INTERNAL USE ONLY - DO NOT INCLUDE THIS PAGE WITH

TAKE YOUR MESSAGE FURTHER WITH STATIC OOH 1 STATIC BILLBOARDS ARE IMPORTANT TO OOH INTERNAL USE ONLY - DO NOT INCLUDE THIS PAGE WITH CLIENT PRESENTATION Static billboards are a key foundation of the OOH ad industry and will continue to be for

1.23k views • 93 slides
Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of Computer Science CAV 2017 ETH Zurich July 22-28, Heidelberg Writing a Static Analyzer Framework for Java Static Type Checker Static Type

805 views • 46 slides
Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static properties 2.2 Generative models for random graphs 2.3 Measures of node importance Summer Term 2010 Web Dynamics 2-1 Notation: Graphs

890 views • 58 slides
Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static properties 2.2 Generative models for random graphs 2.3 Measures of node importance Summer Term 2009 Web Dynamics 2 1 Notation: Graphs G=(V(G),E(G))

766 views • 57 slides
PV System Design and Sizing 2 3 Designing PV Systems Determine how much energy you want to

PV System Design and Sizing 2 3 Designing PV Systems Determine how much energy you want to

1 ESCI61 Introduction to Photovoltaic Technology Ridha Hamidi, Ph. D. Ridha Hamidi, Ph. D. PV System Design and Sizing 2 3 Designing PV Systems Determine how much energy you want to generate per year (or for specific time periods if

921 views • 46 slides
Agile Design and Development A Roundtable Discussion 2017 Exchange Network National Meeting

Agile Design and Development A Roundtable Discussion 2017 Exchange Network National Meeting

Agile Design and Development A Roundtable Discussion 2017 Exchange Network National Meeting Innovation and Partnership May 15-18, 2017 Sheraton Philadelphia Society Hill Hotel Philadelphia, Pennsylvania #EN2017

528 views • 7 slides
Power BI Administration Devin Knight dknight@pragmaticworks.com Assuming this goes well.

Power BI Administration Devin Knight dknight@pragmaticworks.com Assuming this goes well.

Power BI Administration Devin Knight dknight@pragmaticworks.com Assuming this goes well. President, Pragmatic Works Training Popup books about Microsoft Data Platform MVP maintaining a healthy Author of 7 books relationship with your

502 views • 13 slides
Encryption for Lawyers : The Time Has Come David G. Ries John W. Simek David G. Ries

Encryption for Lawyers : The Time Has Come David G. Ries John W. Simek David G. Ries

Encryption for Lawyers : The Time Has Come David G. Ries John W. Simek David G. Ries dries@clarkhill.com 412.394.7787 John W. Simek jsimek@senseient.com 703.359.0700 2 Why Encryption Is Needed Up to 70% of data breaches involve

455 views • 22 slides
The PBI Format Re-implemented for Free/PC-BSD Kris Moore PC-BSD / iXsystems kris@pcbsd.org

The PBI Format Re-implemented for Free/PC-BSD Kris Moore PC-BSD / iXsystems kris@pcbsd.org

The PBI Format Re-implemented for Free/PC-BSD Kris Moore PC-BSD / iXsystems kris@pcbsd.org http://www.pcbsd.org/~kris/pbi9-slides.pdf The PBI Format Re-implemented for Free/PC-BSD The legacy PBI format The PBI Format Re-implemented for

715 views • 37 slides
w = 0 l h x ijl s l Elena Mumford In total we move from v i to v i +1 x ij = 0 l

w = 0 l h x ijl s l Elena Mumford In total we move from v i to v i +1 x ij = 0 l

( x + pA + qB, y + qA pB ) for all A, B Z 16 th Q ( s ) E = Q ( s ) e 1 , . . . , e k We have Every element of Q ( s ) International Symposium i x = 0 y i = j y ij e j for all y i Y on Graph can be

1.39k views • 95 slides
CTE FACULTY FLEX DAY MEETING January 14, 2015 Dr. Karen Engel Director of Economic &

CTE FACULTY FLEX DAY MEETING January 14, 2015 Dr. Karen Engel Director of Economic &

CTE FACULTY FLEX DAY MEETING January 14, 2015 Dr. Karen Engel Director of Economic & Workforce Development Agenda Welcome & Introductions Workforce Innovation & Opportunity Act (WIOA) Whats trending in CTE funding and

501 views • 16 slides
Orient ntatio ion W Webina inar Fri riday, No November 1 r 17 2: 2:00 00-3: 3:30 E 30

Orient ntatio ion W Webina inar Fri riday, No November 1 r 17 2: 2:00 00-3: 3:30 E 30

Orient ntatio ion W Webina inar Fri riday, No November 1 r 17 2: 2:00 00-3: 3:30 E 30 EDT 1 2 3 HISTORY OF COLLABORATION T he issue o f c o o rdina tio n a c ro ss syste ms to se rve disa dva nta g e d yo uth ha s b e e n the

584 views • 30 slides

More recommend