Postquantum Cryptography: what, why, and how? SIMBA Enric Florit - - PowerPoint PPT Presentation



SLIDE 1

Postquantum Cryptography: what, why, and how?

SIMBA. Enric Florit Zacarías. November 27, 2019

SLIDE 2

  • Introduction: Diffie-Hellman
  • Why? Solving the DLP
  • What? Postquantum Cryptography
  • How? Isogenies and SIDH
  • References

SLIDE 3

Public-key cryptography

Imagine Alice and Bob want to communicate through a channel, but they’ve never met before. How can they agree on a secret key to encrypt their communications, using e.g. AES?

SLIDE 8

Diffie and Hellman (1976)

Use the group (Z/pZ)^× = ⟨α⟩. Alice chooses a private key 1 < a < p, and publishes A = α^a mod p. Bob chooses a private key 1 < b < p, and publishes B = α^b mod p. They may use the shared secret A^b ≡ B^a ≡ α^{ab} mod p.
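A worked instance of the exchange above, as an added example (not code from the talk): plain Python over (Z/pZ)^× with the textbook toy parameters p = 23, α = 5, which are an assumption chosen for readability, not a secure group size. Two checks are included that a practitioner adds in practice: `is_generator` confirms that α really has order p − 1 (the slide's (Z/pZ)^× = ⟨α⟩ is a precondition, not a given), and `dh_shared` rejects a received public value of 0, 1 or p − 1, because such values force the shared secret into a subgroup of order at most 2 regardless of the private key.

```python
import secrets


def is_generator(alpha, p, prime_factors_of_order):
    """True if alpha has order exactly p - 1 in (Z/pZ)^x, i.e. alpha generates the whole group.
    Assumes p is prime and prime_factors_of_order holds the distinct primes dividing p - 1."""
    if not 1 < alpha < p:
        return False
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors_of_order)


def dh_keygen(alpha, p, private=None):
    """Return (private, public) with public = alpha^private mod p.
    A fresh private key is drawn uniformly from [2, p - 2]; a fixed one may be passed for tests."""
    if private is None:
        private = 2 + secrets.randbelow(p - 3)
    if not 1 < private < p:
        raise ValueError("private key must satisfy 1 < x < p")
    return private, pow(alpha, private, p)


def dh_shared(their_public, my_private, p):
    """Shared secret their_public^my_private mod p, after validating the received value:
    0, 1 and p - 1 are rejected, since they force the secret into a subgroup of order <= 2."""
    if not 1 < their_public < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_public, my_private, p)


def run_exchange(p=23, alpha=5, a=4, b=3, order_factors=(2, 11)):
    """One exchange in the constructed toy group (Z/23Z)^x = <5> (p - 1 = 22 = 2 * 11).
    Returns (A, B, shared) after checking A^b = B^a = alpha^(ab) mod p as on the slide."""
    if not is_generator(alpha, p, order_factors):
        raise ValueError("alpha does not generate (Z/pZ)^x")
    a, A = dh_keygen(alpha, p, private=a)     # Alice: secret a, publishes A = alpha^a
    b, B = dh_keygen(alpha, p, private=b)     # Bob: secret b, publishes B = alpha^b
    s_alice = dh_shared(B, a, p)              # Alice computes B^a
    s_bob = dh_shared(A, b, p)                # Bob computes A^b
    if not s_alice == s_bob == pow(alpha, a * b, p):
        raise AssertionError("shared secrets disagree")
    return A, B, s_alice


if __name__ == "__main__":
    print(run_exchange())   # (4, 10, 18)
```

With p = 23 the secret is trivially recoverable by exhaustive search, which is exactly the point of the next section: the security of the exchange rests entirely on the hardness of the DLP and DHP in the chosen group.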

SLIDE 10

Computational problems

Problem (Discrete Logarithm - DLP)

Given a cyclic group G = ⟨α⟩ and an element β ∈ G, find x ∈ Z such that β = α^x.

Problem (Diffie-Hellman - DHP)

Given a cyclic group G = ⟨α⟩ and elements α^a, α^b ∈ G, find α^{ab}.

SLIDE 12

Why? Solving the DLP

Let’s see some algorithms to solve for discrete logarithms!

Problem (Discrete Logarithm - DLP)

Given a cyclic group G = ⟨α⟩ and an element β ∈ G, find x ∈ Z such that β = α^x.

SLIDE 16

Baby step – giant step

Let m > √N be an integer. Then for every x ≤ N, x = am + b, with 0 ≤ a, b < m.

  • 1. Compute and store α^b, for 0 ≤ b < m.
  • 2. Compute βα^{−am}, for 0 ≤ a < m, and check for a match βα^{−am} = α^b.
  • 3. If so, β = α^{am+b} and x = am + b.

SLIDE 18

Pohlig-Hellman

Idea: factor N = ∏_{i=1}^{r} p_i^{e_i}, and obtain x mod p_i^{e_i} for each i. Then use the Chinese Remainder Theorem to combine the information.

If p^e | N, then α^{N/p^e} has order p^e, and β^{N/p^e} = (α^{N/p^e})^x. We can compute x mod p^e!

*Only useful if N is smooth (all prime factors are small).
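The two algorithms of this and the previous slide, as an added Python example (not code from the talk): `bsgs` implements the three baby-step giant-step steps, and `pohlig_hellman` uses it as the subroutine for each prime power dividing N, recovering x mod p^e one base-p digit at a time and combining the residues with the Chinese Remainder Theorem. The group (Z/12289Z)^× is a constructed test case chosen because its order 12288 = 2^12 · 3 is smooth; `factor` and `find_generator` are small helpers assumed here and are only adequate for toy sizes.

```python
from math import isqrt


def bsgs(alpha, beta, p, N):
    """Baby-step giant-step for alpha^x = beta (mod p), with N an upper bound on the order
    of alpha. Returns the smallest x < m^2 (m > sqrt(N)) or None. Time and memory O(sqrt(N))."""
    m = isqrt(N) + 1                        # m > sqrt(N), so every x <= N is a*m + b with 0 <= a, b < m
    baby = {}                               # 1. store alpha^b for 0 <= b < m
    cur = 1
    for b in range(m):
        baby.setdefault(cur, b)
        cur = cur * alpha % p
    step = pow(alpha, -m, p)                # alpha^(-m): one multiplication per giant step
    gamma = beta % p                        # 2. gamma = beta * alpha^(-a m)
    for a in range(m):
        if gamma in baby:                   # match beta * alpha^(-a m) = alpha^b ...
            return a * m + baby[gamma]      # 3. ... hence beta = alpha^(a m + b)
        gamma = gamma * step % p
    return None


def factor(n):
    """Trial-division factorisation {q: e} with n = prod q^e. Only meant for toy sizes."""
    fac, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            fac[q] = fac.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        fac[n] = fac.get(n, 0) + 1
    return fac


def crt(residues):
    """Combine [(r_i, m_i)] with pairwise coprime m_i into the x with x = r_i (mod m_i) for all i."""
    x, mod = 0, 1
    for r, m in residues:
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x % mod


def pohlig_hellman(alpha, beta, p, N):
    """Solve alpha^x = beta (mod p) when alpha has order N. For each q^e dividing N exactly,
    recover x mod q^e digit by digit: each base-q digit is a DLP in the subgroup of order q
    (solved with bsgs). The CRT then combines the residues. Cheap exactly when N is smooth."""
    residues = []
    for q, e in factor(N).items():
        gamma = pow(alpha, N // q, p)       # alpha^(N/q) has order q
        x_q = 0                             # x mod q^k, built one base-q digit at a time
        for k in range(e):
            # strip the digits already known from beta, then project into the order-q subgroup
            h = pow(beta * pow(alpha, -x_q, p) % p, N // q ** (k + 1), p)
            d = bsgs(gamma, h, p, q)
            if d is None:
                return None
            x_q += d * q ** k
        residues.append((x_q, q ** e))
    return crt(residues)


def find_generator(p):
    """Smallest generator of (Z/pZ)^x for prime p, checked via the factorisation of p - 1."""
    primes = factor(p - 1)
    return next(g for g in range(2, p) if all(pow(g, (p - 1) // q, p) != 1 for q in primes))


def demo(p=12289, x=4321):
    """Constructed test case: p - 1 = 12288 = 2^12 * 3 is smooth. Returns (alpha, x_bsgs, x_ph)."""
    N = p - 1
    alpha = find_generator(p)
    beta = pow(alpha, x, p)
    return alpha, bsgs(alpha, beta, p, N), pohlig_hellman(alpha, beta, p, N)


if __name__ == "__main__":
    print(demo())
```

The digit step relies on α having order exactly N: after removing the known low digits, (β α^{−x_q})^{N/q^{k+1}} collapses to γ^{d} with γ = α^{N/q} of order q, so each digit costs a DLP of size q instead of N. This is why the complexity table later in the talk charges only √p_i per prime factor, and why a prime-order (or large-prime-factor) subgroup is the standard defence.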

SLIDE 23

Index calculus

It applies to finite fields: Z/pZ and F_{p^r}.

  • 1. Choose a factor base S. For each g_i ∈ S we will compute the integer y_i for which g_i = α^{y_i}.
  • 2. Find a relation of the form α^k β = ∏_{i=1}^{t} g_i^{e_i}.
  • 3. The discrete logarithm will be x = log_α(β) = ∑_{i=1}^{t} e_i log_α(g_i) − k = ∑_{i=1}^{t} e_i y_i − k.
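Steps 2 and 3 above, as an added Python example (not from the talk). Step 1, the logarithms y_i of the factor base, is where the real algorithm spends its effort collecting relations among smooth powers of α and solving a linear system mod p − 1; to keep this example short, those y_i are obtained by brute force in a toy group, which is an assumption of this example and not part of the method. What the code does show is the part that makes the method subexponential: multiply β by successive powers of α until the result is smooth over S, then read off x = ∑ e_i y_i − k mod (p − 1). The instance p = 10007, α = 5 is constructed; p − 1 = 2 · 5003 is not smooth, so Pohlig-Hellman gains nothing here, whereas index calculus does not care.

```python
def smooth_exponents(v, factor_base):
    """If v factors completely over factor_base, return its exponent vector [e_1, ..., e_t],
    otherwise None. v = 0 is never smooth (and would loop forever without the guard)."""
    if v == 0:
        return None
    exps = []
    for g in factor_base:
        e = 0
        while v % g == 0:
            v //= g
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def factor_base_logs(alpha, p, factor_base):
    """Step 1, toy version: y_i with g_i = alpha^y_i found by walking through the powers of
    alpha. In the real algorithm these come from relations and a linear solve mod p - 1."""
    logs, cur = {}, 1
    for y in range(p - 1):                   # invariant: cur = alpha^y mod p
        if cur in factor_base and cur not in logs:
            logs[cur] = y
        cur = cur * alpha % p
    if len(logs) != len(factor_base):
        raise ValueError("alpha does not generate every factor-base element")
    return logs


def index_calculus(alpha, beta, p, factor_base, logs):
    """Steps 2-3: find k with alpha^k * beta = prod g_i^e_i (mod p), then
    x = sum(e_i * y_i) - k (mod p - 1). Returns (x, k, exponent vector) or None."""
    N = p - 1
    v = beta % p
    for k in range(N):                       # invariant: v = alpha^k * beta mod p
        exps = smooth_exponents(v, factor_base)
        if exps is not None:
            x = (sum(e * logs[g] for g, e in zip(factor_base, exps)) - k) % N
            return x, k, exps
        v = v * alpha % p
    return None


def demo(p=10007, alpha=5, x=6174, factor_base=(2, 3, 5, 7, 11, 13)):
    """Constructed toy instance: p = 10007 is prime and 5 generates (Z/pZ)^x."""
    logs = factor_base_logs(alpha, p, factor_base)
    beta = pow(alpha, x, p)
    return index_calculus(alpha, beta, p, factor_base, logs)


if __name__ == "__main__":
    print(demo())
```

The relation search succeeds quickly because a constant fraction of the group elements are smooth over a small factor base; choosing the base size to balance the cost of finding relations against the cost of the linear algebra is what yields the L_n[1/2, ·] bound quoted on the next slide.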

SLIDE 26

Index calculus

This algorithm has the best complexity: it is subexponential! L_n[t, γ] = e^{(γ + o(1)) (log n)^t (log log n)^{1−t}}. If t = 0, then L_n[0, γ] = (log n)^{γ+o(1)} is polynomial in log n. If t = 1, then L_n[1, γ] = n^{γ+o(1)} is exponential in log n.

SLIDE 27

Summary of complexities

Algorithm                  | Complexity
---------------------------|-----------------------------------------
Exhaustive search          | O(N)
Baby step – giant step     | Time O(√N), memory O(√N)
Pohlig-Hellman             | O(∑_{i=1}^{r} e_i (log N + √p_i))
Index calculus in F_{p^n}  | L_{p^n}[1/2, √2]
NFS-DLP in F_{p^n}         | L_{p^n}[1/3, c]

Table: Algorithms solving DLP in a group of order N = ∏_{i=1}^{r} p_i^{e_i}.

SLIDE 28

Shor’s algorithm

In 1994, Peter Shor [Sho94] published a quantum algorithm that would factor integers and solve discrete logarithms in polynomial time... ... but don’t worry, because quantum computers are just theoretical.

Right?

Right?

SLIDE 32

Why Post-Quantum Cryptography, then?

PQCRYPTO EU-Project: “The EU and governments around the world are investing heavily in building quantum computers; society needs to be prepared for the consequences, including cryptanalytic attacks accelerated by these computers.” [Lan15]

SLIDE 33

Why Post-Quantum Cryptography, then?

NIST’s Report on Post-Quantum Cryptography: “Some experts even predict that within the next 20 or so years, sufficiently large quantum computers will be built to break essentially all public key schemes currently in use.” [Moo+16]

SLIDE 35

What is Postquantum Cryptography?

A postquantum cryptosystem must meet two requirements:

  • 1. It must be efficient to use with existing hardware.
  • 2. It must be resistant both to classical and quantum adversaries.

SLIDE 38

What do we need to develop?

We can’t use ciphers based on discrete logarithms (Diffie-Hellman) or integer factorization (RSA). That is, we need to look for new kinds of asymmetric encryption. However, “symmetric algorithms [...] should be usable in a quantum era”, because breaking them usually involves brute-force search in the key space, and “doubling the key size will be sufficient to preserve security” [Moo+16].

SLIDE 40

What techniques are involved in PQ Cryptography?

  • Lattice-based cryptography
  • Code-based cryptography
  • Isogeny-based cryptography

SLIDE 43

Elliptic curves

Let K be a field of characteristic different from 2, 3, and A, B ∈ K ⊆ L with 4A^3 + 27B^2 ≠ 0. An elliptic curve E is the set of points (x, y) that satisfy the equation E: y^2 = x^3 + Ax + B. More precisely, we define the set of L-rational points, E(L) := {(x, y) ∈ L × L | y^2 = x^3 + Ax + B} ∪ {O}. In homogeneous coordinates, the equation is y^2 z = x^3 + A x z^2 + B z^3, and O = (0 : 1 : 0) is the only point at infinity.

SLIDE 45

Elliptic curves are groups

Given two points P, Q ∈ E(K), we define an operation + on the points:

Theorem

The set E(K) with the operation + is an abelian group.

SLIDE 48

The j-invariant

Given a curve E: y^2 = x^3 + Ax + B, its j-invariant is j(E) = 1728 · 4A^3 / (4A^3 + 27B^2). Two curves are isomorphic over K̄ if and only if they have the same j-invariant. For each j_0 ∈ K̄, there exists a curve E with j(E) = j_0.

SLIDE 50

Isogenies

Given two elliptic curves E_1, E_2 over K, an isogeny between them is a non-constant map ϕ: E_1(K̄) → E_2(K̄) that is both a morphism of algebraic curves and a group homomorphism. Isogenies can be put in a standard form: ϕ(x, y) = ( p(x)/q(x), y · s(x)/t(x) ).

SLIDE 52

Multiplication by n

The multiplication-by-n map [n]: E → E is an isogeny for all non-zero n ∈ Z. Its kernel is written E[n], the group of n-torsion points. Let p = char K. For any prime ℓ ≠ p, we have E[ℓ^n] ≅ Z/ℓ^nZ × Z/ℓ^nZ. This group has ℓ^{n−1}(ℓ + 1) cyclic subgroups of order ℓ^n.

SLIDE 54

Quotient curve

Every isogeny ϕ: E_1 → E_2 has finite kernel, a subgroup G ⊂ E_1(K̄).

Theorem

Let E_1 be an elliptic curve over K, and let G be a finite subgroup of E_1(K̄). There exist a curve E_2 and an isogeny ϕ: E_1 → E_2 such that ker ϕ = G. Moreover, ϕ and E_2 are unique up to isomorphism. We will write E_2 = E_1/G.

SLIDE 55

Hasse’s theorem

Theorem

Let E be an elliptic curve defined over a finite field F_q, q = p^r. The number of F_q-rational points of E is #E(F_q) = q + 1 − t, with |t| ≤ 2√q.

SLIDE 56

Supersingular curves

Theorem

Let E be a curve over a finite field F_q, q = p^r. The following are equivalent (TFAE):

  • E is supersingular.
  • E[p] = {O}.
  • [p] is purely inseparable.
  • #E(F_q) = q + 1 − t, with t ≡ 0 mod p.
  • End(E) ⊗_Z Q is a quaternion algebra.

Given a prime p, there are about p/12 supersingular elliptic curve isomorphism classes defined over F̄_p.
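The elliptic-curve slides above in one runnable piece, as an added Python example (not the talk's code): affine chord-and-tangent addition on y^2 = x^3 + Ax + B over F_p (the group operation + of the "Elliptic curves are groups" slide), the j-invariant formula from the j-invariant slide, naive point counting so that Hasse's bound can be checked, and the trace t = p + 1 − #E(F_p), which for a supersingular curve over F_p must be ≡ 0 mod p, so by Hasse's bound t = 0 for p ≥ 5. The test curve E0: y^2 = x^3 + x over F_863, with p = 863 = 2^5 · 3^3 − 1 taken from the SIDH figure later in the talk, is an assumption chosen to tie the slides together; the curve y^2 = x^3 + x + 1 over F_5 is constructed for the test. `find_point` assumes p ≡ 3 mod 4 so that square roots are a single exponentiation.

```python
INF = None   # the point at infinity O, identity of the group


def check_curve(A, B, p):
    """Raise if the Weierstrass equation is singular (discriminant 4A^3 + 27B^2 = 0 in F_p)."""
    if (4 * A**3 + 27 * B**2) % p == 0:
        raise ValueError("singular curve")


def j_invariant(A, B, p):
    """j(E) = 1728 * 4A^3 / (4A^3 + 27B^2) in F_p (the slide's formula, with division mod p)."""
    check_curve(A, B, p)
    return 1728 * 4 * A**3 * pow(4 * A**3 + 27 * B**2, -1, p) % p


def is_on_curve(P, A, B, p):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x**3 + A * x + B)) % p == 0


def ec_add(P, Q, A, p):
    """P + Q by the chord (P != Q) or tangent (P == Q) rule; -(x, y) = (x, -y)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                        # P + (-P) = O; also covers doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(n, P, A, p):
    """[n]P by double-and-add, n >= 0."""
    R, Q = INF, P
    while n:
        if n & 1:
            R = ec_add(R, Q, A, p)
        Q = ec_add(Q, Q, A, p)
        n >>= 1
    return R


def count_points(A, B, p):
    """#E(F_p): for each x there are 1 + legendre(x^3 + Ax + B) values of y, plus the point O."""
    total = 1
    for x in range(p):
        rhs = (x**3 + A * x + B) % p
        if rhs == 0:
            total += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:   # Euler's criterion: rhs is a nonzero square
            total += 2
    return total


def trace(A, B, p):
    """t = p + 1 - #E(F_p). Hasse: |t| <= 2 sqrt(p). Supersingular over F_p <=> t = 0 mod p."""
    t = p + 1 - count_points(A, B, p)
    if t * t > 4 * p:
        raise AssertionError("Hasse bound violated: point count is wrong")
    return t


def find_point(A, B, p):
    """An affine point with x >= 1 on E(F_p), for p = 3 mod 4 (sqrt(a) = a^((p+1)/4) if a is a square)."""
    for x in range(1, p):
        rhs = (x**3 + A * x + B) % p
        y = pow(rhs, (p + 1) // 4, p)
        if (y * y - rhs) % p == 0:
            return (x, y)


def supersingular_demo(p=863):
    """E0: y^2 = x^3 + x over F_863 (p = 2^5 3^3 - 1 as in the talk). Returns (#E0(F_p), t, j(E0))."""
    return count_points(1, 0, p), trace(1, 0, p), j_invariant(1, 0, p)


if __name__ == "__main__":
    print(supersingular_demo())   # (864, 0, 2)
```

For E0 the count comes out as exactly p + 1 = 864 = 2^5 · 3^3, so t = 0 ≡ 0 mod p, in line with the equivalence on this slide; the SIDH setting slides then extend the base field to F_{p^2} to get (p + 1)^2 points and the full 2^{e_A}- and 3^{e_B}-torsion.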

SLIDE 59

Supersingular Isogeny Diffie-Hellman - Setting

Let p = 2^{e_A} 3^{e_B} − 1 be a prime with 2^{e_A} ≈ 3^{e_B}, and set K = F_{p^2}. The curve E_0: y^2 = x^3 + x is supersingular, and #E_0(F_{p^2}) = (p + 1)^2 = (2^{e_A} 3^{e_B})^2. We have E_0[2^{e_A}] = ⟨P_A, Q_A⟩, E_0[3^{e_B}] = ⟨P_B, Q_B⟩ ⊂ E_0(F_{p^2}).

SLIDE 61

SIDH - Private keys

Alice chooses a pair (m_A, n_A) ∈ Z/2^{e_A}Z × Z/2^{e_A}Z (not both divisible by 2). This is her private key. Bob chooses a pair (m_B, n_B) ∈ Z/3^{e_B}Z × Z/3^{e_B}Z (not both divisible by 3). This is his private key.
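Where the size of the private-key space comes from, as an added Python example (not from the talk): the "Multiplication by n" slide states that E[ℓ^n] ≅ Z/ℓ^nZ × Z/ℓ^nZ has ℓ^{n−1}(ℓ + 1) cyclic subgroups of order ℓ^n, and the private key (m, n) above, not both divisible by ℓ, selects one of them as the kernel ⟨[m]P + [n]Q⟩. The code works in the abstract group Z/ℓ^eZ × Z/ℓ^eZ rather than on a curve (an assumption to keep it short; the isomorphism makes the count the same) and checks the count for Alice's 2^5 and Bob's 3^3 from the p = 863 figure. Note that the talk predates the 2022 key-recovery attacks on SIDH (Castryck and Decru, and follow-up work), which use the published auxiliary torsion points; the count here describes the protocol's structure, not its security.

```python
from itertools import product


def cyclic_subgroup(m, n, l, e):
    """The cyclic subgroup <(m, n)> of Z/l^e x Z/l^e, as a frozenset of its elements."""
    N = l ** e
    return frozenset(((k * m) % N, (k * n) % N) for k in range(N))


def is_valid_key(m, n, l):
    """The private-key rule from the slide: m and n must not both be divisible by l."""
    return m % l != 0 or n % l != 0


def subgroup_order(m, n, l, e):
    return len(cyclic_subgroup(m, n, l, e))


def count_kernels(l, e):
    """Number of distinct kernels <(m, n)> over all valid keys (m, n) in Z/l^e x Z/l^e.
    Expected: l^(e-1) (l + 1), the count on the 'Multiplication by n' slide."""
    N = l ** e
    kernels = {cyclic_subgroup(m, n, l, e)
               for m, n in product(range(N), repeat=2) if is_valid_key(m, n, l)}
    # a valid key has a unit coordinate mod l, so its subgroup always has full order l^e
    if any(len(G) != N for G in kernels):
        raise AssertionError("a valid key produced a kernel of the wrong order")
    return len(kernels)


def keys_per_kernel(l, e):
    """How many valid (m, n) pairs select the same kernel: the phi(l^e) generators of each one."""
    N = l ** e
    valid = sum(1 for m, n in product(range(N), repeat=2) if is_valid_key(m, n, l))
    return valid // count_kernels(l, e)


def sidh_toy_keyspace(e_A=5, e_B=3):
    """Alice's and Bob's kernel counts for p = 2^5 3^3 - 1 = 863 (the talk's toy parameters)."""
    return count_kernels(2, e_A), count_kernels(3, e_B)


if __name__ == "__main__":
    print(sidh_toy_keyspace())   # (48, 36)
```

Two consequences follow directly. First, the number of possible secret isogenies is ℓ^{e−1}(ℓ + 1), not ℓ^{2e}: many (m, n) pairs, namely φ(ℓ^e) of them, generate the same kernel and are the same key. Second, a pair with both entries divisible by ℓ is excluded because it generates a subgroup of order smaller than ℓ^e (`subgroup_order(2, 4, 2, 5)` is 16, not 32), so it would not be a valid degree-ℓ^e isogeny kernel at all.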

SLIDE 65

SIDH - Key exchange

The slide draws the protocol as a commutative square of isogenies:

  • Alice: φ_A : E_0 → E_A = E_0/⟨[m_A]P_A + [n_A]Q_A⟩. She publishes E_A together with φ_A(P_B), φ_A(Q_B).
  • Bob: φ_B : E_0 → E_B = E_0/⟨[m_B]P_B + [n_B]Q_B⟩. He publishes E_B together with φ_B(P_A), φ_B(Q_A).
  • Alice: φ'_A : E_B → E_AB, with kernel ⟨[m_A]φ_B(P_A) + [n_A]φ_B(Q_A)⟩.
  • Bob: φ'_B : E_A → E_AB, with kernel ⟨[m_B]φ_A(P_B) + [n_B]φ_A(Q_B)⟩.
  • Both arrive at the same curve E_AB (up to isomorphism) and share j_AB = j(E_AB).

SLIDE 66

SIDH - Key exchange

Figure: SIDH graph with p = 2^5 · 3^3 − 1 = 863.

SLIDE 67

Computational problems

Problem (Supersingular Isogeny problem (CSSI))

Let ϕ_A : E_0 → E_A be an isogeny with kernel ⟨[m_A]P_A + [n_A]Q_A⟩, where m_A, n_A are chosen randomly in Z/ℓ_A^{e_A}Z and not both divisible by ℓ_A. Given the curves E_0, E_A and the values ϕ_A(P_B) and ϕ_A(Q_B), find a generator R_A of ⟨[m_A]P_A + [n_A]Q_A⟩. Analog to DLP in the Diffie-Hellman setting.

SLIDE 68

Computational problems

Problem (Supersingular D.-H. problem (SSCDH))

Let ϕ_A : E_0 → E_A = E_0/⟨[m_A]P_A + [n_A]Q_A⟩ and ϕ_B : E_0 → E_B = E_0/⟨[m_B]P_B + [n_B]Q_B⟩ be isogenies defined as in the SIDH protocol. Given the curves E_A, E_B and the points ϕ_A(P_B), ϕ_A(Q_B), ϕ_B(P_A), ϕ_B(Q_A), find the j-invariant of the curve E_0/⟨[m_A]P_A + [n_A]Q_A, [m_B]P_B + [n_B]Q_B⟩. Analog to DHP in the Diffie-Hellman setting.


SLIDE 69


SIDH security

  • The same problems in the ordinary (i.e., non-supersingular) case can be solved with a quantum computer in subexponential time.

  • The best strategy to break SIDH is almost brute-force, at O(p^{1/4}) and O(p^{1/6}) (exponential in log p ∼ eA, eB).

  • It looks like the auxiliary points (ϕA(PB) and so on) are revealing too much information, but so far nobody* has been able to exploit them.


SLIDE 70


SIDH/SIKE in production

Figure: Comparison between lattice-based HRSS-SXY and isogeny-based SIKE [Kwi19].


SLIDE 71


SIDH/SIKE in production

Figure: Ostrich vs turkey [KV19].


SLIDE 72


Conclusions

  • Public-key cryptosystems based on RSA and Diffie-Hellman could be broken in a few years.

  • There are current efforts to find and test new postquantum standards.

  • SIDH/SIKE is the most prominent isogeny-based cryptography proposal; however, there are other constructions to explore (CGL, CSIDH, higher genus...).


SLIDE 73

References I

[FJP11] Luca De Feo, David Jao, and Jérôme Plût. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Cryptology ePrint Archive, Report 2011/506. https://eprint.iacr.org/2011/506. 2011.

[Gor11] Dan Gordon. “Discrete Logarithm Problem”. In: Encyclopedia of Cryptography and Security. Ed. by Henk C. A. van Tilborg and Sushil Jajodia. Boston, MA: Springer US, 2011, pp. 352–353. isbn: 978-1-4419-5906-5. url: https://doi.org/10.1007/978-1-4419-5906-5_445.

SLIDE 74

References II

[KV19] Kris Kwiatkowski and Luke Valenta. The TLS Post-Quantum Experiment. Last accessed 24 November 2019. Oct. 2019. url: https://blog.cloudflare.com/the-tls-post-quantum-experiment/.

[Kwi19] Kris Kwiatkowski. Towards Post-Quantum Cryptography in TLS. Last accessed 24 November 2019. June 2019. url: https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/.

[Lan15] Tanja Lange. “Initial recommendations of long-term secure post-quantum systems”. In: 2015.

SLIDE 75

References III

[Moo+16] Dustin Moody et al. “NIST Report on Post-Quantum Cryptography”. In: (Apr. 2016). doi: 10.6028/NIST.IR.8105.

[Ngu11] Kim Nguyen. “Index Calculus Method”. In: Encyclopedia of Cryptography and Security. Ed. by Henk C. A. van Tilborg and Sushil Jajodia. Boston, MA: Springer US, 2011, pp. 597–600. isbn: 978-1-4419-5906-5. url: https://doi.org/10.1007/978-1-4419-5906-5_454.

SLIDE 76

References IV

[Sho94] Peter W. Shor. “Algorithms for Quantum Computation: Discrete Logarithms and Factoring”. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science. SFCS ’94. Washington, DC, USA: IEEE Computer Society, 1994, pp. 124–134. isbn: 0-8186-6580-7.

[Sil09] J. H. Silverman. The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Springer New York, 2009. isbn: 9780387094946.

[Was08] Lawrence Washington. Elliptic Curves: Number Theory and Cryptography. 2008. isbn: 1420071467.

SLIDE 77


Thank you!
