SLIDE 1

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves

A Brief Survey

João Paulo da Silva, Ricardo Dahab, Julio López

Institute of Computing – University of Campinas

Latin American Week on Coding and Information 2018

SLIDE 2

Agenda

  • Introduction
  • Isogenies
  • Cryptographic Constructions
  • Underlying Problems and Cryptanalysis
  • Remarks
  • Bibliography

SLIDE 3

Introduction

SLIDE 4

Motivation

In August 2015, the NSA announced plans to transition to quantum-resistant algorithms; NIST then published a call for post-quantum candidate algorithms with a submission deadline of November 30, 2017.

SLIDE 5

Motivation

Why Isogenies?

  • Possibility of the emergence of a large-scale quantum computer running Shor's algorithm, which breaks RSA and ordinary elliptic-curve cryptography;
  • Isogenies emerge as a new candidate for constructing cryptographic primitives for the post-quantum world;
  • Using supersingular elliptic curves, the best known algorithms for computing an isogeny between two given curves remain exponential even in the quantum model (the subexponential quantum attack on ordinary curves relies on the commutative endomorphism ring and does not apply).

SLIDE 6

Retrospective

  • 1996: Couveignes describes the use of isogenies in cryptography (hard homogeneous spaces), but the work is only published in 2006;
  • 2009: Charles, Goren and Lauter present hash function constructions based on isogeny graphs;
  • 2010: Stolbunov presents the first published isogeny-based public-key cryptosystem, using isogenies between ordinary curves;
  • 2010: Childs, Jao and Soukharev present a quantum subexponential attack on Stolbunov's public-key cryptosystem;
  • 2011: Jao and De Feo present the Supersingular Isogeny Diffie-Hellman (SIDH) key exchange and an identification protocol;
  • 2017: Jao et al. propose Supersingular Isogeny Key Encapsulation (SIKE) as a submission to the NIST PQC call;
  • 2018: Castryck et al. propose CSIDH (Commutative SIDH), based on Couveignes' construction.


SLIDE 13

Elliptic Curves

An elliptic curve $E$ over a field $K = \mathbb{F}_q$ is a plane algebraic curve defined by an equation of the form $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ with $a_1, a_2, \ldots, a_6 \in \mathbb{F}_q$.

  • Short Weierstrass model: $y^2 = x^3 + Ax + B$ with $A, B \in \mathbb{F}_q$;
  • Non-singularity condition: $4A^3 + 27B^2 \neq 0$;
  • $E(\mathbb{F}_q) = \{(x, y) \in \mathbb{F}_q \times \mathbb{F}_q : y^2 = x^3 + Ax + B\} \cup \{O\}$ forms an abelian group, with $O$ (the point at infinity) as identity;
  • Hasse's Theorem: $\#E(\mathbb{F}_q) = q + 1 - t$ with $|t| \leq 2\sqrt{q}$;
  • $E$ is a supersingular curve over $\mathbb{F}_q$, $q = p^n$, if and only if $t \equiv 0 \pmod p$.

SLIDE 14

Isogenies

SLIDE 15

Isogenies

  • An isogeny is a non-constant rational map that is also a group homomorphism: $\varphi : E_1 \to E_2$ with $\varphi(P + Q) = \varphi(P) + \varphi(Q)$ for all $P, Q \in E_1$;
  • Up to isomorphism of the target curve, an isogeny is determined by its kernel;
  • For a separable isogeny, the degree is the number of points in its kernel;
  • In coordinates, $\varphi(x, y) = \left( \dfrac{f_1(x, y)}{g_1(x, y)}, \dfrac{f_2(x, y)}{g_2(x, y)} \right)$ with $\varphi(O) = O$ and $f_i, g_i$ ($i \in \{1, 2\}$) polynomials.

SLIDE 16

Isogenies: Vélu's Formula

Let $E : y^2 = x^3 + Ax + B$ and let $F$ be the kernel of a separable isogeny of odd degree $\ell$. Since $\ell$ is odd, $F$ contains no point of order 2, and its non-zero points split as $F \setminus \{O\} = F^+ \cup F^-$ with $F^- = -F^+$ (one point of each pair $\{P, -P\}$ in $F^+$). Vélu's formula gives the $\ell$-isogeny $\varphi = (\varphi_x, \varphi_y) : E \to E'$ with kernel $F$:

$$\varphi_x(x, y) = x + \sum_{P \in F^+} \left( \frac{v_P}{x - x_P} + \frac{u_P}{(x - x_P)^2} \right)$$

$$\varphi_y(x, y) = y - \sum_{P \in F^+} \left( u_P \frac{2y}{(x - x_P)^3} + \frac{v_P (y - y_P) - g^x_P\, g^y_P}{(x - x_P)^2} \right)$$

where, for $P = (x_P, y_P)$,

$$g^x_P = 3x_P^2 + A, \qquad g^y_P = -2y_P, \qquad u_P = (g^y_P)^2, \qquad v_P = 2g^x_P,$$

$$v = \sum_{P \in F^+} v_P, \qquad w = \sum_{P \in F^+} \left( u_P + x_P v_P \right).$$

The image curve is $E' : y^2 = x^3 + (A - 5v)x + (B - 7w)$. (Points of $F$ itself are mapped to $O$; the formula is evaluated only at points outside the kernel.)

SLIDE 17

Cryptographic Constructions

SLIDE 18

Cryptographic Constructions

  • Hash functions:
    • Javad Doliskani, Geovandro C. C. F. Pereira and Paulo S. L. M. Barreto [DPB17];
    • Denis X. Charles, Eyal Z. Goren and Kristin E. Lauter [CGL06].
  • Digital signatures:
    • Steven D. Galbraith, Christophe Petit and Javier Silva [GPS16].
  • Encryption and key exchange:
    • Castryck, W., Lange, T., Martindale, C., Panny, L., and Renes, J. [CLMPR18];
    • Takeshi Koshiba and Katsuyuki Takashima [KT16];
    • Luca De Feo, David Jao and Jérôme Plût [FJP11].

SLIDE 19

SIDH - Supersingular Isogeny based Diffie-Hellman

Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies [FJP11]

  • Public parameters:
    • a prime $p = \ell_A^{e_A} \ell_B^{e_B} f \pm 1$, where $\ell_A, \ell_B$ are small distinct primes, $e_A, e_B \in \mathbb{N}$ and $f$ is a small cofactor;
    • $E_0$, a supersingular elliptic curve over $\mathbb{F}_{p^2}$;
    • $P_A, Q_A, P_B, Q_B \in E_0(\mathbb{F}_{p^2})$ such that $\langle P_A, Q_A \rangle = E_0[\ell_A^{e_A}]$ and $\langle P_B, Q_B \rangle = E_0[\ell_B^{e_B}]$.
  • Private parameters:
    • $m_A, n_A \in_R \mathbb{Z}/\ell_A^{e_A}\mathbb{Z}$ such that $\ell_A \nmid m_A$ or $\ell_A \nmid n_A$;
    • $m_B, n_B \in_R \mathbb{Z}/\ell_B^{e_B}\mathbb{Z}$ such that $\ell_B \nmid m_B$ or $\ell_B \nmid n_B$.

SLIDE 20

SIDH - Supersingular Isogeny based Diffie-Hellman

Figure 1: SIDH [FJP11].


SLIDE 22

SIDH Computations

There are two main computations needed to perform the SIDH protocol:

  • Kernel point generation:
    • from $P_A, Q_A \in E_0(\mathbb{F}_{p^2})$ compute $R_A = [m_A]P_A + [n_A]Q_A$;
    • from $P_B, Q_B \in E_0(\mathbb{F}_{p^2})$ compute $R_B = [m_B]P_B + [n_B]Q_B$.
  • Smooth large-degree isogenies:
    • given a supersingular elliptic curve $E$ and the kernel points $R_A, R_B$,
    • compute the isogenies $\varphi_A$ and $\varphi_B$, of degree $\ell_A^{e_A}$ and $\ell_B^{e_B}$, by iteratively computing $e_A$ isogenies of degree $\ell_A$ and $e_B$ isogenies of degree $\ell_B$ (each step uses Vélu's formula on a kernel point of order $\ell$).

Figure 2: SIDH computations [FJP11].
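The following Python program is an added worked example (it is not code from the talk, nor the SIDH authors' implementation) that runs slide 16 and slides 19 to 22 end to end: $\mathbb{F}_{p^2}$ arithmetic, short-Weierstrass point arithmetic, Vélu's formula for an odd-prime-degree isogeny, the iterative computation of a smooth large-degree isogeny with the other party's basis pushed through, and a complete SIDH key agreement in which both sides must arrive at the same $j$-invariant. All parameters are constructed toy values, chosen so that the slide-16 formula applies unchanged (odd $\ell_A, \ell_B$): $p = 3^3 \cdot 5^2 \cdot 4 - 1 = 2699$, $E_0 : y^2 = x^3 + x$, $\ell_A = 3, e_A = 3, \ell_B = 5, e_B = 2$. The torsion-basis search exploits $E_0(\mathbb{F}_{p^2}) \cong \mathbb{Z}/(p+1) \times \mathbb{Z}/(p+1)$ for this particular $E_0$ and is not a general method. The instance is far too small to be secure, and SIDH itself was broken in 2022 by the Castryck-Decru key-recovery attack; the code is for understanding the 2018 construction, not for use. The function names (fadd, velu, isogeny_chain, torsion_basis, sidh) are this example's own.

```python
# Toy SIDH over F_{p^2} using Velu's formula in short Weierstrass form (slides 16, 19, 22).
# Constructed parameters (assumptions, NOT a secure instance): p = 3^3 * 5^2 * 4 - 1 = 2699,
# ell_A = 3, e_A = 3, ell_B = 5, e_B = 2, E0 : y^2 = x^3 + x (supersingular since p = 3 mod 4).
p = 2699
lA, eA, lB, eB = 3, 3, 5, 2
assert p == lA**eA * lB**eB * 4 - 1 and p % 4 == 3

# --- F_{p^2} = F_p(i) with i^2 = -1; the element a + b*i is the tuple (a, b) ---
def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def fsc(k, u): return (k * u[0] % p, k * u[1] % p)        # integer k times u
def finv(u):                                               # (a + bi)^-1 = (a - bi) / (a^2 + b^2)
    n = pow(u[0]*u[0] + u[1]*u[1], p - 2, p)
    return (u[0]*n % p, -u[1]*n % p)

# --- curves E = (A, B) for y^2 = x^3 + Ax + B; points are (x, y) tuples, None is O ---
def on_curve(E, P):
    x, y = P
    return fmul(y, y) == fadd(fmul(x, fmul(x, x)), fadd(fmul(E[0], x), E[1]))

def add(E, P, Q):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0]:
        if P[1] != Q[1] or P[1] == (0, 0): return None      # Q = -P (also doubling a 2-torsion point)
        lam = fmul(fadd(fsc(3, fmul(P[0], P[0])), E[0]), finv(fsc(2, P[1])))
    else:
        lam = fmul(fsub(Q[1], P[1]), finv(fsub(Q[0], P[0])))
    x = fsub(fsub(fmul(lam, lam), P[0]), Q[0])
    return (x, fsub(fmul(lam, fsub(P[0], x)), P[1]))

def mul(E, k, P):                                          # double-and-add [k]P
    R = None
    while k:
        if k & 1: R = add(E, R, P)
        P, k = add(E, P, P), k >> 1
    return R

def j_inv(E):                                              # j = 1728 * 4A^3 / (4A^3 + 27B^2)
    a3, b2 = fsc(4, fmul(E[0], fmul(E[0], E[0]))), fsc(27, fmul(E[1], E[1]))
    return fmul(fsc(1728, a3), finv(fadd(a3, b2)))

def velu(E, K, ell):
    """Slide 16: the ell-isogeny with kernel <K>, K of odd prime order ell. Returns (E', phi)."""
    A, B = E
    Fplus = [mul(E, k, K) for k in range(1, (ell + 1) // 2)]   # one point of each pair {P, -P}
    data, v, w = [], (0, 0), (0, 0)
    for xP, yP in Fplus:
        gx, gy = fadd(fsc(3, fmul(xP, xP)), A), fsc(-2, yP)    # g_P^x = 3x_P^2 + A, g_P^y = -2y_P
        vP, uP = fsc(2, gx), fmul(gy, gy)                      # v_P = 2 g_P^x, u_P = (g_P^y)^2
        v, w = fadd(v, vP), fadd(w, fadd(uP, fmul(xP, vP)))    # v = sum v_P, w = sum (u_P + x_P v_P)
        data.append((xP, yP, gx, gy, vP, uP))
    E2 = (fsub(A, fsc(5, v)), fsub(B, fsc(7, w)))              # E' : y^2 = x^3 + (A-5v)x + (B-7w)
    def phi(P):
        if P is None or any(P[0] == d[0] for d in data): return None   # kernel points map to O
        x, y = P
        X, Y = x, y
        for xP, yP, gx, gy, vP, uP in data:
            d1 = finv(fsub(x, xP)); d2 = fmul(d1, d1); d3 = fmul(d2, d1)
            X = fadd(X, fadd(fmul(vP, d1), fmul(uP, d2)))
            Y = fsub(Y, fadd(fmul(uP, fmul(fsc(2, y), d3)),
                             fmul(fsub(fmul(vP, fsub(y, yP)), fmul(gx, gy)), d2)))
        return (X, Y)
    return E2, phi

def isogeny_chain(E, R, ell, e, push=()):
    """Slide 22: degree ell^e isogeny with kernel <R> as e successive ell-isogenies; the points in
    `push` (the other party's torsion basis) are carried through to the image curve."""
    push = list(push)
    for i in range(e):
        E, phi = velu(E, mul(E, ell ** (e - 1 - i), R), ell)   # [ell^(e-1-i)]R has order ell
        R, push = phi(R), [phi(P) for P in push]
    return E, push

E0 = ((1, 0), (0, 0))                                      # E0 : y^2 = x^3 + x

def torsion_basis(ell, e):
    """Two independent points of order ell^e on E0. Points with y in F_p and points with y in i*F_p
    (the quadratic twist) have independent odd-order parts inside E0(F_{p^2}) = Z/(p+1) x Z/(p+1),
    so one of each suffices. Specific to E0 : y^2 = x^3 + x with p = 3 mod 4."""
    basis = []
    for twist in (False, True):
        for a in range(1, p):
            c = (-(a**3 + a) if twist else a**3 + a) % p
            if pow(c, (p - 1) // 2, p) != 1: continue              # c must be a square in F_p
            r = pow(c, (p + 1) // 4, p)                            # sqrt in F_p since p = 3 mod 4
            P = mul(E0, (p + 1) // ell**e, ((a, 0), (0, r) if twist else (r, 0)))
            if mul(E0, ell ** (e - 1), P) is not None:             # order is exactly ell^e
                basis.append(P); break
    return basis

def sidh(mA, nA, mB, nB):
    """Full SIDH run (slides 19 to 22). Returns (j(E_AB), j(E_BA)); both sides must agree."""
    if (mA % lA == 0 and nA % lA == 0) or (mB % lB == 0 and nB % lB == 0):
        raise ValueError("private scalars must not both be divisible by ell")
    PA, QA = torsion_basis(lA, eA); PB, QB = torsion_basis(lB, eB)
    RA = add(E0, mul(E0, mA, PA), mul(E0, nA, QA))            # kernel point generation
    RB = add(E0, mul(E0, mB, PB), mul(E0, nB, QB))
    EA, (pA_PB, pA_QB) = isogeny_chain(E0, RA, lA, eA, (PB, QB))   # public keys
    EB, (pB_PA, pB_QA) = isogeny_chain(E0, RB, lB, eB, (PA, QA))
    SA = add(EB, mul(EB, mA, pB_PA), mul(EB, nA, pB_QA))      # = phi_B(R_A), shared-secret kernel
    SB = add(EA, mul(EA, mB, pA_PB), mul(EA, nB, pA_QB))      # = phi_A(R_B)
    return j_inv(isogeny_chain(EB, SA, lA, eA)[0]), j_inv(isogeny_chain(EA, SB, lB, eB)[0])

if __name__ == "__main__":
    print(sidh(1, 7, 4, 1))
```

Running the file prints the two $j$-invariants computed by Alice and Bob. Their agreement is the end-to-end check of the Vélu step: only a genuine isogeny chain makes $E_B/\langle \varphi_B(R_A) \rangle$ and $E_A/\langle \varphi_A(R_B) \rangle$ isomorphic, and a sign error in the formula would already push $\varphi_B(P_A)$ off the image curve. Note that the public key deliberately contains $\varphi_A(P_B), \varphi_A(Q_B)$, exactly the torsion information the 2022 attacks exploit.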

SLIDE 23

Underlying Problems and Cryptanalysis

SLIDE 24

Underlying Problems

  • Decisional Supersingular Isogeny (DSSI) problem: let $E_0$ be a supersingular elliptic curve. Given a second supersingular elliptic curve $E_A$ defined over $\mathbb{F}_{p^2}$, decide whether $E_A$ is $\ell_A^{e_A}$-isogenous to $E_0$.
  • Computational Supersingular Isogeny (CSSI) problem: let $\varphi_A : E_0 \to E_A$ be an isogeny with kernel $\langle [m_A]P_A + [n_A]Q_A \rangle$, where $m_A, n_A \in_R \mathbb{Z}/\ell_A^{e_A}\mathbb{Z}$ are not both divisible by $\ell_A$. Given $E_A$ and the values $\varphi_A(P_B), \varphi_A(Q_B)$, find a generator of $\langle [m_A]P_A + [n_A]Q_A \rangle$.


SLIDE 26

Cryptanalysis

CSSI solutions

  • Meet-in-the-middle via the claw-finding problem [Tani09]:
    • time complexity: $O(p^{1/4})$ classical, $O(p^{1/6})$ quantum;
    • space complexity: $O(p^{1/4})$.
  • Van Oorschot-Wiener collision search [ACCMR18]:
    • time complexity: $O(p^{3/8})$ classical;
    • space complexity: $O(p^{1/4})$.

[ACCMR18] argue that the $O(p^{1/4})$ memory of the meet-in-the-middle attack is unrealistic at cryptographic sizes, so the memory-constrained van Oorschot-Wiener search is the attack that should set SIDH parameter sizes.

SLIDE 27

Remarks

SLIDE 28

Remarks

  • SIDH has very small public keys: about 330 bytes in the compressed version, and only 64 bytes for CSIDH;
  • there is a construction (SIKE) with IND-CCA security;
  • there are no complicated error distributions or rejection sampling, as in lattice-based algorithms;
  • the known constructions of digital signatures based on isogenies are slow;
  • unlike SIKE, SIDH has security concerns if static keys are reused: a peer that sends malformed torsion points can recover an honest party's long-term secret, so plain SIDH keys should be ephemeral;
  • later development, not part of the 2018 talk: in 2022 Castryck and Decru (followed by Maino-Martindale and Robert) gave polynomial-time key-recovery attacks on SIDH and SIKE that exploit exactly the torsion-point images $\varphi_A(P_B), \varphi_A(Q_B)$ published with each key; CSIDH reveals no such images and is not affected by these attacks.

SLIDE 29

Bibliography

SLIDE 30

Bibliography

  • [FJP11] De Feo, L., Jao, D., and Plût, J. (2011). Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Cryptology ePrint Archive, Report 2011/506.
  • [MS11] Moody, D. and Shumow, D. (2011). Analogues of Vélu's formulas for isogenies on alternate models of elliptic curves. Cryptology ePrint Archive, Report 2011/430.
  • [Velu71] Vélu, J. (1971). Isogénies entre courbes elliptiques. C. R. Acad. Sc. Paris, Série A, 273:238-241.
  • [CLMPR18] Castryck, W., Lange, T., Martindale, C., Panny, L., and Renes, J. (2018). CSIDH: An efficient post-quantum commutative group action. Cryptology ePrint Archive, Report 2018/383. https://eprint.iacr.org/2018/383.

SLIDE 31

Bibliography

  • [DPB17] Doliskani, J., Pereira, G. C. C. F., and Barreto, P. S. L. M. (2017). Faster Cryptographic Hash Function From Supersingular Isogeny Graphs. Cryptology ePrint Archive, Report 2017/1202. https://eprint.iacr.org/2017/1202.
  • [Tani09] Tani, S. (2009). Claw finding algorithms using quantum walk. Theoretical Computer Science, 410(50):5285-5297. Mathematical Foundations of Computer Science (MFCS 2007).
  • [ACCMR18] Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J.-J., Menezes, A., and Rodríguez-Henríquez, F. (2018). On the cost of computing isogenies between supersingular elliptic curves. Cryptology ePrint Archive, Report 2018/313.

SLIDE 32

Thank you!

Contact: jsilva@lasca.ic.unicamp.br