si said why csidh
play

["si:saId] Why CSIDH? Drop-in post-quantum replacement for - PowerPoint PPT Presentation

Jan 21, 2023 •357 likes •934 views

CSIDH : An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1 Tanja Lange 2 Chloe Martindale 2 Lorenz Panny 2 Joost Renes 3 1 KU Leuven 2 TU Eindhoven 3 Radboud Universiteit Brisbane, 6 December 2018 ["si:saId] Why CSIDH?

  2. CSIDH : An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1 Tanja Lange 2 Chloe Martindale 2 Lorenz Panny 2 Joost Renes 3 1 KU Leuven 2 TU Eindhoven 3 Radboud Universiteit Brisbane, 6 December 2018

  3. ["si:­saId]

  4. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. https://csidh.isogeny.org 1/15

  5. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. https://csidh.isogeny.org 1/15

  6. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. ◮ Small keys: 64 bytes at conjectured AES-128 security level https://csidh.isogeny.org 1/15

  7. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. ◮ Small keys: 64 bytes at conjectured AES-128 security level ◮ Competitive speed: ∼ 35 ms per operation. (Skylake i5 w / TurboBoost) https://csidh.isogeny.org 1/15

  8. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. ◮ Small keys: 64 bytes at conjectured AES-128 security level ◮ Competitive speed: ∼ 35 ms per operation. (Skylake i5 w / TurboBoost) ◮ Clean mathematical structure: a true group action. (No noise, no auxiliary points, no compromises.) https://csidh.isogeny.org 1/15

  9. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. ◮ Small keys: 64 bytes at conjectured AES-128 security level ◮ Competitive speed: ∼ 35 ms per operation. (Skylake i5 w / TurboBoost) ◮ Clean mathematical structure: a true group action. (No noise, no auxiliary points, no compromises.) ◮ By the way: not ‘better’ or ‘worse’ than SIDH. It’s simply different and likely to be useful for different applications. https://csidh.isogeny.org 1/15

  10. Ordinary isogeny graphs Nodes: Ordinary elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . Components look something like this: https://csidh.isogeny.org 2/15

  11. Ordinary isogeny graphs (cycles) Nodes: Ordinary elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . https://csidh.isogeny.org 2/15

  12. Ordinary isogeny graphs (cycles) Nodes: Ordinary elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . ??? Easy: Compute a random path, output the final node. Hard problem: Find a path between two given nodes. https://csidh.isogeny.org 2/15

  13. Alice vs. Eve Intuition: Combining edges from different cycles allows taking shortcuts to remote parts of the graph! https://csidh.isogeny.org 3/15

  14. Alice vs. Eve g 0 g 1 · g 1 g 3 · g 2 · g 8 g 11 Intuition: Combining edges from different cycles allows taking shortcuts to remote parts of the graph! cf. Square-&-Multiply: Alice gets an advantage over Eve. https://csidh.isogeny.org 3/15

  15. Point counting De Feo–Kieffer–Smith want an ordinary curve E / F q with many small primes ℓ | E ( F q ) . This seems difficult. https://csidh.isogeny.org 4/15

  16. https://csidh.isogeny.org 5/15

  17. Pictures: https://github.com/CardsAgainstCryptography https://csidh.isogeny.org 5/15

  18. I’ve been experimenting with supersingular curves in this context, because they have all the properties Kieffer was looking for. Are there any security issues with using supersingular curves? Hope I did not overlook anything stupid here! — an anonymous CSIDH coauthor Pictures: https://github.com/CardsAgainstCryptography https://csidh.isogeny.org 5/15

  19. I’ve been experimenting with supersingular curves in this context, because they have all the properties Kieffer was looking for. Are there any security issues with using supersingular curves? Hope I did not overlook anything stupid here! — an anonymous CSIDH coauthor Wouter, you are a genius! — me Pictures: https://github.com/CardsAgainstCryptography https://csidh.isogeny.org 5/15

  20. Supersingular isogeny graphs Nodes: Supersingular elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . https://csidh.isogeny.org 6/15

  21. Supersingular isogeny graphs Nodes: Supersingular elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . k = F 419 2 (same as F 419 ) https://csidh.isogeny.org 6/15

  22. Supersingular isogeny graphs Nodes: Supersingular elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . k = F 419 2 (same as F 419 ) k = F 419 https://csidh.isogeny.org 6/15

  23. Supersingular isogeny graphs Theorem. The F p -rational endomorphism ring of an elliptic curve defined over F p is an imaginary quadratic order. https://csidh.isogeny.org 7/15

  24. Supersingular isogeny graphs Theorem. The F p -rational endomorphism ring of an elliptic curve defined over F p is an imaginary quadratic order. ...even in the supersingular case! https://csidh.isogeny.org 7/15

  25. Supersingular isogeny graphs Theorem. The F p -rational endomorphism ring of an elliptic curve defined over F p is an imaginary quadratic order. ...even in the supersingular case! Theorem/fact/definition. Let p > 3. An elliptic curve E over F p is supersingular if and only if # E ( F p ) = p + 1. https://csidh.isogeny.org 7/15

  26. Supersingular isogeny graphs Theorem. The F p -rational endomorphism ring of an elliptic curve defined over F p is an imaginary quadratic order. ...even in the supersingular case! Theorem/fact/definition. Let p > 3. An elliptic curve E over F p is supersingular if and only if # E ( F p ) = p + 1. = ⇒ We can simply craft a curve with a good number of points. https://csidh.isogeny.org 7/15

  27. Reminder The class group action is defined as follows: ◮ Inputs : An elliptic curve E with endomorphism ring O , an ideal a ⊆ O of prime norm ℓ . ◮ Output : The elliptic curve [ a ] E . 1. Compute the subgroup E [ a ] = � α ∈ a ker α killed by a . → E ′ with kernel E [ a ] . 2. Compute an ℓ -isogeny E − 3. Output E ′ . https://csidh.isogeny.org 8/15

  28. Reminder The class group action is defined as follows: ◮ Inputs : An elliptic curve E with endomorphism ring O , an ideal a ⊆ O of prime norm ℓ . ◮ Output : The elliptic curve [ a ] E . 1. Compute the subgroup E [ a ] = � α ∈ a ker α killed by a . → E ′ with kernel E [ a ] . 2. Compute an ℓ -isogeny E − 3. Output E ′ . Typically E [ a ] is only defined over F q m for m ≈ ℓ . = ⇒ Complexity of computing with E [ a ] is exponentia ℓ ... : ( https://csidh.isogeny.org 8/15

  29. CSIDH in one cslide (terrible pun totally intended) https://csidh.isogeny.org 9/15

  30. CSIDH in one cslide (terrible pun totally intended) ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . 1. ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { supersingular y 2 = x 3 + Ax 2 + x defined over F p } . https://csidh.isogeny.org 9/15

  31. CSIDH in one cslide (terrible pun totally intended) ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . 1. ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { supersingular y 2 = x 3 + Ax 2 + x defined over F p } . ◮ All curves in X have F p -endomorphism ring O = Z [ √ p ] . 2. Define the ideals l i = ( ℓ i , π − 1 ) of O . ◮ Let K = { [ l e 1 1 · · · l e 1 n ] | ( e 1 , ..., e n ) is ‘short’ } ⊆ cl ( O ) . https://csidh.isogeny.org 9/15

  32. CSIDH in one cslide (terrible pun totally intended) ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . 1. ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { supersingular y 2 = x 3 + Ax 2 + x defined over F p } . ◮ All curves in X have F p -endomorphism ring O = Z [ √ p ] . 2. Define the ideals l i = ( ℓ i , π − 1 ) of O . ◮ Let K = { [ l e 1 1 · · · l e 1 n ] | ( e 1 , ..., e n ) is ‘short’ } ⊆ cl ( O ) . 3. magic math happens! ∗ ∗ see next slides https://csidh.isogeny.org 9/15

  33. CSIDH in one cslide (terrible pun totally intended) ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . 1. ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { supersingular y 2 = x 3 + Ax 2 + x defined over F p } . ◮ All curves in X have F p -endomorphism ring O = Z [ √ p ] . 2. Define the ideals l i = ( ℓ i , π − 1 ) of O . ◮ Let K = { [ l e 1 1 · · · l e 1 n ] | ( e 1 , ..., e n ) is ‘short’ } ⊆ cl ( O ) . 3. magic math happens! ∗ ∗ see next slides 4. ◮ cl ( O ) acts on X and the action of K is very efficient! https://csidh.isogeny.org 9/15

  34. Magic (base field arithmetic) ◮ All the ideals ℓ i O split as l i · l i where l i = ( ℓ i , π − 1 ) . = ⇒ We can use all ℓ i we started with (generally: about 1/2) . https://csidh.isogeny.org 10/15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Key bits where all known attacks take 2 operations (naive serial attack metric,

412 views • 16 slides
Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel

Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel

Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel Cervantes-V nguez 1 and Luca De Feo 4 and Jes us-Javier Chi-Dom quez 1 and Benjamin Smith 2,3 Francisco Rodr guez-Henr 1 Computer Science

1.25k views • 93 slides
Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC,

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC,

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC, Gardanne based on joint work with D. Cervantes-Vzquez, M. Chenu, J.J. Chi-Domnguez, F. Rodrguez-Henrquez, B. Smith Slides online at

944 views • 90 slides
Towards Optimized and Constant-Time CSIDH on Embedded Devices Amir Jalali 1 , Reza Azarderakhsh 1

Towards Optimized and Constant-Time CSIDH on Embedded Devices Amir Jalali 1 , Reza Azarderakhsh 1

Towards Optimized and Constant-Time CSIDH on Embedded Devices Amir Jalali 1 , Reza Azarderakhsh 1 , Mehran Mozaffari Kermani 2 , and David Jao 3 Department of Computer and Electrical Engineering and Computer Science Florida Atlantic University

252 views • 14 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG

499 views • 28 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
for Sustainable Development arnulf gruebler@iiasa.ac.at IIT Bombay, January 22, 2018 101 of

for Sustainable Development arnulf gruebler@iiasa.ac.at IIT Bombay, January 22, 2018 101 of

Technological Innovations for Sustainable Development arnulf gruebler@iiasa.ac.at IIT Bombay, January 22, 2018 101 of Technological Change Technological change is a process involving multiple steps and feedbacks Uncertainty pervasive at

387 views • 19 slides
Classification Classification and Prediction Classification: predict categorical class labels

Classification Classification and Prediction Classification: predict categorical class labels

Classification Classification and Prediction Classification: predict categorical class labels Build a model for a set of classes/concepts Classify loan applications (approve/decline) Prediction: model continuous-valued functions

554 views • 31 slides
Historical Transitions in Transport Systems iTEAM4 Workshop, IIASA October 30, 2018 Arnulf

Historical Transitions in Transport Systems iTEAM4 Workshop, IIASA October 30, 2018 Arnulf

Historical Transitions in Transport Systems iTEAM4 Workshop, IIASA October 30, 2018 Arnulf Grubler Technological/Infrastructural Transitions: Main Messages End-use innovation driven (people!) Involves Hardware + Software + Orgware

648 views • 34 slides
Torsion subgroups of rational elliptic curves over the compositum of all cubic fields Andrew V.

Torsion subgroups of rational elliptic curves over the compositum of all cubic fields Andrew V.

Torsion subgroups of rational elliptic curves over the compositum of all cubic fields Andrew V. Sutherland Massachusetts Institute of Technology October 2, 2015 joint work with Harris B. Daniels, Alvaro Lozano-Robledo, and Filip Najman

379 views • 19 slides
Math 211 Math 211 Lecture #37 The Linearization in Higher Dimension November 21, 2003 2

Math 211 Math 211 Lecture #37 The Linearization in Higher Dimension November 21, 2003 2

1 Math 211 Math 211 Lecture #37 The Linearization in Higher Dimension November 21, 2003 2 Higher Dimensional Systems Higher Dimensional Systems Autonomous equation y = f ( y ) . y = ( y 1 , y 2 , , y n ) T , y 0 is an

661 views • 4 slides
APNA 30th Annual Conference Session 4017: October 22, 2016 Guenzel 1 APNA 30th Annual

APNA 30th Annual Conference Session 4017: October 22, 2016 Guenzel 1 APNA 30th Annual

APNA 30th Annual Conference Session 4017: October 22, 2016 Guenzel 1 APNA 30th Annual Conference Session 4017: October 22, 2016 Therapists/Psychologists 1800 1600 1400 1200 1000 800 600 400 200 0 White Black AI Hispanic Asian

468 views • 9 slides
IMPACT of COVID-19 on All Palliative Care Conference Impact of Trauma, Grieving & Loss

IMPACT of COVID-19 on All Palliative Care Conference Impact of Trauma, Grieving & Loss

IMPACT of COVID-19 on All Palliative Care Conference Impact of Trauma, Grieving & Loss Raymond F. Hanbury, PhD, ABPP Chief Psychologist, Department of Psychiatry Director of Psychology Education Program Director, Pediatric Psychiatry

915 views • 47 slides
Deconstructing Data Science David Bamman, UC Berkeley Info 290 Lecture 8: Naive Bayes Feb

Deconstructing Data Science David Bamman, UC Berkeley Info 290 Lecture 8: Naive Bayes Feb

Deconstructing Data Science David Bamman, UC Berkeley Info 290 Lecture 8: Naive Bayes Feb 17, 2016 elements of probability in many of these methods Linear regression Decision trees Ordinal regression Probabilistic graphical

913 views • 74 slides
Lecture 1: Introduction Information Visualization CPSC 533C, Fall 2011 Tamara Munzner UBC

Lecture 1: Introduction Information Visualization CPSC 533C, Fall 2011 Tamara Munzner UBC

Lecture 1: Introduction Information Visualization CPSC 533C, Fall 2011 Tamara Munzner UBC Computer Science Wed, 7 September 2011 1 / 62 Course Home Page main source readings, lecture slides, all information reload frequently, updates

861 views • 62 slides
Reforming the public sector: Public providers, or private providers, of public goods? CESifo,

Reforming the public sector: Public providers, or private providers, of public goods? CESifo,

Reforming the public sector: Public providers, or private providers, of public goods? CESifo, Munich, September 26, 2012 (This lecture is based on a joint work with Apostolis Philippopoulos (AUEB and CESifo), and Vanghelis Vassilatos (AUEB))

1.03k views • 102 slides
Bhandari, Evans, Golosov, Sargent On The Role of Public Debt in Economies with Heterogeneous

Bhandari, Evans, Golosov, Sargent On The Role of Public Debt in Economies with Heterogeneous

Bhandari, Evans, Golosov, Sargent On The Role of Public Debt in Economies with Heterogeneous Agents Dirk Niepelt Study Center Gerzensee; U of Bern; CEPR October 2016 A Nice Paper Two themes Ricardian equivalence Ramsey policy (using

566 views • 12 slides
The Bio-PanPipe Software Package Daniel Ortiz Genome Data Science Group Institute for Research

The Bio-PanPipe Software Package Daniel Ortiz Genome Data Science Group Institute for Research

The Bio-PanPipe Software Package Daniel Ortiz Genome Data Science Group Institute for Research in Biomedicine Table of Contents 1. Introduction 2. Package Overview 3. Main Tools and File Formats 4. Whole Pipeline Example Introduction

509 views • 32 slides
The effects of birth environment on planetary systems Melvyn B. Davies Department of Astronomy

The effects of birth environment on planetary systems Melvyn B. Davies Department of Astronomy

The effects of birth environment on planetary systems Melvyn B. Davies Department of Astronomy and Theoretical Physics Lund Observatory www.astro.lu.se Five things to remember about exoplanetary systems Melvyn B. Davies Department of

668 views • 14 slides
Modeling the Underlying Event Modeling the Underlying Event Peter Skands Theoretical Physics,

Modeling the Underlying Event Modeling the Underlying Event Peter Skands Theoretical Physics,

Terascale Meeting, U of Oregon, Eugene, February 2009 Modeling the Underlying Event Modeling the Underlying Event Peter Skands Theoretical Physics, Fermilab Models Classic Example Classic Example Models UA5 @ 540 GeV, single pp,

679 views • 34 slides
Classicalization, Scrambling and Thermalization in QCD at high energies Raju Venugopalan

Classicalization, Scrambling and Thermalization in QCD at high energies Raju Venugopalan

Classicalization, Scrambling and Thermalization in QCD at high energies Raju Venugopalan Brookhaven National Laboratory Galileo Institute School, February 27-March 3, 2020 Outline of lectures Lecture I: Classicalization: The hadron

434 views • 32 slides
Rate and Orientation Effects in Electrophilic Aromatic Substitution Reactions CH 3 CH 3 CH 3 NO 2

Rate and Orientation Effects in Electrophilic Aromatic Substitution Reactions CH 3 CH 3 CH 3 NO 2

Rate and Orientation Effects in Electrophilic Aromatic Substitution Reactions CH 3 CH 3 CH 3 NO 2 HNO 3 + H 2 SO 4 rate = 40 NO 2 NO 2 HNO 3 H 2 SO 4 rate = 1 CF 3 CF 3 HNO 3 H 2 SO 4 NO 2 rate = 2.5 x 10 -6 Activating Substituents Deactivating

315 views • 17 slides
Dynamic Large Pages Dave Hansen IBM Linux Technology Center Why Large Pages? Fewer objects

Dynamic Large Pages Dave Hansen IBM Linux Technology Center Why Large Pages? Fewer objects

Dynamic Large Pages Dave Hansen IBM Linux Technology Center Why Large Pages? Fewer objects to manage Fit more objects in CPU caches Per-page operations become cheaper Per-page structures become smaller Any cache miss is

583 views • 30 slides

More recommend