supersingular isogeny graphs and endomorphism rings
play

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and - PowerPoint PPT Presentation

Jan 26, 2024 •46 likes •427 views

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr ager (Penn State), Sean Hallgren (Penn State), Kristin Lauter (Microsoft Research), Travis Morrison (Penn State), Christophe Petit (Birmingham)

  1. Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr¨ ager (Penn State), Sean Hallgren (Penn State), Kristin Lauter (Microsoft Research), Travis Morrison (Penn State), Christophe Petit (Birmingham) Merge from the papers Hard and Easy Problems for Supersingular Isogeny Graphs Petit-Lauter [PL17] On the Hardness of Computing Endomorphism Rings of Supersingular Elliptic Curves Eisentr¨ ager-Hallgren-Morrison [EHM17] 1 Christophe Petit - Eurocrypt - May 2018

  2. The threat of quantum computers 2 Christophe Petit - Eurocrypt - May 2018

  3. Isogeny Problems ◮ Recently proposed for post-quantum cryptography ◮ Natural problems from a number theory point of view ◮ Classical and quantum algorithms still exponential time 3 Christophe Petit - Eurocrypt - May 2018

  4. Isogeny Problems ◮ Recently proposed for post-quantum cryptography ◮ Natural problems from a number theory point of view ◮ Classical and quantum algorithms still exponential time ◮ But still rather new, need further study ◮ Our results : ◮ Efficient reductions between three hard problem variants ◮ Efficient solutions for two (other) problems 3 Christophe Petit - Eurocrypt - May 2018

  5. Outline Isogenies and related problems Motivation : Charles-Goren-Lauter hash function New results and techniques 4 Christophe Petit - Eurocrypt - May 2018

  6. Outline Isogenies and related problems Motivation : Charles-Goren-Lauter hash function New results and techniques 5 Christophe Petit - Eurocrypt - May 2018

  7. Supersingular curves and isogenies ◮ Let p be a prime. Up to isomorphism, any supersingular elliptic curve is defined over F p 2 ◮ An isogeny from a curve E 1 is a non trivial morphism φ : E 1 → E 2 sending 0 to 0 ◮ In Weierstrass affine coordinates we can write � � ψ 2 ( x , y ) , ω ( x , y ) ϕ ( x ) φ : E 1 → E 2 : φ ( x , y ) = ψ 3 ( x , y ) ◮ Isogeny degree is deg φ = max { deg ϕ, deg ψ 2 } ◮ An endomorphism of E is an isogeny φ : E → E (examples : scalar multiplications, Frobenius) 6 Christophe Petit - Eurocrypt - May 2018

  8. Isogeny problems ◮ Isogeny problems with potential interest for cryptography are about “computing” isogenies between two curves, or some variant of this problem 7 Christophe Petit - Eurocrypt - May 2018

  9. Isogeny problems ◮ Isogeny problems with potential interest for cryptography are about “computing” isogenies between two curves, or some variant of this problem ◮ A bit tricky to define : degree must be large for security, but then natural output representation is not efficient 7 Christophe Petit - Eurocrypt - May 2018

  10. Isogeny problems ◮ Isogeny problems with potential interest for cryptography are about “computing” isogenies between two curves, or some variant of this problem ◮ A bit tricky to define : degree must be large for security, but then natural output representation is not efficient ◮ Endomorphism computation case : hard in general but ◮ Easy for special curves ◮ Scalar multiplications and Frobenius known trivially 7 Christophe Petit - Eurocrypt - May 2018

  11. Endomorphism rings ◮ The endomorphisms of a curve E have a ring structure, operations are addition law on E and composition ◮ The endomorphism ring of a supersingular curve over ¯ F p is a maximal order in the quaternion algebra B p , ∞ 8 Christophe Petit - Eurocrypt - May 2018

  12. Endomorphism rings ◮ The endomorphisms of a curve E have a ring structure, operations are addition law on E and composition ◮ The endomorphism ring of a supersingular curve over ¯ F p is a maximal order in the quaternion algebra B p , ∞ ◮ Deuring correspondence [D31] : bijection from supersingular curves over F p 2 (up to Galois conjugacy) to maximal orders in B p , ∞ (up to conjugation) E → O ≈ End( E ) 8 Christophe Petit - Eurocrypt - May 2018

  13. Isogeny graphs ◮ Over ¯ F p the ℓ -torsion E [ ℓ ] is isomorphic to Z ℓ × Z ℓ ◮ There are ℓ + 1 cyclic subgroups of order ℓ ; each one is the kernel of a degree ℓ isogeny 9 Christophe Petit - Eurocrypt - May 2018

  14. Isogeny graphs ◮ Over ¯ F p the ℓ -torsion E [ ℓ ] is isomorphic to Z ℓ × Z ℓ ◮ There are ℓ + 1 cyclic subgroups of order ℓ ; each one is the kernel of a degree ℓ isogeny ◮ ℓ -isogeny graph : each vertex is a j -invariant over ¯ F p , each edge corresponds to one degree ℓ isogeny ◮ Isogeny graphs are undirected 9 Christophe Petit - Eurocrypt - May 2018

  15. Isogeny graphs ◮ Over ¯ F p the ℓ -torsion E [ ℓ ] is isomorphic to Z ℓ × Z ℓ ◮ There are ℓ + 1 cyclic subgroups of order ℓ ; each one is the kernel of a degree ℓ isogeny ◮ ℓ -isogeny graph : each vertex is a j -invariant over ¯ F p , each edge corresponds to one degree ℓ isogeny ◮ Isogeny graphs are undirected ◮ In supersingular case all j and isogenies defined over F p 2 and graphs are Ramanujan (optimal expansion graphs) ◮ Isogeny problems ∼ finding paths in these graphs 9 Christophe Petit - Eurocrypt - May 2018

  16. Outline Isogenies and related problems Motivation : Charles-Goren-Lauter hash function New results and techniques 10 Christophe Petit - Eurocrypt - May 2018

  17. Charles-Goren-Lauter hash function Hash of the Future? Have you ever struggled to solve a maze? Then imagine trying to find a path through a tangled, three-dimensional maze as large as the Milky Way. By incorporating such a maze into a hash function, Kristin Lauter of Microsoft Research in Redmond, Washington, is betting that neither you nor anyone else will solve that problem. Technically, Lauter’s maze is called an “expander graph” (see figure, right). Nodes in the graph corre- spond to elliptic curves, or equations of the form y 2 = x 3 + a x + b . Each curve leads to three other curves by a mathematical relation, now called isogeny, that Pierre de Fermat discovered while trying to prove his famous Last Theorem. To hash a digital file using an expander graph, you would convert the bits of data on March 13, 2008 into directions: 0 would mean “turn right,” 1 would mean “turn left.” In the maze illustrated here, after the initial step 1-2, the blue path encodes the directions 1, 0, 1, 1, 0, 0, 0, 0, 1, ending at point 24, which would be the digital signature of the string 101100001. The red loop shows a collision of two paths, which would be practically impossible to find in the immense maze www.sciencemag.org envisioned by Lauter. Although her hash function (developed with colleagues Denis Charles and Eyal Goren) is provably secure, Lauter admits that it is not yet fast enough to compete with iterative hash func- tions. However, for applications in which speed is less of an issue— for example, where the files to be hashed are relatively small—Lauter believes it might be a winner. –D.M. Downloaded from 11 Christophe Petit - Eurocrypt - May 2018

  18. Strategy to break CGL hash function ◮ Idea : use Deuring’s correspondence ( E ↔ O ≈ End( E )) 1. Translate collision and preimage resistance properties from the elliptic curve setting to the quaternion setting 2. Break collision and preimage resistance for quaternions 3. Translate the attacks back to elliptic curve setting 12 Christophe Petit - Eurocrypt - May 2018

  19. Strategy to break CGL hash function ◮ Idea : use Deuring’s correspondence ( E ↔ O ≈ End( E )) 1. Translate collision and preimage resistance properties from the elliptic curve setting to the quaternion setting 2. Break collision and preimage resistance for quaternions 3. Translate the attacks back to elliptic curve setting ◮ Steps 1 and 2 were solved in [KLPT14] : algorithms to compute elements in a given ideal with a given norm 12 Christophe Petit - Eurocrypt - May 2018

  20. Outline Isogenies and related problems Motivation : Charles-Goren-Lauter hash function New results and techniques 13 Christophe Petit - Eurocrypt - May 2018

  21. Results in this paper ◮ Polynomial time collision attack on CGL hash function for “special” initial curves [PL17] ◮ Constructive Deuring correspondence in one direction : given a maximal order in B p , ∞ , can efficiently compute the corresponding j -invariant [PL17] ◮ Equivalence of hard problems [PL17] ◮ Constructive Deuring correspondence in other direction ◮ Endomorphism ring computation for random curves ◮ Collision and preimage resistance of CGL hash function for random initial curves ◮ Other approach for some of these reductions, using an oracle for the action on ℓ -torsion problem [EHM17] 14 Christophe Petit - Eurocrypt - May 2018

  22. Key tools ◮ Converting quaternion ideals to isogenies [W69] ◮ Let E 0 with known End( E 0 ) ≈ O 0 ⊂ B p , ∞ ◮ Isogenies from E 0 correspond to left ideals of O 0 ◮ Correspondence computed by identifying kernels ◮ Efficient for powersmooth norms/degrees ◮ “Quaternion ℓ -isogeny algorithm” [KLPT14,GPS17] ◮ Replace ideal by equivalent one with powersmooth norm 15 Christophe Petit - Eurocrypt - May 2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de Mathmatiques de Marseille Journes Nationales de Calcul Formel 2019 CIRM, Luminy, 7 February 2019 Leonardo COL ( I2M-AMU ) OSIDH 7 February 2019 2

966 views • 73 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques de Marseille Number-Theoretic Methods in Cryptology 2019 Sorbonne Universit, Institut de Mathmatiques de Jussieu Paris, 26 June 2019 Leonardo

739 views • 53 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Reminder on elliptic curves Endomorphism ring Volcano of -isogeny and Frobenius endomorphism -adic tower Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril Hugounenq, Jerome Plut, Eric Schost

472 views • 28 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland AsiaCrypt 2016, 5th of December 1/17 Outline Joint work with Steven Galbraith , Christophe Petit and Barak Shani . 1

242 views • 23 slides
Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionQ, Inc. Full list of submitters: Reza Azarderakhsh, FAU Amir Jalali, LinkedIn Michael Naehrig, MSR Matt Campagna, Amazon David Jao, UW

365 views • 10 slides
The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO

The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO

The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO Kickoff meeting, Bordeaux, February 2020 Microsoft Research and Inria + cole polytechnique 1 g = 1 A directed multigraph (but almost a graph)

408 views • 25 slides
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski Laboratoire dInformatique de Paris 6 Sorbonne Universits UPMC, France cole Polytechnique Fdrale de Lausanne, EPFL IC LACAL, Switzerland

955 views • 58 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca

Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca

Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev November 14 ECC 2017 Nijmegen,

769 views • 75 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this

The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this

The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this talk 1. Highlight some of the complications with assessing the cost of known attacks on computational problems. 2. Highlight some of the

640 views • 35 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher Leonardi 1 Anzo Teh 1 David Jao 1,2 Kunpeng Wang 3,4,5 Wei Yu 3,4,5 Reza Azarderakhsh 6 [1] Department of Combinatorics and Optimization, University of

911 views • 72 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
SIMPSONS for beam modelling in high intensity rings Shinji Machida STFC/Rutherford Appleton

SIMPSONS for beam modelling in high intensity rings Shinji Machida STFC/Rutherford Appleton

SIMPSONS for beam modelling in high intensity rings Shinji Machida STFC/Rutherford Appleton Laboratory 19 September 2019 Many thanks to H. Hotchi for his contribution to the code and letting me show his results. Based on the presentation at

520 views • 40 slides
IPORPR WG (IP over Resilient Packet Rings) Chairs: F. Kastenholz; A. Herrera IETF IPoRPR Mar

IPORPR WG (IP over Resilient Packet Rings) Chairs: F. Kastenholz; A. Herrera IETF IPoRPR Mar

IPORPR WG (IP over Resilient Packet Rings) Chairs: F. Kastenholz; A. Herrera IETF IPoRPR Mar 2001 IPoRPR Work Group F.Kastenholz; A. Herrera IPoRPR WG Status Current Charter focused on IP over IEEE 802.17 RPR WG deliverable is a

320 views • 11 slides
On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35 A. Wallet About todays talk Its post-quantum (public-key) crypto time! Cryptography = building secure schemes Theoretical security = reduction

659 views • 49 slides
On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet Alexandre Wallet 1 / 37 ApproxSVP ApproxSVP ( O K -modules) ( O K -ideals) [LS15] [PRS17] [AD17] decision decision RLWE search RLWE

959 views • 54 slides
Supertubes Supersymmetric Black Black Rings Rings Supertubes Supersymmetric and and S 2 S 1

Supertubes Supersymmetric Black Black Rings Rings Supertubes Supersymmetric and and S 2 S 1

Supertubes Supersymmetric Black Black Rings Rings Supertubes Supersymmetric and and S 2 S 1 David Mateos Mateos David Emparan & DM , to appear Microscopic Entropy of the Black Ring [hep-th/0411187] M. Cyrier, M. Guica, DM

431 views • 16 slides
Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel

Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel

Schur-rings (S-rings) Automorphism groups of S-rings Final (personal) remarks Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel joint work with Mikhail Klin Institut fr Algebra Technische

1.47k views • 98 slides
COSIC A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1 /

COSIC A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1 /

A Framework for Cryptographic Problems from Linear Algebra Carl Bootland , Wouter Castryck, Alan Szepieniec and Frederik Vercauteren Dept. of Electrical Engineering, COSIC KU Leuven COSIC A Framework for Cryptographic Problems from Linear

731 views • 48 slides
Rings of singularities ICTP-Trieste Lectures, January 2010 Helmut Lenzing Institut f ur

Rings of singularities ICTP-Trieste Lectures, January 2010 Helmut Lenzing Institut f ur

Rings of singularities ICTP-Trieste Lectures, January 2010 Helmut Lenzing Institut f ur Mathematik, Universit at Paderborn, 33095 Paderborn, Germany E-mail address : helmut@math.uni-paderborn.de Abstract. We show how to associate to a

306 views • 30 slides

More recommend