[PPT] - Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew PowerPoint Presentation

SLIDE 1

Supersingular Isogeny Key Encapsulation

November 14 ECC 2017 Nijmegen, The Netherlands

Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev

SLIDE 2

Supersingular Isogeny Key Encapsulation

November 14 ECC 2017 Nijmegen, The Netherlands

Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev

SLIDE 3

Part 1: Quick re-motivation Part 2: Quick tutorial recap Part 3: SIKE

SLIDE 4

Quantum computers break elliptic curves, finite fields,

factoring, everything currently used for PKC

NIST calls for quantum-secure key exchange and
signatures. Deadline Nov 30, 2017.

Quantum computers ↔ Cryptopocalypse

SLIDE 5

Diffie-Hellman instantiations

𝑕𝑏 mod 𝑟 𝑕𝑐 mod 𝑟 𝑏 𝑄 𝑐 𝑄 𝜚𝐵(𝐹) 𝜚𝐶(𝐹)

ℤ𝑟 ℤ𝑟

SLIDE 6

Diffie-Hellman instantiations

DH DH ECDH SIDH Elem ements ents integers 𝑕 modulo prime points 𝑄 in curve group curves 𝐹 in isogeny class Secr crets ets exponents 𝑦 scalars 𝑙 isogenies 𝜚 co comp mputatio ions ns 𝑕, 𝑦 ↦ 𝑕𝑦 𝑙, 𝑄 ↦ 𝑙 𝑄 𝜚, 𝐹 ↦ 𝜚(𝐹) hard d pr probl blem given 𝑕, 𝑕𝑦 find 𝑦 given 𝑄, 𝑙 𝑄 find 𝑙 given 𝐹, 𝜚(𝐹) find 𝜚

SLIDE 7

Part 1: Quick re-motivation Part 2: Quick tutorial recap Part 3: SIKE

SLIDE 8

W. Castryck (GIF): ”Elliptic curves are dead: long live elliptic curves” https://www.esat.kuleuven.be/cosic/?p=7404

SLIDE 9

Supersingular isogeny graph for ℓ = 2: 𝑌(𝑇2412,2)

Credit to Fre Vercauteren for example and pictures…

SLIDE 10

Supersingular isogeny graph for ℓ = 3: 𝑌(𝑇2412,3)

Credit to Fre Vercauteren for example and pictures…

SLIDE 11

𝐹0 𝐹𝐵 = 𝐹0/〈𝐵〉 𝐹0/〈𝐶〉 = 𝐹𝐶 𝐹𝐵𝐶 = 𝐹0/〈𝐵, 𝐶〉

𝜚𝐵 𝜚𝐶 𝜚𝐵′ 𝜚𝐶

′

params public private 𝐹’s are isogenous curves 𝑄’s, 𝑅’s, 𝑆’s, 𝑇’s are points

SIDH: in a nutshell

SLIDE 12

𝐹0 𝐹𝐵 = 𝐹0/〈𝑄

𝐵 + 𝑡𝐵 𝑅𝐵〉

𝐹0/〈𝑄𝐶 + 𝑡𝐶 𝑅𝐶〉 = 𝐹𝐶 𝐹𝐵𝐶 = 𝐹0/〈𝐵, 𝐶〉

𝜚𝐵 𝜚𝐶 𝜚𝐵′ 𝜚𝐶

′

params public private 𝐹’s are isogenous curves 𝑄’s, 𝑅’s, 𝑆’s, 𝑇’s are points

SIDH: in a nutshell

(𝜚𝐶(𝑄

𝐵), 𝜚𝐶(𝑅𝐵)) = (𝑆𝐶, 𝑇𝐶)

(𝑆𝐵, 𝑇𝐵) = (𝜚𝐵(𝑄𝐶), 𝜚𝐵(𝑅𝐶))

𝐹𝐵/〈𝑆𝐵 + 𝑡𝐶 𝑇𝐵〉 ≅ 𝐹0/〈𝑄

𝐵 + 𝑡𝐵 𝑅𝐵 , 𝑄𝐶 + 𝑡𝐶 𝑅𝐶〉 ≅ 𝐹𝐶/〈𝑆𝐶 + 𝑡𝐵 𝑇𝐶〉

Key: : Alice sends her isogeny evaluated at Bob’s generators, and vice versa

SLIDE 13

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝑄 𝐹6 = 𝐹0/⟨𝑄

0⟩

SLIDE 14

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[2]𝑄 𝐹5 = 𝐹0/⟨[2]𝑄

0⟩

𝑄

SLIDE 15

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[4]𝑄 𝐹4 = 𝐹0/⟨[4]𝑄

0⟩

𝑄

SLIDE 16

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[8]𝑄 𝐹3 = 𝐹0/⟨[8]𝑄

0⟩

𝑄

SLIDE 17

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[16]𝑄 𝐹2 = 𝐹0/⟨[16]𝑄

0⟩

𝑄

SLIDE 18

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[32]𝑄 𝐹

1 = 𝐹0/⟨[32]𝑄 0⟩

= 𝜚0(𝐹0) 𝑄

SLIDE 19

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝑄

1 = 𝜚0(𝑄 0)

𝑄 𝑄

1

𝜚0 𝐹

1 = 𝐹0/⟨[32]𝑄 0⟩

= 𝜚0(𝐹0)

SLIDE 20

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝑄

1

𝜚0 𝐹6 = 𝐹

1/⟨𝑄 1⟩

SLIDE 21

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[2]𝑄

1

𝜚0 𝐹5 = 𝐹

1/⟨[2]𝑄 1⟩

𝑄

1

SLIDE 22

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[4]𝑄

1

𝜚0 𝐹4 = 𝐹

1/⟨[4]𝑄 1⟩

𝑄

1

SLIDE 23

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[8]𝑄

1

𝜚0 𝐹3 = 𝐹

1/⟨[8]𝑄 1⟩

𝑄

1

SLIDE 24

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

[16]𝑄

1

𝜚0 𝐹2 = 𝐹

1/⟨[16]𝑄 1⟩

= 𝜚1(𝐹

1)

𝑄

1

SLIDE 25

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹2 = 𝐹

1/⟨[16]𝑄 1⟩

= 𝜚1(𝐹

1)

𝑄

1

𝑄

2 = 𝜚1(𝑄 1)

𝑄

2

𝜚1

SLIDE 26

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹6 = 𝐹2/⟨𝑄

2⟩

𝑄

2

𝜚1

SLIDE 27

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹5 = 𝐹2/⟨[2]𝑄

2⟩

𝑄

2

𝜚1 [2]𝑄

2

SLIDE 28

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹4 = 𝐹2/⟨[4]𝑄

2⟩

𝑄

2

𝜚1 [4]𝑄

2

SLIDE 29

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹3 = 𝐹2/⟨[8]𝑄

2⟩

= 𝜚2(𝐹2) 𝑄

2

𝜚1 [8]𝑄

2

SLIDE 30

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹3 = 𝐹2/⟨[8]𝑄

2⟩

= 𝜚2(𝐹2) 𝑄

2

𝜚1 [8]𝑄

2

𝑄

3 = 𝜚2(𝑄 2)

𝑄

3

𝜚2

SLIDE 31

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹6 = 𝐹3/⟨𝑄

3⟩

𝜚1 𝑄

3

𝜚2

SLIDE 32

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹5 = 𝐹3/⟨[2]𝑄

3⟩

𝜚1 𝑄

3

𝜚2 [2]𝑄

3

SLIDE 33

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹4 = 𝐹3/⟨[4]𝑄

3⟩

𝜚1 𝑄

3

𝜚2 [4]𝑄

3

SLIDE 34

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹4 = 𝐹3/⟨[4]𝑄

3⟩

𝜚1 𝑄

3

𝜚2 [4]𝑄

3

𝑄

4 = 𝜚3(𝑄 3)

𝑄

4

𝜚3

SLIDE 35

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹6 = 𝐹4/⟨𝑄

4⟩

𝜚1 𝜚2 𝑄

4

𝜚3

SLIDE 36

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹5 = 𝐹4/⟨[2]𝑄

4⟩

𝜚1 𝜚2 𝑄

4

𝜚3 [2]𝑄

4

SLIDE 37

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹5 = 𝐹4/⟨[2]𝑄

4⟩

𝜚1 𝜚2 𝑄

4

𝜚3 [2]𝑄

4

𝑄

5 = 𝜚4(𝑄 4)

𝑄

5

𝜚4

SLIDE 38

Computing ℓ𝑓 degree isogenies

𝐹0 𝐹

1

𝐹2 𝐹3 𝐹4 𝐹5 𝐹6

(suppose ℓ = 2 and 𝑓 = 6) 𝜚 ∶ 𝐹

0 → 𝐹 6 is degree 64

64 elements in its kernel ker 𝜚 = ⟨𝑄

0⟩

𝜚0 𝐹6 = 𝐹5/⟨𝑄

5⟩

𝜚1 𝜚2 𝜚3 𝑄

5

𝜚4 𝜚5

SLIDE 39

Computing ℓ𝑓 degree isogenies 𝜚 ∶ 𝐹0 → 𝐹6 𝜚 = 𝜚5 ∘ 𝜚4 ∘ 𝜚3 ∘ 𝜚2 ∘ 𝜚1 ∘ 𝜚0 𝜚0 𝜚1 𝜚2 𝜚3 𝜚4 𝜚5 𝐹0 𝐹6

SLIDE 40

𝐹 𝐹′

?

SLIDE 41

Claw algorithm

𝐹 𝐹′

Given 𝐹 and 𝐹′ = 𝜚(𝐹), with 𝜚 degree ℓ𝑓, find 𝜚

SLIDE 42

Claw algorithm

𝐹 𝐹′

Compute and store ℓ𝑓/2-isogenies on one side

SLIDE 43

Claw algorithm

𝐹 𝐹′

Compute and store ℓ𝑓/2-isogenies on one side

SLIDE 44

Claw algorithm

𝐹 𝐹′

… until you have all of them

SLIDE 45

Claw algorithm

𝐹 𝐹′

Now compute ℓ𝑓/2-isogenies on the other side

SLIDE 46

Claw algorithm

𝐹 𝐹′

… discarding them until you find a collision

SLIDE 47

Claw algorithm

𝐹 𝐹′

… discarding them until you find a collision

SLIDE 48

Claw algorithm

𝐹 𝐹′

… discarding them until you find a collision

SLIDE 49

Claw algorithm

𝐹 𝐹′

Collision will most likely be unique shortest path

SLIDE 50

Claw algorithm

𝐹 𝐹′ This path describes secret isogeny 𝜚 ∶ 𝐹 → 𝐹′

SLIDE 51

Claw algorithm: classical analysis

There are 𝑃(ℓ𝑓/2) curves ℓ𝑓/2-isogenous to 𝐹′ (the blue nodes

) thus 𝑃(ℓ𝑓/2) = 𝑃(𝑞1/4) classical memory

There are 𝑃(ℓ𝑓/2) curves ℓ𝑓/2-isogenous to 𝐹′ (the blue nodes ), and

there are 𝑃(ℓ𝑓/2) curves ℓ𝑓/2-isogenous to 𝐹 (the purple nodes ) thus 𝑃(ℓ𝑓/2) = 𝑃(𝑞1/4) classical time

Best

st (known)

wn) att

ttack cks: s: classical 𝑃(𝑞1/4) and quantum 𝑃(𝑞1/6)

Conf

nfid iden ence ce: : both complexities are optimal for a black-box claw attack

SLIDE 52

SIDH protocol summary

Se

Settin ing: g: supersingular elliptic curves 𝐹/𝔾𝑞2 where 𝑞 = 2𝑗3𝑘 − 1

Param

ameter eters: s: 𝐹0/𝔾𝑞2 ∶ 𝑧3 = 𝑦3 + 𝑦 with #𝐹0 = 2𝑗3𝑘 2 𝑄

𝐵, 𝑅𝐵 ∈ 𝐹0 2𝑗

and 𝑄𝐶, 𝑅𝐶 ∈ 𝐹0[3𝑘]

Public

lic key y generatio eration n (A (Alic ice): e): 𝑡 ∈ 0, 2𝑗 𝑇𝐵 = 𝑄

𝐵 + 𝑡 𝑅𝐵

𝜚𝐵 ∶ 𝐹0 → 𝐹𝐵: = 𝐹0/⟨𝑇𝐵⟩ send 𝐹𝐵, 𝜚𝐵 𝑄𝐶 , 𝜚𝐵(𝑅𝐶) to Bob

Sh

Shared ed key y generation ration (A (Alice): lice): 𝑇𝐵𝐶 = 𝜚𝐶 𝑄

𝐵 + 𝑡 𝜚𝐶 𝑅𝐵 ∈ 𝐹𝐶

𝜚𝐵′ ∶ 𝐹𝐶 → 𝐹𝐵𝐶: = 𝐹𝐶/⟨𝑇𝐵𝐶⟩ 𝑘𝐵𝐶 = 𝑘(𝐹𝐵𝐶)

𝐹 𝐹

1

𝐹

2

𝐹

3

𝐹

𝐵

𝑇

𝐵

𝐹

𝐶

𝐹

1′

𝐹

2′

𝐹

3′

𝐹

𝐵𝐶

𝑇

𝐵𝐶

𝐹0 𝐹𝐵 = 𝐹0/〈𝑇𝐵〉 𝐹0/〈𝑇𝐶〉 = 𝐹𝐶 𝜚𝐵 𝜚𝐶 𝜚𝐵′ 𝜚𝐶

′

SLIDE 53

SIDH security summary

Se

Setting ting: : supersingular elliptic curves 𝐹/𝔾𝑞2 where 𝑞 is a large prime

Hard problem

blem: Given 𝑄, 𝑅 ∈ 𝐹 and 𝜚 𝑄 , 𝜚 𝑅 ∈ 𝜚(𝐹), compute 𝜚 (where 𝜚 has fixed, smooth, public degree)

Be

Best st (kno nown) n) atta tacks ks: classical 𝑃(𝑞1/4) and quantum 𝑃(𝑞1/6)

SLIDE 54

Part 1: Quick re-motivation Part 2: Quick tutorial recap Part 3: SIKE

SLIDE 55

“The poor user is given enough rope with which to hang himself – something a standard should not do.”

Ron Rivest, 1992 (on DSA standard)

SLIDE 56

public key compression

SLIDE 57

𝐹𝑏,𝑐 ∶ 𝑐𝑧2 = 𝑦3 + 𝑏𝑦2 + 𝑦

Point and isogeny arithmetic in ℙ1

𝐹𝐵

𝐷,𝐶 𝐷

: 𝐶𝑍2𝑎 = 𝐷𝑌3 + 𝐵𝑌2𝑎 + 𝐷𝑌𝑎2 𝑦, 𝑧 ↔ (𝑌 ∶ 𝑍 ∶ 𝑎) 𝑏, 𝑐 ↔ (𝐵 ∶ 𝐶 ∶ 𝐷) ℙ1 point arithmetic: 𝑌 ∶ 𝑎 ↦ (𝑌′: 𝑎′) ℙ1 isogeny arithmetic: 𝐵 ∶ 𝐷 ↦ 𝐵′: 𝐷′ ECDH: move around different points on a fixed curve. SIDH: move around different points and different curves

𝐶 coefficient only fixes the quadratic twist, but 𝑘 𝐹 = 𝑘(𝐹′)

SLIDE 58

𝜚3 ∶ 𝐹𝑏,𝑐 → 𝐹𝑏′,𝑐′

Point and isogeny arithmetic in ℙ1

𝑦, 𝑧 ↦ 𝑦 ⋅ 𝑦 ⋅ 𝑦3 − 1 𝑦 − 𝑦3

2

, 𝑦 ⋅ 𝑦3 − 1 𝑦2 ⋅ 𝑦3 − 3𝑦 ⋅ 𝑦3

2 + 𝑦 + 𝑦3

𝑦 − 𝑦3 3 𝑏′, 𝑐′ = 𝑏 ⋅ 𝑦3 −6𝑦3

2 + 6 ⋅ 𝑦3, 𝑐 ⋅ 𝑦3 2

𝜚3 ∶ 𝐹𝐵/𝐷 ,𝐶/𝐷/{±1} → 𝐹𝐵′/𝐷′,𝐶′/𝐷′/{±1}

𝑌 ∶ 𝑎 ↦ 𝑌 𝑌3𝑌 − 𝑎3𝑎 2 ∶ 𝑎 𝑎3𝑌 − 𝑌3𝑎 2 𝐵′: 𝐷′ = 𝑎3

4 + 18𝑌3 2𝑎3 2 − 27𝑌3 2

∶ 4𝑌3𝑎3

3

SLIDE 59

Public keys are in 𝔾𝑞2

3

𝑄𝐿

𝐵 =

𝑦𝜚𝐵 𝑄𝐶 , 𝑦𝜚𝐵 𝑅𝐶 , 𝑦𝜚𝐵 𝑅𝐶−𝑄𝐶

Conversely, if 𝑆 = ±(𝑅 − 𝑄) on 𝐹𝑏 ∶ 𝑧2 = 𝑦3 + 𝑏𝑦2 + 𝑦, then 𝑏 = 1 − 𝑦𝑄𝑦𝑅 − 𝑦𝑄𝑦𝑆 − 𝑦𝑅𝑦𝑆

2

4𝑦𝑄𝑦𝑅𝑦𝑆 − 𝑦𝑄 − 𝑦𝑅 − 𝑦𝑆

SLIDE 60

The starting curve

𝐹0 ∶ 𝑧2 = 𝑦3 + 𝑦

Computing 𝜚 ∶ 𝐹0 → 𝐹′ is broadly equivalent to computing End(𝐹′)

(see Kohel’s thesis, Galbraith-Vercauteren survey, Galbraith-Petit-Shani-Ti)

Computing 𝜚 ∶ 𝐹0 → 𝐹′ is subexponential if 𝐹′ is defined over 𝔾𝑞

(see Biasse-Jao-Sankar, Galbraith-Delfs)

Known security not damaged, but perhaps we’d prefer to start on 𝐹0/𝔾𝑞2 when End 𝐹 is not known. Don’t know how?

SLIDE 61

Generating secret kernels

Recall We take

𝑄

𝐵, 𝑅𝐵 ∈ 𝐹0[2𝑓𝐵] and 𝑄𝐶, 𝑅𝐶 ∈ 𝐹0[3𝑓𝐶] with full order Weil pairings

Alice’s secret is 𝑛𝐵 𝑄

𝐵 + 𝑜𝐵 𝑅𝐵 , Bob’s is ⟨ 𝑛𝐶 𝑄𝐶 + 𝑜𝐶 𝑅𝐶⟩

𝑛𝐵 = 𝑛𝐶 = 1, 𝑜𝐵 ∈ [0,2ℓ) and 𝑜𝐶 ∈ [0,2ℓ′)
𝑅𝐵 = [3𝑓𝐶] 𝑨1, − and 𝑄

𝐵 = [3𝑓𝐶](𝑨2 + 𝑗, −)

𝑅𝐶 = 2𝑓𝐵

𝑨3, − and 𝑄𝐶 = [2𝑓𝐵](𝑨4 + 𝑗, −) Consequences

Simple, uniform “3 point ladder” for computing 𝑄 + 𝑜 𝑅 [see FLOR’17]
𝑆 = 𝑄 + 𝑜 𝑅 can never be such that [2𝑨]𝑆 = 0,0 , so one 4-isogeny function
Don’t reach all possible subgroups. Problem?

𝑨𝑗 ∈ ℕ smallest such that points span torsions 𝔾𝑞 𝔾𝑞2

SLIDE 62

The main loop

Optimal strategy [DJP’11] is harder , but much faster Simple, but slow e.g. 𝟑𝟗𝟓𝟓𝟐 × 3 + 𝟑𝟒𝟘 × 𝜚3 𝑦 e.g. 𝟗𝟐𝟐 × 3 + 𝟐𝟐𝟑𝟓 × 𝜚3 𝑦 Spec/code gives concrete algorithm for deriving, checking and executing the optimal strategy

SLIDE 63

Galbraith-Petit-Shani-Ti: 𝑄, 𝑅 both order 2𝑓𝐵, and Alice’s static secret 𝛽 ∈ ℤ

𝑄 + 𝛽 𝑅 = ⟨𝑄 + 𝛽 𝑅 + 2𝑓𝐵−1 𝑄 ⟩ iff 𝛽 is even

Send Alice ෨

𝑄 = 𝑄 and ෨ 𝑅 = (𝑅 + 2𝑓𝐵−1 𝑄), if DH works fine, then 𝛽 is even, else odd

Even

n case (𝛽 = 2 ො 𝛽): 𝑄 + 2 ො 𝛽 𝑅 = ⟨𝑄 + 2 ො 𝛽 𝑅 + 2𝑓𝐵−2 𝑄 ⟩ iff ො 𝛽 is even so send ෨ 𝑄 = 𝑄and ෨ 𝑅 = (𝑅 + 2𝑓𝐵−2 𝑄)

Odd case (𝛽 = 2 ො

𝛽 + 1): 𝑄 + 2 ො 𝛽 + 1 𝑅 = ⟨𝑄 − 2𝑓𝐵−2 𝑅 + 2 ො 𝛽 + 1 𝑅 + 2𝑓𝐵−2 𝑅 ⟩ iff ො 𝛽 is even so send ෨ 𝑄 = 1 − 2𝑓𝐵−2 𝑄 and ෨ 𝑅 = 1 + 2𝑓𝐵−2 𝑅

… continuing yields 𝛽 in log2𝛽 adaptive interactions!!!

No known Weil to detect foul play, provided ෨ 𝑄, ෨ 𝑅 are scaled correctly!

The problem with reusing static keys

SLIDE 64

Alice Passively secure encryption (IND-CPA PKE), à la ElGamal Bob

𝑄𝐿

𝐵 =

𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 𝑄𝐿𝐶 = 𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵

𝑘 = 𝑘 𝐹𝐶𝐵 = 𝑘 𝜚𝐶 𝜚𝐵 𝐹0 𝑄𝐿𝐶 , 𝐼1 𝑘 ⊕ 𝑛 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘 𝜚𝐵 𝜚𝐶 𝐹0

SLIDE 65

Actively secure key encapsulation (IND-CCA KEM) Alice Bob

𝑄𝐿

𝐵 =

𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 𝑄𝐿𝐶 = 𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵

𝑘 = 𝑘 𝐹𝐶𝐵 = 𝑘 𝜚𝐶 𝜚𝐵 𝐹0 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘 𝜚𝐵 𝜚𝐶 𝐹0 𝑄𝐿𝐶 , 𝐼1 𝑘 ⊕ 𝑛

SLIDE 66

Actively secure key encapsulation (IND-CCA KEM) Alice Bob

𝑄𝐿

𝐵 =

𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 𝑄𝐿𝐶(𝑠) = 𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵

𝑘 = 𝑘 𝐹𝐶𝐵 = 𝑘 𝜚𝐶 𝜚𝐵 𝐹0 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘 𝜚𝐵 𝜚𝐶 𝐹0 𝑄𝐿𝐶(𝑠) , 𝐼1 𝑘 ⊕ 𝑛 𝑡 ∈𝑆 0,1 ℓ 𝑛 ∈𝑆 0,1 ℓ 𝑠 = 𝐼2(𝑄𝐿

𝐵, 𝑛)

SLIDE 67

Actively secure key encapsulation (IND-CCA KEM) Alice Bob

𝑄𝐿

𝐵 =

𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 𝑄𝐿𝐶(𝑠) = 𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵

𝑘 = 𝑘 𝐹𝐶𝐵 = 𝑘 𝜚𝐶 𝜚𝐵 𝐹0 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘 𝜚𝐵 𝜚𝐶 𝐹0 𝑑 = 𝑄𝐿𝐶(𝑠) , 𝐼1 𝑘 ⊕ 𝑛 𝑡 ∈𝑆 0,1 ℓ 𝑛 ∈𝑆 0,1 ℓ 𝑠 = 𝐼2(𝑄𝐿

𝐵, 𝑛)

𝐿 = 𝐼3(𝑑, 𝑛)

SLIDE 68

Actively secure key encapsulation (IND-CCA KEM) Alice Bob

𝑄𝐿

𝐵 =

𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 𝑄𝐿𝐶(𝑠) = 𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵

𝑘 = 𝑘 𝐹𝐶𝐵 = 𝑘 𝜚𝐶 𝜚𝐵 𝐹0 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘 𝜚𝐵 𝜚𝐶 𝐹0 𝑑 = 𝑄𝐿𝐶(𝑠) , 𝐼1 𝑘 ⊕ 𝑛 𝑡 ∈𝑆 0,1 ℓ 𝑛 ∈𝑆 0,1 ℓ 𝑠 = 𝐼2(𝑄𝐿

𝐵, 𝑛)

𝐿 = 𝐼3(𝑑, 𝑛) 𝑛′ = 𝑑 2 ⊕ 𝐼1(𝑘)

SLIDE 69

Actively secure key encapsulation (IND-CCA KEM) Alice Bob

𝑄𝐿

𝐵 =

𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 𝑄𝐿𝐶(𝑠) = 𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵

𝑘 = 𝑘 𝐹𝐶𝐵 = 𝑘 𝜚𝐶 𝜚𝐵 𝐹0 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘 𝜚𝐵 𝜚𝐶 𝐹0 𝑑 = 𝑄𝐿𝐶(𝑠) , 𝐼1 𝑘 ⊕ 𝑛 𝑡 ∈𝑆 0,1 ℓ 𝑛 ∈𝑆 0,1 ℓ 𝑠 = 𝐼2(𝑄𝐿

𝐵, 𝑛)

𝐿 = 𝐼3(𝑑, 𝑛) 𝑛′ = 𝑑 2 ⊕ 𝐼1(𝑘) 𝑠′ = 𝐼2(𝑄𝐿

𝐵, 𝑛′)

SLIDE 70

Actively secure key encapsulation (IND-CCA KEM) Alice Bob

𝑄𝐿

𝐵 =

𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 𝑄𝐿𝐶(𝑠) = 𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵

𝑘 = 𝑘 𝐹𝐶𝐵 = 𝑘 𝜚𝐶 𝜚𝐵 𝐹0 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘 𝜚𝐵 𝜚𝐶 𝐹0 𝑑 = 𝑄𝐿𝐶(𝑠) , 𝐼1 𝑘 ⊕ 𝑛 𝑡 ∈𝑆 0,1 ℓ 𝑛 ∈𝑆 0,1 ℓ 𝑠 = 𝐼2(𝑄𝐿

𝐵, 𝑛)

𝐿 = 𝐼3(𝑑, 𝑛) 𝑛′ = 𝑑 2 ⊕ 𝐼1(𝑘) 𝑠′ = 𝐼2(𝑄𝐿

𝐵, 𝑛′)

if if 𝑄𝐿𝐶 𝑠′ = 𝑑[1] then 𝐿 = 𝐼3(𝑑, 𝑛′) else se 𝐿 = 𝐼3(𝑑, 𝑡)

SLIDE 71

Actively secure key encapsulation (IND-CCA KEM) Alice Bob

𝑄𝐿

𝐵 =

𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 𝑄𝐿𝐶(𝑠) = 𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵

𝑘 = 𝑘 𝐹𝐶𝐵 = 𝑘 𝜚𝐶 𝜚𝐵 𝐹0 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘 𝜚𝐵 𝜚𝐶 𝐹0 𝑑 = 𝑄𝐿𝐶(𝑠) , 𝐼1 𝑘 ⊕ 𝑛 𝑡 ∈𝑆 0,1 ℓ 𝑛 ∈𝑆 0,1 ℓ 𝑠 = 𝐼2(𝑄𝐿

𝐵, 𝑛)

𝐿 = 𝐼3(𝑑, 𝑛) 𝑛′ = 𝑑 2 ⊕ 𝐼1(𝑘) 𝑠′ = 𝐼2(𝑄𝐿

𝐵, 𝑛′)

if if 𝑄𝐿𝐶 𝑠′ = 𝑑[1] then 𝐿 = 𝐼3(𝑑, 𝑛′) else se 𝐿 = 𝐼3(𝑑, 𝑡)

𝐼1 𝑘 = cSHAKE256(𝑘, 𝑙, " ", 2) 𝐼2 𝑄𝐿

𝐵, 𝑛 = cSHAKE256(𝑛||𝑄𝐿 𝐵, 𝑓2, " ", 0)

𝐼3 𝑑, 𝑛 = cSHAKE256(𝑛||𝑑, 𝑙, " " , 1)

SLIDE 72

The curves and their security estimates

Name (SIKEp+ ⌈log2 𝑞⌉) (𝒇𝑩, 𝒇𝑪) 𝒍 𝟑𝒍−𝟐 𝐧𝐣𝐨 ( 𝟑𝒇𝑩, 𝟒𝒇𝟒) √𝟑𝒍 𝐧𝐣𝐨 (∛𝟑𝒇𝟑, ∛𝟒𝒇𝟒) SIKEp503 (250,159) 128 2127 2125 264 283 SIKEp761 (372,239) 192 2191 2186 296 2124 SIKEp964 (486,301) 256 2255 2238 2128 2159 𝑞 = 2𝑓𝐵3eB − 1

SLIDE 73

SIKE vs. IND-CCA lattice KEMs

Name Primitive Quantum sec (bits) Encaps+ Decaps (ms) Size of Encaps. (KB) NTRU-KEM NTRU 123 0.03 1.3 Kyber M-LWE 161 0.07 1.2 FrodoKEM LWE 103-150 1.2 – 2.3 9.5 – 15.4 SIKE Supersingular Isogeny 84-125 10 – 30 0.4 – 0.6

Results obtained on 3.4GHz Intel Haswell (Kyber and NTRU-KEM) or Skylake (FrodoKEM and SIKE)

SLIDE 74

Easy ECDH hybrid

There are exponentially many 𝑏 such that 𝐹𝑏 /𝔾𝑞2: 𝑧2 = 𝑦3 + 𝑏𝑦2 + 𝑦 is in the supersingular isogeny class. These are all unsuitable for ECDH. There are also exponentially many 𝐵 such that 𝐹𝑏 /𝔾𝑞: 𝑧2 = 𝑦3 + 𝑏𝑦2 + 𝑦 is suitable for ECDH. E.g., smallest 𝑏 ∈ 𝔾𝑞 such that 𝐹𝑏 is twist-secure.

Public keys only 1.17x larger , slowdown less than this, but…. e.g., on smallest curve we replace 128-bit classical security (SSDDH) with 256-bit classical security (ECDLP)

SLIDE 75