twitter patricklonga outline
play

Twitter: @PatrickLonga Outline Motivation: the quantum menace - PowerPoint PPT Presentation

Apr 07, 2023 β€’269 likes β€’1.82k views

https://microsoft.com/en-us/research/people/plonga http://patricklonga.com Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange from supersingular isogenies: Preliminaries SIDH SIKE

  1. Ell lliptic curves and is isogenies β€’ Let 𝐹 1 and 𝐹 2 be elliptic curves defined over an extension field 𝑀 . β€’ An isogeny is a (non-constant) rational map 𝜚 : 𝐹 1 β†’ 𝐹 2 that preserves identity, i.e., 𝜚(𝒫 𝐹 1 ) β†’ 𝒫 𝐹 2 . Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 12

  2. Ell lliptic curves and is isogenies β€’ Let 𝐹 1 and 𝐹 2 be elliptic curves defined over an extension field 𝑀 . β€’ An isogeny is a (non-constant) rational map 𝜚 : 𝐹 1 β†’ 𝐹 2 that preserves identity, i.e., 𝜚(𝒫 𝐹 1 ) β†’ 𝒫 𝐹 2 . Relevant properties: β€’ Isogenies are group homomorphisms. β€’ For every finite subgroup 𝐻 βŠ† 𝐹 1 , there is a unique curve 𝐹 2 (up to isomorphism) and isogeny 𝜚 : 𝐹 1 β†’ 𝐹 2 with kernel 𝐻 . Write 𝐹 2 = 𝜚 𝐹 1 = 𝐹 1 / 𝐻 . β€’ (Separable) isogenies have deg 𝜚 = # ker 𝜚 . Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 12

  3. Supersingular curves β€’ An elliptic curve 𝐹/𝑀 is supersingular if #𝐹(𝑀) ≑ 1(mod π‘ž) . β€’ All supersingular curves can be defined over 𝔾 π‘ž 2 . β€’ There are ~ 𝒒/πŸπŸ‘ isomorphism classes of supersingular curves. Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 13

  4. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  5. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . Same j-invariant Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  6. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . β€’ Edges: isogenies of a fixed prime degree 𝓂 ∀ π‘ž 𝓂 = 2 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  7. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . β€’ Edges: isogenies of a fixed prime degree 𝓂 ∀ π‘ž 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝓂 = 2 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  8. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . β€’ Edges: isogenies of a fixed prime degree 𝓂 ∀ π‘ž For any prime 𝓂 ∀ π‘ž , there exist (𝓂 + 1) isogenies of degree 𝓂 originating from every supersingular curve. 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝓂 = 2 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  9. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . β€’ Edges: isogenies of a fixed prime degree 𝓂 ∀ π‘ž For any prime 𝓂 ∀ π‘ž , there exist (𝓂 + 1) isogenies of degree 𝓂 originating from every supersingular curve. 𝜚 3 𝜚 2 𝜚 2 𝜚 2 𝜚 3 𝜚 3 𝜚 2 𝜚 3 𝜚 2 𝜚 3 𝜚 3 𝜚 2 𝜚 3 𝜚 3 𝜚 2 𝜚 2 𝜚 3 𝜚 2 𝜚 3 𝜚 2 𝜚 3 𝜚 3 𝜚 2 𝜚 2 𝜚 3 𝜚 2 𝜚 3 𝜚 3 𝓂 = 2 𝓂 = 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  11. SID IDH in in a nutshell Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

  12. SID IDH in in a nutshell 𝐹 0 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

  13. SID IDH in in a nutshell 𝐹 𝐡 𝐹 0 𝐹 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

  14. SID IDH in in a nutshell 𝐹 𝐡 𝐹 𝐢𝐡 𝐹 0 𝐹 𝐡𝐢 Same j-invariant 𝐹 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

  15. SID IDH: : setup Set 𝓂 ∈ 2,3 , supersingular curve 𝐹 0 /𝔾 π‘ž 2 with a prime π‘ž = 𝑔 βˆ™ 2 𝑓 𝐡 3 𝑓 𝐢 βˆ’ 1 such that 2 𝑓 𝐡 β‰ˆ 3 𝑓 𝐢 and 𝑔 small. β€’ Then: 𝐹 2 𝑓 𝐡 , 𝐹[3 𝑓 𝐢 ] βŠ‚ 𝐹 0 (𝔾 π‘ž 2 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 16

  16. SID IDH: : setup Set 𝓂 ∈ 2,3 , supersingular curve 𝐹 0 /𝔾 π‘ž 2 with a prime π‘ž = 𝑔 βˆ™ 2 𝑓 𝐡 3 𝑓 𝐢 βˆ’ 1 such that 2 𝑓 𝐡 β‰ˆ 3 𝑓 𝐢 and 𝑔 small. β€’ Then: 𝐹 2 𝑓 𝐡 , 𝐹[3 𝑓 𝐢 ] βŠ‚ 𝐹 0 (𝔾 π‘ž 2 ) works over 𝐹[2 𝑓 𝐡 ] using 2-isogenies and linearly independent points 𝑄 𝐡 , 𝑅 𝐡 . works over 𝐹[3 𝑓 𝐢 ] using 3-isogenies and linearly independent points 𝑄 𝐢 , 𝑅 𝐢 . Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 16

  17. SID IDH protocol private Alice private Bob public params E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  18. SID IDH protocol private Alice private Bob public params E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  19. SID IDH protocol private Alice private Bob public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  20. SID IDH protocol private Alice private Bob public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐢 = 𝐹 0 / 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  21. SID IDH protocol private Alice private Bob public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐢 = 𝐹 0 / 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  22. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  23. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 β€² ) = 𝐡′ = 𝑆 𝐢 + [𝑑 𝐡 ]𝑇 𝐢 𝑙𝑓𝑠(𝜚 𝐡 𝐹 𝐢𝐡 = 𝐹 𝐢 / 𝐡′ β€² 𝜚 𝐡 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} 𝐡′ = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝜚 𝐢 𝑅 𝐡 = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 = 𝜚 𝐢 𝐡 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  24. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 β€² 𝜚 𝐢 E ’ s are isogenous curves 𝐹 𝐡𝐢 = 𝐹 𝐡 / 𝐢 β€² P ’ s, Q ’ s, R ’ s, S ’ s are points β€² 𝑙𝑓𝑠 𝜚 𝐢 = 𝐢′ = 𝑆 𝐡 + [𝑑 𝐢 ]𝑇 𝐡 𝐹 0 β€² ) = 𝐡′ = 𝑆 𝐢 + [𝑑 𝐡 ]𝑇 𝐢 𝑙𝑓𝑠(𝜚 𝐡 𝐹 𝐢𝐡 = 𝐹 𝐢 / 𝐡′ β€² 𝜚 𝐡 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} 𝐡′ = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝜚 𝐢 𝑅 𝐡 = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 = 𝜚 𝐢 𝐡 𝐢 β€² = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝜚 𝐡 𝑅 𝐢 = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 = 𝜚 𝐡 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  25. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 β€² 𝜚 𝐢 E ’ s are isogenous curves 𝐹 𝐡𝐢 = 𝐹 𝐡 / 𝐢 β€² P ’ s, Q ’ s, R ’ s, S ’ s are points β€² 𝑙𝑓𝑠 𝜚 𝐢 = 𝐢′ = 𝑆 𝐡 + [𝑑 𝐢 ]𝑇 𝐡 𝐹 0 β€² ) = 𝐡′ = 𝑆 𝐢 + [𝑑 𝐡 ]𝑇 𝐢 𝑙𝑓𝑠(𝜚 𝐡 𝐹 𝐢𝐡 = 𝐹 𝐢 / 𝐡′ β€² 𝜚 𝐡 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} 𝐡′ = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝜚 𝐢 𝑅 𝐡 = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 = 𝜚 𝐢 𝐡 𝐢 β€² = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝜚 𝐡 𝑅 𝐢 = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 = 𝜚 𝐡 𝐢 β€² (𝜚 𝐡 (𝐹 0 )) β‰… 𝐹 0 / 𝑄 β€² (𝜚 𝐢 𝐹 0 ) 𝐹 𝐡𝐢 = 𝜚 𝐢 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 , 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 β‰… 𝐹 𝐢𝐡 = 𝜚 𝐡 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  26. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 0 / 𝐡, 𝐢 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} 𝐡′ = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝜚 𝐢 𝑅 𝐡 = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 = 𝜚 𝐢 𝐡 𝐢 β€² = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝜚 𝐡 𝑅 𝐢 = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 = 𝜚 𝐡 𝐢 β€² (𝜚 𝐡 (𝐹 0 )) β‰… 𝐹 0 / 𝑄 β€² (𝜚 𝐢 𝐹 0 ) 𝐹 𝐡𝐢 = 𝜚 𝐢 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 , 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 β‰… 𝐹 𝐢𝐡 = 𝜚 𝐡 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  27. SID IDH protocol Drawback: β€’ SIDH is not secure when keys are reused (Galbraith-Petit-Shani-Ti 2016) β€’ Only recommended in ephemeral mode Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 18

  29. Supersingular is isogeny key encapsulation (S (SIK IKE) β€’ IND-CCA secure key encapsulation: no problem reusing keys! β€’ Uses a variant of Hofheinz – HΓΆvelmanns – Kiltz (HHK) transform: IND-CPA PKE β†’ IND-CCA KEM β€’ HHK transform is secure in both the classical and quantum ROM models β€’ Offline key generation gives performance boost (no perf loss SIDH β†’ SIKE) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 19

  30. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  31. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } β€² (𝜚 𝐢 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  32. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 encryption 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } β€² (𝜚 𝐢 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  33. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 encryption 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 Decaps 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 𝑑 = (pk 𝐡 , 𝐺(π‘˜) βŠ• 𝑛) β€² (𝜚 𝐢 (𝐹 0 ))) β€² (𝜚 𝐡 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 1. π‘˜β€² = π‘˜ 𝐹 𝐢𝐡 = π‘˜(𝜚 𝐢 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) 2 . 𝑛 β€² = 𝐺(π‘˜β€²) βŠ• 𝑑[2] 3 . 𝑠 β€² = 𝐻 𝑛 β€² , pk 𝐢 mod 2 𝑓 𝐡 4 . Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠′]𝑅 𝐡 β€² = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 5. pk 𝐡 β€² = 𝑑[1] then 6. If pk 𝐡 Shared key: 𝑑𝑑 = 𝐼(𝑛 β€² , 𝑑) 7 . Else 𝑑𝑑 = 𝐼(𝑑, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  34. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 encryption 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 Decaps 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 𝑑 = (pk 𝐡 , 𝐺(π‘˜) βŠ• 𝑛) β€² (𝜚 𝐢 (𝐹 0 ))) β€² (𝜚 𝐡 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 1. π‘˜β€² = π‘˜ 𝐹 𝐢𝐡 = π‘˜(𝜚 𝐢 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) 2 . 𝑛 β€² = 𝐺(π‘˜β€²) βŠ• 𝑑[2] 3 . 𝑠 β€² = 𝐻 𝑛 β€² , pk 𝐢 mod 2 𝑓 𝐡 decryption 4 . Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠′]𝑅 𝐡 β€² = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 5. pk 𝐡 β€² = 𝑑[1] then 6. If pk 𝐡 Shared key: 𝑑𝑑 = 𝐼(𝑛 β€² , 𝑑) 7 . Else 𝑑𝑑 = 𝐼(𝑑, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  35. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 encryption 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 Decaps 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 𝑑 = (pk 𝐡 , 𝐺(π‘˜) βŠ• 𝑛) β€² (𝜚 𝐢 (𝐹 0 ))) β€² (𝜚 𝐡 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 1. π‘˜β€² = π‘˜ 𝐹 𝐢𝐡 = π‘˜(𝜚 𝐢 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) 2 . 𝑛 β€² = 𝐺(π‘˜β€²) βŠ• 𝑑[2] 3 . 𝑠 β€² = 𝐻 𝑛 β€² , pk 𝐢 mod 2 𝑓 𝐡 decryption 4 . Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠′]𝑅 𝐡 β€² = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 5. pk 𝐡 β€² = 𝑑[1] then partial re-encryption 6. If pk 𝐡 Shared key: 𝑑𝑑 = 𝐼(𝑛 β€² , 𝑑) 𝐺, 𝐻, 𝐼 instantiated with cSHAKE256. 7 . Else 𝑑𝑑 = 𝐼(𝑑, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  37. Computation la layers protocol SIDH, SIKE Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  38. Computation la layers protocol SIDH, SIKE high-level point and 𝑄 + 𝑑 𝑅 , 𝓂 𝑓 -degree isogenies curve arithmetic Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  39. Computation la layers protocol SIDH, SIKE high-level point and 𝑄 + 𝑑 𝑅 , 𝓂 𝑓 -degree isogenies curve arithmetic low-level point and 2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄) curve arithmetic Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  40. Computation la layers protocol SIDH, SIKE high-level point and 𝑄 + 𝑑 𝑅 , 𝓂 𝑓 -degree isogenies curve arithmetic low-level point and 2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄) curve arithmetic 𝔾 π‘ž 2 add, mul, sqr, inv extension field arithmetic Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  41. Computation la layers protocol SIDH, SIKE high-level point and 𝑄 + 𝑑 𝑅 , 𝓂 𝑓 -degree isogenies curve arithmetic low-level point and 2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄) curve arithmetic 𝔾 π‘ž 2 add, mul, sqr, inv extension field arithmetic 𝔾 π‘ž add, mul, inv field arithmetic Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  43. Hig igh-level point and curve ari rithmetic Two main internal computations: β€’ Double-scalar multiplications to construct kernels 𝑄 + 𝑑 𝑅 β€’ Smooth, 𝓢 𝒇 -degree isogeny computations 𝜚: 𝐹 0 β†’ 𝐹′ Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 22

  44. Computing 𝑄 + 𝑑 𝑅 Three-point differential ladder (x-only, variable point) β€’ De Feo-Jao-PlΓ»t (2014), step cost = 1DBL + 2ADD β€’ Faz-HernΓ‘ndez et al. (2018), step cost = 1DBL + 1ADD Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 23

  45. Computing 𝑄 + 𝑑 𝑅 [F [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  46. Computing 𝑄 + 𝑑 𝑅 [F [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  47. Computing 𝑄 + 𝑑 𝑅 [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g [F Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 𝒕 𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  48. Computing 𝑄 + 𝑑 𝑅 [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g [F Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 𝒕 𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ‘ = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  49. Computing 𝑄 + 𝑑 𝑅 [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g [F Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 𝒕 𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ‘ = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ’ = 𝟐 𝑄 + 12 𝑅 16 𝑅 [4]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  50. Computing 𝑄 + 𝑑 𝑅 [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g [F Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 𝒕 𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ‘ = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ’ = 𝟐 𝑄 + 12 𝑅 16 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ“ = 𝟏 𝑸 + πŸπŸ‘ 𝑹 32 𝑅 [20]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  51. Computing 𝓂 𝑓 -degree is isogenies β€’ Construct it as a composition of multiple (small, prime-degree) isogenies 𝐹 𝐡 𝐹 0 𝐹 0 / 𝐡, 𝐢 𝐹 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

  52. Computing 𝓂 𝑓 -degree is isogenies β€’ Construct it as a composition of multiple (small, prime-degree) isogenies 𝐹 𝐡 𝐹 0 𝐹 0 / 𝐡, 𝐢 𝐹 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

  53. Computing 𝓂 𝑓 -degree is isogenies β€’ Construct it as a composition of multiple (small, prime-degree) isogenies 𝐹 𝐡 𝐹 0 𝐹 0 / 𝐡, 𝐢 𝐹 𝐢 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 𝐢 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ β‹― βˆ™βˆ™ 𝜚 π‘“βˆ’1 𝐹 0 𝐹 1 𝐹 2 𝐹 3 𝐹 4 𝐹 𝐢 𝜚 π‘“βˆ’1 𝜚 0 𝜚 2 𝜚 1 𝜚 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

  54. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  55. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  56. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 Compute 3 4 -degree isogeny: 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  57. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 𝐹 4 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  58. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  59. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  60. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  61. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  62. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 ( + ) slope: point operations Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  63. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 ( + ) slope: point operations ( βˆ’ ) slope: isogeny operations Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  64. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 𝐹 4 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  65. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 𝐹 4 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  66. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 3 𝐹 4 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  67. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 3 𝐹 4 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  68. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 3 𝐹 4 𝜚 0 = 𝐹 0 / 81𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  69. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 3 𝐹 4 𝜚 0 = 𝐹 0 / 81𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 1 = 𝜚 0 (𝐹 0 ) 3 𝑄 3 𝑄 1 = 𝜚 0 (𝑄 0 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  70. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 3 𝐹 4 𝜚 0 = 𝐹 0 / 81𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 1 = 𝜚 0 (𝐹 0 ) 3 𝑄 3 𝑄 1 = 𝜚 0 (𝑄 0 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  71. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 3 𝐹 4 𝜚 1 = 𝐹 1 / 27𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  72. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 3 𝐹 4 𝜚 1 = 𝐹 1 / 27𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 2 = 𝜚 1 (𝐹 1 ) 3 𝑄 3 𝑄 2 = 𝜚 1 (𝑄 1 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  73. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 1 = 𝐹 1 / 27𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 2 = 𝜚 1 (𝐹 1 ) 3 𝑄 3 𝑄 2 = 𝜚 1 (𝑄 1 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  74. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 2 = 𝐹 2 / 9𝑄 2 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  75. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝑄 3 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 2 = 𝐹 2 / 9𝑄 2 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 3 = 𝜚 2 (𝐹 2 ) 3 𝑄 3 𝑄 3 = 𝜚 2 (𝑄 2 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  76. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 3 3 𝑄 0 𝑄 3 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 2 = 𝐹 2 / 9𝑄 2 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 3 = 𝜚 2 (𝐹 2 ) 3 𝑄 3 𝑄 3 = 𝜚 2 (𝑄 2 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  77. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝑄 3 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 3 = 𝐹 3 / 3𝑄 3 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  78. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝑄 3 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 3 = 𝐹 3 / 3𝑄 3 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 4 = 𝜚 3 (𝐹 3 ) 3 𝑄 3 𝑄 4 𝑄 4 = 𝜚 3 (𝑄 3 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and

Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and

Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and Alek Kolcz Twitter, Inc. 1 Image source:google.com/images Large-Scale Machine Learning at Twitter Outline Outline Is twitter big data?

582 views β€’ 40 slides
Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD?

Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD?

Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD? Twitter is free! Twitter is flexible CPD from your phone Twitter crosses professional, hierarchical and geographical boundaries You

595 views β€’ 13 slides
WYSI (not always) WYG (but it can be) d.o./twitter: Andrew_Mallis ideograph OUTLINE

WYSI (not always) WYG (but it can be) d.o./twitter: Andrew_Mallis ideograph OUTLINE

WYSI (not always) WYG (but it can be) d.o./twitter: Andrew_Mallis ideograph OUTLINE context modules! concepts (distro) demo site google doc https://bit.ly/d7wysiwyg what you want http://bit.ly/WlUqcd what you get

671 views β€’ 36 slides
Sentiment Analysis in Twitter Rohit Kumar Jha, Sakaar Khurana Sentiment Analysis in Twitter

Sentiment Analysis in Twitter Rohit Kumar Jha, Sakaar Khurana Sentiment Analysis in Twitter

Sentiment Analysis in Twitter Rohit Kumar Jha, Sakaar Khurana Sentiment Analysis in Twitter Outline Introduction Problem Statement Motivation Previous Works Bag of Words Model Feature Extraction Unigrams Unigram+Bigram POS Tagging Naive

727 views β€’ 24 slides
Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC

Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC

Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC Twitter reps Tony Printezis VM Team | Infrastructure Org | Twitter ex-HotSpot (Sun / Oracle, 6+ years), ex-SunLabs (3+ years) Ramki

192 views β€’ 15 slides
Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and

Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and

Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and connect with other webinar participants. AMSSA can be found on Twitter @amssabc Tim Foran Immigration, Refugees and Citizenship Canada (IRCC)

1.53k views β€’ 116 slides
ML at Twitter: A Deep Dive into Twitters Timeline Cibele Montez Halasz, Twitter Cortex

ML at Twitter: A Deep Dive into Twitters Timeline Cibele Montez Halasz, Twitter Cortex

Twitter Cortex Twitter Timelines Quality ML at Twitter: A Deep Dive into Twitters Timeline Cibele Montez Halasz, Twitter Cortex Satanjeev Bano Banerjee, Twitter Timelines Quality OReilly AI Conference April 2019 Agenda 1 ML at

814 views β€’ 66 slides
Operations at Twitter John Adams Twitter Operations John Adams / @netik Early Twitter

Operations at Twitter John Adams Twitter Operations John Adams / @netik Early Twitter

Operations at Twitter John Adams Twitter Operations John Adams / @netik Early Twitter employee Lead engineer: Application Services (Apache, Unicorn, SMTP, etc...) Keynote Speaker: OReilly Velocity 2009 OReilly Web 2.0

771 views β€’ 46 slides
Twitter and Your (Academic) Job Search Goals Increase your awareness of Twitter and its

Twitter and Your (Academic) Job Search Goals Increase your awareness of Twitter and its

Twitter and Your (Academic) Job Search Goals Increase your awareness of Twitter and its features that are designed to help you in your job search and build your network Teach you how to STRATEGICALLY navigate Twitter and all of

879 views β€’ 55 slides
Twitter: #empower18 1 VUCA Volatile Uncertain Complex Ambiguous 2 Ed Catmull Because

Twitter: #empower18 1 VUCA Volatile Uncertain Complex Ambiguous 2 Ed Catmull Because

Li Listen, Imagine, Act: Bu Building a a Co Community o y of Th Thin inkers an and Doers Bena Kallick Email: kallick.bena@gmail.com Twitter: @benakallick Allison Zmuda Email: allison@allisonzmuda.com Twitter: @allison_zmuda Twitter:

586 views β€’ 20 slides
//Dashboard //Twitter Panel //Twitter Panel Context and Actions Act based on the document

//Dashboard //Twitter Panel //Twitter Panel Context and Actions Act based on the document

//Dashboard //Twitter Panel //Twitter Panel Context and Actions Act based on the document Act on the document I cant understand! Bring more context. //Twitter Panel Fill-in survey //Twitter Panel Link Restaurant //Twitter Panel

202 views β€’ 7 slides
@TwitterSports #NGBSummit @TJay August 21 2017 Agenda About Twitter Video on Twitter Best

@TwitterSports #NGBSummit @TJay August 21 2017 Agenda About Twitter Video on Twitter Best

@TwitterSports #NGBSummit @TJay August 21 2017 Agenda About Twitter Video on Twitter Best from IAAF Worlds 2017 Opportunities for NGBs Twitter is whats happening in the world and what people are talking about right now. 94 Billion

851 views β€’ 35 slides
Fixing Twitter ... and Finding your own Fail Whale John Adams Twitter Operations

Fixing Twitter ... and Finding your own Fail Whale John Adams Twitter Operations

Fixing Twitter ... and Finding your own Fail Whale John Adams Twitter Operations <jna@twitter.com> Operations Small team, growing rapidly. What do we do? Software Performance (back-end) Availability Capacity Planning

1.16k views β€’ 49 slides
Twitter Data Processing with MongoDB By Ama & Sameera Introduction Create twitter

Twitter Data Processing with MongoDB By Ama & Sameera Introduction Create twitter

Twitter Data Processing with MongoDB By Ama & Sameera Introduction Create twitter developer account Get access key Access REST API Execute some POST and GET queries Download a sample of twitter streaming data

464 views β€’ 30 slides
MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL

MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL

Twitter, Inc. MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL @Twitter Background Migration Process Migration Challenges Post-Deployment Challenges Future Plans Q&A

703 views β€’ 44 slides
Twitter in Mobile Mobile users do more and engage more 73% Mobile is the heart of the Twitter 6

Twitter in Mobile Mobile users do more and engage more 73% Mobile is the heart of the Twitter 6

TWITTER Twitter in Mobile Mobile users do more and engage more 73% Mobile is the heart of the Twitter 6 @TwitterAdsUK | Confidential http://www.pg.com.tr/procter/index.htm TWITTER DUAL SCREENING @TwitterAdsUK | Confidential

451 views β€’ 34 slides
CSE 447/547: Natural Language Processing Deep Learning Winter 2018 Yejin Choi University of

CSE 447/547: Natural Language Processing Deep Learning Winter 2018 Yejin Choi University of

CSE 447/547: Natural Language Processing Deep Learning Winter 2018 Yejin Choi University of Washington Next several slides are from Carlos Guestrin, Luke Zettlemoyer Human Neurons Switching time ~ 0.001 second Number of neurons

1.42k views β€’ 139 slides
The Early Church (33-476 A.D.) The Roman Church: Christianity on the Rise Did anything about

The Early Church (33-476 A.D.) The Roman Church: Christianity on the Rise Did anything about

The Early Church (33-476 A.D.) The Roman Church: Christianity on the Rise Did anything about early Church history surprise you? If so, what and why? Monasticism Movement away from the world to pursue holiness through prayer St. Antony of

604 views β€’ 48 slides
CRASH/SAFE Benjamin C. Pierce March 11, 2011 Present-day

CRASH/SAFE Benjamin C. Pierce March 11, 2011 Present-day

CRASH/SAFE Benjamin C. Pierce March 11, 2011 Present-day compuCng plaForms are distressingly insecure! One culprit: legacy requirements complex instrucCon

655 views β€’ 21 slides
https://www.microsoft.com/en-us/research/people/plonga/ Quick motivation recap Quantum

https://www.microsoft.com/en-us/research/people/plonga/ Quick motivation recap Quantum

https://www.microsoft.com/en-us/research/people/plonga/ Quick motivation recap Quantum computers break public -key cryptography currently in use: cryptosystems based on factoring and (elliptic curve) discrete logarithms NIST launches

693 views β€’ 40 slides
Timepix3 SRS readout SOFTWARE STATUS 02.07.2018 MARKUS GRUBER 1 Basics of implementation

Timepix3 SRS readout SOFTWARE STATUS 02.07.2018 MARKUS GRUBER 1 Basics of implementation

Timepix3 SRS readout SOFTWARE STATUS 02.07.2018 MARKUS GRUBER 1 Basics of implementation Implementation in Python with usage of Basil framework (https://github.com/SiLab-Bonn/basil) GNU General Public License v3.0 Testing in

393 views β€’ 5 slides
Computable functionals over non-flat data types Helmut Schwichtenberg (j.w.w. Basil Karadais,

Computable functionals over non-flat data types Helmut Schwichtenberg (j.w.w. Basil Karadais,

Partial continuous functionals Non-flat data types Computable functionals Definability Computable functionals over non-flat data types Helmut Schwichtenberg (j.w.w. Basil Karadais, Simon Huber) Mathematisches Institut, LMU, M unchen Kyoto

531 views β€’ 29 slides
12/11/2018 PIXEL 2018, Taipei - vogt@physik.uni-bonn.de The RD53 collaboration is a common

12/11/2018 PIXEL 2018, Taipei - vogt@physik.uni-bonn.de The RD53 collaboration is a common

12/11/2018 PIXEL 2018, Taipei - vogt@physik.uni-bonn.de The RD53 collaboration is a common effort, shared between ATLAS and CMS Goal: Development of designs and methods for a hybrid pixel detector readout chip in a 65 nm technology

414 views β€’ 28 slides
CMOS Monolithic Pixel Sensors based on the Column-Drain Architecture for the HL-LHC Upgrade K.

CMOS Monolithic Pixel Sensors based on the Column-Drain Architecture for the HL-LHC Upgrade K.

CMOS Monolithic Pixel Sensors based on the Column-Drain Architecture for the HL-LHC Upgrade K. Moustakas 1 , M.Barbero 3 , I. Berdalovic 2 , C. Bespin 1 , P. Breugnon 3 , I. Caicedo 1 , R. Cardella 2 , Y. Degerli 4 , N. Egidos Plaja 2 , S. Godiot

304 views β€’ 27 slides

More recommend