Twitter: @PatrickLonga Outline Motivation: the quantum menace - - PowerPoint PPT Presentation

https://microsoft.com/en-us/research/people/plonga http://patricklonga.com Twitter: @PatrickLonga

Outline

• Motivation: the quantum menace
• Post-quantum key exchange from supersingular isogenies:
• Preliminaries
• SIDH
• SIKE
• Computational aspects:
• Point and curve arithmetic
• Field arithmetic
• Security and parameters
• Implementation results

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 1

Quantum computing

Modeling of nature

Computational optimization

Database search

Machine learning

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 2

Quantum computing

Database search

Computational optimization Machine learning

Breaking of cryptographic schemes

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 2

Cryptography in in use today

Public-key cryptography Symmetric-key cryptography RSA encryption and signatures (EC)DSA signatures (EC)DH key- exchange AES SHA-2/SHA-3 factoring (elliptic curve) discrete logs

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 3

Cryptography in in use today

Public-key cryptography Symmetric-key cryptography RSA encryption and signatures (EC)DSA signatures (EC)DH key- exchange AES SHA-2/SHA-3 factoring (elliptic curve) discrete logs Efficiently solved by a large-scale quantum computer (total break using Shor’s algorithm)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 3

Cryptography in in use today

Public-key cryptography Symmetric-key cryptography RSA encryption and signatures (EC)DSA signatures (EC)DH key- exchange AES SHA-2/SHA-3 factoring (elliptic curve) discrete logs Efficiently solved by a large-scale quantum computer (total break using Shor’s algorithm) Only square-root speedup on a large- scale quantum computer (using Grover’s algorithm)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 3

When will a large-scale, fault-tolerant quantum computer be built?

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 4

When will a large-scale, fault-tolerant quantum computer be built?

I estimate a “1/6 chance of breaking RSA-2048 within 10 years”.

Michael Mosca, September 2017 ETSI/IQC Workshop on Quantum-Safe Cryptography 2017

“Recent improvements in control of quantum systems make it seem feasible to finally build a quantum computer within a decade. ”

Bela Bauer et al., October 2015 – August 2016 arXiv:1510.03859v2

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 5

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 6

What do we need to protect now?

Assuming a large-scale, fault tolerant quantum computer will be developed in, say, 10–15 years:

• Attacker records encrypted data today…

… uses quantum computer to access secret data in 10–15 years from now.

• Integrity of authentication only matters at the time of connection
• Keep using classical digital signature schemes for now

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 7

What do we need to protect now?

Assuming a large-scale, fault tolerant quantum computer will be developed in, say, 10–15 years:

• Attacker records encrypted data today…

… uses quantum computer to access secret data in 10–15 years from now.

• Integrity of authentication only matters at the time of connection
• Keep using classical digital signature schemes for now

Need quantum-resistant key agreement and encryption for long-term security

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 7

NIS IST PQC standardization

• NIST launches the post-quantum cryptography standardization project:

https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/ call-for-proposals-final-dec-2016.pdf

“The goal of this process is to select a number of acceptable candidate cryptosystems for standardization.” (This includes: key encapsulation, encryption and digital signatures).

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 8

Post-quantum families

Code-based Lattice-based Hash-based Multivariate Isogeny-based

Classic McEliece, QC-MDPC codes (BIKE) NTRU, LWE (FrodoKEM), M-LWE (Kyber), R-LWE (NewHope) Merkle hash-tree signatures (SPHINCS+) MQDSS, Rainbow SIDH (SIKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 9

Post-quantum families: : in this talk…

Code-based Lattice-based Hash-based Multivariate Isogeny-based

Classic McEliece, QCMDPC codes (BIKE) NTRU, LWE (FrodoKEM), M-LWE (Kyber), R-LWE (NewHope) Merkle hash-tree signatures (SPHINCS+) MQDSS, Rainbow SIDH (SIKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 9

Supersingular is isogeny key exchange

Supersingular isogeny Diffie-Hellman key exchange (SIDH)

• Proposed by Jao and De Feo in 2011.
• Compared to “predecessors” based on ordinary isogenies, SIDH has:
• Much better performance
• Exponential complexity of best classical and quantum attacks.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 10

Supersingular is isogeny key exchange

Supersingular isogeny Diffie-Hellman key exchange (SIDH)

• Proposed by Jao and De Feo in 2011.
• Compared to “predecessors” based on ordinary isogenies, SIDH has:
• Much better performance
• Exponential complexity of best classical and quantum attacks.

Supersingular isogeny key encapsulation (SIKE)

• Designed by Costello–De Feo–Jao–L–Naehrig–Renes in 2017.
• IND-CCA secure key encapsulation protocol based on SIDH.
• Submitted to the NIST PQC standardization process.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 10

Ell lliptic curves and is isogenies

• Every elliptic curve over a field 𝐿 with char(𝐿) > 3 can be defined in (short)

Weierstrass form by 𝐹: 𝑧2= 𝑦3 + 𝑏𝑦 + 𝑐, where 𝑏, 𝑐 ∈ 𝐿 and ∆ = −16(4𝑏3 + 27𝑐2) ≠ 0.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 11

Ell lliptic curves and is isogenies

• Every elliptic curve over a field 𝐿 with char(𝐿) > 3 can be defined in (short)

Weierstrass form by 𝐹: 𝑧2= 𝑦3 + 𝑏𝑦 + 𝑐, where 𝑏, 𝑐 ∈ 𝐿 and ∆ = −16(4𝑏3 + 27𝑐2) ≠ 0.

• For an extension field 𝑀 of 𝐿, the set of 𝑀-rational points on 𝐹

𝐹 𝑀 = 𝑦, 𝑧 ∈ 𝑀 × 𝑀: 𝑧2−𝑦3 − 𝑏𝑦 − 𝑐 = 0 ∪ {𝒫}, together with the group addition law, forms an abelian group with identity 𝒫.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 11

Ell lliptic curves and is isogenies

• Every elliptic curve over a field 𝐿 with char(𝐿) > 3 can be defined in (short)

Weierstrass form by 𝐹: 𝑧2= 𝑦3 + 𝑏𝑦 + 𝑐, where 𝑏, 𝑐 ∈ 𝐿 and ∆ = −16(4𝑏3 + 27𝑐2) ≠ 0.

• For an extension field 𝑀 of 𝐿, the set of 𝑀-rational points on 𝐹

𝐹 𝑀 = 𝑦, 𝑧 ∈ 𝑀 × 𝑀: 𝑧2−𝑦3 − 𝑏𝑦 − 𝑐 = 0 ∪ {𝒫}, together with the group addition law, forms an abelian group with identity 𝒫.

• Isomorphism classes are determined by the 𝒌-invariant: 𝑘 𝐹 = 1728 ∙

4𝑏3 4𝑏3+27𝑐2

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 11

Ell lliptic curves and is isogenies

• Let 𝐹1 and 𝐹2 be elliptic curves defined over an extension field 𝑀.
• An isogeny is a (non-constant) rational map

𝜚: 𝐹1 → 𝐹2 that preserves identity, i.e., 𝜚(𝒫𝐹1) → 𝒫𝐹2.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 12

Ell lliptic curves and is isogenies

• Let 𝐹1 and 𝐹2 be elliptic curves defined over an extension field 𝑀.
• An isogeny is a (non-constant) rational map

𝜚: 𝐹1 → 𝐹2 that preserves identity, i.e., 𝜚(𝒫𝐹1) → 𝒫𝐹2. Relevant properties:

• Isogenies are group homomorphisms.
• For every finite subgroup 𝐻 ⊆ 𝐹1, there is a unique curve 𝐹2 (up to isomorphism)

and isogeny 𝜚: 𝐹1 → 𝐹2 with kernel 𝐻 . Write 𝐹2 = 𝜚 𝐹1 = 𝐹1/ 𝐻 .

• (Separable) isogenies have deg 𝜚 = # ker 𝜚 .

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 12

Supersingular curves

• An elliptic curve 𝐹/𝑀 is supersingular if #𝐹(𝑀) ≡ 1(mod 𝑞).
• All supersingular curves can be defined over 𝔾𝑞2.
• There are ~ 𝒒/𝟐𝟑 isomorphism classes of supersingular curves.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 13

Supersingular is isogeny graphs

• Vertices: the ~ 𝑞/12 isomorphism classes of supersingular curves over 𝔾𝑞2.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

Supersingular is isogeny graphs

• Vertices: the ~ 𝑞/12 isomorphism classes of supersingular curves over 𝔾𝑞2.

Same j-invariant

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

Supersingular is isogeny graphs

• Vertices: the ~ 𝑞/12 isomorphism classes of supersingular curves over 𝔾𝑞2.
• Edges: isogenies of a fixed prime degree 𝓂 ∤ 𝑞

𝓂 = 2

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

Supersingular is isogeny graphs

• Vertices: the ~ 𝑞/12 isomorphism classes of supersingular curves over 𝔾𝑞2.
• Edges: isogenies of a fixed prime degree 𝓂 ∤ 𝑞

𝓂 = 2

𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

Supersingular is isogeny graphs

• Vertices: the ~ 𝑞/12 isomorphism classes of supersingular curves over 𝔾𝑞2.
• Edges: isogenies of a fixed prime degree 𝓂 ∤ 𝑞

For any prime 𝓂 ∤ 𝑞, there exist (𝓂 + 1) isogenies of degree 𝓂

• riginating from every supersingular curve.

𝓂 = 2

𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

Supersingular is isogeny graphs

• Vertices: the ~ 𝑞/12 isomorphism classes of supersingular curves over 𝔾𝑞2.
• Edges: isogenies of a fixed prime degree 𝓂 ∤ 𝑞

For any prime 𝓂 ∤ 𝑞, there exist (𝓂 + 1) isogenies of degree 𝓂

• riginating from every supersingular curve.

𝓂 = 2 𝓂 = 3

𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚3 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2 𝜚2

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

SID IDH in in a nutshell

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

SID IDH in in a nutshell

𝐹0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

SID IDH in in a nutshell

𝐹0 𝐹𝐵 𝐹𝐶

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

𝐹𝐶𝐵 𝐹𝐵𝐶

SID IDH in in a nutshell

𝐹0 𝐹𝐵 𝐹𝐶

Same j-invariant

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

SID IDH: : setup

Set 𝓂 ∈ 2,3 , supersingular curve 𝐹0/𝔾𝑞2 with a prime 𝑞 = 𝑔 ∙ 2𝑓𝐵3𝑓𝐶 − 1 such that 2𝑓𝐵 ≈ 3𝑓𝐶 and 𝑔 small.

• Then: 𝐹 2𝑓𝐵 , 𝐹[3𝑓𝐶] ⊂ 𝐹0(𝔾𝑞2)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 16

SID IDH: : setup

Set 𝓂 ∈ 2,3 , supersingular curve 𝐹0/𝔾𝑞2 with a prime 𝑞 = 𝑔 ∙ 2𝑓𝐵3𝑓𝐶 − 1 such that 2𝑓𝐵 ≈ 3𝑓𝐶 and 𝑔 small.

• Then: 𝐹 2𝑓𝐵 , 𝐹[3𝑓𝐶] ⊂ 𝐹0(𝔾𝑞2)

works over 𝐹[2𝑓𝐵] using 2-isogenies and linearly independent points 𝑄

𝐵, 𝑅𝐵.

works over 𝐹[3𝑓𝐶] using 3-isogenies and linearly independent points 𝑄𝐶, 𝑅𝐶.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 16

SID IDH protocol

𝐹0

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0 𝐹𝐵= 𝐹0/ 𝐵

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0 𝐹𝐵 𝐹𝐶= 𝐹0/ 𝐶

= 𝐹0/ 𝐵

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0 𝐹𝐵 𝐹𝐶= 𝐹0/ 𝐶

= 𝐹0/ 𝐵

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0 𝐹𝐵 𝐹𝐶

𝑆𝐵, 𝑇𝐵 = {𝜚𝐵 𝑄𝐶 , 𝜚𝐵(𝑅𝐶)} 𝑆𝐶, 𝑇𝐶 = {𝜚𝐶 𝑄

𝐵 , 𝜚𝐶(𝑅𝐵)}

= 𝐹0/ 𝐶 = 𝐹0/ 𝐵

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0 𝐹𝐵 𝐹𝐶

𝜚𝐵

′

𝐹𝐶𝐵

𝑆𝐵, 𝑇𝐵 = {𝜚𝐵 𝑄𝐶 , 𝜚𝐵(𝑅𝐶)} 𝑆𝐶, 𝑇𝐶 = {𝜚𝐶 𝑄

𝐵 , 𝜚𝐶(𝑅𝐵)}

= 𝐹0/ 𝐶 = 𝐹0/ 𝐵

𝑙𝑓𝑠(𝜚𝐵

′ ) = 𝐵′ = 𝑆𝐶 + [𝑡𝐵]𝑇𝐶

= 𝐹𝐶/ 𝐵′

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

𝐵′ = 𝜚𝐶 𝑄

𝐵 + [𝑡𝐵]𝜚𝐶 𝑅𝐵

= 𝜚𝐶 𝑄

𝐵 + [𝑡𝐵]𝑅𝐵

= 𝜚𝐶 𝐵

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0 𝐹𝐵 𝐹𝐶

𝜚𝐶

′

𝜚𝐵

′

𝑙𝑓𝑠 𝜚𝐶

′

= 𝐶′ = 𝑆𝐵 + [𝑡𝐶]𝑇𝐵

𝐹𝐵𝐶 𝐹𝐶𝐵

= 𝐹𝐵/ 𝐶′ 𝑆𝐵, 𝑇𝐵 = {𝜚𝐵 𝑄𝐶 , 𝜚𝐵(𝑅𝐶)} 𝑆𝐶, 𝑇𝐶 = {𝜚𝐶 𝑄

𝐵 , 𝜚𝐶(𝑅𝐵)}

= 𝐹0/ 𝐶 = 𝐹0/ 𝐵

𝑙𝑓𝑠(𝜚𝐵

′ ) = 𝐵′ = 𝑆𝐶 + [𝑡𝐵]𝑇𝐶

= 𝐹𝐶/ 𝐵′

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

𝐶′ = 𝜚𝐵 𝑄𝐶 + [𝑡𝐶]𝜚𝐵 𝑅𝐶 = 𝜚𝐵 𝑄

𝐶 + [𝑡𝐶]𝑅𝐶

= 𝜚𝐵 𝐶 𝐵′ = 𝜚𝐶 𝑄

𝐵 + [𝑡𝐵]𝜚𝐶 𝑅𝐵

= 𝜚𝐶 𝑄

𝐵 + [𝑡𝐵]𝑅𝐵

= 𝜚𝐶 𝐵

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0 𝐹𝐵 𝐹𝐶

𝜚𝐶

′

𝜚𝐵

′

𝑙𝑓𝑠 𝜚𝐶

′

= 𝐶′ = 𝑆𝐵 + [𝑡𝐶]𝑇𝐵

𝐹𝐵𝐶 𝐹𝐶𝐵

= 𝐹𝐵/ 𝐶′ 𝑆𝐵, 𝑇𝐵 = {𝜚𝐵 𝑄𝐶 , 𝜚𝐵(𝑅𝐶)} 𝑆𝐶, 𝑇𝐶 = {𝜚𝐶 𝑄

𝐵 , 𝜚𝐶(𝑅𝐵)}

= 𝐹0/ 𝐶 = 𝐹0/ 𝐵

𝑙𝑓𝑠(𝜚𝐵

′ ) = 𝐵′ = 𝑆𝐶 + [𝑡𝐵]𝑇𝐶

= 𝐹𝐶/ 𝐵′

𝐹𝐵𝐶 = 𝜚𝐶

′ (𝜚𝐵(𝐹0)) ≅ 𝐹0/ 𝑄 𝐵 + [𝑡𝐵]𝑅𝐵, 𝑄𝐶 + [𝑡𝐶]𝑅𝐶 ≅ 𝐹𝐶𝐵 = 𝜚𝐵 ′ (𝜚𝐶 𝐹0 )

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

𝐶′ = 𝜚𝐵 𝑄𝐶 + [𝑡𝐶]𝜚𝐵 𝑅𝐶 = 𝜚𝐵 𝑄

𝐶 + [𝑡𝐶]𝑅𝐶

= 𝜚𝐵 𝐶 𝐵′ = 𝜚𝐶 𝑄

𝐵 + [𝑡𝐵]𝜚𝐶 𝑅𝐵

= 𝜚𝐶 𝑄

𝐵 + [𝑡𝐵]𝑅𝐵

= 𝜚𝐶 𝐵

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

𝐹0 𝐹𝐵 𝐹𝐶

𝑆𝐵, 𝑇𝐵 = {𝜚𝐵 𝑄𝐶 , 𝜚𝐵(𝑅𝐶)} 𝑆𝐶, 𝑇𝐶 = {𝜚𝐶 𝑄

𝐵 , 𝜚𝐶(𝑅𝐵)}

= 𝐹0/ 𝐶 = 𝐹0/ 𝐵

private Alice public

E ’s are isogenous curves P ’s, Q ’s, R ’s, S ’s are points

private Bob params

𝐹0/ 𝐵, 𝐶

𝐹𝐵𝐶 = 𝜚𝐶

′ (𝜚𝐵(𝐹0)) ≅ 𝐹0/ 𝑄 𝐵 + [𝑡𝐵]𝑅𝐵, 𝑄𝐶 + [𝑡𝐶]𝑅𝐶 ≅ 𝐹𝐶𝐵 = 𝜚𝐵 ′ (𝜚𝐶 𝐹0 )

𝐶′ = 𝜚𝐵 𝑄𝐶 + [𝑡𝐶]𝜚𝐵 𝑅𝐶 = 𝜚𝐵 𝑄

𝐶 + [𝑡𝐶]𝑅𝐶

= 𝜚𝐵 𝐶 𝐵′ = 𝜚𝐶 𝑄

𝐵 + [𝑡𝐵]𝜚𝐶 𝑅𝐵

= 𝜚𝐶 𝑄

𝐵 + [𝑡𝐵]𝑅𝐵

= 𝜚𝐶 𝐵

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

Drawback:

• SIDH is not secure when keys are reused (Galbraith-Petit-Shani-Ti 2016)
• Only recommended in ephemeral mode

SID IDH protocol

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 18

• IND-CCA secure key encapsulation: no problem reusing keys!
• Uses a variant of Hofheinz–Hövelmanns–Kiltz (HHK) transform:

IND-CPA PKE → IND-CCA KEM

• HHK transform is secure in both the classical and quantum ROM models
• Offline key generation gives performance boost (no perf loss SIDH → SIKE)

Supersingular is isogeny key encapsulation (S (SIK IKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 19

KeyGen

• 1. 𝑡𝐶 ∈𝑆 [0, 2 log23𝑓𝐶 )
• 2. Set 𝑙𝑓𝑠 𝜚𝐶 = 𝑄𝐶 + [𝑡𝐶]𝑅𝐶
• 3. pk𝐶 = {𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵 }

• 4. 𝑡 ∈𝑆 {0,1}𝑜
• 5. keypair: sk𝐶 = (𝑡, 𝑡𝐶), pk𝐶

Supersingular is isogeny key encapsulation (S (SIK IKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

KeyGen

• 1. 𝑡𝐶 ∈𝑆 [0, 2 log23𝑓𝐶 )
• 2. Set 𝑙𝑓𝑠 𝜚𝐶 = 𝑄𝐶 + [𝑡𝐶]𝑅𝐶
• 3. pk𝐶 = {𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵 }

• 4. 𝑡 ∈𝑆 {0,1}𝑜
• 5. keypair: sk𝐶 = (𝑡, 𝑡𝐶), pk𝐶

pk𝐶

Encaps

• 1. message 𝑛 ∈𝑆 0,1 𝑜
• 2. 𝑠 = 𝐻 𝑛, pk𝐶 mod 2𝑓𝐵
• 3. Set 𝑙𝑓𝑠 𝜚𝐵 = 𝑄

𝐵 + [𝑠]𝑅𝐵

• 4. pk𝐵 = {𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 }
• 5. 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘(𝜚𝐵

′ (𝜚𝐶(𝐹0)))

• 6. Shared key: 𝑡𝑡 = 𝐼(𝑛, 𝑑)

Supersingular is isogeny key encapsulation (S (SIK IKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

KeyGen

• 1. 𝑡𝐶 ∈𝑆 [0, 2 log23𝑓𝐶 )
• 2. Set 𝑙𝑓𝑠 𝜚𝐶 = 𝑄𝐶 + [𝑡𝐶]𝑅𝐶
• 3. pk𝐶 = {𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵 }

• 4. 𝑡 ∈𝑆 {0,1}𝑜
• 5. keypair: sk𝐶 = (𝑡, 𝑡𝐶), pk𝐶

pk𝐶

Encaps

• 1. message 𝑛 ∈𝑆 0,1 𝑜
• 2. 𝑠 = 𝐻 𝑛, pk𝐶 mod 2𝑓𝐵
• 3. Set 𝑙𝑓𝑠 𝜚𝐵 = 𝑄

𝐵 + [𝑠]𝑅𝐵

• 4. pk𝐵 = {𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 }
• 5. 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘(𝜚𝐵

′ (𝜚𝐶(𝐹0)))

• 6. Shared key: 𝑡𝑡 = 𝐼(𝑛, 𝑑)

encryption

Supersingular is isogeny key encapsulation (S (SIK IKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

KeyGen

• 1. 𝑡𝐶 ∈𝑆 [0, 2 log23𝑓𝐶 )
• 2. Set 𝑙𝑓𝑠 𝜚𝐶 = 𝑄𝐶 + [𝑡𝐶]𝑅𝐶
• 3. pk𝐶 = {𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵 }

• 4. 𝑡 ∈𝑆 {0,1}𝑜
• 5. keypair: sk𝐶 = (𝑡, 𝑡𝐶), pk𝐶

pk𝐶

Encaps

• 1. message 𝑛 ∈𝑆 0,1 𝑜
• 2. 𝑠 = 𝐻 𝑛, pk𝐶 mod 2𝑓𝐵
• 3. Set 𝑙𝑓𝑠 𝜚𝐵 = 𝑄

𝐵 + [𝑠]𝑅𝐵

• 4. pk𝐵 = {𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 }
• 5. 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘(𝜚𝐵

′ (𝜚𝐶(𝐹0)))

• 6. Shared key: 𝑡𝑡 = 𝐼(𝑛, 𝑑)

encryption 𝑑 = (pk𝐵, 𝐺(𝑘) ⊕ 𝑛)

Decaps

• 1. 𝑘′ = 𝑘 𝐹𝐶𝐵 = 𝑘(𝜚𝐶

′ (𝜚𝐵(𝐹0)))

• 2. 𝑛′ = 𝐺(𝑘′) ⊕ 𝑑[2]
• 3. 𝑠′ = 𝐻 𝑛′, pk𝐶 mod 2𝑓𝐵
• 4. Set 𝑙𝑓𝑠 𝜚𝐵 = 𝑄

𝐵 + [𝑠′]𝑅𝐵

• 5. pk𝐵

′ = {𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 }

• 6. If pk𝐵

′ = 𝑑[1] then

Shared key: 𝑡𝑡 = 𝐼(𝑛′, 𝑑)

• 7. Else 𝑡𝑡 = 𝐼(𝑡, 𝑑)

Supersingular is isogeny key encapsulation (S (SIK IKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

KeyGen

• 1. 𝑡𝐶 ∈𝑆 [0, 2 log23𝑓𝐶 )
• 2. Set 𝑙𝑓𝑠 𝜚𝐶 = 𝑄𝐶 + [𝑡𝐶]𝑅𝐶
• 3. pk𝐶 = {𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵 }

• 4. 𝑡 ∈𝑆 {0,1}𝑜
• 5. keypair: sk𝐶 = (𝑡, 𝑡𝐶), pk𝐶

pk𝐶

Encaps

• 1. message 𝑛 ∈𝑆 0,1 𝑜
• 2. 𝑠 = 𝐻 𝑛, pk𝐶 mod 2𝑓𝐵
• 3. Set 𝑙𝑓𝑠 𝜚𝐵 = 𝑄

𝐵 + [𝑠]𝑅𝐵

• 4. pk𝐵 = {𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 }
• 5. 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘(𝜚𝐵

′ (𝜚𝐶(𝐹0)))

• 6. Shared key: 𝑡𝑡 = 𝐼(𝑛, 𝑑)

encryption 𝑑 = (pk𝐵, 𝐺(𝑘) ⊕ 𝑛)

Decaps

• 1. 𝑘′ = 𝑘 𝐹𝐶𝐵 = 𝑘(𝜚𝐶

′ (𝜚𝐵(𝐹0)))

• 2. 𝑛′ = 𝐺(𝑘′) ⊕ 𝑑[2]
• 3. 𝑠′ = 𝐻 𝑛′, pk𝐶 mod 2𝑓𝐵
• 4. Set 𝑙𝑓𝑠 𝜚𝐵 = 𝑄

𝐵 + [𝑠′]𝑅𝐵

• 5. pk𝐵

′ = {𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 }

• 6. If pk𝐵

′ = 𝑑[1] then

Shared key: 𝑡𝑡 = 𝐼(𝑛′, 𝑑)

• 7. Else 𝑡𝑡 = 𝐼(𝑡, 𝑑)

decryption

Supersingular is isogeny key encapsulation (S (SIK IKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

KeyGen

• 1. 𝑡𝐶 ∈𝑆 [0, 2 log23𝑓𝐶 )
• 2. Set 𝑙𝑓𝑠 𝜚𝐶 = 𝑄𝐶 + [𝑡𝐶]𝑅𝐶
• 3. pk𝐶 = {𝜚𝐶 𝐹0 , 𝜚𝐶 𝑄

𝐵 , 𝜚𝐶 𝑅𝐵 }

• 4. 𝑡 ∈𝑆 {0,1}𝑜
• 5. keypair: sk𝐶 = (𝑡, 𝑡𝐶), pk𝐶

pk𝐶

Encaps

• 1. message 𝑛 ∈𝑆 0,1 𝑜
• 2. 𝑠 = 𝐻 𝑛, pk𝐶 mod 2𝑓𝐵
• 3. Set 𝑙𝑓𝑠 𝜚𝐵 = 𝑄

𝐵 + [𝑠]𝑅𝐵

• 4. pk𝐵 = {𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 }
• 5. 𝑘 = 𝑘 𝐹𝐵𝐶 = 𝑘(𝜚𝐵

′ (𝜚𝐶(𝐹0)))

• 6. Shared key: 𝑡𝑡 = 𝐼(𝑛, 𝑑)

encryption 𝑑 = (pk𝐵, 𝐺(𝑘) ⊕ 𝑛)

Decaps

• 1. 𝑘′ = 𝑘 𝐹𝐶𝐵 = 𝑘(𝜚𝐶

′ (𝜚𝐵(𝐹0)))

• 2. 𝑛′ = 𝐺(𝑘′) ⊕ 𝑑[2]
• 3. 𝑠′ = 𝐻 𝑛′, pk𝐶 mod 2𝑓𝐵
• 4. Set 𝑙𝑓𝑠 𝜚𝐵 = 𝑄

𝐵 + [𝑠′]𝑅𝐵

• 5. pk𝐵

′ = {𝜚𝐵 𝐹0 , 𝜚𝐵 𝑄𝐶 , 𝜚𝐵 𝑅𝐶 }

• 6. If pk𝐵

′ = 𝑑[1] then

Shared key: 𝑡𝑡 = 𝐼(𝑛′, 𝑑)

• 7. Else 𝑡𝑡 = 𝐼(𝑡, 𝑑)

partial re-encryption 𝐺, 𝐻, 𝐼 instantiated with cSHAKE256. decryption

Supersingular is isogeny key encapsulation (S (SIK IKE)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

Computation la layers

protocol

SIDH, SIKE

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

Computation la layers

𝑄 + 𝑡 𝑅, 𝓂𝑓-degree isogenies

high-level point and curve arithmetic protocol

SIDH, SIKE

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

Computation la layers

𝑄 + 𝑡 𝑅, 𝓂𝑓-degree isogenies

high-level point and curve arithmetic low-level point and curve arithmetic protocol

2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄)

SIDH, SIKE

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

Computation la layers

𝑄 + 𝑡 𝑅, 𝓂𝑓-degree isogenies

high-level point and curve arithmetic low-level point and curve arithmetic

𝔾𝑞2 add, mul, sqr, inv

extension field arithmetic protocol

2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄)

SIDH, SIKE

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

Computation la layers

𝑄 + 𝑡 𝑅, 𝓂𝑓-degree isogenies 2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄)

𝔾𝑞2 add, mul, sqr, inv 𝔾𝑞 add, mul, inv

field arithmetic extension field arithmetic low-level point and curve arithmetic high-level point and curve arithmetic protocol

SIDH, SIKE

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

Hig igh-level point and curve ari rithmetic

Two main internal computations:

• Double-scalar multiplications to construct kernels 𝑄 + 𝑡 𝑅
• Smooth, 𝓶𝒇-degree isogeny computations 𝜚: 𝐹0 → 𝐹′

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 22

Computing 𝑄 + 𝑡 𝑅

Three-point differential ladder (x-only, variable point)

• De Feo-Jao-Plût (2014), step cost = 1DBL + 2ADD
• Faz-Hernández et al. (2018), step cost = 1DBL + 1ADD

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 23

Computing 𝑄 + 𝑡 𝑅

[F [Faz-Hernández–López–Ochoa-Jiménez–Rodríg íguez-Henríquez 20 2018 18]

𝒕 = (𝟏𝟐𝟐𝟏𝟏)𝟑

𝑺𝟐 = 𝑸 𝑺𝟏 = 𝑹 𝑺𝟑 = 𝑹 − 𝑸

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

𝒕 = (𝟏𝟐𝟐𝟏𝟏)𝟑

𝑺𝟐 = 𝑸 𝑺𝟏 = 𝑹 𝑺𝟑 = 𝑹 − 𝑸

𝒕𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 − 𝑄

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

Computing 𝑄 + 𝑡 𝑅

[F [Faz-Hernández–López–Ochoa-Jiménez–Rodríg íguez-Henríquez 20 2018 18]

𝒕 = (𝟏𝟐𝟐𝟏𝟏)𝟑

𝑺𝟐 = 𝑸 𝑺𝟏 = 𝑹 𝑺𝟑 = 𝑹 − 𝑸

𝒕𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 − 𝑄 𝒕𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 − 𝑄

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

Computing 𝑄 + 𝑡 𝑅

[F [Faz-Hernández–López–Ochoa-Jiménez–Rodríg íguez-Henríquez 20 2018 18]

𝒕 = (𝟏𝟐𝟐𝟏𝟏)𝟑

𝑺𝟐 = 𝑸 𝑺𝟏 = 𝑹 𝑺𝟑 = 𝑹 − 𝑸

𝒕𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 − 𝑄 𝒕𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 − 𝑄 𝒕𝟑 = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 − 𝑄

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

Computing 𝑄 + 𝑡 𝑅

[F [Faz-Hernández–López–Ochoa-Jiménez–Rodríg íguez-Henríquez 20 2018 18]

𝒕 = (𝟏𝟐𝟐𝟏𝟏)𝟑

𝑺𝟐 = 𝑸 𝑺𝟏 = 𝑹 𝑺𝟑 = 𝑹 − 𝑸

𝒕𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 − 𝑄 𝒕𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 − 𝑄 𝒕𝟑 = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 − 𝑄 𝒕𝟒 = 𝟐 𝑄 + 12 𝑅 16 𝑅 [4]𝑅 − 𝑄

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

Computing 𝑄 + 𝑡 𝑅

[F [Faz-Hernández–López–Ochoa-Jiménez–Rodríg íguez-Henríquez 20 2018 18]

𝒕 = (𝟏𝟐𝟐𝟏𝟏)𝟑

𝑺𝟐 = 𝑸 𝑺𝟏 = 𝑹 𝑺𝟑 = 𝑹 − 𝑸

𝒕𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 − 𝑄 𝒕𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 − 𝑄 𝒕𝟑 = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 − 𝑄 𝒕𝟒 = 𝟐 𝑄 + 12 𝑅 16 𝑅 [4]𝑅 − 𝑄 𝒕𝟓 = 𝟏 𝑸 + 𝟐𝟑 𝑹 32 𝑅 [20]𝑅 − 𝑄

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

Computing 𝑄 + 𝑡 𝑅

[F [Faz-Hernández–López–Ochoa-Jiménez–Rodríg íguez-Henríquez 20 2018 18]

• Construct it as a composition of multiple (small, prime-degree) isogenies

Computing 𝓂𝑓-degree is isogenies

𝐹𝐵 𝐹0 𝐹𝐶 𝐹0/ 𝐵, 𝐶

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

• Construct it as a composition of multiple (small, prime-degree) isogenies

Computing 𝓂𝑓-degree is isogenies

𝐹𝐵 𝐹0 𝐹𝐶 𝐹0/ 𝐵, 𝐶

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

• Construct it as a composition of multiple (small, prime-degree) isogenies

Computing 𝓂𝑓-degree is isogenies

𝐹𝐵 𝐹0 𝐹𝐶 𝐹0/ 𝐵, 𝐶

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4 𝐹𝐶

𝜚0 𝜚1 𝜚2 𝜚3 𝜚𝑓−1

𝜚𝐶: 𝐹0 → 𝐹𝐶 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ ⋯ ∙∙ 𝜚𝑓−1

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

Computing 𝓂𝑓-degree is isogenies

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

Computing 𝓂𝑓-degree is isogenies

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

Computing 𝓂𝑓-degree is isogenies

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

Computing 𝓂𝑓-degree is isogenies

𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

Computing 𝓂𝑓-degree is isogenies

𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

• Iteratively compute:

𝐹𝑗+1 = 𝐹𝑗/ [𝓂𝑓−𝑗−1]𝑄𝑗

Computing 𝓂𝑓-degree is isogenies

𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

• Iteratively compute:

𝐹𝑗+1 = 𝐹𝑗/ [𝓂𝑓−𝑗−1]𝑄𝑗

Computing 𝓂𝑓-degree is isogenies

𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

• Iteratively compute:

𝐹𝑗+1 = 𝐹𝑗/ [𝓂𝑓−𝑗−1]𝑄𝑗

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

• Iteratively compute:

𝐹𝑗+1 = 𝐹𝑗/ [𝓂𝑓−𝑗−1]𝑄𝑗

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

• Iteratively compute:

𝐹𝑗+1 = 𝐹𝑗/ [𝓂𝑓−𝑗−1]𝑄𝑗

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

(+) slope: point operations

Computing 𝓂𝑓-degree is isogenies

𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0 (+) slope: point operations (−) slope: isogeny operations

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

• Iteratively compute:

𝐹𝑗+1 = 𝐹𝑗/ [𝓂𝑓−𝑗−1]𝑄𝑗

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚0 𝜚1 𝜚2 𝜚3

𝐹0 𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0

𝜚0 = 𝐹0/ 81𝑄

𝜚0

𝐹1 𝐹2 𝐹3 𝐹4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚0 = 𝐹0/ 81𝑄 𝐹1 = 𝜚0(𝐹0) 𝑄

1 = 𝜚0(𝑄0)

𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚0 = 𝐹0/ 81𝑄 𝐹1 = 𝜚0(𝐹0) 𝑄

1 = 𝜚0(𝑄0)

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚1 = 𝐹1/ 27𝑄

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚1 = 𝐹1/ 27𝑄 𝐹2 = 𝜚1(𝐹1) 𝑄2 = 𝜚1(𝑄

1)

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

𝑄2

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚1 = 𝐹1/ 27𝑄 𝐹2 = 𝜚1(𝐹1) 𝑄2 = 𝜚1(𝑄

1)

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

𝑄2

𝜚1

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚2 = 𝐹2/ 9𝑄2

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

𝑄2

𝜚1

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚2 = 𝐹2/ 9𝑄2 𝐹3 = 𝜚2(𝐹2) 𝑄3 = 𝜚2(𝑄2)

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

𝑄2

𝜚1

𝑄3

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚2 = 𝐹2/ 9𝑄2 𝐹3 = 𝜚2(𝐹2) 𝑄3 = 𝜚2(𝑄2)

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

𝑄2

𝜚1

𝑄3 33 𝑄0

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚3 = 𝐹3/ 3𝑄3

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

𝑄2

𝜚1

𝑄3

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

3 𝑄0 32 𝑄0 33 𝑄0 𝑄0

𝜚1 𝜚2 𝜚3

𝐹0 𝐹1

𝜚3 = 𝐹3/ 3𝑄3 𝐹4 = 𝜚3(𝐹3) 𝑄

4 = 𝜚3(𝑄3)

𝜚0 𝜚0 𝜚0

𝐹2 𝐹3 𝐹4 𝑄

1

𝑄2

𝜚1

𝑄3 𝑄

4

• Example: Bob (𝓂 = 3) computes 𝐹𝐶 = 𝜚𝐶(𝐹0)

Let base point 𝑄0 ∈ 𝐹0. Assume 𝑓 = 4 Compute 34-degree isogeny: 𝜚𝐶: 𝐹0 → 𝐹4 𝜚𝐶 = 𝜚0 ∙ 𝜚1 ∙ 𝜚2 ∙ 𝜚3 𝐹4 = 𝐹0/ 𝑄0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

34 𝑄0 33 𝑄

1 32 𝑄2

3 𝑄3

Computing 𝓂𝑓-degree is isogenies

𝐹0 Optimal strategy: reduction from 𝒫(𝑓2) operations to 𝒫(𝑓 log 𝑓) 𝑄0 𝐹0 𝐹4 𝐹4

naïve

• ptimal

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 27

𝑄0

Ext xtension fi field ari rithmetic

Constructing degree-2 extension field 𝔾𝒒𝟑 of a finite field 𝔾𝒒:

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 28

Ext xtension fi field ari rithmetic

Constructing degree-2 extension field 𝔾𝒒𝟑 of a finite field 𝔾𝒒: Fix 𝔾𝑞2 = 𝔾𝑞(𝛽), with degree-2 irreducible polynomial 𝑔(𝑦) in 𝔾𝑞[𝑦] s.t. 𝑔 𝛽 = 0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 28

Ext xtension fi field ari rithmetic

Constructing degree-2 extension field 𝔾𝒒𝟑 of a finite field 𝔾𝒒: Fix 𝔾𝑞2 = 𝔾𝑞(𝛽), with degree-2 irreducible polynomial 𝑔(𝑦) in 𝔾𝑞[𝑦] s.t. 𝑔 𝛽 = 0 In our case: for a prime 𝑞 ≡ 3 mod 4, take 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 28

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)
• cost: 2 𝔾𝑞 add/sub
• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0
• cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub
• = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1
• cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc
• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1

• cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub
• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Ext xtension fi field ari rithmetic

Assume 𝔾𝑞2 = 𝔾𝑞(𝑗), with 𝑗2 + 1 = 0 Let 𝑏 = 𝑏0, 𝑏1 , 𝑐 = (𝑐0, 𝑐1) ∈ 𝔾𝑞2, then:

• 𝑏 ± 𝑐 = (𝑏0 ± 𝑐0, 𝑏1 ± 𝑐1)

cost: 2 𝔾𝑞 add/sub

• 𝑏 × 𝑐 = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 × 𝑐1 + 𝑏1 × 𝑐0

cost: 4 𝔾𝑞 mul + 2 𝔾𝑞 add/sub = 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1, 𝑏0 + 𝑏1 × 𝑐0 + 𝑐1 − 𝑏0 × 𝑐0 − 𝑏1 × 𝑐1 cost: 3 𝔾𝑞 mul + 5 𝔾𝑞 add/sub or 3 mul + 5 add/sub + 2 rdc

• 𝑏2 =

𝑏0 + 𝑏1 × 𝑏0 − 𝑏1 , 2𝑏0 × 𝑏1 cost: 2 𝔾𝑞 mul + 3 𝔾𝑞 add/sub

• 𝑏−1 = 𝑏0 × 𝑏0

2 + 𝑏1 2 −1, −𝑏1 × 𝑏0 2 + 𝑏1 2 −1

cost: 2 𝔾𝑞 mul + 2 𝔾𝑞 sqr + 1 𝔾𝑞 add + 1 𝔾𝑞 neg + 1 𝔾𝑞 inv

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 29

Fie ield multiplication

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 30

Fie ield multiplication

• Two main approaches to implement integer multiplication + reduction:

separated or integrated

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 30

Fie ield multiplication

• Two main approaches to implement integer multiplication + reduction:

separated or integrated

• Separated (integer multiplication and reduction) approach is preferred in most

software platforms

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 30

In Integer multiplication

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 31

In Integer multiplication

• At SIDH/SIKE sizes, multi-level implementation is typically best
• Karatsuba at highest levels
• Schoolbook or Comba at lowest levels

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 31

In Integer multiplication

• At SIDH/SIKE sizes, multi-level implementation is typically best
• Karatsuba at highest levels
• Schoolbook or Comba at lowest levels

Some representative cases:

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 31

In Integer multiplication

• At SIDH/SIKE sizes, multi-level implementation is typically best
• Karatsuba at highest levels
• Schoolbook or Comba at lowest levels

Some representative cases:

• x64: limited number of registers, availability of carry-preserving instructions

(e.g., mulx)

• Can use one-level Karatsuba (top), two-level schoolbook (bottom)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 31

In Integer multiplication

• At SIDH/SIKE sizes, multi-level implementation is typically best
• Karatsuba at highest levels
• Schoolbook or Comba at lowest levels

Some representative cases:

• x64: limited number of registers, availability of carry-preserving instructions

(e.g., mulx)

• Can use one-level Karatsuba (top), two-level schoolbook (bottom)
• 64-bit ARMv8: plenty of registers, relatively expensive mul
• Can use two-level Karatsuba (top), one-level Comba (bottom)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 31

Modular reduction

• SIDH primes are amenable for a simplified Montgomery reduction

𝑑 = (𝑏 + 𝑏𝑞′mod 𝑆 · 𝑞)/𝑆 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137 − (𝑏𝑞′ mod 2448))/2448 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137)/2448

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 32

Modular reduction

• SIDH primes are amenable for a simplified Montgomery reduction
• Take 𝑞 = 2216 ∙ 3137 − 1

𝑑 = (𝑏 + 𝑏𝑞′mod 𝑆 · 𝑞)/𝑆 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137 − (𝑏𝑞′ mod 2448))/2448 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137)/2448

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 32

Modular reduction

• SIDH primes are amenable for a simplified Montgomery reduction
• Take 𝑞 = 2216 ∙ 3137 − 1
• Let 𝑆 = 2448, 𝑞′ = −𝑞−1mod 𝑆

𝑑 = (𝑏 + 𝑏𝑞′mod 𝑆 · 𝑞)/𝑆 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137 − (𝑏𝑞′ mod 2448))/2448 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137)/2448

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 32

Modular reduction

• SIDH primes are amenable for a simplified Montgomery reduction
• Take 𝑞 = 2216 ∙ 3137 − 1
• Let 𝑆 = 2448, 𝑞′ = −𝑞−1mod 𝑆
• Then, for an input 𝑏 < 𝑞𝑆:

𝑑 = (𝑏 + 𝑏𝑞′mod 𝑆 · 𝑞)/𝑆 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137 − (𝑏𝑞′ mod 2448))/2448 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137)/2448

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 32

Modular reduction

• SIDH primes are amenable for a simplified Montgomery reduction
• Take 𝑞 = 2216 ∙ 3137 − 1
• Let 𝑆 = 2448, 𝑞′ = −𝑞−1mod 𝑆
• Then, for an input 𝑏 < 𝑞𝑆:

𝑑 = (𝑏 + 𝑏𝑞′mod 𝑆 · 𝑞)/𝑆 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137 − (𝑏𝑞′ mod 2448))/2448 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137)/2448

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 32

Modular reduction

• SIDH primes are amenable for a simplified Montgomery reduction
• Take 𝑞 = 2216 ∙ 3137 − 1
• Let 𝑆 = 2448, 𝑞′ = −𝑞−1mod 𝑆
• Then, for an input 𝑏 < 𝑞𝑆:

𝑑 = (𝑏 + 𝑏𝑞′mod 𝑆 · 𝑞)/𝑆 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137 − (𝑏𝑞′ mod 2448))/2448 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137)/2448

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 32

Modular reduction

• SIDH primes are amenable for a simplified Montgomery reduction
• Take 𝑞 = 2216 ∙ 3137 − 1
• Let 𝑆 = 2448, 𝑞′ = −𝑞−1mod 𝑆
• Then, for an input 𝑏 < 𝑞𝑆:

𝑑 = (𝑏 + 𝑏𝑞′mod 𝑆 · 𝑞)/𝑆 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137 − (𝑏𝑞′ mod 2448))/2448 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137)/2448

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 32

Modular reduction

• SIDH primes are amenable for a simplified Montgomery reduction
• Take 𝑞 = 2216 ∙ 3137 − 1
• Let 𝑆 = 2448, 𝑞′ = −𝑞−1mod 𝑆
• Then, for an input 𝑏 < 𝑞𝑆:

Also: 𝑞′mod 2𝑥 ≡ 1 for 𝑥 = 32, 64 𝑑 = (𝑏 + 𝑏𝑞′mod 𝑆 · 𝑞)/𝑆 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137 − (𝑏𝑞′ mod 2448))/2448 𝑑 = (𝑏 + (𝑏𝑞′mod 2448) ∙ 2216 ∙ 3137)/2448

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 32

SID IDH security

Setting: supersingular curves 𝐹1/𝔾𝑞2 and 𝐹2/𝔾𝑞2, a large prime 𝑞, and isogeny 𝜚: 𝐹1 → 𝐹2 with fixed, smooth, public degree. Supersingular isogeny problem: given 𝑄, 𝑅 ∈ 𝐹1 and 𝜚 𝑄 , 𝜚 𝑅 ∈ 𝐹2, compute 𝜚.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 33

SID IDH security

Setting: supersingular curves 𝐹1/𝔾𝑞2 and 𝐹2/𝔾𝑞2, a large prime 𝑞, and isogeny 𝜚: 𝐹1 → 𝐹2 with fixed, smooth, public degree.

• Adj–Cervantes-Vázquez–Chi-Domínguez–Menezes–Rodríguez-Henríquez (2018):

best classical attack is van Oorschot–Wiener (vOW) collision finding algorithm. For SIDH/SIKE: number of order-𝓂𝑓/2 subgroups of 𝐹 𝓂𝑓 = 𝑇 ≈ 𝑞 Τ

1 4

Assume storage 𝑥 ≈ 280

𝒫

𝑇

3 2

𝑥

Supersingular isogeny problem: given 𝑄, 𝑅 ∈ 𝐹1 and 𝜚 𝑄 , 𝜚 𝑅 ∈ 𝐹2, compute 𝜚.

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 33

• Eight parameter sets submitted to NIST:
• SIKEp434, SIKEp503, SIKEp610, SIKEp751, and their corresponding compressed variants

Scheme (SIKEp + log𝟑𝒒 ) 𝑓𝐵, 𝑓𝐶 Security level Standard (bytes) Compressed (bytes) pk ct pk ct SIKEp434 (216,137) AES-128 (level 1) 330 346 196 209 SIKEp503 (250,159) SHA3-256 (level 2) 378 402 224 248 SIKEp610 (305,192) AES-192 (level 3) 462 486 273 297 SIKEp751 (372,239) AES-256 (level 5) 564 596 331 363 Starting curve 𝐹0/𝔾𝑞2: 𝑧2= 𝑦3 + 6𝑦2 + 𝑦, where 𝑞 = 2𝑓𝐵3𝑓𝐶 − 1.

SIK IKE parameters (r (round 2)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 34

• Eight parameter sets submitted to NIST:
• SIKEp434, SIKEp503, SIKEp610, SIKEp751, and their corresponding compressed variants

Scheme (SIKEp + log𝟑𝒒 ) 𝑓𝐵, 𝑓𝐶 Security level Standard (bytes) Compressed (bytes) pk ct pk ct SIKEp434 (216,137) AES-128 (level 1) 330 346 196 209 SIKEp503 (250,159) SHA3-256 (level 2) 378 402 224 248 SIKEp610 (305,192) AES-192 (level 3) 462 486 273 297 SIKEp751 (372,239) AES-256 (level 5) 564 596 331 363 Starting curve 𝐹0/𝔾𝑞2: 𝑧2= 𝑦3 + 6𝑦2 + 𝑦, where 𝑞 = 2𝑓𝐵3𝑓𝐶 − 1.

SIK IKE parameters (r (round 2)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 34

• Eight parameter sets submitted to NIST:
• SIKEp434, SIKEp503, SIKEp610, SIKEp751, and their corresponding compressed variants

Scheme (SIKEp + log𝟑𝒒 ) 𝑓𝐵, 𝑓𝐶 Security level Standard (bytes) Compressed (bytes) pk ct pk ct SIKEp434 (216,137) AES-128 (level 1) 330 346 196 209 SIKEp503 (250,159) SHA3-256 (level 2) 378 402 224 248 SIKEp610 (305,192) AES-192 (level 3) 462 486 273 297 SIKEp751 (372,239) AES-256 (level 5) 564 596 331 363 Starting curve 𝐹0/𝔾𝑞2: 𝑧2= 𝑦3 + 6𝑦2 + 𝑦, where 𝑞 = 2𝑓𝐵3𝑓𝐶 − 1.

SIK IKE parameters (r (round 2)

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 34

• Current release: version 3.2

https://github.com/Microsoft/PQCrypto-SIDH

SID IDH Lib ibrary ry

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 35

• Current release: version 3.2

https://github.com/Microsoft/PQCrypto-SIDH

• Implements SIDH and SIKE with the four standard parameter sets:

SIDH/SIKE{p434, p503, p610, p751}

SID IDH Lib ibrary ry

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 35

• Current release: version 3.2

https://github.com/Microsoft/PQCrypto-SIDH

• Implements SIDH and SIKE with the four standard parameter sets:

SIDH/SIKE{p434, p503, p610, p751}

• Implements a faster variant of the four compressed parameter sets,

by Naehrig and Renes (2019)

SID IDH Lib ibrary ry

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 35

• Current release: version 3.2

https://github.com/Microsoft/PQCrypto-SIDH

• Implements SIDH and SIKE with the four standard parameter sets:

SIDH/SIKE{p434, p503, p610, p751}

• Implements a faster variant of the four compressed parameter sets,

by Naehrig and Renes (2019)

• Included implementations:
• Portable C
• High-performance 64-bit CPUs
• With high-speed x64 assembly for the field arithmetic
• With high-speed ARMv8-A assembly for the field arithmetic

SID IDH Lib ibrary ry

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 35

• Current release: version 3.2

https://github.com/Microsoft/PQCrypto-SIDH

• Implements SIDH and SIKE with the four standard parameter sets:

SIDH/SIKE{p434, p503, p610, p751}

• Implements a faster variant of the four compressed parameter sets,

by Naehrig and Renes (2019)

• Included implementations:
• Portable C
• High-performance 64-bit CPUs
• With high-speed x64 assembly for the field arithmetic
• With high-speed ARMv8-A assembly for the field arithmetic
• No secret branches, no secret memory accesses: protected against cache and

timing attacks

SID IDH Lib ibrary ry

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 35

Performance on x64 (S (SIDH v3.2)

Primitive Standard Compressed Cycles (× 𝟐𝟏𝟕) Time Cycles (× 𝟐𝟏𝟕) Time

SIKEp434 21.8 6.4 ms 32.3 9.5 ms SIKEp503 30.6 9.0 ms 44.7 13.1 ms SIKEp610 57.0 16.8 ms 77.6 22.8 ms SIKEp751 87.6 25.8 ms 128.4 37.8 ms

(*) Obtained on a 3.4GHz Intel Core i7-6700 (Skylake) processor. Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 36

very small large

Performance on x64

Primitive PQ security Problem Speed Comm. Classical RSA 3072 ~0 bits factoring 4.6 ms 0.8 KB ECDH NIST P-256 ~0 bits EC dlog 1.4 ms 0.1 KB Passively secure key-exchange SIDHp434 128 bits isogenies 6.6 ms 0.6 KB IND-CCA secure KEMs Kyber 100 bits M-LWE 0.03 ms 0.7 KB FrodoKEM 108 bits LWE 1.1 ms 9.5 KB SIKEp434 128 bits isogenies 6.4–9.5 ms 0.2–0.3 KB very fast slow

(*) Obtained on 3.4GHz Intel Haswell (Kyber) or Skylake (FrodoKEM and SIKE). Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 37

very small large

Performance on x64

Primitive PQ security Problem Speed Comm. Classical RSA 3072 ~0 bits factoring 4.6 ms 0.8 KB ECDH NIST P-256 ~0 bits EC dlog 1.4 ms 0.1 KB Passively secure key-exchange SIDHp434 128 bits isogenies 6.6 ms 0.6 KB IND-CCA secure KEMs Kyber 100 bits M-LWE 0.03 ms 0.7 KB FrodoKEM 108 bits LWE 1.1 ms 9.5 KB SIKEp434 128 bits isogenies 6.4–9.5 ms 0.2–0.3 KB very fast slow

(*) Obtained on 3.4GHz Intel Haswell (Kyber) or Skylake (FrodoKEM and SIKE). Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 37

Performance on 64-bit ARM (S (SIDH v3.2)

Primitive NIST sec level Cycles (× 𝟐𝟏𝟕) Time @1.992GHz Passively secure key-exchange SIDHp434 1 60.8 30.5 ms SIDHp503 2 88.4 44.4 ms IND-CCA secure KEMs SIKEp434 1 59.4 29.8 ms SIKEp503 2 82.7 41.5 ms

(*) Obtained on a 1.992GHz ARM Cortex-A72 (ARMv8-A) processor. Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 38

Performance on 32-bit ARM

[S [Seo–Liu iu–L–Hu 20 2018 18]

Primitive NIST sec level Cycles (× 𝟐𝟏𝟕) Time @2.0GHz Passively secure key-exchange SIDHp503 2 176.0 88.0 ms IND-CCA secure KEMs SIKEp503 2 172.5 86.3 ms

(*) Obtained on a 2.0GHz ARM Cortex-A15 (ARMv7-A) processor. Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 39

SIK IKE in in the NIS IST post-quantum “competition”

• SIKE website: http://sike.org/
• SIKE specification: http://sike.org/files/SIDH-spec.pdf
• SIDH Library: https://github.com/Microsoft/PQCrypto-SIDH
• Package (protocol specification and implementations) submitted to NIST:

https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/ documents/round-2/submissions/SIKE-Round2.zip

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 40

The fu full SIK IKE team

Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, David Jao, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev

Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 41

https://microsoft.com/en-us/research/people/plonga http://patricklonga.com Twitter: @PatrickLonga