20 years of isogeny based cryptography
play

20 years of isogeny-based cryptography Luca De Feo feat. Jean - PowerPoint PPT Presentation

Jan 20, 2023 •218 likes •1.07k views

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

  1. 20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Université Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/

  2. Overview Isogenies 1 Isogeny graphs in cryptography 2 Recent work 3 Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 2 / 49

  3. Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... R Q P P ✰ Q Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 3 / 49

  4. Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve...forget it! R Q P P ✰ Q Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 3 / 49

  5. ✰ ✰ Elliptic curves Let ✦ 1 ❀ ✦ 2 ✷ ❈ be linearly independent complex numbers. Set ✄ ❂ ✦ 1 ❩ ✟ ✦ 2 ❩ ✦ 2 ❈ ❂ ✄ is an ❈ ❂ ✄ elliptic curve. ✦ 1 Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  6. ✰ ✦ ❈ ❂ ✄ ✰ ✦ Elliptic curves Addition law induced by addition on ❈ . b a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  7. ✦ ❈ ❂ ✄ ✰ ✦ Elliptic curves Addition law induced by a ✰ b addition on ❈ . b a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  8. ✦ ❈ ❂ ✄ ✰ ✦ Elliptic curves Addition law induced by a ✰ b addition on ❈ . b a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  9. ✰ ✦ ❈ ❂ ✄ ✦ Elliptic curves Addition law induced by addition on ❈ . b a a ✰ b Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  10. ❬ ❪ ❬ ❪ Multiplication a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 5 / 49

  11. ❬ ❪ Multiplication ❬ 3 ❪ a a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 5 / 49

  12. ❬ ❪ Multiplication ❬ 3 ❪ a a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 5 / 49

  13. Torsion subgroups The ❵ -torsion subgroup is made up by the points ✒ i ✦ 1 ✓ ❵ ❀ j ✦ 2 ❵ It is a group of rank two E ❬ ❵ ❪ ❂ ❤ a ❀ b ✐ b ✬ ✭ ❩ ❂❵ ❩ ✮ 2 a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 6 / 49

  14. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  15. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  16. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  17. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 p and is homothetic to the b multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  18. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 p and is homothetic to the b multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  19. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 and is homothetic to the b multiplication by ❵ p map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  20. Isogenies over arbitrary fields Isogenies are just the right notion of morphism for elliptic curves Surjective group morphisms. Algebraic maps (i.e., defined by polynomials). (Separable) isogenies ✱ finite subgroups: ✦ E ✵ ✦ 0 ✣ 0 ✦ H ✦ E The kernel H determines the image curve E ✵ up to isomorphism def ❂ E ✵ ✿ E ❂ H Isogeny degree Neither of these definitions is quite correct, but they nearly are: The degree of ✣ is the cardinality of ❦❡r ✣ . (Bisson) the degree of ✣ is the time needed to compute it. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 8 / 49

  21. Easy and hard problems In practice: an isogeny ✣ is just a rational fraction (or maybe two) x n ✰ ✁ ✁ ✁ ✰ n 1 x ✰ n 0 N ✭ x ✮ with n ❂ ❞❡❣ ✣❀ D ✭ x ✮ ❂ ✷ k ✭ x ✮ ❀ x n � 1 ✰ ✁ ✁ ✁ ✰ d 1 x ✰ d 0 and D ✭ x ✮ vanishes on ❦❡r ✣ . ⑦ Vélu’s formulas ❖ ✭ n ✮ Input: A generator of the kernel H of the isogeny. Output: The curve E ❂ H and the rational fraction N ❂ D . The explicit isogeny problem Input: The curves E and E ❂ H , the degree n . Output: The rational fraction N ❂ D . Algorithms a ⑦ Elkies’ algorithm (and variants); ❖ ✭ n ✮ ⑦ Couveignes’ algorithm (and variants). ❖ ✭ n 2 ✮ a Elkies 1998; Couveignes 1996. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 9 / 49

  22. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 10 / 49

  23. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Exponential separation... Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 10 / 49

  24. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Exponential separation...Crypto happens! Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 10 / 49

  25. Isogeny graphs ✣ We look at the graph of elliptic curves with E ✵ E isogenies up to isomorphism. We say two isogenies ✣❀ ✣ ✵ are isomorphic if: ❡ ✣ ✵ E ✵ Example: Finite field, ordinary case, graph of isogenies of degree 3 . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 11 / 49

  26. Structure of the graph 1 Theorem (Serre-Tate) Two curves are isogenous over a finite field k if and only if they have the same number of points on k . The graph of isogenies of prime degree ❵ ✻ ❂ p Ordinary case (isogeny volcanoes) Nodes can have degree 0 ❀ 1 ❀ 2 or ❵ ✰ 1 . ■ For ✘ 50 ✪ of the primes ❵ , graphs are just isolated points; ■ For other ✘ 50 ✪ , graphs are 2 -regular; ■ other cases only happen for finitely many ❵ ’s. Supersingular case The graph is ❵ ✰ 1 -regular. There is a unique (finite) connected component made of all supersingular curves with the same number of points. 1 Deuring 1941; Kohel 1996; Fouquet and Morain 2002. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 12 / 49

Recommend

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

1.87k views • 144 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles & Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

1.01k views • 73 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea Basso 1 , P eter Kutas 1 , Simon-Philipp Merz 2 , Christophe Petit 1 , Charlotte Weitk amper 1 University of Birmingham, UK Royal Holloway,

576 views • 19 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov

Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov

Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov 15, 2018, cole des Mines de Saint-tienne, Gardanne Elliptic curves Let E y 2 x 3 ax b be an elliptic curve... R Q P P Q

715 views • 57 slides
Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER EPRINT.IACR.ORG/2014/794 BY DUCAS, LYUBASHEVSKY, AND PREST 2016-09-21, Royal Holloway, Egham OFFICIAL Public Key Cryptography (PKC) Also called

403 views • 26 slides
Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles St-Quentin-en-Yvelines France 1 Introduction: EC in cryptography Starting point: 1985 (V. Miller) Discrete logarithm based

487 views • 45 slides
Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Reminder on elliptic curves Endomorphism ring Volcano of -isogeny and Frobenius endomorphism -adic tower Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril Hugounenq, Jerome Plut, Eric Schost

472 views • 28 slides
Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019 Modern curve-based cryptography Modern curve-based cryptography 1 / 11 Modern curve-based cryptography Internet of Things Size & speed

1.39k views • 97 slides

More recommend