computing isogenies between montgomery curves using the
play

Computing Isogenies between Montgomery Curves Using the Action of (0 - PowerPoint PPT Presentation

Jul 02, 2023 •398 likes •972 views

Computing Isogenies between Montgomery Curves Using the Action of (0 , 0) Joost Renes Radboud University, The Netherlands 9 April 2018 9 April 2018 1 / 11 Supersingular isogeny-based cryptography Proposed by Jao & De Feo [JF11]

  1. Computing Isogenies between Montgomery Curves Using the Action of (0 , 0) Joost Renes Radboud University, The Netherlands 9 April 2018 9 April 2018 1 / 11

  2. Supersingular isogeny-based cryptography ◮ Proposed by Jao & De Feo [JF11] ◮ Submitted to NIST competition [Aza+17] ( on Wednesday ) ◮ SIDH (passive security) ◮ SIKE (active security) ◮ This talk: computing isogenies on curves with extra structure 9 April 2018 2 / 11

  3. A graph-based protocol Alice Bob 9 April 2018 3 / 11

  4. A graph-based protocol Alice Bob 9 April 2018 3 / 11

  5. A graph-based protocol 24 Alice 24 Bob 9 April 2018 3 / 11

  6. A graph-based protocol 24 Alice 24 Bob 9 April 2018 3 / 11

  7. A graph-based protocol 24 Alice 66 41 24 Bob 9 April 2018 3 / 11

  8. A graph-based protocol 24 Alice 66 41 24 Bob 9 April 2018 3 / 11

  9. A graph-based protocol 41 24 Alice 66 41 24 Bob 66 9 April 2018 3 / 11

  10. A graph-based protocol 41 24 Alice 66 41 24 Bob 66 9 April 2018 3 / 11

  11. A graph-based protocol 41 24 Alice 66 48 41 24 Bob 66 48 9 April 2018 3 / 11

  12. Constructing graphs and walks using isogenies 9 April 2018 4 / 11

  13. Constructing graphs and walks using isogenies J 41 J 24 J 0 J 66 J 17 J 48 J 40 Classes of supersingular elliptic curves 9 April 2018 4 / 11

  14. Constructing graphs and walks using isogenies J 41 J 24 J 0 J 66 J 17 J 48 J 40 ℓ -isogeny φ Classes of supersingular elliptic curves 9 April 2018 4 / 11

  15. Constructing graphs and walks using isogenies J 0 J 17 J 48 J 40 ℓ -isogeny φ Classes of supersingular elliptic curves 9 April 2018 4 / 11

  16. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) J 0 J 17 J 48 J 40 ℓ -isogeny φ Classes of supersingular elliptic curves 9 April 2018 4 / 11

  17. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) E 0 E 17 E 48 E 40 ℓ -isogeny φ Supersingular elliptic curves 9 April 2018 4 / 11

  18. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) E 0 E 17 E 48 E 40 ℓ -isogeny φ Supersingular elliptic curves 9 April 2018 4 / 11

  19. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) M 0 M 17 M 48 M 40 ℓ -isogeny φ Supersingular Montgomery curves 9 April 2018 4 / 11

  20. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) (3) Costello–Hisil [CH17] for ℓ ≥ 3 M 0 M 17 M 48 M 40 ℓ -isogeny φ Supersingular Montgomery curves 9 April 2018 4 / 11

  21. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) (3) Costello–Hisil [CH17] for ℓ ≥ 3 (Q1) Where do these formulas come from? (Q2) What about ℓ = 2 ? M 0 M 17 M 48 M 40 ℓ -isogeny φ Supersingular Montgomery curves 9 April 2018 4 / 11

  22. What is an isogeny.. (1) A morphism of curves φ M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − 9 April 2018 5 / 11

  23. What is an isogeny.. (1) A morphism of curves � f ( x ) � g ( x ) , — φ = M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − 9 April 2018 5 / 11

  24. What is an isogeny.. (1) A morphism of curves � f ( x ) � g ( x ) , — φ = M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − 9 April 2018 5 / 11

  25. What is an isogeny.. (1) A morphism of curves � f ( x ) � g ( x ) , — φ = M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − (2) A homomorphism of groups ( x 0 , —) ( x 1 , —) = ( x 2 , —) ⊕ � � f ( x 0 ) g ( x 0 ) , — 9 April 2018 5 / 11

  26. What is an isogeny.. (1) A morphism of curves � f ( x ) � g ( x ) , — φ = M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − (2) A homomorphism of groups ( x 0 , —) ( x 1 , —) = ( x 2 , —) ⊕ � � � � � � f ( x 0 ) f ( x 1 ) f ( x 2 ) = g ( x 0 ) , — g ( x 1 ) , — g ( x 2 ) , — ⊕ 9 April 2018 5 / 11

  27. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also 9 April 2018 6 / 11

  28. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 9 April 2018 6 / 11

  29. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 � = ⇒ g ( x ) ≈ ( x − x T ) T ∈ ker φ 9 April 2018 6 / 11

  30. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 � = ⇒ g ( x ) ≈ ( x − x T ) T ∈ ker φ (2) A point Q ∈ M A such that f ( x Q ) = 0 9 April 2018 6 / 11

  31. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 � = ⇒ g ( x ) ≈ ( x − x T ) T ∈ ker φ (2) A point Q ∈ M A such that f ( x Q ) = 0 = ⇒ f ( x T + Q ) = 0 for all T ∈ ker φ 9 April 2018 6 / 11

  32. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 � = ⇒ g ( x ) ≈ ( x − x T ) T ∈ ker φ (2) A point Q ∈ M A such that f ( x Q ) = 0 = ⇒ f ( x T + Q ) = 0 for all T ∈ ker φ � = ⇒ f ( x ) ≈ ( x − x T + Q ) T ∈ ker φ 9 April 2018 6 / 11

  33. Isogeny structure Theorem (sketch) Let G ⊂ M ( ¯ K ) be a subgroup, Q / ∈ G and � f ( x ) � φ = g ( x ) , — a separable isogeny such that ker φ = G and f ( x Q ) = 0 . Then � � f ( x ) = c f · ( x − x T + Q ) , g ( x ) = ( x − x T ) . T ∈ G T ∈ G \∞ 9 April 2018 7 / 11

  34. Isogeny structure Theorem (sketch) Let G ⊂ M ( ¯ K ) be a subgroup, Q / ∈ G and � f ( x ) � φ = g ( x ) , — a separable isogeny such that ker φ = G and f ( x Q ) = 0 . Then � � f ( x ) = c f · ( x − x T + Q ) , g ( x ) = ( x − x T ) . T ∈ G T ∈ G \∞ ◮ Generalizes when Q does not map to (0 , —) 9 April 2018 7 / 11

  35. Isogeny structure Theorem (sketch) Let G ⊂ M ( ¯ K ) be a subgroup, Q / ∈ G and � f ( x ) � φ = g ( x ) , — a separable isogeny such that ker φ = G and f ( x Q ) = 0 . Then � � f ( x ) = c f · ( x − x T + Q ) , g ( x ) = ( x − x T ) . T ∈ G T ∈ G \∞ ◮ Generalizes when Q does not map to (0 , —) ◮ Close connection between action of Q and isogeny! 9 April 2018 7 / 11

  36. Application to Montgomery curves This works perfectly for Montgomery curves! (1) A distinguished point Q = (0 , 0) of order two � � 1 (2) A very simple action ( x T , —) + Q = x T , — 9 April 2018 8 / 11

  37. Application to Montgomery curves This works perfectly for Montgomery curves! (1) A distinguished point Q = (0 , 0) of order two � � 1 (2) A very simple action ( x T , —) + Q = x T , —   x · x T − 1 � = ⇒ φ ( x ) =  x , —  x − x T T ∈ G \∞ 9 April 2018 8 / 11

  38. Application to Montgomery curves This works perfectly for Montgomery curves! (1) A distinguished point Q = (0 , 0) of order two � � 1 (2) A very simple action ( x T , —) + Q = x T , —   x · x T − 1 � = ⇒ φ ( x ) =  x , —  x − x T T ∈ G \∞ and A ′ = π ( A − 3 σ ), where x T − 1 � � π = x T , σ = x T T ∈ G \∞ T ∈ G \∞ 9 April 2018 8 / 11

  39. Application to Montgomery curves This works perfectly for Montgomery curves! (1) A distinguished point Q = (0 , 0) of order two � � 1 (2) A very simple action ( x T , —) + Q = x T , —   x · x T − 1 � = ⇒ φ ( x ) =  x , —  x − x T T ∈ G \∞ and A ′ = π ( A − 3 σ ), where x T − 1 � � π = x T , σ = x T T ∈ G \∞ T ∈ G \∞ for any subgroup not containing (0 , 0), generalizing [CH17] 9 April 2018 8 / 11

  40. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 9 April 2018 9 / 11

  41. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 ker = ( 0 , 0 ) 9 April 2018 9 / 11

  42. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 9 April 2018 9 / 11

  43. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 9 April 2018 9 / 11

  44. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 M 1 9 April 2018 9 / 11

  45. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 M 1 9 April 2018 9 / 11

Recommend

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao Paulo da Silva , Ricardo Dahab, Julio L opez Institute of Computing University of Campinas Latin American Week on Coding and Information

558 views • 32 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar

Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar

Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar Jetchev 1 Damien Robert 2 1 EPF Lausanne 2 INRIA Bordeaux May 20, 2014 1/21 Introduction Elliptic and Hyperelliptic Curves Applications: Public key

1.13k views • 92 slides
Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz, Damien Robert Damien Robert Rational isogenies 2 1 Theta functions Complex abelian varieties Quasi-periodicity: Damien Robert Rational

734 views • 23 slides
Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas Decru , and Benjamin Smith NutMiC 2019, Paris June 24, 2019 Background 2006: hash functions based on supersingular elliptic curves (Charles,

564 views • 52 slides
Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404 Alice 2 " -isogenies, Bob 3 $

766 views • 19 slides
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of

Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of

Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arXiv:1012.4019 For ordinary isogenous elliptic curves of equal endomorphism ring, we show (under

657 views • 36 slides
Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves

Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves

Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves Nicola Wolpert Max-Planck-Institut f ur Informatik Stuhlsatzenhausweg 85 66123 Saarbr ucken, Germany nicola@mpi-sb.mpg.de March 26, 2003

255 views • 11 slides
Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline

Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline

Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline Introduction Polynomial size trade off curves Construction of Pareto curves in 2-d Pareto curves in 3+ d Conclusion

622 views • 44 slides
Mappings of elliptic curves Benjamin Smith INRIA Saclay Ile-de-France & Laboratoire

Mappings of elliptic curves Benjamin Smith INRIA Saclay Ile-de-France & Laboratoire

Mappings of elliptic curves Benjamin Smith INRIA Saclay Ile-de-France & Laboratoire dInformatique de l Ecole polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves Eindhoven,

515 views • 28 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

952 views • 67 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

896 views • 78 slides
Computing Equations of Curves with Many Points Virgile Ducet 1 Claus Fieker 2 1 Institut de

Computing Equations of Curves with Many Points Virgile Ducet 1 Claus Fieker 2 1 Institut de

Computing Equations of Curves with Many Points Virgile Ducet 1 Claus Fieker 2 1 Institut de Mathmatiques de Luminy 2 Fachbereich Mathematik Universitt Kaiserslautern Algorithmic Number Theory Symposium, July 2012 Motivation Let C / F q be a

410 views • 38 slides
1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

Topics Parametric curves and surfaces Polynomial curves Advanced Modeling 2 Rational curves Katja Bhler, Andrej Varchola, Eduard Tensor product surfaces Grller Triangular surfaces Institute of Computer Graphics and Algorithms Vienna

78 views • 6 slides
Computing Hermitian Determinantal Representations of Plane Curves Cynthia Vinzant University of

Computing Hermitian Determinantal Representations of Plane Curves Cynthia Vinzant University of

Computing Hermitian Determinantal Representations of Plane Curves Cynthia Vinzant University of Michigan 0.2 2 0.0 1 0 0.2 1 0.4 2 0.6 1.5 1.0 0.5 0.0 0.5 1.0 1.5 2 1 0 1 2 joint with Daniel Plaumann, Rainer Sinn, and David

523 views • 41 slides
Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory,

Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory,

Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory, Special Issue on Elliptic Curve Cryptography http://eprint.iacr.org/2010/294 Kristin Lauter, Microsoft Research Joint work with: Tonghai Yang,

421 views • 39 slides
Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2013 Tamara Munzner Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd edition 2 Curves 3 Parametric Curves parametric form

615 views • 32 slides
Finding ECM-friendly curves through a study of Galois properties 10th Algorithmic Number Theory

Finding ECM-friendly curves through a study of Galois properties 10th Algorithmic Number Theory

Finding ECM-friendly curves through a study of Galois properties 10th Algorithmic Number Theory Symposium Razvan Barbulescu 1 Joppe W. Bos 3 Cyril Bouvier 1 Thorsten Kleinjung 2 Peter L. Montgomery 3 1. Universit de Lorraine, CNRS, INRIA,

231 views • 21 slides
Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves Physical tools, used to model curves French Curves Smoothly connect pre-determined curve points French Curves French Curves Digital French

845 views • 42 slides
The Muffin Problem Guangi Cui - Montgomery Blair HS (in MD) Naveen Durvasula - Montgomery Blair

The Muffin Problem Guangi Cui - Montgomery Blair HS (in MD) Naveen Durvasula - Montgomery Blair

The Muffin Problem Guangi Cui - Montgomery Blair HS (in MD) Naveen Durvasula - Montgomery Blair HS (in MD) William Gasarch - University of MD Naveen Raman - Richard Montgomery HS (in MD) Sung Hyun Yoo - Bergen County Academies (in NJ) Cake

547 views • 42 slides
parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape modeling (3D) different representation implicit curves parametric curves (mostly used) 2D and 3D curves are mostly the same use vector notation

724 views • 35 slides
Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC

Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC

Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC & Universit e de Rennes 1 June 23, 2011 Geocrypt, Bastia, France Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June

590 views • 20 slides
Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La

Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La

Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La Londe-Les-Maures Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco

867 views • 49 slides
Computing Node Polynomials for Plane Curves Florian Block University of Michigan FPSAC 2010

Computing Node Polynomials for Plane Curves Florian Block University of Michigan FPSAC 2010

Computing Node Polynomials for Plane Curves Florian Block University of Michigan FPSAC 2010 August 5, 2010 http://www-personal.umich.edu/ blockf/NodePolyTalk.pdf arXiv:1006.0218 Florian Block (U of Michigan) Computing Node Polynomials

411 views • 16 slides

More recommend