1. Cryptographic Schemes Based on Isogenies
Anton Stolbunov
Trondheim, January 23, 2012
www.ntnu.no Anton Stolbunov, Cryptographic Schemes Based on Isogenies

2. Outline
[Ch. 1] Introduction
[Ch. 2] Constructing Cryptographic Schemes Based on Isogenies
[Ch. 3] Security Reductions for Schemes Based on Group Action
[Ch. 4] Improved Algorithm for the Isogeny Problem

3. Motivation for Research
— the security of current asymmetric cryptographic schemes is decreasing (index calculus algorithms, Shor's algorithm, etc.);
— cryptographic schemes based on new hard computational problems are needed;
— elliptic curves and imaginary quadratic fields are well studied and good algorithms are available.

4. Research Questions
1. How can isogenies between ordinary elliptic curves be used for building cryptographic schemes? Which schemes can be built? What is the efficiency of such schemes?
2. On which computational problems does the security of the proposed schemes depend?
3. What is the computational complexity of these problems?

5. Related Work: Cryptographic Schemes Based on Isogenies
[Teske 2003] key escrow system;
[Rostovtsev et al. 2004] ordered digital signature scheme;
[Rostovtsev, Stolbunov 2006] public-key encryption scheme;
[Couveignes 2006] key agreement, authentication and Σ-protocols;
[Charles et al. 2009] hash using supersingular-curve isogenies;
[Weiwei, Debiao 2010], [Debiao et al. 2011] authenticated key agreement protocols;
[Jao, De Feo 2011] key agreement and public-key encryption using supersingular-curve isogenies.

6. Elliptic Curves
Let F be a field, char(F) ≠ 2, 3. An elliptic curve E/F is a non-singular algebraic curve defined by $Y^2 = X^3 + aX + b$, where a and b lie in F.
Let L ⊇ F be an extension field. E(L) := {points over L} ∪ {P∞} is called the group of points of E over L.
$j(E) := 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}$ is the j-invariant.
Example: E(F_47): $Y^2 = X^3 + X + 5$.

7. Isogenies
An isogeny φ from E_1 to E_2 is a (nonconstant) homomorphism φ: E_1(F) → E_2(F) that is given by rational functions.
Example (cont.)
E_1/F_47: $Y^2 = X^3 + X + 5$, j(E_1) = 27;
E_2/F_47: $Y^2 = X^3 + 32X + 19$, j(E_2) = 24.
$$\varphi: E_1 \to E_2,\qquad (X, Y) \mapsto \left( \frac{X^2 - 17X + 22}{X - 17},\ \frac{X^2 + 13X - 15}{X^2 + 13X + 7}\, Y \right).$$
ker(φ) = {(17, 0), P∞}, deg(φ) = 2.

8. Class Group Action on j-Invariants in C
Let K be an imaginary quadratic field and O_K its ring of integers.
CL(O_K) = {[a_1], ..., [a_h]} is the ideal class group of O_K.
ELL_σ(O_K) := {j(a_1), ..., j(a_h)} is the set of j-invariants of the fractional ideals of O_K for a fixed embedding σ of K in C.
The action ∗ of CL(O_K) on ELL_σ(O_K) is defined as
$$\ast: CL(O_K) \times ELL_\sigma(O_K) \to ELL_\sigma(O_K),\qquad ([\mathfrak{a}], j(\mathfrak{b})) \mapsto j(\mathfrak{a}^{-1}\mathfrak{b}).$$
H = K(j(O_K)) is the Hilbert class field of K. All j(a_i) lie in O_H.
Let $\mathfrak{p}$ be a prime ideal of O_H above a prime p that splits completely in O_H. Reduction modulo $\mathfrak{p}$ maps the elements j(a_i) to j-invariants of ordinary elliptic curves over $O_H/\mathfrak{p} \cong F_p$.

9. Class Group Action on a Set of Isogenous Ordinary Elliptic Curves
ELL_{p,n}(O_K) := {j(E/F_p) : #E(F_p) = n, End(E) ≅ O_K}.
The group CL(O_K) acts simply transitively on the set ELL_{p,n}(O_K).
Example (cont.) E: $Y^2 = X^3 + X + 5$ over F_47, j(E) = 27, End_{F_47}(E) ≅ O_{−152}.

CL(O_{−152})          Permutations on ELL_{47,42}(O_{−152})
g   = [(3, 2, ·)]     (27 12 15 24 41 19)
g^2 = [(6, 4, ·)]     (27 15 41)(19 12 24)
g^3 = [(2, 0, ·)]     (27 24)(19 15)(41 12)
g^4 = [(6, −4, ·)]    (27 41 15)(19 24 12)
g^5 = [(3, −2, ·)]    (27 19 41 24 15 12)
g^6 = [(1, 0, ·)]     (27)(19)(41)(24)(15)(12)
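The numbers on slides 6, 7 and 9 can be checked directly. The Python below is an added worked example, not code from the thesis or from the ClassEll package: it computes j-invariants over F_47, builds the degree-2 isogeny with kernel {(17, 0), P∞} from Vélu's formula (which reproduces the rational functions on slide 7 and the image curve Y² = X³ + 32X + 19), checks that it is a homomorphism of the point groups, and then applies the same construction to all six j-invariants of ELL_{47,42}(O_{−152}) to recover the permutation (27 24)(19 15)(41 12) listed for g³ = [(2, 0, ·)]. The choice of 5 as a quadratic non-residue mod 47, the brute-force point counting, and the function names are the example's own assumptions and are only workable for a toy prime.

```python
# Added worked example (not from the thesis or ClassEll): Vélu's formula for a
# degree-2 isogeny over F_47 and the resulting action of the class [(2,0,.)]
# on ELL_{47,42}(O_{-152}).
P = 47          # the prime used on the slides
INF = None      # the point at infinity P_inf
NONRESIDUE = 5  # assumption: a quadratic non-residue mod 47, used for twisting


def inv(x):
    """Multiplicative inverse in F_P (P is prime)."""
    return pow(x % P, P - 2, P)


def j_invariant(a, b):
    """j(E) = 1728 * 4a^3 / (4a^3 + 27b^2) for E: y^2 = x^3 + a x + b."""
    return 1728 * 4 * a**3 * inv(4 * a**3 + 27 * b**2) % P


def on_curve(a, b, pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % P == 0


def points(a, b):
    """E(F_P) by brute force, including INF; fine for P = 47."""
    return [INF] + [(x, y) for x in range(P) for y in range(P)
                    if (y * y - (x**3 + a * x + b)) % P == 0]


def add(a, p1, p2):
    """Chord-and-tangent group law on E: y^2 = x^3 + a x + b."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # p1 = -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def two_torsion_x(a, b):
    """x-coordinate of the unique F_P-rational point of order 2 (root of x^3 + a x + b)."""
    roots = [x for x in range(P) if (x**3 + a * x + b) % P == 0]
    assert len(roots) == 1, "example expects exactly one rational 2-torsion point"
    return roots[0]


def velu_2_isogeny(a, b, x0):
    """Vélu's formula for the isogeny with kernel {(x0, 0), INF}.
    Returns (a', b', phi) with phi: E -> E': y^2 = x^3 + a' x + b'.
    For a 2-torsion point Q = (x0, 0): t_Q = 3 x0^2 + a and u_Q = 0."""
    t = (3 * x0 * x0 + a) % P
    w = x0 * t % P
    a2, b2 = (a - 5 * t) % P, (b - 7 * w) % P

    def phi(pt):
        if pt is INF or pt[0] == x0:     # the kernel maps to INF
            return INF
        x, y = pt
        d = inv(x - x0)                  # 1 / (x - x0)
        return ((x + t * d) % P, y * (1 - t * d * d) % P)

    return a2, b2, phi


def phi_slide(pt):
    """The isogeny exactly as printed on slide 7, for comparison with Vélu's output."""
    if pt is INF or pt[0] == 17:
        return INF
    x, y = pt
    return ((x * x - 17 * x + 22) * inv(x - 17) % P,
            (x * x + 13 * x - 15) * inv(x * x + 13 * x + 7) * y % P)


def curve_with_order(j, n):
    """Some E: y^2 = x^3 + a x + b over F_P with j(E) = j and #E(F_P) = n.
    Starts from a = 3k, b = 2k with k = j/(1728 - j) (needs j != 0, 1728) and
    switches to the quadratic twist when that curve has 2P + 2 - n points."""
    k = j * inv(1728 - j) % P
    a, b = 3 * k % P, 2 * k % P
    if len(points(a, b)) != n:
        d = NONRESIDUE
        a, b = a * d * d % P, b * d**3 % P
    assert len(points(a, b)) == n
    return a, b


def two_isogeny_action(js, n):
    """j -> j(E/<Q>) for the unique rational 2-torsion point Q of each curve:
    the permutation of ELL_{P,n} induced by the ideal class above 2."""
    perm = {}
    for j in js:
        a, b = curve_with_order(j, n)
        a2, b2, _ = velu_2_isogeny(a, b, two_torsion_x(a, b))
        perm[j] = j_invariant(a2, b2)
    return perm


if __name__ == "__main__":
    a2, b2, phi = velu_2_isogeny(1, 5, 17)
    print("E2: a =", a2, "b =", b2, "; j:", j_invariant(1, 5), "->", j_invariant(a2, b2))
    print(two_isogeny_action([27, 12, 15, 24, 41, 19], 42))
```

The image j-invariant does not depend on which quadratic twist `curve_with_order` picks (twisting E by d twists E/⟨Q⟩ by the same d), so the permutation is a property of the j-invariants alone; selecting the twist with 42 points only makes the curves honest members of ELL_{47,42}(O_{−152}). Only the single rational 2-torsion point exists here because 2 ramifies in O_{−152} and 42 = 2·3·7, so each curve has exactly one rational 2-isogeny, the horizontal one.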

10. Constructing Cryptographic Schemes Based on Isogenies (Chapter 2)

11. Key Agreement Protocol KA1
System parameters: a finite abelian group G acting by ∗ on a set X; an element x ∈ X.
The protocol (simplified):
A: a ←R G; m_A ← a ∗ x; send m_A to B; on receiving m_B: k_A ← a ∗ m_B; output k_A.
B: b ←R G; m_B ← b ∗ x; send m_B to A; on receiving m_A: k_B ← b ∗ m_A; output k_B.
Since G is abelian, k_A = a ∗ (b ∗ x) = (ab) ∗ x = b ∗ (a ∗ x) = k_B.

12. More Schemes Based on Group Action
— public-key encryption scheme PE;
— authenticated key agreement protocols;
— digital signature scheme;
— secret-key encryption scheme;
— no-key secret message transfer protocol;
— commitment scheme.

13. Proposed Implementation Details for Schemes Based on Isogenies
— system parameter generation algorithm;
— representation of elements of CL(O_K);
— efficient implementation of the class group action on ELL_{p,n}(O_K); one action is $O(\log(p)^{5.3})$ bit operations;
— random sampling from the class group;
— pseudo-random sampling from a large class group.

14. Practical Implementation
Created an open-source package ClassEll for PARI/GP.
Average serial running time of one class group action (timings for an Intel Core i7 920 @ 3.6 GHz):

Security (bits)   ⌈log p⌉ (bits)   Time (seconds)
75                224              19
80                244              21
96                304              56
112               364              90
128               428              229

15. Security Reductions for Schemes Based on Group Action (Chapter 3)

16. Computational Problems
An abelian group G acts by ∗ on a set X.
Problem (Group Action Inverse Problem (GAIP)): Given x, y ∈ G ∗ x, find g such that g ∗ x = y.
Problem (Decisional Diffie-Hellman Group Action Problem (DDHAP)): Given x, y, z, r ∈ G ∗ x, decide whether r = (ab) ∗ x for some a and b satisfying y = a ∗ x and z = b ∗ x.
Reducibility of problems: can solve GAIP ⇒ can solve DDHAP.
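The protocol of slide 11 and the two problems above can be exercised on the toy action from slide 9: CL(O_{−152}) is cyclic of order 6, generated by g = [(3, 2, ·)], and g permutes ELL_{47,42}(O_{−152}) as the 6-cycle (27 12 15 24 41 19). The Python below is an added example, not the thesis's code or ClassEll: it writes a group element as an exponent k of g (so composition is addition mod 6), runs KA1 between A and B, solves GAIP by brute force (feasible only because |G| = 6), and uses that solver to decide DDHAP, which is the reduction GAIP ⇒ DDHAP stated above. The function names are the example's own.

```python
# Added example (not from the thesis or ClassEll): KA1 and the GAIP -> DDHAP
# reduction on the 6-element action of CL(O_{-152}) on ELL_{47,42} from slide 9.
import secrets

# g = [(3,2,.)] acts on the six j-invariants as the cycle (27 12 15 24 41 19);
# g^k shifts k positions along the cycle, and g^6 is the identity.
CYCLE = [27, 12, 15, 24, 41, 19]
ORDER = len(CYCLE)


def act(k, j):
    """g^k * j: the class group action, with group elements written as exponents of g."""
    return CYCLE[(CYCLE.index(j) + k) % ORDER]


def compose(k1, k2):
    """Group operation on exponents: g^k1 g^k2 = g^(k1 + k2)."""
    return (k1 + k2) % ORDER


def random_element():
    """a <-R G."""
    return secrets.randbelow(ORDER)


def ka1(x, a=None, b=None):
    """One run of KA1 with public x in X. Returns (m_A, m_B, k_A, k_B).
    a and b may be fixed for reproducibility; otherwise they are sampled."""
    a = random_element() if a is None else a
    b = random_element() if b is None else b
    m_a = act(a, x)          # A -> B
    m_b = act(b, x)          # B -> A
    k_a = act(a, m_b)        # A computes a * (b * x)
    k_b = act(b, m_a)        # B computes b * (a * x)
    return m_a, m_b, k_a, k_b


def solve_gaip(x, y):
    """GAIP: find g with g * x = y. Brute force over G, possible only because |G| = 6."""
    for k in range(ORDER):
        if act(k, x) == y:
            return k
    raise ValueError("y is not in the orbit G * x")


def decide_ddhap(x, y, z, r):
    """DDHAP via a GAIP oracle: recover a with y = a * x, then r is a DH value
    iff r = a * z = (ab) * x. This is the reduction GAIP => DDHAP."""
    a = solve_gaip(x, y)
    return act(a, z) == r


def eavesdropper_key(x, m_a, m_b):
    """What a passive attacker recovers from the KA1 transcript once GAIP is solvable."""
    return act(solve_gaip(x, m_a), m_b)


if __name__ == "__main__":
    m_a, m_b, k_a, k_b = ka1(27, a=2, b=5)
    print("m_A =", m_a, "m_B =", m_b, "k_A =", k_a, "k_B =", k_b)
    print("attacker recovers", eavesdropper_key(27, m_a, m_b))
```

Everything here is a toy: with |G| = 6 the brute-force GAIP solver breaks the key agreement outright, which is why the parameter table on slide 14 uses primes of several hundred bits, and why the security theorems on slide 17 are stated relative to the hardness of DDHAP rather than of GAIP alone.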

17. Security Reductions
Theorem. If the DDHAP is hard, then the KA1 protocol is secure in the session-key authenticated-link model of Canetti and Krawczyk.
Theorem. If the DDHAP is hard and the hash function family is entropy smoothing, then the PE encryption scheme is IND-CPA secure (indistinguishability of encryptions under chosen-plaintext attack).

18. Improved Algorithm for the Isogeny Problem (Chapter 4)
Co-authored with Steven Galbraith

19. The Isogeny Problem
Problem (Isogeny Problem for Ordinary Elliptic Curves): Let E_1/F_q and E_2/F_q be ordinary elliptic curves satisfying #E_1(F_q) = #E_2(F_q). Compute an F_q-isogeny φ: E_1 → E_2.
Can solve IP with "comparable conductors" ⇔ can solve CL-GAIP.
Exponential-time classical algorithms:
[Galbraith 1999] uses an O(√#ELL) database of elliptic curves;
[Galbraith, Hess and Smart (GHS) 2002] use the parallel collision search algorithm. We improve the GHS algorithm.
Subexponential-time quantum algorithm:
[Childs, Jao and Soukharev 2010] use algorithms for the hidden shift problem.

20. Proposed GHS Improvement
Our idea: modify the random walk on the isogeny graph such that lower-degree (i.e. faster) isogenies are used more often.
Results:
— provided formulae for the expected running time of the parallel collision search with uneven partitioning, and its variance;
— experimentally measured the average running time for various partitionings with ±0.1% precision and 99.7% confidence;
— results apply to generic adding walks with uneven partitioning;
— gave recommendations on frequencies of isogeny degrees;
— asymptotic complexity of isogeny search is $O\left(q^{1/4 + o(1)} \log^2(q) \log(\log(q))\right)$ operations in F_q.
