csi fish efficient isogeny based signatures through class
play

CSI-FiSh: Efficient Isogeny based Signatures through Class Group - PowerPoint PPT Presentation

Nov 02, 2022 •328 likes •1.2k views

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

  1. CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019

  2. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) .

  3. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) . The class group cl ( O ) acts freely and transitively on a set of supersingular elliptic curves X = E ℓℓ p ( O , π ) .

  4. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) . The class group cl ( O ) acts freely and transitively on a set of supersingular elliptic curves X = E ℓℓ p ( O , π ) . 74 “simple” ideals whose action can be computed efficiently: l 1 = (3 , π − 1) , · · · , l 74 = (587 , π − 1)

  5. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) . The class group cl ( O ) acts freely and transitively on a set of supersingular elliptic curves X = E ℓℓ p ( O , π ) . 74 “simple” ideals whose action can be computed efficiently: l 1 = (3 , π − 1) , · · · , l 74 = (587 , π − 1) CSIDH-512: Efficient Post-Quantum Diffie-Hellman protocol based on this action. Reasonably fast ( ± 80 ms) and very small keys.

  6. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) . The class group cl ( O ) acts freely and transitively on a set of supersingular elliptic curves X = E ℓℓ p ( O , π ) . 74 “simple” ideals whose action can be computed efficiently: l 1 = (3 , π − 1) , · · · , l 74 = (587 , π − 1) CSIDH-512: Efficient Post-Quantum Diffie-Hellman protocol based on this action. Reasonably fast ( ± 80 ms) and very small keys. Can we do signatures ?

  7. Introduction : Seasign [De Feo, Galbraith] 2/34 [Rostovstev]: FS signatures from Graph Isomorphism-like identification scheme.

  8. Introduction : Seasign [De Feo, Galbraith] 2/34 [Rostovstev]: FS signatures from Graph Isomorphism-like identification scheme. problem: We cannot uniquely represent elements g = � 74 i =1 l e i i . ⇒ Signatures leak secret key.

  9. Introduction : Seasign [De Feo, Galbraith] 2/34 [Rostovstev]: FS signatures from Graph Isomorphism-like identification scheme. problem: We cannot uniquely represent elements g = � 74 i =1 l e i i . ⇒ Signatures leak secret key. solution: [SeaSign] Rejection sampling to prevent leakage. ⇒ Slow signing and large signatures (e.g. 17 min and 12 KB).

  10. Introduction : Seasign [De Feo, Galbraith] 2/34 [Rostovstev]: FS signatures from Graph Isomorphism-like identification scheme. problem: We cannot uniquely represent elements g = � 74 i =1 l e i i . ⇒ Signatures leak secret key. solution: [SeaSign] Rejection sampling to prevent leakage. ⇒ Slow signing and large signatures (e.g. 17 min and 12 KB). Can we do better ?

  11. Introduction: CSI-FiSh 3/34 We compute the structure of cl ( O ) : It is cyclic of order N =3 · 37 · 1407181 · 51593604295295867744293584889 · 31599414504681995853008278745587832204909 and generated by g = l 1 = (3 , π − 1) . We can uniquely represent elements of cl ( O ) as g a with a ∈ Z /N Z . CSI-FiSh: Isogeny signatures without rejection sampling ⇒ Much more efficient (e.g. 335 ms min and 2 KB).

  12. Outline of the talk 4/34 1 Some Isogeny-Based Crypto 2 Class group computation 3 CSI-FiSh

  13. Outline 5/34 1 Some Isogeny-Based Crypto 2 Class group computation 3 CSI-FiSh

  14. Elliptic curves and isogenies 6/34 Definition (Elliptic curve) Elliptic curves are curves defined by an equation of the form y 2 = x 3 + ax + b . Definition (Isogeny) → An isogeny of elliptic curves E, E ′ is a non-zero algebraic group morphism from E to E ′ .

  15. Endomorphisms 7/34 Definition (Endomorphism) An isogeny from a curve E to itself is called an endomorphism Examples: multiplication by n : P �→ P + P + · · · + P (n times). In characteristic p : Frobenius π : ( x, y ) �→ ( x p , y p ) . Endomorphisms form a ring End ( E ) : pointwise addition: ( φ 1 + φ 2 )( P ) = φ 1 ( P ) + φ 2 ( P ) multiplication by composition : φ 1 · φ 2 = φ 1 ◦ φ 2 Endomorphisms defined over F p form a Commutative subring! If End p ( E ) = End ( E ) , then E is ordinary, otherwise E is supersingular.

  16. Separable isogenies ↔ finite subgroups 8/34 Fact 1: An isogeny E → E ′ has a finite kernel. And conversely: Fact 2: For every finite subgroup H ⊂ E , there exists an isogeny φ : E → E ′ with kernel H . And this E ′ is unique (up to isomorphism).

  17. Separable isogenies ↔ finite subgroups 8/34 Fact 1: An isogeny E → E ′ has a finite kernel. And conversely: Fact 2: For every finite subgroup H ⊂ E , there exists an isogeny φ : E → E ′ with kernel H . And this E ′ is unique (up to isomorphism). Moreover, if H and E are defined over F p , then φ and E ′ are defined over F p Notation Given, H ⊂ E , we write E ′ = E/H .

  18. Class group action 9/34 Let E/ F p be a curve with End F p ( E ) = O and let the ideal class group of O ( denoted by cl ( O ) ) be the group of invertible fractional ideals modulo principal ideals. Then cl ( O ) acts on the set of elliptic curves defined over F p with F p -endomorphism ring O : �� � [ I ] ⋆ E = E/ ker α α ∈ I Well defined because: isogenous curves have same endomorphism ring principal ideals act trivially: [ � α � ] ⋆ E = E/ (ker α ) = E

  19. Class group action for CSIDH-512 10/34 [Castryck, Lange, Martindale, Panny, Renes] Choose p = 4 · 3 · 5 · . . . · 376 · 587 − 1 (which is prime), then E 0 : y 2 = x 3 + x is a supersingular elliptic curve with End F p ( E ) = Z [ π ] ≈ Z [ √− p ] . Let X = { E | E is supersingular and End F q ( E ) = Z [ π ] } . Then cl ( Z [ π ]) acts freely and transitively on X . One can efficiently compute the action of ideal classes of the form [ ℓ 1 ] = [(3 , π − 1)] , · · · , [ ℓ 74 ] = [(587 , π − 1)] and their inverses. A priori, we only really have a group action from Z 74 on X .

  20. Example 11/34 Images stolen from Wouter Castryck

  21. Example 11/34 Images stolen from Wouter Castryck

  22. Example 11/34 Images stolen from Wouter Castryck

  23. Example 11/34 Images stolen from Wouter Castryck

  24. Example 11/34 Images stolen from Wouter Castryck

  25. Example 11/34 Images stolen from Wouter Castryck

  26. Example 11/34 Images stolen from Wouter Castryck

  27. Example 11/34 Images stolen from Wouter Castryck

  28. Example 11/34 Images stolen from Wouter Castryck

  29. Example 11/34 Images stolen from Wouter Castryck

  30. Example 11/34 Images stolen from Wouter Castryck

  31. Example 11/34 Images stolen from Wouter Castryck

  32. Example 11/34 Images stolen from Wouter Castryck

  33. Example 11/34 Images stolen from Wouter Castryck

  34. Example 11/34 Images stolen from Wouter Castryck

  35. Example 11/34 Images stolen from Wouter Castryck

  36. Example 11/34 Images stolen from Wouter Castryck

  37. Example 11/34 Images stolen from Wouter Castryck

  38. Example 11/34 Images stolen from Wouter Castryck

  39. Vectorization and Paralellization 12/34 Vectorization problem ∼ DLOG given E, E ′ , hard to find [ a ] ∈ cl ( O ) such that [ a ] ⋆ X = Y . E ′ E ? Paralellization problem ∼ CDH given E, [ a ] ⋆ E, [ b ] ⋆ E , hard to compute [ ab ] ⋆ X . [ a ] ⋆ X [ a ] ⋆ [ a ] ⋆ X ? [ b ] ⋆ [ b ] ⋆ [ b ] ⋆ X

  40. CSIDH key exchange 13/34 Trump chooses secret key [ a ] , Zelensky chooses secret key [ b ] . 74 74 � [ ℓ i ] b i � [ ℓ i ] a i [ b ] = [ a ] = i =1 i =1 E a =[ a ] ⋆E 0 − − − − − − − − − − → E b =[ b ] ⋆E 0 ← − − − − − − − − − − ↓ ↓ [ a ] ⋆ E b [ b ] ⋆ E a Eavesdropper learns [ a ] ⋆ E 0 and [ b ] ⋆ E 0 , but not [ ab ] ⋆ E 0

  41. CSIDH and Seasign 14/34 CSIDH Advantages: CSIDH Disadvantages: non-interactive Speed: ∼ 35 ms CCA-security Subexponential quantum attack key size: 64 Bytes

  42. CSIDH and Seasign 14/34 CSIDH Advantages: CSIDH Disadvantages: non-interactive Speed: ∼ 35 ms CCA-security Subexponential quantum attack key size: 64 Bytes Can we do authentication/signatures? Problem is Z 74 ↔ cl ( O ) . We can’t sample uniformly from cl ( O ) . We dont have a unique way to represent elements in cl ( O ) .

  43. CSIDH and Seasign 14/34 CSIDH Advantages: CSIDH Disadvantages: non-interactive Speed: ∼ 35 ms CCA-security Subexponential quantum attack key size: 64 Bytes Can we do authentication/signatures? Problem is Z 74 ↔ cl ( O ) . We can’t sample uniformly from cl ( O ) . We dont have a unique way to represent elements in cl ( O ) . Seasign[DeFeo,Galbraith]+[Decru,Panny,Vercauteren]: Expensive workaround by using a very redundant representation of class group elements: Public key 16 KB, signatures 4 KB, 4 minutes.

Recommend

SeaSign: Compact isogeny signatures from class group actions Luca De Feo 1 , Steven D. Galbraith 2

SeaSign: Compact isogeny signatures from class group actions Luca De Feo 1 , Steven D. Galbraith 2

SeaSign: Compact isogeny signatures from class group actions Luca De Feo 1 , Steven D. Galbraith 2 1 Universit Paris Saclay UVSQ, France 2 University of Auckland, New Zeland May 23, 2019, Eurocrypt, Darmstadt Slides online at

740 views • 43 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Getting Fish to Market Class 1 Budget Nunavut Health Pilot program Fish being delivered

Getting Fish to Market Class 1 Budget Nunavut Health Pilot program Fish being delivered

Getting Fish to Market Class 1 Budget Nunavut Health Pilot program Fish being delivered May be expanded Other Markets require CFIA Certification 16 Fisheries Master Plan Building a Modern Community Fishery Living document

172 views • 15 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University

Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University

Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University of Technology 20 July 2020 Benefits of hash-based signatures Old idea: 1979 Lamport one-time signatures. 1979 Merkle extends to more

659 views • 40 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea Basso 1 , P eter Kutas 1 , Simon-Philipp Merz 2 , Christophe Petit 1 , Charlotte Weitk amper 1 University of Birmingham, UK Royal Holloway,

575 views • 19 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-24 1 Outline Parameter choices RSA-PSS Genaro-Halevi-Rabin signatures Digital Signatures 2020-03-24 2 Recap Last

661 views • 53 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

785 views • 29 slides

More recommend