Elliptic Curve Isogeny Based Cryptosystems
Frederik Vercauteren
Open Security Research (China), KU Leuven ESAT/COSIC (Belgium)
frederik.vercauteren@gmail.com
23 August 2016
1. Elliptic curves and isogenies
2. Ordinary isogeny Diffie-Hellman
3. Supersingular isogeny Diffie-Hellman
Post-quantum cryptography
Shor's algorithm breaks RSA, DLP and ECDLP in polynomial time on a quantum computer.
Post-quantum cryptographic systems:
- Code-based crypto: McEliece, ...
- Lattice-based crypto: NTRU, LWE, ...
- Hash-based crypto: Merkle hash tree signatures, ...
- Multivariate crypto: Hidden Field Equations, ...
What about isogeny-based crypto?
Isogeny based crypto: history
Diffie-Hellman key agreement:
- 1997: Couveignes: talk at ENS about "Hard Homogeneous Spaces"
- 2006: Rostovtsev, Stolbunov: ordinary isogeny Diffie-Hellman
- 2010: Weiwei, Debiao: key agreement protocols
- 2011: De Feo, Jao, Plût: supersingular isogeny Diffie-Hellman
- 2016: Costello, Longa, Naehrig: efficient implementation of SIDH
Other cryptographic constructions:
- 2003: Teske: elliptic curve trapdoor system
- 2004: Rostovtsev, Makhovenko, Shemyakina: ordered digital signature scheme
- 2009: Charles, Lauter, Goren: hash function based on isogeny graph
- 2010-2011: Debiao, Jianhua and Jin: random number generator and key agreement
- 2014: Sun, Tian, Wang: strong designated verifier signature
- 2014: Jao, Soukharev: undeniable signatures
Idea 1: Diffie-Hellman from abelian group action
Let $G$ be a finite abelian group and $X$ a set with a group action
$\star : G \times X \to X : (g, x) \mapsto g \star x$
Recall $(gh) \star x = g \star (h \star x)$ and $e \star x = x$.
Key agreement (public base point $x \in X$):
- Alice: $a \in_R G$, $\alpha = a \star x$, sends $\alpha$ to Bob
- Bob: $b \in_R G$, $\beta = b \star x$, sends $\beta$ to Alice
- Alice computes $k = a \star \beta = (ab) \star x$; Bob computes $k = b \star \alpha = (ba) \star x$
Idea 1: instantiation
Couveignes (1997), Rostovtsev, Stolbunov (2006)
- The set $X$ consists of $j$-invariants of elliptic curves $E/\mathbb{F}_q$ with $\mathrm{End}(E) \simeq \mathcal{O}_K$, the ring of integers of a quadratic imaginary field $K$
- The group $G$ is the class group $\mathrm{cl}(\mathcal{O}_K)$
- An ideal $\mathfrak{a}$ in $\mathcal{O}_K$ defines a subgroup $E[\mathfrak{a}]$ and an isogeny $\varphi_{\mathfrak{a}} : E \to E' = E / E[\mathfrak{a}]$
- Action: $[\mathfrak{a}] \star j(E) = j(E')$
Elliptic curves
An elliptic curve $E$ over a field $k$ with $\mathrm{char}(k) > 3$ can be defined by
$y^2 = x^3 + ax + b, \quad a, b \in k, \quad 4a^3 + 27b^2 \neq 0$
For any field extension $k'/k$, the set $E(k')$ of $k'$-rational points forms an abelian group with $O$ as identity element.
The $j$-invariant
$j(E) = j(a, b) = 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}$
determines the isomorphism class over $\bar{k}$.
Given $j_0 \in k$, it is easy to write down a curve with $j$-invariant equal to $j_0$:
- $j(0, b) = 0$ and $j(a, 0) = 1728$
- General case: $a = -3c$ and $b = 2c$ with $c = j_0 / (j_0 - 1728)$
Torsion subgroups
Multiplication by $n$ map: $[n] : E \to E : P \mapsto nP$
The $n$-torsion subgroup is the kernel of $[n]$:
$E[n] = \{ P \in E(\bar{k}) : nP = O \}$
If $\mathrm{char}(k) \nmid n$, then $E[n] \simeq \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$.
If $\mathrm{char}(k) = p$, then either:
- Supersingular: $E[p^e] = \{ O \}$, or
- Ordinary: $E[p^e] \simeq \mathbb{Z}/p^e\mathbb{Z}$
Isogenies
An isogeny $\varphi : E_1 \to E_2$ is a morphism (rational map) that preserves the identity.
The degree of an isogeny is its degree as a rational map.
If the isogeny is separable, then $\deg(\varphi) = \#\ker(\varphi)$.
For an isogeny $\varphi : E_1 \to E_2$ of degree $n$ we have the dual isogeny $\hat{\varphi} : E_2 \to E_1$ with
$\hat{\varphi} \circ \varphi = [n]_{E_1}$ and $\varphi \circ \hat{\varphi} = [n]_{E_2}$
Theorem: For every finite subgroup $H \subset E_1(\bar{k})$, there exists an elliptic curve $E_2$ and a separable isogeny $\varphi : E_1 \to E_2$ with $\ker \varphi = H$.
Vélu's formulae: compute the curve $E_2$ and the isogeny $\varphi$ given $H$.
$\ell$-Isogenies and modular polynomial
Let $\ell \neq \mathrm{char}(k)$ be prime; then an isogeny of degree $\ell$ has a cyclic kernel of order $\ell$.
Recall: $E[\ell] = \mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}$, so there are $\ell + 1$ cyclic subgroups.
Each subgroup is the kernel of an isogeny.
The isogeny is defined over $k$ iff its kernel is Galois invariant under $\mathrm{Gal}(k(E[\ell]) / k)$.
So there are 0, 1, 2 or $\ell + 1$ $k$-rational isogenies.
Modular polynomial $\Phi_\ell(X, Y)$:
- Symmetric in $X, Y$ and of degree $\ell + 1$
- Two elliptic curves $E_1, E_2$ are $\ell$-isogenous iff $\Phi_\ell(j(E_1), j(E_2)) = 0$
Elkies' algorithm: isogeny and its kernel given $j(E_1)$ and $j(E_2)$.
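Vélu's formulae and the modular polynomial worked on a toy example (added here; this is not code from the slides): over the constructed prime field $\mathbb{F}_{1009}$, compute the 3-isogenous and 2-isogenous curves of $y^2 = x^3 + 1$ with Vélu's formulae, push a point through each isogeny, and check that $\Phi_2$ vanishes on the resulting pair of $j$-invariants. The prime and the curve are constructed choices; the coefficients of $\Phi_2$ are the classical ones.

```python
p = 1009  # constructed toy prime; real parameters use primes of hundreds of bits
def inv(x): return pow(x % p, p - 2, p)                  # inverse in F_p

def add(E, P, Q):
    """Affine addition on y^2 = x^3 + a x + b over F_p; None stands for O."""
    if P is None or Q is None: return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None          # P = -Q
    if P == Q: lam = (3 * x1 * x1 + E[0]) * inv(2 * y1) % p  # tangent slope
    else: lam = (y2 - y1) * inv(x2 - x1) % p                 # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def subgroup(E, G):
    """Non-identity points of the cyclic group <G>: the kernel H minus O."""
    pts, P = [], G
    while P is not None:
        pts.append(P); P = add(E, P, G)
    return pts

def velu_codomain(E, H):
    """Velu: E/H is y^2 = x^3 + (a - 5v) x + (b - 7w), v and w summed over H minus O."""
    a, b = E
    v = w = 0
    for xq, yq in H:
        gx = 3 * xq * xq + a
        v += gx
        w += 2 * yq * yq + xq * gx
    return ((a - 5 * v) % p, (b - 7 * w) % p)

def velu_image(E, H, P):
    """Velu's original form: phi(P) = P + sum over Q in H minus O of ((P+Q) - Q), coordinatewise."""
    if P is None or P in H: return None                      # the kernel maps to O
    x, y = P
    for Q in H:
        R = add(E, P, Q)
        x, y = x + R[0] - Q[0], y + R[1] - Q[1]
    return (x % p, y % p)

def j_inv(E):
    return 1728 * 4 * E[0]**3 * inv(4 * E[0]**3 + 27 * E[1]**2) % p

def phi2(X, Y):  # classical modular polynomial Phi_2(X, Y), reduced mod p
    return (X**3 + Y**3 - X**2 * Y**2 + 1488 * (X**2 * Y + X * Y**2)
            - 162000 * (X**2 + Y**2) + 40773375 * X * Y
            + 8748000000 * (X + Y) - 157464000000000) % p

E = (0, 1)                    # y^2 = x^3 + 1 over F_p, j(E) = 0
H3 = subgroup(E, (0, 1))      # (0, 1) has order 3
E3 = velu_codomain(E, H3)     # y^2 = x^3 - 27 (j = 0 again)
H2 = subgroup(E, (p - 1, 0))  # (-1, 0) has order 2
E2 = velu_codomain(E, H2)     # y^2 = x^3 - 15x + 22 (j = 54000, 2-isogenous to j = 0)
```

The 3-isogeny sends $(2, 3)$ to the 2-torsion point $(3, 0)$ of $y^2 = x^3 - 27$, and the 2-isogeny sends it to $(3, 2)$ on $y^2 = x^3 - 15x + 22$; both images satisfy the codomain equation.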
Endomorphism ring
An endomorphism is an isogeny from $E$ to itself.
The set of endomorphisms $\mathrm{End}(E)$ forms a ring:
$(\varphi + \psi)(P) = \varphi(P) + \psi(P), \qquad (\varphi \psi)(P) = \varphi(\psi(P))$
Theorem: $\mathrm{End}(E)$ of a curve $E/k$ can be:
1. $\mathrm{End}(E) \simeq \mathbb{Z}$
2. $\mathrm{End}(E) \simeq$ an order $\mathcal{O}$ in an imaginary quadratic extension of $\mathbb{Q}$
3. $\mathrm{End}(E) \simeq$ an order $\mathcal{O}$ in a quaternion algebra over $\mathbb{Q}$
If $\mathrm{End}(E)$ is strictly larger than $\mathbb{Z}$, then $E$ is said to have complex multiplication.
Case 3 occurs if and only if $E$ is supersingular (see later).
Endomorphism rings of isogenous curves
The endomorphism algebra $\mathrm{End}^0(E) = \mathrm{End}(E) \otimes \mathbb{Q}$
$\mathrm{End}^0(E)$ is an isogeny invariant: so if $E_1$ is supersingular, then so is $E_2$.
In general $\mathrm{End}(E_1) \neq \mathrm{End}(E_2)$, but for $\ell$-isogenies we have one of:
- $\mathrm{End}(E_1) = \mathrm{End}(E_2)$ (horizontal)
- $\mathrm{End}(E_1)$ has index $\ell$ in $\mathrm{End}(E_2)$ (ascending)
- $\mathrm{End}(E_2)$ has index $\ell$ in $\mathrm{End}(E_1)$ (descending)
Frobenius endomorphism
Let $E$ be an elliptic curve over a finite field $k = \mathbb{F}_q$.
The Frobenius endomorphism $\pi_E : E \to E : (x, y) \mapsto (x^q, y^q)$
Theorem: The characteristic equation of $\pi_E$ is given by
$X^2 - tX + q = 0, \quad |t| \le 2\sqrt{q}, \quad \text{and } \#E(\mathbb{F}_q) = q + 1 - t$
$\Delta = t^2 - 4q \le 0$, so $\mathbb{Q}(\pi_E)$ is an imaginary quadratic field $K$ for $|t| \neq 2\sqrt{q}$.