explicit isogenies and implementation
play

Explicit isogenies and implementation Luca De Feo Freelance - PowerPoint PPT Presentation

Dec 04, 2023 •373 likes •590 views

Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC & Universit e de Rennes 1 June 23, 2011 Geocrypt, Bastia, France Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June

  1. Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC & Universit´ e de Rennes 1 June 23, 2011 Geocrypt, Bastia, France Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 1 / 13

  2. A quick review of SEA ✬ ✷ � t ✬ ✰ q ❂ ✵ ✷ ❊♥❞✭ ❊ ✮ ★ ❊ ✭ ❋ q ✮ ❂ q � t ✰ ✶ where Compute t ♠♦❞ ❵ for small primes ❵ ✏♣ ✑ t ✷ � ✹ q For primes ❵ splitting in ◗ : Compute the ❵ -th modular polynomial ✟ ❵ ✭ ❳ ❀ ❨ ✮ (or maybe one associated to a better invariant); Factor ✟ ❵ ✭ ❳ ❀ ❥ ❊ ✮ to obtain an isogenous curve ❊ ❵ ; Compute an explicit ❵ -isogeny ■ ❵ ✿ ❊ ✦ ❊ ❵ , let ❤ ❵ be its denominator; Compute ✭ ① q ❀ ② q ✮ over ❋ q ❬ ❳ ❪ ❂ ❤ ❵ ✭ ❳ ✮ ; Find t ❵ such that ✭ ① q ✷ ❀ ② q ✷ ✮ ✰ ❬ q ♠♦❞ ❵ ❪✭ ① ❀ ② ✮ ❂ ❬ t ❵ ❪✭ ① q ❀ ② q ✮ . Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 2 / 13

  3. State of the art Various implementations of SEA: Magma, Pari/GP, A. Enge / P. Gaudry / R. Lercier / F. Morain A. Sutherland, . . . BUT: Not many of them are open source. We lack a complete system to play around with modular polynomials and explicit isogenies Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 3 / 13

  4. Why compute explicit isogenies? Didactic and research purpose: play with the underpinnings of SEA; Some cryptographic applications: transfer DLPs between curves, construct cryptosystems; Other applications: compute modular polynomials, endomorphism rings; It’s fun. . . Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 4 / 13

  5. ❊ ✶ ✦ ❊ ✷ ❥ ✶ ❥ ✷ How to represent an isogeny? When drawing isogeny graphs, an isogeny is two ❥ -invariants and a kernel. ❥ ✶ � ✦ ❥ ✷ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 5 / 13

  6. ❥ ✶ ❥ ✷ How to represent an isogeny? Any isogeny ❊ ✶ ✦ ❊ ✷ can be composed with the automorphisms of the curves; ✭ ① ❀ ② ✮ ✼✦ ✭ ① ❀ � ② ✮ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 5 / 13

  7. How to represent an isogeny? Any isogeny ❊ ✶ ✦ ❊ ✷ can be composed with the automorphisms of the curves; If only ❥ ✶ and ❥ ✷ are specified, the isogeny can be composed with any isomorphism; Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 5 / 13

  8. How to represent an isogeny? Any isogeny ❊ ✶ ✦ ❊ ✷ can be composed with the automorphisms of the curves; If only ❥ ✶ and ❥ ✷ are specified, the isogeny can be composed with any isomorphism; How to uniquely represent explicit isogenies? Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 5 / 13

  9. How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13

  10. How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13

  11. How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: ❬ ♠ ❪ ✄ ✦ ✄ ❂ ♠ ✦ ✄ ❬✷❪ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13

  12. How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13

  13. How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: ❬ ♠ ❪ ✄ ✦ ✶ ♠ ✄ ❂ ✦ ✄ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13

  14. � Normalized isogenies Normalized isogenies An isogeny ■ ✿ ❊ ✦ ❊ ✵ induces an action on the differentials: ■ ✄ ✦ ❊ ✵ ❂ ❝ ✦ ❊ with ❝ ✷ ❑ . Then ✭ ❝② ■ ① ✭ ① ✮ ✵ ✮ ✷ ❂ ■ ① ✭ ① ✮ ✸ ✰ ❛ ✵ ■ ① ✭ ① ✮ ✰ ❜ ✵ ✿ When ■ ✄ ✦ ❊ ✵ ❂ ✦ ❊ , the isogeny is said to be normalized. ■ � ❊ ✵ ❊ � � � ❬ ♠ ❪ � � � ❫ ■ � � � ❊ By the dual isogeny theorem ■ ✄ ❫ ■ ✄ ✦ ❂ ♠ ✦ , but we are free to choose normalization factors ❝ and ❫ ❝ such that ❝ ❫ ❝ ❂ ♠ . There is no canonical choice, V´ elu’s formulae pick ❝ ❂ ✶ , ❫ ❝ ❂ ♠ . Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 7 / 13

  15. V´ elu’s formulae Compute an isogeny with given kernel (V´ elu 1971) Given the kernel ❍ , computes ■ ✿ ❊ ✦ ❊ ❂ ❍ given by ■ ✭ ❖ ❊ ✮ ❂ ■ ✭ ❖ ❊ ❂ ❍ ✮ , ✥ ✦ ❳ ❳ ■ ✭ P ✮ ❂ ① ✭ P ✮ ✰ ① ✭ P ✰ ◗ ✮ � ① ✭ ◗ ✮ ❀ ② ✭ P ✮ ✰ ② ✭ P ✰ ◗ ✮ � ② ✭ ◗ ✮ . ◗ ✷ ❍ ✄ ◗ ✷ ❍ ✄ In practice, given ❤ ✭ ① ✮ , of degree ❵ � ✶ , vanishing on ❍ ✑ ✵ ❤ ✭ ① ✮ ❂ ❵ ① � ♣ ✶ � ❢ ✵ ✭ ① ✮ ❤ ✵ ✭ ① ✮ ❣ ✭ ① ✮ ✏ ❤ ✵ ✭ ① ✮ ❳ ② ✷ ❂ ❢ ✭ ① ✮ , ♣ ✶ ❂ ① ✭ ◗ ✮ , ❤ ✭ ① ✮ � ✷ ❢ ✭ ① ✮ ❤ ✭ ① ✮ ◗ ✷ ❍ ✄ ✥ ✓ ✵ ✦ ❣ ✭ ① ✮ ✒ ❣ ✭ ① ✮ ■ ✭ ① ❀ ② ✮ ❂ ❤ ✭ ① ✮ ❀ ② ❤ ✭ ① ✮ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 8 / 13

  16. Computing the kernel of an isogeny SEA (Elkies 1998; Bostan, Morain, Salvy, and Schost 2008) ❖ ✭ ❵ ✸ ✮ ⑦ Factor ✟ ❵ ✭ ❳ ❀ ❥ ❊ ✮ to obtain an ❵ -isogenous ❥ -invariant ❥ ❵ ; 1 ❖ ✭ ❵ ✸ ✮ ⑦ Compute normalized models; 2 ⑦ Solve the differential equation. ❖ ✭ ❵ ✮ 3 Note: Steps ✶ and ✷ can be replaced by an algorithm to evaluate large degree isogenies with complexity ❖ ✭ ▲ q ✭✶ ❂ ✷✮ ❧♦❣ ❵ ✮ (Jao and Soukharev 2010). Compute normalized models Let ✟ ❳ and ✟ ❨ be the partial derivatives of ✟ ❵ . Let ❊ ✿ ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , then a normalized model for ❥ ❵ is given by ❊ ❵ ✿ ② ✷ ❂ ① ✸ ✰ ⑦ ❛① ✰ ⑦ ❜ , with ❥ ✵ ✷ ❥ ✵ ✸ ❛ ❂ � ✶ ❜ ❂ � ✶ ⑦ ⑦ ❥ ❵ ✭ ❥ ❵ � ✶✼✷✽✮ ❀ ❵ ✭ ❥ ❵ � ✶✼✷✽✮ ❀ ❥ ✷ ✹✽ ✽✻✹ where ❥ ✵ ❂ � ✶✽ ❜ ✟ ❳ ✭ ❥ ❊ ❀ ❥ ❵ ✮ ✟ ❨ ✭ ❥ ❊ ❀ ❥ ❵ ✮ ❥ ❊ ✿ ❵ ❛ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 9 / 13

  17. Small characteristic Problem: while solving the differential equation, divisions by the characteristic may occur. Finite fields of small characteristic (Lercier and Sirvent 2008) ❖ ✭ ❵ ✸ ✮ ⑦ Factor ✟ ❵ ✭ ❳ ❀ ❥ ❊ ✮ in ❋ q to obtain an ❵ -isogenous ❥ -invariant ❥ ❊ ✵ ; 1 ⑦ Lift ❥ ❊ and ❥ ❊ ✵ in ◗ q so that ✟ ❵ ✭⑦ ⑤ ❊ ❀ ⑦ ⑤ ❊ ✵ ✮ ❂ ✵ ❖ ✭ ❵ ✮ 2 ❖ ✭ ❵ ✸ ✮ ⑦ Compute a normalized model for the lift of ❊ ✵ ; 3 ⑦ Solve the differential equation in ◗ q ; ❖ ✭ ❵ ✮ 4 ⑦ Reduce in ❋ q . ❖ ✭ ❵ ✮ 5 Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 10 / 13

Recommend

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz, Damien Robert Damien Robert Rational isogenies 2 1 Theta functions Complex abelian varieties Quasi-periodicity: Damien Robert Rational

734 views • 23 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

952 views • 67 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

896 views • 78 slides
Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404 Alice 2 " -isogenies, Bob 3 $

766 views • 19 slides
A simple , distributed implementation of the pi-calculus, using explicit fusions Pisa, July 2002

A simple , distributed implementation of the pi-calculus, using explicit fusions Pisa, July 2002

A simple , distributed implementation of the pi-calculus, using explicit fusions Pisa, July 2002 Lucian Wischik and Cosimo Laneve, Philippa Gardner Manuel Mazzara, Lorenzo Agostinelli Paper at Concur 2002 wischik.com/lu/research/

463 views • 21 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
Explicit Characterisation of Receding Horizon Control Mar a M. Seron September 2004 Centre

Explicit Characterisation of Receding Horizon Control Mar a M. Seron September 2004 Centre

Explicit Characterisation of Receding Horizon Control Mar a M. Seron September 2004 Centre for Complex Dynamic Systems and Control Outline Solution Using Geometry 1 Solution for Arbitrary N Example Implementation of the Explicit

403 views • 38 slides
Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La

Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La

Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La Londe-Les-Maures Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco

867 views • 49 slides
Advanced macros and their implementation Matthew Might University of Utah matt.might.net

Advanced macros and their implementation Matthew Might University of Utah matt.might.net

Advanced macros and their implementation Matthew Might University of Utah matt.might.net Agenda Syntax-rules Explicit-renaming Implementation Why hygiene is good Two kinds of capture problem Expansion captured by context

453 views • 44 slides
Content Distribution Networks explicit transparent (hijacking connections) Outline

Content Distribution Networks explicit transparent (hijacking connections) Outline

Design Space Caching Content Distribution Networks explicit transparent (hijacking connections) Outline Replication Implementation Techniques server farms Hashing Schemes Redirection Strategies geographically

237 views • 6 slides
Pre- and post-quantum DiffieHellman from groups, actions, and isogenies Benjamin Smith

Pre- and post-quantum DiffieHellman from groups, actions, and isogenies Benjamin Smith

Pre- and post-quantum DiffieHellman from groups, actions, and isogenies Benjamin Smith CARAMBA Seminar // LORIA, Nancy // May 14, 2019 Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Key exchange Lets talk about

964 views • 52 slides
Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao Paulo da Silva , Ricardo Dahab, Julio L opez Institute of Computing University of Campinas Latin American Week on Coding and Information

558 views • 32 slides
Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zrich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

928 views • 72 slides
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of

Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of

Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arXiv:1012.4019 For ordinary isogenous elliptic curves of equal endomorphism ring, we show (under

657 views • 36 slides
Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Universit Paris Saclay UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet Tired of

350 views • 23 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Key bits where all known attacks take 2 operations (naive serial attack metric,

412 views • 16 slides
Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar

Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar

Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar Jetchev 1 Damien Robert 2 1 EPF Lausanne 2 INRIA Bordeaux May 20, 2014 1/21 Introduction Elliptic and Hyperelliptic Curves Applications: Public key

1.13k views • 92 slides
Cryptographic Schemes Based on Isogenies Anton Stolbunov Trondheim, January 23, 2012 www.ntnu.no

Cryptographic Schemes Based on Isogenies Anton Stolbunov Trondheim, January 23, 2012 www.ntnu.no

Cryptographic Schemes Based on Isogenies Anton Stolbunov Trondheim, January 23, 2012 www.ntnu.no Anton Stolbunov, Cryptographic Schemes Based on Isogenies 2 / 22 Outline [Ch. 1] Introduction [Ch. 2] Constructing Cryptographic Schemes Based

519 views • 22 slides
IR Simone Campanoni simonec@eecs.northwestern.edu Outline IR Explicit control flows

IR Simone Campanoni simonec@eecs.northwestern.edu Outline IR Explicit control flows

IR Simone Campanoni simonec@eecs.northwestern.edu Outline IR Explicit control flows Explicit data types A compiler High level programming language Front-end IR Middle-end IR Today: translating explicit control flow and data

696 views • 46 slides
Computing Isogenies between Montgomery Curves Using the Action of (0 , 0) Joost Renes Radboud

Computing Isogenies between Montgomery Curves Using the Action of (0 , 0) Joost Renes Radboud

Computing Isogenies between Montgomery Curves Using the Action of (0 , 0) Joost Renes Radboud University, The Netherlands 9 April 2018 9 April 2018 1 / 11 Supersingular isogeny-based cryptography Proposed by Jao & De Feo [JF11]

972 views • 56 slides
Isogenies, power operations, and homotopy theory Charles Rezk University of Illinois at

Isogenies, power operations, and homotopy theory Charles Rezk University of Illinois at

Isogenies, power operations, and homotopy theory Charles Rezk University of Illinois at Urbana-Champaign Seoul, August 18, 2014 Overview Plan. Context: power operations in cohomology theories. Recent advances: Morava E -theories. Formal

1.6k views • 124 slides
MOBILE COMPUTING CSE 40814/60814 Fall 2015 System Structure explicit explicit input output 1

MOBILE COMPUTING CSE 40814/60814 Fall 2015 System Structure explicit explicit input output 1

9/27/15 MOBILE COMPUTING CSE 40814/60814 Fall 2015 System Structure explicit explicit input output 1 9/27/15 Context as Implicit Input explicit explicit input output Context: state of the user state of the

679 views • 26 slides
Explicit-State Abstraction: A New Method Abstractions for Generating Heuristic Functions

Explicit-State Abstraction: A New Method Abstractions for Generating Heuristic Functions

Explicit-State Abstraction Explicit-State Abstraction: A New Method Abstractions for Generating Heuristic Functions Projections Explicit-State Abstractions Evaluation Malte Helmert 1 Patrik Haslum 2 org Hoffmann 3 J Conclusion 1

485 views • 25 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG

499 views • 28 slides

More recommend