faster isogeny based compressed key agreement
play

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, - PowerPoint PPT Presentation

Jun 13, 2023 •45 likes •856 views

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

  1. Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1

  2. REVI EW : SI DH AND COMPRESSED KEYS 2

  3. Isogeny-based Crypto n SIDH: proposed replacement for DH-based elliptic curves in a post-quantum world. n Smallest post-quantum public keys ( < 200 bytes) ¨ boosted by key compression techniques ¨ applications with low bandwidth requirements n Downside: ¨ ≈ 2 order of magnitude slower than Four ℚ -based DH or other fast post-quantum KEM schemes (NewHope/ NTRU). 3

  4. SIDH Parameter Setting n ! = 2 $ ⋅ 3 ' − 1 for post-quantum sec. level ≈ 128 bits ¨ Previous: 751-bit prime for , = 372, / = 239 ¨ [ 2018] Adj et al. suggest ≈ 448 -bit primes are enough n 2 3 /5 6 7 ∶ 9: ; = < = + ?< ; + < a supersingular Montgomery curve of order p + 1 ; = 2 ;$ 3 ;' B , C B = 2(5 6 7 )[2 $ ] , A H , C H = 2(5 6 7 )[3 ' ] ¨ A n User private key: I ∈ K ℤ/ℓ N ℤ for ℓ ∈ 2,3 , O ∈ {,, /} n User public key: curve R S,T and points U V , U W . 4

  5. SIDH Parameter Setting n ! = 2 $ ⋅ 3 ' − 1 for post-quantum sec. level ≈ 128 bits ¨ Previous: 751-bit prime for , = 372, / = 239 ¨ [ 2018] Adj et al. suggest ≈ 448 -bit primes are enough n 2 3 /5 6 7 ∶ 9: ; = < = + ?< ; + < a supersingular Montgomery curve of order p + 1 ; = 2 ;$ 3 ;' B , C B = 2(5 6 7 )[2 $ ] , A H , C H = 2(5 6 7 )[3 ' ] ¨ A n User private key: I ∈ K ℤ/ℓ N ℤ for ℓ ∈ 2,3 , O ∈ {,, /} n User public key: curve R S,T and points U V , U W . 5

  6. SIDH Parameter Setting n ! = 2 $ ⋅ 3 ' − 1 for post-quantum sec. level ≈ 128 bits ¨ Previous: 751-bit prime for , = 372, / = 239 ¨ [ 2018] Adj et al. suggest ≈ 448 -bit primes are enough n 2 3 /5 6 7 ∶ 9: ; = < = + ?< ; + < a supersingular Montgomery curve of order p + 1 ; = 2 ;$ 3 ;' B , C B = 2(5 6 7 )[2 $ ] , A H , C H = 2(5 6 7 )[3 ' ] ¨ A n User private key: I ∈ K ℤ/ℓ N ℤ for ℓ ∈ 2,3 , O ∈ {,, /} n User public key: curve R S,T = U(2 3 ) and points V W , V X ∈ 2 B,H . 6

  7. SIDH Public Key Compression n Goal: transmit public key {" #,% , & ' , &())} " #,% /- . / : 12 3 = 5 6 + 85 3 + 5 & ' , & ) ∈ E ;,< 7

  8. SIDH Public Key Compression n [ 2011] Jao et al. ’s public key representation: !, # , $ % & , $ %(() ∈ + , - Pub. Key size: . /01 2 bits 3 4,5 /+ , - : #8 9 = ; < + !; 9 + ; % & , % ( ∈ E ?,@ 8

  9. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: '() *,+ ) ) *,+ /. / 0 : 23 4 = 6 7 + 96 4 + 6 ! " # ,% # ← '() *,+ ) : ; , : < ∈ E ?,@ isomorphic curve 9

  10. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: ! " #,% ∈ ' ( ) : * +,- . bits vs " #,% /' ( ) : 56 7 = 9 : + <9 7 + 9 #, % ∈ ' ( ) : / +,- . bits = > , = ? ∈ E A,B * 012 . bits saved 10

  11. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: :(< =,> ) < =,> /A B C : EF % = G H + IG % + G 4 5 , 4 8 ∈ / 0,1 There is a canonical basis {" # , " % } such that " # , " % = / 0,1 3 3 Idea: express 4 5 = 6 # " # + 6 % " % 4 8 = 9 # " # + 9 % " % 11

  12. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: :(< =,> ) < =,> /A B C : EF % = G H + IG % + G 4 5 , 4 8 ∈ / 0,1 There is a canonical basis {" # , " % } such that " # , " % = / 0,1 3 3 Linear algebra tasks - Build a basis Idea: express 4 5 = 6 # " # + 6 % " % - Internal product: pairing 4 8 = 9 # " # + 9 % " % - Coeff. extraction: DLOG 12

  13. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: %(' (,) ) ' (,) /. / 0 : 23 $ = 5 6 + 85 $ + 5 9 : = @ " ! " + @ $ ! $ 9 : , 9 ; ∈ = >,? 9 ; = A " ! " + A $ ! $ Find ! " , ! $ : Compression (1/ 3): Expensive scalar multiplications involved • find a basis {! " , ! $ } 13

  14. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: 7(9 :,; ) 9 :,; /> ? @ : BC ( = D E + FD ( + D ! " = $ % & % + $ ( & ( ! " , ! ) ∈ H I,J ! ) = * % & % + * ( & ( + = , - . / 0 , / 2 Compression (2/ 3): + 3 = , - . / 0 , 4 5 • prepare DLOG instances + 0 = , - . / 2 , 4 5 • Cost: 5 pairings + 2 = , - . / 0 , 4 6 + - = , - . / 2 , 4 6 21

  15. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: 9(; <,> ) ; <,> /A B C : EF ( = G H + IG ( + G ! " , ! ) ∈ K L,M ! " = $ % & % + $ ( & ( ! ) = * % & % + * ( & ( Compression (3/ 3): + , = − ./0 1 1 , + 2 = ./0 1 1 3 • Compute $ 6 ’s and * 6 ’s • Cost: 4 order 3 8 DLOGs 4 , = − ./0 1 1 5 (Pohlig-Hellman) 4 2 = ./0 1 1 2 22

  16. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: !(# $,& ) ( ) , ( * , + ) , + * ∈ ℤ . / # $,& /1 2 3 : 56 7 = 9 . + ;9 7 + 9 < = , < > ∈ ? @,A 23

  17. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: !(# $,& ) ( ) , ( * , + ) , + * ∈ ℤ . / 0 : * 123 4 bits Vs 5 6 7 , 5 6(8) ∈ 9 : ; : < 123 4 bits # $,& /A : ; : CD E = 5 . + H5 E + 5 I J , I K ∈ L M,N * =>? 4 bits saved 24

  18. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: 9(; <,= ) 3 4 , 3 6 , 8 4 , 8 6 ; <,= /@ A B : DE % = F G + HF % + F Decompression I J , I K ∈ ( ),+ • Compute ⟨" # , " % ⟩ = ( ) * ,+ * [3 . ] • Recover points: 0 1 ← 3 4 " # + 3 6 " % 0 7 ← 8 4 " # + 8 6 " % • Cost: 4 scalar muls. 25

  19. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: ! " #,% ∈ ' ( ) : * +,- . bits / 0 , / * , 1 0 , 1 * ∈ ℤ 3 4 : * +,- . bits vs #, % ∈ 5 ( ) : 6 +,- . bits 7 8(:) , 7 8 < : 6 +,- . bits Public key size: 6 =>? . bits Keys shrunk by 2× J • • Com pression tim e > 0C× KEX L 26

  20. SIDH Public Key Compression n [ 2017] Costello et al. key compression: L(4 M,; ) N O , N P , Q O , Q P !/# $ % : '( ) = + , + .+ ) + + Further compression / 0 , / 2 ∈ 4 • Bob recovers 5 6 , 5 7 to compute the kernel 8 = ⟨5 6 + : ; 5 7 ⟩ = = > + : ; ? > )A > + (= ) +: ; ? > )A ) • wlog. assume = > is invertible CDE 3 G (otherwise ? > is), then H> A > + (= ) = > H> + J K ? ) = > H> 8 = H> )A ) = 8 = > 1 + J K ? > = > 27

  21. SIDH Public Key Compression n [ 2017] Costello et al. key compression: L(4 M,; ) N O , N P , Q O , Q P !/# $ % : '( ) = + , + .+ ) + + Further compression / 0 , / 2 ∈ 4 • After recovering 5 6 , 5 7 , Bob computes the kernel 8 = ⟨5 6 + : ; 5 7 ⟩ = = > + : ; ? > )A > + (= ) +: ; ? > )A ) • wlog. assume = > is invertible CDE 3 G (otherwise ? > is), then H> A > + (= ) = > H> + J K ? ) = > H> 8 = H> )A ) = 8 = > 1 + J K ? > = > 28

  22. SIDH Public Key Compression n [ 2017] Costello et al. key compression: L(4 M,; ) N O , N P , Q O , Q P !/# $ % : '( ) = + , + .+ ) + + Further compression / 0 , / 2 ∈ 4 • After recovering 5 6 , 5 7 , Bob computes the kernel 8 = ⟨5 6 + : ; 5 7 ⟩ = = > + : ; ? > )A > + (= ) +: ; ? > )A ) • wlog. assume = > is invertible CDE 3 G (otherwise ? > is), then H> A > + (= ) = > H> + J K ? ) = > H> 8 = H> )A ) = 8 = > 1 + J K ? > = > 29

  23. SIDH Public Key Compression n [ 2017] Costello et al.’s key compression: >, ?, @ ∈ ℤ , 6 A : A/B CDE F bits !/# $ % : '( ) = + , + .+ ) + + / 0 , / 2 ∈ 4 3 elements in ℤ , 6 are enough: ;9 ∈ ℤ , 6 7 = 8 9 : 9 ;9 ∈ ℤ , 6 < = : ) : 9 ;9 ∈ ℤ , 6 = = 8 ) : 9 Plus 1 bit about invertibility of : 9 or 8 9 30

  24. SIDH Public Key Compression n 2017, Costello et al.’s key compression: !/# $ % : '( ) = + , + .+ ) + + To compress / 0 , / 2 : / 0 , / 2 ∈ 4 generate basis 5 6 , 5 ) • • Optimizations on compute 5 pairings steps 1, 2 and 3 • NB: cost of 5-way Monty Inv.: 30 muls (report) of compression and compute 4 DLOGs, i.e., {8 6 , 8 ) , 9 6 , 9 ) } • on decompression. compute ;, <, = from the quadruple above • 31

  25. SIDH Public Key Compression n 2017, Costello et al.’s key compression: !(#) ∈ & ' ( : ) *+, - bits ., 0, 1 ∈ ℤ 3 4 3 : 5/) *+, - bits 7/8 ' ( : :; < = > 3 + @> < + > A B , A C ∈ # Public key size: 5. E FGH - bits • Ex.: IJ = 328 bytes for I = 751 bits Compression time ≈ R× KEX and decompression ≈ T. U× KEX 32

  26. SIDH Public Key Compression n Is the current (de)compression performance acceptable? 33

  27. SIDH Public Key Compression n Is the current (de)compression performance acceptable? n Current state of classical elliptic curves: ¨ CHES’2 0 1 7 * : speed records for ECDH on embedded devices using curve Four ℚ . n Compression = free (similar to original SIDH, send one coordinate of the point) n Decompression = 0.04x key agreement * Liu Z, Longa P, Pereira G, Reparaz O, Seo H. FourQ on embedded devices with strong countermeasures against side-channel attacks. 34

Recommend

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
A Faster P Solution for the Byzantine Agreement Problem Michael J. Dinneen, Yun-Bum Kim, and Radu

A Faster P Solution for the Byzantine Agreement Problem Michael J. Dinneen, Yun-Bum Kim, and Radu

Introduction Byzantine agreement P modules Faster Byzantine solution Conclusions A Faster P Solution for the Byzantine Agreement Problem Michael J. Dinneen, Yun-Bum Kim, and Radu Nicolescu Department of Computer Science, University of

1.07k views • 69 slides
Faster Subsequence and Dont -Care Pattern Matching on Compressed Texts Takanori Yamamoto,

Faster Subsequence and Dont -Care Pattern Matching on Compressed Texts Takanori Yamamoto,

Faster Subsequence and Dont -Care Pattern Matching on Compressed Texts Takanori Yamamoto, Hideo Bannai, Shunsuke Inenaga, Masayuki Takeda Department of Informatics, Kyushu University, JAPAN Originally presented at CPM 2011 1 Self

1.17k views • 47 slides
Faster Pattern Matching with Mismatches in Compressed Texts Karl Bringmann, Marvin Knnemann, and

Faster Pattern Matching with Mismatches in Compressed Texts Karl Bringmann, Marvin Knnemann, and

Few Matches or Almost Periodicity: Faster Pattern Matching with Mismatches in Compressed Texts Karl Bringmann, Marvin Knnemann, and Philip Wellnitz Max Planck Institute for Informatics, Saarland Informatics Campus (SIC), Saarbrcken, Germany

1.61k views • 134 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Compressed Membership for NFA (DFA) with Compressed Labels is in NP (P) Artur Je University of

Compressed Membership for NFA (DFA) with Compressed Labels is in NP (P) Artur Je University of

Compressed Membership for NFA (DFA) with Compressed Labels is in NP (P) Artur Je University of Wrocaw Compressed membership for NFA 1 / 17 Artur Je What this talk is about Fully compressed membership problem for automata Compressed

733 views • 69 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea Basso 1 , P eter Kutas 1 , Simon-Philipp Merz 2 , Christophe Petit 1 , Charlotte Weitk amper 1 University of Birmingham, UK Royal Holloway,

575 views • 19 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 &amp; 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ &amp; Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
Faster Agreement via a Spectral Method for Detecting Malicious Behavior Valerie King Jared

Faster Agreement via a Spectral Method for Detecting Malicious Behavior Valerie King Jared

Faster Agreement via a Spectral Method for Detecting Malicious Behavior Valerie King Jared Saia Abstract to be reliable. What happens if a hidden cabal generates bits that are not truly random? Can we detect and We address the problem

340 views • 16 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov

Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov

Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov 15, 2018, cole des Mines de Saint-tienne, Gardanne Elliptic curves Let E y 2 x 3 ax b be an elliptic curve... R Q P P Q

715 views • 57 slides
Compressed Strings and Applications Shunsuke Inenaga Kyushu University, Japan Collaborators

Compressed Strings and Applications Shunsuke Inenaga Kyushu University, Japan Collaborators

PSC 2015 Faster Longest Common Extension on Compressed Strings and Applications Shunsuke Inenaga Kyushu University, Japan Collaborators This work is a collaboration with: Hideo Takaaki Bannai Nishimoto Tomohiro Masayuki I Takeda

1.06k views • 75 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics &amp; Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics &amp; Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics &amp; Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Reminder on elliptic curves Endomorphism ring Volcano of -isogeny and Frobenius endomorphism -adic tower Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril Hugounenq, Jerome Plut, Eric Schost

472 views • 28 slides
Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The

Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The

Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The CODATA-RDA Research Data Science Applied workshop on Bioinformatics ICTP, Trieste - Italy July 24-28, 2017 Nicola Prezza Technical University of

788 views • 45 slides

More recommend