Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019
The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret without making it available to EVE. 2/17
Di ffi e-Hellman Key Exchange (1976) G = < g > a finite cyclic group Discrete Logarithm Problem (DLP): Given g a find a . 3/17
Which group? Original protocol Di ffi e-Hellman (1976) ✓ Z ◆ × G = = < g > p Z DLP : Given g a mod p , find 0 < a < p � 1. 4/17
Which group? Elliptic-Curve Di ffi e-Hellman (ECDH) Koblitz and Miller (1985) E : elliptic curve over F q Q P G = E ( F q ) , P 2 G DLP P + Q Given Q = aP , find 0 < a < ord ( P ). y 2 = x 3 � 2 x + 2 5/17
Towards the quantum computing era... 1994 - Peter Shor’s quantum polynomial-time for integer factorization. ? y extends to ? Resolution of the DLP in all finite groups. ? ? y All the currently deployed public key infrastructure will IBM’s 50-qubit quantum computer March 2, 2018 need to be replaced. Credit: IBM Research Flickr 6/17
How serious is the threat? August 2015 NSA announced that it is planning to transition “in the not too distant future” to a new cipher suite that is resistant to quantum attacks. November 2017 NIST Post-Quantum Cryptography Competition: “process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms”. 7/17
What are the quantum-safe alternatives? Lattice-based cryptography 25 candidates (Round one) ! 12 candidates (Round two) Code-based cryptography 17 candidates (Round one) ! 7 candidates (Round two) Multivariate cryptography 10 candidates (Round one) ! 4 candidates (Round two) Hash-based cryptography 2 candidates (Round one) ! 1 candidates (Round two) Isogeny-based cryptography 1 candidate (Round one) ! 1 candidates (Round two) Other 5 candidates (Round one) ! 1 candidates (Round two) 8/17
Recall We look for cryptosystems which are not based on any discrete logarithm problem 9/17
Hard-Homogeneous Spaces (Couveignes, 97) G a group , X a set , an action G ⇥ X ! X ( g , x ) 7! g ⇤ x such that 8 x , x 0 2 X , 9 ! g 2 G such that g ⇤ x = x 0 . “Easy” operation (e.g. polynomial time): given g 2 G and x 2 X , compute g ⇤ x . “Hard” operation (e.g. not polynomial time): given x , x 0 2 X , find g 2 G such that g ⇤ x = x 0 . If G is Abelian ! commutative group action ! ! key exchange based on HHS. 10/17
Key exchange based on HHS public parameter : x 0 2 X Problem: Given a ⇤ x 0 find a . 11/17
Elliptic curves and isogenies E, an elliptic curve defined over F q : E : y 2 = ax 3 + bx + c , 4 a 3 + 27 b 2 6 = 0 a , b 2 F q , ϕ , an isogeny (non-constant rational map and group homomorphism): ϕ : E 0 E � ! ⇣ ⌘ g 1 ( x , y ) , f 2 ( x , y ) f 1 ( x , y ) ( x , y ) 7! g 2 ( x , y ) O := End( E ) , the ring of endomorphisms of E . 12/17
A commutative group action O an order in an imaginary quadratic field Set X : isomorphism classes E of elliptic curves having the same endomorphism ring O . Group G: ideal class group of O G = Cl( O ) = I ( O ) P ( O ) = { [ a ] : a is an ideal of O} , G is a finite abelian group. G acts on X: ϕ a : E 1 ! E 2 [ a ] ⇤ E 1 = E 2 with deg( ϕ a ) = N ( a ) 13/17
Random walks on the isogeny graph 14/18
Examples Couveignes - 1997 Rostovtsev and Stolbounov - 2006 and 2010 De Feo, Kie ff er, Smith - 2018 CSIDH - 2018 15/18
The underlying mathematical problem The security of these cryptosystems relies on the following “hard” mathematical problem: Let E 1 and E 2 two elliptic curves defined over a finite field such that there exists a imaginary quadratic order O which satisfies: O ∼ = End( E i ) , i = 1 , 2 . Problem : Find an isogeny [ a ] ∈ Cl( O ) such that φ : E 1 → E 2 [ a ] ∗ E 1 = E 2 . 16/18
How to tackle the problem? Problem : Given E 1 and E 2 , find [ a ] ∈ Cl( O ) such that [ a ] ∗ E 1 = E 2 . Limit the number of tries in Cl( O ): → Hidden Shift Problem Compute e ffi ciently [ a ] ∗ E 1 : → Factor [ a ] in a “short” product N := | Cl( O ) | ⇣ √ Biasse, I., Jacobson (2018): ⌘ O log( N ) Time: 2 ⇣ √ ⌘ O log( N ) Quantum memory: 2 17/18
Recommend
More recommend
