isogeny based cryptography an introduction
play

Isogeny Based Cryptography: an Introduction Luca De Feo IBM - PowerPoint PPT Presentation

Dec 26, 2022 •273 likes •2k views

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

  1. ✱ ✣ ✵ ✦ ✦ ✦ ✦ Maps: what’s /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣ ✭ P ✮ // E ✵ , A map E ✦ E a group morphism, with finite kernel E ❬ n ❪ ✬ ✭ ❩ ❂ n ❩ ✮ 2 any finite subgroup H ✚ E ), (//// the///////// torsion//////// group ///////////////////// surjective (in the algebraic closure), n 2 ★ H . given by rational maps of degree/// Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 9 / 80 https://defeo.lu/docet

  2. Maps: what’s /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣ ✭ P ✮ // E ✵ , A map E ✦ E a group morphism, with finite kernel E ❬ n ❪ ✬ ✭ ❩ ❂ n ❩ ✮ 2 any finite subgroup H ✚ E ), (//// the///////// torsion//////// group ///////////////////// surjective (in the algebraic closure), n 2 ★ H . given by rational maps of degree/// (Separable) isogenies ✱ finite subgroups: ✦ E ✵ ✦ 0 ✣ 0 ✦ H ✦ E Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 9 / 80 https://defeo.lu/docet

  3. ❋ ✄ ✼✦ Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x ✥ ✦ x 2 ✰ 1 y x 2 � 1 ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 10 / 80 https://defeo.lu/docet

  4. Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x Kernel generator in red. ✥ ✦ x 2 ✰ 1 y x 2 � 1 ✣ ✭ x ❀ y ✮ ❂ ❀ This is a degree 2 map. x 2 x Analogous to x ✼✦ x 2 in ❋ ✄ q . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 10 / 80 https://defeo.lu/docet

  5. Maps: isogenies Theorem Let ✣ ✿ E ✦ E ✵ be a map between elliptic curves. These conditions are equivalent: ✣ is a surjective group morphism, ✣ is a group morphism with finite kernel, ✣ is a non-constant algebraic map of projective varieties sending the point at infinity of E onto the point at infinity of E ✵ . If they hold ✣ is called an isogeny. Two curves are called isogenous if there exists an isogeny between them. Example: Multiplication-by- m On any curve, an isogeny from E to itself (i.e., an endomorphism): ❬ m ❪ ✿ E ✦ E ❀ P ✼✦ ❬ m ❪ P ✿ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 11 / 80 https://defeo.lu/docet

  6. Isogeny lexicon Degree ✙ degree of the rational fractions defining the isogeny; Rough measure of the information needed to encode it. Separable, inseparable, cyclic An isogeny ✣ is separable iff ❞❡❣ ✣ ❂ ★ ❦❡r ✣ . Given H ✚ E finite, write ✣ ✿ E ✦ E ❂ H for the unique separable isogeny s.t. ❦❡r ✣ ❂ H . ✣ inseparable ✮ p divides ❞❡❣ ✣ . Cyclic isogeny ✑ separable isogeny with cyclic kernel. ■ Non-example: the multiplication map ❬ m ❪ ✿ E ✦ E . Rationality Given E defined over k , an isogeny ✣ is rational if ❦❡r ✣ is Galois invariant. ✮ ✣ is represented by rational fractions with coefficients in k . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 12 / 80 https://defeo.lu/docet

  7. The dual isogeny Let ✣ ✿ E ✦ E ✵ be an isogeny of degree m . There is a unique isogeny ❫ ✣ ✿ E ✵ ✦ E such that ❫ ✣ ✍ ❫ ✣ ✍ ✣ ❂ ❬ m ❪ E ❀ ✣ ❂ ❬ m ❪ E ✵ ✿ ❫ ✣ is called the dual isogeny of ✣ ; it has the following properties: ❫ ✣ is defined over k if and only if ✣ is; 1 ✥ for any isogeny ✥ ✿ E ✵ ✦ E ✵✵ ; ❬ ✥ ✍ ✣ ❂ ❫ ✣ ✍ ❫ 2 ✥ ✰ ✣ ❂ ❫ ❭ ✥ ✰ ❫ ✣ for any isogeny ✥ ✿ E ✦ E ✵ ; 3 ❞❡❣ ✣ ❂ ❞❡❣ ❫ ✣ ; 4 ❫ ❫ ✣ ❂ ✣ . 5 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 13 / 80 https://defeo.lu/docet

  8. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  9. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  10. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  11. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  12. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  13. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  14. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  15. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  16. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  17. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  18. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  19. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  20. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  21. ✣ ❂ ❂ Up to isomorphism R Q P P ✰ Q y 2 ❂ x 3 ✰ ax ✰ b 4 a 3 j ✑ 1728 � ✦ 4 a 3 ✰ 27 b 2 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  22. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  23. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  24. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  25. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  26. ✣ ❂ ❂ ✰ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  27. ✣ ❂ ✰ ❂ ✰ ✰ ❂ � ✦ ✑ ✰ Up to isomorphism Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  28. ✰ ❂ ✰ ✰ � ✦ ✑ ✰ ✣ ❂ Up to isomorphism j ❂ 1728 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  29. ✰ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism ✣ j ❂ 1728 j ❂ 287496 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  30. ✰ ❂ ✰ ✰ � ✦ ✑ ✰ ✣ Up to isomorphism j ❂ 1728 j ❂ 287496 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 14 / 80 https://defeo.lu/docet

  31. Isogeny graphs Serre-Tate theorem Two elliptic curves E ❀ E ✵ defined over a finite field ❋ q are isogenous (over ❋ q ) iff ★ E ✭ ❋ q ✮ ❂ ★ E ✵ ✭ ❋ q ✮ . Isogeny graphs Vertices are curves up to isomorphism, Edges are isogenies up to isomorphism. Isogeny volcanoes Curves are ordinary, Isogenies all have degree a prime ❵ . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 15 / 80 https://defeo.lu/docet

  32. The endomorphism ring The endomorphism ring ❊♥❞✭ E ✮ of an elliptic curve E is the ring of all isogenies E ✦ E (plus the null map) with addition and composition. Theorem (Deuring) Let E be an elliptic curve defined over a field k of characteristic p . ❊♥❞✭ E ✮ is isomorphic to one of the following: ❩ , only if p ❂ 0 E is ordinary. An order ❖ in a quadratic imaginary field: E is ordinary with complex multiplication by ❖ . Only if p ❃ 0 , a maximal order in a quaternion algebra a : E is supersingular. a (ramified at p and ✶ ) Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 16 / 80 https://defeo.lu/docet

  33. Algebras, orders ♣ A quadratic imaginary number field is an extension of ◗ of the form ◗ ✭ � D ✮ for some non-square D ❃ 0 . A quaternion algebra is an algebra of the form ◗ ✰ ☛ ◗ ✰ ☞ ◗ ✰ ☛☞ ◗ , where the generators satisfy the relations ☛ 2 ❀ ☞ 2 ✷ ◗ ❀ ☛ 2 ❁ 0 ❀ ☞ 2 ❁ 0 ❀ ☞☛ ❂ � ☛☞✿ Orders Let K be a finitely generated ◗ -algebra. An order ❖ ✚ K is a subring of K that is a finitely generated ❩ -module of maximal dimension. An order that is not contained in any other order of K is called a maximal order. Examples: ❩ is the only order contained in ◗ , ❩ ❬ i ❪ is the only maximal order of ◗ ✭ i ✮ , ♣ ♣ ❩ ❬ 5 ❪ is a non-maximal order of ◗ ✭ 5 ✮ , The ring of integers of a number field is its only maximal order, In general, maximal orders in quaternion algebras are not unique. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 17 / 80 https://defeo.lu/docet

  34. The finite field case Theorem (Hasse) Let E be defined over a finite field. Its Frobenius endomorphism ✙ satisfies a quadratic equation ✙ 2 � t ✙ ✰ q ❂ 0 in ❊♥❞✭ E ✮ for some ❥ t ❥ ✔ 2 ♣ q , called the trace of ✙ . The trace t is coprime to q if and only if E is ordinary. Suppose E is ordinary, then D ✙ ❂ t 2 � 4 q ❁ 0 is the discriminant of ❩ ❬ ✙ ❪ . K ❂ ◗ ✭ ✙ ✮ ❂ ◗ ✭ ♣ D ✙ ✮ is the endomorphism algebra of E . Denote by ❖ K its ring of integers, then ❩ ✻ ❂ ❩ ❬ ✙ ❪ ✚ ❊♥❞✭ E ✮ ✚ ❖ K ✿ In the supersingular case, ✙ may or may not be in ❩ , depending on q . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 18 / 80 https://defeo.lu/docet

  35. Endomorphism rings of ordinary curves ❖ K Classifying quadratic orders Let K be a quadratic number field, and let ❖ K be its ring of integers. ❩ ✰ 2 ❖ K ❩ ✰ 3 ❖ K ❩ ✰ 5 ❖ K Any order ❖ ✚ K can be written as ❖ ❂ ❩ ✰ f ❖ K for an integer f , called the conductor of ❖ , denoted by ❬ ❖ K ✿ ❖ ❪ . If d K is the discriminant of K , the discriminant ❩ ✰ 6 ❖ K ❩ ✰ 10 ❖ K ❩ ✰ 15 ❖ K of ❖ is f 2 d K . If ❖ ❀ ❖ ✵ are two orders with discriminants d ❀ d ✵ , then ❖ ✚ ❖ ✵ iff d ✵ ❥ d . ❩ ❬ ✙ ❪ ✬ ❩ ✰ 30 ❖ K Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 19 / 80 https://defeo.lu/docet

  36. Volcanology (Kohel 1996) ❊♥❞✭ E ✮ Let E ❀ E ✵ be curves with respective endomorphism rings ❖ ❀ ❖ ✵ ✚ K . ❖ K Let ✣ ✿ E ✦ E ✵ be an isogeny of prime degree ❵ , then: if ❖ ❂ ❖ ✵ , ✣ is horizontal; ❩ ❬ ✙ ❪ if ❬ ❖ ✵ ✿ ❖ ❪ ❂ ❵ , ✣ is ascending; if ❬ ❖ ✿ ❖ ✵ ❪ ❂ ❵ , ✣ is descending. Ordinary isogeny volcano of degree ❵ ❂ 3 . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 20 / 80 https://defeo.lu/docet

  37. ✿ ❩ ❬ ✙ ❪❪✮ ❂ ❵ ✭❬ ❖ Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ❖ K : maximal order of K , ✁ ✁ ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ 1 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 21 / 80 https://defeo.lu/docet

  38. Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ❖ K : maximal order of K , ✁ ✁ ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ 1 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 21 / 80 https://defeo.lu/docet

  39. Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ❖ K : maximal order of K , ✁ ✁ ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . How large is the crater? � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ 1 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 21 / 80 https://defeo.lu/docet

  40. How large is the crater of a volcano? ♣ Let ❊♥❞✭ E ✮ ❂ ❖ ✚ ◗ ✭ � D ✮ . Define ■ ✭ ❖ ✮ , the group of invertible fractional ideals, P ✭ ❖ ✮ , the group of principal ideals, The class group The class group of ❖ is ❈❧✭ ❖ ✮ ❂ ■ ✭ ❖ ✮ ❂ P ✭ O ✮ ✿ It is a finite abelian group. Its order h ✭ ❖ ✮ is called the class number of ❖ . ♣ It arises as the Galois group of an abelian extension of ◗ ✭ � D ✮ . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 22 / 80 https://defeo.lu/docet

  41. Complex multiplication The a -torsion Let a ✚ ❖ be an (integral invertible) ideal of ❖ ; Let E ❬ a ❪ be the subgroup of E annihilated by a : E ❬ a ❪ ❂ ❢ P ✷ E ❥ ☛ ✭ P ✮ ❂ 0 for all ☛ ✷ a ❣ ❀ Let ✣ ✿ E ✦ E a , where E a ❂ E ❂ E ❬ a ❪ . Then ❊♥❞✭ E a ✮ ❂ ❖ (i.e., ✣ is horizontal). Theorem (Complex multiplication) The action on the set of elliptic curves with complex multiplication by ❖ defined by a ✄ j ✭ E ✮ ❂ j ✭ E a ✮ factors through ❈❧✭ ❖ ✮ , is faithful and transitive. Corollary ✏ ✑ D Let ❊♥❞✭ E ✮ have discriminant D . Assume that ❂ 1 , then E is on a crater of size N of an ❵ ❵ -volcano, and N ❥ h ✭❊♥❞✭ E ✮✮ . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 23 / 80 https://defeo.lu/docet

  42. ❈❧✭ ❖ ✮ Complex multiplication graphs E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 E 6 E 12 E 7 E 11 E 8 E 10 E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 24 / 80 https://defeo.lu/docet

  43. ❈❧✭ ❖ ✮ Complex multiplication graphs E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 Edges are horizontal isogenies of bounded prime degree. degree 2 E 6 E 12 E 7 E 11 E 8 E 10 E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 24 / 80 https://defeo.lu/docet

  44. ❈❧✭ ❖ ✮ Complex multiplication graphs E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 Edges are horizontal isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 E 8 E 10 E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 24 / 80 https://defeo.lu/docet

  45. ❈❧✭ ❖ ✮ Complex multiplication graphs E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 Edges are horizontal isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 degree 5 E 8 E 10 E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 24 / 80 https://defeo.lu/docet

  46. Complex multiplication graphs E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 Edges are horizontal isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 degree 5 Isomorphic to a Cayley graph of E 8 E 10 ❈❧✭ ❖ K ✮ . E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 24 / 80 https://defeo.lu/docet

  47. Supersingular endomorphisms Recall, a curve E over a field ❋ q of characteristic p is supersingular iff ✙ 2 � t ✙ ✰ q ❂ 0 with t ❂ 0 ♠♦❞ p . Case: t ❂ 0 ✮ D ✙ ❂ � 4 q Only possibility for E ❂ ❋ p , E ❂ ❋ p has CM by an order of ◗ ✭ ♣� p ✮ , similar to the ordinary case. t ❂ ✝ 2 ♣ q Case: ✮ D ✙ ❂ 0 General case for E ❂ ❋ q , when q is an even power. ✙ ❂ ✝♣ q ✷ ❩ , hence no complex multiplication. We will ignore marginal cases: t ❂ ✝♣ q ❀ ✝♣ 2 q ❀ ✝♣ 3 q . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 25 / 80 https://defeo.lu/docet

  48. Supersingular complex multiplication Let E ❂ ❋ p be a supersingular curve, then ✙ 2 ❂ � p . Theorem (Delfs, Galbraith 2016) Let ❊♥❞ ❋ p ✭ E ✮ denote the ring of ❋ p -rational endomorphisms of E . Then ❩ ❬ ✙ ❪ ✚ ❊♥❞ ❋ p ✭ E ✮ ✚ ◗ ✭ ♣� p ✮ ✿ Orders of ◗ ✭ ♣� p ✮ If p ❂ 1 ♠♦❞ 4 , then ❩ ❬ ✙ ❪ is the maximal order. If p ❂ � 1 ♠♦❞ 4 , then ❩ ❬ ✙ ✰ 1 2 ❪ is the maximal order, and ❬ ❩ ❬ ✙ ✰ 1 2 ❪ ✿ ❩ ❬ ✙ ❪❪ ❂ 2 . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 26 / 80 https://defeo.lu/docet

  49. Supersingular CM graphs 2 -volcanoes, p ❂ � 1 ♠♦❞ 4 ❩ ❬ ✙ ✰ 1 2 ❪ ❩ ❬ ✙ ❪ 2 -graphs, p ❂ 1 ♠♦❞ 4 ❩ ❬ ✙ ❪ ✏ ✑ � p All other ❵ -graphs are cycles of horizontal isogenies iff ❂ 1 . ❵ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 27 / 80 https://defeo.lu/docet

  50. The full endomorphism ring Theorem (Deuring) Let E be a supersingular elliptic curve, then E is isomorphic to a curve defined over ❋ p 2 ; Every isogeny of E is defined over ❋ p 2 ; Every endomorphism of E is defined over ❋ p 2 ; ❊♥❞✭ E ✮ is isomorphic to a maximal order in a quaternion algebra ramified at p and ✶ . In particular: If E is defined over ❋ p , then ❊♥❞ ❋ p ✭ E ✮ is strictly contained in ❊♥❞✭ E ✮ . Some endomorphisms do not commute! Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 28 / 80 https://defeo.lu/docet

  51. An example The curve of j -invariant 1728 E ✿ y 2 ❂ x 3 ✰ x is supersingular over ❋ p iff p ❂ � 1 ♠♦❞ 4 . Endomorphisms ❊♥❞✭ E ✮ ❂ ❩ ❤ ✓❀ ✙ ✐ , with: ✙ the Frobenius endomorphism, s.t. ✙ 2 ❂ � p ; ✓ the map ✓ ✭ x ❀ y ✮ ❂ ✭ � x ❀ iy ✮ ❀ where i ✷ ❋ p 2 is a 4-th root of unity. Clearly, ✓ 2 ❂ � 1 . And ✓✙ ❂ � ✙✓ . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 29 / 80 https://defeo.lu/docet

  52. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 1728 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 30 / 80 https://defeo.lu/docet

  53. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 1728 ❈❧✭ � 4 p ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 30 / 80 https://defeo.lu/docet

  54. ❈❧✭ � ✮ ❂ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 30 / 80 https://defeo.lu/docet

  55. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 0 ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 30 / 80 https://defeo.lu/docet

  56. ❂ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party ❈❧✭ � 3 ✮ ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 30 / 80 https://defeo.lu/docet

  57. ❂ ❂ Class group action party ❈❧✭ � 3 ✮ ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ ❈❧✭ � 23 ✮ ❈❧✭ � 79 ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 30 / 80 https://defeo.lu/docet

  58. Supersingular graphs Quaternion algebras have many maximal orders. For every maximal order type of B p ❀ ✶ there are 1 or 2 curves over ❋ p 2 having endomorphism ring isomorphic to it. There is a unique isogeny class of supersingular curves over ✖ ❋ p of size ✙ p ❂ 12 . Lef ideals act on the set of maximal orders like isogenies. Figure: 3 -isogeny graph on ❋ 97 2 . The graph of ❵ -isogenies is ✭ ❵ ✰ 1 ✮ -regular. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 31 / 80 https://defeo.lu/docet

  59. Graphs lexicon Degree: Number of (outgoing/ingoing) edges. k -regular: All vertices have degree k . Connected: There is a path between any two vertices. Distance: The length of the shortest path between two vertices. Diameter: The longest distance between two vertices. ✕ 1 ✕ ✁ ✁ ✁ ✕ ✕ n : The (ordered) eigenvalues of the adjacency matrix. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 32 / 80 https://defeo.lu/docet

  60. Expander graphs Proposition If G is a k -regular graph, its largest and smallest eigenvalues satisfy k ❂ ✕ 1 ✕ ✕ n ✕ � k ✿ Expander families An infinite family of connected k -regular graphs on n vertices is an expander family if there exists an ✎ ❃ 0 such that all non-trivial eigenvalues satisfy ❥ ✕ ❥ ✔ ✭ 1 � ✎ ✮ k for n large enough. Expander graphs have short diameter: O ✭❧♦❣ n ✮ ; Random walks mix rapidly: afer O ✭❧♦❣ n ✮ steps, the induced distribution on the vertices is close to uniform. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 33 / 80 https://defeo.lu/docet

  61. Expander graphs from isogenies Theorem (Pizer) Let ❵ be fixed. The family of graphs of supersingular curves over ❋ p 2 with ❵ -isogenies, as p ✦ ✶ , is an expander family a . a Even better, it has the Ramanujan property. Theorem (Jao, Miller, Venkatesan) ♣ Let ❖ ✚ ◗ ✭ � D ✮ be an order in a quadratic imaginary field. The graphs of all curves over ❋ q with complex multiplication by ❖ , with isogenies of prime degree bounded a by ✭❧♦❣ q ✮ 2 ✰ ✍ , are expanders. a May contain traces of GRH. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 34 / 80 https://defeo.lu/docet

  62. Executive summary Separable ❵ -isogeny = finite kernel = subgroup of E ❬ ❵ ❪ (= ideal of norm ❵ ), Isogeny graphs have j -invariants for vertices and “some” isogenies for edges. By varying the choices for the vertex and the isogeny set, we obtain graphs with different properties. ❵ -isogeny graphs of ordinary curves are volcanoes, (full) ❵ -isogeny graphs of supersingular curves are finite ✭ ❵ ✰ 1 ✮ -regular. CM theory naturally leads to define graphs of horizontal isogenies (both in the ordinary and the supersingular case) that are isomorphic to Cayley graphs of class groups. CM graphs are expanders. Supersingular full ❵ -isogeny graphs are Ramanujan. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 35 / 80 https://defeo.lu/docet

  63. Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zürich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet

  64. The beauty and the beast (credit: Lorenz Panny) Components of particular isogeny graphs look like this: Which of these is good for crypto? Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 37 / 80 https://defeo.lu/docet

  65. The beauty and the beast (credit: Lorenz Panny) Components of particular isogeny graphs look like this: Which of these is good for crypto? Both. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 37 / 80 https://defeo.lu/docet

  66. The beauty and the beast (credit: Lorenz Panny) At this time, there are two distinct families of systems: ❋ p ❋ p 2 CSIDH [pron.: sea-side] SIDH https://csidh.isogeny.org https://sike.org Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 37 / 80 https://defeo.lu/docet

  67. Brief history of isogeny-based cryptography 1997 Couveignes introduces the Hard Homogeneous Spaces framework. His work stays unpublished for 10 years. 2006 Rostovtsev & Stolbunov independently rediscover Couveignes ideas, suggest isogeny-based Diffie–Hellman as a quantum-resistant primitive. 2006-2010 Other isogeny-based protocols by Teske and Charles, Goren & Lauter. 2011-2012 D., Jao & Plût introduce SIDH, an efficient post-quantum key exchange inspired by Couveignes, Rostovtsev, Stolbunov, Charles, Goren, Lauter. 2017 SIDH is submitted to the NIST competition (with the name SIKE, only isogeny-based candidate). 2018 D., Kieffer & Smith resurrect the Couveignes–Rostovtsev–Stolbunov protocol, Castryck, Lange, Martindale, Panny & Renes create an efficient variant named CSIDH. 2019 The year of proofs of isogeny knowledge: SeaSign (D. & Galbraith; Decru, Panny & Vercauteren), CSI-FiSh (Beullens, Kleinjung & Vercauteren), VDF (D., Masson, Petit & Sanso), threshold (D. & Meyer). Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 38 / 80 https://defeo.lu/docet

  68. Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 39 / 80 https://defeo.lu/docet

  69. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 39 / 80 https://defeo.lu/docet

  70. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 39 / 80 https://defeo.lu/docet

  71. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 39 / 80 https://defeo.lu/docet

  72. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 39 / 80 https://defeo.lu/docet

  73. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 39 / 80 https://defeo.lu/docet

  74. Elliptic curves Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 40 / 80 https://defeo.lu/docet

  75. The QUANTHOM Menace Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 41 / 80 https://defeo.lu/docet

  76. Basically every isogeny-based key-exchange... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 42 / 80 https://defeo.lu/docet

  77. Basically every isogeny-based key-exchange... Public curve Public curve Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 42 / 80 https://defeo.lu/docet

  78. Basically every isogeny-based key-exchange... Public curve Shared secret Public curve Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography Simula UiB 42 / 80 https://defeo.lu/docet

Recommend

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

1.87k views • 144 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles & Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

1.01k views • 73 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
Introduction to quantum algorithms and introduction to code-based cryptography Daniel J.

Introduction to quantum algorithms and introduction to code-based cryptography Daniel J.

Introduction to quantum algorithms and introduction to code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Data (state) stored in n bits: an element of { 0 ; 1 } n ,

1.97k views • 138 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles St-Quentin-en-Yvelines France 1 Introduction: EC in cryptography Starting point: 1985 (V. Miller) Discrete logarithm based

487 views • 45 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea Basso 1 , P eter Kutas 1 , Simon-Philipp Merz 2 , Christophe Petit 1 , Charlotte Weitk amper 1 University of Birmingham, UK Royal Holloway,

575 views • 19 slides
Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Cryptography Game-based Proofs Assumptions BLS Signature BF IB-Encryption Conclusion Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable Security Game-based Methodology 2 Game-based Approach

345 views • 12 slides

More recommend