isogeny based cryptography an introduction
play

Isogeny Based Cryptography: an Introduction Luca De Feo IBM - PowerPoint PPT Presentation

Feb 23, 2023 •327 likes •1.95k views

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

  1. Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x Kernel generator in red. ✥ ✦ x 2 ✰ 1 y x 2 � 1 ✣ ✭ x ❀ y ✮ ❂ ❀ This is a degree 2 map. x 2 x Analogous to x ✼✦ x 2 in ❋ ✄ q . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 9 / 73 https://defeo.lu/docet

  2. Maps: isogenies Theorem Let ✣ ✿ E ✦ E ✵ be a map between elliptic curves. These conditions are equivalent: ✣ is a surjective group morphism, ✣ is a group morphism with finite kernel, ✣ is a non-constant algebraic map of projective varieties sending the point at infinity of E onto the point at infinity of E ✵ . If they hold ✣ is called an isogeny. Two curves are called isogenous if there exists an isogeny between them. Example: Multiplication-by- m On any curve, an isogeny from E to itself (i.e., an endomorphism): ❬ m ❪ ✿ E ✦ E ❀ P ✼✦ ❬ m ❪ P ✿ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 10 / 73 https://defeo.lu/docet

  3. Isogeny lexicon Degree ✙ degree of the rational fractions defining the isogeny; Rough measure of the information needed to encode it. Separable, inseparable, cyclic An isogeny ✣ is separable iff ❞❡❣ ✣ ❂ ★ ❦❡r ✣ . Given H ✚ E finite, write ✣ ✿ E ✦ E ❂ H for the unique separable isogeny s.t. ❦❡r ✣ ❂ H . ✣ inseparable ✮ p divides ❞❡❣ ✣ . Cyclic isogeny ✑ separable isogeny with cyclic kernel. ■ Non-example: the multiplication map ❬ m ❪ ✿ E ✦ E . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 11 / 73 https://defeo.lu/docet

  4. The dual isogeny Let ✣ ✿ E ✦ E ✵ be an isogeny of degree m . There is a unique isogeny ❫ ✣ ✿ E ✵ ✦ E such that ❫ ✣ ✍ ❫ ✣ ✍ ✣ ❂ ❬ m ❪ E ❀ ✣ ❂ ❬ m ❪ E ✵ ✿ ❫ ✣ is called the dual isogeny of ✣ ; it has the following properties: ❫ ✣ is defined over k if and only if ✣ is; 1 ✥ for any isogeny ✥ ✿ E ✵ ✦ E ✵✵ ; ❬ ✥ ✍ ✣ ❂ ❫ ✣ ✍ ❫ 2 ✥ ✰ ✣ ❂ ❫ ❭ ✥ ✰ ❫ ✣ for any isogeny ✥ ✿ E ✦ E ✵ ; 3 ❞❡❣ ✣ ❂ ❞❡❣ ❫ ✣ ; 4 ❫ ❫ ✣ ❂ ✣ . 5 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 12 / 73 https://defeo.lu/docet

  5. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  6. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  7. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  8. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  9. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  10. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  11. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  12. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  13. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  14. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  15. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  16. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  17. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  18. ✣ ❂ ❂ Up to isomorphism R Q P P ✰ Q y 2 ❂ x 3 ✰ ax ✰ b 4 a 3 j ✑ 1728 � ✦ 4 a 3 ✰ 27 b 2 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  19. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  20. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  21. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  22. ✣ ❂ ❂ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  23. ✣ ❂ ❂ ✰ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  24. ✣ ❂ ✰ ❂ ✰ ✰ ❂ � ✦ ✑ ✰ Up to isomorphism Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  25. ✰ ❂ ✰ ✰ � ✦ ✑ ✰ ✣ ❂ Up to isomorphism j ❂ 1728 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  26. ✰ ❂ ✰ ✰ � ✦ ✑ ✰ Up to isomorphism ✣ j ❂ 1728 j ❂ 287496 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  27. ✰ ❂ ✰ ✰ � ✦ ✑ ✰ ✣ Up to isomorphism j ❂ 1728 j ❂ 287496 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 13 / 73 https://defeo.lu/docet

  28. Isogeny graphs Serre-Tate theorem Two elliptic curves E ❀ E ✵ defined over a finite field ❋ q are isogenous (over ❋ q ) iff ★ E ✭ ❋ q ✮ ❂ ★ E ✵ ✭ ❋ q ✮ . Isogeny graphs Vertices are curves up to isomorphism, Edges are isogenies up to isomorphism. Isogeny volcanoes Curves are ordinary, Isogenies all have degree a prime ❵ . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 14 / 73 https://defeo.lu/docet

  29. The endomorphism ring The endomorphism ring ❊♥❞✭ E ✮ of an elliptic curve E is the ring of all isogenies E ✦ E (plus the null map) with addition and composition. Theorem (Deuring) Let E be an elliptic curve defined over a field k of characteristic p . ❊♥❞✭ E ✮ is isomorphic to one of the following: ❩ , only if p ❂ 0 E is ordinary. An order ❖ in a quadratic imaginary field: E is ordinary with complex multiplication by ❖ . Only if p ❃ 0 , a maximal order in a quaternion algebra a : E is supersingular. a (ramified at p and ✶ ) Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 15 / 73 https://defeo.lu/docet

  30. Algebras, orders ♣ A quadratic imaginary number field is an extension of ◗ of the form ◗ ✭ � D ✮ for some D ❃ 0 . A quaternion algebra is an algebra of the form ◗ ✰ ☛ ◗ ✰ ☞ ◗ ✰ ☛☞ ◗ , where the generators satisfy the relations ☛ 2 ❀ ☞ 2 ✷ ◗ ❀ ☛ 2 ❁ 0 ❀ ☞ 2 ❁ 0 ❀ ☞☛ ❂ � ☛☞✿ Orders Let K be a finitely generated ◗ -algebra. An order ❖ ✚ K is a subring of K that is a finitely generated ❩ -module of maximal dimension. An order that is not contained in any other order of K is called a maximal order. Examples: ❩ is the only order contained in ◗ , ❩ ❬ i ❪ is the only maximal order of ◗ ✭ i ✮ , ♣ ♣ ❩ ❬ 5 ❪ is a non-maximal order of ◗ ✭ 5 ✮ , The ring of integers of a number field is its only maximal order, In general, maximal orders in quaternion algebras are not unique. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 16 / 73 https://defeo.lu/docet

  31. The finite field case Frobenius endomorphism ✙ ✿ ✭ x ❀ y ✮ ✼✦ ✭ x q ❀ y q ✮ Theorem (Hasse): ✙ satisfies a quadratic equation ✙ 2 � t ✙ ✰ q ❂ 0 ✿ t is the trace, D ✙ ❂ t 2 � 4 q ✔ 0 is the discriminant, t ❂ 0 ♠♦❞ p iff the curve is supersingular. In the ordinary case D ✙ ✻ ❂ 0 and ♣ ❩ ❬ ✙ ❪ ✚ ❊♥❞✭ E ✮ ✚ ◗ ✭ D ✙ ✮ ✿ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 17 / 73 https://defeo.lu/docet

  32. Volcanology (Kohel 1996) ❊♥❞✭ E ✮ Let E ❀ E ✵ be curves with respective endomorphism rings ❖ ❀ ❖ ✵ ✚ K . ❖ K Let ✣ ✿ E ✦ E ✵ be an isogeny of prime degree ❵ , then: if ❖ ❂ ❖ ✵ , ✣ is horizontal; ❩ ❬ ✙ ❪ if ❬ ❖ ✵ ✿ ❖ ❪ ❂ ❵ , ✣ is ascending; if ❬ ❖ ✿ ❖ ✵ ❪ ❂ ❵ , ✣ is descending. Ordinary isogeny volcano of degree ❵ ❂ 3 . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 18 / 73 https://defeo.lu/docet

  33. ✿ ❩ ❬ ✙ ❪❪✮ ❂ ❵ ✭❬ ❖ Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ❖ K : maximal order of K , ✁ ✁ ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ 1 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 19 / 73 https://defeo.lu/docet

  34. Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ❖ K : maximal order of K , ✁ ✁ ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ 1 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 19 / 73 https://defeo.lu/docet

  35. Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ❖ K : maximal order of K , ✁ ✁ ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . How large is the crater? � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ ❵ 1 ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪ 1 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 19 / 73 https://defeo.lu/docet

  36. Vortex Surfer E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 E 6 E 12 E 7 E 11 E 8 E 10 E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 20 / 73 https://defeo.lu/docet

  37. Vortex Surfer E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 Edges are horizontal isogenies of bounded prime degree. degree 2 E 6 E 12 E 7 E 11 E 8 E 10 E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 20 / 73 https://defeo.lu/docet

  38. Vortex Surfer E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 Edges are horizontal isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 E 8 E 10 E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 20 / 73 https://defeo.lu/docet

  39. Vortex Surfer E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 Edges are horizontal isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 degree 5 E 8 E 10 E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 20 / 73 https://defeo.lu/docet

  40. Vortex Surfer E 3 Vertices are elliptic curves with E 4 E 2 complex multiplication by ❖ K (i.e., ♣ ❊♥❞✭ E ✮ ✬ ❖ K ✚ ◗ ✭ � D ✮ ). E 5 E 1 Edges are horizontal isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 degree 5 E 8 E 10 What’s happening here? Algebra! E 9 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 20 / 73 https://defeo.lu/docet

  41. ❵ ❵ ✣ ✵ ❂ ✣ ❖ Isogenies ✩ Ideals of ❊♥❞✭ E ✮ Horizontal Isogenies Invertible Ideals ❦❡r ✣ a ❂ ❢ P ✷ E ❥ ☛ ✭ P ✮ ❂ 0 for all ☛ ✷ a ❣ a ✚ ❊♥❞✭ E ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 21 / 73 https://defeo.lu/docet

  42. ✣ ✵ ❂ ✣ ❖ Isogenies ✩ Ideals of ❊♥❞✭ E ✮ Horizontal Isogenies Invertible Ideals ❦❡r ✣ a ❂ ❢ P ✷ E ❥ ☛ ✭ P ✮ ❂ 0 for all ☛ ✷ a ❣ a ✚ ❊♥❞✭ E ✮ degree norm dual conjugate composition product “direction” on the ❵ -isogeny cycle ideal of norm ❵ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 21 / 73 https://defeo.lu/docet

  43. ❖ Isogenies ✩ Ideals of ❊♥❞✭ E ✮ Horizontal Isogenies Invertible Ideals ❦❡r ✣ a ❂ ❢ P ✷ E ❥ ☛ ✭ P ✮ ❂ 0 for all ☛ ✷ a ❣ a ✚ ❊♥❞✭ E ✮ degree norm dual conjugate composition product “direction” on the ❵ -isogeny cycle ideal of norm ❵ endomorphism principal ✣ b E ✵ E a ❂ b is principal ✣ a Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 21 / 73 https://defeo.lu/docet

  44. Isogenies ✩ Ideals of ❊♥❞✭ E ✮ Horizontal Isogenies Invertible Ideals ❦❡r ✣ a ❂ ❢ P ✷ E ❥ ☛ ✭ P ✮ ❂ 0 for all ☛ ✷ a ❣ a ✚ ❊♥❞✭ E ✮ degree norm dual conjugate composition product “direction” on the ❵ -isogeny cycle ideal of norm ❵ endomorphism principal ✣ b E ✵ E a ❂ b is principal ✣ a Elliptic curves with CM by ❖ Invertible ideals / Principal ideals Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 21 / 73 https://defeo.lu/docet

  45. Class group action Class group ♣ The class group of an order ❖ ✚ ◗ ✭ � D ✮ is the quotient ❈❧✭ ❖ ✮ ❂ ■ ✭ ❖ ✮ ❂ P ✭ ❖ ✮ ✿ It is a finite abelian group. Main theorem of complex multiplication The class group of ❖ acts faithfully and transitively on the set of elliptic curves with CM by ❖ by ❈❧✭ ❖ ✮ ✂ Ell ✭ ❖ ✮ ✦ Ell ✭ ❖ ✮ a ✄ E ✑ E ❂ E ❬ a ❪ Corollary ★ ❈❧✭ ❖ ✮ ❂ ★ Ell ✭ ❖ ✮ . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 22 / 73 https://defeo.lu/docet

  46. Supersingular endomorphisms Recall, a curve E over a field ❋ q of characteristic p is supersingular iff ✙ 2 � t ✙ ✰ q ❂ 0 with t ❂ 0 ♠♦❞ p . Case: t ❂ 0 ✮ D ✙ ❂ � 4 q Only possibility for E ❂ ❋ p , E ❂ ❋ p has CM by an order of ◗ ✭ ♣� p ✮ , similar to the ordinary case. t ❂ ✝ 2 ♣ q Case: ✮ D ✙ ❂ 0 General case for E ❂ ❋ q , when q is an even power. ✙ ❂ ✝♣ q ✷ ❩ , hence no complex multiplication. We will ignore marginal cases: t ❂ ✝♣ q ❀ ✝♣ 2 q ❀ ✝♣ 3 q . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 23 / 73 https://defeo.lu/docet

  47. The full endomorphism ring Theorem (Deuring) Let E be a supersingular elliptic curve, then E is isomorphic to a curve defined over ❋ p 2 ; Every isogeny of E is defined over ❋ p 2 ; Every endomorphism of E is defined over ❋ p 2 ; ❊♥❞✭ E ✮ is isomorphic to a maximal order in a quaternion algebra ramified at p and ✶ . In particular: If E is defined over ❋ p , then ❊♥❞ ❋ p ✭ E ✮ is strictly contained in ❊♥❞✭ E ✮ . Some endomorphisms do not commute! Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 24 / 73 https://defeo.lu/docet

  48. An example The curve of j -invariant 1728 E ✿ y 2 ❂ x 3 ✰ x is supersingular over ❋ p iff p ❂ � 1 ♠♦❞ 4 . Endomorphisms ❊♥❞✭ E ✮ ❂ ❩ ❤ ✓❀ ✙ ✐ , with: ✙ the Frobenius endomorphism, s.t. ✙ 2 ❂ � p ; ✓ the map ✓ ✭ x ❀ y ✮ ❂ ✭ � x ❀ iy ✮ ❀ where i ✷ ❋ p 2 is a 4-th root of unity. Clearly, ✓ 2 ❂ � 1 . And ✓✙ ❂ � ✙✓ . Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 25 / 73 https://defeo.lu/docet

  49. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 1728 Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 26 / 73 https://defeo.lu/docet

  50. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 1728 ❈❧✭ � 4 p ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 26 / 73 https://defeo.lu/docet

  51. ❈❧✭ � ✮ ❂ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 26 / 73 https://defeo.lu/docet

  52. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 0 ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 26 / 73 https://defeo.lu/docet

  53. ❂ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party ❈❧✭ � 3 ✮ ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 26 / 73 https://defeo.lu/docet

  54. ❂ ❂ Class group action party ❈❧✭ � 3 ✮ ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ ❈❧✭ � 23 ✮ ❈❧✭ � 79 ✮ Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 26 / 73 https://defeo.lu/docet

  55. Supersingular graphs Quaternion algebras have many maximal orders. For every maximal order type of B p ❀ ✶ there are 1 or 2 curves over ❋ p 2 having endomorphism ring isomorphic to it. There is a unique isogeny class of supersingular curves over ✖ ❋ p of size ✙ p ❂ 12 . Lef ideals act on the set of maximal orders like isogenies. Figure: 3 -isogeny graph on ❋ 97 2 . The graph of ❵ -isogenies is ✭ ❵ ✰ 1 ✮ -regular. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 27 / 73 https://defeo.lu/docet

  56. Graphs lexicon Degree: Number of (outgoing/ingoing) edges. k -regular: All vertices have degree k . Connected: There is a path between any two vertices. Distance: The length of the shortest path between two vertices. Diameter: The longest distance between two vertices. ✕ 1 ✕ ✁ ✁ ✁ ✕ ✕ n : The (ordered) eigenvalues of the adjacency matrix. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 28 / 73 https://defeo.lu/docet

  57. Expander graphs Proposition If G is a k -regular graph, its largest and smallest eigenvalues satisfy k ❂ ✕ 1 ✕ ✕ n ✕ � k ✿ Expander families An infinite family of connected k -regular graphs on n vertices is an expander family if there exists an ✎ ❃ 0 such that all non-trivial eigenvalues satisfy ❥ ✕ ❥ ✔ ✭ 1 � ✎ ✮ k for n large enough. Expander graphs have short diameter: O ✭❧♦❣ n ✮ ; Random walks mix rapidly: afer O ✭❧♦❣ n ✮ steps, the induced distribution on the vertices is close to uniform. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 29 / 73 https://defeo.lu/docet

  58. Expander graphs from isogenies Theorem (Pizer) Let ❵ be fixed. The family of graphs of supersingular curves over ❋ p 2 with ❵ -isogenies, as p ✦ ✶ , is an expander family a . a Even better, it has the Ramanujan property. Theorem (Jao, Miller, Venkatesan) ♣ Let ❖ ✚ ◗ ✭ � D ✮ be an order in a quadratic imaginary field. The graphs of all curves over ❋ q with complex multiplication by ❖ , with isogenies of prime degree bounded a by ✭❧♦❣ q ✮ 2 ✰ ✍ , are expanders. a May contain traces of GRH. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 30 / 73 https://defeo.lu/docet

  59. Executive summary Separable ❵ -isogeny = finite kernel = subgroup of E ❬ ❵ ❪ (= ideal of norm ❵ ), Isogeny graphs have j -invariants for vertices and “some” isogenies for edges. By varying the choices for the vertex and the isogeny set, we obtain graphs with different properties. ❵ -isogeny graphs of ordinary curves are volcanoes, (full) ❵ -isogeny graphs of supersingular curves are finite ✭ ❵ ✰ 1 ✮ -regular. CM theory naturally leads to define graphs of horizontal isogenies (both in the ordinary and the supersingular case) that are isomorphic to Cayley graphs of class groups. CM graphs are expanders. Supersingular full ❵ -isogeny graphs are Ramanujan. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 31 / 73 https://defeo.lu/docet

  60. Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zürich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet

  61. The beauty and the beast (credit: Lorenz Panny) Components of particular isogeny graphs look like this: Which of these is good for crypto? Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 33 / 73 https://defeo.lu/docet

  62. The beauty and the beast (credit: Lorenz Panny) Components of particular isogeny graphs look like this: Which of these is good for crypto? Both. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 33 / 73 https://defeo.lu/docet

  63. The beauty and the beast (credit: Lorenz Panny) At this time, there are two distinct families of systems: ❋ p ❋ p 2 CSIDH [pron.: sea-side] SIDH https://csidh.isogeny.org https://sike.org Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 33 / 73 https://defeo.lu/docet

  64. Brief history of isogeny-based cryptography 1997 Couveignes introduces the Hard Homogeneous Spaces framework. His work stays unpublished for 10 years. 2006 Rostovtsev & Stolbunov independently rediscover Couveignes ideas, suggest isogeny-based Diffie–Hellman as a quantum-resistant primitive. 2006-2010 Other isogeny-based protocols by Teske and Charles, Goren & Lauter. 2011-2012 D., Jao & Plût introduce SIDH, an efficient post-quantum key exchange inspired by Couveignes, Rostovtsev, Stolbunov, Charles, Goren, Lauter. 2017 SIDH is submitted to the NIST competition (with the name SIKE, only isogeny-based candidate). 2018 D., Kieffer & Smith resurrect the Couveignes–Rostovtsev–Stolbunov protocol, Castryck, Lange, Martindale, Panny & Renes create an efficient variant named CSIDH. 2019 The year of proofs of isogeny knowledge: SeaSign (D. & Galbraith; Decru, Panny & Vercauteren), CSI-FiSh (Beullens, Kleinjung & Vercauteren), VDF (D., Masson, Petit & Sanso), threshold (D. & Meyer). Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 34 / 73 https://defeo.lu/docet

  65. Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... R Q P P ✰ Q Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 35 / 73 https://defeo.lu/docet

  66. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 35 / 73 https://defeo.lu/docet

  67. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 35 / 73 https://defeo.lu/docet

  68. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 35 / 73 https://defeo.lu/docet

  69. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 35 / 73 https://defeo.lu/docet

  70. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 35 / 73 https://defeo.lu/docet

  71. Elliptic curves Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 36 / 73 https://defeo.lu/docet

  72. The QUANTHOM Menace Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 37 / 73 https://defeo.lu/docet

  73. Basically every isogeny-based key-exchange... Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 38 / 73 https://defeo.lu/docet

  74. Basically every isogeny-based key-exchange... Public curve Public curve Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 38 / 73 https://defeo.lu/docet

  75. Basically every isogeny-based key-exchange... Public curve Shared secret Public curve Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 38 / 73 https://defeo.lu/docet

  76. Hard Homogeneous Spaces 1 Principal Homogeneous Space ● ✟ ❊ : A (finite) set ❊ acted upon by a group ● faithfully and transitively: ✄ ✿ ● ✂ ❊ � ✦ ❊ ✦ E ✵ g ✄ E ✼� Compatibility: g ✵ ✄ ✭ g ✄ E ✮ ❂ ✭ g ✵ g ✮ ✄ E for all g ❀ g ✵ ✷ ● and E ✷ ❊ ; Identity: e ✄ E ❂ E if and only if e ✷ ● is the identity element; Transitivity: for all E ❀ E ✵ ✷ ❊ there exist a unique g ✷ ● such that g ✄ E ✵ ❂ E . Example: the set of elliptic curves with complex multiplication by ❖ is a PHS for the class group ❈❧✭ ❖ ✮ . 1 Couveignes 2006. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 39 / 73 https://defeo.lu/docet

  77. Hard Homogeneous Spaces Hard Homogeneous Space (HHS) A Principal Homogeneous Space ● ✟ ❊ such that ● is commutative and: Evaluating E ✵ ❂ g ✄ E is easy; Inverting the action is hard. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 40 / 73 https://defeo.lu/docet

  78. HHS Diffie–Hellman Goal: Alice and Bob have never met before. They are chatting over a public channel, and want to agree on a shared secret to start a private conversation. Setup: They agree on a (large) HHS ● ✟ ❊ of order N . Bob Alice pick random a ✷ ● pick random b ✷ ● compute E A ❂ a ✄ E 0 compute E B ❂ b ✄ E 0 E A E B Shared secret is a ✄ E B ❂ ✭ ab ✮ ✄ E 0 ❂ b ✄ E A Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 41 / 73 https://defeo.lu/docet

  79. HHSDH from complex multiplication Obstacles: E 3 E 4 E 2 The group size of ❈❧✭ ❖ ✮ is unknown. Only ideals of small norm (isogenies of small degree) E 5 E 1 are efficient to evaluate. Solution: E 6 E 12 Restrict to elements of ❈❧✭ ❖ ✮ of the form ❨ a e i g ❂ E 7 E 11 i for a basis of a i of small norm. E 8 E 10 E 9 Equivalent to doing isogeny walks of smooth degree. Luca De Feo (IBM Research Zürich) Isogeny Based Cryptography NTNU 42 / 73 https://defeo.lu/docet

Recommend

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

1.87k views • 144 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles & Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

1.01k views • 73 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
Introduction to quantum algorithms and introduction to code-based cryptography Daniel J.

Introduction to quantum algorithms and introduction to code-based cryptography Daniel J.

Introduction to quantum algorithms and introduction to code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Data (state) stored in n bits: an element of { 0 ; 1 } n ,

1.97k views • 138 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles St-Quentin-en-Yvelines France 1 Introduction: EC in cryptography Starting point: 1985 (V. Miller) Discrete logarithm based

487 views • 45 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global

Code-Based Cryptography for FPGAs Dr. Ruben Niederhagen, February 8, 2018 Introduction Global Map public-key cryptography classic post-quantum lattice code multivariate hash isogenies . . . McEliece Niederreiter . . . GRS codes

1.04k views • 73 slides
On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea Basso 1 , P eter Kutas 1 , Simon-Philipp Merz 2 , Christophe Petit 1 , Charlotte Weitk amper 1 University of Birmingham, UK Royal Holloway,

575 views • 19 slides
Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Cryptography Game-based Proofs Assumptions BLS Signature BF IB-Encryption Conclusion Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable Security Game-based Methodology 2 Game-based Approach

345 views • 12 slides

More recommend