isogeny based cryptography
play

Isogeny-Based Cryptography Tanja Lange (with lots of slides by - PowerPoint PPT Presentation

Oct 07, 2022 •460 likes •1.65k views

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

  1. The beauty and the beast Components of well-chosen isogeny graphs look like this: Which of these is good for crypto? Tanja Lange Isogeny-Based Cryptography 8

  2. The beauty and the beast Components of well-chosen isogeny graphs look like this: Which of these is good for crypto? Both. Tanja Lange Isogeny-Based Cryptography 8

  3. The beauty and the beast At this time, there are two distinct families of systems: q = p 2 q = p CSIDH ["si:­saId] SIDH https://csidh.isogeny.org https://sike.org Tanja Lange Isogeny-Based Cryptography 8

  4. CSIDH ["si:­saId] (Castryck, Lange, Martindale, Panny, Renes; 2018) Tanja Lange Isogeny-Based Cryptography 9

  5. Why CSIDH? ◮ Closest thing we have in PQC to normal DH key exchange: Keys can be reused, blinded; no difference between initiator &responder. ◮ Public keys are represented by some A ∈ F p ; p fixed prime. ◮ Alice computes and distributes her public key A . Bob computes and distributes his public key B . ◮ Alice and Bob do computations on each other’s public keys to obtain shared secret. ◮ Fancy math: computations start on some elliptic curve E A : y 2 = x 3 + Ax 2 + x , use isogenies to move to a different curve. ◮ Computations need arithmetic (add, mult, div) modulo p and elliptic-curve computations. Tanja Lange Isogeny-Based Cryptography 10

  6. Math slide #1: Elliptic curves (nodes) An elliptic curve over F p is given by an equation E : y 2 = x 3 + ax + b , with 4 a 3 − 27 b 2 � = 0. A point P = ( x , y ) on E is a solution to this equation or the point ∞ at infinity. Tanja Lange Isogeny-Based Cryptography 11

  7. Math slide #1: Elliptic curves (nodes) An elliptic curve over F p is given by an equation E : y 2 = x 3 + ax + b , with 4 a 3 − 27 b 2 � = 0. A point P = ( x , y ) on E is a solution to this equation or the point ∞ at infinity. E is an abelian group: we can “add” and “subtract” points. ◮ The neutral element is ∞ . ◮ The inverse of ( x , y ) is ( x , − y ) . ◮ The sum of P 1 = ( x 1 , y 1 ) and P 2 = ( x 2 , y 2 ) is P 3 = ( x 3 , y 3 ) = λ 2 − x 1 − x 2 , λ ( x 1 − x 3 ) − y 1 � � where λ = ( y 2 − y 1 ) / ( x 2 − x 1 ) if x 1 � = x 2 and λ = ( 3 x 2 1 + a ) / ( 2 y 1 ) if P 1 = P 2 � = − P 1 . Takeaway: Computations in F p , some formulas. Other curve shapes, such as Montgomery curves y 2 = x 3 + Ax 2 + x are faster. Tanja Lange Isogeny-Based Cryptography 11

  8. Math slide #2: Isogenies (edges) An isogeny of elliptic curves is a non-zero map E → E ′ ◮ given by rational functions ◮ that is a group homomorphism. The degree of a separable isogeny is the size of its kernel. Tanja Lange Isogeny-Based Cryptography 12

  9. Math slide #2: Isogenies (edges) An isogeny of elliptic curves is a non-zero map E → E ′ ◮ given by rational functions ◮ that is a group homomorphism. The degree of a separable isogeny is the size of its kernel. Example #1: For each m � = 0, the multiplication-by- m map [ m ]: E → E is a degree- m 2 isogeny. If m � = 0 in the base field, its kernel is E [ m ] ∼ = Z / m × Z / m . Tanja Lange Isogeny-Based Cryptography 12

  10. Math slide #2: Isogenies (edges) An isogeny of elliptic curves is a non-zero map E → E ′ ◮ given by rational functions ◮ that is a group homomorphism. The degree of a separable isogeny is the size of its kernel. √ Example #2: For any a and b , the map ι : ( x , y ) �→ ( − x , − 1 · y ) defines a degree-1 isogeny of the elliptic curves { y 2 = x 3 + ax + b } − → { y 2 = x 3 + ax − b } . It is an isomorphism; its kernel is {∞} . Tanja Lange Isogeny-Based Cryptography 12

  11. Math slide #2: Isogenies (edges) An isogeny of elliptic curves is a non-zero map E → E ′ ◮ given by rational functions ◮ that is a group homomorphism. The degree of a separable isogeny is the size of its kernel. Example #3: � � x 3 − 4 x 2 + 30 x − 12 , x 3 − 6 x 2 − 14 x + 35 ( x , y ) �→ · y ( x − 2 ) 2 ( x − 2 ) 3 defines a degree-3 isogeny of the elliptic curves { y 2 = x 3 + x } − → { y 2 = x 3 − 3 x + 3 } over F 71 . Its kernel is { ( 2 , 9 ) , ( 2 , − 9 ) , ∞} . Tanja Lange Isogeny-Based Cryptography 12

  12. CSIDH in one slide Tanja Lange Isogeny-Based Cryptography 13

  13. CSIDH in one slide ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. Tanja Lange Isogeny-Based Cryptography 13

  14. CSIDH in one slide ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { y 2 = x 3 + Ax 2 + x over F p with p + 1 points } . Tanja Lange Isogeny-Based Cryptography 13

  15. CSIDH in one slide ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { y 2 = x 3 + Ax 2 + x over F p with p + 1 points } . ◮ Look at the ℓ i -isogenies defined over F p within X . Tanja Lange Isogeny-Based Cryptography 13

  16. CSIDH in one slide ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { y 2 = x 3 + Ax 2 + x over F p with p + 1 points } . ◮ Look at the ℓ i -isogenies defined over F p within X . magic math happens! p = 419 ℓ 1 = 3 ℓ 2 = 5 ℓ 3 = 7 Tanja Lange Isogeny-Based Cryptography 13

  17. CSIDH in one slide ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { y 2 = x 3 + Ax 2 + x over F p with p + 1 points } . ◮ Look at the ℓ i -isogenies defined over F p within X . magic math happens! p = 419 ℓ 1 = 3 ℓ 2 = 5 ℓ 3 = 7 ◮ Walking “left” and “right” on any ℓ i -subgraph is efficient. Tanja Lange Isogeny-Based Cryptography 13

  18. CSIDH in one slide ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { y 2 = x 3 + Ax 2 + x over F p with p + 1 points } . ◮ Look at the ℓ i -isogenies defined over F p within X . magic math happens! p = 419 ℓ 1 = 3 ℓ 2 = 5 ℓ 3 = 7 ◮ Walking “left” and “right” on any ℓ i -subgraph is efficient. ◮ We can represent E ∈ X as a single coefficient A ∈ F p . Tanja Lange Isogeny-Based Cryptography 13

  19. Walking in the CSIDH graph Taking a “positive” step on the ℓ i -subgraph. 1. Find a point ( x , y ) ∈ E of order ℓ i with x , y ∈ F p . The order of any ( x , y ) ∈ E divides p + 1, so [( p + 1 ) /ℓ i ]( x , y ) = ∞ or a point of order ℓ i . Sample a new point if you get ∞ . 2. Compute the isogeny with kernel � ( x , y ) � (see next slide). Tanja Lange Isogeny-Based Cryptography 14

  20. Walking in the CSIDH graph Taking a “positive” step on the ℓ i -subgraph. 1. Find a point ( x , y ) ∈ E of order ℓ i with x , y ∈ F p . The order of any ( x , y ) ∈ E divides p + 1, so [( p + 1 ) /ℓ i ]( x , y ) = ∞ or a point of order ℓ i . Sample a new point if you get ∞ . 2. Compute the isogeny with kernel � ( x , y ) � (see next slide). Taking a “negative” step on the ℓ i -subgraph. 1. Find a point ( x , y ) ∈ E of order ℓ i with x ∈ F p but y / ∈ F p . This uses scalar multiplication by ( p + 1 ) /ℓ i . 2. Compute the isogeny with kernel � ( x , y ) � (see next slide). Tanja Lange Isogeny-Based Cryptography 14

  21. Walking in the CSIDH graph Taking a “positive” step on the ℓ i -subgraph. 1. Find a point ( x , y ) ∈ E of order ℓ i with x , y ∈ F p . The order of any ( x , y ) ∈ E divides p + 1, so [( p + 1 ) /ℓ i ]( x , y ) = ∞ or a point of order ℓ i . Sample a new point if you get ∞ . 2. Compute the isogeny with kernel � ( x , y ) � (see next slide). Taking a “negative” step on the ℓ i -subgraph. 1. Find a point ( x , y ) ∈ E of order ℓ i with x ∈ F p but y / ∈ F p . This uses scalar multiplication by ( p + 1 ) /ℓ i . 2. Compute the isogeny with kernel � ( x , y ) � (see next slide). Upshot: With “ x -only’ arithmetic” everything happens over F p . = ⇒ Efficient to implement! Tanja Lange Isogeny-Based Cryptography 14

  22. Math slide #3: Isogenies and kernels For any finite subgroup G of E , there exists a unique 1 separable isogeny ϕ G : E → E ′ with kernel G . The curve E ′ is called E / G . ( ≈ quotient groups) If G is defined over k , then ϕ G and E / G are also defined over k . 1 (up to isomorphism of E ′ )

  23. Math slide #3: Isogenies and kernels For any finite subgroup G of E , there exists a unique 1 separable isogeny ϕ G : E → E ′ with kernel G . The curve E ′ is called E / G . ( ≈ quotient groups) If G is defined over k , then ϕ G and E / G are also defined over k . Vélu ’71: Formulas for computing E / G and evaluating ϕ G at a point. Complexity: Θ(# G ) � only suitable for small degrees. 1 (up to isomorphism of E ′ )

  24. Math slide #3: Isogenies and kernels For any finite subgroup G of E , there exists a unique 1 separable isogeny ϕ G : E → E ′ with kernel G . The curve E ′ is called E / G . ( ≈ quotient groups) If G is defined over k , then ϕ G and E / G are also defined over k . Vélu ’71: Formulas for computing E / G and evaluating ϕ G at a point. Complexity: Θ(# G ) � only suitable for small degrees. Vélu operates in the field where the points in G live. � need to make sure extensions stay small for desired # G � this is why we use special p and curves with p + 1 points! Not all k -rational points of E / G are in the image of k -rational points on E ; but # E ( k ) # E / G ( k ) . 1 (up to isomorphism of E ′ )

  25. CSIDH key exchange Alice Bob [ , , , ] [ , , , ] Tanja Lange Isogeny-Based Cryptography 16

  26. CSIDH key exchange Alice Bob [ ↑ , , , ] [ ↑ , , , ] Tanja Lange Isogeny-Based Cryptography 16

  27. CSIDH key exchange Alice Bob [ , ↑ , , ] [ , ↑ , , ] Tanja Lange Isogeny-Based Cryptography 16

  28. CSIDH key exchange Alice Bob [ , , ↑ , ] [ , , ↑ , ] Tanja Lange Isogeny-Based Cryptography 16

  29. CSIDH key exchange Alice Bob [ , , , ↑ ] [ , , , ↑ ] Tanja Lange Isogeny-Based Cryptography 16

  30. CSIDH key exchange Alice Bob [ , , , ] [ , , , ] Tanja Lange Isogeny-Based Cryptography 16

  31. CSIDH key exchange Alice Bob [ ↑ , , , ] [ ↑ , , , ] Tanja Lange Isogeny-Based Cryptography 16

  32. CSIDH key exchange Alice Bob [ , ↑ , , ] [ , ↑ , , ] Tanja Lange Isogeny-Based Cryptography 16

  33. CSIDH key exchange Alice Bob [ , , ↑ , ] [ , , ↑ , ] Tanja Lange Isogeny-Based Cryptography 16

  34. CSIDH key exchange Alice Bob [ , , , ↑ ] [ , , , ↑ ] Tanja Lange Isogeny-Based Cryptography 16

  35. CSIDH key exchange Alice Bob [ , , , ] [ , , , ] Tanja Lange Isogeny-Based Cryptography 16

  36. Abstract from Diffie-Hellman dataflow “CSIDH: an efficient post-quantum commutative group action” Tanja Lange Isogeny-Based Cryptography 17

  37. Abstract from Diffie-Hellman dataflow “CSIDH: an efficient post-quantum commutative group action” Cycles are compatible: [right then left] = [left then right] � only need to keep track of total step counts for each ℓ i . 0 , − 3 ) ∈ Z 3 . Example: [ , , , , , , , ] just becomes (+ 1 , Tanja Lange Isogeny-Based Cryptography 17

  38. Abstract from Diffie-Hellman dataflow “CSIDH: an efficient post-quantum commutative group action” Cycles are compatible: [right then left] = [left then right] � only need to keep track of total step counts for each ℓ i . 0 , − 3 ) ∈ Z 3 . Example: [ , , , , , , , ] just becomes (+ 1 , There is a group action of ( Z n , +) on our set of curves X ! Tanja Lange Isogeny-Based Cryptography 17

  39. Abstract from Diffie-Hellman dataflow “CSIDH: an efficient post-quantum commutative group action” Cycles are compatible: [right then left] = [left then right] � only need to keep track of total step counts for each ℓ i . 0 , − 3 ) ∈ Z 3 . Example: [ , , , , , , , ] just becomes (+ 1 , There is a group action of ( Z n , +) on our set of curves X ! Many paths are “useless”. Fun fact: Quotienting out trivial actions yields the ideal-class group cl ( Z [ √− p ]) . Tanja Lange Isogeny-Based Cryptography 17

  40. Math slide #4: Quadratic twists Not my fault . . . / k if E is isomorphic to E ′ over ¯ E ′ / k is a twist elliptic curve E ” k . For E : y 2 = x 3 + Ax 2 + x over F p with p ≡ 3 mod 4 E ′ : − y 2 = x 3 + Ax 2 + x is isomorphic to E via √ ( x , y ) �→ ( x , − 1 y ) . This map is defined over F p 2 , so this is a quadratic twist. Tanja Lange Isogeny-Based Cryptography 18

  41. Math slide #4: Quadratic twists Not my fault . . . / k if E is isomorphic to E ′ over ¯ E ′ / k is a twist elliptic curve E ” k . For E : y 2 = x 3 + Ax 2 + x over F p with p ≡ 3 mod 4 E ′ : − y 2 = x 3 + Ax 2 + x is isomorphic to E via √ ( x , y ) �→ ( x , − 1 y ) . This map is defined over F p 2 , so this is a quadratic twist. Picking ( x , y ) on E with x ∈ F p , y � = F p implicitly picks point in E ′ ( F p ) . Tanja Lange Isogeny-Based Cryptography 18

  42. Math slide #4: Quadratic twists Not my fault . . . / k if E is isomorphic to E ′ over ¯ E ′ / k is a twist elliptic curve E ” k . For E : y 2 = x 3 + Ax 2 + x over F p with p ≡ 3 mod 4 E ′ : − y 2 = x 3 + Ax 2 + x is isomorphic to E via √ ( x , y ) �→ ( x , − 1 y ) . This map is defined over F p 2 , so this is a quadratic twist. Picking ( x , y ) on E with x ∈ F p , y � = F p implicitly picks point in E ′ ( F p ) . E ′ is not in the isogeny graph, does not have the right shape. E ′ is isomorphic to E ′′ : y 2 = x 3 − Ax 2 + x via ( x , y ) �→ ( − x , y ) over F p . Tanja Lange Isogeny-Based Cryptography 18

  43. Graphs of elliptic curves E 0 E 158 E 261 E 410 E 9 E 368 E 51 E 404 E 15 E 75 E 344 E 144 E 275 E 191 E 228 E 174 E 245 E 413 E 6 E 379 E 40 E 124 E 295 E 199 E 220 E 390 E 29 Nodes: Supersingular elliptic curves E A : y 2 = x 3 + Ax 2 + x over F 419 . Tanja Lange Isogeny-Based Cryptography 19

  44. Graphs of elliptic curves E 0 E 158 E 261 E 410 E 9 E 368 E 51 E 404 E 15 E 75 E 344 E 144 E 275 E 191 E 228 E 174 E 245 E 413 E 6 E 379 E 40 E 124 E 295 E 199 E 220 E 390 E 29 Nodes: Supersingular elliptic curves E A : y 2 = x 3 + Ax 2 + x over F 419 . Each E A on the left has E − A on the right. Negative direction means: flip to twist, go positive direction, flip back. Tanja Lange Isogeny-Based Cryptography 19

  45. Math slide #5: Vélu’s formulas Let P have prime order ℓ on E A . For 1 ≤ k < ℓ let x k be the x -coordinate of [ k ] P . Let ℓ − 1 ℓ − 1 � x i − 1 � � � τ = x i , σ = x i i = 1 i = 1 Then the ℓ isogeny from E A maps to E B with B = τ ( A − 3 σ ) . Main operation is to compute the x k , just some elliptic-curve additions. Note that [ ℓ − k ] P = − [ k ] P and both have the same x -coordinate. Implementations often use projective formulas to avoid (or delay) inverstions. Tanja Lange Isogeny-Based Cryptography 20

  46. Math slide #6: Class groups Reminder: X = { y 2 = x 3 + Ax 2 + x over F p with p + 1 points } . All curves in X have F p -endomorphism ring O = Z [ √− p ] . Let π the Frobenius endomorphism. Ideal in O above ℓ i . l i = ( ℓ i , π − 1 ) . Moving + in X with ℓ i isogeny ⇐ ⇒ action of l i on X . Tanja Lange Isogeny-Based Cryptography 21

  47. Math slide #6: Class groups Reminder: X = { y 2 = x 3 + Ax 2 + x over F p with p + 1 points } . All curves in X have F p -endomorphism ring O = Z [ √− p ] . Let π the Frobenius endomorphism. Ideal in O above ℓ i . l i = ( ℓ i , π − 1 ) . Moving + in X with ℓ i isogeny ⇐ ⇒ action of l i on X . More precisely: Subgroup corresponding to l i is E [ l i ] = E ( F p )[ ℓ i ] . (Note that ker ( π − 1 ) is just the F p -rational points!) Subgroup corresponding to l i is E [ l i ] = { P ∈ E [ ℓ i ] | π ( P ) = − P } . Tanja Lange Isogeny-Based Cryptography 21

  48. Math slide #6: Class groups Reminder: X = { y 2 = x 3 + Ax 2 + x over F p with p + 1 points } . All curves in X have F p -endomorphism ring O = Z [ √− p ] . Let π the Frobenius endomorphism. Ideal in O above ℓ i . l i = ( ℓ i , π − 1 ) . Moving + in X with ℓ i isogeny ⇐ ⇒ action of l i on X . More precisely: Subgroup corresponding to l i is E [ l i ] = E ( F p )[ ℓ i ] . (Note that ker ( π − 1 ) is just the F p -rational points!) Subgroup corresponding to l i is E [ l i ] = { P ∈ E [ ℓ i ] | π ( P ) = − P } . For Montgomery curves, E [ l i ] = { ( x , y ) ∈ E [ ℓ i ] | x ∈ F p ; y / ∈ F p } ∪ {∞} . Tanja Lange Isogeny-Based Cryptography 21

  49. Math slide #7: Commutative group action cl ( O ) acts on X . For most ideal classes the kernel is big and formulas are expensive to compute. I = l 10 1 l − 7 2 l 27 3 is a “big” ideal, but we can compute the action iteratively. cl ( O ) is commutative 2 so we get a commutative group action.. The choice for CSIDH: Let K = { [ l e 1 1 · · · l e 1 n ] | ( e 1 , ..., e n ) is ‘short’ } ⊆ cl ( O ) . The action of K on X is very efficient! Pick K as the keyspace 2 Important to use the F p -endomorphism ring.

  50. Cryptographic group actions Like in the CSIDH example, we generally get a DH-like key exchange from a commutative group action G × S → S : Alice public Bob random random a ← − − − G b ← − − − G a ∗ s b ∗ s key := a ∗ ( b ∗ s ) key := b ∗ ( a ∗ s ) Tanja Lange Isogeny-Based Cryptography 23

  51. Why no Shor? Shor computes α from h = g α by finding the kernel of the map f : Z 2 → G , ( x , y ) �→ g x · ↑ h y For general group actions, we cannot compose x ∗ s and y ∗ ( b ∗ s ) . For CSIDH this would require composing two elliptic curves in some form compatible with the action of G . Tanja Lange Isogeny-Based Cryptography 24

  52. CSIDH security Core problem: Given E , E ′ ∈ X , find a smooth-degree isogeny E → E ′ . Size of key space: ◮ About √ p of all A ∈ F p are valid keys. (More precisely # cl ( Z [ √− p ]) keys.) Without quantum computer: √ p ) . ◮ Meet-in-the-middle variants: Time O ( 4 (2016 Delfs–Galbraith) Tanja Lange Isogeny-Based Cryptography 25

  53. CSIDH security Core problem: Given E , E ′ ∈ X , find a smooth-degree isogeny E → E ′ . Size of key space: ◮ About √ p of all A ∈ F p are valid keys. (More precisely # cl ( Z [ √− p ]) keys.) Without quantum computer: √ p ) . ◮ Meet-in-the-middle variants: Time O ( 4 (2016 Delfs–Galbraith) With quantum computer: ◮ Abellian hidden-shift algorithms apply (2014 Childs–Jao–Soukharev) ◮ Kuperberg’s algoirhtm has subexponential complexity. CSIDH security: ◮ Public-key validation: Quickly check that E A : y 2 = x 3 + Ax 2 + x has p + 1 points. Tanja Lange Isogeny-Based Cryptography 25

  54. CSIDH-512 https://csidh.isogeny.org/ Definition: ◮ p = � 74 i = 1 ℓ i − 1 with ℓ 1 , . . . , ℓ 73 first 73 odd primes. ℓ 74 = 587. ◮ Exponents − 5 ≤ e i ≤ 5 for all 1 ≤ i ≤ 74. Sizes: ◮ Private keys: 32 bytes. (37 in current software for simplicity.) ◮ Public keys: 64 bytes (just one F p element). Performance on typical Intel Skylake laptop core: ◮ Clock cycles: about 12 · 10 7 per operation. ◮ Somewhat more for constant-time implementations. Security: ◮ Pre-quantum: at least 128 bits. Tanja Lange Isogeny-Based Cryptography 26

  55. CSIDH-512 https://csidh.isogeny.org/ Definition: ◮ p = � 74 i = 1 ℓ i − 1 with ℓ 1 , . . . , ℓ 73 first 73 odd primes. ℓ 74 = 587. ◮ Exponents − 5 ≤ e i ≤ 5 for all 1 ≤ i ≤ 74. Sizes: ◮ Private keys: 32 bytes. (37 in current software for simplicity.) ◮ Public keys: 64 bytes (just one F p element). Performance on typical Intel Skylake laptop core: ◮ Clock cycles: about 12 · 10 7 per operation. ◮ Somewhat more for constant-time implementations. Security: ◮ Pre-quantum: at least 128 bits. ◮ Post-quantum: complicated. Recent work analyzing cost: see https://quantum.isogeny.org . Several papers analyzing Kuperberg. (2018 Biasse–Iezzi-Jacobson, 2018-2020 Bonnetain–Schrottenloher, 2020 Peikert) https://csidh.isogeny.org/analysis.html Tanja Lange Isogeny-Based Cryptography 26

  56. CSIDH vs. Kuperberg Kuperberg’s algorithm consists of two components: 1. Evaluate the group action many times. (“oracle calls”) 2. Combine the results in a certain way. (“sieving”) Tanja Lange Isogeny-Based Cryptography 27

  57. CSIDH vs. Kuperberg Kuperberg’s algorithm consists of two components: 1. Evaluate the group action many times. (“oracle calls”) 2. Combine the results in a certain way. (“sieving”) ◮ The algorithm admits many different tradeoffs. ◮ Oracle calls are expensive. ◮ The sieving phase has classical and quantum operations. Tanja Lange Isogeny-Based Cryptography 27

  58. CSIDH vs. Kuperberg Kuperberg’s algorithm consists of two components: 1. Evaluate the group action many times. (“oracle calls”) 2. Combine the results in a certain way. (“sieving”) ◮ The algorithm admits many different tradeoffs. ◮ Oracle calls are expensive. ◮ The sieving phase has classical and quantum operations. How to compare costs? (Is one qubit operation ≈ one bit operation? a hundred? millions?) Tanja Lange Isogeny-Based Cryptography 27

  59. CSIDH vs. Kuperberg Kuperberg’s algorithm consists of two components: 1. Evaluate the group action many times. (“oracle calls”) 2. Combine the results in a certain way. (“sieving”) ◮ The algorithm admits many different tradeoffs. ◮ Oracle calls are expensive. ◮ The sieving phase has classical and quantum operations. How to compare costs? (Is one qubit operation ≈ one bit operation? a hundred? millions?) = ⇒ It is still rather unclear how to choose CSIDH parameters. � ( log p ) 1 / 2 + o ( 1 ) � ...but all known attacks cost exp ! Recent improvements to sieving target the o ( 1 ) . Kuperberg applies to all commutative group actions. Tanja Lange Isogeny-Based Cryptography 27

  60. SIDH – avoid commutativity The supersingular isogeny graph over F p 2 looks differently. Nodes are isomorphism classes of elliptic curves taken any extension field. (All isooprhism classes of supersingular elliptic curves defined over F p 2 ). Tanja Lange Isogeny-Based Cryptography 28

  61. SIDH: High-level view (2011 Jao–De Feo) Promblem: quadratic twists are identified, ℓ + 1 isogenies of degree ℓ from any curve, no more sense of direction. Tanja Lange Isogeny-Based Cryptography 29

  62. SIDH: High-level view (2011 Jao–De Feo) Promblem: quadratic twists are identified, ℓ + 1 isogenies of degree ℓ from any curve, no more sense of direction. ϕ A E E / A ϕ B ϕ B ′ E / B E / � A , B � ϕ A ′ Tanja Lange Isogeny-Based Cryptography 29

  63. SIDH: High-level view (2011 Jao–De Feo) Promblem: quadratic twists are identified, ℓ + 1 isogenies of degree ℓ from any curve, no more sense of direction. ϕ A E E / A ϕ B ϕ B ′ E / B E / � A , B � ϕ A ′ ◮ Alice & Bob pick secret subgroups A and B of E . Tanja Lange Isogeny-Based Cryptography 29

  64. SIDH: High-level view (2011 Jao–De Feo) Promblem: quadratic twists are identified, ℓ + 1 isogenies of degree ℓ from any curve, no more sense of direction. ϕ A E E / A ϕ B ϕ B ′ E / B E / � A , B � ϕ A ′ ◮ Alice & Bob pick secret subgroups A and B of E . ◮ Alice computes ϕ A : E → E / A ; Bob computes ϕ B : E → E / B . (These isogenies correspond to walking on the isogeny graph.) Tanja Lange Isogeny-Based Cryptography 29

  65. SIDH: High-level view (2011 Jao–De Feo) Promblem: quadratic twists are identified, ℓ + 1 isogenies of degree ℓ from any curve, no more sense of direction. ϕ A E E / A ϕ B ϕ B ′ E / B E / � A , B � ϕ A ′ ◮ Alice & Bob pick secret subgroups A and B of E . ◮ Alice computes ϕ A : E → E / A ; Bob computes ϕ B : E → E / B . (These isogenies correspond to walking on the isogeny graph.) ◮ Alice and Bob transmit the values E / A and E / B . Tanja Lange Isogeny-Based Cryptography 29

  66. SIDH: High-level view (2011 Jao–De Feo) Promblem: quadratic twists are identified, ℓ + 1 isogenies of degree ℓ from any curve, no more sense of direction. ϕ A E E / A ϕ B ϕ B ′ E / B E / � A , B � ϕ A ′ ◮ Alice & Bob pick secret subgroups A and B of E . ◮ Alice computes ϕ A : E → E / A ; Bob computes ϕ B : E → E / B . (These isogenies correspond to walking on the isogeny graph.) ◮ Alice and Bob transmit the values E / A and E / B . ◮ Alice somehow obtains A ′ := ϕ B ( A ) . (Similar for Bob.) Tanja Lange Isogeny-Based Cryptography 29

  67. SIDH: High-level view (2011 Jao–De Feo) Promblem: quadratic twists are identified, ℓ + 1 isogenies of degree ℓ from any curve, no more sense of direction. ϕ A E E / A ϕ B ϕ B ′ E / B E / � A , B � ϕ A ′ ◮ Alice & Bob pick secret subgroups A and B of E . ◮ Alice computes ϕ A : E → E / A ; Bob computes ϕ B : E → E / B . (These isogenies correspond to walking on the isogeny graph.) ◮ Alice and Bob transmit the values E / A and E / B . ◮ Alice somehow obtains A ′ := ϕ B ( A ) . (Similar for Bob.) ◮ They both compute the shared secret ( E / B ) / A ′ ∼ = E / � A , B � ∼ = ( E / A ) / B ′ . ◮ Key is an isomorphism class; make this useable taking j -invariant. Tanja Lange Isogeny-Based Cryptography 29

  68. SIDH’s auxiliary points Previous slide: “Alice somehow obtains A ′ := ϕ B ( A ) .” Alice knows only A , Bob knows only ϕ B . Tanja Lange Isogeny-Based Cryptography 30

  69. SIDH’s auxiliary points Previous slide: “Alice somehow obtains A ′ := ϕ B ( A ) .” Alice knows only A , Bob knows only ϕ B . ◮ Alice picks A as � P + [ a ] Q � for fixed public P , Q ∈ E . ◮ Bob includes ϕ B ( P ) and ϕ B ( Q ) in his public key. Tanja Lange Isogeny-Based Cryptography 30

Recommend

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ &amp; Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics &amp; Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics &amp; Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics &amp; Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ &amp; Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ &amp; Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ &amp; Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

1.87k views • 144 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles &amp; Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

1.01k views • 73 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea Basso 1 , P eter Kutas 1 , Simon-Philipp Merz 2 , Christophe Petit 1 , Charlotte Weitk amper 1 University of Birmingham, UK Royal Holloway,

575 views • 19 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov

Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov

Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov 15, 2018, cole des Mines de Saint-tienne, Gardanne Elliptic curves Let E y 2 x 3 ax b be an elliptic curve... R Q P P Q

715 views • 57 slides
Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER EPRINT.IACR.ORG/2014/794 BY DUCAS, LYUBASHEVSKY, AND PREST 2016-09-21, Royal Holloway, Egham OFFICIAL Public Key Cryptography (PKC) Also called

403 views • 26 slides
Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles St-Quentin-en-Yvelines France 1 Introduction: EC in cryptography Starting point: 1985 (V. Miller) Discrete logarithm based

487 views • 45 slides
Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Reminder on elliptic curves Endomorphism ring Volcano of -isogeny and Frobenius endomorphism -adic tower Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril Hugounenq, Jerome Plut, Eric Schost

472 views • 28 slides
Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019 Modern curve-based cryptography Modern curve-based cryptography 1 / 11 Modern curve-based cryptography Internet of Things Size &amp; speed

1.39k views • 97 slides

More recommend