The beauty and the beast
Components of well-chosen isogeny graphs look like this: (figure)
Which of these is good for crypto? Both.
Tanja Lange, Isogeny-Based Cryptography
The beauty and the beast
At this time, there are two distinct families of systems: $q = p$: CSIDH ["si:saId] (https://csidh.isogeny.org); $q = p^2$: SIDH (https://sike.org).
CSIDH ["si:saId] (Castryck, Lange, Martindale, Panny, Renes; 2018)
Why CSIDH?
◮ Closest thing we have in PQC to normal DH key exchange: keys can be reused, blinded; no difference between initiator and responder.
◮ Public keys are represented by some $A \in \mathbb{F}_p$; $p$ fixed prime.
◮ Alice computes and distributes her public key $A$. Bob computes and distributes his public key $B$.
◮ Alice and Bob do computations on each other's public keys to obtain the shared secret.
◮ Fancy math: computations start on some elliptic curve $E_A : y^2 = x^3 + Ax^2 + x$ and use isogenies to move to a different curve.
◮ Computations need arithmetic (add, mult, div) modulo $p$ and elliptic-curve computations.
Math slide #1: Elliptic curves (nodes)
An elliptic curve over $\mathbb{F}_p$ is given by an equation $E : y^2 = x^3 + ax + b$ with $4a^3 - 27b^2 \neq 0$. A point $P = (x, y)$ on $E$ is a solution to this equation or the point $\infty$ at infinity.
$E$ is an abelian group: we can "add" and "subtract" points.
◮ The neutral element is $\infty$.
◮ The inverse of $(x, y)$ is $(x, -y)$.
◮ The sum of $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ is $P_3 = (x_3, y_3) = \bigl(\lambda^2 - x_1 - x_2,\ \lambda(x_1 - x_3) - y_1\bigr)$, where $\lambda = (y_2 - y_1)/(x_2 - x_1)$ if $x_1 \neq x_2$ and $\lambda = (3x_1^2 + a)/(2y_1)$ if $P_1 = P_2 \neq -P_1$.
Takeaway: computations in $\mathbb{F}_p$, some formulas. Other curve shapes, such as Montgomery curves $y^2 = x^3 + Ax^2 + x$, are faster.
Math slide #2: Isogenies (edges)
An isogeny of elliptic curves is a non-zero map $E \to E'$
◮ given by rational functions
◮ that is a group homomorphism.
The degree of a separable isogeny is the size of its kernel.
Example #1: For each $m \neq 0$, the multiplication-by-$m$ map $[m] : E \to E$ is a degree-$m^2$ isogeny. If $m \neq 0$ in the base field, its kernel is $E[m] \cong \mathbb{Z}/m \times \mathbb{Z}/m$.
Example #2: For any $a$ and $b$, the map $\iota : (x, y) \mapsto (-x, \sqrt{-1} \cdot y)$ defines a degree-1 isogeny of the elliptic curves $\{y^2 = x^3 + ax + b\} \to \{y^2 = x^3 + ax - b\}$. It is an isomorphism; its kernel is $\{\infty\}$.
Example #3: $(x, y) \mapsto \left( \frac{x^3 - 4x^2 + 30x - 12}{(x - 2)^2},\ \frac{x^3 - 6x^2 - 14x + 35}{(x - 2)^3} \cdot y \right)$ defines a degree-3 isogeny of the elliptic curves $\{y^2 = x^3 + x\} \to \{y^2 = x^3 - 3x + 3\}$ over $\mathbb{F}_{71}$. Its kernel is $\{(2, 9), (2, -9), \infty\}$.
CSIDH in one slide
◮ Choose some small odd primes $\ell_1, \dots, \ell_n$.
◮ Make sure $p = 4 \cdot \ell_1 \cdots \ell_n - 1$ is prime.
◮ Let $X = \{y^2 = x^3 + Ax^2 + x \text{ over } \mathbb{F}_p \text{ with } p + 1 \text{ points}\}$.
◮ Look at the $\ell_i$-isogenies defined over $\mathbb{F}_p$ within $X$.
Magic math happens! (Figure: the graph for $p = 419$, $\ell_1 = 3$, $\ell_2 = 5$, $\ell_3 = 7$.)
◮ Walking "left" and "right" on any $\ell_i$-subgraph is efficient.
◮ We can represent $E \in X$ as a single coefficient $A \in \mathbb{F}_p$.
Walking in the CSIDH graph
Taking a "positive" step on the $\ell_i$-subgraph:
1. Find a point $(x, y) \in E$ of order $\ell_i$ with $x, y \in \mathbb{F}_p$. The order of any $(x, y) \in E$ divides $p + 1$, so $[(p + 1)/\ell_i](x, y)$ is $\infty$ or a point of order $\ell_i$. Sample a new point if you get $\infty$.
2. Compute the isogeny with kernel $\langle (x, y) \rangle$ (see next slide).
Taking a "negative" step on the $\ell_i$-subgraph:
1. Find a point $(x, y) \in E$ of order $\ell_i$ with $x \in \mathbb{F}_p$ but $y \notin \mathbb{F}_p$. This uses scalar multiplication by $(p + 1)/\ell_i$.
2. Compute the isogeny with kernel $\langle (x, y) \rangle$ (see next slide).
Upshot: with "$x$-only" arithmetic everything happens over $\mathbb{F}_p$. $\Rightarrow$ Efficient to implement!
Math slide #3: Isogenies and kernels
For any finite subgroup $G$ of $E$, there exists a unique¹ separable isogeny $\varphi_G : E \to E'$ with kernel $G$. The curve $E'$ is called $E/G$ ($\approx$ quotient groups). If $G$ is defined over $k$, then $\varphi_G$ and $E/G$ are also defined over $k$.
Vélu '71: formulas for computing $E/G$ and evaluating $\varphi_G$ at a point. Complexity: $\Theta(\#G)$ $\Rightarrow$ only suitable for small degrees.
Vélu operates in the field where the points in $G$ live. $\Rightarrow$ Need to make sure extensions stay small for the desired $\#G$. $\Rightarrow$ This is why we use special $p$ and curves with $p + 1$ points!
Not all $k$-rational points of $E/G$ are in the image of $k$-rational points on $E$; but $\#E(k) = \#(E/G)(k)$.
¹ (up to isomorphism of $E'$)
CSIDH key exchange
(Animated figure: Alice and Bob each take their four-entry sequence of steps [ , , , ] through the graph one entry at a time; the pictures are not recoverable from the text.)
Abstract from Diffie-Hellman dataflow
"CSIDH: an efficient post-quantum commutative group action"
Cycles are compatible: [right then left] = [left then right] $\Rightarrow$ only need to keep track of total step counts for each $\ell_i$.
Example: a sequence of eight steps [ , , , , , , , ] (the arrow glyphs are not recoverable) just becomes $(+1, 0, -3) \in \mathbb{Z}^3$.
There is a group action of $(\mathbb{Z}^n, +)$ on our set of curves $X$!
Many paths are "useless". Fun fact: quotienting out trivial actions yields the ideal-class group $\mathrm{cl}(\mathbb{Z}[\sqrt{-p}])$.
Math slide #4: Quadratic twists (Not my fault . . .)
An elliptic curve $E'/k$ is a twist of $E/k$ if $E$ is isomorphic to $E'$ over $\bar{k}$.
For $E : y^2 = x^3 + Ax^2 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \bmod 4$, $E' : -y^2 = x^3 + Ax^2 + x$ is isomorphic to $E$ via $(x, y) \mapsto (x, \sqrt{-1}\, y)$. This map is defined over $\mathbb{F}_{p^2}$, so this is a quadratic twist.
Picking $(x, y)$ on $E$ with $x \in \mathbb{F}_p$, $y \notin \mathbb{F}_p$ implicitly picks a point in $E'(\mathbb{F}_p)$.
$E'$ is not in the isogeny graph; it does not have the right shape. $E'$ is isomorphic to $E'' : y^2 = x^3 - Ax^2 + x$ via $(x, y) \mapsto (-x, y)$ over $\mathbb{F}_p$.
Graphs of elliptic curves
(Figure.) Nodes: supersingular elliptic curves $E_A : y^2 = x^3 + Ax^2 + x$ over $\mathbb{F}_{419}$, for $A \in \{0, 158, 261, 410, 9, 368, 51, 404, 15, 75, 344, 144, 275, 191, 228, 174, 245, 413, 6, 379, 40, 124, 295, 199, 220, 390, 29\}$.
Each $E_A$ on the left has $E_{-A}$ on the right. Negative direction means: flip to the twist, go in the positive direction, flip back.
Math slide #5: Vélu's formulas
Let $P$ have prime order $\ell$ on $E_A$. For $1 \le k < \ell$ let $x_k$ be the $x$-coordinate of $[k]P$. Let
$\tau = \prod_{i=1}^{\ell - 1} x_i, \qquad \sigma = \sum_{i=1}^{\ell - 1} \left( x_i - \frac{1}{x_i} \right).$
Then the $\ell$-isogeny from $E_A$ maps to $E_B$ with $B = \tau(A - 3\sigma)$.
The main operation is to compute the $x_k$, just some elliptic-curve additions. Note that $[\ell - k]P = -[k]P$ and both have the same $x$-coordinate. Implementations often use projective formulas to avoid (or delay) inversions.
Math slide #6: Class groups
Reminder: $X = \{y^2 = x^3 + Ax^2 + x \text{ over } \mathbb{F}_p \text{ with } p + 1 \text{ points}\}$.
All curves in $X$ have $\mathbb{F}_p$-endomorphism ring $\mathcal{O} = \mathbb{Z}[\sqrt{-p}]$. Let $\pi$ be the Frobenius endomorphism.
Ideal in $\mathcal{O}$ above $\ell_i$: $\mathfrak{l}_i = (\ell_i, \pi - 1)$. Moving $+$ in $X$ with an $\ell_i$-isogeny $\Longleftrightarrow$ action of $\mathfrak{l}_i$ on $X$.
More precisely: the subgroup corresponding to $\mathfrak{l}_i$ is $E[\mathfrak{l}_i] = E(\mathbb{F}_p)[\ell_i]$. (Note that $\ker(\pi - 1)$ is just the $\mathbb{F}_p$-rational points!)
The subgroup corresponding to the conjugate ideal $\bar{\mathfrak{l}}_i$ is $E[\bar{\mathfrak{l}}_i] = \{P \in E[\ell_i] \mid \pi(P) = -P\}$.
For Montgomery curves, $E[\bar{\mathfrak{l}}_i] = \{(x, y) \in E[\ell_i] \mid x \in \mathbb{F}_p,\ y \notin \mathbb{F}_p\} \cup \{\infty\}$.
Math slide #7: Commutative group action
$\mathrm{cl}(\mathcal{O})$ acts on $X$. For most ideal classes the kernel is big and the formulas are expensive to compute.
$I = \mathfrak{l}_1^{10} \mathfrak{l}_2^{-7} \mathfrak{l}_3^{27}$ is a "big" ideal, but we can compute the action iteratively.
$\mathrm{cl}(\mathcal{O})$ is commutative², so we get a commutative group action.
The choice for CSIDH: let $K = \{[\mathfrak{l}_1^{e_1} \cdots \mathfrak{l}_n^{e_n}] \mid (e_1, \dots, e_n) \text{ is "short"}\} \subseteq \mathrm{cl}(\mathcal{O})$. The action of $K$ on $X$ is very efficient! Pick $K$ as the keyspace.
² Important to use the $\mathbb{F}_p$-endomorphism ring.
Cryptographic group actions
Like in the CSIDH example, we generally get a DH-like key exchange from a commutative group action $G \times S \to S$ with a public start element $s$:
Alice: random $a \leftarrow G$; publishes $a * s$; key $:= a * (b * s)$.
Bob: random $b \leftarrow G$; publishes $b * s$; key $:= b * (a * s)$.
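Added example (not from the slides and not the CSIDH reference software): a toy implementation of the group action and of the DH-like exchange above for the slides' parameters $p = 419$, $\ell_i \in \{3, 5, 7\}$, covering the positive/negative steps of "Walking in the CSIDH graph" and the formula $B = \tau(A - 3\sigma)$ of Math slide #5. It assumes x-only Montgomery arithmetic and the Renes / Costello–Hisil point-pushing formula $x \mapsto x \prod_i (x x_i - 1)/(x - x_i)$, neither of which is on the slides; all function names are mine.

```python
# Toy CSIDH group action for the slides' parameters p = 419, l_i in {3, 5, 7}: x-only Montgomery
# arithmetic, l-isogenies via B = tau*(A - 3*sigma), and positive/negative steps chosen by whether
# the sampled x lies on E_A or on its quadratic twist. Not constant time and not secure.
import math
import random

P = 419           # p = 4 * 3 * 5 * 7 - 1
LS = [3, 5, 7]    # the small odd primes l_1, l_2, l_3

def inv(a):
    return pow(a, P - 2, P)

def xdbl(X, Z, A):
    # x([2]P) from projective x(P) = (X : Z) on E_A : y^2 = x^3 + A x^2 + x
    t0, t1 = (X + Z) ** 2 % P, (X - Z) ** 2 % P
    t2 = (t0 - t1) % P
    return t0 * t1 % P, t2 * (t1 + (A + 2) * inv(4) * t2) % P

def xadd(XP, ZP, XQ, ZQ, XD, ZD):
    # differential addition: x(P + Q) from x(P), x(Q) and x(P - Q) = (XD : ZD)
    t0 = (XP + ZP) * (XQ - ZQ) % P
    t1 = (XP - ZP) * (XQ + ZQ) % P
    return ZD * (t0 + t1) ** 2 % P, XD * (t0 - t1) ** 2 % P

def ladder(k, X, Z, A):
    # Montgomery ladder: x([k]P) for x(P) = (X : Z); (1 : 0) stands for the point at infinity
    R0, R1 = (1, 0), (X, Z)
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(*R0, *R1, X, Z), xdbl(*R1, A)
        else:
            R0, R1 = xdbl(*R0, A), xadd(*R0, *R1, X, Z)
    return R0

def isogeny(A, XK, ZK, l, XQ, ZQ):
    # l-isogeny E_A -> E_B with kernel <K>, K of odd prime order l. With x_i = x([i]K):
    # tau = prod x_i, sigma = sum (x_i - 1/x_i), B = tau * (A - 3 * sigma) (Math slide #5).
    # Q is pushed through via x' = x * prod (x*x_i - 1)/(x - x_i) (Renes / Costello-Hisil).
    pts = [(XK, ZK), xdbl(XK, ZK, A)]
    for _ in range(3, l):
        pts.append(xadd(*pts[-1], XK, ZK, *pts[-2]))
    tau, sigma, XQ2, ZQ2 = 1, 0, XQ, ZQ
    for X, Z in pts:
        x = X * inv(Z) % P
        tau, sigma = tau * x % P, (sigma + x - inv(x)) % P
        XQ2, ZQ2 = XQ2 * (XQ * x - ZQ) % P, ZQ2 * (XQ - x * ZQ) % P
    return tau * (A - 3 * sigma) % P, XQ2, ZQ2

def action(A, e, rng=random):
    # Apply l_1^e_1 ... l_n^e_n to E_A: e_i > 0 uses kernel points in E_A(F_p) ("positive" steps),
    # e_i < 0 uses points with x in F_p but y outside F_p, i.e. on the twist ("negative" steps).
    e = list(e)
    while any(e):
        x = rng.randrange(1, P)
        leg = pow((x ** 3 + A * x * x + x) % P, (P - 1) // 2, P)  # Legendre symbol of the rhs
        s = 1 if leg == 1 else -1 if leg == P - 1 else 0         # +1: on E_A, -1: twist, 0: 2-torsion
        S = [i for i, ei in enumerate(e) if ei * s > 0]
        if not S:
            continue
        k = math.prod(LS[i] for i in S)
        X, Z = ladder((P + 1) // k, x, 1, A)           # the order of (X : Z) now divides k
        for i in S:
            if Z == 0:
                break                                  # point became infinity this round
            XR, ZR = ladder(k // LS[i], X, Z, A)       # infinity, or a point of order l_i
            k //= LS[i]
            if ZR == 0:
                continue                               # no l_i component; retry next round
            A, X, Z = isogeny(A, XR, ZR, LS[i], X, Z)  # one step; push the point along
            e[i] -= s
    return A

def key_exchange(ea, eb):
    # CSIDH as Diffie-Hellman: public keys are curves; both compositions land on the same curve.
    pub_a, pub_b = action(0, ea), action(0, eb)
    return action(pub_b, ea), action(pub_a, eb)
```

For $p = 419$ every curve this produces is one of the 27 nodes listed on the graph slide ($E_0, E_{158}, E_{261}, \dots$); for instance one positive 3-step from $E_0$ lands on $E_{158}$ and one negative 3-step on $E_{261} = E_{-158}$.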
Why no Shor?
Shor computes $\alpha$ from $h = g^\alpha$ by finding the kernel of the map $f : \mathbb{Z}^2 \to G,\ (x, y) \mapsto g^x \cdot h^y$.
For general group actions, we cannot compose $x * s$ and $y * (b * s)$. For CSIDH this would require composing two elliptic curves in some form compatible with the action of $G$.
CSIDH security
Core problem: given $E, E' \in X$, find a smooth-degree isogeny $E \to E'$.
Size of key space:
◮ About $\sqrt{p}$ of all $A \in \mathbb{F}_p$ are valid keys. (More precisely $\#\mathrm{cl}(\mathbb{Z}[\sqrt{-p}])$ keys.)
Without quantum computer:
◮ Meet-in-the-middle variants: time $O(\sqrt[4]{p})$. (2016 Delfs–Galbraith)
With quantum computer:
◮ Abelian hidden-shift algorithms apply. (2014 Childs–Jao–Soukharev)
◮ Kuperberg's algorithm has subexponential complexity.
CSIDH security:
◮ Public-key validation: quickly check that $E_A : y^2 = x^3 + Ax^2 + x$ has $p + 1$ points.
CSIDH-512 (https://csidh.isogeny.org/)
Definition:
◮ $p = 4 \cdot \prod_{i=1}^{74} \ell_i - 1$ with $\ell_1, \dots, \ell_{73}$ the first 73 odd primes and $\ell_{74} = 587$.
◮ Exponents $-5 \le e_i \le 5$ for all $1 \le i \le 74$.
Sizes:
◮ Private keys: 32 bytes. (37 in current software for simplicity.)
◮ Public keys: 64 bytes (just one $\mathbb{F}_p$ element).
Performance on a typical Intel Skylake laptop core:
◮ Clock cycles: about $12 \cdot 10^7$ per operation.
◮ Somewhat more for constant-time implementations.
Security:
◮ Pre-quantum: at least 128 bits.
◮ Post-quantum: complicated. Recent work analyzing the cost: see https://quantum.isogeny.org. Several papers analyze Kuperberg (2018 Biasse–Iezzi–Jacobson, 2018–2020 Bonnetain–Schrottenloher, 2020 Peikert); see https://csidh.isogeny.org/analysis.html
CSIDH vs. Kuperberg
Kuperberg's algorithm consists of two components:
1. Evaluate the group action many times. ("oracle calls")
2. Combine the results in a certain way. ("sieving")
◮ The algorithm admits many different tradeoffs.
◮ Oracle calls are expensive.
◮ The sieving phase has classical and quantum operations.
How to compare costs? (Is one qubit operation $\approx$ one bit operation? A hundred? Millions?)
$\Rightarrow$ It is still rather unclear how to choose CSIDH parameters.
...but all known attacks cost $\exp\bigl((\log p)^{1/2 + o(1)}\bigr)$! Recent improvements to sieving target the $o(1)$. Kuperberg applies to all commutative group actions.
SIDH – avoid commutativity
The supersingular isogeny graph over $\mathbb{F}_{p^2}$ looks different. Nodes are isomorphism classes of elliptic curves taken over any extension field. (All isomorphism classes of supersingular elliptic curves are defined over $\mathbb{F}_{p^2}$.)
SIDH: High-level view (2011 Jao–De Feo)
Problem: quadratic twists are identified, there are $\ell + 1$ isogenies of degree $\ell$ from any curve, no more sense of direction.
(Commutative diagram: $\varphi_A : E \to E/A$, $\varphi_B : E \to E/B$, $\varphi_{B'} : E/A \to E/\langle A, B \rangle$, $\varphi_{A'} : E/B \to E/\langle A, B \rangle$.)
◮ Alice & Bob pick secret subgroups $A$ and $B$ of $E$.
◮ Alice computes $\varphi_A : E \to E/A$; Bob computes $\varphi_B : E \to E/B$. (These isogenies correspond to walking on the isogeny graph.)
◮ Alice and Bob transmit the values $E/A$ and $E/B$.
◮ Alice somehow obtains $A' := \varphi_B(A)$. (Similar for Bob.)
◮ They both compute the shared secret $(E/B)/A' \cong E/\langle A, B \rangle \cong (E/A)/B'$.
◮ The key is an isomorphism class; make this usable by taking the $j$-invariant.
SIDH's auxiliary points
Previous slide: "Alice somehow obtains $A' := \varphi_B(A)$." Alice knows only $A$, Bob knows only $\varphi_B$.
◮ Alice picks $A$ as $\langle P + [a]Q \rangle$ for fixed public $P, Q \in E$.
◮ Bob includes $\varphi_B(P)$ and $\varphi_B(Q)$ in his public key.