isogeny graphs in cryptography
play

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, - PowerPoint PPT Presentation

Jul 19, 2023 •377 likes •1.96k views

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

  1. ✱ ✣ ✵ ✦ � ✦ � ✦ � ✦ ✵ ✵ ✿ ❂ ❂ What is /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣ ✭ P ✮ // E ✵ , A map E ✦ E a group morphism, with finite kernel E ❬ n ❪ ✬ ✭ ❩ ❂ n ❩ ✮ 2 any finite subgroup H ✚ E ), (//// the///////// torsion//////// group ///////////////////// surjective (in the algebraic closure), n 2 ★ H . given by rational maps of degree/// Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 11 / 93

  2. What is /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣ ✭ P ✮ // E ✵ , A map E ✦ E a group morphism, with finite kernel E ❬ n ❪ ✬ ✭ ❩ ❂ n ❩ ✮ 2 any finite subgroup H ✚ E ), (//// the///////// torsion//////// group ///////////////////// surjective (in the algebraic closure), n 2 ★ H . given by rational maps of degree/// (Separable) isogenies ✱ finite subgroups: ✣ ✦ E ✵ ✦ 0 0 � ✦ H � ✦ E � The kernel H determines the image curve E ✵ up to isomorphism def ❂ E ✵ ✿ E ❂ H Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 11 / 93

  3. ❋ ✄ ✼✦ Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x ✥ ✦ x 2 ✰ 1 y x 2 � 1 ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 12 / 93

  4. Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x Kernel generator in red. ✥ ✦ x 2 ✰ 1 y x 2 � 1 This is a degree 2 map. ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Analogous to x ✼✦ x 2 in ❋ ✄ q . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 12 / 93

  5. Isogeny properties Let ✣ ✿ E ✦ E ✵ be an isogeny defined over a field k of characteristic p . k ✭ E ✮ is the field of all rational functions from E to k ; ✣ ✄ k ✭ E ✵ ✮ is the subfield of k ✭ E ✮ defined as ✣ ✄ k ✭ E ✵ ✮ ❂ ❢ f ✍ ✣ ❥ f ✷ k ✭ E ✵ ✮ ❣ ✿ Degree, separability The degree of ✣ is ❞❡❣ ✣ ❂ ❬ k ✭ E ✮ ✿ ✣ ✄ k ✭ E ✵ ✮❪ . It is always finite. 1 ✣ is said to be separable, inseparable, or purely inseparable if the 2 extension of function fields is. If ✣ is separable, then ❞❡❣ ✣ ❂ ★ ❦❡r ✣ . 3 If ✣ is purely inseparable, then ❦❡r ✣ ❂ ❢❖❣ and ❞❡❣ ✣ is a power of p . 4 Any isogeny can be decomposed as a product of a separable and a 5 purely inseparable isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 13 / 93

  6. Isogeny properties Let ✣ ✿ E ✦ E ✵ be an isogeny defined over a field k of characteristic p . k ✭ E ✮ is the field of all rational functions from E to k ; ✣ ✄ k ✭ E ✵ ✮ is the subfield of k ✭ E ✮ defined as ✣ ✄ k ✭ E ✵ ✮ ❂ ❢ f ✍ ✣ ❥ f ✷ k ✭ E ✵ ✮ ❣ ✿ Degree, separability The degree of ✣ is ❞❡❣ ✣ ❂ ❬ k ✭ E ✮ ✿ ✣ ✄ k ✭ E ✵ ✮❪ . It is always finite. 1 ✣ is said to be separable, inseparable, or purely inseparable if the 2 extension of function fields is. If ✣ is separable, then ❞❡❣ ✣ ❂ ★ ❦❡r ✣ . 3 If ✣ is purely inseparable, then ❦❡r ✣ ❂ ❢❖❣ and ❞❡❣ ✣ is a power of p . 4 Any isogeny can be decomposed as a product of a separable and a 5 purely inseparable isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 13 / 93

  7. The dual isogeny Let ✣ ✿ E ✦ E ✵ be an isogeny of degree m . There is a unique isogeny ✣ ✿ E ✵ ✦ E such that ❫ ❫ ✣ ✍ ❫ ✣ ✍ ✣ ❂ ❬ m ❪ E ❀ ✣ ❂ ❬ m ❪ E ✵ ✿ ❫ ✣ is called the dual isogeny of ✣ ; it has the following properties: ❫ ✣ is defined over k if and only if ✣ is; 1 ✥ for any isogeny ✥ ✿ E ✵ ✦ E ✵✵ ; ❬ ✥ ✍ ✣ ❂ ❫ ✣ ✍ ❫ 2 ✥ ✰ ✣ ❂ ❫ ❭ ✥ ✰ ❫ ✣ for any isogeny ✥ ✿ E ✦ E ✵ ; 3 ❞❡❣ ✣ ❂ ❞❡❣ ❫ ✣ ; 4 ❫ ❫ ✣ ❂ ✣ . 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 14 / 93

  8. Isogeny graphs ✣ We look at the graph of elliptic curves with E ✵ E isogenies up to isomorphism. We say two isogenies ✣❀ ✣ ✵ are isomorphic if: ❡ ✣ ✵ E ✵ Example: Finite field, ordinary case, graph of isogenies of degree 3 . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 15 / 93

  9. What do isogeny graphs look like? Torsion subgroups ( ❵ prime) In an algebraically closed field: E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 ✰ There are exactly ❵ ✰ 1 cyclic subgroups H ✚ E of order ❵ : ❤ P ✰ Q ✐ ❀ ❤ P ✰ 2 Q ✐ ❀ ✿ ✿ ✿ ❀ ❤ P ✐ ❀ ❤ Q ✐ ✰ There are exactly ❵ ✰ 1 distinct (non-CM) 2 -isogeny graph over ❈ isogenies of degree ❵ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 16 / 93

  10. ✥ ✦ ✙ ✿ ♠♦❞ ❵ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✙ ✭ P ✮ ❂ aP ✰ bQ ✙ ✿ E � ✦ E ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� ✙ ✭ Q ✮ ❂ cP ✰ dQ E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 17 / 93

  11. ✥ ✦ ✙ ✭ ✮ ❂ ✙ ✿ ♠♦❞ ❵ ✙ ✭ ✮ ❂ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map aP ✰ bQ ✙ ✿ E � ✦ E ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� cP ✰ dQ E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 17 / 93

  12. ✙ ✭ ✮ ❂ ✙ ✿ ♠♦❞ ❵ ✙ ✭ ✮ ❂ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✥ ✦ aP ✰ bQ ✙ ✿ E � ✦ E ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� cP ✰ dQ E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 17 / 93

  13. ✙ ✭ ✮ ❂ ✰ ✙ ✿ ♠♦❞ ❵ ✙ ✭ ✮ ❂ ✰ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✥ ✦ a b ✙ ✿ E � ✦ E ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� c d E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 17 / 93

  14. ✙ ✭ ✮ ❂ ✰ ✙ ✭ ✮ ❂ ✰ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✥ ✦ a b ✙ ✿ E � ✦ E ✙ ✿ ♠♦❞ ❵ ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� c d E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 17 / 93

  15. ✙ ✭ ✮ ❂ ✰ ✙ ✭ ✮ ❂ ✰ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✥ ✦ a b ✙ ✿ E � ✦ E ✙ ✿ ♠♦❞ ❵ ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� c d We identify ✙ ❥ E ❬ ❵ ❪ to a conjugacy E is seen here as a curve over ✖ ❋ p . class in ●▲✭ ❩ ❂❵ ❩ ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 17 / 93

  16. � ✕ ✁ ✙ ❥ ❬ ❵ ❪ ✘ ✦ ❵ ✰ ✕ ✏ ✑ ✕ ✙ ❥ ❬ ❵ ❪ ✘ ✕ ✻ ❂ ✖ ✦ ✖ � ✕ ✄ ✁ ✙ ❥ ❬ ❵ ❪ ✘ ✦ ✕ ❩ ❂❵ ❩ ✙ ❥ ❬ ❵ ❪ ✦ What happens over a finite field ❋ p ? Galois invariant subgroups of E ❬ ❵ ❪ = eigenspaces of ✙ ✷ ●▲✭ ❩ ❂❵ ❩ ✮ = rational isogenies of degree ❵ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 18 / 93

  17. What happens over a finite field ❋ p ? Galois invariant subgroups of E ❬ ❵ ❪ = eigenspaces of ✙ ✷ ●▲✭ ❩ ❂❵ ❩ ✮ = rational isogenies of degree ❵ How many Galois invariant subgroups? � ✕ 0 ✁ ✦ ❵ ✰ 1 isogenies ✙ ❥ E ❬ ❵ ❪ ✘ 0 ✕ ✏ ✑ ✕ 0 with ✕ ✻ ❂ ✖ ✦ two isogenies ✙ ❥ E ❬ ❵ ❪ ✘ 0 ✖ � ✕ ✄ ✁ ✦ one isogeny ✙ ❥ E ❬ ❵ ❪ ✘ 0 ✕ ✙ ❥ E ❬ ❵ ❪ is not diagonalizable over ❩ ❂❵ ❩ ✦ no isogeny Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 18 / 93

  18. Weil pairing Let ✭ N ❀ p ✮ ❂ 1 , fix any basis E ❬ N ❪ ❂ ❤ R ❀ S ✐ . For any points P ❀ Q ✷ E ❬ N ❪ P ❂ aR ✰ bS Q ❂ cR ✰ dS ✁ ❂ ad � bc ✷ ❩ ❂ N ❩ � a b the form ❞❡t N ✭ P ❀ Q ✮ ❂ ❞❡t c d is bilinear, non-degenerate, and independent from the choice of basis. Theorem Let E ❂ ❋ q be a curve, there exists a Galois invariant bilinear map ✦ ✖ N ✚ ✖ ❋ q ❀ e N ✿ E ❬ N ❪ ✂ E ❬ N ❪ � called the Weil pairing of order N , and a primitive N -th root of unity ✏ ✷ ✖ ❋ q such that e N ✭ P ❀ Q ✮ ❂ ✏ ❞❡t N ✭ P ❀ Q ✮ ✿ The degree k of the smallest extension such that ✏ ✷ ❋ q k is called the embedding degree of the pairing. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 19 / 93

  19. Weil pairing and isogenies Note The Weil pairing is Galois invariant ✱ ❞❡t✭ ✙ ❥ E ❬ N ❪✮ ❂ q . Theorem Let ✣ ✿ E ✦ E ✵ be an isogeny and ❫ ✣ ✿ E ✵ ✦ E its dual. Let e N be the Weil pairing of E and e ✵ N that of E ✵ . Then, for e N ✭ P ❀ ❫ ✣ ✭ Q ✮✮ ❂ e ✵ N ✭ ✣ ✭ P ✮ ❀ Q ✮ ❀ for any P ✷ E ❬ N ❪ and Q ✷ E ✵ ❬ N ❪ . Corollary e ✵ N ✭ ✣ ✭ P ✮ ❀ ✣ ✭ Q ✮✮ ❂ e N ✭ P ❀ Q ✮ ❞❡❣ ✣ ✿ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 20 / 93

  20. From local to global Theorem (Hasse) Let E be defined over a finite field ❋ q . Its Frobenius map ✙ satisfies a quadratic equation ✙ 2 � t ✙ ✰ q ❂ 0 for some ❥ t ❥ ✔ 2 ♣ q , called the trace of ✙ . The trace t is coprime to q if and only if E is ordinary. Endomorphisms An isogeny E ✦ E is also called an endomorphism. Examples: scalar multiplication ❬ n ❪ , Frobenius map ✙ . With addition and composition, the endomorphisms form a ring ❊♥❞✭ E ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 21 / 93

  21. The endomorphism ring Theorem (Deuring) Let E be an ordinary elliptic curve defined over a finite field ❋ q . Let ✙ be its Frobenius endomorphism, and D ✙ ❂ t 2 � 4 q ❁ 0 the discriminant of its minimal polynomial. Then ❊♥❞✭ E ✮ is isomorphic to an order ❖ of the quadratic imaginary field ◗ ✭ ♣ D ✙ ✮ . a a An order is a subring that is a ❩ -module of rank 2 (equiv., a 2 -dimensional ❘ -lattice). In this case, we say that E has complex multiplication (CM) by ❖ . Theorem (Serre-Tate) CM elliptic curves E ❀ E ✵ are isogenous iff ❊♥❞✭ E ✮ ✡ ◗ ✬ ❊♥❞✭ E ✵ ✮ ✡ ◗ . Corollary: E ❂ ❋ p and E ✵ ❂ ❋ p are isogenous over ❋ p iff ★ E ✭ ❋ p ✮ ❂ ★ E ✵ ✭ ❋ p ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 22 / 93

  22. Endomorphism rings of ordinary curves Classifying quadratic orders Let K be a quadratic number field, and let ❖ K be its ring of integers. Any order ❖ ✚ K can be written as ❖ ❂ ❩ ✰ f ❖ K for an integer f , called the conductor of ❖ , denoted by ❬ ❖ K ✿ ❖ ❪ . If D K is the discriminant of K , the discriminant of ❖ is f 2 D K . If ❖ ❀ ❖ ✵ are two orders with discriminants D ❀ D ✵ , then ❖ ✚ ❖ ✵ iff D ✵ ❥ D . ❖ K ❩ ✰ 2 ❖ K ❩ ✰ 3 ❖ K ❩ ✰ 5 ❖ K ❩ ✰ 6 ❖ K ❩ ✰ 10 ❖ K ❩ ✰ 15 ❖ K ❩ ❬ ✙ ❪ ✬ ❩ ✰ 30 ❖ K Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 23 / 93

  23. Volcanology (Kohel 1996) Let E ❀ E ✵ be curves with respective if ❖ ❂ ❖ ✵ , ✣ is horizontal; endomorphism rings ❖ ❀ ❖ ✵ ✚ K . if ❬ ❖ ✵ ✿ ❖ ❪ ❂ ❵ , ✣ is ascending; Let ✣ ✿ E ✦ E ✵ be an isogeny of if ❬ ❖ ✿ ❖ ✵ ❪ ❂ ❵ , ✣ is descending. prime degree ❵ , then: ❊♥❞✭ E ✮ ❖ K ❩ ❬ ✙ ❪ Ordinary isogeny volcano of degree ❵ ❂ 3 . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 24 / 93

  24. ✿ ❩ ❬ ✙ ❪❪✮ ❂ ❵ ✭❬ ❖ Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K ✁ � D K ✁ ❖ K : maximal order of K , ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 25 / 93

  25. Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K ✁ � D K ✁ ❖ K : maximal order of K , ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 25 / 93

  26. Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K ✁ � D K ✁ ❖ K : maximal order of K , ❂ � 1 ❂ 0 ❵ ❵ D K : discriminant of K . Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . � D K ✁ How large is the crater? ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 25 / 93

  27. How large is the crater of a volcano? ♣ Let ❊♥❞✭ E ✮ ❂ ❖ ✚ ◗ ✭ � D ✮ . Define ■ ✭ ❖ ✮ , the group of invertible fractional ideals, P ✭ ❖ ✮ , the group of principal ideals, The class group The class group of ❖ is ❈❧✭ ❖ ✮ ❂ ■ ✭ ❖ ✮ ❂ P ✭ O ✮ ✿ It is a finite abelian group. Its order h ✭ ❖ ✮ is called the class number of ❖ . ♣ It arises as the Galois group of an abelian extension of ◗ ✭ � D ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 26 / 93

  28. Complex multiplication The a -torsion Let a ✚ ❖ be an (integral invertible) ideal of ❖ ; Let E ❬ a ❪ be the subgroup of E annihilated by a : E ❬ a ❪ ❂ ❢ P ✷ E ❥ ☛ ✭ P ✮ ❂ 0 for all ☛ ✷ a ❣ ❀ Let ✣ ✿ E ✦ E a , where E a ❂ E ❂ E ❬ a ❪ . Then ❊♥❞✭ E a ✮ ❂ ❖ (i.e., ✣ is horizontal). Theorem (Complex multiplication) The action on the set of elliptic curves with complex multiplication by ❖ defined by a ✄ j ✭ E ✮ ❂ j ✭ E a ✮ factors through ❈❧✭ ❖ ✮ , is faithful and transitive. Corollary ✏ ✑ D Let ❊♥❞✭ E ✮ have discriminant D . Assume that ❂ 1 , then E is on a ❵ crater of size N of an ❵ -volcano, and N ❥ h ✭❊♥❞✭ E ✮✮ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 27 / 93

  29. ❈❧✭ ❖ ✮ Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ � D ✮ ). ◗ ✭ E 5 E 1 E 6 E 12 E 7 E 11 E 8 E 10 E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 28 / 93

  30. ❈❧✭ ❖ ✮ Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ � D ✮ ). ◗ ✭ Edges are horizontal E 5 E 1 isogenies of bounded prime degree. degree 2 E 6 E 12 E 7 E 11 E 8 E 10 E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 28 / 93

  31. ❈❧✭ ❖ ✮ Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ � D ✮ ). ◗ ✭ Edges are horizontal E 5 E 1 isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 E 8 E 10 E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 28 / 93

  32. ❈❧✭ ❖ ✮ Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ � D ✮ ). ◗ ✭ Edges are horizontal E 5 E 1 isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 degree 5 E 8 E 10 E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 28 / 93

  33. Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ � D ✮ ). ◗ ✭ Edges are horizontal E 5 E 1 isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 degree 5 Isomorphic to a Cayley E 8 E 10 graph of ❈❧✭ ❖ K ✮ . E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 28 / 93

  34. Supersingular endomorphisms Recall, a curve E over a field ❋ q of characteristic p is supersingular iff ✙ 2 � t ✙ ✰ q ❂ 0 with t ❂ 0 ♠♦❞ p . Case: t ❂ 0 ✮ D ✙ ❂ � 4 q Only possibility for E ❂ ❋ p , E ❂ ❋ p has CM by an order of ◗ ✭ ♣� p ✮ , similar to the ordinary case. t ❂ ✝ 2 ♣ q Case: ✮ D ✙ ❂ 0 General case for E ❂ ❋ q , when q is an even power. ✙ ❂ ✝♣ q , hence no complex multiplication. We will ignore marginal cases: t ❂ ✝♣ q ❀ ✝♣ 2 q ❀ ✝♣ 3 q . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 29 / 93

  35. Supersingular complex multiplication Let E ❂ ❋ p be a supersingular curve, then ✙ 2 ❂ � p , and ✏ ♣� p ✑ 0 ✙ ❂ ♠♦❞ ❵ �♣� p 0 ✏ ✑ � p for any ❵ s.t. ❂ 1 . ❵ Theorem (Delfs and Galbraith 2016) Let ❊♥❞ ❋ p ✭ E ✮ denote the ring of ❋ p -rational endomorphisms of E . Then ❩ ❬ ✙ ❪ ✚ ❊♥❞ ❋ p ✭ E ✮ ✚ ◗ ✭ ♣� p ✮ ✿ Orders of ◗ ✭ ♣� p ✮ If p ❂ 1 ♠♦❞ 4 , then ❩ ❬ ✙ ❪ is the maximal order. If p ❂ � 1 ♠♦❞ 4 , then ❩ ❬ ✙ ✰ 1 2 ❪ is the maximal order, and ❬ ❩ ❬ ✙ ✰ 1 2 ❪ ✿ ❩ ❬ ✙ ❪❪ ❂ 2 . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 30 / 93

  36. Supersingular CM graphs 2 -volcanoes, p ❂ � 1 ♠♦❞ 4 ❩ ❬ ✙ ✰ 1 2 ❪ ❩ ❬ ✙ ❪ 2 -graphs, p ❂ 1 ♠♦❞ 4 ❩ ❬ ✙ ❪ ✏ ✑ � p All other ❵ -graphs are cycles of horizontal isogenies iff ❂ 1 . ❵ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 31 / 93

  37. The full endomorphism ring Theorem (Deuring) Let E be a supersingular elliptic curve, then E is isomorphic to a curve defined over ❋ p 2 ; Every isogeny of E is defined over ❋ p 2 ; Every endomorphism of E is defined over ❋ p 2 ; ❊♥❞✭ E ✮ is isomorphic to a maximal order in a quaternion algebra ramified at p and ✶ . In particular: If E is defined over ❋ p , then ❊♥❞ ❋ p ✭ E ✮ is strictly contained in ❊♥❞✭ E ✮ . Some endomorphisms do not commute! Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 32 / 93

  38. An example The curve of j -invariant 1728 E ✿ y 2 ❂ x 3 ✰ x is supersingular over ❋ p iff p ❂ � 1 ♠♦❞ 4 . Endomorphisms ❊♥❞✭ E ✮ ❂ ❩ ❤ ✓❀ ✙ ✐ , with: ✙ the Frobenius endomorphism, s.t. ✙ 2 ❂ � p ; ✓ the map ✓ ✭ x ❀ y ✮ ❂ ✭ � x ❀ iy ✮ ❀ where i ✷ ❋ p 2 is a 4-th root of unity. Clearly, ✓ 2 ❂ � 1 . And ✓✙ ❂ � ✙✓ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 33 / 93

  39. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 1728 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 34 / 93

  40. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 1728 ❈❧✭ � 4 p ✮ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 34 / 93

  41. ❈❧✭ � ✮ ❂ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 34 / 93

  42. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 0 ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 34 / 93

  43. ❂ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party ❈❧✭ � 3 ✮ ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 34 / 93

  44. ❂ ❂ Class group action party ❈❧✭ � 3 ✮ ❈❧✭ � 4 ✮ ❈❧✭ � 4 p ✮ ❈❧✭ � 23 ✮ ❈❧✭ � 79 ✮ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 34 / 93

  45. Quaternion algebra?! WTF? 2 The quaternion algebra B p ❀ ✶ is: A 4 -dimensional ◗ -vector space with basis ✭ 1 ❀ i ❀ j ❀ k ✮ . A non-commutative division algebra 1 B p ❀ ✶ ❂ ◗ ❤ i ❀ j ✐ with the relations: i 2 ❂ a ❀ j 2 ❂ � p ❀ ij ❂ � ji ❂ k ❀ for some a ❁ 0 (depending on p ). All elements of B p ❀ ✶ are quadratic algebraic numbers. B p ❀ ✶ ✡ ◗ ❵ ✬ ▼ 2 ✂ 2 ✭ ◗ ❵ ✮ for all ❵ ✻ ❂ p . I.e., endomorphisms restricted to E ❬ ❵ e ❪ are just 2 ✂ 2 matrices ♠♦❞ ❵ e . B p ❀ ✶ ✡ ❘ is isomorphic to Hamilton’s quaternions. B p ❀ ✶ ✡ ◗ p is a division algebra. 1 All elements have inverses. 2 What The Field? Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 35 / 93

  46. Supersingular graphs Quaternion algebras have many maximal orders. For every maximal order type of B p ❀ ✶ there are 1 or 2 curves over ❋ p 2 having endomorphism ring isomorphic to it. There is a unique isogeny class of supersingular curves over ✖ ❋ p of size ✙ p ❂ 12 . Lef ideals act on the set of maximal orders like isogenies. Figure: 3 -isogeny graph on ❋ 97 2 . The graph of ❵ -isogenies is ✭ ❵ ✰ 1 ✮ -regular. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 36 / 93

  47. Graphs lexicon Degree: Number of (outgoing/ingoing) edges. k -regular: All vertices have degree k . Connected: There is a path between any two vertices. Distance: The length of the shortest path between two vertices. Diamater: The longest distance between two vertices. ✕ 1 ✕ ✁ ✁ ✁ ✕ ✕ n : The (ordered) eigenvalues of the adjacency matrix. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 37 / 93

  48. Expander graphs Proposition If G is a k -regular graph, its largest and smallest eigenvalues satisfy k ❂ ✕ 1 ✕ ✕ n ✕ � k ✿ Expander families An infinite family of connected k -regular graphs on n vertices is an expander family if there exists an ✎ ❃ 0 such that all non-trivial eigenvalues satisfy ❥ ✕ ❥ ✔ ✭ 1 � ✎ ✮ k for n large enough. Expander graphs have short diameter ( O ✭❧♦❣ n ✮ ); Random walks mix rapidly (afer O ✭❧♦❣ n ✮ steps, the induced distribution on the vertices is close to uniform). Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 38 / 93

  49. Expander graphs from isogenies Theorem (Pizer 1990, 1998) Let ❵ be fixed. The family of graphs of supersingular curves over ❋ p 2 with ❵ -isogenies, as p ✦ ✶ , is an expander family a . a Even better, it has the Ramanujan property. Theorem (Jao, Miller, and Venkatesan 2009) ♣ Let ❖ ✚ ◗ ✭ � D ✮ be an order in a quadratic imaginary field. The graphs of all curves over ❋ q with complex multiplication by ❖ , with isogenies of prime degree bounded a by ✭❧♦❣ q ✮ 2 ✰ ✍ , are expanders. a May contain traces of GRH. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 39 / 93

  50. Overview Isogeny graphs 1 Elliptic Curves Isogenies Isogeny graphs Endomorphism rings Ordinary graphs Supersingular graphs Cryptography 2 Isogeny walks and Hash functions Pairing verification and Verifiable Delay Functions Key exchange Open Problems Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 40 / 93

  51. History of isogeny-based cryptography 1996 Couveignes introduces the Hard Homogeneous Spaces (HHS). His work stays unpublished for 10 years. 2006 Rostovtsev & Stolbunov independently rediscover Couveignes ideas, suggest isogeny-based Diffie–Hellman as a quantum-resistant primitive. 2007 Charles, Goren & Lauter propose supersingular 2 -isogeny graphs as a foundation for a “provably secure” hash function. 2011-2012 D., Jao & Plût introduce SIDH, an efficient post-quantum key exchange inspired by Couveignes, Rostovtsev, Stolbunov, Charles, Goren, Lauter. 2017 SIDH is submitted to the NIST competition (with the name SIKE, only isogeny-based candidate). 2018 Castryck, Lange, Martindale, Panny & Renes publish an efficient variant of HHS named CSIDH. 2019 New isogeny protocols: Signatures, Verifiable Delay Functions, ... Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 41 / 93

  52. ❵ ✚ ❵ ⑦ ❖ ✭ ❵ ✮ Computing Isogenies Vélu’s formulas Input: A subgroup H ✚ E , Output: The isogeny ✣ ✿ E ✦ E ❂ H . Complexity: O ✭ ❵ ✮ — Vélu 1971, ... Why? Evaluate isogeny on points P ✷ E ; Walk in isogeny graphs. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 42 / 93

  53. Computing Isogenies Vélu’s formulas Input: A subgroup H ✚ E , Output: The isogeny ✣ ✿ E ✦ E ❂ H . Complexity: O ✭ ❵ ✮ — Vélu 1971, ... Why? Evaluate isogeny on points P ✷ E ; Walk in isogeny graphs. Explicit Isogeny Problem Input: Curve E , (prime) integer ❵ Output: All subgroups H ✚ E of order ❵ . Complexity: ⑦ ❖ ✭ ❵ 2 ✮ — Elkies 1992 Why? List all isogenies of given degree; Count points of elliptic curves; Compute endomorphism rings of elliptic curves; Walk in isogeny graphs. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 42 / 93

  54. ✵ ❀ ✵ ✣ ✿ ✦ Computing Isogenies Explicit Isogeny Problem (2) Input: Curves E ❀ E ✵ , isogenous of degree ❵ . Output: The isogeny ✣ ✿ E ✦ E ✵ of degree ❵ . Complexity: O ✭ ❵ 2 ✮ — Elkies 1992; Couveignes 1996; Lercier and Sirvent 2008; De Feo 2011; De Feo, Hugounenq, Plût, and Schost 2016; Lairez and Vaccon 2016, ... Why? Count points of elliptic curves. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 43 / 93

  55. Computing Isogenies Explicit Isogeny Problem (2) Input: Curves E ❀ E ✵ , isogenous of degree ❵ . Output: The isogeny ✣ ✿ E ✦ E ✵ of degree ❵ . Complexity: O ✭ ❵ 2 ✮ — Elkies 1992; Couveignes 1996; Lercier and Sirvent 2008; De Feo 2011; De Feo, Hugounenq, Plût, and Schost 2016; Lairez and Vaccon 2016, ... Why? Count points of elliptic curves. Isogeny Walk Problem Input: Isogenous curves E ❀ E ✵ . Output: An isogeny ✣ ✿ E ✦ E ✵ of smooth degree. Complexity: Generically hard — Galbraith, Hess, and Nigel P. Smart 2002, ... Why? Cryptanalysis (ECC); Foundational problem for isogeny-based cryptography. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 43 / 93

  56. Random walks and hash functions (circa 2006) Any expander graph gives rise to a hash function. 1 1 1 1 1 1 v ✵ H ✭ 010101 ✮ ❂ v ✵ v 0 0 0 0 0 0 Fix a starting vertex v ; The value to be hashed determines a random path to v ✵ ; v ✵ is the hash. (Denis X. Charles, Kristin E. Lauter, and Goren 2009) hash function (CGL) Use the expander graph of supersingular 2 -isogenies; ✮ Collision resistance ❂ hardness of finding cycles in the graph; 2nd preimage resistance Preimage resistance = hardness of finding a path from v to v ✵ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 44 / 93

  57. Hardness of CGL Finding cycles Analogous to finding endomorphisms... ...very bad idea to start from a curve with known endomorphism ring! Translation algortihm: elements of B p ❀ ✶ ✩ isogeny loops Doable in ♣♦❧②❧♦❣✭ p ✮ . a a Kohel, K. Lauter, Petit, and Tignol 2014; Eisenträger, Hallgren, K. Lauter, Morrison, and Petit 2018. Finding paths E ✦ E ✵ Analogous to finding connecting ideals between two maximal orders ❖ ❀ ❖ ✵ (i.e. a lef ideal I ✚ ❖ that is a right ideal of ❖ ✵ ). Poly-time equivalent to computing ❊♥❞✭ E ✮ and ❊♥❞✭ E ✵ ✮ . a Best known algorithm to compute ❊♥❞✭ E ✮ takes ♣♦❧②✭ p ✮ . b a Eisenträger, Hallgren, K. Lauter, Morrison, and Petit 2018. b Kohel 1996; Cerviño 2004. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 45 / 93

  58. Kohel, K. Lauter, Petit, and Tignol 2014 (KLPT) Input: Maximal order ❖ ✚ B p ❀ ✶ and associated curve E , Lef ideal I ✚ ❖ . Maximal order ❖ ✵ ✚ B p ❀ ✶ s.t. I connects ❖ to ❖ ✵ , Output: Equivalent ideal J (i.e., also connecting ❖ to ❖ ✵ ) of [smooth/power-smooth] norm. Isogeny walk associated to J . Complexity: ♣♦❧②❧♦❣✭ p ✮ , Output size: ♣♦❧②❧♦❣✭ p ✮ , Useful for: ■ “Shortening” isogeny walks (see VDFs), ■ “Reducing” isogeny walks (see Signatures), when these start from a curve with known endomorphism ring! (think j ❂ 0 ❀ 1728 and other curves with small CM discriminant) Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 46 / 93

  59. Sampling supersingular curves How to sample: A supersingular curve E ❂ ❋ p ? A supersingular curve E ❂ ❋ p 2 ? Random walks Start from a supersingular curve E 0 with small CM discriminant (e.g.: j ❂ 1728 ), Do a random walk E 0 ✦ E until reaching the mixing bound ( O ✭❧♦❣✭ p ✮✮ steps). Problem: the random walk reveals ❊♥❞✭ E ✮ via the KLPT algorithm. Open problem Give an algorithm to sample (uniformly) random supersingular curves in a way that does not reveal the endomorphism ring. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 47 / 93

  60. Boneh, Lynn, and Shacham 2004 signatures (BLS) Setup: Elliptic curve E ❂ ❋ p , s.t N ❥ ★ E ✭ ❋ p ✮ for a large prime N , (Weil) pairing e N ✿ E ❬ N ❪ ✂ E ❬ N ❪ ✦ ❋ p k for some small embedding degree k , A decomposition E ❬ N ❪ ❂ X 1 ✂ X 2 , with X 1 ❂ ❤ P ✐ . A hash function H ✿ ❢ 0 ❀ 1 ❣ ✄ ✦ X 2 . Private key: s ✷ ❩ ❂ N ❩ . Public key: sP . Sign: m ✼✦ sH ✭ m ✮ . Verifiy: e N ✭ P ❀ sH ✭ m ✮✮ ❂ e N ✭ sP ❀ H ✭ m ✮✮ . ❬ s ❪ ✂ 1 X 1 ✂ X 2 X 1 ✂ X 2 1 ✂ ❬ s ❪ e N ❋ p k X 1 ✂ X 2 e N Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 48 / 93

  61. US patent 8,250,367 3 Signatures from isogenies + pairings Replace the secret ❬ s ❪ ✿ E ✦ E with an isogeny ✣ ✿ E ✦ E ✵ ; Define decompositions E ✵ ❬ N ❪ ❂ Y 1 ✂ Y 2 ❀ E ❬ N ❪ ❂ X 1 ✂ X 2 ❀ s.t. ✣ ✭ X 1 ✮ ❂ Y 1 and ✣ ✭ X 2 ✮ ❂ Y 2 ; Define a hash function H ✿ ❢ 0 ❀ 1 ❣ ✄ ✦ Y 2 . ✣ ✂ 1 X 1 ✂ Y 2 Y 1 ✂ Y 2 1 ✂ ❫ e ✵ ✣ N ❋ p k X 1 ✂ X 2 e N 3 Broker, Denis X Charles, and Kristin E Lauter 2012. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 49 / 93

  62. US patent 8,250,367 3 Signatures from isogenies + pairings Replace the secret ❬ s ❪ ✿ E ✦ E with an isogeny ✣ ✿ E ✦ E ✵ ; Define decompositions E ✵ ❬ N ❪ ❂ Y 1 ✂ Y 2 ❀ E ❬ N ❪ ❂ X 1 ✂ X 2 ❀ s.t. ✣ ✭ X 1 ✮ ❂ Y 1 and ✣ ✭ X 2 ✮ ❂ Y 2 ; Define a hash function H ✿ ❢ 0 ❀ 1 ❣ ✄ ✦ Y 2 . ✣ ✂ 1 X 1 ✂ Y 2 Y 1 ✂ Y 2 Useless, but nice! 1 ✂ ❫ e ✵ ✣ N ❋ p k X 1 ✂ X 2 e N 3 Broker, Denis X Charles, and Kristin E Lauter 2012. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 49 / 93

  63. Verifiable Delay Functions A Verifiable Delay Function (VDF) is a function f ✿ X ✦ Y s.t.: Evaluating f at random x ✷ X is provably “slow” (e.g., ♣♦❧②✭★ X ✮ ), Given x ✷ X and y ✷ Y , verifying that f ✭ x ✮ ❂ y can be done “fast” (e.g., ♣♦❧②❧♦❣✭★ X ✮ ). (non)-Example: time-lock puzzles Take a trapdoor group G of (e.g., G ❂ ❩ ❂ N ❩ with N ❂ pq ); Define f ✿ G ✦ G as f ✭ g ✮ ❂ g 2 T : ■ Best algorithm if p ❀ q known: compute g 2 T ♠♦❞ ✬ ✭ pq ✮ ♣♦❧②❧♦❣✭ N ✮ ■ Best algorithm if p ❀ q unknown: T squarings O ✭ T ✮ However, in VDFs we want to let anyone verify efficiently. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 50 / 93

  64. VDFs from groups of unknown order Interactive verification protocol (Wesolowski 2019) Verifier chooses a prime ❵ in a set of small primes P ; 1 Prover computes 2 T ❂ a ❵ ✰ b , sends g 2 T ❀ g a to verifier; 2 Verifier computes 2 T ❂ a ❵ ✰ b , checks that 3 g 2 T ❂ ✭ g a ✮ ❵ g b Can be made non-interactive via Fiat-Shamir. Candidate groups of unknown order: RSA groups ❩ ❂ N ❩ , needs trusted third party to generate N ❂ pq ; Quadratic imaginary class groups ❈❧✭ � D ✮ for large random discriminants � D ❁ 0 . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 51 / 93

  65. VDFs from isogenies and pairings 4 ✣ ✂ 1 X 1 ✂ Y 2 Y 1 ✂ Y 2 1 ✂ ❫ e ✵ ✣ N ❋ p k X 1 ✂ X 2 e N Setup: Supersingular curve E ❂ ❋ p with (Weil) pairing e N ; Public isogeny ✣ ✿ E ✦ E ✵ of degree 2 T ; ✣ ✿ E ✵ ✦ E ; The dual isogeny ❫ A generator ❤ P ✐ ❂ X 1 ✚ E ❬ N ❪ , compute ✣ ✭ P ✮ . Evaluate: On input a random Q ✷ Y 2 ✚ E ✵ ❬ N ❪ , compute ❫ ✣ ✭ Q ✮ . Verify: Check that e N ✭ P ❀ ❫ ✣ ✭ Q ✮✮ ❂ e ✵ N ✭ ✣ ✭ P ✮ ❀ Q ✮ . 4 De Feo, Masson, Petit, and Sanso 2019. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 52 / 93

  66. Security Obvious attack: Pairing inversion must be hard (not post-quantum). ✣ ✿ E ✵ ✦ E than composing T Wanted: No better way to evaluate ❫ degree 2 isogenies. Shortcuts If we can find a shorter way from E to E ✵ , we can evaluate ❫ ✣ faster. Shortcuts are easy to compute: ■ If the isogeny graph is small (excludes ordinary pairing friendly curves); ■ If ❊♥❞✭ E ✮ or ❊♥❞✭ E ✵ ✮ is known (via KLPT). Needed: choose E ❂ ❋ p in a way that does not reveal ❊♥❞✭ E ✮ ; Only known solution: let a trusted third party generate E . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 53 / 93

  67. Let’s get back to Diffie-Hellman R Q P P ✰ Q Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 54 / 93

  68. ✰ Let’s get back to Diffie-Hellman Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 54 / 93

  69. ✰ Let’s get back to Diffie-Hellman Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 54 / 93

  70. ✰ Let’s get back to Diffie-Hellman Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 54 / 93

  71. ✰ Let’s get back to Diffie-Hellman Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 54 / 93

  72. ✰ Let’s get back to Diffie-Hellman Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 54 / 93

  73. Elliptic curves I power 70% of WWW traffic! Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 55 / 93

  74. The Q Menace Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 56 / 93

  75. Post-quantum cryptographer? Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 57 / 93

  76. Elliptic curves of the world, UNITE! QUOUSQUE QUANTUM? QUANTUM SUFFICIT! Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 58 / 93

  77. And so, they found a way around the Q... Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 59 / 93

  78. And so, they found a way around the Q... Public curve Public curve Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 59 / 93

  79. And so, they found a way around the Q... Public curve Shared secret Public curve Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 59 / 93

  80. ✭ ❩ ❂ ❩ ✮ ✂ ✚ � ✚ ✭ ❀ ♥ ❢ ❣ ✮ ✼✦ ✼✦ ✼✦ Expander graphs from groups Let G ❂ ❤ g ✐ be a cyclic g 8 group of order p . g 3 g 4 g 6 g 2 g 12 g 1 g 11 g 7 g 9 g 10 g 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Mar 18, 2019 — Maths of PKC 60 / 93

Recommend

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

1.87k views • 144 slides
Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles & Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

1.01k views • 73 slides
Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

302 views • 27 slides
BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

ERNEST HUNTER DIMITAR BENJAMIN BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION TO ISOGENY GRAPHS

770 views • 63 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain

Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain

Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chlo Martindale, Damien Robert Isogenies on elliptic curves Abelian

598 views • 44 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel

Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel

Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel Deyts Universit Paris Saclay UVSQ Dec 14, 2018, UVSQ, Versailles Elliptic curves Let E y 2 x 3 ax b be an elliptic curve...

1.02k views • 85 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de Mathmatiques de Marseille Journes Nationales de Calcul Formel 2019 CIRM, Luminy, 7 February 2019 Leonardo COL ( I2M-AMU ) OSIDH 7 February 2019 2

966 views • 73 slides
Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr ager (Penn State), Sean Hallgren (Penn State), Kristin Lauter (Microsoft Research), Travis Morrison (Penn State), Christophe Petit (Birmingham)

427 views • 38 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques de Marseille Number-Theoretic Methods in Cryptology 2019 Sorbonne Universit, Institut de Mathmatiques de Jussieu Paris, 26 June 2019 Leonardo

739 views • 53 slides
Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5

Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5

Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5 fvrier 2013 Sorina Ionica 1 / 35 Cryptographic motivation We need an abelian variety of small dimension (i.e. 1,2) defined over F q s.t. # A ( F q

833 views • 35 slides
Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4

Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4

Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4 Benjamin Smith 3 1 UVSQ, Universit Paris Saclay 2 cole normale suprieure, Paris 3 Inria and cole polytechnique, Universit Paris Saclay 4 Inria

882 views • 74 slides

More recommend