loop abort faults on supersingular isogeny cryptosystems
play

Loop-abort faults on supersingular isogeny cryptosystems Alexandre - PowerPoint PPT Presentation

Feb 25, 2024 •368 likes •955 views

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski Laboratoire dInformatique de Paris 6 Sorbonne Universits UPMC, France cole Polytechnique Fdrale de Lausanne, EPFL IC LACAL, Switzerland

  1. Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d’Informatique de Paris 6 – Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Switzerland PQCrypto 2017 – Utrecht 2017/06/26 Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  2. Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  3. Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  4. Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve: Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  5. Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve: Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  6. Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k such that � � # E F p k = 1 mod p . Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  7. Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k such that � � # E F p k = 1 mod p . Interesting properties: All supersingular elliptic curves can be defined over F p 2 p About 12 supersingular elliptic curves, up to isomorphism Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  8. Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by deg φ = # Ker φ . Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  9. Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by deg φ = # Ker φ . Interesting properties: ⇒ a unique E 2 and φ such that G ⊂ E 1 = φ : E 1 → E 2 and Ker φ = G � � E 2 = E / G is obtained in O deg φ Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  10. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  11. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  12. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E � � ℓ n A point R A chosen randomly in E A Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  13. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E � � ℓ n A point R A chosen randomly in E A A } 2 random, → ( m A , n A ) ∈ {1,..., ℓ n − � � ℓ n R A = m A P A + n A Q A for 〈 P A , Q A 〉 = E A Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  14. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E � � ℓ n A point R A chosen randomly in E A φ A A } 2 random, → ( m A , n A ) ∈ {1,..., ℓ n − � � ℓ n R A = m A P A + n A Q A for 〈 P A , Q A 〉 = E A ⇒ the curve E A = E / 〈 R A 〉 and φ A : E → E A E A = Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  15. Key-Exchange Protocol A prime p such that p + 1 = ℓ n A ℓ m B A supersingular elliptic curve E with ℓ n A ℓ m B points E � � ℓ n A point R A chosen randomly in E A φ A φ B A } 2 random, → ( m A , n A ) ∈ {1,..., ℓ n − � � ℓ n R A = m A P A + n A Q A for 〈 P A , Q A 〉 = E A ⇒ the curve E A = E / 〈 R A 〉 and φ A : E → E A E A E B = � � ℓ m A point R B = m B P B + n B Q B random in E = 〈 P B , Q B 〉 , B the curve E B = E / 〈 R B 〉 and φ B : E → E B Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  16. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B E A E B Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  17. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B Alice computes E AB = E B / 〈 m A φ B ( P A ) + n A φ B ( Q A ) 〉 E A E B E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  18. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B Alice computes E AB = E B / 〈 m A φ B ( P A ) + n A φ B ( Q A ) 〉 E A E B Bob computes E BA = E A / 〈 m B φ A ( P B ) + n B φ A ( Q B ) 〉 E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  19. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B Alice computes E AB = E B / 〈 m A φ B ( P A ) + n A φ B ( Q A ) 〉 E A E B Bob computes E BA = E A / 〈 m B φ A ( P B ) + n B φ A ( Q B ) 〉 E AB ≃ E / 〈 R A , R B 〉 ≃ E BA so j ( E AB ) = j ( E BA ) E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  20. Key-Exchange Protocol � � Bob sends E B , φ B ( P A ), φ B ( Q A ) E where 〈 φ B ( P A ), φ B ( Q A ) 〉 = E B [ ℓ n A ] φ A φ B Alice computes E AB = E B / 〈 m A φ B ( P A ) + n A φ B ( Q A ) 〉 E A E B Bob computes E BA = E A / 〈 m B φ A ( P B ) + n B φ A ( Q B ) 〉 E AB ≃ E / 〈 R A , R B 〉 ≃ E BA so j ( E AB ) = j ( E BA ) � ⇒ j ( E AB ) secret shared by Alice and Bob = E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  21. Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2 , find an isogeny between them of degree ℓ n A . Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  22. Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2 , find an isogeny between them of degree ℓ n A . Equivalent to find a path of fixed length in the isogeny graph Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  23. Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2 , find an isogeny between them of degree ℓ n A . Equivalent to find a path of fixed length in the isogeny graph � � � � p � ℓ n Brute-force attack in O ≈ O A Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  24. Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2 , find an isogeny between them of degree ℓ n A . Equivalent to find a path of fixed length in the isogeny graph � � � � p � ℓ n Brute-force attack in O ≈ O A � � � � n � p Claw finding: Find a collision in O 2 ℓ ≈ O 4 A Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  25. Attack framework Alice uses a static private key ( m A , n A ) E φ A φ B E A E B E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  26. Attack framework Alice uses a static private key ( m A , n A ) E ⇒ E A and φ A can be precomputed = φ A φ B E A E B E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  27. Attack framework Alice uses a static private key ( m A , n A ) E ⇒ E A and φ A can be precomputed = φ A φ B The attacker plays the role of Bob E A E B E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

  28. Attack framework Alice uses a static private key ( m A , n A ) E ⇒ E A and φ A can be precomputed = φ A φ B The attacker plays the role of Bob Focus on the isogeny from E B to E B / 〈 m A P ′ A + n A Q ′ A 〉 , E A E B where P ′ A = φ B ( P A ) and Q ′ A = φ B ( Q A ) E AB Alexandre Gélin, Benjamin Wesolowski Loop-abort faults on supersingular isogeny cryptosystems

Recommend

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

379 views • 33 slides
On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland AsiaCrypt 2016, 5th of December 1/17 Outline Joint work with Steven Galbraith , Christophe Petit and Barak Shani . 1

242 views • 23 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionQ, Inc. Full list of submitters: Reza Azarderakhsh, FAU Amir Jalali, LinkedIn Michael Naehrig, MSR Matt Campagna, Amazon David Jao, UW

365 views • 10 slides
The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO

The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO

The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO Kickoff meeting, Bordeaux, February 2020 Microsoft Research and Inria + cole polytechnique 1 g = 1 A directed multigraph (but almost a graph)

408 views • 25 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca

Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca

Supersingular Isogeny Key Encapsulation Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev November 14 ECC 2017 Nijmegen,

769 views • 75 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de Mathmatiques de Marseille Journes Nationales de Calcul Formel 2019 CIRM, Luminy, 7 February 2019 Leonardo COL ( I2M-AMU ) OSIDH 7 February 2019 2

966 views • 73 slides
The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this

The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this

The Computational Supersingular Isogeny Problem Alfred Menezes NutMiC 2019 1 Goals of this talk 1. Highlight some of the complications with assessing the cost of known attacks on computational problems. 2. Highlight some of the

640 views • 35 slides
Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr ager (Penn State), Sean Hallgren (Penn State), Kristin Lauter (Microsoft Research), Travis Morrison (Penn State), Christophe Petit (Birmingham)

427 views • 38 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques de Marseille Number-Theoretic Methods in Cryptology 2019 Sorbonne Universit, Institut de Mathmatiques de Jussieu Paris, 26 June 2019 Leonardo

739 views • 53 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
On supersingular varieties Ichiro Shimada Hiroshima University 24 September, 2010, Nagoya 1 /

On supersingular varieties Ichiro Shimada Hiroshima University 24 September, 2010, Nagoya 1 /

On supersingular varieties On supersingular varieties Ichiro Shimada Hiroshima University 24 September, 2010, Nagoya 1 / 28 On supersingular varieties Frobenius supersingular varieties Definition Let X be a smooth projective variety over F q

601 views • 28 slides
Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer Well talk about just one in detail: the one-time pad .

250 views • 6 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides
Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen 4.4.2007

Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen 4.4.2007

Nature of ubiquitous faults Communication Faults and Agreement Limits to Number of Ubiquitous Faults for Majority Unanimity in Spite of Ubiquitous Faults Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen

685 views • 36 slides
W HAT A BOUT P AXOS ? Paxos tolerates a minority of processing failing by crashing . What

W HAT A BOUT P AXOS ? Paxos tolerates a minority of processing failing by crashing . What

B YZANTINE F AULT T OLERANCE Ellis Michael A H IERARCHY OF F AULT M ODELS No faults Crash faults Byzantine faults People who use tabs instead of spaces B YZANTINE F AULTS Also called "general" or "arbitrary" faults.

563 views • 31 slides
Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given the time Security Notions and computational resources. However,

307 views • 10 slides
Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1) Brian Randell Brian Randell Brian Randell WADS-3, May 2004 1 The Menu The Menu The Menu On Dependability Concepts On Fault Assumptions

600 views • 20 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th,

I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th,

I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th, 2007 Dependable Systems and Networks Outline Fault classes Permanent faults Transient faults Intermittent faults Field

709 views • 24 slides

More recommend