Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances


  1. Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances
     Reza Azarderakhsh (1), David Jao (2, 3), Christopher Leonardi (2)
     (1) Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University
     (2) Department of Combinatorics and Optimization, University of Waterloo
     (3) evolutionQ, Inc., Waterloo, Ontario, Canada
     August 2017
     Azarderakhsh, Jao, Leonardi Post-Quantum Key Agreement August 2017 1 / 21

  2. (1) Isogeny-Based Key Agreement: Elliptic Curve Background, Jao-De Feo Key Agreement, Active Attack. (2) Multiple Instances of Key Agreement: Protocol, Security. (3) $k$-SIDH: Security, Conclusion.

  6. Isogeny-Based Key Agreement: Elliptic Curve Background
     - An elliptic curve over a finite field $\mathbb{F}_{p^n}$, $E(\mathbb{F}_{p^n}) = \{(x, y) \in (\mathbb{F}_{p^n})^2 : y^2 = x^3 + ax + b\} \cup \{\mathcal{O}\}$, is a finite Abelian group.
     - The $m$-torsion subgroup: $E[m] = \{P \in E(\mathbb{F}_p) : [m]P = \mathcal{O}\}$.
     - $E$ is called supersingular if $\forall r \in \mathbb{N}$, $E[p^r] = \{\mathcal{O}\}$ (otherwise $E$ is called ordinary).
     - The $j$-invariant is a unique element of $\mathbb{F}_{p^n}$ associated to each $\mathbb{F}_{p^n}$-isomorphism family of elliptic curves: $j(E) = 1728 \frac{4a^3}{4a^3 + 27b^2} \in \mathbb{F}_{p^n}$.

  9. Isogeny-Based Key Agreement: Elliptic Curve Background
     - An isogeny $\phi : E \to E'$ over $\mathbb{F}_q$ is a non-constant rational map defined over $\mathbb{F}_q$ such that $\phi(\mathcal{O}_E) = \mathcal{O}_{E'}$, and is a group homomorphism from $E(\mathbb{F}_{p^n})$ to $E'(\mathbb{F}_{p^n})$.
     - For each subgroup $G$ of $E$, there is up to isomorphism a unique isogeny $\phi$ with domain $E$ and kernel $G$. We denote the codomain curve by $E/G$.
     - The degree, $\deg(\phi)$, is its degree as a rational map, which is equal to the size of its kernel (for our purposes).

  12. Isogeny-Based Key Agreement: Jao-De Feo Key Agreement
      Global Parameters:
      - Let $p = 2^m 3^n f \pm 1$, where $f$ is a small prime, and $E$ be a supersingular elliptic curve over $\mathbb{F}_{p^2}$.
      - Points $P_A, Q_A$ which generate the subgroup $E[2^m] \cong \mathbb{Z}/2^m\mathbb{Z} \times \mathbb{Z}/2^m\mathbb{Z}$.
      - Points $P_B, Q_B$ which generate the subgroup $E[3^n] \cong \mathbb{Z}/3^n\mathbb{Z} \times \mathbb{Z}/3^n\mathbb{Z}$.

  14. Isogeny-Based Key Agreement: Jao-De Feo Key Agreement
      Key Generation:
      - Alice: $\alpha \leftarrow_R \mathbb{Z}/2^m\mathbb{Z}$, $\phi_A : E \to E_A = E/\langle P_A + [\alpha]Q_A \rangle$, $(R, S) \leftarrow (\phi_A(P_B), \phi_A(Q_B))$.
      - Bob: $\beta \leftarrow_R \mathbb{Z}/3^n\mathbb{Z}$, $\phi_B : E \to E_B = E/\langle P_B + [\beta]Q_B \rangle$, $(U, V) \leftarrow (\phi_B(P_A), \phi_B(Q_A))$.

  16. Isogeny-Based Key Agreement: Jao-De Feo Key Agreement
      Alice can compute:
      $E_B/\langle U + [\alpha]V \rangle = E_B/\langle \phi_B(P_A) + [\alpha]\phi_B(Q_A) \rangle = E_B/\langle \phi_B(P_A + [\alpha]Q_A) \rangle = E/\langle P_B + [\beta]Q_B,\ P_A + [\alpha]Q_A \rangle$
      Similarly Bob can compute:
      $E_A/\langle R + [\beta]S \rangle = E_A/\langle \phi_A(P_B) + [\beta]\phi_A(Q_B) \rangle = E_A/\langle \phi_A(P_B + [\beta]Q_B) \rangle = E/\langle P_A + [\alpha]Q_A,\ P_B + [\beta]Q_B \rangle$

  17. Isogeny-Based Key Agreement: Jao-De Feo Key Agreement
      Figure: SIDH Key Agreement. Diagram with nodes $E$, $E_A$, $E_B$ and $E_{AB} \cong E_{BA}$; the arrows are labelled by their kernels and the intermediate nodes by the exchanged triples:
      - $E \to E_A$: $\ker(\phi_A) = \langle P_A + [\alpha]Q_A \rangle$, node label $(E_A, \phi_A(P_B), \phi_A(Q_B))$
      - $E \to E_B$: $\ker(\phi_B) = \langle P_B + [\beta]Q_B \rangle$, node label $(E_B, \phi_B(P_A), \phi_B(Q_A))$
      - $E_A \to E_{AB}$: $\ker(\phi'_B) = \langle \phi_A(P_B) + [\beta]\phi_A(Q_B) \rangle$
      - $E_B \to E_{BA}$: $\ker(\phi'_A) = \langle \phi_B(P_A) + [\alpha]\phi_B(Q_A) \rangle$
      The shared secret is the $j$-invariant, $j(E_{AB}) \in \mathbb{F}_{p^2}$.

  21. Isogeny-Based Key Agreement: Active Attack
      This protocol is susceptible to an active attack when Alice reuses her key across multiple sessions.
      Lemma [Galbraith, Petit, Shani, Ti, 2016]: Let $P, Q \in E[2^m]$ be linearly independent points of order $2^m$, and let $\alpha \in \mathbb{Z}/2^m\mathbb{Z}$. Then $\langle P + [\alpha]Q \rangle = \langle P + [\alpha](Q + [2^{m-1}]P) \rangle$ if and only if $\alpha$ is even.
      Suppose Alice and Bob verify they have the same shared secret. Bob can be dishonest and use $(E_B, U, V + [2^{m-1}]U)$ as his public key.

  23. Isogeny-Based Key Agreement: Active Attack
      - Alice will compute the elliptic curve $E_B/\langle U + [\alpha](V + [2^{m-1}]U) \rangle$.
      - Bob can still compute the curve $E_A/\langle R + [\beta]S \rangle$.
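
The Galbraith-Petit-Shani-Ti lemma quoted on the Active Attack slides can be checked exhaustively for small $m$ by modelling $E[2^m]$ as the group $(\mathbb{Z}/2^m\mathbb{Z})^2$. This is an added example, not code from the slides or the authors; the coordinate model, the basis vectors and all function names are assumptions made for illustration, and no curve arithmetic is performed.

```python
# Added illustration: E[2^m] is isomorphic to (Z/2^m)^2, so a point is
# modelled as a pair of integers mod n = 2^m. P and Q are a constructed basis.

def add(X, Y, n):
    """Point addition in the (Z/n)^2 model."""
    return ((X[0] + Y[0]) % n, (X[1] + Y[1]) % n)

def mul(k, X, n):
    """Scalar multiplication [k]X in the (Z/n)^2 model."""
    return ((k * X[0]) % n, (k * X[1]) % n)

def cyclic_subgroup(G, n):
    """The subgroup <G>: every multiple of G."""
    return frozenset(mul(k, G, n) for k in range(n))

def lemma_subgroups_equal(alpha, m, P=(1, 0), Q=(0, 1)):
    """True iff <P + [alpha]Q> == <P + [alpha](Q + [2^(m-1)]P)>."""
    n = 2 ** m
    honest = add(P, mul(alpha, Q, n), n)           # P + [alpha]Q
    q_shift = add(Q, mul(n // 2, P, n), n)         # Q + [2^(m-1)]P
    shifted = add(P, mul(alpha, q_shift, n), n)    # P + [alpha](Q + [2^(m-1)]P)
    return cyclic_subgroup(honest, n) == cyclic_subgroup(shifted, n)

def check_lemma(m, P=(1, 0), Q=(0, 1)):
    """Check 'equal if and only if alpha is even' for every alpha in Z/2^m."""
    return all(
        lemma_subgroups_equal(a, m, P, Q) == (a % 2 == 0)
        for a in range(2 ** m)
    )

if __name__ == "__main__":
    for m in range(1, 7):
        print(m, check_lemma(m))
    # A second constructed basis (determinant 1, so P and Q are independent).
    print(check_lemma(5, P=(3, 1), Q=(2, 1)))
```

Since an isogeny is determined up to isomorphism by its kernel, the two kernel subgroups being equal or different is exactly what decides whether the two parties end up on the same curve.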
