Quantum-resistant Cryptography based on Isogenies between Elliptic Curves: A Brief Survey
João Paulo da Silva, Ricardo Dahab, Julio López
Institute of Computing – University of Campinas
Latin American Week on Coding and Information 2018

Agenda
• Introduction
• Isogenies
• Cryptographic Constructions
• Underlying Problems and Cryptanalysis
• Remarks
• Bibliography
Introduction
Motivation
• In August 2015, NSA announces plans to transition to quantum-resistant algorithms;
• NIST published a call for post-quantum candidate algorithms, with deadline on November 30, 2017.

Motivation: Why Isogenies?
• Possibility of the emergence of a large-scale quantum computer: Shor's algorithm;
• Isogenies emerge as a new candidate in the construction of cryptographic primitives for the post-quantum world;
• Using supersingular elliptic curves, the problem of computing isogenies between two curves remains exponential in the quantum model.

Retrospective
• 1996: Couveignes mentioned isogenies in cryptography, but the work was only published in 2006;
• 2009: Charles et al. presented hash function constructions based on isogenies;
• 2010: Stolbunov presented the first published isogeny-based public-key cryptosystem, based on isogenies between ordinary curves;
• 2010: Childs et al. presented a quantum subexponential attack on Stolbunov's public-key cryptosystem;
• 2011: Jao and De Feo presented the Supersingular Isogeny Diffie-Hellman (SIDH) and an identification protocol;
• 2017: Jao et al. proposed Supersingular Isogeny Key Encapsulation (SIKE) as a submission to the NIST PQC call;
• 2018: Castryck et al. proposed a (Commutative) SIDH based on Couveignes' construction.
Elliptic Curves
An elliptic curve $E$ over a field $K = \mathbb{F}_q$ is a plane algebraic curve defined by an equation of the form
$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$
with $a_1, a_2, \ldots, a_6 \in \mathbb{F}_q$.
• Short Weierstrass Model: $y^2 = x^3 + Ax + B$ with $A, B \in \mathbb{F}_q$;
• $4A^3 + 27B^2 \neq 0$;
• $E(\mathbb{F}_q) = \{(x, y) \in \mathbb{F}_q \times \mathbb{F}_q : y^2 = x^3 + Ax + B\} \cup O$ forms an abelian group;
• Hasse Theorem: $\#E(\mathbb{F}_q) = q + 1 - t$ with $|t| \le 2\sqrt{q}$;
• $E$ is a supersingular curve over $\mathbb{F}_q$ if, and only if, $t \equiv 0 \bmod p$, $q = p^n$.
Isogenies
Isogenies
• An isogeny is a non-constant rational map with the property of being a group homomorphism: $\varphi : E_1 \to E_2$ such that $\varphi(P + Q) = \varphi(P) + \varphi(Q)$, $P, Q \in E(\mathbb{F}_q)$;
• We can identify, up to isomorphisms, an isogeny by its kernel;
• For a separable isogeny, its degree is the number of points in its kernel;
$$\varphi(x, y) = \left( \frac{f_1(x, y)}{g_1(x, y)}, \frac{f_2(x, y)}{g_2(x, y)} \right)$$
with $\varphi(O) = O$ and $f_i, g_i$, $i \in \{1, 2\}$, polynomials.
Isogenies: Vélu Formula
Let $E : y^2 = x^3 + Ax + B$ and $E'$ be elliptic curves. In order to compute the $\ell$-isogeny between these curves with kernel $F = F^+ \cup F^-$ we use the Vélu formula
$$\varphi_x(x, y) = x + \sum_{P \in F^+} \left( \frac{v_P}{x - x_P} + \frac{u_P}{(x - x_P)^2} \right)$$
$$\varphi_y(x, y) = y - \sum_{P \in F^+} \left( u_P \frac{2y}{(x - x_P)^3} + \frac{v_P (y - y_P) - g^x_P g^y_P}{(x - x_P)^2} \right)$$
where $P = (x_P, y_P)$, $g^x_P = 3x_P^2 + A$, $g^y_P = -2y_P$, $u_P = (g^y_P)^2$, $v_P = 2g^x_P$,
$$v = \sum_{P \in F^+} v_P, \qquad w = \sum_{P \in F^+} (u_P + x_P v_P).$$
The expression for $E'$ will be $E' : y^2 = x^3 + (A - 5v)x + (B - 7w)$.
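Added example (not from the slides): the Vélu formula above evaluated on a small curve, checking the homomorphism property from the Isogenies slide on every pair of points and, going slightly beyond the slides, that $E$ and $E'$ have the same number of points. The prime 59, the curve $y^2 = x^3 + x$ and all function names are assumptions chosen for illustration; the curve is supersingular because $59 \equiv 3 \bmod 4$, so $\#E(\mathbb{F}_{59}) = 60$.

```python
p, A, B = 59, 1, 0   # constructed toy curve E: y^2 = x^3 + x over F_59 (not from the slides)
def inv(a): return pow(a % p, -1, p)

def add(P, Q, a):
    """Group law on y^2 = x^3 + a*x + b over F_p; None is the point O."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3*x1*x1 + a) * inv(2*y1) if P == Q else (y2 - y1) * inv(x2 - x1)
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def points(a, b):
    return [None] + [(x, y) for x in range(p) for y in range(p)
                     if (y*y - x**3 - a*x - b) % p == 0]

def velu(G, ell):
    """Return (A', B', phi) for the isogeny with kernel <G>, G of odd order ell."""
    data, v, w, P = [], 0, 0, G
    for _ in range((ell - 1) // 2):      # F+: one point of each pair {P, -P}
        xP, yP = P
        gx, gy = 3*xP*xP + A, -2*yP
        vP, uP = 2*gx, gy*gy
        v, w = v + vP, w + uP + xP*vP
        data.append((xP, yP, gx*gy, vP, uP))
        P = add(P, G, A)
    def phi(R):
        if R is None or any(R[0] == d[0] for d in data):
            return None                   # kernel points map to O
        (x, y), X, Y = R, R[0], R[1]
        for xP, yP, gxgy, vP, uP in data:
            d = inv(x - xP)
            X += vP*d + uP*d*d
            Y -= 2*y*uP*d**3 + (vP*(y - yP) - gxgy)*d*d
        return (X % p, Y % p)
    return (A - 5*v) % p, (B - 7*w) % p, phi

def demo(ell):   # returns (#E, #E', whether phi(P+Q) = phi(P)+phi(Q) for all P, Q)
    E, G = points(A, B), None
    for P in E:                           # multiply by the cofactor #E / ell
        for _ in range(len(E) // ell):
            G = add(G, P, A)
        if G is not None:
            break
    A2, B2, phi = velu(G, ell)
    hom = all(phi(add(P, Q, A)) == add(phi(P), phi(Q), A2) for P in E for Q in E)
    return len(E), len(points(A2, B2)), hom
```

Calling `demo(3)` or `demo(5)` builds a 3- or 5-isogeny from the same starting curve; both are possible because 3 and 5 divide the group order 60.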
Cryptographic Constructions
Cryptographic Constructions
• Hash
  • Javad Doliskani, Geovandro C. C. F. Pereira and Paulo S. L. M. Barreto [DPB2018];
  • Denis X. Charles, Eyal Z. Goren and Kristin E. Lauter [CGL06].
• Digital Signature
  • Steven D. Galbraith, Christophe Petit and Javier Silva [GPS16].
• Encryption
  • Castryck, W., Lange, T., Martindale, C., Panny, L., and Renes, J. [CLMPR2018];
  • Takeshi Koshiba and Katsuyuki Takashima [KT16];
  • Luca De Feo, David Jao and Jérôme Plût [FJP11].

SIDH - Supersingular Isogeny based Diffie-Hellman
Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies [FJP11]
• Public Parameters:
  • $p = \ell_A^{e_A} \ell_B^{e_B} f \pm 1$, where $\ell_A, \ell_B$ are small primes and $e_A, e_B \in \mathbb{N}$;
  • $E_0$ a supersingular elliptic curve over $\mathbb{F}_{p^2}$;
  • $P_A, Q_A, P_B, Q_B \in E_0(\mathbb{F}_{p^2})$ such that $\langle P_A, Q_A \rangle = E_0[\ell_A^{e_A}]$ and $\langle P_B, Q_B \rangle = E_0[\ell_B^{e_B}]$.
• Private Parameters:
  • $m_A, n_A \in_R \mathbb{Z}_{\ell_A^{e_A}}$ such that $\ell_A \nmid m_A$ or $\ell_A \nmid n_A$;
  • $m_B, n_B \in_R \mathbb{Z}_{\ell_B^{e_B}}$ such that $\ell_B \nmid m_B$ or $\ell_B \nmid n_B$.

SIDH - Supersingular Isogeny based Diffie-Hellman
Figure 1: SIDH [FJP11].