seasign compact isogeny signatures from class group
play

SeaSign: Compact isogeny signatures from class group actions Luca De - PowerPoint PPT Presentation

Jun 12, 2023 •290 likes •740 views

SeaSign: Compact isogeny signatures from class group actions Luca De Feo 1 , Steven D. Galbraith 2 1 Universit Paris Saclay UVSQ, France 2 University of Auckland, New Zeland May 23, 2019, Eurocrypt, Darmstadt Slides online at

  1. SeaSign: Compact isogeny signatures from class group actions Luca De Feo 1 , Steven D. Galbraith 2 1 Université Paris Saclay – UVSQ, France 2 University of Auckland, New Zeland May 23, 2019, Eurocrypt, Darmstadt Slides online at https://defeo.lu/docet

  2. Post-quantum isogeny primitives CSIDH (Couveignes 1996; Rostovtsev Stolbunov 2006; Castryck, Lange, SIDH (Jao, De Feo 2011) Martindale, Panny, Renes 2018) Pronounce S–I–D–H; Pronounce Sea–Side; Based on random isogeny walks in the Based on random isogeny walks in the full supersingular graph over ❋ p 2 ; ❋ p -restricted supersingular isogeny Basis for the NIST KEM candidate graph; SIKE; Straightforward generalization of Better asymptotic quantum security; Diffie–Hellman; Short keys, slow. More “natural” security assumption; Shorter keys, slower. L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 2 / 14

  3. Post-quantum isogeny primitives CSIDH (Couveignes 1996; Rostovtsev Stolbunov 2006; Castryck, Lange, SIDH (Jao, De Feo 2011) Martindale, Panny, Renes 2018) Pronounce S–I–D–H; Pronounce Sea–Side; Based on random isogeny walks in the Based on random isogeny walks in the full supersingular graph over ❋ p 2 ; ❋ p -restricted supersingular isogeny Basis for the NIST KEM candidate graph; SIKE; Straightforward generalization of Better asymptotic quantum security; Diffie–Hellman; Short keys, slow. More “natural” security assumption; Crappy signatures (slow, large). Shorter keys, slower. Not this talk. L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 2 / 14

  4. Post-quantum isogeny primitives CSIDH (Couveignes 1996; Rostovtsev Stolbunov 2006; Castryck, Lange, SIDH (Jao, De Feo 2011) Martindale, Panny, Renes 2018) Pronounce S–I–D–H; Pronounce Sea–Side; Based on random isogeny walks in the Based on random isogeny walks in the full supersingular graph over ❋ p 2 ; ❋ p -restricted supersingular isogeny Basis for the NIST KEM candidate graph; SIKE; Straightforward generalization of Better asymptotic quantum security; Diffie–Hellman; Short keys, slow. More “natural” security assumption; Crappy signatures (slow, large). Shorter keys, slower. Not this talk. Also crappy signatures, but different! This talk. L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 2 / 14

  5. ■ ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ ✷ � What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 E 4 E 2 E 5 E 1 E 6 E 12 E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  6. ■ ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ ✷ What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 A group action by an abelian group G ; E 4 E 2 g E 5 E 1 E 6 E 12 g � 1 E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  7. ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ ■ � What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 A group action by an abelian group G ; E 4 E 2 Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: E 5 E 1 E 6 E 12 E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  8. ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ � What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 A group action by an abelian group G ; E 4 E 2 Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: E 5 E 1 ■ degree 2, E 6 E 12 E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  9. ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ � What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 A group action by an abelian group G ; E 4 E 2 Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: E 5 E 1 ■ degree 2, degree 3, E 6 E 12 E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  10. ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ � What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 A group action by an abelian group G ; E 4 E 2 Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: E 5 E 1 ■ degree 2, degree 3, degree 5, ... E 6 E 12 E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  11. ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ � What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 A group action by an abelian group G ; E 4 E 2 Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: E 5 E 1 ■ degree 2, degree 3, degree 5, ... Graph structure isomorphic to a Cayley graph; E 6 E 12 E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  12. ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ � What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 A group action by an abelian group G ; E 4 E 2 Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: E 5 E 1 ■ degree 2, degree 3, degree 5, ... Graph structure isomorphic to a Cayley graph; Good algorithm to do random walks in the graph. E 6 E 12 E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  13. � ❂ ✁ ✁ ✁ ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E 3 A group action by an abelian group G ; E 4 E 2 Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: E 5 E 1 ■ degree 2, degree 3, degree 5, ... Graph structure isomorphic to a Cayley graph; Good algorithm to do random walks in the graph. E 6 E 12 Key exchange: E 7 E 11 E 8 E 10 E 9 L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  14. � ❂ ✁ ✁ ✁ ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E A A group action by an abelian group G ; Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: ■ degree 2, degree 3, degree 5, ... Graph structure isomorphic to a Cayley graph; Good algorithm to do random walks in the graph. Key exchange: Alice picks secret a ❂ g a 2 2 g a 3 3 g a 5 5 ✁ ✁ ✁ , L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  15. � ❂ ✄ ❂ ✄ ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E A A group action by an abelian group G ; Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: ■ degree 2, degree 3, degree 5, ... Graph structure isomorphic to a Cayley graph; Good algorithm to do random walks in the graph. E B Key exchange: Alice picks secret a ❂ g a 2 2 g a 3 3 g a 5 5 ✁ ✁ ✁ , Bob picks secret b ❂ g b 2 2 g b 3 3 g b 5 5 ✁ ✁ ✁ , L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  16. � ❂ ✭ ✮ ✄ ❂ ✄ ❂ ✄ What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E A A group action by an abelian group G ; Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: ■ degree 2, degree 3, degree 5, ... Graph structure isomorphic to a Cayley graph; Good algorithm to do random walks in the graph. E B Key exchange: Alice picks secret a ❂ g a 2 2 g a 3 3 g a 5 5 ✁ ✁ ✁ , Bob picks secret b ❂ g b 2 2 g b 3 3 g b 5 5 ✁ ✁ ✁ , They exchange E A ❂ a ✄ E 1 and E B ❂ b ✄ E 1 , L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

  17. � What is CSIDH? A set of supersingular elliptic curves over ❋ p ; E A A group action by an abelian group G ; Only efficient to evaluate the action of some small degree generators g ✷ G , e.g.: ■ degree 2, degree 3, degree 5, ... Graph structure isomorphic to a Cayley graph; Good algorithm to do random walks in the graph. E B Key exchange: Alice picks secret a ❂ g a 2 2 g a 3 3 g a 5 5 ✁ ✁ ✁ , Bob picks secret b ❂ g b 2 2 g b 3 3 g b 5 5 ✁ ✁ ✁ , They exchange E A ❂ a ✄ E 1 and E B ❂ b ✄ E 1 , E AB Shared secret is E AB ❂ ✭ ab ✮ ✄ E 1 ❂ a ✄ E B ❂ b ✄ E A . L. De Feo, S. Galbraith (UVSQ, UniAuckland) SeaSign: isogeny signatures Eurocrypt 2019 — https://defeo.lu/docet 3 / 14

Recommend

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
1V Compact Class-AB CMOS Log Filters X. Redondo and F. Serra-Graells Circuits and Systems Group

1V Compact Class-AB CMOS Log Filters X. Redondo and F. Serra-Graells Circuits and Systems Group

ISCAS05 1V Compact Class-AB CMOS Log Filters Intro Class-A Class-AB Example Conclusions 1/23 1V Compact Class-AB CMOS Log Filters X. Redondo and F. Serra-Graells Circuits and Systems Group Institut de Microelectrnica de Barcelona

527 views • 23 slides
Ozawas class S for locally compact groups and unique prime factorization of group von Neumann

Ozawas class S for locally compact groups and unique prime factorization of group von Neumann

Ozawas class S for locally compact groups and unique prime factorization of group von Neumann algebras Tobe Deprez Skyline Communications IPAM, Lake arrowhead, 2019 Tobe Deprez Class S for locally compact groups 1 / 27 Group von Neumann

468 views • 35 slides
Gravitational wave signatures of exotic compact objects Elisa Maggio Sapienza University of Rome

Gravitational wave signatures of exotic compact objects Elisa Maggio Sapienza University of Rome

Cortona Young 27-29 May 2020 Gravitational wave signatures of exotic compact objects Elisa Maggio Sapienza University of Rome Outline Gravitational waves as probes of strong gravity Exotic compact objects Ergoregion

246 views • 22 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu Drijvers 2 , Gregory Neven 2 1

Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu Drijvers 2 , Gregory Neven 2 1

Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu Drijvers 2 , Gregory Neven 2 1 Stanford University 2 DFINITY Bitcoin Blockchain and transactions Input 1 Output 1 Witness Input 2 Output 2 Witness Pointer to previous

372 views • 16 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Reminder on elliptic curves Endomorphism ring Volcano of -isogeny and Frobenius endomorphism -adic tower Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril Hugounenq, Jerome Plut, Eric Schost

472 views • 28 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Group automorphisms: a dynamical point of view Can you describe the space of compact group

Group automorphisms: a dynamical point of view Can you describe the space of compact group

Group automorphisms: a dynamical point of view Can you describe the space of compact group automorphisms modulo dynamical equivalences? Tom Ward (UEA) April 2012, Mimar Sinan Fine Arts University, Istanbul The setting A continuous group

255 views • 23 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
Class 19 : Where did the elements come from? 4/14/11 1 Notation we need some compact way of

Class 19 : Where did the elements come from? 4/14/11 1 Notation we need some compact way of

Class 19 : Where did the elements come from? 4/14/11 1 Notation we need some compact way of discussing nuclei Total number of nucleons = protons+neutrons Symbol for element Atomic number (set by atomic = number of protons number) 1

135 views • 11 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su & BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Group Signatures with Almost-for-free Revocation t Libert 1 Thomas Peters 1 Moti Yung 2 Beno 1

Group Signatures with Almost-for-free Revocation t Libert 1 Thomas Peters 1 Moti Yung 2 Beno 1

Group Signatures with Almost-for-free Revocation t Libert 1 Thomas Peters 1 Moti Yung 2 Beno 1 Universit e catholique de Louvain, Crypto Group (Belgium) 2 - Google Inc. and Columbia University (USA) Santa Barbara, August 22, 2012 UCL

605 views • 19 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

302 views • 27 slides
BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

ERNEST HUNTER DIMITAR BENJAMIN BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION TO ISOGENY GRAPHS

770 views • 63 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides

More recommend