si said why csidh
play

["si:saId] Why CSIDH? Drop-in post-quantum replacement for - PowerPoint PPT Presentation

Jan 21, 2023 •357 likes •934 views

CSIDH : An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1 Tanja Lange 2 Chloe Martindale 2 Lorenz Panny 2 Joost Renes 3 1 KU Leuven 2 TU Eindhoven 3 Radboud Universiteit Brisbane, 6 December 2018 ["si:saId] Why CSIDH?

  2. CSIDH : An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1 Tanja Lange 2 Chloe Martindale 2 Lorenz Panny 2 Joost Renes 3 1 KU Leuven 2 TU Eindhoven 3 Radboud Universiteit Brisbane, 6 December 2018

  3. ["si:­saId]

  4. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. https://csidh.isogeny.org 1/15

  5. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. https://csidh.isogeny.org 1/15

  6. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. ◮ Small keys: 64 bytes at conjectured AES-128 security level https://csidh.isogeny.org 1/15

  7. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. ◮ Small keys: 64 bytes at conjectured AES-128 security level ◮ Competitive speed: ∼ 35 ms per operation. (Skylake i5 w / TurboBoost) https://csidh.isogeny.org 1/15

  8. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. ◮ Small keys: 64 bytes at conjectured AES-128 security level ◮ Competitive speed: ∼ 35 ms per operation. (Skylake i5 w / TurboBoost) ◮ Clean mathematical structure: a true group action. (No noise, no auxiliary points, no compromises.) https://csidh.isogeny.org 1/15

  9. Why CSIDH? ◮ Drop-in post-quantum replacement for (EC)DH. ◮ Non-interactive key exchange (full public-key validation); previously only slow solutions post-quantumly. ◮ Small keys: 64 bytes at conjectured AES-128 security level ◮ Competitive speed: ∼ 35 ms per operation. (Skylake i5 w / TurboBoost) ◮ Clean mathematical structure: a true group action. (No noise, no auxiliary points, no compromises.) ◮ By the way: not ‘better’ or ‘worse’ than SIDH. It’s simply different and likely to be useful for different applications. https://csidh.isogeny.org 1/15

  10. Ordinary isogeny graphs Nodes: Ordinary elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . Components look something like this: https://csidh.isogeny.org 2/15

  11. Ordinary isogeny graphs (cycles) Nodes: Ordinary elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . https://csidh.isogeny.org 2/15

  12. Ordinary isogeny graphs (cycles) Nodes: Ordinary elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . ??? Easy: Compute a random path, output the final node. Hard problem: Find a path between two given nodes. https://csidh.isogeny.org 2/15

  13. Alice vs. Eve Intuition: Combining edges from different cycles allows taking shortcuts to remote parts of the graph! https://csidh.isogeny.org 3/15

  14. Alice vs. Eve g 0 g 1 · g 1 g 3 · g 2 · g 8 g 11 Intuition: Combining edges from different cycles allows taking shortcuts to remote parts of the graph! cf. Square-&-Multiply: Alice gets an advantage over Eve. https://csidh.isogeny.org 3/15

  15. Point counting De Feo–Kieffer–Smith want an ordinary curve E / F q with many small primes ℓ | E ( F q ) . This seems difficult. https://csidh.isogeny.org 4/15

  16. https://csidh.isogeny.org 5/15

  17. Pictures: https://github.com/CardsAgainstCryptography https://csidh.isogeny.org 5/15

  18. I’ve been experimenting with supersingular curves in this context, because they have all the properties Kieffer was looking for. Are there any security issues with using supersingular curves? Hope I did not overlook anything stupid here! — an anonymous CSIDH coauthor Pictures: https://github.com/CardsAgainstCryptography https://csidh.isogeny.org 5/15

  19. I’ve been experimenting with supersingular curves in this context, because they have all the properties Kieffer was looking for. Are there any security issues with using supersingular curves? Hope I did not overlook anything stupid here! — an anonymous CSIDH coauthor Wouter, you are a genius! — me Pictures: https://github.com/CardsAgainstCryptography https://csidh.isogeny.org 5/15

  20. Supersingular isogeny graphs Nodes: Supersingular elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . https://csidh.isogeny.org 6/15

  21. Supersingular isogeny graphs Nodes: Supersingular elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . k = F 419 2 (same as F 419 ) https://csidh.isogeny.org 6/15

  22. Supersingular isogeny graphs Nodes: Supersingular elliptic curves defined over k up to ∼ = k . Edges: 3-, 5-, and 7-isogenies defined over k up to ∼ = k . k = F 419 2 (same as F 419 ) k = F 419 https://csidh.isogeny.org 6/15

  23. Supersingular isogeny graphs Theorem. The F p -rational endomorphism ring of an elliptic curve defined over F p is an imaginary quadratic order. https://csidh.isogeny.org 7/15

  24. Supersingular isogeny graphs Theorem. The F p -rational endomorphism ring of an elliptic curve defined over F p is an imaginary quadratic order. ...even in the supersingular case! https://csidh.isogeny.org 7/15

  25. Supersingular isogeny graphs Theorem. The F p -rational endomorphism ring of an elliptic curve defined over F p is an imaginary quadratic order. ...even in the supersingular case! Theorem/fact/definition. Let p > 3. An elliptic curve E over F p is supersingular if and only if # E ( F p ) = p + 1. https://csidh.isogeny.org 7/15

  26. Supersingular isogeny graphs Theorem. The F p -rational endomorphism ring of an elliptic curve defined over F p is an imaginary quadratic order. ...even in the supersingular case! Theorem/fact/definition. Let p > 3. An elliptic curve E over F p is supersingular if and only if # E ( F p ) = p + 1. = ⇒ We can simply craft a curve with a good number of points. https://csidh.isogeny.org 7/15

  27. Reminder The class group action is defined as follows: ◮ Inputs : An elliptic curve E with endomorphism ring O , an ideal a ⊆ O of prime norm ℓ . ◮ Output : The elliptic curve [ a ] E . 1. Compute the subgroup E [ a ] = � α ∈ a ker α killed by a . → E ′ with kernel E [ a ] . 2. Compute an ℓ -isogeny E − 3. Output E ′ . https://csidh.isogeny.org 8/15

  28. Reminder The class group action is defined as follows: ◮ Inputs : An elliptic curve E with endomorphism ring O , an ideal a ⊆ O of prime norm ℓ . ◮ Output : The elliptic curve [ a ] E . 1. Compute the subgroup E [ a ] = � α ∈ a ker α killed by a . → E ′ with kernel E [ a ] . 2. Compute an ℓ -isogeny E − 3. Output E ′ . Typically E [ a ] is only defined over F q m for m ≈ ℓ . = ⇒ Complexity of computing with E [ a ] is exponentia ℓ ... : ( https://csidh.isogeny.org 8/15

  29. CSIDH in one cslide (terrible pun totally intended) https://csidh.isogeny.org 9/15

  30. CSIDH in one cslide (terrible pun totally intended) ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . 1. ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { supersingular y 2 = x 3 + Ax 2 + x defined over F p } . https://csidh.isogeny.org 9/15

  31. CSIDH in one cslide (terrible pun totally intended) ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . 1. ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { supersingular y 2 = x 3 + Ax 2 + x defined over F p } . ◮ All curves in X have F p -endomorphism ring O = Z [ √ p ] . 2. Define the ideals l i = ( ℓ i , π − 1 ) of O . ◮ Let K = { [ l e 1 1 · · · l e 1 n ] | ( e 1 , ..., e n ) is ‘short’ } ⊆ cl ( O ) . https://csidh.isogeny.org 9/15

  32. CSIDH in one cslide (terrible pun totally intended) ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . 1. ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { supersingular y 2 = x 3 + Ax 2 + x defined over F p } . ◮ All curves in X have F p -endomorphism ring O = Z [ √ p ] . 2. Define the ideals l i = ( ℓ i , π − 1 ) of O . ◮ Let K = { [ l e 1 1 · · · l e 1 n ] | ( e 1 , ..., e n ) is ‘short’ } ⊆ cl ( O ) . 3. magic math happens! ∗ ∗ see next slides https://csidh.isogeny.org 9/15

  33. CSIDH in one cslide (terrible pun totally intended) ◮ Choose some small odd primes ℓ 1 , ..., ℓ n . 1. ◮ Make sure p = 4 · ℓ 1 · · · ℓ n − 1 is prime. ◮ Let X = { supersingular y 2 = x 3 + Ax 2 + x defined over F p } . ◮ All curves in X have F p -endomorphism ring O = Z [ √ p ] . 2. Define the ideals l i = ( ℓ i , π − 1 ) of O . ◮ Let K = { [ l e 1 1 · · · l e 1 n ] | ( e 1 , ..., e n ) is ‘short’ } ⊆ cl ( O ) . 3. magic math happens! ∗ ∗ see next slides 4. ◮ cl ( O ) acts on X and the action of K is very efficient! https://csidh.isogeny.org 9/15

  34. Magic (base field arithmetic) ◮ All the ideals ℓ i O split as l i · l i where l i = ( ℓ i , π − 1 ) . = ⇒ We can use all ℓ i we started with (generally: about 1/2) . https://csidh.isogeny.org 10/15

Recommend

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Key bits where all known attacks take 2 operations (naive serial attack metric,

412 views • 16 slides
Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel

Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel

Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel Cervantes-V nguez 1 and Luca De Feo 4 and Jes us-Javier Chi-Dom quez 1 and Benjamin Smith 2,3 Francisco Rodr guez-Henr 1 Computer Science

1.25k views • 93 slides
Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC,

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC,

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC, Gardanne based on joint work with D. Cervantes-Vzquez, M. Chenu, J.J. Chi-Domnguez, F. Rodrguez-Henrquez, B. Smith Slides online at

944 views • 90 slides
Towards Optimized and Constant-Time CSIDH on Embedded Devices Amir Jalali 1 , Reza Azarderakhsh 1

Towards Optimized and Constant-Time CSIDH on Embedded Devices Amir Jalali 1 , Reza Azarderakhsh 1

Towards Optimized and Constant-Time CSIDH on Embedded Devices Amir Jalali 1 , Reza Azarderakhsh 1 , Mehran Mozaffari Kermani 2 , and David Jao 3 Department of Computer and Electrical Engineering and Computer Science Florida Atlantic University

252 views • 14 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG

499 views • 28 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides

More recommend