Towards practical key exchange from ordinary isogeny graphs

  1. Towards practical key exchange from ordinary isogeny graphs
     Luca De Feo (1,3), Jean Kieffer (2,3,4), Benjamin Smith (3)
     (1) UVSQ, Université Paris Saclay
     (2) École normale supérieure, Paris
     (3) Inria and École polytechnique, Université Paris Saclay
     (4) Inria and IMB, Université de Bordeaux
     December 6, 2018

  6. Isogeny-based protocols
     Post-quantum candidates for key exchange/encapsulation: e.g. SIDH/SIKE.
     Inspired by earlier ideas of Couveignes and Rostovtsev–Stolbunov: CRS key exchange construction.
     CRS characteristics w.r.t. SIDH:
     Pros
     ▸ Efficient key validation: post-quantum NIKE
     ▸ More “natural” security hypotheses
     Cons
     ▸ Very slow (minutes)
     ▸ Subexponential quantum attack
     Both: small keys.

  7. Goals
     CRS is worth improving.
     ▸ Key validation
     ▸ Security analysis
     ▸ Pre- and post-quantum parameter proposals
     ▸ Algorithmic improvements

  8. ▸ Introduction
     ▸ The CRS construction
     ▸ Security analysis
     ▸ Algorithmic improvements

  13. Cryptography with a group action
      Hard Homogeneous Space (Couveignes): (G, X) where
      ▸ G finite commutative group
      ▸ G ⟳ X
      ▸ g ↦ g ⋅ x_0 is a 1-to-1 correspondence between G and X.
      Hardness hypotheses:
      ▸ Given g and x, computing g ⋅ x is easy
      ▸ Given x and g ⋅ x, computing g is hard.
      Key exchange (public starting point x_0):
      Alice                         Bob
      a ←R G                        b ←R G
      x_a ← a ⋅ x_0                 x_b ← b ⋅ x_0
                 x_a →     ← x_b
      s ← a ⋅ x_b                   s ← b ⋅ x_a

  16. Cryptography with a group action (2)
      Hardness hypotheses:
      ▸ Given g and x, if g ∈ S, computing g ⋅ x is easy, where S is a small set of generators.
      The same DH key exchange works:
      ▸ Sample a ← G directly as a product ∏ s_i^{k_i}, s_i ∈ S
      ▸ Compute a ⋅ x as the sequence of actions of s_i.

  34. The Cayley graph
      Computing the group action = walking in the Cayley graph:
      ▸ V = X
      ▸ Edge labelled by s ∈ S between x and s ⋅ x.
      If S = {s_1, s_2, s_3} ∪ {s_1^{-1}, s_2^{-1}, s_3^{-1}}:
      ▸ Alice: a = s_1^2 s_2^1 s_3^{-1}
      ▸ Bob: b = s_1^{-2} s_2^0 s_3^1
      [Figure: Cayley graph with labels x_0, x_a, x_b, s, Alice, Bob.]
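
The key exchange of slides 13 and 16 and the Cayley-graph walk of slide 34, as an added example that is not part of the presentation. It assumes an insecure toy stand-in for the isogeny action: G = (Z/qZ)^* acting on the elements of order q in F_p^* by exponentiation, with constructed parameters q = 1019, p = 2039, x_0 = 4 and S = {2, 3, 5}; all function names are hypothetical.

```python
"""Toy homogeneous space: g . x = x^g mod P. Illustrates the protocol's
structure only; this action is classical Diffie-Hellman, not isogenies."""
import secrets

Q = 1019            # constructed toy prime
P = 2 * Q + 1       # 2039, also prime, so F_P^* has a subgroup of order Q
X0 = 4              # public base point: a square != 1, hence of order Q
S = (2, 3, 5)       # assumed generators s_1, s_2, s_3 (2 is a primitive root mod Q)


def step(x, s, inverse=False):
    """One edge of the Cayley graph: x -> s . x (or s^-1 . x)."""
    g = pow(s, -1, Q) if inverse else s
    return pow(x, g, P)


def act(exponents, x):
    """Compute (prod s_i^k_i) . x as a walk of sum |k_i| edges."""
    for s, k in zip(S, exponents):
        for _ in range(abs(k)):
            x = step(x, s, inverse=(k < 0))
    return x


def keygen(bound=8):
    """Sample a secret directly as an exponent vector (k_1, k_2, k_3)."""
    return tuple(secrets.randbelow(2 * bound + 1) - bound for _ in S)


def in_X(x):
    """Membership test for the toy set X (elements of order Q)."""
    return 1 < x < P and pow(x, Q, P) == 1


def exchange(a, b):
    """Run both sides; return (Alice's s, Bob's s)."""
    x_a, x_b = act(a, X0), act(b, X0)      # public keys sent over the wire
    assert in_X(x_a) and in_X(x_b)         # each side validates what it receives
    return act(a, x_b), act(b, x_a)


if __name__ == "__main__":
    a, b = (2, 1, -1), (-2, 0, 1)          # exponent vectors from slide 34
    print(exchange(a, b))
    print(exchange(keygen(), keygen()))
```

Both walks end on the same vertex because G is commutative; only the exponent vectors are secret, and each party needs only the per-generator step, never a direct evaluation of an arbitrary g ∈ G.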
