towards practical key exchange from ordinary isogeny
play

Towards practical key exchange from ordinary isogeny graphs Luca De - PowerPoint PPT Presentation

Apr 29, 2023 •132 likes •882 views

Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4 Benjamin Smith 3 1 UVSQ, Universit Paris Saclay 2 cole normale suprieure, Paris 3 Inria and cole polytechnique, Universit Paris Saclay 4 Inria

  1. Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4 Benjamin Smith 3 1 UVSQ, Université Paris Saclay 2 École normale supérieure, Paris 3 Inria and École polytechnique, Université Paris Saclay 4 Inria and IMB, Université de Bordeaux December 6, 2018

  2. Isogeny-based protocols Post-quantum candidates for key echange/encapsulation: e.g. SIDH/SIKE. Inspired by earlier ideas of Couveignes and Rostovtsev–Stolbunov: CRS key exchange construction .

  3. Isogeny-based protocols Post-quantum candidates for key echange/encapsulation: e.g. SIDH/SIKE. Inspired by earlier ideas of Couveignes and Rostovtsev–Stolbunov: CRS key exchange construction . CRS characteristics w.r.t. SIDH Pros Cons

  4. Isogeny-based protocols Post-quantum candidates for key echange/encapsulation: e.g. SIDH/SIKE. Inspired by earlier ideas of Couveignes and Rostovtsev–Stolbunov: CRS key exchange construction . CRS characteristics w.r.t. SIDH Pros Cons ▸ Very slow (minutes) ▸ Subexponential quantum attack

  5. Isogeny-based protocols Post-quantum candidates for key echange/encapsulation: e.g. SIDH/SIKE. Inspired by earlier ideas of Couveignes and Rostovtsev–Stolbunov: CRS key exchange construction . CRS characteristics w.r.t. SIDH Pros Cons ▸ Efficient key validation: ▸ Very slow (minutes) post-quantum NIKE ▸ Subexponential quantum ▸ More “natural” security attack hypotheses

  6. Isogeny-based protocols Post-quantum candidates for key echange/encapsulation: e.g. SIDH/SIKE. Inspired by earlier ideas of Couveignes and Rostovtsev–Stolbunov: CRS key exchange construction . CRS characteristics w.r.t. SIDH Pros Cons ▸ Efficient key validation: ▸ Very slow (minutes) post-quantum NIKE ▸ Subexponential quantum ▸ More “natural” security attack hypotheses Both: small keys.

  7. Goals CRS is worth improving. ▸ Key validation ▸ Security analysis ▸ Pre- and post-quantum parameter proposals ▸ Algorithmic improvements.

  8. Introduction The CRS construction Security analysis Algorithmic improvements

  9. Cryptography with a group action Hard Homogeneous Space (Couveignes): ( G , X ) where ▸ G finite commutative group ▸ G ⟳ X ▸ g ↦ g ⋅ x 0 is a 1-to-1 correspondence between G and X . Hardness hypotheses: ▸ Given g and x , computing g ⋅ x is easy ▸ Given x and g ⋅ x , computing g is hard.

  10. Cryptography with a group action Hard Homogeneous Space (Couveignes): ( G , X ) where ▸ G finite commutative group ▸ G ⟳ X ▸ g ↦ g ⋅ x 0 is a 1-to-1 correspondence between G and X . Hardness hypotheses: ▸ Given g and x , computing g ⋅ x is easy ▸ Given x and g ⋅ x , computing g is hard. Alice Bob x 0

  11. Cryptography with a group action Hard Homogeneous Space (Couveignes): ( G , X ) where ▸ G finite commutative group ▸ G ⟳ X ▸ g ↦ g ⋅ x 0 is a 1-to-1 correspondence between G and X . Hardness hypotheses: ▸ Given g and x , computing g ⋅ x is easy ▸ Given x and g ⋅ x , computing g is hard. Alice Bob x 0 a ← R G b ← R G

  12. Cryptography with a group action Hard Homogeneous Space (Couveignes): ( G , X ) where ▸ G finite commutative group ▸ G ⟳ X ▸ g ↦ g ⋅ x 0 is a 1-to-1 correspondence between G and X . Hardness hypotheses: ▸ Given g and x , computing g ⋅ x is easy ▸ Given x and g ⋅ x , computing g is hard. Alice Bob x 0 a b a ← R G b ← R G x a ← a ⋅ x 0 x a x b x b ← b ⋅ x 0

  13. Cryptography with a group action Hard Homogeneous Space (Couveignes): ( G , X ) where ▸ G finite commutative group ▸ G ⟳ X ▸ g ↦ g ⋅ x 0 is a 1-to-1 correspondence between G and X . Hardness hypotheses: ▸ Given g and x , computing g ⋅ x is easy ▸ Given x and g ⋅ x , computing g is hard. Alice Bob x 0 a b a ← R G b ← R G x a ← a ⋅ x 0 x a x b x b ← b ⋅ x 0 s ← a ⋅ x b s ← b ⋅ x a a b s

  14. Cryptography with a group action (2) Hardness hypotheses: ▸ Given g and x , computing g ⋅ x is easy

  15. Cryptography with a group action (2) Hardness hypotheses: ▸ Given g and x , if g ∈ S , computing g ⋅ x is easy where S is a small set of generators.

  16. Cryptography with a group action (2) Hardness hypotheses: ▸ Given g and x , if g ∈ S , computing g ⋅ x is easy where S is a small set of generators. The same DH key exchange works: ▸ Sample a ← G directly as a product ∏ s k i i , s i ∈ S ▸ Compute a ⋅ x as the sequence of actions of s i .

  17. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } :

  18. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : x 0

  19. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice x 0 a = s 12 s 21 s 3 − 1

  20. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice x 0 a = s 12 s 21 s 3 − 1

  21. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice x 0 a = s 12 s 21 s 3 − 1

  22. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice x 0 a = s 12 s 21 s 3 − 1

  23. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice x 0 a = s 12 s 21 s 3 − 1 x a

  24. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x a

  25. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x a

  26. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x a

  27. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x b x a

  28. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x b x a

  29. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x b x a

  30. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x b x a

  31. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x b x a

  32. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : s Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x b x a

  33. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : s Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x b x a

  34. The Cayley graph Computing the group action = walking in the Cayley graph : ▸ V = X ▸ Edge labelled by s ∈ S between x and s ⋅ x . If S = { s 1 , s 2 , s 3 } ∪ { s − 1 1 , s − 1 2 , s − 1 3 } : s Alice Bob x 0 a = s 12 s 21 s 3 − 1 b = s 1 − 2 s 20 s 31 x b x a

Recommend

BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

ERNEST HUNTER DIMITAR BENJAMIN BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION TO ISOGENY GRAPHS

770 views • 63 slides
Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Presenting a live 90 minute webinar with interactive Q&A Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and Contemporaneous Exchange Managing the Audit Process, Mitigating Regulatory Sanctions, and

893 views • 52 slides
Development of SML# making ML an ordinary practical languaage . . . . . Atsushi Ohori

Development of SML# making ML an ordinary practical languaage . . . . . Atsushi Ohori

. . Development of SML# making ML an ordinary practical languaage . . . . . Atsushi Ohori joint work with Katsuhiro Ueno , Tohoku University Atsushi Ohori Development of SML# making ML an ordinary practical language 1 / 59

1.25k views • 79 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril

Reminder on elliptic curves Endomorphism ring Volcano of -isogeny and Frobenius endomorphism -adic tower Structure of Volcano of -isogeny applied to Couveigness algorithm Luca De Feo, Cyril Hugounenq, Jerome Plut, Eric Schost

472 views • 28 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

302 views • 27 slides
AUTOMATIC EXCHANGE OF INFORMATION Practical Examples for Trust Practitioners in Switzerland STEP

AUTOMATIC EXCHANGE OF INFORMATION Practical Examples for Trust Practitioners in Switzerland STEP

AUTOMATIC EXCHANGE OF INFORMATION Practical Examples for Trust Practitioners in Switzerland STEP Lausanne, 6 March 2018 David Violi Head Regulatory & Compliance Financial Services Western Switzerland Director, Attorney-at-law Agenda

487 views • 24 slides
On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland AsiaCrypt 2016, 5th of December 1/17 Outline Joint work with Steven Galbraith , Christophe Petit and Barak Shani . 1

242 views • 23 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
8. Ordinary Differential Equations Indispensable for many technical applications! 8. Ordinary

8. Ordinary Differential Equations Indispensable for many technical applications! 8. Ordinary

Introduction Approximation of IVP with FD Consistency and Convergence Multistep Methods Stiff Problems Applications 8. Ordinary Differential Equations Indispensable for many technical applications! 8. Ordinary Differential Equations

575 views • 30 slides
Section 1031 Exchange Strategies Maximizing Benefits and Practical Considerations December 7,

Section 1031 Exchange Strategies Maximizing Benefits and Practical Considerations December 7,

Section 1031 Exchange Strategies Maximizing Benefits and Practical Considerations December 7, 2016 Presenters Gina Mavica Nicholas Melillo Christina Novotny Alexander Szilvas Partner Partner Counsel Partner Moderator 2 Section 1031

958 views • 81 slides
Facebook Exchange Facebook Exchange (FBX) (FBX) Facebook Exchange The Facebook Exchange allows

Facebook Exchange Facebook Exchange (FBX) (FBX) Facebook Exchange The Facebook Exchange allows

Facebook Exchange Facebook Exchange (FBX) (FBX) Facebook Exchange The Facebook Exchange allows programmatic buying of Facebook ad inventory through real-time bidding. Agencies, trading desks and direct marketers can buy Facebook ads using

343 views • 7 slides
Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionQ, Inc. Full list of submitters: Reza Azarderakhsh, FAU Amir Jalali, LinkedIn Michael Naehrig, MSR Matt Campagna, Amazon David Jao, UW

365 views • 10 slides
Everything You Need To Know About The Ordinary Course of Business Preference Defense, And

Everything You Need To Know About The Ordinary Course of Business Preference Defense, And

Everything You Need To Know About The Ordinary Course of Business Preference Defense, And More! By: Bruce S. Nathan, Esq. David M. Banker, Esq. Terence D. Watson, Esq. Abstract Congress enacted the ordinary course of business defense

555 views • 18 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn,

360 views • 34 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO

The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO

The supersingular isogeny problem in genus 2 and beyond Craig Costello and Benjamin Smith ANR CIAO Kickoff meeting, Bordeaux, February 2020 Microsoft Research and Inria + cole polytechnique 1 g = 1 A directed multigraph (but almost a graph)

408 views • 25 slides

More recommend