twitter patricklonga outline
play

Twitter: @PatrickLonga Outline Motivation: the quantum menace - PowerPoint PPT Presentation

Apr 07, 2023 β€’269 likes β€’1.82k views

https://microsoft.com/en-us/research/people/plonga http://patricklonga.com Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange from supersingular isogenies: Preliminaries SIDH SIKE

  1. Ell lliptic curves and is isogenies β€’ Let 𝐹 1 and 𝐹 2 be elliptic curves defined over an extension field 𝑀 . β€’ An isogeny is a (non-constant) rational map 𝜚 : 𝐹 1 β†’ 𝐹 2 that preserves identity, i.e., 𝜚(𝒫 𝐹 1 ) β†’ 𝒫 𝐹 2 . Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 12

  2. Ell lliptic curves and is isogenies β€’ Let 𝐹 1 and 𝐹 2 be elliptic curves defined over an extension field 𝑀 . β€’ An isogeny is a (non-constant) rational map 𝜚 : 𝐹 1 β†’ 𝐹 2 that preserves identity, i.e., 𝜚(𝒫 𝐹 1 ) β†’ 𝒫 𝐹 2 . Relevant properties: β€’ Isogenies are group homomorphisms. β€’ For every finite subgroup 𝐻 βŠ† 𝐹 1 , there is a unique curve 𝐹 2 (up to isomorphism) and isogeny 𝜚 : 𝐹 1 β†’ 𝐹 2 with kernel 𝐻 . Write 𝐹 2 = 𝜚 𝐹 1 = 𝐹 1 / 𝐻 . β€’ (Separable) isogenies have deg 𝜚 = # ker 𝜚 . Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 12

  3. Supersingular curves β€’ An elliptic curve 𝐹/𝑀 is supersingular if #𝐹(𝑀) ≑ 1(mod π‘ž) . β€’ All supersingular curves can be defined over 𝔾 π‘ž 2 . β€’ There are ~ 𝒒/πŸπŸ‘ isomorphism classes of supersingular curves. Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 13

  4. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  5. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . Same j-invariant Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  6. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . β€’ Edges: isogenies of a fixed prime degree 𝓂 ∀ π‘ž 𝓂 = 2 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  7. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . β€’ Edges: isogenies of a fixed prime degree 𝓂 ∀ π‘ž 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝓂 = 2 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  8. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . β€’ Edges: isogenies of a fixed prime degree 𝓂 ∀ π‘ž For any prime 𝓂 ∀ π‘ž , there exist (𝓂 + 1) isogenies of degree 𝓂 originating from every supersingular curve. 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝜚 2 𝓂 = 2 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  9. Supersingular is isogeny graphs β€’ Vertices: the ~ π‘ž/12 isomorphism classes of supersingular curves over 𝔾 π‘ž 2 . β€’ Edges: isogenies of a fixed prime degree 𝓂 ∀ π‘ž For any prime 𝓂 ∀ π‘ž , there exist (𝓂 + 1) isogenies of degree 𝓂 originating from every supersingular curve. 𝜚 3 𝜚 2 𝜚 2 𝜚 2 𝜚 3 𝜚 3 𝜚 2 𝜚 3 𝜚 2 𝜚 3 𝜚 3 𝜚 2 𝜚 3 𝜚 3 𝜚 2 𝜚 2 𝜚 3 𝜚 2 𝜚 3 𝜚 2 𝜚 3 𝜚 3 𝜚 2 𝜚 2 𝜚 3 𝜚 2 𝜚 3 𝜚 3 𝓂 = 2 𝓂 = 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 14

  11. SID IDH in in a nutshell Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

  12. SID IDH in in a nutshell 𝐹 0 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

  13. SID IDH in in a nutshell 𝐹 𝐡 𝐹 0 𝐹 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

  14. SID IDH in in a nutshell 𝐹 𝐡 𝐹 𝐢𝐡 𝐹 0 𝐹 𝐡𝐢 Same j-invariant 𝐹 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 15

  15. SID IDH: : setup Set 𝓂 ∈ 2,3 , supersingular curve 𝐹 0 /𝔾 π‘ž 2 with a prime π‘ž = 𝑔 βˆ™ 2 𝑓 𝐡 3 𝑓 𝐢 βˆ’ 1 such that 2 𝑓 𝐡 β‰ˆ 3 𝑓 𝐢 and 𝑔 small. β€’ Then: 𝐹 2 𝑓 𝐡 , 𝐹[3 𝑓 𝐢 ] βŠ‚ 𝐹 0 (𝔾 π‘ž 2 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 16

  16. SID IDH: : setup Set 𝓂 ∈ 2,3 , supersingular curve 𝐹 0 /𝔾 π‘ž 2 with a prime π‘ž = 𝑔 βˆ™ 2 𝑓 𝐡 3 𝑓 𝐢 βˆ’ 1 such that 2 𝑓 𝐡 β‰ˆ 3 𝑓 𝐢 and 𝑔 small. β€’ Then: 𝐹 2 𝑓 𝐡 , 𝐹[3 𝑓 𝐢 ] βŠ‚ 𝐹 0 (𝔾 π‘ž 2 ) works over 𝐹[2 𝑓 𝐡 ] using 2-isogenies and linearly independent points 𝑄 𝐡 , 𝑅 𝐡 . works over 𝐹[3 𝑓 𝐢 ] using 3-isogenies and linearly independent points 𝑄 𝐢 , 𝑅 𝐢 . Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 16

  17. SID IDH protocol private Alice private Bob public params E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  18. SID IDH protocol private Alice private Bob public params E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  19. SID IDH protocol private Alice private Bob public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  20. SID IDH protocol private Alice private Bob public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐢 = 𝐹 0 / 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  21. SID IDH protocol private Alice private Bob public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐢 = 𝐹 0 / 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  22. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  23. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 β€² ) = 𝐡′ = 𝑆 𝐢 + [𝑑 𝐡 ]𝑇 𝐢 𝑙𝑓𝑠(𝜚 𝐡 𝐹 𝐢𝐡 = 𝐹 𝐢 / 𝐡′ β€² 𝜚 𝐡 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} 𝐡′ = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝜚 𝐢 𝑅 𝐡 = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 = 𝜚 𝐢 𝐡 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  24. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 β€² 𝜚 𝐢 E ’ s are isogenous curves 𝐹 𝐡𝐢 = 𝐹 𝐡 / 𝐢 β€² P ’ s, Q ’ s, R ’ s, S ’ s are points β€² 𝑙𝑓𝑠 𝜚 𝐢 = 𝐢′ = 𝑆 𝐡 + [𝑑 𝐢 ]𝑇 𝐡 𝐹 0 β€² ) = 𝐡′ = 𝑆 𝐢 + [𝑑 𝐡 ]𝑇 𝐢 𝑙𝑓𝑠(𝜚 𝐡 𝐹 𝐢𝐡 = 𝐹 𝐢 / 𝐡′ β€² 𝜚 𝐡 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} 𝐡′ = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝜚 𝐢 𝑅 𝐡 = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 = 𝜚 𝐢 𝐡 𝐢 β€² = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝜚 𝐡 𝑅 𝐢 = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 = 𝜚 𝐡 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  25. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 β€² 𝜚 𝐢 E ’ s are isogenous curves 𝐹 𝐡𝐢 = 𝐹 𝐡 / 𝐢 β€² P ’ s, Q ’ s, R ’ s, S ’ s are points β€² 𝑙𝑓𝑠 𝜚 𝐢 = 𝐢′ = 𝑆 𝐡 + [𝑑 𝐢 ]𝑇 𝐡 𝐹 0 β€² ) = 𝐡′ = 𝑆 𝐢 + [𝑑 𝐡 ]𝑇 𝐢 𝑙𝑓𝑠(𝜚 𝐡 𝐹 𝐢𝐡 = 𝐹 𝐢 / 𝐡′ β€² 𝜚 𝐡 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} 𝐡′ = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝜚 𝐢 𝑅 𝐡 = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 = 𝜚 𝐢 𝐡 𝐢 β€² = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝜚 𝐡 𝑅 𝐢 = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 = 𝜚 𝐡 𝐢 β€² (𝜚 𝐡 (𝐹 0 )) β‰… 𝐹 0 / 𝑄 β€² (𝜚 𝐢 𝐹 0 ) 𝐹 𝐡𝐢 = 𝜚 𝐢 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 , 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 β‰… 𝐹 𝐢𝐡 = 𝜚 𝐡 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  26. SID IDH protocol private Alice private Bob 𝑆 𝐡 , 𝑇 𝐡 = {𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 (𝑅 𝐢 )} public params 𝐹 𝐡 = 𝐹 0 / 𝐡 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 0 / 𝐡, 𝐢 𝐹 𝐢 = 𝐹 0 / 𝐢 𝑆 𝐢 , 𝑇 𝐢 = {𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 (𝑅 𝐡 )} 𝐡′ = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝜚 𝐢 𝑅 𝐡 = 𝜚 𝐢 𝑄 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 = 𝜚 𝐢 𝐡 𝐢 β€² = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝜚 𝐡 𝑅 𝐢 = 𝜚 𝐡 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 = 𝜚 𝐡 𝐢 β€² (𝜚 𝐡 (𝐹 0 )) β‰… 𝐹 0 / 𝑄 β€² (𝜚 𝐢 𝐹 0 ) 𝐹 𝐡𝐢 = 𝜚 𝐢 𝐡 + [𝑑 𝐡 ]𝑅 𝐡 , 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 β‰… 𝐹 𝐢𝐡 = 𝜚 𝐡 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 17

  27. SID IDH protocol Drawback: β€’ SIDH is not secure when keys are reused (Galbraith-Petit-Shani-Ti 2016) β€’ Only recommended in ephemeral mode Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 18

  29. Supersingular is isogeny key encapsulation (S (SIK IKE) β€’ IND-CCA secure key encapsulation: no problem reusing keys! β€’ Uses a variant of Hofheinz – HΓΆvelmanns – Kiltz (HHK) transform: IND-CPA PKE β†’ IND-CCA KEM β€’ HHK transform is secure in both the classical and quantum ROM models β€’ Offline key generation gives performance boost (no perf loss SIDH β†’ SIKE) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 19

  30. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  31. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } β€² (𝜚 𝐢 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  32. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 encryption 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } β€² (𝜚 𝐢 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  33. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 encryption 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 Decaps 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 𝑑 = (pk 𝐡 , 𝐺(π‘˜) βŠ• 𝑛) β€² (𝜚 𝐢 (𝐹 0 ))) β€² (𝜚 𝐡 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 1. π‘˜β€² = π‘˜ 𝐹 𝐢𝐡 = π‘˜(𝜚 𝐢 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) 2 . 𝑛 β€² = 𝐺(π‘˜β€²) βŠ• 𝑑[2] 3 . 𝑠 β€² = 𝐻 𝑛 β€² , pk 𝐢 mod 2 𝑓 𝐡 4 . Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠′]𝑅 𝐡 β€² = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 5. pk 𝐡 β€² = 𝑑[1] then 6. If pk 𝐡 Shared key: 𝑑𝑑 = 𝐼(𝑛 β€² , 𝑑) 7 . Else 𝑑𝑑 = 𝐼(𝑑, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  34. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 encryption 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 Decaps 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 𝑑 = (pk 𝐡 , 𝐺(π‘˜) βŠ• 𝑛) β€² (𝜚 𝐢 (𝐹 0 ))) β€² (𝜚 𝐡 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 1. π‘˜β€² = π‘˜ 𝐹 𝐢𝐡 = π‘˜(𝜚 𝐢 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) 2 . 𝑛 β€² = 𝐺(π‘˜β€²) βŠ• 𝑑[2] 3 . 𝑠 β€² = 𝐻 𝑛 β€² , pk 𝐢 mod 2 𝑓 𝐡 decryption 4 . Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠′]𝑅 𝐡 β€² = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 5. pk 𝐡 β€² = 𝑑[1] then 6. If pk 𝐡 Shared key: 𝑑𝑑 = 𝐼(𝑛 β€² , 𝑑) 7 . Else 𝑑𝑑 = 𝐼(𝑑, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  35. Supersingular is isogeny key encapsulation (S (SIK IKE) KeyGen 1. 𝑑 𝐢 ∈ 𝑆 [0, 2 log 2 3 𝑓𝐢 ) Encaps 2. Set 𝑙𝑓𝑠 𝜚 𝐢 = 𝑄 𝐢 + [𝑑 𝐢 ]𝑅 𝐢 3. pk 𝐢 = {𝜚 𝐢 𝐹 0 , 𝜚 𝐢 𝑄 𝐡 , 𝜚 𝐢 𝑅 𝐡 } 1. message 𝑛 ∈ 𝑆 0,1 π‘œ 4. 𝑑 ∈ 𝑆 {0,1} π‘œ 2. 𝑠 = 𝐻 𝑛, pk 𝐢 mod 2 𝑓 𝐡 pk 𝐢 encryption 5. keypair: sk 𝐢 = (𝑑, 𝑑 𝐢 ) , pk 𝐢 3. Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠]𝑅 𝐡 Decaps 4. pk 𝐡 = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 𝑑 = (pk 𝐡 , 𝐺(π‘˜) βŠ• 𝑛) β€² (𝜚 𝐢 (𝐹 0 ))) β€² (𝜚 𝐡 (𝐹 0 ))) 5. π‘˜ = π‘˜ 𝐹 𝐡𝐢 = π‘˜(𝜚 𝐡 1. π‘˜β€² = π‘˜ 𝐹 𝐢𝐡 = π‘˜(𝜚 𝐢 6. Shared key: 𝑑𝑑 = 𝐼(𝑛, 𝑑) 2 . 𝑛 β€² = 𝐺(π‘˜β€²) βŠ• 𝑑[2] 3 . 𝑠 β€² = 𝐻 𝑛 β€² , pk 𝐢 mod 2 𝑓 𝐡 decryption 4 . Set 𝑙𝑓𝑠 𝜚 𝐡 = 𝑄 𝐡 + [𝑠′]𝑅 𝐡 β€² = {𝜚 𝐡 𝐹 0 , 𝜚 𝐡 𝑄 𝐢 , 𝜚 𝐡 𝑅 𝐢 } 5. pk 𝐡 β€² = 𝑑[1] then partial re-encryption 6. If pk 𝐡 Shared key: 𝑑𝑑 = 𝐼(𝑛 β€² , 𝑑) 𝐺, 𝐻, 𝐼 instantiated with cSHAKE256. 7 . Else 𝑑𝑑 = 𝐼(𝑑, 𝑑) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 20

  37. Computation la layers protocol SIDH, SIKE Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  38. Computation la layers protocol SIDH, SIKE high-level point and 𝑄 + 𝑑 𝑅 , 𝓂 𝑓 -degree isogenies curve arithmetic Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  39. Computation la layers protocol SIDH, SIKE high-level point and 𝑄 + 𝑑 𝑅 , 𝓂 𝑓 -degree isogenies curve arithmetic low-level point and 2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄) curve arithmetic Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  40. Computation la layers protocol SIDH, SIKE high-level point and 𝑄 + 𝑑 𝑅 , 𝓂 𝑓 -degree isogenies curve arithmetic low-level point and 2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄) curve arithmetic 𝔾 π‘ž 2 add, mul, sqr, inv extension field arithmetic Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  41. Computation la layers protocol SIDH, SIKE high-level point and 𝑄 + 𝑑 𝑅 , 𝓂 𝑓 -degree isogenies curve arithmetic low-level point and 2 𝑄, 3 𝑄, 𝑄 + 𝑅, 𝜚(𝑄) curve arithmetic 𝔾 π‘ž 2 add, mul, sqr, inv extension field arithmetic 𝔾 π‘ž add, mul, inv field arithmetic Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 21

  43. Hig igh-level point and curve ari rithmetic Two main internal computations: β€’ Double-scalar multiplications to construct kernels 𝑄 + 𝑑 𝑅 β€’ Smooth, 𝓢 𝒇 -degree isogeny computations 𝜚: 𝐹 0 β†’ 𝐹′ Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 22

  44. Computing 𝑄 + 𝑑 𝑅 Three-point differential ladder (x-only, variable point) β€’ De Feo-Jao-PlΓ»t (2014), step cost = 1DBL + 2ADD β€’ Faz-HernΓ‘ndez et al. (2018), step cost = 1DBL + 1ADD Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 23

  45. Computing 𝑄 + 𝑑 𝑅 [F [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  46. Computing 𝑄 + 𝑑 𝑅 [F [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  47. Computing 𝑄 + 𝑑 𝑅 [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g [F Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 𝒕 𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  48. Computing 𝑄 + 𝑑 𝑅 [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g [F Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 𝒕 𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ‘ = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  49. Computing 𝑄 + 𝑑 𝑅 [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g [F Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 𝒕 𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ‘ = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ’ = 𝟐 𝑄 + 12 𝑅 16 𝑅 [4]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  50. Computing 𝑄 + 𝑑 𝑅 [Faz-HernΓ‘ndez – LΓ³pez – Ochoa-JimΓ©nez – RodrΓ­g [F Γ­guez-HenrΓ­quez 20 2018 18] 𝑺 𝟐 = 𝑸 𝑺 𝟏 = 𝑹 𝑺 πŸ‘ = 𝑹 βˆ’ 𝑸 𝒕 = (𝟏𝟐𝟐𝟏𝟏) πŸ‘ 𝒕 𝟏 = 𝟏 𝑄 2 𝑅 [2]𝑅 βˆ’ 𝑄 𝒕 𝟐 = 𝟏 𝑄 4 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ‘ = 𝟐 𝑄 + 4 𝑅 8 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ’ = 𝟐 𝑄 + 12 𝑅 16 𝑅 [4]𝑅 βˆ’ 𝑄 𝒕 πŸ“ = 𝟏 𝑸 + πŸπŸ‘ 𝑹 32 𝑅 [20]𝑅 βˆ’ 𝑄 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 24

  51. Computing 𝓂 𝑓 -degree is isogenies β€’ Construct it as a composition of multiple (small, prime-degree) isogenies 𝐹 𝐡 𝐹 0 𝐹 0 / 𝐡, 𝐢 𝐹 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

  52. Computing 𝓂 𝑓 -degree is isogenies β€’ Construct it as a composition of multiple (small, prime-degree) isogenies 𝐹 𝐡 𝐹 0 𝐹 0 / 𝐡, 𝐢 𝐹 𝐢 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

  53. Computing 𝓂 𝑓 -degree is isogenies β€’ Construct it as a composition of multiple (small, prime-degree) isogenies 𝐹 𝐡 𝐹 0 𝐹 0 / 𝐡, 𝐢 𝐹 𝐢 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 𝐢 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ β‹― βˆ™βˆ™ 𝜚 π‘“βˆ’1 𝐹 0 𝐹 1 𝐹 2 𝐹 3 𝐹 4 𝐹 𝐢 𝜚 π‘“βˆ’1 𝜚 0 𝜚 2 𝜚 1 𝜚 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 25

  54. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  55. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  56. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 Compute 3 4 -degree isogeny: 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  57. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 𝐹 4 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  58. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  59. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  60. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  61. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  62. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 ( + ) slope: point operations Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  63. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 β€’ Iteratively compute: 𝐹 4 𝐹 𝑗+1 = 𝐹 𝑗 / [𝓂 π‘“βˆ’π‘—βˆ’1 ]𝑄 𝑗 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 ( + ) slope: point operations ( βˆ’ ) slope: isogeny operations Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  64. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 𝐹 4 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  65. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 𝜚 3 𝐹 4 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  66. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 3 𝐹 4 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  67. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 3 𝐹 4 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  68. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 3 𝐹 4 𝜚 0 = 𝐹 0 / 81𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  69. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 3 𝐹 4 𝜚 0 = 𝐹 0 / 81𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 1 = 𝜚 0 (𝐹 0 ) 3 𝑄 3 𝑄 1 = 𝜚 0 (𝑄 0 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  70. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 3 𝐹 4 𝜚 0 = 𝐹 0 / 81𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 1 = 𝜚 0 (𝐹 0 ) 3 𝑄 3 𝑄 1 = 𝜚 0 (𝑄 0 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  71. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 3 𝐹 4 𝜚 1 = 𝐹 1 / 27𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  72. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 3 𝐹 4 𝜚 1 = 𝐹 1 / 27𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 2 = 𝜚 1 (𝐹 1 ) 3 𝑄 3 𝑄 2 = 𝜚 1 (𝑄 1 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  73. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 1 = 𝐹 1 / 27𝑄 0 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 2 = 𝜚 1 (𝐹 1 ) 3 𝑄 3 𝑄 2 = 𝜚 1 (𝑄 1 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  74. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 2 = 𝐹 2 / 9𝑄 2 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  75. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝑄 3 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 2 = 𝐹 2 / 9𝑄 2 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 3 = 𝜚 2 (𝐹 2 ) 3 𝑄 3 𝑄 3 = 𝜚 2 (𝑄 2 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  76. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 3 3 𝑄 0 𝑄 3 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 2 = 𝐹 2 / 9𝑄 2 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 3 = 𝜚 2 (𝐹 2 ) 3 𝑄 3 𝑄 3 = 𝜚 2 (𝑄 2 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  77. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝑄 3 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 3 = 𝐹 3 / 3𝑄 3 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 3 𝑄 3 Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

  78. Computing 𝓂 𝑓 -degree is isogenies β€’ Example: Bob ( 𝓂 = 3 ) computes 𝐹 𝐢 = 𝜚 𝐢 (𝐹 0 ) 𝐹 0 𝑄 0 Let base point 𝑄 0 ∈ 𝐹 0 . Assume 𝑓 = 4 𝜚 0 𝐹 1 Compute 3 4 -degree isogeny: 3 𝑄 0 𝑄 1 𝜚 1 𝜚 𝐢 : 𝐹 0 β†’ 𝐹 4 𝐹 2 3 2 𝑄 0 𝜚 𝐢 = 𝜚 0 βˆ™ 𝜚 1 βˆ™ 𝜚 2 βˆ™ 𝜚 3 𝑄 2 𝜚 2 𝜚 0 𝐹 3 𝐹 4 = 𝐹 0 / 𝑄 0 3 3 𝑄 0 𝑄 3 𝜚 0 𝜚 1 𝜚 3 𝐹 4 𝜚 3 = 𝐹 3 / 3𝑄 3 3 4 𝑄 0 3 3 𝑄 1 3 2 𝑄 2 𝐹 4 = 𝜚 3 (𝐹 3 ) 3 𝑄 3 𝑄 4 𝑄 4 = 𝜚 3 (𝑄 3 ) Latincrypt, Oct 2019 Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies 26

Recommend

Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and

Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and

Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and Alek Kolcz Twitter, Inc. 1 Image source:google.com/images Large-Scale Machine Learning at Twitter Outline Outline Is twitter big data?

582 views β€’ 40 slides
Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD?

Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD?

Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD? Twitter is free! Twitter is flexible CPD from your phone Twitter crosses professional, hierarchical and geographical boundaries You

595 views β€’ 13 slides
WYSI (not always) WYG (but it can be) d.o./twitter: Andrew_Mallis ideograph OUTLINE

WYSI (not always) WYG (but it can be) d.o./twitter: Andrew_Mallis ideograph OUTLINE

WYSI (not always) WYG (but it can be) d.o./twitter: Andrew_Mallis ideograph OUTLINE context modules! concepts (distro) demo site google doc https://bit.ly/d7wysiwyg what you want http://bit.ly/WlUqcd what you get

671 views β€’ 36 slides
Sentiment Analysis in Twitter Rohit Kumar Jha, Sakaar Khurana Sentiment Analysis in Twitter

Sentiment Analysis in Twitter Rohit Kumar Jha, Sakaar Khurana Sentiment Analysis in Twitter

Sentiment Analysis in Twitter Rohit Kumar Jha, Sakaar Khurana Sentiment Analysis in Twitter Outline Introduction Problem Statement Motivation Previous Works Bag of Words Model Feature Extraction Unigrams Unigram+Bigram POS Tagging Naive

727 views β€’ 24 slides
Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC

Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC

Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC Twitter reps Tony Printezis VM Team | Infrastructure Org | Twitter ex-HotSpot (Sun / Oracle, 6+ years), ex-SunLabs (3+ years) Ramki

192 views β€’ 15 slides
Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and

Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and

Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and connect with other webinar participants. AMSSA can be found on Twitter @amssabc Tim Foran Immigration, Refugees and Citizenship Canada (IRCC)

1.53k views β€’ 116 slides
ML at Twitter: A Deep Dive into Twitters Timeline Cibele Montez Halasz, Twitter Cortex

ML at Twitter: A Deep Dive into Twitters Timeline Cibele Montez Halasz, Twitter Cortex

Twitter Cortex Twitter Timelines Quality ML at Twitter: A Deep Dive into Twitters Timeline Cibele Montez Halasz, Twitter Cortex Satanjeev Bano Banerjee, Twitter Timelines Quality OReilly AI Conference April 2019 Agenda 1 ML at

814 views β€’ 66 slides
Operations at Twitter John Adams Twitter Operations John Adams / @netik Early Twitter

Operations at Twitter John Adams Twitter Operations John Adams / @netik Early Twitter

Operations at Twitter John Adams Twitter Operations John Adams / @netik Early Twitter employee Lead engineer: Application Services (Apache, Unicorn, SMTP, etc...) Keynote Speaker: OReilly Velocity 2009 OReilly Web 2.0

771 views β€’ 46 slides
Twitter and Your (Academic) Job Search Goals Increase your awareness of Twitter and its

Twitter and Your (Academic) Job Search Goals Increase your awareness of Twitter and its

Twitter and Your (Academic) Job Search Goals Increase your awareness of Twitter and its features that are designed to help you in your job search and build your network Teach you how to STRATEGICALLY navigate Twitter and all of

879 views β€’ 55 slides
Twitter: #empower18 1 VUCA Volatile Uncertain Complex Ambiguous 2 Ed Catmull Because

Twitter: #empower18 1 VUCA Volatile Uncertain Complex Ambiguous 2 Ed Catmull Because

Li Listen, Imagine, Act: Bu Building a a Co Community o y of Th Thin inkers an and Doers Bena Kallick Email: kallick.bena@gmail.com Twitter: @benakallick Allison Zmuda Email: allison@allisonzmuda.com Twitter: @allison_zmuda Twitter:

586 views β€’ 20 slides
//Dashboard //Twitter Panel //Twitter Panel Context and Actions Act based on the document

//Dashboard //Twitter Panel //Twitter Panel Context and Actions Act based on the document

//Dashboard //Twitter Panel //Twitter Panel Context and Actions Act based on the document Act on the document I cant understand! Bring more context. //Twitter Panel Fill-in survey //Twitter Panel Link Restaurant //Twitter Panel

202 views β€’ 7 slides
@TwitterSports #NGBSummit @TJay August 21 2017 Agenda About Twitter Video on Twitter Best

@TwitterSports #NGBSummit @TJay August 21 2017 Agenda About Twitter Video on Twitter Best

@TwitterSports #NGBSummit @TJay August 21 2017 Agenda About Twitter Video on Twitter Best from IAAF Worlds 2017 Opportunities for NGBs Twitter is whats happening in the world and what people are talking about right now. 94 Billion

851 views β€’ 35 slides
Fixing Twitter ... and Finding your own Fail Whale John Adams Twitter Operations

Fixing Twitter ... and Finding your own Fail Whale John Adams Twitter Operations

Fixing Twitter ... and Finding your own Fail Whale John Adams Twitter Operations <jna@twitter.com> Operations Small team, growing rapidly. What do we do? Software Performance (back-end) Availability Capacity Planning

1.16k views β€’ 49 slides
Twitter Data Processing with MongoDB By Ama & Sameera Introduction Create twitter

Twitter Data Processing with MongoDB By Ama & Sameera Introduction Create twitter

Twitter Data Processing with MongoDB By Ama & Sameera Introduction Create twitter developer account Get access key Access REST API Execute some POST and GET queries Download a sample of twitter streaming data

464 views β€’ 30 slides
MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL

MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL

Twitter, Inc. MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL @Twitter Background Migration Process Migration Challenges Post-Deployment Challenges Future Plans Q&A

703 views β€’ 44 slides
Twitter in Mobile Mobile users do more and engage more 73% Mobile is the heart of the Twitter 6

Twitter in Mobile Mobile users do more and engage more 73% Mobile is the heart of the Twitter 6

TWITTER Twitter in Mobile Mobile users do more and engage more 73% Mobile is the heart of the Twitter 6 @TwitterAdsUK | Confidential http://www.pg.com.tr/procter/index.htm TWITTER DUAL SCREENING @TwitterAdsUK | Confidential

451 views β€’ 34 slides
Good morning! Please: 1. Download all files for this lesson 2. Open all 3 notebooks in Jupyter

Good morning! Please: 1. Download all files for this lesson 2. Open all 3 notebooks in Jupyter

Good morning! Please: 1. Download all files for this lesson 2. Open all 3 notebooks in Jupyter 3. Make a Twitter account (optional) 4. Log in to your Twitter account Outline 1. APIs: a. Overview b. Example with Twitter 2. Scraping a.

596 views β€’ 13 slides
enck.judith@epa.gov ARE YOU FOLLOWING US ON TWITTER YET? Twitter.com/EPARegion2 1 2 3 4 5 6

enck.judith@epa.gov ARE YOU FOLLOWING US ON TWITTER YET? Twitter.com/EPARegion2 1 2 3 4 5 6

Judith Enck EPA Region 2 Administrator enck.judith@epa.gov ARE YOU FOLLOWING US ON TWITTER YET? Twitter.com/EPARegion2 1 2 3 4 5 6 7 8 9 10 We just got back from Alaska, where we saw the cutest little glaciers. 11 12 13 14

484 views β€’ 27 slides
Twitter - @JuliaCSocial @KYGives #KYGives20 Twitter - @JuliaCSocial @KYGives #KYGives20

Twitter - @JuliaCSocial @KYGives #KYGives20 Twitter - @JuliaCSocial @KYGives #KYGives20

Twitter - @JuliaCSocial @KYGives #KYGives20 Twitter - @JuliaCSocial @KYGives #KYGives20 WWW.KYNONPROFITS.ORG REGISTER NOW: WWW.KYGIVES.ORG DEADLINE APRIL 20 UPDATED GETTING READY WEBINAR TOMORROW, 2PM EST Twitter - @JuliaCSocial @KYGives

618 views β€’ 57 slides
Linguistic Steganography on Twitter: Hierarchical Language Modelling with Manual Interaction

Linguistic Steganography on Twitter: Hierarchical Language Modelling with Manual Interaction

Linguistic Steganography on Twitter: Hierarchical Language Modelling with Manual Interaction Alex Wilson, Phil Blunsom, and Andrew D. Ker University of Oxford Twitter Twitter is a social networking site, launched in 2006. Users post

798 views β€’ 30 slides
What a are Twitter r bots, Twitter admits 8.5% of active and w what do they do? users, or

What a are Twitter r bots, Twitter admits 8.5% of active and w what do they do? users, or

Twitter bot accounts produced 3.8 million tweets, or 19 percent of all election tweets What a are Twitter r bots, Twitter admits 8.5% of active and w what do they do? users, or 23 million users are bots. @amrightnow, has more

400 views β€’ 13 slides
Propagated Opinion Retrieval in Twitter Zhunchen Luo, Jintao Tang and Ting

Propagated Opinion Retrieval in Twitter Zhunchen Luo, Jintao Tang and Ting

Propagated Opinion Retrieval in Twitter Zhunchen Luo, Jintao Tang and Ting Wang Opinion Retrieval in Twitter Extension work: opinion retrieval in Twitter ( ICWSM 2012 ) Twitter: an important source for people to

405 views β€’ 24 slides
#BREXIT ON TWITTER THE BIG QUETTION What is the relationship between social media and

#BREXIT ON TWITTER THE BIG QUETTION What is the relationship between social media and

#BREXIT ON TWITTER THE BIG QUETTION What is the relationship between social media and politict? How was Twitter used in the contexu of Brexit? What is the correlation between real life events and the world of Twitter? How do

604 views β€’ 29 slides
Operations at Twitter John Adams Twitter Operations USENIX LISA 2010 Friday, November 12, 2010

Operations at Twitter John Adams Twitter Operations USENIX LISA 2010 Friday, November 12, 2010

Operations at Twitter John Adams Twitter Operations USENIX LISA 2010 Friday, November 12, 2010 John Adams / @netik Early Twitter employee Lead engineer: Application Services (Apache, Unicorn, SMTP, etc...) Keynote Speaker:

744 views β€’ 59 slides

More recommend