csidh : an efficient post-quantum commutative group action · replace exponentiation on the group g...

CSIDH:An Efficient Post-QuantumCommutative Group Action

Wouter Castryck1 Tanja Lange2 Chloe Martindale2

Lorenz Panny2 Joost Renes3

1KU Leuven 2TU Eindhoven 3Radboud Universiteit

Crypto Working Group, Utrecht, 14 September 2018

1 / 21

["si:saId]

2 / 21

Why CSIDH?

I Drop-in post-quantum replacement for (EC)DH

I Non-interactive key exchange (full public-key validation);previously an open problem post-quantumly (w/ reasonable speed)

I Small keys: 64 bytes at conjectured AES-128 security levelI Competitive speed: ∼ 85 ms for a full key exchangeI Flexible: compatible with 0-RTT protocols such as QUIC;

recent preprint uses CSIDH for ‘SeaSign’ signatures

3 / 21

Why CSIDH?

I Drop-in post-quantum replacement for (EC)DHI Non-interactive key exchange (full public-key validation);

previously an open problem post-quantumly (w/ reasonable speed)



3 / 21

Why CSIDH?



I Small keys: 64 bytes at conjectured AES-128 security level

I Competitive speed: ∼ 85 ms for a full key exchangeI Flexible: compatible with 0-RTT protocols such as QUIC;


3 / 21

Why CSIDH?



I Small keys: 64 bytes at conjectured AES-128 security levelI Competitive speed: ∼ 85 ms for a full key exchange

I Flexible: compatible with 0-RTT protocols such as QUIC;recent preprint uses CSIDH for ‘SeaSign’ signatures

3 / 21

Why CSIDH?





3 / 21

Post-quantum Diffie-Hellman?

Traditionally, Diffie-Hellman works in a group G via the map

Z× G → G(x, g) 7→ gx.

Shor’s algorithm quantumly computes x from gx in any groupin polynomial time.

Idea:

Replace exponentiation on the group G by a group action of agroup H on a set S:

H × S→ S.

4 / 21

Post-quantum Diffie-Hellman!

Traditionally, Diffie-Hellman works in a group G via the map

Z× G → G(x, g) 7→ gx.

Shor’s algorithm quantumly computes x from gx in any groupin polynomial time.

Idea:

Replace exponentiation on the group G by a group action of agroup H on a set S:

H × S→ S.

4 / 21

Square-and-multiply

Suppose G ∼= Z/23 and that Alice computes g13.

·g·g·g

·g

·g

·g

·g

·g

·g·g

·g ·g ·g

·g

·g2

·g2

·g2

·g2

·g2·g2

·g

·g4

·g4

·g4

·g

·g4

·g8

g0g1

g2

g3

g4

g5

g6

g7

g8

g9

g10

g11 g12 g13g14

g15

g16

g17

g18

g19

g20

g21g22

5 / 21

Cycles!

·g·g·g

·g·g·g·g·g

·g ·g ·g ·g ·g·g·g·g·g·g

·g·g·g·g·g

g0g1

g2

g3

g4

g5

g6

g7

g8

g9

g10g11 g12 g13

g14g15

g16

g17

g18

g19g20

g21g22

·g2·g2

·g2

·g2

·g2

·g2

·g2

·g2

·g2·g2·g2·g2·g2·g

2·g2·g2·g2·g2

·g2·g2·g2·g2·g2

g0

g1

g2

g3

g4

g5

g6

g7

g8

g9

g10

g11g12

g13

g14

g15

g16

g17

g18

g19

g20

g21

g22

·g4·g4

·g4

·g4

·g4

·g4

·g4

·g4

·g4·g4·g4·g4·g4·g

4·g4·g4·g4·g4

·g4·g4·g4·g4·g4

g0

g1

g2

g3

g4

g5

g6

g7

g8

g9

g10

g11g12

g13g14

g15

g16

g17

g18

g19

g20

g21

g22

·g8·g8

·g8

·g8

·g8

·g8

·g8

·g8

·g8·g8·g8·g8·g8·g

8·g8·g8·g8·g8

·g8·g8·g8·g8·g8

g0

g1

g2

g3

g4

g5

g6

g7g8

g9

g10

g11 g12

g13

g14

g15g16

g17

g18

g19g20

g21

g22

Cycles are compatible: [right, then left] = [left, then right], etc.

6 / 21

Cycles!g0

g1g2

g3

g4

g5

g6

g7

g8

g9

g10g11 g12 g13

g14g15

g16

g17

g18

g19g20

g21g22 g0

g1

g2

g3

g4

g5

g6

g7

g8

g9

g10

g11g12

g13

g14

g15

g16

g17

g18

g19

g20

g21

g22

g0

g1

g2

g3

g4

g5

g6

g7

g8

g9

g10

g11g12

g13g14

g15

g16

g17

g18

g19

g20

g21

g22

g0

g1

g2

g3

g4

g5

g6

g7g8

g9

g10

g11 g12

g13

g14

g15g16

g17

g18

g19g20

g21

g22


6 / 21

Cycles!g0

g1g2

g3

g4

g5

g6

g7

g8

g9

g10g11 g12 g13

g14g15

g16

g17

g18

g19g20

g21g22 g0g1

g2

g3

g4

g5

g6

g7

g8

g9

g10g11 g12 g13

g14g15

g16

g17

g18

g19g20

g21g22

g0g1

g2

g3

g4

g5

g6

g7

g8

g9

g10g11 g12 g13

g14g15

g16

g17

g18

g19g20

g21g22 g0g1

g2

g3

g4

g5

g6

g7

g8

g9

g10g11 g12 g13

g14g15

g16

g17

g18

g19g20

g21g22


6 / 21

Union of cycles: rapid mixingg0

g1

g2

g3

g4

g5

g6

g7

g8

g9

g10

g11 g12g13

g14

g15

g16

g17

g18

g19

g20

g21g22

CSIDH: Nodes are now elliptic curves and edges are isogenies.

7 / 21

Union of cycles: rapid mixing

g0g1

g2

g3

g4

g5

g6

g7

g8

g9

g10

g11 g12g13

g14

g15

g16

g17

g18

g19

g20

g21g22

CSIDH: Nodes are now elliptic curves and edges are isogenies.

7 / 21

Graphs of elliptic curvesE0E158

E410

E368

E404

E75

E144

E191

E174

E413

E379

E124

E199 E390 E29E220

E295

E40

E6

E245

E228

E275

E344

E15

E51

E9

E261

Nodes: Supersingular curves EA : y2 = x3 + Ax2 + x over F419.Edges: 3-, 5-, and 7-isogenies (certain kinds of maps).

8 / 21


E410

E368

E404

E75

E144

E191

E174

E413

E379

E124

E199 E390 E29E220

E295

E40

E6

E245

E228

E275

E344

E15

E51

E9

E261

Nodes: Supersingular curves EA : y2 = x3 + Ax2 + x over F419.

Edges: 3-, 5-, and 7-isogenies (certain kinds of maps).

8 / 21


E410

E368

E404

E75

E144

E191

E174

E413

E379

E124

E199 E390 E29E220

E295

E40

E6

E245

E228

E275

E344

E15

E51

E9

E261

Nodes: Supersingular curves EA : y2 = x3 + Ax2 + x over F419.Edges: 3-, 5-, and 7-isogenies (certain kinds of maps).

8 / 21

Graphs of elliptic curves

E0E158E410E368

E404

E75

E144

E191

E174

E413

E379

E124E199 E390 E29

E220

E295

E40

E6

E245

E228

E275

E344

E15

E51

E9E261

A 3-isogeny(picture not to scale)

E51: y2=x3+51x2+x E9: y2=x3+9x2+x

(x, y)(

97x3−183x2+xx2−183x+97 ,

y· 133x3+154x2−5x+97−x3+65x2+128x−133

)

9 / 21

Diffie-Hellman on ‘nice’ graphs

Alice Bob[+,−,+,−] [+,+,−,+]

10 / 21


Alice Bob[+↑,−,+,−] [+

↑,+,−,+]

10 / 21


Alice Bob[+,−

↑,+,−] [+,+

↑,−,+]

10 / 21


Alice Bob[+,−,+

↑,−] [+,+,−

↑,+]

10 / 21


Alice Bob[+,−,+,−

↑] [+,+,−,+

↑]

10 / 21


Alice Bob[+,−,+,−] [+,+,−,+]

10 / 21


Alice Bob[+↑,−,+,−] [+

↑,+,−,+]

10 / 21


Alice Bob[+,−

↑,+,−] [+,+

↑,−,+]

10 / 21


Alice Bob[+,−,+

↑,−] [+,+,−

↑,+]

10 / 21


Alice Bob[+,−,+,−

↑] [+,+,−,+

↑]

10 / 21


Alice Bob[+,−,+,−] [+,+,−,+]

10 / 21

A walkable graph

Important properties for such a walk:

IP1 I The graph is a composition of compatible cycles.IP2 I We can compute neighbours in given directions.

11 / 21

IP1: A composition of cycles

I The graph used in CSIDH is constructed as a compositionof graphs G` of ‘`-isogenies’.

12 / 21



I In our example, these areE0E158E410

E368

E404

E75

E144

E191

E174

E413

E379E124

E199 E390 E29E220

E295

E40

E6

E245

E228

E275

E344

E15

E51

E9E261

G3:

12 / 21




E368

E404

E75

E144

E191

E174

E413

E379E124

E199 E390 E29E220

E295

E40

E6

E245

E228

E275

E344

E15

E51

E9E261

G5:

12 / 21




E368

E404

E75

E144

E191

E174

E413

E379E124

E199 E390 E29E220

E295

E40

E6

E245

E228

E275

E344

E15

E51

E9E261

G7:

12 / 21




E368

E404

E75

E144

E191

E174

E413

E379E124

E199 E390 E29E220

E295

E40

E6

E245

E228

E275

E344

E15

E51

E9E261

G3∪G5∪G7:

12 / 21



I Generally, the G` look something like

G3: G5:

I We want to make sure G` is just a cycle.

12 / 21

IP2: Compute neighbours in given directions

The edges of G` are `-isogenies.

(picture not to scale)

E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x

(x, y)(

97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97

−x3+65x2+128x−133

)

I The orientation of G` is mathematically well-defined(canonical way to compute the ‘left’ or ‘right’ isogeny).

I The cost grows with ` want small `.I Generally needs big extension fields...

13 / 21




E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x

(x, y)(

97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97

−x3+65x2+128x−133

)


I The cost grows with ` want small `.

I Generally needs big extension fields...

13 / 21




E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x

(x, y)(

97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97

−x3+65x2+128x−133

)


I The cost grows with ` want small `.I Generally needs big extension fields...

13 / 21

Point counting

Both ‘IP’s are connected to the number of points on the curves.

It seems difficult to find a curve with a given number of points(and such that the graph is big). [De Feo–Kieffer–Smith]

14 / 21

Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)

1. I Choose some small odd primes `1, . . . , `n.

I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.

2. magic math happens!

3. I E0 has p + 1 points.I Let the nodes of Gì be those EA with p + 1 points.I Then every Gì is a disjoint union of cycles.I All Gì are compatible.I Computations need only Fp-arithmetic.

15 / 21


1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.

I Fix the curve E0 : y2 = x3 + x over Fp.



15 / 21


1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.



15 / 21




3. I E0 has p + 1 points.

I Let the nodes of Gì be those EA with p + 1 points.I Then every Gì is a disjoint union of cycles.I All Gì are compatible.I Computations need only Fp-arithmetic.

15 / 21




3. I E0 has p + 1 points.I Let the nodes of Gì be those EA with p + 1 points.

I Then every Gì is a disjoint union of cycles.I All Gì are compatible.I Computations need only Fp-arithmetic.

15 / 21




3. I E0 has p + 1 points.I Let the nodes of Gì be those EA with p + 1 points.I Then every Gì is a disjoint union of cycles.

I All Gì are compatible.I Computations need only Fp-arithmetic.

15 / 21




3. I E0 has p + 1 points.I Let the nodes of Gì be those EA with p + 1 points.I Then every Gì is a disjoint union of cycles.I All Gì are compatible.

I Computations need only Fp-arithmetic.

15 / 21





15 / 21

Representing nodes of the graph

Side effect of magic:

I Every node of G`i can be written as

EA : y2 = x3 + Ax2 + x.

⇒ Can compress every node to a single value A ∈ Fp.⇒ Tiny keys!

16 / 21




EA : y2 = x3 + Ax2 + x.

⇒ Can compress every node to a single value A ∈ Fp.

⇒ Tiny keys!

16 / 21




EA : y2 = x3 + Ax2 + x.

⇒ Can compress every node to a single value A ∈ Fp.⇒ Tiny keys!

16 / 21

Does any A work?

No.

I About√p of all A ∈ Fp are valid keys.

I Public-key validation: Check that EA has p + 1 points.Easy Monte-Carlo algorithm: Pick random P on EA and check [p + 1]P = ∞.1

1This algorithm has a small chance of false positives, but we actually use avariant that proves that EA has p + 1 points.

17 / 21

Security

Classical:I Meet-in-the-middle variants: Time O( 4

√p).

Quantum:I Hidden-shift algorithms: Subexponential complexity.

I Literature contains mostly asymptotics.I Time-space trade-off: Fastest variants need huge memory.I Concrete estimates are to be done.I (Recent preprint [BS] ignores much of the cost!)

18 / 21

Security


√p).


I Literature contains mostly asymptotics.I Time-space trade-off: Fastest variants need huge memory.I Concrete estimates are to be done.

I (Recent preprint [BS] ignores much of the cost!)

18 / 21

Security


√p).


I Literature contains mostly asymptotics.I Time-space trade-off: Fastest variants need huge memory.I Concrete estimates are to be done.I (Recent preprint [BS] ignores much of the cost!)

18 / 21

Parameters

CSIDH-log p targ

etN

IST

leve

l

publ

icke

ysi

ze

priv

ate

key

size

tim

e(f

ulle

xcha

nge)

cycl

es(f

ulle

xcha

nge)

stac

km

emor

y

clas

sica

lsec

urit

y

quan

tum

secu

rity

clai

med

by[B

S](t

ake

cum

gran

osa

lis)

CSIDH-512 1 64 b 32 b 85 ms 212e6 4368 b 128 71CSIDH-1024 3 128 b 64 b 256 88CSIDH-1792 5 224 b 112 b 448 104

19 / 21

Work in progress & future work

I Fast and constant-time implementation

I Reliable security analysisI More applications

I [Your paper here!]

20 / 21


I Fast and constant-time implementationI Reliable security analysis

I More applications


20 / 21


I Fast and constant-time implementationI Reliable security analysisI More applications


20 / 21

Thank you!

21 / 21

References

Mentioned in this talk:

I Castryck, Lange, Martindale, Panny, Renes:CSIDH: An Efficient Post-Quantum Commutative Group Actionhttps://ia.cr/2018/383 (to appear at ASIACRYPT 2018)

I De Feo, Kieffer, Smith:Towards practical key exchange from ordinary isogeny graphshttps://ia.cr/2018/485 (to appear at ASIACRYPT 2018)

I De Feo, Galbraith:SeaSign: Compact isogeny signatures from class group actionshttps://ia.cr/2018/824

I [BS] Bonnetain, Schrottenloher:Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemeshttps://ia.cr/2018/537

Other related work:I Delfs, Galbraith:

Computing isogenies between supersingular elliptic curves over Fphttps://arxiv.org/abs/1310.7789

I Childs, Jao, Soukharev:Constructing elliptic curve isogenies in quantum subexponential timehttps://arxiv.org/abs/1012.4019

I Meyer, Reith:A faster way to the CSIDHhttps://ia.cr/2018/782(to appear at Indocrypt 2018)

I Jao, LeGrow, Leonardi, Ruiz-Lopez:A polynomial quantum space attack on CRS and CSIDH(MathCrypt 2018)

I Biasse, Iezzi, Jacobson:A note on the security of CSIDHhttps://arxiv.org/abs/1806.03656(to appear at Indocrypt 2018)

https://ia.cr/2018/383




https://arxiv.org/abs/1310.7789




Where’s the group?


E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x

(x, y)(

97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97

−x3+65x2+128x−133

)

I E9 = E51/a where a is the ideal (3, π − 1) of EndFp(E51).

I For our choices of A, EndFp(EA) ∼= Z[√−p].I The group action is

cl(Z[√−p])× {EA} −→ {EA}

([a],E) 7−→ E/a

(modulo details).

csidh : an efficient post-quantum commutative group action · replace exponentiation on the group g...

Documents