Efficient compression of SIDH public keys

Craig Costello1 David Jao2 Patrick Longa1

Michael Naehrig1 Joost Renes3 David Urbanik2

1Microsoft Research, Redmond, USA

2University of Waterloo, Ontario, Canada

3Radboud University, Nijmegen, The Netherlands

1 May 2017

1 May 2017 1 / 14

Supersingular-isogeny Diffie-Hellman

I Post-quantum secure (ephemeral) key exchange [JF11]

I Based on hardness of finding large-degree isogenies

I Small keys (≈ 564 bytes public)

I Relatively slow compared to other PQ proposals

I Key compression (≈ 385 bytes), at very high cost [Aza+16]

This talkI Key size reduced by 12.5% (≈ 330 bytes)

I Compression up to 66× faster

I Decompression up to 15× faster

1 May 2017 2 / 14

Supersingular-isogeny Diffie-Hellman

I Post-quantum secure (ephemeral) key exchange [JF11]

I Based on hardness of finding large-degree isogenies

I Small keys (≈ 564 bytes public)

I Relatively slow compared to other PQ proposals

I Key compression (≈ 385 bytes), at very high cost [Aza+16]

This talkI Key size reduced by 12.5% (≈ 330 bytes)

I Compression up to 66× faster

I Decompression up to 15× faster

1 May 2017 2 / 14

Isogeny graphs

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x , j(E ) = 24, ` = 2

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x , j(E ) = 24, ` = 3

17

41

40

0

24

48

66

2

2

2

3

22

22

2

2

3

2

1 May 2017 3 / 14

Isogeny graphs

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x , j(E ) = 24, ` = 2

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x , j(E ) = 24, ` = 3

17

41

40

0

24

48

662

2

2

3

22

22

2

2

3

2

1 May 2017 3 / 14

Isogeny graphs

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x , j(E ) = 24, ` = 2

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x , j(E ) = 24, ` = 3

17

41

40

0

24

48

66

2

2

2

3

22

22

2

2

3

2

1 May 2017 3 / 14

Isogeny graphs

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x , j(E ) = 24, ` = 2

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x , j(E ) = 24, ` = 3

17

41

40

0

24

48

66

2

2

2

3

22

22

2

2

3

2

1 May 2017 3 / 14

Key generation

= private party A, = private party B, = public keys

17

41

40

0

24

48

66

17

41

40

0

24

48

66

2

2

2

3

22

22

2

2

3

2

1 May 2017 4 / 14

Key generation

= private party A, = private party B, = public keys

17

41

40

0

24

48

66

17

41

40

0

24

48

66

2

2

2

3

22

22

2

2

3

2

1 May 2017 4 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key

↗↗↗ = 2-graph walk, ↘↘↘ = 3-graph walk,

E

EA

EB

EAB

EA[`e ] = 〈P,Q〉

∈ Fp2 (= 2 log p bits)

∈ F2p2 (= 4 log p bits)

EA[`e ] = 〈R,S〉

(α, β, γ, δ) ∈ Z4`e (≈ 2 log p bits)

φA

φB

1 May 2017 5 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key

↗↗↗ = 2-graph walk, ↘↘↘ = 3-graph walk,

E

EA

EB

EAB

EA[`e ] = 〈P,Q〉

∈ Fp2 (= 2 log p bits)

∈ F2p2 (= 4 log p bits)

EA[`e ] = 〈R,S〉

(α, β, γ, δ) ∈ Z4`e (≈ 2 log p bits)

φA

φB

1 May 2017 5 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key

↗↗↗ = 2-graph walk, ↘↘↘ = 3-graph walk,

E

EA

EB

EAB

EA[`e ] = 〈P,Q〉

∈ Fp2 (= 2 log p bits)

∈ F2p2 (= 4 log p bits)

EA[`e ] = 〈R,S〉

(α, β, γ, δ) ∈ Z4`e (≈ 2 log p bits)

φA

φB

1 May 2017 5 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key

↗↗↗ = 2-graph walk, ↘↘↘ = 3-graph walk,

E

EA

EB

EAB

EA[`e ] = 〈P,Q〉

∈ Fp2 (= 2 log p bits)

∈ F2p2 (= 4 log p bits)

EA[`e ] = 〈R,S〉

(α, β, γ, δ) ∈ Z4`e (≈ 2 log p bits)

φA

φB

1 May 2017 5 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key

↗↗↗ = 2-graph walk, ↘↘↘ = 3-graph walk,

E

EA

EB

EAB

EA[`e ] = 〈P,Q〉

∈ Fp2 (= 2 log p bits)

∈ F2p2 (= 4 log p bits)

EA[`e ] = 〈R,S〉

(α, β, γ, δ) ∈ Z4`e (≈ 2 log p bits)

φA

φB

1 May 2017 5 / 14

Public-key compression [Aza+16]

Compression

〈P,Q〉〈R, S〉

〈αR + βS , γR + δS〉(α, β, γ, δ)

Decompression

(α, β, γ, δ)〈R, S〉

(α, β, γ, δ)〈P,Q〉

Expensive

Significantly improve efficiency (up to 66×)

Significantly improve efficiency (up to 15×)

1 May 2017 6 / 14

Public-key compression [Aza+16]

Compression

〈P,Q〉〈R, S〉

〈αR + βS , γR + δS〉(α, β, γ, δ)

Decompression

(α, β, γ, δ)〈R, S〉

(α, β, γ, δ)〈P,Q〉

Expensive

Significantly improve efficiency (up to 66×)

Significantly improve efficiency (up to 15×)

1 May 2017 6 / 14

Public-key compression [Aza+16]

Compression

〈P,Q〉〈R, S〉

〈αR + βS , γR + δS〉(α, β, γ, δ)

Decompression

(α, β, γ, δ)〈R, S〉

(α, β, γ, δ)〈P,Q〉

Expensive

Significantly improve efficiency (up to 66×)

Significantly improve efficiency (up to 15×)

1 May 2017 6 / 14

Finding a canonical basis

Find R, S such that E [2372] = 〈R,S〉, where

#E (Fp2) =(23723239

)2.

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E [2372] = 〈R,S〉, where

#E (Fp2) =(23723239

)2.

Finding an element of order 2372

1 Deterministically pick R ∈ E (Fp2) \ 2E (Fp2)

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E [2372] = 〈R,S〉, where

#E (Fp2) =(23723239

)2.

Finding an element of order 2372

1 Deterministically pick R ∈ E (Fp2) \ 2E (Fp2)

For E : y2 = x(x − γ)(x − δ),

R ∈ 2E (Fp2) ⇐⇒ xR , xR − δ, xR − γ are squares

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E [2372] = 〈R,S〉, where

#E (Fp2) =(23723239

)2.

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2

For E : y2 = x(x − γ)(x − δ),

R ∈ 2E (Fp2) ⇐⇒ xR , xR − δ, xR − γ are squares

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E [2372] = 〈R,S〉, where

#E (Fp2) =(23723239

)2.

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2

2 If x3R + Ax2R + xR is not a square, goto 1

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E [2372] = 〈R,S〉, where

#E (Fp2) =(23723239

)2.

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2

2 If x3R + Ax2R + xR is not a square, goto 1

3 Set R ← (xR ,√x3R + Ax2R + xR)

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E [2372] = 〈R,S〉, where

#E (Fp2) =(23723239

)2.

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2

2 If x3R + Ax2R + xR is not a square, goto 1

3 Set R ← (xR ,√x3R + Ax2R + xR)

4 Set R ← [3239]R

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E [2372] = 〈R,S〉, where

#E (Fp2) =(23723239

)2.

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2

2 If x3R + Ax2R + xR is not a square, goto 1

3 Set R ← (xR ,√x3R + Ax2R + xR)

4 Set R ← [3239]R

Finding a canonical basis of E [2372]

1 Pick R ∈ E (Fp2) of order 2372

2 Pick S ∈ E (Fp2) of order 2372

3 If E [2372] 6= 〈R, S〉, goto 2.1 May 2017 7 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

......

......

...

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R

f0 ← f0(S)

...

......

......

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R f1← fn,R

f0 ← f0(S) f1 ← f1(P)

......

......

...

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R

f0 ← f0(S) f1 ← f0(P)

......

......

...

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R f2← fn,R

f0 ← f0(S) f1 ← f0(P) f2 ← f2(Q)

......

...

......

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R

f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q)

......

...

......

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R f3 ← fn,S

f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) f3 ← f3(P)

......

......

...

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R f3 ← fn,S f4← fn,S

f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) f3 ← f3(P) f4 ← f4(Q)

......

......

...

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R f3 ← fn,S

f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) f3 ← f3(P) f4 ← f3(Q)

......

......

...

Optimized formulas for fn,R and fn,S !

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn

e = e(R,S) eβ = e(R,P) eδ = e(R,Q)

e−α = e(S ,P) e−γ = e(S ,Q)

such that P = αR + βS and Q = γR + δS

e(R,S) e(R,P) e(R,Q) e(S ,P) e(S ,Q)

f0 ← fn,R f3 ← fn,S

f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) f3 ← f3(P) f4 ← f3(Q)

......

......

...

Optimized formulas for fn,R and fn,S !1 May 2017 8 / 14

Efficient discrete logarithms (Pohlig-Hellman)

For e0, e1, e2, e3, e4 ∈ µ`e , compute α, β, γ, δ such that

e1 = e−α0 , e2 = eβ0 , e3 = e−γ0 , e4 = eδ0

As µ`e ⊂ Gp+1 ⊂ Fp2 , I ≈M, S ≈ 2s, C ≈ 2m + 1s

DL`e#G1 = `e

DL` DL` · · · DL`#G1 = `

1 May 2017 9 / 14

Efficient discrete logarithms (Pohlig-Hellman)

For e0, e1, e2, e3, e4 ∈ µ`e , compute α, β, γ, δ such that

e1 = e−α0 , e2 = eβ0 , e3 = e−γ0 , e4 = eδ0

As µ`e ⊂ Gp+1 ⊂ Fp2 , I ≈M, S ≈ 2s, C ≈ 2m + 1s

DL`e#G1 = `e

DL` DL` · · · DL`#G1 = `

1 May 2017 9 / 14

Nested Pohlig-Hellman

PH1#G1 = `e1

#G2 = `e2 PH2 PH2 · · · PH2

#G3 = `e3 PH3 PH3 · · · PH3

#Gn = `en

......

PHn PHn · · · PHn

#Gn+1 = ` DL` DL` · · · DL`

1 May 2017 10 / 14

Comparison

# windows Fp2 table size

n w1 w2 w3 w4 M S Fp2

0 – – – – 372 69 378 375

1 19 – – – 375 7 445 43

2 51 7 – – 643 4 437 25

3 84 21 5 – 716 3 826 25

4 114 35 11 3 1 065 3 917 27

Options for different time-memory trade-offs [Sut11]

1 May 2017 11 / 14

Signature size reduction

I The quadruple (α, β, γ, δ) ∈ Z4`e determines

P = αR + βS , Q = γR + δS .

These determine 〈P + λQ〉, for some λ ∈ Z∗`e

I Thus we only need P,Q up to scalar, and compress to

[α : β : γ : δ] .

As P,Q form a basis of E [`e ], either α or β is invertible

I Normalizing, we represent it in Z3`e × Z2

1 May 2017 12 / 14

Benchmarks (for ` = 2)

This work [Aza+16] Speed-up

Key size (bytes) 328 385 –

SIDH (cc × 106) 80 – –

Compression (cc × 106) 109 6 081 56×

Decompression (cc × 106) 42 539 13×

Full no comp. (cc × 106) 192 535 2.8×

Full comp. (cc × 106) 469 15 395 31×

Software available at

https://github.com/Microsoft/PQCrypto-SIDH

1 May 2017 13 / 14

Thanks!

Questions

1 May 2017 14 / 14

References I

[Aza+16] Reza Azarderakhsh, David Jao, Kassem Kalach, Brian Koziel andChristopher Leonardi. “Key Compression for Isogeny-BasedCryptosystems”. In: Proceedings of the 3rd ACM InternationalWorkshop on ASIA Public-Key Cryptography, AsiaPKC@AsiaCCS,Xi’an, China, May 30 - June 03, 2016. Ed. by Keita Emura,Goichiro Hanaoka and Rui Zhang. ACM, 2016, pp. 1–10. doi:10.1145/2898420.2898421. url:http://doi.acm.org/10.1145/2898420.2898421.

[JF11] David Jao and Luca De Feo. “Towards Quantum-ResistantCryptosystems from Supersingular Elliptic Curve Isogenies”. In:Post-Quantum Cryptography - 4th International Workshop,PQCrypto 2011, Taipei, Taiwan, November 29 - December 2,2011. Proceedings. 2011, pp. 19–34. doi:10.1007/978-3-642-25405-5_2. url:http://dx.doi.org/10.1007/978-3-642-25405-5_2.

1 May 2017 15 / 14

References II

[Sut11] Andrew V. Sutherland. “Structure computation and discretelogarithms in finite abelian p-groups”. In: Math. Comput. 80.273(2011), pp. 477–500. doi: 10.1090/S0025-5718-10-02356-2.url: http://dx.doi.org/10.1090/S0025-5718-10-02356-2.

1 May 2017 16 / 14