public-key cryptography from supersingular elliptic curve...
TRANSCRIPT
Public-key cryptography fromsupersingular elliptic curve isogenies
David Jao
Department of Combinatorics & OptimizationUniversity of Waterloo
August 1, 2019
Elliptic curves
DefinitionAn elliptic curve over a field F isa nonsingular curve E of the form
E : y2 = x3 + ax + b,
for fixed constants a, b ∈ F .
The set of projective points onan elliptic curve forms a group.
x
y
P
Q
-HP+QL
P+Q
E
Counting points on elliptic curves
Example
The elliptic curve E : y2 = x3 + x over F11 has points
(0, 0), (5, 3), (5, 8), (7, 3), (7, 8), (8, 5),
(8, 6), (9, 1), (9, 10), (10, 3), (10, 8),∞.
This is no coincidence:
TheoremFor any prime p ≡ 3 (mod 4), the elliptic curve E : y2 = x3 + xover Fp has p + 1 points.
Proof by example
x x3 + x is x3 + x a QR?√x3 + x points on E
0 0 zero 0 (0, 0)1 2 QNR none none2 10 QNR none none3 8 QNR none none4 2 QNR none none5 9 QR ±3 (5, 3), (5, 8)6 −9 QNR none none7 −2 QR ±3 (7, 3), (7, 8)8 −8 QR ±5 (8, 5), (8, 6)9 −10 QR ±1 (9, 1), (9, 10)
10 −2 QR ±3 (10, 3), (10, 8)
Isogenies
DefinitionAn isogeny is a morphism φ of algebraic varieties between twoelliptic curves, such that φ is a group homomorphism.
Concretely:
φ : E → E ′
φ(x , y) = (φx(x , y), φy (x , y))
φx(x , y) =f1(x , y)
f2(x , y)
φy (x , y) =g1(x , y)
g2(x , y)
(f1, f2, g1, and g2 are all polynomials)
Microsoft Research
“David, I want tobuild cryptosystemsusing isogenies.”
“Roger that.”
A brief history of public-key cryptography
Cryptosystem Hard problem
Diffie-Hellman (1976)Elliptic curve cryptography (1986) Discrete logarithmsPairing-based cryptography (2000)
RSA (1977)Factoring integersRabin (1978)
Composite residues (1985)
Code-based cryptography (1979) Decoding linear codes
Lattice-based / NTRU (1996)Finding short lattice vectors
Isogeny based / CRS (1996)Computing isogenies
SIDH / SIKE (2011)
Motivation: quantum computers
Quantum computers represent a huge potential threat to existingpublic-key cryptosystems: RSA, ECC, etc.
I Transitioning cryptographic algorithms takes time. If you waituntil the threat arrives, it’s too late.
I NIST is already standardizing post-quantum cryptography.Expected completion: 2022–2024.
I Only public-key cryptography is threatened.
Post-quantum public-key cryptosystems / digital signatures:
I Lattice-based cryptography
I Code-based cryptography
I Multivariate polynomials
I Hash-based cryptography
I Isogeny-based cryptography
A short history of isogeny-based cryptography
Couveignes (1997), Rostovstev & Stolbunov (2006):
I Public-key cryptosystem using ordinary elliptic curve isogenies
I Very slow
I Quantum subexp. attack (Childs, Jao, Soukharev 2014)
Charles, Goren & Lauter (2009):
I First published cryptographic construction using isogenies
I Hash function only — no encryption
Jao & De Feo, SIDH / SIKE (2011):
I First public-key cryptosystem using supersingular isogenies
I Much faster than CRS
I Hardness problem is related to CGL (Costache et al. 2018)
Castryck et al., CSIDH (2018)
I CRS over supersingular curves
I Still has quantum subexponential attack
I Slower than SIDH, but has smaller keys (at low security levels)
SIDH / SIKE
Supersingular Isogeny Diffie-Hellman (Jao and De Feo, 2011):
I A key-exchange protocol, similar to Diffie-Hellman, usingisogenies between supersingular elliptic curves
Why isogenies?
I Because they seem to be quantum-resistant
Why supersingular elliptic curves?
I We found a quantum subexponential attack for ordinary (i.e.non-supersingular) curves (Childs, Jao, and Soukharev 2014)
Supersingular Isogeny Key Encapsulation (https://sike.org)(Jao and twelve other authors, 2017–2019):
I A more secure (and slower) version of SIDH, with randompadding and protection against active attacks.
Some group theory
DefinitionLet φ : G → H be a group homomorphism. The kernel of φ,denoted ker φ, is
{g ∈ G : φ(g) = 0}.
Theorem (First isomorphism theorem)
Let φ : G → H be a group homomorphism. Then:
I ker φ is a subgroup of G .
I G/ ker φ is isomorphic to the image of φ.
In particular, every surjective group homomorphism is isomorphicto some projection map G → G/K for some K .
SIDH overview
1. Public parameters: Supersingular elliptic curve E over Fp2 .
2. Alice chooses a kernel A ⊂ E (Fp2) and sends E/A to Bob.
3. Bob chooses a kernel B ⊂ E (Fp2) and sends E/B to Alice.
4. The shared secret is
E/〈A,B〉 = (E/A)/φA(B) = (E/B)/φB(A).
Diffie-Hellman (DH)
g g x
g y g xy
SIDH
E E/A
E/B E/〈A,B〉
φB
φA
Detailed description of SIDH
Public parameters:
I Prime p of the form 2e23e3 − 1 (needed for computations)
I Supersingular curve E : y2 = x3 + x over Fp2 of order (p + 1)2
I Z-basis {P2,Q2} of E [2e2 ] and {P3,Q3} of E [3e3 ]
Alice:
I Choose sk2 ∈ Z and compute S2 = P2 + sk2Q2 of order 2e2
I Compute φ2 : E → E/〈S2〉I Send E/〈S2〉, φ2(P3), φ2(Q3) to Bob
Bob:
I Same as Alice, swapping 2 with 3
The shared secret is derived from
E/〈S2,S3〉 = (E/〈S2〉)/〈φ2(P3) + sk3φ2(Q3)〉 = (E/〈S2〉)/〈φ2(S3)〉= (E/〈S3〉)/〈φ3(P2) + sk2φ3(Q2)〉 = (E/〈S3〉)/〈φ3(S2)〉
Attacks
Hardness assumption: Given E and E/A, it is computationallyinfeasible to find A.
Fastest known (passive) attack is a meet-in-the-middle collisionsearch or claw search on a search space of size deg(φ) ≈ 2300.
E
E3E32
E31
E2E22
E21
E1E12
E11
E/A
. . .
· · ·
. ..
Asymptotic complexity
For a generic meet-in-the-middle attack, the values in the tableare provable lower bounds.
Alice Bob
Classical√
2e2√
3e3
Quantum 3√
2e2 3√
3e3
Quantum security level of SIDH is conjecturally
min(3√
2e2 ,3√
3e3) ≈ p1/6
Advantages of SIKE
I 190 byte public keys — smallest of all the NIST proposals
I Simple parameter selection
I Slow speed will be less of an issue as computers get faster
I Uses nontrivial math!