CSIDH [‘si:,sad] Using supersingular elliptic curves to speed up CRS key agreement (joint work with T. Lange, C. Martindale, L. Panny, J. Renes) PQCRYPTO.


1 CSIDH [‘si:,sad]: Using supersingular elliptic curves to speed up CRS key agreement
(joint work with T. Lange, C. Martindale, L. Panny, J. Renes)
PQCRYPTO workshop, Academia Sinica, Taiwan, 29 June 2018
Wouter Castryck

2 Quick overview
Isogeny-based cryptography = a new kind of elliptic curve cryptography, supposed to be resistant against quantum computers.
Classical elliptic curve cryptography: based on a hidden relation between two points $P_1, P_2$ on an elliptic curve.
Isogeny-based cryptography: based on a hidden relation between two elliptic curves $E_1, E_2$ in an isogeny class.

3 Isogeny-based cryptography
Quick history: classical
1976 Diffie–Hellman: key exchange using exponentiation in groups
1985 Miller (indep. Koblitz in 1987): use groups of rational points on elliptic curves
1994 Shor: polynomial-time quantum break

4 Isogeny-based cryptography
Quick history: isogeny 1
1990 a.o. Brassard–Yung: generalize ‘exponentiation in groups’ to ‘acting on sets by commutative groups’
1997 Couveignes (indep. Stolbunov–Rostovtsev in 2004): use the action on isogeny classes of elliptic curves over $\mathbf{F}_p$ by ideal class groups of quadratic rings
2003 a.o. Kuperberg: subexponential-time quantum break

5 Isogeny-based cryptography
Quick history: isogeny 2
2006 Charles–Goren–Lauter: build a hash function from isogeny graphs of supersingular elliptic curves over $\mathbf{F}_{p^2}$.
2010 Jao–De Feo: build a key exchange from these isogeny graphs.

6 Part I: Diffie-Hellman key exchange from group actions

7 Group actions
An action of a group $G$ on a set $X$ is a map
$G \times X \to X : (g, x) \mapsto g * x$
obeying the rules $e * x = x$ and $g_1 * (g_2 * x) = (g_1 \cdot g_2) * x$ for all $g_1, g_2 \in G$.
Further terminology:
The group action is called transitive if for all $x, y \in X$ there is a $g \in G$ such that $y = g * x$.
The group action is free if $g * x = x$ implies that $g = e$.
Under these assumptions $X$ is called a principal homogeneous space for $G$, or a $G$-torsor.

8 Examples of group actions (I)
Important example of a group action: exponentiation.
$G = (\mathbf{Z}_N^\times, \cdot)$, $X$ = a group of order $N$ (so the set is incidentally a group here), action: $[a] * g := g^a$.
Note that indeed: $[1] * g = g^1 = g$ and $[a_1] * ([a_2] * g) = [a_1] * g^{a_2} = (g^{a_2})^{a_1} = g^{a_1 a_2} = [a_1 a_2] * g$.
Note: to obtain a torsor one must replace $X$ by its set of generators.

9 Examples of group actions (II)
Kummer action. Let $p > 2$ be a prime number and let $E : y^2 = f(x)$ be an elliptic curve over $\mathbf{F}_p$. Let $N = \#E(\mathbf{F}_p)$.
$G = (\mathbf{Z}_N^\times, \cdot)$, $X = \mathbf{P}^1(\mathbf{F}_p) = \mathbf{F}_p \cup \{\infty\}$,
action: $[a] * x_0 :=$ the $x$-coordinate of $aP$, where $P \in E(\mathbf{F}_p) \cup E^{\mathrm{twist}}(\mathbf{F}_p)$ is a point with $x$-coordinate $x_0$.
(Figure: the point $P$ above $x_0$, its double $2P$, and $[2] * x_0$.)

10 Diffie-Hellman key exchange using commutative group actions
Public: a commutative group $G$ acting on a set $X$, and a base point $x_0 \in X$.
Alice: secret $a \in G$, sends $a * x_0$.
Bob: secret $b \in G$, sends $b * x_0$.
Shared secret: $a * (b * x_0) = (a \cdot b) * x_0 = b * (a * x_0)$.

11 Diffie-Hellman key exchange using commutative group actions
Requested features:
Practicality: given $a \in G$ and $x_0 \in X$, one can efficiently compute $a * x_0$.
Security: hardness of the generalization of the discrete logarithm problem, i.e., given $x_0 \in X$ and $a * x_0 \in X$, determine some corresponding $a$ (sometimes called the vectorization problem).
Both requisites are non-trivial a priori!
As for security: it is possible to define a group action so that Alice and Bob have to solve discrete logs to perform the key exchange, while Eve can break the scheme by mere exponentiation.
As for practicality: in general there is no square-and-multiply (= double-and-add for elliptic curves), because $X$ is just a set!

12 Diffie-Hellman key exchange using commutative group actions
Three main ‘serious’ examples:
Classical Diffie-Hellman key exchange using exponentiation: practical thanks to square-and-multiply.
$x$-coordinate-only elliptic curve Diffie-Hellman using the Kummer action: practical thanks to differential addition (Montgomery ladder); e.g., used in X25519.
Couveignes-Rostovtsev-Stolbunov key exchange using the ‘CM torsor’: to be discussed very soon.

13 Diffie-Hellman key exchange using commutative group actions
What can one hope to gain from this generalization? Diffie-Hellman from exponentiation in groups is inherently not post-quantum!
Reason: given $h = g^a$, finding $a \in \mathbf{Z}_N$ with $N = \mathrm{ord}(g)$ can be seen as the hidden subgroup problem (HSP) associated with
$\mathbf{Z}_N \times \mathbf{Z}_N \to G : (\lambda, \mu) \mapsto g^\lambda h^{-\mu}$,
which is constant on the cosets of $\langle (a, 1) \rangle$. Shor’s quantum algorithm solves the HSP in commutative groups in polynomial time.

14 Diffie-Hellman key exchange using commutative group actions
What can one hope to gain from this generalization? In the more general setting of commutative group actions Shor does not apply!
However, given $a * x$, finding $a \in G$ can still be viewed as a hidden subgroup problem, through
$f : \mathrm{Dih}(G) \to X : g \mapsto g * (a * x), \quad g \cdot [r] \mapsto g * x$,
which is constant on the cosets of $\langle a \cdot [r] \rangle$. Here $\mathrm{Dih}(G)$ is the dihedral group associated with $G$ ($r$ = reflection); it is not commutative!
But… Kuperberg’s quantum algorithm solves the HSP in dihedral groups in time $L_{|G|}(1/2)$.

15 Part II: Couveignes-Rostovtsev-Stolbunov key exchange

16 Couveignes-Rostovtsev-Stolbunov key agreement
In 1997 Couveignes designed the first isogeny-based cryptosystem:
submitted to CRYPTO, rejected and never formally published;
rediscovered by Rostovtsev and Stolbunov in 2004;
sped up by De Feo, Kieffer and Smith in 2017.
Content of the proposal: Diffie-Hellman key exchange using the ‘CM torsor’, an action of $G = (\mathrm{Cl}(O), \cdot)$ (the ideal class group of an imaginary quadratic order) on a set of the form
$X = \{\text{elliptic curves } E/\mathbf{F}_p \text{ with } \mathrm{End}_{\mathbf{F}_p}(E) \cong O \text{ and prescribed } \#E(\mathbf{F}_p)\} / \cong_{\mathbf{F}_p}$
through isogenies.

17 Homomorphisms, isomorphisms, endomorphisms, isogenies
In the context of elliptic curves, a homomorphism $\varphi : E_1 \to E_2$ is a map which is
algebraic, i.e., can be described in terms of rational functions, and
a group homomorphism, in particular $\varphi(\infty) = \infty$; this means that $\varphi(P + Q) = \varphi(P) + \varphi(Q)$ for all $P, Q \in E_1$.
Fact: the kernel $\varphi^{-1}(\{\infty\})$ is either all of $E_1$ or a finite subset of $E_1$.
An isogeny $\varphi : E_1 \to E_2$ is a non-zero homomorphism (i.e., one with finite kernel).
An isomorphism $\varphi : E_1 \to E_2$ is a homomorphism with an inverse homomorphism.
An endomorphism of an elliptic curve $E$ is a homomorphism to itself.

18 The endomorphism ring
The endomorphisms of an elliptic curve $E/\mathbf{F}_p$ form a ring with
pointwise addition: $\varphi_1 + \varphi_2 : E \to E : P \mapsto \varphi_1(P) + \varphi_2(P)$,
multiplication by composition: $\varphi_1 \cdot \varphi_2 : E \to E : P \mapsto \varphi_1(\varphi_2(P))$.
We make a distinction between
the ring of $\mathbf{F}_p$-rational endomorphisms $\mathrm{End}_{\mathbf{F}_p}(E)$, i.e., those that can be described using coefficients in $\mathbf{F}_p$, and
the full ring of endomorphisms $\mathrm{End}(E)$, which can a priori be a strictly bigger ring!

19 The endomorphism ring
Very remarkable fact: $\mathrm{End}_{\mathbf{F}_p}(E)$ is isomorphic to an imaginary quadratic order, so it is a commutative ring! More precisely
$\mathbf{Z}[\pi] \subseteq \mathrm{End}_{\mathbf{F}_p}(E) \subseteq O_{\mathbf{Q}(\pi)}$,
where $\mathbf{Z}[\pi]$ is generated by the scalar multiplication maps and the Frobenius endomorphism $\pi : (x, y) \mapsto (x^p, y^p)$, $O_{\mathbf{Q}(\pi)}$ is the maximal order, and the index of $\mathrm{End}_{\mathbf{F}_p}(E)$ in the maximal order is the conductor.
As for the full ring of endomorphisms, one usually simply has $\mathrm{End}_{\mathbf{F}_p}(E) = \mathrm{End}(E)$. If this is the case then our elliptic curve $E$ is called ordinary.
Exceptionally it can happen that the inclusion $\mathrm{End}_{\mathbf{F}_p}(E) \subseteq \mathrm{End}(E)$ is strict, in which case $E$ is called supersingular. In this case $\mathrm{End}(E)$ is not commutative!
Alternative characterization of supersingularity (if $p > 3$): $\#E(\mathbf{F}_p) = p + 1$.

20 Ideal class group
Let $O$ be an imaginary quadratic order and consider multiplication of ideals:
$I_1 \cdot I_2 := \langle \alpha\beta \mid \alpha \in I_1 \text{ and } \beta \in I_2 \rangle$.
Call two ideals $I_1, I_2 \subseteq O$ equivalent if there exist $\alpha, \beta \in O \setminus \{0\}$ such that $\alpha \cdot I_1 = \beta \cdot I_2$, i.e., if they are equal ‘modulo principal ideals’.
Note: equivalence is compatible with multiplication of ideals: if $I_1 \sim J_1$ and $I_2 \sim J_2$ then $I_1 \cdot I_2 \sim J_1 \cdot J_2$. So we can multiply equivalence classes!
The ideal class group of $O$ is
$\mathrm{Cl}(O) = (\{\text{equivalence classes of non-zero ideals } I \subseteq O \text{ not containing the conductor}\}, \cdot)$.

21 The CM torsor
Required fact about isogenies:
Remember that an isogeny $\varphi : E_1 \to E_2$ has a finite kernel $H = \varphi^{-1}(\infty) \subseteq E_1$. If $\varphi$ is defined over $\mathbf{F}_p$ then so is $H$, i.e., $\pi(H) = H$.
Conversely: for each finite subgroup $H \subseteq E_1$ defined over $\mathbf{F}_p$ there is a curve $E_2$ and an isogeny $\varphi : E_1 \to E_2$ with kernel $H$, and both $E_2$ and $\varphi$ are defined over $\mathbf{F}_p$. If we restrict to separable isogenies then $E_2$ is unique up to $\mathbf{F}_p$-isomorphism.
Notation: $E_2 = E_1 / H$.

22 The CM torsor
Let $E/\mathbf{F}_p$ be an elliptic curve with endomorphism ring $O = \mathrm{End}_{\mathbf{F}_p}(E)$. Let $I \subseteq O$ be a non-zero ideal. Then one can define the subgroup
$H_I = \bigcap_{\alpha \in I} \ker \alpha$
and consider the associated separable isogeny $\varphi_I : E \to E / H_I$.
Premature version of the CM torsor: define $I * E := E / H_I$.

23 The CM torsor
Can be shown:
If $I \subseteq O$ is a nonzero ideal not containing the conductor and $\mathrm{End}_{\mathbf{F}_p}(E) = O$, then also $\mathrm{End}_{\mathbf{F}_p}(I * E) = O$, so we can repeat.
Moreover $I_1 * (I_2 * E) = (I_1 \cdot I_2) * E$ for all non-zero ideals $I_1, I_2 \subseteq O$.
Tate: all isogenous elliptic curves have the same number of $\mathbf{F}_p$-points.
Thus our premature version of the CM torsor can be viewed as an ‘action’ of $(\{\text{nonzero ideals } I \subseteq O\}, \cdot)$ on
$X = \{\text{elliptic curves } E/\mathbf{F}_p \text{ with } \mathrm{End}_{\mathbf{F}_p}(E) \cong O \text{ and prescribed } \#E(\mathbf{F}_p)\} / \cong_{\mathbf{F}_p}$.

24 The CM torsor
To get our desired action of $(\mathrm{Cl}(O), \cdot)$ it suffices to remark that principal ideals act trivially:
$I = (\alpha) \Rightarrow H_I = \ker \alpha \Rightarrow \varphi_I : E \to E / H_I \cong E$,
where the isomorphism holds because $\alpha$ is an endomorphism.
So we finally get our action of $\mathrm{Cl}(O)$ on
$X = \{\text{elliptic curves } E/\mathbf{F}_p \text{ with } \mathrm{End}_{\mathbf{F}_p}(E) \cong O \text{ and prescribed } \#E(\mathbf{F}_p)\} / \cong_{\mathbf{F}_p}$,
which can be shown to be free and transitive, hence a torsor.

25 Couveignes-Rostovtsev-Stolbunov key agreement
Public: an imaginary quadratic order $O$ and an elliptic curve $E_0$ with $\mathrm{End}_{\mathbf{F}_p}(E_0) \cong O$.
Alice: secret $[I] \in \mathrm{Cl}(O)$, sends $[I] * E_0$.
Bob: secret $[J] \in \mathrm{Cl}(O)$, sends $[J] * E_0$.
Shared secret: $[I] * ([J] * E_0) = ([I] \cdot [J]) * E_0 = [J] * ([I] * E_0)$.

26 Couveignes-Rostovtsev-Stolbunov key agreement
How to do this in practice? Remember: no square-and-multiply!
Idea: find enough ideals $I_1, I_2, I_3, \ldots, I_r$ whose action is ‘easy’ to compute. In practice, we want $\mathrm{norm}(I_j) := \#(O / I_j)$ small. Then $H_{I_j}$ is small and we can explicitly compute $E / H_{I_j}$ using Vélu’s formulae. (Other possible strategy: modular polynomials.)
Example: $I = \langle [2], \pi - [1] \rangle$. Then:
$\ker [2] = E[2] = \{P \in E \mid 2P = \infty\}$,
$\ker(\pi - [1]) = \{P \in E \mid \pi(P) = P\} = E(\mathbf{F}_p)$,
$H_I = \{P \in E(\mathbf{F}_p) \mid 2P = \infty\}$.

27 Couveignes-Rostovtsev-Stolbunov key agreement
Example continued (let $p > 2$ be a prime number). Let $a \in \mathbf{F}_p$ and $b \in \mathbf{F}_p^\times$ be such that $a^2 - 4b$ is a nonzero square. Consider $E : y^2 = x^3 + a x^2 + b x$. Then
$H_I = \{P \in E(\mathbf{F}_p) \mid 2P = \infty\} = \{(0, 0), \infty\}$
and Vélu’s formulae give
$\varphi : E \to E / H_I : \quad (0, 0), \infty \mapsto \infty, \quad (x_1, y_1) \mapsto \left( \frac{y_1^2}{x_1^2}, \frac{y_1 (x_1^2 - b)}{x_1^2} \right) \text{ if } x_1 \neq 0$,
where $E / H_I = E_2 : y^2 = x^3 - 2a x^2 + (a^2 - 4b) x$.

28 Couveignes-Rostovtsev-Stolbunov key agreement
Now assume that we have found enough ‘easy’ ideals $I_1, I_2, I_3, \ldots, I_r$.
Fact: from the (extended) Riemann Hypothesis it follows that $\mathrm{Cl}(O)$ is generated by the classes of ideals of norm at most $\approx \log^2 |\mathrm{Cl}(O)|$.
Then we choose an approximately random $[I] \in \mathrm{Cl}(O)$ as
$[I_1]^{e_1} \cdot [I_2]^{e_2} \cdot [I_3]^{e_3} \cdots [I_r]^{e_r}$ for $0 \leq e_i \leq \lambda$,
where $(e_1, e_2, \ldots, e_r) \in \{0, \ldots, \lambda\}^r$ is uniform random.
Note: if $\#\mathrm{Cl}(O) \approx 2^k$ then we need $\lambda \approx 2^{k/r}$, so the larger $r$ the better.
If also $I_j^{-1}$ is easy then we can take $-\lambda \leq e_i \leq \lambda$ and need $(2\lambda + 1) \approx 2^{k/r}$.
Then $[I] * E$ can be computed using $\approx \lambda \cdot r$ isogenies.

29 Couveignes-Rostovtsev-Stolbunov key agreement
A note on $\#\mathrm{Cl}(O)$. Theorem (Brauer-Siegel): if $\#E(\mathbf{F}_p)$ does not lie too close to the boundary of the Hasse interval, then $\#\mathrm{Cl}(O) \approx \sqrt{p}$.
Best attacks are the generic ones, i.e., they apply to every group-action-based scheme:
classical: time $\sqrt{\#\mathrm{Cl}(O)} \approx \sqrt[4]{p}$, e.g., baby-step giant-step;
quantum: time $L_{\#\mathrm{Cl}(O)}(1/2) = L_p(1/2)$, e.g., Kuperberg.
Example of concrete parameter sizes: $p \approx \ldots$ provides 128 bits of classical security and 64 bits of quantum security (ongoing debate).
Note: non-interactive.

30 Couveignes-Rostovtsev-Stolbunov key agreement
Public: an imaginary quadratic order $O$, an elliptic curve $E_0$ with $\mathrm{End}_{\mathbf{F}_p}(E_0) \cong O$, and easy ideals $I_1, I_2, \ldots, I_r \subseteq O$.
Alice: secret $(a_1, \ldots, a_r) \in \{0, \ldots, \lambda\}^r$, sends $([I_1]^{a_1} \cdots [I_r]^{a_r}) * E_0$.
Bob: secret $(b_1, \ldots, b_r) \in \{0, \ldots, \lambda\}^r$, sends $([I_1]^{b_1} \cdots [I_r]^{b_r}) * E_0$.
Shared secret: $([I_1]^{a_1} \cdots) * (([I_1]^{b_1} \cdots) * E_0) = ([I_1]^{a_1 + b_1} \cdots) * E_0 = ([I_1]^{b_1} \cdots) * (([I_1]^{a_1} \cdots) * E_0)$.

31 Schreier graph interpretation
Recall: the action of $\mathrm{Cl}(O)$ on $X$ is free and transitive $\Rightarrow \#\mathrm{Cl}(O) = \#X$.
Let $[I] \in \mathrm{Cl}(O)$. Repeated action of $[I]$ partitions $X$ into oriented cycles: $\#\mathrm{Cl}(O) / \mathrm{ord}[I]$ cycles of length $\mathrm{ord}[I]$ each. (These cycles are craters of volcano graphs.)
Example: secret vector $(3, 5, 3, -1)$. Starting from $E_0 \in X$, we want to compute
$[I_1]^3 \cdot [I_2]^5 \cdot [I_3]^3 \cdot [I_4]^{-1} * E_0$.

32–50 Schreier graph interpretation
(Animation frames of the previous slide: the walk from $E_0$ through $X$ proceeds one ideal at a time, first along $[I_1]$ three times, then along $[I_2]$ five times, then along $[I_3]$ three times, then along $[I_4]^{-1}$ once.)

51–68 Schreier graph interpretation
(Animation frames: Alice and Bob each walk from the common starting curve $E$ to their public curves $E_A$ and $E_B$; applying their secret walks to the other party’s curve, both arrive at the shared curve $E_{AB}$.)

69 Part III: Commutative Supersingular Isogeny Diffie-Hellman

70 Speed-ups by De Feo, Kieffer, Smith
Bad news not mentioned yet: Couveignes-Rostovtsev-Stolbunov key exchange is extremely slow.
Last year De Feo, Kieffer and Smith revisited the scheme from an efficiency point of view.
Remember: we want ‘easy’ ideals $I_1, I_2, I_3, \ldots, I_r$ with easy inverse classes. Then Alice and Bob sample as
$[I_1]^{e_1} \cdot [I_2]^{e_2} \cdot [I_3]^{e_3} \cdots [I_r]^{e_r}$ for $-\lambda \leq e_i \leq \lambda$,
where $(e_1, e_2, \ldots, e_r) \in \{-\lambda, \ldots, \lambda\}^r$ is uniform random.

71 Speed-ups by De Feo, Kieffer, Smith
De Feo, Kieffer and Smith have several interesting ideas for constructing such ideals.
Ideal ideals: let $\ell$ be a prime number not dividing the conductor of $O$ for which
$(\ell) = \langle \ell, \pi - 1 \rangle \cdot \langle \ell, \pi + 1 \rangle =: I \cdot J$,
so that $J$ is a representative of $[I]^{-1}$.
In this case $H_I = \{P \in E(\mathbf{F}_p) \mid \ell P = \infty\} = \langle P_\ell \rangle$, with $P_\ell$ the unique $\mathbf{F}_p$-rational point of order $\ell$, and $E / H_I$ can be computed efficiently using Vélu’s formulae, as in the example.
But also $H_J = \{P \in E(\mathbf{F}_{p^2}) \setminus E(\mathbf{F}_p) \mid \ell P = \infty\} = \langle P'_\ell \rangle$, with $P'_\ell$ the unique $\mathbf{F}_{p^2} \setminus \mathbf{F}_p$-point of order $\ell$, and $E / H_J$ can be computed efficiently using Vélu’s formulae applied to the quadratic twist (or using $x$-coordinate-only versions).

72 Speed-ups by De Feo, Kieffer, Smith
This type of splitting, $(\ell) = \langle \ell, \pi - 1 \rangle \cdot \langle \ell, \pi + 1 \rangle$ for a prime $\ell$ not dividing the conductor of $O$, is equivalent to:
$\ell$ divides $\#E(\mathbf{F}_p)$ and $p \equiv -1 \bmod \ell$.

73 Speed-ups by De Feo, Kieffer, Smith
So: we would like to enforce ‘$\ell$ divides $\#E(\mathbf{F}_p)$ and $p \equiv -1 \bmod \ell$’ for as many small primes $\ell$ as possible.
Strategy:
Select a large prime $p$ such that $p \equiv -1 \bmod \ell$ for many small $\ell$’s: easy, e.g. for 512-bit $p$ this works for $\approx 75$ primes $\ell$.
Find an elliptic curve $E/\mathbf{F}_p$ such that $\#E(\mathbf{F}_p)$ is divisible by as many of these $\ell$’s as possible: very hard, unless…

74 Speed-ups by De Feo, Kieffer, Smith
Using heavy computation and tricks involving modular curves, De Feo, Kieffer and Smith enforced this for 7 primes in the case of 512-bit $p$. But if $r = 7$ we would need exponents $e_i$ in a range of size …!
They also require many other, less beneficial ideals to generate $\mathrm{Cl}(O)$. Key exchange remains too slow ($\pm$ 4 minutes).
But… another thing we did not mention yet: both Couveignes-Rostovtsev-Stolbunov and De Feo-Kieffer-Smith restrict their attention to the full endomorphism ring $\mathrm{End}(E)$, rather than $\mathrm{End}_{\mathbf{F}_p}(E)$. As a consequence, they restrict their attention to ordinary elliptic curves.

75 CSIDH: commutative supersingular isogeny Diffie-Hellman
But by working with $\mathrm{End}_{\mathbf{F}_p}(E)$ there is no reason to restrict to ordinary elliptic curves… and supersingular elliptic curves have exactly the property we are after!
Remember: if $E/\mathbf{F}_p$ is supersingular then $\#E(\mathbf{F}_p) = p + 1$, so
$p \equiv -1 \bmod \ell \Rightarrow$ automatically $\#E(\mathbf{F}_p)$ is divisible by $\ell$.
So the property we want comes for free in the supersingular case.

76 CSIDH: commutative supersingular isogeny Diffie-Hellman
Concrete set-up:
$p$ a prime of the form $4 \ell_1 \ell_2 \ell_3 \cdots \ell_r - 1$ (with the $\ell_i$ odd);
$E_0 : y^2 = x^3 + x$ over $\mathbf{F}_p$ (supersingular because $p \equiv 3 \bmod 4$);
$O = \mathbf{Z}[\sqrt{-p}]$ (conductor 2, so we have to skip the prime 2);
compute the action using $I_1 = \langle \ell_1, \pi - 1 \rangle$, $I_2 = \langle \ell_2, \pi - 1 \rangle$, … and $x$-coordinate-only Vélu-type formulas for Montgomery curves due to Costello-Hisil and Renes;
map points to the next curve to speed up the search for $\ell$-torsion points.

77 CSIDH: commutative supersingular isogeny Diffie-Hellman
Concrete values: for 512-bit $p$ we can work with 74 $\ell_i$’s. Since $\ldots \approx 11$, it suffices to work with exponents $e_i$ in the range $\{-5, \ldots, 5\}$.
Proof-of-concept implementation in C (with some further speed-ups): key exchange in 100 ms.
Another feature: easy key validation, because we work with Montgomery curves $y^2 = x^3 + A x^2 + x$ over $\mathbf{F}_p$. The coefficient $A$ turns out to uniquely determine the $\mathbf{F}_p$-isomorphism class (so one just needs to check supersingularity).
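
Added example (not from the talk, nor from the CSIDH implementation): a toy Python check of two claims above, the 2-isogeny $\varphi : E \to E_2$ of slide 27 and the supersingular set-up of slides 75–76. It assumes the constructed toy prime $p = 4 \cdot 3 \cdot 5 \cdot 7 - 1 = 419$ and the curve coefficients $a = 1$, $b = 2$ chosen for illustration; both are far too small to mean anything for security, and points are enumerated by brute force.

```python
# Added example, not from the talk: toy arithmetic on E: y^2 = x^3 + a x^2 + b x over F_p,
# checking (1) slide 27's 2-isogeny and (2) the supersingular set-up of slides 75-76
# on the constructed toy prime p = 4*3*5*7 - 1 = 419 (far too small to be secure).
INF = None  # point at infinity

def on_curve(P, a, b, p):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x * x + b * x)) % p == 0

def add(P, Q, a, b, p):
    """Chord-and-tangent addition; P + (-P) = INF (this also covers doubling 2-torsion)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if P == Q:  # tangent slope = derivative of x^3 + a x^2 + b x
        lam = (3 * x1 * x1 + 2 * a * x1 + b) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - a - x1 - x2) % p  # the three intersection x's sum to lam^2 - a
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, a, b, p):
    """Double-and-add, the 'square-and-multiply' that a bare set X lacks."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R, a, b, p)
        if bit == "1":
            R = add(R, P, a, b, p)
    return R

def points(a, b, p):
    """All of E(F_p) by brute force (fine for a toy p)."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [INF] + [(x, y) for x in range(p)
                    for y in roots.get((x ** 3 + a * x * x + b * x) % p, [])]

def velu2(P, a, b, p):
    """Slide 27: phi: E -> E/{(0,0), INF}; the target E_2 has coefficients (-2a, a^2 - 4b)."""
    if P is INF or P[0] == 0:
        return INF
    x1, y1 = P
    inv = pow(x1 * x1, -1, p)
    return (y1 * y1 * inv % p, y1 * (x1 * x1 - b) * inv % p)

def check_2_isogeny(a, b, p):
    """(phi maps E(F_p) into E_2(F_p) and is additive on sampled pairs, #E(F_p) == #E_2(F_p))."""
    a2, b2 = -2 * a % p, (a * a - 4 * b) % p
    E = points(a, b, p)
    ok = all(on_curve(velu2(P, a, b, p), a2, b2, p) for P in E)
    for P in E[::7]:
        for Q in E[::11]:
            lhs = velu2(add(P, Q, a, b, p), a, b, p)
            rhs = add(velu2(P, a, b, p), velu2(Q, a, b, p), a2, b2, p)
            ok = ok and lhs == rhs
    return ok, len(E) == len(points(a2, b2, p))  # Tate: isogenous => same point count

def csidh_toy_setup(ls):
    """Slides 75-76: p = 4*l_1*...*l_r - 1 and E_0: y^2 = x^3 + x is supersingular, so
    #E_0(F_p) = p + 1 and each odd l | p + 1 gives an F_p-rational subgroup of order l.
    Returns (p, #E_0(F_p), {l: number of points killed by l})."""
    p = 4
    for l in ls:
        p *= l
    p -= 1
    E0 = points(0, 1, p)
    tors = {l: sum(1 for P in E0 if mul(l, P, 0, 1, p) is INF) for l in ls}
    return p, len(E0), tors
```

With `ls = [3, 5, 7]` the set-up returns $p = 419$, $\#E_0(\mathbf{F}_p) = 420 = p + 1$, and exactly $\ell$ points killed by each $\ell \in \{3, 5, 7\}$, i.e. one $\mathbf{F}_p$-rational subgroup of order $\ell$ for each $\ell_i$, which is the kernel $H_{I_i}$ the action is computed with.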

78 Comparison to SIDH (slide by Luca De Feo)

