
Cryptanalysis of known and attempted attacks on SIDH and SIKE

Brandon Langenberg

Post-Doc at FAU; Senior Researcher at PQSecure

ETSI/IQC Quantum Safe Workshop - November 6, 2019

Motivation

NIST Post-Quantum Standardization Process: currently in Round 2 and expected to conclude around 2022 with "more than one" candidate.

Five families of mathematical algorithms:

- Hash-based
- Code-based
- Lattice-based
- Multivariate
- Isogeny-based (SIKE)

Two categories:

- Key Encapsulation Mechanism (KEM)
- Digital Signature Algorithm (DSA)

NIST PQ Standardization: Call for Proposals

Security levels (classical/quantum work required to break the reference primitive):

1. AES-128: 2^170/MAXDEPTH quantum gates or 2^143 classical gates
2. SHA3-256: 2^146 classical gates
3. AES-192: 2^333/MAXDEPTH quantum gates or 2^207 classical gates
4. SHA3-384: 2^210 classical gates
5. AES-256: 2^298/MAXDEPTH quantum gates or 2^272 classical gates
6. SHA3-512: 2^274 classical gates

Brief History

2006: Birth of supersingular isogeny-based cryptography

- Families of Ramanujan Graphs and Quaternion Algebras (Charles-Goren-Lauter)
- Hash functions

2011: Supersingular Isogeny Diffie-Hellman Key Exchange (SIDH)

- Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies (Jao-De Feo)

2017: Supersingular Isogeny Key Encapsulation (SIKE)

- SIKE submission to NIST PQ Standardization Process (https://SIKE.org)

Elliptic Curves and Isogenies

If $K$ is a field such that $\mathrm{char}(K) > 3$, then any elliptic curve $E$ can be defined as:

$$E : y^2 = x^3 + ax + b, \quad \text{where } a, b \in K \text{ and } \Delta = -16(4a^3 + 27b^2) \neq 0$$

Points on $E$ together with "+" form an abelian group (identity element $= \infty$).

Isomorphism classes are determined by the j-invariant:

$$j(E) = 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}$$

Elliptic Curves and Isogenies

Isogenies:

Let $E_1$ and $E_2$ be elliptic curves defined over an extension field $L$. An isogeny $\phi$ is a non-constant rational map $\phi : E_1 \to E_2$ that preserves the identity. This is also a group homomorphism.

Let $\langle A \rangle \le E_1$ be finite. Then there exists a unique curve $E_2$ (up to isomorphism) such that $\phi : E_1 \to E_2$ has kernel $\langle A \rangle$. We write: $E_2 = E_1 / \langle A \rangle$.

Elliptic Curves and Isogenies

For a given prime $p$ and (supersingular) elliptic curve $E$ defined over $\mathbb{F}_{p^2}$, the following are true:

- $\#E(\mathbb{F}_{p^2}) = (p + 1)^2$
- $\approx \lfloor p/12 \rfloor$ isomorphism classes of supersingular curves (identified by j-invariants)
- For prime $\ell \neq p$, exactly $\ell + 1$ isogenies of degree $\ell$ from a supersingular curve

Figure: supersingular isogeny graphs for (a) $\ell = 2$ and (b) $\ell = 3$

SIDH/SIKE

Operations are performed over $\mathbb{F}_{p^2}$ where $p = \ell_A^{e_A} \ell_B^{e_B} - 1$.

- $p = 2^{e_2} 3^{e_3} - 1$ where $2^{e_2} \approx 3^{e_3} \approx p^{1/2}$

Montgomery curve: $E : y^2 = x^3 + 6x^2 + x$ (SIKE round 2)

Computational Supersingular Isogeny (CSSI) Problem:

Given the public parameters $\ell_A, \ell_B, e_A, e_B, p, E, P_A, Q_A$ and the elliptic curve $E/\langle A \rangle$, compute a degree-$\ell_A^{e_A}$ isogeny $\phi_A : E \to E/\langle A \rangle$ (or determine a generator of $\langle A \rangle$).

              φA
      E ------------> E/⟨A⟩
      |                 |
   φB |                 |
      v                 v
    E/⟨B⟩ ----------> E/⟨A,B⟩

SIDH

Public curves: E, EA, EB

              φA             φAB
      E ------------> EA ------------> EAB
      |                                 same j-invariant,
   φB |                                 same isomorphism class:
      v                                 j(EBA) = j(EAB)
      EB -----------> EBA
              φBA

Failed attacks on the pure isogeny problem (Martindale and Panny: 2019)

Finding an $\mathbb{F}_p$-subgraph

- Find curves $E^*, E^{**}$ defined over $\mathbb{F}_p$ and map $E \to E^* \to E^{**} \to E/\langle A \rangle$.
- The middle map is easier, but $\phi' : E \to E^*$ and $\phi'' : E^{**} \to E/\langle A \rangle$ are just as hard ($\tilde{O}(p^{1/4})$).

Lifting to characteristic zero

- View as complex elliptic curves (isogenies become $\mathbb{C}$-linear maps).
- "Even if we could ... wouldn't know how to find that endomorphism in the first place."

Weil restrictions

- View $E$ over $\mathbb{F}_{p^2}$ as a set of equations over $\mathbb{F}_p$.
- End up possibly computing fewer (but larger degree) isogenies. Thus no gain.


Failed attacks using auxiliary points (Martindale and Panny: 2019)

Interpolation problems

- "Computationally infeasible."

Group-theoretic approaches

- "Obtaining any information about the action on the $\ell_A$-torsion ... seems infeasible."

Constructing endomorphisms to exploit the auxiliary points

- "It seems extremely unlikely that Petit's attack can possibly apply ..."

SIDH ⇒ SIKE

Active reaction attack (Galbraith, Petit, Shani and Bo Ti: 2016)

- Recovers a static private key in a linear number of queries (fewer than $n \approx \frac{1}{2}\log_2(p)$).
- FIX: Generate a new ephemeral key pair for each connection and perform an extra check.

Exposure Model (Koziel, Azarderakhsh and Jao: 2017)

- Discover an intermediate kernel point and curve.
- FIX: Utilize a random curve isomorphism at the beginning. ("Computationally inexpensive")

Partial Zero/Zero-Point Attack on 3-Point Ladder (Koziel, Azarderakhsh and Jao: 2017)

- FIX: Randomize the representation of $P$ and $Q - P$. (+2 multiplications per step)
- FIX: Dynamic keys, private key representation randomization, point binding.

Loop-abort fault attack (Gélin and Wesolowski: 2017)

- Inject faults to cause a partial isogeny computation, thus leaking information.
- FIX: Check the counter after the loop or add a parallel counter. ("Cheap and easy to implement")


Claw Finding Algorithm: Meet-in-the-Middle

Claw Finding Problem: Given two functions $f : X \to Y$ and $g : W \to Y$ such that $|X| \approx |W|$, find $(x, w)$ such that $f(x) = g(w)$.

- Build a tree of all curves $\ell^{e/2}$-isogenous to $E$ and store it. (Let this be $f(X)$.)
- Compute curves $\ell^{e/2}$-isogenous to $E/\langle A \rangle$ and search. (Let this be $g(W)$.)
- With high probability one isomorphism class lies in both sets (i.e. a unique claw exists).
- Concatenate the two halves → CSSI problem solved.

Claw Finding Algorithm: Meet-in-the-Middle

Figure: Meet-in-the-middle attack for degree-2 isogeny trees ($E = E_0$ on the left, $E_1 = E/\langle A \rangle$ on the right, with intermediate curves $E_{00}, E_{01}, E_{02}$ and $E_{10}, E_{11}, E_{12}$ meeting in the middle)

Claw Finding Algorithm: Meet-in-the-Middle

NIST Level   Parameter set        Storage complexity          Time complexity
             Meet-in-the-Middle   O(l^(e/2)) ≈ O(p^(1/4))     O(l^(e/2)) ≈ O(p^(1/4))
1            SIKEp434             ≈ O(2^108)                  ≈ O(2^108)
2            SIKEp503             ≈ O(2^126)                  ≈ O(2^126)
3            SIKEp610             ≈ O(2^152)                  ≈ O(2^152)
5            SIKEp751             ≈ O(2^186)                  ≈ O(2^186)

However, this much storage is considered infeasible [ACVCD+19]. 2^80 storage was fixed as a feasible upper bound. This increases the run time and makes MitM less advantageous.


van Oorschot-Wiener (vOW) Golden Collision Claw Finding Algorithm

Define $f : S \to S$ to be easily computable (and behave pseudo-randomly). Define a portion of the points as "distinguished" (depending on the storage size).

Starting at $x_0 \in S$, apply $f$ until a distinguished point $x_d$ is found:

$$x_0 \to f(x_0) = x_1 \to f(x_1) = x_2 \to \cdots \to f(x_{d-1}) = x_d$$

Store triples $X_i = (x_{d_i}, x_{0_i}, d_i)$ until storage is full ($\approx 2^{80}$ storage). Then replace entries until a collision is found ($x_{d_i} = x_{d_j}$ with $x_{0_i} \neq x_{0_j}$).

There are $\approx |S|/2$ collisions but only one useful one (i.e. the golden collision).
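The vOW walk just described, as an added worked example (not code from the talk or from any SIKE implementation): a toy claw instance with one planted pair f(x) = g(w), a distinguished-point walk that stores triples (x_d, x_0, d) in a fixed-size table, collision location by re-walking the two trails, a golden-collision check, and a version change of the walk function once the table has been overwritten enough times. The sizes N, memory, the distinguished fraction 2^-theta and the 10·memory points stored per version are assumptions chosen for the toy instance, not SIKE parameters.

```python
import hashlib, random

# Toy claw instance (constructed for this example, not SIKE parameters).
N = 1 << 10                 # |X| = |W| = N; for SIKE this would be l^(e/2), about p^(1/4)
GOLDEN = (0x2A7, 0x1B1)     # planted claw (x, w) with f(x) == g(w); the only one by construction

def _tag(label, x): return hashlib.sha256(f"{label}:{x}".encode()).digest()[:8]
def f(x): return _tag("f", x)
def g(w): return f(GOLDEN[0]) if w == GOLDEN[1] else _tag("g", w)
# vOW walk space S = {0..2N-1}: s < N means "evaluate f(s)", s >= N means "evaluate g(s-N)".
def F(s): return f(s) if s < N else g(s - N)

def step(s, version):
    """Walk function h_v(s) = H_v(F(s)): a versioned hash maps the image back into S."""
    h = hashlib.sha256(version.to_bytes(4, "big") + F(s)).digest()
    return int.from_bytes(h[:8], "big") % (2 * N)

def is_distinguished(s, theta): return s % (1 << theta) == 0   # about 1/2^theta of S

def walk(s0, version, theta, max_len):
    """Trail from s0 to its distinguished point (x_d, d); None if it cycles first."""
    s, d = s0, 0
    while not is_distinguished(s, theta):
        s, d = step(s, version), d + 1
        if d > max_len: return None
    return s, d

def locate_collision(x0, d0, y0, d1, version):
    """Two trails share a distinguished point: align their lengths, then step until they merge."""
    if d0 < d1: x0, d0, y0, d1 = y0, d1, x0, d0
    for _ in range(d0 - d1): x0 = step(x0, version)
    if x0 == y0: return None             # merged before the aligned point: nothing to learn
    while True:
        nx, ny = step(x0, version), step(y0, version)
        if nx == ny: return x0, y0
        x0, y0 = nx, ny

def is_golden(a, b):
    """A collision of h is golden only if it comes from F(a) == F(b) across the two sides."""
    return (a < N) != (b < N) and F(a) == F(b)

def vow_claw(memory=64, theta=3, seed=1):
    """Return (x, w) with f(x) == g(w) using at most `memory` stored triples (x_d, x_0, d)."""
    rng, version = random.Random(seed), 0
    while True:                          # outer loop: new version of h ("pick a new f, start over")
        table, stored = {}, 0
        while stored < 10 * memory:      # overwrite memory ~10 times per version, then re-randomise
            s0 = rng.randrange(2 * N)
            res = walk(s0, version, theta, 20 << theta)
            if res is None: continue
            xd, d = res
            if xd in table and table[xd][0] != s0:
                col = locate_collision(table[xd][0], table[xd][1], s0, d, version)
                if col and is_golden(*col):
                    a, b = sorted(col)   # a < N is the f-side point, b - N the g-side point
                    return a, b - N
            if len(table) >= memory:     # memory full: replace an old triple
                table.pop(rng.choice(list(table)))
            table[xd] = (s0, d)
            stored += 1
        version += 1
```

Most collisions the walk reports are spurious (two different images that H_v happens to map to the same point), which is why every located collision is re-checked against F before being accepted.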


vOW Cost Estimates

Since $2^{80}$ storage is far smaller than the number of possible choices, the storage must be overwritten many times. Also, the choice of $f$ may be bad, so one may need to pick a new $f$ and start over. Performance using 1 processor and $M$ registers of memory:

$$\max\left( \frac{p^{3/8 + O(1)}}{M^{1/2}},\ p^{1/4 + O(1)} \right)$$

NIST Level   Parameter   NIST classical   Total time, gates   Total time, gates   x64 instructions
                         gates req.       2^80 memory         2^96 memory         2^80 memory
                                          [ACVCD+18]          [JS19]              [CLNR+19]
1            SIKEp434    143              128                 142                 143
3            SIKEp610    207              189                 209                 210
5            SIKEp751    272              -                   263                 262

(All entries are base-2 logarithms.)

Grover's Quantum Search Algorithm

A quantum algorithm to search an unsorted list (in "superposition"). It increases the probability of the correct answer being the output. Repeated approximately $2^{k/2}$ times, where $k$ is the size of the input. Since $2^{e_A} \approx 3^{e_B} \approx p^{1/2}$, this gives $O(p^{1/4})$.

Grover (Jaques and Schanck: 2019)

Partition the search space among $P$ processors:

- Grover iterations: $p^{1/4} / \sqrt{P}$
- Total gate count: $p^{1/4} \cdot \sqrt{P} \cdot (\text{\# gates for one Grover iteration})$
- Minimum depth: $(p^{1/4} / \sqrt{P}) \cdot (\text{depth of one Grover iteration})$

Table: Results expressed as base-2 logarithms

                         SIKEp434         SIKEp610         SIKEp751
                         G    D    W      G    D    W      G    D    W
MAXDEPTH = 2^96          158  96   63     248  96   152    320  96   224
MAXMEMORY = 2^96         175  79   96     220  124  96     256  160  96
G & DW-cost optimal      132  122  10     177  167  10     213  202  11

Tani's Quantum Walk Algorithm (Seiichiro Tani: 2008)

A quantum algorithm to solve the Claw Finding Problem using Johnson graphs. It implements a generalized Grover's algorithm. Query complexity: $O(\ell^{e/3})$. However, [Jaques-Schanck 2019] analyze the complexity of the implementation and of quantum memory queries and conclude:

"An adversary with enough quantum memory to run Tani's algorithm with the query-optimal parameters could break SIKE faster by using the classical control hardware to run vOW."

Jaques-Schanck (and SIKE Spec) Cost Estimates

Table: Max Depth = 2^96. Results expressed as base-2 logarithms

          SIKEp434         SIKEp610         SIKEp751
Attack    G    D    W      G    D    W      G    D    W
Grover    158  96   63     248  96   152    320  96   224
Tani      143  95   62     232  96   152    304  95   224
vOW       155  95   70     200  95   115    236  96   151

Table: Max Width = 2^96. Results expressed as base-2 logarithms

          SIKEp434         SIKEp610         SIKEp751
Attack    G    D    W      G    D    W      G    D    W
Grover    175  79   96     220  124  96     256  160  96
Tani      160  78   96     204  124  96     240  159  96
vOW       142  56   96     209  124  96     263  178  96

Jaques-Schanck (and SIKE Spec) Cost Estimates

Table: Optimizing G-cost. Results expressed as base-2 logarithms

          SIKEp434         SIKEp610         SIKEp751
Attack    G    D    W      G    D    W      G    D    W
Grover    132  122  10     177  167  10     213  202  11
Tani      124  114  25     169  159  25     205  194  27
vOW       132  14   128    177  14   173    213  16   208

Table: Optimizing DW-cost. Results expressed as base-2 logarithms

          SIKEp434         SIKEp610         SIKEp751
Attack    G    D    W      G    D    W      G    D    W
Grover    132  122  10     177  167  10     213  202  11
Tani      131  122  10     177  167  10     213  202  11
vOW       132  14   128    177  14   173    213  16   208

References

- Gora Adj, Daniel Cervantes-Vázquez, Jesús-Javier Chi-Domínguez, Alfred Menezes, and Francisco Rodríguez-Henríquez. On the Cost of Computing Isogenies Between Supersingular Elliptic Curves. Selected Areas in Cryptography - SAC 2018, Springer International Publishing, Cham (2019), 322-343.
- Craig Costello, Patrick Longa, Michael Naehrig, Joost Renes, and Fernando Virdia. Improved Classical Cryptanalysis of the Computational Supersingular Isogeny Problem. https://eprint.iacr.org/2019/298
- Samuel Dobson, Steven D. Galbraith, Jason LeGrow, Yan Bo Ti, and Lukas Zobernig. An Adaptive Attack on 2-SIDH. https://eprint.iacr.org/2019/890
- Simon-Philipp Merz, Romy Minko, and Christophe Petit. Another look at some isogeny hardness assumptions. https://eprint.iacr.org/2019/950
- Samuel Jaques and John M. Schanck. Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE. https://eprint.iacr.org/2019/103
- Chloe Martindale and Lorenz Panny. How to not break SIDH. https://eprint.iacr.org/2019/558

- Steven Galbraith, Christophe Petit, Barak Shani, and Yan Bo Ti. On the Security of Supersingular Isogeny Cryptosystems. https://eprint.iacr.org/2016/859
- Seiichiro Tani. Claw Finding Algorithms Using Quantum Walk. https://arxiv.org/abs/0708.2584 (2008)
- SIKE Team. Supersingular Isogeny Key Encapsulation. https://sike.org/files/SIDH-spec.pdf (2019)
- Alexandre Gélin and Benjamin Wesolowski. Loop-Abort Faults on Supersingular Isogeny Cryptosystems. https://eprint.iacr.org/2017/374
- Brian Koziel, Reza Azarderakhsh, and David Jao. An Exposure Model for Supersingular Isogeny Diffie-Hellman Key Exchange. http://faculty.eng.fau.edu/azarderakhsh/files/2016/11/RSA-2018-01-08.pdf (2017)
- Atsushi Fujioka, Katsuyuki Takashima, Shintaro Terada, and Kazuki Yoneyama. Supersingular Isogeny Diffie-Hellman Authenticated Key Exchange. https://eprint.iacr.org/2018/730
