Cryptanalysis of Known and Attempted Attacks on SIDH and SIKE
Cryptanalysis of known and attempted attacks on SIDH and SIKE
Brandon Langenberg
Post-Doc at FAU, Senior Researcher at PQSecure
ETSI/IQC Quantum Safe Cryptography Workshop - November 6, 2019
Brandon Langenberg Cryptanalysis of known and attempted attacks ... ETSI/IQC Quantum Safe 1 / 22

Motivation

NIST Post Quantum Standardization Process: currently in Round 2 and expected to conclude around 2022 with "more than one" candidate.

Five families of mathematical algorithms:
- Hash-based
- Code-based
- Lattice-based
- Multivariate
- Isogeny-based (SIKE)

Two categories:
- Key Encapsulation Mechanism (KEM)
- Digital Signature Algorithm (DSA)

NIST PQ Standardization: Call for Proposals

Security category | Reference primitive | Required attack resources
1 | AES 128  | $2^{170}/\mathrm{MAXDEPTH}$ quantum gates or $2^{143}$ classical gates
2 | SHA3-256 | $2^{146}$ classical gates
3 | AES 192  | $2^{333}/\mathrm{MAXDEPTH}$ quantum gates or $2^{207}$ classical gates
4 | SHA3-384 | $2^{210}$ classical gates
5 | AES 256  | $2^{298}/\mathrm{MAXDEPTH}$ quantum gates or $2^{272}$ classical gates
6 | SHA3-512 | $2^{274}$ classical gates

Brief History

2006: Birth of supersingular isogeny-based cryptosystems
- Families of Ramanujan Graphs and Quaternion Algebras (Charles-Goren-Lauter)
- Hash functions

2011: Supersingular Isogeny Diffie-Hellman Key Exchange (SIDH)
- Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies (Jao-De Feo)

2017: Supersingular Isogeny Key Encapsulation (SIKE)
- SIKE submission to NIST PQ Standardization Process (https://SIKE.org)

Elliptic Curves and Isogenies

If $K$ is a field such that $\operatorname{char}(K) > 3$, then any elliptic curve $E$ can be defined as
$$E : y^2 = x^3 + ax + b, \quad a, b \in K, \quad \Delta = -16(4a^3 + 27b^2) \neq 0.$$
Points on $E$ together with "+" form an abelian group (identity element $= \infty$).
Isomorphism classes are determined by the j-invariant:
$$j(E) = 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}.$$

Elliptic Curves and Isogenies

Isogenies: Let $E_1$ and $E_2$ be elliptic curves defined over an extension field $L$. An isogeny $\phi$ is a non-constant rational map $\phi : E_1 \to E_2$ that preserves the identity. This is also a group homomorphism.

Let $\langle A \rangle \le E_1$ be finite; then there exists a unique curve $E_2$ (up to isomorphism) such that $\phi : E_1 \to E_2$ has kernel $\langle A \rangle$. We write $E_2 = E_1 / \langle A \rangle$.

Elliptic Curves and Isogenies

For a given prime $p$ and elliptic curve $E$ defined over $\mathbb{F}_{p^2}$, the following are true:
- $\#E(\mathbb{F}_{p^2}) = (p+1)^2$
- $\approx \lfloor p/12 \rfloor$ isomorphism classes of supersingular curves (identified by j-invariants)
- For prime $\ell \neq p$, exactly $\ell + 1$ isogenies of degree $\ell$ from a supersingular curve

[Figures: (a) the $\ell = 2$ isogeny graph, (b) the $\ell = 3$ isogeny graph]

SIDH/SIKE

Operations are performed over $\mathbb{F}_{p^2}$ where $p = \ell_A^{e_A} \ell_B^{e_B} - 1$.
- $p = 2^{e_2} 3^{e_3} - 1$ where $2^{e_2} \approx 3^{e_3} \approx p^{1/2}$

Montgomery curve: $E : y^2 = x^3 + 6x^2 + x$ (SIKE round 2)

Computational Supersingular Isogeny (CSSI) Problem: Given the public parameters $\ell_A, \ell_B, e_A, e_B, p, E, P_A, Q_A$ and the elliptic curve $E/A$, compute a degree-$\ell_A^{e_A}$ isogeny $\phi_A : E \to E/A$ (or determine a generator of $A$).

[Diagram: $E \xrightarrow{\phi_A} E/A$ and $E \xrightarrow{\phi_B} E/B$, both continuing to $E/\langle A, B \rangle$]

SIDH Public Key Exchange

[Diagram: $E \xrightarrow{\phi_A} E_A \xrightarrow{\phi_{AB}} E_{AB}$ and $E \xrightarrow{\phi_B} E_B \xrightarrow{\phi_{BA}} E_{BA}$; $E_{AB}$ and $E_{BA}$ lie in the same isomorphism class, i.e. they have the same j-invariant: $j(E_{BA}) = j(E_{AB})$]

Failed attacks on pure isogeny problem (Martindale and Panny: 2019)

Finding $\mathbb{F}_p$-subgraph
- Find curves $E^*, E^{**}$ over $\mathbb{F}_p$ and map $E \to E^* \to E^{**} \to E/A$.
- Middle map is easier ($\tilde{O}(p^{1/4})$), but $\phi' : E \to E^*$ and $\phi'' : E^{**} \to E/A$ are just as hard.

Lifting to characteristic zero
- View as complex elliptic curves (isogenies become $\mathbb{C}$-linear maps).
- "Even if we could ... wouldn't know how to find that endomorphism in the first place."

Weil restrictions
- View $E$ over $\mathbb{F}_{p^2}$ as a set of equations over $\mathbb{F}_p$.
- End up possibly computing fewer (but larger degree) isogenies. Thus no gain.

Failed attacks using auxiliary points (Martindale and Panny: 2019)

Interpolation problems
- "Computationally infeasible."
Group-theoretic approaches
- "Obtaining any information about the action on the $\ell_A$-torsion ... seems infeasible."

Constructing endomorphisms to exploit the auxiliary points
- "It seems extremely unlikely that Petit's attack can possibly apply ..."

SIDH $\Rightarrow$ SIKE

Active reaction attack (Galbraith, Petit, Shani and Bo Ti: 2016)
- Recovers a static private key in a linear number of queries (fewer than $n \approx \frac{1}{2} \log_2(p)$).
- FIX: Generate a new ephemeral key pair for each connection and perform an extra check.

Exposure Model (Koziel, Azarderakhsh and Jao: 2017)
- Discover an intermediate kernel point and curve.
- FIX: Utilize a random curve isomorphism at the beginning. ("Computationally inexpensive")

Partial Zero/Zero-Point Attack on 3-Point Ladder (Koziel, Azarderakhsh and Jao: 2017)
- FIX: Randomize the representation of $P$ and $Q - P$. (+2 multiplications per step)
- FIX: Dynamic keys, private key representation randomization, point binding.

Loop-abort fault attack (Gélin and Wesolowski: 2017)
- Inject faults to cause a partial isogeny computation, thus leaking information.
- FIX: Check counter after loop or add parallel counter. ("Cheap and easy to implement")
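The field, curve and point-count facts from the Elliptic Curves and SIDH/SIKE slides above, worked through on a toy instance as an added example (not code from the slides or from the SIKE submission): the prime $p = 2^3 \cdot 3 - 1 = 23$ is a constructed toy value of SIKE shape, $\mathbb{F}_{p^2}$ is assumed to be represented as $\mathbb{F}_p(i)$ with $i^2 = -1$, and the curve is the round-2 Montgomery curve $y^2 = x^3 + 6x^2 + x$. It checks $\#E(\mathbb{F}_{p^2}) = (p+1)^2$ by brute force and evaluates the slide's j-invariant formula after converting the Montgomery model to short Weierstrass form.

```python
# Added example (not from the slides): toy SIDH/SIKE parameters over F_{p^2} = F_p(i),
# i^2 = -1 (valid for p = 3 mod 4, as every SIKE prime 2^e2 3^e3 - 1, e2 >= 2, is).
# Elements of F_{p^2} are pairs (a, b) meaning a + b*i. Toy instance used below: p = 23.

def sike_prime(e2, e3):
    """p = 2^e2 * 3^e3 - 1; caller picks exponents that give a prime (e.g. 3, 1 -> 23)."""
    return 2**e2 * 3**e3 - 1

def fp2_mul(u, v, p):
    """(a + b i)(c + d i) with i^2 = -1."""
    (a, b), (c, d) = u, v
    return ((a*c - b*d) % p, (a*d + b*c) % p)

def fp2_pow(u, n, p):
    r = (1, 0)                       # square-and-multiply in F_{p^2}
    while n:
        if n & 1:
            r = fp2_mul(r, u, p)
        u = fp2_mul(u, u, p)
        n >>= 1
    return r

def is_square_fp2(u, p):
    """Euler's criterion: nonzero u is a square iff u^((p^2-1)/2) = 1."""
    return fp2_pow(u, (p*p - 1) // 2, p) == (1, 0)

def count_points_montgomery(A, p):
    """#E(F_{p^2}) for E: y^2 = x^3 + A x^2 + x, by testing every x.
    For the supersingular SIKE curve this equals (p+1)^2 = 2^(2 e2) 3^(2 e3)."""
    total = 1                                     # point at infinity
    for a in range(p):
        for b in range(p):
            x2 = fp2_mul((a, b), (a, b), p)
            x3 = fp2_mul(x2, (a, b), p)
            rhs = ((x3[0] + A*x2[0] + a) % p, (x3[1] + A*x2[1] + b) % p)
            if rhs == (0, 0):
                total += 1                        # single point with y = 0
            elif is_square_fp2(rhs, p):
                total += 2                        # y and -y
    return total

def j_invariant_montgomery(A, p):
    """Slide formula j = 1728 * 4a^3 / (4a^3 + 27b^2) on the short Weierstrass
    model of y^2 = x^3 + A x^2 + x (x -> x - A/3): a = (3 - A^2)/3, b = (2A^3 - 9A)/27."""
    a = (3 - A*A) * pow(3, -1, p) % p             # A is in F_p, so work in F_p
    b = (2*A**3 - 9*A) * pow(27, -1, p) % p
    num = 4 * a**3 % p
    return 1728 * num * pow((num + 27*b*b) % p, -1, p) % p
```

For $p = 23$ the count comes out as $24^2 = 576 = 2^6 \cdot 3^2$, which is why the full $2^{e_2}$- and $3^{e_3}$-torsion needed for the SIDH kernels is $\mathbb{F}_{p^2}$-rational; the j-invariant equals $287496 \bmod p$, the well-known j-invariant of the round-2 starting curve.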