Public-key cryptography from supersingular elliptic curve isogenies
David Jao
Department of Combinatorics & Optimization University of Waterloo
August 1, 2019 Elliptic curves
y E Definition An elliptic curve over a field F is -HP+QL a nonsingular curve E of the form Q 2 3 E : y = x + ax + b, P x for fixed constants a, b ∈ F .
The set of projective points on P+Q an elliptic curve forms a group. Counting points on elliptic curves
Example 2 3 The elliptic curve E : y = x + x over F11 has points
(0, 0), (5, 3), (5, 8), (7, 3), (7, 8), (8, 5), (8, 6), (9, 1), (9, 10), (10, 3), (10, 8), ∞.
This is no coincidence: Theorem For any prime p ≡ 3 (mod 4), the elliptic curve E : y 2 = x3 + x over Fp has p + 1 points. Proof by example
√ x x3 + x is x3 + x a QR? x3 + x points on E 0 0 zero 0 (0, 0) 1 2 QNR none none 2 10 QNR none none 3 8 QNR none none 4 2 QNR none none 5 9 QR ±3 (5, 3), (5, 8) 6 −9 QNR none none 7 −2 QR ±3 (7, 3), (7, 8) 8 −8 QR ±5 (8, 5), (8, 6) 9 −10 QR ±1 (9, 1), (9, 10) 10 −2 QR ±3 (10, 3), (10, 8) Isogenies
Definition An isogeny is a morphism φ of algebraic varieties between two elliptic curves, such that φ is a group homomorphism.
Concretely:
φ: E → E 0
φ(x, y) = (φx (x, y), φy (x, y))
f1(x, y) φx (x, y) = f2(x, y) g1(x, y) φy (x, y) = g2(x, y)
(f1, f2, g1, and g2 are all polynomials) Microsoft Research
“David, I want to build cryptosystems “Roger that.” using isogenies.” A brief history of public-key cryptography
Cryptosystem Hard problem Diffie-Hellman (1976) Elliptic curve cryptography (1986) Discrete logarithms Pairing-based cryptography (2000) RSA (1977) Factoring integersRabin(1978) Composite residues (1985) Code-based cryptography (1979) Decoding linear codes Lattice-based / NTRU (1996) Finding short lattice vectors Isogeny based / CRS (1996) Computing isogenies SIDH / SIKE (2011) Motivation: quantum computers
Quantum computers represent a huge potential threat to existing public-key cryptosystems: RSA, ECC, etc.
I Transitioning cryptographic algorithms takes time. If you wait until the threat arrives, it’s too late.
I NIST is already standardizing post-quantum cryptography. Expected completion: 2022–2024.
I Only public-key cryptography is threatened. Post-quantum public-key cryptosystems/ digital signatures:
I Lattice-based cryptography
I Code-based cryptography
I Multivariate polynomials
I Hash-based cryptography
I Isogeny-based cryptography A short history of isogeny-based cryptography
Couveignes (1997), Rostovstev & Stolbunov (2006):
I Public-key cryptosystem using ordinary elliptic curve isogenies I Very slow I Quantum subexp. attack (Childs, Jao, Soukharev 2014) Charles, Goren & Lauter (2009):
I First published cryptographic construction using isogenies I Hash function only — no encryption Jao & De Feo, SIDH / SIKE (2011):
I First public-key cryptosystem using supersingular isogenies I Much faster than CRS I Hardness problem is related to CGL (Costache et al. 2018) Castryck et al., CSIDH (2018)
I CRS over supersingular curves I Still has quantum subexponential attack I Slower than SIDH, but has smaller keys (at low security levels) SIDH / SIKE
Supersingular Isogeny Diffie-Hellman (Jao and De Feo, 2011):
I A key-exchange protocol, similar to Diffie-Hellman, using isogenies between supersingular elliptic curves Why isogenies?
I Because they seem to be quantum-resistant Why supersingular elliptic curves?
I We found a quantum subexponential attack for ordinary (i.e. non-supersingular) curves (Childs, Jao, and Soukharev 2014)
Supersingular Isogeny Key Encapsulation (https://sike.org) (Jao and twelve other authors, 2017–2019):
I A more secure (and slower) version of SIDH, with random padding and protection against active attacks. Some group theory
Definition Let φ: G → H be a group homomorphism. The kernel of φ, denoted ker φ, is {g ∈ G : φ(g) = 0}.
Theorem (First isomorphism theorem) Let φ: G → H be a group homomorphism. Then:
I ker φ is a subgroup of G.
I G/ ker φ is isomorphic to the image of φ.
In particular, every surjective group homomorphism is isomorphic to some projection map G → G/K for some K. SIDH overview
1. Public parameters: Supersingular elliptic curve E over Fp2 .
2. Alice chooses a kernel A ⊂ E(Fp2 ) and sends E/A to Bob.
3. Bob chooses a kernel B ⊂ E(Fp2 ) and sends E/B to Alice. 4. The shared secret is
E/hA, Bi = (E/A)/φA(B) = (E/B)/φB (A).
Diffie-Hellman (DH) SIDH
φ g g x E A E/A
φB g y g xy E/B E/hA, Bi Detailed description of SIDH
Public parameters: e e I Prime p of the form 2 2 3 3 − 1 (needed for computations) 2 3 2 I Supersingular curve E : y = x + x over Fp2 of order (p + 1) e e I Z-basis {P2, Q2} of E[2 2 ] and {P3, Q3} of E[3 3 ] Alice: e I Choose sk2 ∈ Z and compute S2 = P2 + sk2Q2 of order 2 2
I Compute φ2 : E → E/hS2i
I Send E/hS2i, φ2(P3), φ2(Q3) to Bob Bob:
I Same as Alice, swapping 2 with 3 The shared secret is derived from
E/hS2, S3i = (E/hS2i)/hφ2(P3)+ sk 3φ2(Q3)i = (E/hS2i)/hφ2(S3)i
= (E/hS3i)/hφ3(P2)+ sk 2φ3(Q2)i = (E/hS3i)/hφ3(S2)i Attacks
Hardness assumption: Given E and E/A, it is computationally infeasible to find A.
Fastest known (passive) attack is a meet-in-the-middle collision search or claw search on a search space of size deg(φ) ≈ 2300.
E11 . E1 .. E12
E21 E E2 ··· E/A E22
E31 . E3 .. E32 Asymptotic complexity
For a generic meet-in-the-middle attack, the values in the table are provable lower bounds.
√Alice √Bob Classical 2e2 3e3 √3 √3 Quantum 2e2 3e3
Quantum security level of SIDH is conjecturally √ √ 3 3 1/6 min( 2e2 , 3e3 ) ≈ p Advantages of SIKE
I 190 byte public keys — smallest of all the NIST proposals
I Simple parameter selection
I Slow speed will be less of an issue as computers get faster
I Uses nontrivial math!