Public-key from supersingular elliptic

David Jao

Department of Combinatorics & Optimization University of Waterloo

August 1, 2019 Elliptic

y E Definition An elliptic curve over a field F is -HP+QL a nonsingular curve E of the form Q 2 3 E : y = x + ax + b, P x for fixed constants a, b ∈ F .

The set of projective points on P+Q an elliptic curve forms a . Counting points on elliptic curves

Example 2 3 The elliptic curve E : y = x + x over F11 has points

(0, 0), (5, 3), (5, 8), (7, 3), (7, 8), (8, 5), (8, 6), (9, 1), (9, 10), (10, 3), (10, 8), ∞.

This is no coincidence: Theorem For any prime p ≡ 3 (mod 4), the elliptic curve E : y 2 = x3 + x over Fp has p + 1 points. Proof by example

√ x x3 + x is x3 + x a QR? x3 + x points on E 0 0 zero 0 (0, 0) 1 2 QNR none none 2 10 QNR none none 3 8 QNR none none 4 2 QNR none none 5 9 QR ±3 (5, 3), (5, 8) 6 −9 QNR none none 7 −2 QR ±3 (7, 3), (7, 8) 8 −8 QR ±5 (8, 5), (8, 6) 9 −10 QR ±1 (9, 1), (9, 10) 10 −2 QR ±3 (10, 3), (10, 8) Isogenies

Definition An is a morphism φ of algebraic varieties between two elliptic curves, such that φ is a group .

Concretely:

φ: E → E 0

φ(x, y) = (φx (x, y), φy (x, y))

f1(x, y) φx (x, y) = f2(x, y) g1(x, y) φy (x, y) = (x, y)

(f1, f2, g1, and g2 are all polynomials) Microsoft Research

“David, I want to build cryptosystems “Roger that.” using isogenies.” A brief history of public-key cryptography

Cryptosystem Hard problem Diffie-Hellman (1976) Elliptic curve cryptography (1986) Discrete Pairing-based cryptography (2000) RSA (1977) Factoring integersRabin(1978) Composite residues (1985) Code-based cryptography (1979) Decoding linear codes -based / NTRU (1996) Finding short lattice vectors Isogeny based / CRS (1996) Computing isogenies SIDH / SIKE (2011) Motivation: quantum computers

Quantum computers represent a huge potential threat to existing public-key cryptosystems: RSA, ECC, etc.

I Transitioning cryptographic takes time. If you wait until the threat arrives, it’s too late.

I NIST is already standardizing post-quantum cryptography. Expected completion: 2022–2024.

I Only public-key cryptography is threatened. Post-quantum public-key cryptosystems/ digital signatures:

I Lattice-based cryptography

I Code-based cryptography

I Multivariate polynomials

I Hash-based cryptography

I Isogeny-based cryptography A short history of isogeny-based cryptography

Couveignes (1997), Rostovstev & Stolbunov (2006):

I Public-key cryptosystem using ordinary elliptic curve isogenies I Very slow I Quantum subexp. attack (Childs, Jao, Soukharev 2014) Charles, Goren & Lauter (2009):

I First published cryptographic construction using isogenies I Hash function only — no encryption Jao & De Feo, SIDH / SIKE (2011):

I First public-key cryptosystem using supersingular isogenies I Much faster than CRS I Hardness problem is related to CGL (Costache et al. 2018) Castryck et al., CSIDH (2018)

I CRS over supersingular curves I Still has quantum subexponential attack I Slower than SIDH, but has smaller keys (at low security levels) SIDH / SIKE

Supersingular Isogeny Diffie-Hellman (Jao and De Feo, 2011):

I A key-exchange protocol, similar to Diffie-Hellman, using isogenies between supersingular elliptic curves Why isogenies?

I Because they seem to be quantum-resistant Why supersingular elliptic curves?

I We found a quantum subexponential attack for ordinary (i.e. non-supersingular) curves (Childs, Jao, and Soukharev 2014)

Supersingular Isogeny Key Encapsulation (https://sike.org) (Jao and twelve other authors, 2017–2019):

I A more secure (and slower) version of SIDH, with random padding and protection against active attacks. Some

Definition Let φ: G → H be a . The of φ, denoted ker φ, is {g ∈ G : φ(g) = 0}.

Theorem (First isomorphism theorem) Let φ: G → H be a group homomorphism. Then:

I ker φ is a of G.

I G/ ker φ is isomorphic to the of φ.

In particular, every surjective group homomorphism is isomorphic to some projection map G → G/K for some K. SIDH overview

1. Public parameters: Supersingular elliptic curve E over Fp2 .

2. Alice chooses a kernel A ⊂ E(Fp2 ) and sends E/A to Bob.

3. Bob chooses a kernel B ⊂ E(Fp2 ) and sends E/B to Alice. 4. The shared secret is

E/hA, Bi = (E/A)/φA(B) = (E/B)/φB (A).

Diffie-Hellman (DH) SIDH

φ g g x E A E/A

φB g y g xy E/B E/hA, Bi Detailed description of SIDH

Public parameters: e e I Prime p of the form 2 2 3 3 − 1 (needed for computations) 2 3 2 I Supersingular curve E : y = x + x over Fp2 of (p + 1) e e I Z-basis {P2, Q2} of E[2 2 ] and {P3, Q3} of E[3 3 ] Alice: e I Choose sk2 ∈ Z and compute S2 = P2 + sk2Q2 of order 2 2

I Compute φ2 : E → E/hS2i

I Send E/hS2i, φ2(P3), φ2(Q3) to Bob Bob:

I Same as Alice, swapping 2 with 3 The shared secret is derived from

E/hS2, S3i = (E/hS2i)/hφ2(P3)+ sk 3φ2(Q3)i = (E/hS2i)/hφ2(S3)i

= (E/hS3i)/hφ3(P2)+ sk 2φ3(Q2)i = (E/hS3i)/hφ3(S2)i Attacks

Hardness assumption: Given E and E/A, it is computationally infeasible to find A.

Fastest known (passive) attack is a meet-in-the-middle collision search or claw search on a search space of size deg(φ) ≈ 2300.

E11 . E1 .. E12

E21 E E2 ··· E/A E22

E31 . E3 .. E32 Asymptotic complexity

For a generic meet-in-the-middle attack, the values in the table are provable lower bounds.

√Alice √Bob Classical 2e2 3e3 √3 √3 Quantum 2e2 3e3

Quantum security level of SIDH is conjecturally √ √ 3 3 1/6 min( 2e2 , 3e3 ) ≈ p Advantages of SIKE

I 190 byte public keys — smallest of all the NIST proposals

I Simple parameter selection

I Slow speed will be less of an issue as computers get faster

I Uses nontrivial math!