Cryptanalysis of Known and Attempted Attacks on SIDH and SIKE

Cryptanalysis of known and attempted attacks on SIDH and SIKE
Brandon Langenberg, Post-Doc at FAU, Senior Researcher at PQSecure
ETSI/IQC Quantum Safe Cryptography Workshop - November 6, 2019
Brandon Langenberg Cryptanalysis of known and attempted attacks ... ETSI/IQC Quantum Safe 1 / 22

Motivation

NIST Post Quantum Standardization Process
  • Currently in Round 2 and expected to conclude around 2022 with "more than one" candidate.

Five families of mathematical algorithms
  • Hash-based
  • Code-based
  • Lattice-based
  • Multivariate
  • Isogeny-based (SIKE)

Two categories
  • Key Encapsulation Mechanism (KEM)
  • Digital Signature Algorithm (DSA)

NIST PQ Standardization: Call for Proposals

Security categories and the attack cost each one is required to match:
  • Category 1 (AES 128): $2^{170}/\mathrm{MAXDEPTH}$ quantum gates or $2^{143}$ classical gates
  • Category 2 (SHA3-256): $2^{146}$ classical gates
  • Category 3 (AES 192): $2^{333}/\mathrm{MAXDEPTH}$ quantum gates or $2^{207}$ classical gates
  • Category 4 (SHA3-384): $2^{210}$ classical gates
  • Category 5 (AES 256): $2^{298}/\mathrm{MAXDEPTH}$ quantum gates or $2^{272}$ classical gates
  • Category 6 (SHA3-512): $2^{274}$ classical gates

Brief History

2006: Birth of the supersingular isogeny-based cryptosystem
  • Families of Ramanujan Graphs and Quaternion Algebras (Charles-Goren-Lauter)
  • Hash functions

2011: Supersingular Isogeny Diffie-Hellman Key Exchange (SIDH)
  • Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies (Jao-De Feo)

2017: Supersingular Isogeny Key Encapsulation (SIKE)
  • SIKE submission to the NIST PQ Standardization Process (https://SIKE.org)

Elliptic Curves and Isogenies

If $K$ is a field such that $\operatorname{char}(K) > 3$, then any elliptic curve $E$ can be defined as
$$E : y^2 = x^3 + ax + b, \quad a, b \in K, \quad \Delta = -16(4a^3 + 27b^2) \neq 0.$$
Points on $E$ together with "+" form an abelian group (identity element $= \infty$).
Isomorphism classes are determined by the j-invariant:
$$j(E) = 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}.$$

Isogenies: Let $E_1$ and $E_2$ be elliptic curves defined over an extension field $L$. An isogeny $\varphi$ is a non-constant rational map $\varphi : E_1 \to E_2$ that preserves the identity. This is also a group homomorphism.

Let $\langle A \rangle \le E_1$ be finite; then there exists a unique curve $E_2$ (up to isomorphism) such that $\varphi : E_1 \to E_2$ has kernel $\langle A \rangle$. We write $E_2 = E_1 / \langle A \rangle$.

For a given prime $p$ and elliptic curve $E$ defined over $\mathbb{F}_{p^2}$, the following are true:
  • $\#E(\mathbb{F}_{p^2}) = (p+1)^2$
  • $\approx \lfloor p/12 \rfloor$ isomorphism classes of supersingular curves (identified by j-invariants)
  • For prime $\ell \neq p$, exactly $\ell + 1$ isogenies of degree $\ell$ from a supersingular curve
[Figure: isogeny graphs for (a) $\ell = 2$ and (b) $\ell = 3$]

SIDH/SIKE

Operations are performed over $\mathbb{F}_{p^2}$ where $p = \ell_A^{e_A} \ell_B^{e_B} - 1$
  • $p = 2^{e_2} 3^{e_3} - 1$ where $2^{e_2} \approx 3^{e_3} \approx p^{1/2}$

Montgomery curve: $E : y^2 = x^3 + 6x^2 + x$ (SIKE round 2)

Computational Supersingular Isogeny (CSSI) Problem: Given the public parameters $\ell_A, \ell_B, e_A, e_B, p, E, P_A, Q_A$ and the elliptic curve $E/A$, compute a degree-$\ell_A^{e_A}$ isogeny $\varphi_A : E \to E/A$ (or determine a generator of $A$).
[Diagram: $E \xrightarrow{\varphi_A} E/A$ and $E \xrightarrow{\varphi_B} E/B$, both continuing to $E/\langle A, B \rangle$]

SIDH Public Key Exchange
[Diagram: $E \xrightarrow{\varphi_A} E_A \xrightarrow{\varphi_{AB}} E_{AB}$ and $E \xrightarrow{\varphi_B} E_B \xrightarrow{\varphi_{BA}} E_{BA}$, with $j(E_{BA}) = j(E_{AB})$: same j-invariant, same isomorphism class]

Failed attacks on the pure isogeny problem (Martindale and Panny: 2019)

Finding an $\mathbb{F}_p$-subgraph
  • Find curves $E^*, E^{**}$ over $\mathbb{F}_p$ and map $E \xrightarrow{\varphi'} E^* \to E^{**} \xrightarrow{\varphi''} E/A$.
  • The middle map is easier, but $\varphi' : E \to E^*$ and $\varphi'' : E^{**} \to E/A$ are just as hard ($\tilde{O}(p^{1/4})$).

Lifting to characteristic zero
  • View as complex elliptic curves (isogenies become $\mathbb{C}$-linear maps).
  • "Even if we could ... wouldn't know how to find that endomorphism in the first place."

Weil restrictions
  • View $E$ over $\mathbb{F}_{p^2}$ as a set of equations over $\mathbb{F}_p$.
  • End up possibly computing fewer (but larger degree) isogenies. Thus no gain.

Failed attacks using auxiliary points (Martindale and Panny: 2019)

Interpolation problems
  • "Computationally infeasible."

Group-theoretic approaches
  • "Obtaining any information about the action on the $\ell_A$-torsion ... seems infeasible."

Constructing endomorphisms to exploit the auxiliary points
  • "It seems extremely unlikely that Petit's attack can possibly apply ..."

SIDH ⇒ SIKE

Active reaction attack (Galbraith, Petit, Shani and Bo Ti: 2016)
  • Recovers a static private key in a linear number of queries (fewer than $n \approx \tfrac{1}{2}\log_2(p)$).
  • FIX: Generate a new ephemeral key pair for each connection and perform an extra check.

Exposure Model (Koziel, Azarderakhsh and Jao: 2017)
  • Discover an intermediate kernel point and curve.
  • FIX: Utilize a random curve isomorphism at the beginning. ("Computationally inexpensive")

Partial Zero/Zero-Point Attack on the 3-Point Ladder (Koziel, Azarderakhsh and Jao: 2017)
  • FIX: Randomize the representation of $P$ and $Q - P$. (+2 multiplications per step)
  • FIX: Dynamic keys, private key representation randomization, point binding.

Loop-abort fault attack (Gélin and Wesolowski: 2017)
  • Inject faults to cause a partial isogeny computation, thus leaking information.
  • FIX: Check the counter after the loop or add a parallel counter. ("Cheap and easy to implement")
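The curve and j-invariant facts from the Elliptic Curves and Isogenies slides and the $(p+1)^2$ point count from the SIDH/SIKE slide can be checked on a toy instance. The following is an added example, not code from the talk or from the SIKE submission; it assumes the constructed toy prime $p = 2^4 \cdot 3^3 - 1 = 431$ (not a SIKE parameter set), represents $\mathbb{F}_{p^2}$ as $\mathbb{F}_p(i)$ with $i^2 = -1$ (valid because $p \equiv 3 \pmod 4$), and cross-checks the slide's Weierstrass j-formula against the standard Montgomery-form closed form $j = 256(A^2-3)^3/(A^2-4)$, which is not on the slides.

```python
# Added example (not from the talk or the SIKE code): verify, on a toy prime,
# #E(F_{p^2}) = (p+1)^2 and the j-invariant formula from the slides for the
# SIKE round-2 starting curve E: y^2 = x^3 + 6x^2 + x.
# Assumption: constructed toy prime p = 2^4 * 3^3 - 1 = 431 (not a SIKE
# parameter set). F_{p^2} = F_p(i) with i^2 = -1, valid since p = 3 (mod 4).
P = 2**4 * 3**3 - 1          # 431
MONTGOMERY_A = 6             # SIKE round-2 starting curve coefficient

def fp2_mul(a, b, p=P):
    """(a0 + a1 i)(b0 + b1 i) in F_{p^2} with i^2 = -1; elements are pairs."""
    return ((a[0]*b[0] - a[1]*b[1]) % p, (a[0]*b[1] + a[1]*b[0]) % p)

def fp2_add(a, b, p=P):
    return ((a[0] + b[0]) % p, (a[1] + b[1]) % p)

def montgomery_rhs(x, A, p=P):
    """x^3 + A x^2 + x evaluated at x in F_{p^2}."""
    x2 = fp2_mul(x, x, p)
    x3 = fp2_mul(x2, x, p)
    return fp2_add(fp2_add(x3, fp2_mul((A % p, 0), x2, p), p), x, p)

def count_points(A, p=P):
    """#E_A(F_{p^2}) by testing, for every x, whether the RHS is a square.
    Brute force over p^2 = 185761 field elements: fine for the toy prime only."""
    elems = [(a0, a1) for a0 in range(p) for a1 in range(p)]
    squares = {fp2_mul(e, e, p) for e in elems}
    count = 1                                  # the point at infinity
    for x in elems:
        r = montgomery_rhs(x, A, p)
        if r == (0, 0):
            count += 1                         # a single point with y = 0
        elif r in squares:
            count += 2                         # y and -y
    return count

def montgomery_to_weierstrass(A, p=P):
    """Substitute x = X - A/3 in y^2 = x^3 + A x^2 + x to get y^2 = X^3 + aX + b."""
    a = (1 - A*A * pow(3, -1, p)) % p
    b = ((2*A**3 - 9*A) * pow(27, -1, p)) % p
    return a, b

def j_invariant_weierstrass(a, b, p=P):
    """Slide formula j = 1728 * 4a^3 / (4a^3 + 27 b^2), computed in F_p."""
    four_a3 = 4 * pow(a, 3, p) % p
    disc = (four_a3 + 27 * b * b) % p          # Delta = -16 * disc must be nonzero
    if disc == 0:
        raise ValueError("singular curve")
    return 1728 * four_a3 * pow(disc, -1, p) % p

def j_invariant_montgomery(A, p=P):
    """Standard closed form for Montgomery curves: j = 256 (A^2 - 3)^3 / (A^2 - 4)."""
    return 256 * pow(A*A - 3, 3, p) * pow(A*A - 4, -1, p) % p

if __name__ == "__main__":
    n = count_points(MONTGOMERY_A)
    print(n, n == (P + 1)**2, n % (2**4 * 3**3) == 0)   # 186624 True True
    print(j_invariant_montgomery(MONTGOMERY_A),
          j_invariant_weierstrass(*montgomery_to_weierstrass(MONTGOMERY_A)))  # 19 19
```

The point count is divisible by $2^4 \cdot 3^3$, which is what lets both parties pick their torsion subgroups $\langle A \rangle$ and $\langle B \rangle$ on this toy curve.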

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    33 Page