
Public-key cryptography from supersingular elliptic curve isogenies
David Jao
Department of Combinatorics & Optimization, University of Waterloo
August 1, 2019

Elliptic curves

Definition. An elliptic curve over a field $F$ is a nonsingular curve $E$ of the form
$$E : y^2 = x^3 + ax + b$$
for fixed constants $a, b \in F$. The set of projective points on an elliptic curve forms a group.

[Figure: the chord-and-tangent group law: the line through $P$ and $Q$ meets $E$ a third time at $-(P+Q)$, whose reflection in the $x$-axis is $P+Q$.]

Counting points on elliptic curves

Example. The elliptic curve $E : y^2 = x^3 + x$ over $\mathbb{F}_{11}$ has the 12 points
$$(0,0),\ (5,3),\ (5,8),\ (7,3),\ (7,8),\ (8,5),\ (8,6),\ (9,1),\ (9,10),\ (10,3),\ (10,8),\ \infty.$$

This is no coincidence:

Theorem. For any prime $p \equiv 3 \pmod 4$, the elliptic curve $E : y^2 = x^3 + x$ over $\mathbb{F}_p$ has $p + 1$ points.

Proof by example ($p = 11$; QR = quadratic residue, QNR = quadratic non-residue; for $x \ge 6$ the value $x^3 + x$ is written as $-((11-x)^3 + (11-x))$, which is the same residue mod 11, to make the pairing $f(-x) = -f(x)$ visible):

 x   x^3 + x   is x^3 + x a QR?   sqrt(x^3 + x)   points on E
 0   0         zero               0               (0, 0)
 1   2         QNR                none            none
 2   10        QNR                none            none
 3   8         QNR                none            none
 4   2         QNR                none            none
 5   9         QR                 ±3              (5, 3), (5, 8)
 6   −9        QNR                none            none
 7   −2        QR                 ±3              (7, 3), (7, 8)
 8   −8        QR                 ±5              (8, 5), (8, 6)
 9   −10       QR                 ±1              (9, 1), (9, 10)
10   −2        QR                 ±3              (10, 3), (10, 8)

The pairing is the whole proof: since $p \equiv 3 \pmod 4$, $-1$ is a QNR mod $p$, so for $x \ne 0$ exactly one of $x^3 + x$ and $(-x)^3 + (-x) = -(x^3 + x)$ is a QR (neither is $0$, because $x^2 = -1$ has no solution). Each of the $(p-1)/2$ pairs $\{x, -x\}$ therefore contributes exactly 2 points, $x = 0$ contributes 1, and $\infty$ contributes 1: $p + 1$ in total.

Isogenies

Definition. An isogeny is a morphism $\varphi$ of algebraic varieties between two elliptic curves such that $\varphi$ is a group homomorphism. Concretely:
$$\varphi : E \to E', \qquad \varphi(x, y) = (\varphi_x(x, y), \varphi_y(x, y)),$$
$$\varphi_x(x, y) = \frac{f_1(x, y)}{f_2(x, y)}, \qquad \varphi_y(x, y) = \frac{g_1(x, y)}{g_2(x, y)},$$
where $f_1, f_2, g_1$ and $g_2$ are all polynomials.

Microsoft Research (cartoon slide): "David, I want to build cryptosystems using isogenies." "Roger that."

A brief history of public-key cryptography

Cryptosystem                          Hard problem
Diffie-Hellman (1976)                 Discrete logarithms
Elliptic curve cryptography (1986)    Discrete logarithms
Pairing-based cryptography (2000)     Discrete logarithms
RSA (1977)                            Factoring integers
Rabin (1978)                          Factoring integers
Composite residues (1985)             Factoring integers
Code-based cryptography (1979)        Decoding linear codes
Lattice-based / NTRU (1996)           Finding short lattice vectors
Isogeny-based / CRS (1996)            Computing isogenies
SIDH / SIKE (2011)                    Computing isogenies

Motivation: quantum computers

Quantum computers represent a huge potential threat to existing public-key cryptosystems: RSA, ECC, etc.
- Transitioning cryptographic algorithms takes time. If you wait until the threat arrives, it is too late.
- NIST is already standardizing post-quantum cryptography. Expected completion: 2022 to 2024.
- Only public-key cryptography is seriously threatened; symmetric ciphers and hash functions need at most larger key and output sizes to absorb Grover's quadratic speedup.

Post-quantum public-key cryptosystems / digital signatures:
- Lattice-based cryptography
- Code-based cryptography
- Multivariate polynomials
- Hash-based cryptography
- Isogeny-based cryptography

A short history of isogeny-based cryptography

Couveignes (1997), Rostovtsev & Stolbunov (2006):
- Public-key cryptosystem using ordinary elliptic curve isogenies
- Very slow
- Quantum subexponential attack (Childs, Jao, Soukharev 2014)

Charles, Goren & Lauter (2009):
- First published cryptographic construction using isogenies
- Hash function only, no encryption

Jao & De Feo, SIDH / SIKE (2011):
- First public-key cryptosystem using supersingular isogenies
- Much faster than CRS
- Hardness problem is related to CGL (Costache et al. 2018)

Castryck et al., CSIDH (2018):
- CRS over supersingular curves
- Still has a quantum subexponential attack
- Slower than SIDH, but has smaller keys (at low security levels)

SIDH / SIKE

Supersingular Isogeny Diffie-Hellman (Jao and De Feo, 2011):
- A key-exchange protocol, similar to Diffie-Hellman, using isogenies between supersingular elliptic curves

Why isogenies?
- Because they seem to be quantum-resistant

Why supersingular elliptic curves?
- We found a quantum subexponential attack for ordinary (i.e. non-supersingular) curves (Childs, Jao, and Soukharev 2014)

Supersingular Isogeny Key Encapsulation (https://sike.org) (Jao and twelve other authors, 2017 to 2019):
- A more secure (and slower) version of SIDH, submitted to the NIST post-quantum process, with random padding and protection against active (chosen-ciphertext) attacks

Some group theory

Definition. Let $\varphi : G \to H$ be a group homomorphism. The kernel of $\varphi$, denoted $\ker \varphi$, is
$$\ker \varphi = \{\, g \in G : \varphi(g) = 0 \,\}.$$

Theorem (First isomorphism theorem). Let $\varphi : G \to H$ be a group homomorphism. Then:
- $\ker \varphi$ is a subgroup of $G$.
- $G / \ker \varphi$ is isomorphic to the image of $\varphi$.

In particular, every surjective group homomorphism is isomorphic to some projection map $G \to G/K$ for some $K$ (namely $K = \ker \varphi$).

SIDH overview

1. Public parameters: a supersingular elliptic curve $E$ over $\mathbb{F}_{p^2}$.
2. Alice chooses a kernel $A \subset E(\mathbb{F}_{p^2})$ and sends $E/A$ to Bob.
3. Bob chooses a kernel $B \subset E(\mathbb{F}_{p^2})$ and sends $E/B$ to Alice.
4. The shared secret is
$$E/\langle A, B \rangle = (E/A)/\varphi_A(B) = (E/B)/\varphi_B(A).$$

Diffie-Hellman (DH)            SIDH
g     -> g^x                   E    -> E/A              (via $\varphi_A$)
g^y   -> g^{xy}                E/B  -> E/<A, B>         (via $\varphi_B$)

Both squares commute: in DH the two routes to $g^{xy}$ are "raise to $x$, then to $y$" or the reverse; in SIDH they are "apply $\varphi_A$, then $\varphi_B$" or the reverse.

Detailed description of SIDH

Public parameters:
- Prime $p$ of the form $2^{e_2} 3^{e_3} - 1$ (needed for computations)
- Supersingular curve $E : y^2 = x^3 + x$ over $\mathbb{F}_{p^2}$ of order $(p+1)^2$
- Basis $\{P_2, Q_2\}$ of $E[2^{e_2}]$ and $\{P_3, Q_3\}$ of $E[3^{e_3}]$

Alice:
- Choose $\mathrm{sk}_2 \in \mathbb{Z}$ and compute $S_2 = P_2 + \mathrm{sk}_2 Q_2$, a point of order $2^{e_2}$
- Compute $\varphi_2 : E \to E/\langle S_2 \rangle$
- Send $E/\langle S_2 \rangle,\ \varphi_2(P_3),\ \varphi_2(Q_3)$ to Bob

Bob:
- Same as Alice, swapping 2 with 3

The shared secret is derived from
$$E/\langle S_2, S_3 \rangle = (E/\langle S_2 \rangle)/\langle \varphi_2(P_3) + \mathrm{sk}_3\, \varphi_2(Q_3) \rangle = (E/\langle S_2 \rangle)/\langle \varphi_2(S_3) \rangle$$
$$= (E/\langle S_3 \rangle)/\langle \varphi_3(P_2) + \mathrm{sk}_2\, \varphi_3(Q_2) \rangle = (E/\langle S_3 \rangle)/\langle \varphi_3(S_2) \rangle.$$
Concretely, the two parties end up with isomorphic curves and use the common $j$-invariant as the secret.

Attacks

Hardness assumption: given $E$ and $E/A$, it is computationally infeasible to find $A$.

Fastest known (passive) attack is a meet-in-the-middle collision search or claw search on a search space of size $\deg(\varphi) \approx 2^{300}$.

[Figure: the isogeny graph explored by the attack, branching from $E$ to $E_1, E_2, E_3$, then to $E_{11}, E_{12}, E_{21}, E_{22}, E_{31}, E_{32}, \ldots$, until $E/A$ is reached.]

Asymptotic complexity

For a generic meet-in-the-middle attack, the values in the table are provable lower bounds.

             Alice                  Bob
Classical    $\sqrt{2^{e_2}}$       $\sqrt{3^{e_3}}$
Quantum      $\sqrt[3]{2^{e_2}}$    $\sqrt[3]{3^{e_3}}$

Quantum security level of SIDH is conjecturally
$$\min\left(\sqrt[3]{2^{e_2}},\ \sqrt[3]{3^{e_3}}\right) \approx p^{1/6}.$$

These bounds describe the generic attacks known when the talk was given (2019). In 2022, Castryck and Decru, Maino and Martindale, and Robert found key-recovery attacks that use the torsion-point images $\varphi_2(P_3), \varphi_2(Q_3)$ in the public key to recover the secret isogeny efficiently, breaking SIDH and SIKE at every proposed parameter set; CSIDH, which sends no torsion-point images, is not affected by those attacks.

Advantages of SIKE
- 190 byte public keys, the smallest of all the NIST proposals
- Simple parameter selection
- Slow speed will be less of an issue as computers get faster
- Uses nontrivial math!
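The point count from the "Counting points on elliptic curves" slides, as an added example (editor's Python, not material from the slides; the function names are the editor's choice). It rebuilds the QR/QNR table for any prime $p \equiv 3 \pmod 4$, counts $\#E(\mathbb{F}_p)$ for any odd prime with the Legendre-symbol sum, and checks the pairing $f(-x) = -f(x)$ that the proof relies on, so the theorem can be tried on primes other than 11 and seen to fail for $p \equiv 1 \pmod 4$.

```python
# Point counting for E_p: y^2 = x^3 + x over F_p, from the "Counting points" slides.
# Editor's added example, not from the slides; the function names are the editor's.

def legendre(a, p):
    """Legendre symbol (a/p): 0 if p divides a, 1 for a nonzero square mod p, -1 for a non-square."""
    a %= p
    if a == 0: return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(p):
    """#E_p(F_p) = 1 + sum over x of (1 + (f(x)/p)), f(x) = x^3 + x; valid for every odd prime p."""
    return 1 + sum(1 + legendre(x**3 + x, p) for x in range(p))

def point_table(p):
    """The slides' table for p ≡ 3 (mod 4): rows (x, f(x) mod p, 'zero'/'QR'/'QNR', y-roots)."""
    if p % 4 != 3: raise ValueError("the square root below uses (p+1)/4, so p ≡ 3 (mod 4) is required")
    rows = []
    for x in range(p):
        f = (x**3 + x) % p
        s = legendre(f, p)
        if s == 1:
            r = pow(f, (p + 1) // 4, p)     # r^2 = f^((p+1)/2) = f * f^((p-1)/2) = f for a square f
            roots = sorted({r, p - r})
        else:
            roots = [0] if s == 0 else []
        rows.append((x, f, {0: "zero", 1: "QR", -1: "QNR"}[s], roots))
    return rows

def points(p):
    """All points of E_p(F_p) in the slides' order: affine points, then 'inf' for the point at infinity."""
    return [(x, y) for x, _, _, roots in point_table(p) for y in roots] + ["inf"]

def pairs_split(p):
    """The fact behind the theorem: f(-x) = -f(x), and -1 is a non-square exactly when p ≡ 3 (mod 4),
    so (f(x)/p) = -(f(-x)/p) for all x and each pair {x, -x} contributes two points. Returns whether
    that holds for p; it does for p ≡ 3 (mod 4) and fails for p ≡ 1 (mod 4)."""
    return all(legendre(x**3 + x, p) == -legendre((-x)**3 - x, p) for x in range(1, p))
```

`count_points` works for any odd prime because it never takes a square root; `point_table` is the one place the $p \equiv 3 \pmod 4$ hypothesis is actually used, which is why it refuses other primes instead of silently returning wrong roots.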
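The exchange from "Detailed description of SIDH", together with the isogeny definition earlier in the deck, as an added example: a toy run over $\mathbb{F}_{p^2}$ with $p = 2^4 \cdot 3^3 - 1 = 431$, written by the editor and not taken from the slides or from the SIKE implementation. It assumes short Weierstrass arithmetic with $y$-coordinates, $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$, Vélu's formulas applied to the whole cyclic kernel in one step (real implementations chain $2$- and $3$-isogenies on Montgomery curves instead), a randomly found torsion basis, and seed-derived secret scalars; `sidh(seed)` returns the two parties' $j$-invariants, which agree when the exchange works.

```python
# Toy SIDH: p = 2^4 * 3^3 - 1 = 431, E: y^2 = x^3 + x over F_{p^2}, per "Detailed description of SIDH".
# Velu's formulas are applied to the whole cyclic kernel at once (toy size only). Editor's added
# example, not from the slides; names, layout and the seeded key choice are assumptions.
import random

E2, E3 = 4, 3; P_ = 2**E2 * 3**E3 - 1   # 431 is prime, p ≡ 3 (mod 4), so F_{p^2} = F_p(i), i^2 = -1

# F_{p^2} elements are pairs (a, b) meaning a + b*i.
def fadd(x, y): return ((x[0] + y[0]) % P_, (x[1] + y[1]) % P_)
def fsub(x, y): return ((x[0] - y[0]) % P_, (x[1] - y[1]) % P_)
def fmul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % P_, (x[0]*y[1] + x[1]*y[0]) % P_)
def fint(k): return (k % P_, 0)
def fp_sqrt(s): return pow(s, (P_ + 1) // 4, P_)            # F_p root; correct only if s is a square
def finv(x):                    # 1/(a+bi) = (a-bi)/(a^2+b^2); the norm a^2+b^2 lies in F_p
    n = pow((x[0]*x[0] + x[1]*x[1]) % P_, P_ - 2, P_)
    return ((x[0]*n) % P_, (-x[1]*n) % P_)
def fsqrt(a):
    """Square root in F_{p^2}, or None if a is a non-square."""
    u, v = a
    if v == 0:                  # -1 is a non-square in F_p, so sqrt(u) = i*sqrt(-u) when u is not
        r = fp_sqrt(u)
        return (r, 0) if r*r % P_ == u else (0, fp_sqrt(-u % P_))
    n = fp_sqrt((u*u + v*v) % P_)                          # a is a square iff its norm is one in F_p
    if n*n % P_ != (u*u + v*v) % P_: return None
    for s in ((u + n) * pow(2, P_ - 2, P_) % P_, (u - n) * pow(2, P_ - 2, P_) % P_):
        x = fp_sqrt(s)                                     # exactly one candidate is a square in F_p
        if x*x % P_ == s: return (x, v * pow(2*x, P_ - 2, P_) % P_)

# Points on y^2 = x^3 + A x + B are (x, y) pairs of field elements; None is the identity O.
def add(P, Q, A):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0]:
        if fadd(P[1], Q[1]) == (0, 0): return None           # Q = -P
        lam = fmul(fadd(fmul(fint(3), fmul(P[0], P[0])), A), finv(fmul(fint(2), P[1])))
    else:
        lam = fmul(fsub(Q[1], P[1]), finv(fsub(Q[0], P[0])))
    x3 = fsub(fsub(fmul(lam, lam), P[0]), Q[0])
    return (x3, fsub(fmul(lam, fsub(P[0], x3)), P[1]))
def mul(k, P, A):               # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, P, A)
        P, k = add(P, P, A), k >> 1
    return R
def j_inv(A, B):                # j = 1728 * 4A^3 / (4A^3 + 27B^2)
    a3 = fmul(fint(4), fmul(fmul(A, A), A))
    return fmul(fmul(fint(1728), a3), finv(fadd(a3, fmul(fint(27), fmul(B, B)))))

def torsion_basis(A, B, l, e, rng):
    """Two independent points of exact order l^e; E(F_{p^2}) has exponent p+1 = 2^e2 * 3^e3."""
    pts = []
    while len(pts) < 2:
        x = (rng.randrange(P_), rng.randrange(P_))
        y = fsqrt(fadd(fadd(fmul(fmul(x, x), x), fmul(A, x)), B))
        T = y and mul((P_ + 1) // l**e, (x, y), A)            # None if no point; else l-power part
        if T is None or mul(l**(e - 1), T, A) is None: continue   # order smaller than l^e
        if pts and any(mul(k, mul(l**(e - 1), pts[0], A), A) == mul(l**(e - 1), T, A)
                       for k in range(1, l)): continue         # <pts[0]> and <T> intersect
        pts.append(T)
    return pts

def velu(A, B, S, n):
    """Velu's formulas: codomain (A', B') and the map phi of E -> E/<S>, where S has order n."""
    xs, reps = set(), []
    for Q in (mul(k, S, A) for k in range(1, n)):             # one representative per pair {Q, -Q}
        if Q[0] not in xs: xs.add(Q[0]); reps.append(Q)
    v = w = (0, 0); terms = []
    for xq, yq in reps:
        gx, gy = fadd(fmul(fint(3), fmul(xq, xq)), A), fmul(fint(-2), yq)   # 3x_Q^2 + A, -2y_Q
        vq = gx if yq == (0, 0) else fmul(fint(2), gx)        # a 2-torsion point is its own negative
        uq = fmul(gy, gy)
        v, w = fadd(v, vq), fadd(w, fadd(uq, fmul(xq, vq)))
        terms.append((xq, yq, fmul(gx, gy), vq, uq))
    A2, B2 = fsub(A, fmul(fint(5), v)), fsub(B, fmul(fint(7), w))
    def phi(P):
        if P is None or P[0] in xs: return None               # the kernel maps to O
        (x, y), (X, Y) = P, P
        for xq, yq, gxy, vq, uq in terms:
            d1 = finv(fsub(x, xq)); d2 = fmul(d1, d1); d3 = fmul(d2, d1)
            X = fadd(X, fadd(fmul(vq, d1), fmul(uq, d2)))
            Y = fsub(Y, fsub(fadd(fmul(uq, fmul(fmul(fint(2), y), d3)),
                                  fmul(vq, fmul(fsub(y, yq), d2))), fmul(gxy, d2)))
        return (X, Y)
    return A2, B2, phi

def shared(pub, sk, n):         # (E/<S_other>) / <phi_other(P) + sk * phi_other(Q)>, as a j-invariant
    a, b, R, T = pub
    return j_inv(*velu(a, b, add(R, mul(sk, T, a), a), n)[:2])

def sidh(seed=1):
    """One SIDH exchange; returns (j_Alice, j_Bob), which agree iff both sides reached E/<S2, S3>."""
    rng = random.Random(seed)
    A, B = fint(1), fint(0)                                   # E: y^2 = x^3 + x
    (P2, Q2), (P3, Q3) = torsion_basis(A, B, 2, E2, rng), torsion_basis(A, B, 3, E3, rng)
    sk2, sk3 = rng.randrange(2**E2), rng.randrange(3**E3)     # secret scalars
    S2 = add(P2, mul(sk2, Q2, A), A)                          # Alice: S2 = P2 + sk2*Q2, order 2^e2
    A2, B2, phi2 = velu(A, B, S2, 2**E2); alice_pub = (A2, B2, phi2(P3), phi2(Q3))
    S3 = add(P3, mul(sk3, Q3, A), A)                          # Bob: S3 = P3 + sk3*Q3, order 3^e3
    A3, B3, phi3 = velu(A, B, S3, 3**E3); bob_pub = (A3, B3, phi3(P2), phi3(Q2))
    return shared(bob_pub, sk2, 2**E2), shared(alice_pub, sk3, 3**E3)
```

The public key is exactly the triple from the slides: the curve $E/\langle S_2\rangle$ (as its coefficients) plus the two pushed-through basis points of the other party's torsion group. Those torsion-point images are what lets the other side compute $\varphi_2(S_3)$ without knowing $\mathrm{sk}_2$, and they are also the extra information the 2022 key-recovery attacks exploit; the toy keeps them because the protocol does not work without them.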
Source file: PDF, 16 pages, English.