Loop-abort faults on supersingular isogeny cryptosystems
|
|
- Kellie Wilkinson
- 5 years ago
- Views:
Transcription
1 Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Switzerland PQCrypto 2017 Utrecht 2017/06/26
2 Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011
3 Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06]
4 Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve:
5 Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve:
6 Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k ( ) #E F p k = 1 mod p. such that
7 Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k ( ) #E F p k = 1 mod p. such that Interesting properties: All supersingular elliptic curves can be defined over F p 2 About p 12 supersingular elliptic curves, up to isomorphism
8 Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by degφ = #Ker φ.
9 Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by degφ = #Ker φ. Interesting properties: G E 1 = a unique E 2 and φ such that φ : E 1 E 2 and Ker φ = G E 2 = E/G is obtained in O ( degφ )
10 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B
11 A supersingular elliptic curve E with l n A lm B points E Key-Exchange Protocol A prime p such that p + 1 = l n A lm B
12 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B points A point R A chosen randomly in E [ l n A ] E
13 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points E
14 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points φ A E = the curve E A = E/ R A and φ A : E E A E A
15 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points φ A E φ B = the curve E A = E/ R A and φ A : E E A E A E B A point R B = m B P B + n B Q B random in E [ l m ] B = PB,Q B, the curve E B = E/ R B and φ B : E E B
16 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B E A E B
17 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) E A E B E AB
18 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB
19 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB E/ R A,R B E BA so j(e AB ) = j(e BA ) E AB
20 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB E/ R A,R B E BA so j(e AB ) = j(e BA ) = j(e AB ) secret shared by Alice and Bob E AB
21 Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A.
22 Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph
23 Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph Brute-force attack in O ( l n A ) O ( p )
24 Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph Brute-force attack in O ( l n A ) O ( p ) ) Claw finding: Find a collision in O (l n 2 A O ( 4 p )
25 Attack framework Alice uses a static private key (m A,n A ) E φ A φ B E A E B E AB
26 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E φ A φ B E A E B E AB
27 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B E A E B E AB
28 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) E A E B E AB
29 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) Previous active attack [GPST16]: E A E B Idea: Provide dishonest points ( P A, Q A ) instead of (P A,Q A ) E AB
30 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) Previous active attack [GPST16]: E A E B Idea: Provide dishonest points ( P A, Q A ) instead of (P A,Q A ) Countermeasure: Validation method verifies the correctness of the inputs (Fujisaki-Okamoto transform) E AB
31 How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A )
32 How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny
33 How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny R 0 = m A P A + n AQ A and for 1 k n 1, E k+1 = E k / l n k 1 A R k φ k+1 : E k E k+1 R k+1 = φ k+1 (R k )
34 How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny R 0 = m A P A + n AQ A and for 1 k n 1, E k+1 = E k / l n k 1 A R k φ k+1 : E k E k+1 R k+1 = φ k+1 (R k ) E n = E AB = E B / R 0 and φ = φ n φ 1
35 Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes
36 Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop
37 Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop Proven feasible in practice [Blömer et al.]
38 Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop Proven feasible in practice [Blömer et al.] Implementations of SIDH on embedded devices already exist
39 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes
40 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A )
41 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1
42 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A
43 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A if n a is even, then Ker φ 1 = 2 n 1 P A
44 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A if n a is even, then Ker φ 1 = 2 n 1 P A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A )
45 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A )
46 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A = (m A,n A ) equivalent to (1,a) for a = n A m A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A ) and a even
47 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A = (m A,n A ) equivalent to (1,a) for a = n A m A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A ) = (m A,n A ) equivalent to (1,a) for a = n A m A and a even and a odd
48 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a)
49 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits
50 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k k 1 )Q A )
51 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k k 1 )Q A ) Make a guess and recover the k-th bit of a
52 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k k 1 )Q A ) Make a guess and recover the k-th bit of a Conclusion: full-key recovery by iterating this process
53 Analysis n bits recovered in n interactions with the victim = n faults injected
54 Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1,
55 Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ faults injected if the success can be detected
56 Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ about 2n µ faults injected if the success can be detected otherwise
57 Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ about 2n µ faults injected if the success can be detected otherwise Alternative with less faults assuming a stronger oracle
58 Thanks Bedankt
Loop-abort faults on supersingular isogeny cryptosystems
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin 1 and Benjamin Wesolowski 2 1 Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France alexandre.gelin@lip6.fr 2 École
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationElliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography
Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationSupersingular Isogeny Key Encapsulation
Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionq, Inc. Full list of submitters: Reza Azarderakhsh, FAU Matt Campagna, Amazon Craig Costello, MSR Luca
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationGenus Two Isogeny Cryptography
Genus Two Isogeny Cryptography E.V. Flynn 1 and Yan Bo Ti 2 1 Mathematical Institute, Oxford University, UK. flynn@maths.ox.ac.uk 2 Mathematics Department, University of Auckland, NZ. yanbo.ti@gmail.com
More informationSupersingular Isogeny Key Encapsulation (SIKE)
Supersingular Isogeny Key Encapsulation (SIKE) Reza Azarderakhsh Matthew Campagna Craig Costello Luca De Feo Basil Hess David Jao Brian Koziel Brian LaMacchia Patrick Longa Michael Naehrig Joost Renes
More informationhttps://www.microsoft.com/en-us/research/people/plonga/ Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular
More informationA Post-Quantum Digital Signature Scheme based on Supersingular Isogenies
Post-Quantum Digital Signature Scheme based on Supersingular Isogenies by Youngho Yoo thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationIsogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem
Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Chloe Martindale 26th January, 2018 These notes are from a talk given in the Séminaire Géométrie et algèbre effectives
More informationParametrizations for Families of ECM-Friendly Curves
Parametrizations for Families of ECM-Friendly Curves Thorsten Kleinjung Arjen K. Lenstra Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC École Polytechnique Fédérale de Lausanne, EPFL IC
More informationExplicit Complex Multiplication
Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,
More informationConstructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationThe isogeny cycle seminar
The isogeny cycle seminar Luca De Feo Université de Versailles & Inria Saclay September 29, 2016, École Polytechnique Fédérale de Lausanne Elliptic curves Let E : y 2 = x 3 + ax + b be an elliptic curve...
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Die-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Die-Hellman Brian Koziel 1, Reza Azarderakhsh 2, and David Jao 3 1 Texas Instruments, kozielbrian@gmail.com. 2 CEECS Dept and I-SENSE FAU,
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS
ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS GORA ADJ, OMRAN AHMADI, AND ALFRED MENEZES Abstract. We study the isogeny graphs of supersingular elliptic curves over finite fields,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationMappings of elliptic curves
Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves
More informationHard and Easy Problems for Supersingular Isogeny Graphs
Hard and Easy Problems for Supersingular Isogeny Graphs Christophe Petit and Kristin Lauter University of Birmingham, Microsoft Research February 21, 2018 Abstract We consider the endomorphism ring computation
More informationCSIDH: An Efficient Post-Quantum Commutative Group Action
CSIDH: An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1, Tanja Lange 2, Chloe Martindale 2, Lorenz Panny 2, and Joost Renes 3 wouter.castryck@esat.kuleuven.be, tanja@hyperelliptic.org,
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationOn hybrid SIDH schemes using Edwards and Montgomery curve arithmetic
On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic Michael Meyer 1,2, Steffen Reith 1, and Fabio Campos 1 1 Department of Computer Science, University of Applied Sciences Wiesbaden 2
More informationAdvanced Cryptography Quantum Algorithms Christophe Petit
The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat
More informationSupersingular isogeny graphs and endomorphism rings: reductions and solutions
Supersingular isogeny graphs and endomorphism rings: reductions and solutions Kirsten Eisenträger 1, Sean Hallgren 2, Kristin Lauter 3, Travis Morrison 1, and Christophe Petit 4 1 The Pennsylvania State
More informationEfficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography
Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography Angshuman Karmakar 1, Sujoy Sinha Roy 1, Frederik Vercauteren 1,2, and Ingrid Verbauwhede 1 1 KU Leuven ESAT/COSIC and
More informationA quantum algorithm for computing isogenies between supersingular elliptic curves
A quantum algorithm for computing isogenies between supersingular elliptic curves Jean-François Biasse 1,2, David Jao 1, and Anirudh Sankar 1 1 Department of Combinatorics and Optimization 2 Institute
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationElliptic Curve Computations (1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x 3 x over the real number field R.
Elliptic Curve Computations (1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x 3 x over the real number field R. >> v = y^2 - x*(x-1)*(x+1) v = y^2 - x*(x-1)*(x+1) >> ezplot(v, [-1,3,-5,5])
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationEfficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography
Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography Angshuman Karmakar 1 Sujoy Sinha Roy 1 Frederik Vercauteren 1,2 Ingrid Verbauwhede 1 1 COSIC, ESAT KU Leuven and iminds
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationCounting points on genus 2 curves over finite
Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationCurrent trends and challenges in post-quantum cryptography. Steven Galbraith University of Auckland, New Zealand
Current trends and challenges in post-quantum cryptography University of Auckland, New Zealand Thanks Eric Bach, Joshua Holden, Jen Paulhus, Andrew Shallue, Renate Scheidler, Jonathan Sorenson. Hilary
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationFaster Algorithms for Isogeny Problems using Torsion Point Images
Faster Algorithms for Isogeny Problems using Torsion Point Images Christophe Petit School of Computer Science, University of Birmingham Abstract. There is a recent trend in cryptography to construct protocols
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationMATH UN Midterm 2 November 10, 2016 (75 minutes)
Name: UNI: Instructor: Shrenik Shah MATH UN3025 - Midterm 2 November 10, 2016 (75 minutes) This examination booklet contains 6 problems. There are 10 sheets of paper including the front cover. This is
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationNEON-SIDH: Ecient Implementation of Supersingular Isogeny Die-Hellman Key Exchange Protocol on ARM
NEON-SIDH: Ecient Implementation of Supersingular Isogeny Die-Hellman Key Exchange Protocol on ARM Brian Koziel 1, Amir Jalali 2, Reza Azarderakhsh 3, David Jao 4, and Mehran Mozaari-Kermani 5 1 Texas
More informationFraud within Asymmetric Multi-Hop Cellular Networks
Financial Cryptography 2005 EPFL, Lausanne, Switzerland ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE Wireless networks Single-hop cellular network Multi-hop network Multi-hop cellular network Asymmetric multi-hop
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationPARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES
PARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES ALEXANDRE GÉLIN, THORSTEN KLEINJUNG, AND ARJEN K. LENSTRA Abstract. We provide a new family of elliptic curves that results in a one to two percent
More informationQuantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes
Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes Xavier Bonnetain 1,2 and André Schrottenloher 2 1 Sorbonne Université, Collège Doctoral, F-75005 Paris, France 2 Inria, France Abstract.
More informationEvaluating Large Degree Isogenies between Elliptic Curves
Evaluating Large Degree Isogenies between Elliptic Curves by Vladimir Soukharev A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationA message recovery signature scheme equivalent to DSA over elliptic curves
A message recovery signature scheme equivalent to DSA over elliptic curves Atsuko Miyaji Multimedia Development Center Matsushita Electric Industrial Co., LTD. E-mail : miyaji@isl.mei.co.jp Abstract. The
More informationPractical Supersingular Isogeny Group Key Agreement
Practical Supersingular Isogeny Group Key Agreement Reza Azarderakhsh 1, Amir Jalali 1, David Jao 2, and Vladimir Soukharev 3 1 Department of Computer and Electrical Engineering and Computer Science, Florida
More informationElliptic Curve Cryptosystems
Elliptic Curve Cryptosystems Santiago Paiva santiago.paiva@mail.mcgill.ca McGill University April 25th, 2013 Abstract The application of elliptic curves in the field of cryptography has significantly improved
More informationA Dierential Power Analysis attack against the Miller's Algorithm
A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationOverview. Public Key Algorithms II
Public Key Algorithms II Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601-04/ Louisiana State
More informationON THE COST OF COMPUTING ISOGENIES BETWEEN SUPERSINGULAR ELLIPTIC CURVES
ON THE COST OF COMPUTING ISOGENIES BETWEEN SUPERSINGULR ELLIPTIC CURVES GOR DJ, DNIEL CERVNTES-VÁZQUEZ, JESÚS-JVIER CHI-DOMÍNGUEZ, LFRED MENEZES, ND FRNCISCO RODRÍGUEZ-HENRÍQUEZ bstract. The security of
More informationComputing modular polynomials with the Chinese Remainder Theorem
Computing modular polynomials with the Chinese Remainder Theorem Andrew V. Sutherland Massachusetts Institute of Technology ECC 009 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Computing modular
More informationSJÄLVSTÄNDIGA ARBETEN I MATEMATIK
SJÄLVSTÄNDIG RBETEN I MTEMTIK MTEMTISK INSTITUTIONEN, STOCKHOLMS UNIVERSITET Post-Quantum Cryptography: Supersingular Isogeny Diffie-Hellman Key Exchange av Erik Thormarker 2017 - No 42 MTEMTISK INSTITUTIONEN,
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationIdentification Protocols and Signature Schemes Based on Supersingular Isogeny Problems
Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems Steven D. Galbraith 1, Christophe Petit 2, and Javier Silva 3 1 Mathematics Department, University of Auckland, NZ.
More informationdit-upm RSA Cybersecurity Cryptography
-upm Cybersecurity Cryptography José A. Mañas < http://www.dit.upm.es/~pepe/> Information Technology Department Universidad Politécnica de Madrid 4 october 2018 public key (asymmetric) public key secret
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationPublic key exchange using semidirect product of (semi)groups
Public key exchange using semidirect product of (semi)groups Maggie Habeeb 1, Delaram Kahrobaei 2, Charalambos Koupparis 3, and Vladimir Shpilrain 4 1 California University of Pennsylvania habeeb@calu.edu
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationSuppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:
Elliptic Curve Cryptography Jim Royer CIS 428/628: Introduction to Cryptography November 6, 2018 Suppose F is a field and a 1,..., a 6 F. Definition 1. An elliptic curve E over a field F is a curve given
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationAlgorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis
Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationEvitando ataques Side-Channel mediante el cálculo de curvas isógenas e isomorfas
1 / 24 Evitando ataques Side-Channel mediante el cálculo de curvas isógenas e isomorfas R. Abarzúa 1 S. Martínez 2 J. Miret 2 R. Tomàs 2 J. Valera 2 1 Universidad de Santiago de Chile (Chile). e-mail:
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationTOWARDS QUANTUM-RESISTANT CRYPTOSYSTEMS FROM SUPERSINGULAR ELLIPTIC CURVE ISOGENIES
TOWRDS QUNTUM-RESISTNT CRYPTOSYSTEMS FROM SUPERSINGULR ELLIPTIC CURVE ISOGENIES LUC DE FEO, DVID JO, ND JÉRÔME PLÛT bstract. We present new candidates for quantum-resistant public-key cryptosystems based
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More information