|
|
- Baldwin Owen
- 5 years ago
- Views:
Transcription
1
2 Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular isogenies ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 1
3 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 2 Quick motivation recap Quantum computers will break public-key cryptography currently in use: cryptosystems based on factoring and (elliptic curve) discrete logarithms NIST launches the post-quantum cryptography standardization project: call-for-proposals-final-dec-2016.pdf The goal of this process is to select a number of acceptable candidate cryptosystems for standardization. (This includes: digital signatures, encryption and key encapsulation).
4 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 3 Post-quantum candidates Code-based Lattice-based Hash-based Multivariate Isogeny-based Classic McEliece, QCMDPC codes (BIKE) NTRU, LWE (FrodoKEM), M-LWE (Kyber), R-LWE (NewHope) Merkle hash-tree signatures (Gravity-SPHINCS, SPHINCS + ) MQDSS, Rainbow SIDH (SIKE)
5 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 3 Post-quantum candidates: in this talk Code-based Lattice-based Hash-based Multivariate Isogeny-based Classic McEliece, QCMDPC codes (BIKE) NTRU, LWE (FrodoKEM), M-LWE (Kyber), R-LWE (NewHope) Merkle hash-tree signatures (Gravity-SPHINCS, SPHINCS + ) MQDSS, Rainbow SIDH (SIKE)
6 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 4 (A brief) Timeline of isogeny-based crypto, part I 1996 Couveignes describes first isogeny-based (key exchange) scheme Rostovtsev and Stolbunov propose key exchange using ordinary isogenies. These schemes are impractical, and Can be broken in quantum subexponential time (Childs Jao Soukharev 2010) Jao and De Feo propose key exchange using supersingular isogenies (SIDH). Much better performance. Best quantum and classical attack complexity is, as of today, exponential.
7 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 5 Elliptic curves and isogenies Every elliptic curve over a field K with char(k) > 3 can be defined in (short) Weierstrass form by E: y 2 = x 3 + ax + b, where a, b K and = 16(4a b 2 ) 0.
8 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 5 Elliptic curves and isogenies Every elliptic curve over a field K with char(k) > 3 can be defined in (short) Weierstrass form by E: y 2 = x 3 + ax + b, where a, b K and = 16(4a b 2 ) 0. For an extension field L of K, the set of L-rational points on E E L = x, y L L: y 2 x 3 ax b = 0 {O}, together with the group addition law, forms an abelian group with identity O.
9 Elliptic curves and isogenies Every elliptic curve over a field K with char(k) > 3 can be defined in (short) Weierstrass form by E: y 2 = x 3 + ax + b, where a, b K and = 16(4a b 2 ) 0. For an extension field L of K, the set of L-rational points on E E L = x, y L L: y 2 x 3 ax b = 0 {O}, together with the group addition law, forms an abelian group with identity O. Isomorphism classes are determined by the j-invariant: j E = a 3 4a 3 +27b 2 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 5
10 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 6 Elliptic curves and isogenies Let E 1 and E 2 be elliptic curves defined over an extension field L. An isogeny is a (non-constant) rational map φ: E 1 E 2 that preserves identity, i.e., φ(o E1 ) O E2.
11 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 6 Elliptic curves and isogenies Let E 1 and E 2 be elliptic curves defined over an extension field L. An isogeny is a (non-constant) rational map φ: E 1 E 2 that preserves identity, i.e., φ(o E1 ) O E2. Relevant properties: Isogenies are group homomorphisms. For every finite subgroup G E 1, there is a unique curve E 2 (up to isomorphism) and isogeny φ: E 1 E 2 with kernel G. Write E 2 = φ E 1 = E 1 /G. (Separable) isogenies have deg φ = # ker φ.
12 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 7 Supersingular curves An elliptic curve E/L is supersingular if #E(L) 1(mod p). All supersingular curves can be defined over F p 2. There are ~ p/12 isomorphism classes of supersingular curves.
13 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 8 Supersingular isogeny graphs Vertices: the ~ p/12 isomorphism classes of supersingular curves over F p 2.
14 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 8 Supersingular isogeny graphs Vertices: the ~ p/12 isomorphism classes of supersingular curves over F p 2. Edges: isogenies of a fixed prime degree l p l = 2
15 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 8 Supersingular isogeny graphs Vertices: the ~ p/12 isomorphism classes of supersingular curves over F p 2. Edges: isogenies of a fixed prime degree l p For any prime l p, there exist (l + 1) isogenies of degree l originating from every supersingular curve. l = 2
16 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 8 Supersingular isogeny graphs Vertices: the ~ p/12 isomorphism classes of supersingular curves over F p 2. Edges: isogenies of a fixed prime degree l p For any prime l p, there exist (l + 1) isogenies of degree l originating from every supersingular curve. l = 2 l = 3
17 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 9 Supersingular Isogeny Diffie-Hellman (SIDH) Setup: l 2,3, supersingular curve E 0 /F p 2 with a prime p = f 2 e A3 e B 1 such that 2 e A 3 e B and f small. Then: E 2 e A, E[3 e B] E 0 (F p 2)
18 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 9 Supersingular Isogeny Diffie-Hellman (SIDH) Setup: l 2,3, supersingular curve E 0 /F p 2 with a prime p = f 2 e A3 e B 1 such that 2 e A 3 e B and f small. Then: E 2 e A, E[3 e B] E 0 (F p 2) works over E[2 e A] using 2-isogenies and linearly independent points P A, Q A. works over E[3 e B] using 3-isogenies and linearly independent points P B, Q B.
19 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E 0
20 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E 0
21 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E A = E 0 / A E 0
22 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E A = E 0 / A E 0 E B = E 0 / B
23 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E A = E 0 / A E 0 E B = E 0 / B
24 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A E 0 E B = E 0 / B R B, S B = {φ B P A, φ B (Q A )}
25 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A E 0 ker(φ A ) = A = R B + [s A ]S B E E φ BA B = E 0 / B A R B, S B = {φ B P A, φ B (Q A )} = E B / A A = φ B P A + [s A ]φ B Q A = φ B P A + [s A ]Q A = φ B A
26 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A φ B ker φ B = B = R A + [s B ]S A E AB = E A / B E 0 ker(φ A ) = A = R B + [s A ]S B φ A E B = E 0 / B R B, S B = {φ B P A, φ B (Q A )} E BA = E B / A A = φ B P A + [s A ]φ B Q A = φ B P A + [s A ]Q A = φ B A B = φ A P B + [s B ]φ A Q B = φ A P B + [s B ]Q B = φ A B
27 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A φ B ker φ B = B = R A + [s B ]S A E AB = E A / B E 0 ker(φ A ) = A = R B + [s A ]S B φ A E B = E 0 / B R B, S B = {φ B P A, φ B (Q A )} E BA = E B / A A = φ B P A + [s A ]φ B Q A = φ B P A + [s A ]Q A = φ B A B = φ A P B + [s B ]φ A Q B = φ A P B + [s B ]Q B = φ A B E AB = φ B (φ A (E 0 )) E 0 / P A + [s A ]Q A, P B + [s B ]Q B E BA = φ A (φ B E 0 )
28 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A E 0 E 0 / A, B E B = E 0 / B R B, S B = {φ B P A, φ B (Q A )} A = φ B P A + [s A ]φ B Q A = φ B P A + [s A ]Q A = φ B A B = φ A P B + [s B ]φ A Q B = φ A P B + [s B ]Q B = φ A B E AB = φ B (φ A (E 0 )) E 0 / P A + [s A ]Q A, P B + [s B ]Q B E BA = φ A (φ B E 0 )
29 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 11 SIDH security Setting: supersingular curves E 1 /F p 2 and E 2 /F p 2, a large prime p, and isogeny φ: E 1 E 2 with fixed, smooth, public degree. Supersingular isogeny problem: given P, Q E 1 and φ P, φ Q E 2, compute φ.
30 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 11 SIDH security Setting: supersingular curves E 1 /F p 2 and E 2 /F p 2, a large prime p, and isogeny φ: E 1 E 2 with fixed, smooth, public degree. Supersingular isogeny problem: given P, Q E 1 and φ P, φ Q E 2, compute φ. Best known attacks: classical O(p 1/4 ) and quantum O(p 1/6 ) via generic claw finding algorithms
31 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 11 SIDH security Setting: supersingular curves E 1 /F p 2 and E 2 /F p 2, a large prime p, and isogeny φ: E 1 E 2 with fixed, smooth, public degree. Supersingular isogeny problem: given P, Q E 1 and φ P, φ Q E 2, compute φ. Best known attacks: classical O(p 1/4 ) and quantum O(p 1/6 ) via generic claw finding algorithms Recently, Adj et al. (2018) argue that the best classical attack is instead the van Oorschot-Wiener collision finding algorithm: higher running time, but smaller space lower cost
32 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 12 Supersingular Isogeny Diffie-Hellman (SIDH) (Until recently) two problems remained: Existing realizations were still slow (running in the hundreds of milliseconds) and unprotected against timing side-channel attacks SIDH is not secure when keys are reused (Galbraith-Petit-Shani-Ti 2016) Only recommended in ephemeral mode
33 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 13 (A brief) Timeline of isogeny-based crypto, part II 2016 SIDH gets closer to practical use (Costello Longa Naehrig 2016). New parameter set (SIDHp751) for the 128-bit quantum security level. Several optimizations push performance below 60 milliseconds in constant-time Maybe, still not fast enough for some applications, and not secure with static keys.
34 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 14 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 IND-CCA secure key encapsulation: no problem reusing keys! Uses a variant of Hofheinz Hövelmanns Kiltz (HHK) transform: IND-CPA PKE IND-CCA KEM HHK transform is secure in both the classical and quantum ROM models Offline key generation gives performance boost (no perf loss SIDH SIKE)
35 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 15 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 Three parameters sets: SIKEp503, SIKEp751, SIKEp964 Match security of AES-128, AES-192 and AES For a starting curve E 0 /F p 2: y 2 = x 3 + x, where p = 2 e A3 e B 1 Scheme (SIKEp + log 2 p ) e A, e B classical sec. quantum sec. Security level SIKEp503 (250,159) 126 bits 84 bits AES-128 (NIST level 1) SIKEp751 (372,239) 188 bits 125 bits AES-192 (NIST level 3) SIKEp964 (486,301) 241 bits 161 bits AES-256 (NIST level 5)
36 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 15 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 Three parameters sets: SIKEp503, SIKEp751, SIKEp964 Match security of AES-128, AES-192 and AES or maybe exceed their security! See post by Ray Perlner in NIST PQC forum (March 29, 2018): See recent paper by Adj et al. For a starting curve E 0 /F p 2: y 2 = x 3 + x, where p = 2 e A3 e B 1 Scheme (SIKEp + log 2 p ) e A, e B classical sec. quantum sec. Security level SIKEp503 (250,159) 126 bits 84 bits AES-128 (NIST level 1)? SIKEp751 (372,239) 188 bits 125 bits AES-192 (NIST level 3)? SIKEp964 (486,301) 241 bits 161 bits AES-256 (NIST level 5)?
37 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 16 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 Upshot: Potential opportunity to tune parameters and achieve better performance. More research/cryptanalysis is needed.
38 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B
39 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B pk B Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17
40 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B pk B Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) encryption
41 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B Decaps 1. j = j E BA = j(φ B (φ A (E 0 ))) 2. m = F(j ) c[2] 3. r = G m, pk B mod 2 e A 4. Set ker φ A = P A + [r ]Q A 5. pk A = {φ A E 0, φ A P B, φ A Q B } 6. If pk A = c[1] then Shared key: ss = H(m, c) 7. Else ss = H(s, c) pk B c = (pk A, F(j) m) Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) encryption
42 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B Decaps 1. j = j E BA = j(φ B (φ A (E 0 ))) 2. m = F(j ) c[2] 3. r = G m, pk B mod 2 e A decryption 4. Set ker φ A = P A + [r ]Q A 5. pk A = {φ A E 0, φ A P B, φ A Q B } 6. If pk A = c[1] then Shared key: ss = H(m, c) 7. Else ss = H(s, c) pk B c = (pk A, F(j) m) Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) encryption
43 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B Decaps 1. j = j E BA = j(φ B (φ A (E 0 ))) 2. m = F(j ) c[2] 3. r = G m, pk B mod 2 e A decryption 4. Set ker φ A = P A + [r ]Q A 5. pk A = {φ A E 0, φ A P B, φ A Q B } 6. If pk A = c[1] then partial re-encryption Shared key: ss = H(m, c) 7. Else ss = H(s, c) pk B c = (pk A, F(j) m) Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) F, G, H instantiated with cshake256. encryption
44 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 18 Implementation: SIDH Library Current release: version Implements SIDH and SIKE with two parameter sets: SIDH/SIKEp503 and SIDH/SIKEp751 No secret branches, no secret memory accesses: protected against cache and timing attacks
45 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 18 Implementation: SIDH Library Current release: version Implements SIDH and SIKE with two parameter sets: SIDH/SIKEp503 and SIDH/SIKEp751 No secret branches, no secret memory accesses: protected against cache and timing attacks Recent update (May 7, 2018) with performance improvements!
46 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 19 Performance on x64 Primitive Quantum sec. Problem Speed Comm. Classical RSA 3072 ~0 bits factoring 4.6 ms 0.8 KB ECDH NIST P-256 ~0 bits EC dlog 1.4 ms 0.1 KB Passively secure key-exchange SIDHp bits? isogenies 9.2 ms 0.7 KB SIDHp bits? isogenies 26.9 ms 1.1 KB IND-CCA secure KEMs Kyber 161 bits M-LWE 0.07 ms 1.2 KB FrodoKEM bits LWE ms KB SIKEp bits? isogenies 9.0 ms 0.4 KB SIKEp bits? isogenies 26.0 ms 0.6 KB (*) Obtained on 3.4GHz Intel Haswell (Kyber) or Skylake (FrodoKEM and SIKE). very fast slow very small large
47 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 20 Authenticated key exchange Two core functions in SIDH (l {2,3}): isogen l, given secret integer s l, outputs public key pk l isoex l, given keypair (s l, pk l ), outputs shared secret j
48 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 20 Authenticated key exchange Two core functions in SIDH (l {2,3}): isogen l, given secret integer s l, outputs public key pk l isoex l, given keypair (s l, pk l ), outputs shared secret j Three core functions in SIKE: Keygen outputs keypair pk 3, sk 3 = (s, s 3 ) Encaps, given public key pk 3, outputs ciphertext ct and shared secret K s Decaps, given keypair (sk 3, pk 3 ) and ciphertext ct, outputs shared secret K s (iff ciphertext OK)
49 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 21 (Un)Authenticated key exchange s 2 K 2 pk 2 isogen 2 (s 2 ) pk 2 s 3 K 3 pk 3 pk 3 isogen 3 s 3 j isoex 2 (pk 3, s 2 ) K s = H(j) j isoex 3 pk 2, s 3 K s = H(j) (Ephemeral) unauthenticated SIDH key exchange Keyspace K 2 : [0,, 2 e 2 Keyspace K 3 : [0,, 2 γ, where γ = log 2 3 e 3
50 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 22 (Un)Authenticated key exchange (sk 3, pk 3 ) Keygen() K s Decaps(sk 3, pk 3, ct) pk 3 (ct, K s ) Encaps pk 3 ct Unauthenticated SIKE key exchange
51 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 22 (Un)Authenticated key exchange (sk 3, pk 3 ) Keygen() K s Decaps(sk 3, pk 3, ct) pk 3 (ct, K s ) Encaps pk 3 ct Unauthenticated SIKE key exchange has (sk 3, pk 3 ) K s Decaps(sk 3, pk 3, ct) ct knows pk 3 (ct, K s ) Encaps pk 3 Semi-static unauthenticated SIKE key exchange
52 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 23 Authenticated key exchange Original SIDH and SIKE protocols do not protect against (active) MitM attacks. Two popular ways to do authentication: Via digital signatures (e.g., SIGMA protocols [Krawczyk 2003]) Implicitly (e.g., based on KEMs [Boyd et al. 2008])
53 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 23 Authenticated key exchange Original SIDH and SIKE protocols do not protect against (active) MitM attacks. Two popular ways to do authentication: Via digital signatures (e.g., SIGMA protocols [Krawczyk 2003]) Implicitly (e.g., based on KEMs [Boyd et al. 2008]) We consider protocols under the strong security model of Canetti-Krawczyk (CK): Basic session-key security Perfect forward secrecy (PFS) Key-compromise impersonation (KCI) resilience
54 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 24 Authenticated key exchange: SIGMA-based has (sk A, pk A ) knows pk B r 2 R {0,1} n s A = H 1 r 2, B mod 2 e 2 epk A isogen 2 (s A ) j isoex 2 (epk B, s A ) K m = H 3 j K s = H 4 (j) epk A, n A epk B, B, n B, SIG skb (epk B, n A ), MAC Km (B) A, SIG ska (epk A, n B ), MAC Km (A) has (sk B, pk B ) knows pk A r 3 R {0,1} n s B = H 2 r 3, epk A mod 2 γ epk B isogen 3 s B j isoex 3 epk A, s B K m = H 3 j K s = H 4 (j) SIGMA-SIDH: client-server authenticated key exchange (*) γ = log 2 3 e 3
55 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 25 Authenticated key exchange: SIGMA-based For the near term: post-quantum protocols can use a classical signature scheme Security is proven in the CK model extended to the post-specified peer setting MACs and digital signature need to be existentially unforgeable under chosen message attacks (EUF-CMA)
56 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 26 Implicitly authenticated key exchange has (sk A, pk A ) knows pk B r 2 R {0,1} n s A = H 1 r 2, B mod 2 e 2 epk A isogen 2 (s A ) (ct A, K A ) Encaps(pk B ) K B Decaps(sk A, pk A, ct B ) j isoex 2 epk B, s A K s = H 3 (j, K A, K B ) ct A, epk A ct B, epk B has (sk B, pk B ) knows pk A r 3 R {0,1} n s B = H 2 r 3, epk A mod 2 γ epk B isogen 3 s B j isoex 3 epk A, s B (ct B, K B ) Encaps(pk A ) K A Decaps(sk B, pk B, ct A ) K s = H 3 (j, K A, K B ) AKE-SIDH-SIKE: client-server authenticated key exchange with weak PFS (*) γ = log 2 3 e 3
57 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 26 Implicitly authenticated key exchange Bob s authentication has (sk A, pk A ) knows pk B r 2 R {0,1} n s A = H 1 r 2, B mod 2 e 2 epk A isogen 2 (s A ) (ct A, K A ) Encaps(pk B ) K B Decaps(sk A, pk A, ct B ) j isoex 2 epk B, s A K s = H 3 (j, K A, K B ) ct A, epk A ct B, epk B has (sk B, pk B ) knows pk A r 3 R {0,1} n s B = H 2 r 3, epk A mod 2 γ epk B isogen 3 s B j isoex 3 epk A, s B (ct B, K B ) Encaps(pk A ) K A Decaps(sk B, pk B, ct A ) K s = H 3 (j, K A, K B ) AKE-SIDH-SIKE: client-server authenticated key exchange with weak PFS (*) γ = log 2 3 e 3
58 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 26 Implicitly authenticated key exchange has (sk A, pk A ) knows pk B has (sk B, pk B ) knows pk A r 2 R {0,1} n s A = H 1 r 2, B mod 2 e 2 epk A isogen 2 (s A ) (ct A, K A ) Encaps(pk B ) ct A, epk A r 3 R {0,1} n s B = H 2 r 3, epk A mod 2 γ epk B isogen 3 s B j isoex 3 epk A, s B (ct B, K B ) Encaps(pk A ) K A Decaps(sk B, pk B, ct A ) Alice s authentication Bob s authentication K B Decaps(sk A, pk A, ct B ) j isoex 2 epk B, s A K s = H 3 (j, K A, K B ) ct B, epk B K s = H 3 (j, K A, K B ) AKE-SIDH-SIKE: client-server authenticated key exchange with weak PFS (*) γ = log 2 3 e 3
59 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 27 Implicitly authenticated key exchange AKE-SIDH-SIKE can achieve full PFS by sending MAC Km (B) and MAC Km (A) and adding a third pass: AKE3-SIDH-SIKE Security is proven in the CK model including KCI resilience and PFS Security proof by Boyd et al. (2008) directly applies after replacing decision Diffie-Hellman (DDH) assumption by supersingular decision Diffie-Hellman (SSDH) assumption
60 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 28 Performance on x64: estimates for P503 Protocol Method Passes Features Speed Comm. Unauthenticated key-exchange SIDH - 2 PFS 9.2 ms 756 bytes SIKE - 2 PFS 9.0 ms 780 bytes Authenticated key-exchange SIGMA-SIDH Sign-and-MAC 3 PFS/KCI/IM/KC 9.2 ms 948 bytes SIGMA-I-SIDH Sign-and-MAC 3 PFS/KCI/IM/KC/IP 9.2 ms 948 bytes AKE-SIDH-SIKE implicit 2 weak PFS/KCI 27.2 ms 1560 bytes AKE3-SIDH-SIKE implicit 3 PFS/KCI/KC 27.2 ms 1624 bytes PFS: perfect forward secrecy KCI: key-compromise impersonation resilience IM: identity misbinding resilience KC: key confirmation IP: identity protection (*) Estimates on a 3.4GHz Intel Core i (Skylake) processor. (**) Speed estimates do not include network delays, cost of signing/macs.
61 Authenticated key exchange: relevant links For more details, see: P. Longa, A Note on Post-Quantum Authenticated Key Exchange from Supersingular Isogenies, Related work: S.D. Galbraith, Authenticated key exchange for SIDH, ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 29
62 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 30 SIKE in the NIST post-quantum competition SIKE website: SIKE specification: SIDH Library: Package (protocol specification and implementations) submitted to NIST: documents/round-1/submissions/sike.zip
63 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 31 References G. Adj, D. Cervantes-Vázquez, J.-J. Chi-Domínguez, A. Menezes, F. Rodríguez-Henríquez. On the cost of computing isogenies between supersingular elliptic curves, C. Boyd, Y. Cliff, J. M. González Nieto, K. G. Paterson. Efficient one-round key exchange in the standard model, in ACISP R. Canetti, H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels, in EUROCRYPT A. Childs, D. Jao, V. Soukharev. Constructing elliptic curve isogenies in quantum subexponential time, Journal of Math. Cryptology, (2010) C. Costello, P. Longa, M. Naehrig. Efficient Algorithms for supersingular isogeny Diffie-Hellman, in Advances in Cryptology CRYPTO J.-M. Couveignes. Computing l-isogenies using the p-torsion, in ANTS-II, J.-M. Couveignes. Hard homogeneous spaces, S.D. Galbraith, C. Petit, B. Shani, Y.B. Ti. On the security of supersingular isogeny cryptosystems, in ASIACRYPT D. Jao, L. De Feo. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, in PQCrypto H. Krawczyk. SIGMA: the SIGn-and-MAc approach to authenticated Diffie-Hellman and its use in the IKE-protocols, in CRYPTO A. Rostovtsev and A. Stolbunov. Public-key cryptosystem based on isogenies, A. Stolbunov, Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves, in Adv. Math. Commun., 2010.
64
Supersingular Isogeny Key Encapsulation
Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionq, Inc. Full list of submitters: Reza Azarderakhsh, FAU Matt Campagna, Amazon Craig Costello, MSR Luca
More informationSupersingular Isogeny Key Encapsulation (SIKE)
Supersingular Isogeny Key Encapsulation (SIKE) Reza Azarderakhsh Matthew Campagna Craig Costello Luca De Feo Basil Hess David Jao Brian Koziel Brian LaMacchia Patrick Longa Michael Naehrig Joost Renes
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationElliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography
Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationCurrent trends and challenges in post-quantum cryptography. Steven Galbraith University of Auckland, New Zealand
Current trends and challenges in post-quantum cryptography University of Auckland, New Zealand Thanks Eric Bach, Joshua Holden, Jen Paulhus, Andrew Shallue, Renate Scheidler, Jonathan Sorenson. Hilary
More informationON THE COST OF COMPUTING ISOGENIES BETWEEN SUPERSINGULAR ELLIPTIC CURVES
ON THE COST OF COMPUTING ISOGENIES BETWEEN SUPERSINGULR ELLIPTIC CURVES GOR DJ, DNIEL CERVNTES-VÁZQUEZ, JESÚS-JVIER CHI-DOMÍNGUEZ, LFRED MENEZES, ND FRNCISCO RODRÍGUEZ-HENRÍQUEZ bstract. The security of
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationA Post-Quantum Digital Signature Scheme based on Supersingular Isogenies
Post-Quantum Digital Signature Scheme based on Supersingular Isogenies by Youngho Yoo thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationPost-quantum key exchange based on Lattices
Post-quantum key exchange based on Lattices Joppe W. Bos Romanian Cryptology Days Conference Cybersecurity in a Post-quantum World September 20, 2017, Bucharest 1. NXP Semiconductors Operations in > 35
More informationLoop-abort faults on supersingular isogeny cryptosystems
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLoop-abort faults on supersingular isogeny cryptosystems
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin 1 and Benjamin Wesolowski 2 1 Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France alexandre.gelin@lip6.fr 2 École
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationPractical, Quantum-Secure Key Exchange from LWE
Practical, Quantum-Secure Key Exchange from LWE Douglas Stebila 4 th ETSI/IQC Workshop on Quantum-Safe Cryptography September 21, 2016 Acknowledgements Collaborators Joppe Bos Craig Costello and Michael
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationOn hybrid SIDH schemes using Edwards and Montgomery curve arithmetic
On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic Michael Meyer 1,2, Steffen Reith 1, and Fabio Campos 1 1 Department of Computer Science, University of Applied Sciences Wiesbaden 2
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationPart 2 LWE-based cryptography
Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, 2017 https://www.douglas.stebila.ca/research/presentations Funding acknowledgements: SAC Summer School 2017-08-14
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationThe isogeny cycle seminar
The isogeny cycle seminar Luca De Feo Université de Versailles & Inria Saclay September 29, 2016, École Polytechnique Fédérale de Lausanne Elliptic curves Let E : y 2 = x 3 + ax + b be an elliptic curve...
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationEfficient algorithms for supersingular isogeny
Efficient algorithms for supersingular isogeny Diffie-Hellman Craig Costello, Patrick Longa, and Michael Naehrig Microsoft Research, US bstract. We propose a new suite of algorithms that significantly
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationCSIDH: An Efficient Post-Quantum Commutative Group Action
CSIDH: An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1, Tanja Lange 2, Chloe Martindale 2, Lorenz Panny 2, and Joost Renes 3 wouter.castryck@esat.kuleuven.be, tanja@hyperelliptic.org,
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationPost-Quantum Security of Authenticated Key Establishment Protocols
Post-Quantum Security of Authenticated Key Establishment Protocols by Jason LeGrow A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationEfficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography
Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography Angshuman Karmakar 1 Sujoy Sinha Roy 1 Frederik Vercauteren 1,2 Ingrid Verbauwhede 1 1 COSIC, ESAT KU Leuven and iminds
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationPOST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck https://hboeck.de 1 INTRODUCTION Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded
More informationPractical Supersingular Isogeny Group Key Agreement
Practical Supersingular Isogeny Group Key Agreement Reza Azarderakhsh 1, Amir Jalali 1, David Jao 2, and Vladimir Soukharev 3 1 Department of Computer and Electrical Engineering and Computer Science, Florida
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationGenus Two Isogeny Cryptography
Genus Two Isogeny Cryptography E.V. Flynn 1 and Yan Bo Ti 2 1 Mathematical Institute, Oxford University, UK. flynn@maths.ox.ac.uk 2 Mathematics Department, University of Auckland, NZ. yanbo.ti@gmail.com
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationHybrid Key Encapsulation Mechanisms and Authenticated Key Exchange
Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange Nina Bindel 1 Jacqueline Brendel 1 Marc Fischlin 1 Brian Goncalves 2 Douglas Stebila 3 1 Technische Universität Darmstadt, Darmstadt,
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More information18 Seconds to Key Exchange: Limitations of Supersingular Isogeny Diffie-Hellman on Embedded Devices
18 Seconds to Key Exchange: Limitations of Supersingular Isogeny Diffie-Hellman on Embedded Devices Philipp Koppermann 1, Eduard Pop 1, Johann Heyszl 1, and Georg Sigl 1,2 1 Fraunhofer Institute for pplied
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationSecurity II: Cryptography exercises
Security II: Cryptography exercises Markus Kuhn Lent 2015 Part II Some of the exercises require the implementation of short programs. The model answers use Perl (see Part IB Unix Tools course), but you
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationFrodoKEM Learning With Errors Key Encapsulation. Algorithm Specifications And Supporting Documentation
FrodoKEM Learning With Errors Key Encapsulation Algorithm Specifications And Supporting Documentation Erdem Alkim Joppe W. Bos Léo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationUnbalancing Pairing-Based Key Exchange Protocols
Unbalancing Pairing-Based Key Exchange Protocols Michael Scott Certivox Labs mike.scott@certivox.com Abstract. In many pairing-based protocols more than one party is involved, and some or all of them may
More information