- PDF Free Download

Size: px

Start display at page:

Download ""

Baldwin Owen
5 years ago
Views:

2 Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular isogenies ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 1

3 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 2 Quick motivation recap Quantum computers will break public-key cryptography currently in use: cryptosystems based on factoring and (elliptic curve) discrete logarithms NIST launches the post-quantum cryptography standardization project: call-for-proposals-final-dec-2016.pdf The goal of this process is to select a number of acceptable candidate cryptosystems for standardization. (This includes: digital signatures, encryption and key encapsulation).

4 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 3 Post-quantum candidates Code-based Lattice-based Hash-based Multivariate Isogeny-based Classic McEliece, QCMDPC codes (BIKE) NTRU, LWE (FrodoKEM), M-LWE (Kyber), R-LWE (NewHope) Merkle hash-tree signatures (Gravity-SPHINCS, SPHINCS + ) MQDSS, Rainbow SIDH (SIKE)

5 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 3 Post-quantum candidates: in this talk Code-based Lattice-based Hash-based Multivariate Isogeny-based Classic McEliece, QCMDPC codes (BIKE) NTRU, LWE (FrodoKEM), M-LWE (Kyber), R-LWE (NewHope) Merkle hash-tree signatures (Gravity-SPHINCS, SPHINCS + ) MQDSS, Rainbow SIDH (SIKE)

6 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 4 (A brief) Timeline of isogeny-based crypto, part I 1996 Couveignes describes first isogeny-based (key exchange) scheme Rostovtsev and Stolbunov propose key exchange using ordinary isogenies. These schemes are impractical, and Can be broken in quantum subexponential time (Childs Jao Soukharev 2010) Jao and De Feo propose key exchange using supersingular isogenies (SIDH). Much better performance. Best quantum and classical attack complexity is, as of today, exponential.

7 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 5 Elliptic curves and isogenies Every elliptic curve over a field K with char(k) > 3 can be defined in (short) Weierstrass form by E: y 2 = x 3 + ax + b, where a, b K and = 16(4a b 2 ) 0.

8 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 5 Elliptic curves and isogenies Every elliptic curve over a field K with char(k) > 3 can be defined in (short) Weierstrass form by E: y 2 = x 3 + ax + b, where a, b K and = 16(4a b 2 ) 0. For an extension field L of K, the set of L-rational points on E E L = x, y L L: y 2 x 3 ax b = 0 {O}, together with the group addition law, forms an abelian group with identity O.

9 Elliptic curves and isogenies Every elliptic curve over a field K with char(k) > 3 can be defined in (short) Weierstrass form by E: y 2 = x 3 + ax + b, where a, b K and = 16(4a b 2 ) 0. For an extension field L of K, the set of L-rational points on E E L = x, y L L: y 2 x 3 ax b = 0 {O}, together with the group addition law, forms an abelian group with identity O. Isomorphism classes are determined by the j-invariant: j E = a 3 4a 3 +27b 2 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 5

10 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 6 Elliptic curves and isogenies Let E 1 and E 2 be elliptic curves defined over an extension field L. An isogeny is a (non-constant) rational map φ: E 1 E 2 that preserves identity, i.e., φ(o E1 ) O E2.

11 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 6 Elliptic curves and isogenies Let E 1 and E 2 be elliptic curves defined over an extension field L. An isogeny is a (non-constant) rational map φ: E 1 E 2 that preserves identity, i.e., φ(o E1 ) O E2. Relevant properties: Isogenies are group homomorphisms. For every finite subgroup G E 1, there is a unique curve E 2 (up to isomorphism) and isogeny φ: E 1 E 2 with kernel G. Write E 2 = φ E 1 = E 1 /G. (Separable) isogenies have deg φ = # ker φ.

12 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 7 Supersingular curves An elliptic curve E/L is supersingular if #E(L) 1(mod p). All supersingular curves can be defined over F p 2. There are ~ p/12 isomorphism classes of supersingular curves.

13 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 8 Supersingular isogeny graphs Vertices: the ~ p/12 isomorphism classes of supersingular curves over F p 2.

14 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 8 Supersingular isogeny graphs Vertices: the ~ p/12 isomorphism classes of supersingular curves over F p 2. Edges: isogenies of a fixed prime degree l p l = 2

15 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 8 Supersingular isogeny graphs Vertices: the ~ p/12 isomorphism classes of supersingular curves over F p 2. Edges: isogenies of a fixed prime degree l p For any prime l p, there exist (l + 1) isogenies of degree l originating from every supersingular curve. l = 2

16 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 8 Supersingular isogeny graphs Vertices: the ~ p/12 isomorphism classes of supersingular curves over F p 2. Edges: isogenies of a fixed prime degree l p For any prime l p, there exist (l + 1) isogenies of degree l originating from every supersingular curve. l = 2 l = 3

17 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 9 Supersingular Isogeny Diffie-Hellman (SIDH) Setup: l 2,3, supersingular curve E 0 /F p 2 with a prime p = f 2 e A3 e B 1 such that 2 e A 3 e B and f small. Then: E 2 e A, E[3 e B] E 0 (F p 2)

18 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 9 Supersingular Isogeny Diffie-Hellman (SIDH) Setup: l 2,3, supersingular curve E 0 /F p 2 with a prime p = f 2 e A3 e B 1 such that 2 e A 3 e B and f small. Then: E 2 e A, E[3 e B] E 0 (F p 2) works over E[2 e A] using 2-isogenies and linearly independent points P A, Q A. works over E[3 e B] using 3-isogenies and linearly independent points P B, Q B.

19 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E 0

20 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E 0

21 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E A = E 0 / A E 0

22 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E A = E 0 / A E 0 E B = E 0 / B

23 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points E A = E 0 / A E 0 E B = E 0 / B

24 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A E 0 E B = E 0 / B R B, S B = {φ B P A, φ B (Q A )}

25 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A E 0 ker(φ A ) = A = R B + [s A ]S B E E φ BA B = E 0 / B A R B, S B = {φ B P A, φ B (Q A )} = E B / A A = φ B P A + [s A ]φ B Q A = φ B P A + [s A ]Q A = φ B A

26 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A φ B ker φ B = B = R A + [s B ]S A E AB = E A / B E 0 ker(φ A ) = A = R B + [s A ]S B φ A E B = E 0 / B R B, S B = {φ B P A, φ B (Q A )} E BA = E B / A A = φ B P A + [s A ]φ B Q A = φ B P A + [s A ]Q A = φ B A B = φ A P B + [s B ]φ A Q B = φ A P B + [s B ]Q B = φ A B

27 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A φ B ker φ B = B = R A + [s B ]S A E AB = E A / B E 0 ker(φ A ) = A = R B + [s A ]S B φ A E B = E 0 / B R B, S B = {φ B P A, φ B (Q A )} E BA = E B / A A = φ B P A + [s A ]φ B Q A = φ B P A + [s A ]Q A = φ B A B = φ A P B + [s B ]φ A Q B = φ A P B + [s B ]Q B = φ A B E AB = φ B (φ A (E 0 )) E 0 / P A + [s A ]Q A, P B + [s B ]Q B E BA = φ A (φ B E 0 )

28 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 10 Supersingular Isogeny Diffie-Hellman (SIDH) private Alice public private Bob params E s are isogenous curves P s, Q s, R s, S s are points R A, S A = {φ A P B, φ A (Q B )} E A = E 0 / A E 0 E 0 / A, B E B = E 0 / B R B, S B = {φ B P A, φ B (Q A )} A = φ B P A + [s A ]φ B Q A = φ B P A + [s A ]Q A = φ B A B = φ A P B + [s B ]φ A Q B = φ A P B + [s B ]Q B = φ A B E AB = φ B (φ A (E 0 )) E 0 / P A + [s A ]Q A, P B + [s B ]Q B E BA = φ A (φ B E 0 )

29 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 11 SIDH security Setting: supersingular curves E 1 /F p 2 and E 2 /F p 2, a large prime p, and isogeny φ: E 1 E 2 with fixed, smooth, public degree. Supersingular isogeny problem: given P, Q E 1 and φ P, φ Q E 2, compute φ.

30 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 11 SIDH security Setting: supersingular curves E 1 /F p 2 and E 2 /F p 2, a large prime p, and isogeny φ: E 1 E 2 with fixed, smooth, public degree. Supersingular isogeny problem: given P, Q E 1 and φ P, φ Q E 2, compute φ. Best known attacks: classical O(p 1/4 ) and quantum O(p 1/6 ) via generic claw finding algorithms

31 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 11 SIDH security Setting: supersingular curves E 1 /F p 2 and E 2 /F p 2, a large prime p, and isogeny φ: E 1 E 2 with fixed, smooth, public degree. Supersingular isogeny problem: given P, Q E 1 and φ P, φ Q E 2, compute φ. Best known attacks: classical O(p 1/4 ) and quantum O(p 1/6 ) via generic claw finding algorithms Recently, Adj et al. (2018) argue that the best classical attack is instead the van Oorschot-Wiener collision finding algorithm: higher running time, but smaller space lower cost

32 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 12 Supersingular Isogeny Diffie-Hellman (SIDH) (Until recently) two problems remained: Existing realizations were still slow (running in the hundreds of milliseconds) and unprotected against timing side-channel attacks SIDH is not secure when keys are reused (Galbraith-Petit-Shani-Ti 2016) Only recommended in ephemeral mode

33 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 13 (A brief) Timeline of isogeny-based crypto, part II 2016 SIDH gets closer to practical use (Costello Longa Naehrig 2016). New parameter set (SIDHp751) for the 128-bit quantum security level. Several optimizations push performance below 60 milliseconds in constant-time Maybe, still not fast enough for some applications, and not secure with static keys.

34 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 14 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 IND-CCA secure key encapsulation: no problem reusing keys! Uses a variant of Hofheinz Hövelmanns Kiltz (HHK) transform: IND-CPA PKE IND-CCA KEM HHK transform is secure in both the classical and quantum ROM models Offline key generation gives performance boost (no perf loss SIDH SIKE)

35 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 15 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 Three parameters sets: SIKEp503, SIKEp751, SIKEp964 Match security of AES-128, AES-192 and AES For a starting curve E 0 /F p 2: y 2 = x 3 + x, where p = 2 e A3 e B 1 Scheme (SIKEp + log 2 p ) e A, e B classical sec. quantum sec. Security level SIKEp503 (250,159) 126 bits 84 bits AES-128 (NIST level 1) SIKEp751 (372,239) 188 bits 125 bits AES-192 (NIST level 3) SIKEp964 (486,301) 241 bits 161 bits AES-256 (NIST level 5)

36 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 15 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 Three parameters sets: SIKEp503, SIKEp751, SIKEp964 Match security of AES-128, AES-192 and AES or maybe exceed their security! See post by Ray Perlner in NIST PQC forum (March 29, 2018): See recent paper by Adj et al. For a starting curve E 0 /F p 2: y 2 = x 3 + x, where p = 2 e A3 e B 1 Scheme (SIKEp + log 2 p ) e A, e B classical sec. quantum sec. Security level SIKEp503 (250,159) 126 bits 84 bits AES-128 (NIST level 1)? SIKEp751 (372,239) 188 bits 125 bits AES-192 (NIST level 3)? SIKEp964 (486,301) 241 bits 161 bits AES-256 (NIST level 5)?

37 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 16 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 Upshot: Potential opportunity to tune parameters and achieve better performance. More research/cryptanalysis is needed.

38 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B

39 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B pk B Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17

40 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B pk B Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) encryption

41 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B Decaps 1. j = j E BA = j(φ B (φ A (E 0 ))) 2. m = F(j ) c[2] 3. r = G m, pk B mod 2 e A 4. Set ker φ A = P A + [r ]Q A 5. pk A = {φ A E 0, φ A P B, φ A Q B } 6. If pk A = c[1] then Shared key: ss = H(m, c) 7. Else ss = H(s, c) pk B c = (pk A, F(j) m) Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) encryption

42 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B Decaps 1. j = j E BA = j(φ B (φ A (E 0 ))) 2. m = F(j ) c[2] 3. r = G m, pk B mod 2 e A decryption 4. Set ker φ A = P A + [r ]Q A 5. pk A = {φ A E 0, φ A P B, φ A Q B } 6. If pk A = c[1] then Shared key: ss = H(m, c) 7. Else ss = H(s, c) pk B c = (pk A, F(j) m) Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) encryption

43 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 17 Supersingular isogeny key encapsulation (SIKE) Costello De Feo Jao Longa Naehrig Renes, 2017 KeyGen 1. s B R [0, 2 log 23 eb ) 2. Set ker φ B = P B + [s B ]Q B 3. pk B = {φ B E 0, φ B P A, φ B Q A } 4. s R {0,1} n 5. keypair: sk B = (s, s B ), pk B Decaps 1. j = j E BA = j(φ B (φ A (E 0 ))) 2. m = F(j ) c[2] 3. r = G m, pk B mod 2 e A decryption 4. Set ker φ A = P A + [r ]Q A 5. pk A = {φ A E 0, φ A P B, φ A Q B } 6. If pk A = c[1] then partial re-encryption Shared key: ss = H(m, c) 7. Else ss = H(s, c) pk B c = (pk A, F(j) m) Encaps 1. message m R 0,1 n 2. r = G m, pk B mod 2 e A 3. Set ker φ A = P A + [r]q A 4. pk A = {φ A E 0, φ A P B, φ A Q B } 5. j = j E AB = j(φ A (φ B (E 0 ))) 6. Shared key: ss = H(m, c) F, G, H instantiated with cshake256. encryption

44 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 18 Implementation: SIDH Library Current release: version Implements SIDH and SIKE with two parameter sets: SIDH/SIKEp503 and SIDH/SIKEp751 No secret branches, no secret memory accesses: protected against cache and timing attacks

45 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 18 Implementation: SIDH Library Current release: version Implements SIDH and SIKE with two parameter sets: SIDH/SIKEp503 and SIDH/SIKEp751 No secret branches, no secret memory accesses: protected against cache and timing attacks Recent update (May 7, 2018) with performance improvements!

46 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 19 Performance on x64 Primitive Quantum sec. Problem Speed Comm. Classical RSA 3072 ~0 bits factoring 4.6 ms 0.8 KB ECDH NIST P-256 ~0 bits EC dlog 1.4 ms 0.1 KB Passively secure key-exchange SIDHp bits? isogenies 9.2 ms 0.7 KB SIDHp bits? isogenies 26.9 ms 1.1 KB IND-CCA secure KEMs Kyber 161 bits M-LWE 0.07 ms 1.2 KB FrodoKEM bits LWE ms KB SIKEp bits? isogenies 9.0 ms 0.4 KB SIKEp bits? isogenies 26.0 ms 0.6 KB (*) Obtained on 3.4GHz Intel Haswell (Kyber) or Skylake (FrodoKEM and SIKE). very fast slow very small large

47 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 20 Authenticated key exchange Two core functions in SIDH (l {2,3}): isogen l, given secret integer s l, outputs public key pk l isoex l, given keypair (s l, pk l ), outputs shared secret j

48 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 20 Authenticated key exchange Two core functions in SIDH (l {2,3}): isogen l, given secret integer s l, outputs public key pk l isoex l, given keypair (s l, pk l ), outputs shared secret j Three core functions in SIKE: Keygen outputs keypair pk 3, sk 3 = (s, s 3 ) Encaps, given public key pk 3, outputs ciphertext ct and shared secret K s Decaps, given keypair (sk 3, pk 3 ) and ciphertext ct, outputs shared secret K s (iff ciphertext OK)

49 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 21 (Un)Authenticated key exchange s 2 K 2 pk 2 isogen 2 (s 2 ) pk 2 s 3 K 3 pk 3 pk 3 isogen 3 s 3 j isoex 2 (pk 3, s 2 ) K s = H(j) j isoex 3 pk 2, s 3 K s = H(j) (Ephemeral) unauthenticated SIDH key exchange Keyspace K 2 : [0,, 2 e 2 Keyspace K 3 : [0,, 2 γ, where γ = log 2 3 e 3

50 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 22 (Un)Authenticated key exchange (sk 3, pk 3 ) Keygen() K s Decaps(sk 3, pk 3, ct) pk 3 (ct, K s ) Encaps pk 3 ct Unauthenticated SIKE key exchange

51 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 22 (Un)Authenticated key exchange (sk 3, pk 3 ) Keygen() K s Decaps(sk 3, pk 3, ct) pk 3 (ct, K s ) Encaps pk 3 ct Unauthenticated SIKE key exchange has (sk 3, pk 3 ) K s Decaps(sk 3, pk 3, ct) ct knows pk 3 (ct, K s ) Encaps pk 3 Semi-static unauthenticated SIKE key exchange

52 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 23 Authenticated key exchange Original SIDH and SIKE protocols do not protect against (active) MitM attacks. Two popular ways to do authentication: Via digital signatures (e.g., SIGMA protocols [Krawczyk 2003]) Implicitly (e.g., based on KEMs [Boyd et al. 2008])

53 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 23 Authenticated key exchange Original SIDH and SIKE protocols do not protect against (active) MitM attacks. Two popular ways to do authentication: Via digital signatures (e.g., SIGMA protocols [Krawczyk 2003]) Implicitly (e.g., based on KEMs [Boyd et al. 2008]) We consider protocols under the strong security model of Canetti-Krawczyk (CK): Basic session-key security Perfect forward secrecy (PFS) Key-compromise impersonation (KCI) resilience

54 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 24 Authenticated key exchange: SIGMA-based has (sk A, pk A ) knows pk B r 2 R {0,1} n s A = H 1 r 2, B mod 2 e 2 epk A isogen 2 (s A ) j isoex 2 (epk B, s A ) K m = H 3 j K s = H 4 (j) epk A, n A epk B, B, n B, SIG skb (epk B, n A ), MAC Km (B) A, SIG ska (epk A, n B ), MAC Km (A) has (sk B, pk B ) knows pk A r 3 R {0,1} n s B = H 2 r 3, epk A mod 2 γ epk B isogen 3 s B j isoex 3 epk A, s B K m = H 3 j K s = H 4 (j) SIGMA-SIDH: client-server authenticated key exchange (*) γ = log 2 3 e 3

55 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 25 Authenticated key exchange: SIGMA-based For the near term: post-quantum protocols can use a classical signature scheme Security is proven in the CK model extended to the post-specified peer setting MACs and digital signature need to be existentially unforgeable under chosen message attacks (EUF-CMA)

56 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 26 Implicitly authenticated key exchange has (sk A, pk A ) knows pk B r 2 R {0,1} n s A = H 1 r 2, B mod 2 e 2 epk A isogen 2 (s A ) (ct A, K A ) Encaps(pk B ) K B Decaps(sk A, pk A, ct B ) j isoex 2 epk B, s A K s = H 3 (j, K A, K B ) ct A, epk A ct B, epk B has (sk B, pk B ) knows pk A r 3 R {0,1} n s B = H 2 r 3, epk A mod 2 γ epk B isogen 3 s B j isoex 3 epk A, s B (ct B, K B ) Encaps(pk A ) K A Decaps(sk B, pk B, ct A ) K s = H 3 (j, K A, K B ) AKE-SIDH-SIKE: client-server authenticated key exchange with weak PFS (*) γ = log 2 3 e 3

57 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 26 Implicitly authenticated key exchange Bob s authentication has (sk A, pk A ) knows pk B r 2 R {0,1} n s A = H 1 r 2, B mod 2 e 2 epk A isogen 2 (s A ) (ct A, K A ) Encaps(pk B ) K B Decaps(sk A, pk A, ct B ) j isoex 2 epk B, s A K s = H 3 (j, K A, K B ) ct A, epk A ct B, epk B has (sk B, pk B ) knows pk A r 3 R {0,1} n s B = H 2 r 3, epk A mod 2 γ epk B isogen 3 s B j isoex 3 epk A, s B (ct B, K B ) Encaps(pk A ) K A Decaps(sk B, pk B, ct A ) K s = H 3 (j, K A, K B ) AKE-SIDH-SIKE: client-server authenticated key exchange with weak PFS (*) γ = log 2 3 e 3

58 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 26 Implicitly authenticated key exchange has (sk A, pk A ) knows pk B has (sk B, pk B ) knows pk A r 2 R {0,1} n s A = H 1 r 2, B mod 2 e 2 epk A isogen 2 (s A ) (ct A, K A ) Encaps(pk B ) ct A, epk A r 3 R {0,1} n s B = H 2 r 3, epk A mod 2 γ epk B isogen 3 s B j isoex 3 epk A, s B (ct B, K B ) Encaps(pk A ) K A Decaps(sk B, pk B, ct A ) Alice s authentication Bob s authentication K B Decaps(sk A, pk A, ct B ) j isoex 2 epk B, s A K s = H 3 (j, K A, K B ) ct B, epk B K s = H 3 (j, K A, K B ) AKE-SIDH-SIKE: client-server authenticated key exchange with weak PFS (*) γ = log 2 3 e 3

59 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 27 Implicitly authenticated key exchange AKE-SIDH-SIKE can achieve full PFS by sending MAC Km (B) and MAC Km (A) and adding a third pass: AKE3-SIDH-SIKE Security is proven in the CK model including KCI resilience and PFS Security proof by Boyd et al. (2008) directly applies after replacing decision Diffie-Hellman (DDH) assumption by supersingular decision Diffie-Hellman (SSDH) assumption

60 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 28 Performance on x64: estimates for P503 Protocol Method Passes Features Speed Comm. Unauthenticated key-exchange SIDH - 2 PFS 9.2 ms 756 bytes SIKE - 2 PFS 9.0 ms 780 bytes Authenticated key-exchange SIGMA-SIDH Sign-and-MAC 3 PFS/KCI/IM/KC 9.2 ms 948 bytes SIGMA-I-SIDH Sign-and-MAC 3 PFS/KCI/IM/KC/IP 9.2 ms 948 bytes AKE-SIDH-SIKE implicit 2 weak PFS/KCI 27.2 ms 1560 bytes AKE3-SIDH-SIKE implicit 3 PFS/KCI/KC 27.2 ms 1624 bytes PFS: perfect forward secrecy KCI: key-compromise impersonation resilience IM: identity misbinding resilience KC: key confirmation IP: identity protection (*) Estimates on a 3.4GHz Intel Core i (Skylake) processor. (**) Speed estimates do not include network delays, cost of signing/macs.

61 Authenticated key exchange: relevant links For more details, see: P. Longa, A Note on Post-Quantum Authenticated Key Exchange from Supersingular Isogenies, Related work: S.D. Galbraith, Authenticated key exchange for SIDH, ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 29

62 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 30 SIKE in the NIST post-quantum competition SIKE website: SIKE specification: SIDH Library: Package (protocol specification and implementations) submitted to NIST: documents/round-1/submissions/sike.zip

63 ICMC 2018 Patrick Longa Practical quantum-resistant crypto from supersingular isogenies 31 References G. Adj, D. Cervantes-Vázquez, J.-J. Chi-Domínguez, A. Menezes, F. Rodríguez-Henríquez. On the cost of computing isogenies between supersingular elliptic curves, C. Boyd, Y. Cliff, J. M. González Nieto, K. G. Paterson. Efficient one-round key exchange in the standard model, in ACISP R. Canetti, H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels, in EUROCRYPT A. Childs, D. Jao, V. Soukharev. Constructing elliptic curve isogenies in quantum subexponential time, Journal of Math. Cryptology, (2010) C. Costello, P. Longa, M. Naehrig. Efficient Algorithms for supersingular isogeny Diffie-Hellman, in Advances in Cryptology CRYPTO J.-M. Couveignes. Computing l-isogenies using the p-torsion, in ANTS-II, J.-M. Couveignes. Hard homogeneous spaces, S.D. Galbraith, C. Petit, B. Shani, Y.B. Ti. On the security of supersingular isogeny cryptosystems, in ASIACRYPT D. Jao, L. De Feo. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, in PQCrypto H. Krawczyk. SIGMA: the SIGn-and-MAc approach to authenticated Diffie-Hellman and its use in the IKE-protocols, in CRYPTO A. Rostovtsev and A. Stolbunov. Public-key cryptosystem based on isogenies, A. Stolbunov, Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves, in Adv. Math. Commun., 2010.

Supersingular Isogeny Key Encapsulation

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionq, Inc. Full list of submitters: Reza Azarderakhsh, FAU Matt Campagna, Amazon Craig Costello, MSR Luca