You could have invented Supersingular Isogeny Diffie-Hellman

Size: px

Start display at page:

Download "You could have invented Supersingular Isogeny Diffie-Hellman"

Dwight Conley
6 years ago
Views:

1 You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October / 22

2 Shor s algorithm 94 Shor s algorithm quantumly breaks Diffie-Hellman in any group in polynomial time. 2 / 22

3 Shor s algorithm 94 Shor s algorithm quantumly breaks Diffie-Hellman in any group in polynomial time. But mathematicians fancy elliptic curves... What do? 2 / 22

4 Graph walking Diffie-Hellman? Imagine... We have a finite graph and some starting node There is a set of directions for navigating the graph Alice and Bob do Diffie-Hellman using secret paths 3 / 22

5 Graph walking Diffie-Hellman? 3 / 22

6 Graph walking Diffie-Hellman? 3 / 22

7 Graph walking Diffie-Hellman? 3 / 22

8 Graph walking Diffie-Hellman? Imagine... We have a finite graph and some starting node There is a set of directions for navigating the graph Alice and Bob do Diffie-Hellman using secret paths 3 / 22

9 Graph walking Diffie-Hellman? Imagine... We have a finite graph and some starting node There is a set of directions for navigating the graph Alice and Bob do Diffie-Hellman using secret paths It should be hard to recover the path given the end points. = The graph must be random and exponentially large. 3 / 22

10 Graph walking Diffie-Hellman? Imagine... We have a finite graph and some starting node There is a set of directions for navigating the graph Alice and Bob do Diffie-Hellman using secret paths It should be hard to recover the path given the end points. = The graph must be random and exponentially large. How to make sure Alice and Bob arrive at the same end point? 3 / 22

11 Graph walking? Stand back! We re going to do math. 4 / 22

12 Elliptic curves An elliptic curve (modulo details) is given by an equation E: y 2 = x 3 + ax + b. A point on E is a solution to this equation or. Isomorphism classes are identified by their j-invariant. 5 / 22

13 Elliptic curves An elliptic curve (modulo details) is given by an equation E: y 2 = x 3 + ax + b. A point on E is a solution to this equation or. Isomorphism classes are identified by their j-invariant. E is an abelian group: we can add points. The neutral element is. The inverse of (x, y) is (x, y). The sum of (x 1, y 1 ) and (x 2, y 2 ) is ( λ 2 x 1 x 2, λ(2x 1 + x 2 λ 2 ) y 1 ) where λ = y 2 y 1 x 2 x 1 if x 1 x 2 and λ = 3x2 1 +a 2y 1 otherwise. 5 / 22

14 Isogenies An isogeny of elliptic curves is a non-constant map E E given by rational functions that is a group homomorphism The degree of a separable 1 isogeny is the size of its kernel. 1 Over F q, this means it does not factor through Frobenius (x, y) (x q, y q ). 6 / 22

15 Isogenies An isogeny of elliptic curves is a non-constant map E E given by rational functions that is a group homomorphism The degree of a separable 1 isogeny is the size of its kernel. Example: For each m 0, the multiplication-by-m map [m]: E E is a degree-m 2 isogeny. If m 0 in the base field, its kernel is E[m] = Z/m Z/m. 1 Over F q, this means it does not factor through Frobenius (x, y) (x q, y q ). 6 / 22

16 Isogenies An isogeny of elliptic curves is a non-constant map E E given by rational functions that is a group homomorphism The degree of a separable 1 isogeny is the size of its kernel. ( ) Example: (x, y) x 3 4x 2 +30x 12, x3 6x 2 14x+35 y (x 2) 2 (x 2) 3 defines a degree-3 isogeny of the elliptic curves {y 2 = x 3 + x} {y 2 = x 3 3x + 3} over F 71. Its kernel is {(2, 9), (2, 9), }. 1 Over F q, this means it does not factor through Frobenius (x, y) (x q, y q ). 6 / 22

17 Isogeny graphs Fix a prime power q and an integer l 2. The l-isogeny graph over F q consists of the following data: Nodes: isomorphism classes of elliptic curves /F q. Edges: equivalence classes 1 of degree-l isogenies. 1 Two isogenies ϕ: E E and ψ : E E are identified if ψ = ι ϕ for some isomorphism ι: E E. 7 / 22

18 Isogeny graphs Fix a prime power q and an integer l 2. The l-isogeny graph over F q consists of the following data: Nodes: isomorphism classes of elliptic curves /F q. Edges: equivalence classes 1 of degree-l isogenies. The l-isogeny graph is an undirected multigraph except for edges touching the j-invariants 0 or Two isogenies ϕ: E E and ψ : E E are identified if ψ = ι ϕ for some isomorphism ι: E E. 7 / 22

19 2-isogeny graph over F / 22

20 3-isogeny graph over F / 22

21 Supersingular elliptic curves An elliptic curve E/ F p is supersingular if E[p] = { }. 10 / 22

22 Supersingular elliptic curves An elliptic curve E/ F p is supersingular if E[p] = { }. If p 5, then E/F p is supersingular iff #E(F p ) = p / 22

23 Supersingular elliptic curves An elliptic curve E/ F p is supersingular if E[p] = { }. If p 5, then E/F p is supersingular iff #E(F p ) = p + 1. Every supersingular elliptic curve is defined over F p / 22

24 Supersingular isogeny graphs The supersingular elliptic curves form a component of the l-isogeny graph over F p 2, the supersingular l-isogeny graph. 11 / 22

25 Supersingular isogeny graphs p = 277, l = 2 11 / 22

26 Supersingular isogeny graphs p = 541, l = 2 11 / 22

27 Supersingular isogeny graphs p = 1033, l = 2 11 / 22

28 Supersingular isogeny graphs p = 2053, l = 2 11 / 22

29 Supersingular isogeny graphs p = 4129, l = 2 11 / 22

30 Supersingular isogeny graphs The supersingular elliptic curves form a component of the l-isogeny graph over F p 2, the supersingular l-isogeny graph. 11 / 22

31 Supersingular isogeny graphs The supersingular elliptic curves form a component of the l-isogeny graph over F p 2, the supersingular l-isogeny graph. There are p/12 + ε supersingular elliptic curves over F p. 11 / 22

32 Supersingular isogeny graphs The supersingular elliptic curves form a component of the l-isogeny graph over F p 2, the supersingular l-isogeny graph. There are p/12 + ε supersingular elliptic curves over F p. y 2 = x is supersingular iff p 1 (mod 3). y 2 = x 3 + x is supersingular iff p 1 (mod 4). 11 / 22

33 Supersingular isogeny graphs The supersingular elliptic curves form a component of the l-isogeny graph over F p 2, the supersingular l-isogeny graph. There are p/12 + ε supersingular elliptic curves over F p. y 2 = x is supersingular iff p 1 (mod 3). y 2 = x 3 + x is supersingular iff p 1 (mod 4). The supersingular l-isogeny graph is (almost) Ramanujan. (Almost) all nodes have out-degree l / 22

34 Supersingular isogeny graphs p = 277, l = / 22

35 Algorithms? State of this talk: Exponentially large random graph. How to compute on this graph? 12 / 22

36 Isogenies and kernels For any finite subgroup G of E, there exists a unique 1 separable isogeny ϕ G : E E with kernel G. The curve E is called E/G. 1 (up to isomorphism of E ) 13 / 22

37 Vélu s formulas 71 Let G be a finite subgroup of an elliptic curve E. Then ( P x(p)+ ( ) ( ) x(p+q) x(q), y(p)+ y(p+q) y(q) Q G Q G Q Q defines an isogeny of elliptic curves whose kernel is G. 14 / 22

38 Vélu s formulas 71 Let G be a finite subgroup of an elliptic curve E. Then ( P x(p)+ ( ) ( ) x(p+q) x(q), y(p)+ y(p+q) y(q) Q G Q G Q Q defines an isogeny of elliptic curves whose kernel is G. For small G, this leads to efficient formulas for computing the defining equation of E/G evaluating the isogeny E E/G at a point 14 / 22

39 Representing isogeny paths Storing each curve and kernel on the way is expensive. ψ 1 ψ 2 ψ n 1 ψ n E E 1... E n 1 E/G (It would also make the DH system we re building impossible...) 15 / 22

40 Representing isogeny paths Storing each curve and kernel on the way is expensive. ψ 1 ψ 2 ψ n 1 ψ n E E 1... E n 1 E/G (It would also make the DH system we re building impossible...) Use the kernel of the composition! ψ 1 ψ 2 ψ n 1 ψ n E E 1... E n 1 E/G ϕ G 15 / 22

41 Representing isogeny paths Storing each curve and kernel on the way is expensive. ψ 1 ψ 2 ψ n 1 ψ n E E 1... E n 1 E/G (It would also make the DH system we re building impossible...) Use the kernel of the composition! ψ 1 ψ 2 ψ n 1 ψ n E E 1... E n 1 E/G ϕ G Evaluate ϕ G via a chain of small-degree isogenies: If G = Z/l n, set ker ψ i := [l n i ](ψ i 1 ψ 1 )(G). (This is usually not the optimal strategy.) 15 / 22

42 Commutativity? State of this talk: Exponentially large random graph. Efficient formulas to traverse it. How to make Alice and Bob s walks commute? 16 / 22

43 Commutativity? We want: E 0 ϕ A ϕ B E A E B ψ B ψa E 17 / 22

44 Commutativity? We want: E 0 ϕ A ϕ B E A E B ψ B ψa E If only Bob could help Alice by shifting her ker ϕ A to E B... but Alice must keep ϕ A secret... : ( 17 / 22

45 Commutativity! We want: E 0 ϕ A ϕ B E A E B ψ B ψa E If only Bob could help Alice by shifting her ker ϕ A to E B... but Alice must keep ϕ A secret... : Solution: Bob shifts a public group that contains ker ϕ A. ( 17 / 22

46 Commutativity! We want: E 0 ϕ A ϕ B E A E B ψ B ψa E If only Bob could help Alice by shifting her ker ϕ A to E B... but Alice must keep ϕ A secret... : Solution: Bob shifts a public group that contains ker ϕ A. Fix some public generator points P, Q E 0 [deg ϕ A ]. Alice computes ϕ A : E 0 E A with kernel P + [a]q. Bob uses ϕ B to shift P, Q to E B and gives them to Alice. Alice computes ψ A with kernel ϕ B (P) + [a]ϕ B (Q). By magic math, Bob will arrive at an isomorphic E. ( 17 / 22

47 The SIDH protocol (De Feo Jao Plût 2011) Public parameters: a large prime p = 2 n A3 n B 1 and a supersingular E 0 /F p. bases (P A, Q A ) and (P B, Q B ) of E 0 [2 n A] and E 0 [3 n B]. 18 / 22

48 The SIDH protocol (De Feo Jao Plût 2011) Public parameters: a large prime p = 2 n A3 n B 1 and a supersingular E 0 /F p. bases (P A, Q A ) and (P B, Q B ) of E 0 [2 n A] and E 0 [3 n B]. Alice public Bob a random {0...2 na 1 } b random {0...3 nb 1 } G A := P A + [2a]Q A G B := P B + [3b]Q B compute ϕ A : E 0 E 0 /G A compute ϕ B : E 0 E 0 /G B ϕ A (P B ), ϕ A (Q B ) ϕ B (P A ), ϕ B (Q A ) recover E B = E 0 /G B H A := ϕ B (P A ) + [2a]ϕ B (Q A ) s := j(e B /H A ) recover E A = E 0 /G A H B := ϕ A (P B ) + [3b]ϕ A (Q B ) s := j(e A /H B ) 18 / 22

49 Optimizations Projective representation of curve coefficients. 1 Distortion map on E 0 speeds up public key generation. 1 Use of Montgomery model and x-only arithmetic. 1 Compression reduces public key size to 7 2 log 2 p bits. 2 1 Costello Longa Naehrig 2016, 2 Costello Jao Longa Naehrig Renes Urbanik 2016, 19 / 22

50 Optimizations Projective representation of curve coefficients. 1 Distortion map on E 0 speeds up public key generation. 1 Use of Montgomery model and x-only arithmetic. 1 Compression reduces public key size to 7 2 log 2 p bits. 2 Current performance records: 2 Public keys Cycles Wall-clock time uncompressed 564 bytes ms compressed 330 bytes ms (Parameters aimed at 192 bits of classical and 128 bits of quantum security.) 1 Costello Longa Naehrig 2016, 2 Costello Jao Longa Naehrig Renes Urbanik 2016, 19 / 22

51 Security The security of SIDH depends on the hardness of..: Computing an isogeny between two given curves. 1...when the images of some points are known. 2 Computing the endomorphism ring of a given curve. 3 1 Galbraith Petit Shani Ti 2016, 2 Petit 2017, 3 Kohel Lauter Petit Tignol 2014, 20 / 22

52 Security The security of SIDH depends on the hardness of..: Computing an isogeny between two given curves. 1...when the images of some points are known. 2 Computing the endomorphism ring of a given curve. 3 Best known attacks: O(p 1/4 ) classically and O(p 1/6 ) quantumly. 1 Galbraith Petit Shani Ti 2016, 2 Petit 2017, 3 Kohel Lauter Petit Tignol 2014, 20 / 22

53 Security The security of SIDH depends on the hardness of..: Computing an isogeny between two given curves. 1...when the images of some points are known. 2 Computing the endomorphism ring of a given curve. 3 Best known attacks: O(p 1/4 ) classically and O(p 1/6 ) quantumly. Caution! If Bob reuses his key pair, Alice can recover his private key in O(log p) queries. 1 1 Galbraith Petit Shani Ti 2016, 2 Petit 2017, 3 Kohel Lauter Petit Tignol 2014, 20 / 22

54 Open problems How can we cheaply reuse key pairs? Will this ever be really fast? 21 / 22

55 Open problems How can we cheaply reuse key pairs? Will this ever be really fast? Is this scheme actually secure? Are there weak parameters, side channels, fault attacks,..? 21 / 22

56 Thank you! 22 / 22

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret