Supersingular Isogeny Key Encapsulation (SIKE)

Size: px

Start display at page:

Download "Supersingular Isogeny Key Encapsulation (SIKE)"

Laura Preston
5 years ago
Views:

1 Supersingular Isogeny Key Encapsulation (SIKE) Reza Azarderakhsh Matthew Campagna Craig Costello Luca De Feo Basil Hess David Jao Brian Koziel Brian LaMacchia Patrick Longa Michael Naehrig Joost Renes Vladimir Soukharev Digital Security Group, Radboud University, Nijmegen 1 February 2018

2 Introduction (generic intro...) 1 / 1

3 A graph-based protocol Alice Bob 2 / 1

4 A graph-based protocol Alice Bob 2 / 1

5 A graph-based protocol 24 Alice 24 Bob 2 / 1

6 A graph-based protocol 24 Alice 24 Bob 2 / 1

7 A graph-based protocol 24 Alice Bob 2 / 1

8 A graph-based protocol 24 Alice Bob 2 / 1

9 A graph-based protocol Alice Bob 66 2 / 1

10 A graph-based protocol Alice Bob 66 2 / 1

11 A graph-based protocol Alice Bob / 1

12 Constructing graphs and walks using isogenies 3 / 1

13 Constructing graphs and walks using isogenies E 24 E 41 E 66 E 17 E 48 E 40 Supersingular elliptic curves 3 / 1

14 Constructing graphs and walks using isogenies l-isogeny φ R E 24 E 41 E 66 E 17 E 48 E 40 Supersingular elliptic curves 3 / 1

15 Constructing graphs and walks using isogenies l-isogeny φ R E 66 {E 24, P 24, Q 24 } E 41 E 17 E 48 E 40 Supersingular elliptic curves 3 / 1

16 Constructing graphs and walks using isogenies l-isogeny φ R E 66 {E 24, P 24, Q 24 } E 41 E 17 E 48 E 40 Supersingular elliptic curves 3 / 1

17 Constructing graphs and walks using isogenies l-isogeny φ R E 66 {E 24, P 24, Q 24 } E 41 E 17 E 48 E 40 Supersingular elliptic curves 3 / 1

18 Constructing graphs and walks using isogenies l-isogeny φ R {E 66, P 66, Q 66 } {E 24, P 24, Q 24 } E 41 E 17 E 48 E 40 Supersingular elliptic curves 3 / 1

19 Constructing graphs and walks using isogenies l-isogeny φ R {E 66, P 66, Q 66 } {E 24, P 24, Q 24 } E 41 E 17 (1) Choose graph (prime) E 48 E 40 Supersingular elliptic curves 3 / 1

20 Constructing graphs and walks using isogenies l-isogeny φ R {E 66, P 66, Q 66 } {E 24, P 24, Q 24 } E 41 E 17 E 48 (1) Choose graph (prime) (2) Fix starting curve E 40 Supersingular elliptic curves 3 / 1

21 Constructing graphs and walks using isogenies l-isogeny φ R {E 66, P 66, Q 66 } {E 24, P 24, Q 24 } E 41 E 17 E 48 (1) Choose graph (prime) (2) Fix starting curve (3) Fix points E 40 Supersingular elliptic curves 3 / 1

22 Choosing parameters (1) Fix prime p = 2 e2 3 e / 1

23 Choosing parameters (1) Fix prime p = 2 e2 3 e 3 1 (2) Fix starting curve : y 2 = x 3 + x 4 / 1

24 Choosing parameters (1) Fix prime p = 2 e2 3 e 3 1 (2) Fix starting curve : y 2 = x 3 + x (3) Choose smallest points such that [2 e 2 ] = {P 2, Q 2 }, [3 e 3 ] = {P 3, Q 3 } 4 / 1

25 Choosing parameters Only choice to make! How large? (1) Fix prime p = 2 e2 3 e 3 1 (2) Fix starting curve : y 2 = x 3 + x (3) Choose smallest points such that [2 e 2 ] = {P 2, Q 2 }, [3 e 3 ] = {P 3, Q 3 } 4 / 1

26 The SIDH problem {E A, P A, Q A } {P 2, Q 2 } φ A {P 3, Q 3 } φ B {E B, P B, Q B } E AB 5 / 1

27 The SIDH problem {E A, P A, Q A } {P 2, Q 2 } φ A {P 3, Q 3 } φ B {E B, P B, Q B } E AB Prob. 1 (SIDH): Given {E A, P A, Q A } and {E B, P B, Q B }, get E AB 5 / 1

28 The SIDH problem {E A, P A, Q A } {P 2, Q 2 } φ A {P 3, Q 3 } φ B {E B, P B, Q B } E AB Prob. 1 (SIDH): Given {E A, P A, Q A } and {E B, P B, Q B }, get E AB Prob. 2 (SSI*): Given {E A, P A, Q A }, get φ A 5 / 1

29 The SIDH problem {E A, P A, Q A } {P 2, Q 2 } φ A {P 3, Q 3 } φ B {E B, P B, Q B } E AB Prob. 1 (SIDH): Given {E A, P A, Q A } and {E B, P B, Q B }, get E AB Prob. 2 (SSI*): Prob. 3 (SSI): Given {E A, P A, Q A }, get φ A Given E A, get φ A 5 / 1

30 Solving SSI with claw finding algorithms E A 6 / 1

31 Solving SSI with claw finding algorithms E A 6 / 1

32 Solving SSI with claw finding algorithms E A 6 / 1

33 Solving SSI with claw finding algorithms E A 6 / 1

34 Solving SSI with claw finding algorithms E A Complexity of O( deg φ) O( 4 p) classical O( 3 deg φ) O( 6 p) quantum oracle queries 6 / 1

35 Aligning security with the NIST requirements As secure as k-bit AES Classical Quantum AES / 1

36 Aligning security with the NIST requirements As secure as k-bit AES Classical Quantum AES SIKEp / 1

37 Aligning security with the NIST requirements As secure as k-bit AES Classical Quantum AES SIKEp AES SIKEp / 1

38 Aligning security with the NIST requirements As secure as k-bit AES Classical Quantum AES SIKEp AES SIKEp AES SIKEp / 1

39 What is SIKE... PK A K PK B SIDH Passively secure under (SI)CDH 8 / 1

40 What is SIKE... PK A PK A K PK B SIDH Passively secure under (SI)CDH 8 / 1

41 What is SIKE... PK A PK A K K PK B PK B SIDH Passively secure under (SI)CDH 8 / 1

42 What is SIKE... PK A PK A K K PK B PK B C 0 = PK B C 1 = M F (K) SIDH Passively secure under (SI)CDH 8 / 1

43 What is SIKE... PK A PK A K K PK B PK B C 0 = PK B C 1 = M F (K) SIDH Passively secure under (SI)CDH 8 / 1

44 What is SIKE... PK A PK A K K PK B PK B C 0 = PK B C 1 = M F (K) SIDH Passively secure under (SI)CDH ElGamal Passively secure under (SI)CDH in ROM 8 / 1

45 What is SIKE... PK A PK A PK A K K K SIDH PK B Passively secure under (SI)CDH PK B C 0 = PK B C 1 = M F (K) ElGamal Passively secure under (SI)CDH in ROM PK B S = H(M, C 0, C 1 ) 8 / 1

46 What is SIKE... PK A PK A PK A K K K SIDH PK B Passively secure under (SI)CDH PK B C 0 = PK B C 1 = M F (K) ElGamal Passively secure under (SI)CDH in ROM PK B S = H(M, C 0, C 1 ) 8 / 1

47 What is SIKE... PK A PK A PK A K K K SIDH PK B Passively secure under (SI)CDH PK B C 0 = PK B C 1 = M F (K) ElGamal Passively secure under (SI)CDH in ROM PK B S = H(M, C 0, C 1 ) SIKE Actively secure under (SI)CDH in ROM 8 / 1

48 Implementation choices: curve model (1) Model choice: Montgomery 9 / 1

49 Implementation choices: curve model (1) Model choice: Montgomery (2) Only x-coordinates needed (x, ) φ E 1 (f (x), ) deg(f ) = deg(φ) 9 / 1

50 Computing isogenies (3) Tree-based isogeny computation (, P 00 ) Order of P 00 is l e = deg(φ 00 ) = l e 10 / 1

51 Computing isogenies (3) Tree-based isogeny computation (, P 01 ) P 01 = [l]p 00 Order of P 01 is l e 1 = deg(φ 01 ) = l e 1 10 / 1

52 Computing isogenies (3) Tree-based isogeny computation P 02 = [l 2 ]P 00 Order of P 02 is l e 2 (, P 02 ) = deg(φ 02 ) = l e 2 10 / 1

53 Computing isogenies (3) Tree-based isogeny computation P 03 = [l 3 ]P 00 Order of P 03 is l e 3 = deg(φ 03 ) = l e 3 (, P 03 ) 10 / 1

54 Computing isogenies (3) Tree-based isogeny computation P 04 = [l 4 ]P 00 Order of P 04 is l e 4 = deg(φ 04 ) = l e 4 (, P 04 ) 10 / 1

55 Computing isogenies (3) Tree-based isogeny computation P 05 = [l 5 ]P 00 Order of P 05 is l e 5 = deg(φ 05 ) = l e 5 (, P 05 ) 10 / 1

56 Computing isogenies (3) Tree-based isogeny computation P 06 = [l 6 ]P 00 Order of P 06 is l e 6 = deg(φ 06 ) = l e 6 (, P 06 ) 10 / 1

57 Computing isogenies (3) Tree-based isogeny computation (E 1, P 10 ) P 10 = φ 00 (P 00 ) Order of P 10 is l e 1 = deg(φ 10 ) = l e 1 10 / 1

58 Computing isogenies (3) Tree-based isogeny computation P 11 = [l]p 10 Order of P 11 is l e 2 (E 1, P 11 ) = deg(φ 11 ) = l e 2 10 / 1

59 Computing isogenies (3) Tree-based isogeny computation P 12 = [l 2 ]P 10 Order of P 12 is l e 3 = deg(φ 12 ) = l e 3 (E 1, P 12 ) 10 / 1

60 Computing isogenies (3) Tree-based isogeny computation P 13 = [l 3 ]P 10 Order of P 13 is l e 4 = deg(φ 13 ) = l e 4 (E 1, P 13 ) 10 / 1

61 Computing isogenies (3) Tree-based isogeny computation P 14 = [l 4 ]P 10 Order of P 14 is l e 5 = deg(φ 14 ) = l e 5 (E 1, P 14 ) 10 / 1

62 Computing isogenies (3) Tree-based isogeny computation P 15 = [l 5 ]P 10 Order of P 15 is l e 6 = deg(φ 15 ) = l e 6 (E 1, P 15 ) 10 / 1

63 Computing isogenies (3) Tree-based isogeny computation (E 6, P 60 ) 10 / 1

64 Computing isogenies (3) Tree-based isogeny computation 10 / 1

65 Where to begin (4) Starting curve : y 2 = x 3 + x with j = 1728 = Know things about End( ), could help attacks.. 1 = = Defined over F p F p 2 Attack O( p) (with low memory 2 ) = No better way to obtain a random starting curve? 1 Petit 17 2 Delfs, Galbraith / 1

66 Other implementation choices (5) No public-key compression 12 / 1

67 Other implementation choices (5) No public-key compression (6) Sym. functions cshake / 1

68 Final numbers Speed (ms) PK (Kbytes) RSA NIST P Kyber FrodoKEM SIKEp SIKEp SIDHp SIDHp (Numbers from Patrick Longa s RWC 18 talk, measured on different platforms..) 13 / 1

69 Thanks All details can be found at: Post-Quantum-Cryptography/documents/round-1/ submissions/sike.zip All authors: Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, David Jao, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev 14 / 1

Supersingular Isogeny Key Encapsulation

Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionq, Inc. Full list of submitters: Reza Azarderakhsh, FAU Matt Campagna, Amazon Craig Costello, MSR Luca