Post on 15-Mar-2020
Craig Costello
A gentle introduction to isogeny-based cryptography
Tutorial at SPACE 2016, December 15, 2016
CRRao AIMSCS, Hyderabad, India
Part 1: Motivation
Part 2: Preliminaries
Part 3: Brief SIDH sketch
Diffie-Hellman key exchange (circa 1976)
p = 685408003627063761059275919665781694368639459527871881531452
g = 123456789
a = 1606938044258990275541962092341162602522202993782792835301301
b = 362059131912941987637880257325269696682836735524942246807440
g^a mod p = 78467374529422653579754596319852702575499692980085777948593
g^ab mod p = 437452857085801785219961443000845969831329749878767465041215
560048104293218128667441021342483133802626271394299410128798 = g^b mod p
Diffie-Hellman key exchange (circa 2016)
The same exchange with present-day parameter sizes: g = 123456789 and a prime p of several hundred decimal digits. The slide's numeric values of p, the secret exponents a and b, g^a mod p, g^b mod p and the shared secret g^ab mod p are omitted here.
ECDH key exchange (1999 to nowish)
P = (48439561293906451759052585252797914202762949526041747995844080717082404635286, 36134250956749795798585127919587881956611106672985015071877198253568414405109)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1 = 115792089210356248762697446949407573530086143415290314195533631308867097853951
a = 89130644591246033577639770641462855023145028492835255603183721922317324614395
E/F_p: y^2 = x^3 − 3x + c
b = 10095557463932786418806938316190708032771910919058405391679781082193405190826
[a]P = (84116208261315898167593067868200525612344221886333785331584793435449501658416, 102885655542185598026739250172885300109680266058548048621945393128043427650740)
[b]P = (101228882920057626679704131545407930245895491542090988999577542687271695288383, 77887418190304022994116595034556257760807185615679689372138134363978498341594)
[ab]P = (101228882920057626679704131545407930245895491542090988999577542687271695288383, 77887418190304022994116595034556257760807185615679689372138134363978498341594)
#E = 115792089210356248762697446949407573529996955224135760342422259061068512044369
Quantum computers → Cryptopocalypse
• Quantum computers break elliptic curves, finite fields, factoring, everything currently used for PKC
• Aug 2015: NSA announces plans to transition to quantum-resistant algorithms
• Feb 2016: NIST calls for quantum-secure submissions
Post-quantum key exchange
This talk + Sunday's: isogenies
What hard problem(s) do we use now???
Diffie-Hellman instantiations
DH: elements are integers g modulo a prime p; secrets are exponents x; computation g, x ↦ g^x; hard problem: given g and g^x, find x.
ECDH: elements are points P in a curve group; secrets are scalars k; computation P, k ↦ [k]P; hard problem: given P and [k]P, find k.
R-LWE [BCNS'15, newhope, NTRU]: elements are a in the ring R = Z_q[x]/⟨Φ_n(x)⟩; secrets are small errors s, e ∈ R; computation a, s, e ↦ as + e; hard problem: given a and as + e, find s.
LWE [Frodo]: elements are matrices A in Z_q^{n×n}; secrets are small s, e ∈ Z_q^n; computation A, s, e ↦ As + e; hard problem: given A and As + e, find s.
SIDH [DJP14, CLN16]: elements are curves E in an isogeny class; secrets are isogenies φ; computation φ, E ↦ φ(E); hard problem: given E and φ(E), find φ.
Part 1: Motivation
Part 2: Preliminaries
Part 3: Brief SIDH sketch
Extension fields
To construct a degree-n extension field F_{p^n} of a finite field F_p, take F_{p^n} = F_p(α) where f(α) = 0 and f(x) is irreducible of degree n in F_p[x].
Example: for any prime p ≡ 3 mod 4, can take F_{p^2} = F_p(i) where i^2 + 1 = 0
Elliptic Curves and j-invariants
• Recall that every elliptic curve E over a field K with char K > 3 can be defined by E: y^2 = x^3 + ax + b, where a, b ∈ K, 4a^3 + 27b^2 ≠ 0
• For any extension K'/K, the set of K'-rational points forms a group with identity ∞
• The j-invariant j(E) = j(a, b) = 1728 · 4a^3 / (4a^3 + 27b^2) determines the isomorphism class over K̄
• E.g., E': y^2 = x^3 + a·u^2·x + b·u^3 is isomorphic to E for all u ∈ K*
• Recover a curve from j: e.g., set a = −3k and b = 2k with k = j/(j − 1728)
Example
Over F_13, the curves E1: y^2 = x^3 + 9x + 8 and E2: y^2 = x^3 + 3x + 5 are isomorphic, since
j(E1) = 1728 · 4·9^3 / (4·9^3 + 27·8^2) = 3 = 1728 · 4·3^3 / (4·3^3 + 27·5^2) = j(E2)
An isomorphism is given by φ: E1 → E2, (x, y) ↦ (10x, 5y), with inverse φ^{-1}: E2 → E1, (x, y) ↦ (4x, 8y), noting that φ(∞1) = ∞2
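As an added example (not from the slides), the F_13 check above in Python: it evaluates the j-invariant formula from the previous slide for E1 and E2, searches for the scalings (x, y) ↦ (u^2 x, u^3 y) that carry E1 onto E2, and confirms the map by pushing every F_13-rational point of E1 through it. The slide's (10x, 5y) is the scaling with u = 7; the search also finds u = 6, which is the same map composed with negation.

```python
P = 13      # the slide's field F_13

def j_invariant(a, b):
    """j(E) = 1728 * 4a^3 / (4a^3 + 27b^2) for E: y^2 = x^3 + a x + b over F_p."""
    return 1728 * 4*a**3 * pow(4*a**3 + 27*b*b, -1, P) % P

def points(a, b):
    """All affine F_p-rational points of y^2 = x^3 + a x + b (brute force; fine for p = 13)."""
    return {(x, y) for x in range(P) for y in range(P) if (y*y - x**3 - a*x - b) % P == 0}

def isomorphisms(a1, b1, a2, b2):
    """Every u in F_p* with a2 = a1 u^4 and b2 = b1 u^6 gives (x, y) -> (u^2 x, u^3 y): E1 -> E2.
    Returns the list of (u^2, u^3) scalings; an empty list means no isomorphism over F_p itself."""
    return [(u*u % P, u**3 % P) for u in range(1, P)
            if (a1*u**4 - a2) % P == 0 and (b1*u**6 - b2) % P == 0]

def check_slide_example():
    e1, e2 = (9, 8), (3, 5)     # E1: y^2 = x^3 + 9x + 8 and E2: y^2 = x^3 + 3x + 5
    maps = isomorphisms(*e1, *e2)
    # push every rational point of E1 through the first scaling and confirm it lands exactly on E2
    u2, u3 = maps[0]
    image = {(u2*x % P, u3*y % P) for x, y in points(*e1)}
    return j_invariant(*e1), j_invariant(*e2), maps, image == points(*e2)
```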
Torsion subgroups
• The multiplication-by-n map: [n]: E → E, P ↦ [n]P
• The n-torsion subgroup is the kernel of [n]: E[n] = {P ∈ E(K̄) : [n]P = ∞}
• Found as the roots of the n-th division polynomial ψ_n
• If char K doesn't divide n, then E[n] ≅ Z_n × Z_n
Example
• Consider E/F_11: y^2 = x^3 + 4 with #E(F_11) = 12
• 3-division polynomial ψ3(x) = 3x^4 + 4x partially splits as ψ3(x) = x(x + 3)(x^2 + 8x + 9)
• Thus, x = 0 and x = −3 give 3-torsion points. The points (0, 2) and (0, 9) are in E(F_11), but the rest lie in E(F_{11^2})
• Write F_{11^2} = F_11(i) with i^2 + 1 = 0. ψ3(x) splits over F_{11^2} as ψ3(x) = x(x + 3)(x + 9i + 4)(x + 2i + 4)
• Observe E[3] ≅ Z_3 × Z_3, i.e., 4 cyclic subgroups of order 3
Isogenies
• Isogeny: morphism (rational map) φ: E1 → E2 that preserves identity, i.e. φ(∞1) = ∞2
• Degree of a (separable) isogeny is the number of elements in its kernel, the same as its degree as a rational map
• Given a finite subgroup G ⊂ E1, there is a unique curve E2 and isogeny φ: E1 → E2 (up to isomorphism) having kernel G. Write E2 = φ(E1) = E1/⟨G⟩.
Isogenies
• Isomorphisms are a special case of isogenies where the kernel is trivial: φ: E1 → E2, ker φ = {∞1}
• Endomorphisms are a special case of isogenies where the domain and co-domain are the same curve: φ: E1 → E1, ker φ = G, |G| > 1
• Perhaps think of isogenies as a generalization of either/both: isogenies allow a non-trivial kernel and allow different domain/co-domain
• Isogenies are *almost* isomorphisms
Vélu's formulas
Given any finite subgroup G of E, we may form a quotient isogeny φ: E → E' = E/G with kernel G using Vélu's formulas
Example: E: y^2 = (x^2 + b1·x + b0)(x − a). The point (a, 0) has order 2; the quotient of E by ⟨(a, 0)⟩ gives an isogeny φ: E → E' = E/⟨(a, 0)⟩, where
E': y^2 = x^3 + (4a + 2b1)·x^2 + (b1^2 − 4b0)·x
and where φ maps (x, y) to ( (x^3 − (a − b1)·x^2 − (b1·a − b0)·x − b0·a) / (x − a), (x^2 − 2a·x − b1·a + b0)·y / (x − a)^2 )
Vélu's formulas
Given curve coefficients a, b for E, and all of the x-coordinates x_i of the subgroup G ⊂ E, Vélu's formulas output a', b' for E', and the map
φ: E → E', (x, y) ↦ ( f1(x, y) / g1(x, y), f2(x, y) / g2(x, y) )
Example, cont.
• Recall E/F_11: y^2 = x^3 + 4 with #E(F_11) = 12
• Consider [3]: E → E, the multiplication-by-3 endomorphism
• G = ker[3] = E[3], which is not cyclic
• Conversely, given the subgroup G, the unique isogeny φ with ker φ = G turns out to be the endomorphism φ = [3]
• But what happens if we instead take G as one of the cyclic subgroups of order 3?
Example, cont. E/F_11: y^2 = x^3 + 4
(figure: the four degree-3 isogenies φ1, φ2, φ3, φ4 out of E, one per cyclic subgroup of order 3)
φ1: E → E1/F_11: y^2 = x^3 + 2
φ2: E → E2/F_11: y^2 = x^3 + 5x
φ3: E → E3/F_{11^2}: y^2 = x^3 + (7i + 3)x
φ4: E → E4/F_{11^2}: y^2 = x^3 + (4i + 3)x
E1, E2, E3, E4 are all 3-isogenous to E, but what's the relation to each other?
The dual isogeny
For every isogeny φ: E1 → E2 of degree n, there exists a (unique, up to isomorphism) dual isogeny φ̂: E2 → E1 of degree n, such that
φ̂ ∘ φ = [n] on E1
and
φ ∘ φ̂ = [n] on E2
Supersingular curves
• E/F_q with q = p^n is supersingular iff E[p] = {∞}
• Fact: all supersingular curves can be defined over F_{p^2}
• Let S_{p^2} be the set of supersingular j-invariants
Theorem: #S_{p^2} = ⌊p/12⌋ + ε, ε ∈ {0, 1, 2}
The supersingular isogeny graph
• We are interested in the set of supersingular curves (up to isomorphism) over a specific field
• Thm (Tate): E1 and E2 are isogenous if and only if #E1 = #E2
• Thm (Mestre): all supersingular curves over F_{p^2} are in the same isogeny class
• Fact (see previous slides): for every prime ℓ not dividing p, there exist ℓ + 1 isogenies of degree ℓ originating from any supersingular curve
• Previous example actually had E2 ≅ E3 ≅ E4, so let's increase the size a little to get a picture of how this all pans out...
Upshot: immediately leads to an (ℓ + 1)-regular directed graph X(S_{p^2}, ℓ)
E.g. a supersingular isogeny graph
• Let p = 241, F_{p^2} = F_p(w) = F_p[x]/(x^2 − 3x + 7)
• #S_{p^2} = 20
• S_{p^2} = {93, 51w + 30, 190w + 183, 240, 216, 45w + 211, 196w + 105, 64, 155w + 3, 74w + 50, 86w + 227, 167w + 31, 175w + 237, 66w + 39, 8, 23w + 193, 218w + 21, 28, 49w + 112, 192w + 18}
Credit to Fre Vercauteren for example and picture...
Supersingular isogeny graph for ℓ = 2: X(S_{241^2}, 2)
Supersingular isogeny graph for ℓ = 3: X(S_{241^2}, 3)
Supersingular isogeny graphs are Ramanujan graphs
Rapid mixing property: Let S be any subset of the vertices of the graph G, and x be any vertex in G. A "long enough" random walk will land in S with probability at least |S| / (2|G|).
See De Feo, Jao, Plût (Prop 2.1) for the precise formula describing what's "long enough"
Part 1: Motivation
Part 2: Preliminaries
Part 3: Brief SIDH sketch
SIDH: in a nutshell
(figure: E0 → E_A = E0/⟨A⟩ via φ_A, E0 → E_B = E0/⟨B⟩ via φ_B, and both continue via φ'_A and φ'_B to E_AB = E0/⟨A, B⟩; legend: params, public, private)
E's are isogenous curves
P's, Q's, R's, S's are points
• Non-commutative, so φ_B φ_A ≠ φ_A φ_B (can't even multiply), hence φ'_A and φ'_B
• Alice can't just take E_B/⟨A⟩, A doesn't lie on E_B
SIDH: in a nutshell
E_A = E0/⟨P_A + [s_A]Q_A⟩, E_B = E0/⟨P_B + [s_B]Q_B⟩, E_AB = E0/⟨A, B⟩ (legend: params, public, private)
(φ_B(P_A), φ_B(Q_A)) = (R_B, S_B)
(R_A, S_A) = (φ_A(P_B), φ_A(Q_B))
E_A/⟨R_A + [s_B]S_A⟩ ≅ E0/⟨P_A + [s_A]Q_A, P_B + [s_B]Q_B⟩ ≅ E_B/⟨R_B + [s_A]S_B⟩
Key: Alice sends her isogeny evaluated at Bob's generators, and vice versa
• Why E' = E/⟨P + [s]Q⟩, etc?
• Why not just E' = E/⟨[s]P⟩? ... because here E' is ≅ independent of s
• Need a two-dimensional basis to span two-dimensional torsion
• Every different s now gives a different order-n subgroup, i.e., kernel, i.e. isogeny
• Composite: same thing, just uglier picture
E[n] ≅ Z_n × Z_n (n prime depicted below)
n + 1 cyclic subgroups of order n
(figure: the points P, Q and [s]Q, with the subgroups generated by Q and by P + [s]Q)
Exploiting smooth degree isogenies
• Computing isogenies of prime degree ℓ costs at least O(ℓ), e.g., Vélu's formulas need the whole kernel specified
• We (obviously) need an exponentially large set of kernels, meaning exponentially sized isogenies, which we can't compute unless they're smooth
• Here (for efficiency/ease) we will only use isogenies of degree ℓ^e for ℓ ∈ {2, 3}
Exploiting smooth degree isogenies
(credit DJP'14 for picture, and for a much better way to traverse the tree)
• Suppose our secret point R0 has order ℓ^5 with, e.g., ℓ ∈ {2, 3}; we need φ: E → E/⟨R0⟩
• Could compute all ℓ^5 elements in the kernel (but only because the exponent is 5)
• Better to factor φ = φ4 φ3 φ2 φ1 φ0, where all φ_i have degree ℓ, and
φ0: E0 → E0/⟨[ℓ^4]R0⟩, R1 = φ0(R0);
φ1: E1 → E1/⟨[ℓ^3]R1⟩, R2 = φ1(R1);
φ2: E2 → E2/⟨[ℓ^2]R2⟩, R3 = φ2(R2);
φ3: E3 → E3/⟨[ℓ]R3⟩, R4 = φ3(R3);
φ4: E4 → E4/⟨R4⟩.
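As an added example (not from the slides), the factoring above run end to end in Python for ℓ = 3 and e = 3, which also fills in the "Vélu's formulas" slide: a Vélu step for an odd-order kernel returns a', b' of E/G together with the point map (Washington's form of Vélu's formulas, with g_Q^x = 3x_Q^2 + a, g_Q^y = −2y_Q, v_Q = 2g_Q^x, u_Q = (g_Q^y)^2). Three degree-3 steps with kernels ⟨[3^(2−i)]R_i⟩ are compared against one Vélu step over the whole order-27 kernel ⟨R0⟩; the toy prime p = 431 = 2^4·3^3 − 1 and the curve y^2 = x^3 + x are assumed parameters, and the result shows the chain lands on the same curve.

```python
P = 431    # assumed toy prime 2^4 * 3^3 - 1; E: y^2 = x^3 + x is supersingular with p + 1 = 432 points

def inv(z): return pow(z, -1, P)

def add(a, S, T):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over F_p; None is the point at infinity."""
    if S is None or T is None: return S or T
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3*x1*x1 + a) * inv(2*y1) if S == T else (y2 - y1) * inv(x2 - x1)
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def mul(a, k, S):                      # double-and-add scalar multiplication [k]S
    R = None
    while k:
        if k & 1: R = add(a, R, S)
        S, k = add(a, S, S), k >> 1
    return R

def velu(a, b, reps):
    """Vélu's formulas for an odd-order kernel G: reps holds one point of each +/- pair of
    nonzero kernel points. Returns a', b' with E/G: y^2 = x^3 + a'x + b', plus the point map."""
    data = [(xq, yq, (3*xq*xq + a) % P, (-2*yq) % P) for xq, yq in reps]   # x_Q, y_Q, g_Q^x, g_Q^y
    v = sum(2*gx for _, _, gx, _ in data)                    # v_Q = 2 g_Q^x (Q is not 2-torsion)
    w = sum(gy*gy + 2*gx*xq for xq, _, gx, gy in data)       # u_Q + x_Q v_Q with u_Q = (g_Q^y)^2
    def phi(S):
        x, y = S
        X, Y = x, y
        for xq, yq, gx, gy in data:
            t = inv(x - xq)                                  # 1/(x - x_Q); S must lie outside G
            X += 2*gx*t + gy*gy*t*t
            Y -= 2*y*gy*gy*t**3 + 2*gx*(y - yq)*t*t - gx*gy*t*t
        return (X % P, Y % P)
    return (a - 5*v) % P, (b - 7*w) % P, phi

def j_invariant(a, b): return 1728 * 4*a**3 * inv(4*a**3 + 27*b*b) % P

def point_of_order_27(a, b):
    """E(F_p) is cyclic of order 432, so [16]Q has order 27 whenever 27 divides the order of Q."""
    for x in range(1, P):
        rhs = (x**3 + a*x + b) % P
        if pow(rhs, (P - 1)//2, P) == 1:                     # Euler's criterion: rhs is a square
            R = mul(a, 16, (x, pow(rhs, (P + 1)//4, P)))     # square root by exponent, p = 3 mod 4
            if mul(a, 9, R) is not None: return R

def chain_vs_direct(e=3):
    """phi = phi_2 phi_1 phi_0 with ker phi_i = <[3^(e-1-i)] R_i>, versus one Vélu step on <R_0>."""
    a0, b0 = 1, 0
    R0 = point_of_order_27(a0, b0)
    a, b, Ri = a0, b0, R0
    for i in range(e):
        a, b, phi = velu(a, b, [mul(a, 3**(e - 1 - i), Ri)])  # degree-3 step, kernel generator
        if i < e - 1: Ri = phi(Ri)                           # push R_i to the next curve
    reps = [mul(a0, k, R0) for k in range(1, 14)]            # 13 +/- representatives of <R_0>
    ad, bd, _ = velu(a0, b0, reps)
    return (a, b), (ad, bd), j_invariant(a, b) == j_invariant(ad, bd)
```

Both routes give a normalized isogeny with the same kernel, so the chain reproduces not only the j-invariant but the exact short Weierstrass model of E0/⟨R0⟩, at the cost of three small kernels instead of one of size 27.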
Questions?