1/22
On the Cost of Computing Isogenies Between Supersingular Elliptic Curves
Gora Adj 1, Daniel Cervantes-Vázquez 2, Jesús-Javier Chi-Domínguez 2, Alfred Menezes 1, and Francisco Rodríguez-Henríquez 2
1Department of Combinatorics & Optimization, University of Waterloo
2Computer Science Department, CINVESTAV-IPN
August 17, 2018
Agenda
1 Introduction
2 SIDH overview
3 CSSI problem
4 How to solve the collision finding problem?
  4.1 Meet-in-the-middle
  4.2 VW golden collision search
  4.3 Comments about quantum attacks
  4.4 Recommendations
5 Conclusions
Introduction
The Supersingular Isogeny Diffie-Hellman (SIDH) key agreement scheme was proposed by De Feo and Jao [De Feo & Jao'11, De Feo, Jao and Plut'14].
• It is one of 69 candidates being considered by the US National Institute of Standards and Technology (NIST) for inclusion in a forthcoming standard for quantum-safe cryptography [Jao et al.'17].
• Its security is based on the difficulty of the Computational Supersingular Isogeny (CSSI) problem, which was introduced in [Charles et al.'09].
Introduction: main contributions
One of our main contributions is the observation that van Oorschot-Wiener (VW) golden collision search can be used to solve CSSI.
Thus, there are two classical attacks on CSSI:
• meet-in-the-middle (MITM), and
• VW golden collision search.
We argue that, even though VW is slower than MITM in terms of the number of isogeny computations, it is less costly once memory is accounted for, and thus it should be used to select parameters for resistance to known classical attacks.
Remarks: two facts about VW golden collision search:
1 it is not well known, and
2 it is different from the "usual" VW collision search (which finds any collision rather than a specific one).
Introduction
Flow of this presentation
In this talk, we review the VW golden collision search as it applies to the CSSI problem.
Remark: we are not accounting for memory access costs, which are expected to be quite expensive.
SIDH overview [De Feo, Jao and Plut'14, Jao et al.'17]
SIDH framework:
• $p = \ell_A^{e_A}\,\ell_B^{e_B}\,d - 1$ is a prime number,
• $E$ is a supersingular elliptic curve defined over $\mathbb{F}_{p^2}$ with $\#E(\mathbb{F}_{p^2}) = (p+1)^2$,
• $E[\ell_A^{e_A}](\mathbb{F}_{p^2}) = \langle P_A, Q_A\rangle$ and $E[\ell_B^{e_B}](\mathbb{F}_{p^2}) = \langle P_B, Q_B\rangle$.
General description of SIDH:
• Alice chooses secret scalars $n_A, m_A$, sets $R_A \leftarrow [n_A]P_A + [m_A]Q_A$, computes the degree-$\ell_A^{e_A}$ isogeny $\phi_A : E \to E/\langle R_A\rangle$, and sends $E/\langle R_A\rangle$, $\phi_A(P_B)$ and $\phi_A(Q_B)$ to Bob.
• Bob chooses secret scalars $n_B, m_B$, sets $R_B \leftarrow [n_B]P_B + [m_B]Q_B$, computes the degree-$\ell_B^{e_B}$ isogeny $\phi_B : E \to E/\langle R_B\rangle$, and sends $E/\langle R_B\rangle$, $\phi_B(P_A)$ and $\phi_B(Q_A)$ to Alice.
• Alice computes $\phi_B(R_A) \leftarrow [n_A]\phi_B(P_A) + [m_A]\phi_B(Q_A)$ and the isogeny $\phi'_A : E/\langle R_B\rangle \to E/\langle R_A, R_B\rangle$ with kernel $\langle \phi_B(R_A)\rangle$; Bob computes $\phi_A(R_B) \leftarrow [n_B]\phi_A(P_B) + [m_B]\phi_A(Q_B)$ and $\phi'_B : E/\langle R_A\rangle \to E/\langle R_A, R_B\rangle$ with kernel $\langle \phi_A(R_B)\rangle$.
$$E \xrightarrow{\ \phi_A\ } E/\langle R_A\rangle \xrightarrow{\ \phi'_B\ } E/\langle R_A, R_B\rangle, \qquad E \xrightarrow{\ \phi_B\ } E/\langle R_B\rangle \xrightarrow{\ \phi'_A\ } E/\langle R_A, R_B\rangle.$$
The shared secret key is $j(E/\langle R_A, R_B\rangle)$.
CSSI problem
SIDH therefore bases its security on the hardness of the following problem.
Problem (CSSI)
Given the public parameters $\ell_A, \ell_B, e_A, e_B, p, E, P_A, Q_A$ and the elliptic curve $E/\langle R_A\rangle$, compute a degree-$\ell_A^{e_A}$ isogeny $\phi_A : E \to E/\langle R_A\rangle$.
CSSI modeled as a collision finding problem
Let us write $(R, \ell, e)$ to mean either $(R_A, \ell_A, e_A)$ or $(R_B, \ell_B, e_B)$, $E_1 = E$, and $E_2 = E/\langle R\rangle$. Notice that the degree-$\ell^e$ isogeny $\phi : E \to E/\langle R\rangle$ can be written as the composition of two degree-$\ell^{e/2}$ isogenies,
$$E_1 \xrightarrow{\ \phi_{R_0}\ } E_1/\langle R_0\rangle \xrightarrow{\ \phi_{R_1}\ } E_2, \qquad R_0 = [\ell^{e/2}]R,\quad R_1 = \phi_{R_0}(R),$$
so that $\phi = \phi_{R_1} \circ \phi_{R_0}$. Therefore $E_1$ and $E_2$ satisfy the following: for every $R_1 \in E_1[\ell^e](\mathbb{F}_{p^2})$ of order $\ell^e$ one can compute $j(E_1/\langle [\ell^{e/2}]R_1\rangle)$ via the degree-$\ell^{e/2}$ isogeny $\phi_{[\ell^{e/2}]R_1}$, and likewise $j(E_2/\langle [\ell^{e/2}]R_2\rangle)$ for every $R_2 \in E_2[\ell^e](\mathbb{F}_{p^2})$ of order $\ell^e$. Between these two sets of $j$-invariants there is just one collision, namely the curve $E_1/\langle R_0\rangle$ reached from both sides, and finding it recovers $\phi$.
Meet-in-the-middle attack
Let us illustrate how MITM works by an example. Let $\ell_A = 2$, $\ell_B = 3$, $e_A = 4$, $e_B = 2$, $p = 2^4 \cdot 3^2 \cdot 5 - 1 = 719$,
$$E_1 : y^2 = x^3 + (\mathtt{0x040}\cdot i + \mathtt{0x1F0})\,x + (\mathtt{0x1E6}\cdot i + \mathtt{0x0C7}),$$
$P_1 = (\mathtt{0x16E}\cdot i + \mathtt{0x1B4},\ \mathtt{0x10B}\cdot i + \mathtt{0x05F})$, $Q_1 = (\mathtt{0x203}\cdot i + \mathtt{0x0CC},\ \mathtt{0x047}\cdot i + \mathtt{0x0C5})$, and
$$E_2 : y^2 = x^3 + (\mathtt{0x1CF}\cdot i + \mathtt{0x047})\,x + (\mathtt{0x1EA}\cdot i + \mathtt{0x00D}).$$
Then the goal is to find a degree-$2^4$ isogeny from $E_1$ to $E_2$.
Meet-in-the-middle attack
First, compute the degree-$2^2$ isogeny tree rooted at $E_1$ (children $E_{10}, E_{11}, E_{12}$, each with its own children at depth 2) and store its leaves, i.e. the $j$-invariants of the depth-2 curves.
Second, compute degree-$2^2$ isogenies from $E_2$ (children $E_{20}, E_{21}, E_{22}$ and their children) until a leaf matches a stored one.
[Figure: the two isogeny trees rooted at $E_1$ and $E_2$, with leaves labelled by their $j$-invariants in $\mathbb{F}_{p^2}$; the match is $j(E_{100}) = j(E_{210}) = \mathtt{0x07F}\cdot i + \mathtt{0x0DD}$.]
Then we can reconstruct $\phi_A : E_1 \to E_2$ by composing the following isogenies:
$$E_1 \xrightarrow{\ \phi_0\ } E_{10} \xrightarrow{\ \phi_1\ } E_{100} \xrightarrow{\ \psi\ } E_{210} \xrightarrow{\ \phi_2\ } E_{21} \xrightarrow{\ \phi_3\ } E_2,$$
where $\psi$ is an $\mathbb{F}_{p^2}$-isomorphism and $\phi_2, \phi_3$ traverse the $E_2$ tree in the reverse direction, i.e. they are the duals of the isogenies used to build it.
Now let $\lambda$ be the discrete logarithm of $\phi_A(Q_A)$ to the base $\phi_A(P_A)$ (or vice versa). Then Alice's secret kernel is $\langle Q_A - [\lambda]P_A\rangle$ (or $\langle P_A - [\lambda]Q_A\rangle$). In our example, $\lambda = 3$.
Meet-in-the-middle attack
The average-case time complexity is $1.5N$ and the space complexity is $N$, where $N \approx (\ell_A + 1)\,\ell_A^{e_A/2 - 1} \approx p^{1/4}$ (infeasible for $N \geq 2^{80}$, since all $N$ leaves have to be stored).
Consequently, using $m$ processors and $w$ cells of memory, the running time of MITM is approximately
$$\left(\frac{w}{m} + \frac{N}{m}\right)\frac{N}{w} \approx \frac{N^2}{w \cdot m} \approx \frac{p^{1/2}}{w \cdot m}.$$
Meet-in-the-middle attack: experiments

                        MITM-basic                                         MITM-DFS
 e_A  e_B    d    expected time     space   measured time   clock cycles   clock cycles
  32   20   23       2^17.17    2^20.72         2^17.26        2^34.50        2^31.73
  34   21  109       2^18.17    2^21.83         2^18.24        2^35.49        2^32.71
  36   22   31       2^19.17    2^22.87         2^19.14        2^36.43        2^33.67
  38   23  271       2^20.17    2^23.99         2^20.20        2^37.59        2^34.60
  40   25   71       2^21.17    2^25.04         2^21.15        2^38.63        2^35.71
  42   26   37       2^22.17    2^26.09         2^22.11        2^39.83        2^36.78
  44   27   37       2^23.17    2^27.14         2^23.25        2^41.07        2^37.87

Meet-in-the-middle attacks for finding a $2^{e_A}$-isogeny between two supersingular elliptic curves over $\mathbb{F}_{p^2}$ with $p = 2^{e_A}\cdot 3^{e_B}\cdot d - 1$. The 'expected time' and 'measured time' columns give the expected number and the actual number of degree-$2^{e_A/2}$ isogeny computations for MITM-basic. The space is measured in bytes.
Collision search problem
Let S be a finite set of size M. The goal is to find a collision for arandom function f : S → S .
VW collision search
Firstly, let us define an element $x$ of $S$ to be distinguished if it has some easily-testable distinguishing property, and let $\theta$ be the proportion of elements of $S$ that are distinguished.
Then, using $m$ processors, the expected time complexity of the VW method is approximately
$$\frac{1}{m}\sqrt{\pi M/2} + \frac{2.5}{\theta}.$$
VW golden collision search
A random function $f : S \to S$ is expected to have $(M-1)/2$ unordered collisions. Suppose that we seek a particular one of these collisions, called the golden collision, which can be efficiently recognized. Consequently, one continues generating distinguished points and collisions until the golden collision is encountered.
VW golden collision search
The golden collision might be encountered with very small probability compared to the other collisions of a given $f$. Thus it is necessary to change the version of $f$ periodically.
[Figure: functional graph of a random function $f : \{0, \ldots, 27\} \to \{0, \ldots, 27\}$; the desired golden collision is marked in orange.]
VW golden collision search
Let
• $w$ be the number of elements we can store in memory,
• $\theta = 2.25\sqrt{w/M}$,
• $10w$ be the number of distinguished elements that each version of $f$ produces,
• $2^{10} \leq w \leq M/2^{10}$.
Heuristically, van Oorschot and Wiener observed that each version of $f$ generates approximately $1.3w$ collisions, of which approximately $1.1w$ are distinct. In addition, the expected running time to find the golden collision when $m$ processors are employed is
$$\frac{1}{m}\left(2.5\sqrt{M^3/w}\right). \tag{1}$$
Solving CSSI with VW golden collision search
Let $n \in \{0,1\}^{64}$, $S = \{1,2\} \times \{0, \ldots, \ell\} \times \{0, \ldots, \ell^{e/2-1} - 1\}$, and $\{P_1, Q_1\}$, $\{P_2, Q_2\}$ be bases for $E_1[\ell^{e/2}]$, $E_2[\ell^{e/2}]$, respectively. Then $f = g_n \circ f_c \circ h_c : S \to S$ can be described as follows:
$$h_c : (c, b, k) \mapsto R = \begin{cases} [\ell \cdot k]P_c + Q_c, & \text{if } b = \ell,\\ P_c + [b \cdot \ell^{e/2-1} + k]Q_c, & \text{otherwise,}\end{cases}$$
$$f_c : R \mapsto j = j(E_c/\langle R\rangle) \in \mathbb{F}_{p^2}, \qquad g_n : j \mapsto (c', b', k') \in S.$$
Here $g_n$ is defined by (iteratively) applying a hash function together with the version $n$ and returning its $\log_2 \#S$ least significant bits. The point $R$ ranges over generators of the $(\ell+1)\ell^{e/2-1}$ cyclic subgroups of $E_c$ of order $\ell^{e/2}$, so $\#S = 2(\ell+1)\ell^{e/2-1} = 2N$. The golden collision is the pair $(1, b, k) \neq (2, b', k')$ with $j(E_1/\langle R\rangle) = j(E_2/\langle R'\rangle)$: it is a collision of $f$ for every version $n$, whereas all other collisions are accidents of $g_n$ and change when $n$ does.
Solving CSSI with VW golden collision search

  e   p                     w =  2^8   2^10   2^12   2^14   2^16
 50   2^50·3^31·179 − 1   c1    1.37   1.36   1.37   1.41   1.49
                          c2    1.14   1.12   1.12   1.11   1.09
 60   2^60·3^37·31 − 1    c1    1.37   1.34   1.34   1.35   1.36
                          c2    1.15   1.13   1.13   1.12   1.12
 70   2^70·3^32·127 − 1   c1    1.33   1.34   1.34   1.34   1.34
                          c2    1.13   1.14   1.13   1.13   1.13
 80   2^80·3^25·71 − 1    c1    1.35   1.32   1.33   1.34   1.33
                          c2    1.14   1.12   1.13   1.13   1.13

Observed number $c_1 w$ of collisions and number $c_2 w$ of distinct collisions per CSSI-based random function $f_n$. The numbers are averages over 25 function versions (except for $(e, w) \in \{(80, 2^{12}), (80, 2^{14}), (80, 2^{16})\}$, for which 5 function versions were used).
Solving CSSI with VW golden collision search
Therefore, using $m$ processors and $w$ cells of memory, the VW method can be used to find this golden collision in expected time
$$\frac{1}{m}\left(2.5\sqrt{8N^3/w}\right) \approx 7.1\,p^{3/8}/(w^{1/2} m).$$
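The constant $7.1$ follows from the size of $S$; the derivation below is added here (it is not on the original slide) and uses only the definitions above:
$$M = \#S = 2(\ell+1)\ell^{e/2-1} = 2N, \qquad \frac{1}{m}\,2.5\sqrt{M^3/w} = \frac{2.5\sqrt{8}\,N^{3/2}}{w^{1/2} m} \approx \frac{7.07\,N^{3/2}}{w^{1/2} m} \approx \frac{7.1\,p^{3/8}}{w^{1/2} m},$$
where the last step uses $N \approx p^{1/4}$, so $N^{3/2} \approx p^{3/8}$. Compared with the MITM cost $p^{1/2}/(w \cdot m)$, the VW attack gains a factor of about $p^{1/8}$ in time but only a factor $w^{1/2}$ (instead of $w$) from memory, which is why the comparison depends on how much memory one assumes.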
Solving CSSI with VW golden collision search: experiments

                                        median                    average
 e_A  e_B    d     w   expected time   measured time   clock cycles   measured time   clock cycles
  32   20   23   2^9       2^23.20         2^23.55        2^40.79         2^24.38        2^41.62
  34   21  109   2^9       2^24.70         2^24.54        2^41.89         2^26.02        2^43.37
  36   22   31  2^10       2^25.70         2^26.06        2^43.51         2^27.25        2^44.70
  38   23  271  2^11       2^26.70         2^26.15        2^43.70         2^27.69        2^45.23
  40   25   71  2^11       2^28.20         2^26.36        2^43.99         2^29.01        2^46.64
  42   26   37  2^12       2^29.20         2^28.92        2^46.52         2^30.95        2^48.55
  44   27   37  2^13       2^30.20         2^29.78        2^47.46         2^30.91        2^48.58

Van Oorschot-Wiener golden collision search for finding a $2^{e_A}$-isogeny between two supersingular elliptic curves over $\mathbb{F}_{p^2}$ with $p = 2^{e_A}\cdot 3^{e_B}\cdot d - 1$. The expected and measured times list the number of degree-$2^{e_A/2}$ isogeny computations.
Solving CSSI with VW golden collision search: 128-, 160-, 192-bit security

                           p ≈ 2^448        p ≈ 2^512        p ≈ 2^536        p ≈ 2^614
 # processors  space   calendar  total   calendar  total   calendar  total   calendar  total
      m          w       time    time      time    time      time    time      time    time
 Meet-in-the-middle using depth-first search
     48         64        106     154       138     186       150     198       188     236
     48         80         90     138       122     170       134     182       172     220
     64         80         74     138       106     170       118     182       156     220
 van Oorschot and Wiener golden collision search
     48         64         88     136       112     160       121     169       149     197
     48         80         80     128       104     152       113     161       141     189
     64         80         64     128        88     152        97     161       125     189

Time complexity estimates of CSSI attacks for $p \approx 2^{448}$, $p \approx 2^{512}$, $p \approx 2^{536}$ and $p \approx 2^{614}$. All numbers are expressed in their base-2 logarithms. The unit of time is a $2^{e/2}$-isogeny computation (footnote 2), and we are ignoring communication costs.
Conclusion: MITM is more costly than VW golden collision search.
2 Calendar time is the elapsed time taken for a computation, whereas total time is the sum of the time expended by all $m$ processors.
Comments about quantum attacks
Tani's algorithm
The fastest known quantum attack on CSSI is Tani's algorithm [Tani'09], which has running time $O(p^{1/6})$ and requires $O(p^{1/6})$ space.
Grover's algorithm
Clearly, CSSI can also be solved by an application of Grover's quantum search [Grover'96], which has running time $O(p^{1/4})$. However, using $m$ quantum circuits only yields a speedup by a factor of $\sqrt{m}$ [Zalka'99].
Tani vs Grover: the recent work of Jaques and Schanck argues that Tani's algorithm is more costly than Grover's algorithm under all reasonable cost measures [Jaques & Schanck'18].
Comments about quantum attacks
NIST suggests that $2^{40}$ is the maximum depth of a quantum circuit that can be executed in one year using presently envisioned quantum computing architectures [NIST'16].
Thus, assuming that the maximum circuit depth is $2^k$, the number of quantum circuits needed to perform Grover's search in one year for $p \approx 2^r$ is approximately
$$\left(\frac{2^{r/4}}{2^k}\right)^2.$$

 Maximum depth of a      p ≈ 2^448   p ≈ 2^512   p ≈ 2^536   p ≈ 2^614
 quantum circuit (2^k)       m           m           m           m
   k = 40                   144         176         188         227
   k = 64                    96         128         140         179

Number of quantum circuits needed to perform Grover's search in one year for $p \approx 2^{448}$, $p \approx 2^{512}$, $p \approx 2^{536}$, and $p \approx 2^{614}$. All numbers are expressed in their base-2 logarithms.
Recommendations
Assuming $m \leq 2^{64}$ and $w \leq 2^{80}$, we suggest
• $p_{434} = 2^{216}\cdot 3^{137} - 1$ (instead of $p_{751} = 2^{372}\cdot 3^{239} - 1$ [Costello et al.'16]) in order to achieve 128-bit security,
• $p_{546} = 2^{273}\cdot 3^{172} - 1$ (instead of $p_{964} = 2^{486}\cdot 3^{301} - 1$ [Jao et al.'17]) in order to achieve 160-bit security, and
• $p_{610} = 2^{305}\cdot 3^{192} - 1$ in order to achieve 192-bit security.
Recommendations
SIDH operations are about 4.8 times faster when $p_{434}$ is used instead of $p_{751}$.

                     CLN library [Costello et al.'16]     CLN + enhancements
 Protocol phase        p751     p434     p546              p751    p434    p546
 KeyGen, Alice         35.7     7.51    13.20              26.9     5.3    10.5
 KeyGen, Bob           39.9     8.32    14.84              30.5     6.0    11.7
 SharedSecret, Alice   33.6     7.01    12.56              24.9     5.0    10.0
 SharedSecret, Bob     38.4     7.94    14.35              28.6     5.8    11.5

Performance of the SIDH protocol. All timings are reported in $10^6$ clock cycles, measured on an Intel Core i7-6700 supporting a Skylake micro-architecture. The "CLN + enhancements" columns are for our implementation that incorporates improved formulas for degree-4 and degree-3 isogenies from [Costello & Hisil'17] and Montgomery ladders from [Faz-Hernández et al.'17] into the CLN library.
Conclusions
• We showed that VW golden collision search can be used to attack CSSI.
• First implementations of MITM and golden collision search CSSI attacks reported.
• The implementations confirm that the performance of these attacks is accurately predicted by their heuristic analysis.
• Our concrete cost analysis of the attacks leads to the conclusion that golden collision search is more cost effective than the meet-in-the-middle attack.
• SIDH operations are about 4.8 times faster when $p_{434}$ is used instead of $p_{751}$.
SIDH parameters with $p_{434}$ could be deemed to meet the security requirements in NIST's Category 2 [NIST'16] (classical and quantum security comparable to or greater than that of SHA-256 with respect to collision resistance).
SIDH parameters with $p_{610}$ could be deemed to meet the security requirements in NIST's Category 4 [NIST'16] (classical and quantum security comparable to that of SHA-384).
Thank you for your attention
I look forward to your comments and questions. e-mail: [email protected]
We thank Steven Galbraith for the suggestion to traverse the MITM trees using depth-first search. We also thank Sam Jaques for the many discussions on Grover's and Tani's algorithms.
References
• D. Jao and L. De Feo, "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies", Post-Quantum Cryptography — PQCrypto 2011, LNCS 7071 (2011), 19–34.
• D. Charles, E. Goren and K. Lauter, "Cryptographic hash functions from expander graphs", Journal of Cryptology, 22 (2009), 93–113.
• J.M. Pollard, "Monte Carlo methods for index computation (mod p)", Mathematics of Computation, 32 (1978).
• P. van Oorschot and M. Wiener, "Improving implementable meet-in-the-middle attacks by orders of magnitude", Advances in Cryptology — CRYPTO '96, LNCS 1109 (1996), 229–236.
• L. De Feo, D. Jao and J. Plût, "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies", Journal of Mathematical Cryptology, 8 (2014), 209–247.
• D. Jao et al., "Supersingular isogeny key encapsulation", Round 1 submission, NIST Post-Quantum Cryptography Standardization, November 30, 2017.
• Wikipedia, "Sunway TaihuLight", https://en.wikipedia.org/wiki/Sunway_TaihuLight.
• Wikipedia, "Exabyte", https://en.wikipedia.org/wiki/Exabyte#Google.
• National Institute of Standards and Technology, "Submission requirements and evaluation criteria for the post-quantum cryptography standardization process", December 2016. Available from https://csrc.nist.gov/csrc/media/projects/post-quantum-cryptography/documents/call-for-proposals-final-dec-2016.pdf.
• L. Grover, "A fast quantum mechanical algorithm for database search", Proceedings of the Twenty-Eighth Annual Symposium on Theory of Computing — STOC '96, ACM Press (1996), 212–219.
• S. Tani, "Claw finding algorithms using quantum walk", Theoretical Computer Science, 410 (2009), 5285–5297.
• C. Zalka, "Grover's quantum searching algorithm is optimal", Physical Review A, 60 (1999), 2746–2751.
• C. Costello and H. Hisil, "A simple and compact algorithm for SIDH with arbitrary degree isogenies", Advances in Cryptology — ASIACRYPT 2017, LNCS 10624 (2017), 303–329.
• A. Faz-Hernández, J. López, E. Ochoa-Jiménez and F. Rodríguez-Henríquez, "A faster software implementation of the supersingular isogeny Diffie-Hellman key exchange protocol", IEEE Transactions on Computers, to appear; also available from http://eprint.iacr.org/2017/1015.
• C. Costello, P. Longa and M. Naehrig, "Efficient algorithms for supersingular isogeny Diffie-Hellman", Advances in Cryptology — CRYPTO 2016, LNCS 9814 (2016), 572–601.
• S. Jaques and J. Schanck, "Cost analyses of Tani's algorithm", in preparation.