csidh : an efficient post-quantum commutative group action · replace exponentiation on the group g...
TRANSCRIPT
CSIDH:An Efficient Post-QuantumCommutative Group Action
Wouter Castryck1 Tanja Lange2 Chloe Martindale2
Lorenz Panny2 Joost Renes3
1KU Leuven 2TU Eindhoven 3Radboud Universiteit
Crypto Working Group, Utrecht, 14 September 2018
1 / 21
["si:saId]
2 / 21
Why CSIDH?
I Drop-in post-quantum replacement for (EC)DH
I Non-interactive key exchange (full public-key validation);previously an open problem post-quantumly (w/ reasonable speed)
I Small keys: 64 bytes at conjectured AES-128 security levelI Competitive speed: ∼ 85 ms for a full key exchangeI Flexible: compatible with 0-RTT protocols such as QUIC;
recent preprint uses CSIDH for ‘SeaSign’ signatures
3 / 21
Why CSIDH?
I Drop-in post-quantum replacement for (EC)DHI Non-interactive key exchange (full public-key validation);
previously an open problem post-quantumly (w/ reasonable speed)
I Small keys: 64 bytes at conjectured AES-128 security levelI Competitive speed: ∼ 85 ms for a full key exchangeI Flexible: compatible with 0-RTT protocols such as QUIC;
recent preprint uses CSIDH for ‘SeaSign’ signatures
3 / 21
Why CSIDH?
I Drop-in post-quantum replacement for (EC)DHI Non-interactive key exchange (full public-key validation);
previously an open problem post-quantumly (w/ reasonable speed)
I Small keys: 64 bytes at conjectured AES-128 security level
I Competitive speed: ∼ 85 ms for a full key exchangeI Flexible: compatible with 0-RTT protocols such as QUIC;
recent preprint uses CSIDH for ‘SeaSign’ signatures
3 / 21
Why CSIDH?
I Drop-in post-quantum replacement for (EC)DHI Non-interactive key exchange (full public-key validation);
previously an open problem post-quantumly (w/ reasonable speed)
I Small keys: 64 bytes at conjectured AES-128 security levelI Competitive speed: ∼ 85 ms for a full key exchange
I Flexible: compatible with 0-RTT protocols such as QUIC;recent preprint uses CSIDH for ‘SeaSign’ signatures
3 / 21
Why CSIDH?
I Drop-in post-quantum replacement for (EC)DHI Non-interactive key exchange (full public-key validation);
previously an open problem post-quantumly (w/ reasonable speed)
I Small keys: 64 bytes at conjectured AES-128 security levelI Competitive speed: ∼ 85 ms for a full key exchangeI Flexible: compatible with 0-RTT protocols such as QUIC;
recent preprint uses CSIDH for ‘SeaSign’ signatures
3 / 21
Post-quantum Diffie-Hellman?
Traditionally, Diffie-Hellman works in a group G via the map
Z× G → G(x, g) 7→ gx.
Shor’s algorithm quantumly computes x from gx in any groupin polynomial time.
Idea:
Replace exponentiation on the group G by a group action of agroup H on a set S:
H × S→ S.
4 / 21
Post-quantum Diffie-Hellman?
Traditionally, Diffie-Hellman works in a group G via the map
Z× G → G(x, g) 7→ gx.
Shor’s algorithm quantumly computes x from gx in any groupin polynomial time.
Idea:
Replace exponentiation on the group G by a group action of agroup H on a set S:
H × S→ S.
4 / 21
Post-quantum Diffie-Hellman!
Traditionally, Diffie-Hellman works in a group G via the map
Z× G → G(x, g) 7→ gx.
Shor’s algorithm quantumly computes x from gx in any groupin polynomial time.
Idea:
Replace exponentiation on the group G by a group action of agroup H on a set S:
H × S→ S.
4 / 21
Square-and-multiply
Suppose G ∼= Z/23 and that Alice computes g13.
·g·g·g
·g
·g
·g
·g
·g
·g·g
·g ·g ·g
·g
·g2
·g2
·g2
·g2
·g2·g2
·g
·g4
·g4
·g4
·g
·g4
·g8
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11 g12 g13g14
g15
g16
g17
g18
g19
g20
g21g22
5 / 21
Square-and-multiply
Suppose G ∼= Z/23 and that Alice computes g13.
·g·g·g
·g
·g
·g
·g
·g
·g·g
·g ·g ·g
·g
·g2
·g2
·g2
·g2
·g2·g2
·g
·g4
·g4
·g4
·g
·g4
·g8
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11 g12 g13g14
g15
g16
g17
g18
g19
g20
g21g22
5 / 21
Square-and-multiply
Suppose G ∼= Z/23 and that Alice computes g13.
·g·g·g
·g
·g
·g
·g
·g
·g·g
·g ·g ·g
·g
·g2
·g2
·g2
·g2
·g2·g2
·g
·g4
·g4
·g4
·g
·g4
·g8
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11 g12 g13g14
g15
g16
g17
g18
g19
g20
g21g22
5 / 21
Square-and-multiply
Suppose G ∼= Z/23 and that Alice computes g13.
·g·g·g
·g
·g
·g
·g
·g
·g·g
·g ·g ·g
·g
·g2
·g2
·g2
·g2
·g2·g2
·g
·g4
·g4
·g4
·g
·g4
·g8
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11 g12 g13g14
g15
g16
g17
g18
g19
g20
g21g22
5 / 21
Square-and-multiply
Suppose G ∼= Z/23 and that Alice computes g13.
·g·g·g
·g
·g
·g
·g
·g
·g·g
·g ·g ·g
·g
·g2
·g2
·g2
·g2
·g2·g2
·g
·g4
·g4
·g4
·g
·g4
·g8
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11 g12 g13g14
g15
g16
g17
g18
g19
g20
g21g22
5 / 21
Cycles!
·g·g·g
·g·g·g·g·g
·g ·g ·g ·g ·g·g·g·g·g·g
·g·g·g·g·g
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22
·g2·g2
·g2
·g2
·g2
·g2
·g2
·g2
·g2·g2·g2·g2·g2·g
2·g2·g2·g2·g2
·g2·g2·g2·g2·g2
g0
g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11g12
g13
g14
g15
g16
g17
g18
g19
g20
g21
g22
·g4·g4
·g4
·g4
·g4
·g4
·g4
·g4
·g4·g4·g4·g4·g4·g
4·g4·g4·g4·g4
·g4·g4·g4·g4·g4
g0
g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11g12
g13g14
g15
g16
g17
g18
g19
g20
g21
g22
·g8·g8
·g8
·g8
·g8
·g8
·g8
·g8
·g8·g8·g8·g8·g8·g
8·g8·g8·g8·g8
·g8·g8·g8·g8·g8
g0
g1
g2
g3
g4
g5
g6
g7g8
g9
g10
g11 g12
g13
g14
g15g16
g17
g18
g19g20
g21
g22
Cycles are compatible: [right, then left] = [left, then right], etc.
6 / 21
Cycles!g0
g1g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22 g0
g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11g12
g13
g14
g15
g16
g17
g18
g19
g20
g21
g22
g0
g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11g12
g13g14
g15
g16
g17
g18
g19
g20
g21
g22
g0
g1
g2
g3
g4
g5
g6
g7g8
g9
g10
g11 g12
g13
g14
g15g16
g17
g18
g19g20
g21
g22
Cycles are compatible: [right, then left] = [left, then right], etc.
6 / 21
Cycles!g0
g1g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22 g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22 g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22
Cycles are compatible: [right, then left] = [left, then right], etc.
6 / 21
Cycles!g0
g1g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22 g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22 g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10g11 g12 g13
g14g15
g16
g17
g18
g19g20
g21g22
Cycles are compatible: [right, then left] = [left, then right], etc.
6 / 21
Union of cycles: rapid mixingg0
g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11 g12g13
g14
g15
g16
g17
g18
g19
g20
g21g22
CSIDH: Nodes are now elliptic curves and edges are isogenies.
7 / 21
Union of cycles: rapid mixing
g0g1
g2
g3
g4
g5
g6
g7
g8
g9
g10
g11 g12g13
g14
g15
g16
g17
g18
g19
g20
g21g22
CSIDH: Nodes are now elliptic curves and edges are isogenies.
7 / 21
Graphs of elliptic curvesE0E158
E410
E368
E404
E75
E144
E191
E174
E413
E379
E124
E199 E390 E29E220
E295
E40
E6
E245
E228
E275
E344
E15
E51
E9
E261
Nodes: Supersingular curves EA : y2 = x3 + Ax2 + x over F419.Edges: 3-, 5-, and 7-isogenies (certain kinds of maps).
8 / 21
Graphs of elliptic curvesE0E158
E410
E368
E404
E75
E144
E191
E174
E413
E379
E124
E199 E390 E29E220
E295
E40
E6
E245
E228
E275
E344
E15
E51
E9
E261
Nodes: Supersingular curves EA : y2 = x3 + Ax2 + x over F419.
Edges: 3-, 5-, and 7-isogenies (certain kinds of maps).
8 / 21
Graphs of elliptic curvesE0E158
E410
E368
E404
E75
E144
E191
E174
E413
E379
E124
E199 E390 E29E220
E295
E40
E6
E245
E228
E275
E344
E15
E51
E9
E261
Nodes: Supersingular curves EA : y2 = x3 + Ax2 + x over F419.Edges: 3-, 5-, and 7-isogenies (certain kinds of maps).
8 / 21
Graphs of elliptic curves
E0E158E410E368
E404
E75
E144
E191
E174
E413
E379
E124E199 E390 E29
E220
E295
E40
E6
E245
E228
E275
E344
E15
E51
E9E261
A 3-isogeny(picture not to scale)
E51: y2=x3+51x2+x E9: y2=x3+9x2+x
(x, y)(
97x3−183x2+xx2−183x+97 ,
y· 133x3+154x2−5x+97−x3+65x2+128x−133
)
9 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−,+,−] [+,+,−,+]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+↑,−,+,−] [+
↑,+,−,+]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−
↑,+,−] [+,+
↑,−,+]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−,+
↑,−] [+,+,−
↑,+]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−,+,−
↑] [+,+,−,+
↑]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−,+,−] [+,+,−,+]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+↑,−,+,−] [+
↑,+,−,+]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−
↑,+,−] [+,+
↑,−,+]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−,+
↑,−] [+,+,−
↑,+]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−,+,−
↑] [+,+,−,+
↑]
10 / 21
Diffie-Hellman on ‘nice’ graphs
Alice Bob[+,−,+,−] [+,+,−,+]
10 / 21
A walkable graph
Important properties for such a walk:
IP1 I The graph is a composition of compatible cycles.IP2 I We can compute neighbours in given directions.
11 / 21
IP1: A composition of cycles
I The graph used in CSIDH is constructed as a compositionof graphs G` of ‘`-isogenies’.
12 / 21
IP1: A composition of cycles
I The graph used in CSIDH is constructed as a compositionof graphs G` of ‘`-isogenies’.
I In our example, these areE0E158E410
E368
E404
E75
E144
E191
E174
E413
E379E124
E199 E390 E29E220
E295
E40
E6
E245
E228
E275
E344
E15
E51
E9E261
G3:
12 / 21
IP1: A composition of cycles
I The graph used in CSIDH is constructed as a compositionof graphs G` of ‘`-isogenies’.
I In our example, these areE0E158E410
E368
E404
E75
E144
E191
E174
E413
E379E124
E199 E390 E29E220
E295
E40
E6
E245
E228
E275
E344
E15
E51
E9E261
G5:
12 / 21
IP1: A composition of cycles
I The graph used in CSIDH is constructed as a compositionof graphs G` of ‘`-isogenies’.
I In our example, these areE0E158E410
E368
E404
E75
E144
E191
E174
E413
E379E124
E199 E390 E29E220
E295
E40
E6
E245
E228
E275
E344
E15
E51
E9E261
G7:
12 / 21
IP1: A composition of cycles
I The graph used in CSIDH is constructed as a compositionof graphs G` of ‘`-isogenies’.
I In our example, these areE0E158E410
E368
E404
E75
E144
E191
E174
E413
E379E124
E199 E390 E29E220
E295
E40
E6
E245
E228
E275
E344
E15
E51
E9E261
G3∪G5∪G7:
12 / 21
IP1: A composition of cycles
I The graph used in CSIDH is constructed as a compositionof graphs G` of ‘`-isogenies’.
I Generally, the G` look something like
G3: G5:
I We want to make sure G` is just a cycle.
12 / 21
IP1: A composition of cycles
I The graph used in CSIDH is constructed as a compositionof graphs G` of ‘`-isogenies’.
I Generally, the G` look something like
G3: G5:
I We want to make sure G` is just a cycle.
12 / 21
IP2: Compute neighbours in given directions
The edges of G` are `-isogenies.
(picture not to scale)
E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x
(x, y)(
97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97
−x3+65x2+128x−133
)
I The orientation of G` is mathematically well-defined(canonical way to compute the ‘left’ or ‘right’ isogeny).
I The cost grows with ` want small `.I Generally needs big extension fields...
13 / 21
IP2: Compute neighbours in given directions
The edges of G` are `-isogenies.
(picture not to scale)
E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x
(x, y)(
97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97
−x3+65x2+128x−133
)
I The orientation of G` is mathematically well-defined(canonical way to compute the ‘left’ or ‘right’ isogeny).
I The cost grows with ` want small `.I Generally needs big extension fields...
13 / 21
IP2: Compute neighbours in given directions
The edges of G` are `-isogenies.
(picture not to scale)
E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x
(x, y)(
97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97
−x3+65x2+128x−133
)
I The orientation of G` is mathematically well-defined(canonical way to compute the ‘left’ or ‘right’ isogeny).
I The cost grows with ` want small `.
I Generally needs big extension fields...
13 / 21
IP2: Compute neighbours in given directions
The edges of G` are `-isogenies.
(picture not to scale)
E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x
(x, y)(
97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97
−x3+65x2+128x−133
)
I The orientation of G` is mathematically well-defined(canonical way to compute the ‘left’ or ‘right’ isogeny).
I The cost grows with ` want small `.I Generally needs big extension fields...
13 / 21
Point counting
Both ‘IP’s are connected to the number of points on the curves.
It seems difficult to find a curve with a given number of points(and such that the graph is big). [De Feo–Kieffer–Smith]
14 / 21
Point counting
Both ‘IP’s are connected to the number of points on the curves.
It seems difficult to find a curve with a given number of points(and such that the graph is big). [De Feo–Kieffer–Smith]
14 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.
I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.I Let the nodes of G`i be those EA with p + 1 points.I Then every G`i is a disjoint union of cycles.I All G`i are compatible.I Computations need only Fp-arithmetic.
15 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.
I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.I Let the nodes of G`i be those EA with p + 1 points.I Then every G`i is a disjoint union of cycles.I All G`i are compatible.I Computations need only Fp-arithmetic.
15 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.I Let the nodes of G`i be those EA with p + 1 points.I Then every G`i is a disjoint union of cycles.I All G`i are compatible.I Computations need only Fp-arithmetic.
15 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.I Let the nodes of G`i be those EA with p + 1 points.I Then every G`i is a disjoint union of cycles.I All G`i are compatible.I Computations need only Fp-arithmetic.
15 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.
I Let the nodes of G`i be those EA with p + 1 points.I Then every G`i is a disjoint union of cycles.I All G`i are compatible.I Computations need only Fp-arithmetic.
15 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.I Let the nodes of G`i be those EA with p + 1 points.
I Then every G`i is a disjoint union of cycles.I All G`i are compatible.I Computations need only Fp-arithmetic.
15 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.I Let the nodes of G`i be those EA with p + 1 points.I Then every G`i is a disjoint union of cycles.
I All G`i are compatible.I Computations need only Fp-arithmetic.
15 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.I Let the nodes of G`i be those EA with p + 1 points.I Then every G`i is a disjoint union of cycles.I All G`i are compatible.
I Computations need only Fp-arithmetic.
15 / 21
Salt water (CSIDH, get it?) is a solution (do bad chemistry jokes belong in crypto talks?)
1. I Choose some small odd primes `1, . . . , `n.I Make sure p = 4 · `1 · · · `n − 1 is prime.I Fix the curve E0 : y2 = x3 + x over Fp.
2. magic math happens!
3. I E0 has p + 1 points.I Let the nodes of G`i be those EA with p + 1 points.I Then every G`i is a disjoint union of cycles.I All G`i are compatible.I Computations need only Fp-arithmetic.
15 / 21
Representing nodes of the graph
Side effect of magic:
I Every node of G`i can be written as
EA : y2 = x3 + Ax2 + x.
⇒ Can compress every node to a single value A ∈ Fp.⇒ Tiny keys!
16 / 21
Representing nodes of the graph
Side effect of magic:
I Every node of G`i can be written as
EA : y2 = x3 + Ax2 + x.
⇒ Can compress every node to a single value A ∈ Fp.
⇒ Tiny keys!
16 / 21
Representing nodes of the graph
Side effect of magic:
I Every node of G`i can be written as
EA : y2 = x3 + Ax2 + x.
⇒ Can compress every node to a single value A ∈ Fp.⇒ Tiny keys!
16 / 21
Does any A work?
No.
I About√p of all A ∈ Fp are valid keys.
I Public-key validation: Check that EA has p + 1 points.Easy Monte-Carlo algorithm: Pick random P on EA and check [p + 1]P = ∞.1
1This algorithm has a small chance of false positives, but we actually use avariant that proves that EA has p + 1 points.
17 / 21
Does any A work?
No.
I About√p of all A ∈ Fp are valid keys.
I Public-key validation: Check that EA has p + 1 points.Easy Monte-Carlo algorithm: Pick random P on EA and check [p + 1]P = ∞.1
1This algorithm has a small chance of false positives, but we actually use avariant that proves that EA has p + 1 points.
17 / 21
Does any A work?
No.
I About√p of all A ∈ Fp are valid keys.
I Public-key validation: Check that EA has p + 1 points.Easy Monte-Carlo algorithm: Pick random P on EA and check [p + 1]P = ∞.1
1This algorithm has a small chance of false positives, but we actually use avariant that proves that EA has p + 1 points.
17 / 21
Does any A work?
No.
I About√p of all A ∈ Fp are valid keys.
I Public-key validation: Check that EA has p + 1 points.Easy Monte-Carlo algorithm: Pick random P on EA and check [p + 1]P = ∞.1
1This algorithm has a small chance of false positives, but we actually use avariant that proves that EA has p + 1 points.
17 / 21
Security
Classical:I Meet-in-the-middle variants: Time O( 4
√p).
Quantum:I Hidden-shift algorithms: Subexponential complexity.
I Literature contains mostly asymptotics.I Time-space trade-off: Fastest variants need huge memory.I Concrete estimates are to be done.I (Recent preprint [BS] ignores much of the cost!)
18 / 21
Security
Classical:I Meet-in-the-middle variants: Time O( 4
√p).
Quantum:I Hidden-shift algorithms: Subexponential complexity.
I Literature contains mostly asymptotics.I Time-space trade-off: Fastest variants need huge memory.I Concrete estimates are to be done.I (Recent preprint [BS] ignores much of the cost!)
18 / 21
Security
Classical:I Meet-in-the-middle variants: Time O( 4
√p).
Quantum:I Hidden-shift algorithms: Subexponential complexity.
I Literature contains mostly asymptotics.I Time-space trade-off: Fastest variants need huge memory.I Concrete estimates are to be done.
I (Recent preprint [BS] ignores much of the cost!)
18 / 21
Security
Classical:I Meet-in-the-middle variants: Time O( 4
√p).
Quantum:I Hidden-shift algorithms: Subexponential complexity.
I Literature contains mostly asymptotics.I Time-space trade-off: Fastest variants need huge memory.I Concrete estimates are to be done.I (Recent preprint [BS] ignores much of the cost!)
18 / 21
Parameters
CSIDH-log p targ
etN
IST
leve
l
publ
icke
ysi
ze
priv
ate
key
size
tim
e(f
ulle
xcha
nge)
cycl
es(f
ulle
xcha
nge)
stac
km
emor
y
clas
sica
lsec
urit
y
quan
tum
secu
rity
clai
med
by[B
S](t
ake
cum
gran
osa
lis)
CSIDH-512 1 64 b 32 b 85 ms 212e6 4368 b 128 71CSIDH-1024 3 128 b 64 b 256 88CSIDH-1792 5 224 b 112 b 448 104
19 / 21
Work in progress & future work
I Fast and constant-time implementation
I Reliable security analysisI More applications
I [Your paper here!]
20 / 21
Work in progress & future work
I Fast and constant-time implementationI Reliable security analysis
I More applications
I [Your paper here!]
20 / 21
Work in progress & future work
I Fast and constant-time implementationI Reliable security analysisI More applications
I [Your paper here!]
20 / 21
Work in progress & future work
I Fast and constant-time implementationI Reliable security analysisI More applications
I [Your paper here!]
20 / 21
Thank you!
21 / 21
References
Mentioned in this talk:
I Castryck, Lange, Martindale, Panny, Renes:CSIDH: An Efficient Post-Quantum Commutative Group Actionhttps://ia.cr/2018/383 (to appear at ASIACRYPT 2018)
I De Feo, Kieffer, Smith:Towards practical key exchange from ordinary isogeny graphshttps://ia.cr/2018/485 (to appear at ASIACRYPT 2018)
I De Feo, Galbraith:SeaSign: Compact isogeny signatures from class group actionshttps://ia.cr/2018/824
I [BS] Bonnetain, Schrottenloher:Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemeshttps://ia.cr/2018/537
Other related work:I Delfs, Galbraith:
Computing isogenies between supersingular elliptic curves over Fphttps://arxiv.org/abs/1310.7789
I Childs, Jao, Soukharev:Constructing elliptic curve isogenies in quantum subexponential timehttps://arxiv.org/abs/1012.4019
I Meyer, Reith:A faster way to the CSIDHhttps://ia.cr/2018/782(to appear at Indocrypt 2018)
I Jao, LeGrow, Leonardi, Ruiz-Lopez:A polynomial quantum space attack on CRS and CSIDH(MathCrypt 2018)
I Biasse, Iezzi, Jacobson:A note on the security of CSIDHhttps://arxiv.org/abs/1806.03656(to appear at Indocrypt 2018)
Where’s the group?
(picture not to scale)
E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x
(x, y)(
97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97
−x3+65x2+128x−133
)
I E9 = E51/a where a is the ideal (3, π − 1) of EndFp(E51).
I For our choices of A, EndFp(EA) ∼= Z[√−p].I The group action is
cl(Z[√−p])× {EA} −→ {EA}
([a],E) 7−→ E/a
(modulo details).
Where’s the group?
(picture not to scale)
E51 : y2 = x3 + 51x2 + x E9 : y2 = x3 + 9x2 + x
(x, y)(
97x3−183x2+xx2−183x+97 , y · 133x3+154x2−5x+97
−x3+65x2+128x−133
)
I E9 = E51/a where a is the ideal (3, π − 1) of EndFp(E51).
I For our choices of A, EndFp(EA) ∼= Z[√−p].I The group action is
cl(Z[√−p])× {EA} −→ {EA}
([a],E) 7−→ E/a
(modulo details).