powerpoint presentation...call-for-proposals-final-dec-2016.pdf “the goal of this process is to...

https://www.microsoft.com/en-us/research/people/plonga/

Outline

• Motivation recap

• SIDH

• SIKE

• Implementation results

• Authenticated key exchange from supersingular isogenies

TU Darmstadt, Sept 2018 Patrick Longa – Post-quantum key exchange from supersingular isogenies 1

Quick motivation recap

• Quantum computers will break public-key cryptography currently in use: cryptosystems based on factoring and (elliptic curve) discrete logarithms

• NIST launches the post-quantum cryptography standardization project:https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/

call-for-proposals-final-dec-2016.pdf

“The goal of this process is to select a number of acceptable candidate cryptosystems for standardization.”

(This includes: key encapsulation, encryption and digital signatures).


https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

Post-quantum families

Code-based

Lattice-based

Hash-based

Multivariate

Isogeny-based

Classic McEliece, QC-MDPC codes (BIKE)

NTRU, LWE (FrodoKEM), M-LWE (Kyber), R-LWE (NewHope)

Merkle hash-tree signatures (Gravity-SPHINCS, SPHINCS+)

MQDSS, Rainbow

SIDH (SIKE)


Post-quantum families: in this talk…

Code-based

Lattice-based

Hash-based

Multivariate

Isogeny-based

Classic McEliece, QCMDPC codes (BIKE)

NTRU, LWE (FrodoKEM), M-LWE (Kyber), R-LWE (NewHope)

Merkle hash-tree signatures (Gravity-SPHINCS, SPHINCS+)

MQDSS, Rainbow

SIDH (SIKE)


Supersingular isogeny key exchange

Supersingular isogeny Diffie-Hellman key exchange (SIDH)

• Proposed by Jao and De Feo in 2011.

• Compared to “predecessors” based on ordinary isogenies, SIDH has:• Much better performance

• Exponential complexity of best classical and quantum attacks.


Supersingular isogeny key exchange

Supersingular isogeny Diffie-Hellman key exchange (SIDH)

• Proposed by Jao and De Feo in 2011.

• Compared to “predecessors” based on ordinary isogenies, SIDH has:• Much better performance

• Exponential complexity of best classical and quantum attacks.

Supersingular isogeny key encapsulation (SIKE)

• Designed by Costello–De Feo–Jao–L–Naehrig–Renes in 2017.

• IND-CCA secure key encapsulation protocol based on SIDH.

• Submitted to the NIST PQC standardization process.


Elliptic curves and isogenies

• Every elliptic curve over a field 𝐾 with char(𝐾) > 3 can be defined in (short) Weierstrass form by

𝐸: 𝑦2= 𝑥3 + 𝑎𝑥 + 𝑏,

where 𝑎, 𝑏 ∈ 𝐾 and ∆ = −16(4𝑎3 + 27𝑏2) ≠ 0.




𝐸: 𝑦2= 𝑥3 + 𝑎𝑥 + 𝑏,

where 𝑎, 𝑏 ∈ 𝐾 and ∆ = −16(4𝑎3 + 27𝑏2) ≠ 0.

• For an extension field 𝐿 of 𝐾, the set of 𝐿-rational points on 𝐸

𝐸 𝐿 = 𝑥, 𝑦 ∈ 𝐿 × 𝐿: 𝑦2−𝑥3 − 𝑎𝑥 − 𝑏 = 0 ∪ {𝒪},

together with the group addition law, forms an abelian group with identity 𝒪.




𝐸: 𝑦2= 𝑥3 + 𝑎𝑥 + 𝑏,

where 𝑎, 𝑏 ∈ 𝐾 and ∆ = −16(4𝑎3 + 27𝑏2) ≠ 0.

• For an extension field 𝐿 of 𝐾, the set of 𝐿-rational points on 𝐸

𝐸 𝐿 = 𝑥, 𝑦 ∈ 𝐿 × 𝐿: 𝑦2−𝑥3 − 𝑎𝑥 − 𝑏 = 0 ∪ {𝒪},

together with the group addition law, forms an abelian group with identity 𝒪.

• Isomorphism classes are determined by the 𝒋-invariant: 𝑗 𝐸 = 1728 ∙4𝑎3

4𝑎3+27𝑏2



• Let 𝐸1 and 𝐸2 be elliptic curves defined over an extension field 𝐿.

• An isogeny is a (non-constant) rational map

𝜙: 𝐸1 → 𝐸2

that preserves identity, i.e., 𝜙(𝒪𝐸1) → 𝒪𝐸2 .



• Let 𝐸1 and 𝐸2 be elliptic curves defined over an extension field 𝐿.

• An isogeny is a (non-constant) rational map

𝜙: 𝐸1 → 𝐸2

that preserves identity, i.e., 𝜙(𝒪𝐸1) → 𝒪𝐸2 .

Relevant properties:

• Isogenies are group homomorphisms.

• For every finite subgroup 𝐺 ⊆ 𝐸1, there is a unique curve 𝐸2 (up to isomorphism) and isogeny 𝜙: 𝐸1 → 𝐸2 with kernel 𝐺. Write 𝐸2 = 𝜙 𝐸1 = 𝐸1/𝐺.

• (Separable) isogenies have deg 𝜙 = #ker 𝜙 .


Supersingular curves

• An elliptic curve 𝐸/𝐿 is supersingular if #𝐸(𝐿) ≡ 1(mod 𝑝).

• All supersingular curves can be defined over 𝔽𝑝2.

• There are ~ 𝒑/𝟏𝟐 isomorphism classes of supersingular curves.


Supersingular isogeny graphs

• Vertices: the ~ 𝑝/12 isomorphism classes of supersingular curves over 𝔽𝑝2.




• Edges: isogenies of a fixed prime degree 𝓁 ∤ 𝑝

𝓁 = 2





For any prime 𝓁 ∤ 𝑝, there exist (𝓁 + 1) isogenies of degree 𝓁originating from every supersingular curve.

𝓁 = 2





For any prime 𝓁 ∤ 𝑝, there exist (𝓁 + 1) isogenies of degree 𝓁originating from every supersingular curve.

𝓁 = 2 𝓁 = 3


Supersingular Isogeny Diffie-Hellman (SIDH)

Setup: 𝓁 ∈ 2,3 , supersingular curve 𝐸0/𝔽𝑝2 with a prime 𝑝 = 𝑓 ∙ 2𝑒𝐴3𝑒𝐵 − 1such that 2𝑒𝐴 ≈ 3𝑒𝐵 and 𝑓 small.

• Then: 𝐸 2𝑒𝐴 , 𝐸[3𝑒𝐵] ⊂ 𝐸0(𝔽𝑝2)



Setup: 𝓁 ∈ 2,3 , supersingular curve 𝐸0/𝔽𝑝2 with a prime 𝑝 = 𝑓 ∙ 2𝑒𝐴3𝑒𝐵 − 1such that 2𝑒𝐴 ≈ 3𝑒𝐵 and 𝑓 small.

• Then: 𝐸 2𝑒𝐴 , 𝐸[3𝑒𝐵] ⊂ 𝐸0(𝔽𝑝2)

works over 𝐸[2𝑒𝐴] using 2-isogenies and linearly independent points 𝑃𝐴, 𝑄𝐴.

works over 𝐸[3𝑒𝐵] using 3-isogenies and linearly independent points 𝑃𝐵, 𝑄𝐵.



𝐸0

private Alice public

E ’s are isogenous curvesP ’s, Q ’s, R ’s, S ’s are points

private Bob params



𝐸0

𝐸𝐴= 𝐸0/ 𝐴



private Bob params



𝐸0

𝐸𝐴

𝐸𝐵= 𝐸0/ 𝐵

= 𝐸0/ 𝐴



private Bob params



𝐸0

𝐸𝐴

𝐸𝐵

𝑅𝐴, 𝑆𝐴 = {𝜙𝐴 𝑃𝐵 , 𝜙𝐴(𝑄𝐵)}

𝑅𝐵 , 𝑆𝐵 = {𝜙𝐵 𝑃𝐴 , 𝜙𝐵(𝑄𝐴)}

= 𝐸0/ 𝐵

= 𝐸0/ 𝐴



private Bob params



𝐸0

𝐸𝐴

𝐸𝐵𝜙𝐴′ 𝐸𝐵𝐴



= 𝐸0/ 𝐵

= 𝐸0/ 𝐴

𝑘𝑒𝑟(𝜙𝐴′ ) = 𝐴′ = 𝑅𝐵 + [𝑠𝐴]𝑆𝐵

= 𝐸𝐵/ 𝐴′



private Bob params

𝐴′ = 𝜙𝐵 𝑃𝐴 + [𝑠𝐴]𝜙𝐵 𝑄𝐴 = 𝜙𝐵 𝑃𝐴 + [𝑠𝐴]𝑄𝐴 = 𝜙𝐵 𝐴



𝐸0

𝐸𝐴

𝐸𝐵

𝜙𝐵′

𝜙𝐴′

𝑘𝑒𝑟 𝜙𝐵′ = 𝐵′ = 𝑅𝐴 + [𝑠𝐵]𝑆𝐴

𝐸𝐴𝐵

𝐸𝐵𝐴

= 𝐸𝐴/ 𝐵′



= 𝐸0/ 𝐵

= 𝐸0/ 𝐴


= 𝐸𝐵/ 𝐴′



private Bob params

𝐵′ = 𝜙𝐴 𝑃𝐵 + [𝑠𝐵]𝜙𝐴 𝑄𝐵 = 𝜙𝐴 𝑃𝐵 + [𝑠𝐵]𝑄𝐵 = 𝜙𝐴 𝐵




𝐸0

𝐸𝐴

𝐸𝐵

𝜙𝐵′

𝜙𝐴′

𝑘𝑒𝑟 𝜙𝐵′ = 𝐵′ = 𝑅𝐴 + [𝑠𝐵]𝑆𝐴

𝐸𝐴𝐵

𝐸𝐵𝐴

= 𝐸𝐴/ 𝐵′



= 𝐸0/ 𝐵

= 𝐸0/ 𝐴


= 𝐸𝐵/ 𝐴′

𝐸𝐴𝐵 = 𝜙𝐵′ (𝜙𝐴(𝐸0)) ≅ 𝐸0/ 𝑃𝐴 + [𝑠𝐴]𝑄𝐴, 𝑃𝐵 + [𝑠𝐵]𝑄𝐵 ≅ 𝐸𝐵𝐴 = 𝜙𝐴

′ (𝜙𝐵 𝐸0 )



private Bob params





𝐸0

𝐸𝐴

𝐸𝐵



= 𝐸0/ 𝐵

= 𝐸0/ 𝐴

𝐸𝐴𝐵 = 𝜙𝐵′ (𝜙𝐴(𝐸0)) ≅ 𝐸0/ 𝑃𝐴 + [𝑠𝐴]𝑄𝐴, 𝑃𝐵 + [𝑠𝐵]𝑄𝐵 ≅ 𝐸𝐵𝐴 = 𝜙𝐴

′ (𝜙𝐵 𝐸0 )



private Bob params



𝐸0/ 𝐴, 𝐵


SIDH security

Setting: supersingular curves 𝐸1/𝔽𝑝2 and 𝐸2/𝔽𝑝2, a large prime 𝑝, and isogeny 𝜙: 𝐸1 → 𝐸2 with fixed, smooth, public degree.

Supersingular isogeny problem: given 𝑃, 𝑄 ∈ 𝐸1 and 𝜙 𝑃 ,𝜙 𝑄 ∈ 𝐸2, compute 𝜙.


SIDH security


• Best known attacks: classical 𝑂(𝑝1/4) and quantum 𝑂(𝑝1/6) via generic claw finding algorithms (“Meet-in-the-Middle”)



SIDH security


• Best known attacks: classical 𝑂(𝑝1/4) and quantum 𝑂(𝑝1/6) via generic claw finding algorithms (“Meet-in-the-Middle”)

• Recently, Adj et al. (2018) argue that the best classical attack is instead the van Oorschot–Wiener collision finding algorithm:

higher running time, but smaller space → lower cost




Drawback:

• SIDH is not secure when keys are reused (Galbraith-Petit-Shani-Ti 2016)

• Only recommended in ephemeral mode


• IND-CCA secure key encapsulation: no problem reusing keys!

• Uses a variant of Hofheinz–Hövelmanns–Kiltz (HHK) transform:

IND-CPA PKE → IND-CCA KEM

• HHK transform is secure in both the classical and quantum ROM models

• Offline key generation gives performance boost (no perf loss SIDH → SIKE)



• Three parameters sets submitted to NIST: SIKEp503, SIKEp751, SIKEp964

• Match security of AES-128, AES-192 and AES-256...

Scheme (SIKEp + log𝟐𝒑 )

𝑒𝐴, 𝑒𝐵 classical sec. quantum sec. Security level

SIKEp503 (250,159) 126 bits 84 bits AES-128 (NIST level 1)?



Starting curve 𝐸0/𝔽𝑝2: 𝑦2= 𝑥3 + 𝑥, where 𝑝 = 2𝑒𝐴3𝑒𝐵 − 1.

Security estimates only take into account Meet-in-the-Middle attack.



• Three parameters sets submitted to NIST: SIKEp503, SIKEp751, SIKEp964

• Match security of AES-128, AES-192 and AES-256... or maybe exceed their security!

Scheme (SIKEp + log𝟐𝒑 )

𝑒𝐴, 𝑒𝐵 classical sec. quantum sec. Security level




Starting curve 𝐸0/𝔽𝑝2: 𝑦2= 𝑥3 + 𝑥, where 𝑝 = 2𝑒𝐴3𝑒𝐵 − 1.

Security estimates only take into account Meet-in-the-Middle attack.




Upshot:

• Potential opportunity to tune parameters and achieve better performance.

• More research/cryptanalysis is needed.


KeyGen

1. 𝑠𝐵 ∈𝑅 [0, 2 log23𝑒𝐵 )

2. Set 𝑘𝑒𝑟 𝜙𝐵 = 𝑃𝐵 + [𝑠𝐵]𝑄𝐵3. pk𝐵 = {𝜙𝐵 𝐸0 , 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴 }

4. 𝑠 ∈𝑅 {0,1}𝑛

5. keypair: sk𝐵 = (𝑠, 𝑠𝐵), pk𝐵



KeyGen

1. 𝑠𝐵 ∈𝑅 [0, 2 log23𝑒𝐵 )


4. 𝑠 ∈𝑅 {0,1}𝑛

5. keypair: sk𝐵 = (𝑠, 𝑠𝐵), pk𝐵pk𝐵

Encaps

1. message 𝑚 ∈𝑅 0,1 𝑛

2. 𝑟 = 𝐺 𝑚, pk𝐵 mod 2𝑒𝐴

3. Set 𝑘𝑒𝑟 𝜙𝐴 = 𝑃𝐴 + [𝑟]𝑄𝐴4. pk𝐴 = {𝜙𝐴 𝐸0 , 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 }

5. 𝑗 = 𝑗 𝐸𝐴𝐵 = 𝑗(𝜙𝐴′ (𝜙𝐵(𝐸0)))

6. Shared key: 𝑠𝑠 = 𝐻(𝑚, 𝑐)



KeyGen

1. 𝑠𝐵 ∈𝑅 [0, 2 log23𝑒𝐵 )


4. 𝑠 ∈𝑅 {0,1}𝑛


Encaps




5. 𝑗 = 𝑗 𝐸𝐴𝐵 = 𝑗(𝜙𝐴′ (𝜙𝐵(𝐸0)))


encryption



KeyGen

1. 𝑠𝐵 ∈𝑅 [0, 2 log23𝑒𝐵 )


4. 𝑠 ∈𝑅 {0,1}𝑛


Encaps




5. 𝑗 = 𝑗 𝐸𝐴𝐵 = 𝑗(𝜙𝐴′ (𝜙𝐵(𝐸0)))


encryption

𝑐 = (pk𝐴, 𝐹(𝑗) ⊕𝑚)Decaps

1. 𝑗′ = 𝑗 𝐸𝐵𝐴 = 𝑗(𝜙𝐵′ (𝜙𝐴(𝐸0)))

2. 𝑚′ = 𝐹(𝑗′) ⊕ 𝑐[2]

3. 𝑟′ = 𝐺 𝑚′, pk𝐵 mod 2𝑒𝐴

4. Set 𝑘𝑒𝑟 𝜙𝐴 = 𝑃𝐴 + [𝑟′]𝑄𝐴5. pk𝐴

′ = {𝜙𝐴 𝐸0 , 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 }

6. If pk𝐴′ = 𝑐[1] then

Shared key: 𝑠𝑠 = 𝐻(𝑚′, 𝑐)

7. Else 𝑠𝑠 = 𝐻(𝑠, 𝑐)



KeyGen

1. 𝑠𝐵 ∈𝑅 [0, 2 log23𝑒𝐵 )


4. 𝑠 ∈𝑅 {0,1}𝑛


Encaps




5. 𝑗 = 𝑗 𝐸𝐴𝐵 = 𝑗(𝜙𝐴′ (𝜙𝐵(𝐸0)))


encryption


1. 𝑗′ = 𝑗 𝐸𝐵𝐴 = 𝑗(𝜙𝐵′ (𝜙𝐴(𝐸0)))

2. 𝑚′ = 𝐹(𝑗′) ⊕ 𝑐[2]



′ = {𝜙𝐴 𝐸0 , 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 }




decryption



KeyGen

1. 𝑠𝐵 ∈𝑅 [0, 2 log23𝑒𝐵 )


4. 𝑠 ∈𝑅 {0,1}𝑛


Encaps




5. 𝑗 = 𝑗 𝐸𝐴𝐵 = 𝑗(𝜙𝐴′ (𝜙𝐵(𝐸0)))


encryption


1. 𝑗′ = 𝑗 𝐸𝐵𝐴 = 𝑗(𝜙𝐵′ (𝜙𝐴(𝐸0)))

2. 𝑚′ = 𝐹(𝑗′) ⊕ 𝑐[2]



′ = {𝜙𝐴 𝐸0 , 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 }




partial re-encryption

𝐹, 𝐺, 𝐻 instantiated with cSHAKE256.

decryption



• Current release: version 3.0

https://github.com/Microsoft/PQCrypto-SIDH

• Implements SIDH and SIKE with two parameter sets: SIDH/SIKEp503 and SIDH/SIKEp751

Implementation: SIDH Library






• Includes the following implementations:

• Portable C implementation

• High-speed 64-bit implementation• With high-speed x64 assembly for the field arithmetic

• With high-speed ARMv8-A assembly for the field arithmetic







• Includes the following implementations:

• Portable C implementation

• High-speed 64-bit implementation• With high-speed x64 assembly for the field arithmetic

• With high-speed ARMv8-A assembly for the field arithmetic

• No secret branches, no secret memory accesses: protected against cache and timing attacks




Performance on x64 (SIDH v3.0)

Primitive Quantum sec. Cycles (× 𝟏𝟎𝟔) Time @3.4GHz

Passively secure key-exchange

SIDHp503 84 bits 31.5 9.2 ms

SIDHp751 125 bits 91.4 26.9 ms

IND-CCA secure KEMs

SIKEp503 84 bits 30.7 9.0 ms

SIKEp751 125 bits 88.4 26.0 ms

(*) Obtained on a 3.4GHz Intel Core i7-6700 (Skylake) processor.


very small large

Performance on x64

Primitive Quantum sec. Problem Speed Comm.

Classical

RSA 3072 ~0 bits factoring 4.6 ms 0.8 KB

ECDH NIST P-256 ~0 bits EC dlog 1.4 ms 0.1 KB


SIDHp503 84 bits ? isogenies 9.2 ms 0.7 KB

SIDHp751 125 bits ? isogenies 26.9 ms 1.1 KB

IND-CCA secure KEMs

Kyber 161 bits M-LWE 0.07 ms 1.2 KB

FrodoKEM 103–150 bits LWE 1.2–2.3 ms 9.5–15.4 KB

SIKEp503 84 bits ? isogenies 9.0 ms 0.4 KB

SIKEp751 125 bits ? isogenies 26.0 ms 0.6 KB

very fast slow(*) Obtained on 3.4GHz Intel Haswell (Kyber) or Skylake (FrodoKEM and SIKE).


Performance on 64-bit ARM (SIDH v3.0)



SIDHp503 84 bits 90.3 45.3 ms

IND-CCA secure KEMs

SIKEp503 84 bits 87.8 44.1 ms

(*) Obtained on a 1.992GHz ARM Cortex-A72 (ARMv8-A) processor.


Performance on 32-bit ARM (to be presented at CHES 2018)



SIDHp503 84 bits 176.0 88.0 ms

IND-CCA secure KEMs

SIKEp503 84 bits 172.5 86.3 ms

(*) Obtained on a 2.0GHz ARM Cortex-A15 (ARMv7-A) processor.


Authenticated key exchange from isogenies

Original SIDH and SIKE protocols do not protect against (active) MitM attacks.

• P. Longa, A Note on Post-Quantum Authenticated Key Exchange from Supersingular Isogenies, 2018. https://eprint.iacr.org/2018/267

Presents schemes for two popular ways to do authentication:

• Via digital signatures: based SIGMA protocols [Krawczyk 2003]

• Implicitly: based on KEMs [Boyd et al. 2008]

Protocols are defined under the strong security model of Canetti-Krawczyk (CK): basic session-key security, perfect forward secrecy (PFS), key-compromise impersonation (KCI) resilience, etc.


https://eprint.iacr.org/2018/267

Performance on x64: estimates for P503

Protocol Method Passes Features Speed Comm.

Unauthenticated key-exchange

SIDH - 2 PFS 9.2 ms 756 bytes

SIKE - 2 PFS 9.0 ms 780 bytes

Authenticated key-exchange

SIGMA-SIDH Sign-and-MAC 3 PFS/KCI/IM/KC 9.2 ms 948 bytes

SIGMA-I-SIDH Sign-and-MAC 3 PFS/KCI/IM/KC/IP 9.2 ms 948 bytes

AKE-SIDH-SIKE implicit 2 weak PFS/KCI 27.2 ms 1560 bytes

AKE3-SIDH-SIKE implicit 3 PFS/KCI/KC 27.2 ms 1624 bytes

(*) Estimates on a 3.4GHz Intel Core i7-6700 (Skylake) processor.(**) Speed estimates do not include network delays, cost of signing/MACs.

PFS: perfect forward secrecyKCI: key-compromise impersonation resilienceIM: identity misbinding resilience

KC: key confirmationIP: identity protection


SIKE in the NIST post-quantum “competition”

• SIKE website: http://sike.org/

• SIKE specification: http://sike.org/files/SIDH-spec.pdf

• SIDH Library: https://github.com/Microsoft/PQCrypto-SIDH

• Package (protocol specification and implementations) submitted to NIST:

https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/ documents/round-1/submissions/SIKE.zip


http://sike.org/

http://sike.org/files/SIDH-spec.pdf


https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SIKE.zip

The full SIKE team

Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, David Jao, Brian Koziel, Brian LaMacchia, Patrick Longa,

Michael Naehrig, Joost Renes, Vladimir Soukharev


References

• G. Adj, D. Cervantes-Vázquez, J.-J. Chi-Domínguez, A. Menezes, F. Rodríguez-Henríquez. On the cost of computing isogenies between supersingular elliptic curves, 2018. https://eprint.iacr.org/2018/313

• C. Boyd, Y. Cliff, J. M. González Nieto, K. G. Paterson. Efficient one-round key exchange in the standard model, in ACISP 2008.

• R. Canetti, H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels, in EUROCRYPT 2001.

• A. Childs, D. Jao, V. Soukharev. Constructing elliptic curve isogenies in quantum subexponential time, Journal of Math. Cryptology, 2014. http://arxiv.org/abs/1012.4019 (2010)

• C. Costello, P. Longa, M. Naehrig. Efficient Algorithms for supersingular isogeny Diffie-Hellman, in Advances in Cryptology–CRYPTO 2016. https://eprint.iacr.org/2016/413

• S.D. Galbraith, C. Petit, B. Shani, Y.B. Ti. On the security of supersingular isogeny cryptosystems, in ASIACRYPT 2016.

• D. Jao, L. De Feo. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, in PQCrypto2011.

• H. Krawczyk. SIGMA: the “SIGn-and-MAc” approach to authenticated Diffie-Hellman and its use in the IKE-protocols, in CRYPTO 2003.

• P. Longa. A Note on post-quantum authenticated key exchange from supersingular isogenies, 2018. https://eprint.iacr.org/2018/267



http://arxiv.org/abs/1012.4019



https://www.microsoft.com/en-us/research/people/plonga/

powerpoint presentation...call-for-proposals-final-dec-2016.pdf “the goal of this process is to...

Documents