Pre- and Post-quantum Diffie–Hellman from Groups, Actions, and Isogenies

  • Conference paper
  • Conference series: Arithmetic of Finite Fields (WAIFI 2018)
  • Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 11321)

Abstract

Diffie–Hellman key exchange is at the foundations of public-key cryptography, but conventional group-based Diffie–Hellman is vulnerable to Shor’s quantum algorithm. A range of “post-quantum Diffie–Hellman” protocols have been proposed to mitigate this threat, including the Couveignes, Rostovtsev–Stolbunov, SIDH, and CSIDH schemes, all based on the combinatorial and number-theoretic structures formed by isogenies of elliptic curves. Pre- and post-quantum Diffie–Hellman schemes resemble each other at the highest level, but the further down we dive, the more differences emerge—differences that are critical when we use Diffie–Hellman as a basic component in more complicated constructions. In this survey we compare and contrast pre- and post-quantum Diffie–Hellman algorithms, highlighting some important subtleties.

Notes

  1. More generally, Armknecht, Gagliardoni, Katzenbeisser, and Peter have shown that no group-homomorphic cryptosystem can be secure against a quantum adversary, essentially because of the existence of Shor’s algorithm [8].

  2. Some protocols do use the shared secret \(S\) as a key, most notably the textbook ElGamal encryption presented at the start of Sect. 4.

  3. If Alice immediately encrypts a message under \(K\) and sends the ciphertext to Bob with \(E\), then this is “hashed ElGamal” encryption (see [1] for a full encryption scheme in this style).

  4. Recall that \(L_X[\alpha ,c] = \exp ((c + o(1))(\log X)^\alpha (\log \log X)^{1-\alpha })\).

  5. At least, it is the only improvement as far as asymptotic complexity is concerned: implementation and distribution have improved substantially. It is, nevertheless, quite dumbfounding that in over thirty years of cryptographically-motivated research, we have only scraped a tiny constant factor away from the classical asymptotic complexity of the DLP in a generic prime-order elliptic curve over a prime finite field.

  6. Not entirely seamlessly: some operations, like hashing into \(\mathcal {G}\), become slightly more complicated when we pass from finite fields to elliptic curves (see [108]).

  7. While quotienting by \(\pm 1\) is useful in curve-based cryptosystems, it is counterproductive in multiplicative groups of finite fields. There, the pseudo-scalar multiplication is \((m,P+1/P) \mapsto P^m + 1/P^m\); computing this is slightly slower than computing simple exponentiations, and saves no space at any point.
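The pseudo-scalar multiplication of note 7 can be made concrete with a Lucas-sequence ladder: given only \(v = P + 1/P\), one computes \(P^m + 1/P^m\) without ever recovering \(P\). The following Python is an added illustration, not code from the paper; the function names, the prime \(p = 101\) and the base \(P = 2\) are constructed for this example. It also shows why the note says nothing is saved: every ladder step costs a squaring, a multiplication and a subtraction whichever the bit, so it is never cheaper than plain square-and-multiply, and the state holds two residues instead of one.

```python
# Added example (not from the paper): the pseudo-scalar multiplication
# (m, P + 1/P) -> P^m + 1/P^m in the multiplicative group of F_p, computed
# without recovering P, via the Lucas sequence V_n = P^n + P^(-n).
# Function and variable names are this example's own.

def lucas_ladder(v, m, p):
    """Return V_m = P^m + P^(-m) mod p given only v = V_1 = P + P^(-1) mod p.

    Uses V_{2k} = V_k^2 - 2 and V_{2k+1} = V_k * V_{k+1} - V_1, the
    multiplicative analogue of a Montgomery ladder's doubling and
    differential addition.  The pair (a, b) always holds (V_k, V_{k+1}).
    Each step costs one squaring, one multiplication and a subtraction,
    regardless of the bit, so it is never cheaper than square-and-multiply.
    """
    a, b = 2 % p, v % p                 # (V_0, V_1)
    for bit in bin(m)[2:]:              # most significant bit first
        if bit == "1":                  # k -> 2k + 1
            a, b = (a * b - v) % p, (b * b - 2) % p
        else:                           # k -> 2k
            a, b = (a * a - 2) % p, (a * b - v) % p
    return a


def exponent_pair(base, m, p):
    """Reference value P^m + P^(-m) mod p by ordinary modular exponentiation.
    pow() with a negative exponent needs Python 3.8 or later."""
    return (pow(base, m, p) + pow(base, -m, p)) % p


if __name__ == "__main__":
    # Constructed toy parameters: p = 101, P = 2, so v = 2 + 2^(-1) = 53 mod 101.
    p, P = 101, 2
    v = (P + pow(P, -1, p)) % p
    for m in (0, 1, 2, 37, 100):
        assert lucas_ladder(v, m, p) == exponent_pair(P, m, p)
    print("Lucas ladder agrees with direct exponentiation for all tested m")
```

The ladder never sees \(P\) itself, only the class \(\{P, 1/P\}\) represented by \(v\), which is exactly the quotient by \(\pm 1\) that the note discusses.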

  8. Buchmann, Scheidler, and Williams later proposed what they claimed was the first group-less key exchange in the infrastructure of real quadratic fields [29]. Mireles Morales investigated the infrastructure in the analogous even-degree hyperelliptic function field case [102], relating it to a subset of the class group of the field; in view of his work, it is more appropriate to describe infrastructure key exchange as group-based. In any case, coming nearly a decade after Miller, this would not have been the first non-group Diffie–Hellman.

  9. If we require this property to hold for all \(P\) in \(\mathcal {X}\), then \(\mathcal {F}\) is a commutative magma. Diffie–Hellman protocols where \(\mathcal {F}\) is equipped with a semigroup or semiring structure have been investigated [97], though the results are only of theoretical interest.

  10. The term one-way group action is used for the HHS framework in [35] and [23]. This hints at a more general setting, where actions are not necessarily simple or transitive.

  11. Algorithm 9 becomes the usual BSGS for DLPs in \(\mathfrak {G} = \langle {\mathfrak {e}}\rangle \) if we let \(\mathcal {X} = \mathfrak {G} \) (with the group operation as the action), let \(P = 1\), and let \(Q\) be the discrete log target.

  12. It might seem odd that some black-box group algorithms like BSGS and Pollard \(\rho \) adapt easily to PHSes, but not others like Pohlig–Hellman. But looking closer, BSGS and Pollard \(\rho \) in groups only require translations, and not a full group law. We can therefore see BSGS and Pollard \(\rho \) not as black-box group algorithms, but rather as black-box PHS algorithms that are traditionally applied with \(\mathcal {X} = \mathfrak {G} \).
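Notes 11 and 12 can be checked in code: write baby-step giant-step against a black-box action that only provides translations by \(\mathfrak {e}\) and by \(\mathfrak {e}^{-m}\), and the classical DLP version falls out by taking \(\mathcal {X} = \mathfrak {G}\), \(P = 1\) and \(Q\) the target. The Python below is an added example, not the paper's Algorithm 9 or any project's code; the toy PHS (a secretly relabelled copy of \(\mathbb {Z}/N\mathbb {Z}\)) and the prime \(101\) with generator \(2\) are constructed for it, and all function names are this example's own.

```python
# Added example (not from the paper): baby-step giant-step written against a
# black-box principal homogeneous space, as notes 11 and 12 describe.  The
# algorithm only ever translates points by e and by e^(-m); it never needs a
# group law on X.  All names here are this example's own.
import math
import random


def bsgs_vectorize(act, N, P, Q):
    """Find k in [0, N) with act(k, P) == Q, or return None.

    act(k, x) must return e^k * x, the action of the k-th power of a fixed
    generator e of the cyclic group G (of order N) on the point x of X.
    Cost: O(sqrt(N)) actions and O(sqrt(N)) stored points.
    """
    m = math.isqrt(N - 1) + 1                   # ceil(sqrt(N)), so m*m >= N
    baby = {}                                   # e^i * P  ->  i
    x = P
    for i in range(m):
        baby.setdefault(x, i)
        x = act(1, x)                           # translate by e
    stride = (-m) % N                           # giant step: translate by e^(-m)
    y = Q                                       # invariant: y = e^(-j*m) * Q
    for j in range(m):
        if y in baby:
            return (baby[y] + j * m) % N        # e^i * P = e^(-j*m) * Q
        y = act(stride, y)
    return None


def toy_phs(N, seed=1):
    """Constructed toy PHS: X = {0, ..., N-1} under a secret relabelling, with
    G = Z/NZ acting by translation on the hidden labels.  Returns the action
    and the labelling; the latter is exposed only so a demo can pick P and Q."""
    rng = random.Random(seed)
    label = list(range(N))
    rng.shuffle(label)
    unlabel = {v: i for i, v in enumerate(label)}

    def act(k, x):
        return label[(unlabel[x] + k) % N]

    return act, label


def dlp_as_vectorization(g, p, h):
    """Note 11's specialisation: X = G = <g> in (Z/pZ)^*, the action is the
    group law, P = 1 and Q = h.  Assumes g generates all of (Z/pZ)^*, so N = p - 1."""
    return bsgs_vectorize(lambda k, x: x * pow(g, k, p) % p, p - 1, 1, h)


if __name__ == "__main__":
    act, label = toy_phs(1000)
    P, Q = label[123], label[(123 + 777) % 1000]
    print("vectorization:", bsgs_vectorize(act, 1000, P, Q))              # 777
    print("discrete log :", dlp_as_vectorization(2, 101, pow(2, 37, 101)))  # 37
```

The same `bsgs_vectorize` solves both problems because, as note 12 observes, nothing in it uses the group structure of \(\mathcal {X}\): the dictionary lookup needs only equality of points, and the two loops need only the two translations.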

  13. Biasse, Jacobson, and Iezzi [19] have made some preliminary steps in this direction, and claim a classical complexity of \(O(\sqrt{N/M})\) for vectorization when \(\mathfrak {G}\) contains a subgroup of order \(M\). However, their algorithm assumes we can correctly guess the subgroup orbits of the vectorization targets—and this is a problem for which we have no solution that improves on exhaustive search (or vectorization). When run as a probabilistic vectorization algorithm, therefore, their algorithm runs in time \(O(\sqrt{MN})\), which is actually a factor-of-\(\sqrt{M}\) slowdown over BSGS.

  14. An elliptic curve is by definition a pair \((\mathcal {E},0_\mathcal {E})\), where \(\mathcal {E}\) is a curve of genus 1 and \(0_\mathcal {E}\) is a distinguished point on \(\mathcal {E}\) (which becomes the identity element of the group of points; cf. Example 3); so it makes sense that a morphism \((\mathcal {E},0_{\mathcal {E}}) \rightarrow (\mathcal {E}',0_{\mathcal {E}'})\) in the category of elliptic curves should be a mapping of algebraic curves \(\mathcal {E}\rightarrow \mathcal {E}'\) preserving the distinguished points, that is, mapping \(0_\mathcal {E}\) onto \(0_{\mathcal {E}'}\).

  15. If we consider endomorphisms defined over \(\mathbb {F}_{p^2}\), then the ring is noncommutative.

  16. We use classical modular polynomials here for simplicity, but alternative modular polynomials such as Atkin’s, which have smaller degree, are better in practice. These degrees are still in \(O(\ell )\), so the asymptotic efficiency of this approach does not change.

References

  1. Abdalla, M., Bellare, M., Rogaway, P.: DHAES: an encryption scheme based on the Diffie–Hellman problem. IACR Cryptology ePrint Archive 1999:7 (1999)

  2. Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. IACR Cryptology ePrint Archive 2018:313 (2018)

  3. Agashe, A., Lauter, K.E., Venkatesan, R.: Constructing elliptic curves with a known number of points over a prime field. In: van der Poorten and Stein [30], pp. 1–17

  4. Aguilar, C., Gaborit, P., Lacharme, P., Schrek, J., Zémor, G.: Noisy Diffie–Hellman protocols (2010). Slides presented at the recent results session of PQC 2010. https://pqc2010.cased.de/rr/03.pdf

  5. Akavia, A.: Solving hidden number problem with one bit oracle and advice. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 337–354. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_20

  6. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016)

  7. Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_16

  8. Armknecht, F., Gagliardoni, T., Katzenbeisser, S., Peter, A.: General impossibility of group homomorphic encryption in the quantum world. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 556–573. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_32

  9. Azarderakhsh, R., et al.: Supersingular isogeny key encapsulation (2017)

  10. Balasubramanian, R., Koblitz, N.: The improbability that an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm. J. Cryptol. 11(2), 141–145 (1998)

  11. Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_1

  12. Benaloh, J.: Simple verifiable elections. In: Wallach, D.S., Rivest, R.L. (eds.) 2006 USENIX/ACCURATE Electronic Voting Technology Workshop, EVT 2006, Vancouver, BC, Canada, 1 August 2006. USENIX Association (2006)

  13. Bentahar, K.: The equivalence between the DHP and DLP for elliptic curves used in practical applications, revisited. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 376–391. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_25

  14. Bernstein, D.J.: Curve25519: new Diffie–Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14

  15. Bernstein, D.J.: Differential addition chains. Preprint (2006)

  16. Bernstein, D.J., Chuengsatiansup, C., Lange, T., Schwabe, P.: Kummer strikes back: new DH speed records. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 317–337. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_17

  17. Bernstein, D.J., et al.: Faster discrete logarithms on FPGAs. IACR Cryptology ePrint Archive 2016:382. Document ID: 01ac92080664fb3a778a430e028e55c8 (2016)

  18. Bernstein, D.J., Lange, T., Schwabe, P.: On the correct use of the negation map in the Pollard rho method. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 128–146. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_8

  19. Biasse, J., Iezzi, A., Jacobson Jr., M.: A note on the security of CSIDH. CoRR, abs/1806.03656 (2018)

  20. Boneh, D.: The decision Diffie–Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054851

  21. Boneh, D., Lipton, R.J.: Algorithms for black-box fields and their application to cryptography (extended abstract). In: Koblitz [83], pp. 283–297

  22. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes. In: Koblitz [83], pp. 129–142

  23. Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes. IACR Cryptology ePrint Archive 2018:537 (2018)

  24. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 553–570. IEEE Computer Society (2015)

  25. Bos, J.W., Friedberger, S.: Fast arithmetic modulo \(2^xp^y\pm 1\). In: Burgess, N., Bruguera, J.D., de Dinechin, F. (eds.) IEEE Symposium on Computer Arithmetic - ARITH 2017, pp. 148–155. IEEE Computer Society (2017)

  26. Bos, J.W., Friedberger, S.: Arithmetic considerations for isogeny based cryptography. IACR Cryptology ePrint Archive 2018:376 (2018)

  27. Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0

  28. Bröker, R., Lauter, K.E., Sutherland, A.V.: Modular polynomials via isogeny volcanoes. Math. Comput. 81(278), 1201–1231 (2012)

  29. Buchmann, J., Scheidler, R., Williams, H.C.: A key-exchange protocol using real quadratic fields. J. Cryptol. 7, 171–199 (1994)

  30. van der Poorten, A., Stein, A. (eds.): High Primes and Misdemeanors: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams. Fields Institute Communications Series, vol. 42. American Mathematical Society

  31. Buchmann, J., Takagi, T., Vollmer, U.: Number field cryptography. In: van der Poorten and Stein [30], pp. 111–125

  32. Buchmann, J.A., Williams, H.C.: A key exchange system based on real quadratic fields. In: Brassard [27], pp. 335–343

  33. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28

  34. Cassels, J.W.S.: Lectures on Elliptic Curves. London Mathematical Society Student Texts, vol. 24. Cambridge University Press (1991)

  35. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. IACR Cryptology ePrint Archive 2018:383 (2018)

  36. Cheon, J.H.: Security analysis of the strong Diffie–Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_1

  37. Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)

  38. Coron, J.-S., Nielsen, J.B. (eds.): EUROCRYPT 2017. LNCS, vol. 10210. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7

  39. Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi and Peyrin [130], pp. 303–329

  40. Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron and Nielsen [38], pp. 679–706

  41. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie–Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_21

  42. Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Cryptogr. Eng. 8, 227–240 (2017)

  43. Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006:291 (2006)

  44. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)

  45. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)

  46. Déchène, I.: On the security of generalized Jacobian cryptosystems. Adv. Math. Commun. 1(4), 413–426 (2007)

  47. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016)

  48. den Boer, B.: Diffie–Hellman is as strong as discrete log for certain primes. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 530–539. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_38

  49. Deneuville, J.-C., Gaborit, P., Zémor, G.: Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 18–34. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_2

  50. Diem, C., Thomé, E.: Index calculus in class groups of non-hyperelliptic curves of genus three. J. Cryptol. 21(4), 593–611 (2008)

  51. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

  52. Ding, J.: New cryptographic constructions using generalized learning with errors problem. IACR Cryptology ePrint Archive 2012:387 (2012)

  53. Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive, 2012:688 (2012)

  54. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11

  55. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)

  56. Enge, A., Gaudry, P., Thomé, E.: An L(1/3) discrete logarithm algorithm for low degree curves. J. Cryptol. 24(1), 24–41 (2011)

  57. Faz-Hernández, A., López, J., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie–Hellman key exchange protocol. IEEE Trans. Comput. PP(99), 1 (2017)

  58. De Feo, L.: Mathematics of isogeny based cryptography. CoRR, abs/1711.04062 (2017)

  59. De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. IACR Cryptology ePrint Archive 2018:485 (2018)

  60. Fouquet, M., Morain, F.: Isogeny volcanoes and the SEA algorithm. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 276–291. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45455-1_23

  61. Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Non-interactive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_17

  62. Frey, G., Müller, M., Rück, H.: The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Trans. Inf. Theory 45(5), 1717–1719 (1999)

  63. Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron and Nielsen [38], pp. 202–231

  64. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  65. Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999)

  66. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_3

  67. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3

  68. Galbraith, S.D., Smith, B.: Discrete logarithms in generalized Jacobians. IACR Cryptology ePrint Archive 2006:333 (2006)

  69. Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Inf. Process. 17, 265 (2017)

  70. Gaudry, P.: Fast genus 2 arithmetic based on Theta functions. J. Math. Cryptol. 1(3), 243–265 (2007). https://eprint.iacr.org/2005/314/

  71. Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009)

  72. Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002)

  73. Gaudry, P., Thomé, E., Thériault, N., Diem, C.: A double large prime variation for small genus hyperelliptic index calculus. Math. Comput. 76(257), 475–492 (2007)

  74. Grémy, L., Guillevic, A.: DiscreteLogDB, a database of computations of discrete logarithms (2017). https://gitlab.inria.fr/dldb/discretelogdb

  75. Guillevic, A., Morain, F.: Discrete logarithms. In: El Mrabet and Joye [103], Chap. 9

  76. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki–Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  77. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_31

  78. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  79. Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009)

  80. Kleinjung, T., Diem, C., Lenstra, A.K., Priplata, C., Stahlke, C.: Computation of a 768-bit prime field discrete logarithm. In: Coron and Nielsen [38], pp. 185–201

  81. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)

  82. Koblitz, N.: Hyperelliptic cryptosystems. J. Cryptol. 1(3), 139–150 (1989)

  83. Koblitz, N. (ed.): CRYPTO 1996. LNCS, vol. 1109. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5

  84. Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996)

  85. Kohel, D.R., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014)

  86. Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)

  87. Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandao, F. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2013). Leibniz International Proceedings in Informatics (LIPIcs), vol. 22, pp. 20–34. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany (2013)

  88. Langley, A., Hamburg, M., Turner, S.: Elliptic curves for security. RFC, 7748, pp. 1–22 (2016)

  89. Lenstra, A.K., Lenstra, H.W. (eds.): The Development of the Number Field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993). https://doi.org/10.1007/BFb0091534

  90. Lenstra, A.K., Verheul, E.R.: The XTR public key system. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 1–19. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_1

  91. Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052240

  92. Lochter, M., Merkle, J.: Elliptic curve cryptography (ECC) brainpool standard curves and curve generation. RFC, 5639, pp. 1–27 (2010)

  93. Marlinspike, M., Perrin, T.: The X3DH key agreement protocol (2016)

  94. Martin-Lopez, E., Laing, A., Lawson, T., Alvarez, R., Zhou, X.-Q., O’Brien, J.L.: Experimental realization of Shor’s quantum factoring algorithm using qubit recycling. Nat. Photon. 6(11), 773–776 (2012)

  95. Maurer, U.M.: Towards the equivalence of breaking the Diffie–Hellman protocol and computing discrete logarithms. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 271–281. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_26

  96. Maurer, U.M., Wolf, S.: The relationship between breaking the Diffie–Hellman protocol and computing discrete logarithms. SIAM J. Comput. 28(5), 1689–1721 (1999)

  97. Maze, G., Monico, C., Rosenthal, J.: Public key cryptography based on semigroup actions. Adv. Math. Commun. 1(4), 489–507 (2007)

  98. Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)

  99. Mestre, J.: La méthode des graphes. Exemples et applications. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata), pp. 217–242 (1986)

  100. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31

  101. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)

  102. Mireles Morales, D.J.: An analysis of the infrastructure in real function fields. IACR Cryptology ePrint Archive 2008:299 (2008)

  103. El Mrabet, N., Joye, M. (eds.): Guide to Pairing-Based Cryptography. Chapman and Hall/CRC, New York (2016)

  104. Murty, V.K.: Abelian varieties and cryptography. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11596219_1

  105. Muzereau, A., Smart, N.P., Vercauteren, F.: The equivalence between the DHP and DLP for elliptic curves used in practical applications. LMS J. Comput. Math. 7, 50–72 (2004)

  106. National Institute of Standards and Technology (NIST): SP 800-56A, Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography

  107. NIST. Post-quantum cryptography standardization

  108. Ochoa-Jiménez, E., Rodríguez-Henríquez, F., Tibouchi, M.: Discrete logarithms. In: El Mrabet and Joye [103], Chap. 8

  109. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12

  110. Perrin, T., Marlinspike, M.: The double ratchet algorithm (2016)

  111. Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi and Peyrin [130], pp. 330–353

  112. Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (corresp). IEEE Trans. Inf. Theory 24(1), 106–110 (1978)

  113. Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32(143), 918–924 (1978)

  114. Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space, June 2004. arXiv:quant-ph/0406151

  115. Renes, J., Schwabe, P., Smith, B., Batina, L.: \(\mu \)Kummer: efficient hyperelliptic signatures and key exchange on microcontrollers. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 301–320. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_15

  116. Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC, 8446, pp. 1–160 (2018)

  117. Robert, D.: Theta functions and cryptographic applications. Ph.D. thesis, Université Henri Poincaré - Nancy I, July 2010

  118. Roetteler, M., Naehrig, M., Svore, K.M., Lauter, K.E.: Quantum resource estimates for computing elliptic curve discrete logarithms. In: Takagi and Peyrin [130], pp. 241–270

  119. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006:145 (2006)

  120. Rubin, K., Silverberg, A.: Torus-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 349–365. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_21

  121. Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard [27], pp. 239–252

  122. Shanks, D.: Class number, a theory of factorization and genera. Proc. Symp. Pure Math. 20, 415–440 (1971)

  123. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)

  124. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

  125. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106. Springer, New York (1992)

  126. Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999)

  127. Smith, B.: Isogenies and the discrete logarithm problem in Jacobians of genus 3 hyperelliptic curves. J. Cryptol. 22(4), 505–529 (2009)

  128. Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)

  129. Sutherland, A.V.: Accelerating the CM method. LMS J. Comput. Math. 15, 172–204 (2012)

  130. Takagi, T., Peyrin, T. (eds.): ASIACRYPT 2017. LNCS, vol. 10625. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9

  131. Tani, S.: Claw finding algorithms using quantum walk. Theor. Comput. Sci. 410(50), 5285–5297 (2009)

  132. Thormarker, E.: Post-quantum cryptography: supersingular isogeny Diffie–Hellman key exchange. Ph.D. thesis, Stockholm University (2017)

  133. Urbanik, D., Jao, D.: SoK: the problem landscape of SIDH. In: Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, APKC 2018, pp. 53–60. ACM, New York (2018)

  134. van Dam, W., Hallgren, S., Ip, L.: Quantum algorithms for some hidden shift problems. SIAM J. Comput. 36(3), 763–778 (2006)

  135. Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)

  136. Wenger, E., Wolfger, P.: Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs. J. Cryptogr. Eng. 6(4), 287–297 (2016)

Acknowledgements

I am grateful to Luca De Feo, Florian Hess, Jean Kieffer, and Antonin Leroux for the many hours they spent discussing these cryptosystems with me; and the organisers, chairs, and community of WAIFI 2018.

Author information

Corresponding author: Benjamin Smith.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Smith, B. (2018). Pre- and Post-quantum Diffie–Hellman from Groups, Actions, and Isogenies. In: Budaghyan, L., Rodríguez-Henríquez, F. (eds) Arithmetic of Finite Fields. WAIFI 2018. Lecture Notes in Computer Science(), vol 11321. Springer, Cham. https://doi.org/10.1007/978-3-030-05153-2_1

  • DOI: https://doi.org/10.1007/978-3-030-05153-2_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05152-5

  • Online ISBN: 978-3-030-05153-2
