Towards Practical Key Exchange from Ordinary Isogeny Graphs

  • Luca De Feo
  • Jean Kieffer
  • Benjamin Smith
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11274)

Abstract

We revisit the ordinary isogeny-graph based cryptosystems of Couveignes and Rostovtsev–Stolbunov, long dismissed as impractical. We give algorithmic improvements that accelerate key exchange in this framework, and explore the problem of generating suitable system parameters for contemporary pre- and post-quantum security that take advantage of these new algorithms. We also prove the session-key security of this key exchange in the Canetti–Krawczyk model, and the IND-CPA security of the related public-key encryption scheme, under reasonable assumptions on the hardness of computing isogeny walks. Our systems admit efficient key-validation techniques that yield CCA-secure encryption, thus providing an important step towards efficient post-quantum non-interactive key exchange (NIKE).

Keywords

Post-quantum cryptography; Key exchange; Elliptic curves; Isogenies

Acknowledgments

We would like to thank Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes for sharing a draft of their paper with us, and Alexandre Gélin and François Morain for fruitful discussions. De Feo acknowledges the support of the French Programme d'Investissements d'Avenir under the national project RISQ no. P141580-3069086/DOS0044212.

References

  1. Abdalla, M., Bellare, M., Rogaway, P.: DHAES: an encryption scheme based on the Diffie-Hellman problem. Cryptology ePrint Archive, Report 1999/007 (1999). https://eprint.iacr.org/1999/007
  2. Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12
  3. Atkin, A.O.L., Morain, F.: Elliptic curves and primality proving. Math. Comput. 61(203), 29–68 (1993). https://doi.org/10.2307/2152935
  4. Azarderakhsh, R., et al.: Supersingular Isogeny Key Encapsulation (2017). http://sike.org
  5. Biasse, J.F., Jacobson, M.J., Silvester, A.K.: Security estimates for quadratic field based cryptosystems. In: Steinfeld, R., Hawkes, P. (eds.) Information Security and Privacy, pp. 233–247. Springer, Berlin, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_15
  6. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_8
  7. Bostan, A., Morain, F., Salvy, B., Schost, É.: Fast algorithms for computing isogenies between elliptic curves. Math. Comput. 77(263), 1755–1778 (2008). https://doi.org/10.1090/S0025-5718-08-02066-8
  8. Bröker, R., Lauter, K.E., Sutherland, A.V.: Modular polynomials via isogeny volcanoes. Math. Comput. 81(278), 1201–1231 (2012). https://doi.org/10.1090/S0025-5718-2011-02508-1
  9. Bruinier, J.H., Ono, K., Sutherland, A.V.: Class polynomials for nonholomorphic modular functions. J. Number Theory 161, 204–229 (2016). https://doi.org/10.1016/j.jnt.2015.07.002
  10. Buchmann, J., Williams, H.C.: A key-exchange system based on imaginary quadratic fields. J. Cryptology 1(2), 107–118 (1988). https://doi.org/10.1007/BF02351719
  11. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
  12. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Galbraith, S.D., Peyrin, T. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 380–411. Springer (2018)
  13. Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)
  14. Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Cryptogr. 36(1), 33–43 (2005). https://doi.org/10.1007/s10623-003-1160-8
  15. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, New York (1993). https://doi.org/10.1007/978-3-662-02945-9
  16. Cohen, H., Lenstra, H.W.: Heuristics on class groups of number fields. In: Jager, H. (ed.) Number Theory Noordwijkerhout 1983, pp. 33–62. Springer, Heidelberg (1984). https://doi.org/10.1007/BFb0099440
  17. Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-70697-9_11
  18. Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Cryptogr. Eng. 8(3), 227–240 (2017). https://doi.org/10.1007/s13389-017-0157-6, hal.inria.fr/hal-01483768
  19. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291
  20. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003). https://doi.org/10.1137/S0097539702403773
  21. De Feo, L.: Mathematics of isogeny based cryptography. CoRR abs/1711.04062 (2017). http://arxiv.org/abs/1711.04062
  22. De Feo, L., Hugounenq, C., Plût, J., Schost, É.: Explicit isogenies in quadratic time in any characteristic. LMS J. Comput. Math. 19(A), 267–282 (2016)
  23. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016). https://doi.org/10.1007/s10623-014-0010-1
  24. Serre, J.-P.: A Course in Arithmetic. GTM, vol. 7. Springer, New York (1973). https://doi.org/10.1007/978-1-4684-9884-4
  25. Fieker, C., Hart, W., Hofmann, T., Johansson, F.: Nemo/Hecke: computer algebra and number theory packages for the Julia programming language. In: Proceedings of the 2017 ACM International Symposium on Symbolic and Algebraic Computation, ISSAC 2017, pp. 157–164. ACM, New York (2017). https://doi.org/10.1145/3087604.3087611
  26. Fouquet, M., Morain, F.: Isogeny volcanoes and the SEA algorithm. In: Fieker, C., Kohel, D.R. (eds.) Algorithmic Number Theory, ANTS 2002. LNCS, vol. 2369. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45455-1_23
  27. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
  28. Galbraith, S., Stolbunov, A.: Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. 24(2), 107–131 (2013). https://doi.org/10.1007/s00200-013-0185-0
  29. Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999). https://doi.org/10.1112/S1461157000000097
  30. Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012). https://www.math.auckland.ac.nz/sgal018/crypto-book/crypto-book.html
  31. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_3
  32. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3
  33. Hamdy, S., Möller, B.: Security of cryptosystems based on class groups of imaginary quadratic orders. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 234–247. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_18
  34. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
  35. Ionica, S., Joux, A.: Pairing the volcano. Math. Comput. 82(281), 581–603 (2013)
  36. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.Y. (ed.) Post-Quantum Cryptography, PQCrypto 2011. LNCS, vol. 7071. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
  37. Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009). https://doi.org/10.1016/j.jnt.2008.11.006
  38. Jao, D., Soukharev, V.: A subexponential algorithm for evaluating large degree isogenies. In: Hanrot, G., Morain, F., Thomé, E. (eds.) Algorithmic Number Theory, ANTS 2010. LNCS, vol. 6197. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14518-6_19
  39. Kieffer, J.: Étude et accélération du protocole d'échange de clés de Couveignes-Rostovtsev-Stolbunov [Study and acceleration of the Couveignes-Rostovtsev-Stolbunov key exchange protocol]. Master's thesis, Inria Saclay & Université Paris VI (2017)
  40. Ko, K.H., Lee, S.J., Cheon, J.H., Han, J.W., Kang, J., Park, C.: New public-key cryptosystem using braid groups. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 166–183. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_10
  41. Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996)
  42. Kohel, D.R.: Echidna databases (2018). http://iml.univ-mrs.fr/~kohel/dbs/
  43. Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)
  44. Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandao, F. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2013). LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl–Leibniz-Zentrum für Informatik, Dagstuhl, Germany (2013). https://doi.org/10.4230/LIPIcs.TQC.2013.20, http://drops.dagstuhl.de/opus/volltexte/2013/4321
  45. Lang, S.: Elliptic Functions. Graduate Texts in Mathematics. Springer, New York (1987). https://doi.org/10.1007/978-1-4612-4752-4
  46. Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052240
  47. Littlewood, J.E.: On the class-number of the corpus \(p(\sqrt{k})\). Proc. London Math. Soc. 2(1), 358–372 (1928)
  48. Maze, G., Monico, C., Rosenthal, J.: Public key cryptography based on semigroup actions. Adv. Math. Commun. 1(4), 489–507 (2007). https://doi.org/10.3934/amc.2007.1.489
  49. Mestre, J.: La méthode des graphes. Exemples et applications [The graph method. Examples and applications]. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata), pp. 217–242 (1986)
  50. Miret, J.M., Moreno, R., Sadornil, D., Tena, J., Valls, M.: An algorithm to compute volcanoes of 2-isogenies of elliptic curves over finite fields. Appl. Math. Comput. 176(2), 739–750 (2006)
  51. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)
  52. Morain, F.: Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques [Computing the number of points on an elliptic curve over a finite field: algorithmic aspects]. J. Théor. Nombres Bordeaux 7(1), 255–282 (1995). http://jtnb.cedram.org/item?id=JTNB_1995__7_1_255_0 (Les Dix-huitièmes Journées Arithmétiques, Bordeaux, 1993)
  53. National Institute of Standards and Technology: Announcing request for nominations for public-key post-quantum cryptographic algorithms (2016). https://www.federalregister.gov/d/2016-30615
  54. Okeya, K., Kurumatani, H., Sakurai, K.: Elliptic curves with the Montgomery-form and their cryptographic applications. In: Imai, H., Zheng, Y. (eds.) Public Key Cryptography, PKC 2000. LNCS, vol. 1751. Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-540-46588-1_17
  55. Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space (June 2004). arXiv:quant-ph/0406151. http://arxiv.org/abs/quant-ph/0406151
  56. Renes, J.: Computing isogenies between Montgomery curves using the action of (0, 0). In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 229–247. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_11
  57. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (April 2006). http://eprint.iacr.org/2006/145/
  58. Schoof, R.: Counting points on elliptic curves over finite fields. J. Théor. Nombres Bordeaux 7(1), 219–254 (1995)
  59. Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6
  60. Silverman, J.H.: Advanced Topics in the Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Springer, New York (1994)
  61. Stolbunov, A.: Reductionist security arguments for public-key cryptographic schemes based on group action. In: Mjølsnes, S.F. (ed.) Norsk informasjonssikkerhetskonferanse (NISK) (2009)
  62. Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
  63. Stolbunov, A.: Cryptographic schemes based on isogenies (2012)
  64. Sutherland, A.V.: Accelerating the CM method. LMS J. Comput. Math. 15, 172–204 (2012). https://doi.org/10.1112/S1461157012001015
  65. Sutherland, A.V.: Constructing elliptic curves over finite fields with prescribed torsion. Math. Comput. 81, 1131–1147 (2012)
  66. Sutherland, A.V.: Modular polynomials (2018). https://math.mit.edu/~drew/ClassicalModPolys.html
  67. Teske, E.: An elliptic curve trapdoor system. J. Cryptology 19(1), 115–133 (2006). https://doi.org/10.1007/s00145-004-0328-3
  68. Urbanik, D., Jao, D.: SoK: The problem landscape of SIDH. Cryptology ePrint Archive, Report 2018/336 (2018). https://doi.org/10.1145/3197507.3197516, https://eprint.iacr.org/2018/336
  69. Vélu, J.: Isogénies entre courbes elliptiques [Isogenies between elliptic curves]. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)
  70. Zimmermann, P., Dodson, B.: 20 years of ECM. In: Hess, F., Pauli, S., Pohst, M. (eds.) Algorithmic Number Theory, ANTS 2006. LNCS, vol. 4076, pp. 525–542. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_37
  71. Zimmermann, P., et al.: GMP-ECM software (2018). http://ecm.gforge.inria.fr/

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. UVSQ, LMV, Université Paris Saclay, Versailles, France
  2. École Normale Supérieure, Paris, France
  3. IMB - Institut de Mathématiques de Bordeaux, Inria Bordeaux - Sud-Ouest, Talence, France
  4. Inria and École polytechnique, Université Paris Saclay, Palaiseau, France