Supersingular Isogeny Diffie–Hellman Authenticated Key Exchange

  • Atsushi Fujioka
  • Katsuyuki Takashima
  • Shintaro Terada
  • Kazuki Yoneyama
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11396)


We propose two authenticated key exchange protocols from supersingular isogenies. Our protocols are the first post-quantum one-round Diffie–Hellman-type authenticated key exchange protocols in the following respects: one is secure in the quantum random oracle model, and the other resists maximum exposure, where a non-trivial combination of secret keys is revealed. The security of the former and the latter is proven under isogeny versions of the decisional and gap Diffie–Hellman assumptions, respectively. We also propose a new approach for invalidating the Galbraith–Vercauteren-type attack on the gap problem.


Keywords: One-round authenticated key exchange; Supersingular isogeny decisional Diffie–Hellman assumption; Degree-insensitive supersingular isogeny gap Diffie–Hellman assumption; CK model; CK+ model; Quantum adversary



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Atsushi Fujioka (1), corresponding author
  • Katsuyuki Takashima (2)
  • Shintaro Terada (3)
  • Kazuki Yoneyama (3)

  1. Kanagawa University, Kanagawa, Japan
  2. Mitsubishi Electric, Kanagawa, Japan
  3. Ibaraki University, Ibaraki, Japan
