SeaSign: Compact Isogeny Signatures from Class Group Actions

  • Luca De Feo
  • Steven D. Galbraith
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11478)

Abstract

We give a new signature scheme for isogenies that combines the class group actions of CSIDH with the notion of Fiat-Shamir with aborts. Our techniques yield signatures of size less than one kilobyte at the 128-bit security level, even with a tight security reduction (to a non-standard problem) in the quantum random oracle model. Hence our signatures are potentially shorter than lattice signatures, but signing and verification are currently very expensive.
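The abstract names "Fiat-Shamir with aborts" as one of the two ingredients. The following toy model is an added illustration of what that abort (rejection-sampling) rule buys; it is not code from the paper and it omits the isogeny computation entirely. Its parameters are assumptions made here for illustration: the secret is an integer exponent vector e in [-B, B]^n, the ephemeral mask f is uniform in [-(D+1)B, (D+1)B]^n, the challenge is a single bit c, and the response z = f - c·e is released only if every coordinate lies in [-D·B, D·B]. The functions `respond`, `sign_with_aborts`, `acceptance_probability`, `response_is_secret_independent` and `leak_without_aborts` are hypothetical helper names.

```python
"""Toy model (added example, not the paper's code) of the Fiat-Shamir with
aborts step on exponent vectors.

Assumed parameters, chosen here for illustration only:
  n  -- length of the exponent vector
  B  -- secret coordinates lie in [-B, B]
  D  -- mask coordinates lie in [-(D+1)B, (D+1)B]; a response is released
        only if all its coordinates lie in [-D*B, D*B]
The group action itself is omitted; only the exponent arithmetic that the
abort rule inspects is modelled.
"""
import itertools
import random
from fractions import Fraction


def in_box(v, bound):
    """True if every coordinate of v lies in [-bound, bound]."""
    return all(-bound <= x <= bound for x in v)


def sample_mask(n, B, D, rng):
    """Uniform ephemeral mask f in [-(D+1)B, (D+1)B]^n."""
    bound = (D + 1) * B
    return [rng.randint(-bound, bound) for _ in range(n)]


def respond(e, c, f, B, D):
    """Response z = f - c*e, or None when the abort rule rejects it."""
    z = [fi - c * ei for fi, ei in zip(f, e)]
    return z if in_box(z, D * B) else None


def sign_with_aborts(e, c, B, D, rng, max_tries=10_000):
    """Resample the mask until the abort rule passes; return (z, tries)."""
    for tries in range(1, max_tries + 1):
        z = respond(e, c, sample_mask(len(e), B, D, rng), B, D)
        if z is not None:
            return z, tries
    raise RuntimeError("too many aborts")


def acceptance_probability(n, B, D):
    """Exact probability that one attempt survives the abort rule.

    Each accepted coordinate value is hit by exactly one mask value, so the
    count is (2DB+1)^n accepted out of (2(D+1)B+1)^n masks, whatever e and c.
    """
    inner = 2 * D * B + 1
    outer = 2 * (D + 1) * B + 1
    return Fraction(inner, outer) ** n


def response_is_secret_independent(n, B, D):
    """Exhaustive check for small parameters: every z in the accepted box is
    reachable from exactly one mask f = z + c*e inside the mask box, for every
    secret e and challenge c. Hence the accepted responses are uniform on the
    box and carry no information about e."""
    inner, outer = D * B, (D + 1) * B
    for e in itertools.product(range(-B, B + 1), repeat=n):
        for c in (0, 1):
            for z in itertools.product(range(-inner, inner + 1), repeat=n):
                f = [zi + c * ei for zi, ei in zip(z, e)]
                if not in_box(f, outer):
                    return False
    return True


def leak_without_aborts(e, c, B, D):
    """What goes wrong without the rule: the smallest value each coordinate of
    z = f - c*e can take is -(D+1)B - c*e_i, so the support of the released
    response depends on the secret and extreme responses reveal e."""
    return [-(D + 1) * B - c * ei for ei in e]


if __name__ == "__main__":
    # Constructed demo values, not parameters from the paper.
    n, B, D = 4, 2, 8
    rng = random.Random(2019)
    secret = [rng.randint(-B, B) for _ in range(n)]
    z, tries = sign_with_aborts(secret, 1, B, D, rng)
    print("accepted response", z, "after", tries, "attempt(s)")
    print("per-attempt acceptance probability",
          float(acceptance_probability(n, B, D)))
    print("accepted responses independent of secret:",
          response_is_secret_independent(2, 1, 2))
    print("without aborts, support edge leaks", leak_without_aborts(secret, 1, B, D))
```

The exhaustive check is the whole point of the construction: conditioned on not aborting, the released z is uniform on the inner box regardless of the secret, which is why the response can be published. The price is the acceptance probability ((2DB+1)/(2(D+1)B+1))^n per attempt, which shrinks with n unless D grows, and a larger D means larger exponents and hence more expensive group-action evaluations; that trade-off is the "very expensive" signing the abstract refers to.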

Acknowledgements

Thanks to Samuel Dobson for doing some experiments with discrete Gaussians. Thanks to Lorenz Panny for comments and suggestions. Thanks to Damien Stehlé for references about solving close vector problems. Thanks to the Eurocrypt referees for their careful reading of the paper.

Luca De Feo was supported by the French Programme d’Investissements d’Avenir under the national project RISQ no. P141580-3069086/DOS0044212.

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Université Paris-Saclay – UVSQ, LMV, UMR CNRS 8100, Versailles, France
  2. Mathematics Department, University of Auckland, Auckland, New Zealand