
Trapdoor DDH Groups from Pairings and Isogenies

Conference paper. Selected Areas in Cryptography (SAC 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12804)


Abstract

Trapdoor DDH groups are an appealing cryptographic primitive introduced by Dent–Galbraith (ANTS 2006), where DDH instances are hard to solve unless provided with additional information (i.e., a trapdoor). In this paper, we introduce a new trapdoor DDH group construction using pairings and isogenies of supersingular elliptic curves, and present two instantiations of it. The construction solves all shortcomings of previous constructions as identified by Seurin (RSA 2013). We also present partial attacks on a previous construction due to Dent–Galbraith, and we provide a formal security definition of the related notion of “trapdoor pairings”.


Notes

  1. We stress that DDH is easy for a supersingular curve with a known distortion map, but finding a distortion map on a random curve is believed to be a hard problem [18, 33]. See also Sect. 2.1.

  2. The reason for asking for g is that, since the pairing will not be available to all parties, it is not immediate to produce a canonical generator of \(\mathbb {G}_T\) from the generator of \(\mathbb {G}\). We ask for it in advance so that it does not depend on \(aP, bP\).

  3. In CSIDH [5], the authors suggest \(B=5\) and \(n=74\) for a prime p of length 512 bits.

  4. This attack can be readily extended when \(r_1\ne r_2\), but in that case the attack from the previous section will be simpler.

References

  1. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

  2. Biasse, J.-F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_25

  3. Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography, vol. 317. Cambridge University Press, Cambridge (2005)

  4. Burdges, J., De Feo, L.: Delay encryption (2020)

  5. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  6. Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)

  7. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)

  8. Coron, J.-S.: Finding small roots of bivariate integer polynomial equations revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_29

  9. Coron, J.-S.: Finding small roots of bivariate integer polynomial equations: a direct approach. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 379–394. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_21

  10. Coron, J.-S., Kirichenko, A., Tibouchi, M.: A note on the bivariate Coppersmith theorem. J. Cryptol. 26, 246–250 (2013)

  11. De Feo, L.: Mathematics of isogeny-based cryptography. arXiv preprint arXiv:1711.04062 (2017)

  12. De Feo, L.: Isogeny graphs in cryptography (2019)

  13. De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. Technical report, IACR Cryptology ePrint Archive (2018)

  14. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)

  15. De Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. Technical report, Cryptology ePrint Archive, Report 2019/166 (2019)

  16. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Designs, Codes Crypt. 78(2), 425–440 (2016)

  17. Dent, A.W., Galbraith, S.D.: Hidden pairings and trapdoor DDH groups. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 436–451. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_31

  18. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11

  19. Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999)

  20. Galbraith, S.D., McKee, J.F.: Pairings on elliptic curves over finite commutative rings. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 392–409. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_26

  21. Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_1

  22. Galbraith, S.D., Rotger, V.: Easy decision Diffie-Hellman groups. LMS J. Comput. Math. 7, 201–218 (2004)

  23. Icart, T.: How to hash into elliptic curves. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 303–316. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_18

  24. Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_19

  25. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20

  26. Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California, Berkeley (1996)

  27. Koshiba, T., Takashima, K.: Pairing cryptography meets isogeny: a new framework of isogenous pairing groups. IACR Cryptology ePrint Archive 2016, 1138 (2016)

  28. Lauter, K.E., Charles, D., Mityagin, A.: Trapdoor pairings, May 15 2012. US Patent 8,180,047 (2012)

  29. Lenstra Jr., H.W.: Factoring integers with elliptic curves. Ann. Math. 649–673 (1987)

  30. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)

  31. Morales, D.J.M.: An attack on disguised elliptic curves. J. Math. Cryptol. 2(1), 1–8 (2008)

  32. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  33. Petit, C., Lauter, K.E.: Hard and easy problems for supersingular isogeny graphs. IACR Cryptology ePrint Archive 2017, 962 (2017)

  34. Prabhakaran, M., Xue, R.: Statistically hiding sets. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 100–116. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_7

  35. Seurin, Y.: New constructions and applications of trapdoor DDH groups. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 443–460. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_27

  36. Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6

  37. Verheul, E.R.: Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. J. Cryptol. 17(4), 277–296 (2004)

Acknowledgements

We thank Jens Groth, Steven Galbraith and Frederik Vercauteren for discussions related to this work. In particular, some of our applications were suggested by Jens Groth. We also thank the anonymous reviewers. Work by the first and second author was supported by an EPSRC New Investigator grant (EP/S01361X/1). The third author was supported by a PhD grant from the Spanish government, co-financed by the ESF (Ayudas para contratos predoctorales para la formación de doctores 2016). This work was partially done while the third author visited the University of Birmingham.

Author information

Corresponding author: Javier Silva.


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Kutas, P., Petit, C., Silva, J. (2021). Trapdoor DDH Groups from Pairings and Isogenies. In: Dunkelman, O., Jacobson, Jr., M.J., O'Flynn, C. (eds) Selected Areas in Cryptography. SAC 2020. Lecture Notes in Computer Science, vol 12804. Springer, Cham. https://doi.org/10.1007/978-3-030-81652-0_17


  • DOI: https://doi.org/10.1007/978-3-030-81652-0_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81651-3

  • Online ISBN: 978-3-030-81652-0
