Abstract
This is an informal tutorial on the supersingular isogeny Diffie-Hellman protocol aimed at non-isogenists.
Notes
1. SIKE stands for supersingular isogeny key encapsulation, a variant of SIDH whose differences are mostly unimportant in this tutorial (further details are in Sect. 7).
2. Those unfamiliar with projective space can take this at face value, while those in the know can substitute \(x=X/Z\) and \(y=Y/Z\) to cast these equations into \(\mathbb {P}^2\) and observe that \(\psi ((0 :1 :0))=(0 :1 :0)\), and vice versa.
3. Note that this is the opposite of the situation for discrete logarithm-based ECC, where supersingular curves are avoided for security reasons. Discrete logarithms are no longer useful as hard underlying problems in the post-quantum setting, and they have no relevance to the security of SIDH.
4. Astute readers wanting to prove that \(j_{AB}=j_{BA}\) can argue that both j-invariants correspond to the isomorphism class of \(E/\langle S_A, S_B \rangle \) by using the identity \(E/\langle P, Q\rangle \cong (E/\langle P \rangle )/\langle \phi (Q) \rangle \) with \(\phi :E \rightarrow E/\langle P \rangle \). Otherwise, see [9, §3].
5. We remind the reader that the security of SIDH/SIKE is unrelated to discrete logarithm problems!
6. Edges can have multiplicities greater than 1, which takes care of the tiny handful of anomalies we discussed in Sect. 6.
7.
8. This distinguishing property can essentially be anything, so long as it yields the right fraction of elements; in our example, a good choice would be to hash the element and check for 30 leading zeros.
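Writing out the argument sketched in Note 4, as an added derivation that is not part of the paper; it assumes the standard SIDH notation \(\phi_A : E \rightarrow E_A = E/\langle S_A \rangle\), \(\phi_B : E \rightarrow E_B = E/\langle S_B \rangle\), \(j_{AB} = j(E_B/\langle \phi_B(S_A) \rangle)\) and \(j_{BA} = j(E_A/\langle \phi_A(S_B) \rangle)\), which the notes themselves do not fix.

Applying the identity \(E/\langle P, Q\rangle \cong (E/\langle P \rangle )/\langle \phi (Q) \rangle \) once with \(P=S_B\), \(Q=S_A\), \(\phi=\phi_B\), and once with \(P=S_A\), \(Q=S_B\), \(\phi=\phi_A\):
\[
E_B/\langle \phi_B(S_A) \rangle = (E/\langle S_B \rangle)/\langle \phi_B(S_A) \rangle \cong E/\langle S_B, S_A \rangle ,
\]
\[
E_A/\langle \phi_A(S_B) \rangle = (E/\langle S_A \rangle)/\langle \phi_A(S_B) \rangle \cong E/\langle S_A, S_B \rangle .
\]
Since \(\langle S_A, S_B \rangle = \langle S_B, S_A \rangle\), both quotient curves lie in the same isomorphism class, and because the j-invariant classifies curves up to isomorphism, \(j_{AB}=j_{BA}\).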
References
Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. In: Cid, C., Jacobson, M.J. (eds.) SAC 2018. LNCS, vol. 11349, pp. 322–343. Springer, Berlin (2018). https://doi.org/10.1007/978-3-030-10970-7_15
Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. In: Emura, K., Hanaoka, G., Zhang, R. (eds.) Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, AsiaPKC@AsiaCCS, Xi’an, China, 30 May–03 June 2016, pp. 1–10. ACM (2016)
Costello, C., Longa, P., Naehrig, M., Renes, J., Virdia, F.: Improved classical cryptanalysis of the computational supersingular isogeny problem. IACR Cryptol. ePrint Archive 2019, 298 (2019)
De Feo, L.: Mathematics of isogeny based cryptography. CoRR, abs/1711.04062 (2017). https://arxiv.org/pdf/1711.04062.pdf
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3
Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Inf. Process. 17(10), 265 (2018)
Jao, D., et al.: SIKE: supersingular isogeny key encapsulation. Manuscript available at sike.org/ (2017)
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Jaques, S., Schanck, J.M.: Quantum cryptanalysis in the RAM model: claw-finding attacks on SIKE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 32–61. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_2
Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)
Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, 2nd edn. Springer, Berlin (2009)
Smith, B.: Pre- and Post-quantum Diffie–Hellman from groups, actions, and isogenies. In: Budaghyan, L., Rodríguez-Henríquez, F. (eds.) WAIFI 2018. LNCS, vol. 11321, pp. 3–40. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05153-2_1
Tate, J.: Endomorphisms of abelian varieties over finite fields. Inventiones Math. 2(2), 134–144 (1966)
The National Institute of Standards and Technology (NIST): Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, December 2016. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
Urbanik, D.: A friendly introduction to supersingular isogeny Diffie-Hellman, May 2017. https://csclub.uwaterloo.ca/~dburbani/work/friendlysidh.pdf
van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)
Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)
© 2020 Springer Nature Switzerland AG
Costello, C. (2020). Supersingular Isogeny Key Exchange for Beginners. In: Paterson, K., Stebila, D. (eds.) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science, vol. 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_2
DOI: https://doi.org/10.1007/978-3-030-38471-5_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5
eBook Packages: Computer Science, Computer Science (R0)