#RSAC  SESSION ID: CRYP-F02
CODES AND ISOGENIES
David Jao, Professor, University of Waterloo
REVOCABLE IDENTITY-BASED ENCRYPTION FROM CODES WITH RANK METRIC
Somitra Kumar Sanadhya, Associate Professor, CSE, IIT Ropar, India
Joint work with Donghoon Chang (IIIT Delhi), Amit Kumar Chauhan (IIT Ropar), and Sandeep Kumar (IIIT Delhi & University of Delhi, India)
Date: 04/20/2018   Session: CRYP-F02   Time: 10:15 AM - 11:00 AM
Thanks to the US Department of State for not providing a Nonimmigrant Visa to Dr. Somitra Kumar Sanadhya.
Dr. Reza Azarderakhsh kindly agreed to present our work at CT-RSA 2018. We would like to thank Dr. Reza Azarderakhsh for accepting our request.
Motivation
Identity-based Crypto: resolves the problem of key management in standard PKE.
(Figure: IBE system. The Key Authority (PKG) runs Setup(1^k) → (PP, MSK) and derives the decryption key D_id from (PP, MSK, id). Alice encrypts m under Bob's identity id: CT = (id, c). Bob decrypts CT with D_id and obtains m or ⊥.)
Problem: how to efficiently revoke past users in identity-based encryption (IBE)?
Revocable IBE (RIBE)
Adding an efficient revocation procedure to IBE ...
(Figure: RIBE system. The Key Authority runs Setup(1^k) → (PP, MSK). Private Key Gen(PP, MSK, id) → SK_id; Key Update(PP, MSK, t) → KU_t; Revocation(PP, id, t) → yes/no revoked status of user id at time t. Bob's decryption key at time t is DK_{id,t} = {SK_id, KU_t}. Alice encrypts m under (id, t): CT = (id, t, c). Bob decrypts CT with DK_{id,t} and obtains m or ⊥.)
• Initially, the key update is public to all users. At a later time, the authority stops publishing the key updates for a revoked user.
Key Generation on a Binary Tree
• Upon registration, the key authority provides user u3 with a set of distinct private keys, one for each node in Path(v) on a binary tree BT, where v is the leaf assigned to u3.
(Figure: binary tree BT with root, leaves u1, ..., u8, and the path Path(v) from leaf v up to the root; an internal node θ has children θ_ℓ and θ_r.)
• To generate the key for a user u, one chooses a random value r for each node on the path and
  • splits r into two parts r1 and r2,
  • generates the private key SK_id on (id, r1) with the private-key generation algorithm,
  • generates the key update KU_t on (t, r2) with the key-update algorithm.
• The decryption key is DK_{id,t} = {SK_id, KU_t} for a node on the path corresponding to user u.
How to revoke a user?
• Run the Revocation algorithm R(id*, t*, RL):
  • adds the revoked user id* to the revocation list RL at the revocation time t*.
• Do the key updates for non-revoked users (the number of key updates is logarithmic in the number of users).
• Stop sending key updates for a revoked user for time t ≥ t*.
How to do Key Updates for a user?
• Run the Key-Update-Nodes algorithm KUNodes(BT, RL, t):
  • returns a minimal set Y ⊂ BT of nodes for which a key update needs to be published.

KUNodes(BT, RL, t)
  X, Y ← ∅
  ∀ (v_i, t_i) ∈ RL:
    if t_i ≤ t then add Path(v_i) to X
  ∀ θ ∈ X:
    if θ_ℓ ∉ X then add θ_ℓ to Y
    if θ_r ∉ X then add θ_r to Y
  if Y = ∅ then add root to Y
  return Y
Examples of the Key-Updates Algorithm
(Figure: two copies of the 8-leaf tree u1, ..., u8. (a) No user is revoked. (b) User u3 is revoked. A check mark on a node shows that the key update KU_t is published for that node at time t; a cross shows that it is not.)
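The KUNodes procedure and the two pictures above, as an added runnable example that is not part of the slides: a toy 8-user tree with heap-style node numbering (root = 1, children of v are 2v and 2v+1; an assumption of this example, not the slides' notation), the revocation R(id*, t*, RL) of u3 at t* = 5, and the check a user performs to see whether it can still assemble DK_{id,t} = {SK_id, KU_t}.

```python
# Added example (not from the slides): Boldyreva-Goyal-Kumar binary-tree revocation
# on a toy 8-user tree. Node numbering is heap-style (assumption of this example).

class BinaryTree:
    """Complete binary tree BT over n = 2^h leaves; user u_i sits at leaf n + i - 1."""

    def __init__(self, n_users):
        if n_users < 1 or n_users & (n_users - 1):
            raise ValueError("toy tree needs a power-of-two number of users")
        self.n = n_users
        self.root = 1

    def leaf(self, user_index):
        """Leaf node of user u_{user_index} (1-based)."""
        if not 1 <= user_index <= self.n:
            raise ValueError("no such user")
        return self.n + user_index - 1

    def path(self, v):
        """Path(v): the nodes from v up to and including the root."""
        nodes = []
        while v >= self.root:
            nodes.append(v)
            v //= 2
        return nodes

    def children(self, theta):
        """(theta_l, theta_r), or (None, None) for a leaf."""
        if theta >= self.n:
            return None, None
        return 2 * theta, 2 * theta + 1


def ku_nodes(bt, RL, t):
    """KUNodes(BT, RL, t): the minimal set Y of nodes for which the key update
    KU_t is published. RL holds (leaf v_i, time t_i) pairs."""
    X, Y = set(), set()
    for v_i, t_i in RL:
        if t_i <= t:                        # revocation of v_i is in effect at time t
            X.update(bt.path(v_i))          # every node on its path is tainted
    for theta in X:
        theta_l, theta_r = bt.children(theta)
        if theta_l is not None and theta_l not in X:
            Y.add(theta_l)
        if theta_r is not None and theta_r not in X:
            Y.add(theta_r)
    if not Y:                               # nobody revoked: one update at the root
        Y.add(bt.root)
    return Y


def revoke(RL, bt, user_index, t_star):
    """Revocation algorithm R(id*, t*, RL): the user is revoked from t* on."""
    RL.append((bt.leaf(user_index), t_star))
    return RL


def can_derive_dk(bt, RL, t, user_index):
    """A user holds SK_id for every node on its path, so it can assemble
    DK_{id,t} = {SK_id, KU_t} iff one of those nodes received KU_t."""
    return bool(set(bt.path(bt.leaf(user_index))) & ku_nodes(bt, RL, t))


def demo():
    """Reproduces the slide's two pictures: (a) nobody revoked, (b) u3 revoked."""
    bt = BinaryTree(8)
    RL = []
    nobody = ku_nodes(bt, RL, t=1)          # {1}: a single update at the root
    revoke(RL, bt, user_index=3, t_star=5)
    before = ku_nodes(bt, RL, t=4)          # revocation not yet effective
    after = ku_nodes(bt, RL, t=5)           # siblings along Path(u3): {3, 4, 11}
    holders = [u for u in range(1, 9) if can_derive_dk(bt, RL, 5, u)]
    return nobody, before, after, holders


if __name__ == "__main__":
    print(demo())
```

With u3 revoked, three nodes receive KU_5 (node 4 covers u1 and u2, leaf 11 covers u4, node 3 covers u5 to u8), which is the log2(8) bound from the revocation slide; u3's path shares no node with that set, so it cannot form DK_{id,5}, while at t = 4 it still can.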
Selective-Revocable-ID Security of RIBE
Game between a challenger and an attacker A (A targets id* at time t*):
  1. A announces the target (id*, t*).
  2. The challenger runs (PP, MSK, RL) ← S(1^k) and gives PP to A.
  3. A has oracle access to SK(PP, MSK, ·) (on query id it returns SK_id ← SK(PP, MSK, id)), to KU(PP, MSK, ·) (on query t it returns KU_t ← KU(PP, MSK, t)), and to the revocation algorithm R(id*, t*, RL), which updates RL so that id* is revoked for t ≥ t*. A does not make a query with (id, t) = (id*, t*).
  4. A outputs (id*, m0, m1); the challenger picks b ← {0, 1} and returns c* ← Encrypt(PP, id*, t*, m_b).
  5. A outputs b' ∈ {0, 1}.
The advantage of A is defined as
  $\mathrm{Adv}^{\mathrm{ind\text{-}srid\text{-}cpa}}_{A,\mathrm{RIBE}}(k) := \left| \Pr[b' = b] - \tfrac{1}{2} \right|.$
A Bit of (R)IBE History
• Boneh and Franklin : Identity-based Encryption from Weil Pairing, CRYPTO 2001.
• Boldyreva, Goyal and Kumar : Identity-based Encryption (from Weil pairing) with
Efficient Revocation, ACM CCS 2008.
• Agrawal, Boneh and Boyen : Efficient Lattice (H)IBE in the Standard Model,
EUROCRYPT 2010.
• Chen, Lim, Ling, Wang and Nguyen : Revocable Identity-Based Encryption from
Lattices, ACISP 2012.
• Gaborit, Hauteville, Phan and Tillich : Identity-based Encryption from Codes with
Rank Metric, CRYPTO 2017.
Our Work
• We construct Revocable IBE (RIBE) from codes with rank metric.
• Highlights of the RIBE:
  • Constructed from Low Rank Parity-Check (LRPC) codes.
  • The master secret key (MSK) is the "trapdoor" generated by the RankSign algorithm [1].
  • Provides IND-sRID-CPA security, relying mainly on the Rank Syndrome Decoding (RSD) problem [1].
  • A binary-tree data structure [2] is used to add an efficient revocation procedure to the IBE.
[1] Gaborit et al. RankSign: An Efficient Signature Algorithm based on the Rank Metric, PQCrypto 2014.
[2] Boldyreva, Goyal, and Kumar. Identity-based Encryption with Efficient Revocation, ACM CCS 2008.
Rank Metric over $\mathbb{F}_{q^m}^n$
• Let $\mathbb{F}_{q^m}$ be an m-dimensional vector space over the field $\mathbb{F}_q$, q a prime power (the parameters later in this talk use q = 2^192).
• Let $B = (b_1, \dots, b_m)$ be a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$.
• Let $x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n$; then each coordinate $x_j$ can be expressed in terms of the basis B as
  $x_j = \sum_{i=1}^{m} m_{ij}\, b_i$, where $m_{ij} \in \mathbb{F}_q$.
• The $m \times n$ matrix associated with x is $M(x) = (m_{ij})_{1 \le i \le m,\ 1 \le j \le n}$.
• The rank weight of x is defined as $\|x\| = \mathrm{Rank}\, M(x)$.
• The rank distance (metric) between $x, y \in \mathbb{F}_{q^m}^n$ is defined as $d(x, y) = \|x - y\|$.
Rank Code
• A linear code C of dimension k and length n is a k-dimensional subspace of $\mathbb{F}_{q^m}^n$ equipped with the rank metric.
• C can be represented in two ways:
  • by a generator matrix $G \in \mathbb{F}_{q^m}^{k \times n}$; each row of G is an element of a basis of C:
    $C = \{\, xG \mid x \in \mathbb{F}_{q^m}^k \,\}$
  • by a parity-check matrix $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$; each row of H determines a parity-check equation satisfied by the elements of C:
    $C = \{\, x \in \mathbb{F}_{q^m}^n \mid H x^T = 0 \,\}$
Low Rank Parity-Check (LRPC) Codes
• Let $H = (h_{ij})_{1 \le i \le n-k,\ 1 \le j \le n} \in \mathbb{F}_{q^m}^{(n-k) \times n}$ be a full-rank matrix.
• All the entries of H generate an $\mathbb{F}_q$-subspace F of dimension d:
  $F = \langle h_{ij} \rangle_{\mathbb{F}_q}$
• The code $C[n, k, d]_{q^m}$ with parity-check matrix H is called an LRPC code of weight d. Such a matrix H is called a homogeneous matrix of weight d.
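An added example, not from the slides, of the rank weight and rank distance defined above and of what "low rank parity-check" means for H. Elements of F_{2^m} are stored as m-bit integers holding their coordinates over F_2 in a fixed basis, so all the F_2-linear algebra is bitwise XOR and no field multiplication is needed; the dimensions 20 × 100, m = 96 and d = 5 are the ones from this talk's parameter table, while the sampling procedure is this example's own.

```python
# Added example (not from the slides): rank weight, rank distance, and the
# low-rank property of an LRPC parity-check matrix over F_{2^m}.
import random


def f2_rank(vectors):
    """Rank over F_2 of a list of m-bit integers (Gaussian elimination by XOR)."""
    pivots = {}                              # leading bit -> row with that leading bit
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:           # new pivot: v is independent of the rest
                pivots[lead] = v
                break
            v ^= pivots[lead]                # clear the leading bit and continue
    return len(pivots)


def rank_weight(x):
    """||x|| = Rank M(x): the columns of M(x) are the coordinates x_j written over F_2."""
    return f2_rank(list(x))


def hamming_weight(x):
    return sum(1 for xj in x if xj)


def rank_distance(x, y):
    """d(x, y) = ||x - y||; in characteristic 2, x - y is coordinate-wise XOR."""
    return rank_weight([xj ^ yj for xj, yj in zip(x, y)])


def support_dim(H):
    """Dimension of the F_2-subspace F = <h_ij> spanned by all entries of H."""
    return f2_rank([h for row in H for h in row])


def random_homogeneous_matrix(rows, cols, m, d, rng):
    """Sample a homogeneous matrix of weight d: pick d independent elements
    f_1..f_d of F_{2^m}, then draw every entry as an F_2-combination of them."""
    F = []
    while len(F) < d:
        f = rng.getrandbits(m)
        if f and f2_rank(F + [f]) > len(F):
            F.append(f)

    def entry():
        v = 0
        for f in F:
            if rng.getrandbits(1):
                v ^= f
        return v

    return [[entry() for _ in range(cols)] for _ in range(rows)]


def demo(seed=1):
    """Contrast an LRPC parity-check matrix with a random matrix of the same shape:
    the first has a support of dimension d, the second fills all of F_{2^m}."""
    rng = random.Random(seed)
    n_minus_k, n, m, d = 20, 100, 96, 5       # parameters from the slides' table
    H_lrpc = random_homogeneous_matrix(n_minus_k, n, m, d, rng)
    H_rand = [[rng.getrandbits(m) for _ in range(n)] for _ in range(n_minus_k)]
    return support_dim(H_lrpc), support_dim(H_rand)


if __name__ == "__main__":
    x = [0b0001, 0b0010, 0b0011, 0b0001]      # constructed vector in F_{2^4}^4
    print(hamming_weight(x), rank_weight(x))  # 4 nonzero coordinates, but rank 2
    print(demo())
```

The first print illustrates why the rank metric is the right notion here: all four coordinates of x are nonzero, yet they span a 2-dimensional F_2-space, so its rank weight is 2. The LRPC matrix from demo() has 2000 entries living in a 5-dimensional subspace, which is exactly what the RankSign trapdoor exploits and what the LRPC+ problem asks an adversary to detect after the mixing by P, R and Q.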
Augmented Low Rank Parity-Check Codes
• Let $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ be a homogeneous matrix of full rank and of weight d.
• Let $R \in \mathbb{F}_{q^m}^{(n-k) \times \ell}$ be a random matrix (ℓ denotes the number of appended random columns).
• Let $P \in \mathrm{GL}_{n-k}(\mathbb{F}_{q^m})$ and $Q \in \mathrm{GL}_{n+\ell}(\mathbb{F}_q)$ be two invertible matrices.
• Let $H' = P(R \mid H)Q$ be the parity-check matrix of a code C of type $[n+\ell, k+\ell]$.
We call such a code an LRPC+ code. If ℓ = 0, then C is an LRPC code.
Definition (LRPC+ Problem)
Given an LRPC+ code, distinguish it from a random code with the same parameters.
Rank Syndrome Decoding Problem
Definition (Rank Syndrome Decoding (RSD) Problem)
Instance: a parity-check matrix $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$, a syndrome $s \in \mathbb{F}_{q^m}^{n-k}$ and an integer w.
Question: does there exist $x \in \mathbb{F}_{q^m}^n$ such that $H x^T = s$ and $w_R(x) \le w$?
Definition (Decisional Rank Syndrome Decoding (DRSD) Problem)
Instance: a generator matrix $G \in \mathbb{F}_{q^m}^{k \times n}$, $m \in \mathbb{F}_{q^m}^k$ and $x \in \mathbb{F}_{q^m}^n$ of rank weight w.
Question: can we distinguish the pair $(G, mG + x)$ from $(G, y)$ with $y \xleftarrow{\$} \mathbb{F}_{q^m}^n$?
Rank Support Learning Problem
Definition (Rank Support Learning (RSL) Problem)
• Let A be a random full-rank matrix of size $(n-k) \times n$ over $\mathbb{F}_{q^m}$ and U a subspace of $\mathbb{F}_{q^m}$ of dimension w.
• Let O be an oracle which gives samples of the form $(A, Av)$, where $v \xleftarrow{\$} U^n$.
• The RSL problem is to recover V given only access to the oracle; that is, for every PPT algorithm $\mathcal{A}$,
  $\Pr[\mathcal{A}(A, AV) = V] \le \varepsilon$ for $V \xleftarrow{\$} U^{n \times N}$,
  where N is the number of queries made to the oracle O and ε is negligible.
• The DRSL problem is to distinguish $(A, AV)$ from $(A, Y)$ with $Y \xleftarrow{\$} \mathbb{F}_{q^m}^{(n-k) \times N}$.
Overview of RIBE from LRPC Codes

Setup
• Construct an augmented LRPC code with parity-check matrix $H' = P(R \mid H)Q$; the "trapdoor" generated by the RankSign algorithm is the master secret key MSK = (H, P, Q, R).
• Public parameters PP = (A, G, u), where
  • $A \in \mathbb{F}_{q^m}^{(k+\ell) \times (n+\ell)}$ is a full-rank matrix such that $H' A^T = 0$,
  • $G \in \mathbb{F}_{q^m}^{k' \times n'}$ is a generator matrix of a simple code that can decode up to 2wr errors,
  • $u \in \mathbb{F}_{q^m}^{n+\ell}$ is uniformly random.
• For each node, choose $u_1$ randomly and define $u_2 = u - u_1$.

Private-Key Gen (SK_id := s_1)
• Compute $p_1 = \mathrm{Hash}(id)$.
• Syndrome $x_1 = H' p_1^T + H' u_1^T$.
• Using the MSK, sample $e_1$ of small rank weight such that $H' e_1^T = x_1$.
• Compute $s_1$ such that $p_1 + u_1 = s_1 A + e_1$.

Key-Update Gen (KU_t := s_2)
• Compute $p_2 = \mathrm{Hash}(t)$.
• Syndrome $x_2 = H' p_2^T + H' u_2^T$.
• Using the MSK, sample $e_2$ of small rank weight such that $H' e_2^T = x_2$.
• Compute $s_2$ such that $p_2 + u_2 = s_2 A + e_2$.

Decryption key: $DK_{id,t} := s := s_1 + s_2$.

Encryption of $m \in \mathbb{F}_{q^m}^{k'}$ under PP = (A, G, u)
• Compute $p_1 = \mathrm{Hash}(id)$ and $p_2 = \mathrm{Hash}(t)$.
• Choose $V \in \mathbb{F}_{q^m}^{(n+\ell) \times n'}$ randomly of rank weight w.
• Compute
  $\begin{pmatrix} A \\ p_1 + p_2 + u \end{pmatrix} V + \begin{pmatrix} 0 \\ mG \end{pmatrix} = \begin{pmatrix} C \\ x \end{pmatrix}$
• Output CT = (id, t, C, x).

Decryption of CT = (id, t, C, x) with s
• Since $sA = p_1 + p_2 + u - (e_1 + e_2)$,
  $(s \mid -1) \begin{pmatrix} C \\ x \end{pmatrix} = -(e_1 + e_2) V - mG$
• If $\mathrm{Rank}((e_1 + e_2)V) \le 2wr$, decode with the simple code generated by G and recover m.
Security of RIBE
Theorem
Suppose there exists an adversary A against the IND-sRID-CPA security who makes at most $q_{H_1}$ and $q_{H_2}$ distinct queries to the $H_1$ and $H_2$ random oracles. Then the advantage of A is bounded by
  $\varepsilon_{\mathrm{ribe}} \le (q_{H_1} + q_{H_2}) \cdot \frac{2}{q} + \varepsilon_{\mathrm{drsd}} + \varepsilon_{\mathrm{lrpc+}} + \varepsilon_{\mathrm{drsl}},$
where $\varepsilon_{\mathrm{ribe}}$, $\varepsilon_{\mathrm{drsd}}$, $\varepsilon_{\mathrm{drsl}}$ and $\varepsilon_{\mathrm{lrpc+}}$ are respectively the bounds on the advantage of attacks against the RIBE system and the DRSD, DRSL and LRPC+ problems.
Proof Sketch (Selective-Revocable-ID security of RIBE)
Let A be a probabilistic polynomial-time adversary who wishes to break the selective-revocable-ID security of the RIBE.
Goal: show that a PPT adversary A has negligible advantage in winning the original IND-sRID-CPA game.
Transitions of games:
• Game G0: the real IND-sRID-CPA game.
• Game G1: generate decryption keys without knowledge of the trapdoor.
  $|\Pr[A_{G_0}] - \Pr[A_{G_1}]| \le \frac{2}{q} + \varepsilon_{\mathrm{drsd}}$
• Game G2: define the matrix A as a random matrix to generate codewords.
  $|\Pr[A_{G_1}] - \Pr[A_{G_2}]| \le \varepsilon_{\mathrm{lrpc+}}$
• Game G3: choose the challenge ciphertext CT* = (id*, t*, c*, x*) randomly.
  $|\Pr[A_{G_2}] - \Pr[A_{G_3}]| \le \varepsilon_{\mathrm{drsl}}$
• Game G4: fully random game.
  $\Pr[A_{G_3}] = \Pr[A_{G_4}] = \frac{1}{2}$
Practical Set of Parameters
We choose the parameters of the simple code so that it can decode up to 2wr errors and the decoding failure probability (≈ 1/q^{…−2wr+1}; the leading term of the exponent is lost in the slide export) is small.

Scheme   | n   | n−k | m  | q     | d | r  | d_GV | d_sign | (unlabeled)
IBE [3]  | 100 | 20  | 96 | 2^192 | 5 | 12 | 16   | 11     | 20
RIBE     | 100 | 20  | 96 | 2^192 | 5 | 12 | 16   | 11     | 20

Scheme   | Public Key Size (Bytes) | n  | k | w  | (unlabeled)
IBE [3]  | 4,239,360 (of A)        | 96 | 9 | 66 | 4
RIBE     | 4,497,408 (of (A, u))   | 96 | 9 | 66 | 2

With the above parameters, one can achieve a decoding failure probability ≈ 2^{−576}.
[3] Gaborit et al.: Identity-based Encryption from Codes with Rank Metric, CRYPTO 2017.
Conclusion and Future Work
• We built a revocable IBE from codes with rank metric.
• We formally proved the selective-ID CPA security of the revocable IBE in the random oracle model.
• As an extension of this work, one might construct a revocable IBE with adaptive-ID CCA security, which is the strongest security model.
• Another extension could be a scheme secure in the standard model.
AN EXPOSURE MODEL FOR SUPERSINGULAR ISOGENY DIFFIE-HELLMAN KEY EXCHANGE
Brian Koziel, Reza Azarderakhsh (Assistant Professor, Florida Atlantic University), David Jao
Current PKC is safe until large-scale quantum computers are available
• ECDH, ECDSA: protected by the elliptic curve discrete logarithm problem
• RSA: protected by the integer factorization problem (finite-field DH and DSA: by the discrete logarithm problem)
• Large-scale quantum computers running Shor's algorithm will BREAK the security assumptions of these primitives
(Figure: Quantum Computer, The Verge)
NIST has started a PQC standardization process
Primary Post-Quantum Cryptography (PQC) candidates:
• Code-based: McEliece
• Hash-based: Lamport, Merkle signatures
• Lattice-based: NTRU, LWE
• Multivariate: Rainbow signature
• Isogeny-based: SIDH, SIKE
(Figure: the curve E : y^2 = x^3 − x. Left: E over ℤ. Right: E over F_127.)
SIDH offers the smallest key sizes of known quantum-resistant algorithms
Table: Comparison of different post-quantum key exchange and encryption algorithms at the 128-bit quantum security level. Key sizes are in bytes.

Algorithm       | Type     | Public Key | Private Key | Performance
NTRU            | Lattice  | 6,130      | 6,743       | Slow
New Hope        | Ring-LWE | 2,048      | 2,048       | Very Fast
McBits          | Code     | 1,046,739  | 10,992      | Slow
SIDH            | Isogeny  | 576        | 48          | Very Slow
Compressed SIDH | Isogeny  | 336        | 48          | Very Slow

• Small key sizes reduce transmission cost and storage requirements
Why would I want to use SIDH or SIKE as a quantum alternative?
Pros :)
• Very small public/private keys
• Implementations resemble ECC
• Security based on the supersingular isogeny problem
• SIKE: IND-CCA KEM alternative to SIDH → static keys can be reused!
• No possibility of decryption error
• No complicated error distributions, rejection sampling, etc.
• Conservative security analysis when assuming generic attacks
Cons :(
• Newest candidate for PQC applications
• Very slow
• SIDH has security concerns if keys are reused
Isogeny-Based Cryptography History
• 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006
• 1999: Galbraith - First published cryptanalysis of isogeny problem
• 2009: Charles et al. - Hash functions from supersingular isogenies
• 2010: Stolbunov - First published isogeny-based public-key cryptosystem based
on isogenies between ordinary curves
• 2010: Childs et al. - Quantum subexponential attack on Stolbunov’s public-key
cryptosystem
• 2011: Jao and De Feo - Supersingular Isogeny Diffie-Hellman (SIDH) proposed
• 2016: Galbraith et al. - Active attack against SIDH with static key re-use
• 2017: Jao et al. - Supersingular Isogeny Key Encapsulation (SIKE) submitted to
NIST PQC process
Isogeny-Based Cryptography underlying security
Consider two supersingular elliptic curves defined over a large prime extension field:
• E1/F_{p^2} and E2/F_{p^2}, where p is a large prime
• There exists some isogeny φ : E1 → E2 with a fixed, smooth degree that is public
Supersingular Isogeny Problem
Given P, Q ∈ E1 and φ(P), φ(Q) ∈ E2, compute the secret isogeny φ.
• The best known attack (as of this 2018 talk) is based on the claw-finding algorithm
• For SIDH/SIKE:
  • Classical attack: O(p^{1/4})
  • Quantum attack: O(p^{1/6})
Note: this problem with torsion-point images is the one the 2022 Castryck-Decru attack solves efficiently, which broke SIDH and SIKE as proposed; the exposure model below remains a useful way to reason about leakage from iterated isogeny computations, but the primitive itself should not be deployed.
Visualizing the Supersingular Isogeny Problem
• Consider a graph where each node represents a supersingular isomorphism class (of curves over F_{p^2}).
• For ℓ = 2, each node is connected to its neighbours by three distinct 2-isogenies (an ℓ-isogeny graph is (ℓ+1)-regular).
• Consider finding an isogeny from class A to class B when ℓ = 2.
• For large isogeny graphs (i.e., p is 512 bits or more), finding an isogeny path is HARD.
(Figures: the 2-isogeny graph, with isomorphism classes as nodes and 2-isogenies as edges, and a highlighted path between classes A and B.)
The SIDH protocol resembles standard Diffie-Hellman
Diffie-Hellman (public g, p)
  Alice: secret A, sends g^A mod p                 Bob: secret B, sends g^B mod p
  Alice computes (g^B)^A mod p                     Bob computes (g^A)^B mod p
  Shared secret: g^{BA} mod p ≡ g^{AB} mod p
Supersingular Isogeny Diffie-Hellman (public E_0/F_{p^2})
  Alice: secret isogeny φ_A : E_0 → E_A = E_0/⟨A⟩, sends E_A
  Bob: secret isogeny φ_B : E_0 → E_B = E_0/⟨B⟩, sends E_B
  Alice computes φ'_A : E_B → E_BA = E_0/⟨B, A⟩     Bob computes φ'_B : E_A → E_AB = E_0/⟨A, B⟩
  Shared secret: j(E_BA) = j(E_AB)
SIDH Protocol
Public: the starting curve E_0 and torsion bases {P_A, Q_A} and {P_B, Q_B}.
• Alice: φ_A : E_0 → E_A = E_0/⟨A⟩ with ⟨A⟩ = ⟨[m_A]P_A + [n_A]Q_A⟩; sends (E_A, φ_A(P_B), φ_A(Q_B)).
• Bob: φ_B : E_0 → E_B = E_0/⟨B⟩ with ⟨B⟩ = ⟨[m_B]P_B + [n_B]Q_B⟩; sends (E_B, φ_B(P_A), φ_B(Q_A)).
• Alice: E_BA = E_B/⟨[m_A]φ_B(P_A) + [n_A]φ_B(Q_A)⟩.
• Bob: E_AB = E_A/⟨[m_B]φ_A(P_B) + [n_B]φ_A(Q_B)⟩.
• Both arrive at the same isomorphism class E_0/⟨A, B⟩.
SIDH Computations
Secret Kernel Generation
• Inputs: supersingular elliptic curve E(F_{p^2}), torsion basis {P, Q}, private keys m, n
• Compute R = [m]P + [n]Q
Large-Degree Isogeny
• Inputs: supersingular elliptic curve E, secret kernel point R
• Compute φ : E → E/⟨R⟩ by iteratively computing small-degree isogenies
(Figure: breakdown of supersingular isogeny computations, top to bottom: PQC protocols (SIDH) → extended group operations (double point multiplication, large-degree isogeny computation) → group operations (point addition, point doubling) → F_{p^2} arithmetic → F_p arithmetic (addition, multiplication, squaring, inversion).)
Visualizing the large-degree isogeny computation
• Large-degree isogenies can be computed by iteratively computing small-degree isogenies (of degree ℓ; the kernel point R has order ℓ^e)
• Set E_0 = E and R_0 = ker(φ), the generator of the kernel
• Find the kernel point of the i-th step: ker(φ_i) = ⟨[ℓ^{e−i−1}]R_i⟩
• Compute the i-th isogeny φ_i : E_i → E_i/⟨[ℓ^{e−i−1}]R_i⟩ = E_{i+1}
• Push the kernel point to the new curve: R_{i+1} = φ_i(R_i)
(Figure: the loop of point multiplication by ℓ, obtaining the ℓ-isogeny with Vélu's formulas, and evaluating the isogeny on the kernel point.)
Creating an exposure model for SIDH
• Exposure model → assessing the security of a cryptosystem if certain pieces of information are divulged
• Necessary to account for weak implementations or new attacks
• Looking specifically at the large-degree isogeny
Why might intermediate values be exposed?
• Poor implementation
• New attacks on the large-degree isogeny
• Cache prime and probe
• Spectre and Meltdown
• Intermediate values not cleared
• Unexpected reset
• etc.
What are the exposure classes?
• CLASS 1: Intermediate curve is exposed
  • An attacker can now split the large-degree isogeny into two separate isogenies
  • Worst case scenario could cut the security assumption in half
• CLASS 2: Intermediate kernel point is exposed
  • Some variant of the secret kernel point is leaked
  • If the corresponding curve can be found, then the remaining isogenies can be computed → this is very bad
• CLASS 3: Intermediate basis point is exposed
  • If the corresponding curve is found, then the isogeny decisions are revealed
  • After the corresponding curve has been found, this situation resembles the intermediate curve scenario
Visualization of an exposed kernel point
• With an exposed kernel point (CLASS 2), an attacker can find the corresponding curve and compute the remaining isogenies that compose the secret isogeny.
(Figure: (a) the isogeny loop (point multiplication by ℓ, ℓ-isogeny via Vélu's formulas, isogeny evaluation) with the hidden kernel point and base isomorphism class; (b) the same loop after the leak, with the leaked point and its corresponding isomorphism class.)
An exposed kernel point is a disaster, as it can be used to retrieve private keys
General attack procedure for a point exposed after k ℓ-isogenies and j point multiplications by ℓ.
The intermediate kernel point has the form S = φ_{k−1:0}([ℓ^j m]P + [ℓ^j n]Q) on the curve E_k (CLASS 2); the original secret kernel point has the form R = [m]P + [n]Q.
1. Find the isogenous curve E_k, which yields the first k isogenies (difficulty O(ℓ^k)).
2. Push the torsion basis through the k isogenies: {φ_{k−1:0}(P), φ_{k−1:0}(Q)}.
3. Perform a generalized elliptic-curve discrete log (simple for SIDH curves, whose group order is smooth) → the result is k − j bits of the private key:
   φ_{k−1:0}([ℓ^j m]P + [ℓ^j n]Q) = φ_{k−1:0}([m']P) + φ_{k−1:0}([n']Q)
4. Perform an exhaustive search over the ℓ^j point multiples for the rest of the key (difficulty O(ℓ^j)).
   • The remaining secret key bits are a secret multiple of the point order: m ≡ x · m' (mod ℓ^j).
A random pre-isogeny isomorphism protects against all but an exposed curve
• Vélu's formulas for isogenies are deterministic for a given kernel point and curve
• An isomorphism moves from one curve to another within an isomorphism class
• A random isomorphism will scale the curve
• This scaling changes the output curves of isogenies and obfuscates any points that are exposed
Visualization of a pre-isogeny isomorphism
• The pre-isogeny isomorphism obfuscates any exposed points throughout the isogeny operation
• Protects against CLASS 2 and CLASS 3 exposures
(Figure: the isogeny walk before and after the isomorphism; the walk after the isomorphism passes through different curve equations and point coordinates.)
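An added example, not part of the talk, that runs three things from the slides above on a constructed toy: the iterated-isogeny loop (point multiplication, Vélu 2-isogeny, isogeny evaluation), the CLASS 2 step in which an attacker who learns an intermediate (E_k, R_k) finishes the secret walk, and the pre-isogeny isomorphism countermeasure. Assumptions of this example: p = 431 = 2^4 · 3^3 − 1 and E_0 : y^2 = x^3 + 1 over F_p (not F_{p^2}, so that the odd-part cofactor is 27 and E_0(F_p) is cyclic of order 432), short-Weierstrass arithmetic with Vélu's formulas for a 2-isogeny in place of the Montgomery x-only arithmetic real SIDH uses, a 2^4-isogeny, and u = 5 standing in for the random scalar of the isomorphism.

```python
# Added example, not from the slides: toy 2^4-isogeny walk over F_431 on
# E_0: y^2 = x^3 + 1 (supersingular since 431 = 3 mod 4 and 431 = 2 mod 3;
# #E_0(F_p) = 432 = 2^4 * 27). Short-Weierstrass arithmetic, Velu 2-isogenies.
P = 431
INF = None  # point at infinity


def inv(a):
    return pow(a % P, P - 2, P)


def add(p1, p2, a):
    """Affine addition on y^2 = x^3 + a*x + b (b does not enter the formulas)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(n, pt, a):
    """Double-and-add scalar multiplication [n]pt."""
    acc = INF
    while n:
        if n & 1:
            acc = add(acc, pt, a)
        pt = add(pt, pt, a)
        n >>= 1
    return acc


def j_invariant(a, b):
    return 1728 * 4 * a ** 3 * inv(4 * a ** 3 + 27 * b ** 2) % P


def velu_2_isogeny(a, b, x0):
    """Velu's formulas for the 2-isogeny with kernel <(x0, 0)>: returns (a', b', phi)."""
    t = (3 * x0 * x0 + a) % P
    a2, b2 = (a - 5 * t) % P, (b - 7 * x0 * t) % P

    def phi(pt):
        if pt is INF or pt[0] == x0:  # the kernel maps to infinity
            return INF
        x, y = pt
        d = inv(x - x0)
        return ((x + t * d) % P, y * (1 - t * d * d) % P)

    return a2, b2, phi


def isogeny_walk(a, b, R, e, start=0):
    """E/<R> for R of order 2^e as e successive 2-isogenies (the loop on the slide).
    Returns (a_e, b_e, trace) with trace[i] = (a_i, b_i, R_i) for i = start..e-1."""
    trace = []
    for i in range(start, e):
        trace.append((a, b, R))
        K = mul(2 ** (e - i - 1), R, a)  # kernel point of order 2
        a, b, phi = velu_2_isogeny(a, b, K[0])
        R = phi(R)  # push the kernel point to E_{i+1}
    return a, b, trace


def isomorphism(a, b, pts, u):
    """(x, y) -> (u^2 x, u^3 y) maps E onto the isomorphic curve y^2 = x^3 + u^4 a x + u^6 b."""
    return u ** 4 * a % P, u ** 6 * b % P, [(u * u * x % P, u ** 3 * y % P) for x, y in pts]


def point_of_order_2e(a, b, e):
    """Deterministic search for a point of exact order 2^e."""
    for x in range(P):
        rhs = (x ** 3 + a * x + b) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root when rhs is a square (p = 3 mod 4)
        if y * y % P != rhs:
            continue
        R = mul(27, (x, y), a)  # remove the odd part of the order
        if R is not INF and mul(2 ** (e - 1), R, a) is not INF:
            return R
    raise ValueError("no point of order 2^e")


def demo(e=4, k=2, u=5):
    """Honest walk; CLASS 2 attacker finishing from (E_k, R_k); masked walk."""
    a, b = 0, 1
    R = point_of_order_2e(a, b, e)
    a_e, b_e, trace = isogeny_walk(a, b, R, e)
    a_k, b_k, R_k = trace[k]  # CLASS 2 leak: intermediate curve and kernel point
    a_x, b_x, _ = isogeny_walk(a_k, b_k, R_k, e, start=k)
    a_m, b_m, (R_m,) = isomorphism(a, b, [R], u)  # countermeasure; u is random in practice
    a_u, b_u, trace_u = isogeny_walk(a_m, b_m, R_m, e)
    return {"j_honest": j_invariant(a_e, b_e), "j_attacker": j_invariant(a_x, b_x),
            "j_masked": j_invariant(a_u, b_u), "E_1": trace[1][:2],
            "E_k": trace[k][:2], "E_k_masked": trace_u[k][:2],
            "j_k": j_invariant(*trace[k][:2]), "j_k_masked": j_invariant(*trace_u[k][:2])}


if __name__ == "__main__":
    print(demo())
```

Three things to read off the result. j_attacker equals j_honest: from the leaked (E_k, R_k) the remaining e − k steps are just the same loop, which is the CLASS 2 disaster on the slide. E_k_masked differs from E_k while j_k_masked equals j_k and j_masked equals j_honest: the isomorphism only rescales coefficients by u^4, u^6 and coordinates by u^2, u^3, so every intermediate value an attacker might capture changes with u, yet the isomorphism class, and hence the shared secret, does not. The first step always lands on y^2 = x^3 − 15x + 22 (j = 54000 mod 431 = 125), because (−1, 0) is the only F_p-rational point of order 2 on E_0, which is why the test can pin that curve down exactly.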
A pre-isogeny isomorphism is a computationally cheap countermeasure
• For short Weierstrass curves, this requires a random number and several field operations
• The major cost is generating random numbers
Table: Cost of Pre-isogeny Isomorphism
Protocol                                  r   δ   I   M    S
SIDH Round 1                              1   0   1   9    3
SIDH Round 2                              1   0   1   5    3
SIDH Indirect Key Validation              1   4   1   15   5
(Kirkwood et al. Validation)
• Let r be the cost to generate a random number, I be a finite-field inversion, M be a finite-field multiplication, S be a finite-field squaring, and δ be a finite-field comparison
23
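The following Python toy is an added example, not code from the slides or from the SIDH/SIKE implementations, illustrating the countermeasure of this slide and the previous one: a random short Weierstrass isomorphism (x, y) → (u²x, u³y) applied before a 2-isogeny computed with Vélu's formulas. It assumes a constructed toy curve y² = x³ − x over F_127 (the curve pictured earlier in the deck, not an SIDH field, which is F_{p²} with a large p) and hypothetical helper names; it shows that the scaled path reproduces a different kernel point and codomain while the j-invariant, the value the protocol actually agrees on, is unchanged.

```python
# Added example (not from the slides): random pre-isogeny isomorphism on a
# short Weierstrass curve over a small prime field, followed by a 2-isogeny
# from Velu's formulas.  Constructed toy parameters; not SIDH parameters.
import secrets

P = 127  # toy field prime, chosen for the example (p = 3 mod 4 makes sqrt easy)


def inv(x, p=P):
    """Modular inverse in F_p (the I column of the cost table)."""
    return pow(x % p, -1, p)


def j_invariant(a, b, p=P):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2) identifies the isomorphism class."""
    num = 4 * pow(a, 3, p) % p
    return 1728 * num * inv(num + 27 * b * b, p) % p


def on_curve(a, b, pt, p=P):
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def random_isomorphism(a, b, pts, p=P, u=None):
    """Pre-isogeny isomorphism: (x, y) -> (u^2 x, u^3 y) for random u in F_p*.

    Returns the scaled curve (a u^4, b u^6), the scaled points and u.  Cost is
    one random number plus a handful of field multiplications, as on the slide.
    """
    if u is None:
        u = 1 + secrets.randbelow(p - 1)  # fresh randomness on every run
    u2, u3 = u * u % p, u * u * u % p
    a_u = a * u2 * u2 % p
    b_u = b * u3 * u3 % p
    return a_u, b_u, [(u2 * x % p, u3 * y % p) for (x, y) in pts], u


def velu_2_isogeny(a, b, kernel, p=P):
    """Velu's formulas for the 2-isogeny with kernel <(x0, 0)> on y^2 = x^3 + ax + b.

    Deterministic: the same (a, b, x0) always yields the same codomain and map,
    which is exactly why an exposed kernel point is so informative.
    """
    x0, y0 = kernel
    assert y0 == 0 and on_curve(a, b, kernel, p), "kernel must be a 2-torsion point"
    t = (3 * x0 * x0 + a) % p
    w = x0 * t % p
    a2 = (a - 5 * t) % p
    b2 = (b - 7 * w) % p

    def phi(pt):
        x, y = pt
        d = inv(x - x0, p)  # 1/(x - x0); pt must lie outside the kernel
        return ((x + t * d) % p, y * (1 - t * d * d) % p)

    return a2, b2, phi


def find_point(a, b, p=P, start=2):
    """First affine point with x >= start and y != 0 (sqrt via exponent for p = 3 mod 4)."""
    for x in range(start, p):
        rhs = (x ** 3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs and y != 0:
            return (x, y)
    raise ValueError("no point found")


def compare_paths(u=None):
    """Run the 2-isogeny with and without the pre-isogeny isomorphism."""
    a, b = (-1) % P, 0       # E: y^2 = x^3 - x
    R = (1, 0)               # secret kernel point (2-torsion), constructed
    Q = find_point(a, b)     # a point pushed through the isogeny

    # Unprotected path: kernel point and codomain are exactly reproducible.
    a2, b2, phi = velu_2_isogeny(a, b, R)

    # Protected path: randomize first, then run the same deterministic formulas.
    a_u, b_u, (R_u, Q_u), u = random_isomorphism(a, b, [R, Q], u=u)
    a2_u, b2_u, phi_u = velu_2_isogeny(a_u, b_u, R_u)

    return {
        "u": u,
        "kernel_plain": R, "kernel_scaled": R_u,
        "codomain_plain": (a2, b2), "codomain_scaled": (a2_u, b2_u),
        "j_plain": j_invariant(a2, b2), "j_scaled": j_invariant(a2_u, b2_u),
        "image_plain": phi(Q), "image_scaled": phi_u(Q_u),
        "image_on_curve": on_curve(a2_u, b2_u, phi_u(Q_u)),
    }


if __name__ == "__main__":
    for k, v in compare_paths().items():
        print(f"{k:16} {v}")
```

The scaled path commutes with the isomorphism (the image point is (u²X, u³Y) of the plain image), so the same shared j-invariant results while every intermediate value an observer could see differs per run.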
Conclusion
• SIDH/SIKE are up-and-coming candidates for PQC standardization
• These primitives feature the smallest known public key sizes for quantum-resistant PKC
• We created an exposure model for the large-degree isogeny computation
• We showed that an exposed intermediate kernel point (CLASS 2) can reveal a party's private key
• We proposed a pre-isogeny isomorphism as a cheap countermeasure to protect against exposing intermediate points in the future
• Thank you very much for your attention. Questions?
24

More Related Content

PPTX
Blockchain Tokenization
PPTX
Bitcoin & Bitcoin Mining
PPTX
MITM Attacks on HTTPS: Another Perspective
PPTX
Cryptography
PDF
Multi-Signature Deep Dive
PDF
IBM Blockchain Platform Technical Introduction v1.1
PDF
Emily Stamm - Post-Quantum Cryptography
PDF
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2
Blockchain Tokenization
Bitcoin & Bitcoin Mining
MITM Attacks on HTTPS: Another Perspective
Cryptography
Multi-Signature Deep Dive
IBM Blockchain Platform Technical Introduction v1.1
Emily Stamm - Post-Quantum Cryptography
CNIT 141: 5. More About Block Ciphers + Modular Arithmetic 2

What's hot (20)

PPT
Pgp
PDF
Hacking With Nmap - Scanning Techniques
PPTX
Classification of vulnerabilities
PDF
Ti1220 Lecture 2: Names, Bindings, and Scopes
PPTX
Web security
PPTX
An Introduction to Ripple XRP
PPTX
Transport layer security (tls)
ODP
Side channel attacks
PDF
Public Vs. Private Keys
PPTX
Digital certificates in e commerce
PDF
Unit 3_Private Key Management_Protection.pdf
PPTX
The Future of Digital Currencies
PDF
Introduction to Multi Party Computation
PPTX
Wireless Attacks
PDF
PKI in Korea
PPTX
Cia security model
PPT
Secure Socket Layer
PPTX
Digital signature
PPT
6 buffer overflows
PDF
basic encryption and decryption
Pgp
Hacking With Nmap - Scanning Techniques
Classification of vulnerabilities
Ti1220 Lecture 2: Names, Bindings, and Scopes
Web security
An Introduction to Ripple XRP
Transport layer security (tls)
Side channel attacks
Public Vs. Private Keys
Digital certificates in e commerce
Unit 3_Private Key Management_Protection.pdf
The Future of Digital Currencies
Introduction to Multi Party Computation
Wireless Attacks
PKI in Korea
Cia security model
Secure Socket Layer
Digital signature
6 buffer overflows
basic encryption and decryption
Ad

Similar to Codes and Isogenies (20)

PPT
Signyourd digital signature certificate provider
PDF
1508.07756v1
PPTX
Reed solomon Encoder and Decoder
PPT
Threshold and Proactive Pseudo-Random Permutations
PDF
Low-rank methods for analysis of high-dimensional data (SIAM CSE talk 2017)
PDF
ENBIS 2018 presentation on Deep k-Means
PPT
cipherrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr.ppt
PDF
Triggering patterns of topology changes in dynamic attributed graphs
PDF
Tucker tensor analysis of Matern functions in spatial statistics
PPTX
01 - DAA - PPT.pptx
PPT
Crypto cs36 39
PPTX
R Language Introduction
PDF
Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014
PDF
Digital Signatures: Reassessing security of randomizable signatures
PDF
Empowering Fourier-based Pricing Methods for Efficient Valuation of High-Dime...
PPT
Randomized algorithms ver 1.0
PDF
R package 'bayesImageS': a case study in Bayesian computation using Rcpp and ...
PDF
Quantum Machine Learning and QEM for Gaussian mixture models (Alessandro Luongo)
Signyourd digital signature certificate provider
1508.07756v1
Reed solomon Encoder and Decoder
Threshold and Proactive Pseudo-Random Permutations
Low-rank methods for analysis of high-dimensional data (SIAM CSE talk 2017)
ENBIS 2018 presentation on Deep k-Means
cipherrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr.ppt
Triggering patterns of topology changes in dynamic attributed graphs
Tucker tensor analysis of Matern functions in spatial statistics
01 - DAA - PPT.pptx
Crypto cs36 39
R Language Introduction
Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014
Digital Signatures: Reassessing security of randomizable signatures
Empowering Fourier-based Pricing Methods for Efficient Valuation of High-Dime...
Randomized algorithms ver 1.0
R package 'bayesImageS': a case study in Bayesian computation using Rcpp and ...
Quantum Machine Learning and QEM for Gaussian mixture models (Alessandro Luongo)
Ad

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
PDF
Cyber Defense Matrix Workshop - RSA Conference
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
PDF
Securing AI - There Is No Try, Only Do!.pdf
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
PDF
Keynote : Presentation on SASE Technology
PDF
Keynote : AI & Future Of Offensive Security
PDF
Redefining Cybersecurity with AI Capabilities
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
PDF
Finetuning GenAI For Hacking and Defending
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Lessons Learned from Developing Secure AI Workflows.pdf
Cyber Defense Matrix Workshop - RSA Conference
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Securing AI - There Is No Try, Only Do!.pdf
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Techniques for Automatic Device Identification and Network Assignment.pdf
Keynote : Presentation on SASE Technology
Keynote : AI & Future Of Offensive Security
Redefining Cybersecurity with AI Capabilities
Demystifying Neural Networks And Building Cybersecurity Applications
Finetuning GenAI For Hacking and Defending
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf

Recently uploaded (20)

PDF
Architecture types and enterprise applications.pdf
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
PDF
Getting started with AI Agents and Multi-Agent Systems
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
Developing a website for English-speaking practice to English as a foreign la...
PPTX
O2C Customer Invoices to Receipt V15A.pptx
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
Getting Started with Data Integration: FME Form 101
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
A review of recent deep learning applications in wood surface defect identifi...
PPTX
Chapter 5: Probability Theory and Statistics
PPTX
observCloud-Native Containerability and monitoring.pptx
PPTX
Benefits of Physical activity for teenagers.pptx
PDF
A comparative study of natural language inference in Swahili using monolingua...
PPT
Geologic Time for studying geology for geologist
PDF
Hybrid model detection and classification of lung cancer
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Architecture types and enterprise applications.pdf
Taming the Chaos: How to Turn Unstructured Data into Decisions
Getting started with AI Agents and Multi-Agent Systems
Zenith AI: Advanced Artificial Intelligence
Developing a website for English-speaking practice to English as a foreign la...
O2C Customer Invoices to Receipt V15A.pptx
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
Getting Started with Data Integration: FME Form 101
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
Univ-Connecticut-ChatGPT-Presentaion.pdf
Final SEM Unit 1 for mit wpu at pune .pptx
A review of recent deep learning applications in wood surface defect identifi...
Chapter 5: Probability Theory and Statistics
observCloud-Native Containerability and monitoring.pptx
Benefits of Physical activity for teenagers.pptx
A comparative study of natural language inference in Swahili using monolingua...
Geologic Time for studying geology for geologist
Hybrid model detection and classification of lung cancer
NewMind AI Weekly Chronicles – August ’25 Week III
Assigned Numbers - 2025 - Bluetooth® Document

Codes and Isogenies

  • 1. SESSION ID: #RSAC David Jao CODES AND ISOGENIES CRYP-F02 Professor University of Waterloo
  • 2. SESSION ID: CRYP-F02 REVOCABLE IDENTITY-BASED ENCRYPTION FROM CODES WITH RANK METRIC Somitra Kumar Sanadhya Associate Professor CSE, IIT Ropar, India Joint work with Donghoon Chang (IIIT Delhi), Amit Kumar Chauhan (IIT Ropar), and Sandeep Kumar (IIIT Delhi & University of Delhi, India) Date: 04/20/2018 Session: CRYP-F02 Time: 10:15 AM - 11:00 AM
  • 3. Thanks to US Department of State for not providing Nonimmigrant Visa to Dr. Somitra Kumar Sanadhya. Dr. Reza Azarderakhsh kindly agrees to present our work at CT-RSA 2018. We would like to thank Dr. Reza Azarderakhsh for accepting our request. 2
  • 4. Motivation Identity-based Crypto: To resolve the problem of key management in standard PKE. Encrypt Decrypt m CT = (id, c) Bob decrypts Didid PP PP, MSK Setup (Decryption Key) id Alice encrypts Bob’s identity 1k m/⊥ Key Authority PKG 3
  • 5. Motivation Identity-based Crypto: To resolve the problem of key management in standard PKE. Encrypt Decrypt m CT = (id, c) Bob decrypts Didid PP PP, MSK Setup (Decryption Key) id Alice encrypts Bob’s identity 1k m/⊥ Key Authority PKG Problem: how to efficiently revoke past users in identity-based encryption (IBE) ? 3
  • 6. Revocable IBE (RIBE) Adding efficient revocation procedure to IBE ... Encrypt Decrypt m CT = (id, t, c) Bob decrypts (id, t) PP PP, MSK Setup Key Authority id Alice encrypts 1k tTime Did,t = {SKid, KUt} m/⊥ Private Key Gen Key Update Bob’s identity PP, MSK, id SKid PP, MSK, t KUt Revocation PP, id, t Yes/No revoked status of user id at time t Decryption key 4
  • 7. Revocable IBE (RIBE) Adding efficient revocation procedure to IBE ... Encrypt Decrypt m CT = (id, t, c) Bob decrypts (id, t) PP PP, MSK Setup Key Authority id Alice encrypts 1k tTime Did,t = {SKid, KUt} m/⊥ Private Key Gen Key Update Bob’s identity PP, MSK, id SKid PP, MSK, t KUt Revocation PP, id, t Yes/No revoked status of user id at time t Decryption key • Initially, the key update is public to all users. At a later time, stop publishing the key updates for a revoked user ! 4
  • 8. Key Generation on a Binary Tree • Upon registration, the key authority provides the user u3 with a set of distinct private keys for each node in Path(v) on a binary tree BT. root u1 u2 u3 u4 u5 u6 u7 u8 v Path(v) θ θ θr • To generate the key for a user u, one can choose a random value r • split r into two parts r1 and r2 for each node • generate private-key SKid on (id, r1) using private key generation algorithm • do key-updates KUt on (t, r2) using key-updates algorithm • The decryption-key is: DKid,t = {SKid, KUt} for a node on a path corresponding to a user u. 5
  • 9. How to revoke a user ? • Run the Revocation algorithm R(id∗, t∗, RL) : • adds revoked user id∗ to the revocation list RL at revoked time t∗ . • Do the key-updates for non-revoked users (the number of key-updates are logarithmic in the number of users). • Stop sending key-updates for a revoked user for the time t ≥ t∗. 6
  • 10. How to do Key-Updates for a user ? • Run the Key-Update-Nodes algorithm KUNodes(BT, RL, t) : • returns a minimal set Y ⊂ BT of nodes for which key update needs to be published. KUNodes(BT, RL, t) X, Y ← φ ∀(vi, ti) ∈ RL if ti ≤ t then add Path(vi) to X ∀θ ∈ X if θ /∈ X then add θ to Y if θr /∈ X then add θr to Y If Y = φ then add root to Y Return Y 7
  • 11. Examples of Key-Updates Algorithm √ × √ √ √ × × × u1 u2 u3 u4 u5 u6 u7 u8 u1 u2 u3 u4 u5 u6 u7 u8 (a) No user is revoked (b) User u3 is revoked shows that the key-updates KUt is published for those nodes at time t. 8
  • 12. Selective-Revocable-ID Security of RIBE Challenger Attacker (PP, MSK, RL) ← S(1k ) (id∗ , t∗ ) PP id SKid ← SK(PP, MSK, id) t KUt ← KU(PP, MSK, t) c∗ ← Encrypt(PP, id∗ , t∗ , mb) (id∗ , m0, m1) b ← {0, 1} SK(PP, MSK, ·) KU(PP, MSK, ·) A b ∈ {0, 1} R(id∗ , t∗ , RL)RL A targets to attack id∗ at time t∗ doesn’t make queryA with (id, t) = (id∗ , t∗ ) (Updated) for t ≥ t∗ . A outputs The advantage of A is defined as Advind-srid-cpa A,RIBE (k) := Pr[b = b] − 1 2 . 9
  • 13. A Bit of (R)IBE History • Boneh and Franklin : Identity-based Encryption from Weil Pairing, CRYPTO 2001. • Boldyreva, Goyal and Kumar : Identity-based Encryption (from Weil pairing) with Efficient Revocation, ACM CCS 2008. • Agrawal, Boneh and Boyen : Efficient Lattice (H)IBE in the Standard Model, EUROCRYPT 2010. • Chen, Lim, Ling, Wang and Nguyen : Revocable Identity-Based Encryption from Lattices, ACISP 2012. • Gaborit, Hauteville, Phan and Tillich : Identity-based Encryption from Codes with Rank Metric, CRYPTO 2017. 10
  • 14. Our Work • We construct Revocable IBE (RIBE) from Codes with Rank Metric. • Highlights of RIBE : • Constructed from Low Rank Parity-Check (LRPC) codes. • Master Secret Key (MSK) is defined as the “Trapdoor” generated through the RankSign algorithm1. • Provides IND-sRID-CPA security which relies mainly on the Rank Syndrome Decoding (RSD) problem1. • Binary-Tree data structure2 is used to add efficient revocation procedure to IBE. 1 Gaborit et al. RankSign: An Efficient Signature Algorithm based on the Rank Metric, PQCrypto 2014. 2 Boldyreva, Goyal, and Kumar. Identity-based Encryption with Efficient Revocation, ACM CCS 2008. 11
  • 15. Rank Metric over Fn qm • Let Fqm be a m-dimensional vector space over the field Fq with prime q. • Let B = (b1, . . . , bm) be a basis of Fqm . • Let x = (x1, . . . , xn) ∈ Fn qm , then each coordinate xj can be expressed in terms of basis B as : xj = m i=1 mij bi where mij ∈ Fq • The m × n matrix associated with x is defined as M(x) = (mij)1≤i≤m, 1≤j≤n. • Rank weight of x is defined as x = Rank M(x) • Rank distance (metric) d(x, y) between elements x and y in Fn qm is defined as d(x, y) = x − y 12
  • 16. Rank Code • A linear code C of dimension k and length n is a subspace of dimension k of Fn qm embedded with the rank metric. • C can be represented by two ways : • by a generator matrix G ∈ Fk×n qm . Each rows of G is an element of a basis of C, C = {xG | x ∈ Fk qm } • by a parity-check matrix H ∈ F (n−k)×n qm . Each rows of H determines a parity-check equation verified by its elements of C : C = {x ∈ Fn qm | HxT = 0} 13
  • 17. Low Rank Parity-Check (LRPC) Codes LRPC Codes • Let H = (hij)1≤i≤n−k, 1≤j≤n ∈ F (n−k)×n qm be a full rank matrix. • All the elements of H generate an Fq-subspace F of dimension d: F = hij Fq • The code C[n, k, d]qm with parity-check matrix H is called a LRPC code of weight d. Such a matrix H is called a homogeneous matrix of weight d. 14
  • 18. Augmented Low Rank Parity-Check Codes Augmented LRPC Codes • Let H ∈ F (n−k)×n qm be a homogeneous matrix of full rank and of weight d. • R ∈ F (n−k)× qm be a random matrix. • P ∈ GLn−k(Fqm )) and Q ∈ GLn+ (Fq) be two invertible matrices. • H = P(R|H)Q be the parity-check matrix of a code C of type [n + , k + ]. We call such a code, an LRPC+ code. If = 0, then C is a LRPC code. Definition (LRPC+ Problem) Given an LRPC+ code, distinguish it from a random code with the same parameters. 15
  • 19. Rank Syndrome Decoding Problem Definition (Rank Syndrome Decoding (RSD) Problem) Instance : a parity-check matrix H in F (n−k)×n qm , a syndrome s in Fn−k qm and an integer w. Question : does there exist x ∈ Fn qm such that H.xT = s and wR(x) ≤ w ? Definition (Decisional Rank Syndrome Decoding (DRSD) Problem) Instance : a generator matrix G in Fk×n qm , m ∈ Fk qm and x ∈ Fn qm of weight w. Question : can we distinguish the pair (G, mG + x) from (G, y) with y $ ←− Fn qm ? 16
  • 20. Rank Support Learning Problem Definition (Rank Support Learning (RSL) Problem) • Let A be a random full-rank matrix of size (n − k) × n over Fqm and U be a subspace of Fqm of dimension w. • Let O be an oracle which gives samples of the form (A, Av), where v $ ←− Un. • The RSL problem is to recover V given only access to the oracle. That is, Pr[A(A, AV) = V] ≤ , V $ ←− Un×N where N be the number of queries made to the oracle O. • The DRSL problem is to distinguish (A, AV) from (A, Y) with Y $ ←− F (n−k)×N qm . 17
  • 21. Overview of RIBE from LRPC Codes Set up Public Parameters PP = (A, G, u) A ∈ F (k+ )×(n+ ) qm , full-rank matrix G ∈ Fk ×n qm , a generator matrix u ∈ F (n+ ) qm , uniformly random where MSK = (H, P, Q, R) Compute p1 = Hash(id) and p2 = Hash(t) Encryption of m ∈ Fk qm PP = (A, G, u) Compute p1 = Hash(id) and p2 = Hash(t) Decryption of CT CT = (id, t, C, x) If Rank((e1 + e2)V ) ≤ 2wr, recover m. for a simple code which can decode upto 2wr errors such that H AT = 0 Compute p1 = Hash(id) Syndrome x1 = H pT 1 + H uT 1 Sample e1 as H eT 1 = x1 using MSK Compute s1 as p1 + u1 = s1A + e1 KUt := s2 Compute p2 = Hash(t) Syndrome x2 = H pT 2 + H uT 2 Sample e2 as H eT 2 = x2 using MSK Compute s2 as p2 + u2 = s2A + e2 Private-Key Gen Key-Update Gen Choose V ∈ F (n+ )×n qm randomly of weight w A p1 + p2 + u V + 0 mG = C x (s | −1) C x = −(e1 + e2)V − mG Define “Decryption Key” DKid,t := s := s1 + s2 Define u2 = u − u1Choose u1 randomly SKid := s1 Set Up Public Parameters Generate “Trapdoor as MSK” from RankSign algorithm Construct from Augmented LRPC Codes with parity-check matrix H = P(R|H)Q 18
  • 22. Security of RIBE Theorem Suppose there exists an adversary A against the IND-sRID-CPA security, who makes at most qH1 and qH2 distinct queries to the H1 and H2 random oracles, then the advantage of adversary A is given by the following expression ribe ≤ qH1 + qH2 . 2 q + drsd + lrpc+ + drsl, where ribe, drsd, drsl and lrpc+ are respectively the bound on the advantage of the attacks against the RIBE system, the DRSD, DRSL and LRPC+ problems. 19
  • 23. Proof Sketch (Selective-Revocable-ID security of RIBE) Suppose A be a probabilistic polynomial time adversary who wishes to break the se- curity of RIBE in selective-revocable-ID security. Goal : To show that a PPT adversary A has a negligible advantage in winning the orig- inal IND-sRID-CPA game. Transitions of Games: Game G0 Game G1 Game G2 Game G3 Game G4 Real Game IND-sRID-CPA Generate decryption keys Define matrix A as random Choose challenged ciphertext Fully Random w/o knowledge of trapdoor matrix to generate codewords randomlyCT∗ = (id∗ , t∗ , c∗ , x∗ ) Game |Pr[AG0 ] − Pr[AG1 ]| ≤ 2 q + drsd |Pr[AG1 ] − Pr[AG2 ]| ≤ lrpc+ |Pr[AG2 ] − Pr[AG3 ]| ≤ drsl Pr[AG3 ] = Pr[AG4 ] = 1 2 20
  • 24. Practical set of Parameters We choose the parameters of the simple code in such a way that it can decode up to 2wr errors and the decoding error with failure probability ≈ 1 q −2wr+1 is small. Scheme n n − k m q d r dGV dsign IBE3 100 20 96 2192 5 12 16 11 20 RIBE 100 20 96 2192 5 12 16 11 20 Scheme Public Key Size (Bytes) n k w IBE5 4,239,360 of A 96 9 66 4 RIBE 4,497,408 of (A, u) 96 9 66 2 With the above parameters, one can achieve decoding failure probability ≈ 2−576. 3 Gaborit et al.: Identity-based Encryption from Codes with Rank Metric, CRYPTO 2017. 21
  • 25. Conclusion and Future Work • We built the revocable IBE from codes with rank metric. • We formally proved the selective-ID CPA security of revocable IBE in the random oracle model. • As an extension of this work, one might think of constructing Revocable IBE with adaptive-ID CCA security, which is a strongest security model. • Another extension could be a scheme secure in standard model. 22
  • 26. 23
  • 27. AN EXPOSURE MODEL FOR SUPERSINGULAR ISOGENY DIFFIE-HELLMAN KEY EXCHANGE Brian Koziel, Reza Azarderakhsh, David Jao Assistant Professor Florida Atlantic University
  • 28. Current PKC is safe until large-scale quantum computers are available • ECDH, ECDSA: Protected by the Elliptic curve discrete logarithm problem 2
  • 29. Current PKC is safe until large-scale quantum computers are available • ECDH, ECDSA: Protected by the Elliptic curve discrete logarithm problem • RSA: Protected by the factorization and discrete logarithm problems 2
  • 30. Current PKC is safe until large-scale quantum computers are available • ECDH, ECDSA: Protected by the Elliptic curve discrete logarithm problem • RSA: Protected by the factorization and discrete logarithm problems • Large-scale quantum computers with Shor’s algorithm will BREAK the security assumptions for these primitives Figure: Quantum Computer (The Verge) 2
  • 31. NIST has started a PQC standardization process Primary Post-Quantum Cryptography (PQC) Candidates: • Code-Based: McEliece 3
  • 32. NIST has started a PQC standardization process Primary Post-Quantum Cryptography (PQC) Candidates: • Code-Based: McEliece • Hash-based: Lamport, Merkle Signatures 3
  • 33. NIST has started a PQC standardization process Primary Post-Quantum Cryptography (PQC) Candidates: • Code-Based: McEliece • Hash-based: Lamport, Merkle Signatures • Lattice-based: NTRU, LWE 3
  • 34. NIST has started a PQC standardization process Primary Post-Quantum Cryptography (PQC) Candidates: • Code-Based: McEliece • Hash-based: Lamport, Merkle Signatures • Lattice-based: NTRU, LWE • Multivariate: Rainbow Signature 3
  • 35. NIST has started a PQC standardization process Primary Post-Quantum Cryptography (PQC) Candidates: • Code-Based: McEliece • Hash-based: Lamport, Merkle Signatures • Lattice-based: NTRU, LWE • Multivariate: Rainbow Signature • Isogeny-based: SIDH, SIKE 3
  • 36. NIST has started a PQC standardization process Primary Post-Quantum Cryptography (PQC) Candidates: • Isogeny-based: SIDH, SIKE Figure: E : y2 = x3 − x Left: E/Z Right: E/F127 3
  • 37. SIDH offers the smallest key sizes of known quantum-resistant algorithms Table: Comparison of different post-quantum key exchange and encryption algorithms at 128-bit quantum security level. Key sizes are in Bytes Algorithm NTRU New Hope McBits SIDH Compressed SIDH Type Lattice Ring-LWE Code Isogeny Isogeny Public Key 6,130 2,048 1,046,739 576 336 Private Key 6,743 2,048 10,992 48 48 Performance Slow Very Fast Slow Very Slow Very Slow 4
  • 38. SIDH offers the smallest key sizes of known quantum-resistant algorithms Table: Comparison of different post-quantum key exchange and encryption algorithms at 128-bit quantum security level. Key sizes are in Bytes Algorithm NTRU New Hope McBits SIDH Compressed SIDH Type Lattice Ring-LWE Code Isogeny Isogeny Public Key 6,130 2,048 1,046,739 576 336 Private Key 6,743 2,048 10,992 48 48 Performance Slow Very Fast Slow Very Slow Very Slow • Small key sizes reduce transmission cost and storage requirement 4
  • 39. Why would I want to use SIDH or SIKE as a quantum alternative? Pros :) • Very small public/private keys • Implementations resemble ECC • Security based on supersingular isogeny problem • SIKE: IND-CCA KEM alternative to SIDH → static keys can be reused! • No possibility for decryption error • No complicated error distributions, rejection sampling, etc. • Conservative security analysis when assuming generic attacks Cons :( • Newest candidate for PQC applications • Very slow • SIDH has security concerns if keys are reused 5
  • 40. Isogeny-Based Cryptography History • 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006 6
  • 41. Isogeny-Based Cryptography History • 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006 • 1999: Galbraith - First published cryptanalysis of isogeny problem 6
  • 42. Isogeny-Based Cryptography History • 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006 • 1999: Galbraith - First published cryptanalysis of isogeny problem • 2009: Charles et al. - Hash functions from supersingular isogenies 6
  • 43. Isogeny-Based Cryptography History • 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006 • 1999: Galbraith - First published cryptanalysis of isogeny problem • 2009: Charles et al. - Hash functions from supersingular isogenies • 2010: Stolbunov - First published isogeny-based public-key cryptosystem based on isogenies between ordinary curves 6
  • 44. Isogeny-Based Cryptography History • 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006 • 1999: Galbraith - First published cryptanalysis of isogeny problem • 2009: Charles et al. - Hash functions from supersingular isogenies • 2010: Stolbunov - First published isogeny-based public-key cryptosystem based on isogenies between ordinary curves • 2010: Childs et al. - Quantum subexponential attack on Stolbunov’s public-key cryptosystem 6
  • 45. Isogeny-Based Cryptography History • 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006 • 1999: Galbraith - First published cryptanalysis of isogeny problem • 2009: Charles et al. - Hash functions from supersingular isogenies • 2010: Stolbunov - First published isogeny-based public-key cryptosystem based on isogenies between ordinary curves • 2010: Childs et al. - Quantum subexponential attack on Stolbunov’s public-key cryptosystem • 2011: Jao and De Feo - Supersingular Isogeny Diffie-Hellman (SIDH) proposed 6
  • 46. Isogeny-Based Cryptography History • 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006 • 1999: Galbraith - First published cryptanalysis of isogeny problem • 2009: Charles et al. - Hash functions from supersingular isogenies • 2010: Stolbunov - First published isogeny-based public-key cryptosystem based on isogenies between ordinary curves • 2010: Childs et al. - Quantum subexponential attack on Stolbunov’s public-key cryptosystem • 2011: Jao and De Feo - Supersingular Isogeny Diffie-Hellman (SIDH) proposed • 2016: Galbraith et al. - Active attack against SIDH with static key re-use 6
  • 47. Isogeny-Based Cryptography History • 1996: Couveignes - First mention of isogenies in cryptography. Published in 2006 • 1999: Galbraith - First published cryptanalysis of isogeny problem • 2009: Charles et al. - Hash functions from supersingular isogenies • 2010: Stolbunov - First published isogeny-based public-key cryptosystem based on isogenies between ordinary curves • 2010: Childs et al. - Quantum subexponential attack on Stolbunov’s public-key cryptosystem • 2011: Jao and De Feo - Supersingular Isogeny Diffie-Hellman (SIDH) proposed • 2016: Galbraith et al. - Active attack against SIDH with static key re-use • 2017: Jao et al. - Supersingular Isogeny Key Encapsulation (SIKE) submitted to NIST PQC process 6
  • 48. Isogeny-Based Cryptography underlying security Consider two supersingular elliptic curves defined over a large prime extension field 7
  • 49. Isogeny-Based Cryptography underlying security Consider two supersingular elliptic curves defined over a large prime extension field • E1/Fp2 and E2/Fp2 , where p is a large prime 7
  • 50. Isogeny-Based Cryptography underlying security Consider two supersingular elliptic curves defined over a large prime extension field • E1/Fp2 and E2/Fp2 , where p is a large prime • There exists some isogeny φ : E1 → E2 with a fixed, smooth degree that is public 7
  • 51. Isogeny-Based Cryptography underlying security Consider two supersingular elliptic curves defined over a large prime extension field • E1/Fp2 and E2/Fp2 , where p is a large prime • There exists some isogeny φ : E1 → E2 with a fixed, smooth degree that is public Supersingular Isogeny Problem Given P, Q ∈ E1 and φ(P), φ(Q) ∈ E2, compute the secret isogeny, φ 7
  • 52. Isogeny-Based Cryptography underlying security Consider two supersingular elliptic curves defined over a large prime extension field • E1/Fp2 and E2/Fp2 , where p is a large prime • There exists some isogeny φ : E1 → E2 with a fixed, smooth degree that is public Supersingular Isogeny Problem Given P, Q ∈ E1 and φ(P), φ(Q) ∈ E2, compute the secret isogeny, φ • The best known attack is based on the claw finding algorithm 7
  • 53. Isogeny-Based Cryptography underlying security Consider two supersingular elliptic curves defined over a large prime extension field • E1/Fp2 and E2/Fp2 , where p is a large prime • There exists some isogeny φ : E1 → E2 with a fixed, smooth degree that is public Supersingular Isogeny Problem Given P, Q ∈ E1 and φ(P), φ(Q) ∈ E2, compute the secret isogeny, φ • The best known attack is based on the claw finding algorithm • For SIDH/SIKE: 7
  • 54. Isogeny-Based Cryptography underlying security Consider two supersingular elliptic curves defined over a large prime extension field • E1/Fp2 and E2/Fp2 , where p is a large prime • There exists some isogeny φ : E1 → E2 with a fixed, smooth degree that is public Supersingular Isogeny Problem Given P, Q ∈ E1 and φ(P), φ(Q) ∈ E2, compute the secret isogeny, φ • The best known attack is based on the claw finding algorithm • For SIDH/SIKE: • Classical attack O(p1/4) 7
  • 55. Isogeny-Based Cryptography underlying security Consider two supersingular elliptic curves defined over a large prime extension field • E1/Fp2 and E2/Fp2 , where p is a large prime • There exists some isogeny φ : E1 → E2 with a fixed, smooth degree that is public Supersingular Isogeny Problem Given P, Q ∈ E1 and φ(P), φ(Q) ∈ E2, compute the secret isogeny, φ • The best known attack is based on the claw finding algorithm • For SIDH/SIKE: • Classical attack O(p1/4) • Quantum attack O(p1/6) 7
  • 56. Visualizing the Supersingular Isogeny Problem: consider a graph where each node represents a supersingular isomorphism class. [Figure: isogeny graph; legend: isomorphism class]
  • 57. Visualizing the Supersingular Isogeny Problem: for ℓ = 2, each node is connected by three unique 2-isogenies. [Figure: isogeny graph; legend: isomorphism class, 2-isogeny]
  • 58. Visualizing the Supersingular Isogeny Problem: consider finding an isogeny from Class A to Class B when ℓ = 2. [Figure: isogeny graph with nodes A and B marked; legend: isomorphism class, 2-isogeny]
  • 59. Visualizing the Supersingular Isogeny Problem: for large isogeny graphs (i.e., p is 512 bits or more), finding an isogeny path is HARD. [Figure: isogeny graph with nodes A and B marked; legend: isomorphism class, 2-isogeny]
  • 60–61. The SIDH protocol resembles standard Diffie-Hellman
    Diffie-Hellman (public g, p):
      Alice (secret A) sends g^A mod p; Bob (secret B) sends g^B mod p
      Alice computes (g^B)^A mod p; Bob computes (g^A)^B mod p
      g^{BA} mod p ≡ g^{AB} mod p
    Supersingular Isogeny Diffie-Hellman (public E0/F_{p^2}):
      Alice (secret φA): φA : E0 → EA = E0/⟨A⟩; Bob (secret φB): φB : E0 → EB = E0/⟨B⟩
      Alice: φA : EB → EBA = E0/⟨B, A⟩; Bob: φB : EA → EAB = E0/⟨A, B⟩
      j(EBA) mod p ≡ j(EAB) mod p
  • 62–66. SIDH Protocol
    Start: E0
    φA : E0 → EA = E0/⟨A⟩ = E0/⟨[mA]PA + [nA]QA⟩, together with {φA(PB), φA(QB)}
    φB : E0 → EB = E0/⟨B⟩ = E0/⟨[mB]PB + [nB]QB⟩, together with {φB(PA), φB(QA)}
    Second round (arrow labelled φB): EA/⟨[mA]φB(PA) + [nA]φB(QA)⟩
    Second round (arrow labelled φA): EB/⟨[mB]φA(PB) + [nB]φA(QB)⟩
    Both arrive at E0/⟨A, B⟩
  • 67. SIDH Computations
    Secret Kernel Generation
      • Inputs: supersingular elliptic curve E(F_{p^2}), torsion basis {P, Q}, private keys m, n
      • Compute R = [m]P + [n]Q
    Large-Degree Isogeny
      • Inputs: supersingular elliptic curve E, secret kernel point R
      • Compute φ : E → E/⟨R⟩ by iteratively computing isogenies
    [Figure: Breakdown of supersingular isogeny computations. Layers, bottom to top: F_p arithmetic and F_{p^2} arithmetic (multiplication, squaring, addition, inversion); group ops (point addition PA, point doubling PD); extended group ops (double point multiplication, large-degree isogeny computation); PQC protocols (SIDH isogeny evaluation and computation).]
  • 68. Visualizing the large-degree isogeny computation
    • Large-degree isogenies can be computed by iteratively computing small-degree isogenies
    • Set E0 = E and R0 = ker(φ)
    • Find kernel point ker(φi) = ⟨[ℓ^(e−i−1)]Ri⟩
    • Compute the i-th isogeny φi : Ei → Ei/⟨[ℓ^(e−i−1)]Ri⟩ = Ei+1
    • Push kernel point to new curve: Ri+1 = φi(Ri)
    [Figure labels: point multiplication by ℓ; evaluate isogeny; get ℓ-isogeny with Vélu's formulas]
  • 69–71. Creating an exposure model for SIDH
    • Exposure Model → assessing the security of a cryptosystem if certain pieces of information are divulged
    • Necessary to account for weak implementations or new attacks
    • Looking specifically at the large-degree isogeny
  • 72. Why might intermediate values be exposed?
    • Poor implementation
    • New attacks on large-degree isogeny
    • Cache prime and probe
    • Spectre and Meltdown
    • Intermediate values not cleared
    • Unexpected reset
    • etc. etc.
  • 73–81. What are the exposure classes?
    • CLASS 1: Intermediate curve is exposed
      • An attacker can now split the large-degree isogeny into two separate isogenies
      • Worst case scenario could cut the security assumption in half
    • CLASS 2: Intermediate kernel point is exposed
      • Some variant of the secret kernel point is leaked
      • If the corresponding curve can be found, then the remaining isogenies can be computed → this is very bad
    • CLASS 3: Intermediate basis point is exposed
      • If the corresponding curve is found, then the isogeny decisions are revealed
      • After the corresponding curve has been found, this situation resembles the intermediate curve scenario
  • 82. Visualization of an exposed kernel point
    • With an exposed kernel point (CLASS 2), an attacker can find the corresponding curve and compute the remaining isogenies that compose the secret isogeny
    [Figure (a), (b): point multiplication by ℓ; evaluate isogeny; get ℓ-isogeny with Vélu's formulas; leaked point and corresponding isomorphism class; hidden kernel point and base isomorphism class]
  • 83–87. An exposed kernel point is a disaster as it can be used to retrieve private keys
    General attack procedure for a point after k ℓ-isogenies and j point multiplications by ℓ. The intermediate kernel point is of the form S = φ_{k−1:0}([ℓ^j m]P + [ℓ^j n]Q) on curve Ek (CLASS 2). The original secret kernel point is of the form R = [m]P + [n]Q.
    1. Find the isogenous curve Ek to find the first k isogenies (difficulty O(ℓ^k))
    2. Push the torsion basis through the k isogenies: {φ_{k−1:0}(P), φ_{k−1:0}(Q)}
    3. Perform a generalized elliptic curve discrete log (simple for SIDH curves) → the result is k − j bits of the private key:
       φ_{k−1:0}([ℓ^j m]P + [ℓ^j n]Q) = φ_{k−1:0}([m′]P) + φ_{k−1:0}([n′]Q)
    4. Perform an exhaustive search on the point multiples ℓ^j for the rest of the key (difficulty O(ℓ^j))
       • The remaining secret key bits are some secret multiple of the point order: m ≡ x × m′ mod ℓ^j
  • 88–91. A random pre-isogeny isomorphism protects against all but an exposed curve
    • Vélu's formulas for isogenies are deterministic for a given kernel point and curve
    • An isomorphism moves from one curve to another within an isomorphism class
    • A random isomorphism will scale the curve
    • This scaling changes the output curves of isogenies and obfuscates any points that are exposed
  • 92–93. Visualization of a pre-isogeny isomorphism
    • The pre-isogeny isomorphism obfuscates any exposed points throughout the isogeny operation
    • Protects against CLASS 2 and CLASS 3 exposures
    [Figure: before isomorphism vs. after isomorphism]
  • 94–95. A pre-isogeny isomorphism is a computationally cheap countermeasure
    • For short Weierstrass curves, this requires a random number and several field operations
    • Major cost is generating random numbers
    Table: Cost of Pre-isogeny Isomorphism
      Protocol                                                   r   δ   I   M    S
      SIDH Round 1                                               1   0   1   9    3
      SIDH Round 2                                               1   0   1   5    3
      SIDH Indirect Key Validation (Kirkwood et al. validation)  1   4   1   15   5
    • Let r be the cost to generate a random number, I be a finite-field inversion, M be a finite-field multiplication, S be a finite-field squaring, and δ be a finite-field comparison
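As an added worked example (not the talk's own code, and on a constructed toy curve rather than SIDH parameters), the following Python shows why the countermeasure of slides 88–95 works: Vélu's 2-isogeny formulas are deterministic, but a random isomorphism u scales the curve and every intermediate point, so a leaked kernel or image point differs from run to run while the j-invariant of the codomain, the value SIDH actually shares, is unchanged. The prime p = 101, the curve y² = x³ − 2x − 4 with 2-torsion point (2, 0), the sample point (3, 44) and all function names are constructed assumptions; the formulas apply to any short Weierstrass curve with a rational 2-torsion kernel.

```python
import secrets

P_MOD = 101  # constructed toy prime; real SIDH primes are hundreds of bits


def inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def j_invariant(a, b):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2); identifies the isomorphism class."""
    num = 4 * a**3
    return (1728 * num * inv(num + 27 * b**2)) % P_MOD


def velu_2_isogeny(a, b, x0, pt):
    """Velu's formulas for the 2-isogeny with kernel {O, (x0, 0)} on
    y^2 = x^3 + ax + b. Returns the codomain (a', b') and the image of pt.
    The map is deterministic: same curve and kernel point -> same output."""
    t = (3 * x0 * x0 + a) % P_MOD
    w = (x0 * t) % P_MOD
    a2, b2 = (a - 5 * t) % P_MOD, (b - 7 * w) % P_MOD
    x, y = pt
    d = inv(x - x0)
    return (a2, b2), ((x + t * d) % P_MOD, (y * (1 - t * d * d)) % P_MOD)


def scale(a, b, u, *pts):
    """Isomorphism (x, y) -> (u^2 x, u^3 y) onto y^2 = x^3 + u^4 a x + u^6 b."""
    a_u, b_u = (pow(u, 4, P_MOD) * a) % P_MOD, (pow(u, 6, P_MOD) * b) % P_MOD
    pts_u = [((u * u * x) % P_MOD, (u**3 * y) % P_MOD) for x, y in pts]
    return (a_u, b_u), pts_u


def protected_isogeny(a, b, x0, pt, u=None):
    """Countermeasure: apply a fresh random isomorphism before the isogeny.
    The intermediate curve and every intermediate point are now scaled by
    a secret u, so a leaked point is useless without u, while the
    j-invariant of the output (the shared SIDH value) is unchanged."""
    if u is None:
        u = 1 + secrets.randbelow(P_MOD - 1)  # u in F_p^*
    (a_u, b_u), [(x0_u, _), pt_u] = scale(a, b, u, (x0, 0), pt)
    return velu_2_isogeny(a_u, b_u, x0_u, pt_u)


if __name__ == "__main__":
    A, B, X0, PT = -2 % P_MOD, -4 % P_MOD, 2, (3, 44)
    print("unprotected:", velu_2_isogeny(A, B, X0, PT))  # same every run
    for _ in range(2):
        print("protected:  ", protected_isogeny(A, B, X0, PT))  # differs per run
```

Run twice, the unprotected call always yields the same intermediate point, whereas each protected call yields a different curve and point with the same j-invariant.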
  • 96–101. Conclusion
    • SIDH/SIKE are up and coming candidates for PQC standardization
    • These primitives feature the smallest known public key sizes for quantum-resistant PKC
    • We created an exposure model for the large-degree isogeny computation
    • We showed that an exposed intermediate kernel point (CLASS 2) can reveal a party's private key
    • We proposed a pre-isogeny isomorphism as a cheap countermeasure to protect against exposing intermediate points in the future
    • Thank you very much for your attention. Questions?