
Cryptographic Schemes Based on Isogenies

Anton Stolbunov

Trondheim, January 23, 2012

www.ntnu.no Anton Stolbunov, Cryptographic Schemes Based on Isogenies

2 / 22

Outline

[Ch. 1] Introduction

[Ch. 2] Constructing Cryptographic Schemes Based on Isogenies

[Ch. 3] Security Reductions for Schemes Based on Group Action

[Ch. 4] Improved Algorithm for the Isogeny Problem


3 / 22

Motivation for Research

— security of current asymmetric cryptographic schemes is decreasing (index calculus algorithms, Shor's algorithm, etc.);

— cryptographic schemes based on new hard computational problems are needed;

— elliptic curves and imaginary quadratic fields are well studied and good algorithms are available.


4 / 22

Research Questions

1. How can isogenies between ordinary elliptic curves be used for building cryptographic schemes? Which schemes can be built? What is the efficiency of such schemes?

2. On which computational problems does the security of the proposed schemes depend?

3. What is the computational complexity of these problems?


5 / 22

Related Work: Cryptographic Schemes Based on Isogenies

[Teske 2003] key escrow system;
[Rostovtsev et al. 2004] ordered digital signature scheme;
[Rostovtsev, Stolbunov 2006] public-key encryption scheme;
[Couveignes 2006] key agreement, authentication and Σ-protocols;
[Charles et al. 2009] hash using supersingular-curve isogenies;
[Weiwei, Debiao 2010], [Debiao et al. 2011] authenticated key agreement protocols;
[Jao, De Feo 2011] key agreement and public-key encryption using supersingular-curve isogenies.


6 / 22

Elliptic Curves

Let $F$ be a field, $\operatorname{char}(F) \neq 2, 3$. An elliptic curve $E/F$ is a non-singular algebraic curve defined by

$$Y^2 = X^3 + aX + b,$$

where $a$ and $b$ lie in $F$.

Let $L \supseteq F$ be an extension field. $E(L) := \{\text{points over } L\} \cup \{P_\infty\}$ is called the group of points of $E$ over $L$.

$$j(E) := 1728\,\frac{4a^3}{4a^3 + 27b^2}$$ is the $j$-invariant.

Example: $E(\mathbb{F}_{47}) : Y^2 = X^3 + X + 5$.


7 / 22

Isogenies

An isogeny $\varphi$ from $E_1$ to $E_2$ is a (nonconstant) homomorphism

$$\varphi : E_1(F) \to E_2(F)$$

that is given by rational functions.

Example (cont.): $E_1/\mathbb{F}_{47} : Y^2 = X^3 + X + 5$, $j(E_1) = 27$; $E_2/\mathbb{F}_{47} : Y^2 = X^3 + 32X + 19$, $j(E_2) = 24$.

$$\varphi : E_1 \to E_2,\qquad (X, Y) \mapsto \left( \frac{X^2 - 17X + 22}{X - 17},\ \frac{X^2 + 13X - 15}{X^2 + 13X + 7}\, Y \right).$$

$\ker(\varphi) = \{(17, 0), P_\infty\}$, $\deg(\varphi) = 2$.
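Everything on this slide can be checked by direct arithmetic modulo 47. The script below is an added worked example, not code from the slides or from the ClassEll package; it takes only the data stated above (the two curves, the rational map φ and its claimed kernel) and verifies the j-invariants, the point counts, that φ sends every point of E1 onto E2 with exactly {(17,0), P∞} as kernel, and that φ is a group homomorphism. Brute-force point enumeration and chord-and-tangent addition are this example's own helpers; they are fine for p = 47 and are not how a real implementation computes isogenies.

```python
# Added example: checking the slide data for E1, E2 and the degree-2
# isogeny phi over F_47 by direct computation (not ClassEll code).
p = 47                 # the prime from the slides
E1 = (1, 5)            # Y^2 = X^3 + X + 5     as (a, b)
E2 = (32, 19)          # Y^2 = X^3 + 32X + 19
X0 = 17                # x-coordinate of the non-trivial kernel point (17, 0)


def inv(a):
    """Inverse modulo the prime p (raises ValueError on a multiple of p)."""
    return pow(a % p, -1, p)


def on_curve(curve, P):
    """True if P = (x, y) satisfies Y^2 = X^3 + aX + b; P_inf (None) always is."""
    if P is None:
        return True
    a, b = curve
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def j_invariant(curve):
    """j(E) = 1728 * 4a^3 / (4a^3 + 27b^2), the formula from the slides."""
    a, b = curve
    four_a3 = 4 * pow(a, 3, p) % p
    return 1728 * four_a3 * inv(four_a3 + 27 * b * b) % p


def points(curve):
    """All F_p-rational points, P_inf included (brute force, fine for p = 47)."""
    a, b = curve
    pts = [None]
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        pts += [(x, y) for y in range(p) if y * y % p == rhs]
    return pts


def add(curve, P, Q):
    """Chord-and-tangent addition on Y^2 = X^3 + aX + b (affine, with None = P_inf)."""
    if P is None:
        return Q
    if Q is None:
        return P
    a, _ = curve
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                              # P + (-P) = P_inf
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def phi(P):
    """The isogeny from the slide:
    (X, Y) -> ((X^2 - 17X + 22)/(X - 17), (X^2 + 13X - 15)/(X^2 + 13X + 7) * Y).
    Both denominators vanish exactly at X = 17 (note (X-17)^2 = X^2+13X+7 mod 47),
    so the kernel point (17, 0) is sent to P_inf."""
    if P is None or P[0] == X0:
        return None
    x, y = P
    X = (x * x - 17 * x + 22) * inv(x - 17) % p
    Y = (x * x + 13 * x - 15) * inv(x * x + 13 * x + 7) * y % p
    return (X, Y)


def kernel():
    """Points of E1 that phi sends to P_inf; the slide says {(17, 0), P_inf}."""
    return [P for P in points(E1) if phi(P) is None]


def maps_into_E2():
    """Every point of E1 lands on E2."""
    return all(on_curve(E2, phi(P)) for P in points(E1))


def is_homomorphism():
    """phi(P + Q) == phi(P) + phi(Q) for all 42 x 42 pairs of E1-points."""
    pts = points(E1)
    return all(phi(add(E1, P, Q)) == add(E2, phi(P), phi(Q)) for P in pts for Q in pts)


if __name__ == "__main__":
    print("j(E1) =", j_invariant(E1), " j(E2) =", j_invariant(E2))
    print("#E1(F47) =", len(points(E1)), " #E2(F47) =", len(points(E2)))
    print("ker(phi) =", kernel())
    print("phi maps E1 into E2:", maps_into_E2(), " homomorphism:", is_homomorphism())
```

Both curves have 42 points, as an isogeny requires (isogenous curves over F_q have the same number of points, which is also the hypothesis of the Isogeny Problem later in the talk), and the orbit of j = 27 visited by the class group action in the next slides is exactly the set of j-invariants of such curves.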


8 / 22

Class Group Action on j-Invariants in $\mathbb{C}$

Let $K$ be an imaginary quadratic field and $O_K$ its ring of integers. $CL(O_K) = \{[\mathfrak{a}_1], \ldots, [\mathfrak{a}_h]\}$ is the ideal class group of $O_K$. $\mathrm{ELL}_\sigma(O_K) := \{j(\mathfrak{a}_1), \ldots, j(\mathfrak{a}_h)\}$ is the set of $j$-invariants of the fractional ideals of $O_K$ for a fixed embedding $\sigma$ of $K$ in $\mathbb{C}$. The action $*$ of $CL(O_K)$ on $\mathrm{ELL}_\sigma(O_K)$ is defined as

$$* : CL(O_K) \times \mathrm{ELL}_\sigma(O_K) \to \mathrm{ELL}_\sigma(O_K),\qquad ([\mathfrak{a}], j(\mathfrak{b})) \mapsto j(\mathfrak{a}^{-1}\mathfrak{b}).$$

$H = K(j(O_K))$ is the Hilbert class field of $K$. All $j(\mathfrak{a}_i)$ lie in $O_H$. Let $\mathfrak{p}$ be a prime ideal of $O_H$ above a prime $p$ that splits completely in $O_H$. Reduction modulo $\mathfrak{p}$ maps the elements $j(\mathfrak{a}_i)$ to $j$-invariants of ordinary elliptic curves over $O_H/\mathfrak{p} \cong \mathbb{F}_p$.


9 / 22

Class Group Action on a Set of Isogenous Ordinary Elliptic Curves

$\mathrm{ELL}_{p,n}(O_K) := \{ j(E/\mathbb{F}_p) : \#E(\mathbb{F}_p) = n,\ \operatorname{End}(E) \cong O_K \}$. The group $CL(O_K)$ acts simply transitively on the set $\mathrm{ELL}_{p,n}(O_K)$.

Example (cont.): $E : Y^2 = X^3 + X + 5$ over $\mathbb{F}_{47}$, $j(E) = 27$, $\operatorname{End}_{\mathbb{F}_{47}}(E) \cong O_{-152}$.

CL(O_{-152})            Permutations on ELL_{47,42}(O_{-152})
g   = [(3, 2, ·)]       (27 12 15 24 41 19)
g^2 = [(6, 4, ·)]       (27 15 41)(19 12 24)
g^3 = [(2, 0, ·)]       (27 24)(19 15)(41 12)
g^4 = [(6, −4, ·)]      (27 41 15)(19 24 12)
g^5 = [(3, −2, ·)]      (27 19 41 24 15 12)
g^6 = [(1, 0, ·)]       (27)(19)(41)(24)(15)(12)

(Figure: the isogeny graph on the six j-invariants 27, 12, 19, 15, 41, 24, with edges given by the class group action.)


CONSTRUCTING CRYPTOGRAPHIC SCHEMES BASED ON ISOGENIES (Chapter 2)


11 / 22

Key Agreement Protocol KA1

System parameters: a finite abelian group $G$ acting by $*$ on a set $X$; an element $x \in X$.

The protocol (simplified)

A                                   B
Input: −                            Input: −
a ←R G                              b ←R G
m_A ← a ∗ x                         m_B ← b ∗ x
               m_A  →
               ←  m_B
k_A ← a ∗ m_B                       k_B ← b ∗ m_A
Output: k_A                         Output: k_B

(Diagram: $x \xrightarrow{a} m_A \xrightarrow{b} k$ and $x \xrightarrow{b} m_B \xrightarrow{a} k$; both paths reach the same $k$.)


12 / 22

More Schemes Based on Group Action

— public-key encryption scheme PE;
— authenticated key agreement protocols;
— digital signature scheme;
— secret-key encryption scheme;
— no-key secret message transfer protocol;
— commitment scheme.


13 / 22

Proposed Implementation Details for Schemes Based on Isogenies

— system parameter generation algorithm;
— representation of elements of $CL(O_K)$;
— efficient implementation of class group action on $\mathrm{ELL}_{p,n}(O_K)$. One action is $O(\log(p)^{5.3})$ bit operations;
— random sampling from the class group;
— pseudo-random sampling from a large class group.


14 / 22

Practical Implementation

Created an open-source package ClassEll for PARI/GP.

Average serial running time of one class group action

Security (bits)   ⌈log p⌉ (bits)   Time (seconds)
      75               224               19
      80               244               21
      96               304               56
     112               364               90
     128               428              229

Timings for Intel Core i7 920 @ 3.6 GHz.


SECURITY REDUCTIONS FOR SCHEMES BASED ON GROUP ACTION (Chapter 3)


16 / 22

Computational Problems

An abelian group $G$ acts by $*$ on a set $X$.

Problem (Group Action Inverse (GAIP)): Given $x, y \in G * x$, find $g$ such that $g * x = y$.

(Diagram: $x \xrightarrow{?} y$.)

Problem (Decisional Diffie-Hellman Group Action (DDHAP)): Given $x, y, z, r \in G * x$, decide whether $r = (ab) * x$ for some $a$ and $b$ satisfying $y = a * x$ and $z = b * x$.

(Diagram: $x \xrightarrow{a} y \xrightarrow{b} k$ and $x \xrightarrow{b} z \xrightarrow{a} k$; is $r = k$?)

Reducibility of Problems: can solve GAIP ⟹ can solve DDHAP.
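The following added Python example (not code from the slides or from ClassEll) makes the group-action abstraction of KA1 and of GAIP/DDHAP concrete on the class group example from Chapter 2: $G = CL(O_{-152})$, cyclic of order 6 and generated by $g = [(3, 2, \cdot)]$, acting on $X = \mathrm{ELL}_{47,42}(O_{-152}) = \{27, 12, 15, 24, 41, 19\}$ as the 6-cycle listed in the slide table. It reproduces the permutation table for $g^k$, runs KA1 between A and B, and implements the reduction "can solve GAIP ⟹ can solve DDHAP" literally: a GAIP solver recovers $a$ from $(x, y)$ and then tests $r = a * z$. All function names and the brute-force GAIP solver are this example's own construction; with only six group elements every problem is trivial, which is exactly why real parameters use class groups far too large to enumerate.

```python
# Added example (not from the slides or ClassEll): CL(O_-152) acting on
# ELL_{47,42}(O_-152) as on the slide table, used for KA1 and GAIP => DDHAP.
import secrets

# The six j-invariants in the order of the 6-cycle of g = [(3, 2, .)]:
# g sends 27 -> 12 -> 15 -> 24 -> 41 -> 19 -> 27.
CYCLE = [27, 12, 15, 24, 41, 19]
ORDER = len(CYCLE)          # h(-152) = 6; the group is cyclic, generated by g


def act(k, j):
    """g^k * j: apply the generator k times (k is an integer, taken mod 6)."""
    return CYCLE[(CYCLE.index(j) + k) % ORDER]


def permutation(k):
    """The permutation that g^k induces on the set, as a dict j -> g^k * j."""
    return {j: act(k, j) for j in CYCLE}


def cycles(perm):
    """Disjoint-cycle decomposition, to compare with the slide table."""
    seen, out = set(), []
    for start in CYCLE:
        if start in seen:
            continue
        cyc, j = [], start
        while j not in seen:
            seen.add(j)
            cyc.append(j)
            j = perm[j]
        out.append(tuple(cyc))
    return out


def ka1(x, a=None, b=None):
    """KA1 from the slides: A and B sample a, b from G, exchange m_A = a * x and
    m_B = b * x, and both obtain k = a * (b * x) = b * (a * x) because G is abelian.
    Returns (m_A, m_B, k); pass a and b explicitly for a reproducible run."""
    a = secrets.randbelow(ORDER) if a is None else a
    b = secrets.randbelow(ORDER) if b is None else b
    mA, mB = act(a, x), act(b, x)        # the two messages on the wire
    kA, kB = act(a, mB), act(b, mA)      # each side applies its own secret
    assert kA == kB
    return mA, mB, kA


def solve_gaip(x, y):
    """GAIP: find k with g^k * x = y. Brute force over the 6 group elements;
    at cryptographic sizes this search is the hard problem the schemes rely on."""
    for k in range(ORDER):
        if act(k, x) == y:
            return k
    raise ValueError("y is not in the orbit of x")


def decide_ddhap(x, y, z, r):
    """DDHAP via a GAIP oracle (the reduction on the slide):
    recover a from (x, y); then r = (ab) * x holds iff r == a * z."""
    a = solve_gaip(x, y)
    return act(a, z) == r


if __name__ == "__main__":
    for k in range(1, ORDER + 1):
        print(f"g^{k}:", cycles(permutation(k)))
    mA, mB, k = ka1(27)
    print("KA1 messages:", mA, mB, " shared key:", k)
    print("DDHAP (27, 15, 24, 19):", decide_ddhap(27, 15, 24, 19))
    print("DDHAP (27, 15, 24, 41):", decide_ddhap(27, 15, 24, 41))
```

The reduction direction matters for the security theorems on the next slide: they assume DDHAP is hard, which is the stronger assumption, since anyone who can solve GAIP (recover the secret class group element from a public message) can also decide DDHAP, but not conversely.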


17 / 22

Security Reductions

Theorem. If the DDHAP is hard, then the KA1 protocol is secure in the session-key authenticated-link model of Canetti and Krawczyk.

Theorem. If the DDHAP is hard and the hash function family is entropy smoothing, then the PE encryption scheme is IND-CPA secure (indistinguishability of encryptions in the chosen-plaintext attack).


IMPROVED ALGORITHM FOR THE ISOGENY PROBLEM (Chapter 4)

Co-authored with Steven Galbraith


19 / 22

The Isogeny Problem

Problem (Isogeny Problem for Ordinary Elliptic Curves): Let $E_1/\mathbb{F}_q$ and $E_2/\mathbb{F}_q$ be ordinary elliptic curves satisfying $\#E_1(\mathbb{F}_q) = \#E_2(\mathbb{F}_q)$. Compute an $\mathbb{F}_q$-isogeny $\varphi : E_1 \to E_2$.

Can solve IP with "comparable conductors" ⟺ can solve CL-GAIP.

Exponential-Time Classical Algorithms

[Galbraith 1999] uses an $O(\sqrt{\#\mathrm{ELL}})$ database of elliptic curves; [Galbraith, Hess and Smart (GHS) 2002] use the parallel collision search algorithm. We improve the GHS algorithm.

Subexponential-Time Quantum Algorithm

[Childs, Jao and Soukharev 2010] use algorithms for the hidden shift problem.

20 / 22

Proposed GHS Improvement

Our idea: modify the random walk on the isogeny graph such that lower-degree (i.e. faster) isogenies are used more often.

Results

— provided formulae for the expected running time of the parallel collision search with uneven partitioning, and its variance;

— experimentally measured the average running time for various partitionings with ±0.1 % precision and 99.7 % confidence;

— results apply to generic adding walks with uneven partitioning;

— gave recommendations on frequencies of isogeny degrees;

— asymptotic complexity of isogeny search is $O\!\left(q^{1/4 + o(1)} \log^2(q) \log(\log(q))\right)$ operations in $\mathbb{F}_q$.


21 / 22

Quantified Improvement over GHS

Expected time of an isogeny search over a 160-bit prime field using ClassEll on a single-core 2.67 GHz CPU, in years.

                      geometric progression ratio of partitioning
# partitions       1      3/4      1/2      1/3      1/4
  4             8708     6940     5429     4727     4690
  5             6455     4495     2758     1925     1652
  6             5514     3396     1755     1130      988
  7             5068     2827     1334      904      858
  8             4891     2530     1154      847      848
  9             4930     2415     1093      842      856
 10             5549     2548     1110      858      870
 12             7409     2915     1157      891      903
 14             9519     3255     1205      923      932
 16            12200     3541     1242      949      955

Approximately 14× improvement over the GHS algorithm!

22 / 22

Conclusions

— many cryptographic schemes can be implemented using ordinary-curve isogenies;

— cryptographic operations are polynomial-time, but slower than contemporary alternatives;

— exponential complexity of the isogeny problem in the pre-quantum world. Short keys and low bandwidth usage.
