Practical post-quantum key exchange from supersingular ...
Transcript of Practical post-quantum key exchange from supersingular ...
Craig Costello
Practical post-quantum key exchange from supersingular isogenies
Invited talk at SPACE 2016December 18, 2016
CRRao AIMSCS, Hyderabad, India
https://www.microsoft.com/en-us/research/project/sidh-library/SIDH library (v2.0 coming soon)
Full version of Cryptoโ16 paper(joint with P. Longa and M. Naehrig)
http://eprint.iacr.org/2016/413
Full version of compression paper(joint with D. Jao, P. Longa, M. Naehrig, D. Urbanik, J. Renes)
http://eprint.iacr.org/2016/963
Diffie-Hellman key exchange (circa 1976)
๐ =685408003627063761059275919665781694368639459527871881531452
๐ = 123456789
๐ = 1606938044258990275541962092341162602522202993782792835301301
๐ =362059131912941987637880257325269696682836735524942246807440
๐๐ mod ๐ = 78467374529422653579754596319852702575499692980085777948593
๐๐๐ mod ๐ = 437452857085801785219961443000845969831329749878767465041215
560048104293218128667441021342483133802626271394299410128798 = ๐๐ mod ๐
Diffie-Hellman key exchange (circa 2016)
๐ = 123456789
๐ =5809605995369958062859502533304574370686975176362895236661486152287203730997110225737336044533118407251326157754980517443990529594540047121662885672187032401032111639706440498844049850989051627200244765807041812394729680540024104827976584369381522292361208779044769892743225751738076979568811309579125511333093243519553784816306381580161860200247492568448150242515304449577187604136428738580990172551573934146255830366405915000869643732053218566832545291107903722831634138599586406690325959725187447169059540805012310209639011750748760017095360734234945757416272994856013308616958529958304677637019181594088528345061285863898271763457294883546638879554311615446446330199254382340016292057090751175533888161918987295591531536698701292267685465517437915790823154844634780260102891718032495396075041899485513811126977307478969074857043710
716150121315922024556759241239013152919710956468406379442914941614357107914462567329693649
๐๐๐ =330166919524192149323761733598426244691224199958894654036331526394350099088627302979833339501183059198113987880066739419999231378970715307039317876258453876701124543849520979430233302777503265010724513551209279573183234934359636696506968325769489511028943698821518689496597758218540767517885836464160289471651364552490713961456608536013301649753975875610659655755567474438180357958360226708742348175045563437075840969230826767034061119437657466993989389348289599600338950372251336932673571743428823026014699232071116171392219599691096846714133643382745709376112500514300983651201961186613464267685926563624589817259637248558104903657371981684417053993082671827345252841433337325420088380059232089174946086536664984836041334031650438692639106287627157575758383128971053401037407031731509582807639509448704617983930135028
7596589383292751993079161318839043121329118930009948197899907586986108953591420279426874779423560221038468
๐ =7147687166405; 9571879053605547396582692405186145916522354912615715297097100679170037904924330116019497881089087696131592831386326210951294944584400497488929803858493191812844757232102398716043906200617764831887545755623377085391250529236463183321912173214641346558452549172283787727566955898452199622029450892269665074265269127802446416400\90259271040043389582611419862375878988193612187945591802864062679\86483957813927304368495559776413009721221824915810964579376354556\65546298837778595680891578821511273574220422646379170599917677567\30420698422392494816906777896174923072071297603455802621072109220\54662739697748553543758990879608882627763290293452560094576029847\39136138876755438662247926529997805988647241453046219452761811989\97464772529088780604931795419514638292288904557780459294373052654\10485180264002079415193983851143425084273119820368274789460587100\30497747706924427898968991057212096357725203480402449913844583448
๐ =655456209464694; 93360682685816031704969423104727624468251177438749706128879957701\93698826859762790479113062308975863428283798589097017957365590672\8357138638957122466760949930089855480244640303954430074800250796203638661931522988606354100532244846391589798641210273772558373965\48653931285483865070903191974204864923589439190352993032676961005\08840431979272991603892747747094094858192679116146502863521484987\08623286193422239171712154568612530067276018808591500424849476686\706784051068715397706852664532638332403983747338379697022624261377163163204493828299206039808703403575100467337085017748387148822224875309641791879395483731754620034884930540399950519191679471224\05558557093219350747155777569598163700850920394705281936392411084\43600686183528465724969562186437214972625833222544865996160464558\54629937016589470425264445624157899586972652935647856967092689604\42796501209877036845001246792761563917639959736383038665362727158
1974966481832271932862620186142505559719097997625337606540081479948757754456670542185781051331382174972068905995549284294506678994768546685955940340934936375624510789382969603134886961788481424913516872530546022029662470461057707715772483216821171742461283211956785376315202786494034647973536919967369935770926871783856022988735589541210564305228996197614537270822178234757462238037900142350513967990494465082246618501681499574014746384567166244019067013944724470150525694177463721850933025357393837919800705723814217290296516393042343612687649717077634843006689239728687091216655686698309786578047401579166115635085698868474877726766712073860961529476071145597063402090591037030181826355218987380945462945580355697525966763466146993277420884712557411847558661178122098955149524361601993365326052422101474898256696660124195726100495725510022002932814218768060112310763455404567248761396399633344901857872119208518550803791724
๐๐
(mod q)=
4116046620695933066832285256534418724107779992205720799935743972371563687620383783327424719396665449687938178193214952698336131699379861648113207956169499574005182063853102924755292845506262471329301240277031401312209687711427883948465928161110782751969552580451787052540164697735099369253619948958941630655511051619296131392197821987575429848264658934577688889155615145050480918561594129775760490735632255728098809700583965017196658531101013084326474277865655251213287725871678420376241901439097879386658420056919119973967264551107584485525537442884643379065403121253975718031032782719790076818413945341143157261205957499938963479817893107541948645774359056731729700335965844452066712238743995765602919548561681262366573815194145929420370183512324404671912281455859090458612780918001663308764073238447199488070126873048860279221761629281961046255219584327714817248626243962413613075956770018017385724999495117779149416882188
=๐๐
(mod q)
ECDH key exchange (1999 โ nowish)
๐ = (48439561293906451759052585252797914202762949526041747995844080717082404635286,36134250956749795798585127919587881956611106672985015071877198253568414405109)
๐ = 2256 โ 2224 + 2192 + 296 โ 1๐ = 115792089210356248762697446949407573530086143415290314195533631308867097853951
๐ =891306445912460335776397706414628550231450284928352556031837219223173
24614395
๐ธ/๐ ๐: ๐ฆ2 = ๐ฅ3 โ3๐ฅ +๐
๐ =100955574639327864188069383161907080327719109190584053916797810821934
05190826
[a]๐ = (84116208261315898167593067868200525612344221886333785331584793435449501658416,102885655542185598026739250172885300109680266058548048621945393128043427650740)
[b]๐ = (101228882920057626679704131545407930245895491542090988999577542687271695288383,77887418190304022994116595034556257760807185615679689372138134363978498341594)
[ab]๐ = (101228882920057626679704131545407930245895491542090988999577542687271695288383,77887418190304022994116595034556257760807185615679689372138134363978498341594)
#๐ธ = 115792089210356248762697446949407573529996955224135760342422259061068512044369
โข Large-scale quantum computers break RSA, finite fields, elliptic curves
โข Aug 2015: NSA announces plans to transition to quantum-resistant algorithms
โข Yesterday: NIST published final call โ Nov 30, 2017 deadlinehttp://csrc.nist.gov/groups/ST/post-quantum-crypto/
Forthcoming post-quantum standardsโฆ
Current confidence may be smaller, but so are current key sizes!
Popular post-quantum public key primitives
โข Lattice-based (e.g., NTRUโ98, LWEโ05)
โข Code-based (e.g., McElieceโ78)
โข Hash-based (e.g., Merkle treesโ79)
โข Multivariate-based (e.g., HFEv-โ96)
โข Isogeny-based (Jao and De Feo SIDHโ11)
SIDH: history
โข 1999: Couveignes gives talk โHard homogenous spacesโ (eprint.iacr.org/2006/291)
โข 2006 (OIDH): Rostovsev and Stolbunov propose ordinary isogeny DH
โข 2010 (OIDH break): Childs-Jao-Soukharev give quantum subexponential alg.
โข 2011 (SIDH): Jao and De Feo fix by choosing supersingular curves
Crucial difference: supersingular (i.e., non-ordinary) endomorphism ring
is not commutative (resists above attack)
โข Recall that every elliptic curve ๐ธ over a field ๐พ with char ๐พ > 3 can be defined by
๐ธ โถ ๐ฆ2 = ๐ฅ3 + ๐๐ฅ + ๐,
where ๐, ๐ โ ๐พ, 4๐3 + 27๐2 โ 0
โข For any extension ๐พโฒ/๐พ, the set of ๐พโฒ-rational points forms a group with identity
โข The ๐-invariant ๐ ๐ธ = ๐ ๐, ๐ = 1728 โ 4๐3
4๐3+27๐2determines isomorphism
class over เดฅ๐พ
โข E.g., ๐ธโฒ: ๐ฆ2 = ๐ฅ3 + ๐๐ข2๐ฅ + ๐๐ข3 is isomorphic to ๐ธ for all ๐ข โ ๐พโ
โข Recover a curve from ๐: e.g., set ๐ = โ3๐ and ๐ = 2๐ with ๐ = ๐/(๐ โ 1728)
Elliptic Curves and ๐-invariants
Isogenies
โข Isogeny: morphism (rational map)๐ โถ ๐ธ1 โ ๐ธ2that preserves identity, i.e. ๐ โ1 = โ2
โข Degree of (separable) isogeny is number of elements in kernel, same as its degree as a rational map
โข Given finite subgroup ๐บ โ ๐ธ1, there is a unique curve ๐ธ2 and isogeny ๐ โถ ๐ธ1 โ ๐ธ2 (up to isomorphism) having kernel ๐บ. Write ๐ธ2 = ๐(๐ธ1) = ๐ธ1/โจ๐บโฉ.
โข The multiplication-by-๐ map: ๐ โถ ๐ธ โ ๐ธ, ๐ โฆ ๐ ๐
โข The ๐-torsion subgroup is the kernel of ๐๐ธ ๐ = ๐ โ ๐ธ เดฅ๐พ โถ ๐ ๐ = โ
โข Found as the roots of the ๐๐กโ division polynomial ๐๐
โข If char ๐พ doesnโt divide ๐, then ๐ธ ๐ โ โค๐ ร โค๐
Torsion subgroups
Recall example from tutorial: ๐ธ/๐ฝ11: ๐ฆ2= ๐ฅ3 + 4๐2
๐4
๐1
๐3
๐ธ2/๐ฝ11: ๐ฆ2= ๐ฅ3 + 5๐ฅ
๐ธ4/๐ฝ112: ๐ฆ2= ๐ฅ3 + (4๐ + 3)๐ฅ
๐ธ1/๐ฝ11: ๐ฆ2= ๐ฅ3 + 2
๐ธ3/๐ฝ112: ๐ฆ2= ๐ฅ3 + 7๐ + 3 ๐ฅ
โข Observe ๐ธ 3 โ โค3 ร โค3 , i.e., 4 cyclic subgroups of order 3 (2-dimensional)โข Veluโs formulas: given ๐ธ and subgroup ๐บ โ ๐ธ, outputs ๐ธโฒ = ๐(๐ธ) and ๐(๐ธ)
โข SIDH works in set ๐๐2 of supersingular curves (up to โ ) over a fixed field
โข Theorem: #๐๐2 =๐
12+ ๐, ๐ โ {0,1,2}
โข Thm (Tate): ๐ธ1 and ๐ธ2 isogenous if and only if #๐ธ1 = #๐ธ2โข Thm (Mestre): all supersingular curves over ๐ฝ๐2 in same isogeny class
โข Fact (see prev. e.g.): for every prime โ not dividing ๐, there existsโ + 1 isogenies of degree โ originating from any supersingular curve
The supersingular isogeny graph
Upshot: immediately leads to (โ + 1) directed regular graph ๐(๐๐2 , โ)
Supersingular isogeny graph for โ = 2: ๐(๐2412, 2)
Recall (from tutorials) that
supersingular isogeny graphs
are Ramanujan: rapid mixing!
Credit to Fre Vercauteren for example and pictureโฆ
Supersingular isogeny graph for โ = 3: ๐(๐2412, 3)
Recall (from tutorials) that
supersingular isogeny graphs
are Ramanujan: rapid mixing!
Credit to Fre Vercauteren for example and pictureโฆ
DH ECDH SIDH
elements integers ๐ modulo
prime
points ๐ in curve
group
curves ๐ธ in isogeny
class
secrets exponents ๐ฅ scalars ๐ isogenies ๐
computations ๐, ๐ฅ โฆ ๐๐ฅ ๐, ๐ โฆ ๐ ๐ ๐, ๐ธ โฆ ๐(๐ธ)
hard problem given ๐, ๐๐ฅ
find ๐ฅgiven ๐, ๐ ๐
find ๐given ๐ธ,๐(๐ธ)
find ๐
Analogues between Diffie-Hellman instantiations
๐ธ0 ๐ธ๐ด = ๐ธ0/โจ๐ดโฉ
๐ธ0/โจ๐ตโฉ = ๐ธ๐ต ๐ธ๐ด๐ต = ๐ธ0/โจ๐ด, ๐ตโฉ
๐๐ด
๐๐ต
๐๐ดโฒ
๐๐ตโฒ
params public privateSIDH in a nutshell:
e.g., Alice computes 2-isogenies, Bob computes 3-isogenies
๐ธ0 ๐ธ๐ด = ๐ธ0/โจ๐๐ด + ๐ ๐ด ๐๐ดโฉ
๐ธ0/โจ๐๐ต + ๐ ๐ต ๐๐ตโฉ = ๐ธ๐ต ๐ธ๐ด๐ต = ๐ธ0/โจ๐ด, ๐ตโฉ
๐๐ด
๐๐ต
๐๐ดโฒ
๐๐ตโฒ
(๐๐ต(๐๐ด), ๐๐ต(๐๐ด)) = (๐ ๐ต , ๐๐ต)
(๐ ๐ด, ๐๐ด) = (๐๐ด(๐๐ต), ๐๐ด(๐๐ต))
๐ธ๐ด/โจ๐ ๐ด + ๐ ๐ต ๐๐ดโฉ โ ๐ธ0/โจ๐๐ด + ๐ ๐ด ๐๐ด , ๐๐ต + ๐ ๐ต ๐๐ตโฉ โ ๐ธ๐ต/โจ๐ ๐ต + ๐ ๐ด ๐๐ตโฉ
Jao & De Feoโs key: Alice sends her isogeny evaluated at Bobโs generators, vice versa
params public privateSIDH in a nutshell:
SIDH shared secret is the ๐-invariant of ๐ธ๐ด๐ต
Non-commutativity
resolved by
sending points in
public keys
SIDH: security
โข Setting: supersingular elliptic curves ๐ธ/๐ฝ๐2 where ๐ is a large prime
โข Hard problem: Given ๐, ๐ โ ๐ธ and ๐ ๐ ,๐ ๐ โ ๐(๐ธ), compute ๐(where ๐ has fixed, smooth, public degree)
โข Best (known) attacks: classical ๐(๐1/4) and quantum ๐(๐1/6)
โข Confidence: above complexities are optimal for (above generic) claw attack
Motivation
Can we actually securely deploy SIDH?
๐ = 23723239 โ 1
Parameters
๐ โ 2768 gives โ 192 bits classical and 128 bits quantum security against best known attacks
๐ธ0 /๐ฝ๐2 โถ ๐ฆ2 = ๐ฅ3 + ๐ฅ
#๐ธ0 = ๐ + 1 2 = 23723239 2 Easy ECDLP
๐๐ด, ๐๐ต โ ๐ธ0 ๐ฝ๐ , ๐๐ด = ๐ ๐๐ด , ๐๐ต = ๐ ๐๐ต
PK = ๐ฅ ๐ , ๐ฅ ๐ , ๐ฅ ๐ โ ๐ โ ๐ฝ๐23
564 bytes
376 bytes
params public private
48 bytes ๐ ๐ด, ๐ ๐ต โ โค
188 bytes ๐(๐ธ๐ด๐ต) โ ๐ฝ๐2
โข Computing isogenies of prime degree โ at least ๐ โ
โข We need exponential #secretsโ #isogeniesโ#kernel subgroups
โข Upshot: isogenies must have exponential degree. Canโt compute unless smooth!
โข We will only use isogenies of degree โ๐ for โ โ {2,3}
Exploiting smooth degree isogenies
โข Suppose secret point ๐ 0 has order 2372, we need ๐ โถ ๐ธ โ ๐ธ/โจ๐ 0โฉ
โข Factor ๐ = ๐371โฆ๐1๐0, with ๐๐ are 2-isogenies, and walk to ๐ธ/โจ๐ 0โฉ
๐0 = ๐ธ0 โ ๐ธ0/โจ โ4 ๐ 0โฉ , ๐ 1 = ๐0 ๐ 0 ;
๐1 = ๐ธ1 โ ๐ธ1/โจ โ3 ๐ 1โฉ , ๐ 2 = ๐1(๐ 1);
โฎ โฎ๐370 = ๐ธ370 โ ๐ธ370/โจ โ
1 ๐ 370โฉ , ๐ 371 = ๐370(๐ 370);๐371 = ๐ธ371 โ ๐ธ371/โจ๐ 371โฉ .
โข The above is naรฏve: there is a much faster way (see [DJPโ14]).
โข SIDH requires two types of arithmetic: [๐]๐ โ ๐ธ and ๐ โถ ๐ธ โ ๐ธโฒ
Exploiting smooth degree isogenies
Our performance improvements
1. Projective isogenies โ โ1 everywhere
2. Fast ๐ฝ๐2 arithmetic
3. Tight public parameters
( just 1 todayโฆ )
๐ธa,b โถ ๐๐ฆ2 = ๐ฅ3 + ๐๐ฅ2 + ๐ฅ
Point and isogeny arithmetic in โ1
๐ธ(A:B:C) โถ ๐ต๐2๐ = ๐ถ๐3 + ๐ด๐2๐ + ๐ถ๐๐2
๐ฅ, ๐ฆ โ (๐ โถ ๐ โถ ๐) ๐, ๐ โ (๐ด โถ ๐ต โถ ๐ถ)
โ1 point arithmetic (Montgomery): ๐ โถ ๐ โฆ (๐โฒ: ๐โฒ)
โ1 isogeny arithmetic (this work): ๐ด โถ ๐ถ โฆ ๐ดโฒ: ๐ถโฒ
ECDH: move around different points on a fixed curve.
SIDH: move around different points and different curves
The Montgomery ๐ต coefficient only fixes the quadratic twist. Can ignore it
in SIDH since ๐ ๐ธ = ๐(๐ธโฒ)
what wasโฆ
โฆ is now (division-free):
Division in ๐ฝp
Performance benchmarks
Table: millions of clock cycles for DH operations on 3.4GHz Intel Core i7-4770 (Haswell)
SIDH operation This work* Prior work
(AFJโ14)
Alice key generation 46 149
Bob key generation 52 152
Alice shared secret 44 118
Bob shared secret 50 122
Total 192 540
*includes full protection against timing and cache attacks
โข No clear frontrunner for PQ key exchange
โข Hybrid particularly good idea for (relatively young) SIDH
โข Hybrid particularly easy for SIDH
BigMont: a strong SIDH+ECDH hybrid
There are exponentially many ๐ด such that ๐ธ๐ด /๐ฝ๐2: ๐ฆ2 = ๐ฅ3 + ๐ด๐ฅ2 + ๐ฅ is in the
supersingular isogeny class. These are all unsuitable for ECDH.
There are also exponentially many ๐ด such that ๐ธ๐ด /๐ฝ๐2: ๐ฆ2 = ๐ฅ3 + ๐ด๐ฅ2 + ๐ฅ is
suitable for ECDH, e.g. ๐ด = 624450.
SIDH vs. SIDH+ECDH hybrid
comparison SIDH SIDH+ECDH
bit security
(hard problem)
classical 192 (SSDDH) 384 (ECDHP)
quantum 128 (SSDDH) 128 (SSDDH)
public key size (bytes) 564 658
Speed
(cc x 106)
Alice key gen. 46 52
Bob key gen. 52 58
Alice shared sec. 44 50
Bob shared sec. 50 57
Colossal amount of classical security almost-for-free (โ no more code)
SIDH vs. lattice โDHโ primitives
Table: ms for full DH round (Alice + Bob) on 2.6GHz Intel Xeon i5 (Sandy Bridge) See โFrodoโ for benchmarking details.
Name Primitive Full DH
(ms)
PK size
(bytes)
Frodo LWE 2.600 11,300
NewHope R-LWE 0.310 1,792
NTRU NTRU 2.429 1,024
SIDH Supersingular
Isogeny
900 564
All numbers above are for plain C implementations (e.g., SIDH w. assembly optimizations is 56ms)
โข Azarderakhsh, Jao, Kalach, Koziel, Leonardi: instead of sending points with ๐ธ, send scalars w.r.t. deterministic basis generating ๐ธ[๐]
โข e.g., instead of sending ๐ โ ๐ธ(๐ฝ๐2)[2372], send ๐ผ, ๐ฝ โ โค2372 such that ๐ =
๐ผ ๐ + ๐ฝ ๐ for some โcanonicalโ basis {๐, ๐ } of ๐ธ(๐ฝ๐2)[2372] that Alice and
Bob can compute from ๐ธ alone
โข Azarderakhsh et al. show that decomposing ๐ โฆ ๐ผ, ๐ฝ costs roughly 10 times a full round of SIDH!!!
Compression of public keys
(C-Jao-Longa-Naehrig-Renes-Urbanik: http://eprint.iacr.org/2016/963)
Efficient compression of public keys
โข Three stages to SIDH public key compression ๐ โฆ ๐ผ, ๐ฝ
โข Step 1: compute deterministic basis ๐, ๐ โ ๐ธ[๐]
โข Step 2: compute pairings to transform discrete logarithms into ๐๐โ
โข Step 3: solve discrete logarithms using Pohlig-Hellman
โข Step 1: much faster bases computations using 2 & 3 descent
โข Step 2: much faster pairing computations using optimized Tate not Weil
โข Step 3: much faster PH using optimized windowing approach
Performance benchmarks
Table: millions of clock cycles for DH operations (Haswell) scaled โ see paper.
Full round SIDH
(Alice+Bob)
This work* Prior work
(AJKKLโ16)
no compression 192 535
compression 510 15,395
Compressed SIDH vs. lattice โDHโ primitives
Name Primitive Full DH
(ms)
PK size
(bytes)
Frodo LWE 2.600 11,300
NewHope R-LWE 0.310 1,792
NTRU NTRU 2.429 1,024
SIDH Supersingular
Isogeny
โ 2390 330
Compressed SIDH roughly 2-3 slower than uncompressed SIDH.
โข Issues regarding public key validation: Asiacrypt2016 paper by Galbraith-Petit-Shani-Ti
โข NSA countermeasure: โFailure is not an option: standardization issues for PQ key agreementโ
โข Thus, library currently supports ephemeral DH only
Validating public keys
โข Cryptanalysis!
โข Faster SIDH
โข SIDH with static keys
โข SI signatures
Future work
https://www.microsoft.com/en-us/research/project/sidh-library/
SIDH library (v2.0 coming soon)
Full version of Cryptoโ16 paper(joint with P. Longa and M. Naehrig)
http://eprint.iacr.org/2016/413
Full version of compression paper(joint with D. Jao, P. Longa, M. Naehrig, D. Urbanik, J. Renes)
http://eprint.iacr.org/2016/963
Thanks!