On the Security of Supersingular Isogeny Cryptosystems

Galbraith, Steven D.; Petit, Christophe; Shani, Barak; Ti, Yan Bo

doi:10.1007/978-3-662-53887-6_3

Cited by 138 publications

(83 citation statements)

References 29 publications

(39 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We stress that Problems 3 and 4 are potentially easier than Problems 1 and 2 because special primes are used and extra points are revealed. Furthermore, it is shown in Section 4 of [22] that if End(E) is known and one can find any isogeny from E to E then one can compute the specific isogeny of degree e 1 1 . The following problem, on the other hand, offers better foundations for cryptography based on supersingular isogeny problems.…”

Section: Hard Problem Candidates Related To Isogeniesmentioning

confidence: 99%

“…The fastest classical attack on the first scheme has heuristic running time ofÕ( p 1/4 ) bit operations, and the fastest quantum attack (see Section 5.1 of [19]) has running time ofÕ( p 1/6 ). Galbraith, Petit, Shani and Ti [22] and Petit [36] showed that revealing auxiliary points may be dangerous in certain contexts. It is therefore highly advisable to build cryptographic schemes based on the most general, standard and potentially hardest isogeny problems.…”

Section: Introductionmentioning

confidence: 99%

“…This computational problem has heuristic classical complexity ofÕ( p 1/2 ) bit operations, and quantum complexityÕ( p 1/4 ). In particular, the second scheme does not involve sending auxiliary points and so avoids the attacks of [22,36]. The identification scheme is based on a sigma protocol that is very similar to the proof of graph isomorphism.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems

2019

Self Cite

View full text Add to dashboard Cite

We present signature schemes whose security relies on computational assumptions relating to isogeny graphs of supersingular elliptic curves. We give two schemes, both of them based on interactive identification protocols. The first identification protocol is due to De Feo, Jao and Plût. The second one, and the main contribution of the paper, makes novel use of an algorithm of Kohel, Lauter, Petit and Tignol for the quaternion version of the -isogeny problem, for which we provide a more complete description and analysis, and is based on a more standard and potentially stronger computational problem. Both identification protocols lead to signatures that are existentially unforgeable under chosen message attacks in the random oracle model using the wellknown Fiat-Shamir transform, and in the quantum random oracle model using another transform due to Unruh. A version of the first signature scheme was independently published by Yoo, Azarderakhsh, Jalali, Jao and Soukharev. This is the full version of a paper published at ASIACRYPT 2017.

show abstract

Section: Hard Problem Candidates Related To Isogeniesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems

2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…As pointed out in [15], the original SIDH key agreement protocol is not secure when using the same secret over multiple instances of the protocol. This can be fixed by a Fujisaki-Okamoto transform [2] at the cost of a drastic loss of performance, requiring additional points in the protocol, and loss of flexibility, for example, the inability to reuse keys.…”

Section: The Csidh Static-static Key Exchangementioning

confidence: 99%

A Note on the Security of CSIDH

Biasse

Iezzi

Jacobson

2018

Progress in Cryptology – INDOCRYPT 2018

View full text Add to dashboard Cite

We propose an algorithm for computing an isogeny between two elliptic curves E1, E2 defined over a finite field such that there is an imaginary quadratic order O satisfying O ≃ End(Ei) for i = 1, 2. This concerns ordinary curves and supersingular curves defined over Fp (the latter used in the recent CSIDH proposal). Our algorithm has heuristic asymptotic run time e O √ log(|∆|) and requires polynomial quantum memory and e O √ log(|∆|) classical memory, where ∆ is the discriminant of O. This asymptotic complexity outperforms all other available method for computing isogenies. We also show that a variant of our method has asymptotic run time eÕ √ log(|∆|) while requesting only polynomial memory (both quantum and classical).

show abstract

“…In SIDH, however, a Diffie-Hellman oracle defines no binary operation on any set, let alone an interesting algebraic structure. This plurality of spaces makes it hard to adapt hidden-number-problemstyle arguments [21,5] for hardcore bits to the SIDH context in a natural way, though a valiant effort has been made by Galbraith, Petit, Shani, and Ti [68].…”

Section: Supersingular Isogeny Diffie-hellmanmentioning

confidence: 99%

Pre- and Post-quantum Diffie–Hellman from Groups, Actions, and Isogenies

Smith¹

2018

Arithmetic of Finite Fields

View full text Add to dashboard Cite

Diffie-Hellman key exchange is at the foundations of publickey cryptography, but conventional group-based Diffie-Hellman is vulnerable to Shor's quantum algorithm. A range of "post-quantum Diffie-Hellman" protocols have been proposed to mitigate this threat, including the Couveignes, Rostovtsev-Stolbunov, SIDH, and CSIDH schemes, all based on the combinatorial and number-theoretic structures formed by isogenies of elliptic curves. Pre-and post-quantum Diffie-Hellman schemes resemble each other at the highest level, but the further down we dive, the more differences emerge-differences that are critical when we use Diffie-Hellman as a basic component in more complicated constructions. In this survey we compare and contrast pre-and post-quantum Diffie-Hellman algorithms, highlighting some important subtleties.

show abstract

On the Security of Supersingular Isogeny Cryptosystems

Cited by 138 publications

References 29 publications

Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems

Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems

A Note on the Security of CSIDH

Pre- and Post-quantum Diffie–Hellman from Groups, Actions, and Isogenies

Contact Info

Product

Resources

About