Towards Practical Key Exchange from Ordinary Isogeny Graphs

Feo, Luca De; Kieffer, Jean; Smith, Benjamin

doi:10.1007/978-3-030-03332-3_14

Cited by 54 publications

(49 citation statements)

References 58 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…On the positive side, the resulting system would have much stronger quantum security. Indeed, the best known quantum attacks are exponential in the size of the key space (≈ 2 2λ here), but only subexponential in p (see [7,13,6]). Since our modification more than doubles the size of p without changing the size of the key space, quantum security is automatically increased.…”

Section: Derandomized Csidh Algorithmsmentioning

confidence: 99%

Stronger and Faster Side-Channel Protections for CSIDH

Cervantes-Vázquez

Chenu

Chi-Domínguez

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

CSIDH is a recent quantum-resistant primitive based on the difficulty of finding isogeny paths between supersingular curves. Recently, two constant-time versions of CSIDH have been proposed: first by Meyer, Campos and Reith, and then by Onuki, Aikawa, Yamazaki and Takagi. While both offer protection against timing attacks and simple power consumption analysis, they are vulnerable to more powerful attacks such as fault injections. In this work, we identify and repair two oversights in these algorithms that compromised their constant-time character. By exploiting Edwards arithmetic and optimal addition chains, we produce the fastest constant-time version of CSIDH to date. We then consider the stronger attack scenario of fault injection, which is relevant for the security of CSIDH static keys in embedded hardware. We propose and evaluate a dummy-free CSIDH algorithm. While these CSIDH variants are slower, their performance is still within a small constant factor of lessprotected variants. Finally, we discuss derandomized CSIDH algorithms.Note: A previous version of this article incorrectly claimed that a test in Algorithm 2 leaks information through the timing channel. We are grateful to Prof. Onuki for point out our mistake.

show abstract

Section: Derandomized Csidh Algorithmsmentioning

confidence: 99%

Stronger and Faster Side-Channel Protections for CSIDH

Cervantes-Vázquez

Chenu

Chi-Domínguez

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…One technique suggested by De Feo, Kieffer, and Smith [42,23] to compute the CRS group action is to use the (classical) modular polynomials Φ (X, Y ), which vanish exactly on the pairs of j-invariants that are connected by a cyclicisogeny. For prime , the polynomial Φ (X, Y ) is symmetric and has degree + 1 in the two variables, hence fixing one of the variables to some j-invariant and finding the roots of the resulting univariate polynomial suffices to find neighbours in the -isogeny graph.…”

Section: Computing -Isogenies Using Modular Polynomialsmentioning

confidence: 99%

“…Switching from j-invariants to other geometric invariants does not solve this problem. This is already a problem for CRS, and is already solved in [42,23] using the Bostan-Morain-Salvy-Schost algorithm. The application of this algorithm in the CRS context is slightly simpler than the application explained above, since there is no need for isogeny verification: one knows that E B is -isogenous to E A , and the only question is whether the kernel is in the correct Frobenius eigenspace.…”

Section: Disambiguating Directionsmentioning

confidence: 99%

“…Like the original CRS [20,64,68] isogeny-based cryptosystem, CSIDH has public keys and ciphertexts only about twice as large as traditional elliptic-curve keys and ciphertexts for a similar security level against all known pre-quantum attacks. CRS was accelerated recently by De Feo, Kieffer, and Smith [23]; CSIDH builds upon this and chooses curves in a different way, obtaining much better speed.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation of Isogenies

Bernstein

Lange

Martindale

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

DOI to the publisher's website. • The final author version and the galley proof are versions of the publication after peer review. • The final published version features the final layout of the paper including the volume, issue and page numbers. Link to publication General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal. If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the "Taverne" license above, please follow below link for the End User Agreement:

show abstract

“…Most recently, two independent works revisited isogeny-based cryptosystems by restricting themselves to cases where the subexponential attacks based on the action of Cl(O) was applicable. The scheme known as CSIDH by Castryck et al [10] uses supersingular curves and isogenies defined over F p , while the scheme of De Feo, Kieffer and Smith [14] uses ordinary curves with many practical optimizations. In both cases, the appeal of using commutative structures is to allow more functionalities, such as static-static key exchange protocols that are not possible with SIDH without an expensive Fujisaki-Okamoto transform [2].…”

Section: Introductionmentioning

confidence: 99%

A Note on the Security of CSIDH

Biasse

Iezzi

Jacobson

2018

Progress in Cryptology – INDOCRYPT 2018

View full text Add to dashboard Cite

We propose an algorithm for computing an isogeny between two elliptic curves E1, E2 defined over a finite field such that there is an imaginary quadratic order O satisfying O ≃ End(Ei) for i = 1, 2. This concerns ordinary curves and supersingular curves defined over Fp (the latter used in the recent CSIDH proposal). Our algorithm has heuristic asymptotic run time e O √ log(|∆|) and requires polynomial quantum memory and e O √ log(|∆|) classical memory, where ∆ is the discriminant of O. This asymptotic complexity outperforms all other available method for computing isogenies. We also show that a variant of our method has asymptotic run time eÕ √ log(|∆|) while requesting only polynomial memory (both quantum and classical).

show abstract

Towards Practical Key Exchange from Ordinary Isogeny Graphs

Cited by 54 publications

References 58 publications

Stronger and Faster Side-Channel Protections for CSIDH

Stronger and Faster Side-Channel Protections for CSIDH

Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation of Isogenies

A Note on the Security of CSIDH

Contact Info

Product

Resources

About