77
1/22 On the Cost of Computing Isogenies Between Supersingular Elliptic Curves Gora Adj 1 , Daniel Cervantes-V´ azquez 2 , Jes´ us-Javier Chi-Dom´ ınguez 2 , Alfred Menezes 1 , and Francisco Rodr´ ıguez-Henr´ ıquez 2 1 Department of Combinatorics & Optimization, University of Waterloo 2 Computer Science Department, CINVESTAV-IPN August 17, 2018

On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

1/22

On the Cost of Computing Isogenies BetweenSupersingular Elliptic Curves

Gora Adj 1, Daniel Cervantes-Vazquez 2, Jesus-JavierChi-Domınguez 2, Alfred Menezes 1, and Francisco

Rodrıguez-Henrıquez 2

1Department of Combinatorics & Optimization, University of Waterloo

2Computer Science Department, CINVESTAV-IPN

August 17, 2018

Page 2: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

1/22

Agenda

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 3: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

1/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 4: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction

The Supersingular Isogeny Diffie-Hellman (SIDH) key agreementscheme was proposed by De Feo andJao [De Feo & Jao’11, De Feo, Jao and Plut’14].

• It is one of 69 candidates being considered by the (NIST) forinclusion in a forthcoming standard for quantum-safecryptography [Jao et al.’17].

• Its security is based on the difficulty of the ComputationalSupersingular Isogeny (CSSI) problem (CSSI problem wasintroduced in [Charles et al.’09]).

Page 5: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction

The Supersingular Isogeny Diffie-Hellman (SIDH) key agreementscheme was proposed by De Feo andJao [De Feo & Jao’11, De Feo, Jao and Plut’14].

• It is one of 69 candidates being considered by the (NIST) forinclusion in a forthcoming standard for quantum-safecryptography [Jao et al.’17].

• Its security is based on the difficulty of the ComputationalSupersingular Isogeny (CSSI) problem (CSSI problem wasintroduced in [Charles et al.’09]).

Page 6: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction

The Supersingular Isogeny Diffie-Hellman (SIDH) key agreementscheme was proposed by De Feo andJao [De Feo & Jao’11, De Feo, Jao and Plut’14].

• It is one of 69 candidates being considered by the (NIST) forinclusion in a forthcoming standard for quantum-safecryptography [Jao et al.’17].

• Its security is based on the difficulty of the ComputationalSupersingular Isogeny (CSSI) problem (CSSI problem wasintroduced in [Charles et al.’09]).

Page 7: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction: main contributions

One of our main contributions is the observation that VW goldencollision search can be used to solve CSSI.

Thus, there are two classical attacks on CSSI:

• Meet-in-the middle, and

• VW golden collision search.

We argue that, even though VW is slower than MITM, it is lesscostly, and thus should be used to select parameters for resistanceto known classical attacks.

Remarks: two facts about VW golden collision search:

1 it is not well known, and

2 it is different from the “usual” VW collision search.

Page 8: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction: main contributions

One of our main contributions is the observation that VW goldencollision search can be used to solve CSSI.Thus, there are two classical attacks on CSSI:

• Meet-in-the middle, and

• VW golden collision search.

We argue that, even though VW is slower than MITM, it is lesscostly, and thus should be used to select parameters for resistanceto known classical attacks.

Remarks: two facts about VW golden collision search:

1 it is not well known, and

2 it is different from the “usual” VW collision search.

Page 9: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction: main contributions

One of our main contributions is the observation that VW goldencollision search can be used to solve CSSI.Thus, there are two classical attacks on CSSI:

• Meet-in-the middle, and

• VW golden collision search.

We argue that, even though VW is slower than MITM, it is lesscostly, and thus should be used to select parameters for resistanceto known classical attacks.

Remarks: two facts about VW golden collision search:

1 it is not well known, and

2 it is different from the “usual” VW collision search.

Page 10: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction: main contributions

One of our main contributions is the observation that VW goldencollision search can be used to solve CSSI.Thus, there are two classical attacks on CSSI:

• Meet-in-the middle, and

• VW golden collision search.

We argue that, even though VW is slower than MITM, it is lesscostly, and thus should be used to select parameters for resistanceto known classical attacks.

Remarks: two facts about VW golden collision search:

1 it is not well known, and

2 it is different from the “usual” VW collision search.

Page 11: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction

Flow of this presentation

In this talk, we will review the VW golden collision search as itapplies to CSSI problem.

Remark: we are not accounting for the memory access costs, whichare expected to be quite expensive.

Page 12: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Introduction

Flow of this presentation

In this talk, we will review the VW golden collision search as itapplies to CSSI problem.Remark: we are not accounting for the memory access costs, whichare expected to be quite expensive.

Page 13: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

2/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 14: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

3/22

SIDH overview[De Feo, Jao and Plut’14, Jao et al.’17]

SIDH framework:

• p = `eAA `eBB d − 1 is a prime number,

• E is a supersingular elliptic curve defined over Fp2 with#E (Fp2) = (p + 1)2.

• E [`eAA ](Fp2) = 〈PA,QA〉 and E [`eBB ](Fp2) = 〈PB ,QB〉.

General description SIDH:

RA ← [nA] + [mA]

RB ← [nB ] + [mB ]

E

E/〈RA,RB〉

The shared secret key is j(E/〈RA,RB〉).

Page 15: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

3/22

SIDH overview[De Feo, Jao and Plut’14, Jao et al.’17]

SIDH framework:

• p = `eAA `eBB d − 1 is a prime number,

• E is a supersingular elliptic curve defined over Fp2 with#E (Fp2) = (p + 1)2.

• E [`eAA ](Fp2) = 〈PA,QA〉 and E [`eBB ](Fp2) = 〈PB ,QB〉.

General description SIDH:

RA ← [nA] + [mA]

RB ← [nB ] + [mB ]

E

E/〈RA,RB〉

The shared secret key is j(E/〈RA,RB〉).

Page 16: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

3/22

SIDH overview[De Feo, Jao and Plut’14, Jao et al.’17]

SIDH framework:

• p = `eAA `eBB d − 1 is a prime number,

• E is a supersingular elliptic curve defined over Fp2 with#E (Fp2) = (p + 1)2.

• E [`eAA ](Fp2) = 〈PA,QA〉 and E [`eBB ](Fp2) = 〈PB ,QB〉.

General description SIDH:

RA ← [nA]PA + [mA]QA

RB ← [nB ]PB + [mB ]QB

E E/〈RA〉

E/〈RB〉 E/〈RA,RB〉

φA

φB

The shared secret key is j(E/〈RA,RB〉).

Page 17: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

3/22

SIDH overview[De Feo, Jao and Plut’14, Jao et al.’17]

SIDH framework:

• p = `eAA `eBB d − 1 is a prime number,

• E is a supersingular elliptic curve defined over Fp2 with#E (Fp2) = (p + 1)2.

• E [`eAA ](Fp2) = 〈PA,QA〉 and E [`eBB ](Fp2) = 〈PB ,QB〉.

General description SIDH:

RA ← [nA]PA + [mA]QA

RB ← [nB ]PB + [mB ]QB

E E/〈RA〉

E/〈RB〉 E/〈RA,RB〉

φA

φB

φA(PB

),φA(QB

),E/〈RA〉

The shared secret key is j(E/〈RA,RB〉).

Page 18: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

3/22

SIDH overview[De Feo, Jao and Plut’14, Jao et al.’17]

SIDH framework:

• p = `eAA `eBB d − 1 is a prime number,

• E is a supersingular elliptic curve defined over Fp2 with#E (Fp2) = (p + 1)2.

• E [`eAA ](Fp2) = 〈PA,QA〉 and E [`eBB ](Fp2) = 〈PB ,QB〉.

General description SIDH:

RA ← [nA]PA + [mA]QA

RB ← [nB ]PB + [mB ]QB

E E/〈RA〉

E/〈RB〉 E/〈RA,RB〉

φA

φB

φA(PB

),φA(QB

),E/〈RA〉

φB(PA

),φB(QA

),E/〈RB〉

The shared secret key is j(E/〈RA,RB〉).

Page 19: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

3/22

SIDH overview[De Feo, Jao and Plut’14, Jao et al.’17]

SIDH framework:

• p = `eAA `eBB d − 1 is a prime number,

• E is a supersingular elliptic curve defined over Fp2 with#E (Fp2) = (p + 1)2.

• E [`eAA ](Fp2) = 〈PA,QA〉 and E [`eBB ](Fp2) = 〈PB ,QB〉.

General description SIDH:

φB(RA)← [nA]φB(PA) + [mA]φB(QA)

φA(RB)← [nB ]φA(PB) + [mB ]φA(QB)

E E/〈RA〉

E/〈RB〉 E/〈RA,RB〉

φA

φB φ′B

φA(PB

),φA(QB

),E/〈RA〉

φB(PA

),φB(QA

),E/〈RB〉

φ′A

The shared secret key is j(E/〈RA,RB〉).

Page 20: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

3/22

SIDH overview[De Feo, Jao and Plut’14, Jao et al.’17]

SIDH framework:

• p = `eAA `eBB d − 1 is a prime number,

• E is a supersingular elliptic curve defined over Fp2 with#E (Fp2) = (p + 1)2.

• E [`eAA ](Fp2) = 〈PA,QA〉 and E [`eBB ](Fp2) = 〈PB ,QB〉.

General description SIDH:

φB(RA)← [nA]φB(PA) + [mA]φB(QA)

φA(RB)← [nB ]φA(PB) + [mB ]φA(QB)

E E/〈RA〉

E/〈RB〉 E/〈RA,RB〉

φA

φB φ′B

φA(PB

),φA(QB

),E/〈RA〉

φB(PA

),φB(QA

),E/〈RB〉

φ′A

The shared secret key is j(E/〈RA,RB〉).

Page 21: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

3/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 22: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

4/22

CSSI problem

As a consequence, SIDH based its security in the hardness of thefollowing problem

Problem (CSSI)

Given the public parameters `A, `B , eA, eB , p, E , PA, QA, and theelliptic curve E/〈RA〉, compute a degree-`eAA isogenyφA : E → E/〈RA〉.

Page 23: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

5/22

CSSI modeled as Collision FindingProblem

Let’s write (R, `, e) to mean either (RA, `A, eA) or (RB , `B , eB),E1 = E , and E2 = E/〈R〉. Notice that the degree-(`e) isogenyφ : E → E/〈R〉 can be writen as the composition of twodegree-`e/2 isogenies.

φR0

R0 =[`e2

]R

φR1

R1 = φR0(R)

E1 E1/〈R0〉 E2

Page 24: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

5/22

CSSI modeled as Collision FindingProblem

Let’s write (R, `, e) to mean either (RA, `A, eA) or (RB , `B , eB),E1 = E , and E2 = E/〈R〉. Therefore, E1 and E2 satisfies:

φ[`e/2]R1

∀R1 ∈ E1[`e ](Fp2)of order `e

just onecollision

φ[`e/2]R2

∀R2 ∈ E2[`e ](Fp2)of order `e

E1 j(E1/〈R1〉) E2j(E2/〈R2〉)

Page 25: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

5/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 26: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

5/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 27: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

6/22

Meet-in-the-middle attack

Let’s ilustrate how MITM works by an example. Let `A = 2,`B = 3, eA = 4, eB = 2, p = 24 · 32 · 5− 1,

E1 : y2 = x3 +(0x040 · i + 0x1F0

)x +

(0x1E6 · i + 0x0C7

),

P1 = (0x16E · i + 0x1B4, 0x10B · i + 0x05F),

Q1 = (0x203 · i + 0x0CC, 0x047 · i + 0x0C5), and

E2 : y2 = x3 +(0x1CF · i + 0x047

)x +

(0x1EA · i + 0x00D

).

Then, the goal is to find a degree-24 isogeny from E1 to E2.

Page 28: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

6/22

Meet-in-the-middle attack

First, compute the degree-22 isogeny tree rooted at E1, and storeits leaves.

E1

E12

0x000 · i + 0x000

0x000 · i + 0x000

E11

0x000 · i + 0x088

0x000 · i + 0x000

E10

0x000 · i + 0x000

0x000 · i + 0x000

E2

E20

0x000 · i + 0x000

0x000 · i + 0x000

E21

0x000 · i + 0x000

0x000 · i + 0x000

E22

0x000 · i + 0x000

0x000 · i + 0x000

Page 29: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

6/22

Meet-in-the-middle attack

First, compute the degree-22 isogeny tree rooted at E1, and storeits leaves.

E1

E12

0x255 · i + 0x01D

0x081 · i + 0x2C5

0x10D · i + 0x25F

0x031 · i + 0x09D

0x059 · i +0x1B1

E11

0x088 · i + 0x01F

0x160 · i + 0x108

0x0450x160 · i + 0x108

0x0FF · i + 0x053

E10

0x00A

0x0F9 · i + 0x150

0x07F · i + 0x0DD0x1F5 · i + 0x046

0x17

7· i

+0x

0CB

E2

E20

0x000 · i + 0x000

0x000 · i + 0x000

E21

0x000 · i + 0x000

0x000 · i + 0x000

E22

0x000 · i + 0x000

0x000 · i + 0x000

Page 30: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

6/22

Meet-in-the-middle attack

Second, compute degree-22 isogenies at E2 until the match isfound.

E1

E12

0x255 · i + 0x01D

0x081 · i + 0x2C5

0x10D · i + 0x25F

0x031 · i + 0x09D

0x059 · i +0x1B1

E11

0x088 · i + 0x01F

0x160 · i + 0x108

0x0450x160 · i + 0x108

0x0FF · i + 0x053

E10

0x00A

0x0F9 · i + 0x150

0x07F · i + 0x0DD0x1F5 · i + 0x046

0x17

7· i

+0x

0CB

E2

E20

0x0A0 · i + 0x1B30x101 · i + 0x0DC

0x05B0x14D · i + 0x23F

0x127 · i +0x026

E21

0x07F · i + 0x0DD0x047 · i + 0x218

0x000 · i + 0x000

0x22D · i + 0x228

E22

0x000 · i + 0x0000x00 · i + 0x000

0x000 · i + 0x0000x00 · i + 0x000

0x00· i

+0x

000

Page 31: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

6/22

Meet-in-the-middle attack

Then, we can reconstruct φA : E1 → E2 by composing the followingisogenies:

E1φ0−→ E10

φ1−→ E100

Fp2 -isomorphism−−−−−−−−−−→

ψE210

φ2−→ E21φ3−→ E2

E1

E12

0x255 · i + 0x01D

0x081 · i + 0x2C5

0x10D · i + 0x25F

0x031 · i + 0x09D

0x059 · i +0x1B1

E11

0x088 · i + 0x01F

0x160 · i + 0x108

0x0450x160 · i + 0x108

0x0FF · i + 0x053

E10

0x00A

0x0F9 · i + 0x150

0x07F · i + 0x0DD0x1F5 · i + 0x046

0x17

7· i

+0x

0CB

E2

E20

0x0A0 · i + 0x1B30x101 · i + 0x0DC

0x05B0x14D · i + 0x23F

0x127 · i +0x026

E21

0x07F · i + 0x0DD0x047 · i + 0x2180x241 · i + 0x16E

0x000 · i + 0x0000x144 · i + 0x238

0x22D · i + 0x228

0x144 · i + 0x14E

E22

0x000 · i + 0x0000x00 · i + 0x000

0x000 · i + 0x0000x00 · i + 0x000

0x00· i

+0x

000

Page 32: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

6/22

Meet-in-the-middle attack

Now, let λ be the discrete log of φA(QA) in base φA(PA) (or viceversa). Then, the secret kernel of Alice is 〈QA − [λ]PA〉 (orPA − [λ]QA). In our example, λ = 3.

E1

E12

0x255 · i + 0x01D

0x081 · i + 0x2C5

0x10D · i + 0x25F

0x031 · i + 0x09D

0x059 · i +0x1B1

E11

0x088 · i + 0x01F

0x160 · i + 0x108

0x0450x160 · i + 0x108

0x0FF · i + 0x053

E10

0x00A

0x0F9 · i + 0x150

0x07F · i + 0x0DD0x1F5 · i + 0x046

0x17

7· i

+0x

0CB

E2

E20

0x0A0 · i + 0x1B30x101 · i + 0x0DC

0x05B0x14D · i + 0x23F

0x127 · i +0x026

E21

0x07F · i + 0x0DD0x047 · i + 0x2180x241 · i + 0x16E

0x000 · i + 0x0000x144 · i + 0x238

0x22D · i + 0x228

0x144 · i + 0x14E

E22

0x000 · i + 0x0000x00 · i + 0x000

0x000 · i + 0x0000x00 · i + 0x000

0x00· i

+0x

000

Page 33: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

7/22

Meet-in-the-middle attack

Clearly, The average-case time complexity is 1.5N and it has space

complexity N, where N ≈ (`A + 1)`eA/2−1A ≈ p1/4 (Infeasible for

N ≥ 280).

Consequently, using m processors and w cells of memory, therunning time of MITM is approximately

(w/m + N/m)N

w≈ N2/(w ·m) ≈ p1/2/(w ·m).

Page 34: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

7/22

Meet-in-the-middle attack

Clearly, The average-case time complexity is 1.5N and it has space

complexity N, where N ≈ (`A + 1)`eA/2−1A ≈ p1/4 (Infeasible for

N ≥ 280).Consequently, using m processors and w cells of memory, therunning time of MITM is approximately

(w/m + N/m)N

w≈ N2/(w ·m) ≈ p1/2/(w ·m).

Page 35: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

8/22

Meet-in-the-middle attack: experiments

MITM-basic MITM-DFS

expected measured clock clock

eA eB d time space time cycles cycles

32 20 23 217.17 220.72 217.26 234.50 231.73

34 21 109 218.17 221.83 218.24 235.49 232.71

36 22 31 219.17 222.87 219.14 236.43 233.67

38 23 271 220.17 223.99 220.20 237.59 234.60

40 25 71 221.17 225.04 221.15 238.63 235.71

42 26 37 222.17 226.09 222.11 239.83 236.78

44 27 37 223.17 227.14 223.25 241.07 237.87

Meet-in-the-middle attacks for finding a 2eA -isogeny between twosupersingular elliptic curves over Fp2 with p = 2eA · 3eB · d − 1. The‘expected time’ and ‘measured time’ columns give the expected numberand the actual number of degree-2eA/2 isogeny computations forMITM-basic. The space is measured in bytes.

Page 36: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

8/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 37: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

9/22

Collision search problem

Let S be a finite set of size M. The goal is to find a collision for arandom function f : S → S .

Page 38: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

10/22

VW collision search

Firstly, let’s define an element x of S to be distinguished if it hassome easily-testable distinguishing property, and let θ be theproportion of elements of S that are distinguished.

Then, using m processors, the expected time complexity of the VWmethod is approximately 1

m

√πM/2 + 2.5/θ.

Page 39: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

10/22

VW collision search

Firstly, let’s define an element x of S to be distinguished if it hassome easily-testable distinguishing property, and let θ be theproportion of elements of S that are distinguished.

Then, using m processors, the expected time complexity of the VWmethod is approximately 1

m

√πM/2 + 2.5/θ.

Page 40: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

11/22

VW golden collision search

A random function f : S → S is expected to have (M − 1)/2unordered collisions.

Suppose that we seek a particular one ofthese collisions, called a golden collision, which can be efficientlyrecognized.Consequently, one continues generating distinguished points andcollisions until the golden collision is encountered.

Page 41: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

11/22

VW golden collision search

A random function f : S → S is expected to have (M − 1)/2unordered collisions. Suppose that we seek a particular one ofthese collisions, called a golden collision, which can be efficientlyrecognized.

Consequently, one continues generating distinguished points andcollisions until the golden collision is encountered.

Page 42: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

11/22

VW golden collision search

A random function f : S → S is expected to have (M − 1)/2unordered collisions. Suppose that we seek a particular one ofthese collisions, called a golden collision, which can be efficientlyrecognized.Consequently, one continues generating distinguished points andcollisions until the golden collision is encountered.

Page 43: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

11/22

VW golden collision searchThe golden collision might occur with very small probabilitycompared to other collision.

Thus, it is necessary to change theversion of f periodically.

0

1020

2

17

197

15 4

9

25

1 12 13

22

26

11

8

621

27

5

3242318

16

14

Functional graph of a random function f : {0, . . . , 27} → {0, . . . , 27}.The desire golden collision is marked with Orange.

Page 44: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

11/22

VW golden collision searchThe golden collision might occur with very small probabilitycompared to other collision. Thus, it is necessary to change theversion of f periodically.

0

1020

2

17

197

15 4

9

25

1 12 13

22

26

11

8

621

27

5

3242318

16

14

Functional graph of a random function f : {0, . . . , 27} → {0, . . . , 27}.The desire golden collision is marked with Orange.

Page 45: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

12/22

VW golden collision search

Let

• w be the number of elements we can store in memory,

• θ = 2.25√w/M,

• 10w be the number of distinguished elements that eachversion of f produces,

• 210 ≤ w ≤ M/210.

Heuristically, van Oorschot and Wiener saw that each version of fgenerates approximately 1.3w collisions, of which approximately1.1w are distinct. In addition, the expected running time to findthe golden collisions when m processors are employed is

1

m

(2.5√M3/w

). (1)

Page 46: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

12/22

VW golden collision search

Let

• w be the number of elements we can store in memory,

• θ = 2.25√w/M,

• 10w be the number of distinguished elements that eachversion of f produces,

• 210 ≤ w ≤ M/210.

Heuristically, van Oorschot and Wiener saw that each version of fgenerates approximately 1.3w collisions, of which approximately1.1w are distinct.

In addition, the expected running time to findthe golden collisions when m processors are employed is

1

m

(2.5√M3/w

). (1)

Page 47: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

12/22

VW golden collision search

Let

• w be the number of elements we can store in memory,

• θ = 2.25√w/M,

• 10w be the number of distinguished elements that eachversion of f produces,

• 210 ≤ w ≤ M/210.

Heuristically, van Oorschot and Wiener saw that each version of fgenerates approximately 1.3w collisions, of which approximately1.1w are distinct. In addition, the expected running time to findthe golden collisions when m processors are employed is

1

m

(2.5√M3/w

). (1)

Page 48: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

13/22

Solving CSSI with VW golden collisionsearch

Let n ∈ {0, 1}64, S = {1, 2} × {0, . . . , `} × {0, . . . , `e/2−1 − 1},and {P1,Q1}, {P2,Q2} be bases for E1[`e/2],E2[`e/2], respectively.

Then, f : S → S can be described as follows:

Here, gn is defined by using (iteratively) a hash function andreturning its log2 #S least significant bits.

Page 49: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

13/22

Solving CSSI with VW golden collisionsearch

Let n ∈ {0, 1}64, S = {1, 2} × {0, . . . , `} × {0, . . . , `e/2−1 − 1},and {P1,Q1}, {P2,Q2} be bases for E1[`e/2],E2[`e/2], respectively.

Then, f : S → S can be described as follows:

Here, gn is defined by using (iteratively) a hash function andreturning its log2 #S least significant bits.

Page 50: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

13/22

Solving CSSI with VW golden collisionsearch

Let n ∈ {0, 1}64, S = {1, 2} × {0, . . . , `} × {0, . . . , `e/2−1 − 1},and {P1,Q1}, {P2,Q2} be bases for E1[`e/2],E2[`e/2], respectively.

Then, f : S → S can be described as follows:

(c, b, k) ∈ S R =

{[` · k]Pc + Qc , if b = `,Pc + [b · `e/2−1 + k]Qc , otherwise.

j = j(Ec/〈R〉) ∈ Fp2

Here, gn is defined by using (iteratively) a hash function andreturning its log2 #S least significant bits.

Page 51: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

13/22

Solving CSSI with VW golden collisionsearch

Let n ∈ {0, 1}64, S = {1, 2} × {0, . . . , `} × {0, . . . , `e/2−1 − 1},and {P1,Q1}, {P2,Q2} be bases for E1[`e/2],E2[`e/2], respectively.

Then, f : S → S can be described as follows:

(c, b, k) ∈ S R =

{[` · k]Pc + Qc , if b = `,Pc + [b · `e/2−1 + k]Qc , otherwise.

j = j(Ec/〈R〉) ∈ Fp2

hc

Here, gn is defined by using (iteratively) a hash function andreturning its log2 #S least significant bits.

Page 52: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

13/22

Solving CSSI with VW golden collisionsearch

Let n ∈ {0, 1}64, S = {1, 2} × {0, . . . , `} × {0, . . . , `e/2−1 − 1},and {P1,Q1}, {P2,Q2} be bases for E1[`e/2],E2[`e/2], respectively.

Then, f : S → S can be described as follows:

(c, b, k) ∈ S R =

{[` · k]Pc + Qc , if b = `,Pc + [b · `e/2−1 + k]Qc , otherwise.

j = j(Ec/〈R〉) ∈ Fp2

hc

Here, gn is defined by using (iteratively) a hash function andreturning its log2 #S least significant bits.

Page 53: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

13/22

Solving CSSI with VW golden collisionsearch

Let n ∈ {0, 1}64, S = {1, 2} × {0, . . . , `} × {0, . . . , `e/2−1 − 1},and {P1,Q1}, {P2,Q2} be bases for E1[`e/2],E2[`e/2], respectively.

Then, f : S → S can be described as follows:

(c, b, k) ∈ S R =

{[` · k]Pc + Qc , if b = `,Pc + [b · `e/2−1 + k]Qc , otherwise.

j = j(Ec/〈R〉) ∈ Fp2

hc

fc

Here, gn is defined by using (iteratively) a hash function andreturning its log2 #S least significant bits.

Page 54: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

13/22

Solving CSSI with VW golden collisionsearch

Let n ∈ {0, 1}64, S = {1, 2} × {0, . . . , `} × {0, . . . , `e/2−1 − 1},and {P1,Q1}, {P2,Q2} be bases for E1[`e/2],E2[`e/2], respectively.

Then, f : S → S can be described as follows:

(c, b, k) ∈ S R =

{[` · k]Pc + Qc , if b = `,Pc + [b · `e/2−1 + k]Qc , otherwise.

(c ′, b′, k ′) ∈ S j = j(Ec/〈R〉) ∈ Fp2

hc

fc

gn

Here, gn is defined by using (iteratively) a hash function andreturning its log2 #S least significant bits.

Page 55: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

13/22

Solving CSSI with VW golden collisionsearch

Let n ∈ {0, 1}64, S = {1, 2} × {0, . . . , `} × {0, . . . , `e/2−1 − 1},and {P1,Q1}, {P2,Q2} be bases for E1[`e/2],E2[`e/2], respectively.

Then, f : S → S can be described as follows:

(c, b, k) ∈ S R =

{[` · k]Pc + Qc , if b = `,Pc + [b · `e/2−1 + k]Qc , otherwise.

(c ′, b′, k ′) ∈ S j = j(Ec/〈R〉) ∈ Fp2

hc

f=gn◦fc◦hc fc

gn

Here, gn is defined by using (iteratively) a hash function andreturning its log2 #S least significant bits.

Page 56: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

14/22

Solving CSSI with VW golden collisionsearch

e p w 28 210 212 214 216

50 250331179− 1 c1 1.37 1.36 1.37 1.41 1.49

c2 1.14 1.12 1.12 1.11 1.09

60 26033731− 1 c1 1.37 1.34 1.34 1.35 1.36

c2 1.15 1.13 1.13 1.12 1.12

70 270332127− 1 c1 1.33 1.34 1.34 1.34 1.34

c2 1.13 1.14 1.13 1.13 1.13

80 28032571− 1 c1 1.35 1.32 1.33 1.34 1.33

c2 1.14 1.12 1.13 1.13 1.13

Observed number c1w of collisions and number c2w of distinct collisionsper CSSI-based random function fn. The numbers are averages for 25function versions (except for (e,w) ∈ {(80, 212), (80, 214), (80, 216)} forwhich 5 function versions were used).

Page 57: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

14/22

Solving CSSI with VW golden collisionsearch

Therefore, using m processors and w cells of memory, the VWmethod can be used to find this golden collision in expected time

1

m

(2.5√

8N3/w)≈ 7.1p3/8/(w1/2m).

Page 58: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

15/22

Solving CSSI with VW golden collisionsearch: experiments

median average

expected measured clock measured clock

eA eB d w time time cycles time cycles

32 20 23 29 223.20 223.55 240.79 224.38 241.62

34 21 109 29 224.70 224.54 241.89 226.02 243.37

36 22 31 210 225.70 226.06 243.51 227.25 244.70

38 23 271 211 226.70 226.15 243.70 227.69 245.23

40 25 71 211 228.20 226.36 243.99 229.01 246.64

42 26 37 212 229.20 228.92 246.52 230.95 248.55

44 27 37 213 230.20 229.78 247.46 230.91 248.58

Van Oorschot-Wiener golden collision search for finding a 2eA -isogenybetween two supersingular elliptic curves over Fp2 withp = 2eA · 3eB · d − 1. The expected and measured times list the numberof degree-2eA/2 isogeny computations.

Page 59: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

16/22

Solving CSSI with VW golden collisionsearch: 128-, 160-, 192-bit security

p ≈ 2448 p ≈ 2512 p ≈ 2536 p ≈ 2614

# processors space calendar total calendar total calendar total calendar totalm w time time time time time time time time

Meet-in-the-middle using Depth-first search48 64 106 154 138 186 150 198 188 23648 80 90 138 122 170 134 182 172 22064 80 74 138 106 170 118 182 156 220

van Oorschot and Wiener golden collision search48 64 88 136 112 160 121 169 149 19748 80 80 128 104 152 113 161 141 18964 80 64 128 88 152 97 161 125 189

Time complexity estimates of CSSI attacks for p ≈ 2448, p ≈ 2512,p ≈ 2536 and p ≈ 2614. All numbers are expressed in their base-2logarithms. The unit of time is a 2e/2-isogeny computation 2, and we areignoring communication costs.

Conclusion: MITM is more costly than VW golden collision search.

2Calendar time is the elapsed time taken for a computation, whereas totaltime is the sum of the time expended by all m processors.

Page 60: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

16/22

Solving CSSI with VW golden collisionsearch: 128-, 160-, 192-bit security

p ≈ 2448 p ≈ 2512 p ≈ 2536 p ≈ 2614

# processors space calendar total calendar total calendar total calendar totalm w time time time time time time time time

Meet-in-the-middle using Depth-first search48 64 106 154 138 186 150 198 188 23648 80 90 138 122 170 134 182 172 22064 80 74 138 106 170 118 182 156 220

van Oorschot and Wiener golden collision search48 64 88 136 112 160 121 169 149 19748 80 80 128 104 152 113 161 141 18964 80 64 128 88 152 97 161 125 189

Time complexity estimates of CSSI attacks for p ≈ 2448, p ≈ 2512,p ≈ 2536 and p ≈ 2614. All numbers are expressed in their base-2logarithms. The unit of time is a 2e/2-isogeny computation 2, and we areignoring communication costs.

Conclusion: MITM is more costly than VW golden collision search.2Calendar time is the elapsed time taken for a computation, whereas total

time is the sum of the time expended by all m processors.

Page 61: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

16/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 62: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

17/22

Comments about quantum attacks

Tani’s algorithm

The fastest known quantum attack on CSSI is Tani’s algorithm[Tani’09], which has an running time equal to O(p1/6) and requiresO(p1/6) space.

Grover’s algorithm

Clearly, CSSI can also be solved by an application of Grover’squantum search [Grover’96], which has a running time equal toO(p1/4). However, using m quantum circuits only yields a speedupby a factor of

√m [Zalka’99].

Tani vs Grover: the recent work of Jaques and Schanck argue thatTani’s algorithm is more costly than Grover’s algorithm using allreasonable cost measures [Jaques & Schank’18].

Page 63: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

17/22

Comments about quantum attacks

Tani’s algorithm

The fastest known quantum attack on CSSI is Tani’s algorithm[Tani’09], which has an running time equal to O(p1/6) and requiresO(p1/6) space.

Grover’s algorithm

Clearly, CSSI can also be solved by an application of Grover’squantum search [Grover’96], which has a running time equal toO(p1/4). However, using m quantum circuits only yields a speedupby a factor of

√m [Zalka’99].

Tani vs Grover: the recent work of Jaques and Schanck argue thatTani’s algorithm is more costly than Grover’s algorithm using allreasonable cost measures [Jaques & Schank’18].

Page 64: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

17/22

Comments about quantum attacks

Tani’s algorithm

The fastest known quantum attack on CSSI is Tani’s algorithm[Tani’09], which has an running time equal to O(p1/6) and requiresO(p1/6) space.

Grover’s algorithm

Clearly, CSSI can also be solved by an application of Grover’squantum search [Grover’96], which has a running time equal toO(p1/4). However, using m quantum circuits only yields a speedupby a factor of

√m [Zalka’99].

Tani vs Grover: the recent work of Jaques and Schanck argue thatTani’s algorithm is more costly than Grover’s algorithm using allreasonable cost measures [Jaques & Schank’18].

Page 65: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

17/22

Comments about quantum attacksNIST suggests that 240 is the maximum depth of a quantumcircuit that can be executed in one year using presently envisionedquantum computing architectures [NIST’16].

Thus, assuming that the maximum circuit depth is 2k , the numberof quantum circuits needed to perform Grover’s search in one year

for p ≈ 2r is approximately(2r4

2k

)2.

Maximum depth of p ≈ 2448 p ≈ 2512 p ≈ 2536 p ≈ 2614

a quantum circuit m m m m

40 144 176 188 227

64 96 128 140 179

Number of quantum circuits needed to perform Grover’s search in oneyear for p ≈ 2448, p ≈ 2512, p ≈ 2536, and p ≈ 2614. All numbers areexpressed in their base-2 logarithms.

Page 66: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

17/22

Comments about quantum attacksNIST suggests that 240 is the maximum depth of a quantumcircuit that can be executed in one year using presently envisionedquantum computing architectures [NIST’16].

Thus, assuming that the maximum circuit depth is 2k , the numberof quantum circuits needed to perform Grover’s search in one year

for p ≈ 2r is approximately(2r4

2k

)2.

Maximum depth of p ≈ 2448 p ≈ 2512 p ≈ 2536 p ≈ 2614

a quantum circuit m m m m

40 144 176 188 227

64 96 128 140 179

Number of quantum circuits needed to perform Grover’s search in oneyear for p ≈ 2448, p ≈ 2512, p ≈ 2536, and p ≈ 2614. All numbers areexpressed in their base-2 logarithms.

Page 67: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

17/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 68: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

18/22

Recommendations

Assuming m ≤ 264 and w ≤ 280, we suggest

• p434 = 22163137 − 1 (instead of p751 = 23723239 − 1[Costello et al.’16]) in order to achieve 128-bit security,

• p546 = 22733172 − 1 (instead of p964 = 24863301 − 1[Jao et al.’17]) in order to achieve 160-bit security, and

• p610 = 23053192 − 1 in order to achieve 192-bit security.

Page 69: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

18/22

RecommendationsSIDH operations are about 4.8 times faster when p434 is usedinstead of p751.

Protocol CLN library [Costello et al.’16] CLN + enhancementsphase p751 p434 p546 p751 p434 p546

KeyGen.

Alice 35.7 7.51 13.20 26.9 5.3 10.5

Bob 39.9 8.32 14.84 30.5 6.0 11.7

SharedSecret

Alice 33.6 7.01 12.56 24.9 5.0 10.0

Bob 38.4 7.94 14.35 28.6 5.8 11.5

Performance of the SIDH protocol. All timings are reported in 106 clockcycles, measured on an Intel Core i7-6700 supporting a Skylakemicro-architecture. The “CLN + enhancements” columns are for ourimplementation that incorporates improved formulas for degree-4 anddegree-3 isogenies from [Costello & Hisil’17] and Montgomery laddersfrom [Faz-Hernandez et al.’17] into the CLN library.

Page 70: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

18/22

Outline

1 Introduction

2 SIDH overview

3 CSSI problem

4 How to solve Collision Finding Problem?Meet-in-the-middleVW golden collision searchComments about quantum attacksRecommendations

5 Conclusions

Page 71: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

19/22

Conclusions

• We showed that VW Golden Collision search can be used toattack CSSI.

• First implementations of MITM and Golden collision searchCSSI attacks reported.

• The implementations confirm that the performance of theseattacks is accurately predicted by their heuristic analysis.

• Our concrete cost analysis of the attacks leads to theconclusion that golden collision search is more cost effectivethat the meet-in-the-middle attack.

• SIDH operations are about 4.8 times faster when p434 is usedinstead of p751.

Page 72: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

19/22

Conclusions

SIDH parameters with p434 could be deemed to meet the securityrequirements in NIST’s Category 2 [NIST’16] (classical andquantum security comparable or greater than that of SHA-256with respect to collision resistance).

SIDH parameters with p610 could be deemed to meet the securityrequirements in NIST’s Category 4 [NIST’16] (classical andquantum security comparable to that of SHA-384).

Page 73: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

20/22

Thank you for your attention

I look forward to your comments and questions.e-mail: [email protected]

We thank Steven Galbraith for the suggestion to traverse theMITM trees using depth-first search. We also thank Sam Jaquesfor the many discussions on Grover’s and Tani’s algorithms.

Page 74: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

19/22

Reference I

I D. Jao and L. De Feo, “Towards quantum-resistantcryptosystems from supersingular elliptic curve isogenies”,Post-Quantum Cryptography — PQCrypto 2011, LNCS 7071(2011), 19–34.

I D. Charles, E. Goren and K. Lauter, “Cryptographic hashfunctions from expander graphs”, Journal of Cryptology, 22(2009), 93–113.

I J.M. Pollard, “Monte Carlo Methods for Index Computation(mod p)”. Mathematics of Computation, 32 (1978).

I P. van Oorschot and M. Wiener, “Improving implementablemeet-in-the-middle attacks by orders of magnitude”, Advancesin Cryptology — CRYPTO ’96, LNCS 1109 (1996), 229–236.

Page 75: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

20/22

Reference II

I L. De Feo, D. Jao and J. Plut, “Towards quantum-resistantcryptosystems from supersingular elliptic curve isogenies”,Journal of Mathematical Cryptology, 8 (2014), 209–247.

I D. Jao et al., “Supersingular isogeny key encapsulation”,Round 1 submission, NIST Post-Quantum CryptographyStandardization, November 30, 2017.

I Wikipedia, “Sunway TaihuLight”,https://en.wikipedia.org/wiki/Sunway_TaihuLight.

I Wikipedia, “Exabyte”,https://en.wikipedia.org/wiki/Exabyte#Google.

Page 76: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

21/22

Reference III

I National Institute of Standards and Technology, “Submissionrequirements and evaluation criteria for the post-quantumcryptography standardization process”, December 2016.Available from https://csrc.nist.gov/csrc/media/

projects/post-quantum-cryptography/documents/

call-for-proposals-final-dec-2016.pdf.

I L. Grover, “A fast quantum mechanical algorithm for databasesearch”, Proceedings of the Twenty-Eighth Annual Symposiumon Theory of Computing — STOC ’96, ACM Press (1996),212–219.

I S. Tani, “Claw finding algorithms using quantum walk”,Theoretical Computer Science, 410 (2009), 5285–5297.

I C. Zalka, “Grover’s quantum searching algorithm is optimal”,Physical Review A, 60 (1999), 2746–2751.

Page 77: On the Cost of Computing Isogenies Between Supersingular ...computacion.cs.cinvestav.mx/~jjchi/files/cssi_SAC18.pdf · 1/22 On the Cost of Computing Isogenies Between Supersingular

22/22

Reference IV

I C. Costello and H. Hisil, “A simple and compact algorithm forSIDH with arbitrary degree isogenies”, Advances in Cryptology— ASIACRYPT 2017, LNCS 10624 (2017), 303–329.

I A. Faz-Hernandez, J. Lopez, E. Ochoa-Jimenez and F.Rodrıguez-Henrıquez, “A faster software implementation of thesupersingular isogeny Diffie-Hellman key exchange protocol”,IEEE Transactions on Computers, to appear; also available fromhttp://eprint.iacr.org/2017/1015.

I C. Costello, P. Longa and M. Naehrig, “Efficient algorithms forsupersingular isogeny Diffie-Hellman”, Advances in Cryptology— CRYPTO 2016, LNCS 9814 (2016), 572–601.

I S. Jaques and J. Schanck, “Cost analyses of Tani’s algorithm”,in preparation.