207 research outputs found

    CSIDH on the surface

    Get PDF
    For primes p≡3mod4, we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring Z[(1+−p−−−√)/2], amounts to just a few sign switches in the underlying arithmetic. If p≡7mod8 then horizontal 2-isogenies can be used to help compute the class group action. The formulas we derive for these 2-isogenies are very efficient (they basically amount to a single exponentiation in Fp) and allow for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This improvement is completely orthogonal to all previous speed-ups, constant-time measures and construction of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the surface gets rid of the redundant factor Z3 of the acting ideal-class group, which is present in the case of CSIDH and offers no extra security

    OSIDH and SiGamal : cryptosystems from supersingular elliptic curves (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)

    Get PDF
    We introduce two cryptosystems, OSIDH and SiGamal, which use isogenies between supersingular elliptic curves over a finite field. And we consider computational problems on which these cryptosystems are based. In particular, we discuss a relation between these problems and problems to find the image of a point under a secret isogeny

    Post-Quantum Cryptography from Supersingular Isogenies (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)

    Get PDF
    This paper is based on a presentation made at RIMS conference on “Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties”, so-called “Supersingular 2020”. Post-quantum cryptography is a next-generation public-key cryptosystem that resistant to cryptoanalysis by both classical and quantum computers. Isogenies between supersingular elliptic curves present one promising candidate, which is called isogeny-based cryptography. In this paper, we give an introduction to two isogeny-based key exchange protocols, SIDH [17] and CSIDH [2], which are considered as a standard in the subject so far. Moreover, we explain briefly our recent result [24] about cycles in the isogeny graphs used in some parameters of SIKE, which is a key encapsulation mechanism based on SIDH

    Hard Homogenous Spaces and Commutative Supersingular Isogeny based Diffie-Hellman

    Get PDF
    Tema ovog rada jest proces stvaranja 3D stvarnih ili imaginarnih objekata pomoću alata SolidWorks koji je u današnje vrijeme jedan od najpoznatijih alata kod modeliranja mehaničkih i projektnih objekata. Kako bi ga što više približio svakoj osobi, ukratko sam naveo najvažnije činjenice o samom alatu, prošao kroz njegovu povijest, objasnio za što ga možemo koristiti te najvećim dijelom prikazao kako se od jednog tehničkog nacrta dođe do gotovog objekta i modela

    SCALLOP:Scaling the CSI-FiSh

    Get PDF
    International audienceWe present SCALLOP: SCALable isogeny action based on Oriented supersingular curves with Prime conductor, a new group action based on isogenies of supersingular curves. Similarly to CSIDH and OSIDH, we use the group action of an imaginary quadratic order’s class group on the set of oriented supersingular curves. Compared to CSIDH, the main benefit of our construction is that it is easy to compute the class-group structure; this data is required to uniquely represent—and efficiently act by — arbitrary group elements, which is a requirement in, e.g., the CSI-FiSh signature scheme by Beullens, Kleinjung and Vercauteren. The index-calculus algorithm used in CSI-FiSh to compute the class-group structure has complexity L(1/2), ruling out class groups much larger than CSIDH-512, a limitation that is particularly problematic in light of the ongoing debate regarding the quantum security of cryptographic group actions.Hoping to solve this issue, we consider the class group of a quadratic order of large prime conductor inside an imaginary quadratic field of small discriminant. This family of quadratic orders lets us easily determine the size of the class group, and, by carefully choosing the conductor, even exercise significant control on it—in particular supporting highly smooth choices. Although evaluating the resulting group action still has subexponential asymptotic complexity, a careful choice of parameters leads to a practical speedup that we demonstrate in practice for a security level equivalent to CSIDH-1024, a parameter currently firmly out of reach of index-calculus-based methods. However, our implementation takes 35 seconds (resp. 12.5 minutes) for a single group-action evaluation at a CSIDH-512-equivalent (resp. CSIDH-1024-equivalent) security level, showing that, while feasible, the SCALLOP group action does not achieve realistically usable performance yet

    Rational isogenies from irrational endomorphisms

    Get PDF
    In this paper, we introduce a polynomial-time algorithm to compute a connecting O\mathcal{O}-ideal between two supersingular elliptic curves over Fp\mathbb{F}_p with common Fp\mathbb{F}_p-endomorphism ring O\mathcal{O}, given a description of their full endomorphism rings. This algorithm provides a reduction of the security of the CSIDH cryptosystem to the problem of computing endomorphism rings of supersingular elliptic curves. A similar reduction for SIDH appeared at Asiacrypt 2016, but relies on totally different techniques. Furthermore, we also show that any supersingular elliptic curve constructed using the complex-multiplication method can be located precisely in the supersingular isogeny graph by explicitly deriving a path to a known base curve. This result prohibits the use of such curves as a building block for a hash function into the supersingular isogeny graph
    corecore