On the effectiveness of isogeny walks for extending cover attacks on elliptic curves

Cryptographic systems based on the elliptic curve discrete logarithm problem (ECDLP) are widely deployed in the world today. In order for such a system to guarantee a particular security level, the elliptic curve selected must be such that it avoids a number of well-known attacks. Beyond this, one also needs to be wary of attacks whose reach can be extended via the use of isogenies. It is an open problem as to whether there exists a field for which the isogeny walk strategy can render all elliptic curves unsuitable for cryptographic use. This thesis provides a survey of the theory of elliptic curves from a cryptographic perspective and overviews a few of the well-known algorithms for computing elliptic curve discrete logarithms. We perform some experimental verification for the assumptions used in the analysis of the isogeny walk strategy for extending Weil descent-type cover attacks, and explore its applicability to elliptic curves of cryptographic size. In particular, we demonstrate for the first time that the field F_2^{150} is partially weak for elliptic curve cryptography

On the post-quantum future of Elliptic Curve Cryptography

This thesis is a literature study on current published quantum-resistant isogeny-based key exchange protocols. Here we cover the topic from foundations. Chapters 1 and 2 discuss classical computation models, algorithm complexity, and how these concepts support the security of modern elliptic curve cryptography methods, such as ECDH and ECDSA. Next, in Chapters 3 to 5, we present quantum computation models, and how Shor's algorithm on quantum computers presents a threat to the future security of classical asymmetric cryptography. We explore the foundations of isogeny-based cryptography, and two key exchange protocols of this kind: SIDH and CSIDH. Appendices A and B are provided for readers wanting more in-depth background explanations on the algebraic geometry of elliptic curves, and quantum mechanics respectively

Ramanujan Graphs and the Random Reducibility of Discrete Log on Isogenous Elliptic Curves

Cryptographic applications using an elliptic curve over a finite field filter curves for suitability using their order as the primary criterion: e.g. checking that their order has a large prime divisor before accepting it. It is therefore natural to ask whether the discrete log problem (dlog) has the same difficulty for all curves with the same order; if so it would justify the above practice. We prove that this is essentially true by showing random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). Our reduction proof works for curves with (nearly) the same endomorphism rings, but it is unclear if such a reduction exists in general. This suggests that in addition to the order, the conductor of its endomorphism ring may play a role. The random self-reducibility for dlog over finite fields is well known; the non-trivial part here is that one must relate non-isomorphic algebraic groups of two isogenous curves. We construct certain expander graphs with elliptic curves as nodes and low degree isogenies as edges, and utilize the rapid mixing of random walks on this graph. We also briefly look at some recommended curves, compare “random ” type NIST FIPS 186-2 curves to other special curves from this standpoint, and suggest a parameter to measure how generic a given curve is