The Existence of Cycles in the Supersingular Isogeny Graphs Used in SIKE

In this paper, we consider the structure of isogeny graphs in SIDH, that is an isogeny-based key-exchange protocol. SIDH is the underlying protocol of SIKE, which is one of the candidates for NIST post quantum cryptography standardization. Since the security of SIDH is based on the hardness of the path-finding problem in isogeny graphs, it is important to study those structure. The existence of cycles in isogeny graph is related to the path-finding problem, so we investigate cycles in the graphs used in SIKE. In particular, we focus on SIKEp434 and SIKEp503, which are the parameter sets of SIKE claimed to satisfy the NIST security level 1 and 2, respectively. We show that there are two cycles in the 3-isogeny graph in SIKEp434, and there is no cycles in the other graphs in SIKEp434 and SIKEp503

Post-Quantum Cryptography from Supersingular Isogenies (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)

This paper is based on a presentation made at RIMS conference on “Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties”, so-called “Supersingular 2020”. Post-quantum cryptography is a next-generation public-key cryptosystem that resistant to cryptoanalysis by both classical and quantum computers. Isogenies between supersingular elliptic curves present one promising candidate, which is called isogeny-based cryptography. In this paper, we give an introduction to two isogeny-based key exchange protocols, SIDH [17] and CSIDH [2], which are considered as a standard in the subject so far. Moreover, we explain briefly our recent result [24] about cycles in the isogeny graphs used in some parameters of SIKE, which is a key encapsulation mechanism based on SIDH

Isogeny-based post-quantum key exchange protocols

The goal of this project is to understand and analyze the supersingular isogeny Diffie Hellman (SIDH), a post-quantum key exchange protocol which security lies on the isogeny-finding problem between supersingular elliptic curves. In order to do so, we first introduce the reader to cryptography focusing on key agreement protocols and motivate the rise of post-quantum cryptography as a necessity with the existence of the model of quantum computation. We review some of the known attacks on the SIDH and finally study some algorithmic aspects to understand how the protocol can be implemented

Collisions in Supersingular Isogeny Graphs and the SIDH-based Identification Protocol

The digital signature schemes that have been proposed so far in the setting of the Supersingular Isogeny Diffie-Hellman scheme (SIDH) were obtained by applying the Fiat-Shamir transform - and a quantum-resistant analog, the Unruh transform - to an interactive identification protocol introduced by De Feo, Jao and Plût. The security of the resulting schemes is therefore deduced from that of the base identification protocol. In this paper, we revisit the proofs that have appeared in the literature for the special soundness property of the aforementioned SIDH-based identification protocol. All such proofs consider the same extraction algorithm, which is claimed to always extract the witness for a statement x when given two valid transcripts, with the same commitment and different challenges, relative to x itself. We show that this is not always the case, with some explicit counterexamples. The general argument fails due to some special cycles, which we call collisions, in supersingular isogeny graphs. We provide some theoretical results on their existence, and discuss their impact on the security of the SIDH-based digital signatures. Relying on the Generalised Riemann Hypothesis, we also introduce an alternative extractor for which we rigorously prove the special soundness property

Faster Key Generation of Supersingular Isogeny Diffie-Hellman

Supersingular isogeny Diffe-Hellman (SIDH) is attractive for its relatively small public key size, but it is still unsatisfactory due to its effciency, compared to other post-quantum proposals. In this paper, we focus on the performance of SIDH when the starting curve is $E_6 : y^2 = x^3 + 6x^2 + x$, which is fixed in Round-3 SIKE implementation. Inspired by the previous work, we present several tricks to accelerate key generation of SIDH and each process of SIKE. Our experimental results show that the performance of this work is at least $6.09\%$ faster than that of the current SIKE implementation, and we can further improve the performance when large storage is available

Action de Groupe Supersingulières et Echange de Clés Post-quantique

Alice and Bob want to exchange information and make sure that an eavesdropper will not be able to listen to them, even with a quantum computer.To that aim they use cryptography and in particular a key-exchange protocol. These type of protocols rely on number theory and algebraic geometry. However current protocols are not quantum resistant, which is the reason why new cryptographic tools must be developed. One of these tools rely on isogenies, i.e. homomorphisms between elliptic curves. In this thesis the first contribution is an implementation of an isogeny-based key-exchange protocol resistant against side-channel attacks (timing and power consumption analysis, fault injection). We also generalize this protocol to a larger set of elliptic curves.Alice et Bob souhaitent échanger des informations sans qu’un attaquant, même muni d’un ordinateur quantique, puisse les entendre. Pour cela, ils ont recours à la cryptologie et en particulier à un protocole d’échange de clés. Ces protocoles reposent sur la théorie des nombres et la géométrie algébrique. Cependant les protocoles actuellement utilisés ne résistent pas aux attaques quantiques, c’est pourquoi il est nécessaire de développer de nouveaux outils cryptographiques. L’un de ces outils repose sur les isogénies, c’est-à-dire des homomorphismes entre des courbes elliptiques. Dans cette thèse nous proposons une implémentation d’un des protocoles d’échange de clés basé sur les isogénies qui résiste aux attaques par canaux auxiliaires (étude de la durée d’exécution, de la consommation de courant et injection de fautes). Nous généralisons également ce protocole à un plus grand ensemble de courbes elliptiques

A faster way to the CSIDH

Recently Castryck, Lange, Martindale, Panny, and Renes published CSIDH, a new key exchange scheme using supersingular elliptic curve isogenies. Due to its small key sizes, and the possibility of a non-interactive and a static-static key exchange, CSIDH seems very interesting for practical applications. However, the performance is rather slow. Therefore, we employ some techniques to speed up the algorithms, mainly by restructuring the elliptic curve point multiplications and by using twisted Edwards curves in the isogeny image curve computations, yielding a speed-up factor of 1.33 in comparison to the implementation of Castryck et al. Furthermore, we suggest techniques for constant-time implementations

Adventures in Supersingularland

In this paper, we study isogeny graphs of supersingular elliptic curves. Supersingular isogeny graphs were introduced as a hard problem into cryptography by Charles, Goren, and Lauter for the construction of cryptographic hash functions [CGL06]. These are large expander graphs, and the hard problem is to find an efficient algorithm for routing, or path-finding, between two vertices of the graph. We consider four aspects of supersingular isogeny graphs, study each thoroughly and, where appropriate, discuss how they relate to one another. First, we consider two related graphs that help us understand the structure: the `spine' $\mathcal{S}$, which is the subgraph of $\mathcal{G}_\ell(\overline{\mathbb{F}_p})$ given by the $j$-invariants in $\mathbb{F}_p$, and the graph $\mathcal{G}_\ell(\mathbb{F}_p)$, in which both curves and isogenies must be defined over $\mathbb{F}_p$. We show how to pass from the latter to the former. The graph $\mathcal{S}$ is relevant for cryptanalysis because routing between vertices in $\mathbb{F}_p$ is easier than in the full isogeny graph. The $\mathbb{F}_p$-vertices are typically assumed to be randomly distributed in the graph, which is far from true. We provide an analysis of the distances of connected components of $\mathcal{S}$. Next, we study the involution on $\mathcal{G}_\ell(\overline{\mathbb{F}_p})$ that is given by the Frobenius of $\mathbb{F}_p$ and give heuristics on how often shortest paths between two conjugate $j$-invariants are preserved by this involution (mirror paths). We also study the related question of what proportion of conjugate $j$-invariants are $\ell$-isogenous for $\ell = 2,3$. We conclude with experimental data on the diameters of supersingular isogeny graphs when $\ell = 2$ and compare this with previous results on diameters of LPS graphs and random Ramanujan graphs.Comment: 46 pages. Comments welcom