Key Compression for Isogeny-Based Cryptosystems

We present a method for key compression in quantum-resistant isogeny-based cryptosystems, which reduces the size, and hence the transmission cost, of per-party public information by a factor of two, with no effect on security. We achieve this reduction by associating a canonical choice of elliptic curve to each j-invariant, and by representing points on the curve as linear combinations with respect to a canonical choice of basis. This method of compressing public information can be applied to numerous isogeny-based protocols, such as key exchange, zero-knowledge identification, and public-key encryption. We implemented the key exchange with compression and decompression in C on both personal computers and ARM platforms, and we provide timing results showing the computational cost of key compression and decompression at various security levels. Our results show that isogeny-based cryptosystems achieve by far the smallest possible key sizes among all existing families of post-quantum cryptosystems at practical security levels; e.g. 3073-bit public keys at the quantum 128-bit security level, comparable to (non-quantum) RSA key sizes.
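The core idea of the abstract, a torsion point sent as two small scalars (its coefficients with respect to a fixed basis of E[ℓ^e]) instead of as F_{p²} coordinates, worked through on a toy instance. This is an added example, not code from the paper: the parameters (p = 431 = 2^4·3^3 − 1, the curve y² = x³ + x, ℓ^e = 27) are constructed, the basis is derived from the distortion map (x, y) → (−x, iy) rather than the paper's canonical-basis construction, and the discrete logarithm is brute-forced rather than computed with a smooth-order algorithm.

```python
from itertools import product

# Constructed toy parameters: p = 431 is prime with p = 3 mod 4, so y^2 = x^3 + x is
# supersingular, #E(F_p) = p + 1 = 432 and #E(F_{p^2}) = 432^2; E[27] = (Z/27)^2 is F_{p^2}-rational.
p, l, e = 431, 3, 3
N = l ** e
O = None                                        # point at infinity
# F_{p^2} = F_p[i] with i^2 = -1; an element is a pair (re, im).
def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def finv(u):
    d = pow(u[0]*u[0] + u[1]*u[1], p - 2, p)    # inverse of the norm a^2 + b^2
    return (u[0] * d % p, (-u[1] * d) % p)
def add(P1, P2):
    """Affine group law on y^2 = x^3 + x (Weierstrass a = 1, b = 0)."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if fadd(y1, y2) == (0, 0): return O      # P2 = -P1 (covers 2-torsion doubling)
        lam = fmul(fadd(fmul((3, 0), fmul(x1, x1)), (1, 0)), finv(fadd(y1, y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))
def mul(k, R):
    acc = O
    while k:
        if k & 1: acc = add(acc, R)
        R, k = add(R, R), k >> 1
    return acc
def torsion_basis():
    """P: F_p-rational point of exact order N; Q = psi(P) with psi(x, y) = (-x, i*y)."""
    for x in range(1, p):
        rhs = (x**3 + x) % p
        y = pow(rhs, (p + 1) // 4, p)            # sqrt in F_p (p = 3 mod 4) when rhs is a square
        if y * y % p != rhs: continue
        P = mul((p + 1) // N, ((x, 0), (y, 0)))  # clear the cofactor 16
        if mul(N // l, P) is O: continue         # order < N, try the next x
        Q = ((-P[0][0] % p, 0), (0, P[1][0]))
        T = mul(N // l, Q)                       # P, Q span E[N] iff [N/l]P, [N/l]Q independent in E[l]
        assert all(T != mul(k, mul(N // l, P)) for k in range(l))
        return P, Q
def compress(R, P, Q):
    """Encode R in E[N] as (a, b) with R = aP + bQ: two scalars < N instead of four F_p coordinates."""
    for a, b in product(range(N), repeat=2):     # brute-force 2D discrete log, fine for N^2 = 729
        if add(mul(a, P), mul(b, Q)) == R: return (a, b)
def decompress(a, b, P, Q):
    return add(mul(a, P), mul(b, Q))
```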
