Cryptographic Schemes Based on Isogenies

In this thesis we use isogenies between ordinary elliptic curves for the construction of new cryptographic schemes. The thesis is organized into an introductory chapter followed by three articles. In the introduction we motivate our work by the necessity of exploring new computationally hard problems applicable to cryptography. We describe our work and results, and survey the related work. We also give the background material from algebraic number theory and provide explanatory examples.

In the first paper we propose a number of cryptographic schemes based on the group action on a set: a public-key encryption scheme PE, a key agreement protocol KA1, three authenticated key agreement protocols, and some related schemes. We construct an implementation of these schemes for the action of the ideal class group CL(O_K) of an imaginary quadratic field K on the set ELL_{p,n}(O_K) of isomorphism classes of elliptic curves over F_p with n points and endomorphism ring O_K. Implementation details, such as the representation of set and group elements, the group action, sampling from CL(O_K), and cryptosystem parameter generation, are described as well. The paper presents speed measurements of our trial implementation.

In the second paper we provide security reductions for the protocol KA1 and the encryption scheme PE. For the KA1 protocol we use the notion of session-key security in the authenticated-links model proposed by Canetti and Krawczyk. For the PE scheme we use a version of the semantic security notion proposed by Goldwasser and Micali. We prove that the security of the KA1 protocol and the PE scheme is based on the decisional Diffie-Hellman group action (DDHA) problem, which is defined in our paper. The class-group DDHA problem is reducible to the isogeny problem: given two isogenous ordinary elliptic curves, compute an isogeny between them. The isogeny problem is studied in our third paper.
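As an added illustration (not code from the thesis or from its trial implementation), the following Python program shows the generic shape of a key agreement protocol, a public-key encryption scheme and a DDHA challenge built on a commutative group action. The abstract does not give the exact messages of KA1 or PE, so the Diffie-Hellman-style agreement and the ElGamal-style encryption below are an assumed structure; the action itself is a constructed toy (exponentiation in the 509-element subgroup of (Z/1019Z)^*), not the class-group action on ELL_{p,n}(O_K). Only act(), sample() and base_point() depend on the action, so an implementation of the class-group action could be substituted without touching the protocol code.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed toy instance of a commutative group action (NOT the class-group
# action on ELL_{p,n}(O_K) that the thesis implements): G = (Z/qZ)^* acts on the
# order-q subgroup X of (Z/pZ)^*, p = 2q + 1, by g.x = x^g mod p.
# Its hardness is a 10-bit discrete logarithm, i.e. none; it only shows the shape.
@dataclass(frozen=True)
class ToyAction:
    p: int = 1019   # safe prime (toy size)
    q: int = 509    # p = 2q + 1, the order of X

    def base_point(self) -> int:
        return 4    # a square mod p other than 1, hence of order q: the fixed x0

    def sample(self) -> int:
        return 1 + secrets.randbelow(self.q - 1)   # uniform in G = {1, ..., q-1}

    def act(self, g: int, x: int) -> int:
        return pow(x, g, self.p)


def keygen(action: ToyAction):
    """Private key a in G, public key a.x0 in X."""
    a = action.sample()
    return a, action.act(a, action.base_point())


def key_agreement(action: ToyAction):
    """Diffie-Hellman-style agreement from the action (assumed KA1 structure)."""
    a, pub_a = keygen(action)          # Alice publishes a.x0
    b, pub_b = keygen(action)          # Bob publishes b.x0
    k_alice = action.act(a, pub_b)     # a.(b.x0)
    k_bob = action.act(b, pub_a)       # b.(a.x0): equal because G is commutative
    return k_alice, k_bob


def kdf(action: ToyAction, x: int, n: int) -> bytes:
    """Derive n key bytes from a shared set element."""
    return hashlib.shake_256(f"{action.p}|{x}".encode()).digest(n)


def encrypt(action: ToyAction, pub: int, msg: bytes):
    """ElGamal-style PE analogue (assumed structure): fresh r, pad from r.(a.x0)."""
    r = action.sample()
    c1 = action.act(r, action.base_point())
    pad = kdf(action, action.act(r, pub), len(msg))
    return c1, bytes(m ^ k for m, k in zip(msg, pad))


def decrypt(action: ToyAction, priv: int, ciphertext):
    c1, c2 = ciphertext
    pad = kdf(action, action.act(priv, c1), len(c2))   # a.(r.x0) == r.(a.x0)
    return bytes(c ^ k for c, k in zip(c2, pad))


def ddha_instance(action: ToyAction, real: bool):
    """DDHA challenge: (x0, a.x0, b.x0, z) with z = ab.x0 (real) or z = c.x0 (random).
    Breaking KA1/PE in the abstract's sense means telling these apart."""
    x0 = action.base_point()
    a, b, c = action.sample(), action.sample(), action.sample()
    z = action.act(a, action.act(b, x0)) if real else action.act(c, x0)
    return x0, action.act(a, x0), action.act(b, x0), z


if __name__ == "__main__":
    toy = ToyAction()
    print("shared keys agree:", key_agreement(toy))
    sk, pk = keygen(toy)
    print("round trip:", decrypt(toy, sk, encrypt(toy, pk, b"constructed sample")))
```

The XOR pad is the simplest way to turn the shared set element into an encryption; the session keys and the DDHA tuple are what the security reductions of the second paper talk about, and at this toy size the instance is of course trivially distinguishable.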
A low-storage algorithm for this problem was proposed by Galbraith, Hess and Smart (GHS) in 2002. We give an improvement of the GHS algorithm by modifying the pseudorandom walk so that lower-degree isogenies are used more frequently. This is motivated by the fact that high-degree isogenies are slower to compute than low-degree ones. We analyse the running time of the parallel collision search algorithm when the partitioning is uneven. We also give experimental results. We conclude that our isogeny problem algorithm is around 14 times faster than the GHS algorithm when constructing horizontal isogenies between random isogenous elliptic curves over a 160-bit prime field. The expected running time of our improved algorithm indicates that the computational complexity of the isogeny problem is currently exponential in log(p).
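To make the collision-search idea concrete, here is an added toy simulation in Python; it is neither the thesis's code nor the GHS implementation. It models the isogeny class as the cyclic group Z_N (the class group acting on ELL_{p,n}(O_K) is abelian, so a horizontal l-isogeny step becomes adding a fixed offset), picks the next step from a hash of the current point so that two walks which meet stay merged, stops walks at distinguished points, and lets the partition weights favour the low-degree steps as the abstract proposes. N, the degree set, the offsets, the cost model (l^2 per l-step) and the distinguished-point fraction are all constructed assumptions, and the parallel search is simulated serially.

```python
import hashlib
import random

# Constructed toy model (NOT the thesis's or the GHS implementation): the set of
# curves in the isogeny class is the cyclic group Z_N, the start curve E is the
# point 0, the target curve E' is the unknown point T, and an l-isogeny step is
# modelled as adding the fixed offset STEP[l] mod N.
N = 100_003
DEGREES = [3, 5, 7, 11, 13]                       # small isogeny degrees the walk may use
STEP = {l: (7919 * l) % N for l in DEGREES}       # constructed, distinct offsets standing in for l-isogenies
COST = {l: l * l for l in DEGREES}                # constructed cost model: an l-step costs l^2


def partition_table(weights):
    """Cumulative 32-bit thresholds: degree l gets a share of the walk proportional to weights[l]."""
    total = sum(weights[l] for l in DEGREES)
    table, acc = [], 0
    for l in DEGREES:
        acc += weights[l]
        table.append((l, (acc * 2**32) // total))
    table[-1] = (table[-1][0], 2**32)             # close any rounding gap
    return table


def digest(x):
    """64-bit hash of a point. The walk must depend on the point only, so that
    two walks which ever meet follow the same path from then on."""
    return int.from_bytes(hashlib.blake2b(x.to_bytes(4, "big"), digest_size=8).digest(), "big")


def next_degree(x, table):
    """Choose the degree of the next step from the low 32 hash bits (uneven partition)."""
    u = digest(x) & 0xFFFFFFFF
    for l, threshold in table:
        if u < threshold:
            return l


def distinguished(x, theta_bits=4):
    """Distinguished point: high hash bits end in theta_bits zeros (fraction 2^-theta_bits)."""
    return (digest(x) >> 32) % (1 << theta_bits) == 0


def walk(start, table, theta_bits=4):
    """Walk from start to a distinguished point; returns (point, offset walked, cost, degrees used)."""
    x, offset, cost, path = start, 0, 0, []
    for _ in range(20 << theta_bits):             # abandon a walk that cycles without a distinguished point
        if distinguished(x, theta_bits):
            return x, offset, cost, path
        l = next_degree(x, table)
        x = (x + STEP[l]) % N
        offset = (offset + STEP[l]) % N
        cost += COST[l]
        path.append(l)
    return None


def solve(target, weights, seed=0, theta_bits=4):
    """Serial simulation of parallel collision search for T with E' = E + T.
    Walks start from E (side 0) or E' (side 1) moved by a known random r; a
    distinguished point reached from both sides yields T. Returns (T, total cost)."""
    rng = random.Random(seed)
    table = partition_table(weights)
    seen = {}                                     # distinguished point -> (side, known offset)
    total_cost = 0
    while True:
        side = rng.randrange(2)
        r = rng.randrange(N)
        result = walk((r + side * target) % N, table, theta_bits)
        if result is None:
            continue
        d, offset, cost, _path = result           # _path is this side's half of the isogeny
        total_cost += cost
        known = (r + offset) % N                  # d == known (side 0) or d == T + known (side 1)
        if d in seen and seen[d][0] != side:
            other_known = seen[d][1]
            off_e, off_e2 = (known, other_known) if side == 0 else (other_known, known)
            return (off_e - off_e2) % N, total_cost   # off_e == T + off_e2  =>  T == off_e - off_e2
        seen.setdefault(d, (side, known))


if __name__ == "__main__":
    T = 54321
    uniform = {l: 1 for l in DEGREES}
    skewed = {3: 8, 5: 4, 7: 2, 11: 1, 13: 1}     # cheap low-degree steps taken more often
    for name, w in (("uniform", uniform), ("skewed", skewed)):
        costs = [solve(T, w, seed=s)[1] for s in range(20)]
        print(name, "mean cost over 20 runs:", sum(costs) / len(costs))
```

Skewing the partition towards cheap steps makes the walk less random, so the expected number of steps before a collision rises while the cost per step falls; the abstract's running-time analysis for uneven partitioning is about exactly this trade-off, and the comparison in the main block shows it on the toy (the numbers depend entirely on the constructed cost model).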
