Efficient Algorithms for Supersingular Isogeny Diffie-Hellman

We propose a new suite of algorithms that significantly improve the performance of supersingular isogeny Diffie-Hellman SIDH key exchange. Subsequently, we present a full-fledged implementation of SIDH that is geared towards the 128-bit quantum and 192-bit classical security levels. Our library is the first constant-time SIDH implementation and is upi¾?to 2.9 times faster than the previous best non-constant-time SIDH software. The high speeds in this paper are driven by compact, inversion-free point and isogeny arithmetic and fast SIDH-tailored field arithmetic: on an Intel Haswell processor, generating ephemeral public keys takes 46 million cycles for Alice and 52 million cycles for Bob, while computing the shared secret takes 44 million and 50 million cycles, respectively. The size of public keys is only 564 bytes, which is significantly smaller than most of the popular post-quantum key exchange alternatives. Ultimately, the size and speed of our software illustrates the strong potential of SIDH as a post-quantum key exchange candidate and we hope that these results encourage a wider cryptanalytic effort.

[1]  P. L. Montgomery Modular multiplication without trial division , 1985 .

[2]  David Jao,et al.  Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies , 2011, J. Math. Cryptol..

[3]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[4]  Martin E. Hellman,et al.  An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (Corresp.) , 1978, IEEE Trans. Inf. Theory.

[5]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[6]  Paulo S. L. M. Barreto,et al.  Efficient Implementation of Pairing-Based Cryptosystems , 2004, Journal of Cryptology.

[7]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[8]  Anton Stolbunov,et al.  Cryptographic Schemes Based on Isogenies , 2012 .

[9]  Ralph C. Merkle,et al.  Secrecy, authentication, and public key systems , 1979 .

[10]  Paul Barrett,et al.  Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor , 1986, CRYPTO.

[11]  Victor S. Miller,et al.  The Weil Pairing, and Its Efficient Calculation , 2004, Journal of Cryptology.

[12]  Alexander Rostovtsev,et al.  Public-Key Cryptosystem Based on Isogenies , 2006, IACR Cryptol. ePrint Arch..

[13]  Jacques Patarin,et al.  Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms , 1996, EUROCRYPT.

[14]  John M. Martinis,et al.  State preservation by repetitive error detection in a superconducting quantum circuit , 2015, Nature.

[15]  Steven D. Galbraith,et al.  Improved algorithm for the isogeny problem for ordinary elliptic curves , 2011, Applicable Algebra in Engineering, Communication and Computing.

[16]  John J. Cannon,et al.  The Magma Algebra System I: The User Language , 1997, J. Symb. Comput..

[17]  Kouichi Sakurai,et al.  Efficient Elliptic Curve Cryptosystems from a Scalar Multiplication Algorithm with Recovery of the y-Coordinate on a Montgomery-Form Elliptic Curve , 2001, CHES.

[18]  Dan Page,et al.  Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel , 2002, IACR Cryptol. ePrint Arch..

[19]  Steven D. Galbraith,et al.  Computing isogenies between supersingular elliptic curves over Fp\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mat , 2013, Designs, Codes and Cryptography.

[20]  Steven D. Galbraith,et al.  Computing pairings using x-coordinates only , 2009, Des. Codes Cryptogr..

[21]  Bernd Meyer,et al.  Differential Fault Attacks on Elliptic Curve Cryptosystems , 2000, CRYPTO.

[22]  Michael Hamburg,et al.  Fast and compact elliptic-curve cryptography , 2012, IACR Cryptol. ePrint Arch..

[23]  Seiichiro Tani,et al.  Claw finding algorithms using quantum walk , 2007, Theor. Comput. Sci..

[24]  Stephen C. Pohlig,et al.  An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance , 2022, IEEE Trans. Inf. Theory.

[25]  Benjamin Smith,et al.  Fast, uniform, and compact scalar multiplication for elliptic curves and genus 2 Jacobians with applications to signature schemes , 2015, IACR Cryptol. ePrint Arch..

[26]  Shengyu Zhang Promised and Distributed Quantum Search , 2005, COCOON.

[27]  P. L. Montgomery Speeding the Pollard and elliptic curve methods of factorization , 1987 .

[28]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[29]  Eric R. Verheul,et al.  Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems , 2001, Journal of Cryptology.

[30]  Tolga Acar,et al.  Analyzing and comparing Montgomery multiplication algorithms , 1996, IEEE Micro.

[31]  Reinier Bröker,et al.  CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES , 2007 .

[32]  S. Galbraith Constructing Isogenies between Elliptic Curves Over Finite Fields , 1999 .

[33]  C. D. Walter,et al.  Montgomery exponentiation needs no final subtractions , 1999 .

[34]  R. Schoelkopf,et al.  Superconducting Circuits for Quantum Information: An Outlook , 2013, Science.

[35]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[36]  David Jao,et al.  A Quantum Algorithm for Computing Isogenies between Supersingular Elliptic Curves , 2014, INDOCRYPT.

[37]  Steven D. Galbraith,et al.  Easy decision-Diffie-Hellman groups , 2004, IACR Cryptol. ePrint Arch..

[38]  Chae Hoon Lim,et al.  A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroupp , 1997, CRYPTO.

[39]  Steven D. Galbraith,et al.  Computing isogenies between supersingular elliptic curves over F_p , 2013 .

[40]  Michael Hamburg,et al.  Ed448-Goldilocks, a new elliptic curve , 2015, IACR Cryptol. ePrint Arch..

[41]  Patrick Longa,et al.  Faster Explicit Formulas for Computing Pairings over Ordinary Curves , 2011, EUROCRYPT.

[42]  Michele Mosca,et al.  Cybersecurity in an Era with Quantum Computers: Will We Be Ready? , 2017, IEEE Security & Privacy.

[43]  Andrew V. Sutherland Identifying supersingular elliptic curves , 2011, 1107.1140.

[44]  Reza Azarderakhsh,et al.  Key Compression for Isogeny-Based Cryptosystems , 2016, AsiaPKC '16.

[45]  Reza Azarderakhsh,et al.  Efficient Implementations of A Quantum-Resistant Key-Exchange Protocol on Embedded systems , 2014 .

[46]  Michael Scott,et al.  Computing the Tate Pairing , 2005, CT-RSA.

[47]  M. Scott Implementing cryptographic pairings , 2007 .

[48]  Steven D. Galbraith,et al.  Extending the GHS Weil Descent Attack , 2002, EUROCRYPT.

[49]  Daniel J. Bernstein,et al.  Curve25519: New Diffie-Hellman Speed Records , 2006, Public Key Cryptography.

[50]  Daniel Smith-Tone,et al.  Report on Post-Quantum Cryptography , 2016 .

[51]  David Jao,et al.  Constructing elliptic curve isogenies in quantum subexponential time , 2010, J. Math. Cryptol..

[52]  Arjen K. Lenstra,et al.  Generating RSA Moduli with a Predetermined Portion , 1998, ASIACRYPT.

[53]  J. Tate Endomorphisms of abelian varieties over finite fields , 1966 .