ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL - - PowerPoint PPT Presentation
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques de Marseille Number-Theoretic Methods in Cryptology 2019 Sorbonne Universit, Institut de Mathmatiques de Jussieu Paris, 26 June 2019 Leonardo
LEONARDOCOLÒ & DAVIDKOHEL
Institut de Mathématiques de Marseille Number-Theoretic Methods in Cryptology 2019 Sorbonne Université, Institut de Mathématiques de Jussieu Paris, 26 June 2019
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019
Introduction Isogeny Graphs
Definition Given an elliptic curve 𝐹 over 𝑙, and a finite set of primes 𝑇, we can associate an isogeny graph Γ = (𝐹, 𝑇)
▶ whose vertices are elliptic curves isogenous to E over ̄
𝑙, and
▶ whose edges are isogenies of degree ℓ ∈ 𝑇.
The vertices are defined up to ̄ 𝑙-isomorphism (therefore represented by 𝑘-invariants), and the edges from a given vertex are defined up to a ̄ 𝑙-isomorphism of the codomain. If 𝑇 = {ℓ}, then we call Γ an ℓ-isogeny graph. For an elliptic curve 𝐹/𝑙 and prime ℓ ≠ char(𝑙), the full ℓ-torsion subgroup is a 2-dimensional 𝔾ℓ-vector space. Consequently, the set of cyclic subgroups is in bijection with ℙ1(𝔾ℓ), which in turn are in bijection with the set of ℓ-isogenies from 𝐹. Thus the ℓ-isogeny graph of 𝐹 is (ℓ + 1)-regular (as a directed multigraph). In characteristic 0, if End(𝐹) = ℤ, then this graph is a tree.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 1 / 25
Introduction Isogeny Graphs
Let End(𝐹) = 𝒫 ⊆ 𝐿. The class group Cl(𝒫) (finite abelian group) acts faithfully and transitively on the set of elliptic curves with endomorphism ring 𝒫: 𝐹 ⟶ 𝐹/𝐹[𝔟] 𝐹[𝔟] = {𝑄 ∈ 𝐹 | 𝛽(𝑄) = 0 ∀𝛽 ∈ 𝔟} Thus, the CM isogeny graphs can be modelled by an equivalent category of fractional ideals of 𝐿.
OK Z [π] End(E)
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 2 / 25
Introduction Isogeny Graphs
The supersingular isogeny graphs are remarkable because the vertex sets are finite : there are [𝑞/12] + 𝜗𝑞 curves. Moreover
▶ every supersingular elliptic curve can be defined over 𝔾𝑞2; ▶ all ℓ-isogenies are defined over 𝔾𝑞2; ▶ every endomorphism of 𝐹 is defined over 𝔾𝑞2.
The lack of a commutative group acting on the set of supersingular elliptic curves/𝔾𝑞2 makes the isogeny graph more complicated. For this reason, supersingular isogeny graphs have been proposed for
▶ cryptographic hash functions (Goren–Lauter), ▶ post-quantum SIDH key exchange protocol.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 3 / 25
OSIDH Motivation
A new key exchange protocol, CSIDH, analogous to SIDH, uses only 𝔾𝑞-rational elliptic curves (up to 𝔾𝑞-isomorphism), and 𝔾𝑞-rational isogenies. The constraint to 𝔾𝑞-rational isogenies can be interpreted as an orientation of the supersingular graph by the subring ℤ[𝜌] of End(𝐹) generated by the Frobenius endomorphism 𝜌. We introduce a general notion of orienting supersingular elliptic curves. Motivation
▶ Generalize CSIDH. ▶ Key space of SIDH: in order to have the two key spaces of similar size,
we need to take ℓ𝑓𝐵
𝐵 ≈ ℓ𝑓𝐶 𝐶 ≈ √𝑞. This implies that the space of choices
for the secret key is limited to a fraction of the whole set of supersingular 𝑘-invariants over 𝔾𝑞2.
▶ A feature shared by SIDH and CSIDH is that the isogenies are
constructed as quotients of rational torsion subgroups. The need for rational points limits the choice of the prime 𝑞
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 4 / 25
OSIDH Orientations
Let 𝒫 be an order in an imaginary quadratic field. An 𝒫-orientation on a supersingular elliptic curve 𝐹 is an inclusion 𝜅 ∶ 𝒫 ↪ End(𝐹), and a 𝐿-orientation is an inclusion 𝜅 ∶ 𝐿 ↪ End0(𝐹) = End(𝐹) ⊗ℤ ℚ. An 𝒫-orientation is primitive if 𝒫 ≃ End(𝐹) ∩ 𝜅(𝐿). Theorem The category of 𝐿-oriented supersingular elliptic curves (𝐹, 𝜅), whose mor- phisms are isogenies commuting with the 𝐿-orientations, is equivalent to the category of elliptic curves with CM by 𝐿. Let 𝜚 ∶ 𝐹 → 𝐺 be an isogeny of degree ℓ. A 𝐿-orientation 𝜅 ∶ 𝐿 ↪ End0(𝐹) determines a 𝐿-orientation 𝜚∗(𝜅) ∶ 𝐿 ↪ End0(𝐺) on 𝐺, defined by 𝜚∗(𝜅)(𝛽) = 1 ℓ 𝜚 ∘ 𝜅(𝛽) ∘ ̂ 𝜚.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 5 / 25
OSIDH Action of the class group
▶ SS(𝑞) = {supersingular elliptic curves over 𝔾𝑞 up to isomorphism}. ▶ SS𝒫(𝑞) = {𝒫-oriented s.s. elliptic curves over 𝔾𝑞 up to 𝐿-isomorphism}. ▶ SS𝑞𝑠 𝒫 (𝑞) =subset of primitive 𝒫-oriented curves.
The set SS𝒫(𝑞) admits a transitive group action: 𝒟 ℓ(𝒫) × SS𝒫(𝑞) SS𝒫(𝑞) ([𝔟] , 𝐹) [𝔟] ⋅ 𝐹 = 𝐹/𝐹[𝔟] Proposition The class group 𝒟 ℓ(𝒫) acts faithfully and transitively on the set of 𝒫- isomorphism classes of primitive 𝒫-oriented elliptic curves. In particular, for fixed primitive 𝒫-oriented 𝐹, we obtain a bijection of sets: 𝒟 ℓ(𝒫) SS𝑞𝑠
𝒫 (𝑞)
[𝔟] [𝔟] ⋅ 𝐹
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 6 / 25
OSIDH Action of the class group
We define a vortex to be the ℓ-isogeny subgraph whose vertices are isomorphism classes of 𝒫-oriented elliptic curves with ℓ-maximal endomorphism ring, equipped with an action of 𝒟 ℓ(𝒫).
Cℓ(O)
Instead of considering the union of different isogeny graphs, we focus on one single crater and we think of all the other primes as acting on it: the resulting
ℓ(𝒫).
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 7 / 25
OSIDH Action of the class group
The action of 𝒟 ℓ(𝒫) extends to the union ⋃𝑗 𝑇𝑇𝒫𝑗 (𝑞) over all superorders 𝒫𝑗 containing 𝒫 via the surjections 𝒟 ℓ(𝒫) → 𝒟 ℓ(𝒫𝑗). We define a whirlpool to be a complete isogeny volcano acted on by the class
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 8 / 25
OSIDH Action of the class group
Actually, we would like to take the ℓ-isogeny graph on the full 𝒟 ℓ(𝒫𝐿)-orbit. This might be composed of several ℓ-isogeny orbits (craters), although the class group is transitive.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 8 / 25
OSIDH Isogeny chains and ladders
Definition An ℓ-isogeny chain of length 𝑜 from 𝐹0 to 𝐹 is a sequence of isogenies of degree ℓ: 𝐹0
𝜚0
⟶ 𝐹1
𝜚1
⟶ 𝐹2
𝜚2
⟶ …
𝜚𝑜−1
⟶ 𝐹𝑜 = 𝐹. The ℓ-isogeny chain is without backtracking if ker (𝜚𝑗+1 ∘ 𝜚𝑗) ≠ 𝐹𝑗[ℓ], ∀𝑗. The isogeny chain is descending (or ascending, or horizontal) if each 𝜚𝑗 is descending (or ascending, or horizontal, respectively). Suppose that (𝐹𝑗, 𝜚𝑗) is a descending ℓ-isogeny chain with 𝒫𝐿 ⊆ End(𝐹0), … , 𝒫𝑜 = ℤ + ℓ𝑜𝒫𝐿 ⊆ End(𝐹𝑜) If 𝔯 is a split prime in 𝒫𝐿 over 𝑟 ≠ ℓ, 𝑞, and then the isogeny 𝜔0 ∶ 𝐹0 → 𝐺0 = 𝐹0/𝐹0 [𝔯], can be extended to the ℓ-isogeny chain by pushing forward the cyclic group 𝐷0 = 𝐹0 [𝔯]: 𝐷0 = 𝐹0 [𝔯] , 𝐷1 = 𝜚0(𝐷0), … , 𝐷𝑜 = 𝜚𝑜−1(𝐷𝑜−1) and defining 𝐺𝑗 = 𝐹𝑗/𝐷𝑗.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 9 / 25
OSIDH Isogeny chains and ladders
Definition An ℓ-ladder of length 𝑜 and degree 𝑟 is a commutative diagram of ℓ-isogeny chains (𝐹𝑗, 𝜚𝑗), (𝐺𝑗, 𝜚′
𝑗) of length 𝑜 connected by 𝑟-isogenies 𝜔𝑗 ∶ 𝐹𝑗 → 𝐺𝑗
E0 E1 E2 En F0 F1 F2 Fn
φ0 φ1 φ2 φn−1 φ′ φ′
1
φ′
2
φ′
n−1
ψ0 ψ1 ψ2 ψn
We also refer to an ℓ-ladder of degree 𝑟 as a 𝑟-isogeny of ℓ-isogeny chains. We say that an ℓ-ladder is ascending (or descending, or horizontal) if the ℓ-isogeny chain (𝐹𝑗, 𝜚𝑗) is ascending (or descending, or horizontal, respectively). We say that the ℓ-ladder is level if 𝜔0 is a horizontal 𝑟-isogeny. If the ℓ-ladder is descending (or ascending), then we refer to the length of the ladder as its depth (or, respectively, as its height).
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 10 / 25
OSIDH Modular isogenies
We say that a subring of End(𝐹) is effective if we have explicit polynomials or rational functions which represent its generators.
𝒫 ⊂ End(𝐹), are the subrings 𝒫 = ℤ[𝜌] generated by Frobenius In the Couveignes-Rostovtsev-Stolbunov constructions, or in the CSIDH protocol, one works with 𝒫 = ℤ[𝜌].
▶ For large finite fields, the class group of 𝒫 is large and the primes 𝔯 in 𝒫
have no small generators. Factoring the division polynomial 𝜔𝑟(𝑦) to find the kernel polynomial of degree (𝑟 − 1)/2 for 𝐹[𝔯] becomes relatively expensive.
▶ In SIDH, the ordinary protocol of De Feo, Smith, and Kieffer, or CSIDH, the
curves are chosen such that the points of 𝐹[𝔯] are defined over a small degree extension 𝜆/𝑙, and working with rational points in 𝐹(𝜆).
▶ We propose the use of an effective CM order 𝒫𝐿 of class number 1.
The kernel polynomial can be computed directly without need for a splitting field for 𝐹[𝔯], and the computation of a generator isogeny is a one-time precomputation.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 11 / 25
OSIDH Modular isogenies
The use of modular curves for efficient computation of isogenies has an established history (see Elkies) Modular Curve The modular curve X(1) ≃ ℙ1 classifies elliptic curves up to isomorphism, and the function 𝑘 generates its function field. The modular polynomial Φ𝑛(𝑌, 𝑍 ) defines a correspondence in X(1) × X(1) such that Φ𝑛(𝑘(𝐹), 𝑘(𝐹′)) = 0 if and only if there exists a cyclic 𝑛-isogeny 𝜚 from 𝐹 to 𝐹′, possibly over some extension field. Definition A modular ℓ-isogeny chain of length 𝑜 over 𝑙 is a finite sequence (𝑘0, 𝑘1, … , 𝑘𝑜) in 𝑙 such that Φℓ(𝑘𝑗, 𝑘𝑗+1) = 0 for 0 ≤ 𝑗 < 𝑜. A modular ℓ-ladder of length 𝑜 and degree 𝑟 over 𝑙 is a pair of modular ℓ-isogeny chains (𝑘0, 𝑘1, … , 𝑘𝑜) and (𝑘′
0, 𝑘′ 1, … , 𝑘′ 𝑜),
such that Φ𝑟(𝑘𝑗, 𝑘′
𝑗) = 0.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 12 / 25
OSIDH OSIDH - Introduction
We consider an elliptic curve 𝐹0 with an effective endomorphism ring (eg. 𝑘0 = 0, 1728) and a chain of ℓ-isogenies. 𝐹0 𝐹1 𝐹2 𝐹𝑜
ℓ ℓ ℓ ℓ
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 13 / 25
OSIDH OSIDH - Introduction
We consider an elliptic curve 𝐹0 with an effective endomorphism ring (eg. 𝑘0 = 0, 1728) and a chain of ℓ-isogenies.
▶ For ℓ = 2 (or 3) a suitable candidate for 𝒫𝐿 could be the Gaussian integers
ℤ[𝑗] or the Eisenstein integers ℤ[𝜕]. 𝐹0 𝐹1 𝐹2 𝐹𝑜
ℓ ℓ ℓ ℓ 𝒫𝐿
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 13 / 25
OSIDH OSIDH - Introduction
We consider an elliptic curve 𝐹0 with an effective endomorphism ring (eg. 𝑘0 = 0, 1728) and a chain of ℓ-isogenies.
▶ Horizontal isogenies must be endomorphisms
𝐹0 𝐹1 𝐹2 𝐹𝑜
ℓ ℓ ℓ ℓ 𝒫𝐿
𝐺0
𝑟
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 13 / 25
OSIDH OSIDH - Introduction
We consider an elliptic curve 𝐹0 with an effective endomorphism ring (eg. 𝑘0 = 0, 1728) and a chain of ℓ-isogenies.
▶ We push forward our 𝑟-orientation obtaining 𝐺1.
𝐹0 𝐹1 𝐹2 𝐹𝑜
ℓ ℓ ℓ ℓ 𝒫𝐿
𝐺0
𝑟
𝐺1
ℓ 𝑟
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 13 / 25
OSIDH OSIDH - Introduction
We consider an elliptic curve 𝐹0 with an effective endomorphism ring (eg. 𝑘0 = 0, 1728) and a chain of ℓ-isogenies.
▶ We repeat the process for 𝐺2.
𝐹0 𝐹1 𝐹2 𝐹𝑜
ℓ ℓ ℓ ℓ 𝒫𝐿
𝐺0
𝑟
𝐺1
ℓ 𝑟
𝐺2
ℓ 𝑟
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 13 / 25
OSIDH OSIDH - Introduction
We consider an elliptic curve 𝐹0 with an effective endomorphism ring (eg. 𝑘0 = 0, 1728) and a chain of ℓ-isogenies.
▶ And again till 𝐺𝑜.
𝐹0 𝐹1 𝐹2 𝐹𝑜
ℓ ℓ ℓ ℓ 𝒫𝐿
𝐺0
𝑟
𝐺1
ℓ 𝑟
𝐺2
ℓ 𝑟
𝐺𝑜
ℓ ℓ 𝑟
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 13 / 25
OSIDH OSIDH - Introduction
In order to have the action of 𝒟 ℓ(𝒫) cover a large portion of the supersingular elliptic curves, we require ℓ𝑜 ∼ 𝑞, i.e., 𝑜 ∼ logℓ(𝑞).
▶ #𝑇𝑇𝑞𝑠 𝒫 (𝑞) = ℎ(𝒫𝑜) =class number of 𝒫𝑜 = ℤ + ℓ𝑜𝒫𝐿. ▶ Class Number Formula
ℎ(ℤ + 𝑛𝒫𝐿) = ℎ(𝒫𝐿)𝑛 [𝒫×
𝐿 ∶ 𝒫×] ∏ 𝑞∣𝑛
(1 − (Δ𝐿 𝑞 ) 1 𝑞)
▶ Units
𝒫×
𝐿 =
⎧ { ⎨ { ⎩ {±1} if Δ𝐿 < −4 {±1, ±𝑗} if Δ𝐿 = −4 {±1, ±𝜕, ±𝜕2} if Δ𝐿 = −3 ⇒ [𝒫×
𝐿 ∶ 𝒫×] =
⎧ { ⎨ { ⎩ 1 if Δ𝐿 < −4 2 if Δ𝐿 = −4 3 if Δ𝐿 = −3
▶ Number of Supersingular curves
#SS(𝑞) = [ 𝑞 12] + 𝜗𝑞 𝜗𝑞 ∈ {0, 1, 2} Therefore, ℎ(ℓ𝑜𝒫𝐿) = 1 ⋅ ℓ𝑜 2 or 3 (1 − (Δ𝐿 ℓ ) 1 ℓ ) = [ 𝑞 12] + 𝜗𝑞 ⟹ 𝑞 ∼ ℓ𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 14 / 25
OSIDH OSIDH - Introduction
If we look at modular polynomials Φℓ(𝑌, 𝑍 ) and Φ𝑟(𝑌, 𝑍 ) we realize that all we need are the 𝑘-invariants: 𝑘0 𝑘1 𝑘𝑜
ℓ ℓ ℓ ℓ 𝒫𝐿
𝑘′
𝑟
𝑘′
1
ℓ 𝑟 ℓ 𝑟
𝑘′
𝑜
ℓ ℓ 𝑟
⎧ { ⎨ { ⎩ Φℓ(𝑘1, 𝑘2) = 0 Φℓ(𝑘′
1, 𝑍 ) = 0
Φ𝑟(𝑘2, 𝑍 ) = 0
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 15 / 25
OSIDH OSIDH - Introduction
If we look at modular polynomials Φℓ(𝑌, 𝑍 ) and Φ𝑟(𝑌, 𝑍 ) we realize that all we need are the 𝑘-invariants: 𝑘0 𝑘1 𝑘𝑜
ℓ ℓ ℓ ℓ 𝒫𝐿
𝑘′
𝑟
𝑘′
1
ℓ 𝑟 ℓ 𝑟
𝑘′
𝑜
ℓ ℓ 𝑟
⎧ { ⎨ { ⎩ Φℓ(𝑘1, 𝑘2) = 0 Φℓ(𝑘′
1, 𝑍 ) = 0
Φ𝑟(𝑘2, 𝑍 ) = 0 Since 𝑘2 is given (the initial chain is known) and supposing that 𝑘′
1 has already
been constructed, 𝑘′
2 is determined by a system of two equations
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 15 / 25
OSIDH OSIDH - Introduction
E0 E0 E0 E′′
1
E′
1
E1 q q ¯ q q2 𝐹′
𝑗 ≠ 𝐹″ 𝑗 if and only if 𝔯2 ∩ 𝒫𝑗 is not principal and the probability that a random
ideal in 𝒫𝑗 is principal is 1/ℎ(𝒫𝑗). In fact, we can do better; we write 𝒫𝐿 = ℤ[𝜕] and we observe that if 𝔯2 was principal, then 𝑟2 = N(𝔯2) = N(𝑏 + 𝑐ℓ𝑗𝜕) since it would be generated by an element of 𝒫𝑗 = ℤ + ℓ𝑗𝒫𝐿. Now N(𝑏 + 𝑐ℓ𝑗) = 𝑏2 ± 𝑏𝑐𝑢ℓ𝑗 + 𝑐2𝑡ℓ2𝑗 where 𝜕2 + 𝑢𝜕 + 𝑡 = 0 Thus, as soon as ℓ2𝑗 > > 𝑟2, we are guaranteed that 𝔯2 is not principal.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 16 / 25
OSIDH A first attempt
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 ALICE BOB Choose a primitive 𝒫𝐿-orientation of 𝐹0
𝐹0 𝐺0 𝐹0 𝐻0
Push it forward to depth 𝑜 𝐹0 = 𝐺0 → 𝐺1 → … → 𝐺𝑜 ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
𝜚𝐵
𝐹0 = 𝐻0 → 𝐻1 → … → 𝐻𝑜 ⏟⏟ ⏟ ⏟ ⏟ ⏟⏟⏟ ⏟ ⏟ ⏟ ⏟⏟
𝜚𝐶
Exchange data {𝐻𝑗}𝑜
𝑗=1
{𝐺𝑗}𝑜
𝑗=1
Compute shared secret Compute 𝜚𝐵 ⋅ {𝐻𝑗} Compute 𝜚𝐶 ⋅ {𝐺𝑗} In the end, Alice and Bob will share a new chain 𝐹0 → 𝐼1 → … → 𝐼𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 17 / 25
OSIDH A first attempt
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 ALICE BOB Choose a primitive 𝒫𝐿-orientation of 𝐹0
𝐹0 𝐺0 𝐹0 𝐻0
Push it forward to depth 𝑜 𝐹0 = 𝐺0 → 𝐺1 → … → 𝐺𝑜 ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
𝜚𝐵
𝐹0 = 𝐻0 → 𝐻1 → … → 𝐻𝑜 ⏟⏟ ⏟ ⏟ ⏟ ⏟⏟⏟ ⏟ ⏟ ⏟ ⏟⏟
𝜚𝐶
Exchange data {𝐻𝑗}𝑜
𝑗=1
{𝐺𝑗}𝑜
𝑗=1
Compute shared secret Compute 𝜚𝐵 ⋅ {𝐻𝑗} Compute 𝜚𝐶 ⋅ {𝐺𝑗} In the end, Alice and Bob will share a new chain 𝐹0 → 𝐼1 → … → 𝐼𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 17 / 25
OSIDH A first attempt
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 ALICE BOB Choose a primitive 𝒫𝐿-orientation of 𝐹0
𝐹0 𝐺0 𝐹0 𝐻0
Push it forward to depth 𝑜 𝐹0 = 𝐺0 → 𝐺1 → … → 𝐺𝑜 ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
𝜚𝐵
𝐹0 = 𝐻0 → 𝐻1 → … → 𝐻𝑜 ⏟⏟ ⏟ ⏟ ⏟ ⏟⏟⏟ ⏟ ⏟ ⏟ ⏟⏟
𝜚𝐶
Exchange data {𝐻𝑗}𝑜
𝑗=1
{𝐺𝑗}𝑜
𝑗=1
Compute shared secret Compute 𝜚𝐵 ⋅ {𝐻𝑗} Compute 𝜚𝐶 ⋅ {𝐺𝑗} In the end, Alice and Bob will share a new chain 𝐹0 → 𝐼1 → … → 𝐼𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 17 / 25
OSIDH A first attempt
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 ALICE BOB Choose a primitive 𝒫𝐿-orientation of 𝐹0
𝐹0 𝐺0 𝐹0 𝐻0
Push it forward to depth 𝑜 𝐹0 = 𝐺0 → 𝐺1 → … → 𝐺𝑜 ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
𝜚𝐵
𝐹0 = 𝐻0 → 𝐻1 → … → 𝐻𝑜 ⏟⏟ ⏟ ⏟ ⏟ ⏟⏟⏟ ⏟ ⏟ ⏟ ⏟⏟
𝜚𝐶
Exchange data {𝐻𝑗}𝑜
𝑗=1
{𝐺𝑗}𝑜
𝑗=1
Compute shared secret Compute 𝜚𝐵 ⋅ {𝐻𝑗} Compute 𝜚𝐶 ⋅ {𝐺𝑗} In the end, Alice and Bob will share a new chain 𝐹0 → 𝐼1 → … → 𝐼𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 17 / 25
OSIDH A first attempt
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 ALICE BOB Choose a primitive 𝒫𝐿-orientation of 𝐹0
𝐹0 𝐺0 𝐹0 𝐻0
Push it forward to depth 𝑜 𝐹0 = 𝐺0 → 𝐺1 → … → 𝐺𝑜 ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
𝜚𝐵
𝐹0 = 𝐻0 → 𝐻1 → … → 𝐻𝑜 ⏟⏟ ⏟ ⏟ ⏟ ⏟⏟⏟ ⏟ ⏟ ⏟ ⏟⏟
𝜚𝐶
Exchange data {𝐻𝑗}𝑜
𝑗=1
{𝐺𝑗}𝑜
𝑗=1
Compute shared secret Compute 𝜚𝐵 ⋅ {𝐻𝑗} Compute 𝜚𝐶 ⋅ {𝐺𝑗} In the end, Alice and Bob will share a new chain 𝐹0 → 𝐼1 → … → 𝐼𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 17 / 25
OSIDH A first attempt
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 ALICE BOB Choose a primitive 𝒫𝐿-orientation of 𝐹0
𝐹0 𝐺0 𝐹0 𝐻0
Push it forward to depth 𝑜 𝐹0 = 𝐺0 → 𝐺1 → … → 𝐺𝑜 ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
𝜚𝐵
𝐹0 = 𝐻0 → 𝐻1 → … → 𝐻𝑜 ⏟⏟ ⏟ ⏟ ⏟ ⏟⏟⏟ ⏟ ⏟ ⏟ ⏟⏟
𝜚𝐶
Exchange data {𝐻𝑗}𝑜
𝑗=1
{𝐺𝑗}𝑜
𝑗=1
Compute shared secret Compute 𝜚𝐵 ⋅ {𝐻𝑗} Compute 𝜚𝐶 ⋅ {𝐺𝑗} In the end, Alice and Bob will share a new chain 𝐹0 → 𝐼1 → … → 𝐼𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 17 / 25
OSIDH A first attempt
𝐹0 𝐹1 𝐹2 𝐹3 𝐹𝑜 𝐹′
1
𝐹0 𝐹1 𝐹2 𝐹𝑜 𝐹″
1
𝐺𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 18 / 25
OSIDH A first attempt
𝐹0 𝐹1 𝐹2 𝐹3 𝐹𝑜 𝐹′
1
𝐹0 𝐹1 𝐹2 𝐹𝑜 𝐹″
1
𝐺0 𝐺𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 18 / 25
OSIDH A first attempt
𝐹0 𝐹1 𝐹2 𝐹3 𝐹𝑜 𝐹′
1
𝐹0 𝐹1 𝐹2 𝐹𝑜 𝐹″
1
𝐺0 𝐺1 𝐺1 𝐺𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 18 / 25
OSIDH A first attempt
𝐹0 𝐹1 𝐹2 𝐹3 𝐹𝑜 𝐹′
1
𝐹0 𝐹1 𝐹2 𝐹𝑜 𝐹″
1
𝐺0 𝐺1 𝐺1 𝐺2 𝐺2 𝐺𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 18 / 25
OSIDH A first attempt
𝐹0 𝐹1 𝐹2 𝐹3 𝐹𝑜 𝐹′
1
𝐹0 𝐹1 𝐹2 𝐹𝑜 𝐹″
1
𝐺0 𝐺1 𝐺1 𝐺2 𝐺2 𝐺3 𝐺4 𝐺5 𝐺𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 18 / 25
OSIDH A first attempt
𝐹0 𝐹1 𝐹2 𝐹3 𝐹𝑜 𝐹′
1
𝐹0 𝐹1 𝐹2 𝐹𝑜 𝐹″
1
𝐺0 𝐺1 𝐺1 𝐺2 𝐺2 𝐺3 𝐺4 𝐺5 𝐺𝑜 𝐺𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 18 / 25
OSIDH A first attempt
𝐹0 𝐹1 𝐹2 𝐹3 𝐹𝑜 𝐹′
1
𝐹0 𝐹1 𝐹2 𝐹𝑜 𝐺1 𝐺2 𝐺3 𝐺4 𝐺5 𝐺𝑜 𝐹″
1 = 𝐻1
𝐻2 𝐻3 𝐻4 𝐻5 𝐻𝑜 𝐻0 𝐻1 𝐻2 𝐻𝑜
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 18 / 25
OSIDH A first attempt
E0 F0 G0 H0 E1 F1 G1 H1 E2 F2 G2 H2 En Fn Gn Hn Bob Alice
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 18 / 25
OSIDH A first attempt
In reality, sharing (𝐺𝑗) and (𝐻𝑗) reveals too much of the private data. From the short exact sequence of class groups: 1 → (𝒫𝐿/ℓ𝑜𝒫𝐿)× 𝒫×
𝐿 (ℤ/ℓ𝑜ℤ)× → 𝒟
ℓ(𝒫) → 𝒟 ℓ(𝒫𝐿) → 1 an adversary can compute successive approximations (mod ℓ𝑗) to 𝜚𝐵 and 𝜚𝐶 modulo ℓ𝑜 hence in 𝒟 ℓ(𝒫).
ψA m
ℓ O
K
ψA m
ℓ2 OK ψA m
ℓ
3
O
K
ψA m
ℓ
4
O
K
ψ
A
m
ℓnOK
E0 E1 E2 E3 E4 En F1 F2 F3 F4 Fn
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 19 / 25
OSIDH The protocol
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 and a set of splitting primes 𝔮1, … , 𝔮𝑢 ⊆ 𝒫𝑜 ⊆ End(𝐹𝑜) ∩ 𝐿 ⊆ 𝒫𝐿 ALICE BOB Choose integers in a bound [−𝑠, 𝑠] (𝑓1, … , 𝑓𝑢) (𝑒1, … , 𝑒𝑢) Construct an isogenous curve 𝐺𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
𝐻𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑒1
1 ⋯ 𝔮𝑒𝑢 𝑢 ]
Precompute all directions ∀𝑗
𝐺 (−𝑠)
𝑜,𝑗 ←𝐺 (−𝑠+1) 𝑜,𝑗
←…←𝐺 (1)
𝑜,𝑗←𝐺𝑜
𝐻(−𝑠)
𝑜,𝑗 ←𝐻(−𝑠+1) 𝑜,𝑗
←…←𝐻(1)
𝑜,𝑗←𝐻𝑜
... and their conjugates
𝐺𝑜→𝐺 (1)
𝑜,𝑗→…→𝐺 (𝑠−1) 𝑜,𝑗
→𝐺 (𝑠)
𝑜,1
𝐻𝑜→𝐻(1)
𝑜,𝑗→…→𝐻(𝑠−1) 𝑜,𝑗
→𝐻(𝑠)
𝑜,1
Exchange data 𝐻𝑜+directions 𝐺𝑜+directions Compute shared data Takes 𝑓𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. Takes 𝑒𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. In the end, they share 𝐼𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1+𝑒1
1
⋅ … ⋅ 𝔮𝑓𝑢+𝑒𝑢
𝑢
]
∫ ∫
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 20 / 25
OSIDH The protocol
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 and a set of splitting primes 𝔮1, … , 𝔮𝑢 ⊆ 𝒫𝑜 ⊆ End(𝐹𝑜) ∩ 𝐿 ⊆ 𝒫𝐿 ALICE BOB Choose integers in a bound [−𝑠, 𝑠] (𝑓1, … , 𝑓𝑢) (𝑒1, … , 𝑒𝑢) Construct an isogenous curve 𝐺𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
𝐻𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑒1
1 ⋯ 𝔮𝑒𝑢 𝑢 ]
Precompute all directions ∀𝑗
𝐺 (−𝑠)
𝑜,𝑗 ←𝐺 (−𝑠+1) 𝑜,𝑗
←…←𝐺 (1)
𝑜,𝑗←𝐺𝑜
𝐻(−𝑠)
𝑜,𝑗 ←𝐻(−𝑠+1) 𝑜,𝑗
←…←𝐻(1)
𝑜,𝑗←𝐻𝑜
... and their conjugates
𝐺𝑜→𝐺 (1)
𝑜,𝑗→…→𝐺 (𝑠−1) 𝑜,𝑗
→𝐺 (𝑠)
𝑜,1
𝐻𝑜→𝐻(1)
𝑜,𝑗→…→𝐻(𝑠−1) 𝑜,𝑗
→𝐻(𝑠)
𝑜,1
Exchange data 𝐻𝑜+directions 𝐺𝑜+directions Compute shared data Takes 𝑓𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. Takes 𝑒𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. In the end, they share 𝐼𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1+𝑒1
1
⋅ … ⋅ 𝔮𝑓𝑢+𝑒𝑢
𝑢
]
∫ ∫
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 20 / 25
OSIDH The protocol
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 and a set of splitting primes 𝔮1, … , 𝔮𝑢 ⊆ 𝒫𝑜 ⊆ End(𝐹𝑜) ∩ 𝐿 ⊆ 𝒫𝐿 ALICE BOB Choose integers in a bound [−𝑠, 𝑠] (𝑓1, … , 𝑓𝑢) (𝑒1, … , 𝑒𝑢) Construct an isogenous curve 𝐺𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
𝐻𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑒1
1 ⋯ 𝔮𝑒𝑢 𝑢 ]
Precompute all directions ∀𝑗
𝐺 (−𝑠)
𝑜,𝑗 ←𝐺 (−𝑠+1) 𝑜,𝑗
←…←𝐺 (1)
𝑜,𝑗←𝐺𝑜
𝐻(−𝑠)
𝑜,𝑗 ←𝐻(−𝑠+1) 𝑜,𝑗
←…←𝐻(1)
𝑜,𝑗←𝐻𝑜
... and their conjugates
𝐺𝑜→𝐺 (1)
𝑜,𝑗→…→𝐺 (𝑠−1) 𝑜,𝑗
→𝐺 (𝑠)
𝑜,1
𝐻𝑜→𝐻(1)
𝑜,𝑗→…→𝐻(𝑠−1) 𝑜,𝑗
→𝐻(𝑠)
𝑜,1
Exchange data 𝐻𝑜+directions 𝐺𝑜+directions Compute shared data Takes 𝑓𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. Takes 𝑒𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. In the end, they share 𝐼𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1+𝑒1
1
⋅ … ⋅ 𝔮𝑓𝑢+𝑒𝑢
𝑢
]
∫ ∫
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 20 / 25
OSIDH The protocol
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 and a set of splitting primes 𝔮1, … , 𝔮𝑢 ⊆ 𝒫𝑜 ⊆ End(𝐹𝑜) ∩ 𝐿 ⊆ 𝒫𝐿 ALICE BOB Choose integers in a bound [−𝑠, 𝑠] (𝑓1, … , 𝑓𝑢) (𝑒1, … , 𝑒𝑢) Construct an isogenous curve 𝐺𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
𝐻𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑒1
1 ⋯ 𝔮𝑒𝑢 𝑢 ]
Precompute all directions ∀𝑗
𝐺 (−𝑠)
𝑜,𝑗 ←𝐺 (−𝑠+1) 𝑜,𝑗
←…←𝐺 (1)
𝑜,𝑗←𝐺𝑜
𝐻(−𝑠)
𝑜,𝑗 ←𝐻(−𝑠+1) 𝑜,𝑗
←…←𝐻(1)
𝑜,𝑗←𝐻𝑜
... and their conjugates
𝐺𝑜→𝐺 (1)
𝑜,𝑗→…→𝐺 (𝑠−1) 𝑜,𝑗
→𝐺 (𝑠)
𝑜,1
𝐻𝑜→𝐻(1)
𝑜,𝑗→…→𝐻(𝑠−1) 𝑜,𝑗
→𝐻(𝑠)
𝑜,1
Exchange data 𝐻𝑜+directions 𝐺𝑜+directions Compute shared data Takes 𝑓𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. Takes 𝑒𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. In the end, they share 𝐼𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1+𝑒1
1
⋅ … ⋅ 𝔮𝑓𝑢+𝑒𝑢
𝑢
]
∫ ∫
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 20 / 25
OSIDH The protocol
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 and a set of splitting primes 𝔮1, … , 𝔮𝑢 ⊆ 𝒫𝑜 ⊆ End(𝐹𝑜) ∩ 𝐿 ⊆ 𝒫𝐿 ALICE BOB Choose integers in a bound [−𝑠, 𝑠] (𝑓1, … , 𝑓𝑢) (𝑒1, … , 𝑒𝑢) Construct an isogenous curve 𝐺𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
𝐻𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑒1
1 ⋯ 𝔮𝑒𝑢 𝑢 ]
Precompute all directions ∀𝑗
𝐺 (−𝑠)
𝑜,𝑗 ←𝐺 (−𝑠+1) 𝑜,𝑗
←…←𝐺 (1)
𝑜,𝑗←𝐺𝑜
𝐻(−𝑠)
𝑜,𝑗 ←𝐻(−𝑠+1) 𝑜,𝑗
←…←𝐻(1)
𝑜,𝑗←𝐻𝑜
... and their conjugates
𝐺𝑜→𝐺 (1)
𝑜,𝑗→…→𝐺 (𝑠−1) 𝑜,𝑗
→𝐺 (𝑠)
𝑜,1
𝐻𝑜→𝐻(1)
𝑜,𝑗→…→𝐻(𝑠−1) 𝑜,𝑗
→𝐻(𝑠)
𝑜,1
Exchange data 𝐻𝑜+directions 𝐺𝑜+directions Compute shared data Takes 𝑓𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. Takes 𝑒𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. In the end, they share 𝐼𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1+𝑒1
1
⋅ … ⋅ 𝔮𝑓𝑢+𝑒𝑢
𝑢
]
∫ ∫
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 20 / 25
OSIDH The protocol
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 and a set of splitting primes 𝔮1, … , 𝔮𝑢 ⊆ 𝒫𝑜 ⊆ End(𝐹𝑜) ∩ 𝐿 ⊆ 𝒫𝐿 ALICE BOB Choose integers in a bound [−𝑠, 𝑠] (𝑓1, … , 𝑓𝑢) (𝑒1, … , 𝑒𝑢) Construct an isogenous curve 𝐺𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
𝐻𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑒1
1 ⋯ 𝔮𝑒𝑢 𝑢 ]
Precompute all directions ∀𝑗
𝐺 (−𝑠)
𝑜,𝑗 ←𝐺 (−𝑠+1) 𝑜,𝑗
←…←𝐺 (1)
𝑜,𝑗←𝐺𝑜
𝐻(−𝑠)
𝑜,𝑗 ←𝐻(−𝑠+1) 𝑜,𝑗
←…←𝐻(1)
𝑜,𝑗←𝐻𝑜
... and their conjugates
𝐺𝑜→𝐺 (1)
𝑜,𝑗→…→𝐺 (𝑠−1) 𝑜,𝑗
→𝐺 (𝑠)
𝑜,1
𝐻𝑜→𝐻(1)
𝑜,𝑗→…→𝐻(𝑠−1) 𝑜,𝑗
→𝐻(𝑠)
𝑜,1
Exchange data 𝐻𝑜+directions 𝐺𝑜+directions Compute shared data Takes 𝑓𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. Takes 𝑒𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. In the end, they share 𝐼𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1+𝑒1
1
⋅ … ⋅ 𝔮𝑓𝑢+𝑒𝑢
𝑢
]
∫ ∫
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 20 / 25
OSIDH The protocol
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 and a set of splitting primes 𝔮1, … , 𝔮𝑢 ⊆ 𝒫𝑜 ⊆ End(𝐹𝑜) ∩ 𝐿 ⊆ 𝒫𝐿 ALICE BOB Choose integers in a bound [−𝑠, 𝑠] (𝑓1, … , 𝑓𝑢) (𝑒1, … , 𝑒𝑢) Construct an isogenous curve 𝐺𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
𝐻𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑒1
1 ⋯ 𝔮𝑒𝑢 𝑢 ]
Precompute all directions ∀𝑗
𝐺 (−𝑠)
𝑜,𝑗 ←𝐺 (−𝑠+1) 𝑜,𝑗
←…←𝐺 (1)
𝑜,𝑗←𝐺𝑜
𝐻(−𝑠)
𝑜,𝑗 ←𝐻(−𝑠+1) 𝑜,𝑗
←…←𝐻(1)
𝑜,𝑗←𝐻𝑜
... and their conjugates
𝐺𝑜→𝐺 (1)
𝑜,𝑗→…→𝐺 (𝑠−1) 𝑜,𝑗
→𝐺 (𝑠)
𝑜,1
𝐻𝑜→𝐻(1)
𝑜,𝑗→…→𝐻(𝑠−1) 𝑜,𝑗
→𝐻(𝑠)
𝑜,1
Exchange data 𝐻𝑜+directions 𝐺𝑜+directions Compute shared data Takes 𝑓𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. Takes 𝑒𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. In the end, they share 𝐼𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1+𝑒1
1
⋅ … ⋅ 𝔮𝑓𝑢+𝑒𝑢
𝑢
]
∫ ∫
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 20 / 25
OSIDH The protocol
PUBLIC DATA: A chain of ℓ-isogenies 𝐹0 → 𝐹1 → … → 𝐹𝑜 and a set of splitting primes 𝔮1, … , 𝔮𝑢 ⊆ 𝒫𝑜 ⊆ End(𝐹𝑜) ∩ 𝐿 ⊆ 𝒫𝐿 ALICE BOB Choose integers in a bound [−𝑠, 𝑠] (𝑓1, … , 𝑓𝑢) (𝑒1, … , 𝑒𝑢) Construct an isogenous curve 𝐺𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
𝐻𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑒1
1 ⋯ 𝔮𝑒𝑢 𝑢 ]
Precompute all directions ∀𝑗
𝐺 (−𝑠)
𝑜,𝑗 ←𝐺 (−𝑠+1) 𝑜,𝑗
←…←𝐺 (1)
𝑜,𝑗←𝐺𝑜
𝐻(−𝑠)
𝑜,𝑗 ←𝐻(−𝑠+1) 𝑜,𝑗
←…←𝐻(1)
𝑜,𝑗←𝐻𝑜
... and their conjugates
𝐺𝑜→𝐺 (1)
𝑜,𝑗→…→𝐺 (𝑠−1) 𝑜,𝑗
→𝐺 (𝑠)
𝑜,1
𝐻𝑜→𝐻(1)
𝑜,𝑗→…→𝐻(𝑠−1) 𝑜,𝑗
→𝐻(𝑠)
𝑜,1
Exchange data 𝐻𝑜+directions 𝐺𝑜+directions Compute shared data Takes 𝑓𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. Takes 𝑒𝑗 steps in 𝔮𝑗-isogeny chain & push forward information for 𝑘 > 𝑗. In the end, they share 𝐼𝑜 = 𝐹𝑜/𝐹𝑜 [𝔮𝑓1+𝑒1
1
⋅ … ⋅ 𝔮𝑓𝑢+𝑒𝑢
𝑢
]
∫ ∫
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 20 / 25
OSIDH The protocol
The first step consists of choosing the secret keys; these are represented by a sequence of integers (𝑓1, … , 𝑓𝑢) such that |𝑓𝑗| ≤ 𝑠. The bound 𝑠 is taken so that the number (2𝑠 + 1)𝑢 of curves that can be reached is sufficiently large. This choice of integers enables Alice to compute a new elliptic curve 𝐺𝑜 = 𝐹𝑜 𝐹𝑜[𝔮𝑓1
1 ⋯ 𝔮𝑓𝑢 𝑢 ]
by means of constructing the following commutative diagram
E0 E1 En
E0 E0[p1]
= E0 F (1)
n E0 E0[pe1
1 ]
= E0 F (e1)
n E0 E0[pe1
1 p2]
= E0 F (e1,1)
n E0 E0[pe1
1 pe2 2 ]
= E0 F (e1,e2)
n E0 E0[pe1
1 ...pet−1 t−1 ]
= E0 F (e1,...,et−1)
n E0 E0[pe1
1 ...pet t ]
= E0 F0 F1 Fn F (e1,...,et)
n
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 21 / 25
OSIDH The protocol
Once that Alice obtain from Bob the curve 𝐻𝑜 together with the collection of data encoding the directions, she takes 𝑓1 steps in the 𝔮1-isogeny chain and push forward all the 𝔮𝑗-isogeny chains for 𝑗 > 1.
Gn p1 p2 p3 p4 G(−1)
n,1
G(1)
n,1
G(1)
n,2
G(−1)
n,2
G(2)
n,1
G(r)
n,1
G(−2)
n,1
G(e1)
n,1
G(−r)
n,1
G(r)
n,2
G(−r)
n,2
G(e1,1)
n,2
G(e1,e2)
n,2
G(e2)
n,2
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 22 / 25
OSIDH Hard problems
Endomorphism ring problem Given a supersingular elliptic curve 𝐹/𝔾𝑞2 and 𝜌 = [𝑞], determine End(𝐹) as an abstract ring or an explicit basis for it over ℤ (or for End0(𝐹) over ℚ). Endomorphism Generators Problem Given a supersingular elliptic curve 𝐹/𝔾𝑞2, 𝜌 = [𝑞], an imaginary quadratic
(𝒫, 𝔯𝑜)-orientations of 𝐹 for (𝔯, 𝑜) ∈ 𝑇, determine
Suppose 𝑇 = {(𝔯, 𝑜)} = {(𝔯1, 𝑜1), … , (𝔯𝑢, 𝑜𝑢)} where 𝔯1, … , 𝔯𝑢 are pairwise distinct primes such that [0, … , 𝑜1] × … × [0, … , 𝑜𝑢] ⟶ 𝒟 ℓ(𝒫) (𝑓1, … , 𝑓𝑢) ⟶ [𝔯𝑓1
1 ⋅ … ⋅ 𝔯𝑓𝑢 𝑢 ]
is injective. Then, the problem should remain difficult.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 23 / 25
OSIDH Security
Consider an arbitrary supersingular endomorphism ring 𝒫 ⊂ with discriminant 𝑞2. There is a positive definite rank 3 quadratic form disc ∶ 𝒫/ℤ ℤ 𝛽 |disc(𝛽)| = |disc (ℤ [𝛽]) | ⋀2 (𝒫) ⊇ ℤ ∧ 𝒫
=
representing discriminants of orders embedding in 𝒫. The general order 𝒫 has a reduced basis 1 ∧ 𝛽1, 1 ∧ 𝛽2, 1 ∧ 𝛽3 satisfying |disc(1 ∧ 𝛽𝑗)| = Δ𝑗 where Δ𝑗 ∼ 𝑞2/3 (Minkowski bound: 𝑑1𝑞2 ≤ Δ1Δ2Δ3 ≤ 𝑑2𝑞2). In order to hide 𝒫𝑜 in 𝒫 we impose ℓ2𝑜|Δ𝐿| > 𝑑𝑞2/3 ⇒ 𝑜 ∼ logℓ(𝑞) 3 so that there is no special imaginary quadratic subring in 𝒫 = End(𝐹𝑜).
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 24 / 25
Future work:
▶ Security analysis and setting security parameters. ▶ Implementation and algorithmic optimization. ▶ Use of canonical liftings.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 25 / 25
Future work:
▶ Security analysis and setting security parameters. ▶ Implementation and algorithmic optimization. ▶ Use of canonical liftings.
Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019 25 / 25