https://microsoft.com/en-us/research/people/plonga
http://patricklonga.com
Twitter: @PatrickLonga

Outline
• Motivation: the quantum menace
• Post-quantum key exchange from supersingular isogenies: Preliminaries, SIDH, SIKE

Elliptic curves and isogenies
• Let $E_1$ and $E_2$ be elliptic curves defined over an extension field $L$.
• An isogeny is a (non-constant) rational map $\phi : E_1 \to E_2$ that preserves identity, i.e., $\phi(\mathcal{O}_{E_1}) \to \mathcal{O}_{E_2}$.
Relevant properties:
• Isogenies are group homomorphisms.
• For every finite subgroup $G \subseteq E_1$, there is a unique curve $E_2$ (up to isomorphism) and isogeny $\phi : E_1 \to E_2$ with kernel $G$. Write $E_2 = \phi(E_1) = E_1/G$.
• (Separable) isogenies have $\deg \phi = \#\ker \phi$.
Latincrypt, Oct 2019, Patrick Longa – Practical quantum-resistant key exchange from supersingular isogenies

Supersingular curves
• An elliptic curve $E/L$ is supersingular if $\#E(L) \equiv 1 \pmod{p}$.
• All supersingular curves can be defined over $\mathbb{F}_{p^2}$.
• There are ~$p/12$ isomorphism classes of supersingular curves.

Supersingular isogeny graphs
• Vertices: the ~$p/12$ isomorphism classes of supersingular curves over $\mathbb{F}_{p^2}$.
• Edges: isogenies of a fixed prime degree $\ell \nmid p$.
For any prime $\ell \nmid p$, there exist $(\ell + 1)$ isogenies of degree $\ell$ originating from every supersingular curve.
[Figure: supersingular isogeny graphs for $\ell = 2$ and $\ell = 3$, edges labelled $\phi_2$ and $\phi_3$; a vertex is annotated "Same j-invariant".]

SIDH in a nutshell
[Figure: curves $E_0$, $E_A$, $E_B$, $E_{BA}$ and $E_{AB}$; $E_{BA}$ and $E_{AB}$ are annotated "Same j-invariant".]

SIDH: setup
Set $\ell \in \{2, 3\}$, supersingular curve $E_0/\mathbb{F}_{p^2}$ with a prime $p = f \cdot 2^{e_A} 3^{e_B} - 1$ such that $2^{e_A} \approx 3^{e_B}$ and $f$ small.
• Then: $E[2^{e_A}], E[3^{e_B}] \subset E_0(\mathbb{F}_{p^2})$
• Alice works over $E[2^{e_A}]$ using 2-isogenies and linearly independent points $P_A, Q_A$.
• Bob works over $E[3^{e_B}]$ using 3-isogenies and linearly independent points $P_B, Q_B$.

SIDH protocol
[Diagram legend: private Alice, private Bob, public params. $E$'s are isogenous curves; $P$'s, $Q$'s, $R$'s, $S$'s are points.]
Alice:
• $E_A = E_0/\langle A \rangle$, $\{R_A, S_A\} = \{\phi_A(P_B), \phi_A(Q_B)\}$
• $\ker(\phi'_A) = \langle A' \rangle = \langle R_B + [s_A]S_B \rangle$, $E_{BA} = E_B/\langle A' \rangle$
Bob:
• $E_B = E_0/\langle B \rangle$, $\{R_B, S_B\} = \{\phi_B(P_A), \phi_B(Q_A)\}$
• $\ker(\phi'_B) = \langle B' \rangle = \langle R_A + [s_B]S_A \rangle$, $E_{AB} = E_A/\langle B' \rangle$
Why both sides agree:
• $\langle A' \rangle = \langle \phi_B(P_A) + [s_A]\phi_B(Q_A) \rangle = \langle \phi_B(P_A + [s_A]Q_A) \rangle = \phi_B(\langle A \rangle)$
• $\langle B' \rangle = \langle \phi_A(P_B) + [s_B]\phi_A(Q_B) \rangle = \langle \phi_A(P_B + [s_B]Q_B) \rangle = \phi_A(\langle B \rangle)$
• $E_{AB} = \phi'_B(\phi_A(E_0)) \cong E_0/\langle P_A + [s_A]Q_A,\ P_B + [s_B]Q_B \rangle \cong E_{BA} = \phi'_A(\phi_B(E_0))$
• Both paths end at $E_0/\langle A, B \rangle$.

SIDH protocol
Drawback:
• SIDH is not secure when keys are reused (Galbraith-Petit-Shani-Ti 2016)
• Only recommended in ephemeral mode

Supersingular isogeny key encapsulation (SIKE)
• IND-CCA secure key encapsulation: no problem reusing keys!
• Uses a variant of Hofheinz – Hövelmanns – Kiltz (HHK) transform: IND-CPA PKE → IND-CCA KEM
• HHK transform is secure in both the classical and quantum ROM models
• Offline key generation gives performance boost (no perf loss SIDH → SIKE)

Supersingular isogeny key encapsulation (SIKE)
KeyGen
1. $s_B \in_R [0, 2^{\lfloor \log_2 3^{e_B} \rfloor})$
2. Set $\ker(\phi_B) = \langle P_B + [s_B]Q_B \rangle$
3. $\mathrm{pk}_B = \{\phi_B(E_0), \phi_B(P_A), \phi_B(Q_A)\}$
4. $s \in_R \{0,1\}^n$
5. keypair: $\mathrm{sk}_B = (s, s_B)$, $\mathrm{pk}_B$
Encaps (input $\mathrm{pk}_B$)
1. message $m \in_R \{0,1\}^n$
2. $r = G(m, \mathrm{pk}_B) \bmod 2^{e_A}$
3. Set $\ker(\phi_A) = \langle P_A + [r]Q_A \rangle$
4. $\mathrm{pk}_A = \{\phi_A(E_0), \phi_A(P_B), \phi_A(Q_B)\}$
5. $j = j(E_{AB}) = j(\phi'_A(\phi_B(E_0)))$
6. Shared key: $ss = H(m, c)$, with $c = (\mathrm{pk}_A, F(j) \oplus m)$
Decaps (input $c$)
1. $j' = j(E_{BA}) = j(\phi'_B(\phi_A(E_0)))$
2. $m' = F(j') \oplus c[2]$
3. $r' = G(m', \mathrm{pk}_B) \bmod 2^{e_A}$
4. Set $\ker(\phi_A) = \langle P_A + [r']Q_A \rangle$
5. $\mathrm{pk}'_A = \{\phi_A(E_0), \phi_A(P_B), \phi_A(Q_B)\}$
6. If $\mathrm{pk}'_A = c[1]$ then shared key: $ss = H(m', c)$
7. Else $ss = H(s, c)$
Labels on the slide mark the encryption steps inside Encaps, and the decryption and partial re-encryption steps inside Decaps.
$F, G, H$ instantiated with cSHAKE256.
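
The Encaps/Decaps control flow above, as an added sketch that is not code from the talk or from the SIKE submission: it shows the re-encryption check and the fallback key $H(s, c)$ returned for a tampered ciphertext. Assumptions: modular exponentiation in a toy group stands in for the isogeny computations, domain-separated SHAKE256 stands in for cSHAKE256, and `P`, `G_BASE`, `N` and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy prime modulus (assumption; not a vetted parameter set)
G_BASE = 2        # toy base element (assumption)
N = 32            # byte length of the message m and of the secret s

def _enc(x):
    return x.to_bytes(32, "big")

def _xof(tag, *parts):
    """SHAKE256 with a one-byte tag and length-prefixed inputs."""
    h = hashlib.shake_256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest(N)

def F(j):
    return _xof(b"F", _enc(j))

def G(m, pk):
    return int.from_bytes(_xof(b"G", m, _enc(pk)), "big") % (P - 1)

def H(x, c):
    return _xof(b"H", x, _enc(c[0]), c[1])

def _xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def keygen():
    s_B = secrets.randbelow(P - 2) + 1       # KeyGen step 1
    pk_B = pow(G_BASE, s_B, P)               # steps 2-3 (stand-in for phi_B)
    s = secrets.token_bytes(N)               # step 4: implicit-rejection secret
    return (s, s_B), pk_B

def encaps(pk_B, m=None):
    m = secrets.token_bytes(N) if m is None else m
    r = G(m, pk_B)                           # randomness derived from m
    pk_A = pow(G_BASE, r, P)                 # stand-in for phi_A
    j = pow(pk_B, r, P)                      # stand-in for j(E_AB)
    c = (pk_A, _xor(F(j), m))
    return c, H(m, c)

def decaps(c, sk, pk_B):
    s, s_B = sk
    if not (0 < c[0] < P) or len(c[1]) != N:
        raise ValueError("malformed ciphertext")
    j2 = pow(c[0], s_B, P)                   # stand-in for j(E_BA)
    m2 = _xor(F(j2), c[1])                   # decryption
    pk_A2 = pow(G_BASE, G(m2, pk_B), P)      # partial re-encryption
    ok = hmac.compare_digest(_enc(pk_A2), _enc(c[0]))
    # A failed check returns H(s, c): deterministic, but unpredictable
    # without s, so the caller never sees an explicit decryption error.
    return H(m2 if ok else s, c)

if __name__ == "__main__":
    sk, pk = keygen()
    c, ss = encaps(pk)
    print("honest ciphertext agrees:", decaps(c, sk, pk) == ss)
    bad = (c[0], bytes([c[1][0] ^ 1]) + c[1][1:])
    print("tampered ciphertext agrees:", decaps(bad, sk, pk) == ss)
```
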

Computation layers
• protocol: SIDH, SIKE
• high-level point and curve arithmetic: $P + [s]Q$, $\ell^e$-degree isogenies
• low-level point and curve arithmetic: $[2]P$, $[3]P$, $P + Q$, $\phi(P)$
• extension field arithmetic: $\mathbb{F}_{p^2}$ add, mul, sqr, inv
• field arithmetic: $\mathbb{F}_p$ add, mul, inv

High-level point and curve arithmetic
Two main internal computations:
• Double-scalar multiplications to construct kernels $\langle P + [s]Q \rangle$
• Smooth, $\ell^e$-degree isogeny computations $\phi : E_0 \to E'$

Computing $P + [s]Q$
Three-point differential ladder (x-only, variable point)
• De Feo-Jao-Plût (2014), step cost = 1DBL + 2ADD
• Faz-Hernández et al. (2018), step cost = 1DBL + 1ADD

Computing $P + [s]Q$ [Faz-Hernández – López – Ochoa-Jiménez – Rodríguez-Henríquez 2018]
Example with $s = (01100)_2$:

  bit          R_1           R_0       R_2
  (initial)    P             Q         Q − P
  s_0 = 0      P             [2]Q      [2]Q − P
  s_1 = 0      P             [4]Q      [4]Q − P
  s_2 = 1      P + [4]Q      [8]Q      [4]Q − P
  s_3 = 1      P + [12]Q     [16]Q     [4]Q − P
  s_4 = 0      P + [12]Q     [32]Q     [20]Q − P
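
A symbolic run of this ladder, added here as an example (not code from the talk or from the cited paper). A point $[a]P + [b]Q$ is modelled as the coefficient pair `(a, b)`, and `diff_add` refuses to add unless the third register really holds the difference of its operands, which is the constraint an x-only implementation lives under; all function names are hypothetical.

```python
def dbl(X):
    """[2]X on coefficient pairs (a, b) that stand for [a]P + [b]Q."""
    return (2 * X[0], 2 * X[1])

def diff_add(X, Y, D):
    """X + Y the way an x-only ladder can compute it: D must be +/-(X - Y)."""
    delta = (X[0] - Y[0], X[1] - Y[1])
    if D not in (delta, (-delta[0], -delta[1])):
        raise ValueError("difference point does not match the operands")
    return (X[0] + Y[0], X[1] + Y[1])

def three_point_ladder(s, nbits):
    """Return (P + [s]Q, per-step register trace, operation counts).

    Registers: R0 = [2^i]Q, R1 = P + [s mod 2^i]Q, R2 = R0 - R1.
    The scalar is scanned from the least significant bit.
    """
    R0, R1, R2 = (0, 1), (1, 0), (-1, 1)      # Q, P, Q - P
    trace = []
    ops = {"DBL": 0, "ADD": 0}
    for i in range(nbits):
        if (s >> i) & 1:
            R1 = diff_add(R0, R1, R2)         # R1 += R0, known difference R2
        else:
            R2 = diff_add(R0, R2, R1)         # keeps R2 = R0 - R1 after DBL
        R0 = dbl(R0)
        # Both branches cost one ADD and one DBL; only the operand choice
        # depends on the secret bit, which constant-time code typically
        # handles with a masked swap of R1 and R2 instead of a branch.
        ops["DBL"] += 1
        ops["ADD"] += 1
        trace.append((R1, R0, R2))
    return R1, trace, ops

def show(X):
    """Render a coefficient pair in the notation used on the slide."""
    a, b = X
    q = "Q" if b == 1 else f"[{b}]Q"
    if a == 0:
        return q
    if b == 0:
        return "P"
    return f"P + {q}" if a == 1 else f"{q} - P"

if __name__ == "__main__":
    s, nbits = 0b01100, 5
    result, trace, ops = three_point_ladder(s, nbits)
    for i, (r1, r0, r2) in enumerate(trace):
        bit = (s >> i) & 1
        print(f"s_{i} = {bit}: {show(r1):<12}{show(r0):<8}{show(r2)}")
    print("result:", show(result), "cost:", ops)
```
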

Computing $\ell^e$-degree isogenies
• Construct it as a composition of multiple (small, prime-degree) isogenies:
$\phi_B : E_0 \to E_B$, $\phi_B = \phi_0 \cdot \phi_1 \cdot \phi_2 \cdot \cdots \cdot \phi_{e-1}$
[Figure: the SIDH diagram with $E_0$, $E_A$, $E_B$ and $E_0/\langle A, B \rangle$, and the chain of curves $E_0, E_1, E_2, E_3, E_4, \ldots, E_B$ connected by $\phi_0, \phi_1, \phi_2, \phi_3, \ldots, \phi_{e-1}$.]

Computing $\ell^e$-degree isogenies
• Example: Bob ($\ell = 3$) computes $E_B = \phi_B(E_0)$
Let base point $P_0 \in E_0$. Assume $e = 4$.
Compute $3^4$-degree isogeny: $\phi_B : E_0 \to E_4$, $\phi_B = \phi_0 \cdot \phi_1 \cdot \phi_2 \cdot \phi_3$, $E_4 = E_0/\langle P_0 \rangle$
• Iteratively compute: $E_{i+1} = E_i/\langle [\ell^{e-i-1}]P_i \rangle$
[Figure: triangular computation graph with $P_0$ at the top and the kernel points $[3^4]P_0$, $[3^3]P_1$, $[3^2]P_2$, $[3]P_3$ along the bottom; the left edge passes through $[3]P_0$, $[3^2]P_0$, $[3^3]P_0$. (+) slope: point operations. (−) slope: isogeny operations.]
Steps shown on the slide:
• $\phi_0 = E_0/\langle 81P_0 \rangle$, $E_1 = \phi_0(E_0)$, $P_1 = \phi_0(P_0)$
• $\phi_1 = E_1/\langle 27P_0 \rangle$, $E_2 = \phi_1(E_1)$, $P_2 = \phi_1(P_1)$
• $\phi_2 = E_2/\langle 9P_2 \rangle$, $E_3 = \phi_2(E_2)$, $P_3 = \phi_2(P_2)$
• $\phi_3 = E_3/\langle 3P_3 \rangle$, $E_4 = \phi_3(E_3)$, $P_4 = \phi_3(P_3)$