Efficient compression of SIDH public keys
Craig Costello (1), David Jao (2), Patrick Longa (1), Michael Naehrig (1), Joost Renes (3), David Urbanik (2)
(1) Microsoft Research, Redmond, USA
(2) University of Waterloo, Ontario, Canada
(3) Radboud University, Nijmegen, The Netherlands
1 May 2017
1 May 2017 1 / 14
Supersingular-isogeny Diffie-Hellman
- Post-quantum secure (ephemeral) key exchange [JF11]
- Based on hardness of finding large-degree isogenies
- Small keys (≈ 564 bytes public)
- Relatively slow compared to other PQ proposals
- Key compression (≈ 385 bytes), at very high cost [Aza+16]
This talk
- Key size reduced by 12.5% (≈ 330 bytes)
- Compression up to 66× faster
- Decompression up to 15× faster
Isogeny graphs
p = 2^3 · 3^2 − 1, E/F_{p^2}: y^2 = x^3 + x, j(E) = 24, ℓ = 2
p = 2^3 · 3^2 − 1, E/F_{p^2}: y^2 = x^3 + x, j(E) = 24, ℓ = 3
[Figure: the 2-isogeny graph and the 3-isogeny graph over F_{p^2}; vertices are labelled by the j-invariants 17, 41, 40, 0, 24, 48, 66]
Key generation
= private party A, = private party B, = public keys
[Figure: the two isogeny graphs of the previous slide (vertices 17, 41, 40, 0, 24, 48, 66) with each party's secret walk and the resulting public curves marked; the colour legend above refers to this drawing]
Supersingular-isogeny Diffie-Hellman [JF11]
= private party A, = private party B, = public key
↗↗↗ = 2-graph walk, ↘↘↘ = 3-graph walk
[Figure: diagram E → E_A via φ_A and E → E_B via φ_B, both continuing to the shared curve E_AB]
Uncompressed public key: E_A[ℓ^e] = ⟨P, Q⟩
  ∈ F_{p^2} (= 2 log p bits)
  ∈ F_{p^2}^2 (= 4 log p bits)
Compressed: canonical basis E_A[ℓ^e] = ⟨R, S⟩ and (α, β, γ, δ) ∈ Z_{ℓ^e}^4 (≈ 2 log p bits)
Public-key compression [Aza+16]
Compression: ⟨P, Q⟩ → ⟨R, S⟩ → ⟨αR + βS, γR + δS⟩ → (α, β, γ, δ)
Decompression: (α, β, γ, δ) → ⟨R, S⟩ → (α, β, γ, δ), ⟨P, Q⟩
Expensive in [Aza+16]; this work significantly improves efficiency (compression up to 66×, decompression up to 15×)
Finding a canonical basis
Find R, S such that E[2^372] = ⟨R, S⟩, where #E(F_{p^2}) = (2^372 · 3^239)^2.
Finding an element of order 2^372
1 Deterministically pick a non-square x_R ∈ F_{p^2}
  (for E: y^2 = x(x − γ)(x − δ), R ∈ 2E(F_{p^2}) ⟺ x_R, x_R − δ, x_R − γ are squares)
2 If x_R^3 + A·x_R^2 + x_R is not a square, go to 1
3 Set R ← (x_R, √(x_R^3 + A·x_R^2 + x_R))
4 Set R ← [3^239] R
Finding a canonical basis of E[2^372]
1 Pick R ∈ E(F_{p^2}) of order 2^372
2 Pick S ∈ E(F_{p^2}) of order 2^372
3 If E[2^372] ≠ ⟨R, S⟩, go to 2
Transferring to µ_n via reduced Tate pairing
Transfer the discrete logs to µ_n:
e = e(R, S),  e^β = e(R, P),  e^δ = e(R, Q),
e^{−α} = e(S, P),  e^{−γ} = e(S, Q),
such that P = αR + βS and Q = γR + δS.
Pairings to compute: e(R, S), e(R, P), e(R, Q), e(S, P), e(S, Q)
Miller functions are shared between pairings with the same first argument:
f_0 ← f_{n,R};  f_0 ← f_0(S),  f_1 ← f_0(P),  f_2 ← f_0(Q)
f_3 ← f_{n,S};  f_3 ← f_3(P),  f_4 ← f_3(Q)
Optimized formulas for f_{n,R} and f_{n,S}!
Efficient discrete logarithms (Pohlig-Hellman)
For e_0, e_1, e_2, e_3, e_4 ∈ µ_{ℓ^e}, compute α, β, γ, δ such that
e_1 = e_0^{−α}, e_2 = e_0^β, e_3 = e_0^{−γ}, e_4 = e_0^δ
As µ_{ℓ^e} ⊂ G_{p+1} ⊂ F_{p^2}: I ≈ M, S ≈ 2s, C ≈ 2m + 1s
[Figure: one DL_{ℓ^e} in a group with #G_1 = ℓ^e is reduced to a chain of instances DL_ℓ, DL_ℓ, …, DL_ℓ in a group with #G_1 = ℓ]
Nested Pohlig-Hellman
[Figure: tree of recursive Pohlig-Hellman instances]
#G_1 = ℓ^{e_1}:   PH_1
#G_2 = ℓ^{e_2}:   PH_2  PH_2  ···  PH_2
#G_3 = ℓ^{e_3}:   PH_3  PH_3  ···  PH_3
...
#G_n = ℓ^{e_n}:   PH_n  PH_n  ···  PH_n
#G_{n+1} = ℓ:     DL_ℓ  DL_ℓ  ···  DL_ℓ
Comparison
Window widths per nesting level n, F_{p^2} operation counts (M = multiplications, S = squarings) and table size in F_{p^2} elements:
n | w1   w2   w3   w4 |     M        S | table size
0 |  –    –    –    – |   372   69 378 |        375
1 | 19    –    –    – |   375    7 445 |         43
2 | 51    7    –    – |   643    4 437 |         25
3 | 84   21    5    – |   716    3 826 |         25
4 | 114  35   11    3 | 1 065    3 917 |         27
Options for different time-memory trade-offs [Sut11]
Signature size reduction
- The quadruple (α, β, γ, δ) ∈ Z_{ℓ^e}^4 determines P = αR + βS, Q = γR + δS.
  These determine ⟨P + λQ⟩, for some λ ∈ Z_{ℓ^e}^*
- Thus we only need P, Q up to scalar, and compress to [α : β : γ : δ].
  As P, Q form a basis of E[ℓ^e], either α or β is invertible
- Normalizing, we represent it in Z_{ℓ^e}^3 × Z_2
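The discrete-logarithm step of the Pohlig-Hellman slides and the normalization of the slide above, as one added example (not the talk's or the PQCrypto-SIDH library's code). It stands in for µ_{ℓ^e} ⊂ F_{p^2} with the subgroup of order 2^12 in F_q^*, q = 12289 = 3 · 2^12 + 1, a constructed toy choice since the algorithm only needs a cyclic group of order ℓ^e; it uses one window width w at every level rather than the per-level widths w_1, …, w_4 of the comparison table; and the function names, the window width and the sample exponents are mine.

```python
# Added example: windowed Pohlig-Hellman in a cyclic group of order ell^e, followed by the
# projective normalization of the recovered quadruple.  Toy group (constructed): the
# subgroup of order 2^12 in F_q^*, q = 12289 = 3 * 2^12 + 1, standing in for mu_{ell^e}.
Q = 12289
ELL, E = 2, 12
N = ELL ** E              # group order ell^e = 4096

def find_generator():
    """Deterministic element of exact order ell^e: h^((q-1)/ell^e) has order dividing
    ell^e, and the order is exactly ell^e unless its ell^(e-1)-th power is already 1."""
    for h in range(2, Q):
        g = pow(h, (Q - 1) // N, Q)
        if pow(g, N // ELL, Q) != 1:
            return g
    raise RuntimeError("no element of order ell^e")

def dlog_window(g, h, w):
    """Return x in [0, ell^e) with g^x = h, recovering w base-ell digits per step.
    One table of ell^w entries (the time/memory trade-off of the comparison table)
    serves every window, including a shorter final one when w does not divide e."""
    t = pow(g, ELL ** (E - w), Q)          # generator of the order-ell^w subgroup
    table, acc = {}, 1
    for k in range(ELL ** w):
        table[acc] = k
        acc = acc * t % Q
    x, i = 0, 0                             # x holds the digits below position i
    while i < E:
        wi = min(w, E - i)
        y = h * pow(g, (-x) % N, Q) % Q     # strip the known digits: y = g^(ell^i * x')
        y = pow(y, ELL ** (E - i - wi), Q)  # project onto the order-ell^wi subgroup: t^(ell^(w-wi) * chunk)
        if y not in table:
            raise ValueError("h is not in the subgroup generated by g")
        x += (table[y] // ELL ** (w - wi)) * ELL ** i
        i += wi
    if pow(g, x, Q) != h:                   # reject inputs outside <g> (malformed compressed keys)
        raise ValueError("h is not in the subgroup generated by g")
    return x

def recover_quadruple(e0, e1, e2, e3, e4, w=4):
    """Pohlig-Hellman slide: e1 = e0^-alpha, e2 = e0^beta, e3 = e0^-gamma, e4 = e0^delta."""
    alpha = (-dlog_window(e0, e1, w)) % N
    beta = dlog_window(e0, e2, w)
    gamma = (-dlog_window(e0, e3, w)) % N
    delta = dlog_window(e0, e4, w)
    return alpha, beta, gamma, delta

def normalize(alpha, beta, gamma, delta):
    """Size-reduction slide: [alpha : beta : gamma : delta] up to a unit scalar.  Divide by
    alpha when it is invertible mod ell^e (bit 0), otherwise by beta (bit 1); one of the
    two is invertible because P, Q is a basis.  Result lives in Z_{ell^e}^3 x Z_2."""
    if alpha % ELL:
        inv = pow(alpha, -1, N)             # modular inverse (Python 3.8+)
        return 0, beta * inv % N, gamma * inv % N, delta * inv % N
    inv = pow(beta, -1, N)
    return 1, alpha * inv % N, gamma * inv % N, delta * inv % N

def expand(bit, a, b, c):
    """Decompression side: put the implicit 1 back into the slot the bit names."""
    return (1, a, b, c) if bit == 0 else (a, 1, b, c)
```

The final membership check in dlog_window is the part worth keeping in a real decompressor: a pairing value that is not in ⟨e_0⟩ cannot come from a valid basis, and silently returning a wrong exponent would hand the caller a garbage quadruple.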
Benchmarks (for ℓ = 2)
                              This work   [Aza+16]   Speed-up
Key size (bytes)                  328        385        –
SIDH (cc × 10^6)                   80          –        –
Compression (cc × 10^6)           109      6 081       56×
Decompression (cc × 10^6)          42        539       13×
Full, no comp. (cc × 10^6)        192        535       2.8×
Full, comp. (cc × 10^6)           469     15 395       31×
Software available at https://github.com/Microsoft/PQCrypto-SIDH
References
[Aza+16] Reza Azarderakhsh, David Jao, Kassem Kalach, Brian Koziel and Christopher Leonardi. "Key Compression for Isogeny-Based Cryptosystems". In: Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, AsiaPKC@AsiaCCS, Xi'an, China, May 30 - June 03, 2016. Ed. by Keita Emura, Goichiro Hanaoka and Rui Zhang. ACM, 2016, pp. 1–10. doi: 10.1145/2898420.2898421. url: http://doi.acm.org/10.1145/2898420.2898421.
[JF11] David Jao and Luca De Feo. "Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies". In: Post-Quantum Cryptography - 4th International Workshop, PQCrypto 2011, Taipei, Taiwan, November 29 - December 2, 2011. Proceedings. 2011, pp. 19–34. doi: 10.1007/978-3-642-25405-5_2. url: http://dx.doi.org/10.1007/978-3-642-25405-5_2.
[Sut11] Andrew V. Sutherland. "Structure computation and discrete logarithms in finite abelian p-groups". In: Math. Comput. 80.273 (2011), pp. 477–500. doi: 10.1090/S0025-5718-10-02356-2. url: http://dx.doi.org/10.1090/S0025-5718-10-02356-2.