Journal ArticleDOI

Constructing elliptic curve isogenies in quantum subexponential time

01 Feb 2014, Journal of Mathematical Cryptology (Walter de Gruyter GmbH), Vol. 8, Iss. 1, pp. 1-29
TL;DR: This article presents a quantum algorithm for constructing an isogeny between two ordinary elliptic curves with the same endomorphism ring. The isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O∆ of discriminant ∆ < 0, and the algorithm outputs the ideal class of Cl(O∆) that maps one curve to the other.
Abstract: Quantum computation has the potential for dramatic impact on cryptography. Shor's algorithm [16] breaks the two most widely used public-key cryptosystems, RSA encryption and elliptic curve cryptography. Related quantum algorithms could break other classical cryptographic protocols, such as Buchmann-Williams key exchange [8] and algebraically homomorphic encryption [5]. Thus there is considerable interest in understanding which classical cryptographic schemes are or are not secure against quantum attacks, both from a practical perspective and as a potential source of new quantum algorithms that outperform classical computation. While it is well known that quantum computers can efficiently solve the discrete logarithm problem in elliptic curve groups, other computations involving elliptic curves may be significantly more difficult. In particular, Couveignes [4] and Rostovtsev and Stolbunov [15, 17] proposed public-key cryptosystems based on the presumed difficulty of constructing an isogeny between two given elliptic curves. Informally, an isogeny is a map between curves that preserves their algebraic structure. Isogenies play a major role in classical computational number theory, yet as far as we are aware they have yet to be studied from the standpoint of quantum computation. In this work, we present a quantum algorithm for constructing an isogeny between two ordinary elliptic curves. The isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O∆ of discriminant ∆ < 0. Given two isogenous ordinary elliptic curves E0, E1 over \(\mathbb F_q\) with the same endomorphism ring O∆, we show how to construct an isogeny φ : E0 → E1 (specified by its kernel, represented by a smooth ideal class [b] ∈ Cl(O∆)). The output of this algorithm is sufficient to recover the private key in all proposed isogeny-based public-key cryptosystems [4, 15, 17].
The running time of our algorithm is subexponential. Specifically, assuming the Generalized Riemann Hypothesis (GRH), it runs in time \(L(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2})\), where \(L(\tfrac{1}{2}, c) := \exp\big[(c + o(1))\sqrt{\ln q \,\ln\ln q}\,\big]\).
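The private-key recovery the abstract refers to comes from the shape shared by the Couveignes and Rostovtsev-Stolbunov schemes: a commutative group acts freely on a set of curves, public keys are [a]E0 and [b]E0, and whoever can find the group element mapping E0 to a public key (the "vectorization" problem, which is what the algorithm above solves for ideal classes in Cl(O∆)) can finish the exchange as the key owner. The following is an added toy example, not code from the paper: it replaces the class group action on ordinary curves with a constructed stand-in, the units of Z/(P-1) acting on the primitive roots mod a small prime P by exponentiation. That action has the same algebraic layout, but its vectorization problem is an ordinary discrete logarithm (solved here by brute force, and by Shor's algorithm in general), so it illustrates the structure and the key-recovery reduction, not the hardness assumption of the isogeny schemes. P, the sample keys and the base element are constructed values.

```python
"""Toy hard-homogeneous-space Diffie-Hellman in the Couveignes/Rostovtsev-Stolbunov
layout, with the key-recovery step that vectorization gives an attacker.

Constructed stand-in (NOT an isogeny class group action): G = (Z/(P-1))^* acts on
the set X of primitive roots mod P by [u]*x = x^u mod P.  Its vectorization
problem is a discrete logarithm, so it models the structure, not the hardness."""
from math import gcd

P = 1019          # constructed small prime; deliberately tiny so brute force works
N = P - 1         # order of (Z/P)^*; group elements are units of Z/N


def factor_primes(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def is_primitive_root(x):
    """x generates (Z/P)^* iff x^(N/r) != 1 mod P for every prime r dividing N."""
    return x % P != 0 and all(pow(x, N // r, P) != 1 for r in factor_primes(N))


def act(u, x):
    """Action of u in (Z/N)^* on a primitive root x: [u]*x = x^u mod P.
    gcd(u, N) == 1 keeps x^u a primitive root, so the action stays on X, and
    [u]([v]x) = x^(uv) = [v]([u]x) makes it commutative, which is all the
    key exchange below relies on."""
    if gcd(u, N) != 1:
        raise ValueError("group element must be a unit mod N")
    if not is_primitive_root(x):
        raise ValueError("set element must be a primitive root mod P")
    return pow(x, u, P)


def key_exchange(x0, a, b):
    """CRS-style exchange from public base x0 and private a, b.
    Returns (pk_alice, pk_bob, alice_shared, bob_shared); the two shared
    values agree because the action is commutative."""
    pk_alice, pk_bob = act(a, x0), act(b, x0)
    return pk_alice, pk_bob, act(a, pk_bob), act(b, pk_alice)


def vectorize(x0, x1):
    """Find the group element u with [u]*x0 == x1.  Here this is a brute-force
    discrete logarithm over the units mod N; in the isogeny setting it is the
    problem the paper above solves in quantum subexponential time."""
    for u in range(1, N):
        if gcd(u, N) == 1 and pow(x0, u, P) == x1:
            return u
    raise ValueError("x1 is not in the orbit of x0")


def recover_shared_secret(x0, pk_alice, pk_bob):
    """An attacker who can vectorize recovers Alice's private key from her
    public key and then completes the exchange exactly as Alice would."""
    a = vectorize(x0, pk_alice)
    return a, act(a, pk_bob)


if __name__ == "__main__":
    x0, a, b = 2, 3, 5          # constructed base element and private keys
    pk_a, pk_b, s_a, s_b = key_exchange(x0, a, b)
    print("public keys:", pk_a, pk_b, "shared:", s_a, s_b)
    print("attacker recovers (a, shared):", recover_shared_secret(x0, pk_a, pk_b))
```

The point to take from the last function is the one the abstract makes: nothing in the exchange needs to be broken beyond vectorization, because the recovered group element is the private key itself and the protocol is then simply run forward. The same reduction holds verbatim for the class group action, which is why an algorithm that outputs [b] ∈ Cl(O∆) with [b]E0 = E1 breaks all of the cited schemes.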


Citations
Book ChapterDOI
01 Jan 2018
TL;DR: The Diffie–Hellman scheme resulting from the group action allows for public-key validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST’s post-quantum security category I.
Abstract: We propose an efficient commutative group action suitable for non-interactive key exchange in a post-quantum setting. Our construction follows the layout of the Couveignes–Rostovtsev–Stolbunov cryptosystem, but we apply it to supersingular elliptic curves defined over a large prime field \(\mathbb F_p\), rather than to ordinary elliptic curves. The Diffie–Hellman scheme resulting from the group action allows for public-key validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST’s post-quantum security category I.

333 citations

Book ChapterDOI
14 Aug 2016
TL;DR: This paper proposes a new suite of algorithms that significantly improve the performance of supersingular isogeny Diffie-Hellman (SIDH) key exchange and presents a full-fledged, constant-time implementation of SIDH geared towards the 128-bit quantum and 192-bit classical security levels.
Abstract: We propose a new suite of algorithms that significantly improve the performance of supersingular isogeny Diffie-Hellman (SIDH) key exchange. Subsequently, we present a full-fledged implementation of SIDH that is geared towards the 128-bit quantum and 192-bit classical security levels. Our library is the first constant-time SIDH implementation and is up to 2.9 times faster than the previous best non-constant-time SIDH software. The high speeds in this paper are driven by compact, inversion-free point and isogeny arithmetic and fast SIDH-tailored field arithmetic: on an Intel Haswell processor, generating ephemeral public keys takes 46 million cycles for Alice and 52 million cycles for Bob, while computing the shared secret takes 44 million and 50 million cycles, respectively. The size of public keys is only 564 bytes, which is significantly smaller than most of the popular post-quantum key exchange alternatives. Ultimately, the size and speed of our software illustrate the strong potential of SIDH as a post-quantum key exchange candidate, and we hope that these results encourage a wider cryptanalytic effort.

226 citations

Journal ArticleDOI
TL;DR: The current state of the art on post-quantum cryptosystems and how they can be applied to blockchains and DLTs is surveyed, together with the most relevant post-quantum blockchain systems and their main challenges.
Abstract: Blockchain and other Distributed Ledger Technologies (DLTs) have evolved significantly in the last years and their use has been suggested for numerous applications due to their ability to provide transparency, redundancy and accountability. In the case of blockchain, such characteristics are provided through public-key cryptography and hash functions. However, the fast progress of quantum computing has opened the possibility of performing attacks based on Grover's and Shor's algorithms in the near future. Such algorithms threaten both public-key cryptography and hash functions, forcing a redesign of blockchains to make use of cryptosystems that withstand quantum attacks, thus creating what are known as post-quantum, quantum-proof, quantum-safe or quantum-resistant cryptosystems. For such a purpose, this article first studies the current state of the art on post-quantum cryptosystems and how they can be applied to blockchains and DLTs. Moreover, the most relevant post-quantum blockchain systems are studied, as well as their main challenges. Furthermore, extensive comparisons are provided on the characteristics and performance of the most promising post-quantum public-key encryption and digital signature schemes for blockchains. Thus, this article seeks to provide a broad view and useful guidelines on post-quantum blockchain security to future blockchain researchers and developers.

206 citations

Book ChapterDOI
04 Dec 2016
TL;DR: In this paper, the authors study cryptosystems based on supersingular isogenies, give an active attack on the supersingular isogeny encryption scheme, and show that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve.
Abstract: We study cryptosystems based on supersingular isogenies. This is an active area of research in post-quantum cryptography. Our first contribution is to give a very powerful active attack on the supersingular isogeny encryption scheme. This attack can only be prevented by using a (relatively expensive) countermeasure. Our second contribution is to show that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve. This result gives significant insight into the difficulty of the isogeny problem that underlies the security of these schemes. Our third contribution is to give a reduction that uses partial knowledge of shared keys to determine an entire shared key. This can be used to retrieve the secret key, given information leaked from a side-channel attack on the key exchange protocol. A corollary of this work is the first bit security result for the supersingular isogeny key exchange: Computing any component of the j-invariant is as hard as computing the whole j-invariant.

200 citations

Book ChapterDOI
08 Dec 2019
TL;DR: In this paper, a new record class group computation of an imaginary quadratic field having 154-digit discriminant, surpassing the previous record of 130 digits, was reported.
Abstract: In this paper we report on a new record class group computation of an imaginary quadratic field having 154-digit discriminant, surpassing the previous record of 130 digits. This class group is central to the CSIDH-512 isogeny based cryptosystem, and knowing the class group structure and relation lattice implies efficient uniform sampling and a canonical representation of its elements. Both operations were impossible before and allow us to instantiate an isogeny based signature scheme first sketched by Stolbunov. We further optimize the scheme using multiple public keys and Merkle trees, following an idea by De Feo and Galbraith. We also show that including quadratic twists allows to cut the public key size in half for free. Optimizing for signature size, our implementation takes 390 ms to sign/verify and results in signatures of 263 bytes, at the expense of a large public key. This is 300 times faster and over 3 times smaller than an optimized version of SeaSign for the same parameter set. Optimizing for public key and signature size combined, results in a total size of 1468 bytes, which is smaller than any other post-quantum signature scheme at the 128-bit security level.

138 citations

References
Journal ArticleDOI
TL;DR: In this paper, the authors consider factoring integers and finding discrete logarithms on a quantum computer and give efficient randomized quantum algorithms for both problems, taking a number of steps polynomial in the input size (e.g., the number of digits of the integer to be factored).
Abstract: A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and which have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored.

7,427 citations

Journal ArticleDOI
TL;DR: The main result of the paper is a reduction of the elliptic curve logarithm problem to the logarithm problem in the multiplicative group of an extension of the underlying finite field, which for supersingular curves yields a probabilistic subexponential time algorithm for the former problem.
Abstract: Elliptic curve cryptosystems have the potential to provide relatively small block size, high-security public key schemes that can be efficiently implemented. As with other known public key schemes, such as RSA and discrete exponentiation in a finite field, some care must be exercised when selecting the parameters involved, in this case the elliptic curve and the underlying field. Specific classes of curves that give little or no advantage over previously known schemes are discussed. The main result of the paper is to demonstrate the reduction of the elliptic curve logarithm problem to the logarithm problem in the multiplicative group of an extension of the underlying finite field. For the class of supersingular elliptic curves, the reduction takes probabilistic polynomial time, thus providing a probabilistic subexponential time algorithm for the former problem.

1,049 citations

Journal ArticleDOI
TL;DR: In this paper, the Tate module \(T_\ell(A)\) of an abelian variety A of dimension g is recalled to be a free module of rank 2g over the ring \(\mathbb Z_\ell\) of \(\ell\)-adic integers, on which \(\mathrm{Gal}(\bar k/k)\) acts, and the group \(\mathrm{Hom}_k(A', A'')\) of homomorphisms defined over k is \(\mathbb Z\)-free.
Abstract: Almost all of the general facts about abelian varieties which we use without comment or refer to as "well known" are due to WEIL, and the references for them are [12] and [3]. Let k be a field, \(\bar k\) its algebraic closure, and A an abelian variety defined over k, of dimension g. For each integer \(m \geq 1\), let \(A_m\) denote the group of elements \(a \in A(\bar k)\) such that \(ma = 0\). Let \(\ell\) be a prime number different from the characteristic of k, and let \(T_\ell(A)\) denote the projective limit of the groups \(A_{\ell^n}\) with respect to the maps \(A_{\ell^{n+1}} \to A_{\ell^n}\) which are induced by multiplication by \(\ell\). It is well known that \(T_\ell(A)\) is a free module of rank 2g over the ring \(\mathbb Z_\ell\) of \(\ell\)-adic integers. The group \(G = \mathrm{Gal}(\bar k/k)\) operates on \(T_\ell(A)\). Let \(A'\) and \(A''\) be abelian varieties defined over k. The group \(\mathrm{Hom}_k(A', A'')\) of homomorphisms of \(A'\) into \(A''\) defined over k is \(\mathbb Z\)-free, and the canonical map

811 citations

Book
01 Jan 1989
Abstract: FROM FERMAT TO GAUSS. Fermat, Euler and Quadratic Reciprocity. Lagrange, Legendre and Quadratic Forms. Gauss, Composition and Genera. Cubic and Biquadratic Reciprocity. CLASS FIELD THEORY. The Hilbert Class Field and \(p = x^2 + ny^2\). The Hilbert Class Field and Genus Theory. Orders in Imaginary Quadratic Fields. Class Field Theory and the Čebotarev Density Theorem. Ring Class Fields and \(p = x^2 + ny^2\). COMPLEX MULTIPLICATION. Elliptic Functions and Complex Multiplication. Modular Functions and Ring Class Fields. Modular Functions and Singular j-Invariants. The Class Equation. Elliptic Curves. References. Index.

600 citations

Journal ArticleDOI
Abstract: (No abstract in this record; only the journal's copyright notice is reproduced.) © Gauthier-Villars (Éditions scientifiques et médicales Elsevier), 1969, all rights reserved. Access to the archives of the journal "Annales scientifiques de l'É.N.S." (http://www.elsevier.com/locate/ansens) implies agreement with the general terms of use (http://www.numdam.org/conditions). Any commercial use or systematic printing constitutes a criminal offence. Any copy or printout of this file must carry the present copyright notice.

589 citations