Supersingular isogeny-based cryptography: a survey. (English) Zbl 1479.94255
Summary: With the advent of quantum computers that showed the viability of Shor’s Algorithm to factor integers, it became apparent that asymmetric cryptographic algorithms might soon become insecure. Since then, a large number of new algorithms that are conjectured to be quantum-secure have been proposed, many of which come with non-negligible trade-offs compared to current cryptosystems. Because of this, both research and standardization attempts are an ongoing effort.
In this survey, we describe one of the most promising approaches to post-quantum cryptography: cryptosystems based on supersingular isogenies. Building on top of isogenies is promising not only because they have been a well-studied topic for many decades, but also because the algorithms proposed in recent literature promise decent performance at small key sizes, especially compared to other post-quantum candidates.
After introducing the basic mathematical backgrounds required to understand the fundamental idea behind the use of supersingular isogenies as well as their relation to elliptic curves, we explain the most important protocols that have been proposed in recent years, starting with the so-called Supersingular Isogeny Diffie-Hellman. We discuss the novel approaches to well-established protocols that supersingular isogeny-based schemes introduce, analyze why it is difficult to translate certain cryptographic schemes into the supersingular isogeny case and argue that while the discussed cryptographic schemes promise to be both performant and quantum-secure, they instead introduce a trade-off in the form of increased protocol complexity.
In this survey, we describe one of the most promising approaches to post-quantum cryptography: cryptosystems based on supersingular isogenies. Building on top of isogenies is promising not only because they have been a well-studied topic for many decades, but also because the algorithms proposed in recent literature promise decent performance at small key sizes, especially compared to other post-quantum candidates.
After introducing the basic mathematical backgrounds required to understand the fundamental idea behind the use of supersingular isogenies as well as their relation to elliptic curves, we explain the most important protocols that have been proposed in recent years, starting with the so-called Supersingular Isogeny Diffie-Hellman. We discuss the novel approaches to well-established protocols that supersingular isogeny-based schemes introduce, analyze why it is difficult to translate certain cryptographic schemes into the supersingular isogeny case and argue that while the discussed cryptographic schemes promise to be both performant and quantum-secure, they instead introduce a trade-off in the form of increased protocol complexity.
MSC:
| 94A60 | Cryptography |
| 81P94 | Quantum cryptography (quantum-theoretic aspects) |
| 14G50 | Applications to coding theory and cryptography of arithmetic geometry |
Software:
SageMathReferences:
| [1] | Bellare, M., and Namprempre, C., Authenticated Encryption: Relations Among Notions and Analysis of the Generic Composition Paradigm, In Okamoto, T., editor, Advances in Cryptology - ASIACRYPT 2000, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 531-545 (2000). · Zbl 0973.68059 |
| [2] | Bellare, M., and Rogaway, P., “Random Oracles are Practical: A Paradigm for Designing Efficient Protocols,” Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS ’93, ACM, New York, NY, USA, pp. 62-73 (1993). |
| [3] | Blake, I. F., Seroussi, G., and Smart, N. P., Advances in Elliptic Curve Cryptography (London Mathematical Society Lecture Note Series), Cambridge University Press, New York, NY, USA (2005). · Zbl 1089.94018 |
| [4] | Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., and Zhandry, M., Random Oracles in a Quantum World, In Lee, D. H., and Wang, X., editors, Advances in Cryptology - ASIACRYPT 2011, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 41-69 (2011). · Zbl 1227.94033 |
| [5] | Charles, D. X., Lauter, K. E., and Goren, E. Z., “Cryptographic hash functions from expander graphs,” J. Cryptol., 22(1): 93-113 (2009). · Zbl 1166.94006 |
| [6] | Childs, A. M., Jao, D., and Soukharev, V., “Constructing elliptic curve isogenies in quantum subexponential time,” J. Mathematical Cryptology, 8: 1-29 (2014). · Zbl 1283.81046 |
| [7] | Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Nguyen, K., and Vercauteren, F., Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapman & Hall/CRC, 2nd edition (2012). · Zbl 1082.94001 |
| [8] | Couveignes, J.-M., Hard Homogeneous Spaces, Cryptology ePrint Archive, Report 2006/291, https://eprint.iacr.org/2006/291 (2006). |
| [9] | Cramer, R., and Shoup, V., A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, In Krawczyk, H., editor, Advances in Cryptology - CRYPTO ’98, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 13-25 (1998). · Zbl 0931.94018 |
| [10] | De Feo, L., Mathematics of Isogeny Based Cryptography, CoRR, abs/1711.04062 (2017). |
| [11] | De Feo, L., Jao, D., and Plût, J., “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies,” J. Mathematical Cryptology, 8(3): 209-247 (2014). · Zbl 1372.94419 |
| [12] | Diffie, W., and Hellman, M., “New directions in cryptography,” IEEE Trans. Inf. Theor., 22(6): 644-654 (1976). · Zbl 0435.94018 |
| [13] | Fouquet, M., and Morain, F., Isogeny Volcanoes and the Sea Algorithm, In Proceedings of the 5th International Symposium on Algorithmic Number Theory, ANTS-V, Springer-Verlag, Berlin, Heidelberg, pp. 276-291 (2002). · Zbl 1058.11041 |
| [14] | Fujisaki, E., and Okamoto, T., “Secure integration of asymmetric and symmetric encryption schemes,” J. Cryptol., 26(1): 80-101 (2013). · Zbl 1291.94085 |
| [15] | Galbraith, S. D., Mathematics of Public Key Cryptography, Cambridge University Press, New York, NY, USA, 1st edition (2012). · Zbl 1238.94027 |
| [16] | Galbraith, S. D., Petit, C., Shani, B., and Ti, Y. B., On the Security of Supersingular Isogeny Cryptosystems, In ASIACRYPT (1), Springer, pp. 63-91 (2016). · Zbl 1404.94073 |
| [17] | Galbraith, S. D., Petit, C., and Silva, J., Identification protocols and signature schemes based on supersingular isogeny problems. In Takagi, T., and Peyrin, T., editors, Advances in Cryptology - ASIACRYPT 2017, Springer International Publishing, Cham, pp. 3-33 (2017). · Zbl 1420.94065 |
| [18] | Galbraith, S. D., and Vercauteren, F., Computational Problems in Supersingular Elliptic Curve Isogenies, Cryptology ePrint Archive, Report 2017/774, https://eprint.iacr.org/2017/774 (2017). |
| [19] | Gélin, A., and Wesolowski, B., Loop-abort Faults on Supersingular Isogeny Cryptosystems, In Lange, T., and Takagi, T., editors, Post-Quantum Cryptography, Springer International Publishing, Cham, pp. 93-106 (2017). · Zbl 1437.94065 |
| [20] | Hofheinz, D., Hövelmanns, K., and Kiltz, E., A Modular Analysis of the Fujisaki-Okamoto Transformation, In Kalai, Y., and Reyzin, L., editors, Theory of Cryptography, Springer International Publishing, Cham, pp. 341-371 (2017). · Zbl 1410.94082 |
| [21] | Jao, D., Azarderakhsh, R., Campagna, M., Costello, C., De Feo, L., Hess, B., Jalali, A., Koziel, B., LaMacchia, B., Longa, P., Naehrig, M., Renes, J., Soukharev, V., and Urbanik, D., Supersingular Isogeny Key Encapsulation, 11 (2017). |
| [22] | Jao, D., and De Feo, L., “Towards Quantum-resistant Cryptosystems from Supersingular Elliptic Curve Isogenies,” Proceedings of the 4th International Conference on Post-Quantum Cryptography, PQCrypto’11, Springer-Verlag, Berlin, Heidelberg, pp. 19-34 (2011). · Zbl 1290.94094 |
| [23] | Jiang, S., Britt, K. A., McCaskey, A. J., Humble, T. S., and Kais, S., “Quantum annealing for prime factorization,” Scientific Reports, 8(1): 17667 (2018). |
| [24] | Kirkwood, D., Lackey, B. C., McVey, J., Motley, M., Solinas, J. A., and Tuller, D., Failure is Not an Option: Standardization Issues for Post-quantum Key Agreement, In Workshop on Cybersecurity in a Post-Quantum World, https://www.nist.gov/news-events/events/2015/04/workshop-cybersecurity-post-quantum-world (2015). |
| [25] | National Institute of Standards and Technology, Post-quantum cryptography, https://csrc.nist.gov/Projects/Post-Quantum-Cryptography, Retrived: 2018-07-20. |
| [26] | Petit, C., Faster Algorithms for Isogeny Problems Using Torsion Point Images, In Takagi, T., and Peyrin, T., editors, Advances in Cryptology - ASIACRYPT 2017, Springer International Publishing, Cham, pp. 330-353 (2017). · Zbl 1409.94898 |
| [27] | Rostovtsev, A., and Stolbunov, A., Public-key Cryptosystem Based on Isogenies, Cryptology ePrint Archive, Report 2006/145, https://eprint.iacr.org/2006/145 (2006). |
| [28] | Shor, P. W., “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM J. Comput., 26(5): 1484-1509 (1997). · Zbl 1005.11065 |
| [29] | Silverman, J. H., The Arithmetic of Dynamical Systems, volume 241 of Graduate Texts in Mathematics, Springer (2007). · Zbl 1130.37001 |
| [30] | Stolbunov, A., “Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves,” Advances in Mathematics of Communications, 4(2): 215-235 (2010). · Zbl 1213.94136 |
| [31] | The Sage Developers, SageMath, The Sage Mathematics Software System (Version 9.1), https://www.sagemath.org (2020). |
| [32] | Ti, Y. B., Fault Attack on Supersingular Isogeny Cryptosystems, IACR Cryptology ePrint Archive https://eprint.iacr.org/2017/379.pdf (2017). · Zbl 1437.94075 |
| [33] | Vandersypen, L. M. K., Steffen, M., Breyta, G., Yannoni, C. S., Sherwood, M. H., and Chuang, I. L., “Experimental realization of Shor”s quantum factoring algorithm using nuclear magnetic resonance,” Nature, 414: 883-887 (2001). |
| [34] | Vélu, J., “Isogénies entre courbes elliptiques,” Comptes Rendus de l’Académie des Sciences de Paris, 273: 238-241 (1971). · Zbl 0225.14014 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
