ABSTRACT
We present a method for key compression in quantum-resistant isogeny-based cryptosystems, which allows a reduction in the transmission costs of per-party public information by a factor of two, with no effect on security. We achieve this reduction by associating a canonical choice of elliptic curve to each j-invariant, and representing elements on the curve as linear combinations with respect to a canonical choice of basis. This method of compressing public information can be applied to numerous isogeny-based protocols, such as key exchange, zero-knowledge identification, and public-key encryption. We implemented the key exchange with compression and decompression in C on personal computers and ARM processors and provide timing results, showing the computational cost of key compression and decompression at various security levels. Our results show that isogeny-based cryptosystems achieve by far the smallest possible key sizes among all existing families of post-quantum cryptosystems at practical security levels; e.g. 3073-bit public keys at the quantum 128-bit security level, comparable to (non-quantum) RSA key sizes.
Index Terms
- Key Compression for Isogeny-Based Cryptosystems