Multiparty Non-Interactive Key Exchange and More From Isogenies on Elliptic Curves

1 Introduction

Let 𝔽_q be a finite field, let E be an ordinary elliptic curve over 𝔽_q, and let X be the set of isomorphism classes of elliptic curves over 𝔽_q that are 𝔽_q-isogenous to E. The set X is almost always large (containing on the order of q elements). Moreover, under suitable conditions on E, the set X is endowed with a free and transitive action ∗ by a certain abelian group G, which is the ideal class group of the endomorphism ring of E. The action ∗ maps a given g ∈ G and E ∈ X to a curve g ∗ E ∈ X.

This action, originally defined by Deuring [16], has a number of properties that makes it useful in cryptography. First, for a fixed curve E ∈ X, the map G → X defined by g ↦ g ∗ E is believed to be a one-way function. In other words, given a random curve E′ ∈ X it is difficult to find an element g ∈ G such that E′ = g ∗ E. This suggests a Diffie–Hellman two-party key exchange protocol, proposed by Couveignes [14] and Rostovtsev and Stolbunov [38]: Alice chooses a random a ∈ G and publishes E_a := a ∗ E; Bob chooses a random b ∈ G and publishes E_b := b ∗ E. Their shared key is the curve E_ab := (ab) ∗ E = a ∗ E_b = b ∗ E_a, which they can both compute. To ensure that both parties obtain the same key, their shared key is the j-invariant of the curve E_ab. More recently, De Feo, Jao, and Plût [20], Galbraith [24], Castryck et al. [11], and De Feo, Kieffer, and Smith [21] proposed variants of this protocol with better security and efficiency. Moreover, a supersingular version of the isogeny problem was introduced and proposed as the basis for a collision resistant hash function [12]. Security of this one-way function was further studied in [19].

Second, as alluded to above, the star operator satisfies the following useful property: the abelian varieties A₁ := (g₁ ∗ E) × ⋯ × (g_n ∗ E) and A₂ := (g₁ ⋯ g_n) ∗ E × Eⁿ⁻¹ are isomorphic for all g₁, …, g_n ∈ G (see Appendix A.4 of [3]). As we will see in the next section, this suggests an n-party non-interactive key exchange protocol, as well as many other cryptographic constructions. This property leads to a more general cryptographic primitive that we call a cryptographic invariant map, defined in the next section. This primitive has properties that are similar to those of cryptographic multilinear maps [6, 25], which have found numerous applications in cryptography (e.g, [4, 7, 26, 27]). We discuss applications of cryptographic invariant maps in Section 3. In Remark 4.4 we explain why we use ordinary and not supersingular elliptic curves. Section 4 describes our approach to constructing cryptographic invariant maps from isogenies. This work leads to the following question in algebraic geometry.

An open problem.   To make the cryptographic applications discussed above viable we must first overcome an important technical challenge. While the varieties A₁ and A₂ defined above are isomorphic, they are presented differently. Our applications require an efficient way to compute an invariant that is the same for A₁ and A₂. In addition, the invariant must distinguish non-isomorphic varieties. We do not know any such computable isomorphism invariant, and we present this as an open problem. In Section 5 we explain why some natural proposals for isomorphism invariants do not seem to work. In Remarks 2.4 and 4.2 we show that a solution to this open problem, even for n = 2, would solve the isogeny decision Diffie–Hellman problem. Further, we give evidence that computing a particular isomorphism invariant might be equivalent to solving the elliptic curve isogeny problem, which is believed (or hoped) to be a quantum-resistant hard problem. Thus, Section 5 might be useful from the point of view of cryptanalysis of isogeny-based cryptography.

2 Cryptographic invariant maps

3 Applications

We show that suitable cryptographic invariant maps can be used to solve a number of important problems in cryptography.

n-way Non-Interactive Key Exchange (NIKE).   We show how to use a cryptographic invariant map to construct a Non-Interactive Key Exchange (NIKE) protocol in which n parties create a shared secret key that only they can efficiently calculate, without any interaction among the n parties. Currently, secure n-party NIKE for n > 3 is only known from general purpose indistinguishability obfuscation (e.g., [8]). Our NIKE construction is similar to the one in [6, 25, 32] and satisfies a “static” notion of security.

1. Setup(λ): run (X, S, G, e) ←R MapGen(λ) and choose x←RX. Output pp := (X, S, G, e, x).

2. For i = 1, …, n, party i chooses a random g_i←RG, computes x_i := g_i ∗ x ∈ X, and publishes x_i on a public bulletin board.

3. The shared key between the n-parties is

   k:=en−1((g1⋯gn)∗x,x,…,x)∈S.

   Party i ∈ {1, …, n} computes k by obtaining x₁, …, x_n from the bulletin board, then choosing some j ∈ {1, …, n} where j ≠ i, and computing

   k=en−1(x1,…,xj−1,gi∗xj,xj+1,…,xn)∈S,

   where x_i is omitted from the input to e_n−1.

All n parties obtain the same key k by the invariance property of e_n−1. Static security follows from the n-way decision Diffie–Hellman assumption, as in [6]. Alternatively, we can rely on the weaker n-way computational Diffie–Hellman assumption by applying a hash function H : S → K to the key k. We model H as a random oracle in the security analysis. We leave the question of an adaptively-secure NIKE, in the sense of [22, 37], from an invariant map for future work.

Unique signatures and verifiable random functions (VRF).   A digital signature scheme is made up of three algorithms: a key generation algorithm that outputs a public key and a secret key, a signing algorithm that signs a given message using the secret key, and a verification algorithm that verifies a signature on a given message using the public key. A signature scheme is a unique signature scheme if for every public key and every message, there is at most one signature that will be accepted as a valid signature for that message under the public key. While a number of unique signature schemes are known in the random oracle model (e.g., [2, 5]), it is quite hard to construct unique signatures without random oracles [17, 35]. Unique signatures are closely related to a simpler object called a verifiable random function, or VRF [36]. Previous results show how to construct unique signatures and VRFs from multilinear maps without random oracles [6]. The same constructions work with a cryptographic invariant map. The unique signature scheme works as follows: The secret key is a random (g_1,0, g_1,1, …, g_n,0, g_n,1) ←RG²ⁿ. The public key is (x, y_1,0, …, y_n,1) ∈ X²ⁿ⁺¹ where x←RX and y_i,b := g_i,b ∗ x for i = 1, …, n and b = 0, 1. The signature on an n-bit message m ∈ {0, 1}ⁿ is σ:=(∏i=1ngi,mi)∗x∈X. To verify a signature σ, check that e_n(σ, x, …, x) = e_n(y_1,m1, …, y_n,mn). The security analysis of this construction is the same as in [6].

Constrained PRFs and broadcast encryption.   We next describe how to construct constrained pseudorandom functions [7, 9, 33] for bit-fixing constraints from a cryptographic invariant map. Such constrained PRFs in turn can be used to build broadcast encryption with short ciphertexts [7].

A pseudorandom function (PRF) is a function F : 𝓚 × 𝓐 → 𝓑 that is computable in polynomial time. Here, 𝓚 is the key space, 𝓐 is the domain, and 𝓑 is the codomain. Intuitively, PRF security requires that, for a random key k ∈ 𝓚, an adversary who obtains pairs (a, F(k, a)), for a ∈ 𝓐 of its choice, cannot distinguish these pairs from pairs (a, f(a)) where f is a random function 𝓐 → 𝓑.

A bit-fixing constrained PRF is a PRF where a key k ∈ 𝓚 can be constrained to only evaluate the PRF on a subset of the domain 𝓐, where 𝓐 = {0, 1}ⁿ. Specifically, for V ⊆ [n] = {1, …, n} and a function v : V → {0, 1}, let 𝓐_v = {a ∈ 𝓐:∀ i ∈ V, a_i = v(i)}. A constrained key k_v enables one to evaluate F(k, a) for all a ∈ 𝓐_v, but reveals nothing about F(k, a) for a ∉ 𝓐_v. We refer to [7] for the complete definition of this concept, and its many applications.

We now explain how to construct bit-fixing constrained PRFs from cryptographic invariant maps. The construction and security proof are essentially the same as in Boneh and Waters [7], but translated to our setting. One complication is that the construction of Boneh and Waters requires a way to operate on invariants in S. We get around this by delaying the evaluation of the invariant to the very last step. We thus obtain the following bit-fixing constrained PRF:

1. Setup(λ): run (X, S, G, e) ←R MapGen(λ) and choose x←RX.

   Next choose α←RG and d_i,b←RG for i ∈ [n] and b ∈ {0, 1}.

   Output the key k = (X, S, G, e, α, {d_i,b}_i,b).

2. The PRF is defined as: F(k,a)=en((α×∏i=1ndi,ai)∗x,x,…,x).

   Here, a ∈ {0, 1}ⁿ specifies a subset product of the set of d_i,b’s.

3. Constrain(k, v): Let V ⊆ [n] be the support of the function v, and assume V is not empty. The constrained key k_v is constructed as follows. Set D_i,b = d_i,b∗ x for i ∉ V. Let i₀ be the smallest element of V. Choose ∣V∣ − 1 random g_i ∈ G for i ∈ V ∖ {i₀}, and set g_i0 = α × ∏_i∈Vd_i,vi × (∏_i∈V∖{i0}g_i)⁻¹ ∈ G. Let h_i = g_i∗ x for i ∈ V.

   The constrained key is k_v = ({D_i,b}_{i∉V,b∈{0,1}}, {h_i}_i∈V).

4. Eval(k_v, a): To evaluate F(k, a) using the constrained key k_v do the following. If a ∉ 𝓐_v, output ⋄. Otherwise, for i = 1, …, n, let C_i = D_i,ai if i ∉ V, and let C_i = h_i otherwise. Output e_n(C₁, …, C_n). Then, by construction,

   en(C1,…,Cn)=en∏i∉Vdi,ai∏i∈Vgi∗x,x,…,x=F(k,a).

The security proof is as in [7]. This construction can be further extended to a verifiable random function (VRF) by adapting Fuchsbauer [23] similarly.

Witness encryption.   Witness encryption, due to Garg et al. [27], can be used to construct Identity-Based Encryption, Attribute-Based Encryption, broadcast encryption [42], and secret sharing for NP statements. Witness encryption is a form of encryption where a public key is simply an NP statement, and a secret key is a witness for that statement. More precisely, a witness encryption scheme is a pair of algorithms:

1. Enc(x, m) is a randomized polynomial-time algorithm that takes as input an NP statement x and a message m, and outputs a ciphertext c;

2. Dec(x, w, c) is a deterministic polynomial-time algorithm that takes as input a statement x, supposed witness w, and ciphertext c, and attempts to produce the message m.

We require that if w is a valid witness for x, then for any message m, if c←R Enc(x, m), then Dec(x, w, c) outputs m with probability 1.

The basic notion of security for witness encryption is soundness security, which requires that if x is false, then Enc(x, m) hides all information about m. A stronger notion called extractable security, due to Goldwasser et al. [28], requires, informally, that if one can learn any information about m from Enc(x, m), then it must be the case that one “knows” a witness for x.

We briefly describe how to construct witness encryption from invariant maps. It suffices to give a construction from any NP-complete problem. There are at least two natural constructions from multilinear maps that we can use. One approach is to adapt the original witness encryption scheme of Garg et al. [27] based on the Exact Cover problem. This approach unfortunately also requires the same graded structure as needed by Boneh and Waters [7]. However, we can apply the same ideas as in our constrained PRF construction to get their scheme to work with invariant maps. Another is the scheme of Zhandry [42] based on Subset Sum.^[1]

As with the constructions of Garg et al. and Zhandry, the security of these constructions can be justified in an idealized attack model for the cryptographic invariant map, allowing only the operations explicitly allowed by the map–-namely the group action and the map operation. Justification in idealized models is not a proof, but provides heuristic evidence for security.

4 Cryptographic invariant maps from isogenies

We begin by recalling some facts that are presented in more detail in Appendix A of [3]. Let E be an ordinary elliptic curve over a finite field 𝔽_q such that the ring ℤ[π] generated by its Frobenius endomorphism π is integrally closed. This implies in particular that ℤ[π] is the full endomorphism ring 𝒪 of E. Let Cl(𝒪) denote the ideal class group of this ring, and let Ell(𝒪) denote the isogeny class of E; that is, isomorphism classes of elliptic curves over 𝔽_q which are 𝔽_q-isogenous to E. There exists a free and transitive action ∗ of Cl(𝒪) on Ell(𝒪), and there is a way to represent elements of Cl(𝒪) (namely, as products of prime ideals of small norm) that makes this action efficiently computable. Moreover, one can efficiently sample close to uniform elements in Cl(𝒪) under that representation. In addition, the “star operator” ∗ satisfies the following property: for any choice of ideal classes 𝔞₁, …, 𝔞_n, 𝔞′₁, …, 𝔞′_n in Cl(𝒪), the abelian varieties

are isomorphic over 𝔽_q if and only if 𝔞₁ ⋯ 𝔞_n = 𝔞′₁ ⋯ 𝔞′_n in Cl(𝒪). In particular:

Denote by Ab(E) the set of abelian varieties over 𝔽_q that are a product of the form (2), and assume that we can efficiently compute an isomorphism invariant for abelian varieties in Ab(E). In other words, assume that we have an efficiently computable map isom : Ab(E) → S to some set S that to any tuple E₁, …, E_n of elliptic curves isogenous to E associates an element isom(E₁ × ⋯ × E_n) of S such that isom(E₁ × ⋯ × E_n) = isom(E′₁ × ⋯ × E′_n) if and only if the products E₁ × ⋯ × E_n and E′₁ × ⋯ × E′_n are isomorphic as abelian varieties. The curves E_i are given for example by their j-invariants, and in particular, the ideal classes 𝔞_i such that E_i ≅ 𝔞_i ∗ E are not supposed to be known.

Based on such an isomorphism invariant isom, we construct a cryptographic invariant map as follows. The algorithm MapGen(λ) computes a sufficiently large base field 𝔽_q, and an elliptic curve E over 𝔽_q such that the ring ℤ[π] generated by its Frobenius endomorphism is integrally closed (this can be done efficiently: see again Appendix A of [3]). The algorithm then outputs the public parameters pp = (X, S, G, e) where:

1. X = Ell(𝒪) is the isogeny class of E over 𝔽_q;

2. S is the codomain of the isomorphism invariant isom;

3. G = Cl(𝒪) is the ideal class group of 𝒪; and

4. the map e_n : Xⁿ → S is given by e_n(E₁, …, E_n) = isom(E₁ × ⋯ × E_n).

The facts recalled at the beginning of this section show that G acts efficiently on X freely and transitively in the sense of Definition 2.1, and that the properties of Definition 2.2 are satisfied. In particular, the invariance property follows from (2), and the non-degeneracy from the fact that the abelian varieties in (1) are isomorphic only if the corresponding products of ideal classes coincide. Thus, this approach does provide a cryptographic invariant map assuming isom exists.

5 Some natural candidate cryptographic invariant maps

In order to instantiate a cryptosystem based on the ideas in this paper, it remains to find an efficiently computable map isom : Ab(E) → S for some set S, as in the previous section. Below we give evidence that several natural candidates fail, either because efficiently computing them would break the cryptographic security, or because they are not in fact isomorphism invariants.

Our primary roadblock is that while E₁ × ⋯ × E_n and E′₁ × ⋯ × E′_n can be isomorphic as unpolarized abelian varieties, they are not necessarily isomorphic as polarized abelian varieties with their product polarizations. The first three proposals below for invariants are invariants of the isomorphism class as polarized abelian varieties, but are not invariants of the isomorphism class as unpolarized abelian varieties. We do not know a way for the different parties to choose polarizations on their product varieties in a compatible way, to produce the same invariant, without solving the elliptic curve isogeny problem.

At present, we do not know an invariant of abelian varieties in dimension ≥ 2 that does not require choosing a polarization, with the exception of what we call the “Deligne invariant”, described below.

The theta null invariant.   One natural candidate is given by Mumford′s theta nulls, presented in detail in Appendix B of [3]. Unfortunately, in order to compute even a single theta null, one must first choose a principal polarization, and the resulting invariant does depend on this choice of polarization in a crucial way. In [3, Proposition B.7] we show that, as a result, the theta nulls do not in fact provide an isomorphism invariant as unpolarized abelian varieties.

Igusa invariants.   Suppose n = 2 and End E⊗Q≅Q(−d) with d ∈ ℕ square-free. If d ≠ 1, 3, 7, 15, then for E₁ and E₂ in the isogeny class of E, the product E₁ × E₂ is the Jacobian of a genus 2 curve C (see [30]). It is possible to compute such a genus 2 curve C, given a suitable principal polarization on E₁ × E₂. For each such C, one could then compute the Igusa invariants [31] of C. The number of genus 2 curves C such that E₁ × E₂ is isomorphic to the Jacobian variety of C is large ([29] and [34, Theorem 5.1]), and unfortunately the Igusa invariants are different for different choices of C. There are many principal polarizations on each element of Ab(E), and no compatible way for the different parties to choose the same one.

Invariants of Kummer surfaces.   When n = 2, another approach is to consider the Kummer surface of A = E₁ × E₂, which is the quotient K = A/{±1}. The surface K itself does not depend on a polarization. But extracting an invariant from K, for example as in [10, Chapter 3], does depend on having a projective embedding of K.

Deligne invariant.   A natural candidate is an isomorphism invariant studied by Deligne [15]. Suppose A is an ordinary abelian variety over k = 𝔽_q. The Serre-Tate canonical lift of A to characteristic 0 produces an abelian variety over the ring of Witt vectors W(k̄). Fixing an embedding α of W(k̄) into ℂ, we can view this lift as a complex abelian variety A^(α). Let T_α(A) denote the first integral homology group of A^(α). The theorem in [15, §7] shows that ordinary abelian varieties A and B over 𝔽_q are isomorphic if and only if there is an isomorphism T_α(A) → T_α(B) that respects the action of F.

A natural candidate for a cryptographic invariant map is the map that sends (E₁, …, E_n) to the isomorphism invariant

Specifying the isomorphism class of T_α(E₁ × ⋯ × E_n) as a ℤ[F]-module is equivalent to specifying the action of F as a 2n × 2n integer matrix, unique up to conjugacy over ℤ. However, we show in Theorem 5.1 below that being able to compute T_α(E) for an elliptic curve E in polynomial time would yield a polynomial-time algorithm to solve the elliptic curve isogeny problem of recovering 𝔞 given E and 𝔞∗ E, and conversely.