supersingular isogeny key exchange

Supersingular isogeny Diffie–Hellman key exchange (SIDH or SIKE) is an insecure proposal for a post-quantum cryptographic algorithm to establish a secret key between two parties over an untrusted communications channel. It is analogous to the Diffie–Hellman key exchange, but is based on walks in a supersingular isogeny graph and was designed to resist cryptanalytic attack by an adversary in possession of a quantum computer. Before it was broken, SIDH boasted one of the smallest key sizes of all post-quantum key exchanges; with compression, SIDH used 2688-bit{{Cite journal|last1=Costello|first1=Craig|last2=Jao|first2=David|last3=Longa|first3=Patrick|last4=Naehrig|first4=Michael|last5=Renes|first5=Joost|last6=Urbanik|first6=David|date=2016-10-04|title=Efficient compression of SIDH public keys|journal=Cryptology ePrint Archive |url=https://eprint.iacr.org/2016/963}} public keys at a 128-bit quantum security level. SIDH also distinguishes itself{{Disputed inline|Forward secrecy claim|date=September 2022}} from similar systems such as NTRU and Ring-LWE {{Citation needed|reason=LWE article claims Ring-LWE does support forward secrecy|date=January 2022}} by supporting perfect forward secrecy, a property that prevents compromised long-term keys from compromising the confidentiality of old communication sessions. These properties seemed to make SIDH a natural candidate to replace Diffie–Hellman (DHE) and elliptic curve Diffie–Hellman (ECDHE), which are widely used in Internet communication. However, SIDH is vulnerable to a devastating key-recovery attack published in July 2022 and is therefore insecure. The attack does not require a quantum computer.{{Cite conference | author1-first=Wouter |author1-last=Castryck |author2-first= Thomas|author2-last= Decru |chapter=An efficient key recovery attack on SIDH |chapter-url=https://eprint.iacr.org/2022/975.pdf | title=Advances in Cryptology – EUROCRYPT 2023 |series= Lecture Notes in Computer Science|volume= 14008|publisher=Springer |doi=10.1007/978-3-031-30589-4_15 | isbn= 978-3-031-30589-4 |date=2023 |editor1=Carmit Hazay | editor2= Martijn Stam | conference= International Association for Cryptologic Research |pages= 423–447}}{{Cite news |title=Post-quantum encryption contender is taken out by single-core PC and 1 hour |work=arstechnica |url=https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/ |access-date=}}

Introduction

For certain classes of problems, algorithms running on quantum computers are naturally capable of achieving lower time complexity than on classical computers. That is, quantum algorithms can solve certain problems faster than the most efficient algorithm running on a traditional computer. For example, Shor's algorithm can factor an integer N in polynomial time, while the best-known factoring classic algorithm, the general number field sieve, operates in sub-exponential time. This is significant to public key cryptography because the security of RSA is dependent on the infeasibility of factoring integers, the integer factorization problem. Shor's algorithm can also efficiently solve the discrete logarithm problem, which is the basis for the security of Diffie–Hellman, elliptic curve Diffie–Hellman, elliptic curve DSA, Curve25519, ed25519, and ElGamal. Although quantum computers are currently in their infancy, the ongoing development of quantum computers and their theoretical ability to compromise modern cryptographic protocols (such as TLS/SSL) has prompted the development of post-quantum cryptography.{{cite web|last=Utsler|first=Jim|title=Quantum Computing Might Be Closer Than Previously Thought|url=http://www.ibmsystemsmag.com/mainframe/trends/IBM-Research/quantum_computing/|publisher=IBM|accessdate=27 May 2013|year=2013|archive-date=14 May 2016|archive-url=https://web.archive.org/web/20160514122141/http://www.ibmsystemsmag.com/mainframe/trends/IBM-Research/quantum_computing/|url-status=dead}}

SIDH was created in 2011 by De Feo, Jao, and Plut.{{cite web|last=De Feo|first=Luca|title=Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies|url=http://eprint.iacr.org/2011/506.pdf|work=PQCrypto 2011|publisher=Springer|accessdate=4 May 2014|author2=Jao, Plut }} It uses conventional elliptic curve operations and is not patented. SIDH provides perfect forward secrecy and thus does not rely on the security of long-term private keys. Forward secrecy improves the long-term security of encrypted communications, helps defend against mass surveillance, and reduces the impact of vulnerabilities like Heartbleed.{{cite web|last=Higgins|first=Parker|title=Long Term Privacy with Forward Secrecy|url=https://www.eff.org/deeplinks/2011/11/long-term-privacy-forward-secrecy|publisher=Electronic Frontier Foundation|accessdate=4 May 2014|date=2011-11-30}}{{cite web|last=Zhu|first=Yan|title=Why the Web Needs Perfect Forward Secrecy More Than Ever|url=https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy|publisher=Electronic Frontier Foundation|accessdate=4 May 2014|date=2014-04-08}}

Background

The j-invariant of an elliptic curve given by the Weierstrass equation $y^2 = x^3 + ax + b$ is given by the formula:

: $j(E) = 1728 \frac{4a^3}{4a^3+27b^2}$ .

Isomorphic curves have the same j-invariant; over an algebraically closed field, two curves with the same j-invariant are isomorphic.

The supersingular isogeny Diffie-Hellman protocol (SIDH) works with the graph whose vertices are (isomorphism classes of) supersingular elliptic curves and whose edges are isogenies between those curves. An isogeny $\phi: E \to E'$ between elliptic curves $E$ and $E'$ is a rational map which is also a group homomorphism. If separable, $\phi$ is determined by its kernel up to an isomorphism of target curve $E'$ .

The setup for SIDH is a prime of the form $p = l_A^{e_A}\cdot l_B^{e_B}\cdot f \mp 1$ , for different (small) primes $l_A$ and $l_B$ , (large) exponents $e_A$ and $e_B$ , and small cofactor $f$ , together with a supersingular elliptic curve $E$ defined over $\mathbb{F}_{p^2}$ . Such a curve has two large torsion subgroups, $E[l_A^{e_A}]$ and $E[l_B^{e_B}]$ , which are assigned to Alice and Bob, respectively, as indicated by the subscripts. Each party starts the protocol by selecting a (secret) random cyclic subgroup of their respective torsion subgroup and computing the corresponding (secret) isogeny. They then publish, or otherwise provide the other party with, the equation for the target curve of their isogeny along with information about the image of the other party's torsion subgroup under that isogeny. This allows them both to privately compute new isogenies from $E$ whose kernels are jointly generated by the two secret cyclic subgroups. Since the kernels of these two new isogenies agree, their target curves are isomorphic. The common j-invariant of these target curves may then be taken as the required shared secret.

Since the security of the scheme depends on the smaller torsion subgroup, it is recommended to choose $l_A^{e_A} \approx l_B^{e_B}$ .

An excellent reference for this subject is De Feo's article "Mathematics of Isogeny Based Cryptography."{{cite arXiv|title = Mathematics of Isogeny Based Cryptography|eprint = 1711.04062|date = 2017|first = Luca|last = De Feo|class = cs.CR}}

Security

The most straightforward way to attack SIDH is to solve the problem of finding an isogeny between two supersingular elliptic curves with the same number of points. At the time of the original publication due to De Feo, Jao and Plût, the best attack known against SIDH was based on solving the related claw-finding problem, which led to a complexity of {{Math|O(p^1/4)}} for classical computers and {{Math|O(p^1/6)}} for quantum computers. This suggested that SIDH with a 768-bit prime (p) would have a 128-bit security level. A 2014 study of the isogeny problem by Delfs and Galbraith confirmed the {{Math|O(p^1/4)}} security analysis for classical computers.{{cite arXiv|eprint = 1310.7789|title = Computing isogenies between supersingular elliptic curves over F_p|date = 29 Oct 2013|last1 = Delfs|first1 = Christina|last2 = Galbraith|class = math.NT}} The classical security {{Math|O(p^1/4)}} remained unaffected by related cryptanalytic work of Biasse, Jao and Sankar as well as Galbraith, Petit, Shani and Yan.{{Cite conference|chapter-url=http://cacr.uwaterloo.ca/techreports/2014/cacr2014-24.pdf |access-date =11 December 2016

}}{{Cite conference|chapter-url=https://eprint.iacr.org/2016/859.pdf|last1=Galbraith|first1= Stephen D.| first2= Christophe| last2=Petit | s2cid= 10607050 | first3= Barak | last3= Shani | last4= Yan | first4= Boti

| date=2016 | chapter= On the Security of Supersingular Isogeny Cryptosystems|editor1=Junghee Cheon|editor2=Takagi Tsuyoshi |title= Advances in Cryptology – ASIACRYPT 2016|series= Lecture Notes in Computer Science|volume= 10031|publisher= Springer |doi=10.1007/978-3-662-53887-6_3 | conference=International Association for Cryptologic Research |isbn=978-3-662-53887-6 | pages=63–91 | place= 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016 }}

A more intricate attack strategy is based on exploiting the auxiliary elliptic-curve points present in SIDH public keys, which in principle reveal a lot of additional information about the secret isogenies, but this information did not seem computationally useful for attackers at first. Petit in 2017 first demonstrated a technique making use of these points to attack some rather peculiar SIDH variants.{{Cite conference |last=Petit |first=Christophe |title=Advances in Cryptology – ASIACRYPT 2017 |chapter=Faster Algorithms for Isogeny Problems Using Torsion Point Images |date=2017 |chapter-url=http://pure-oai.bham.ac.uk/ws/files/42837397/FasterAlgorithms.pdf |journal=Asiacrypt 2017 |series=Lecture Notes in Computer Science |volume=10625 |pages=330–353 |doi=10.1007/978-3-319-70697-9_12 |isbn=978-3-319-70696-2 |s2cid=2992191 |language=en}} Despite follow-up work extending the attack to much more realistic SIDH instantiations, the attack strategy still failed to break "standard" SIDH as employed by the NIST PQC submission SIKE.

In July 2022, Castryck and Decru published an efficient key-recovery attack on SIKE that exploits the auxiliary points. Using a single-core computer, SIKEp434 was broken within approximately an hour, SIKEp503 within approximately 2 hours, SIKEp610 within approximately 8 hours and SIKEp751 within approximately 21 hours.{{Cite web |last=Cepelewicz |first=Jordana |date=2022-08-24 |title='Post-Quantum' Cryptography Scheme Is Cracked on a Laptop |url=https://www.quantamagazine.org/post-quantum-cryptography-scheme-is-cracked-on-a-laptop-20220824/ |access-date=2022-08-24 |website=Quanta Magazine |language=en}} The attack relies on gluing together multiple of the elliptic curves appearing in the SIDH construction, giving an abelian surface (more generally, an abelian variety), and computing a specially crafted isogeny defined by the given auxiliary points on that higher-dimensional object.

It should be stressed that the attack crucially relies on the auxiliary points given in SIDH, and there is no known way to apply similar techniques to the general isogeny problem.

Efficiency

During a key exchange, entities A and B will each transmit information of 2 coefficients modulo {{Math|p²}} defining an elliptic curve and 2 elliptic curve points. Each elliptic curve coefficient requires {{Math|log₂ p²}} bits. Each elliptic curve point can be transmitted in {{Math|1 + log₂ p²}} bits; hence, the transmission is {{Math|4 + 4 log₂ p²}} bits. This is 6144 bits for a 768-bit modulus {{Mvar|p}} (128-bit security). However, this can be reduced by over half to 2640 bits (330 bytes) using key-compression techniques, the latest of which appears in recent work by authors Costello, Jao, Longa, Naehrig, Renes and Urbanik.{{cite web|last1=Costello|first1=Craig|last2=Jao|first2=David|last3=Longa|first3=Patrick|last4=Naehrig|first4=Michael|last5=Renes|first5=Joost|last6=Urbanik|first6=David|title=Efficient Compression of SIDH public keys|url=https://eprint.iacr.org/2016/963|accessdate=8 October 2016}} With these compression techniques, SIDH has a similar bandwidth requirement to traditional 3072-bit RSA signatures or Diffie-Hellman key exchanges. This small space requirement makes SIDH applicable to context that have a strict space requirement, such as Bitcoin or Tor. Tor's data cells must be less than 517 bytes in length, so they can hold 330-byte SIDH keys. By contrast, NTRUEncrypt must exchange approximately 600 bytes to achieve a 128-bit security and cannot be used within Tor without increasing the cell size.{{Cite web|url = http://eprint.iacr.org/2016/229|author1=Azarderakhsh|author2=Jao|author3=Kalach|author4=Koziel|author5=Leonardi|title= Key Compression for Isogeny-Based Cryptosystems|website = eprint.iacr.org|access-date = 2016-03-02}}

In 2014, researchers at the University of Waterloo developed a software implementation of SIDH. They ran their partially optimized code on an x86-64 processor running at 2.4 GHz. For a 768-bit modulus they were able to complete the key exchange computations in 200 milliseconds thus demonstrating that the SIDH is computationally practical.{{Cite thesis|url = https://uwspace.uwaterloo.ca/handle/10012/8400|title = Machine-Level Software Optimization of Cryptographic Protocols|date = 30 April 2014|accessdate = 21 June 2014|website = University of Waterloo Library - Electronic Theses|publisher = University of Waterloo|last = Fishbein|first = Dieter| type=Master Thesis }}

In 2016, researchers from Microsoft posted software for the SIDH which runs in constant time (thus protecting against timing attacks) and is the most efficient implementation to date. They write: "The size of public keys is only 564 bytes, which is significantly smaller than most of the popular post-quantum key exchange alternatives. Ultimately, the size and speed of our software illustrates the strong potential of SIDH as a post-quantum key exchange candidate and we hope that these results encourage a wider cryptanalytic effort."{{Cite journal|last1=Costello|first1=Craig|last2=Longa|first2=Patrick|last3=Naehrig|first3=Michael|date=2016-01-01|title=Efficient algorithms for supersingular isogeny Diffie-Hellman|journal=Cryptology ePrint Archive |url=https://eprint.iacr.org/2016/413}} The code is open source (MIT) and is available on GitHub: [https://github.com/microsoft/PQCrypto-SIDH https://github.com/microsoft/PQCrypto-SIDH].

In 2016, researchers from Florida Atlantic University developed efficient ARM implementations of SIDH and provided a comparison of affine and projective coordinates.{{Cite journal|last1=Koziel|first1=Brian|last2=Jalali|first2=Amir|last3=Azarderakhsh|first3=Reza|last4=Kermani|first4=Mehran|last5=Jao|first5=David|date=2016-11-03|title=NEON-SIDH: Efficient Implementation of Supersingular Isogeny Diffie-Hellman Key Exchange Protocol on ARM|journal=Cryptology ePrint Archive |url=https://eprint.iacr.org/2016/669}}{{Cite journal|last1=Jalali|first1=A.|last2=Azarderakhsh|first2=R.|last3=Kermani|first3=M. Mozaffari|last4=Jao|first4=D.|title=Supersingular Isogeny Diffie-Hellman Key Exchange on 64-bit ARM|journal=IEEE Transactions on Dependable and Secure Computing|volume=PP|issue=99|pages=902–912|doi=10.1109/TDSC.2017.2723891|issn=1545-5971|year=2019|s2cid=51964822}} In 2017, researchers from Florida Atlantic University developed the first FPGA implementations of SIDH.{{Cite journal|last1=Koziel|first1=Brian|last3=Azarderakhsh|first3=Reza|last2=Kermani|first2=Mehran|title=Fast Hardware Architectures for Supersingular Isogeny Diffie-Hellman Key Exchange on FPGA|journal=Cryptology ePrint Archive |

url=http://eprint.iacr.org/2016/1044|date=2016-11-07}}

The supersingular isogeny Diffie-Hellman method

While several steps of SIDH involve complex isogeny calculations, the overall flow of SIDH for parties A and B is straightforward for those familiar with a Diffie-Hellman key exchange or its elliptic curve variant.

=Setup =

These are public parameters that can be shared by everyone in the network, or they can be negotiated by parties A and B at the beginning of a session.

A prime of the form $p = w_A^{e_A}\cdot w_B^{e_B}\cdot f \pm 1.$
A supersingular elliptic curve $E$ over $\mathbb{F}_{p^2}$ .
Fixed elliptic points $P_A, Q_A, P_B, Q_B$ on $E$ .
The order of $P_A$ and $Q_A$ is $(w_A)^{e_A}$ . The order of $P_B$ and $Q_B$ is $(w_B)^{e_B}$ .

=Key exchange=

In the key exchange, parties A and B will each create an isogeny from a common elliptic curve E. They each will do this by creating a random point in what will be the kernel of their isogeny. The kernel of their isogeny will be spanned by $R_A$ and $R_B$ respectively. The different pairs of points used ensure that parties A and B create different, non-commuting, isogenies. A random point ( $R_A$ , or $R_B$ ) in the kernel of the isogenies is created as a random linear combination of the points $P_A$ , $Q_A$ and $P_B$ , $Q_B$ .

Using $R_A$ , or $R_B$ , parties A and B then use Velu's formulas for creating isogenies $\phi_A$ and $\phi_B$ respectively. From this they compute the image of the pairs of points $P_A$ , $Q_A$ or $P_B$ , $Q_B$ under the $\phi_B$ and $\phi_A$ isogenies respectively.

As a result, A and B will now have two pairs of points $\phi_A(P_B)$ , $\phi_A(Q_B)$ and $\phi_B(P_A)$ , $\phi_B(Q_A)$ respectively. A and B now exchange these pairs of points over a communications channel.

A and B now use the pair of points they receive as the basis for the kernel of a new isogeny. They use the same linear coefficients they used above with the points they received to form a point in the kernel of an isogeny that they will create. They each compute points $S_{BA}$ and $S_{AB}$ and use [https://eprint.iacr.org/2011/430.pdf Velu's formulas] to construct new isogenies.

To complete the key exchange, A and B compute the coefficients of two new elliptic curves under these two new isogenies. They then compute the j-invariant of these curves. Unless there were errors in transmission, the j-invariant of the curve created by A will equal to the j-invariant of the curve created by B.

Notationally, the SIDH key exchange between parties A and B works as follows:

1A. A generates two random integers $m_A, n_A < (w_A)^{e_A}.$

2A. A generates $R_A := m_A \cdot (P_A)+ n_A\cdot (Q_A).$

3A. A uses the point $R_A$ to create an isogeny mapping $\phi_A: E\rightarrow E_A$ and curve $E_A$ isogenous to $E.$

4A. {{Not a typo|A}} applies $\phi_A$ to $P_B$ and $Q_B$ to form two points on $E_A: \phi_A(P_B)$ and $\phi_A(Q_B).$

5A. A sends to B $E_A, \phi_A(P_B)$ , and $\phi_A(Q_B).$

1B - 4B: Same as A1 through A4, but with A and B subscripts swapped.

5B. B sends to A $E_B,\phi_B(P_A)$ , and $\phi_B(Q_A).$

6A. A has $m_A, n_A, \phi_B(P_A)$ , and $\phi_B(Q_A)$ and forms $S_{BA} := m_A(\phi_B(P_A)) + n_A(\phi_B(Q_A)).$

7A. A uses $S_{BA}$ to create an isogeny mapping $\psi_{BA}$ .

8A. A uses $\psi_{BA}$ to create an elliptic curve $E_{BA}$ which is isogenous to $E$ .

9A. A computes $K := \text{ j-invariant } (E_{BA})$ of the curve $E_{BA}$ .

6B. Similarly, B has $m_B, n_B, \phi_A(P_B)$ , and $\phi_A(Q_B)$ and forms $S_{AB} = m_B (\phi_A(P_B)) + n_B(\phi_A(Q_B))$ .

7B. B uses $S_{AB}$ to create an isogeny mapping $\psi_{AB}$ .

8B. B uses $\psi_{AB}$ to create an elliptic curve $E_{AB}$ which is isogenous to $E$ .

9B. B computes $K := \text{ j-invariant } (E_{AB})$ of the curve $E_{AB}$ .

The curves $E_{AB}$ and $E_{BA}$ are guaranteed to have the same j-invariant. A function of $K$ is used as the shared key.

Sample parameters

The following parameters were taken as an example by De Feo et al.:

The prime for the key exchange was selected with {{Math|1=w_A = 2}}, {{Math|1=w_B = 3}}, {{Math|1=e_A = 63}}, {{Math|1=e_B = 41}} and {{Math|1=f = 11}}, so that {{Math|1=p = 2⁶³ · 3⁴¹ · 11 − 1}}.

The starting curve {{Math|E₀}} was {{Math|1=y² = x³ + x}}.

Luca De Feo, one of the authors of the paper defining the key exchange, has posted software that implements the key exchange for these and other parameters.{{Cite web|title = defeo/ss-isogeny-software|url = https://github.com/defeo/ss-isogeny-software|website = GitHub|accessdate = 2015-05-29}}

Similar systems, signatures, and uses

A predecessor to the SIDH was published in 2006 by Rostovtsev and Stolbunov. They created the first Diffie-Hellman replacement based on elliptic curve isogenies. Unlike the method of De Feo, Jao, and Plut, the method of Rostovtsev and Stolbunov used ordinary elliptic curves{{cite web|last=Rostovtsev|first=Alexander|title=PUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES|url=https://eprint.iacr.org/2006/145.pdf|publisher=Springer|accessdate=10 May 2014|author2=Stolbunov|archiveurl=https://web.archive.org/web/20130626185658/http://eprint.iacr.org/2006/145.pdf|archivedate=26 June 2013|year=2006|url-status=bot: unknown}} and was found to have a subexponential quantum attack.{{cite journal|last=Childs|first=Andrew M|title=Constructing elliptic curve isogenies in quantum subexponential time|arxiv=1012.4019|author2=Jao, Soukharev|doi=10.1515/jmc-2012-0016|volume=8|journal=Journal of Mathematical Cryptology|pages=1–29|year=2014|s2cid=1902409}}

In March 2014, researchers at the Chinese State Key Lab for Integrated Service Networks and Xidian University extended the security of the SIDH to a form of digital signature with strong designated verifier.{{Cite journal|url = http://dl.acm.org/citation.cfm?id=2608696|title = Toward quantum-resistant strong designated verifier signature|last1 = Sun|first1 = Xi|date = 2 March 2014|journal = International Journal of Grid and Utility Computing|accessdate = 21 June 2014|doi = 10.1504/IJGUC.2014.060187|last2 = Tian|volume=5|issue = 2|page=80}} In October 2014, Jao and Soukharev from the University of Waterloo presented an alternative method of creating undeniable signatures with designated verifier using elliptic curve isogenies.{{Cite book|chapter-url = http://cacr.uwaterloo.ca/techreports/2014/cacr2014-15.pdf|last1 = Jao|first1 = David|date = 3 October 2014|accessdate = 28 April 2016|doi = 10.1007/978-3-319-11659-4_10|last2 = Soukharev|first2 = Vladimir| chapter=Isogeny-Based Quantum-Resistant Undeniable Signatures |title = Post-Quantum Cryptography|volume = 8772|pages = 160–179|series = Lecture Notes in Computer Science|isbn = 978-3-319-11658-7|citeseerx = 10.1.1.465.149}}{{Importance inline|reason=Both of these are extremely specific examples of rather obscure SIDH-based constructions. It seems very odd to list these two and nothing else.|date=December 2023}}

References

Category:Cryptographic algorithms

Category:Broken cryptography algorithms

Category:Post-quantum cryptography