Security Analysis of Isogeny-Based Cryptosystems

Date

2020-08-20

Authors

Leonardi, Christopher

Advisor

Jao, David

Publisher

University of Waterloo

Abstract

Let $E$ be a supersingular elliptic curve over a finite field. In this document we study public-key encryption schemes which use non-constant rational maps from $E$. The purpose of this study is to determine if such cryptosystems are secure. Supersingular Isogeny Diffie-Hellman (SIDH) and other supersingular isogeny-based cryptosystems are considered. The content is naturally divided by cryptosystem, and in the case of SIDH, further divided by type of cryptanalysis: SIDH when the endomorphism ring of the base elliptic curve is given (as is done in practice), repeated use of keys in SIDH, and endomorphism ring constructing algorithms. In each case the relevant background material is presented to develop the theory.

In studying the security of SIDH when the endomorphism ring of the base curve $E$ is known, one of the main results is the following. This theorem is then used to reduce the security of such an SIDH instantiation to the problem of finding particular endomorphisms in $\End(E)$.

\begin{thm}
Given
\begin{enumerate}
\item a supersingular elliptic curve $E/\FQ$ such that $p = N_1 N_2 - 1$ for coprime $N_1\approx N_2$, where $N_2$ is $\log p$-smooth,
\item an elliptic curve $E'$ that is the codomain of an $N_1$-isogeny $\phi:E\rightarrow E'$,
\item the action of $\phi$ on $E[N_2]$, and
\item a $k$-endomorphism $\psi$ of $E$, where $\gcd(k, N_1) = 1$, and if $\g$ is the greatest integer such that $g\mid N_2^2$ and $g\mid k$, then $\h := \frac{k}{g} < N_1$,
\end{enumerate}
there exists a classical algorithm with worst-case runtime $\tilde{O}(\h^3)$ which decides whether $\psi(\ker\phi) = \ker\phi$ or not, but may give false positives with probability $\approx \frac{1}{\sqrt{p}}$. Further, if $\h$ is $\log{p}$-smooth, then the runtime is $\tilde{O}(\sqrt{\h})$.
\end{thm}

In studying the security of repeated use of SIDH public keys, the main result presented is the following theorem, which proves that performing multiple pairwise instances of SIDH prevents certain active attacks when keys are reused.

\begin{thm}
Assuming that the CSSI problem is intractable, it is computationally infeasible for a malicious adversary, with non-negligible probability, to modify a public key $(E_B,\phi_B(P_A),\phi_B(Q_A))$ to some $(E_B,R,S)$ which is malicious for SIDH.
\end{thm}

It is well known that the problem of computing hidden supersingular isogenies can be reduced to computing the endomorphism rings of the domain and codomain elliptic curves. A novel algorithm for computing an order in the endomorphism ring of a supersingular elliptic curve is presented and analyzed to have runtime $O(p^{1/2}(\log p)^2)$.

In studying non-SIDH cryptosystems, four other isogeny-based cryptosystems are examined. The first three were all proposed by the same authors and use secret endomorphisms. These are each shown to be either totally insecure (private keys can be recovered directly from public keys) or impractical to implement efficiently. The fourth scheme is a novel proposal which attempts to combine isogenies with the learning with errors problem. This proposal is also shown to be totally insecure.

Keywords

cryptography, isogeny, security, post quantum
