Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

Authors:
David Jao;Luca De Feo
Affiliations:
Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario, Canada;Laboratoire PRiSM, Université de Versailles, Versailles, France
Venue:
PQCrypto'11 Proceedings of the 4th international conference on Post-Quantum Cryptography
Year:
2011

Citing 8
Cited 0

The Pohlig-Hellman method generalized for group structure computation

Journal of Symbolic Computation
Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
Extending the GHS Weil Descent Attack

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems

ANTS-V Proceedings of the 5th International Symposium on Algorithmic Number Theory
Full Cryptanalysis of LPS and Morgenstern Hash Functions

SCN '08 Proceedings of the 6th international conference on Security and Cryptography for Networks
Cryptographic Hash Functions from Expander Graphs

Journal of Cryptology
Claw finding algorithms using quantum walk

Theoretical Computer Science
Promised and distributed quantum search

COCOON'05 Proceedings of the 11th annual international conference on Computing and Combinatorics

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present new candidates for quantum-resistant public-key cryptosystems based on the conjectured difficulty of finding isogenies between supersingular elliptic curves. The main technical idea in our scheme is that we transmit the images of torsion bases under the isogeny in order to allow the two parties to arrive at a common shared key despite the noncommutativity of the endomorphism ring. Our work is motivated by the recent development of a subexponential-time quantum algorithm for constructing isogenies between ordinary elliptic curves. In the supersingular case, by contrast, the fastest known quantum attack remains exponential, since the noncommutativity of the endomorphism ring means that the approach used in the ordinary case does not apply. We give a precise formulation of the necessary computational assumption along with a discussion of its validity. In addition, we present implementation results showing that our protocols are multiple orders of magnitude faster than previous isogeny-based cryptosystems over ordinary curves.