We introduce a special class of supersingular curves over Fp2 , characterized by the existence of non-integer endomorphisms of small degree. A
number of properties of this set is proved. Most notably, we show that when
this set partitions into subsets in such a way that curves within each subset
have small-degree isogenies between them, but curves in distinct subsets have
no small-degree isogenies between them. Despite this, we show that isogenies
between these curves can be computed efficiently, giving a technique for computing isogenies between certain prescribed curves that cannot be reasonably
connected by searching on ell-isogeny graphs.
more »
« less
SUPERSINGULAR CURVES WITH SMALL NON-INTEGER ENDOMORPHISMS
We introduce a special class of supersingular curves over Fp2 , characterized by the existence of non-integer endomorphisms of small degree. A
number of properties of this set is proved. Most notably, we show that when
this set partitions into subsets in such a way that curves within each subset
have small-degree isogenies between them, but curves in distinct subsets have
no small-degree isogenies between them. Despite this, we show that isogenies
between these curves can be computed efficiently, giving a technique for computing isogenies between certain prescribed curves that cannot be reasonably
connected by searching on ell-isogeny graphs.
more »
« less
- Award ID(s):
- 1701567
- PAR ID:
- 10183711
- Date Published:
- Journal Name:
- Algorithmic number theory symposium (ANTS)
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Problems relating to the computation of isogenies between elliptic curves defined over finite fields have been studied for a long time. Isogenies on supersingular elliptic curves are a candidate for quantum-safe key exchange protocols because the best known classical and quantum algorithms for solving well-formed instances of the isogeny problem are exponential. We propose an implementation of supersingular isogeny Diffie-Hellman (SIDH) key exchange for complete Edwards curves. Our work is motivated by the use of Edwards curves to speed up many cryptographic protocols and improve security. Our work does not actually provide a faster implementation of SIDH, but the use of complete Edwards curves and their complete addition formulae provides security benefits against side-channel attacks. We provide run time complexity analysis and operation counts for the proposed key exchange based on Edwards curves along with comparisons to the Montgomery form.more » « less
-
We present new results and speedups for the large-degree isogeny computations within the extended supersingular isogeny Diffie-Hellman (eSIDH) key agreement framework. As proposed by Cervantes-Vázquez, Ochoa-Jiménez, and Rodríguez-Henríquez, eSIDH is an extension to SIDH and fourth round NIST post-quantum cryptographic standardization candidate SIKE. By utilizing multiprime large-degree isogenies, eSIDH and eSIKE are faster than the standard SIDH/SIKE and amenable to parallelization techniques that can noticeably increase their speed with multiple cores. Here, we investigate the use of multiprime isogeny strategies to speed up eSIDH and eSIKE in serial implementations. These strategies have been investigated for other isogeny schemes such as CSIDH. We apply them to the eSIDH/eSIKE scenario to speed up the multiprime strategy by about 10%. When applied to eSIDH, we achieve a 7–8% speedup for Bob’s shared key agreement operation. When applied to eSIKE, we achieve a 3–4% speedup for key decapsulation. Historically, SIDH and SIKE have been considerably slower than its competitors in the NIST PQC standardization process. These results continue to highlight the various speedups achievable with the eSIKE framework to alleviate these speed concerns. Though eSIDH and eSIKE are susceptible to the recent devastating attacks on SIKE, our analysis applies to smooth degree isogeny computations in general, and isogeny-based signature schemes which use isogenies of smooth (not necessarily powersmooth) degree.more » « less
-
Abstract We describe a framework for constructing an efficient non-interactive key exchange (NIKE) protocol for n parties for any n ≥ 2. Our approach is based on the problem of computing isogenies between isogenous elliptic curves, which is believed to be difficult. We do not obtain a working protocol because of a missing step that is currently an open mathematical problem. What we need to complete our protocol is an efficient algorithm that takes as input an abelian variety presented as a product of isogenous elliptic curves, and outputs an isomorphism invariant of the abelian variety. Our framework builds a cryptographic invariant map , which is a new primitive closely related to a cryptographic multilinear map, but whose range does not necessarily have a group structure. Nevertheless, we show that a cryptographic invariant map can be used to build several cryptographic primitives, including NIKE, that were previously constructed from multilinear maps and indistinguishability obfuscation.more » « less
-
A finite set of integers A is a sum-dominant (also called a More Sums Than Differences or MSTD) set if |A+A| > |A−A|. While almost all subsets of {0, . . . , n} are not sum-dominant, interestingly a small positive percentage are. We explore sufficient conditions on infinite sets of positive integers such that there are either no sum-dominant subsets, at most finitely many sum-dominant subsets, or infinitely many sum-dominant subsets. In particular, we prove no subset of the Fibonacci numbers is a sum-dominant set, establish conditions such that solutions to a recurrence relation have only finitely many sum-dominant subsets, and show there are infinitely many sum-dominant subsets of the primes.more » « less