Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [isogeny]

Elliptic curve isogenies are structure-preserving maps between elliptic curves which have been proposed as a foundation of post-quantum cryptosystems.

Elliptic curve isogenies are structure-preserving maps between elliptic curves which have been proposed as a foundation of post-quantum cryptosystems.

An isogeny between two elliptic curves is a non-constant group homomorphism which is given by rational maps. The problem of finding an isogeny between two given curves is conjectured to be hard even for quantum computers, hence computing random isogenies is a suitable primitive for post-quantum cryptography.

Cryptosystems based on (variants of) this hard problem include the Hard Homogeneous Spaces scheme of CouveignesRostovtsev–Stolbunov and Jao–De Feo's Supersingular-Isogeny Diffie-Hellman with its actively secure variant SIKE.

51 questions
16
votes
1 answer

The death of isogeny-based cryptography?

Wouter Castryck and Thomas Decru recently broke SIDH. From the abstract: We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a "glue-and-split" theorem due to Kani. The referenced Kani…
Danial
  • 161
  • 1
  • 3
7
votes
1 answer

CSIDH - l ideal generators

I am trying to study the CSIDH algorithm. I have some beginner background in elliptic curves and I have been following Andrew Sutherland's lectures (https://math.mit.edu/classes/18.783/2019/lectures.html) to understand the endomorphism rings and the…
honzaik
  • 507
  • 4
  • 12
6
votes
2 answers

How to get an optimal strategy in computing isogenies for SIDH/SIKE

How to get a strategy $(s_1,...,s_{t-1})$ as mentioned in section 1.3.7 of SIKE spec? If possible, can anyone give me an example? And why do we need to compute all leaf point? I though we just need the right most leaf point to get an isogeny of…
Hzt
  • 107
  • 6
6
votes
2 answers

Finding the subgroup in isogeny-based cryptography

Isogeny-based cryptography is one of the newest post-quantum cryptography. Hardness of this system is based on finding isogeny between two elliptic curves. Also this is theorem: Elliptic curves are isogenous over $F_p$ if and only if they have…
Meysam Ghahramani
  • 2,353
  • 1
  • 18
  • 32
6
votes
3 answers

Supersingular Isogeny Key Exchange broken?

Found this report detailing a quantum algorithm for computing isogenies between supersingular elliptic curves. https://cacr.uwaterloo.ca/techreports/2014/cacr2014-24.pdf with the quote "recommendation to avoid using base curves defined over $\mathbb…
Zaphod1001
  • 461
  • 2
  • 7
5
votes
1 answer

SIKE: choice of n

The "Supersingular Isogeny Key Encapsulation" proposal submited to PQC-NIST (PDF) defines the value $n$ to be from set $\{192,256,320\}$ (see point 1.4). Does anybody have an idea to what it corresponds to exactly? Can I use, let say P751 and with…
Kris Kwiatkowski
  • 365
  • 1
  • 8
5
votes
1 answer

Any Supersingular Isogeny-based Diffie-Hellman (SIDH) key exchange recommended Curve Domain Parameters?

For existing ECDH, I understand that there are recommended Elliptic Curve Domain Parameters. May I know if there are such similar considerations in SIDH? Any recommended Curve Domain Parameters?
Nathan Aw
  • 2,357
  • 3
  • 18
  • 22
5
votes
1 answer

Can Microsoft's SIDH (Supersingular Isogeny) keypairs be reused for encryption? If not, why?

I was considering using Microsoft's SIDH implementation for post-quantum public-key encryption because of its relatively small key size. I realized however, thanks to Issue #4, that it might not be as ideal as I had hoped: SIKE is IND-CCA2 secure,…
user55672
5
votes
1 answer

Parameter choice Supersingular Isogeny DH

In “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies” by DeFeo, Jao and Plut (PDF), the public parameters are defined as: Supersingular curve $E$, and bases $P, Q$ generating the torsion subgroup $E[l]$…
Fleeep
  • 512
  • 2
  • 12
4
votes
0 answers

How can I calculate the security level provided by a supersingular Elliptic Curve?

I want to know what security level is provided by an elliptic curve used in Supersingular isogeny Diffie–Hellman key exchange (SIDH). Is there any mathematical convention to follow or by looking at different parameters we can find the security…
Aisha
  • 83
  • 6
4
votes
2 answers

Elliptic Curve Isogenies, Frobenius endomorphism relation to characteristic equation

In Schoof's 1995 paper, Counting points on elliptic curves over finite fields, page 236, Proposition 6.1(i) states: Let $\mathbb{E}$ be an elliptic curve over $\mathbb{F}_p$. Suppose that its $j$-invariant is not supersingular and that $j\neq 0 $…
user48965
  • 41
  • 1
4
votes
2 answers

How does the key size in supersingular isogeny schemes relate to their security level?

I'm looking at the De Feo, Jao, and Plût 2014 paper: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. My understanding of section 3.2 Key Exchange, is that Alice's private key is the isogeny $\phi_A : E…
Mike Ounsworth
  • 3,717
  • 1
  • 20
  • 29
3
votes
2 answers

Independent parameters basis for torsion-groups in SIDH: Is the Weil-pairing necessary?

In the original SIDH paper by De Feo, Jao and Plût, the basis points $P_A$ and $Q_A$ are supposed to be independent points in $E(\mathbb{F}_{p^2})$ of order $\ell_A^{e_A}$ for some small prime $\ell_A$ on some supersingular curve $E$. To check…
Jo_K_Er
  • 33
  • 5
3
votes
1 answer

SIDH: key agreement - why does it work?

In SIDH both parties agree on the key in following way: Alice calculates a kernel $R = mPB + nQB$ Thanks to Velu formulas (and further improvements), she can now compute isogeny $\phi_a$ She uses $\phi_a$ to start hers random walk and ends up with…
Kris Kwiatkowski
  • 365
  • 1
  • 8
3
votes
1 answer

Why are computations (isogeny) in SIDH done in an extended prime field?

While reading the SIDH key exchange protocol, I noticed that all the isogeny computations and curves are defined over the extended prime field $\mathbb{F}_{p^2}$. Does it make the problem computationally hard for the attacker or what is the…
samar
  • 53
  • 3
1
2 3 4