• No results found

New New Directions in Cryptography

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "New New Directions in Cryptography"

Copied!
91
0
0

Loading.... (view fulltext now)

Download now ( 91 Page )

Full text

(1)

New New Directions in Cryptography

Nick Egbert

Student Colloquium Talk

20 Februrary 2019

(2)

Overview

1

Cryptography overview The general problem Classical Diffie-Hellman

2

Elliptic curve basics Definition Group structure

3

Elliptic curves in cryptography How they’re used today

Advantages and potential doom

4

Post-quantum cryptography

Supersingular elliptic curves

Isogenies

(3)

The problem

Alice Bob

Message

Eve Secure channel

Unsecure channel Trusted courier

Very inefficient

(4)

The problem

Alice Bob

Message

Eve Secure channel

Unsecure channel Trusted courier

Very inefficient

(5)

The problem

Alice Bob

Message

Eve

Secure channel

Unsecure channel Trusted courier

Very inefficient

(6)

The problem

Alice Bob

Message

Eve Secure channel

Unsecure channel

Trusted courier

Very inefficient

(7)

The problem

Alice Bob

Message

Eve Secure channel

Unsecure channel Trusted courier

Very inefficient

(8)

The problem

Alice Bob

Message

Secure channel

Unsecure channel Trusted courier

Very inefficient

(9)

The solution

There are two basic types of encryption: symmetric and asymmetric.

In symmetric encryption, both parties have the same key for encrypting and decrypting.

Asymmetric encryption is not symmetric.

Asymmetric encryption is generally used to establish a shared key.

(10)

The solution

There are two basic types of encryption: symmetric and asymmetric.

In symmetric encryption, both parties have the same key for encrypting and decrypting.

Asymmetric encryption is not symmetric.

Asymmetric encryption is generally used to establish a shared key.

(11)

The solution

There are two basic types of encryption: symmetric and asymmetric.

In symmetric encryption, both parties have the same key for encrypting and decrypting.

Asymmetric encryption is not symmetric.

Asymmetric encryption is generally used to establish a shared key.

(12)

The solution

There are two basic types of encryption: symmetric and asymmetric.

In symmetric encryption, both parties have the same key for encrypting and decrypting.

Asymmetric encryption is not symmetric.

Asymmetric encryption is generally used to establish a shared key.

(13)

The solution

Alice Bob

Secure channel

Unsecure channel

Trusted courier

(14)

The solution

Alice Bob

Secure channel

Unsecure channel

Trusted courier

(15)

Discrete log problem (DLP)

Let p be a prime number, and let a, b ∈ Z such that a, b 6≡ 0 mod p.

Suppose we know there exists k ∈ Z such that a

k

≡ b (mod p).

The (classical) discrete log problem is to find k.

More generally, if G is a group and a, b ∈ G , and given a

k

= b,

the discrete log problem is to find k.

(16)

Discrete log problem (DLP)

Let p be a prime number, and let a, b ∈ Z such that a, b 6≡ 0 mod p.

Suppose we know there exists k ∈ Z such that a

k

≡ b (mod p).

The (classical) discrete log problem is to find k.

More generally, if G is a group and a, b ∈ G , and given a

k

= b,

the discrete log problem is to find k.

(17)

Diffie-Hellman Key Exchange (1976)

Alice and Bob publicly agree upon a prime p and a generator g ∈ G = F

×p

.

Alice picks a random integer a ∈ {2, . . . , p − 2} and computes A = g

a

mod p.

Bob picks a random integer b ∈ {2, . . . , p − 2} and computes B = g

b

mod p.

The integers a, b are kept secret, and Alice and Bob transmit A and B publicly.

They compute a shared secret K = B

a

= g

ba

= g

ab

= A

b

.

Security relies upon the DLP.

(18)

Diffie-Hellman Key Exchange (1976)

Alice and Bob publicly agree upon a prime p and a generator g ∈ G = F

×p

.

Alice picks a random integer a ∈ {2, . . . , p − 2} and computes A = g

a

mod p.

Bob picks a random integer b ∈ {2, . . . , p − 2} and computes B = g

b

mod p.

The integers a, b are kept secret, and Alice and Bob transmit A and B publicly.

They compute a shared secret K = B

a

= g

ba

= g

ab

= A

b

.

Security relies upon the DLP.

(19)

Diffie-Hellman Key Exchange (1976)

Alice and Bob publicly agree upon a prime p and a generator g ∈ G = F

×p

.

Alice picks a random integer a ∈ {2, . . . , p − 2} and computes A = g

a

mod p.

Bob picks a random integer b ∈ {2, . . . , p − 2} and computes B = g

b

mod p.

The integers a, b are kept secret, and Alice and Bob transmit A and B publicly.

They compute a shared secret K = B

a

= g

ba

= g

ab

= A

b

.

Security relies upon the DLP.

(20)

Diffie-Hellman Key Exchange (1976)

Alice and Bob publicly agree upon a prime p and a generator g ∈ G = F

×p

.

Alice picks a random integer a ∈ {2, . . . , p − 2} and computes A = g

a

mod p.

Bob picks a random integer b ∈ {2, . . . , p − 2} and computes B = g

b

mod p.

The integers a, b are kept secret, and Alice and Bob transmit A and B publicly.

They compute a shared secret K = B

a

= g

ba

= g

ab

= A

b

.

Security relies upon the DLP.

(21)

Diffie-Hellman Key Exchange (1976)

Public parameters:

g, p Alice

a ∈

R

{2, . . . , p − 2}

A = g

a

mod p

K = B

a

= g

ba

Bob

b ∈

R

{2, . . . , p − 2}

B = g

b

mod p

K = A

b

= g

ab

A

B

(22)

Issues with DH

When G = F

×q

, the DLP can be solved in subexponential time.

This requires larger keys.

In the 1980s, Victor Miller and Neal Koblitz independently suggested

using elliptic curves for cryptography.

(23)

What is an elliptic curve?

An elliptic curve E is the graph of an equation of the form y

2

+ a

1

xy + a

3

y = x

3

+ a

2

x

2

+ a

4

x + a

6

with coefficients in some field K .

If charK 6= 2, 3, then via a change of variables, we may assume E has the form

y

2

= x

3

+ Ax + B.

To be considered an elliptic curve, we require that 4A

3

+ 27B

2

6= 0,

so that x

3

+ Ax + B does not have any repeated roots.

(24)

What is an elliptic curve?

An elliptic curve E is the graph of an equation of the form y

2

+ a

1

xy + a

3

y = x

3

+ a

2

x

2

+ a

4

x + a

6

with coefficients in some field K .

If charK 6= 2, 3, then via a change of variables, we may assume E has the form

y

2

= x

3

+ Ax + B.

To be considered an elliptic curve, we require that 4A

3

+ 27B

2

6= 0,

so that x

3

+ Ax + B does not have any repeated roots.

(25)

What is an elliptic curve?

An elliptic curve E is the graph of an equation of the form y

2

+ a

1

xy + a

3

y = x

3

+ a

2

x

2

+ a

4

x + a

6

with coefficients in some field K .

If charK 6= 2, 3, then via a change of variables, we may assume E has the form

y

2

= x

3

+ Ax + B.

To be considered an elliptic curve, we require that 4A

3

+ 27B

2

6= 0,

so that x

3

+ Ax + B does not have any repeated roots.

(26)

Examples

E 1 : y

2

= x

3

− x E

2

: y

2

= x

3

+ x

(27)

Examples

E

1

: y

2

= x

3

− x (mod 683)

(28)

Examples

E

1

: y

2

= x

3

− x (mod 683)

(29)

Group structure

E (K ) = {(x , y ) ∈ K × K | y

2

= x

3

+ Ax + B} ∪ {∞}

Rational points plus the point at infinity form a group, where addition

law is given by “chord-and-tangent” method

(30)

Adding points

E : y

2

= x

3

− 24003 ∗ x + 1296702

(31)

Assumptions

For q = p

n

, where p is prime, we consider only E (F

q

).

We will assume that charK 6= 2, 3 and that E : y

2

= x

3

+ Ax + B.

Later, we will want to write E in the form y

2

= x

3

+ Ax

2

+ x , referred to as a Montgomery curve.

We define the j -invariant of E to be

j (E ) = 1728 4A

3

4A

3

+ 27B

2

Fact: E

1

, E

2

are isomorphic over F

q

if and only if j (E

1

) = j (E

2

).

(32)

Assumptions

For q = p

n

, where p is prime, we consider only E (F

q

).

We will assume that charK 6= 2, 3 and that E : y

2

= x

3

+ Ax + B.

Later, we will want to write E in the form y

2

= x

3

+ Ax

2

+ x , referred to as a Montgomery curve.

We define the j -invariant of E to be

j (E ) = 1728 4A

3

4A

3

+ 27B

2

Fact: E

1

, E

2

are isomorphic over F

q

if and only if j (E

1

) = j (E

2

).

(33)

Assumptions

For q = p

n

, where p is prime, we consider only E (F

q

).

We will assume that charK 6= 2, 3 and that E : y

2

= x

3

+ Ax + B.

Later, we will want to write E in the form y

2

= x

3

+ Ax

2

+ x , referred to as a Montgomery curve.

We define the j -invariant of E to be

j (E ) = 1728 4A

3

4A

3

+ 27B

2

Fact: E

1

, E

2

are isomorphic over F

q

if and only if j (E

1

) = j (E

2

).

(34)

Assumptions

For q = p

n

, where p is prime, we consider only E (F

q

).

We will assume that charK 6= 2, 3 and that E : y

2

= x

3

+ Ax + B.

Later, we will want to write E in the form y

2

= x

3

+ Ax

2

+ x , referred to as a Montgomery curve.

We define the j -invariant of E to be j (E ) = 1728 4A

3

4A

3

+ 27B

2

Fact: E

1

, E

2

are isomorphic over F

q

if and only if j (E

1

) = j (E

2

).

(35)

Assumptions

For q = p

n

, where p is prime, we consider only E (F

q

).

We will assume that charK 6= 2, 3 and that E : y

2

= x

3

+ Ax + B.

Later, we will want to write E in the form y

2

= x

3

+ Ax

2

+ x , referred to as a Montgomery curve.

We define the j -invariant of E to be j (E ) = 1728 4A

3

4A

3

+ 27B

2

Fact: E

1

, E

2

are isomorphic over F

q

if and only if j (E

1

) = j (E

2

).

(36)

ECDH

ECDH = “Elliptic Curve Diffie-Hellman”

Alice and Bob agree on an elliptic curve E and a field F

q

such that the DLP is hard for E (F

q

).

They agree on a point P ∈ E (F

q

) of large (usually prime) order.

(37)

ECDH

Public parameters:

E (F

q

), P Alice

a ∈

R

Z P

a

= aP

K = aP

b

= abP

Bob b ∈

R

Z P

b

= bP

K = bP

a

= baP

(38)

Advantages of ECDH

Using elliptic curves allows for much smaller key sizes: an RSA 4096-bit key provides the same level of security as a 313-bit EC key.

The group law for elliptic curves can be performed efficiently.

(39)

Post-quantum cryptography

In 1994, Peter Shor published an algorithm that solves the DLP (and factoring large numbers) in polynomial time.

This effectively breaks any cryptosystem based on the hardness of these two problems.

Is cryptography broken in a post-quantum world?

Fear not.

There have been several major developments in the past ten years. Many of them use isogeny graphs of supersingular elliptic curves.

(40)

Post-quantum cryptography

In 1994, Peter Shor published an algorithm that solves the DLP (and factoring large numbers) in polynomial time.

This effectively breaks any cryptosystem based on the hardness of these two problems.

Is cryptography broken in a post-quantum world?

Fear not.

There have been several major developments in the past ten years. Many of them use isogeny graphs of supersingular elliptic curves.

(41)

Post-quantum cryptography

In 1994, Peter Shor published an algorithm that solves the DLP (and factoring large numbers) in polynomial time.

This effectively breaks any cryptosystem based on the hardness of these two problems.

Is cryptography broken in a post-quantum world?

Fear not.

There have been several major developments in the past ten years.

Many of them use isogeny graphs of supersingular elliptic curves.

(42)

Post-quantum cryptography

In 1994, Peter Shor published an algorithm that solves the DLP (and factoring large numbers) in polynomial time.

This effectively breaks any cryptosystem based on the hardness of these two problems.

Is cryptography broken in a post-quantum world?

Fear not.

There have been several major developments in the past ten years.

Many of them use isogeny graphs of supersingular elliptic curves.

(43)

Supersingular elliptic curves

Definition

Let E be an elliptic curve over F

q

. We define the n-torsion subgroup to be E [n] = {P ∈ E (F

q

) | nP = ∞}.

Remark

E [n] is a subgroup of E (F

q

). In general, we can’t expect that E [n] ⊂ E (F

q

).

Theorem

Let p = char F

q

. If p does not divide n, then

E [n] ∼ = Z

n

⊕ Z

n

.

(44)

Supersingular elliptic curves

Definition

Let E be an elliptic curve over F

q

. We define the n-torsion subgroup to be E [n] = {P ∈ E (F

q

) | nP = ∞}.

Remark

E [n] is a subgroup of E (F

q

). In general, we can’t expect that E [n] ⊂ E (F

q

).

Theorem

Let p = char F

q

. If p does not divide n, then

E [n] ∼ = Z

n

⊕ Z

n

.

(45)

Supersingular elliptic curves

Definition

Let E be an elliptic curve over F

q

. We define the n-torsion subgroup to be E [n] = {P ∈ E (F

q

) | nP = ∞}.

Remark

E [n] is a subgroup of E (F

q

). In general, we can’t expect that E [n] ⊂ E (F

q

).

Theorem

Let p = char F

q

. If p does not divide n, then

E [n] ∼ = Z

n

⊕ Z

n

.

(46)

Supersingular elliptic curves

Definition

An elliptic curve E /F

q

is called supersingular if E [p] = {∞}, where p is the characteristic of F

q

.

Theorem

Let E /F

q

be an elliptic curve, where q = p

n

. Let t = q + 1 − #E (F

q

).

Then E is supersingular if and only if

t ≡ 0 (mod p).

(47)

Isogenies

Definition

Let E

1

, E

2

be elliptic curves over F

q

. An isogeny from E

1

to E

2

is a nonconstant homomorphism

α : E

1

(F

q

) → E

2

(F

q

) given by rational maps.

Definition

We may write α(x , y ) = (r

1

(x ), yr

2

(x )), where r

1

, r

2

are rational functions.

Writing r

1

(x ) =

p(x )q(x )

, the degree of α is

deg α = max(deg p, deg q).

(48)

Endomorphisms of elliptic curves

Definition

An endomorphism of E is an isogeny from E to itself.

Example

The multiplication by n map:

[n] : E → E (x , y ) 7→ n(x , y )

Example

The Frobenius endomorphism:

π : E → E

(x , y ) 7→ (x

p

, y

p

)

(49)

Endomorphisms of elliptic curves

Definition

An endomorphism of E is an isogeny from E to itself.

Example

The multiplication by n map:

[n] : E → E (x , y ) 7→ n(x , y )

Example

The Frobenius endomorphism:

π : E → E

(x , y ) 7→ (x

p

, y

p

)

(50)

Endomorphisms of elliptic curves

Definition

An endomorphism of E is an isogeny from E to itself.

Example

The multiplication by n map:

[n] : E → E (x , y ) 7→ n(x , y )

Example

The Frobenius endomorphism:

π : E → E

(51)

Quick aside on ANT

Let K = Q( √

−p). Let O

K

denote the ring of integers of K , i.e.,

α ∈ K | f (α) = 0 for some monic f ∈ Z[x] .

An order O ∈ K is a ring such that Z ( O ⊆ O

K

.

A fractional ideal of O is of the form αa, where α ∈ K

×

and a is an O-ideal. A principal fractional ideal is of the form αO.

We say a fractional ideal a is invertible if ∃b such that ab = O.

(52)

Quick aside on ANT

Let K = Q( √

−p). Let O

K

denote the ring of integers of K , i.e.,

α ∈ K | f (α) = 0 for some monic f ∈ Z[x] .

An order O ∈ K is a ring such that Z ( O ⊆ O

K

.

A fractional ideal of O is of the form αa, where α ∈ K

×

and a is an O-ideal. A principal fractional ideal is of the form αO.

We say a fractional ideal a is invertible if ∃b such that ab = O.

(53)

Quick aside on ANT

Let K = Q( √

−p). Let O

K

denote the ring of integers of K , i.e.,

α ∈ K | f (α) = 0 for some monic f ∈ Z[x] .

An order O ∈ K is a ring such that Z ( O ⊆ O

K

.

A fractional ideal of O is of the form αa, where α ∈ K

×

and a is an O-ideal. A principal fractional ideal is of the form αO.

We say a fractional ideal a is invertible if ∃b such that ab = O.

(54)

Quick aside on ANT

Let K = Q( √

−p). Let O

K

denote the ring of integers of K , i.e.,

α ∈ K | f (α) = 0 for some monic f ∈ Z[x] .

An order O ∈ K is a ring such that Z ( O ⊆ O

K

.

A fractional ideal of O is of the form αa, where α ∈ K

×

and a is an O-ideal. A principal fractional ideal is of the form αO.

We say a fractional ideal a is invertible if ∃b such that ab = O.

(55)

Ideal class group

By construction, the set of invertible fractional ideals I (O) forms an abelian group under multiplication of ideals.

The set of principal ideals P(O) is a (normal) subgroup, so we may consider the ideal class group of O

cl(O) = I (O)/P(O).

Let E /F

p

be a supersingular elliptic curve. Then End

Fp

(E ) ∼ = O,

where O is an order in an imaginary quadratic field.

(56)

Ideal class group

By construction, the set of invertible fractional ideals I (O) forms an abelian group under multiplication of ideals.

The set of principal ideals P(O) is a (normal) subgroup, so we may consider the ideal class group of O

cl(O) = I (O)/P(O).

Let E /F

p

be a supersingular elliptic curve. Then End

Fp

(E ) ∼ = O,

where O is an order in an imaginary quadratic field.

(57)

Ideal class group

By construction, the set of invertible fractional ideals I (O) forms an abelian group under multiplication of ideals.

The set of principal ideals P(O) is a (normal) subgroup, so we may consider the ideal class group of O

cl(O) = I (O)/P(O).

Let E /F

p

be a supersingular elliptic curve. Then End

Fp

(E ) ∼ = O,

where O is an order in an imaginary quadratic field.

(58)

Class group action

Let E /F

p

be an elliptic curve. Define E [a] =

n

P ∈ E (F

p

) | α(P) = 0 ∀α ∈ a o

.

We can define the action of the O-ideal a on E as the image E

0

under the isogeny

φ : E → E

0

whose kernel is E [a]. We denote E

0

= a ∗ E .

Fact: an isogeny is uniquely determined by its kernel (up to

isomorphism).

(59)

Class group action

Let E /F

p

be an elliptic curve. Define E [a] =

n

P ∈ E (F

p

) | α(P) = 0 ∀α ∈ a o

.

We can define the action of the O-ideal a on E as the image E

0

under the isogeny

φ : E → E

0

whose kernel is E [a]. We denote E

0

= a ∗ E .

Fact: an isogeny is uniquely determined by its kernel (up to

isomorphism).

(60)

Class group action

Let E /F

p

be an elliptic curve. Define E [a] =

n

P ∈ E (F

p

) | α(P) = 0 ∀α ∈ a o

.

We can define the action of the O-ideal a on E as the image E

0

under the isogeny

φ : E → E

0

whose kernel is E [a]. We denote E

0

= a ∗ E .

Fact: an isogeny is uniquely determined by its kernel (up to

isomorphism).

(61)

Class group action

Let S be the set of supersingular elliptic curves

E

A

/F

p

: y

2

= x

3

+ Ax

2

+ x , where p ≥ 5 and p ≡ 3 (mod 8).

In this case, End

Fp

(E

A

) ∼ = Z[ √

−p].

a ∗ E

A

is an `-isogeny if and only if a = h[`], π ± 1i

(62)

Class group action

Let S be the set of supersingular elliptic curves

E

A

/F

p

: y

2

= x

3

+ Ax

2

+ x , where p ≥ 5 and p ≡ 3 (mod 8).

In this case, End

Fp

(E

A

) ∼ = Z[ √

−p].

a ∗ E

A

is an `-isogeny if and only if a = h[`], π ± 1i

(63)

Class group action

Let S be the set of supersingular elliptic curves

E

A

/F

p

: y

2

= x

3

+ Ax

2

+ x , where p ≥ 5 and p ≡ 3 (mod 8).

In this case, End

Fp

(E

A

) ∼ = Z[ √

−p].

a ∗ E

A

is an `-isogeny if and only if a = h[`], π ± 1i

(64)

CSIDH

In November 2018, Castryck, Lange, Martindale, Panny and Renes published a paper on their algorithm CSIDH, which stands for Commutative Supersingular Isogeny Diffie-Hellman.

CSIDH is thought to be a suitable post-quantum replacement for ECDH.

Key sizes are extremely small.

(65)

CSIDH

In November 2018, Castryck, Lange, Martindale, Panny and Renes published a paper on their algorithm CSIDH, which stands for Commutative Supersingular Isogeny Diffie-Hellman.

CSIDH is thought to be a suitable post-quantum replacement for ECDH.

Key sizes are extremely small.

(66)

CSIDH

In November 2018, Castryck, Lange, Martindale, Panny and Renes published a paper on their algorithm CSIDH, which stands for Commutative Supersingular Isogeny Diffie-Hellman.

CSIDH is thought to be a suitable post-quantum replacement for ECDH.

Key sizes are extremely small.

(67)

Isogeny graphs

Let p, ` be distinct primes. The isogeny graph G

`

over F

p

has

Vertices: Elliptic curves EA ∈ S with End(EA) ∼= Z[√

−p]

Edges: (EA, EB), where there is an `-isogeny between EA and EB

For illustration we will fix p = 419.

In general, the CSIDH authors pick p = 4`

1

· · · `

n

− 1, where

`

1

, . . . , `

n

are distinct odd primes.

(68)

Isogeny graphs

Let p, ` be distinct primes. The isogeny graph G

`

over F

p

has

Vertices: Elliptic curves EA ∈ S with End(EA) ∼= Z[√

−p]

Edges: (EA, EB), where there is an `-isogeny between EA and EB

For illustration we will fix p = 419.

In general, the CSIDH authors pick p = 4`

1

· · · `

n

− 1, where

`

1

, . . . , `

n

are distinct odd primes.

(69)

Isogeny graphs

Let p, ` be distinct primes. The isogeny graph G

`

over F

p

has

Vertices: Elliptic curves EA ∈ S with End(EA) ∼= Z[√

−p]

Edges: (EA, EB), where there is an `-isogeny between EA and EB

For illustration we will fix p = 419.

In general, the CSIDH authors pick p = 4`

1

· · · `

n

− 1, where

`

1

, . . . , `

n

are distinct odd primes.

(70)

Isogeny graph G

3

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E E E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

(71)

Isogeny graph G

5

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E

199

E

390

E

29

E

220

E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

(72)

Isogeny graph G

5

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E E E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

(73)

Isogeny graph G

5

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E

199

E

390

E

29

E

220

E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

(74)

Isogeny graph G

5

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E E E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

(75)

Isogeny graph G

7

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E

199

E

390

E

29

E

220

E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

(76)

CSIDH

CSIDH stands for Commutative Supersingular Isogeny Diffie-Hellman.

It is proposed as a post-quantum drop-in replacement for (EC)DH.

They use the action of the ideal class group and the supersingular

isogeny graph to establish keys.

(77)

Isogeny graph used in CSIDH

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E

199

E

390

E

29

E

220

E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

∪ G

5

∪ G

7

(78)

Isogeny graph used in CSIDH

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E

199

E

390

E

29

E

220

E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

∪ G

7

(79)

Isogeny graph used in CSIDH

E

0

E

158

E

410

E

368

E

404

E

75

E

144

E

191

E

174

E

413

E

379

E

124

E

199

E

390

E

29

E

220

E

295

E

40

E

6

E

245

E

228

E

275

E

344

E

15

E

51

E

9

E

261

(80)

Diffie-Hellman with CSIDH

Alice Bob

a = [+, −, +, −] b = [+, +, +, −]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

(81)

Diffie-Hellman with CSIDH

Alice Bob

a = [+

, −, +, −] b = [+

, +, +, −]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

(82)

Diffie-Hellman with CSIDH

Alice Bob

a = [+, −

, +, −] b = [+, +

, +, −]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

(83)

Diffie-Hellman with CSIDH

Alice Bob

a = [+, −, +

, −] b = [+, +, +

, −]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

(84)

Diffie-Hellman with CSIDH

Alice Bob

a = [+, −, +, −

] b = [+, +, +, −

]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

(85)

Diffie-Hellman with CSIDH

Alice Bob

a = [+, −, +, −] b = [+, +, +, −]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124 E199

E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124 E199

E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

(86)

Diffie-Hellman with CSIDH

Alice Bob

a = [+

, −, +, −] b = [+

, +, +, −]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

(87)

Diffie-Hellman with CSIDH

Alice Bob

a = [+, −

, +, −] b = [+, +

, +, −]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

(88)

Diffie-Hellman with CSIDH

Alice Bob

a = [+, −, +

, −] b = [+, +, +

, −]

E0 E158 E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9

E261 E158 E0

E410 E368 E404 E75 E144 E191 E174

E413 E379

E124

E199 E390 E29 E220 E295

E40 E6

E245 E228 E275 E344 E15 E51 E9 E261

References

Download now ( PDF - 91 Page - 1.00 MB )

Related documents

Pathway for Skin Penetration.ppt

skin ( we hope to the target skin layer)..

The Effect of the Open and Closed System Suctions on Cardiopulmonary Parameters: Time and Costs in Patients Under Mechanical Ventilation

Objectives: This study aimed to compare the effects of the open and closed system suctioning methods on blood pressure, mean arterial pressure, heart rate, percentage of

Open Journal Systems

In summary, sodium hypochlorite is the most signi fi cant solution and the only option, which capable of dissolving the organic tissues such as bio fi lm and the organic parts

COINCIDENCE RELATIONS BETWEEN GENE CONVERSION AND MITOTIC RECOMBINATION IN SACCHAROMYCES

However, the present study reports evidence for the coincident association of heteroallelic repair with mitotic recombination for both linked and unlinked markers

Understanding Striped Bass (Morone saxatilis) and Sunshine Hybrid Striped Bass (FEMALE M. chrysops x MALE M. saxatilis) Growth Using Metabolomic Analysis of Liver Tissues.

Runt and Top Grade liver histology striped bass full data set (N=71 fish) hepatic somatic index versus average steatosis scores. One liver weight was accidentally not collected

Evaluting Motivational Factors and Its Impact on Employee Performance in Valley Group

Factors from employee performance consists EMP as employee performance whereas as factor for different motivational factor consists OC as organizational culture, WE as work

An Effective Method for Online Social Voting Using Collaborative Filtering Based Recommendation Systems

Amid this paper, we have a tendency to create bunch gathering of Matrix factorization (MF) and nearest neighbor (NN) - based recommender systems (RSs) that

Carbohydrates and Fungal Toxin Exposure Influence the Vaginal Microbiota, Metabolome, and Reproductive Health of Women

Antimicrobial and immune modulatory effects of lactic acid and short chain fatty acids produced by vaginal microbiota associated with eubiosis and bacterial