Introduction to Supersingular Isogeny Diffie-Hellman

Pedro Miguel Sosa

March 18, 2017

Abstract Quantum cryptographic protocols in these past few

years. This has yielded many different Post-Quantum
This paper aims to give researchers an approach- Cryptographic (PQC) schemes based on lattices,
able introduction to the Supersingular Isogeny Diffie- codes, hashes, multivariate equations, and most re-
Hellman key exchange (SIDH-KEX). SIDH is one of cently elliptic curves.
the few post-quantum key exchange algorithms based This paper will focus on Supersingular Isogenies
on elliptic curves that has shown potential due to Diffie-Hellman (SIDH), which is the one of the few
its small key sizes and quick timing. This paper PQC algorithm based on elliptic curves. It was cre-
will briefly describe the history and motivation of ated in 2011 by De Feo, Jao and Plut [2] and has since
SIDH. Furthermore, we will present a simple con- been implemented and optimized by others. In 2016,
struction of the algorithm along with the mathemat- researchers at Microsoft published a version of SIDH
ical background needed to understand it. Lastly, we which ran in constant time and used public keys of
will present the recommended parameters to use for size 564 bytes, showing that SIDH had “strong po-
potential implementations. tential as a PQC candidate”[3].

1 Background 2 Security and Efficiency

As studies in the area of quantum computing seem
Security Although both ECDH and SIDH use el-
to yield promising results, cryptography researchers
liptic curves, their underlying problem is different.
are seeking new cryptosystems that could withstand
ECDH’s hardness rests upon the discrete logarithm
attacks from such machines. While quantum comput-
problem, whereas SIDH’s hardness rests up the dif-
ers do not affect secret key cryptography as much1 ,
ficulty of finding the isogeny mapping between two
most of the popular public key cryptosystems become
supersingular elliptic curves with the same number
vulnerable [1].
of points.
Most popular public key cryptosystems used today
It has been proven [4, 5] that SIDH’s security
rely on the hardness of the factorization problem. For 1

classical machines, the best known attacks would take against classical computers is O(p 4 ), while the secu-
exponential time, however, quantum computers are rity against quantum computers has been theorized
1

able to do factoring in polynomial time using Shor’s to be O(p 6 ).

algorithm.
As a result, there has been an important push Efficiency SIDH has become substantially more ef-
towards the study and implementation of Post- ficient since its release in 2011. The latest imple-
1 It is enough for most secret key cryptographic schemes to mentations published in 2016 runs in constant time
increase their key sizes to provide protection against quantum and has a public key size of 564 bytes. This key size
adversaries. is among the smallest in comparison to other PQC

1
 j-Invariant The j-invariant is a descriptor that can
be computed for any particular curve using said
curves parameters. Most importantly, isomorphic
curves will always share the same j-invariant value.
The exact equation for the j-invariant will vary de-
pending on the underlying form of the elliptic curve.
In the case of elliptic curves in the Weierstrass form,
the j-invariant is calculated as follows:

4a3
j(E) = 1728 · 4a3 +27b2

Figure 1: Visual Representation of SIDH-KEX Supersingular curves While it might seem a bit
confusing, supersingular curves are non-singular el-
liptic curves as one would expect to find in other el-
key exchange alternatives. This latest implementa- liptic curve scheme. The term “supersingular ” actu-
tion has been added to the Open Quantum Safe’s ally refers to the fact that they have “singular” values
“OpenSSL” project to be used for Internet applica- of the j-invariant and its Hasse invariant is 0. Refer
tions 2 . to section 4.3 for a concrete curve suggestion.

3 Preliminaries 4 Supersingular Isogeny Diffie-

Hellman
In this section we will discuss some of the mathemat-
ical constructs and finer details necessary to further Intuitively, the SIDH key exchange works by hav-
understand the SIDH-KEX. ing both parties generate a secret key, which will be
an isogeny based on the known public curve E and
points Pa , Qa , Pb , Qb (which reside on E). Then each
Elliptic Curves Similar to other elliptic curve
party will create and exchange a new curve derived
cryptographic schemes, we will assume our chosen
from their secret isogenies. This new curves can be
elliptic curve E over Fp2 to be non-singular and of
considered the “public keys”. Afterwards, by merg-
the Weierstrass form: y 2 = x3 + ax + b. As such,
ing their “private key” isogenies and the other party’s
all point addition and multiplication must be calcu-
“public key” curve, each party will be able to gener-
lated by using the functions defined for these types
ate a final curve. For both parties, these final curves
of curves.
will have the same j-invariant (since they are isoge-
nous with respect to each other). As such the value
Isogeny An isogeny is a surjective and homomor- of this j-invariant becomes the shared secret.
phic structure preserving function that maps two
groups together. In the case of elliptic curves case, a
isogeny φ will map points on the domain curve E to 4.1 Public Parameters
points on a co-domain curve E ′ . These isogenies are
Initially there will be 4 global public parameters:
calculated using Vélu’s formulas [6] as φ : E → E/κ,
- A prime p
where κ is defined as the kernel.
- A supersingular elliptic curve E over Fp2
2 Repository: github.com/open-quantum-safe/openssl - Four fixed points Pa , Qa , Pb , Qb on E

2
4.2 Key Exchange 5 Future Work
- Party A While SIDH seem very promising, there are still some
1. Randomly generate ma , na issues that remain to be solved. Current implemen-
2. Ra = [ma ]Pa + [na ]Qa tations assume both parties are honest peers, and
3. φa : E → Ea = E/hRa i thus, an misbehaving/attacking party could leak in-
4. Pb′ , Q′b = φa (Pb ), φa (Qb ) formation and weaken then security of the scheme.
5. Send (Ea , Pb′ , Q′b ) to Party B Another issue is the lack of crypto-analitic research
6. Receive (Eb , Pa′ , Q′a ) from Party B done for this scheme, as the literature in which one
7. Calculate Sab = [ma ]Pa′ + [na ]Q′a can rely is rather limited.
8. φab = Ea → Eab = Ea /hSab i. Being a relatively new field, there are still many un-
9. Compute k = jab = j-invariant(Eab ) knowns as to what supersingular isogenies can also be
used for. Aside from key exchange, some researchers
- Party B have also worked on applying supersingular curves to
1. Randomly generate mb , nb build digital signature schemes [7, 8].
2. Rb = [mb ]Pb + [nb ]Qb However, with the recent promising developments
3. φb : E → Eb = E/hRb i in SIDH, work with supersingular curves is bound to
4. Pa′ , Q′a = φb (Pa ), φb (Qa ) gather more research in the upcoming years.
5. Send (Eb , Pa′ , Q′a ) to Party A
6. Receive (Ea , Pb′ , Q′b ) from Party A
7. Calculate Sba = [mb ]Pb′ + [nb ]Q′b References
8. φba = Ea → Eba = Eb /hSba i.
9. Compute k ′ = jba = j-invariant(Eba ) [1] D. J. Bernstein, “Introduction to post-quantum
cryptography,” in Post-Quantum Cryptography,
Notice that since both curves are isogneous to each pp. 1–14, Springer, 2009.
other, they will have the same j-invariant. As such,
[2] D. Jao and L. De Feo, “Towards quantum-
the shared key k calculated by both parties will be
resistant cryptosystems from supersingular ellip-
the same.
tic curve isogenies,” in QCrypto 2011, pp. 19–34,
Springer Berlin Heidelberg, 2011.

[3] C. Costello, P. Longa, and M. Naehrig, “Effi-

4.3 Parameter Selection cient algorithms for supersingular isogeny diffie-
hellman,” in Annual Cryptology Conference,
The latest work by Costello et al. [3], defined the pp. 572–601, Springer, 2016.
curve E = y 2 +x3 +x and the prime p = 2372 ·3239 −1.
Furthermore they established the four points on E to [4] C. Delfs and S. D. Galbraith, “Computing iso-
be: √ genies between supersingular elliptic curves over
- Pa = [3239 ](11, 113 + 11) fp ,” in Designs, Codes and Cryptography, vol. 78,
- Qa = τ (Pa ) √ pp. 425–440, Springer, 2016.
- Pb = [2372 ](6, 63 + 6)
- Qb = τ (Pb ) [5] J.-F. Biasse, D. Jao, and A. Sankar, “A quan-
where τ is a distortion map from E(Fp2 ) → E(Fp2 ) : tum algorithm for computing isogenies between
(x, y) → (−x, iy). This was done purposely so as to supersingular elliptic curves,” in International
avoid having to store both Qa and Qb in memory and Conference in Cryptology in India, pp. 428–442,
instead derive them from their respective Pi points. Springer, 2014.

3
[6] J. Vélu, “Isogénies entre courbes elliptiques,” in
CR Acad. Sci. Paris Sér. AB, vol. 273, pp. A238–
A241, 1971.
[7] D. Jao and V. Soukharev, “Isogeny-based
quantum-resistant undeniable signatures,” in In-
ternational Workshop on Post-Quantum Cryptog-
raphy, pp. 160–179, Springer, 2014.
[8] X. Sun, H. Tian, and Y. Wang, “Toward
quantum-resistant strong designated verifier sig-
nature,” in International Journal of Grid and
Utility Computing 4, vol. 5, pp. 80–86, Inder-
science Publishers Ltd, 2014.