Supersingular Isogeny Key Encapsulation

Presented by David Jao, University of Waterloo and evolutionQ, Inc.

Full list of submitters: Reza Azarderakhsh (FAU), Amir Jalali (LinkedIn), Michael Naehrig (MSR), Matt Campagna (Amazon), David Jao (UW), Geovandro Pereira (UW), Craig Costello (MSR), Brian Koziel (TI), Joost Renes (Radboud), Luca De Feo (UVSQ), Brian LaMacchia (MSR), Vladimir Soukharev (ISG), Basil Hess (ISG), Patrick Longa (MSR), David Urbanik (UofT)

https://sike.org
August 23, 2019

SIKE

Supersingular Isogeny Key Encapsulation (SIKE):
- IND-CCA2 KEM
- Based on Supersingular Isogeny Diffie-Hellman (SIDH)
- Uses the Hofheinz et al. transformation (TCC 2017) on SIDH to achieve CCA security

The SIKE protocol specifies:
- Parameter sets
- Key/ciphertext formats
- Encapsulation/decapsulation mechanisms
- Choice of symmetric primitives (hash functions, etc.)

Overview of SIDH

1. Public parameters: a supersingular elliptic curve E over F_{p^2}.
2. Alice chooses a kernel A ⊂ E(F_{p^2}) and sends E/A to Bob.
3. Bob chooses a kernel B ⊂ E(F_{p^2}) and sends E/B to Alice.
4. The shared secret is E/⟨A, B⟩ = (E/A)/φ_A(B) = (E/B)/φ_B(A).

Diffie-Hellman (DH) versus SIDH (diagram): the four corners of the DH square are g, g^x, g^y and g^{xy}; the corresponding corners of the SIDH square are E, E/A, E/B and E/⟨A, B⟩, with the edges labelled by the kernels A and B. Exponentiation by a secret scalar in DH plays the role of quotienting by a secret kernel in SIDH.

Changes for SIKE in second round

- New parameter sets: SIKEp434, SIKEp503, SIKEp610, SIKEp751 (SIKEp964 from the first round is no longer included)
- New starting curve E: y^2 = x^3 + 6x^2 + x
- Key compression: 40% smaller public keys and ciphertexts
- Updated security analysis

Parameter sets

Scheme     prime p               log2 p   Security level
SIKEp434   2^216 * 3^137 - 1     433.14   NIST 1
SIKEp503   2^250 * 3^159 - 1     502.01   NIST 2
SIKEp610   2^305 * 3^192 - 1     609.31   NIST 3
SIKEp751   2^372 * 3^239 - 1     750.81   NIST 5

New starting curve

The previous starting curve y^2 = x^3 + x has complex multiplication symmetries, reducing key entropy.
(Figure: isogeny graph around the starting curve, not reproduced.)
- The red kernel point yields a curve isomorphic to the starting curve.
- The blue and green kernel points yield curves isomorphic to each other.

Key compression

Scheme                Public key   Decaps (x86_64, cycles x 10^6)
SIKEp434              330 bytes    11.3
SIKEp434 compressed   196 bytes    18.9
SIKEp503              378 bytes    15.6
SIKEp503 compressed   224 bytes    25.5
SIKEp610              462 bytes    28.6
SIKEp610 compressed   273 bytes    45.5
SIKEp751              564 bytes    45.4
SIKEp751 compressed   331 bytes    72.8
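The SIKE slide above states that the KEM is obtained by applying the Hofheinz et al. transform to SIDH, and the overview slide lines the DH square (g, g^x, g^y, g^xy) up against the SIDH square (E, E/A, E/B, E/⟨A,B⟩). The Python below is an added example written for this page, not code from the SIKE submission: it implements the SIKE-style KEM layer (encryption coins r = G(m || pk), session key K = H(m || c), re-encryption check in decapsulation, implicit rejection with K = H(s || c) on a bad ciphertext) over the DH column of that comparison, so a toy modular exponentiation stands in for the isogeny computation and SHAKE256 stands in for the functions F, G and H. The modulus P, the element GEN, the encoding length and N = 16 are constructed choices for the demonstration and are not secure parameters.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for the SIDH key agreement (constructed for this example, NOT secure).
# Following the DH/SIDH comparison: E -> GEN, E/A -> GEN^r, E/B -> GEN^sk,
# E/<A,B> -> GEN^(r*sk); the "j-invariant" both sides derive is that last value.
P = 2**127 - 1      # prime modulus; far too small for real use
GEN = 3             # fixed group element playing the role of the starting curve E
N = 16              # length of the message m and secret s in bytes (SIKEp434 uses 16)
ELEM_BYTES = 16     # encoding length of a group element (P < 2^128)


def shake(data: bytes, out_len: int) -> bytes:
    # SHAKE256 stands in for the functions F, G, H of the SIKE specification
    return hashlib.shake_256(data).digest(out_len)


def elem_bytes(x: int) -> bytes:
    return x.to_bytes(ELEM_BYTES, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- underlying public-key encryption, deterministic once the coins r are fixed ---
def pke_keygen():
    sk = 1 + secrets.randbelow(P - 2)   # decapsulator's static secret (Bob's kernel B)
    return sk, pow(GEN, sk, P)          # public key (Bob's curve E/B)


def pke_enc(pk: int, m: bytes, r: int):
    c0 = pow(GEN, r, P)                 # encapsulator's ephemeral public value (E/A)
    j = pow(pk, r, P)                   # shared value (the j-invariant of E/<A,B>)
    return c0, xor(shake(elem_bytes(j), N), m)   # c1 = F(j) xor m


def pke_dec(sk: int, c0: int, c1: bytes) -> bytes:
    j = pow(c0, sk, P)
    return xor(shake(elem_bytes(j), N), c1)


# --- KEM layer: the Hofheinz-Hoevelmanns-Kiltz transform as SIKE applies it ---
def derive_coins(m: bytes, pk: int) -> int:
    # r = G(m || pk): the coins are a function of the message, so decapsulation can
    # re-encrypt and verify that the ciphertext was honestly formed
    return 1 + int.from_bytes(shake(m + elem_bytes(pk), 32), "big") % (P - 2)


def kem_keygen():
    s = secrets.token_bytes(N)          # secret used only to answer invalid ciphertexts
    sk, pk = pke_keygen()
    return (s, sk, pk), pk


def kem_encaps(pk: int):
    m = secrets.token_bytes(N)
    c0, c1 = pke_enc(pk, m, derive_coins(m, pk))
    return (c0, c1), shake(m + elem_bytes(c0) + c1, N)      # K = H(m || c)


def kem_decaps(secret, c):
    s, sk, pk = secret
    c0, c1 = c
    m2 = pke_dec(sk, c0, c1)
    c0_check, _ = pke_enc(pk, m2, derive_coins(m2, pk))      # re-encrypt m'
    # Comparing c0 alone suffices: equal c0 forces equal j and hence equal c1.
    # Constant-time comparison, as a real implementation must use.
    if hmac.compare_digest(elem_bytes(c0_check), elem_bytes(c0)):
        return shake(m2 + elem_bytes(c0) + c1, N)
    # implicit rejection: a malformed ciphertext yields a pseudorandom key, never an error
    return shake(s + elem_bytes(c0) + c1, N)


def demo():
    """Honest round trip, then a one-bit change to c1 to show implicit rejection."""
    secret, pk = kem_keygen()
    c, k_enc = kem_encaps(pk)
    k_dec = kem_decaps(secret, c)
    c0, c1 = c
    tampered = (c0, xor(c1, b"\x01" + b"\x00" * (N - 1)))
    k_bad1 = kem_decaps(secret, tampered)
    k_bad2 = kem_decaps(secret, tampered)
    # (keys agree, tampered ciphertext gives a different key, rejection is deterministic)
    return k_enc == k_dec, k_bad1 != k_enc, k_bad1 == k_bad2
```

The deterministic rejection key is the property that makes the transform work against chosen-ciphertext queries: an attacker who submits variants of a ciphertext learns nothing from the answers beyond what an honest encapsulation already reveals, and the decapsulator never leaks through an error path.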
Security analysis

Attack cost (all entries are base-2 logarithms; G, D and W are the gate-count, depth and width columns of the slide, in the cost model of [2])

                             SIKEp434           SIKEp610
                             G    D    W        G    D    W
Grover [1]                   126  116  10       171  160  10
Tani (optimal #G) [2]        124  114  25       169  159  25
Tani (optimal DW) [2]        131  122  10       177  166  10
van Oorschot-Wiener [2]      132  141  28       177  141  73

1. A framework for reducing the overhead of the quantum oracle for use with Grover's algorithm with applications to cryptanalysis of SIKE, Benjamin I. Pring and Jean-Francois Biasse, MathCrypt 2019.
2. Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE, Sam Jaques and John Schanck, CRYPTO 2019.

Recent implementations

Decapsulation times, cycles x 10^6

                          SIKEp503   SIKEp751
ARM64 (NIST 2nd round)    47.4       159.5
ARM64 [1]                 39.7       138.4
Cortex-M4 [2]             183        491

1. ARMv8 SIKE: Optimized Supersingular Isogeny Key Encapsulation on ARMv8 Processors, Amir Jalali, Reza Azarderakhsh, Mehran Mozaffari Kermani, Matthew Campagna, and David Jao, IEEE TCAS, doi:10.1109/TCSI.2019.2920869. Code available at https://github.com/amirjalali65/armv8-sike
2. SIKE Round 2 Speed Record on ARM Cortex-M4, Hwajeong Seo, Amir Jalali, and Reza Azarderakhsh, ePrint 2019/535.

Summary

SIKE advantages:
- Smallest public key size
- Straightforward parameter selection
- No decryption error, Gaussians, rejection sampling, etc.
- Generic attacks are well understood
- Only KEM proposal not based on lattices/codes/LW[ER]

SIKE disadvantages:
- Slow
- Future analysis may uncover non-generic attacks against SIKE (though none are known so far)

Future work:
- Cryptanalysis and side-chann
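The summary lists straightforward parameter selection and the smallest public key size as advantages. The Python below is an added example for this page, not code from the SIKE submission: it recomputes the round-2 parameter table and the uncompressed public-key column of the key-compression table from the exponents alone. Each prime has the form p = 2^e2 * 3^e3 - 1 (so p is 3 mod 4 and F_{p^2} can be built as F_p(i)), and an uncompressed SIDH public key is three x-coordinates in F_{p^2}, each made of two F_p elements of ceil(log2 p / 8) bytes. The Miller-Rabin routine, its fixed bases and the field names in the returned dictionary are the example's own choices.

```python
import math

# Round-2 SIKE parameter sets from the table above, as (e2, e3) with p = 2^e2 * 3^e3 - 1
PARAMS = {
    "SIKEp434": (216, 137),
    "SIKEp503": (250, 159),
    "SIKEp610": (305, 192),
    "SIKEp751": (372, 239),
}

# Fixed Miller-Rabin bases: a sanity check for the published primes, not a primality
# proof, and not suitable for adversarially chosen input.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def sike_prime(e2: int, e3: int) -> int:
    return 2**e2 * 3**e3 - 1


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in MR_BASES:                  # trial division by the bases first
        if n % b == 0:
            return n == b
    d, s = n - 1, 0                     # write n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # a is a witness of compositeness
    return True


def describe(name: str) -> dict:
    e2, e3 = PARAMS[name]
    p = sike_prime(e2, e3)
    log2p = math.log2(p)
    fp_bytes = math.ceil(log2p / 8)     # bytes needed for one F_p element
    return {
        "log2p": round(log2p, 2),                            # matches the log2 p column
        "prime": is_probable_prime(p),
        "p_mod_4": p % 4,                                    # 3, so F_{p^2} = F_p(i), i^2 = -1
        "torsion_gap_bits": round(e2 - e3 * math.log2(3), 2),  # balance of 2^e2 against 3^e3
        "pk_bytes": 3 * 2 * fp_bytes,                        # three x-coordinates in F_{p^2}
    }


def check_all() -> dict:
    return {name: describe(name) for name in PARAMS}
```

The pk_bytes values reproduce the uncompressed sizes 330, 378, 462 and 564 bytes from the key-compression table; the torsion gap shows how closely each pair (e2, e3) balances the 2-power and 3-power torsion, which is the whole of the parameter search once a target size for log2 p is fixed.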