Cryptology ePrint Archive: Report 2011/506
Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies
Luca De Feo and David Jao and Jérôme Plût
Abstract: We present new candidates for quantum-resistant public-key cryptosystems based on the conjectured difficulty of finding isogenies between supersingular elliptic curves. The main technical idea in our scheme is that we transmit the images of torsion bases under the isogeny in order to allow the parties to construct a shared commutative square despite the noncommutativity of the endomorphism ring. Our work is motivated by the recent development of a subexponential-time quantum algorithm for constructing isogenies between ordinary elliptic curves. In the supersingular case, by contrast, the fastest known quantum attack remains exponential, since the noncommutativity of the endomorphism ring means that the approach used in the ordinary case does not apply. We give a precise formulation of the necessary computational assumptions along with a discussion of their validity, and prove the security of our protocols under these assumptions. In addition, we present implementation results showing that our protocols are multiple orders of magnitude faster than previous isogeny-based cryptosystems over ordinary curves.

This paper is an extended version of [pqcrypto]. We add a new zero-knowledge identification scheme, and detailed security proofs for the protocols. We also present a new, asymptotically faster, algorithm for key generation, a thorough study of its optimization, and new experimental data.
Category / Keywords: public-key cryptography / elliptic curves, isogenies, quantum-resistant cryptosystems
Publication Info: PQCrypto 2011
Date: received 15 Sep 2011, last revised 4 Jul 2012
Contact author: djao at math uwaterloo ca
Note: Extended version.
Version: 20120704:152925
Short URL: ia.cr/2011/506