On the Practicality of Post-Quantum TLS Using Large-Parameter CSIDH

Fabio Campos; Jorge Chavez-Saab; Jesús-Javier Chi-Domínguez; Michael Meyer; Krijn Reijnders; Francisco Rodríguez-Henríquez; Peter Schwabe; Thom Wiggers

Paper 2023/793

On the Practicality of Post-Quantum TLS Using Large-Parameter CSIDH

Fabio Campos

, RheinMain University of Applied Sciences, Radboud University Nijmegen

Jorge Chavez-Saab, CINVESTAV-IPN, Technology Innovation Institute

Jesús-Javier Chi-Domínguez

, Technology Innovation Institute

Michael Meyer, University of Regensburg

Krijn Reijnders, Radboud University Nijmegen

Francisco Rodríguez-Henríquez, CINVESTAV-IPN, Technology Innovation Institute

Peter Schwabe, Max Planck Institute for Security and Privacy, Radboud University Nijmegen

Thom Wiggers

, PQShield

Abstract

The isogeny-based scheme CSIDH is considered to be the only efficient post-quantum non-interactive key exchange (NIKE) and poses small bandwidth requirements, thus appearing to be an attractive alternative for classical Diffie--Hellman schemes. A crucial CSIDH design point, still under debate, is its quantum security when using prime fields of 512 to 1024 bits. Most work has focused on prime fields of that size and the practicality of CSIDH with large parameters, 2000 to 9000 bits, has so far not been thoroughly assessed, even though analysis of quantum security suggests these parameter sizes. We fill this gap by providing two CSIDH instantiations: A deterministic and dummy-free instantiation based on SQALE, aiming at high security against physical attacks, and a speed-optimized constant-time instantiation that adapts CTIDH to larger parameter sizes. We provide implementations of both variants, including efficient field arithmetic for fields of such size, and high-level optimizations. Our deterministic and dummy-free version, dCSIDH, is almost twice as fast as SQALE, and, dropping determinism, CTIDH at these parameters is thrice as fast as dCSIDH. We investigate their use in real-world scenarios through benchmarks of TLS using our software. Although our instantiations of CSIDH have smaller communication requirements than post-quantum KEM and signature schemes, both implementations still result in too-large handshake latency (tens of seconds), which hinder further consideration of using CSIDH in practice for conservative parameter set instantiations.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: post-quantum cryptography isogenies CSIDH TLS
Contact author(s): campos @ sopmac de
jorge saab @ tii ae
jesus dominguez @ tii ae
michael @ random-oracles org
krijn @ cs ru nl
francisco rodriguez @ tii ae
peter @ cryptojedi org
thom @ thomwiggers nl
History: 2023-06-06: approved; 2023-05-30: received; See all versions
Short URL: https://ia.cr/2023/793
License: CC0

BibTeX

@misc{cryptoeprint:2023/793,
      author = {Fabio Campos and Jorge Chavez-Saab and Jesús-Javier Chi-Domínguez and Michael Meyer and Krijn Reijnders and Francisco Rodríguez-Henríquez and Peter Schwabe and Thom Wiggers},
      title = {On the Practicality of Post-Quantum TLS Using Large-Parameter CSIDH},
      howpublished = {Cryptology ePrint Archive, Paper 2023/793},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/793}},
      url = {https://eprint.iacr.org/2023/793}
}