Paper 2024/1556

The module action for isogeny based cryptography

Damien Robert, Inria Bordeaux - Sud-Ouest Research Centre, Institut de Mathématiques de Bordeaux
Abstract

We extend the usual ideal action on oriented elliptic curves to a (Hermitian) module action on oriented (polarised) abelian varieties. Oriented abelian varieties are naturally enriched in $R$-modules, and our module action comes from the canonical power object construction on categories enriched in a closed symmetric monoidal category. In particular our action is canonical and gives a fully fledged symmetric monoidal action. Furthermore, we give algorithms to compute this action in practice, generalising the usual algorithms in rank $1$. The action allows us to unify in the same framework, on the one hand isogeny based cryptography based on ordinary or oriented elliptic curves, and on the other hand the one based on supersingular elliptic curves defined over $\mathbb{F}_{p^2}$. In particular, from our point of view, supersingular elliptic curves over $\mathbb{F}_p$ are given by a rank $1$ module action, while (the Weil restriction) of those defined over $\mathbb{F}_{p^2}$ are given by a rank $2$ module action. As a consequence, rank $2$ module action inversion is at least as hard as the supersingular isogeny path problem. We thus propose to use Hermitian modules as an avatar of a cryptographic symmetric monoidal action framework. This generalizes the more standard cryptographic group action framework, and still allows for a NIKE (Non Interactive Key Exchange). The main advantage of our action is that, presumably, Kuperberg's algorithm does not apply. Compared to CSIDH, this allows for more compact keys and much better scaling properties. In practice, we propose the key exchange scheme $\otimes$-MIKE (Tensor Module Isogeny Key Exchange). Alice and Bob start from a supersingular elliptic curve $E_0/\mathbb{F}_p$ and both compute a $2^n$-isogeny over $\mathbb{F}_{p^2}$. They each send the $j$-invariant of their curve. Crucially, unlike SIDH, no torsion information at all is required. Their common secret, given by the module action, is then a dimension $4$ principally polarised abelian variety. We obtain a very compact post-quantum NIKE: only 64B for NIST level $1$ security.

Note: Important update on the (un)security of MIKE if we do not take isogenies of coprime degrees on Alice and Bob's side. Also several minor clarifications, notably added an appendix on how to see Waterhouse's derived mixed Ext functors in group schemes as the standard Ext sheaf functors on fppf sheaves.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint.
Keywords
isogenies, abelian varieties, modules
Contact author(s)
damien robert @ inria fr
History
2024-10-18: last of 2 revisions
2024-10-03: received
Short URL
https://ia.cr/2024/1556
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1556,
      author = {Damien Robert},
      title = {The module action for isogeny based cryptography},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1556},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1556}
}