Authenticated logarithmic-order supersingular isogeny group key exchange

Abstract

We present the first constant-round, tree-based, group key exchange protocol based on SIDH with logarithmic-order communication and memory complexity, where the only previous isogeny-based group key exchange, SIBD, has linear-order communication and memory complexity. We call our protocol the supersingular isogeny tree-based group key exchange (SIT). We show that our protocol satisfies post-quantum security through a reduction to the supersingular decisional Diffie–Hellman (SSDDH) problem in the security model of Manulis, Suzuki, and Ustaoglu. We also construct a peer-to-peer (sequential) version of SIT. Finally, we present a compiler that turns SIT into an authenticated group key exchange while maintaining the same complexity and security as SIT, resulting in the authenticated SIT group key exchange (A-SIT).