Abstract
We consider the problem of producing an efficient, practical, quantum-resistant non-interactive key exchange (NIKE) protocol based on Supersingular Isogeny Diffie-Hellman (SIDH). An attack of Galbraith, Petit, Shani and Ti rules out the use of naïve forms of the SIDH construction for this application, as they showed that an adversary can recover private key information when supplying an honest party with malformed public keys. Subsequently, Azarderakhsh, Jao and Leonardi presented a method for overcoming this attack using multiple instances of the SIDH protocol, but which increases the costs associated with performing a key exchange by factors of up to several thousand at typical security levels. In this paper, we present two new techniques to reduce the cost of SIDH-based NIKE, with various possible tradeoffs between key size and computational cost.
Highlights
The Supersingular Isogeny Diffie-Hellman (SIDH) protocol [10, 15] is a promising candidate for quantum-resistant key exchange
Summary
The Supersingular Isogeny Diffie-Hellman (SIDH) protocol [10, 15] is a promising candidate for quantum-resistant key exchange. To facilitate computation of the shared secret, Alice and Bob’s public keys contain additional information about the quotient maps φA : E → E/A and φB : E → E/B. The first approach is to modify the k-SIDH construction using extra automorphisms in a way that greatly increases the likelihood of obtaining malformed secret keys, allowing us to decrease the values of α and β. Using this approach, the computational cost remains quadratic, but with much smaller constants. On zero-knowledge proofs of validity for SIDH keys, may be useful for other authentication protocols such as digital signatures