Abstract
Diffie–Hellman key exchange is at the foundations of public-key cryptography, but conventional group-based Diffie–Hellman is vulnerable to Shor’s quantum algorithm. A range of “post-quantum Diffie–Hellman” protocols have been proposed to mitigate this threat, including the Couveignes, Rostovtsev–Stolbunov, SIDH, and CSIDH schemes, all based on the combinatorial and number-theoretic structures formed by isogenies of elliptic curves. Pre- and post-quantum Diffie–Hellman schemes resemble each other at the highest level, but the further down we dive, the more differences emerge—differences that are critical when we use Diffie–Hellman as a basic component in more complicated constructions. In this survey we compare and contrast pre- and post-quantum Diffie–Hellman algorithms, highlighting some important subtleties.
Notes
- 1.
More generally, Armknecht, Gagliardoni, Katzenbeisser, and Peter have shown that no group-homomorphic cryptosystem can be secure against a quantum adversary, essentially because of the existence of Shor’s algorithm [8].
- 2.
Some protocols do use the shared secret \(S\) as a key, most notably the textbook ElGamal encryption presented at the start of Sect. 4.
- 3.
If Alice immediately encrypts a message under \(K\) and sends the ciphertext to Bob with \(E\), then this is “hashed ElGamal” encryption (see [1] for a full encryption scheme in this style).
- 4.
Recall that \(L_X[\alpha ,c] = \exp ((c + o(1))(\log X)^\alpha (\log \log X)^{1-\alpha })\).
- 5.
At least, it is the only improvement as far as asymptotic complexity is concerned: implementation and distribution have improved substantially. It is, nevertheless, quite dumbfounding that in over thirty years of cryptographically-motivated research, we have only scraped a tiny constant factor away from the classical asymptotic complexity of the DLP in a generic prime-order elliptic curve over a prime finite field.
- 6.
Not entirely seamlessly: some operations, like hashing into \(\mathcal {G}\), become slightly more complicated when we pass from finite fields to elliptic curves (see [108]).
- 7.
While quotienting by \(\pm 1\) is useful in curve-based cryptosystems, it is counterproductive in multiplicative groups of finite fields. There, the pseudo-scalar multiplication is \((m,P+1/P) \mapsto P^m + 1/P^m\); computing this is slightly slower than computing simple exponentiations, and saves no space at any point.
- 8.
Buchmann, Scheidler, and Williams later proposed what they claimed was the first group-less key exchange in the infrastructure of real quadratic fields [29]. Mireles Morales investigated the infrastructure in the analogous even-degree hyperelliptic function field case [102], relating it to a subset of the class group of the field; in view of his work, it is more appropriate to describe infrastructure key exchange as group-based. In any case, coming nearly a decade after Miller, this would not have been the first non-group Diffie–Hellman.
- 9.
If we require this property to hold for all \(P\) in \(\mathcal {X}\), then \(\mathcal {F}\) is a commutative magma. Diffie–Hellman protocols where \(\mathcal {F}\) is equipped with a semigroup or semiring structure have been investigated [97], though the results are only of theoretical interest.
- 10.
- 11.
Algorithm 9 becomes the usual BSGS for DLPs in \(\mathfrak {G} = \langle {\mathfrak {e}}\rangle \) if we let \(\mathcal {X} = \mathfrak {G} \) (with the group operation as the action), let \(P = 1\), and let \(Q\) be the discrete log target.
- 12.
It might seem odd that some black-box group algorithms like BSGS and Pollard \(\rho \) adapt easily to PHSes, but not others like Pohlig–Hellman. But looking closer, BSGS and Pollard \(\rho \) in groups only require translations, and not a full group law. We can therefore see BSGS and Pollard \(\rho \) not as black-box group algorithms, but rather as black-box PHS algorithms that are traditionally applied with \(\mathcal {X} = \mathfrak {G} \).
- 13.
Biasse, Jacobson, and Iezzi [19] have made some preliminary steps in this direction, and claim a classical complexity of \(O(\sqrt{N/M})\) for vectorization when \(\mathfrak {G}\) contains a subgroup of order \(M\). However, their algorithm assumes we can correctly guess the subgroup orbits of the vectorization targets—and this is a problem for which we have no solution that improves on exhaustive search (or vectorization). When run as a probabilistic vectorization algorithm, therefore, their algorithm runs in time \(O(\sqrt{MN})\), which is actually a factor-of-\(\sqrt{M}\) slowdown over BSGS.
- 14.
An elliptic curve is by definition a pair \((\mathcal {E},0_\mathcal {E})\), where \(\mathcal {E}\) is a curve of genus 1 and \(0_\mathcal {E}\) is a distinguished point on \(\mathcal {E}\) (which becomes the identity element of the group of points; cf. Example 3); so it makes sense that a morphism \((\mathcal {E},0_{\mathcal {E}}) \rightarrow (\mathcal {E}',0_{\mathcal {E}'})\) in the category of elliptic curves should be a mapping of algebraic curves \(\mathcal {E}\rightarrow \mathcal {E}'\) preserving the distinguished points, that is, mapping \(0_\mathcal {E}\) onto \(0_{\mathcal {E}'}\).
- 15.
If we consider endomorphisms defined over \(\mathbb {F}_{p^2}\), then the ring is noncommutative.
- 16.
We use classical modular polynomials here for simplicity, but alternative modular polynomials such as Atkin’s, which have smaller degree, are better in practice. These degrees are still in \(O(\ell )\), so the asymptotic efficiency of this approach does not change.
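Note 7 describes pseudo-scalar multiplication on the quotient of a multiplicative group by \(\pm 1\): the map \((m, P + 1/P) \mapsto P^m + 1/P^m\). The Python below is an added example, not code from the paper, showing how that map is computed from the trace \(x = P + 1/P\) alone, via the Lucas sequence \(V_m(x) = P^m + P^{-m}\) and a ladder on the pair \((V_k, V_{k+1})\). The prime 1019, the base 2, and the scalars are constructed sample values; the function names are this example's own.

```python
# Added example (not from the paper): pseudo-scalar multiplication on traces
# x = P + 1/P in (F_p)^*, as described in note 7.
# Uses the Lucas sequence V_0 = 2, V_1 = x, V_{k+1} = x*V_k - V_{k-1}, for which
# V_m(x) = P^m + P^{-m}. The ladder keeps (V_k, V_{k+1}) and uses
#   V_{2k} = V_k^2 - 2,   V_{2k+1} = V_k * V_{k+1} - x,
# so it never needs P itself, only the class {P, 1/P} represented by x.

def trace(P, p):
    """x = P + 1/P mod p: the representative of {P, 1/P} in G / {+-1}."""
    return (P + pow(P, -1, p)) % p

def pseudo_scalar_mult(x, m, p):
    """Return V_m(x) = P^m + P^{-m} mod p given only x = P + 1/P.
    One squaring and one multiplication per bit of m, in a fixed pattern."""
    v0, v1 = 2 % p, x % p              # (V_0, V_1)
    for bit in bin(m)[2:]:             # most significant bit first
        if bit == "0":                 # (V_k, V_{k+1}) -> (V_{2k}, V_{2k+1})
            v0, v1 = (v0 * v0 - 2) % p, (v0 * v1 - x) % p
        else:                          # (V_k, V_{k+1}) -> (V_{2k+1}, V_{2k+2})
            v0, v1 = (v0 * v1 - x) % p, (v1 * v1 - 2) % p
    return v0

def trace_diffie_hellman(x, a, b, p):
    """Both orders of the two pseudo-scalar multiplications.
    They agree because V_a(V_b(x)) = trace(P^{ab}) = V_{ab}(x)."""
    alice = pseudo_scalar_mult(pseudo_scalar_mult(x, b, p), a, p)
    bob = pseudo_scalar_mult(pseudo_scalar_mult(x, a, p), b, p)
    return alice, bob

if __name__ == "__main__":
    # constructed sample parameters: small prime p, base P = 2
    p, P = 1019, 2
    x = trace(P, p)
    m = 777
    direct = (pow(P, m, p) + pow(P, -m, p)) % p
    print("ladder:", pseudo_scalar_mult(x, m, p), "direct:", direct)
```

The ladder makes the note's point concrete: every bit of \(m\) costs a squaring plus a multiplication, whereas plain square-and-multiply exponentiation costs a squaring per bit and a multiplication only for set bits, and the trace \(x\) occupies exactly as many bits as \(P\) did, so nothing is saved in transmission either.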
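Notes 11 and 12 observe that baby-step giant-step only ever translates elements of \(\mathcal {X}\) by elements of \(\mathfrak {G}\), so it is really a black-box algorithm for vectorization in a principal homogeneous space (PHS), of which the discrete logarithm in \(\mathfrak {G} = \langle {\mathfrak {e}}\rangle \) is the instance \(\mathcal {X} = \mathfrak {G}\), \(P = 1\). The Python below is an added example, not the paper's Algorithm 9 (which is not reproduced here): it writes the standard BSGS against an abstract action of \(\mathbb {Z}/N\) and runs the same routine on two constructed actions, multiplication by powers of a generator on \((\mathbb {F}_p)^*\) (ordinary BSGS for the DLP) and rotation of a set of opaque labels in a secret order (a PHS whose elements carry no group law at all). The prime 1019 with generator 2, the label set, and the function names are this example's own.

```python
# Added example (not from the paper): baby-step giant-step as a black-box
# PHS vectorization algorithm, as in notes 11 and 12.
# The group is Z/N written additively (k stands for the generator e raised to k);
# act(k, x) is the action of that element on x in X.  BSGS needs nothing more.
import math
import random

def bsgs_vectorize(act, N, P, Q):
    """Find k in [0, N) with act(k, P) == Q, or None if no such k exists.
    Baby steps: i*P for 0 <= i < m.  Giant steps: Q - m*j for 0 <= j < m.
    A collision i*P == Q - m*j gives Q == (i + m*j)*P.  m^2 >= N covers all k."""
    m = math.isqrt(N - 1) + 1          # ceil(sqrt(N))
    baby = {}
    x = P
    for i in range(m):                 # baby steps: translate P by e, m times
        baby.setdefault(x, i)
        x = act(1, x)
    y = Q
    for j in range(m):                 # giant steps: translate Q by e^{-m}
        if y in baby:
            return (baby[y] + m * j) % N
        y = act((-m) % N, y)
    return None

def discrete_log(p, e, N, Q):
    """Note 11's specialisation: X = G = <e> acting on itself, P = 1.
    N is the order of e modulo p; the answer is log_e(Q)."""
    act = lambda k, x: pow(e, k % N, p) * x % p
    return bsgs_vectorize(act, N, 1, Q)

def shuffled_cycle_action(N, seed):
    """Constructed PHS: Z/N rotating N opaque labels stored in a secret order.
    The labels have no arithmetic of their own; only the rotation is available."""
    rng = random.Random(seed)
    perm = list(range(N))
    rng.shuffle(perm)
    labels = [f"node-{v:04d}" for v in perm]
    index = {lab: i for i, lab in enumerate(labels)}
    def act(k, x):
        return labels[(index[x] + k) % N]
    return act, labels

if __name__ == "__main__":
    # constructed sample: p = 1019 is prime and 2 generates (F_p)^*, so N = 1018
    p, e, N = 1019, 2, 1018
    print("dlog:", discrete_log(p, e, N, pow(e, 777, p)))          # 777
    act, labels = shuffled_cycle_action(N, seed=7)
    P = labels[0]
    print("vectorization:", bsgs_vectorize(act, N, P, act(613, P)))  # 613
```

The same routine solves both problems because, as note 12 says, it only asks for translations; a Pohlig–Hellman style reduction would additionally need to project elements of \(\mathcal {X}\) into subgroups, which a bare action does not offer.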
References
Abdalla, M., Bellare, M., Rogaway, P.: DHAES: an encryption scheme based on the Diffie–Hellman problem. IACR Cryptology ePrint Archive 1999:7 (1999)
Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. IACR Cryptology ePrint Archive 2018:313 (2018)
Agashe, A., Lauter, K.E., Venkatesan, R.: Constructing elliptic curves with a known number of points over a prime field. In: van der Poorten and Stein [30], pp. 1–17
Aguilar, C., Gaborit, P., Lacharme, P., Schrek, J., Zémor, G.: Noisy Diffie–Hellman protocols (2010). Slides presented at the recent results session of PQC 2010. https://pqc2010.cased.de/rr/03.pdf
Akavia, A.: Solving hidden number problem with one bit oracle and advice. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 337–354. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_20
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016)
Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_16
Armknecht, F., Gagliardoni, T., Katzenbeisser, S., Peter, A.: General impossibility of group homomorphic encryption in the quantum world. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 556–573. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_32
Azarderakhsh, R., et al.: Supersingular isogeny key encapsulation (2017)
Balasubramanian, R., Koblitz, N.: The improbability that an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm. J. Cryptol. 11(2), 141–145 (1998)
Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_1
Benaloh, J.: Simple verifiable elections. In: Wallach, D.S., Rivest, R.L. (eds.) 2006 USENIX/ACCURATE Electronic Voting Technology Workshop, EVT 2006, Vancouver, BC, Canada, 1 August 2006. USENIX Association (2006)
Bentahar, K.: The equivalence between the DHP and DLP for elliptic curves used in practical applications, revisited. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 376–391. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_25
Bernstein, D.J.: Curve25519: new Diffie–Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14
Bernstein, D.J.: Differential addition chains. Preprint (2006)
Bernstein, D.J., Chuengsatiansup, C., Lange, T., Schwabe, P.: Kummer strikes back: new DH speed records. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 317–337. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_17
Bernstein, D.J., et al.: Faster discrete logarithms on FPGAs. IACR Cryptology ePrint Archive 2016:382. Document ID: 01ac92080664fb3a778a430e028e55c8 (2016)
Bernstein, D.J., Lange, T., Schwabe, P.: On the correct use of the negation map in the Pollard rho method. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 128–146. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_8
Biasse, J., Iezzi, A., Jacobson Jr., M.: A note on the security of CSIDH. CoRR, abs/1806.03656 (2018)
Boneh, D.: The decision Diffie–Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054851
Boneh, D., Lipton, R.J.: Algorithms for black-box fields and their application to cryptography (extended abstract). In: Koblitz [83], pp. 283–297
Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes. In: Koblitz [83], pp. 129–142
Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes. IACR Cryptology ePrint Archive 2018:537 (2018)
Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 553–570. IEEE Computer Society (2015)
Bos, J.W., Friedberger, S.: Fast arithmetic modulo \(2^xp^y\pm 1\). In: Burgess, N., Bruguera, J.D., de Dinechin, F. (eds.) IEEE Symposium on Computer Arithmetic - ARITH 2017, pp. 148–155. IEEE Computer Society (2017)
Bos, J.W., Friedberger, S.: Arithmetic considerations for isogeny based cryptography. IACR Cryptology ePrint Archive 2018:376 (2018)
Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0
Bröker, R., Lauter, K.E., Sutherland, A.V.: Modular polynomials via isogeny volcanoes. Math. Comput. 81(278), 1201–1231 (2012)
Buchmann, J., Scheidler, R., Williams, H.C.: A key-exchange protocol using real quadratic fields. J. Cryptol. 7, 171–199 (1994)
van der Poorten, A., Stein, A. (eds.): High Primes and Misdemeanors: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams. Fields Institute Communications Series, vol. 42. American Mathematical Society
Buchmann, J., Takagi, T., Vollmer, U.: Number field cryptography. In: van der Poorten and Stein [30], pp. 111–125
Buchmann, J.A., Williams, H.C.: A key exchange system based on real quadratic fields. In: Brassard [27], pp. 335–343
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
Cassels, J.W.S.: Lectures on Elliptic Curves. London Mathematical Society Student Texts, vol. 24. Cambridge University Press (1991)
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. IACR Cryptology ePrint Archive 2018:383 (2018)
Cheon, J.H.: Security analysis of the strong Diffie–Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_1
Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)
Coron, J.-S., Nielsen, J.B. (eds.): EUROCRYPT 2017. LNCS, vol. 10210. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7
Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi and Peyrin [130], pp. 303–329
Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron and Nielsen [38], pp. 679–706
Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie–Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_21
Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Cryptogr. Eng. 8, 227–240 (2017)
Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006:291 (2006)
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
Déchène, I.: On the security of generalized Jacobian cryptosystems. Adv. Math. Commun. 1(4), 413–426 (2007)
Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016)
den Boer, B.: Diffie–Hellman is as strong as discrete log for certain primes. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 530–539. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_38
Deneuville, J.-C., Gaborit, P., Zémor, G.: Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 18–34. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_2
Diem, C., Thomé, E.: Index calculus in class groups of non-hyperelliptic curves of genus three. J. Cryptol. 21(4), 593–611 (2008)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Ding, J.: New cryptographic constructions using generalized learning with errors problem. IACR Cryptology ePrint Archive 2012:387 (2012)
Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive, 2012:688 (2012)
Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
Enge, A., Gaudry, P., Thomé, E.: An L(1/3) discrete logarithm algorithm for low degree curves. J. Cryptol. 24(1), 24–41 (2011)
Faz-Hernández, A., López, J., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie–Hellman key exchange protocol. IEEE Trans. Comput. PP(99), 1 (2017)
De Feo, L.: Mathematics of isogeny based cryptography. CoRR, abs/1711.04062 (2017)
De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. IACR Cryptology ePrint Archive 2018:485 (2018)
Fouquet, M., Morain, F.: Isogeny volcanoes and the SEA algorithm. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 276–291. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45455-1_23
Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Non-interactive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_17
Frey, G., Müller, M., Rück, H.: The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Trans. Inf. Theory 45(5), 1717–1719 (1999)
Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron and Nielsen [38], pp. 202–231
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999)
Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_3
Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3
Galbraith, S.D., Smith, B.: Discrete logarithms in generalized Jacobians. IACR Cryptology ePrint Archive 2006:333 (2006)
Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Inf. Process. 17, 265 (2017)
Gaudry, P.: Fast genus 2 arithmetic based on Theta functions. J. Math. Cryptol. 1(3), 243–265 (2007). https://eprint.iacr.org/2005/314/
Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009)
Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002)
Gaudry, P., Thomé, E., Thériault, N., Diem, C.: A double large prime variation for small genus hyperelliptic index calculus. Math. Comput. 76(257), 475–492 (2007)
Grémy, L., Guillevic, A.: DiscreteLogDB, a database of computations of discrete logarithms (2017). https://gitlab.inria.fr/dldb/discretelogdb
Guillevic, A., Morain, F.: Discrete logarithms. In: El Mrabet and Joye [103], Chap. 9
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki–Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_31
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009)
Kleinjung, T., Diem, C., Lenstra, A.K., Priplata, C., Stahlke, C.: Computation of a 768-bit prime field discrete logarithm. In: Coron and Nielsen [38], pp. 185–201
Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)
Koblitz, N.: Hyperelliptic cryptosystems. J. Cryptol. 1(3), 139–150 (1989)
Koblitz, N. (ed.): CRYPTO 1996. LNCS, vol. 1109. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5
Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996)
Kohel, D.R., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014)
Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)
Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandao, F. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2013). Leibniz International Proceedings in Informatics (LIPIcs), vol. 22, pp. 20–34. Schloss Dagstuhl–Leibniz-Zentrum für Informatik, Dagstuhl, Germany (2013)
Langley, A., Hamburg, M., Turner, S.: Elliptic curves for security. RFC, 7748, pp. 1–22 (2016)
Lenstra, A.K., Lenstra, H.W. (eds.): The Development of the Number field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993). https://doi.org/10.1007/BFb0091534
Lenstra, A.K., Verheul, E.R.: The XTR public key system. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 1–19. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_1
Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052240
Lochter, M., Merkle, J.: Elliptic curve cryptography (ECC) brainpool standard curves and curve generation. RFC, 5639, pp. 1–27 (2010)
Marlinspike, M., Perrin, T.: The X3DH key agreement protocol (2016)
Martin-Lopez, E., Laing, A., Lawson, T., Alvarez, R., Zhou, X.-Q., O’Brien, J.L.: Experimental realization of Shor’s quantum factoring algorithm using qubit recycling. Nat. Photon. 6(11), 773–776 (2012)
Maurer, U.M.: Towards the equivalence of breaking the Diffie–Hellman protocol and computing discrete logarithms. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 271–281. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_26
Maurer, U.M., Wolf, S.: The relationship between breaking the Diffie–Hellman protocol and computing discrete logarithms. SIAM J. Comput. 28(5), 1689–1721 (1999)
Maze, G., Monico, C., Rosenthal, J.: Public key cryptography based on semigroup actions. Adv. Math. Commun. 1(4), 489–507 (2007)
Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)
Mestre, J.: La méthode des graphes. Exemples et applications. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata), pp. 217–242 (1986)
Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31
Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)
Mireles Morales, D.J.: An analysis of the infrastructure in real function fields. IACR Cryptology ePrint Archive 2008:299 (2008)
El Mrabet, N., Joye, M. (eds.): Guide to Pairing-Based Cryptography. Chapman and Hall/CRC, New York (2016)
Murty, V.K.: Abelian varieties and cryptography. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11596219_1
Muzereau, A., Smart, N.P., Vercauteren, F.: The equivalence between the DHP and DLP for elliptic curves used in practical applications. LMS J. Comput. Math. 7, 50–72 (2004)
National Institute of Standards and Technology (NIST): SP 800-56A recommendations for pair-wise key-establishment schemes using discrete logarithm cryptography
NIST: Post-quantum cryptography standardization
Ochoa-Jiménez, E., Rodríguez-Henríquez, F., Tibouchi, M.: Discrete logarithms. In: El Mrabet and Joye [103], Chap. 8
Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12
Perrin, T., Marlinspike, M.: The double ratchet algorithm (2016)
Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi and Peyrin [130], pp. 330–353
Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (corresp). IEEE Trans. Inf. Theory 24(1), 106–110 (1978)
Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32(143), 918–924 (1978)
Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space, June 2004. arXiv:quant-ph/0406151
Renes, J., Schwabe, P., Smith, B., Batina, L.: \(\mu \)Kummer: efficient hyperelliptic signatures and key exchange on microcontrollers. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 301–320. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_15
Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC, 8446, pp. 1–160 (2018)
Robert, D.: Theta functions and cryptographic applications. Ph.D. thesis, Université Henri Poincaré - Nancy I, July 2010
Roetteler, M., Naehrig, M., Svore, K.M., Lauter, K.E.: Quantum resource estimates for computing elliptic curve discrete logarithms. In: Takagi and Peyrin [130], pp. 241–270
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006:145 (2006)
Rubin, K., Silverberg, A.: Torus-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 349–365. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_21
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard [27], pp. 239–252
Shanks, D.: Class number, a theory of factorization and genera. Proc. Symp. Pure Math. 20, 415–440 (1971)
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106. Springer, New York (1992)
Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999)
Smith, B.: Isogenies and the discrete logarithm problem in Jacobians of genus 3 hyperelliptic curves. J. Cryptol. 22(4), 505–529 (2009)
Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
Sutherland, A.V.: Accelerating the CM method. LMS J. Comput. Math. 15, 172–204 (2012)
Takagi, T., Peyrin, T. (eds.): ASIACRYPT 2017. LNCS, vol. 10625. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9
Tani, S.: Claw finding algorithms using quantum walk. Theor. Comput. Sci. 410(50), 5285–5297 (2009)
Thormarker, E.: Post-quantum cryptography: supersingular isogeny Diffie–Hellman key exchange. Ph.D. thesis, Stockholm University (2017)
Urbanik, D., Jao, D.: SoK: the problem landscape of SIDH. In: Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, APKC 2018, pp. 53–60. ACM, New York (2018)
van Dam, W., Hallgren, S., Ip, L.: Quantum algorithms for some hidden shift problems. SIAM J. Comput. 36(3), 763–778 (2006)
Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)
Wenger, E., Wolfger, P.: Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs. J. Cryptogr. Eng. 6(4), 287–297 (2016)
Acknowledgements
I am grateful to Luca De Feo, Florian Hess, Jean Kieffer, and Antonin Leroux for the many hours they spent discussing these cryptosystems with me; and the organisers, chairs, and community of WAIFI 2018.
© 2018 Springer Nature Switzerland AG
Smith, B. (2018). Pre- and Post-quantum Diffie–Hellman from Groups, Actions, and Isogenies. In: Budaghyan, L., Rodríguez-Henríquez, F. (eds) Arithmetic of Finite Fields. WAIFI 2018. Lecture Notes in Computer Science(), vol 11321. Springer, Cham. https://doi.org/10.1007/978-3-030-05153-2_1
DOI: https://doi.org/10.1007/978-3-030-05153-2_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05152-5
Online ISBN: 978-3-030-05153-2