Abstract
We introduce SQIsignHD, a new post-quantum digital signature scheme inspired by SQIsign. SQIsignHD exploits the recent algorithmic breakthrough underlying the attack on SIDH, which makes it possible to efficiently represent isogenies of arbitrary degrees as components of a higher-dimensional isogeny. SQIsignHD overcomes the main drawbacks of SQIsign. First, it scales well to high security levels, since the public parameters for SQIsignHD are easy to generate: the characteristic of the underlying field need only be of the form \(2^{f}3^{f'}-1\). Second, the signing procedure is simpler and more efficient. Our signing procedure implemented in C runs in 28 ms, which is a significant improvement compared to SQIsign. Third, the scheme is easier to analyse, allowing for a much more compelling security reduction. Finally, the signature sizes are even more compact than (the already record-breaking) SQIsign, with compressed signatures as small as 109 bytes for the post-quantum NIST-1 level of security. These advantages may come at the expense of verification, which now requires the computation of an isogeny in dimension 4, a task whose optimised cost is still uncertain, as it has so far received very little attention. Our experimental SageMath implementation of the verification runs in around 600 ms, indicating the potential cryptographic interest of dimension 4 isogenies after optimisations and a low-level implementation.
Notes
- 1.
One could slightly improve the scheme by defining \(\ell ^e\)-good integers as integers q such that \(\ell ^e-q=sq'\), with s a smooth integer whose prime factors are all congruent to 1 modulo 4 and \(q'\) a prime congruent to 1 modulo 4. Indeed, all we really need is that \(\ell ^e-q\) is easy to factor, so that Cornacchia’s algorithm can be applied efficiently. This alternate definition would slightly speed up the search for \(\ell ^e\)-good integers, but we went for the simplest definition.
- 2.
Actually, we will not have exactly \(D_\tau =D_\psi =\ell '^{2f'}\); rather, \(D_\tau \) and \(D_\psi \) will be divisors of \(\ell '^{2f'}\) close to \(\ell '^{2f'}\). The same holds for \(D_{\psi '}\) (see Algorithm 1). We assume equality to simplify the exposition.
- 3.
We can compute the norm of \(\sigma '\) on \(E'_2[m]\) (which is \(\deg (\sigma ') \mod m\)) for a number of small primes m and apply the Chinese remainder theorem.
- 4.
This essentially consists of computing a chain of 3-isogenies in dimension 1. The signature also needs to compute similar isogenies, and in that case the low-level C implementation only takes 1–2 ms, which shows the potential improvement from writing a low-level implementation of the verification.
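As an added example (not the paper's code or its C/SageMath implementation), the check behind Note 1's alternate definition of an \(\ell ^e\)-good integer, followed by the Cornacchia step it is designed to enable: factor \(\ell ^e-q\) by trial division up to a smoothness bound, require every prime factor (and the single remaining cofactor \(q'\)) to be congruent to 1 modulo 4, then write \(\ell ^e-q\) as a sum of two squares prime by prime. The function names, the Miller-Rabin primality test and the toy parameters (\(\ell =2\), \(e=16\), \(q=731\), bound 100) are assumptions made for illustration.

```python
# Added example, not the paper's code: check Note 1's alternate notion of an l^e-good
# integer q (l^e - q = s*q', every prime factor = 1 mod 4) and write l^e - q as x^2 + y^2.
from math import isqrt

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2 or any(n % p == 0 for p in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x != 1 and all(pow(x, 2**i, n) != n - 1 for i in range(s)):
            return False                       # a witnesses compositeness
    return True

def cornacchia_prime(p):
    """Solve x^2 + y^2 = p for a prime p = 1 mod 4 (Cornacchia's algorithm)."""
    a = next(a for a in range(2, p) if pow(a, (p - 1) // 2, p) == p - 1)  # non-residue
    r0, r1 = p, pow(a, (p - 1) // 4, p)        # r1^2 = -1 (mod p)
    while r1 * r1 > p:                         # Euclid until remainder < sqrt(p)
        r0, r1 = r1, r0 % r1
    return r1, isqrt(p - r1 * r1)              # p - r1^2 is a perfect square for prime p

def good_decomposition(q, ell, e, bound):
    """Prime factors of l^e - q if q is l^e-good in Note 1's sense, else None."""
    n, factors = ell**e - q, []
    for p in range(2, bound + 1):              # trial division: s is `bound`-smooth
        while n > 1 and n % p == 0:            # composite p never divides here
            if p % 4 != 1:                     # 2 or a prime = 3 mod 4 divides n
                return None
            factors.append(p)
            n //= p
    if n == 1:                                 # l^e - q is entirely smooth
        return factors
    if n % 4 != 1 or not is_probable_prime(n): # cofactor must be a prime q' = 1 mod 4
        return None
    return factors + [n]

def sum_of_two_squares(factors):
    """Combine prime representations via (a^2+b^2)(c^2+d^2) = (ac-bd)^2 + (ad+bc)^2."""
    x, y = 1, 0
    for p in factors:
        c, d = cornacchia_prime(p)
        x, y = abs(x * c - y * d), x * d + y * c
    return x, y
```

For the constructed instance, `good_decomposition(731, 2, 16, 100)` returns `[5, 13, 997]` (since \(2^{16}-731=64805=5\cdot 13\cdot 997\)), and `sum_of_two_squares` on that list returns x, y with \(x^2+y^2=64805\).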
Acknowledgements
We thank Luca De Feo for his advice throughout this project and for suggesting the title of this paper. This project was supported by ANR grant CIAO (ANR-19-CE48-0008), PEPR PQ-TLS (the France 2030 program under grant agreement ANR-22-PETQ-0008 PQ-TLS) and the European Research Council under grant No. 101116169 (AGATHA CRYPTY).
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Dartois, P., Leroux, A., Robert, D., Wesolowski, B. (2024). SQIsignHD: New Dimensions in Cryptography. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14651. Springer, Cham. https://doi.org/10.1007/978-3-031-58716-0_1
DOI: https://doi.org/10.1007/978-3-031-58716-0_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58715-3
Online ISBN: 978-3-031-58716-0
eBook Packages: Computer Science, Computer Science (R0)