Thanks for the introduction. Good morning everyone. This is joint work with my two colleagues at MSR, Patrick Longa and Michael Naehrig, who are both up the front here.

We've heard some different opinions on when, or if, quantum computers are going to come and destroy all of the public key crypto that we're currently using. Some people think that it's never going to happen, some people think that they already exist, and a lot of us are in some camp somewhere in the middle. But the agencies and companies around the world are doing the due diligence and have announced that the standards are going to be updated in the next decade or so anyway. In August last year you might have seen the announcement from the NSA that Suite B cryptography is going to be updated to include post-quantum algorithms, and just this month, following a sequence of announcements, NIST have said, and even said last night, that they're going to be pushing for an agenda over the next five years, with a deadline late next year to look at post-quantum candidates. Now, these are just the examples in the States, but in Europe and Asia and all over the world
there are many, many companies, groups and organizations that are investing a lot of time, effort and money into examining post-quantum candidates, to see what we're going to do to replace all of these things that will fall if, or when, a quantum computer comes. So in our group we've been seriously looking at this problem as well.

In general, when you go and look at any of these documents that talk about post-quantum cryptography, you see four common themes, four common arenas that people are considering, or seriously considering, to look for post-quantum primitives: lattice-based (stuff like NTRU and LWE and its ring variants), code-based cryptography, hash-based, and multivariate-based. Often, after these four strong pillars of post-quantum primitives, you see a paragraph or a subsection mentioning all of the other ones, and sometimes you see isogeny-based mentioned alongside some other ones. But from all the study we've done so far, we think that isogeny-based is worth being considered as one of the five pillars that we should be looking at for post-quantum public key crypto. So in this talk we're going to be looking at this fifth one, isogeny-based crypto, by way of the supersingular isogeny Diffie-Hellman that was introduced by Jao and De Feo in 2011.

I think one of the reasons that it might not yet be considered as strong an option as the other four is simply because it hasn't withstood the test of time; it's much newer than these other four. But on the other hand it really offers a lot more, or in some situations it shows a lot of potential, compared to these other four primitives. Yes, it's a lot younger, and so the confidence is a bit smaller, but the key sizes: the best attacks against SIDH are exponential in the size of the prime field, and therefore we've
got a primitive to do Diffie-Hellman where the public keys are a lot smaller than a lot of these other variants.

Okay, so the first thing I want to warn you about is not to be deterred by the word supersingular, because those that have been in the game of curve-based crypto for a long time will know that supersingular curves have had a rough ride in cryptography, starting with the original ECC papers that recommended supersingular curves as an option because they were easy to count, or to write down, the number of points on them. Then in the 90s we saw the attacks by Frey-Rück and the MOV attack that showed that we could use a pairing to attack the finite field version; then they were brought back when pairings were used for constructive purposes; then we decided that there were ordinary pairing-friendly curves that were better than supersingular curves; and in recent times those supersingular curves that seemed to survive, the low characteristic ones, as you saw in the last talk, have been attacked. But all of this is kind of irrelevant with respect to this talk, because all of those highs and lows of supersingular curves have related to the discrete log problem, and the point is that in this work the discrete log problem is irrelevant. This has nothing to do with the discrete log problem. In fact, for the curves that we use in SIDH, you'd be hard-pressed to find a curve that has an easier discrete log problem than the curves we use. So the discrete log problem is easy on these curves; it's got nothing to do with that. So if the word supersingular makes you feel cautious, try to ignore that hunch.

Okay, some basic facts about isogenies. Anyone that knows the basics of elliptic curve cryptography deals with isogenies all the time: if you're computing a doubling map, the multiplication by two, that's an isogeny.
It's just a particular case of an isogeny where the domain and the codomain, the curves E1 and E2, are the same curve. But an isogeny is more general than that: the multiplication-by-n map is an endomorphism, and an isogeny is a map that takes points on the curve E1 to points on the curve E2. So when you come to double a point you do some computations in its x and y coordinates and magically you land on the same curve; an isogeny is kind of even less magic than that, if you like: you still do some computations in the x and y coordinates, but you land on a different curve. It's all very natural, because it's a group homomorphism, and so there's a very natural one-to-one correspondence, or connection, between isogenies and their kernels. If you write down a kernel, or specify a kernel, then by the definition of it being a group homomorphism, if the isogeny maps a point P to the identity, or the point at infinity if you like, then it would map any multiple of that point to the point at infinity. So we naturally have this correspondence between an isogeny and its kernel, and it should be said that, up to isomorphism, if you specify a subgroup on an elliptic curve there exists a unique isogeny and image curve such that that subgroup is the kernel, and we write the image curve as E1 quotiented by the subgroup. Now the degree of an isogeny is the number of elements in its kernel, which is the same as its degree as a rational map. So you should think of an isogeny as being, as I said, the general case of an endomorphism, which is where the two curves are the same; and if you're used to dealing with an isomorphism, then an isomorphism is just an isogeny of degree one, where the kernel is trivial, and so higher-degree isogenies have a non-trivial kernel. But
an isogeny is just a generalization of these two things that we're probably used to dealing with if we've done even the basic ECC stuff.

Okay, so here's a brief history of SIDH and where it comes from. In 2006, after a series of Russian papers by Stolbunov and his advisor Rostovtsev, they proposed doing isogeny-based Diffie-Hellman, but they chose ordinary curves to instantiate the Diffie-Hellman. In 2010, Childs, Jao and Soukharev gave a quantum sub-exponential algorithm to attack the ordinary case, when the curves used were ordinary, so in 2011 Jao and De Feo fixed this by instead choosing supersingular curves. For those that don't know the difference, there are a lot of equivalent definitions of ordinary and supersingular, but an elliptic curve is either one or the other. So the natural thing to do, if ordinary curves were broken, or there's a sub-exponential attack, was to look at the supersingular case, and that's what Jao and De Feo did successfully in 2011. As I said, there are a lot of equivalent definitions; you can see Silverman or any of the good elliptic curve books to see what the difference between supersingular and ordinary is, but for our purposes the important thing is that the endomorphism ring of supersingular curves is non-commutative. In the ordinary case it's commutative, and that's what allowed them to do this quantum sub-exponential attack, but this non-commutativity of the endomorphism ring is what makes the attack not work in the supersingular case.
So that's what gives us this confidence that at least that attack isn't applicable in the supersingular case.

Okay, so this is kind of the cheat sheet for you: if you don't take anything else away from the talk, if nothing else makes sense, then hopefully you just take this slide away. In the two left columns we've got the Diffie-Hellman that we're used to doing, finite field Diffie-Hellman and elliptic curve Diffie-Hellman, where our elements are elements modulo a prime, our exponents are typically integers, and we've got these analogs of, you know, the fundamental operation in Diffie-Hellman based crypto, exponentiation in the group, and of course the hard problem is the discrete log problem, inverting that operation. In the SIDH case our elements are curves in an isogeny class (I'll talk more about that in a second) and our secrets are the isogenies. So the fundamental operation that we're going to do in SIDH is to get our secret isogeny, apply it to a curve E, and output the isogeny evaluated at that curve. So the problem that we're basing our security on is: given the curve and its image curve, go and find what that secret isogeny was. Now although I said that it's only been around since 2011, we've got some confidence because this general isogeny problem has been studied by mathematicians and cryptographers for some time; it's appeared in several other contexts as well. So we've got confidence that it is hard to solve.

Now, as far as what sort of a setting we've got, what it looks like: you shouldn't really think of the elements as being a group.
It's not a group as such, but what we've got is a very well connected graph, a well connected regular graph where the nodes are elliptic curves, or rather isomorphism classes of elliptic curves. So every node in this graph is an elliptic curve, and the edges in the graph are the isogenies between them. In the supersingular case we've got a really big graph; it's well connected, it's regular, and it's got this nice property that Jao and De Feo talk about, this Ramanujan property, where we're told that from any point in the graph, so long as you walk far enough, you can land at any other point in the graph. And in SIDH we certainly walk much further than that, to make sure that from any point in this regular graph we can land at any other point.

Okay, so here's the very simplified version of SIDH, SIDH in a nutshell, sweeping a lot of details under the rug in this slide. There's this public base curve E0 that everybody has, and what Alice is going to do is choose her secret isogeny, and the way she does that is just by choosing a secret subgroup on E0 (remember subgroups and isogenies are in correspondence with one another). So Alice chooses this secret subgroup, computes the isogeny at E0, computes φA, and publishes her public key as EA. A technicality is that Alice is going to compute 2-isogenies and Bob's going to compute 3-isogenies; as long as these two things are coprime,
it's just a nice way to make sure that they don't interact with each other and everything is well behaved. But Bob's going to do the same thing: he's going to evaluate his isogeny at the base curve and publish his public key EB. Then they're going to compute some different isogeny to land at the shared secret EAB. Now the obstruction that Jao and De Feo had to overcome, this kind of non-trivial obstruction, is that because the endomorphism ring isn't commutative, φB could not just be applied to this image curve as is. A technicality that I won't get into too much detail about is how they overcame this, but essentially what they have to do (and I ask you not to worry about keeping the details here; these are just for future reference) is also evaluate their isogenies at some generator points, and this means that they can eventually arrive at the same kernel. So without this extra information it's hard to know what these φB' and φA' should be, but so long as Alice and Bob not only compute the isogenous curve but also evaluate the isogeny at some public generators, at each other's public generators, then that's enough for them to arrive at this shared secret. So that's the obstruction that was overcome in this 2011 paper. And I should say that, because the nodes in the graph are isomorphism classes, the shared secret is the j-invariant, which is the same regardless of which curve they arrive at, as long as it's in the same isomorphism class. Okay, so that's how SIDH works in a nutshell.
There are some details that are swept under the rug, like the fact that these secrets are chosen as subgroups of the torsion, and the torsion is two-dimensional, which is why there are two points chosen here. The way we actually choose this secret subgroup is to choose a secret scalar and to compute PA + sA·QA, which chooses a unique subgroup in the two-dimensional torsion. We couldn't just fix one generator here, because it would always be the same subgroup that we're in.

Okay, so what about the security? Again, sweeping many details under the rug, but the setting is these elliptic curves over Fp², where p is a large prime; all supersingular elliptic curves are defined over Fp². And our hard problem here is: not only given the curve and its image, but given those two points on the curve and their image under the isogeny. So it looks like the isogeny problem with a little bit of extra information, which is believed not to add any advantage, at least in the abstract sense of the problem. So the hard problem is: given the curve and its image, try to find this secret isogeny,
or, equivalently, the secret subgroup that was used to compute that isogeny. The only difference between this and the general isogeny problem is that, because of the nature of the system, the isogeny that we're dealing with here has a fixed, public and smooth degree. But we believe that the problem is still very, very hard under this situation. Now the best known classical attacks are big O of p to the one fourth, in the prime characteristic of the field; that's the best classical attack, and the best quantum attack is big O of p to the one sixth. Now the nice sort of confidence-building fact about this is that, given this problem of trying to connect two nodes in a graph where the degree of the connection is known, this is a classical sort of problem in computer science called the claw problem, and as Jao and De Feo say, these complexities are optimal for such a problem. So the best known attacks are currently generic, which kind of reminds us of ECC in a way, where the best known attack is Pollard rho, which is generic.
It doesn't use any of the underlying structure, which is confidence building for now. It should be said, and I should have said earlier, that one of the things that we really like about SIDH having such small keys is this: the keys are so small that even if different attacks come around where these exponents are even better, the problem is still very interesting. So long as it's not a catastrophic, you know, sub-exponential or polynomial time attack, then SIDH is very interesting compared to the other four post-quantum primitives.

Okay, so let's start to talk about how we do these computations. We need to compute isogenies of some degree. Now it should be said that computing an isogeny of prime degree ℓ has complexity at least big O of ℓ, so for exponentially large primes these algorithms are exponential. But we need an exponential number of isogenies and kernel subgroups for this problem to be hard, so the upshot is that the isogenies must have exponential degree, but to be able to compute them we need to do these things in logarithmic time, and we can't do that unless they're smooth. So we're only going to be using isogenies of degree ℓ^e for ℓ being two or three. And this is briefly how it works. Suppose we've got a point R0 of order 2^372 (this is actually from our implementation, the parameters that we used). Of course, we can't specify all 2^372 points in the subgroup generated by R0 to compute that isogeny in one go.
We have to factor this thing into 2-isogenies. So what we're going to do is start with our R0 and multiply it by 2^371 to almost kill it, and then this point has order two, which means that we can proceed from E0 to E1 using a 2-isogeny. Then we evaluate that 2-isogeny at R0 to get R1, and then we almost kill R1 on the new curve, and we keep doing this all the way down until we've computed 371 2-isogenies, the product of which is the large secret isogeny. I should say that there's a much faster way than this; this is like the naive way. In the De Feo, Jao and Plût follow-up paper, or the extended version, they show a much faster way, but for the purposes of this talk it's just to show that there are two types of arithmetic going on in SIDH. Namely, there's a lot of arithmetic happening on a fixed curve, when we're varying points on a fixed curve, and then we have to compute an isogeny to get to a new curve and do arithmetic on that new curve.
So it's not only the traditional ECC arithmetic that we're used to, but also this isogeny arithmetic.

Okay, so the motivation for our work was this: we looked at the original implementation, the proof-of-concept implementation, which was really encouraging in terms of performance, but we wanted to know whether we could securely deploy SIDH in practice. I suppose one of the fundamental things we wanted to do was to see if we could mimic the level of constant-time, side-channel-resistant software that we've come to be able to implement in the traditional number-theoretic settings. So we wanted to strive for that same level of constant-time behavior and see whether this brought up any new issues as far as SIDH goes. As far as performance goes, we had three improvements over the original implementation, but I'll only briefly talk about one of them today, namely number one; if you want to learn about the other two then come up and talk to one of us or read the paper.

So I'll talk about these projective isogenies and the fact that we're now working in P¹ everywhere, in one slide. In ECDH, as I said, we usually move around with different points on one fixed curve; in SIDH we do that as well as move around with different points on a fixed curve and then change curves and move around on a new curve. So this contribution was sort of mimicking what was already done in the ECDH case by Montgomery and others, which was to show that instead of working with both the x and y coordinates on a curve, or rather, when you cast that into a projective space to avoid inversions, you work with X, Y, Z in P², instead of working with all three of those you can drop one of the coordinates, you can drop the Y coordinate, and just work in P¹. So this is what Montgomery showed you could do very efficiently when the curve is fixed. In our case we wanted to do the same thing when we
proceed from curve to curve around the isogeny graph. So it was particularly nice, especially in the case of Montgomery curves, where instead of updating these A and B coefficients from curve to curve, we decided to work with them projectively to avoid inversions, and we realized that instead of working with all three projective coordinates on a curve like this, we can again ignore the B coefficient when working in the Montgomery form. The reason is that all the B coefficient does is tell you whether you're on the curve or its quadratic twist, and in the context of SIDH both of these things have the same j-invariant. So it's kind of nice that we can ignore whether we're on the curve or its quadratic twist; we end up with the same shared secret even if we ignore these B computations. So, mimicking the arithmetic of Montgomery on the curves, we're able to do similar arithmetic in the isogeny graph.

Okay, just quickly, these are the parameters we chose. We were striving for 128 bits of security against the best-known quantum attack, so our prime is roughly 768 bits in size. This is our starting curve; that's public for everybody to know. Here's the number of points on the curve; it's got an easy DLP. Our public parameters:
these are the generators that Alice and Bob have to know of each other to evaluate their isogenies at. Their secret subgroup, or secret isogeny, is chosen by 48-byte private keys. Their public keys are three x-coordinates, which represent the x-coordinates of the evaluated isogeny and also determine the evaluated curve; the details are in the paper. At the end of the day they come to compute this common j-invariant, one element of Fp², which is 188 bytes.

Okay, let me quickly talk about performance. This is our performance compared to the prior implementation; it's somewhere between 2.5 and 3 times faster than that work, but I should say that there are a lot of different things going on, and namely the most important one is that this work is in constant time. So the prior stuff did a lot of inversions, but was calling non-constant-time inversion routines for that; in our case we avoided a lot of inversions, because we wanted to compute them using Fermat's theorem in constant time. So a decent saving over the prior work.

And just very quickly, one other thing that we thought was really good to look at was to see how this would perform with a hybrid scheme that incorporated classical ECC with post-quantum SIDH. The motivation here is, especially because SIDH is so young, we might want to pair this with the elliptic curve discrete log problem to at least give us some sort of strong classical guarantee that these things are not going to fall to anything but a quantum computer. And the hybrid case is very attractive, especially in terms of SIDH, because you can do a lot of code sharing: you've got all this arithmetic lying around to do the Montgomery ladder on your supersingular curves anyway, but of course for the ECDLP we don't want such a curve.
We want it to have a hard ECDLP, so it's as easy as just changing one constant and using all the same software, and for very little overhead you get a lot more classical security based on a much more long-standing problem, which is quite attractive.

All right, I thought I'd finish on a slide that compares SIDH to some of the popular lattice primitives around. These are the performance numbers taken from the paper Frodo, which looked at implementing a plain-LWE-like Diffie-Hellman analog, and so you can see the trade-off here: in the last column you've got the size of the public keys, and it shows that SIDH is significantly smaller than these other lattice schemes, but it shows that we have a quite significant performance gap here. But what I should say is that these numbers are for the plain C implementation of this work, and this is really favorable to the lattice primitives; for example, our assembly implementation is, you know, 14 or 15 times faster than our plain C implementation, and the speed-up in the other cases isn't anywhere near as extreme. So when you come to look at a hardcore implementation of these schemes it's much closer than this gap suggests, but nevertheless this is what it looks like: it's a trade-off of small keys for a little slower performance, for ephemeral Diffie-Hellman.

I should just finish by advertising that there's a paper coming to Asiacrypt that's talking about public key validation; it just got accepted to Asiacrypt, by Galbraith, Petit, Shani and Ti. Our library only supports ephemeral SIDH; there are some issues with public key validation there. Thanks very much.
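The exchange described in the talk, as an added toy example that is not the talk's or the MSR library's code: SIDH over F_{p²} with the constructed parameter p = 2^4·3^3 − 1 = 431 (the talk's prime is 768 bits), walking 2- and 3-isogenies exactly as described (almost kill the kernel generator, apply the small-degree isogeny, push the other party's generators through, compare j-invariants). It uses Vélu's formulas on short Weierstrass curves with full (x, y) coordinates instead of the paper's projective Montgomery x-only arithmetic, and the starting curve y² = x³ + x and the randomly sampled torsion bases are assumptions of this example.

```python
import random

p = 2**4 * 3**3 - 1   # 431 = 2^eA * 3^eB - 1; p = 3 mod 4, so F_{p^2} = F_p(i), i^2 = -1
# F_{p^2} elements are pairs (a, b) meaning a + b*i.
def fadd(x, y): return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)
def fsub(x, y): return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)
def fmul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % p, (x[0]*y[1] + x[1]*y[0]) % p)
def fint(k): return (k % p, 0)
def finv(x):   # 1/(a+bi) = (a-bi)/(a^2+b^2)
    n = pow(x[0]*x[0] + x[1]*x[1], p - 2, p); return (x[0]*n % p, -x[1]*n % p)
def sqrt_fp(n):   # square root in F_p for p = 3 mod 4, or None
    r = pow(n % p, (p + 1)//4, p); return r if r*r % p == n % p else None
def sqrt_fp2(z):   # square root of a+bi in F_{p^2}, or None
    a, b = z
    if b == 0: r = sqrt_fp(a); return (r, 0) if r is not None else (0, sqrt_fp(-a))
    s = sqrt_fp(a*a + b*b)   # a+bi is a square iff its norm a^2+b^2 is a square in F_p
    if s is None: return None
    for t2 in ((a + s)*(p + 1)//2 % p, (a - s)*(p + 1)//2 % p):   # t^2 = (a +- s)/2
        t = sqrt_fp(t2)
        if t is not None: return (t, b*pow(2*t, p - 2, p) % p)   # (t + b/(2t) i)^2 = z

# Curves y^2 = x^3 + a*x + b over F_{p^2} as (a, b); points are (x, y) or None (infinity).
def eadd(E, P, Q):
    if P is None or Q is None: return Q if P is None else P
    if P[0] != Q[0]: lam = fmul(fsub(Q[1], P[1]), finv(fsub(Q[0], P[0])))
    elif P[1] != Q[1] or P[1] == (0, 0): return None   # Q = -P
    else: lam = fmul(fadd(fmul(fint(3), fmul(P[0], P[0])), E[0]), finv(fmul(fint(2), P[1])))
    x3 = fsub(fsub(fmul(lam, lam), P[0]), Q[0])
    return (x3, fsub(fmul(lam, fsub(P[0], x3)), P[1]))
def emul(E, k, P):   # [k]P by double-and-add
    R = None
    while k:
        if k & 1: R = eadd(E, R, P)
        P, k = eadd(E, P, P), k >> 1
    return R
def jinv(E):   # j = 1728 * 4a^3 / (4a^3 + 27b^2)
    a3 = fmul(fint(4), fmul(E[0], fmul(E[0], E[0])))
    return fmul(fmul(fint(1728), a3), finv(fadd(a3, fmul(fint(27), fmul(E[1], E[1])))))

def velu(E, K, ell):   # degree-ell isogeny with kernel <K>, K of prime order ell
    v, w, terms = fint(0), fint(0), []
    for Q in [emul(E, j, K) for j in range(1, ell//2 + 1)]:   # one of each {Q, -Q} pair
        gx = fadd(fmul(fint(3), fmul(Q[0], Q[0])), E[0])
        vq, uq = (gx if ell == 2 else fmul(fint(2), gx)), fmul(fint(4), fmul(Q[1], Q[1]))
        v, w = fadd(v, vq), fadd(w, fadd(uq, fmul(Q[0], vq)))
        terms.append((Q[0], vq, uq))
    E2 = (fsub(E[0], fmul(fint(5), v)), fsub(E[1], fmul(fint(7), w)))   # image curve
    def phi(P):   # evaluate the isogeny; Velu's map is normalised, so Y = y * dX/dx
        if P is None: return None
        X, dX = P[0], fint(1)
        for xq, vq, uq in terms:
            if P[0] == xq: return None   # P lies in the kernel
            d = finv(fsub(P[0], xq)); d2 = fmul(d, d); d3 = fmul(d2, d)
            X = fadd(X, fadd(fmul(vq, d), fmul(uq, d2)))
            dX = fsub(dX, fadd(fmul(vq, d2), fmul(fint(2), fmul(uq, d3))))
        return (X, fmul(P[1], dX))
    return E2, phi

def isogeny_walk(E, P, Q, ell, e, m, push):   # E -> E/<P + [m]Q> as e steps of ell-isogenies
    R = eadd(E, P, emul(E, m, Q))   # secret kernel generator, order ell^e
    for i in range(e):
        E, phi = velu(E, emul(E, ell**(e - 1 - i), R), ell)   # "almost kill" R: order-ell point
        R, push = phi(R), [phi(T) for T in push]   # carry R and the public points to the new curve
    return E, push

def torsion_basis(E, ell, e, cofactor):   # basis of E[ell^e]; cofactor = (p+1)/ell^e
    pts = []   # pairs (T, [ell^(e-1)]T) with T of order exactly ell^e
    while len(pts) < 2:
        x = (random.randrange(p), random.randrange(p)); y = sqrt_fp2(fadd(fmul(x, fadd(fmul(x, x), E[0])), E[1]))
        if y is None: continue
        T = emul(E, cofactor, (x, y)); tT = emul(E, ell**(e - 1), T)
        # P, Q span E[ell^e] iff their order-ell multiples are independent in E[ell] = (Z/ell)^2
        if tT is not None and all(tT != emul(E, k, t) for _, t in pts for k in range(1, ell)):
            pts.append((T, tT))
    return pts[0][0], pts[1][0]

E0 = (fint(1), fint(0))   # y^2 = x^3 + x: supersingular for p = 3 mod 4, #E0(F_{p^2}) = (p+1)^2
def sidh_demo(seed=7):   # one toy exchange; returns (Alice's j-invariant, Bob's j-invariant)
    random.seed(seed)
    PA, QA = torsion_basis(E0, 2, 4, 3**3); PB, QB = torsion_basis(E0, 3, 3, 2**4)   # public bases
    sA, sB = random.randrange(16), random.randrange(27)   # private keys
    EA, (PB_, QB_) = isogeny_walk(E0, PA, QA, 2, 4, sA, [PB, QB])   # Alice's public key
    EB, (PA_, QA_) = isogeny_walk(E0, PB, QB, 3, 3, sB, [PA, QA])   # Bob's public key
    EAB, _ = isogeny_walk(EB, PA_, QA_, 2, 4, sA, [])   # Alice: E_B / <phi_B(P_A + [sA]Q_A)>
    EBA, _ = isogeny_walk(EA, PB_, QB_, 3, 3, sB, [])   # Bob:   E_A / <phi_A(P_B + [sB]Q_B)>
    return jinv(EAB), jinv(EBA)
```

Both j-invariants returned by sidh_demo() agree; none of this is constant time, which is exactly the gap between a textbook walk and the implementation the talk describes.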