SIDH with arbitrary degree isogenies, by Craig Costello and Hüseyin Hisil. Craig, over to you.

Okay, thank you very much for the introduction. So yeah, as we saw in yesterday's talk, isogeny-based crypto is more general nowadays than just Diffie-Hellman. So we could title this "isogeny-based crypto with arbitrary degree isogenies", but certainly Diffie-Hellman based on isogenies is the most popular instantiation of isogeny-based crypto. Why is it so popular? Well, going back to Diffie-Hellman, the first instantiation in the 70s, we've got Diffie and Hellman just saying to do integer arithmetic modulo q in a multiplicative group and exchanging this base point g to the power of both of their secrets, and doing Diffie-Hellman that way. And then Koblitz and Miller came along 10 years later and said, instead of doing it this way, why don't you use the group of points on an elliptic curve? So rather than trading these integers, we're going to trade points on a fixed and well-chosen elliptic curve that has high ECDLP security. But as you saw in Dustin's talk, both of these first variants are going to fall victim to quantum attacks should a large-scale quantum computer ever be built. So many years later, Jao and De Feo proposed not to stay fixed on one elliptic curve and just trade points, but rather to move about elliptic curves, so to compute isogenies between elliptic curves in this supersingular isogeny graph. So this is the story that we're dealing with today in SIDH. And this is the cheat sheet that I always show in SIDH talks. I would say if you don't take anything else away from the talk, this is the one thing you should remember, at least to try and put it in perspective of what you used to see in Diffie-Hellman.
So in the traditional, in these red, quantum-insecure variants, you're used to seeing the base elements being integers modulo a prime, the secret exponents being integers, the fundamental computation is this exponentiation in the group, and the hard problem is the discrete log problem. Okay, points on an elliptic curve: it's exactly the same thing, but our group elements are points on the elliptic curve. We still do this exponentiation in the group, which we call the scalar multiplication. Over here in SIDH land, it's a bit different now. Our elements are curves in the supersingular isogeny class. So the fundamental computation is different: our secrets in SIDH are isogenies, and the fundamental computation is, given an elliptic curve, you take your secret isogeny and apply it to that elliptic curve to move about in the isogeny graph to this image curve φ(E). So then the hard problem here is: given the base curve and the image curve, you want to know what that secret isogeny was. Again, in all of these scenarios, the story is a little more complicated. As you'll see in Christophe's talk next, this isn't the actual hard problem we use, but it's basically the fundamental underlying hard problem. There's additional information in SIDH, and of course we do decisional variants and sort of Diffie-Hellman variants of these problems. But basically, this is the scenario we're dealing with in SIDH.

So I've pinched this really nice gif from Wouter Castryck, who wrote a blog post recently about SIDH. I'd encourage anyone that's interested to go and read that blog. But this is the story with SIDH; this is how it works. So basically, the setting here is the supersingular isogeny class over F_{p^2}. So as soon as you go and fix a prime p, you've got this big isogeny class of curves that are all connected in a well-connected regular graph.
So if you like, and you don't want to think about the elliptic curve jargon, you can abstract away from that and just think of SIDH in the graph, in a sense. So there's a bunch of points in this. For a fixed p, and we're going to have an exponentially large p, there are roughly p/12 isomorphism classes in the supersingular isogeny class. And the public parameter is this starting curve E, that Alice and Bob both start on. What Alice is going to do is choose a secret subgroup on that starting curve. And in turn, that determines a secret isogeny, which is, in this case, a secret walk through the isogeny graph. So she's going to take little tiny steps of baby isogenies all along the way to eventually compute an exponentially large isogeny and land on E_A over here. She's going to send that curve to Bob. Bob's going to do the same thing and send Alice E_B. And then they're both going to compute a related secret subgroup on each other's curves and use that to walk to the same target curve here. So that's SIDH without getting into the nitty-gritty details. The computation we're doing here is a bunch of little isogeny computations to do one exponentially large isogeny computation.

Okay. So, in the spirit of stealing more pictures from the Leuven crew, this is another nice picture I stole from Fré. This is an isogeny graph when the prime is 241. So this is a very small toy example, and there are 20 nodes in this graph. So, as I said, roughly p/12 nodes in the isogeny graph. And we can assume here that Alice is going to use 2-isogenies. So in SIDH currently we use 2- and 3-isogenies: Alice uses 2-isogenies, or 2^e-isogenies, and Bob uses 3-isogenies. We'll see the reason why in a couple of slides, but basically if you're doing 2-isogenies, each one of these nodes is connected to three other nodes. So it has three edges in the graph.
So each of these nodes is an isomorphism class of elliptic curves, or the j-invariant that represents the isomorphism class, and then what we're going to do is a bunch of computations at each node. Eventually Alice is going to come down to have a choice of three 2-torsion points, and in choosing that 2-torsion point she's going to move in one of those three directions. So Alice and Bob deal with the same graph on the next slide. It's exactly the same set of nodes; it's just that Bob has a different set of edges here. So instead of having each node connected to three other nodes, Bob is going to use 3-isogenies, where there are four cyclic subgroups of order 3 that Bob can choose, and he's going to have a choice of four different basic little isogeny jumps from each node.

Okay. So this is the only thing you need to know, at least with respect to this talk, as far as the correspondence between isogenies and subgroups. It's going to be a very important point. So what is an isogeny, first of all? You can think of it in either a geometric or an algebraic sense. So geometrically it's a map, in our case from points on an elliptic curve to points on another elliptic curve. But algebraically it's also a group homomorphism between the two groups. In this talk we're going to be dealing with separable isogenies. So computing an isogeny can be equated to determining a finite subgroup on the starting curve E. So as soon as you fix a finite subgroup on the first curve, that uniquely, up to isomorphism, determines an isogeny and the image curve, which we write E_G. You might see that as E' on the later slides, but essentially there's this one-to-one correspondence between subgroups on E and isogenies. So if you want to compute, in this case I'll give an example here of a tiny supersingular elliptic curve over F_{11^2}.
If you want to compute a 3-isogeny, its group order is divisible by 3, so we're going to have rational 3-isogenies here. Here's our starting elliptic curve. If you want to compute a 3-isogeny on that elliptic curve you can look at any of the cyclic subgroups of order 3. So in this case there are four of them, and any one of those subgroups will give rise to a different isogeny. Okay, so if I choose this subgroup here I'm going to end up on this image curve E1, and this is my map that takes us to E1. And so having four options here in the case of 3-isogenies corresponds to this previous picture where at each node you've got four options, and in the 2-isogeny case we've got three cyclic subgroups of order 2.

Okay, so now the rest of the talk is essentially about how to compute these isogenies in cases where we're not dealing with l = 2 or l = 3. So the way we know how to compute isogenies, given a finite subgroup on the starting curve, is with Vélu's formulas. Okay, so we're starting on this curve E; we input into Vélu's formulas the curve constants that define the curve, a and b, and we also specify the subgroup G that determines the isogeny. Vélu's formulas will magically give you the image curve, so the two coefficients of E', a' and b', and they will also tell you how to map points from E to E/G. So they'll also define these polynomials that describe how to move points from E under that isogeny to E/G. So in SIDH we need to do both of these things: from our starting curve we need to be able to define what these polynomials are, and we need to be able to update the curve coefficients to give the image curve. That's how we walk around the isogeny graph.
The only other thing I'll say here is that in optimized implementations of SIDH, well, in our implementation, we've figured out that you can actually do both point and isogeny arithmetic in projective space of dimension one. So if you're dealing with ellipt
ic curves, or any curves over fields, it's kind of as simple as it gets: P^1. So we've always known, since the days of Montgomery's paper, that you can do x-only arithmetic; that was kind of the basis of the last talk. So typically, rather than dealing with affine points, we move into projective space. And then Montgomery said, or at least Miller in his seminal paper said, we don't need the y-coordinate to do Diffie-Hellman, and then Montgomery said if we're working on Montgomery curves we can drop the y-coordinate and do things very efficiently. But in SIDH we not only have to do point arithmetic on a fixed curve, we have to do that and we have to move between curves in the isogeny class. So you can also do a somewhat analogous thing, but in the curve world: instead of dealing with the coefficients a and b, we're going to cast them into projective space to avoid doing inversions. And then, because this b coefficient on Montgomery curves just determines which twist you're working on, we can drop that, because the isogeny class is independent of which quadratic twist you're on. Okay, so all the arithmetic we want to do is going to be in P^1.

Okay, so as I said, the motivation here is that all of the SIDH implementations today have dealt with Alice doing 2^e-isogenies and Bob doing 3^{e'}-isogenies. These e's are different; we choose these to be roughly the same size, so 2^e roughly the same size as 3^{e'}. But to date it's just been 2 and 3. So we wanted to look at what happens on Montgomery curves
when we move to odd l, where l is bigger than 2 or 3. And the other thing I should say is we're dealing with cyclic isogenies here, so generated by a single generator. So now these are the problems we immediately run into when we venture beyond degrees 2 and 3: there are problems with just applying Vélu's formulas out of a textbook to Montgomery curves. The first one is that they look really nasty and complicated. So these are the maps, say if I've fixed my point, the generator of my kernel P, these are the coordinate maps that will take a point on E to a point on E'. And what I have to do here is cycle through the subgroup generated by P and compute this expression to move the x-coordinate and compute this expression to move the y-coordinate. And so when you come to try and compute these things fast in practice, the way that it stands here, in this sort of additive case, is computationally costly and not very nice. The other thing that makes this difficult to use is that Vélu's formulas don't really preserve the Montgomery form. So if my starting curve is in Montgomery form there's no guarantee that this E' will also be in Montgomery form; in fact it won't happen. So typically we land on an image curve that looks like this, but our a4 is not 1 and our a6 is not 0, so it's not in the form we want. We're going to have to use some sort of isomorphism to convert it to Montgomery form, but in practice this often requires that we compute some sort of square root or solve some polynomial equation over the field, which is way too expensive. So those are the problems that we were trying to overcome.

And I suppose if there was one slide that sums up the whole talk, this is the slide. So Theorem 1 is
the crux of the paper. If we've got a point P of odd order l on a Montgomery curve, then there's an isogeny that, relative to Vélu's formulas on the previous slide, is very simple. So it'll take the point (x, y) on E to a point with these coordinates on E', where f(x) is just this product here of x evaluated at terms that are determined by all of the l points in the kernel generated by P. Okay, so the theorem also guarantees that the image curve is Montgomery, which is what we want, and computationally it's already a lot simpler than Vélu's formulas out of the textbook. So there's a lot of work that went into deriving this initially: a lot of emails between Hüseyin and I that ended up with arriving at this formula. And then I think as well the crux of the paper is the proof of why this works, and there were a lot of emails between Hüseyin and I and Steven, who gave us a lot of help proving that this formula actually works and is mathematically true.

So the theorem is stated in general terms over a general field, but we wanted to apply it of course to SIDH. So recall that in SIDH we can drop the y-coordinate and we can ignore what the B coefficient was, so we're really working on these Kummer varieties that you saw in the previous talk. And so we're really only interested in how fast we can evaluate the isogeny under this map, and how fast we can compute the coefficient on the isogenous curve. So the first thing I should say is that because we're dealing with an odd cyclic subgroup, the x-coordinate of the i-th multiple of P is the same as the x-coordinate of the (l−i)-th multiple of P. So we don't have to go all the way up to l or l−1; we can go halfway and then just square these products. They're going to be the same value. And the
next thing, of course, is that we want to work in projective space to avoid inversions. So then, when we're evaluating at the projective point (X : Z) on E, the updated coordinates on the image curve are given by these expressions. And anyone that's familiar with Montgomery arithmetic will realize that these are exactly the formulae that appear in the differential Montgomery additions, or at least each component of these products is exactly the form that we're used to dealing with. And it was Montgomery that realized, instead of computing a multiplication here, a multiplication here and two more over here, we can instead do only two multiplications. So we can subtract Z from X, add Z to X, and then do the same thing with the kernel points in each part of the product, and then the only difference between these two terms on the numerator and denominator is this change of sign. So we really only need two multiplications to compute all of this for each value of the product, and then at the end we've got this final product and a squaring too.

So when it comes to putting all this into a simple algorithm, it looks quite compact and quite easy compared to what we would ordinarily do with Vélu's formulas. There's kind of no telling, if we would just do Vélu's formulas, how complicated it would be, but in the Montgomery case, and with this theorem as it is, it's very simple. So if we input the generator of our kernel and we input an element that we want to evaluate the isogeny at, then all we have to do is cycle through all the multiples of P in the kernel, and each time we simply absorb this part of the product into X' and Z', and at the very end we square it and then multiply by the original points. So I
think each time we're incurring sort of four multiplications for each value in the kernel. So we can already see here that l can be arbitrary, up to something reasonable. So we can choose l to be 5, 7, 9 and so on and still compute this somewhat efficiently.

The only other thing I'll say, before getting to applications or potential applications, is that there's another part of the paper that discusses a trick we could do to avoid having to compute the isogenous curve. So if you recall the theorem, the theorem said that we compute the updated curve coefficient A' like this. But the larger l gets, so the larger the degree of the isogeny, this updating of the curve coefficient gets more and more expensive relative to evaluating our isogeny at points. So one trick we can use is to see this very simple correspondence between 2-torsion points on Montgomery curves and the curve coefficient A. So rather than looking at how A becomes updated into A', we're just going to evaluate the isogeny at 2-torsion points. So A relates to the 2-torsion point like this on the domain curve, and on the codomain curve it's going to be exactly the same thing. So we just push that 2-torsion point through the odd-degree isogeny. It'll still have order 2 on the domain curve, but then we don't have to compute the updated curve like this anymore. We can essentially use exactly the same function, with a modification on the image curve, to find that constant if we need it. So we really only need one function to do these odd-degree isogenies, not two.

Now here's one potential upshot. So the overall upshot is that we're not really restricted to 2- and 3-isogenies anymore. We could do SIDH with, as the title says, arbitrary, but still let's keep them kind of small, degrees. And I
should say, as I said at the start, that we try to keep Alice's power of 2 and Bob's power of 3 relatively balanced, so those are about the same size. So some recent work by Bos and Friedberger showed that, at least in their implementation, they were able to achieve faster underlying field arithmetic by using 19^88, which is about the same size as 3^239. For whatever reason, that prime proved to be faster in their underlying field arithmetic. So here you can imagine, as I said at the top, that as l grows large we have to do fewer 19-isogenies; we might only have to do 88 of them rather than 239 3-isogenies. But as l grows large, that isogeny computation becomes more and more expensive, relatively speaking. But if this field arithmetic was faster than this field arithmetic, then you could imagine a situation where you still let one party suffer the slower 19-isogenies to give the other party, Alice, much faster 2-isogenies, or somewhat faster 2-isogenies, because she's working over the somewhat faster field. So you can imagine a situation like client-server in the real world, where the server's the bottleneck, giving the server the luxury of computing 2-isogenies over a faster field.

So to motivate perhaps future work from people that are better at arithmetic than I: in traditional ECC, where we're used to being able to just pick whatever primes we want, there's an exponential number of curves over those primes, and so we can find secure curves over any primes that look like this, that are very fast in software or hardware. But in SIDH we're kind of restricted to primes that look like this, and these primes prove to be somewhere between 1.5 and 2 times slower to implement the underlying field arithmetic. And if you
get that speed-up in the field arithmetic it filters up through the whole, I mean, all of the implementation comes back to the finite field. So if we can speed up the field arithmetic we get that same speed-up, roughly speaking, in the whole situation. One thing that's kind of tempting, I mean we could look at primes that look like this, but there are also primes that look friendly, at least to me they look like they're almost friendly to SIDH implementations. So these primes that Hamburg picked to do fast ECC over, they feel like they're almost SIDH-friendly. So if you add one, which gives you the group order, you can imagine Alice in this case doing 2^224, so nothing different for Alice, but here the factorization is a bunch of different primes. So this paper would allow you to at least do that in theory, but we'd need these primes to be small, manageable enough, for Alice to be able to do the much faster field arithmetic here. So I kind of want to pose a question to see if anyone out there can come up with SIDH-friendly primes where perhaps the primes in this factorization are manageable. Even if one or two of the primes were too big to compute those isogenies, you can still ignore that in the SIDH implementation.

And then one more slide on some related work. So I should say that Dustin Moody and Dan Shumow had already figured out essentially the analog of all this in the Edwards case six years ago. So these Edwards, twisted Edwards, curves and Montgomery curves are birationally equivalent, so they've already done the analogous results a long time ago. Their formulas are multiplicative as well and look really nice. And recently Joost has, among several other things, essentially solved the last piece of the Montgomery puzzle. We could before do 3, 5, any cyclic odd-degree Montgomery isogeny, but there was a caveat in the 2-isogeny case that Joost
has overcome. And just to tie this work back to Dustin's talk yesterday, I should say that there's a submission based on SIDH but called SIKE, Supersingular Isogeny Key Encapsulation; it's the adaptively secure version of SIDH that was submitted to NIST last week. So I would like to sort of promote more people to start looking into SIDH, both from a constructive and a cryptographic point of view, and I'll be happy to take any questions.

Okay, thanks. Beautifully illustrated. Cool. So one of the... I mean, you have to compute the isogeny and then you have to compute the image of two points, and the receiver has to be able to combine some appropriate linear combination of these points to get the curve, right?

Yes.

So how do you deal with the sign ambiguity in the points when you drag them over?

So that kind of goes back to the paper from last year. We don't just drag the x-coordinates; so if the points that you want to compute the image of are P and Q, we push them down to P^1 with x_P and x_Q, but we also drag through the x-coordinate of the difference. So we evaluate the isogeny at basically three points all the way through. And it seems like that might make the public keys bigger by one element, one F_{p^2} element, but those three x-coordinates uniquely determine the Montgomery curve where they are, on that same line.

More questions? Great. So I have two questions. Yep. Okay, so the first one is, you said that you have to do a product over l, so the larger the l, the less efficient you get. So does it mean that it's better to stick with 2-isogenies and 3-isogenies?
At the moment, yes. At the moment it's still most efficient to stick with 2 or 3. The only potential for this work to be immediately practically relevant, at least in my mind, is if someone comes along and finds really cool primes where that unbalancing thing could work. But at the moment the speed-up you could get in finding a different field isn't enough to justify moving away from 3-isogenies. In the paper there's a whole section showing how the performance slows down as these... I think we computed up to degree 300 isogenies to show how the performance degrades relatively slowly, but it's still there. So yeah.

And so how does it turn out that it's faster, even though it has a factor which is a power of 19?

Yeah, so their p + 1 was 2 to the something times 19 to the something, and it was about the same size as 2 to the something times 3 to the something, basically. So I don't know what the trick was that made the 19-power faster, but to give a sort of high-level answer, I think what they were saying was: we did Montgomery arithmetic on both of these primes and we optimised it to a similar level, and the results were that the 19-power was faster. I don't know what the trick was that made it; maybe that power of 19 is closer to a power of 2 than the power of 3, or something like that, or maybe just the size of the prime was the reason, because in SIDH these primes are sort of much more special. There aren't so many of them where p + 1 is smooth like that, so they're much more scarce than what we're used to being able to cherry-pick primes from. So maybe even the size of their prime played a part, but you'd have to read that paper and see.

Thanks again.
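The odd-degree isogeny of Theorem 1, its x-only projective evaluation with the (X ± Z) trick and half-product squaring, and the 2-torsion trick for the image coefficient A', as an added example that is not the talk's or the paper's code. It assumes a constructed toy prime field F_131 instead of F_{p^2}, brute-force point counting, and a constructed Montgomery curve whose order has an odd prime factor l (taken as the isogeny degree); the checks confirm that kernel points map to infinity and that the x-map commutes with doubling onto the image curve.

```python
# Added example, not the talk's or the paper's code: a toy prime field F_P (not F_{p^2}),
# a constructed Montgomery curve and kernel, and brute-force point counting, so P stays tiny.
P = 131  # constructed toy prime; P = 3 (mod 4), so a square root is one exponentiation

def inv(a): return pow(a % P, P - 2, P)
def is_square(a): return a % P == 0 or pow(a % P, (P - 1) // 2, P) == 1
def sqrt_mod(a): return pow(a % P, (P + 1) // 4, P)
def rhs(A, x): return (x**3 + A * x * x + x) % P  # y^2 = x^3 + A x^2 + x, i.e. B = 1

def add(A, p1, p2):
    """Affine addition on E_A; None is the point at infinity."""
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - A - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(A, k, pt):
    acc = None
    while k:
        if k & 1: acc = add(A, acc, pt)
        pt, k = add(A, pt, pt), k >> 1
    return acc

def curve_order(A):
    return 1 + sum(1 if rhs(A, x) == 0 else 2 * is_square(rhs(A, x)) for x in range(P))

def setup(ls=(11, 7, 5)):
    """(A, l, xs): A^2 - 4 a nonzero square (rational 2-torsion), prime l | #E_A, xs = x([i]G), i <= (l-1)/2."""
    for l in ls:
        for A in range(1, P):
            d, n = (A * A - 4) % P, curve_order(A)
            if not d or not is_square(d) or n % l:
                continue
            for x in range(1, P):
                if rhs(A, x) and is_square(rhs(A, x)):
                    gen = mul(A, n // l, (x, sqrt_mod(rhs(A, x))))  # order exactly l (l prime)
                    if gen is not None: break
            xs, q = [], gen
            for _ in range((l - 1) // 2):   # x([i]G) = x([l-i]G), so half the kernel suffices
                xs.append(q[0]); q = add(A, q, gen)
            return A, l, xs
    raise ValueError("no suitable curve")

def eval_isogeny(xs, X, Z):
    """(X':Z') under f(x) = x * prod_i (x x_i - 1)/(x - x_i): two mults per kernel point."""
    Xp = Zp = 1
    for xi in xs:
        t0 = (X - Z) * (xi + 1) % P  # (X - Z)(X_i + Z_i), here with Z_i = 1
        t1 = (X + Z) * (xi - 1) % P  # (X + Z)(X_i - Z_i)
        Xp = Xp * (t0 + t1) % P      # 2 (X x_i - Z)
        Zp = Zp * (t0 - t1) % P      # 2 (X - x_i Z); the factors of 2 cancel in X':Z'
    return X * Xp * Xp % P, Z * Zp * Zp % P  # square the half product

def codomain_A(A, xs):
    """2-torsion trick: the image of (alpha, 0), alpha^2 + A alpha + 1 = 0, has order 2, so A' = -(alpha' + 1/alpha')."""
    alpha = (-A + sqrt_mod(A * A - 4)) * inv(2) % P
    X, Z = eval_isogeny(xs, alpha, 1)
    ap = X * inv(Z) % P
    return -(ap + inv(ap)) % P

def check_isogeny(A, l, xs):
    """Kernel -> infinity (Z' = 0); f(x([2]Q)) == doubling of f(x(Q)) on E_{A'}.  Returns (A', #Q checked)."""
    Ap = codomain_A(A, xs)
    assert all(eval_isogeny(xs, xi, 1)[1] == 0 for xi in xs)
    checked = 0
    for x in range(1, P):
        if not rhs(A, x) or not is_square(rhs(A, x)) or x in xs: continue
        q2 = mul(A, 2, (x, sqrt_mod(rhs(A, x))))
        if q2 is None or q2[0] == 0 or q2[0] in xs: continue  # [2]Q is 2-torsion or in the kernel
        X, Z = eval_isogeny(xs, x, 1)
        X2, Z2 = eval_isogeny(xs, q2[0], 1)
        fx = X * inv(Z) % P   # x([2]phi(Q)) = (fx^2 - 1)^2 / (4 fx (fx^2 + A' fx + 1)), B-independent
        assert X2 * inv(Z2) % P == (fx * fx - 1) ** 2 * inv(4 * fx * (fx * fx + Ap * fx + 1)) % P
        checked += 1
    return Ap, checked
```

Because the kernel is F_p-rational, the image curve is F_p-isogenous to the start curve, so counting points on y^2 = x^3 + A'x^2 + x returns either #E_A or its twist's count 2p + 2 − #E_A, depending on whether the dropped B' is a square.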