Hi, I am Geovandro Pereira, and this work is about giving an alternative approach to tackling two of the main bottlenecks in isogeny-based key compression, namely pairings and discrete logarithms. This is joint work with Paulo Barreto.

Okay, so let's start with some motivation and background. It is well known that classical elliptic curves and pairings offer many opportunities to do research on different mathematical objects, from multi-precision arithmetic to finite-field arithmetic and curve arithmetic. Isogenies, which are believed to be post-quantum secure, introduce the arithmetic of maps between curves, and key compression takes it to another level: it also uses discrete logarithms over finite fields constructively. In this work we suggest using discrete logarithms over elliptic curves instead. The key compression techniques here apply not only to keys but also to ciphertexts, so they apply to SIKE, and they are not restricted to KEMs (key encapsulation mechanisms) but also extend to isogeny-based signatures. So if you are a big fan of elliptic curves, you want to research post-quantum cryptography, and you also want small keys, SIKE is a good candidate.

Now let's go through the necessary background for this work. We start by describing the usual SIDH/SIKE setting, where we define a prime p of the form p = 2^e2 * 3^e3 - 1, and we build a quadratic extension F_{p^2} of the finite field F_p by adjoining the imaginary unit i, with i^2 = -1. All the curves in this work are supersingular, and they are represented in their Montgomery form unless stated otherwise; here E_A denotes the curve in Montgomery form, E_A : y^2 = x^3 + A x^2 + x, where A is the Montgomery coefficient. In the second round of the NIST competition, the SIKE team suggested using the curve E6 (the curve with A = 6) as the public initial curve shared among all users.
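As a concrete sanity check of this setting (my own toy snippet, not from the talk), the official SIKEp434 exponents e2 = 216 and e3 = 137 give a 434-bit prime of this shape, and since p = 3 (mod 4) the element -1 is a quadratic non-residue mod p, so F_{p^2} really can be built as F_p(i):

```python
# Sketch (my own check): the SIKEp434 parameters as an example of the
# SIDH/SIKE prime shape p = 2^e2 * 3^e3 - 1.
e2, e3 = 216, 137
p = 2**e2 * 3**e3 - 1
assert p.bit_length() == 434           # a 434-bit prime

# p = 3 (mod 4), so by Euler's criterion -1 is a non-residue mod p,
# and F_{p^2} can be built as F_p(i) with i^2 = -1.
assert p % 4 == 3
assert pow(p - 1, (p - 1) // 2, p) == p - 1
```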
They also defined two pairs of torsion generators, denoted here P_ℓ^6 and Q_ℓ^6: if ℓ = 2 they generate the 2^e2-torsion, and if ℓ = 3 they generate the 3^e3-torsion of the curve E6. Prior to E6, the curve E0 (with A = 0) was the initial curve adopted in SIKE, but it was replaced in the second round of NIST because any 2-isogeny departing from E0 would pass through E6 anyway, and we wanted to avoid that; it is a very special property of the curve E0. The curve E0 also comes with a pair of torsion generators, P0 and Q0, that we will make use of in this work, and it has other special properties that I am going to describe.

We know that E0 is connected to E6 via a 2-isogeny whose kernel is generated by the point (i, 0). We also denote by π the Frobenius endomorphism on E0, and by tr the trace map, which takes points to the base field and is defined as the sum of a point T and its Frobenius image, tr(T) = T + π(T). We also have a distortion map ψ available on the curve E0; such a map is usually hard to find on general elliptic curves, but here we can make use of it.

For the purposes of this work, we consider SIDH private keys as triples, where s_ℓ is an integer mod ℓ^e, we have an isogeny φ of degree λ^e_λ whose kernel is generated by the point P_λ^6 + s_λ Q_λ^6, and we also have access to its dual φ̂; here λ is coprime to ℓ. The public key in turn can be seen as a triple (A, P, Q), where A is the Montgomery coefficient of the image curve E of φ, and P and Q are the two points on E obtained as the images of the isogeny φ evaluated on the original torsion basis P_ℓ^6 and Q_ℓ^6.

So now we can move on to the ideas behind SIDH key compression. Let E be the public-key elliptic curve.
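A tiny sanity check (my own, with made-up toy F_{p^2} arithmetic over a small prime) that the point (i, 0) has y = 0 and lies on E0 : y^2 = x^3 + x, hence has order 2 and can generate the kernel of the 2-isogeny to E6:

```python
# Sketch (my own toy prime, not a real SIKE parameter): elements of
# F_{p^2} = F_p(i) are pairs (a, b) meaning a + b*i, with i^2 = -1.
p = 431                                # any prime p = 3 (mod 4) works here

def fp2_mul(x, y):
    a, b = x
    c, d = y
    return ((a * c - b * d) % p, (a * d + b * c) % p)

def fp2_add(x, y):
    return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)

i = (0, 1)
# Evaluate x^3 + x at x = i; on E0 : y^2 = x^3 + x this is y^2 at that point.
rhs = fp2_add(fp2_mul(fp2_mul(i, i), i), i)
assert rhs == (0, 0)                   # so (i, 0) is on E0 with y = 0: a 2-torsion point
```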
It is always possible to build a canonical basis for the ℓ^e-torsion, here denoted by the points R and S, that everyone agrees upon. And because the private isogeny φ preserves the linear independence of the points P_ℓ^6 and Q_ℓ^6, the points P and Q are also a basis for that same torsion. This means that a base-change matrix must exist, given by coefficients a_P, b_P, a_Q, b_Q that are just integers mod ℓ^e, with P = a_P R + b_P S and Q = a_Q R + b_Q S.

The first idea for key compression was given by Azarderakhsh et al.: instead of transmitting the x-coordinates of the points P and Q to represent them, which takes log p bits each, we can transmit these four coefficients, which are the representations of P and Q in terms of the canonical basis, so everyone can recover P and Q. Each coefficient is just half the bit length of the prime p, so in total only 2 log p bits are transmitted.

One improvement to this approach was given by Costello et al., who showed that only three coefficients need to be transmitted. The observation is that during decompression we have to compute the subgroup generated by the point P + s_ℓ Q. If you expand this out in terms of R and S, you can multiply this point by the inverse of a_P, if a_P is invertible mod ℓ^e, and this still gives an equivalent subgroup. So you basically just need the three coefficients that are the multiples by a_P's inverse. And if a_P is not invertible, then by construction of the base-change matrix b_P is invertible, and you normalize by b_P instead.

Now, I haven't actually explained how to compute the four coefficients a and b. Look at the structure of R: it decomposes into components in the two cyclic subgroups generated by P and Q. If you want to retrieve one of the coefficients, you project R onto the subgroup generated by P and solve a discrete logarithm there; you can use Pohlig-Hellman, for example, because this is a smooth-order subgroup.
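The three-coefficient trick can be sketched in a toy model (my own illustration, not the paper's code), replacing the ℓ^e-torsion by the isomorphic group (Z/ℓ^e)^2, so points are coordinate vectors with respect to the canonical basis R = (1,0), S = (0,1):

```python
# Toy model of Costello et al.'s normalization (my own example values).
l, e = 3, 5
N = l**e

def subgroup(P):
    """All multiples of P in (Z/N)^2."""
    return {(k * P[0] % N, k * P[1] % N) for k in range(N)}

# Public points P, Q expressed in the canonical basis: the four coefficients.
aP, bP, aQ, bQ = 7, 11, 5, 2           # example values with gcd(aP, l) = 1
P, Q = (aP, bP), (aQ, bQ)
s = 17                                 # secret scalar
K = ((P[0] + s * Q[0]) % N, (P[1] + s * Q[1]) % N)   # kernel generator P + s*Q

# Since aP is invertible mod l^e, only the three normalized coefficients
# aP^-1 * (bP, aQ, bQ) need to be sent; the first one becomes 1.
inv = pow(aP, -1, N)
P2 = (1, inv * bP % N)
Q2 = (inv * aQ % N, inv * bQ % N)
K2 = ((P2[0] + s * Q2[0]) % N, (P2[1] + s * Q2[1]) % N)

assert subgroup(K) == subgroup(K2)     # same kernel subgroup either way
```

The point is that K2 is just the unit inv times K, and multiplying a generator by a unit does not change the subgroup it generates.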
In the original works, the tool used to decompose R into these cyclic subgroups is the pairing. Basically, we move these discrete-logarithm instances into cyclic subgroups of the multiplicative group of the quadratic extension field. Five pairings are suggested to do this computation. Actually, the first one, the pairing g of the points P and Q, can be precomputed, because working out the details shows that it only depends on public parameters; the other four need to be computed on demand. We also have these u's and v's, which are elements of the finite field, and then you can just use Pohlig-Hellman to solve the order-ℓ^e discrete logs over the finite field and retrieve the actual four coefficients.

Let me now recall how to compute smooth-order discrete logarithms over the finite field. We are given a generator g of order ℓ^e in the finite field and a challenge of the form g^d, where the exponent d is represented in base ℓ, with digits d_k that are integers mod ℓ. The original Pohlig-Hellman solves this problem by computing a sequence r_0 up to r_(e-1), starting with r_0 equal to the challenge, and then recovering the digits d_0, d_1, ..., d_(e-1) by consecutive exponentiations by ℓ and solving small discrete logarithms, removing the digits already computed from the previous r's to obtain the next r's.

Zanon et al. showed in 2018 how to reformulate this problem in terms of a graph, very similar to the optimal strategies used to compute smooth-order isogenies. Basically, the root of the graph is the challenge; going to the left in the graph means raising to the power ℓ, and going to the right models removing a digit, that is, multiplying by g^(-ℓ^(j+k) d_k) for the appropriate indices j and k.
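The digit-by-digit recovery just described can be sketched as follows (toy parameters of my own choosing, in the multiplicative group mod a small prime rather than in F_{p^2}):

```python
# Sketch of classic Pohlig-Hellman for an element of smooth order l^e.
l, e = 3, 4
p = 163                                # l^e = 81 divides p - 1 = 162
x = 2
while True:                            # find an element g of exact order l^e
    g = pow(x, (p - 1) // l**e, p)
    if pow(g, l**(e - 1), p) != 1:
        break
    x += 1

d = 58                                 # the secret exponent to be recovered
h = pow(g, d, p)                       # the challenge

base = pow(g, l**(e - 1), p)           # element of order l
r, digits = h, []
for k in range(e):
    t = pow(r, l**(e - 1 - k), p)      # push r into the order-l subgroup
    dk = next(j for j in range(l) if pow(base, j, p) == t)
    digits.append(dk)                  # d_k is the k-th base-l digit of d
    r = r * pow(g, -dk * l**k, p) % p  # remove the recovered digit from r

assert sum(dk * l**k for k, dk in enumerate(digits)) == d
```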
So basically, using an optimal strategy to traverse this graph, we can compute all the digits. This was sort of expected; it was mentioned by Victor Shoup a long time ago that an optimal strategy for this problem should exist, but no one had given a solution before.

Now I am also showing that if we use a windowed version of the discrete logarithm, meaning that we work with base ℓ^w instead of ℓ to represent the digits, we can do some nice precomputation. We represent the digits in base L = ℓ^w; the right traversals now correspond to removing large digits, mod ℓ^w, and the left traversals correspond to raising the element to the power L = ℓ^w. So we have a much smaller graph, of size e/w instead of e, but now going to the left is more expensive, because we are powering by ℓ^w; a left edge costs the same as w left edges in the original graph. Going to the right, on the other hand, can be made cheaper if you precompute the factor that is multiplied on the right to remove the digits. So you introduce a table T[j][d_k] holding those powers of g, and because g is public you can do this precomputation; the right-edge traversal then becomes a table lookup and one single multiplication. In this case the table size increases exponentially in w, as ℓ^w, so you cannot use a very large w, but even for small w you save some multiplications.

We can now move on to the contributions. Before the first optimization, I should mention that the previous windowed Pohlig-Hellman technique works well when w divides the exponent e. It turns out that for SIKEp434 and SIKEp751 the exponent e is a prime number for the 3-torsion, so no w > 1 divides e.
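A minimal sketch of the windowed variant with the precomputed right-edge table (again toy parameters of my own, and with w dividing e so the plain scheme applies):

```python
# Windowed Pohlig-Hellman sketch: digits in base L = l^w, table lookups on
# right traversals. Toy parameters, multiplicative group mod a small prime.
l, w, e = 3, 2, 4                      # here w divides e
L = l**w                               # window base L = l^w = 9
m = e // w                             # number of base-L digits
p = 163                                # l^e = 81 divides p - 1
x = 2
while True:                            # element g of exact order l^e
    g = pow(x, (p - 1) // l**e, p)
    if pow(g, l**(e - 1), p) != 1:
        break
    x += 1

# Precomputed table T[j][dk] = g^(-dk * L^j): public data only.
T = [[pow(g, -dk * L**j, p) for dk in range(L)] for j in range(m)]

d = 58                                 # secret exponent
h = pow(g, d, p)                       # challenge
base = pow(g, L**(m - 1), p)           # element of order L
r, digits = h, []
for k in range(m):
    t = pow(r, L**(m - 1 - k), p)      # left traversals: powering by L
    dk = next(j for j in range(L) if pow(base, j, p) == t)
    digits.append(dk)
    r = r * T[k][dk] % p               # right traversal: one lookup, one mult

assert sum(dk * L**k for k, dk in enumerate(digits)) == d
```

The table has m * L entries, which grows exponentially in w, matching the trade-off described above.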
Zanon et al. also suggested an approach to address this issue, using an extra table of the same size as the previous table T. In their approach, let t = e mod w. What happens is that if you follow the original description, raising the elements to the power ℓ^w when you go to the left, then when you get to the first leaf you get an element of order ℓ^t instead of ℓ^w, so you recover less information about the digits. What Zanon et al. proposed is to fix the order of the elements at the leaves: in the very first left traversal from the rightmost diagonal, you raise the elements to the power ℓ^t instead of ℓ^w, and after that you proceed as usual. This fixes the order of the elements, and when you get to the leaves you can still recover the full digits, except for the rightmost one. As for going to the right: if you are on the rightmost diagonal, you can just proceed as usual, removing the digits using the table T. On the other hand, when you are below the rightmost diagonal, the digits are shifted by ℓ^t because of that first exponentiation, so the table T is not exactly what you need. They suggested a shifted table that gives you the exact elements needed to remove the digits, and this new table has the same size as the previous one.

In order to reduce the storage requirements, we suggest the following approach. Write the discrete logarithm d as d = q ℓ^(e-t) + r using the Euclidean division algorithm, where q is just a small number less than ℓ^t. Instead of computing the original log of the challenge in base g, we suggest computing the log of the challenge raised to ℓ^t in base g^(ℓ^t). The order of this new instance is ℓ^(e-t), whose exponent e - t is a multiple of w, and solving it recovers the remainder r.
Once we have the remainder r, note that there is a relation between the challenge c, the remainder r, and the powers of g: the left-hand side c g^(-r) can be computed once you have r, and the right-hand side involves only small powers of g^(ℓ^(e-t)), which you can precompute, since these are all public values. You then create a table, which we call T_small, holding those powers, and just compare the table entries with this element to find the correct value of q. If you compare this new table with the shifted table proposed by Zanon et al., the entire table consumes less than one percent of the size of the previous one. One remark: because we also had the original table T in addition to T_shift, the overall reduction is a factor of two when you compare against both tables T_shift and T together. This optimization applies to discrete logs over finite fields, so it applies to the official SIKE, and it will also be used when solving discrete logs over elliptic curves.

So far we have seen how to obtain the discrete logarithms of R and S with respect to P and Q by using bilinear pairings and then solving the discrete logarithms over finite fields. It turns out that there is a way to avoid those pairings and instead solve the discrete logarithms over the base field, on the elliptic curve E0. Equation (1) is stated in terms of the elliptic curve E, which is the public image curve. It turns out that we can use the dual isogeny φ̂ to efficiently move the problem back to the curve E6; this dual isogeny can be computed efficiently, as described before by Naehrig and Renes.
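Going back to the storage optimization above, here is a toy sketch of it (my own parameters; for clarity the inner solver is the plain digit-by-digit recovery rather than the windowed tree): write d = q ℓ^(e-t) + r, solve the shifted instance for r, then recover q from the tiny table.

```python
# Storage trick for w not dividing e: t = e mod w, d = q * l^(e-t) + r.
l, e, w = 3, 5, 2
t = e % w                              # t = 1, so w does not divide e
p = 487                                # l^e = 243 divides p - 1 = 486
x = 2
while True:                            # element g of exact order l^e
    g = pow(x, (p - 1) // l**e, p)
    if pow(g, l**(e - 1), p) != 1:
        break
    x += 1

def dlog(h, gen, n):
    """Plain digit-by-digit Pohlig-Hellman; gen has order l^n."""
    base = pow(gen, l**(n - 1), p)
    r_, d_ = h, 0
    for k in range(n):
        tt = pow(r_, l**(n - 1 - k), p)
        dk = next(j for j in range(l) if pow(base, j, p) == tt)
        d_ += dk * l**k
        r_ = r_ * pow(gen, -dk * l**k, p) % p
    return d_

d = 200                                # secret exponent, 0 <= d < l^e
c = pow(g, d, p)                       # challenge

# Shifted instance: c^(l^t) in base g^(l^t), order l^(e-t); its exponent
# e - t is a multiple of w, and solving it yields r = d mod l^(e-t).
r = dlog(pow(c, l**t, p), pow(g, l**t, p), e - t)

# Tiny table with only l^t entries recovers the top part q.
T_small = [pow(g, q * l**(e - t), p) for q in range(l**t)]
q = T_small.index(c * pow(g, -r, p) % p)

assert q * l**(e - t) + r == d
```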
Once you have moved the problem to E6, you can see that we still have the original coefficients, since they are preserved by homomorphisms, which is a property of isogenies. On E6 you can again translate the problem to the curve E0 using the 2-isogeny that connects them. The key idea now is that we can define a generator G of order ℓ^e over the base field, because we know that the trace of a point always lies in the base field of E0. So we apply, independently, the trace map and also the trace map composed with the distortion map ψ on E0 to get equations of this shape. Applying this to equation (2), we see that the projections given by the traces of the points P0, Q0, R0 and S0 are all multiples of that same generator G.

Looking at the equations above, recovering the discrete logarithms of the traces of the points P, Q, R and S in base G means solving these eight discrete logarithms, which are simpler because they live over the base field. The first four discrete logarithms only involve public points, so they can be precomputed; only the last four need to be computed on demand, and these are all over the base field. Once you have computed and recovered these z's and c's, you can solve a linear system of equations over the integers mod ℓ^e: to recover a_P and b_P you solve the system composed of equations (3) and (5), and to recover a_Q and b_Q you solve the system composed of equations (4) and (6), removing G and just working with integers.
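The final linear-algebra step can be illustrated generically (a hypothetical helper of my own; the exact shape of equations (3)-(6) is in the paper, and here I just assume each coefficient pair comes from one 2x2 system mod ℓ^e with invertible determinant):

```python
# Sketch: once the eight base-field discrete logs (the z's and c's) are known,
# each pair of coefficients solves a 2x2 system such as
#   aP*zR + bP*zS = zP   and   aP*cR + bP*cS = cP   (mod l^e).
l, e = 3, 5
N = l**e

def solve_2x2_mod(zR, zS, cR, cS, zP, cP, N):
    """Cramer's rule mod N, assuming the determinant is invertible."""
    det = (zR * cS - zS * cR) % N
    det_inv = pow(det, -1, N)              # requires gcd(det, N) = 1
    aP = (zP * cS - zS * cP) * det_inv % N
    bP = (zR * cP - zP * cR) * det_inv % N
    return aP, bP

# Round-trip check with made-up discrete-log values.
zR, zS, cR, cS = 10, 7, 4, 11
aP, bP = 99, 155
zP = (aP * zR + bP * zS) % N
cP = (aP * cR + bP * cS) % N
assert solve_2x2_mod(zR, zS, cR, cS, zP, cP, N) == (aP, bP)
```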
Now, the discrete-logarithm instances we have to solve are over the initial curve E0 over F_p, and the modeling via Pohlig-Hellman is very similar to the finite-field case. You just start with the challenge as the root of the tree, which is now a point on the curve, adopting additive notation. Going to the left now means multiplying the point by ℓ instead of raising to the power ℓ, and going to the right means removing a digit by doing a point subtraction. We should note that now the sign of the point, that is, its y-coordinate, makes a difference, so we have to work with full projective coordinates. We investigated different curve models for these multiplications by ℓ along the tree, point doublings or triplings, and point subtractions, and we found that for ℓ = 3 the projective twisted Edwards model gives the best formulas, while for ℓ = 2 the inverted twisted Edwards model gives the best formulas for us. We should also mention that for solving the small discrete logarithms at the leaves you can still use tables, by precomputing multiples of the generator, but comparing with the table entries requires some extra field multiplications, because the leaves are projective points.

Another optimization, which I call 2' here, regards the case where ℓ = 2. It turns out that in this case reconstructing the original coefficients is not trivial. Basically, there is an issue when we try to move the problem from the curve E6 to the curve E0, because the order of the points, 2^e2, is not coprime to the degree of the connecting isogeny, which is 2. So what can happen is that the kernel generator of the 2-isogeny is a multiple of one of the two points R6 or S6, and in this case the resulting image point R0 or S0 is not
going to be a point of full order, so we may lose some information about the coefficients a and b. In the paper we give two different approaches to this problem, which turned out to be non-trivial: the first one is simpler, but it takes twice as much storage as the second; the second one is more elaborate, but we were able to reduce the storage requirement. If you want to see all the tricks and ideas behind them, you can have a look at the paper.

Now we move on to the results and final remarks. We have implemented our algorithms in Magma to validate our ideas. For example, in the case of SIKEp751 and ℓ = 3, we have some storage figures compared to previous works: looking at the total storage size, we improve by a ratio of 28 percent or 20 percent, depending on the torsion we are working on. In terms of time performance, counting equivalent F_p multiplications, our work is faster in the case where no precomputation is used, about 24 to 48 percent faster depending on the torsion; when precomputation is used it is a bit slower, because of the structure of the discrete logarithm over the elliptic curve.

In summary, we gave a new technique that improves memory requirements when solving discrete logarithms in base ℓ^w when w does not divide the exponent; this applies to the official SIKE and also to the elliptic-curve version of the discrete logarithm. We also proposed an alternative approach that maps the discrete logarithms to elliptic-curve discrete logarithms instead of using pairings; this new approach provides improved storage compared to previous techniques, and it is faster when no precomputation is used. Thank you for your attention.