Hello everyone, I'm Tako Boris Fouotsa from Roma Tre University, Italy, and I'm going to present SHealS and HealS, isogeny-based PKEs from a key validation method for SIDH. This is joint work with Christophe Petit from the Université Libre de Bruxelles and the University of Birmingham. The security of the cryptographic protocols we use today relies on the integer factorization and discrete logarithm problems. But as we all know, Shor's algorithm, designed in 1994, can solve the integer factorization problem and the discrete logarithm problem in polynomial time using a quantum computer. In 2016, NIST launched a standardization process at the end of which new post-quantum secure cryptographic protocols, such as key encapsulation mechanisms and signatures, will be chosen. Today we are at the third round of the competition, and the hard problems underlying the security of the schemes in this third round come from lattices, codes, multivariate, isogenies and hash-based. Isogeny-based protocols have the advantage that they provide very compact keys and the disadvantage that they are relatively slow compared to other candidates, and isogeny-based cryptography in general is a very young field. SIDH, which is the building block of SIKE, uses supersingular isogenies, and in general supersingular isogenies do not commute. Because SIDH is a Diffie-Hellman type key exchange, to make the diagram commute, Jao and De Feo publish the images of some torsion points. There have been several attacks that exploit these torsion point images, among which we have the passive attacks of Petit and their recent improvement, the famous GPST adaptive attack on SIDH, and the recent new adaptive attack on SIDH by Petit and co-authors. The isogeny-based scheme engaged in the NIST standardization process uses the Fujisaki-Okamoto transform to counter the GPST adaptive attack.
Using this transform implies that there is key disclosure and re-encryption: the key validation method used in the scheme is public key re-encryption. So Alice recomputes the public key of Bob to make sure that Bob honestly computed his public key. There have been other variants to counter the GPST adaptive attack, among which k-SIDH, which consists in running multiple instances of SIDH in parallel, and the recent paper by De Feo and co-authors which designs a proof of isogeny knowledge. This is a signature scheme that Bob can use to prove that he computed an isogeny of the correct degree and that the torsion points in his public key were also computed honestly. The issue with k-SIDH and the recent proof of isogeny knowledge is that these countermeasures are costly: there is a lot of computation to be done and the keys are also very large. So in this paper what we do is suggest a new countermeasure to the GPST adaptive attack, and we incorporate this countermeasure into an interactive key exchange protocol. We also derive two PKEs, SHealS and HealS, with conjectured IND-CCA security. This talk will be organized as follows. First we will talk about elliptic curves and isogenies. Next we will describe SIDH and the GPST adaptive attack. We will then present our countermeasure, present the key exchange HealSIDH and the public key encryption schemes SHealS and HealS, and we will summarize our contribution. Elliptic curves are smooth projective algebraic curves of genus one, and when the characteristic of the field of definition of the curve is different from two and three, every elliptic curve is isomorphic to a short Weierstrass curve. Isomorphism classes of elliptic curves are determined by the j-invariant, so the j-invariant is the invariant of isomorphism classes of elliptic curves.
Every elliptic curve has a unique abelian group structure, and for any integer n coprime to the characteristic of the field of definition of the curve, the n-torsion group is a free group of dimension two. That is, the n-torsion group is generated by two linearly independent points of order n. Over finite fields there are only two possibilities for the endomorphism ring of an elliptic curve: this endomorphism ring can be either isomorphic to an order in an imaginary quadratic field, in which case we say that the curve is ordinary, or to a maximal order in the quaternion algebra ramified at p and infinity, in which case we say the curve is supersingular. Isogenies are maps between elliptic curves, and they are also morphisms with respect to the group structure of the elliptic curves. Isogenies are given by Vélu's formulas, and their degree is, up to some precision, the size of their kernel. Isogenies of a given kernel are efficiently computable when their degree is smooth, and we don't know how to compute them efficiently when their degree is not smooth. The pure isogeny problem is the following: given two elliptic curves E1 and E2, compute an isogeny phi from E1 to E2. This ends the part about elliptic curves and isogenies. One should note that even this pure isogeny problem is not always the concrete problem underlying the security of isogeny-based schemes; in the case of SIDH you have more information: you don't only have E1 and E2, but you also have the action of phi on some torsion points. So let's present SIDH. SIDH is a Diffie-Hellman type key exchange. Since you have elliptic curves and isogenies, what you expect to do is to start with some elliptic curve E0, compute secret isogenies, then exchange the public curves and compute some other secret isogenies to obtain the shared secret.
But as we stressed before, supersingular isogenies don't commute in general, so you don't know how the isogenies phi_B' or phi_A' are defined and you don't expect to have the same shared curve. So what Jao and De Feo do in their scheme is that they provide torsion point images that will help Alice to push her isogeny phi_A through phi_B without knowing phi_B; Alice will also reveal the images of some torsion points that will help Bob to push his isogeny through phi_A without knowing phi_A, and pushing these kernels through the secret isogenies will help to make the diagram commute. So now we have E0 and the respective torsion group bases. Alice computes her secret isogeny and evaluates her secret isogeny on Bob's torsion group basis; Bob does the same, and the public keys are the curves and the respective torsion point images. Now with these torsion point images they can make the diagram commute, and they obtain the same shared curve, which can be used as the shared secret. So the shared secret here is the j-invariant of this curve. Since SIDH is a Diffie-Hellman type key exchange, we have the key recovery problem, the computational Diffie-Hellman problem, the DDH problem and so forth. Here we present the key recovery problem and the computational Diffie-Hellman problem. The key recovery problem is the problem of completing an isogeny when its action on some torsion points is given. Here we are given E0 and E_A, the torsion points P_B, Q_B and their images through phi_A, and you are asked to compute phi_A, or equivalently the kernel of phi_A, or the integer alpha that defines the kernel of phi_A.
In the computational Diffie-Hellman problem you are given the curve E0, the curve E_A and the curve E_B together with the respective torsion point images, and you are asked to compute the shared secret. Here we will be interested in the first problem, that is the supersingular isogeny problem with torsion points, in an adaptive attack setting. So we suppose that you are given access to a key exchange oracle and you want to recover alpha; this leads to the GPST adaptive attack. In the GPST adaptive attack one supposes that Alice, the first participant in the key exchange, has a static key and is honest, and there is a second participant, Bob, who is malicious and wants to recover Alice's secret. One also supposes that he is given access to a key exchange oracle that has inputs E, R, S and E', where E, R, S stands for the public key of Bob in the SIDH instance and E' is some supersingular curve for which Bob wants to check whether it is the shared curve computed by Alice in the SIDH instance or not. The oracle will return 1 if this curve E' is the shared curve computed by Alice in the SIDH instance and 0 if not. The idea of the attack is to progressively recover each bit of the secret alpha, from the least significant bit to the most significant bit, by replacing the torsion points in Bob's public key by some maliciously computed ones. When querying the oracle, Bob will distinguish whether the curve computed by Alice is the curve he obtained or not, and with this Bob can guess what the bits of alpha are.
In the very first version of SIDH the only key validation method was the pairing check, so the points R_i and S_i are chosen such that the pairing check equation is successful, and they are also chosen such that the curve obtained by Alice equals the curve computed by Bob when the bit Bob is attacking is 1, and is different when the bit Bob is attacking is 0. That is, the key exchange oracle will effectively help Bob to distinguish whether the bit he is attacking is 1 or 0. With this you can totally recover alpha in polynomial time, and this is the main reason why in SIKE the Fujisaki-Okamoto transform is used to counter this adaptive attack. Now, as we said before, the other countermeasures suggested are very costly, so we will now suggest a new countermeasure to the GPST adaptive attack. Note that in SIDH, as far as Bob only scales the images of the torsion points by some integer lambda coprime to the order of the torsion points, this will not affect the execution of the scheme: it will not affect the shared curve and the isogenies computed in the scheme.
Our countermeasure starts by noticing that the isogenies do in reality commute (I think this was noted by Leonardo): when you use Vélu's formulas, the isogenies in fact commute on evaluation, not only on the end curve but on evaluation. Composing this equation with the dual of phi_A', you get [2^a] phi_B = dual(phi_A') ∘ phi_B' ∘ phi_A. This equation implies that if Alice could magically compute the right-hand side of the equation, then she could also manage to compute phi_B on some torsion points; so if Alice has the action of phi_B' on some torsion points, then she can evaluate the action of phi_B on the same torsion points. But there is this integer 2^a in the equation, which will sort of kill the 2^a part of the torsion points. So what we do is use points of order 2^{2a}, such that when the 2^a part of the torsion point is killed you will be left with another 2^a part when verifying this equation. So you choose P_2 and Q_2 such that 2^a P_2 = P_A and 2^a Q_2 = Q_A; then the equation translates to phi_B(P_A), which is phi_B(2^a P_2), equals dual(phi_A') ∘ phi_B' ∘ phi_A (P_2). Here P_2 has order 2^{2a}, so if Bob can reveal the action of phi_B' on points of order 2^{2a}, then Alice can compute dual(phi_A') ∘ phi_B' ∘ phi_A (P_2), hence she can obtain phi_B(P_A); the same for Q_2 and Q_A. So why would Bob honestly compute phi_B'? Let's go back to SIDH. If we look here we will see that phi_B' should normally be the push forward of phi_B through phi_A. So if you include some maliciousness in phi_B and you want to use phi_B' to cancel the maliciousness you included in phi_B, then you will need to know the action of phi_A on the torsion group you are manipulating. Bob is manipulating the 2^{2a}-torsion group, so he will need to know the action of phi_A on the 2^{2a}-torsion group, hence he needs to know Alice's secret, because knowing the action of phi_A on the 2^{2a}-torsion group is equivalent to knowing Alice's secret. So to maliciously compute phi_B such that the equation or the diagram stays commutative, at least in some cases, what you need is to know phi_A. That's the intuition why Bob should not mess with phi_B'.

Now let's concretely present the countermeasure. We are revealing the action of isogenies on many points, through many torsion groups, so there will be many points involved here, and if you don't get it from the first presentation then don't blame yourself; I think I also would not be able to get it from the first presentation. So let's start at the beginning. Now you have your points P_2, Q_2; you also have P_B and Q_B for Bob's torsion points. Bob will be revealing the action of phi_B on P_2 and Q_2. P_2 and Q_2 have order 2^{2a} and the isogeny of Bob has degree 3^b, which is roughly 2^a, so the scheme is unbalanced. To counter Petit's torsion point attack, which applies to unbalanced SIDH, we set the starting curve E0 to be a supersingular curve with unknown endomorphism ring. Now Alice will compute phi_A and the images of Bob's torsion points. She will also evaluate phi_A on P_2 and Q_2 and keep this secret. She will generate a canonical 2^{2a}-torsion basis of E_A, compute the coordinates of these points in this canonical basis, and add these coordinates to her secret key. Bob evaluates phi_B on P_2 and Q_2 to obtain R_A, S_A; he evaluates phi_B' on the canonical basis R_A, S_A to obtain R_AB, S_AB; he sends his public key and this R_AB, S_AB to Alice. When Alice receives R_AB and S_AB, she evaluates psi_A' on R_A and S_A to obtain the shared curve and these torsion points. Note that here we write psi_A' just to highlight that if Bob was malicious, then this would possibly not be the push forward of phi_A through phi_B; that's why we denote it by psi_A' instead of phi_A'. With this information Alice can now run the key validation. She first of all checks the pairing equation on the torsion points in Bob's public key; then she checks if psi_A'(R_A) equals e1 R_AB + f1 S_AB. Note that psi_A'(R_A) stands for phi_A' ∘ phi_B (P_2), and e1 R_AB + f1 S_AB here stands for phi_B' ∘ phi_A (P_2), so she is checking this equation, which corresponds to phi_A' ∘ phi_B = phi_B' ∘ phi_A on the 2^{2a}-torsion group. If all the checks are correct then Bob's torsion points are harmless and the key is valid; if the checks are not correct then Bob is certainly malicious and the key is invalid, so she can abort the key exchange.

Now let's see how to incorporate our countermeasure in a key exchange protocol; we present HealSIDH. The aim here is to derive a key exchange from the key validation we have just presented. Note that in the key validation Bob publishes the images phi_B'(R_A), phi_B'(S_A) of the points R_A and S_A, and these points lie on the shared curve. So if you publish these torsion point images in clear, then an adversary can use the torsion points to recover the shared curve. What we do is that instead of publishing these torsion point images in clear, you generate a canonical basis of the 2^{2a}-torsion of E_AB and you publish the coordinates of these points in this canonical basis. The scheme is interactive because this information needs to be shared online; it cannot be precomputed. The key generation is the same, except that now Bob also uses points of order 3^{2b} instead of 3^b only. Alice generates her public and secret key pair as in the key validation; Bob does the same. Now to perform the key exchange, Alice computes the isogeny phi_A', and she also computes the images of the canonical 3^{2b}-torsion basis of E_B that Bob will use in his key validation, and she will publish the coordinates of these torsion points in the canonical basis of E_BA. Bob does the same as in the key validation. Now with these coordinates that are published, each party can run the key validation: Alice will run the key validation on her side as presented previously, but Bob also runs the key validation on his side. If the checks are correct then each party was honest and they will have the same shared key, which will be valid; if the checks are incorrect then one of the parties was malicious and they will abort the key exchange. So the interactive part here is the part in which these coordinates are computed and sent through the public channel.

What about the security of HealSIDH? The computational Diffie-Hellman problem is the following: you are given E0, E_A and E_B and the respective torsion point images, but you are also given the coordinates of some torsion points on the shared curve in some canonical basis, and you are asked to compute the shared curve. The differences with the computational Diffie-Hellman problem in SIDH are: first, the instance is unbalanced, because you have points of order 2^{2a} while you are computing isogenies of degree roughly 2^a; second, you have the coordinates of some points on the shared curve in a canonical basis. These are the two main differences between this computational Diffie-Hellman problem and the computational Diffie-Hellman problem in SIDH. The decisional Diffie-Hellman problem is not hard here, effectively because of these coordinates that are revealed. In fact, if you are given a random supersingular curve E' and you want to check if E' equals E_AB or not, all you need to do is to generate the canonical basis on E' and recover the corresponding points; if these corresponding points verify the pairing equation with the canonical points R_B, S_B and R_A, S_A, then the curve E' is E_AB with overwhelming probability, and if not then the curve E' is not E_AB. So this can be used to discard curves that are not the shared secret in the HealSIDH instance, so the decisional Diffie-Hellman problem for HealSIDH is not hard. Nevertheless we will show how to derive a PKE scheme from HealSIDH.

Now we present SHealS and HealS, the PKEs we derive from HealSIDH. The key generation is the same. For encryption, Bob computes his part of the HealSIDH key exchange, and for a given plaintext m, where m is an integer modulo 2^{2a} which is coprime with two, he scales the coefficients e3, f3, e4 and f4 by m and XORs all of this with the hash of the j-invariant of the shared secret. Note that since these coefficients are coordinates of points in some canonical basis, scaling these coefficients is exactly scaling those points by the scalar m, and when you scale those points by the scalar m, since Alice can recompute those points in the key validation, all she needs to do is to solve a discrete logarithm problem. Note that here we are talking about points of order 2^{2a}, so the discrete logarithm problem is efficient with the Pohlig-Hellman algorithm. So during decryption, all she needs to do is to compute the underlying HealSIDH key exchange; then the decryption is essentially solving the discrete logarithm between phi_A'(R_A) and the points she computed during the key validation. Since there are two points, when she computes m' using one of the points she checks if it is the same m' which is obtained with the other point; if it is the case then she returns the integer m', if not she aborts the decryption. Note that in SHealS Bob is using torsion points of order 3^{2b}, but since Bob does not run any key validation on Alice's public key, Bob could use only torsion points of order 3^b, and so one can change the prime size to have a more efficient scheme; this is what is done in HealS. The public parameters now are E0, P_2, Q_2, P_B and Q_B, and the scheme is exactly the same as in SHealS. The difference between the two is that in SHealS Bob can always stay on the side of the 3-isogenies regardless of whether he is encrypting messages or receiving ciphertexts that he needs to decrypt, and Alice also can always stay on the side of the 2-isogenies regardless of whether she is encrypting messages or receiving ciphertexts to decrypt, while in HealS Bob can only encrypt ciphertexts using 3-isogenies; he cannot receive ciphertexts while using 3-isogenies. In some contexts this may be important, especially for implementations where you can have a device in which you only need to store the computation of 3-isogenies; you don't need to store both 3-isogenies and 2-isogenies.

Now for the security: the IND-CCA security relies on the following problem, which consists of distinguishing a random basis of the shared curve from the real images of the torsion points R_A and S_A through the isogeny phi_B'. Here you have the first basis B0, which is made up of the images phi_B'(R_A), phi_B'(S_A) of the torsion points R_A and S_A through phi_B', and another uniformly random basis R, S of the 2^{2a}-torsion group of E_AB such that the pairing equation for R, S is verified. What the adversary is asked to do, given a basis, is to distinguish if this basis is B0 or just a random basis satisfying the pairing equation. For the IND-CCA security, we could not come up with an IND-CCA proof, but we are not aware of any IND-CCA attack on the scheme. One of the main reasons we believe could justify why we could not come up with a proof is the fact that in the key validation method we do not verify that Bob effectively computed an isogeny of degree 3^b, so there is no validation on the isogeny; nevertheless we counter all known attacks that exploit this weakness of the key validation.

Now let's summarize the contribution of the paper by comparing our schemes to existing ones. We compare HealSIDH with k-SIDH because k-SIDH was the only existing non-Fujisaki-Okamoto countermeasure to the GPST adaptive attack when we were writing the paper. We can see that HealSIDH beats k-SIDH in terms of efficiency and parameter, public key and private key sizes; in fact in HealSIDH you compute only four isogenies in the full execution of the key exchange, while in k-SIDH you compute up to k squared isogenies. Also, like k-SIDH, HealSIDH is compatible with static keys, but HealSIDH is not a non-interactive key exchange. This is one of the main issues with HealSIDH: it is not a non-interactive key exchange. Another issue is the fact that you need a trusted setup for the starting curve E0. These are the two main drawbacks of HealSIDH compared to k-SIDH. Now let's compare SHealS and HealS to SIKE. SHealS and HealS have larger parameters, but one of the interesting facts about the two schemes is that in SHealS and HealS you compute only four isogenies, while in SIKE five isogenies are computed. So if one could improve on this countermeasure in such a way that the characteristic of the field used is reduced, say we use for example the same primes as in SIKE or SIDH, then this will lead to a very great speed up of SHealS and HealS, and we may even have schemes that can compete with SIKE in terms of efficiency. So we believe that improving this countermeasure will lead to very nice public key encryption schemes or interactive key exchanges that have nice efficiency advantages. As open problems we have cryptanalysis: the key validation is new, so cryptanalyzing it is a good project. Can the key validation method be improved? There is in fact too much overhead in the key validation and we believe it can be improved; for this point we are currently working on refinements of the key validation method and we hope that the results we are having will be online in the upcoming months. The last open problem is the IND-CCA security of SHealS and HealS: since it is only a conjecture, can we contradict the conjecture, or can we redesign the scheme such that we can provide an IND-CCA security proof? That's it for my presentation. Thank you, and the paper will be online before the live presentation at the conference. Thank you for listening.
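The commutation argument behind the countermeasure and the check Alice runs, written out as an added derivation (not part of the talk), in the talk's notation. It assumes phi_A, phi_A' have degree 2^a, that P_2 has order 2^{2a} with [2^a]P_2 = P_A, and that (R, S) names the canonical basis of E_A[2^{2a}] (the talk labels it R_A, S_A) in which Alice stores phi_A(P_2) = e_1 R + f_1 S.

Commutation on evaluation (via Vélu's formulas), then left composition with the dual $\hat{\phi}_A'$ and $\hat{\phi}_A' \circ \phi_A' = [\deg \phi_A'] = [2^a]$:
$$\phi_A' \circ \phi_B = \phi_B' \circ \phi_A
\;\Longrightarrow\;
[2^a]\,\phi_B = \hat{\phi}_A' \circ \phi_B' \circ \phi_A .$$
Evaluating at $P_2$ of order $2^{2a}$ with $[2^a]P_2 = P_A$ shows why the revealed points must have order $2^{2a}$ and not $2^a$:
$$\phi_B(P_A) = \phi_B([2^a]P_2) = [2^a]\,\phi_B(P_2) = \hat{\phi}_A' \circ \phi_B' \circ \phi_A(P_2),$$
and the same with $Q_2, Q_A$. The key validation compares the two sides of the original equation on $E_{AB}$: with $\phi_A(P_2) = e_1 R + f_1 S$ and Bob's $R_{AB} = \phi_B'(R)$, $S_{AB} = \phi_B'(S)$,
$$\phi_B' \circ \phi_A(P_2) = e_1 R_{AB} + f_1 S_{AB}
\quad\text{versus}\quad
\psi_A'\bigl(\phi_B(P_2)\bigr),$$
where $\psi_A'$ is Alice's own push-forward of $\phi_A$ through Bob's published $\phi_B$; agreement on $P_2$ and $Q_2$ is exactly $\phi_A' \circ \phi_B = \phi_B' \circ \phi_A$ on $E_0[2^{2a}]$.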