Okay, so I was asked to speak about elliptic curves in a post-quantum session. That doesn't look too good. So before we get into this, let's forget about quantum computers for a minute, and let's admire the awesomeness of elliptic curves. Yeah, I know there are still some haters out there. So some people still say, "What have elliptic curves ever done for us?" and for those guys I have the following slide.

So these are all the awesome things we can do with elliptic curves: factoring, primality proving. We have simple and fast key exchange and digital signatures. So we have ECDH, ECDSA, X25519, we have EdDSA, and even very modern things with funny names like FourQ and SchnorrQ. And all this comes with very small and compact parameters, so, yeah, due to the availability of generic attacks only. And not to forget pairings, right? These are the only practical multilinear maps we have. They brought a lot of nice applications, and, yeah, all these things are very awesome.

So unlike in the RSA setting, in elliptic curves we fix specific parameters. So we have a set of fixed, specific curves. You might recognize some of those. So here are two sets of curves that are widely used these days, and those two sets come from quite different selection processes. So the first ones are the NIST curves with all their P's, and no, 521 is not a typo. And then the second set is Curve25519 and Curve448; those have been recommended by the IRTF for use in TLS 1.3. Well, yes, there are some trust issues with some of those curves, because there's a perception that these four-letter institutions were inappropriately influenced by some three-letter entities like NSA or DJB. Well, anyway, these are the curves that many of you know and that are used in the wild.

And now let's take a look at something completely different. So this is some other elliptic curve. And if you take a look at this prime, it's, first of all, really large.
It has 751 bits, and it doesn't look quite like the primes we know from these other curves on the previous slide. So it's not close to a power of two like 25519; it's actually close to a power of two times a power of three. And then this curve given here is actually defined over a prime field Fp, but we'll take a look at it over the quadratic extension field, because everything happens in that universe over Fp squared that is interesting for us. So this curve is supersingular and its group order is smooth; you can see it down there. So over Fp it's actually p plus one, and over Fp squared it's p plus one squared. And this curve is really bad for ECC, right? The main reasons are: it's supersingular and it has a smooth group order. So the smooth group order makes sure we can easily solve DLPs in any subgroup, and "easily" means in a matter of milliseconds. And also, because it's supersingular, we have the Weil pairing, that is actually a multiplicative transfer of the discrete logarithm from the curve to a finite field, and in this case it's really Fp squared. So the DLP even becomes easier if you move it over to this finite field. So this curve fails most criteria for being a secure curve for traditional ECC, but maybe we can use these other properties in a different context.

So one of these properties is that this curve has a really large number of subgroups. So if you just take a look at the set of points which have a specific order, so all the orders that divide 2 to the 372, this group of points can be generated by two points, and you can easily generate any point in there by taking linear combinations with these scalars m_A and n_A as shown here. And if you count the number of such subgroups that have full order, and you can easily generate those by making sure that one of these coefficients is odd, then you will see there are a lot of these subgroups, namely three times 2 to the 371. So we have a huge set of subgroups, and we might get the idea to take these as secret keys,
right? We can easily generate them. And you might notice I put the subscript A here, so I'm going to assign this torsion group to Alice. So Alice now has this large set and can choose secret points for her subgroups. And then the same holds for the three-power torsion. Just analogously, the same happens, and I'm going to assign this to Bob. So Bob has this universe of subgroups here he can choose from.

And now I have to, at some point, mention the word "isogenies", right? So what is the connection there? So from these subgroups we can come up with isogenies. So what is an isogeny? Actually just a map between two elliptic curves. It's a rational map. So these are the natural maps that exist between elliptic curves, and you can think of those as just fractions of polynomials in the coefficients of the points you're mapping. And there's an additional condition here for being an isogeny, which is that it is a group homomorphism. And then there's a correspondence between the finite subgroups and isogenies, given via the kernel. So all these elements that map to zero, or to the neutral element on the elliptic curve, by this map, that's a subgroup. And if you start out with such a subgroup, you will get an isogeny from it with that kernel. Actually, there's a unique second curve and a map between those, up to isomorphism. And we're going to write this curve E2 as E1 modulo G, modulo this subgroup. And then there's something that's called the degree of the isogeny, which is almost what you think it is: it's sort of the degree of the polynomials involved. But in the case that's interesting for us, it's also the number of elements in this subgroup. So what this gives us is: we start out with this huge set of subgroups, and they had a large order, right? So what we get from this is isogenies with a very large degree.

Okay, what can we do with those? So we can start on a certain curve.
Maybe the one I started out with, and then we can walk. We can map isogenies to other curves, and actually what we're doing is we walk in a certain graph, and that is the supersingular isogeny graph. So the vertices are all the curves that you can reach by isogenies from a certain starting point over Fp squared. And it turns out there are quite a few, so there are p over 12 such curves. So we also have a very large set of these isogenous curves. So they all have the same group order. So if we start with the one I gave you in the beginning, then all these other curves we end up on have the same structure. They have this torsion in the same way as the starting curve.

And then the edges. So now I used my artistic skills to put some curves here. Think about these as the isomorphism classes, and there are more curves outside the slide. And now we're going to draw edges, but I'm not going to draw these high-degree isogenies, only prime-degree isogenies. So here are 2-isogenies. And it turns out this graph is connected and 3-regular, so every node has three edges. Here there can be loops and double edges, but this is how a generic part of that graph should look. And then if you take the 3-graph instead, so now we're not drawing 2-isogenies but we're drawing 3-isogenies, it becomes a 4-regular graph. So you get more edges, and you might notice that things that were connected before now might not be connected, and things that are close here might be far away in the 3-graph. So we have the same set of nodes, but we can walk through it in a different way, depending on whether we take the 2- or the 3-isogenies.

Okay, so now I have to start talking about how we actually compute this stuff, so that's an operation
we want to use. So we want to choose these secret keys, we want to come up with the isogenies, and we want to actually compute the isogenies. So there are formulas: Vélu's formulas allow you to take the kernel subgroup and come up with the isogeny, come up with formulas that allow you to map points between curves. The problem is, the cost for this is proportional to the size of the subgroup. So if you think back to these large subgroups, there's no way we can actually do this large isogeny in one go. But luckily we chose the degree to be smooth, so we can really walk through the graph in little steps. For example, in the 2-isogeny graph, we walk through it with 2-isogenies.

So here's one example. If we take this one point of this order, then we can decompose it into 372 2-isogenies, and I just wrote down the first one down there. What you do is you take this point R0, you do a scalar multiplication by the factor of 2 to the 371, and what that gives you is a point of order two which lies in this kernel and itself generates a small order-two subgroup, which you can use with the formulas to compute this little first 2-isogeny. And then you map everything to the new curve and you keep on going. So for the next one, you'll take the point R1, do a scalar multiplication to generate a point of order two, and then you can do the next step, the little 2-isogeny phi_1.

So now we have these operations. We have all our secrets, which are subgroups, we get isogenies, and we have this operation, and we can take a look at how we would try to come up with a Diffie-Hellman key exchange from that. So here's a comparison; you have seen this already in the previous talk. Recall the standard Diffie-Hellman settings. So the original one was integers modulo a prime; your secrets were exponents, the computation is just an exponentiation, and the hard problem is the discrete log problem modulo p. Then on elliptic curves, the classical case, you're working on a group of points, you do a
scalar multiplication k times P, and again the discrete log on the elliptic curve. But now, for the isogeny case, we work on this class of isogenous curves, so this graph, and secrets are isogenies, and the operation is taking a curve and applying the isogeny, coming up with the second curve.

So a little more detail here. How would that look? So E is the curve from the start. Now Alice and Bob both go ahead and select their secret subgroup by picking these scalars m and n in their respective cases, and then just doing what I told you, just walk to the other curve in the graph. Now these red curves, they are the public keys. They are public information. They send them to the other party. And now they somehow need to complete this diagram. They sort of need to arrive at a common curve that we can take as the shared key. And for this to be possible in this setting, we need some more information, so we have to extend the public keys by the images of the generator points under the secret isogeny. So what Alice will do: she will send phi_A of P_B and phi_A of Q_B as well. So why is that? So what Bob can do now is compute the image of his secret point R under Alice's secret isogeny by just doing the same operation he did to come up with R, now on these images, and because this is a group homomorphism, this will be the image of the secret point. So this is just a way to make sure that a similar operation now can be done on Alice's public key, right? And vice versa. So now we can arrive at this shared secret curve, E mod ⟨R, S⟩.

Okay, so let's start thinking about parameters and sizes and timings. So how large are these keys?
They can actually be represented with just 564 bytes. So essentially you could take three x-coordinates over Fp squared. So basically three Fp squared elements will allow you to generate, to represent this, and this is 564 bits. So compared to what we saw in the previous talk, and even the one before, this is still quite a bit smaller than the lattice-based schemes, even the ring learning with errors, which had around two kilobytes, right, per direction, or the new ones time create introduced shorter still one kilobyte. All right, so it's really, really small, but unfortunately I have to disappoint you Lara no update. It's still as slow as it was. So these are timings in millions of cycles. So the total is around 56 milliseconds on this machine, and, yeah, it is a bit slow, right? So compared to the lattice stuff, that's definitely not competitive yet. If you really need the size, if you really need to have small keys, then that might be an option. But hopefully people can speed this up. So if you want to look at the code, we have released the code under the link shown here, and you can just take it and play around.

So what about security?
Yeah, there's a whole bunch of problems related to this key exchange, as usual. I just put the overarching supersingular isogeny problem here, that corresponds to the discrete log problem for the other cases. So the problem is: you're given two curves E1 and E2 over Fp squared, and you know there's an isogeny between them of a certain fixed and smooth degree, and now, given those two curves together with two points and their images, find the isogeny.

So in terms of attacks. So this is not really a very general isogeny problem, right? If you would take two random curves in that class, you're not guaranteed that they're connected by an isogeny of this specific degree. So that's an additional condition here. That means also, because this is a bit shorter than you would usually expect, this means that the best attacks we know are actually attacks via a standard generic claw-finding algorithm. So you would start from both ends, build up trees of isogenies, and then find a match in the middle, right? And it turns out the classical complexity is O of p to the 1/4th and the quantum attack is O of p to the 1/6th, and for these attacks these algorithms are optimal. So we think this has post-quantum security of roughly 125 bits.

All right. So we do have this key exchange now, which produces pretty small public keys, but it's slow. So let's make the keys even smaller and the protocol even slower. We can do something to keys to compress them even further, and this relates to what I said on one of the first few slides, that this curve is actually really bad for traditional ECC because the DLPs can be solved easily and it has a pairing. And now we're going to use these things in a constructive way. Namely, it is way better to represent points not by their coordinates, but by these scalars that were used to generate them, or in this case,
I mean, they will be mapped to this curve, so they weren't generated, but they are representable by the two scalars in a certain basis of the torsion group, right? But for that we need to solve discrete logs. But we can do it in milliseconds, so we can actually just solve them and come up with these scalars.

So what does that mean? As I mentioned, the original public key is three Fp squared elements, which is six log p bits, and that was the number we saw, 564 bytes. But now we can replace both of these points by their scalars in the decomposition, by the discrete logs. And we can even normalize by one. So there's definitely one among the four that can be inverted modulo the order, so we can just get rid of one and only have three elements of size 2 to the 372. So that comes down to 7/2 log p, which is 330 bytes in the setting I showed.

So what do we have to do for this to happen? So we get this public key, these points. First of all, because this curve we're working on is a random curve we just came up with during the key exchange, right, so we chose this path, we walked there, and then we have the curve equation, now we first need to come up with a basis for the torsion group. So we need to deterministically compute a basis, because the person who will decompress will need to use the same basis. And then we can even use the pairings: we map everything over to the finite field Fp squared, and then we can simultaneously solve these discrete logs for these coefficients. And the cost: well, it is fast, but it costs as much as about one whole key exchange. So pretty slow in total.
All right, the last thing I'd like to mention is: there's a problem if you want to use this in a static setting. So there are similar problems for the lattice-based schemes. It seems that is somehow inherent to some of these post-quantum candidates. And here in the isogeny setting it has to do with these points we give out, actually. So assume we have a slightly simplified setting here: the first scalar is one in Alice's public key, static key, secret. And then imagine Bob and Alice do this protocol, and Bob behaves honestly until a certain point when he has to send his public key. So he computes these images of Alice's points, but he doesn't send the original public key. He slightly modifies the second point by adding this multiple of the first point. And then he goes on and does the rest of the protocol honestly. So he will come up with the honest shared secret in the end, which is really the curve that comes from the subgroup on the left down here. But Alice, when she uses the public key that Bob sent her, she will compute the point on the right. So she has this additional term in there. And it turns out that those two groups are the same exactly when the least significant bit of n_A is zero. So Bob now can use Alice as an oracle. He can try to connect. If he can, if the connection works, then the bit must have been zero; if not, it was one. So, yeah, this allows Bob to just get at the least significant bit, and there's a slightly more complicated way, but as simple, to get the other bits. So with a sort of, yeah, and connections here, Bob can reconstruct Alice's secret key.

There is a countermeasure to this, but the countermeasure is basically the Fujisaki-Okamoto transform, which means Alice would have to recompute everything that Bob did, and the cost for that would be more than to do an ephemeral key exchange in the first place. So it doesn't really make sense to do static here at this point.

Okay, so let me end with: in the interest of keeping elliptic curves in cryptography, please help by taking
another look at isogeny-based crypto. Yeah, so cryptanalysis is a bit understudied, I think, so we need people that really want to break this. And we need people to speed it up. It is too slow, as you have seen, so we would need an order or two of magnitude to get there. And then there are some open problems, like public key validation that doesn't allow the static attacks. And in terms of signatures, the only thing we have right now is applying the Fiat-Shamir transform to an identification protocol, and it's quite inefficient. So this talk was mainly about other people's work, so I just put the most immediate references here. Those are a good start to find all the people that were involved in all this work. And I'm done. Thank you.

Any questions? We have time for a question or two. So why don't I ask a question. Right, so there's a generalization of elliptic curves called higher genus curves, you know, hyperelliptic and such. How do these things behave in those kind of environments?

It's all very much more complicated. Stay away.

All right, good, good. Okay, but this is a very reasonable survival alternative for bandwidth-constrained environments. Great. Okay, so let's thank Michael again.