By Victoria de Quehen, Security Researcher, ISARA Corporation
Published July 27th, 2018
One of the most widely deployed public key cryptographic algorithms is the elliptic curve Diffie-Hellman key exchange (ECDH). This, as well as most currently used protocols, is vulnerable to attacks using quantum computers. Isogeny-based cryptography offers the closest quantum-safe cryptographic primitives to ECDH.
A large group of researchers and developers working on isogeny-based cryptography united their efforts to put forth a single submission to NIST’s call for submissions: Supersingular Isogeny Key Encapsulation (SIKE) [4]. This is a key encapsulation mechanism (KEM) that is closely related to the quantum-resistant key agreement Supersingular Isogeny Diffie-Hellman (SIDH) introduced by Jao and De Feo [3].
What are the Advantages of Isogeny-Based Cryptography?
Supersingular Isogeny Diffie-Hellman (SIDH) is a key exchange protocol [3]. It is an algorithm that allows two parties to jointly establish a shared secret key over an insecure channel. You can use SIDH wherever you use ephemeral ECDH or DH. It is implemented in the ISARA Radiate™ 1.4 Toolkit, and using ISARA Radiate’s Open SSL Connector, is integrated into protocols in OpenSSL.
If you are using OpenSSL, then you can use one of our TLS cipher- suites that feature SIDH as a key exchange algorithm. If you are not using OpenSSL, then you can directly call into our toolkit.
Supersingular Isogeny Key Encapsulation (SIKE) is a KEM [4]. It will be implemented in an upcoming release of the ISARA Radiate Toolkit.
In SIDH two parties wish to agree upon a key. Its form is similar to that of Diffie-Hellman and Elliptic Curve Diffie-Hellman. Let us first review Elliptic Curve Diffie-Hellman, and then see the differences.
Figure 1: ECDH. Scalar multiplication can be thought of as a function between elliptic curves. One party calculates the arrows in red, and the other party calculates the arrows in blue. The dotted lines represent the parties exchanging the points [NA] · P and [NB] · P.
The main difference is that the scalar multiplication is replaced by a type of function between elliptic curves called an isogeny. Also instead of calculating the image of a point P under two different functions, the parties calculate the image of the entire elliptic curve under the two different functions.
Figure 2: SIDH
Most descriptions of SIDH and SIKE seem far more complicated. This is because the functions are harder to describe and calculate than with ECDH. Not only are the algorithms for calculating images of isogenies computationally more expensive, but the parties also need to keep track of and exchange certain points on the curve, in order to later calculate the functions ψA and ψB. That being said, the overall framework of SIDH really is very similar to ECDH.
These algorithms are built on the hard problem of finding isogenies between elliptic curves. Given two elliptic curves, it has long been considered to be extremely difficult to find an isogeny from one elliptic curve to the other. In particular, knowing E, EA and EB are thought to give no information about the isogenies φA and φB. This means that an attacker cannot calculate ψA, ψB or EAB. Therefore an attacker cannot figure out the secret key.
To learn more, check out our Isogeny-Based Cryptography Tutorial here
If you have further questions, set up a meeting with our team here.
Learn about the other five areas of math used in quantum-safe cryptography in our blog series, “Math Paths to Quantum-Safe Security”: