CORDIS - EU research results

Isogeny-based Toolbox for Post-quantum Cryptography

Periodic Reporting for period 2 - ISOCRYPT (Isogeny-based Toolbox for Post-quantum Cryptography)

Reporting period: 2023-07-01 to 2024-12-31

A quantum computer exploits quantum-mechanical effects such as superposition to solve hard mathematical problems that are intractable on classical computers. The most prominent example is Shor's algorithm, which renders all widely deployed public-key cryptographic systems, such as those used in TLS, totally insecure, and with them all digital services that crucially rely on them.

Post-quantum cryptography deals with the design and analysis of cryptographic algorithms that remain secure against attacks not only by classical computers, but also by quantum computers. The threat of quantum computers is a very real and pressing issue, as evidenced by the ongoing NIST standardization effort for post-quantum cryptographic algorithms. Since the classical hard mathematical problems, i.e. factoring and the discrete logarithm problem, can be broken by Shor's algorithm, we need to find new hard mathematical problems that can be used as the basis of post-quantum cryptosystems. The current state of the art in post-quantum cryptography is well illustrated by the submissions to the NIST competition, which can be divided into 6 categories depending on the type of hard problem (in a broad sense) they rely on: lattices, multivariate polynomials, hash trees, codes, multi-party computation in the head and, finally, isogenies between elliptic curves. Isogenies are maps between elliptic curves, and hard problems related to the computation of such maps have recently been proposed as a candidate basis for post-quantum cryptography.

What the NIST standardization effort shows is that there are very few hard mathematical problems that remain hard in the presence of quantum computers and are at the same time sufficiently versatile to be used in cryptographic algorithms. Furthermore, some of these hard problems are very much limited in the functionality they offer: hash trees and multivariate polynomials are only useful for signature schemes, whereas codes are mainly used for encryption. The ISOCRYPT project focuses solely on isogeny-based cryptography, the most recent and thus fairly immature approach to post-quantum cryptography. This is evidenced by the fact that only one isogeny-based key encapsulation mechanism (SIKE) was submitted to NIST, and that it was selected as one of the 8 alternate candidates (not a finalist), with NIST stating that "Further research in isogeny-based cryptography is encouraged."

Despite its immature nature, isogeny-based cryptography looks extremely promising: it typically results in more compact cryptosystems and is sufficiently versatile to allow for a multitude of cryptographic applications, unlike the hash-, code- and multivariate-polynomial-based approaches mentioned above, which have rather limited applications. As such, isogeny-based cryptography has the potential to become the only fully fledged alternative to lattice-based cryptography, due to its versatility and compact key and ciphertext sizes, but most importantly because it relies on a totally different hard mathematical problem, thereby providing much needed diversity. However, to inspire confidence a lot more research is required on its purported security, its efficiency and especially on post-quantum secure applications. The goal of the ISOCRYPT project is to develop the full potential of isogeny-based cryptography and to provide a comprehensive toolbox enabling real-world deployment of isogeny-based cryptography, including security analysis, efficient and secure implementation and a suite of quantum-safe applications. To achieve this goal, a number of key research challenges need to be solved: determining the exact security of isogeny-based systems, providing efficient and secure implementations and building a suite of isogeny-based post-quantum secure applications. Our approach to solving these challenges relies on a deep exploration of the mathematical properties of isogenies, guided by the functionalities needed to build practical applications.
The work performed during the first half of the ISOCRYPT project has resulted in progress towards achieving our main objectives in the following way:

Objective 1: Security analysis of isogeny-based cryptography

We managed to completely break the only isogeny-based cryptosystem that was submitted to the NIST competition and which survived all the way into the final round. In 2022, two of the ISOCRYPT team members, Castryck and Decru, broke this system in polynomial time, and the attack was also very efficient in practice. SIDH was supposedly hard to break even up to 2^128 operations, but the attack could break the system in a matter of seconds. This is undoubtedly one of the most influential cryptanalytic results of the past decade. The attack was reported on in many scientific magazines such as Ars Technica, MIT Review, Quanta Magazine, EOS Magazine and The Economist. The corresponding paper received the best paper award at Eurocrypt 2023, and the authors were also rewarded with a $50,000 prize from Microsoft for breaking the SIKE challenges (which are based on SIDH). Furthermore, the techniques used in the attack can also be applied constructively, and have opened up a whole new approach to isogeny-based cryptography. This technique relies on efficiently computable higher-dimensional isogenies to represent large-degree isogenies between two elliptic curves.

As a further contribution, we published several papers identifying weak instances of other types of isogeny-based cryptosystems, such as those based on class groups, M-SIDH and FESTA. Finally, we also identified another weak instance that can specifically be exploited using a quantum computer.

Objective 2: Efficient and secure implementation of isogeny-based cryptography

We published several papers on improving the efficiency of the basic building block, namely the computation of isogenies, both in dimension 1 (elliptic curves) and in dimension 2 (hyperelliptic curves). In some applications, the resulting protocols now run more than twice as fast, and in some cases up to ten times as fast, as the previous state of the art.

Objective 3: New isogeny-based primitives, protocols and applications

We have designed several new algorithms for distributed key generation in isogeny-based cryptography, i.e. where several parties jointly generate a key pair that can then be used in a multiparty setting.

Furthermore, we are currently working on improved signature schemes that exploit the new techniques introduced in the SIDH attack.

Further cryptanalytic work is required to get a more complete picture of the hardness of the different assumptions in isogeny-based cryptography that underlie novel protocols. A better understanding of the concrete hardness of the basic isogeny problem is also needed.

For applications, we expect that the technique of using higher-dimensional representations of isogenies will find many more applications beyond the current signature scheme, such as threshold signatures and hopefully even a non-interactive key exchange protocol.

Since the use of higher-dimensional isogenies is now central to many novel applications, we also expect to improve the efficiency of computing smooth-degree isogenies in higher dimensions.