Advertisement

Pre- and Post-quantum Diffie–Hellman from Groups, Actions, and Isogenies

  • Benjamin SmithEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11321)

Abstract

Diffie–Hellman key exchange is at the foundations of public-key cryptography, but conventional group-based Diffie–Hellman is vulnerable to Shor’s quantum algorithm. A range of “post-quantum Diffie–Hellman” protocols have been proposed to mitigate this threat, including the Couveignes, Rostovtsev–Stolbunov, SIDH, and CSIDH schemes, all based on the combinatorial and number-theoretic structures formed by isogenies of elliptic curves. Pre- and post-quantum Diffie–Hellman schemes resemble each other at the highest level, but the further down we dive, the more differences emerge—differences that are critical when we use Diffie–Hellman as a basic component in more complicated constructions. In this survey we compare and contrast pre- and post-quantum Diffie–Hellman algorithms, highlighting some important subtleties.

Notes

Acknowledgements

I am grateful to Luca De Feo, Florian Hess, Jean Kieffer, and Antonin Leroux for the many hours they spent discussing these cryptosystems with me; and the organisers, chairs, and community of WAIFI 2018.

References

  1. 1.
    Abdalla, M., Bellare, M., Rogaway, P.: DHAES: an encryption scheme based on the Diffie–Hellman problem. IACR Cryptology ePrint Archive 1999:7 (1999)Google Scholar
  2. 2.
    Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. IACR Cryptology ePrint Archive 2018:313 (2018)Google Scholar
  3. 3.
    Agashe, A., Lauter, K.E., Venkatesan, R.: Constructing elliptic curves with a known number of points over a prime field. In: High Primes and Misdemeanors: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams [30], pp. 1–17Google Scholar
  4. 4.
    Aguilar, C., Gaborit, P., Lacharme, P., Schrek, J., Zémor, G.: Noisy Diffie–Hellman protocols (2010). Slides presented at the recent results session of PQC 2010. https://pqc2010.cased.de/rr/03.pdf
  5. 5.
    Akavia, A.: Solving hidden number problem with one bit oracle and advice. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 337–354. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03356-8_20CrossRefGoogle Scholar
  6. 6.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016)Google Scholar
  7. 7.
    Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36288-6_16zbMATHCrossRefGoogle Scholar
  8. 8.
    Armknecht, F., Gagliardoni, T., Katzenbeisser, S., Peter, A.: General impossibility of group homomorphic encryption in the quantum world. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 556–573. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-54631-0_32CrossRefGoogle Scholar
  9. 9.
    Azarderakhsh, R., et al.: Supersingular isogeny key encapsulation (2017)Google Scholar
  10. 10.
    Balasubramanian, R., Koblitz, N.: The improbability that an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm. J. Cryptol. 11(2), 141–145 (1998)MathSciNetzbMATHCrossRefGoogle Scholar
  11. 11.
    Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_1zbMATHCrossRefGoogle Scholar
  12. 12.
    Benaloh, J.: Simple verifiable elections. In: Wallach, D.S., Rivest, R.L. (eds.) 2006 USENIX/ACCURATE Electronic Voting Technology Workshop, EVT 2006, Vancouver, BC, Canada, 1 August 2006. USENIX Association (2006)Google Scholar
  13. 13.
    Bentahar, K.: The equivalence between the DHP and DLP for elliptic curves used in practical applications, revisited. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 376–391. Springer, Heidelberg (2005).  https://doi.org/10.1007/11586821_25zbMATHCrossRefGoogle Scholar
  14. 14.
    Bernstein, D.J.: Curve25519: new Diffie–Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006).  https://doi.org/10.1007/11745853_14CrossRefGoogle Scholar
  15. 15.
    Bernstein, D.J.: Differential addition chains. Preprint (2006)Google Scholar
  16. 16.
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., Schwabe, P.: Kummer strikes back: new DH speed records. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 317–337. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_17CrossRefGoogle Scholar
  17. 17.
    Bernstein, D.J., et al.: Faster discrete logarithms on FPGAs. IACR Cryptology ePrint Archive 2016:382. Document ID: 01ac92080664fb3a778a430e028e55c8 (2016)Google Scholar
  18. 18.
    Bernstein, D.J., Lange, T., Schwabe, P.: On the correct use of the negation map in the Pollard rho method. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 128–146. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-19379-8_8CrossRefGoogle Scholar
  19. 19.
    Biasse, J., Iezzi, A., Jacobson Jr., M.: A note on the security of CSIDH. CoRR, abs/1806.03656 (2018)Google Scholar
  20. 20.
    Boneh, D.: The decision Diffie–Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0054851CrossRefGoogle Scholar
  21. 21.
    Boneh, D., Lipton, R.J.: Algorithms for black-box fields and their application to cryptography (extended abstract). In: Koblitz [83], pp. 283–297Google Scholar
  22. 22.
    Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes. In: Koblitz [83], pp. 129–142zbMATHGoogle Scholar
  23. 23.
    Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes. IACR Cryptology ePrint Archive 2018:537 (2018)Google Scholar
  24. 24.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 553–570. IEEE Computer Society (2015)Google Scholar
  25. 25.
    Bos, J.W., Friedberger, S.: Fast arithmetic modulo \(2^xp^y\pm 1\). In: Burgess, N., Bruguera, J.D., de Dinechin, F. (eds.) IEEE Symposium on Computer Arithmetic - ARITH 2017, pp. 148–155. IEEE Computer Society (2017)Google Scholar
  26. 26.
    Bos, J.W., Friedberger, S.: Arithmetic considerations for isogeny based cryptography. IACR Cryptology ePrint Archive 2018:376 (2018)Google Scholar
  27. 27.
    Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, New York (1990).  https://doi.org/10.1007/0-387-34805-0zbMATHCrossRefGoogle Scholar
  28. 28.
    Bröker, R., Lauter, K.E., Sutherland, A.V.: Modular polynomials via isogeny volcanoes. Math. Comput. 81(278), 1201–1231 (2012)MathSciNetzbMATHCrossRefGoogle Scholar
  29. 29.
    Buchmann, J., Scheidler, R., Williams, H.C.: A key-exchange protocol using real quadratic fields. J. Cryptol. 7, 171–199 (1994)MathSciNetzbMATHCrossRefGoogle Scholar
  30. 30.
    van der Poorten, A., Stein, A. (eds.): High Primes and Misdemeanors: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams. Fields Institute Communications Series, vol. 42. American Mathematical SocietyGoogle Scholar
  31. 31.
    Buchmann, J., Takagi, T., Vollmer, U.: Number field cryptography. In: van der Poorten, A., Stein, A. (eds.) [30]. High Primes and Misdemeanors: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams, pp. 111–125Google Scholar
  32. 32.
    Buchmann, J.A., Williams, H.C.: A key exchange system based on real quadratic fields. In: Brassard [27], pp. 335–343Google Scholar
  33. 33.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44987-6_28CrossRefGoogle Scholar
  34. 34.
    Cassels, J.W.S.: Lectures on Elliptic Curves. London Mathematical Society Student Texts, vol. 24 Cambridge University Press (1991)Google Scholar
  35. 35.
    Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. IACR Cryptology ePrint Archive 2018:383 (2018)Google Scholar
  36. 36.
    Cheon, J.H.: Security analysis of the strong Diffie–Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006).  https://doi.org/10.1007/11761679_1CrossRefGoogle Scholar
  37. 37.
    Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)MathSciNetzbMATHCrossRefGoogle Scholar
  38. 38.
    Coron, J.-S., Nielsen, J.B. (eds.): EUROCRYPT 2017. LNCS, vol. 10210. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56620-7zbMATHCrossRefGoogle Scholar
  39. 39.
    Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi and Peyrin [130], pp. 303–329CrossRefGoogle Scholar
  40. 40.
    Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron and Nielsen [38], pp. 679–706Google Scholar
  41. 41.
    Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie–Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53018-4_21CrossRefGoogle Scholar
  42. 42.
    Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Cryptogr. Eng. 8, 227–240 (2017)CrossRefGoogle Scholar
  43. 43.
    Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006:291 (2006)Google Scholar
  44. 44.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)MathSciNetzbMATHCrossRefGoogle Scholar
  45. 45.
    De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  46. 46.
    Déchène, I.: On the security of generalized Jacobian cryptosystems. Adv. Math. Commun. 1(4), 413–426 (2007)MathSciNetzbMATHCrossRefGoogle Scholar
  47. 47.
    Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016)MathSciNetzbMATHGoogle Scholar
  48. 48.
    den Boer, B.: Diffie–Hellman is as strong as discrete log for certain primes. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 530–539. Springer, New York (1990).  https://doi.org/10.1007/0-387-34799-2_38CrossRefGoogle Scholar
  49. 49.
    Deneuville, J.-C., Gaborit, P., Zémor, G.: Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 18–34. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-59879-6_2CrossRefGoogle Scholar
  50. 50.
    Diem, C., Thomé, E.: Index calculus in class groups of non-hyperelliptic curves of genus three. J. Cryptol. 21(4), 593–611 (2008)MathSciNetzbMATHCrossRefGoogle Scholar
  51. 51.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  52. 52.
    Ding, J.: New cryptographic constructions using generalized learning with errors problem. IACR Cryptology ePrint Archive 2012:387 (2012)Google Scholar
  53. 53.
    Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive, 2012:688 (2012)Google Scholar
  54. 54.
    Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78372-7_11CrossRefGoogle Scholar
  55. 55.
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)MathSciNetzbMATHCrossRefGoogle Scholar
  56. 56.
    Enge, A., Gaudry, P., Thomé, E.: An L(1/3) discrete logarithm algorithm for low degree curves. J. Cryptol. 24(1), 24–41 (2011)MathSciNetzbMATHCrossRefGoogle Scholar
  57. 57.
    Faz-Hernández, A., López, J., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie–Hellman key exchange protocol. IEEE Trans. Comput. PP(99), 1 (2017)Google Scholar
  58. 58.
    De Feo, L.: Mathematics of isogeny based cryptography. CoRR, abs/1711.04062 (2017)Google Scholar
  59. 59.
    De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. IACR Cryptology ePrint Archive 2018:485 (2018)Google Scholar
  60. 60.
    Fouquet, M., Morain, F.: Isogeny volcanoes and the SEA algorithm. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 276–291. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-45455-1_23CrossRefGoogle Scholar
  61. 61.
    Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Non-interactive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-36362-7_17zbMATHCrossRefGoogle Scholar
  62. 62.
    Frey, G., Müller, M., Rück, H.: The tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Trans. Inf. Theory 45(5), 1717–1719 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  63. 63.
    Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron and Nielsen [38], pp. 202–231Google Scholar
  64. 64.
    Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_34CrossRefGoogle Scholar
  65. 65.
    Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  66. 66.
    Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-46035-7_3CrossRefGoogle Scholar
  67. 67.
    Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_3CrossRefGoogle Scholar
  68. 68.
    Galbraith, S.D., Smith, B.: Discrete logarithms in generalized Jacobians. IACR Cryptology ePrint Archive 2006:333 (2006)Google Scholar
  69. 69.
    Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Inf. Process. 17, 265 (2017)MathSciNetzbMATHCrossRefGoogle Scholar
  70. 70.
    Gaudry, P.: Fast genus 2 arithmetic based on Theta functions. J. Math. Cryptol. 1(3), 243–265 (2007). https://eprint.iacr.org/2005/314/
  71. 71.
    Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  72. 72.
    Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002)MathSciNetzbMATHCrossRefGoogle Scholar
  73. 73.
    Gaudry, P., Thomé, E., Thériault, N., Diem, C.: A double large prime variation for small genus hyperelliptic index calculus. Math. Comput. 76(257), 475–492 (2007)MathSciNetzbMATHCrossRefGoogle Scholar
  74. 74.
    Grémy, L., Guillevic, A.: DiscreteLogDB, a database of computations of discrete logarithms (2017). https://gitlab.inria.fr/dldb/discretelogdb
  75. 75.
    Guillevic, A., Morain, F.: Discrete logarithms. In: El Mrabet and Joye [103], Chap. 9Google Scholar
  76. 76.
    Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki–Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70500-2_12zbMATHCrossRefGoogle Scholar
  77. 77.
    Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-74143-5_31CrossRefGoogle Scholar
  78. 78.
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25405-5_2zbMATHCrossRefGoogle Scholar
  79. 79.
    Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  80. 80.
    Kleinjung, T., Diem, C., Lenstra, A.K., Priplata, C., Stahlke, C.: Computation of a 768-bit prime field discrete logarithm. In: Coron and Nielsen [38], pp. 185–201Google Scholar
  81. 81.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  82. 82.
    Koblitz, N.: Hyperelliptic cryptosystems. J. Cryptol. 1(3), 139–150 (1989)MathSciNetzbMATHCrossRefGoogle Scholar
  83. 83.
    Koblitz, N. (ed.): CRYPTO 1996. LNCS, vol. 1109. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68697-5zbMATHCrossRefGoogle Scholar
  84. 84.
    Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkley (1996)Google Scholar
  85. 85.
    Kohel, D.R., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014)MathSciNetzbMATHGoogle Scholar
  86. 86.
    Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)MathSciNetzbMATHCrossRefGoogle Scholar
  87. 87.
    Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandao, F. (eds.) 8th Conference on the Theory of Quantum Computation. Communication and Cryptography (TQC 2013). Leibniz International Proceedings in Informatics (LIPIcs), vol. 22, pp. 20–34. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany (2013)Google Scholar
  88. 88.
    Langley, A., Hamburg, M., Turner, S.: Elliptic curves for security. RFC, 7748, pp. 1–22 (2016)Google Scholar
  89. 89.
    Lenstra, A.K., Lenstra, H.W. (eds.): The Development of the Number field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993).  https://doi.org/10.1007/BFb0091534zbMATHCrossRefGoogle Scholar
  90. 90.
    Lenstra, A.K., Verheul, E.R.: The XTR public key system. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 1–19. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44598-6_1CrossRefGoogle Scholar
  91. 91.
    Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997).  https://doi.org/10.1007/BFb0052240CrossRefGoogle Scholar
  92. 92.
    Lochter, M., Merkle, J.: Elliptic curve cryptography (ECC) brainpool standard curves and curve generation. RFC, 5639, pp. 1–27 (2010)Google Scholar
  93. 93.
    Marlinspike, M., Perrin, T.: The X3DH key agreement protocol (2016)Google Scholar
  94. 94.
    Martin-Lopez, E., Laing, A., Lawson, T., Alvarez, R., Zhou, X.-Q., O’Brien, J.L.: Experimental realization of Shor’s quantum factoring algorithm using qubit recycling. Nat. Photon. 6(11), 773–776, 11 (2012)CrossRefGoogle Scholar
  95. 95.
    Maurer, U.M.: Towards the equivalence of breaking the Diffie–Hellman protocol and computing discrete logarithms. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 271–281. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48658-5_26CrossRefGoogle Scholar
  96. 96.
    Maurer, U.M., Wolf, S.: The relationship between breaking the Diffie–Hellman protocol and computing discrete logarithms. SIAM J. Comput. 28(5), 1689–1721 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  97. 97.
    Maze, G., Monico, C., Rosenthal, J.: Public key cryptography based on semigroup actions. Adv. Math. Commun. 1(4), 489–507 (2007)MathSciNetzbMATHCrossRefGoogle Scholar
  98. 98.
    Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)MathSciNetzbMATHCrossRefGoogle Scholar
  99. 99.
    Mestre, J.: La méthode des graphes. Exemples et applications. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata), pp. 217–242 (1986)Google Scholar
  100. 100.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986).  https://doi.org/10.1007/3-540-39799-X_31CrossRefGoogle Scholar
  101. 101.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  102. 102.
    Mireles Morales, D.J.: An analysis of the infrastructure in real function fields. IACR Cryptology ePrint Archive 2008:299 (2008)Google Scholar
  103. 103.
    El Mrabet, N., Joye, M. (eds.): Guide to Pairing-Based Cryptography. Chapman and Hall/CRC, New York (2016)zbMATHGoogle Scholar
  104. 104.
    Murty, V.K.: Abelian varieties and cryptography. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 1–12. Springer, Heidelberg (2005).  https://doi.org/10.1007/11596219_1CrossRefGoogle Scholar
  105. 105.
    Muzereau, A., Smart, N.P., Vercauteren, F.: The equivalence between the DHP and DLP for elliptic curves used in practical applications. LMS J. Comput. Math. 7, 50–72 (2004)MathSciNetzbMATHCrossRefGoogle Scholar
  106. 106.
    National Institute of Standards and Technology (NIST). SP 800–56A recommendations for pair-wise key-establishment schemes using discrete logarithm cryptographyGoogle Scholar
  107. 107.
    NIST. Post-quantum cryptography standardizationGoogle Scholar
  108. 108.
    Ochoa-Jiménez, E., Rodríguez-Henríquez, F., Tibouchi, M.: Discrete logarithms. In: El Mrabet and Joye [103], Chap. 8Google Scholar
  109. 109.
    Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-11659-4_12zbMATHCrossRefGoogle Scholar
  110. 110.
    Perrin, T., Marlinspike, M.: The double ratchet algorithm (2016)Google Scholar
  111. 111.
    Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi and Peyrin [130], pp. 330–353CrossRefGoogle Scholar
  112. 112.
    Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (corresp). IEEE Trans. Inf. Theory 24(1), 106–110 (1978)zbMATHCrossRefGoogle Scholar
  113. 113.
    Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32(143), 918–924 (1978)MathSciNetzbMATHGoogle Scholar
  114. 114.
    Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space, June 2004. arXiv:quant-ph/0406151
  115. 115.
    Renes, J., Schwabe, P., Smith, B., Batina, L.: \(\mu \)Kummer: efficient hyperelliptic signatures and key exchange on microcontrollers. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 301–320. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53140-2_15CrossRefGoogle Scholar
  116. 116.
    Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC, 8446, pp. 1–160 (2018)Google Scholar
  117. 117.
    Robert, D.: Theta functions and cryptographic applications. Ph.D. thesis, Université Henri Poincaré - Nancy I, July 2010Google Scholar
  118. 118.
    Roetteler, M., Naehrig, M., Svore, K.M., Lauter, K.E.: Quantum resource estimates for computing elliptic curve discrete logarithms. In: Takagi and Peyrin [130], pp. 241–270CrossRefGoogle Scholar
  119. 119.
    Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006:145 (2006)Google Scholar
  120. 120.
    Rubin, K., Silverberg, A.: Torus-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 349–365. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-45146-4_21CrossRefGoogle Scholar
  121. 121.
    Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard [27], pp. 239–252Google Scholar
  122. 122.
    Shanks, D.: Class number, a theory of factorization and genera. Proc. Symp. PureMath. 20, 415–440 (1971)MathSciNetzbMATHCrossRefGoogle Scholar
  123. 123.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)Google Scholar
  124. 124.
    Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997).  https://doi.org/10.1007/3-540-69053-0_18CrossRefGoogle Scholar
  125. 125.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106. Springer, New York (1992)Google Scholar
  126. 126.
    Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  127. 127.
    Smith, B.: Isogenies and the discrete logarithm problem in jacobians of genus 3 hyperelliptic curves. J. Cryptol. 22(4), 505–529 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  128. 128.
    Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)MathSciNetzbMATHCrossRefGoogle Scholar
  129. 129.
    Sutherland, A.V.: Accelerating the CM method. LMS J. Comput. Math. 15, 172–204 (2012)MathSciNetzbMATHCrossRefGoogle Scholar
  130. 130.
    Takagi, T., Peyrin, T. (eds.): ASIACRYPT 2017. LNCS, vol. 10625. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9zbMATHCrossRefGoogle Scholar
  131. 131.
    Tani, S.: Claw finding algorithms using quantum walk. Theor. Comput. Sci. 410(50), 5285–5297 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  132. 132.
    Thormarker, E.: Post-quantum cryptography: supersingular isogeny Diffie–Hellman key exchange. Ph.D. thesis, Stockholm University (2017)Google Scholar
  133. 133.
    Urbanik, D., Jao, D.: SoK: the problem landscape of SIDH. In: Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, APKC 2018, pp. 53–60. ACM, New York (2018)Google Scholar
  134. 134.
    van Dam, W., Hallgren, S., Ip, L.: Quantum algorithms for some hidden shift problems. SIAM J. Comput. 36(3), 763–778 (2006)MathSciNetzbMATHCrossRefGoogle Scholar
  135. 135.
    Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)Google Scholar
  136. 136.
    Wenger, E., Wolfger, P.: Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs. J. Cryptogr. Eng. 6(4), 287–297 (2016)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Inria and Laboratoire d’Informatique de l’École polytechnique (LIX)Université Paris–SaclayPalaiseauFrance

Personalised recommendations