Welcome to the resource topic for 2024/1556
Title:
The module action for isogeny based cryptography
Authors: Damien Robert
Abstract:We extend the usual ideal action on oriented elliptic curves to a (Hermitian) module action on oriented (polarised) abelian varieties. Oriented abelian varieties are naturally enriched in R-modules, and our module action comes from the canonical power object construction on categories enriched in a closed symmetric monoidal category. In particular our action is canonical and gives a fully fledged symmetric monoidal action. Furthermore, we give algorithms to compute this action in practice, generalising the usual algorithms in rank~1.
The action allows us to unify in the same framework, on the one hand isogeny based cryptography based on ordinary or oriented elliptic curves, and on the other hand the one based on supersingular elliptic curves defined over \mathbb{F}_{p^2}. In particular, from our point of view, supersingular elliptic curves over \mathbb{F}_p are given by a rank~1 module action, while (the Weil restriction) of those defined over \mathbb{F}_{p^2} are given by a rank~2 module action. As a consequence, rank~2 module action inversion is at least as hard as the supersingular isogeny path problem.
We thus propose to use Hermitian modules as an avatar of a cryptographic symmetric monoidal action framework. This generalizes the more standard cryptographic group action framework, and still allows for a NIKE (Non Interactive Key Exchange). The main advantage of our action is that, presumably, Kuperberg’s algorithm does not apply. Compared to CSIDH, this allows for more compact keys and much better scaling properties.
In practice, we propose the key exchange scheme \otimes-MIKE (Tensor Module Isogeny Key Exchange). Alice and Bob start from a supersingular elliptic curve E_0/\mathbb{F}_p and both compute a 2^n-isogeny over \mathbb{F}_{p^2}. They each send the j-invariant of their curve. Crucially, unlike SIDH, no torsion information at all is required. Their common secret, given by the module action, is then a dimension~4 principally polarised abelian variety. We obtain a very compact post-quantum NIKE: only 64B for NIST level~1 security.
ePrint: https://eprint.iacr.org/2024/1556
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics .