Постквантовые криптосистемы: открытые вопросы и существующие решения. Криптосистемы на изогениях и кодах, исправляющих ошибки
Постквантовые криптосистемы: открытые вопросы и существующие решения. Криптосистемы на изогениях и кодах, исправляющих ошибки
Аннотация:
Представлен обзор основных постквантовых криптографических схем на основе кодов, исправляющих ошибки, и изогений эллиптических кривых, а также вычислительно трудных задач, лежащих в их основе. Особое внимание уделено описанию атак на представленные схемы. В частности, для кодовых криптосистем описаны атаки на основе информационных совокупностей и расщепления носителя, для криптосистем на изогениях дано подробное описание атаки Кастрика — Декру на схему SIDH/SIKE.
Табл. 2, библиогр. 43.
Литература:
- Малыгина Е. С., Токарева Н. Н., Куценко А. В. [и др.]. Постквантовые криптосистемы: открытые вопросы и существующие решения. Криптосистемы на решётках // Дискрет. анализ и исслед. операций. 2023. Т. 30, № 4. С. 46–90.
- Courtois N. T., Finiasz M., Sendrier N. How to achieve a McEliece-based digital signature scheme // Advances in cryptology — ASIACRYPT’01. Proc. Int. Conf. Theory and Application of Cryptology (Gold Coast, Australia, Dec. 9–13, 2001). Heidelberg: Springer, 2001. P. 157–174. (Lect. Notes Comput. Sci.; V. 2248).
- Stern J. A new paradigm for public key identification // IEEE Trans. Inf. Theory. 1996. V. 42, No. 6. P. 1757–1768.
- Childs A., Jao D., Soukharev V. Constructing elliptic curve isogenies in quantum subexponential time // J. Math. Cryptology. 2014. V. 8, No. 1. P. 1–29. DOI: 10.1515/jmc-2012-0016.
- McEliece R. J. A public-key cryptosystem based on algebraic coding theory // The deep space network. Progress report 42-44. Pasadena, CA: California Inst. Technol., 1978. P. 114–116.
- Niederreiter H. Knapsack-type cryptosystems and algebraic coding theory // J. Prob. Contr. Inform. Theory. 1986. V. 15, No. 2. P. 159–166.
- Niederreiter H., Xing C. Algebraic geometry in coding theory and cryptography. Princeton, NJ: Princeton Univ. Press, 2009. 272 p.
- Minder L., Shokrollahi A. Cryptanalysis of the Sidelnikov cryptosystem // Advances in cryptology — EUROCRYPT’07. Proc. Int. Conf. Theory and Applications of Cryptographic Techniques (Barcelona, Spain, May 20–24, 2007). Heidelberg: Springer, 2007. P. 347–360. (Lect. Notes Comput. Sci.; V. 4515). DOI: 10.1007/978-3-540-72540-4_20.
- Berlekamp E., McEliece R. J., van Tilborg H. On the inherent intractability of certain coding problems // IEEE Trans. Inf. Theory. 1978. V. 24, No. 3. P. 384–386.
- Lee P. J., Brickell E. F. An observation on the security of McEliece’s publickey cryptosystem // Advances in cryptology — EUROCRYPT’88. Proc. Workshop Theory and Application of Cryptographic Techniques (Davos, Switzerland, May 25–27, 1988). Heidelberg: Springer, 1988. P. 275–280. (Lect. Notes Comput. Sci.; V. 330).
- Petrank E., Roth R. Is code equivalence easy to decide? // IEEE Trans. Inf. Theory. 1997. V. 43, No. 5. P. 1602–1604.
- Sendrier N. Finding the permutation between equivalent linear codes: The support splitting algorithm // IEEE Trans. Inf. Theory. 2000. V. 46, No. 4. P. 1193–1203. DOI: 10.1109/18.850662.
- Misoczki R., Tillich J.-P., Sendrier N., Barreto P. MDPC-McEliece: New McEliece variants from moderate density parity-check codes // Proc. IEEE Int. Symp. Information Theory (Istanbul, Turkey, Jul. 7–12, 2013). Los Alamitos, CA: IEEE Comput. Soc., 2013. P. 2069–2073. DOI: 10.1109/ISIT.2013.6620590.
- Drucker N., Gueron S., Kostic D. QC-MDPC decoders with several shades of gray // Post-quantum cryptography. Proc. Int. Conf. (Paris, France, Apr. 15–17, 2020). Cham: Springer, 2020. P. 35–50. (Lect. Notes Comput. Sci.; V. 12100).
- Torres R. C., Sendrier N. Analysis of information set decoding for a sublinear error weight // Post-quantum cryptography. Proc. Int. Conf. (Fukuoka, Japan, Feb. 24–26, 2016). Cham: Springer, 2016. P. 144–161. (Lect. Notes Comput. Sci.; V. 9606).
- Fujisaki E., Okamoto T. Secure integration of asymmetric and symmetric encryption schemes // J. Cryptology. 2013. V. 26. P. 80–101.
- Bindel N., Hamburg M., Hövelmanns K., Hülsing A., Persichetti E. Tighter proofs of CCA security in the quantum random oracle model // Theory of cryptography. Proc. Int. Conf. (Nuremberg, Germany, Dec. 1–5, 2019). Cham: Springer, 2019. P. 61–90. (Lect. Notes Comput. Sci.; V. 11892). DOI: 10.1007/978-3-030-36033-7_3.
- Aguilar-Melchor C., Blazy O., Deneuville J.-C., Gaborit P., Zémor G. Efficient encryption from random quasi-cyclic codes // IEEE Trans. Inf. Theory. 2018. V. 64, No. 5. P. 3927–3943.
- Aragon N., Gaborit P., Zémor G. HQC-RMRS, an instantiation of the HQC encryption framework with a more efficient auxiliary error-correcting code. Ithaca, NY: Cornell Univ., 2005. (Cornell Univ. Libr. e-Print Archive; arXiv:2005.10741).
- Doche C., Lange T. Arithmetic of elliptic curves // Handbook of elliptic and hyperelliptic curve cryptography. Boca Raton, FL: Chapman & Hall/CRC Press, 2006. P. 267–302.
- Болотов А. А., Гашков С. Б., Фролов А. Б., Часовских А. А. Элементарное введение в эллиптическую криптографию: Алгебраические и алгоритмические основы. М.: КомКнига, 2006.
- Sutherland A. Ellipic curves. Isogenies. Lecture notes. Cambridge, MA: MIT, 2022. Available at math.mit.edu/classes/18.783/2022/LectureNotes4.pdf (accessed Dec. 22, 2023).
- Vélu J. Isogénies entre courbes elliptiques // C. R. Acad. Sci. Paris. Sér. A. 1971. V. 273. P. 238-241.
- Duquesne S., Lange T. Arithmetic of hyperelliptic curves //Handbook of elliptic and hyperelliptic curve cryptography. Boca Raton, FL: Chapman & Hall/CRC Press, 2006. P. 303–353.
- Kani E. The number of curves of genus two with elliptic differentials // J. Reine Angew. Math. 1997. V. 485. P. 93-122.
- Flynn E. V., Ti Y. B. Genus two isogeny cryptography // Post-quantum cryptography. Proc. Int. Conf. (Chongquin, China, May 10–12, 2019). Cham: Springer, 2019. P. 286–306. (Lect. Notes Comput. Sci.; V. 11505).
- Castryck W., Decru T., Smith B. Hash functions from superspecial genus-2 curves using Richelot isogenies // J. Math. Cryptology. 2020. V. 14, No. 1. P. 268–292.
- Alamati N., de Feo L., Montgomery H., Patranabis S. Cryptographic group actions and applications. San Diego: Univ. California, 2020. (Cryptology ePrint Archive, Paper ID 2020/1188). Available at eprint.iacr.org/2020/ 1188.pdf (accessed Dec. 22, 2023).
- De Feo L., Jao D., Plût J. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. San Diego: Univ. California, 2011. (Cryptology ePrint Archive, Paper ID 2011/506). Available at eprint.iacr.org/ 2011/506.pdf (accessed Dec. 22, 2023).
- Castryck W., Decru T. An efficient key recovery attack on SIDH. San Diego: Univ. California, 2022. (Cryptology ePrint Archive, Paper ID 2022/975). Available at eprint.iacr.org/2022/975.pdf (accessed Dec. 22, 2023).
- Castryck W., Lange T., Martindale C., Panny L., Renes J. CSIDH: An efficient post-quantum commutative group action. San Diego: Univ. California, 2018. (Cryptology ePrint Archive, Paper ID 2018/383). Available at eprint. iacr.org/2018/383.pdf (accessed Dec. 22, 2023).
- Chi-Domínguez J.-J., Rodríguez-Henríquez F. Optimal strategies for CSIDH // J. Adv. Math. Commun. 2022. V. 16, No. 2. P. 383–411.
- Cohen H. A course in computational algebraic number theory. Berlin: Springer, 1993. 536 p.
- Maino L., Martindale C. An attack on SIDH with arbitrary starting curve. San Diego: Univ. California, 2022. (Cryptology ePrint Archive, Paper ID 2022/1026). Available at eprint.iacr.org/2022/1026.pdf (accessed Dec. 22, 2023).
- Robert D. Breaking SIDH in polynomial time. San Diego: Univ. California, 2022. (Cryptology ePrint Archive, Paper ID 2022/1038). Available at eprint.iacr.org/2022/1038.pdf (accessed Dec. 22, 2023).
- Howe E. W., Leprevost F., Poonen B. Large torsion subgroups of split Jacobians of curves of genus two or three // J. Forum Math. 2000. V. 12, No. 3. P. 315–364.
- Bruin N., Flynn E. V., Testa D. Descent via (3, 3)-isogeny on Jacobians of genus 2 curves // J. Acta Arithmetica. 2014. V. 165, No. 3. P. 201–223.
- Cosset R., Robert D. Computing (ℓ, ℓ)-isogenies in polynomial time on Jacobians of genus 2 curves // Math. Comput. 2015. V. 84, No. 294. P. 1953–1975.
- Milio E. Computing isogenies between Jacobians of curves of genus 2 and 3 // Math. Comput. 2020. V. 89, No. 323. P. 1331–1364.
- De Feo L., Dobson S., Galbraith S. D., Zobernig L. SIDH proof of knowledge. San Diego: Univ. California, 2021. (Cryptology ePrint Archive, Paper ID 2021/1023). Available at eprint.iacr.org/2021/1023.pdf (accessed Dec. 22, 2023).
- De Feo L., Kieffer J., Smith B. Towards practical key exchange from ordinary isogeny graphs // Advances in cryptology — ASIACRYPT’18. Proc. Int. Conf. Theory and Application of Cryptology (Brisbane, Australia, Dec. 2–6, 2018). Cham: Springer, 2018. P. 365–394. (Lect. Notes Comput. Sci.; V. 11274).
- Dartois P., de Feo L. On the security of OSIDH // Public-key cryptography — PKC 2022. Proc. 25th IACR Int. Conf. Practice and Theory of PublicKey Cryptography (Yokohama, Japan, Mar. 8–11, 2022). Pt. I. Cham: Springer, 2022. P. 52–81. (Lect. Notes Comput. Sci.; V. 13177).
- Colò L., Kohel D. Orienting supersingular isogeny graphs // J. Math. Cryptology. 2020. V. 14, No. 1. P. 414–437.
Работа первого, третьего и четвёртого авторов выполнена при поддержке Северо-западного центра математических исследований им. С. Ковалевской (Балтийский федеральный университет им. И. Канта) в рамках соглашения с Министерством науки и высшего образования Российской Федерации (соглашение № 075–02–2023–934). Работа второго, пятого, шестого, седьмого и восьмого авторов выполнена при поддержке Математического центра в Академгородке в рамках соглашения с Министерством науки и высшего образования Российской Федерации (соглашение № 075–15–2022–282).
Малыгина Екатерина Сергеевна
- Балтийский федеральный университет им. И. Канта,
ул. Александра Невского, 14, 236041 Калининград, Россия - Новосибирский гос. университет,
ул. Пирогова, 2, 630090 Новосибирск, Россия
E-mail: emalygina@kantiana.ru
Куценко Александр Владимирович
- Новосибирский гос. университет,
ул. Пирогова, 2, 630090 Новосибирск, Россия
E-mail: alexandrkutsenko@bk.ru
Новосёлов Семён Александрович
- Балтийский федеральный университет им. И. Канта,
ул. Александра Невского, 14, 236041 Калининград, Россия
E-mail: novsem@gmail.com
Колесников Никита Сергеевич
- Балтийский федеральный университет им. И. Канта,
ул. Александра Невского, 14, 236041 Калининград, Россия
E-mail: nikolesnikov100@gmail.com
Бахарев Александр Олегович
- Новосибирский гос. университет,
ул. Пирогова, 2, 630090 Новосибирск, Россия
E-mail: a.bakharev@g.nsu.ru
Хильчук Ирина Сергеевна
- Новосибирский гос. университет,
ул. Пирогова, 2, 630090 Новосибирск, Россия
E-mail: irina.khilchuk@gmail.com
Шапоренко Александр Сергеевич
- Новосибирский гос. университет,
ул. Пирогова, 2, 630090 Новосибирск, Россия
E-mail: shaporenko.alexandr@gmail.com
Токарева Наталья Николаевна
- Новосибирский гос. университет,
ул. Пирогова, 2, 630090 Новосибирск, Россия - Балтийский федеральный университет им. И. Канта,
ул. Александра Невского, 14, 236041 Калининград, Россия
E-mail: crypto1127@mail.ru
Статья поступила 11 мая 2023 г.
После доработки — 7 августа 2023 г.
Принята к публикации 22 сентября 2023 г.
Abstract:
This paper is a survey of modern post-quantum cryptographic schemes based on codes and isogenies. Special attention is paid to cryptanalysis of these schemes. In particular, for code-based cryptosystems we describe the information set decoding and the support splitting algorithm as main attacks, and for cryptosystems based on isogenies we describe in detail the Castryck — Decru attack on SIDH/SIKE.
Tab. 2, bibliogr. 43.
References:
- E. S. Malygina, N. N. Tokareva, A. V. Kutsenko [et al.]. Post-quantum cryptosystems: Open questions and solutions. Lattice-based cryptosystems, Diskretn. Anal. Issled. Oper. 30 (4), 46–90 (2023) [Russian] [J. Appl. Ind. Math. 17 (4), 767–790 (2023)].
- N. T. Courtois, M. Finiasz, and N. Sendrier, How to achieve a McEliecebased digital signature scheme, in Advances in Cryptology — ASIACRYPT’01, Proc. Int. Conf. Theory and Application of Cryptology (Gold Coast, Australia, Dec. 9–13, 2001) (Springer, Heidelberg, 2001), pp. 157–174 (Lect. Notes Comput. Sci., Vol. 2248).
- J. Stern, A new paradigm for public key identification, IEEE Trans. Inf. Theory 42 (6), 1757–1768 (1996).
- A. Childs, D. Jao, and V. Soukharev, Constructing elliptic curve isogenies in quantum subexponential time, J. Math. Cryptology 8 (1), 1–29 (2014), DOI: 10.1515/jmc-2012-0016.
- R. J. McEliece, A public-key cryptosystem based on algebraic coding theory, in The Deep Space Network, Prog. Rep. 42-44 (California Inst. Tech., Pasadena, CA, 1978), pp. 114–116.
- H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory, J. Prob. Contr. Inform. Theory 15 (2), 159–166 (1986).
- H. Niederreiter and C. Xing, Algebraic Geometry in Coding Theory and Cryptography (Princeton Univ. Press, Princeton, NJ, 2009).
- L. Minder and A. Shokrollahi, Cryptanalysis of the Sidelnikov cryptosystem, in Advances in Cryptology — EUROCRYPT’07, Proc. Int. Conf. Theory and Applications of Cryptographic Techniques (Barcelona, Spain, May 20–24, 2007) (Springer, Heidelberg, 2007), pp. 347–360 (Lect. Notes Comput. Sci., Vol. 4515), DOI: 10.1007/978-3-540-72540-4_20.
- E. Berlekamp, R. J. McEliece, and H. van Tilborg, On the inherent intractability of certain coding problems, IEEE Trans. Inf. Theory 24 (3), 384–386 (1978).
- P. J. Lee and E. F. Brickell, An observation on the security of McEliece’s public-key cryptosystem, in Advances in Cryptology — EUROCRYPT’88, Proc. Workshop Theory and Application of Cryptographic Techniques (Davos, Switzerland, May 25–27, 1988) (Springer, Heidelberg, 1988), pp. 275–280 (Lect. Notes Comput. Sci., Vol. 330).
- E. Petrank and R. Roth, Is code equivalence easy to decide?, IEEE Trans. Inf. Theory 43 (5), 1602–1604 (1997).
- N. Sendrier, Finding the permutation between equivalent linear codes: The support splitting algorithm, IEEE Trans. Inf. Theory 46 (4), 1193–1203 (2000), DOI: 10.1109/18.850662.
- R. Misoczki, J.-P. Tillich, N. Sendrier, and P. Barreto, MDPC-McEliece: New McEliece variants from moderate density parity-check codes, in Proc. IEEE Int. Symp. Information Theory (Istanbul, Turkey, Jul. 7–12, 2013) (IEEE Comput. Soc., Los Alamitos, CA, 2013), pp. 2069–2073, DOI: 10.1109/ISIT.2013.6620590.
- N. Drucker, S. Gueron, and D. Kostic, QC-MDPC decoders with several shades of gray, in Post-Quantum Cryptography, Proc. Int. Conf. (Paris, France, Apr. 15–17, 2020) (Springer, Cham, 2020), pp. 35–50 (Lect. Notes Comput. Sci., Vol. 12100).
- R. C. Torres and N. Sendrier, Analysis of information set decoding for a sublinear error weight, in Post-Quantum Cryptography, Proc. Int. Conf. (Fukuoka, Japan, Feb. 24–26, 2016) (Springer, Cham, 2016), pp. 144–161 (Lect. Notes Comput. Sci., Vol. 9606).
- E. Fujisaki and T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, J. Cryptology 26, 80–101 (2013).
- N. Bindel, M. Hamburg, K. Hövelmanns, A. Hülsing, and E. Persichetti, Tighter proofs of CCA security in the quantum random oracle model, in Theory of Cryptography, Proc. Int. Conf. (Nuremberg, Germany, Dec. 1–5, 2019) (Springer, Cham, 2019), pp. 61–90 (Lect. Notes Comput. Sci., Vol. 11892), DOI: 10.1007/978-3-030-36033-7_3.
- C. Aguilar-Melchor, O. Blazy, J.-C. Deneuville, P. Gaborit, and G. Zémor, Efficient encryption from random quasi-cyclic codes, IEEE Trans. Inf. Theory 64 (5), 3927–3943 (2018).
- N. Aragon, P. Gaborit, and G. Zémor, HQC-RMRS, an instantiation of the HQC encryption framework with a more efficient auxiliary error-correcting code (Cornell Univ., Ithaca, NY, 2005) (Cornell Univ. Libr. e-Print Archive; arXiv:2005.10741).
- C. Doche and T. Lange, Arithmetic of elliptic curves, in Handbook of Elliptic and Hyperelliptic Curve Cryptography (Chapman & Hall/CRC Press, Boca Raton, FL, 2006), pp. 267–302.
- A. A. Bolotov, S. B. Gashkov, A. B. Frolov, and A. A. Chasovskikh, An Elementary Introduction to Ellipic Cryptography: Algebraic and Algorithmic Basics (KomKniga, Moscow, 2006) [Russian].
- A. Sutherland, Ellipic Curves. Isogenies, Lecture Notes (MIT, Cambridge, MA, 2022). Available at math.mit.edu/classes/18.783/2022/LectureNotes4.pdf (accessed Dec. 22, 2023).
- J. Vélu, Isogénies entre courbes elliptiques, C. R. Acad. Sci., Paris, Sér. A, 273, 238–241 (1971).
- S. Duquesne and T. Lange, Arithmetic of hyperelliptic curves, in Handbook of Elliptic and Hyperelliptic Curve Cryptography (Chapman & Hall/CRC Press, Boca Raton, FL, 2006), pp. 303–353.
- E. Kani, The number of curves of genus two with elliptic differentials, J. Reine Angew. Math. 485, 93-122 (1997).
- E. V. Flynn and Y. B. Ti, Genus two isogeny cryptography, in Post-Quantum Cryptography, Proc. Int. Conf. (Chongquin, China, May 10–12, 2019) (Springer, Cham, 2019), pp. 286–306 (Lect. Notes Comput. Sci., Vol. 11505).
- W. Castryck, T. Decru, and B. Smith, Hash functions from superspecial genus-2 curves using Richelot isogenies, J. Math. Cryptology 14 (1), 268–292 (2020).
- N. Alamati, L. de Feo, H. Montgomery, and S. Patranabis, Cryptographic group actions and applications (Univ. California, San Diego, 2020) (Cryptology ePrint Archive, ID 2020/1188). Available at eprint.iacr.org/ 2020/1188.pdf (accessed Dec. 22, 2023).
- L. De Feo, D. Jao, PlJ. ut, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies (Univ. California, San Diego, 2011) (Cryptology ePrint Archive, ID 2011/506). Available at eprint.iacr.org/2011/ 506.pdf (accessed Dec. 22, 2023).
- W. Castryck and T. Decru, An efficient key recovery attack on SIDH (Univ. California, San Diego, 2022) (Cryptology ePrint Archive, ID 2022/975). Available at eprint.iacr.org/2022/975.pdf (accessed Dec. 22, 2023).
- W. Castryck, T. Lange, C. Martindale, L. Panny, and J. Renes, CSIDH: An efficient post-quantum commutative group action (Univ. California, San Diego, 2018) (Cryptology ePrint Archive, ID 2018/383). Available at eprint.iacr.org/2018/383.pdf (accessed Dec. 22, 2023).
- J.-J. Chi-Domínguez and F. Rodríguez-Henríquez, Optimal strategies for CSIDH, J. Adv. Math. Commun. 16 (2), 383–411 (2022).
- H. Cohen, A Course in Computational Algebraic Number Theory (Springer, Berlin, 1993).
- L. Maino and C. Martindale, An attack on SIDH with arbitrary starting curve (Univ. California, San Diego, 2022) (Cryptology ePrint Archive, ID 2022/1026). Available at eprint.iacr.org/2022/1026.pdf (accessed Dec. 22, 2023).
- D. Robert, Breaking SIDH in polynomial time (Univ. California, San Diego, 2022) (Cryptology ePrint Archive, ID 2022/1038). Available at eprint.iacr.org/2022/1038.pdf (accessed Dec. 22, 2023).
- E. W. Howe, F. Leprevost, and B. Poonen, Large torsion subgroups of split Jacobians of curves of genus two or three, J. Forum Math. 12 (3), 315–364 (2000).
- N. Bruin, E. V. Flynn, and D. Testa, Descent via (3, 3)-isogeny on Jacobians of genus 2 curves, J. Acta Arithmetica 165 (3), 201–223 (2014).
- R. Cosset and D. Robert, Computing (ℓ, ℓ)-isogenies in polynomial time on Jacobians of genus 2 curves, Math. Comput. 84 (294), 1953–1975 (2015).
- E. Milio, Computing isogenies between Jacobians of curves of genus 2 and 3, Math. Comput. 89 (323), 1331–1364 (2020).
- L. De Feo, S. Dobson, S. D. Galbraith, and L. Zobernig, SIDH proof of knowledge (Univ. California, San Diego, 2021) (Cryptology ePrint Archive, ID 2021/1023). Available at eprint.iacr.org/2021/1023.pdf (accessed Dec. 22, 2023).
- L. De Feo, J. Kieffer, and B. Smith, Towards practical key exchange from ordinary isogeny graphs, in Advances in Cryptology — ASIACRYPT’18, Proc. Int. Conf. Theory and Application of Cryptology (Brisbane, Australia, Dec. 2–6, 2018) (Springer, Cham, 2018), pp. 365–394 (Lect. Notes Comput. Sci., Vol. 11274).
- P. Dartois and L. de Feo, On the security of OSIDH, in Public-Key Cryptography — PKC 2022, Proc. 25th IACR Int. Conf. Practice and Theory of Public-Key Cryptography (Yokohama, Japan, Mar. 8–11, 2022), Pt. I (Springer, Cham, 2022), pp. 52–81 (Lect. Notes Comput. Sci., Vol. 13177).
- L. Colò and D. Kohel, Orienting supersingular isogeny graphs, J. Math. Cryptology 14 (1), 414–437 (2020).