Cryptography Reference
In-Depth Information
Party A. Input: A, B, sID
  $m_A, n_A \in_R \mathbb{Z}/\ell_A^{e_A}\mathbb{Z}$
  $\phi_A := E_0/\langle [m_A]P_A + [n_A]Q_A \rangle$

Party B. Input: B
  $m_B, n_B \in_R \mathbb{Z}/\ell_B^{e_B}\mathbb{Z}$
  $\phi_B := E_0/\langle [m_B]P_B + [n_B]Q_B \rangle$

A → B: A, sID, $\phi_A(P_B)$, $\phi_A(Q_B)$, $E_A$
B → A: B, sID, $\phi_B(P_A)$, $\phi_B(Q_A)$, $E_B$

Party A:
  $E_{AB} := E_B/\langle [m_A]\phi_B(P_A) + [n_A]\phi_B(Q_A) \rangle$
  Output: $j(E_{AB})$, sID

Party B:
  $E_{BA} := E_A/\langle [m_B]\phi_A(P_B) + [n_B]\phi_A(Q_B) \rangle$
  Output: $j(E_{BA})$, sID

[Diagram relating the curves $E_0$, $E_A$, $E_B$, $E_{AB}$ and $E_{BA}$]

Fig. 1. Key-exchange protocol using isogenies on supersingular curves
information must be communicated as part of the protocol in order to ensure
that both parties arrive at the same common value. This is in contrast to the
ordinary case [19], where the existence of an abelian class group allows for the
straightforward creation of a Diffie-Hellman type system.
3.1 Key Exchange
We fix as public parameters a supersingular curve $E_0$ defined over $\mathbb{F}_{p^2}$, and bases $\{P_A, Q_A\}$ and $\{P_B, Q_B\}$ which generate $E_0[\ell_A^{e_A}]$ and $E_0[\ell_B^{e_B}]$ respectively, so that $\langle P_A, Q_A \rangle = E_0[\ell_A^{e_A}]$ and $\langle P_B, Q_B \rangle = E_0[\ell_B^{e_B}]$. Alice chooses two random elements $m_A, n_A \in_R \mathbb{Z}/\ell_A^{e_A}\mathbb{Z}$, not both divisible by $\ell_A$, and computes an isogeny $\phi_A : E_0 \to E_A$ with kernel $K_A := \langle [m_A]P_A + [n_A]Q_A \rangle$. Alice also computes the image $\{\phi_A(P_B), \phi_A(Q_B)\} \subset E_A$ of the basis $\{P_B, Q_B\}$ for $E_0[\ell_B^{e_B}]$ under her secret isogeny $\phi_A$, and sends these points to Bob together with $E_A$. Similarly, Bob selects random elements $m_B, n_B \in_R \mathbb{Z}/\ell_B^{e_B}\mathbb{Z}$ and computes an isogeny $\phi_B : E_0 \to E_B$ having kernel $K_B := \langle [m_B]P_B + [n_B]Q_B \rangle$, along with the points $\{\phi_B(P_A), \phi_B(Q_A)\}$. Upon receipt of $E_B$ and $\phi_B(P_A), \phi_B(Q_A) \in E_B$
 