## Various news, mostly about isogeny cryptography

1. The NIST Post-Quantum Cryptography standardisation process has begun.
The Round 1 Submissions are here. Of particular interest to this blog is the SIKE proposal Supersingular Isogeny Key Encapsulation. The submitters of this proposal are David Jao, Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Amir Jalali, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev and David Urbanik.

The submission contains an IND-CCA KEM based on SIDH. We briefly sketch the idea.
Let $E$ be the base curve and let $E_B$ be Bob’s public key (I’m omitting the points for brevity). The key encapsulation algorithm samples a random string $m$ and computes the hash value $r = G(m, E_B )$. Then $r$ is used to generate the ephemeral isogeny $\phi : E \to E_A$ as in standard SIDH. The ciphertext includes $E_A$ and $F( j( E_{AB} )) \oplus m$ where $F$ is another hash function. Decapsulation uses the usual SIDH ideas to compute $j( E_{AB} )$ and hence get $m$. Bob then recomputes $r$ and verifies the correctness of all the computations by Alice.

I highly recommend to view this submission if you are interested in isogeny crypto.

The First PQC Standardization Conference will take place in Florida on April 12-13, 2018.

2. The conference PQ Crypto 2018 takes place in Fort Lauderdale, Florida on April 11-13, 2018. There are two papers about supersingular isogeny crypto:

• Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira, Javad Doliskani, and Paulo S. L. M. Barreto. Faster isogeny-based compressed key agreement.
• Joost Renes. Computing Isogenies between Montgomery Curves Using the Action of (0,0).

3. I have posted to eprint the paper Authenticated key exchange for SIDH. The paper is a survey of issues and challenges with authenticated key exchange based on supersingular isogenies. I submitted a much less complete version of this paper to PQ Crypto and I am very grateful that it was rejected and that the referees told me lots of things I did not know about.

Some of the things I explain in this paper are: that an authenticated key exchange (AKE) protocol due to Jeong, Katz and Lee (from 2004) can be adapted to work with isogeny crypto; that this approach is more efficient than generic conversions from IND-CCA KEMs (e.g., the transform due to Boyd, Cliff, González Nieto and Paterson from 2009); that post-quantum security for AKE does not require quantum-secure arguments like the quantum random oracle model.

4. The Eurocrypt 2018 accepted papers are available. There are two papers that may be of particular interest to readers of this blog.

• Henry Corrigan-Gibbs and Dmitry Kogan. The Discrete-Logarithm Problem with Preprocessing.
• Kirsten Eisentraeger, Sean Hallgren, Kristin Lauter, Travis Morrison and Christophe Petit. Supersingular isogeny graphs and endomorphism rings: reductions and solutions.

This paper is a merge of the two papers 2017/986 and 2017/962.

5. The first volume of IACR Transactions on Cryptographic Hardware and Embedded Systems is available. It will be good to keep an eye on this journal, which is the new publication outlet for the CHES conference. The first issue contains a paper about Diffie-Hellman on Kummer surfaces.

6. The submission deadline for ASIACRYPT 2018 is May 11. Please submit your best papers and enjoy a December break in wonderful Brisbane!

— Steven Galbraith