Towards Isogeny-Based Password-Authenticated Key Establishment

2.1 Password-Authenticated Key Establishment

The PAKE security model of Bellare, Pointcheval, and Rogaway (BPR) [1] is very similar to the Canetti-Krawczyk (CK) security model [5] for authenticated key establishment. The complete model specification appears in Appendix A; here we only point out the major differences between the two. While the CK security model includes public-key infrastructure (i.e., each party registers a keypair, and the public keys are published), in the BPR model there are two kinds of parties—clients and servers—and clients choose passwords according to some distribution on a dictionary and share them with the servers. Of course, in the real world, passwords are low-entropy secrets; this is typically modelled by having passwords be chosen by parties uniformly from a set called the password dictionary which is small enough that it can be enumerated efficiently. In particular, attacks which involve “checking all passwords” are feasible. The examples in the following section illustrate this concept.

Two Insecure PAKEs

To illustrate the consequences of the low-entropy nature of passwords, we present two protocols which admit attacks that exploit it.

1. Diffie-Hellman + MAC Let MAC be a message authentication code protocol. Augment the Diffie-Hellman protocol by having each party send a MAC tag on each of their messages, using the password as the key; have the parties abort if any tag they receive is not consistent with the password and incoming message. Though this is reminiscent of the SIG-DH protocol of [5] (which is secure in the CK model), the low entropy of the password distribution means that it is susceptible to a straightforward offline dictionary attack: upon seeing a single message and tag (m, t), an adversary can simply check whether t = MAC_π(m) for each password π in the dictionary. With overwhelming probability equality will hold for exactly one password π^*, which is the party’s true password. Once the password is recovered, the adversary can successfully mount a man-in-the-middle attack.

2. Randomized-base Diffie-Hellman Consider a modified version of Diffie-Hellman in a group G = 〈g〉 of order N as follows. Let H be a hash function which maps the password dictionary into (ℤ/Nℤ)^*. Instead of using the fixed base g, parties use base g^H(π) when constructing their messages, so that if the ephemeral secret is a, the message is m = g^aH(π). The shared secret is constructed as in Diffie-Hellman: if the messages are m = g^aH(π) and m^′ = g^bH(π), the shared secret is (m^′)^a = g^abH(π) = m^b. An adversary can attack the protocol by intercepting a message m = g^aH(π) from Alice and inserting their own message m^′′ = g^c. Alice will compute a shared secret s = g^ac, while the adversary can compute a “potential” shared secret s′(π′)=mcH(π′)−1 for each password π^′. By issuing a password reveal query on Alice’s session, the adversary can determine Alice’s true password from s and the list of s^′(π^′).

2.2 Isogenies

We provide a brief review of the background information. For further details on the mathematical foundations of isogenies, we refer the reader to [15, 25]. Given two elliptic curves E₁ and E ₂ over some finite field 𝔽_q of size q, an isogeny ϕ:E1→E2 is an algebraic morphism which is a group homomorphism. The degree of ϕ, denoted deg(ϕ), is its degree as an algebraic morphism. Two elliptic curves are isogenous if there exists an isogeny between them. Given an isogeny ϕ:E1→E2 of degree n, there is another isogeny ϕˆ:E2→E1 (the dual isogeny) of degree n satisfying ϕ∘ϕˆ=ϕˆ∘ϕ=[n] (the multiplication-by-n map). Thus “being isogenous” is an equivalence relation. For any n ∈ N, define the subgroup E[n]={P∈E(Fˉq):nP=∞}. The group E [n] is isomorphic to (ℤ/nℤ)² whenever gcd(n, q) = 1 [25]. We define the endomorphism ring End(E) to be the set of all isogenies from E to itself, defined over the algebraic closure Fˉq of 𝔽_q. The endomorphism ring is a ring under the operations of point-wise addition and functional composition. If dim_Z(End(E)) = 2, then we say that E is ordinary; otherwise dim_Z(End(E)) = 4 and we say that E is supersingular. Two isogenous curves are either both ordinary or both supersingular. All elliptic curves used in this work are supersingular. The isogeny ϕ:E1→E2 is separable if the extension Fq(E1)/ϕ∗(Fq(E2)) is separable; we will only consider separable isogenies. An important property of a separable isogeny ϕ is that |kerϕ|=degϕ [25, III.4.10(c)]. The kernel uniquely defines the isogeny up to isomorphism. Methods for computing and evaluating isogenies are given in [4, 15, 16, 26]. We use isogenies whose kernels are cyclic; in this setting, knowledge of any single generator of the kernel allows for efficient evaluation of the isogeny (up to isomorphism); conversely, the ability to evaluate the isogeny via a black box allows for efficient determination of the kernel. Thus, in our application, the following are equivalent: knowledge of the isogeny, its kernel, or any generator of its kernel.

2.3 Isogeny-Based Cryptography

The first cryptographic construction to use supersingular elliptic curve isogenies is the hash function construction of Charles et al. [7], based on the isogeny graph path-finding problem. Public key cryptography based on isogenies was first introduced by Couveignes [10] and Rostovtsev & Stolbunov [23] using ordinary elliptic curves. Jao and De Feo [15] proposed the first public-key cryptosystem based on supersingular elliptic curve isogenies, along with a new assumption which was subsequently shown [8] to reduce to the path-finding assumption originally proposed in [7]. We review here the operation of the Jao and De Feo key exchange protocol SIDH, which is the foundation for our PAKE.

Fix a prime p of the form ℓAeAℓBeBf±1 where ℓ_A, ℓ_B are small primes, e_A, e_B ∈ N such that ℓAeA≈ℓBeB, and f ∈ N is a small cofactor. Fix a supersingular curve E defined over GF(p²), and bases {P_A, Q_A} and {P_B, Q_B} of E[ℓAeA] and E[ℓBeB] respectively. Alice chooses m_A, nA∈RZ/ℓAeAZ, not both divisible by ℓ_A, and computes an isogeny ϕ_A : E → E _A with kernel 〈m_AP_A + n _AQ _A〉. Alice computes the auxiliary points {ϕA(PB),ϕA(QB)}⊂EA, and sends these points to Bob along with E _A. Bob proceeds analogously. Upon receipt of EBandϕB(PA),ϕB(QA)∈EB from Bob, Alice computes an isogeny ϕA′:EB→EAB with kernel ⟨mAϕB(PA)+nAϕB(QA)⟩; Bob proceeds mutatis mutandis. Alice and Bob can then form a shared secret key using use the common j-of

With almost no loss in generality, private ephemeral keys with m = 1 can be used [9]. In this work we follow that convention.

2.4 The Möbius Action and Auxiliary Point Obfuscation

For a prime ℓ and an integer e, we define

to be the special linear and special reduced upper triangular groups modulo ℓ^e, respectively. If p=ℓAeAℓBeBf±1 is a prime and E is a supersingular elliptic curve defined over GF(p²), ₂(ℓ_A, e_A) acts on E[ℓAeA]2 in a way analogous with ordinary matrix-vector multiplication: if Ψ=αβγδ then ΨXY=αX+βYγX+δY. We use this action to mask auxiliary points, since for any X, Y∈E[ℓAeA] and any Ψ,Ψ′∈Y2(ℓA,eA), for X′Y′=Ψ−1Ψ′XY we have e(X, Y) = e(X^′ , Y^′), where e is the Tate pairing [24, Exercise 10.24]; this prevents a kind of offline dictionary attack, which we elaborate on in Section 4.1.

In the context of isogeny computations, this (left) action of ₂(ℓ_A, e_A) induces a new (right) action (the Möbius action) on Z/ℓAeAZ in the following way: if X′Y′=ΨXY where Ψ=αβγδ, then for any m∈Z/ℓAeAZ

thus we define the right action mΨ:=δm+βγm+α. The two actions are related as above: mapping the auxiliary basis by the action of on E[ℓAeA]2 is equivalent to mapping the m which defines the isogeny’s kernel by the action of on Z/ℓAeAZ. This action relates to a sort of “related-key attack” on SIDH: in an unauthenticated setting, an active adversary can force an honest party to compute a shared key corresponding to an ephemeral key chosen by the adversary and the image of the honest party’s ephemeral key under the action of a known matrix Ψ.

Note that given E_A with E_A = E_K/〈P_A + m_AQ_A〉 and Ψ∈Y2(ℓA,eA) it is easy to find (E_B, X_B, Y_B), E_AB,_Ψ satisfying EAB,Ψ=EB/⟨XB+mAΨYB⟩; simply set E_B = E_K/ ker ϕ for some ℓBeB -isogeny ϕ, and set [X_B, Y_B]^T = Ψ−1[ϕ(PB),ϕ(QB)]T.

2.5 Computational Assumptions

For brevity, the standard assumptions of SIDH appear in Appendix B.

As noted in Section 2.3, to compute the shared secret in SIDH the parties must have the images of the public torsion bases under the secret isogenies. While previous works ignored these “auxiliary points” in favour of standard authentication methods, such as signature schemes [18] or generic transforms [14] to add authentication, here we focus on how we can disrupt man-in-the-middle attacks by obfuscating them. In this section we define a new computational assumption related to computing these auxiliary points. We use the notation of Section 2.3 for our global parameters, and define the security parameter λ = ⌈log₂ p⌉. When P is a computational problem with some global parameters (such as the prime p and global curves and torsion points used in SIDH), we denote by Ins_P(γ) the set of all instances of problem P with global parameters γ. When A is an algorithm for a problem P and ϑ is an instance of P, A(ϑ) denotes the (possibly randomized) output of A on input ϑ. Unif(X) denotes the uniform distribution on a set X.

The asymmetry of the isogeny computations requires us to consider two variants of each of the computational problem: one for ℓAeA -isogenies, and the other for ℓBeB -isogenies. For brevity we present the “Type A” problem, advantage, and assumption here and omit the “Type B” variant, which is defined analogously.

4.1 Successes

4.2 Roadblocks