Abstract
We speed up the isogeny-based “SeaSign” signature scheme recently proposed by De Feo and Galbraith. The core idea in SeaSign is to apply the “Fiat–Shamir with aborts” transform to the parallel repeated execution of an identification scheme based on CSIDH. We optimize this general transform by allowing the prover to not answer a limited number of said parallel executions, thereby lowering the overall probability of rejection. The performance improvement ranges between factors of approximately 4.4 and 65.7 for various instantiations of the scheme, at the expense of roughly doubling the signature sizes.
Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 643161 (ECRYPT-NET) and in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019. Date of this document: 2019.01.24.
Notes
- 1. In other words: The action of \({\mathbb {Z}}^n\) on X factors through the quotient \(Q={\mathbb {Z}}^n/S\), where \(S\le {\mathbb {Z}}^n\) is the stabilizer of any \(E\in X\), and we assume that Q is “sufficiently” covered by “short” vectors in \({\mathbb {Z}}^n\) under the quotient map \({\mathbb {Z}}^n \twoheadrightarrow Q\).
- 2. Note this representation matches the assumptions in Sect. 1.1.
- 3. Technically there is no reason for \(\delta \) to be an integer: it is sufficient that \(\delta \in \frac{1}{B}\cdot {\mathbb {Z}}\), but we will assume \(\delta \in {\mathbb {Z}}\) throughout for simplicity.
- 4. In [4], S is always a power of 2, but any \(S\ge 2\) works.
- 5. The acronyms \({\mathcal {F}}\) and \({\mathcal {T}}\) refer to “full” and “truncated” ranges, respectively.
- 6. This is why the tuples are processed in a random order: Proceeding sequentially and rejecting the remaining tail still leaks, since the number of rejected tuples at the end would be correlated to the rejection probability.
- 7. Other optimizations could look at the sum of signing and verification time, or even take into account key generation time, but we will not delve into those options.
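As an added illustration (not code from the paper), the following Python computes the acceptance probability of the plain Fiat–Shamir-with-aborts transform and of the variant that tolerates a bounded number of unanswered executions, and simulates the signer's loop with the random-order processing of note 6. The names t (parallel executions) and u (tolerated aborts), the use of one secret for every nonzero challenge, and the assumption that a challenge of 0 is never rejected are mine; B, δ, n and S follow the notation of the notes.

```python
from math import comb
import random

def per_execution_accept(n, B, delta, S):
    """Probability that one execution of the identification scheme passes
    the range check.  Secret e in [-B, B]^n, mask f uniform in
    [-(delta+1)B, (delta+1)B]^n, response z = f - e accepted iff
    z in [-delta*B, delta*B]^n; per coordinate this is independent of e.
    A challenge of 0 (probability 1/S) reveals f alone, so it is never
    rejected (assumption of this example)."""
    p_coord = (2 * delta * B + 1) / (2 * (delta + 1) * B + 1)
    return 1 / S + (1 - 1 / S) * p_coord ** n

def accept_all(p, t):
    """Plain transform: all t parallel executions must pass."""
    return p ** t

def accept_at_most_u_aborts(p, t, u):
    """Improved transform: signing succeeds if at most u of t are rejected."""
    return sum(comb(t, j) * p ** (t - j) * (1 - p) ** j for j in range(u + 1))

def sign_attempts(n, B, delta, S, t, u, seed=0):
    """Simulate the signer's loop; return (attempts, responses).
    Tuples are visited in random order (note 6); a rejected tuple is
    left as None (standing in for the bottom symbol) rather than answered,
    and the attempt restarts once more than u tuples have been rejected."""
    rng = random.Random(seed)
    e = [rng.randint(-B, B) for _ in range(n)]            # constructed secret
    attempts = 0
    while True:
        attempts += 1
        masks = [[rng.randint(-(delta + 1) * B, (delta + 1) * B)
                  for _ in range(n)] for _ in range(t)]
        challenges = [rng.randrange(S) for _ in range(t)]  # stand-in for the hash
        responses, rejected = [None] * t, 0
        for i in rng.sample(range(t), t):                   # random order
            if challenges[i] == 0:
                responses[i] = masks[i]                     # full range, no check
                continue
            z = [f - s for f, s in zip(masks[i], e)]
            if all(-delta * B <= zi <= delta * B for zi in z):
                responses[i] = z                            # truncated range
            else:
                rejected += 1
                if rejected > u:
                    break                                   # restart attempt
        else:
            return attempts, responses
```

The expected number of attempts is the reciprocal of the acceptance probability, so comparing accept_all with accept_at_most_u_aborts for the same p and t shows how much of the restart cost the bounded-abort variant removes.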
References
[1] Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
[2] Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006/291 (1997). https://ia.cr/2006/291
[3] De Feo, L.: Mathematics of isogeny based cryptography (2017). https://defeo.lu/ema2017/poly.pdf
[4] De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. IACR Cryptology ePrint Archive 2018/824 (2018). https://ia.cr/2018/824
[5] Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
[6] Jao, D., et al.: SIKE. Submission to [10]. http://sike.org
[7] Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
[8] Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
[9] Meyer, M., Reith, S.: A faster way to the CSIDH. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 137–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_8. https://ia.cr/2018/782
[10] National Institute of Standards and Technology: Post-quantum cryptography standardization, December 2016. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization
[11] Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006/145 (2006). https://ia.cr/2006/145
[12] Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://arxiv.org/abs/quant-ph/9508027
[13] Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
[14] The Sage Developers: SageMath, the Sage Mathematics Software System (version 8.4) (2018). https://sagemath.org
A Script for Table 1
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Decru, T., Panny, L., Vercauteren, F. (2019). Faster SeaSign Signatures Through Improved Rejection Sampling. In: Ding, J., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science(), vol 11505. Springer, Cham. https://doi.org/10.1007/978-3-030-25510-7_15
DOI: https://doi.org/10.1007/978-3-030-25510-7_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25509-1
Online ISBN: 978-3-030-25510-7