[cryptography] Supersingular Isogeny DH
tiepelt at dev-nu11.de
Thu Jul 9 05:58:05 EDT 2015
well thanks for reply :)
The key exchange does not rely on using two different points.
I will try to explain i little more general:
I generate my l-torsion subgroup by two points:
<P, Q> = E[l]
During Key exchange i define my kernel using linear combination of
kernel = [m] * P + [n] * Q
So i wondered why i need two points. To generate the torsion subgroup it
would suffice to use one point:
<P> = E[l]
And to generate the kernel the linear combination of one points would
kernel = [m] * P
So why is the protocol using zwo points for each? I that purely a
security issue to ensure that the torsion subgroup is no cyclic anymore?
On 07/09/2015 10:24 AM, coderman wrote:
> On 7/8/15, Marcel <tiepelt at dev-nu11.de> wrote:
>> So my question is, why do i need to random values m_A and n_A to compute
>> the torsiongroup E[l_A] and respectively the kernel K_A ?
>> Why does is not suffice to use only 1 point to generate E[l_A] and
>> Kernel K_A ?
> it is late, and i may mis understand,
> yet the two are requisite for peers arriving at a shared secret by way
> of these constructed isogeny; and the random values necessary to not
> give too much (confirm secret values, without exposing secret values)
> i found this paper a helpful expansion on the subject:
> "In this paper, we mainly explore the efficiency of implementing recently
> proposed isogeny-based post-quantum public key cryptography..."
> specifically the graph on page 5. note that the key exchange relies on
> finding a path connecting vertices in a graph of supersingular
> isogenies - thus a pair on both ends, not just a pair arrived at among
> both participants.
> if this is clear as mud, i will try tomorrow on a fresh brain :)
> best regards,
More information about the cryptography