[cryptography] Supersingular Isogeny DH

Marcel tiepelt at dev-nu11.de
Thu Jul 9 05:58:05 EDT 2015

well thanks for reply :)
The key exchange does not rely on using two different points.

I will try to explain i little more general:
I generate my l-torsion subgroup by two points:
<P, Q> = E[l]
During Key exchange i define my kernel using linear combination of
random values:
m, n
kernel = [m] * P + [n] * Q

So i wondered why i need two points. To generate the torsion subgroup it
would suffice to use one point:
<P> = E[l]
And to generate the kernel the linear combination of one points would
suffice too:
kernel = [m] * P

So why is the protocol using zwo points for each? I that purely a
security issue to ensure that the torsion subgroup is no cyclic anymore?


On 07/09/2015 10:24 AM, coderman wrote:
> On 7/8/15, Marcel <tiepelt at dev-nu11.de> wrote:
>> ...
>> So my question is, why do i need to random values m_A and n_A to compute
>> the torsiongroup E[l_A] and respectively the kernel K_A ?
>> Why does is not suffice to use only 1 point to generate E[l_A] and
>> Kernel K_A ?
> it is late, and i may mis understand,
> yet the two are requisite for peers arriving at a shared secret by way
> of these constructed isogeny; and the random values necessary to not
> give too much (confirm secret values, without exposing secret values)
> i found this paper a helpful expansion on the subject:
>   http://cacr.uwaterloo.ca/techreports/2014/cacr2014-20.pdf
> "In this paper, we mainly explore the efficiency of implementing recently
> proposed isogeny-based post-quantum public key cryptography..."
> specifically the graph on page 5. note that the key exchange relies on
> finding a path connecting vertices in a graph of supersingular
> isogenies - thus a pair on both ends, not just a pair arrived at among
> both participants.
> if this is clear as mud, i will try tomorrow on a fresh brain :)
> best regards,

More information about the cryptography mailing list