Towards Isogeny-Based Password-Authenticated Key Establishment

Password authenticated key establishment (PAKE) is a cryptographic primitive that allows two parties who share a low-entropy secret (a password) to securely establish cryptographic keys in the absence of public key infrastructure. We propose the first quantum-resistant password-authenticated key exchange scheme based on supersingular elliptic curve isogenies. The scheme is built upon supersingular isogeny Diffie-Hellman [15], and uses the password to generate permutations which obscure the auxiliary points. We include elements of a security proof, and discuss roadblocks to obtaining a proof in the BPR model [1]. We also include some performance results.


Introduction
Many current cryptographic schemes are based on mathematical problems that are considered difficult for classical computers, but can easily be solved using quantum algorithms. To prepare for the emergence of quantum computers, we aim to design cryptographic primitives which will resist quantum attacks. One family of such primitives, proposed by Jao and De Feo [15] and commonly referred to as SIDH, uses isogenies between supersingular elliptic curves to construct quantum-resistant cryptographic protocols for public key cryptography. Subsequent work by Costache et al. [8] has shown that the security of SIDH reduces to the Supersingular Isogeny Graph problem originally proposed by Charles et al. [7].
Password-Authenticated Key Establishment (PAKE) is a primitive in which parties securely establish a common cryptographic key over an insecure channel using a password (modelled as a low-entropy secret). The first PAKE protocol was designed by Bellovin and Merritt in 1992 [3]. Today, many protocols of this type exist; most are based on the discrete logarithm problem in subgroups of $\mathbb{Z}_p^*$ or elliptic curve groups, and are not quantum-safe. Until this work, the only PAKEs built on quantum-safe foundations were lattice-based [12,27]. We propose the first PAKE based on isogenies between supersingular elliptic curves. It is derived from SIDH; notably, the additional operations required are not prohibitively expensive (elliptic curve arithmetic) and do not require additional rounds of communication, and the messages are the same size as in SIDH.
In particular, in SIDH, parties exchange elliptic curves which are images of a fixed public curve under ephemeral secret isogenies; then, each party computes the image of their peer's curve under a related isogeny. Parties also exchange certain points on their ephemeral curves to aid in the computation. In our PAKE protocol, these so-called "auxiliary points" are obfuscated by transforming them according to a certain group action, described in Section 2. The passive security of this protocol comes from the difficulty of finding the correct points (preventing offline dictionary attacks) or performing the computation without them, while the active security comes from the fact that the adversary needs to "commit," in a sense, to a group element in order to actively attack the protocol (preventing all but the most basic online dictionary attacks).

Password-Authenticated Key Establishment
The PAKE security model of Bellare, Pointcheval, and Rogaway (BPR) [1] is very similar to the Canetti-Krawczyk (CK) security model [5] for authenticated key establishment. The complete model specification appears in Appendix A; here we only point out the major differences between the two. While the CK security model includes public-key infrastructure (i.e., each party registers a keypair, and the public keys are published), in the BPR model there are two kinds of parties, clients and servers, and clients choose passwords according to some distribution on a dictionary and share them with the servers. Of course, in the real world, passwords are low-entropy secrets; this is typically modelled by having passwords be chosen by parties uniformly from a set called the password dictionary which is small enough that it can be enumerated efficiently. In particular, attacks which involve "checking all passwords" are feasible. The examples in the following section illustrate this concept.

Two Insecure PAKEs
To illustrate the consequences of the low-entropy nature of passwords, we present two protocols which admit attacks that exploit it.
(i) Diffie-Hellman + MAC. Let MAC be a message authentication code. Augment the Diffie-Hellman protocol by having each party send a MAC tag on each of their messages, using the password as the key; have the parties abort if any tag they receive is not consistent with the password and the incoming message. Though this is reminiscent of the SIG-DH protocol of [5] (which is secure in the CK model), the low entropy of the password distribution means that it is susceptible to a straightforward offline dictionary attack: upon seeing a single message and tag $(m, t)$, an adversary can simply check whether $t = \mathrm{MAC}_\pi(m)$ for each password $\pi$ in the dictionary. With overwhelming probability equality will hold for exactly one password $\pi^*$, which is the party's true password. Once the password is recovered, the adversary can successfully mount a man-in-the-middle attack.

(ii) Randomized-base Diffie-Hellman. Consider a modified version of Diffie-Hellman in a group $G = \langle g \rangle$ of order $N$ as follows. Let $H$ be a hash function which maps the password dictionary into $(\mathbb{Z}/N\mathbb{Z})^*$. Instead of using the fixed base $g$, parties use the base $g^{H(\pi)}$ when constructing their messages, so that if the ephemeral secret is $a$, the message is $m = g^{aH(\pi)}$. The shared secret is constructed as in Diffie-Hellman: if the messages are $m = g^{aH(\pi)}$ and $m' = g^{bH(\pi)}$, the shared secret is $(m')^a = g^{abH(\pi)} = m^b$. An adversary can attack the protocol by intercepting a message $m = g^{aH(\pi)}$ from Alice and inserting their own message $m'' = g^c$. Alice will compute a shared secret $s = g^{ac}$, while the adversary can compute a "potential" shared secret $s'(\pi') = m^{cH(\pi')^{-1}}$ for each password $\pi'$. By issuing a reveal query on Alice's session, the adversary can determine Alice's true password from $s$ and the list of $s'(\pi')$.
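The two strawman protocols above, simulated end to end as an added example (this is illustrative code written for this page, not code from the paper). It uses a constructed toy group (a safe prime of a few hundred elements, far too small for real use), a constructed five-word dictionary, and HMAC-SHA256 as the MAC; the names `offline_attack_dh_mac` and `active_attack_rb_dh` are the hypothetical checks the text describes. The point is to show why neither protocol is a PAKE: in (i) a single passively observed `(m, t)` pair identifies the password with no interaction, and in (ii) one injected message plus one revealed session key does the same. Both failures are what a real PAKE design must prevent.

```python
import hashlib
import hmac
import secrets

# Constructed toy group parameters: P = 2*Q + 1 is a safe prime, G = 4 is a
# square mod P and therefore generates the subgroup of prime order Q.
P = 1019
Q = 509
G = 4

# Constructed password dictionary; in the BPR model it is small and enumerable.
DICTIONARY = ["hunter2", "letmein", "correct horse", "password1", "qwerty"]


def mac(password: str, message: int) -> bytes:
    """A MAC keyed directly by the password: the flaw in protocol (i)."""
    return hmac.new(password.encode(), str(message).encode(), hashlib.sha256).digest()


# ---- Protocol (i): Diffie-Hellman + password-keyed MAC ---------------------

def dh_mac_send(password: str):
    """One party's move: ephemeral secret a, message g^a, tag MAC_pi(g^a)."""
    a = secrets.randbelow(Q - 1) + 1
    m = pow(G, a, P)
    return a, m, mac(password, m)


def offline_attack_dh_mac(m: int, t: bytes, dictionary):
    """Offline dictionary check: every pi with MAC_pi(m) == t is a candidate.
    A single observed (m, t) suffices; no interaction with the parties is needed."""
    return [pi for pi in dictionary if hmac.compare_digest(mac(pi, m), t)]


# ---- Protocol (ii): randomized-base Diffie-Hellman -------------------------

def h(password: str) -> int:
    """Hash the password into (Z/QZ)^*, i.e. an exponent in {1, ..., Q-1}."""
    d = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return d % (Q - 1) + 1


def rb_dh_send(password: str):
    """Message m = g^{a H(pi)}; the exponent is reduced mod Q since G has order Q."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a * h(password) % Q, P)


def rb_dh_shared(a: int, peer_msg: int) -> int:
    """Shared secret as in plain DH: (peer message)^a."""
    return pow(peer_msg, a, P)


def honest_rb_dh_agrees(password: str) -> bool:
    """Sanity check: two honest parties with the same password derive the same secret."""
    a, m = rb_dh_send(password)
    b, m2 = rb_dh_send(password)
    return rb_dh_shared(a, m2) == rb_dh_shared(b, m)


def active_attack_rb_dh(m: int, c: int, revealed_s: int, dictionary):
    """Adversary injected g^c in place of Bob's message and later learned Alice's
    secret s = g^{ac} via a reveal query. For each pi', s'(pi') = m^{c H(pi')^{-1}}
    equals s exactly when H(pi') == H(pi), so matching candidates expose the password."""
    candidates = []
    for pi in dictionary:
        inv = pow(h(pi), -1, Q)             # H(pi')^{-1} mod Q
        s_prime = pow(m, c * inv % Q, P)    # m^{c H(pi')^{-1}}
        if s_prime == revealed_s:
            candidates.append(pi)
    return candidates


def demo(password: str = "correct horse"):
    """Run both attacks against a client using `password`; return the recovered sets."""
    # (i): passive observation of one (m, t) pair.
    _, m, t = dh_mac_send(password)
    recovered_i = offline_attack_dh_mac(m, t, DICTIONARY)
    # (ii): one active injection of g^c, then a reveal of Alice's session key.
    a, m = rb_dh_send(password)
    c = secrets.randbelow(Q - 1) + 1
    s = rb_dh_shared(a, pow(G, c, P))
    recovered_ii = active_attack_rb_dh(m, c, s, DICTIONARY)
    return recovered_i, recovered_ii


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry the text draws out: attack (i) is fully offline, whereas attack (ii) still costs the adversary one active session and one reveal query per dictionary sweep, which is why the paper's later discussion of "password guesses per session" matters.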

Isogenies
We provide a brief review of the background information. For further details on the mathematical foundations of isogenies, we refer the reader to [15,25]. Given two elliptic curves $E_1$ and $E_2$ over some finite field $\mathbb{F}_q$ of size $q$, an isogeny $\phi : E_1 \to E_2$ is an algebraic morphism which is a group homomorphism. The degree of $\phi$,  2 whenever $\gcd(n, q) = 1$ [25]. We define the endomorphism ring $\mathrm{End}(E)$ to be the set of all isogenies from $E$ to itself, defined over the algebraic closure $\overline{\mathbb{F}}_q$ of $\mathbb{F}_q$. The endomorphism ring is a ring under the operations of point-wise addition and functional composition. If $\dim_{\mathbb{Z}}(\mathrm{End}(E)) = 2$, then we say that $E$ is ordinary; otherwise $\dim_{\mathbb{Z}}(\mathrm{End}(E)) = 4$ and we say that $E$ is supersingular. Two isogenous curves are either both ordinary or both supersingular. All elliptic curves used in this work are supersingular. The isogeny $\phi$ : ) is separable; we will only consider separable isogenies. An important property of a separable isogeny $\phi$ is that $|\ker \phi| = \deg \phi$ [25, III.4.10(c)]. The kernel uniquely defines the isogeny up to isomorphism. Methods for computing and evaluating isogenies are given in [4,15,16,26]. We use isogenies whose kernels are cyclic; in this setting, knowledge of any single generator of the kernel allows for efficient evaluation of the isogeny (up to isomorphism); conversely, the ability to evaluate the isogeny via a black box allows for efficient determination of the kernel. Thus, in our application, the following are equivalent: knowledge of the isogeny, its kernel, or any generator of its kernel.

Isogeny-Based Cryptography
The first cryptographic construction to use supersingular elliptic curve isogenies is the hash function construction of Charles et al. [7], based on the isogeny graph path-finding problem. Public key cryptography based on isogenies was first introduced by Couveignes [10] and Rostovtsev & Stolbunov [23] using ordinary elliptic curves. Jao and De Feo [15] proposed the first public-key cryptosystem based on supersingular elliptic curve isogenies, along with a new assumption which was subsequently shown [8] to reduce to the path-finding assumption originally proposed in [7]. We review here the operation of the Jao and De Feo key exchange protocol SIDH, which is the foundation for our PAKE. Fix ⟩︀ ; Bob proceeds mutatis mutandis. Alice and Bob can then form a shared secret key using the common j-invariant of With almost no loss in generality, private ephemeral keys with m = 1 can be used [9]. In this work we follow that convention.

The Möbius Action and Auxiliary Point Obfuscation
For a prime $\ell$ and an integer $e$, we define , where $e$ is the Tate pairing [24, Exercise 10.24]; this prevents a kind of offline dictionary attack, which we elaborate on in Section 4.1.
In the context of isogeny computations, this (left) action of $\Upsilon_2(\ell_A, e_A)$ induces a new (right) action (the Möbius action) on $\mathbb{Z}/\ell_A^{e_A}\mathbb{Z}$ in the following way: if thus we define the right action $m^{\Psi} := \frac{\delta m + \beta}{m + \alpha}$. The two actions are related as above: mapping the auxiliary basis by the action of $\Psi$ on $E[\ell_A^{e_A}]^2$ is equivalent to mapping the $m$ which defines the isogeny's kernel by the action of $\Psi$ on $\mathbb{Z}/\ell_A^{e_A}\mathbb{Z}$. This action relates to a sort of "related-key attack" on SIDH: in an unauthenticated setting, an active adversary can force an honest party to compute a shared key corresponding to an ephemeral key chosen by the adversary and the image of the honest party's ephemeral key under the action of a known matrix $\Psi$.
Note that given

Computational Assumptions
For brevity, the standard assumptions of SIDH appear in Appendix B.
As noted in Section 2.3, to compute the shared secret in SIDH the parties must have the images of the public torsion bases under the secret isogenies. While previous works ignored these "auxiliary points" in favour of standard authentication methods, such as signature schemes [18] or generic transforms [14], here we focus on how we can disrupt man-in-the-middle attacks by obfuscating them. In this section we define a new computational assumption related to computing these auxiliary points. We use the notation of Section 2.3 for our global parameters, and define the security parameter $\lambda = \lceil \log_2 p \rceil$. When $P$ is a computational problem with some global parameters (such as the prime $p$ and global curves and torsion points used in SIDH), we denote by $\mathrm{Ins}_P(\ )$ the set of all instances of problem $P$ with global parameters . When $\mathcal{A}$ is an algorithm for a problem $P$ and $\vartheta$ is an instance of $P$, $\mathcal{A}(\vartheta)$ denotes the (possibly randomized) output of $\mathcal{A}$ on input $\vartheta$. $\mathrm{Unif}(X)$ denotes the uniform distribution on a set $X$.
The asymmetry of the isogeny computations requires us to consider two variants of each computational problem: one for $\ell_A^{e_A}$-isogenies, and the other for $\ell_B^{e_B}$-isogenies. For brevity we present the "Type A" problem, advantage, and assumption here and omit the "Type B" variant, which is defined analogously.

Definition 2.1 (Auxiliary Point Computation-A (SI-APC
With the notation above, we define SI- The SI-APC assumption is that for $t$ and $n$ polynomial in $\lambda$, $\mathrm{Adv}^{\mathrm{SI\text{-}APC}_A}_p(t, n)$ and $\mathrm{Adv}^{\mathrm{SI\text{-}APC}_B}_p(t, n)$ are negligible in $\lambda$.
Of course, the MOV attack [20] combined with the Pohlig-Hellman algorithm [22] can be used to solve extended discrete logarithms in supersingular elliptic curves, and so the SI-APC problem is equivalent to asking the adversary to find the image of any $\ell_B^{e_B}$- (or $\ell_A^{e_A}$-) torsion point, rather than the image of a particular basis; this phrasing is arguably more natural. The SI-APC problem reduces to the supersingular isogeny problem [11, Problem 5.2] by noting that finding a generator of the kernel of an isogeny $\phi$ allows one to compute the isogeny on the whole domain curve, by Vélu's formulas [26], whereas SI-APC requires one to compute the isogeny on particular points (or equivalently, the restriction .) The hardness of Problem 2.1 has not been thoroughly studied; however, we note that if the problem could be solved efficiently, the auxiliary points needed in SIDH [11] would not have to be sent, and thus the bandwidth of SIDH could be reduced by omitting them. So far, there are no proposals for how to do away with auxiliary points in SIDH, and no known solutions to the SI-APC problems. Notably, however, it is shown in [21] that, under some heuristics, SI-APC is equivalent to the corresponding isogeny problems for some nonstandard variant SIDH parameter sets (e.g., when $\ell_A^{e_A} \gg \ell_B^{e_B}$, or vice versa).

Our Protocol
The protocol builds on the SIDH scheme of Jao and De Feo [15]. Suppose a client $A \in \mathcal{C}$ and a server $B \in \mathcal{S}$ who share a common password $\pi_A$ wish to establish a shared secret key. The setup is as follows: ]︁ ; and, ]︁ ; (f) Sends $(E_B, X_B, Y_B)$ to $A$; and, (g) Constructs the key $K_B$, which is given by ; and, (c) Constructs the key $K_A$, given by From the definitions of $K_A$ and $K_B$, the correctness of the protocol follows if j(

Progress Toward, and Roadblocks to, a Security Theorem
Ideally, we would like a security theorem of the following form: for all adversaries $\mathcal{A}$ which run in time $t$ and use $n_S, n_E, n_O$ queries to Send, Execute, and the random oracles respectively, we have where $\alpha \geq 1$, and the terms $\mathrm{Adv}^{P_j}(\mathrm{poly}(t, n_S, n_E, n_O))$ encode the success probability in solving the underlying computational problems. Intuitively, this says "the protocol is secure, up to terms related to an adversary's ability to solve the underlying computational problems plus a negligible probability, and up to online dictionary attacks which allow $\alpha$ password guesses per online session on average." In this section we present partial results toward a security theorem of this form for the protocol of Section 3, and discuss the roadblocks that have prevented us from establishing a complete security proof.

Successes

A birthday-type bound.
The adversary can break the security of the protocol if, by chance, two sessions use the same ephemeral secret key. A straightforward birthday bound argument demonstrates that this occurs with probability at most

Preventing offline dictionary attacks from SIDH public key validation.
The auxiliary points $(\phi_A(P_B), \phi_A(Q_B))$ (respectively, $(\phi_B(P_A), \phi_B(Q_A))$) used in SIDH are determined by the ephemeral secret key, and hence are information-theoretically determined by the public ephemeral curve $E_A$ (respectively, $E_B$). In [13], the authors demonstrate an attack on static-ephemeral SIDH which uses maliciously-generated false auxiliary points to determine one party's static public key; in response, auxiliary point verification procedures have been developed. The most robust known verification measure, present in [9], ensures that the Tate pairing of the auxiliary points is correct; that is, one checks whether This has the potential to yield an offline dictionary attack against protocols which obfuscate auxiliary points, as follows: upon receiving $(E_A, X_A, Y_A)$ from a client whose password is $\pi$, the adversary constructs $\Psi(\pi') = H_A(E_A \| \pi')$ for each password $\pi'$ in the dictionary, and then constructs each of points. Then, the adversary checks if
for each password $\pi'$. For any $\pi'$ for which Equation 2 does not hold, the adversary is certain that the client's password is not $\pi'$, since the true auxiliary points $R_A(\pi)$ and $S_A(\pi)$ will satisfy it. This could allow the adversary to cut down the set of "possible passwords," without needing to launch an active attack.
Our choice of auxiliary point obfuscation method is not susceptible to this attack since for all $\Psi' \in \Upsilon_2(\ell_A, e_A)$ we have in particular, the pairing value is the same for each pair of points $R'_A(\pi), S'_A(\pi)$. The same argument applies to Bob's messages, and so this particular offline dictionary attack is thwarted.

Enforcing knowledge of the auxiliary points.
In SIDH, the shared secret is $j(E/\langle G_A, G_B \rangle)$, where $G_A$ and $G_B$ are the ephemeral secret kernel generators, and the (passive) security of the protocol is predicated only on an adversary's inability to compute this quantity from the messages. Notably, the shared secret is determined (information-theoretically) by $E_A$ and $E_B$ alone; the auxiliary points are required only to make the computation efficient. In contrast, in order for our protocol to be secure against offline dictionary attacks, it is necessary to assume that it is difficult to recover not only the SIDH shared secret from $E_A$ and $E_B$, but also the correct auxiliary points. The most natural idea is to make the SI-APC assumption as described in Section 2.5; unfortunately, if the session key depends only on the SIDH shared secret, we cannot extract a solution to an SI-APC instance from an adversary who wins the security game, and thus cannot relate the security of the protocol to the SI-APC assumption directly.
The solution: we must include auxiliary point information in the keying information. By including $\Psi_A$ and $\Psi_B$ as arguments to KDF, we can extract auxiliary points from the random oracle inputs of an adversary that wins the security game, and solve an instance of SI-APC. To solve an instance of SI-APC$_A$ we can insert the instance into a client's message, choosing the auxiliary points at random. With probability $[\mathrm{SL}_2(\ell_B, e_B) : \Upsilon_2(\ell_B, e_B)]^{-1} = (\ell_B + 1)^{-1}$ the randomly-chosen points are "valid" (in the sense that there exists an element of $\Upsilon_2(\ell_B, e_B)$ that takes the true auxiliary points to the randomly-chosen points). Any adversary who wins the game with non-negligible advantage must make a KDF query with the correct $\Psi_A$ and $\Psi_B$ values, since KDF is a random oracle; thus any such adversary must obtain the correct $\Psi_A$ and $\Psi_B$ either by
(i) querying $H_A$ and $H_B$ on the correct values, or
(ii) extracting them from the publicly-available, password-related information.
In the second case we can extract solutions to SI-APC$_A$ (respectively SI-APC$_B$) by using the $\Psi_A$ (respectively, $\Psi_B$) value from the adversary's correct KDF query.

Roadblocks

Password information in messages.
In classical PAKE protocols, the message distribution is typically independent of the users' passwords; in contrast, in our protocol the password is information-theoretically determined by a given message, but extracting that information from the messages is assumed to be difficult. Nevertheless, the possibility of obtaining partial password information from the messages alone cannot easily be ruled out, and so it is very difficult to quantify the number of passwords that can be eliminated per actively-attacked session (the $\alpha$ in equation (1)). Notably, some other post-quantum PAKEs, such as RLWE-PAK and RLWE-PPK [12], also have message distributions which are not independent of the password.¹

Password guesses.
A typical PAKE security argument defines the notion of "password guess," and then argues that at most $\alpha$ password guesses can be made per session, under some computational assumption. A password guess on password $\pi$ is intuitively "a KDF query in which the messages are those messages sent in a pair of matching sessions, the shared secret is the one that would be computed in the pair of matching sessions if the password were $\pi$, and the other inputs to KDF are consistent with the password and (if appropriate) have been the output of random oracle queries with password $\pi$." A natural-seeming notion of password guess on a client is that, for values $(E, X, Y)$, where $n_A$ is the secret key which yields $E$. This is somewhat consistent with our intuition of what a password guess should be: the adversary executes the protocol with $A$ (pretending to be $B$) and computes the key that $A$ would compute if her password were $\pi$. While this does model one form of password guess, the asymmetry of the protocol means that there is another form of password guess which is consistent with the messages of the protocol: by sending are the images of the true auxiliary points under the action of $\Psi'' = H_B(j(E') \| \pi'')$ and then computing sk , the adversary can test whether $\Psi''$ corresponds to $A$'s true password by revealing $A$'s session key sk and testing whether $\mathrm{sk}'' = \mathrm{sk}$. This type of password guess creates two difficulties for a security proof:
(i) it is undetectable without knowledge of the ephemeral key $n_B$, and
(ii) it is difficult to formulate a computational problem whose hardness can be used to bound the number of passwords that can be checked per session.
If the "natural" password guess were the only type, under the heuristic assumption that the messages reveal no password information, we can show that only one password can be guessed per session (and, furthermore, that the protocol is secure in the model of [1], under further assumptions) under the assumption that the following computational problem (and its B-type variant) is difficult:

Performance
It is clear from the protocol description in Section 3 that the message sizes in our protocol are identical to those of SIDH [11] for the same parameter set; in particular, they are among the smallest post-quantum message sizes at equivalent security levels. We implemented the scheme for the two parameter sets p434 and p503 from [14] to quantify the additional computational cost due to auxiliary point obfuscation/unobfuscation. Table 1 contains our performance results.

Conclusion
We have presented a proposal for an isogeny-based password-authenticated key establishment protocol based on supersingular isogeny Diffie-Hellman. Of particular interest is that our protocol explicitly makes use of the auxiliary points for security, rather than efficiency. We hope that the partial results presented here can serve as a stepping stone on the path to provably-secure isogeny-based PAKE.

A The Security Model
PAKE security is commonly proved in the model of Bellare, Pointcheval, and Rogaway [1], which we briefly review here.

Protocols.
Fundamentally, a protocol Π is a probabilistic algorithm which maps strings (in this context, concatenations of passwords, randomness, and protocol-specific messages and parameters) to strings (keys).

Parties and Party Identifiers.
Participants in protocols are called parties. Parties are either clients $\mathcal{C}$ or servers $\mathcal{S}$. In this model, protocols are initiated by clients and responded to by servers. All clients are served by all servers. Each party $P \in \mathcal{C} \sqcup \mathcal{S}$ is uniquely identified by a string of fixed length; if $P$ is a party, we will also use $P$ to refer to $P$'s identifier string as needed.

Passwords.
We work in the symmetric password model: each client $A \in \mathcal{C}$ has a password $\pi_A$, and each server has the collection $\{\pi_A\}_{A \in \mathcal{C}}$.

Password Initialization.
In models of authenticated key establishment, parties establish public-key/private-key pairs and securely publish their public keys (e.g., [2,6,17]) in a pre-protocol "initialization" phase. Similarly, in this model there is a pre-protocol initialization phase where users generate passwords and "install" them on servers (i.e., servers get the passwords) securely.

Party Instances.
Associated to each party $U \in \mathcal{C} \sqcup \mathcal{S}$ is a collection of party instances $\{\Omega_U^{(n)}\}_{n \in \mathbb{N}}$. When the adversary interacts with a party he may be required to specify an instance. These instances model parties establishing keys at different times and with different partners, and these different key-establishing sessions may be attacked differently (or not at all) by the adversary.

Acceptance and Termination.
A party instance "accepts" when it computes a session key, and "terminates" when it will send no more messages. In our protocol, acceptance is always followed immediately by termination, but termination may occur without acceptance (e.g., in the case of ill-formed incoming messages).

The Security Experiment.
Informally, in the security experiment, a new entity (the adversary) attempts to break the semantic security of the protocol after interacting with the parties and one additional "formal" party who "administrates" the game (the challenger). The security experiment proceeds in three stages. (i) Initialization: The adversary chooses disjoint sets $\mathcal{C}$ and $\mathcal{S}$ of client and server identifiers. Each client $A \in \mathcal{C}$ generates a password according to a probability distribution on their password-space: $\pi_A \leftarrow \mathcal{P}_A$ for all $A \in \mathcal{C}$; then, each server $B \in \mathcal{S}$ receives all client passwords. Password generation happens out of view of the adversary, though the adversary knows each $\mathcal{P}_A$. (iii) The Game: To begin, we must define what it means for an oracle $\Omega_U^{(n)}$ to be fresh, which itself requires that we define partnered sessions:

Definition A.2 (Partnered Oracles). A pair of oracles $\Omega_A^{(n)}$ and $\Omega_B^{(m)}$ are called partnered if all of the following are true: (a) $A \in \mathcal{C}$ and $B \in \mathcal{S}$, or $A \in \mathcal{S}$ and $B \in \mathcal{C}$.  $V$ is the partner to $\Omega_U^{(n)}$. (c) Corrupt$(V, i)$ was issued for some $V \in \mathcal{C} \sqcup \mathcal{S}$ and Send$(U, n, M)$ was issued for some $M \in \mathcal{M}$. Now, at any point during the protocol, $\mathcal{A}$ may make a Test$(U, n)$ query. If $\Omega_U^{(n)}$ is not fresh or this is not the first Test query of the game, $\mathcal{A}$ loses the game; otherwise, the challenger answers the query appropriately. The game continues, and eventually $\mathcal{A}$ makes a guess $b'$ at the value of $b$ that the challenger chose in response to the Test query; the adversary wins if $b' = b$ and loses otherwise. We define the adversary's advantage to be $\mathrm{Adv}^{\Gamma}_{\Pi}(\mathcal{A}) = 2\,\mathbb{P}[\mathcal{A} \text{ wins the game } \Gamma \text{ with protocol } \Pi] - 1$.

B Computational Assumptions of SIDH
In this section we present the SIDH and SSI problems [11], whose presumed hardness underlies the security of SIDH (and, by extension, our protocol). When the global parameters and auxiliary points are clear from context, we abbreviate this as $E_{AB} = \mathrm{SIDH}(E_A, E_B)$. We also define variants of SIDH: These arise in SIDH by considering messages which are not well-formed. For an algorithm $\mathcal{A}$ which, given a valid SIDH instance, produces a list of candidate solutions to the instance, define its advantage as Intuitively, this quantity measures the maximum probability of solving a randomly chosen SIDH instance in time $t$ if you are allowed to make $n$ guesses. The SIDH assumption is that for $t, n = \mathrm{poly}(\lambda)$, $\mathrm{Adv}^{\mathrm{SIDH}}_p(t, n) = \mathrm{negl}(\lambda)$.
As in Section 2.5, the asymmetry of the isogeny computations means that there are really two variants of each of the following computational problems: one for $\ell_A^{e_A}$-isogenies, and the other for $\ell_B^{e_B}$-isogenies. For brevity we present the "Type A" problem and advantage and omit the analogous "Type B" variant.
Definition B.2 (Supersingular Isogeny Problem-A (SSI$_A$)). Let $\phi_A : E \to E_A$ be an isogeny with kernel $\langle P_A + n_A Q_A \rangle$ for $n_A \leftarrow \mathrm{Unif}(\mathbb{Z}/\ell_A^{e_A}\mathbb{Z})$. The supersingular isogeny problem (type A) (SSI$_A$) is, given $E$, $E_A$, $\phi_A(P_B)$, and $\phi_A(Q_B)$, to find a generator of $\ker \phi_A$.
The SIDH problem reduces to both the Type A and Type B variants of Problem B.2 by noting that knowledge of $\ker \phi_A$, $\phi_B(P_A)$ and $\phi_B(Q_A)$ allows one to map $E_B$ to $E_{AB}$, and knowledge of $\ker \phi_B$, $\phi_A(P_B)$ and $\phi_A(Q_B)$ similarly allows one to map $E_A$ to $E_{AB}$. Recent work due to Costache et al. [8, Theorem 3.2] reduces the SIDH problem to the more general isogeny-graph path-finding problem of [7] in a similar fashion.