-
Notifications
You must be signed in to change notification settings - Fork 2
/
schemes.yml
194 lines (185 loc) · 5.54 KB
/
schemes.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
sidh:
name:
short: SIDH
long: Supersingular Isogeny Diffie-Hellman
type: Key Exchange
assumptions:
- sidh
references:
JDF11: 'https://doi.org/10.1007/978-3-642-25405-5_2'
DJP14: 'https://eprint.iacr.org/2011/506'
CLN16: 'https://eprint.iacr.org/2016/413'
comment: >-
[JDF11] explored using isogenies of degree $\ell^e$ for various
choices of $\ell$. It is only with [DJP14] that the choice of
$\ell=2,3$ became standard. The choice of having $p = 3 \bmod 4$ and
of a specific starting curve did not become standard until
[CLN16].
variants:
sidh-random:
name:
long: SIDH with random starting curve
type: Key Exchange
assumptions:
- cssi
references:
Pet17: 'https://eprint.iacr.org/2017/571'
BB+22: 'https://eprint.iacr.org/2022/518'
comment: >-
Folklore version SIDH, starting from a random curve of unknown
endomorphism ring. First published mention in [Pet17],
however it is currently not known how to generate such a curve
without a trusted setup (see [BB+22]).
sidh-prewalk:
name:
long: SIDH with initial secret walk
type: Key Exchange
assumptions:
- cssi
references:
Pet17: 'https://eprint.iacr.org/2017/571'
BdQ+19: 'https://eprint.iacr.org/2019/1333'
Cos21: 'https://eprint.iacr.org/2021/543'
comment: >-
Folklore version of SIDH where the initiator (Alice) selects a
random starting curve before starting the key exchange, and
transmits it along with its public key. First published
mention in [BdQ+19], Section 11.1, as a possible
countermeasure against torsion point attacks (see [Pet17]).
Also mentioned in [Cos21] for the same reason.
sike:
name:
short: SIKE
long: Supersingular Isogeny Key Encapsulation
type: KEM
assumptions:
- sidh
references:
SIKE: 'https://sike.org/'
comment: >-
Candidate to the NIST Post-Quantum Standardization process until
the 4th round.
bsidh:
name:
short: B-SIDH
type: Key Exchange
assumptions:
- bsidh
references:
Cos19: 'https://eprint.iacr.org/2019/1145'
comment: >-
More compact variant of SIDH exploiting torsion points both on the
curve and its twist.
crs:
name:
short: CRS
long: Couveignes-Rostovtsev-Stolbunov
type:
- Key Exchange
- Non Interactive Key Exchange
assumptions:
- parallelization>ordinary
references:
Cou06: 'https://eprint.iacr.org/2006/291'
RS06: 'https://eprint.iacr.org/2006/145'
DKS18: 'https://eprint.iacr.org/2018/485'
comment: >-
Ancestor of CSIDH based on the theory of complex multiplication on
ordinary curves defined over finite fields. Initially discovered
by Couveignes in '97 [Cou06], was left unpublished and was
independently rediscovered by [RS06]. [DKS18] introduce tweaks to
the parameters to improve performance.
csidh:
name:
short: CSIDH
type:
- Key Exchange
- Non Interactive Key Exchange
assumptions:
- parallelization>supersingular
references:
CL+18: 'https://eprint.iacr.org/2018/383'
CD19: 'https://eprint.iacr.org/2019/1404'
comment: >-
Variant of CRS based on the action of $\mathrm{Cl}(\sqrt{-p})$ on
supersingular curves defined over $\mathbb{F}_p$. Original
proposal with $p = 3 \bmod 8$ in [CL+18], minor variant wiht $p =
7 \bmod 8$ in [CD19].
osidh:
name:
short: OSIDH
long: Oriented SIDH
type:
- Key Exchange
- Non Interactive Key Exchange
assumptions:
- osidh
references:
CK20: 'https://eprint.iacr.org/2020/985'
comment: >-
Variant of CRS/CSIDH based on the action of a class group on a set
of supersingular curves reached by "volcano descent".
seasign:
name:
long: SeaSign
type:
- Σ-protocol
- Signature
assumptions:
- vector
references:
DG18: "https://eprint.iacr.org/2018/824"
comment: >-
Proof of knowledge and signature based on group actions. Usually
instantiated from [CSIDH](#scheme:csidh). Not very efficient.
csi-fish:
name:
short: CSI-FiSh
long: Commutative Supersingular Isogeny based Fiat-Shamir signatures
type:
- Σ-protocol
- Signature
assumptions:
- vector
references:
Sto10: 'https://dx.doi.org/10.3934/amc.2010.4.215'
BKV19: "https://eprint.iacr.org/2019/498"
comment: >-
Proof of knowledge and signature based on the group action
[CSIDH-512](#scheme:csidh), for which the class group structure
was computed on purpose.
sidh-sign:
name:
short: SIDH PoK
long: SIDH Proof of Knowledge
type:
- Σ-protocol
- Signature
assumptions:
- cssi>special-curve
- dssp
references:
DJP14: 'https://eprint.iacr.org/2011/506'
YA+17: 'https://eprint.iacr.org/2017/186'
DD+21: "https://eprint.iacr.org/2021/1023"
GK+21: "https://eprint.iacr.org/2021/1051"
comment: >-
Proof of knowledge and signature based on the SIDH assumption.
Initially proposed in [DJP14]. [YA+17] adapts it into a signature,
[DD+21] and [GK+21] fix mistakes in the security proof, [DD+21]
introduces a variant with stronger soundness guarantees.
weaksidh-sign:
name:
short: weakSIDH PoK
long: Weak SIDH Proof of Knowledge
type:
- Σ-protocol
- Signature
assumptions:
- ssisopath>short
- dssp
references:
DD+21: "https://eprint.iacr.org/2021/1023"
comment: >-
Proof of knowledge and signature based on the weakSIDH assumption,
i.e., the SIDH assumption without torsion point information.