Password-Based Authenticated Key Exchange from Standard Isogeny Assumptions

Abstract

The isogeny-based cryptosystems are considered as one of post-quantum cryptosystems. Taraskin et al. proposed a password-based authenticated key exchange (PAKE) scheme from isogeny by extending Jao et al.’s supersingular isogeny Diffie-Hellman (SIDH) protocol. In their scheme, a new group action is introduced in addition to SIDH due to non-commutativity of SIDH in order to embed the password to the DH public key. Also, in the security proof, new non-standard assumptions regarding the new group action are necessary. It is not clear if these assumptions are really hard. In this paper, we propose new PAKE schemes, SIDH-EKE and CSIDH-EKE, which are secure under the standard assumptions (corresponding to the computational DH assumption). Our schemes are obtained by a combination of SIDH (or CSIDH, commutative SIDH) and EKE (encrypted key exchange). We prove security of our schemes under the same standard assumptions as original SIDH and CSIDH in the random oracle model and ideal cipher model. CSIDH-EKE achieves more compact communication overhead than Taraskin et al.’s scheme.