[cryptography] Supersingular Isogeny DH

coderman coderman at gmail.com
Thu Jul 9 01:24:12 PDT 2015


On 7/8/15, Marcel <tiepelt at dev-nu11.de> wrote:
> ...
> So my question is, why do i need to random values m_A and n_A to compute
> the torsiongroup E[l_A] and respectively the kernel K_A ?
>
> Why does is not suffice to use only 1 point to generate E[l_A] and
> Kernel K_A ?

it is late, and i may mis understand,

yet the two are requisite for peers arriving at a shared secret by way
of these constructed isogeny; and the random values necessary to not
give too much (confirm secret values, without exposing secret values)

i found this paper a helpful expansion on the subject:
  http://cacr.uwaterloo.ca/techreports/2014/cacr2014-20.pdf
"In this paper, we mainly explore the efficiency of implementing recently
proposed isogeny-based post-quantum public key cryptography..."

specifically the graph on page 5. note that the key exchange relies on
finding a path connecting vertices in a graph of supersingular
isogenies - thus a pair on both ends, not just a pair arrived at among
both participants.

if this is clear as mud, i will try tomorrow on a fresh brain :)


best regards,



More information about the cypherpunks mailing list