Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
THREE-PARTY SUPERSINGULAR ELLIPTIC CURVE CRYPTOGRAPHY KEY AGREEMENT SCHEME
Document Type and Number:
WIPO Patent Application WO/2019/056103
Kind Code:
A1
Abstract:
There is provided a system, a method, and a supersingular elliptic curve cryptography key agreement scheme performed between three cryptographic correspondent devices. The cryptographic key agreement scheme includes public key generation by each of the cryptographic correspondent devices and determination of a common key by each of the cryptographic correspondent devices. The determination of the common key includes determination by each of the cryptographic correspondent devices of resultant elliptic curves and resultant auxiliary points, and the exchange of data between the cryptographic correspondent devices.

Inventors:
SOUKHAREV VLADIMIR (CA)
Application Number:
PCT/CA2018/051171
Publication Date:
March 28, 2019
Filing Date:
September 20, 2018
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
INFOSEC GLOBAL INC (CA)
International Classes:
H04L9/30; G06F7/72
Domestic Patent References:
WO2000014924A12000-03-16
Foreign References:
US20060248338A12006-11-02
Attorney, Agent or Firm:
BHOLE IP LAW (CA)
Download PDF:
Claims:
CLAIMS

A supersingular elliptic curve cryptography key agreement scheme to permit secure communications between a first cryptographic correspondent device, a second cryptographic correspondent device, and a third cryptographic correspondent device, each of the cryptographic correspondent devices comprising a processor and a memory, the memory configured to store a plurality of instructions which when executed by the processor cause the processor to implement the cryptographic key agreement scheme, the cryptographic key agreement scheme comprising:

performing, by the second cryptographic correspondent device, public key generation comprising determining second scalars, a second elliptic curve, a second isogeny, and second auxiliary points associated with the second cryptographic correspondent device;

receiving, by the second cryptographic correspondent device, first scalars, a first elliptic curve, a first isogeny, and first auxiliary points generated by the first cryptographic correspondent device;

performing, by the second cryptographic correspondent device:

determining a second intermediate kernel using the second scalars and the first auxiliary points;

determining a second intermediate elliptic curve using the second intermediate kernel and the first elliptic curve;

determining second intermediate auxiliary points using the first auxiliary points under the second isogeny; and

communicating, to the third cryptographic correspondent device, the second intermediate elliptic curve and the second intermediate auxiliary points, wherein the second intermediate elliptic curve and the second intermediate auxiliary points permit the third cryptographic correspondent device to determine a common key and communicate, to the first cryptographic correspondent device, a third intermediate elliptic curve and third intermediate auxiliary points, and

wherein the third intermediate elliptic curve and the third intermediate auxiliary points permit the first cryptographic correspondent device to determine the common key and communicate, to the second cryptographic correspondent device, a first intermediate elliptic curve and first intermediate auxiliary points; and

determining the common key, by the second cryptographic correspondent device, by:

determining a second resultant kernel using the second scalars and the first intermediate auxiliary points;

determining a second resultant elliptic curve using the second resultant kernel and the first intermediate elliptic curve; and

determining the common key using a j-invariant of the second resultant elliptic curve.

2. The cryptography scheme of claim 1 , wherein the second intermediate elliptic curve and the second intermediate auxiliary points permit the third cryptographic correspondent device to determine the common key by:

receiving the second scalars, the second elliptic curve, a second isogeny, and the second auxiliary points generated by the second cryptographic correspondent device;

determining a third intermediate kernel using third scalars and the second auxiliary points;

determining a third intermediate elliptic curve using the third intermediate kernel and the second elliptic curve;

determining third intermediate auxiliary points using the second auxiliary points under the second isogeny;

determining a third resultant kernel using the third scalars and the second intermediate auxiliary points;

determining a third resultant elliptic curve using the third resultant kernel and the second intermediate elliptic curve;

determining the common key using a j-invariant of the third resultant elliptic curve; and

communicating to the first cryptographic correspondent device the third intermediate elliptic curve and the third intermediate auxiliary points; and wherein the third intermediate elliptic curve and the third intermediate auxiliary points permit the first cryptographic correspondent device to determine the common key by:

receiving the third scalars, the third elliptic curve, a third isogeny, and the third auxiliary points generated by the third cryptographic correspondent device; determining a first intermediate kernel using first scalars and third auxiliary points;

determining a first intermediate elliptic curve using the first intermediate kernel and a third elliptic curve;

determining first intermediate auxiliary points using the third auxiliary points under the first isogeny;

determining a first resultant kernel using the first scalars and the third intermediate auxiliary points;

determining a first resultant elliptic curve using the first resultant kernel and the third intermediate elliptic curve;

determining the common key using a j-invariant of the first resultant elliptic curve; and

communicating to the second cryptographic correspondent device the first intermediate elliptic curve and the first intermediate auxiliary points.

The cryptography scheme of claim 2, wherein the public key generation by the second cryptographic correspondent device comprises:

selecting an originating elliptic curve and second basis points;

randomly selecting the second scalars;

determining a second kernel using the second scalars and the second basis points; determining the second elliptic curve using the second kernel and the originating elliptic curve via the second isogeny; and

determining the second auxiliary points using the first basis points and the third basis points under the second isogeny.

The cryptography scheme of claim 3, wherein the first cryptographic correspondent device is able to perform public key generation by: selecting first basis points;

randomly selecting the first scalars;

determining a first kernel using the first scalars and the first basis points;

determining the first elliptic curve using the first kernel and the originating elliptic curve via the first isogeny; and

determining the first auxiliary points using the second basis points and the third basis points under the first isogeny; and

wherein the third cryptographic correspondent device is able to perform public key generation by:

selecting third basis points;

randomly selecting the third scalars;

determining a third kernel using the third scalars and the third basis points;

determining the third elliptic curve using the third kernel and the originating elliptic curve via the third isogeny; and

determining the third auxiliary points using the first basis points and the second basis points under the third isogeny.

5. The cryptography scheme of claim 1 , wherein the second intermediate kernel is

determined by the second cryptographic correspondent device by adding a multiplication of a first of the second scalars and a first of the first auxiliary points that uses a first of the second basis points to a multiplication of a second of the second scalars and a second of the first auxiliary points that uses a second of the second basis points.

6. The cryptography scheme of claim 1 , wherein the second intermediate auxiliary points are determined by determining, under the second isogeny, the first auxiliary points that use the third basis points.

7. The cryptography scheme of claim 1 , wherein the second resultant kernel is determined by adding a multiplication of a first of the second scalars and a first of the first intermediate auxiliary points to a multiplication of a second of the second scalars and a second of the first intermediate auxiliary points.

8. The cryptography scheme of claim 1 , wherein the second auxiliary points comprise values for the first basis points under the second isogeny and the third basis points under the second isogeny.

9. The cryptography scheme of claim 1 , wherein the common key is static.

10. The cryptography scheme of claim 1 , wherein the common key is ephemeral.

1 1. A cryptographic correspondent device comprising a processor and a memory, the

cryptographic correspondent device in communication with a first cryptographic correspondent device and a third cryptographic correspondent device over a data communication system, the memory having stored thereon computer instructions which when executed by the processor cause the processor to implement a supersingular elliptic curve cryptography key agreement scheme comprising:

performing public key generation comprising determining second scalars, a second elliptic curve, a second isogeny, and second auxiliary points associated with the cryptographic correspondent device;

receiving, by the cryptographic correspondent device, first scalars, a first elliptic curve, a first isogeny, and first auxiliary points generated by the first cryptographic correspondent device;

performing, by the cryptographic correspondent device:

determining a second intermediate kernel using the second scalars and the first auxiliary points;

determining a second intermediate elliptic curve using the second intermediate kernel and the first elliptic curve;

determining second intermediate auxiliary points using the first auxiliary points under the second isogeny; and

communicating, to the third cryptographic correspondent device, the second intermediate elliptic curve and the second intermediate auxiliary points, wherein the second intermediate elliptic curve and the second intermediate auxiliary points permit the third cryptographic correspondent device to determine a common key and communicate, to the first cryptographic correspondent device, a third intermediate elliptic curve and third intermediate auxiliary points, and wherein the third intermediate elliptic curve and the third intermediate auxiliary points permit the first cryptographic correspondent device to determine the common key and communicate, to the second cryptographic correspondent device, a first intermediate elliptic curve and first intermediate auxiliary points; and

determining the common key, by the cryptographic correspondent device, by:

determining a second resultant kernel using the second scalars and the first intermediate auxiliary points;

determining a second resultant elliptic curve using the second resultant kernel and the first intermediate elliptic curve; and

determining the common key using a j-invariant of the second resultant elliptic curve.

12. The cryptographic correspondent device of claim 11 , wherein the second intermediate elliptic curve and the second intermediate auxiliary points permit the third cryptographic correspondent device to determine the common key by:

receiving the second scalars, the second elliptic curve, a second isogeny, and the second auxiliary points generated by the cryptographic correspondent device;

determining a third intermediate kernel using third scalars and the second auxiliary points;

determining a third intermediate elliptic curve using the third intermediate kernel and the second elliptic curve;

determining third intermediate auxiliary points using the second auxiliary points under the second isogeny;

determining a third resultant kernel using the third scalars and the second intermediate auxiliary points;

determining a third resultant elliptic curve using the third resultant kernel and the second intermediate elliptic curve;

determining the common key using a j-invariant of the third resultant elliptic curve; and communicating to the first cryptographic correspondent device the third intermediate elliptic curve and the third intermediate auxiliary points; and wherein the third intermediate elliptic curve and the third intermediate auxiliary points permit the first cryptographic correspondent device to determine the common key by:

receiving the third scalars, the third elliptic curve, a third isogeny, and the third auxiliary points generated by the third cryptographic correspondent device; determining a first intermediate kernel using first scalars and third auxiliary points;

determining a first intermediate elliptic curve using the first intermediate kernel and a third elliptic curve;

determining first intermediate auxiliary points using the third auxiliary points under the first isogeny;

determining a first resultant kernel using the first scalars and the third intermediate auxiliary points;

determining a first resultant elliptic curve using the first resultant kernel and the third intermediate elliptic curve;

determining the common key using a j-invariant of the first resultant elliptic curve; and

communicating to the cryptographic correspondent device the first intermediate elliptic curve and the first intermediate auxiliary points.

13. The cryptographic correspondent device of claim 12, wherein the public key generation by the cryptographic correspondent device comprises:

selecting an originating elliptic curve and second basis points;

randomly selecting the second scalars;

determining a second kernel using the second scalars and the second basis points; determining the second elliptic curve using the second kernel and the originating elliptic curve via the second isogeny; and

determining the second auxiliary points using the first basis points and the third basis points under the second isogeny.

14. The cryptographic correspondent device of claim 13, wherein the first cryptographic correspondent device is able to perform public key generation by:

selecting first basis points;

randomly selecting the first scalars;

determining a first kernel using the first scalars and the first basis points;

determining the first elliptic curve using the first kernel and the originating elliptic curve via the first isogeny; and

determining the first auxiliary points using the second basis points and the third basis points under the first isogeny; and

wherein the third cryptographic correspondent device is able to perform public key generation by:

selecting third basis points;

randomly selecting the third scalars;

determining a third kernel using the third scalars and the third basis points;

determining the third elliptic curve using the third kernel and the originating elliptic curve via the third isogeny; and

determining the third auxiliary points using the first basis points and the second basis points under the third isogeny.

15. The cryptographic correspondent device of claim 11 , wherein the second intermediate kernel is determined by the cryptographic correspondent device by adding a

multiplication of a first of the second scalars and a first of the first auxiliary points that uses a first of the second basis points to a multiplication of a second of the second scalars and a second of the first auxiliary points that uses a second of the second basis points.

16. The cryptographic correspondent device of claim 11 , wherein the second intermediate auxiliary points are determined by determining, under the second isogeny, the first auxiliary points that use the third basis points.

17. The cryptographic correspondent device of claim 11 , wherein the second resultant kernel is determined by adding a multiplication of a first of the second scalars and a first of the first intermediate auxiliary points to a multiplication of a second of the second scalars and a second of the first intermediate auxiliary points.

18. The cryptographic correspondent device of claim 11 , wherein the second auxiliary points comprise values for the first basis points under the second isogeny and the third basis points under the second isogeny.

19. The cryptographic correspondent device of claim 11 , wherein the common key is static.

20. The cryptographic correspondent device of claim 11 , wherein the common key is

ephemeral.

Description:
THREE-PARTY SUPERSINGULAR ELLIPTIC CURVE CRYPTOGRAPHY KEY AGREEMENT

SCHEME TECHNICAL FIELD

[0001] The following relates to data communication systems and schemes utilized in such systems; and more specifically, to three-party supersingular elliptic curve cryptography key agreement schemes.

BACKGROUND

[0002] Data communication systems are used to exchange information between devices. The information to be exchanged comprises data that is organized as strings of digital bits formatted so as to be recognizable by other devices and to permit the information to be processed and/or recovered.

[0003] The exchange of information may occur over a publically accessible network, such as a communication link between two devices, over a dedicated network within an organization, or may be between two devices within the same dedicated component, such as within a computer or point of sale device.

[0004] The devices may range from relatively large computer systems through to

telecommunication devices, cellular phones, monitoring devices, sensors, electronic wallets and smart cards, and a wide variety of devices that are connected to transfer data between two or more of such devices.

[0005] A large number of communication protocols have been developed to allow the exchange of data between different devices. The communication protocols permit the exchange of data in a robust manner, often with error correction and error detection functionality, and for the data to be directed to the intended recipient and recovered for further use.

[0006] Because the data may be accessible to other devices, it is vulnerable to interception and observation or manipulation. The sensitive nature of the information requires that steps are taken to secure the information and ensure its integrity.

[0007] A number of techniques collectively referred to as cryptographic encryption protocols, key agreement protocols, and authentication protocols have been developed to provide the required attributes and ensure security and/or integrity in the exchange of information. These techniques utilize a key that is combined with the data. An extensive survey of cryptography techniques is provided in Menezes, van Oorshot and Vanstone's Handbook of Applied

Cryptography, the contents of which are incorporated by reference.

[0008] There are two main types of cryptosystems, symmetric key cryptosystems and asymmetric or public key cryptosystems. In a symmetric key cryptosystem, the devices exchanging information share a common key that is known only to the devices intended to share the information. Symmetric key systems have the advantage that they are relatively fast and therefore able to process large quantities of data in a relatively short time, even with limited computing power. However, the keys must be distributed in a secure manner to the different devices, which leads to increased overhead and vulnerability if the key is compromised.

[0009] Asymmetric or public key cryptosystems utilize a key pair, one of which is public and the other private, associated with each device. The public key and private key are related by a "hard" mathematical problem so that even if the public key and the underlying problem are known, the private key cannot be recovered in a feasible time. One such problem is the factoring of the product of two large primes, as utilized in RSA cryptosystems. Another is the discrete log problem in a finite group. A generator, a, of the underlying group is identified as a system parameter and a random integer, k, generated for use as a private key. To obtain a public key, K, a k-fold group operation is performed so that K=f(a,k).

[0010] Different groups may be used in discrete log cryptosystems including the multiplicative group of a finite field, the group of integers in a finite cyclic group of order p, usually denoted Zp* and consisting of the integers 0 to p-1. The group operation is generally an operation such that a k = f(a,k).

[001 1] Another group that is used for enhanced security is an elliptic curve group. The elliptic curve group consists of elements, represented by pairs of field elements, one of which is designated x and the other y, that satisfy the equation of the chosen elliptic curve. For an elliptic curve group over field of size p, the elliptic curve would generally be defined by the relationship y 2 mod p = x 3 + ax + b mod p. Other curves are used for different groups, as is well known. Each such pair of elements is a point on the curve. P is an element on the elliptic curve group of a large order. The group operation is addition, so a private key k will have a corresponding public key kP = f(a,k).

[0012] Public key cryptosystems reduce the infrastructure necessary with symmetric key cryptosystems. A device may generate an integer k, and generate the corresponding public key kP. The public key is published so it is available to other devices. The device may then use a suitable signature protocol to sign a message using the private key k and other devices can confirm the integrity of the message using the public key kP.

[0013] Similarly, a device may encrypt a message to be sent to another device using the other devices public key. The message can then be recovered by the other device using the private key. However, these protocols are computationally intensive, and therefore relatively slow, compared with symmetric cryptosystem protocols.

[0014] Public key cryptosystems may also be used to establish a key that is shared between two devices. In its simplest form, as proposed by Diffie-Hellman, each device sends a public key to the other device. Both devices then combine the received public key with their private key to obtain a shared key.

[0015] One device, usually referred to as an entity (or correspondent), Alice, generates a private key k a and sends another device, or entity, Bob, the public key k a P.

[0016] Bob generates a private key kb and sends Alice the public key kbP

[0017] Alice computes k a ' kbP and Bob computes kb ' k a P so they share a common key

K=k a kbP=kbk a P. The shared key may then be used in a symmetric key protocol. Neither Alice nor Bob may recover the private key of the other, and third parties cannot reconstruct the shared key.

[0018] However, in the foreseeable future, such cryptography schemes may be compromised due to the emergence of quantum computing. Many practitioners skilled in the art believe that in less than a handful of decades, quantum computing will have widespread use. The emergence of quantum computers provides an evolutionary leap in computation power. However, adversaries or interlopers looking to intercept the encrypted communication may also gain access to the power of quantum computing to break encryption and gain access to supposedly secured communications. One of the important abilities of quantum computers is to efficiently, which means in polynomial time, factor large integers and solve the discrete logarithm problem (for example, given g and h = g x in group G, find x). A significant factor affecting cryptography's security is based on these two mathematical problems, which are considered to be safe in the realm of classical computing. This means that with the appearance of quantum computers, classical cryptosystems may no longer be safe. The field of 'post-quantum cryptography' is involved in developing cryptosystems for classical computers so that the classical computer systems would be quantum-resistant and secure against possible adversaries employing quantum computing. [0019] With respect to key agreement protocols for existing post-quantum cryptographic schemes, such approaches are generally only between two parties.

[0020] It is therefore an object of the present invention to provide a post-quantum cryptographic scheme in which the above disadvantages are obviated or mitigated and attainment of the desirable attributes is facilitated.

SUMMARY

[0021] In an aspect, there is provided a supersingular elliptic curve cryptography key agreement scheme to permit secure communications between a first cryptographic correspondent device, a second cryptographic correspondent device, and a third cryptographic correspondent device, each of the cryptographic correspondent devices comprising a processor and a memory, the memory configured to store a plurality of instructions which when executed by the processor cause the processor to implement the cryptographic key agreement scheme, the cryptographic key agreement scheme comprising: performing, by the second cryptographic correspondent device, public key generation comprising determining second scalars, a second elliptic curve, a second isogeny, and second auxiliary points associated with the second cryptographic correspondent device; receiving, by the second cryptographic correspondent device, first scalars, a first elliptic curve, a first isogeny, and first auxiliary points generated by the first cryptographic correspondent device; performing, by the second cryptographic correspondent device: determining a second intermediate kernel using the second scalars and the first auxiliary points; determining a second intermediate elliptic curve using the second intermediate kernel and the first elliptic curve; determining second intermediate auxiliary points using the first auxiliary points under the second isogeny; and communicating, to the third cryptographic correspondent device, the second intermediate elliptic curve and the second intermediate auxiliary points, wherein the second intermediate elliptic curve and the second intermediate auxiliary points permit the third cryptographic correspondent device to determine a common key and communicate, to the first cryptographic correspondent device, a third intermediate elliptic curve and third intermediate auxiliary points, and wherein the third intermediate elliptic curve and the third intermediate auxiliary points permit the first cryptographic correspondent device to determine the common key and communicate, to the second cryptographic correspondent device, a first intermediate elliptic curve and first intermediate auxiliary points; and determining the common key, by the second cryptographic correspondent device, by: determining a second resultant kernel using the second scalars and the first intermediate auxiliary points; determining a second resultant elliptic curve using the second resultant kernel and the first intermediate elliptic curve; and determining the common key using a j-invariant of the second resultant elliptic curve.

[0022] In a particular case, the second intermediate elliptic curve and the second intermediate auxiliary points permit the third cryptographic correspondent device to determine the common key by: receiving the second scalars, the second elliptic curve, a second isogeny, and the second auxiliary points generated by the second cryptographic correspondent device;

determining a third intermediate kernel using third scalars and the second auxiliary points;

determining a third intermediate elliptic curve using the third intermediate kernel and the second elliptic curve; determining third intermediate auxiliary points using the second auxiliary points under the second isogeny; determining a third resultant kernel using the third scalars and the second intermediate auxiliary points; determining a third resultant elliptic curve using the third resultant kernel and the second intermediate elliptic curve; determining the common key using a j-invariant of the third resultant elliptic curve; and communicating to the first cryptographic correspondent device the third intermediate elliptic curve and the third intermediate auxiliary points; and wherein the third intermediate elliptic curve and the third intermediate auxiliary points permit the first cryptographic correspondent device to determine the common key by: receiving the third scalars, the third elliptic curve, a third isogeny, and the third auxiliary points generated by the third cryptographic correspondent device; determining a first intermediate kernel using first scalars and third auxiliary points; determining a first intermediate elliptic curve using the first intermediate kernel and a third elliptic curve; determining first intermediate auxiliary points using the third auxiliary points under the first isogeny; determining a first resultant kernel using the first scalars and the third intermediate auxiliary points; determining a first resultant elliptic curve using the first resultant kernel and the third intermediate elliptic curve; determining the common key using a j-invariant of the first resultant elliptic curve; and communicating to the second cryptographic correspondent device the first intermediate elliptic curve and the first intermediate auxiliary points.

[0023] In another case, the public key generation by the second cryptographic correspondent device comprises: selecting an originating elliptic curve and second basis points; randomly selecting the second scalars; determining a second kernel using the second scalars and the second basis points; determining the second elliptic curve using the second kernel and the originating elliptic curve via the second isogeny; and determining the second auxiliary points using the first basis points and the third basis points under the second isogeny. [0024] In yet another case, the first cryptographic correspondent device is able to perform public key generation by: selecting first basis points; randomly selecting the first scalars;

determining a first kernel using the first scalars and the first basis points; determining the first elliptic curve using the first kernel and the originating elliptic curve via the first isogeny; and determining the first auxiliary points using the second basis points and the third basis points under the first isogeny; and wherein the third cryptographic correspondent device is able to perform public key generation by: selecting third basis points; randomly selecting the third scalars; determining a third kernel using the third scalars and the third basis points; determining the third elliptic curve using the third kernel and the originating elliptic curve via the third isogeny; and determining the third auxiliary points using the first basis points and the second basis points under the third isogeny.

[0025] In yet another case, the second intermediate kernel is determined by the second cryptographic correspondent device by adding a multiplication of a first of the second scalars and a first of the first auxiliary points that uses a first of the second basis points to a

multiplication of a second of the second scalars and a second of the first auxiliary points that uses a second of the second basis points.

[0026] In yet another case, the second intermediate auxiliary points are determined by determining, under the second isogeny, the first auxiliary points that use the third basis points.

[0027] In yet another case, the second resultant kernel is determined by adding a multiplication of a first of the second scalars and a first of the first intermediate auxiliary points to a multiplication of a second of the second scalars and a second of the first intermediate auxiliary points.

[0028] In yet another case, the second auxiliary points comprise values for the first basis points under the second isogeny and the third basis points under the second isogeny.

[0029] In yet another case, the common key is static.

[0030] In yet another case, the common key is ephemeral.

[0031] In another aspect, there is provided a cryptographic correspondent device comprising a processor and a memory, the cryptographic correspondent device in communication with a first cryptographic correspondent device and a third cryptographic correspondent device over a data communication system, the memory having stored thereon computer instructions which when executed by the processor cause the processor to implement a supersingular elliptic curve cryptography key agreement scheme comprising: performing public key generation comprising determining second scalars, a second elliptic curve, a second isogeny, and second auxiliary points associated with the cryptographic correspondent device; receiving, by the cryptographic correspondent device, first scalars, a first elliptic curve, a first isogeny, and first auxiliary points generated by the first cryptographic correspondent device; performing, by the cryptographic correspondent device: determining a second intermediate kernel using the second scalars and the first auxiliary points; determining a second intermediate elliptic curve using the second intermediate kernel and the first elliptic curve; determining second intermediate auxiliary points using the first auxiliary points under the second isogeny; and communicating, to the third cryptographic correspondent device, the second intermediate elliptic curve and the second intermediate auxiliary points, wherein the second intermediate elliptic curve and the second intermediate auxiliary points permit the third cryptographic correspondent device to determine a common key and communicate, to the first cryptographic correspondent device, a third intermediate elliptic curve and third intermediate auxiliary points, and wherein the third intermediate elliptic curve and the third intermediate auxiliary points permit the first

cryptographic correspondent device to determine the common key and communicate, to the second cryptographic correspondent device, a first intermediate elliptic curve and first intermediate auxiliary points; and determining the common key, by the cryptographic correspondent device, by: determining a second resultant kernel using the second scalars and the first intermediate auxiliary points; determining a second resultant elliptic curve using the second resultant kernel and the first intermediate elliptic curve; and determining the common key using a j-invariant of the second resultant elliptic curve.

[0032] In a particular case, the second intermediate elliptic curve and the second intermediate auxiliary points permit the third cryptographic correspondent device to determine the common key by: receiving the second scalars, the second elliptic curve, a second isogeny, and the second auxiliary points generated by the cryptographic correspondent device; determining a third intermediate kernel using third scalars and the second auxiliary points; determining a third intermediate elliptic curve using the third intermediate kernel and the second elliptic curve; determining third intermediate auxiliary points using the second auxiliary points under the second isogeny; determining a third resultant kernel using the third scalars and the second intermediate auxiliary points; determining a third resultant elliptic curve using the third resultant kernel and the second intermediate elliptic curve; determining the common key using a j- invariant of the third resultant elliptic curve; and communicating to the first cryptographic correspondent device the third intermediate elliptic curve and the third intermediate auxiliary points; and wherein the third intermediate elliptic curve and the third intermediate auxiliary points permit the first cryptographic correspondent device to determine the common key by: receiving the third scalars, the third elliptic curve, a third isogeny, and the third auxiliary points generated by the third cryptographic correspondent device; determining a first intermediate kernel using first scalars and third auxiliary points; determining a first intermediate elliptic curve using the first intermediate kernel and a third elliptic curve; determining first intermediate auxiliary points using the third auxiliary points under the first isogeny; determining a first resultant kernel using the first scalars and the third intermediate auxiliary points; determining a first resultant elliptic curve using the first resultant kernel and the third intermediate elliptic curve; determining the common key using a j-invariant of the first resultant elliptic curve; and communicating to the cryptographic correspondent device the first intermediate elliptic curve and the first intermediate auxiliary points.

[0033] In another case, the public key generation by the cryptographic correspondent device comprises: selecting an originating elliptic curve and second basis points; randomly selecting the second scalars; determining a second kernel using the second scalars and the second basis points; determining the second elliptic curve using the second kernel and the originating elliptic curve via the second isogeny; and determining the second auxiliary points using the first basis points and the third basis points under the second isogeny.

[0034] In yet another case, the first cryptographic correspondent device is able to perform public key generation by: selecting first basis points; randomly selecting the first scalars;

determining a first kernel using the first scalars and the first basis points; determining the first elliptic curve using the first kernel and the originating elliptic curve via the first isogeny; and determining the first auxiliary points using the second basis points and the third basis points under the first isogeny; and wherein the third cryptographic correspondent device is able to perform public key generation by: selecting third basis points; randomly selecting the third scalars; determining a third kernel using the third scalars and the third basis points; determining the third elliptic curve using the third kernel and the originating elliptic curve via the third isogeny; and determining the third auxiliary points using the first basis points and the second basis points under the third isogeny.

[0035] In yet another case, the second intermediate kernel is determined by the cryptographic correspondent device by adding a multiplication of a first of the second scalars and a first of the first auxiliary points that uses a first of the second basis points to a multiplication of a second of the second scalars and a second of the first auxiliary points that uses a second of the second basis points. [0036] In yet another case, the second intermediate auxiliary points are determined by determining, under the second isogeny, the first auxiliary points that use the third basis points.

[0037] In yet another case, the second resultant kernel is determined by adding a multiplication of a first of the second scalars and a first of the first intermediate auxiliary points to a multiplication of a second of the second scalars and a second of the first intermediate auxiliary points.

[0038] In yet another case, the second auxiliary points comprise values for the first basis points under the second isogeny and the third basis points under the second isogeny.

[0039] In yet another case, the common key is static.

[0040] In yet another case, the common key is ephemeral.

[0041] These and other aspects are contemplated and described herein. The foregoing summary sets out representative aspects of systems, methods, and cryptographic schemes to assist skilled readers in understanding the following detailed description.

DESCRIPTION OF THE DRAWINGS

[0042] An embodiment of the present invention will now be described by way of example only with reference to the accompanying drawings, in which:

[0043] FIG. 1 is a schematic representation of a system for key agreement in a three-party supersingular elliptic curve cryptography key agreement scheme, according to an embodiment;

[0044] FIG. 2 is a representation of a device used in the system of FIG. 1 ;

[0045] FIG. 3 is a chart showing facets of key agreement in a three-party supersingular elliptic curve cryptography key agreement scheme;

[0046] FIG. 4 is a flow chart showing public key generation in a method for key agreement in a three-party supersingular elliptic curve cryptography key agreement scheme, according to an embodiment;

[0047] FIG. 5 is a flow chart showing common key generation in a method for key agreement in a three-party supersingular elliptic curve cryptography key agreement scheme, according to an embodiment;

[0048] FIG. 6 is a conceptual block diagram of a three-party supersingular elliptic curve cryptography key agreement scheme, according to an embodiment.

DETAILED DESCRIPTION [0049] Embodiments will now be described with reference to the figures. It will be appreciated that for simplicity and clarity of illustration, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements. In addition, numerous specific details are set forth in order to provide a thorough understanding of the embodiments described herein. However, it will be understood by those of ordinary skill in the art that the embodiments described herein may be practiced without these specific details. In other instances, well-known methods, procedures and components have not been described in detail so as not to obscure the embodiments described herein. Also, the description is not to be considered as limiting the scope of the embodiments described herein.

[0050] It will also be appreciated that any module, unit, component, server, computer, computing device, mechanism, terminal or other device exemplified herein that executes instructions may include or otherwise have access to computer readable media such as storage media, computer storage media, or data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Computer storage media may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. Examples of computer storage media include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by an application, module, or both. Any such computer storage media may be part of the device or accessible or connectable thereto. Any application or module herein described may be implemented using computer readable/executable instructions that may be stored or otherwise held by such computer readable media and executed by the one or more processors.

[0051] Elliptic curves have proven themselves over time as reliable tools and primitives for use in cryptography, and have become an object not only of profound theoretical interest but of sound practical interest as well. Isogenies are a useful aspect of elliptic curves to be used in elliptic curve-based cryptography. An isogeny between a pair of elliptic curves is an algebraic morphism that maps an identity point of the first curve to an identity point of the second curve and preserves the structure. In the field of post-quantum cryptography, elliptic curve-based schemes are often referred to as isogeny-based schemes, meaning elliptic curve isogenies. The term 'scheme', as generally used herein, is to be understood as a term of art that generally encompasses, for example, protocols, algorithms, processes, and non-cryptographic techniques.

[0052] Isogeny-based schemes are recognized as valuable against attacks from adversaries with quantum computers because given two isogenous supersingular elliptic curves, finding an isogeny between them is intractable even for a quantum computer. The endomorphism ring for the elliptic curve is non-commutative, and as such, this problem becomes intractable for the quantum computer.

[0053] An isogeny between two elliptic curves (groups) £ and £' is a group homomorphism, i.e. a function that preserves structural properties of the groups. Given two elliptic curves £ and £' over the same finite field, it is easy to check if they are isogenous; namely they are isogenous if and only if they have the same size. Generally, the elliptic curve groups have the same size if they have the same cardinality. Nevertheless, finding the isogeny that maps between them is a difficult problem.

[0054] Elliptic curves can be of two types: ordinary and supersingular. For the traditional discrete logarithm problem, ordinary curves are typically believed to be more secure, as supersingular curves are vulnerable to attacks, such as an MOV attack. However, it is generally known that the discrete logarithm problem can be efficiently, meaning in polynomial time, solved using a quantum computer; this makes discrete logarithm-based cryptographic schemes insecure against quantum attacks, regardless of the underlying group.

[0055] In contrast, supersingular isogeny-based schemes can be secure against quantum attacks due to what is known as the "hard problem": given two isogenous elliptic curves, find an isogeny between them.

[0056] The approach to solving the isogeny problem between ordinary curves is as follows. It is known that there is a one-to-one correspondence between isogenies and ideals of the endomorphism ring of £ denoted End(E). Also, End(E) and End(E) are isomorphic. Combined, this means that there is a one-to-one correspondence between isogenies between £ and £', and ideals of the endomorphism ring. Hence, it is more convenient and in fact more efficient to work with elements of End(£), rather than directly with isogenies. Considering the ordinary case, End(E) is a commutative structure, meaning that a b = b a. Further mathematical

manipulations for the corresponding ideal class group CI(End(£)) may be done to reduce this problem to a problem that can be solved by a quantum computer in subexponential running time. Thus, ordinary elliptic curve isogeny may not be a good candidate for quantum-resistant schemes.

[0057] In contrast to ordinary curves, supersingular elliptic curves have the property that End(E) is a non-commutative structure. It does not even yield any group structure if one tries to obtain a corresponding ideal class group. The nature of quantum computer capabilities makes them in general unable to effectively solve problems in non-commutative structures. The fast algorithms of quantum computers cannot be applied in the case of supersingular elliptic curve schemes as there is no commutativity in there. Generally, the fastest attack using quantum computer is a fully exponential attack with 6th root complexity in the size of the input.

[0058] Turning to FIG. 1 , an embodiment of a data communication system 10 is shown. The data communication system 10 includes a plurality of cryptographic correspondent devices 12 interconnected by communication links 14. The devices 12 may be of any known type including a computer 12a, a server 12b, a cellphone 12c, ATM 12d, and smart card 12e. The

communication links 14 may be conventional fixed telephone lines, wireless connections implemented between the devices 12, near field communication connections such as

Bluetooth™, or other conventional forms of communication.

[0059] As shown in FIG. 2, the devices 12 can differ according to their intended purpose, but generally includes a communication module 20 for communication to the links 14. A memory 22 provides a storage medium for non-transient instructions to implement protocols and to store data as required. A secure memory module 24, which may be part of memory 22 or may be a separate module, is used to store private information, such as the private keys used in the encryption protocols and withstand tampering with that data. The instructions are executed by one or more processors which may be integral with, or separate from, an arithmetic logic unit (ALU) 26. The ALU 26 can perform the arithmetic operations instruction by the memory 22 using data stored in the memories 22, 24. A random or pseudo random number generator 28 is also incorporated to generate bit strings representing random numbers in a cryptographically secure manner.

[0060] It will be appreciated that the device 12 illustrated in FIG. 2, is highly schematic and representative of a device used in a data communication system.

[0061] The memory 22 stores system parameters for the cryptosystem to be implemented and a set of computer readable instructions to implement the required protocol. In the case of an elliptic curve cryptosystem, elliptic curve domain parameters can include, for example: · the field size p = -6 B B - S c c■ f ± 1, where t A , B and c are small primes, and is a co-factor;

· the elliptic curve coefficients (a, b);

· bases points {PA, QA} of Basis 'A' (collectively called "Basis A"), {PB, QB} of Basis 'B' (collectively called "Basis B"), and {Pc, Qc} of Basis 'C (collectively called "Basis C").

[0062] The parameters can be represented as bit strings, or any other suitable computer- readable representation. Basis, as referred to herein, includes the points that generate the entire torsion subgroup of the elliptic curve.

[0063] Ephemeral values computed by the ALU may also be stored within the secure module 24 if their value is intended to be secret.

[0064] An exemplary key agreement scheme diagram, according to embodiments herein, is shown in FIG. 3. This exemplary key agreement scheme is performed between three devices (or users), a first entity called Alice ("A") on a first computing device, a second entity called Bob ("B") on a second computing device, and a third entity called Charlie ("C") on a third computing device communicating with each other over a data communication system. Values associated with Alice will be denoted by the suffix A, those of Bob by the suffix B, and those of Charlie by the suffix C. Eo denotes an originating elliptic curve.

[0065] Entities Alice, Bob, and Charlie want to share a common key, and therefore implement the instructions stored in the memory 22 being the cryptographic scheme shown in Fig 3. The arrows represent secret isogenies between the elliptic curves. Solid-lined arrows in the diagram represent isogenies actually computed by at least one of the entities, while dash-lined arrows represent isogenies not required to be computed under the present scheme.

[0066] With reference to FIG. 3, the following is a three-party supersingular elliptic curve cryptography key agreement scheme according to an embodiment.

[0067] E[m] is defined to be a set of points in the elliptic curve E so that the order of these points divides m. That is, if P e E[m], then mP =∞ (identity point). A prime is constructed to be of the form p = f A A■ f B { e c c■ f ± 1, where { A , { B and { c are small primes, and is a co-factor. [0068] Supersingular elliptic curves £ are defined over F (finite field of size p 2 ). Where F is the quadratic extension of field W p . When m divides the order of the curve, the group structure of E[m] is isomorphic to (Z ) , the two-dimensional space of integers mod m. Hence, two elliptic curve points to generate the entire E[m] are needed. [0069] For the present embodiment, torsion group E £ A A ] has generators (P A , Q A ), torsion group E\f B has generators (P B , Q B ), and torsion group E[{ e c c ] has generators (P c , Q c ). [0070] As an example of the embodiment, a private key for Alice is represented by two scalar eA

values m A , n A Z„e A (integers modulo I ) . These values are used to compute the elliptic

A A

curve kernel point K A = m A P A + n A Q A . The point is used as the generator of the kernel of the isogeny, denoted (K^), to compute the corresponding isogeny φ^. In practice, isogenies are not explicitly stated, but their kernels are used instead to compute them. Let be the resulting curve to which the isogeny maps, that is φ Α . Ε→ E A = E/(K A ). thus becomes part of the public key corresponding to m^,n^. As also part of the public key, images φ Α Β ), ΦΛ ((?Β) and Φ Α (ΡΟ) > are computed by Alice.

[0071] FIG. 6 is a conceptual block diagram of a three-party supersingular elliptic curve cryptographic ("ECC") scheme 600, according to an embodiment. The three-party supersingular ECC scheme 600 permits secure communications between three cryptographic correspondent devices 12. Each of the cryptographic correspondent devices 12 includes at least a processor 26 and a memory 22. The memory 22 is configured to store a plurality of instructions which when executed by the processor 26 cause the processor 26 to implement the elliptic curve cryptographic scheme 600.

[0072] The three-party supersingular ECC scheme 600 includes random number generation operations 602, kernel determination operations 604, elliptic curve determination operations 606, auxiliary point determination operations 608, common key determination operations 610, and inter-entity communications 612.

[0073] In an embodiment of the three-party supersingular ECC scheme 600, a key generation protocol and key agreement protocol are detailed herein, involving the actions of the three entities, Alice ("A"), Bob ("S"), and Charlie ("C"). An originating elliptic curve E (or Eo) is public as well as first basis points(P 4 , Q A ), second basis points(P B , Q B ), and third basis points(P c , Q c ). [0074] For key generation, each user generates two scalars as their private key and computes the corresponding isogeny kernel. The resulting curve and the image of other users' bases points on that curve can be published as the public key. As an example, Alice performs the following: · Randomly selects first scalars m A , n A e TL„e A ;

A

· Determines a first kernel point K A = m A - P A + n A - Q A ; · Determines a first elliptic curve EA using the first kernel (K A ) by computing

<p A : E→ E A = E/(K A ) ; · Determines values for second basis points PB, QB and third basis points Pc, Qc under Alice's isogeny φ Α , namely images φ Α Β ), ΦΑ ^Β) an d <PA(PC) > <PA(QC) - these values are referred to as first auxiliary points;

· Retains m A , n A (and equivalents K A , φ Α ) as Alice's private keys; and · Publishes, or otherwise communicates, first elliptic curve EA and first auxiliary points (PA(PB), <PA(QB), <PA (PC), <PA (QC) as Alice's public key.

[0075] Similarly, Bob performs the following: · Randomly selects second scalars m B , n B e Z„e B ; · Determines a second kernel point K B = m B P B + n B Q B ; · Determines a second elliptic curve EB using the second kernel (K B ) by computing φ Β : E→ E B = E I (K B ) ; · Determines values for first basis points PA, QA, and third basis points Pc, Qc under Bob's isogeny φ Β , namely images ΦΒ(ΡΑ)> ΦΒ ( ( 2Α) AN< ^ 0s( p c)' 0s ( ( ?c) - these values are referred to as second auxiliary points;

· Retains m B , n B (and equivalent^ Κ Β , φ Β ) as Bob's private keys; and · Publishes, or otherwise communicates, second elliptic curve EB and second auxiliary points <PB (PA), <I>B (.QA), <I>B (PC), <I>B (.QC) as Bob ' s P ublic ke Y- [0076] Similarly, Charlie performs the following: · Randomly selects third scalars m c , n c e Z„e c ; · Determines a third kernel point K c = m c P c + n c Q c ; · Determines a third elliptic curve Ec using the third kernel (K c ) by computing

φ 0 : Ε→E C = E/(K C ) ; · Determines values for first basis points PA, QA, and second basis points PB, QB under Charlie's isogeny φ ε , namely images 0 c (¾)- 0c( ( ? / i) and 0C(¾)< 0C ((?B) - these values are referred to as third auxiliary points; · Retains m c , n c (and equivalent^ K c ^ c ) as Charlie's private keys; and · Publishes, or otherwise communicates, third elliptic curve Ec and third auxiliary points (PC(PA), <PC(.QA)> <PC(PBI CC?B) as Charlie's public key.

[0077] In an embodiment, a key agreement protocol can include the three parties (A, B, and C) performing the two-party key agreement with each other. This would require them to run three more rounds of data exchange to each other in order to send the data to be computed from the first round of data exchange. In total, this embodiment would take nine exchanges of data between parties (referred to herein as "passes").

[0078] In another embodiment, advantageously, with only four passes, the following key agreement protocol can be performed to obtain a common key: · Alice communicates to Bob data for first elliptic curve E A , and first auxiliary points ΦΑ(ΡΒ), ΦΑ<3Β) , <* 0 and tf (<2 c );

· Bob, upon receiving the data from Alice, determines:

o a second intermediate kernel K AB = m B φ Α Β ) + n B (p A (Q B ), which we

represent with isogeny φ ΑΒ ;

o a second intermediate elliptic curve E AB = E A /{K AB ) ; and o second intermediate auxiliary points Φ ΑΒ {.Φ Α {ΡΟ))> ΦΑΒ (.ΦΑ (ΛΟ E E AB ' .

· Bob communicates to Charlie data for second elliptic curve E B , second intermediate elliptic curve E AB , second auxiliary points Φ Β Α ), Φ Β ( Α) , 0B ( ;) * 0B 02C). and second intermediate auxiliary points φ ΑΒ Α (Ρα ' )), ΦΑΒ ΦΑ(ΛΟ)) · Charlie, upon receiving the data from Bob, determines:

o a third intermediate kernel K BC = m c φ Β (Ρα) + n c 0B (<?C). which we

represent with isogeny φ Β0

o a third intermediate elliptic curve E BC = E B /(K BC ) ; o third intermediate auxiliary points Φ Β Ο (ΦΒ (.ΡΑ)) > ΦΒ€(.ΦΒ ( Α e E BC ;

o a third resultant kernel K ABC = m c φ ΑΒ Α (Ρα)) + n c ΦΑΒ (.ΦΑ ^^ o a third resultant elliptic curve E ABC = E AB /(K ABC ) ; and

o a common key k = j(E ABC ), using the /-invariant of the third resultant elliptic curve E ABC ; · Charlie communicates to Alice data for third elliptic curve E c , third intermediate elliptic curve E BC , third auxiliary points <f> c (P A , <I>C(QA) , 0C (¾), 0C ((?B) , and third intermediate auxiliary points 0 bc (0B (¾) < ΦΒΟ ΟΡΒ ^Α · Alice, upon receiving the data from Charlie, determines: o a first intermediate kernel K AC = m A 0 C (¾) + N A · 0c(<?4). which we

represent with isogeny φ Αα o a first intermediate elliptic curve E AC = E C /(K AC ) ; o first intermediate auxiliary points Φ Α Ο (ΦΟ(ΡΒ))> 04C (0C((?B) E E AC o a first resultant kernel K BCA = m A 0 bc (0B (¾)) + n A

o a first resultant elliptic curve E BCA = E BC /(K BCA ) ; and o the common key k = j(E BCA ), using the /-invariant of the first resultant elliptic curve E BCA ; · Alice communicates to Bob data for the first intermediate elliptic curve E AC , and first intermediate auxiliary points Φ Α Ο (ΦΟ (ΡΒ))> ΦΑΟ (ΦΟ an d

· Bob, upon receiving the data from Alice, determines: o a second resultant kernel K ACB = m B Φ Α (ΦΟ (ΡΒ)) + N B ·

o a second resultant elliptic curve E ACB = E AC /(K ACB ) ; and

o the common key k = j(E ACB ), using the /-invariant of the second resultant elliptic curve E ACB ;

[0079] As stated above, the common key is equivalent to j(E ABC ). Advantageously, all resultant elliptic curves, E ABC , E ACB , and E BCA , are isomorphic to E/(K A , K B , K C ), and hence have an equivalent /-invariant value, representing the common key k. For the present purposes, if elliptic curves are isomorphic, they can be considered to be the same curve.

[0080] Advantageously, the above key agreement protocol has only four passes; namely, Alice to Bob, Bob to Charlie, Charlie to Alice, and Alice to Bob a second time. [0081] In further embodiments, if the public keys are published in advance, the first pass comprising Alice communicating to Bob data for the first elliptic curve E A , and the first auxiliary points <PA(PB) > <PA(QB) > 04( p c)' and does not need to be performed. In this case, advantageously, the key agreement protocol has only three passes.

[0082] In some cases, where the integrated encryption scheme and public-key encryption scheme is for three parties, where two of the parties want to send a message to the third party, and is based on supersingular elliptic curve isogenies, it can use the same primitives as the key agreement scheme. Then, the value of j-invariant of the resultant elliptic curve is hashed and the logical operation 'exclusive-or' (XOR) is applied to encrypt the message.

[0083] Elliptic curve isogenies have a number of intended advantages over other schemes in post-quantum cryptography; including those of lattice-based schemes, code-based schemes, hash-based schemes, and multivariate polynomials-based schemes. For example, elliptic curve isogenies can be applied to building key exchange, authentication, signature, and encryption schemes. While lattice-based cryptography may offer such wide applicability, security parameter selection in lattice-based schemes is a very difficult task, without an exact security level. In contrast, isogeny-based cryptosystems rely directly on the size of the underlying finite field defined by the selected prime number. A further intended advantage is that it may be possible to reuse many already existing libraries for elliptic curves in various programming languages.

[0084] The key transmission overhead size of elliptic curve isogeny schemes is also

advantageous over other schemes due to, in general, having a smaller size.

[0085] Further, elliptic curve isogeny schemes offer an advantage of being a clear way to understand a security level of an encryption scheme. Isogeny-based schemes also have the intended advantage of being able to reuse a lot of elliptic curve arithmetic already implemented in elliptic curve encryption schemes.

[0086] FIGS. 4 and 5 are flowcharts of an embodiment for a method 300 for key agreement in a three-party supersingular elliptic curve cryptography key agreement scheme. FIG. 4 shows an example of public key generation 400 as part of the method 300. FIG. 5 shows an example of a common key generation 500 as also part of the method 300. The method 300 is performed by a first entity "Alice" on a first cryptographic correspondent device 12, a second entity "Bob" on a second cryptographic correspondent device 12, and a third entity "Charlie" on a third

cryptographic correspondent device 12. Each of the cryptographic correspondent devices 12 comprising the processor (or ALU) 26, the memory 22, 24, the RNG 28 and the communication module 20. The memory 22, 24 configured to store a plurality of instructions which when executed by the processor 26 cause the processor 26 to implement the method 300. An originating elliptic curve E is public, as part of global public parameters in the key agreement, as well as first basis points(P 4 , Q A ) associated with Alice, second basis points(P B , Q B ) associated with Bob, and third basis points(P C , Q c ) associated with Charlie.

[0087] Turning to FIG. 4, at block 402, the RNG 28 associated with Alice randomly selects first scalars m A , n A e 1„e A . At block 404, the processor 26 associated with Alice determines a first

A

kernel point using the first scalars and the first basis points as K A = m A P A + n A Q A . At block 406, the processor 26 associated with Alice uses the first kernel point to determine a first elliptic curve EA by determining φ Α . E→ E A = E/(K A ). At block 408, the processor 26 associated with Alice determines first auxiliary points using second basis points PB, QB and third basis points Pc, Qc under Alice's isogeny φ Α as images φ Α Β ), φ Α (^ Β ) an d ΦΑ(Ρ ) > ΦΑ( )- At block 410, the communication module 20 associated with Alice publishes, communicates, or otherwise makes available, first elliptic curve EA and first auxiliary points Φ Α (ΡΒ), ΦΑ( ( 2Β) > ΦΑ(ΡΟ) > ΦΑ( ( 2Ο) as Alice's public key.

[0088] At block 412, the RNG 28 associated with Bob randomly selects second scalars m B , n B 6 ∑„e B . At block 414, the processor 26 associated with Bob determines a second kernel point using the second scalars and the second basis points as K B = m B P B + n B Q B . At block 416, the processor 26 associated with Bob uses the second kernel point to determine second elliptic curve EB by determining φ Β -. Ε→Ε Β = E/(K B ). At block 418, the processor 26 associated with Bob determines first auxiliary points using first basis points PA, QA, and third basis points Pc, Qc under Bob's isogeny φ Β as images φ Β Α ), ΦΒ ^Α an< J 0B (PC) < 0B ((?C) - At block 420, the communication module 20 associated with Bob publishes, communicates, or otherwise makes available, second elliptic curve EB and second auxiliary points

Φ Β {ΡΑ), ΦΒ {(2Α), ΦΒ {Ρ^, ΦΒ ^ as Bob's public key.

[0089] At block 422, the RNG 28 associated with Charlie randomly selects third scalars m c , n c e Z„e c . At block 424, the processor 26 associated with Charlie determines a third kernel point using the third scalars and the third basis points as K c = m c P c + n c Q c . At block 426, the processor 26 associated with Charlie uses the third kernel point to determine third elliptic curve Ec by determining φ α -. Ε→ E c = E/(K C ). At block 428, the processor 26 associated with Charlie determines first basis points PA, QA, and second basis points PB, QB under Charlie's isogeny 0 C as images 0 C (¾)< 0C an d Φc ( P B )> 0C ((?B) - At block 430, the communication module 20 associated with Charlie publishes, communicates, or otherwise makes available, third elliptic curve Ec and third auxiliary points 0 C (¾)< ΦΟ (&Α) > 0C (¾) < 0C ((?B) as Charlie's public key.

[0090] In some cases, each entity (Alice, Bob, and Charlie) can perform the above steps simultaneously. In further cases, each entity (Alice, Bob, and Charlie) can perform the above steps at different times.

[0091] Turning to FIG. 5, at block 502, in some cases, the communication module 20 associated with Alice communicates to Bob data for first elliptic curve E A , and first auxiliary points φ Α Β ), ΦΑ((2Β) > ΦΑ( Ρ Ο) > and 0^(<?c). representing Alice's public key. In further cases, block 502 can be omitted because data representing the public key can be published, communicated, or otherwise available beforehand.

[0092] At block 504, the processor 26 associated with Bob determines a second intermediate kernel using the second scalars and some of the first auxiliary points as K AB = m B φ Α Β ) + n B 0Λ((?Β) > and uses the second intermediate kernel and the first elliptic curve to determine a second intermediate elliptic curve as E AB = E A /(K AB ). At block 506, the processor 26 associated with Bob determines second intermediate auxiliary points using the first auxiliary points under Bob's isogeny , mapping from E A , φ ΑΒ as φ ΑΒ Α (Ρ , φ Α Β (ΦΑ<3 e E AB . At block 510, the communication module 20 associated with Bob communicates to Charlie data for the second elliptic curve E B , the second intermediate elliptic curve E AB , the second auxiliary points φ Β Α ), φ Β ( Α ), 0B(P c )< 0B ((?C), and the second intermediate auxiliary points φ ΑΒ Α (Ρα)),

[0093] At block 512, the processor 26 associated with Charlie determines a third intermediate kernel using the third scalars and some of the second auxiliary points K BC = m c φ Β (Ρ ) + n c 0B ((?C), and uses the third intermediate kernel and the second elliptic curve to determine a third intermediate elliptic curve E BC = E B /(K BC ). At block 514, the processor 26 associated with Charlie determines third intermediate auxiliary points using the second auxiliary points under Charlie's isogeny , mapping from E B , φ Βα as 0 bc (0B(¾)), 0BC(0B((LI)) e E BC . At block 516, the processor 26 associated with Charlie determines a third resultant kernel using the third scalars and the second intermediate auxiliary points as K ABC = m c φ ΑΒ Α (Ρο)) + n c 04B (04(<?C)). and uses the third resultant kernel and the second intermediate elliptic curve to determine a third resultant elliptic curve as E ABC = E AB /(K ABC ). At block 518, the processor 26 associated with Charlie determines a common key k = j(E ABC ), using the /-invariant of the third resultant elliptic curve E ABC - At block 520, the communication module 20 associated with Charlie communicates to Alice data for the third elliptic curve E c , the third intermediate elliptic curve E BC , the third auxiliary points Φ Ο Α ) > Φ Ο ( ( 1 Α ), 0C(¾) < 0C ((?B) > an d the third intermediate auxiliary points 0 bc (0B(¾)), 0BC W>B ((^)) - [0094] At block 522, the processor 26 associated with Alice determines a first intermediate kernel using the first scalars and some of the third auxiliary points as K AC = m A 0 C (¾) + N A 0c(<?4) . an d uses the first intermediate kernel and the third elliptic curve to determine a first intermediate elliptic curve E AC = E C /(K AC ). At block 522, the processor 26 associated with Alice determines first intermediate auxiliary points using the third auxiliary points under Alice's isogeny, mapping from E c , φ Αα φ α as ΦΜ^ Β ^' Φ Α ^Φ^ Β ) <≡ E AC . At block 526, the processor 26 associated with Alice determines a first resultant kernel using the first scalars and the third intermediate auxiliary points as K BCA = m A 0BC(0B (¾)) + N A · 0BC(0B ((?A)) > an d uses the first resultant kernel and the third intermediate elliptic curve to determine a first resultant elliptic curve as E BCA = E BC /(K BCA ). At block 528, the processor 26 associated with Alice determines the common key k = j(E BCA ), using the /-invariant of the first resultant elliptic curve E BCA . At block 530, the communication module 20 associated with Alice communicates to Bob data for the first intermediate elliptic curve E AC , and first intermediate auxiliary points

[0095] At block 532, the processor 26 associated with Bob determines a second resultant kernel using the second scalars and the first intermediate auxiliary points as K ACB = m B 04c(0c( p s)) + N B 04c(0c(<?s)). an d uses the second resultant kernel and the first intermediate elliptic curve to determine a second resultant elliptic curve as E ACB = E AC /(K ACB ). At block 534, the processor 26 associated with Bob determines the common key k = j(E ACB ), using the j- invariant of the second resultant elliptic curve E ACB .

[0096] The present embodiments, based on isogenies, provide the option of using public keys as ephemeral keys or as static keys. In some cases, using a static key can also have the advantage of being certifiable.

[0097] There are numerous possible applications for the embodiments of the three-party ECC scheme described herein; for example, Kerberos authentication protocol, or any other security protocol that requires a third party.

[0098] It is be appreciated that present embodiments described herein as applied to a three- party supersingular elliptic curve cryptography key agreement scheme can be extended by a person skilled in the art to a supersingular elliptic curve cryptography key agreement scheme having four or more parties.

[0099] Although the invention has been described with reference to certain specific

embodiments, various other aspects, advantages and modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto. The entire disclosures of all references recited above are incorporated herein by reference.