Cryptography Engineer

Here's something counterintuitive to non-practitioners: curve P-521 is often less secure in practice than curve P-256.

The latter is more popular, and so better tested. The risk of implementation bugs dwarfs the risk of partial cryptanalysis of ECC, so picking P-521 optimizes for the wrong thing.

This is, honestly, the best discussion of post-quantum TLS that you’ll find https://securitycryptographywhatever.com/2025/03/23/picking-quantum-resistant-algorithms/

Nearly finished! "Modeling and Analyzing Security Protocols with Tamarin: A Comprehensive Guide" (Basin, Cremers, Dreier, and Sasse) will be published by Springer in the near future.

I'm very happy to announce that a full draft of our book is now available for download at https://tamarin-prover.com/book/

The Tamarin prover is a security protocol verification tool that supports both falsification and unbounded verification in the symbolic model.
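As an added illustration of the two modes named above (falsification and unbounded verification in the symbolic model), here is a small theory written for this page; it is not from the book or from the Tamarin project, and every fact and rule name in it (SharedKey, Sent, KeyReveal) is made up for the example. A sender encrypts a fresh nonce under a shared key that the adversary may separately learn; the first lemma is falsified by a key-reveal-then-decrypt trace, the second is proven for an unbounded number of sessions.

```tamarin
theory NonceSecrecyExample
begin

/* Equational theory for senc/sdec comes with the builtin. */
builtins: symmetric-encryption

/* Generate a fresh shared key k. The '!' marks a persistent fact,
   so any number of sessions may use it. */
rule Setup_key:
    [ Fr(~k) ]
  -->
    [ !SharedKey(~k) ]

/* One session: pick a fresh nonce n and send it encrypted under k.
   Sent(k, n) is an action fact that the lemmas below refer to. */
rule Send_nonce:
    [ Fr(~n), !SharedKey(k) ]
  --[ Sent(k, ~n) ]->
    [ Out(senc(~n, k)) ]

/* Adversary capability: a long-term key may leak.
   KeyReveal(k) records that it happened. */
rule Reveal_key:
    [ !SharedKey(k) ]
  --[ KeyReveal(k) ]->
    [ Out(k) ]

/* Falsification: this lemma is false. Tamarin finds the trace
   Setup_key, Reveal_key, Send_nonce, then sdec(senc(n,k), k) = n
   gives the adversary K(n). */
lemma nonce_secret_naive:
  "All k n #i. Sent(k, n) @ #i ==> not (Ex #j. K(n) @ #j)"

/* Unbounded verification: the nonce stays secret unless the key
   used for that session was revealed. Proven for any number of
   keys and sessions, not just a bounded instance. */
lemma nonce_secret_unless_reveal:
  "All k n #i. Sent(k, n) @ #i
     ==> (not (Ex #j. K(n) @ #j)) | (Ex #r. KeyReveal(k) @ #r)"

end
```

Run it with `tamarin-prover --prove nonce_secrecy_example.spthy` (filename assumed); the output shows the first lemma with a counterexample trace and the second as verified.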

LMS
This totally changes my understanding of the "constant time" definition :)

This is a useful podcast on this topic: https://oxide-and-friends.transistor.fm/episodes/intel-after-gelsinger

(And I can certainly recommend Chip Wars, as they do.)

I hate how much the NSA will sing the "I told you so" song, due to utter chaos caused by composite classic/PQC algorithms.
#eprint Revision of The module action for isogeny based cryptography by Damien Robert (https://ia.cr/2024/1556)

We extend the usual ideal action on oriented elliptic curves to a (Hermitian) module action on oriented (polarised) abelian varieties. Oriented abelian varieties are naturally enriched in $R$-modules, and our module action comes from the canonical power object construction on categories enriched in a closed symmetric monoidal category. In particular our action is canonical and gives a fully fledged symmetric monoidal action. Furthermore, we give algorithms to compute this action in practice, generalising the usual algorithms in rank~$1$. The action allows us to unify in the same framework, on the one hand isogeny based cryptography based on ordinary or oriented elliptic curves, and on the other hand the one based on supersingular elliptic curves defined over $\mathbb{F}_{p^2}$. In particular, from our point of view, supersingular elliptic curves over $\mathbb{F}_p$ are given by a rank~$1$ module action, while (the Weil restriction) of those defined over $\mathbb{F}_{p^2}$ are given by a rank~$2$ module action. As a consequence, rank~$2$ module action inversion is at least as hard as the supersingular isogeny path problem. We thus propose to use Hermitian modules as an avatar of a cryptographic symmetric monoidal action framework. This generalizes the more standard cryptographic group action framework, and still allows for a NIKE (Non Interactive Key Exchange). The main advantage of our action is that, presumably, Kuperberg's algorithm does not apply. Compared to CSIDH, this allows for more compact keys and much better scaling properties. In practice, we propose the key exchange scheme $\otimes$-MIKE (Tensor Module Isogeny Key Exchange). Alice and Bob start from a supersingular elliptic curve $E_0/\mathbb{F}_p$ and both compute a $2^n$-isogeny over $\mathbb{F}_{p^2}$. They each send the $j$-invariant of their curve. Crucially, unlike SIDH, no torsion information at all is required. 
Their common secret, given by the module action, is then a dimension~$4$ principally polarised abelian variety. We obtain a very compact post-quantum NIKE: only 64B for NIST level~$1$ security.

IACR Cryptology ePrint Archive
PQC Digital Signature Second Round Announcement | CSRC

NIST publishes NIST Internal Report (IR) 8528, Status Report on the First Round of the Additional Digital Signature Schemes for the NIST Post-Quantum Cryptography Standardization Process.