
    Cryptographic Group and Semigroup Actions

    We consider actions of a group or a semigroup on a set, which generalize the setup of discrete logarithm based cryptosystems. Such cryptographic group actions have gained increasing attention recently in the context of isogeny-based cryptography. We introduce generic algorithms for the semigroup action problem and discuss lower and upper bounds. Also, we investigate Pohlig-Hellman type attacks in a general sense. In particular, we consider reductions provided by non-invertible elements in a semigroup, and we deal with subgroups in the case of group actions.

    Some applications of higher dimensional isogenies to elliptic curves (overview of results)

    We give some applications of the embedding lemma. The first one is a polynomial time (in $\log q$) algorithm to compute the endomorphism ring $\mathrm{End}(E)$ of an ordinary elliptic curve $E/\mathbb{F}_q$, provided we are given the factorisation of $\Delta_\pi$. In particular, this computation can be done in quantum polynomial time. The second application is an algorithm to compute the canonical lift of $E/\mathbb{F}_q$, $q=p^n$ (still assuming that $E$ is ordinary), to precision $m$ in time $\tilde{O}(n m \log^{O(1)} p)$. We deduce a point counting algorithm of complexity $\tilde{O}(n^2 \log^{O(1)} p)$. In particular the complexity is polynomial in $\log p$, by contrast with what is usually expected of a $p$-adic cohomology computation. The third application is a quasi-linear CRT algorithm to compute Siegel modular polynomials of elliptic curves, which does not rely on any heuristic or conditional result (like GRH). We also outline how to generalize these algorithms to (ordinary) abelian varieties.

    Quantum Complexity for Discrete Logarithms and Related Problems

    This paper studies the quantum computational complexity of the discrete logarithm and related group-theoretic problems in the context of "generic algorithms", that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model, as a quantum analog of its classical counterpart. Shor's algorithm for the discrete logarithm problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and (almost) matching algorithms of the discrete logarithm and related problems in this model. More precisely, we prove the following results for a cyclic group $\mathcal G$ of prime order. (1) Any generic quantum discrete logarithm algorithm must make $\Omega(\log |\mathcal G|)$ depth of group operation queries. This shows that Shor's algorithm, which makes $O(\log |\mathcal G|)$ group operations, is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms. (2) We observe that some (known) variations of Shor's algorithm can take advantage of classical computations to reduce the number and depth of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms that captures these variants, and show that these algorithms are almost optimal in this model. Any generic hybrid quantum-classical algorithm for the discrete logarithm problem with a total number of (classical or quantum) group operations $Q$ must make $\Omega(\log |\mathcal G|/\log Q)$ quantum group operations of depth $\Omega(\log\log |\mathcal G| - \log\log Q)$. In particular, if $Q={\rm poly}\log |\mathcal G|$, classical group operations can only save the number of quantum queries by a factor of $O(\log\log |\mathcal G|)$ and the quantum depth remains as $\Omega(\log\log |\mathcal G|)$. (3) When the quantum memory can only store $t$ group elements and use quantum random access memory (qRAM) of $r$ group elements, any generic hybrid quantum-classical algorithm must make either $\Omega(\sqrt{|\mathcal G|})$ group operation queries in total or $\Omega(\log |\mathcal G|/\log (tr))$ quantum group operation queries. In particular, classical queries cannot reduce the number of quantum queries beyond $\Omega(\log |\mathcal G|/\log (tr))$. As a side contribution, we show that a multiple discrete logarithm problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocols.

    Quantum Complexity for Discrete Logarithms and Related Problems

    This paper studies the quantum computational complexity of the discrete logarithm (DL) and related group-theoretic problems in the context of generic algorithms, that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model. Shor's algorithm for the DL problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and almost matching algorithms of the DL and related problems in this model. More precisely, we prove the following results for a cyclic group $G$ of prime order.
    - Any generic quantum DL algorithm must make $\Omega(\log |G|)$ depth of group operations. This shows that Shor's algorithm is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms.
    - We observe that variations of Shor's algorithm can take advantage of classical computations to reduce the number of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms and show that these algorithms are almost optimal in this model. Any generic hybrid algorithm for the DL problem with a total number of group operations $Q$ must make $\Omega(\log |G|/\log Q)$ quantum group operations of depth $\Omega(\log\log |G| - \log\log Q)$.
    - When the quantum memory can only store $t$ group elements and use quantum random access memory of $r$ group elements, any generic hybrid algorithm must make either $\Omega(\sqrt{|G|})$ group operations in total or $\Omega(\log |G|/\log (tr))$ quantum group operations.
    As a side contribution, we show that a multiple DL problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocols.

    Jolt: Recovering TLS Signing Keys via Rowhammer Faults

    Digital signature schemes such as DSA, ECDSA, and RSA are widely deployed to protect the integrity of security protocols such as TLS, SSH, and IPsec. In TLS, for instance, RSA and (EC)DSA are used to sign the state of the agreed-upon protocol parameters during the handshake phase. Naturally, RSA and (EC)DSA implementations have become the target of numerous attacks, including powerful side-channel attacks. Hence, cryptographic libraries were patched repeatedly over the years. Here we introduce Jolt, a novel attack targeting signature scheme implementations. Our attack exploits faulty signatures gained by injecting faults during signature generation. By using the signature verification primitive, we correct faulty signatures and, in the process, deduce bits of the secret signing key. Compared to recent attacks that exploit single-bit biases in the nonce and require $2^{45}$ signatures, our attack requires less than a thousand faulty signatures for a 256-bit (EC)DSA. The performance improvement is due to the fact that our attack targets the secret signing key, which does not change across signing sessions. We show that the proposed attack also works on Schnorr and RSA signatures with minor modifications. We demonstrate the viability of Jolt by running experiments targeting TLS handshakes in common cryptographic libraries such as WolfSSL, OpenSSL, Microsoft SymCrypt, LibreSSL, and Amazon s2n. On our target platform, the online phase takes less than 2 hours to recover 192 bits of a 256-bit ECDSA key, which is sufficient for full key recovery. We note that while RSA signatures are protected in popular cryptographic libraries, OpenSSL remains vulnerable to double fault injection. We have also reviewed their Federal Information Processing Standard (FIPS) hardened versions, which are slightly less efficient but still vulnerable to our attack. We found that (EC)DSA signatures remain largely unprotected against software-only faults, posing a threat to real-life deployments such as TLS, and potentially other security protocols such as SSH and IPsec. This highlights the need for a thorough review and implementation of fault checking in security protocol implementations.

    Deuring for the People: Supersingular Elliptic Curves with Prescribed Endomorphism Ring in General Characteristic

    Constructing a supersingular elliptic curve whose endomorphism ring is isomorphic to a given quaternion maximal order (one direction of the Deuring correspondence) is known to be polynomial-time assuming the generalized Riemann hypothesis [KLPT14; Wes21], but notoriously daunting in practice when not working over carefully selected base fields. In this work, we speed up the computation of the Deuring correspondence in general characteristic, i.e., without assuming any special form of the characteristic. Our algorithm follows the same overall strategy as earlier works, but we add simple (yet effective) optimizations to multiple subroutines to significantly improve the practical performance of the method. To demonstrate the impact of our improvements, we show that our implementation achieves highly practical running times even for examples of cryptographic size. One implication of these findings is that cryptographic security reductions based on KLPT-derived algorithms (such as [EHLMP18; Wes22]) have become tighter, and therefore more meaningful in practice. Another is the pure bliss of fast(er) computer algebra: we provide a Sage implementation which works for general primes and includes many necessary tools for computational number theorists' and cryptographers' needs when working with endomorphism rings of supersingular elliptic curves. This includes the KLPT algorithm, translation of ideals to isogenies, and finding supersingular elliptic curves with known endomorphism ring for general primes. Finally, the Deuring correspondence has recently received increased interest because of its role in the SQISign signature scheme [DeF+20]. We provide a short and self-contained summary of the state-of-the-art algorithms without going into any of the cryptographic intricacies of SQISign.

    Towards a circular economy: fabrication and characterization of biodegradable plates from sugarcane waste

    Bagasse pulp is a promising material to produce biodegradable plates. Bagasse is the fibrous residue that remains after sugarcane stalks are crushed to extract their juice. It is a renewable resource and is widely available in many countries, making it an attractive alternative to traditional plastic plates. Recent research has shown that biodegradable plates made from bagasse pulp have several advantages over traditional plastic plates. For example, they are more environmentally friendly because they are made from renewable resources and can be composted after use. Additionally, they are safer for human health because they do not contain harmful chemicals that can leach into food. The production process for bagasse pulp plates is also relatively simple and cost-effective. Bagasse is first collected and then processed to remove impurities and extract the pulp. The pulp is then molded into the desired shape and dried to form a sturdy plate. Overall, biodegradable plates made from bagasse pulp are a promising alternative to traditional plastic plates. They are environmentally friendly, safe for human health, and cost-effective to produce. As such, they have the potential to play an important role in reducing plastic waste and promoting sustainable practices. Over the years, the world has not paid strict attention to the impact of rapid growth in plastic use. As a result, uncontrollable volumes of plastic garbage have been released into the environment. Half of all plastic garbage generated worldwide is made up of packaging materials. The purpose of this article is to offer an alternative by creating bioplastic goods that can be produced in various shapes and sizes across various sectors, including food packaging, single-use tableware, and crafts. Products made from bagasse help address the issue of plastic pollution. To find the optimum option for creating bagasse-based biodegradable dinnerware in Egypt and throughout the world, researchers tested various scenarios. The findings show that bagasse pulp may replace plastics in biodegradable packaging. As a result of this value-added utilization of natural fibers, less waste is generated and less of it ends up in landfills. The practical significance of this study is to help advance low-carbon economic solutions and to produce secure bioplastic materials that can replace Styrofoam in tableware and food packaging production.

    On the Multi-User Security of Short Schnorr Signatures with Preprocessing

    The Schnorr signature scheme is an efficient digital signature scheme with short signature lengths, i.e., $4k$-bit signatures for $k$ bits of security. A Schnorr signature $\sigma$ over a group of size $p\approx 2^{2k}$ consists of a tuple $(s,e)$, where $e \in \{0,1\}^{2k}$ is a hash output and $s\in \mathbb{Z}_p$ must be computed using the secret key. While the hash output $e$ requires $2k$ bits to encode, Schnorr proposed that it might be possible to truncate the hash value without adversely impacting security. In this paper, we prove that short Schnorr signatures of length $3k$ bits provide $k$ bits of multi-user security in (Shoup's) generic group model and the programmable random oracle model. We further analyze the multi-user security of key-prefixed short Schnorr signatures against preprocessing attacks, showing that it is possible to obtain secure signatures of length $3k + \log S$ bits. Here, $S$ denotes the size of the hint generated by our preprocessing attacker, e.g., if $S=2^{k/2}$, then we would obtain $3.5k$-bit signatures. Our techniques easily generalize to several other Fiat-Shamir-based signature schemes, allowing us to establish analogous results for Chaum-Pedersen signatures and Katz-Wang signatures. As a building block, we also analyze the $1$-out-of-$N$ discrete-log problem in the generic group model, with and without preprocessing.

    New Design and Analysis Techniques for Post-Quantum Cryptography

    Due to the threat of scalable quantum computation breaking existing public-key cryptography, interest in post-quantum cryptography has exploded in the past decade. There are two key aspects to the mitigation of the quantum threat. The first is to have a complete understanding of the capabilities of a quantum-enabled adversary and be able to predict the impact on the security of protocols. The second is to find suitable replacements for those protocols rendered insecure. In this thesis, we develop new techniques to help address these problems, in order to better prepare for the post-quantum era. Proofs in security models that consider quantum adversaries are notoriously more challenging compared to their classical analogues. The quantum random oracle model abstracts real-world hash functions to a black box, but allows for superposition queries. This model is important as it often makes possible the reduction of the security of a protocol to the hardness of an underlying hard problem. We prove several results about the model itself. We provide upper and lower bounds on the ability of the adversary to find collisions in non-uniform functions in this model. We also compare the quantum random oracle model to the classical random oracle model and establish that a key aspect of their relationship to the standard model is unchanged. We also develop a way to model a new security property (dubbed quantum annoyingness) that considers the security of classical password-authenticated key exchange schemes in the presence of quantum adversaries, and prove the security of a recently standardized protocol in this model. For the second problem, we show how established post-quantum problems can be used to build protocols beyond key establishment and signing. We look at two protocols, key-blinded signatures and updatable public-key encryption, which are variants of signature and key-establishment protocols. We show how these protocols can be instantiated by modifying existing post-quantum signature and key-establishment protocols. Both of these protocols were originally built relying heavily on the structure of the discrete logarithm problem. In instantiating the schemes with post-quantum assumptions, we also highlight how alternative mathematical structures can be adapted to achieve the same results. Finally, we provide proofs, implementations, and performance metrics for these instantiations.