Construction of secure random curves of genus 2 over prime fields
For counting points of Jacobians of genus 2 curves defined over large prime fields, the best known method is a variant of Schoof's algorithm. We present several improvements on the algorithms described by Gaudry and Harley in 2000. In particular we rebuild the symmetry that had been broken by the use of Cantor's division polynomials and design a faster division by 2 and a division by 3. Combined with the algorithm by Matsuo, Chao and Tsujii, our implementation can count the points on a Jacobian of size 164 bits within about one week on a PC.
The Q-curve construction for endomorphism-accelerated elliptic curves
We give a detailed account of the use of -curve reductions to
construct elliptic curves over with efficiently computable
endomorphisms, which can be used to accelerate elliptic curve-based
cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and
Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case
of our construction), we offer the advantage over GLV of selecting from a much
wider range of curves, and thus finding secure group orders when is fixed
for efficient implementation. Unlike GLS, we also offer the possibility of
constructing twist-secure curves. We construct several one-parameter families
of elliptic curves over equipped with efficient
endomorphisms for every p > 3, and exhibit examples of
twist-secure curves over for the efficient Mersenne prime
.
Comment: To appear in the Journal of Cryptology. arXiv admin note: text
overlap with arXiv:1305.540
Constructing Permutation Rational Functions From Isogenies
A permutation rational function is a rational function
that induces a bijection on , that is, for all
there exists exactly one such that . Permutation
rational functions are intimately related to exceptional rational functions,
and more generally exceptional covers of the projective line, of which they
form the first important example.
In this paper, we show how to efficiently generate many permutation rational
functions over large finite fields using isogenies of elliptic curves, and
discuss some cryptographic applications. Our algorithm is based on Fried's
modular interpretation of certain dihedral exceptional covers of the projective
line (Cont. Math., 1994).
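As an added illustration of the definition above, and not code from the paper (its isogeny-based construction is not implemented here): a brute-force checker for whether a rational function permutes the projective line over a small prime field. Working on P^1(F_p) rather than on F_p alone, so that poles and the point at infinity are handled explicitly, is a convention assumed here, as is the coefficient-list representation of polynomials.

```python
"""Brute-force test of the permutation property of a rational function.

Added example (not code from the paper): f = num/den over F_p is evaluated
at every point of the projective line P^1(F_p), the point at infinity
included, and f permutes P^1(F_p) iff the p+1 images are pairwise distinct.
Polynomials are coefficient lists, lowest degree first (an assumed format).
"""
INF = "inf"   # the point at infinity of P^1(F_p)


def poly_eval(coeffs, x, p):
    """Horner evaluation of sum(c_i * x^i) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def normalize(coeffs, p):
    """Reduce mod p and drop leading zeros (keep at least one coefficient)."""
    c = [v % p for v in coeffs]
    while len(c) > 1 and c[-1] == 0:
        c.pop()
    return c


def rational_eval(num, den, x, p):
    """Value of num/den at x in P^1(F_p).

    A common factor of num and den with no root in F_p changes neither the
    finite values nor the value at infinity (degree difference and leading
    coefficient ratio are preserved); a common root in F_p is reported as
    an error so the caller reduces the fraction instead of getting 0/0.
    """
    num, den = normalize(num, p), normalize(den, p)
    if den == [0]:
        raise ValueError("denominator is the zero polynomial")
    if x == INF:
        dn, dd = len(num) - 1, len(den) - 1
        if dn > dd:
            return INF
        if dn < dd:
            return 0
        return num[-1] * pow(den[-1], -1, p) % p
    n, d = poly_eval(num, x, p), poly_eval(den, x, p)
    if d == 0:
        if n == 0:
            raise ValueError("num and den share the root %d; reduce first" % x)
        return INF
    return n * pow(d, -1, p) % p


def is_permutation_rational_function(num, den, p):
    """True iff x -> num(x)/den(x) is a bijection of P^1(F_p)."""
    domain = list(range(p)) + [INF]
    images = {rational_eval(num, den, x, p) for x in domain}
    return len(images) == len(domain)


if __name__ == "__main__":
    print(is_permutation_rational_function([1, 1], [2, 1], 7))     # (x+1)/(x+2) over F_7
    print(is_permutation_rational_function([0, 0, 0, 1], [1], 5))  # x^3 over F_5
    print(is_permutation_rational_function([0, 0, 0, 1], [1], 7))  # x^3 over F_7
```

Any Möbius map (ax+b)/(cx+d) with ad - bc ≠ 0 passes, and x^k passes exactly when gcd(k, p-1) = 1; exhaustive checking costs p+1 evaluations and is only feasible for small p, which is why constructive families such as the isogeny-based one of the paper matter at cryptographic sizes.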
Efficient Multi-Point Local Decoding of Reed-Muller Codes via Interleaved Codex
Reed-Muller codes are among the most important classes of locally correctable
codes. Currently local decoding of Reed-Muller codes is based on decoding on
lines or quadratic curves to recover one single coordinate. To recover multiple
coordinates simultaneously, the naive way is to repeat the local decoding for
recovery of a single coordinate. This decoding algorithm might be more
expensive, i.e., require higher query complexity. In this paper, we focus on
Reed-Muller codes with usual parameter regime, namely, the total degree of
evaluation polynomials is , where is the code alphabet size
(in fact, can be as big as in our setting). By introducing a novel
variation of codex, i.e., interleaved codex (the concept of codex has been used
for arithmetic secret sharing [C11, CCX12]), we are able to locally recover
arbitrarily large number of coordinates of a Reed-Muller code
simultaneously at the cost of querying coordinates. It turns out that
our local decoding of Reed-Muller codes shows (perhaps surprisingly) that
accessing locations is in fact cheaper than repeating the procedure for
accessing a single location for times. Our estimation of success error
probability is based on error probability bound for -wise linearly
independent variables given in [BR94].
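The line-based local decoder that the abstract takes as its starting point, as an added example that is not code from the paper and does not implement its interleaved-codex technique: a polynomial of total degree d < p in m variables is evaluated on F_p^m, a few coordinates are corrupted (constructed noise), and a single coordinate f(a) is recovered by reading d+1 points on a random line through a, interpolating the univariate restriction at t = 0, and majority-voting over several lines. The naive multi-point decoder simply repeats this per coordinate. The parameters p = 11, m = 2, d = 3, the number of corrupted positions and the vote count are choices made here.

```python
"""Local decoding of one Reed-Muller coordinate by interpolating on lines.

Added example (not code from the paper). Codewords of RM over F_p with m
variables and total degree d < p are evaluation tables on F_p^m; f(a) is
recovered from d+1 queries on a random line through a, repeated and voted.
"""
import random
from collections import Counter
from itertools import product


def eval_poly(poly, point, p):
    """Evaluate poly = {exponent tuple: coeff} at a point of F_p^m."""
    total = 0
    for exps, coeff in poly.items():
        term = coeff
        for x, e in zip(point, exps):
            term = term * pow(x, e, p) % p
        total = (total + term) % p
    return total


def encode_rm(poly, m, p):
    """Reed-Muller codeword: the full evaluation table of poly on F_p^m."""
    return {pt: eval_poly(poly, pt, p) for pt in product(range(p), repeat=m)}


def interpolate_at_zero(ts, ys, p):
    """Lagrange interpolation: value at t = 0 of the unique polynomial of
    degree < len(ts) through (t_i, y_i), the t_i distinct and nonzero."""
    total = 0
    for i, (ti, yi) in enumerate(zip(ts, ys)):
        num, den = 1, 1
        for j, tj in enumerate(ts):
            if j != i:
                num = num * (-tj) % p
                den = den * (ti - tj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def local_decode(word, a, d, p, trials, rng):
    """Recover coordinate f(a) of a possibly corrupted RM codeword.

    Each trial draws a direction b != 0, reads f at d+1 points a + t*b with
    distinct nonzero t (so a itself is never read), and interpolates the
    degree-d restriction g(t) = f(a + t*b) at t = 0. A trial errs only if
    one of its d+1 queries hit a corrupted coordinate; the vote fixes that.
    """
    m = len(a)
    votes = Counter()
    for _ in range(trials):
        b = tuple(rng.randrange(p) for _ in range(m))
        while not any(b):                       # reject the zero direction
            b = tuple(rng.randrange(p) for _ in range(m))
        ts = rng.sample(range(1, p), d + 1)
        ys = [word[tuple((ai + t * bi) % p for ai, bi in zip(a, b))] for t in ts]
        votes[interpolate_at_zero(ts, ys, p)] += 1
    return votes.most_common(1)[0][0]


def local_decode_many(word, targets, d, p, trials, rng):
    """The naive multi-point decoder: repeat the single-point procedure,
    paying trials*(d+1) queries for every recovered coordinate."""
    return {a: local_decode(word, a, d, p, trials, rng) for a in targets}


def demo(seed=7):
    """Constructed instance: p=11, m=2, d=3; 3 of the 121 coordinates corrupted."""
    p, m, d = 11, 2, 3
    rng = random.Random(seed)
    poly = {(3, 0): 2, (1, 2): 5, (0, 1): 7, (0, 0): 1}   # total degree 3
    word = encode_rm(poly, m, p)
    received = dict(word)
    for pt in rng.sample(sorted(word), 3):
        received[pt] = (word[pt] + rng.randrange(1, p)) % p   # guaranteed change
    targets = [(0, 0), (4, 7), (10, 3)]
    decoded = local_decode_many(received, targets, d, p, 21, rng)
    truth = {a: word[a] for a in targets}
    return decoded, truth


if __name__ == "__main__":
    print(demo())
```

With 3 corrupted positions out of 121 and 4 queries per trial, a trial is wrong with probability at most 4 * 3/120 = 0.1, so a 21-trial majority is correct except with negligible probability; recovering k coordinates this way costs k times that, which is the baseline the paper's multi-point decoder improves on.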
(2,1)-separating systems beyond the probabilistic bound
Building on previous results of Xing, we give new lower bounds on the rate of
intersecting codes over large alphabets. The proof is constructive, and uses
algebraic geometry, although nothing beyond the basic theory of linear systems
on curves. Then, using these new bounds within a concatenation argument, we
construct binary (2,1)-separating systems of asymptotic rate exceeding the one
given by the probabilistic method, which was the best lower bound available up
to now. This answers (negatively) the question of whether this probabilistic
bound was exact, which has remained open for more than 30 years. (By the way,
we also give a formulation of the separation property in terms of metric
convexity, which may be an inspirational source for new research problems.)
Comment: Version 7 is a shortened version, so that numbering should match with
the journal version (to appear soon). Material on convexity and separation in
discrete and continuous spaces has been removed. Readers interested in this
material should consult version 6 instead.
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.
Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figures.
A Generic Approach to Searching for Jacobians
We consider the problem of finding cryptographically suitable Jacobians. By
applying a probabilistic generic algorithm to compute the zeta functions of low
genus curves drawn from an arbitrary family, we can search for Jacobians
containing a large subgroup of prime order. For a suitable distribution of
curves, the complexity is subexponential in genus 2, and O(N^{1/12}) in genus
3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime
fields with group orders over 180 bits in size, improving previous results. Our
approach is particularly effective over low-degree extension fields, where in
genus 2 we find Jacobians over F_{p^2} and trace zero varieties over F_{p^3}
with near-prime orders up to 372 bits in size. For p = 2^{61}-1, the average
time to find a group with 244-bit near-prime order is under an hour on a PC.
Comment: 22 pages, to appear in Mathematics of Computation.
Discrete logarithms in curves over finite fields
A survey on algorithms for computing discrete logarithms in Jacobians of
curves over finite fields.