Collusion Resistant Revocable Ring Signatures and Group Signatures from Hard Homogeneous Spaces
Both ring signatures and group signatures are useful privacy tools, allowing signers to hide their identities
within a set of other public keys, while allowing their signatures to be validated with respect to the entire
set. Group signature schemes and revocable ring signature schemes both provide the additional ability for
certain authorized members to revoke the anonymity on a signature and reveal the true signer—allowing
management of abuse in the scheme. This work consists of two parts. Firstly, we introduce a stronger security
notion—collusion resistance—for revocable ring signatures and show how to derive a group signature
scheme from it, which provides a new approach to obtaining group signatures. This improves on the existing
weak security model (e.g. with selfless anonymity) which fails to guarantee anonymity of members whose
keys are exposed. Our stronger notion requires that the scheme remains secure against full key exposure
in the anonymity game, and allows collusion among arbitrary members in the revocability game. Secondly
(and more concretely), we construct a practical collusion-resistant revocable ring signature scheme based on
hard homogeneous spaces (HHS), and thus obtain a group signature scheme based on isogenies. To the best
of our knowledge, the schemes given in this work are the first efficient post-quantum (collusion-resistant)
revocable ring signature scheme and the first efficient isogeny-based group signature scheme in the literature.
Hard Homogeneous Spaces from the Class Field Theory of Imaginary Hyperelliptic Function Fields
We explore algorithmic aspects of a free and transitive commutative group action
coming from the class field theory of imaginary hyperelliptic function fields.
Namely, the Jacobian of an imaginary hyperelliptic curve defined over
acts on a subset of isomorphism classes of Drinfeld modules. We
describe an algorithm to compute the group action efficiently. This is a
function field analog of the Couveignes-Rostovtsev-Stolbunov group action. Our
proof-of-concept C++/NTL implementation only requires a fraction of a second on
a standard computer. Also, we state a conjecture — supported by experiments
— which implies that the current fastest algorithm to solve its inverse
problem runs in exponential time. This action is therefore a promising candidate
for the construction of Hard Homogeneous Spaces, which are the building
blocks of several post-quantum cryptographic protocols. This demonstrates the
relevance of using imaginary hyperelliptic curves and Drinfeld modules as an
alternative to the standard setting of imaginary quadratic number fields and
elliptic curves for isogeny-based cryptographic applications. Moreover, our
function field setting enables the use of Kedlaya's algorithm and its variants
for computing the order of the group in polynomial time when is fixed. No
such polynomial-time algorithm for imaginary quadratic number fields is known.
For and parameters similar to CSIDH-512, we compute this order more than
8500 times faster than the record computation for CSIDH-512 by Beullens,
Kleinjung and Vercauteren.
CSIDH on the surface
For primes p ≡ 3 (mod 4), we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring Z[(1+√−p)/2], amounts to just a few sign switches in the underlying arithmetic. If p ≡ 7 (mod 8) then horizontal 2-isogenies can be used to help compute the class group action. The formulas we derive for these 2-isogenies are very efficient (they basically amount to a single exponentiation in F_p) and allow for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This improvement is completely orthogonal to all previous speed-ups, constant-time measures and constructions of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the surface gets rid of the redundant factor Z_3 of the acting ideal-class group, which is present in the case of CSIDH and offers no extra security.
Threshold Schemes from Isogeny Assumptions
We initiate the study of threshold schemes based on the Hard Homogeneous Spaces (HHS) framework of Couveignes. Quantum-resistant HHS based on supersingular isogeny graphs have recently become usable thanks to the record class group precomputation performed for the signature scheme CSI-FiSh.
Using the HHS equivalent of the technique of Shamir's secret sharing in the exponents, we adapt isogeny-based schemes to the threshold setting. In particular we present threshold versions of the CSIDH public key encryption and the CSI-FiSh signature schemes.
The main highlight is a threshold version of CSI-FiSh which runs almost as fast as the original scheme, for message sizes as low as 1880 B, public key sizes as low as 128 B, and thresholds up to 56; other speed-size-threshold compromises are possible.
Post-Quantum Cryptography from Supersingular Isogenies (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)
This paper is based on a presentation made at the RIMS conference on “Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties”, the so-called “Supersingular 2020”. Post-quantum cryptography refers to next-generation public-key cryptosystems that resist cryptanalysis by both classical and quantum computers. Isogenies between supersingular elliptic curves provide one promising candidate, called isogeny-based cryptography. In this paper, we give an introduction to two isogeny-based key exchange protocols, SIDH [17] and CSIDH [2], which are regarded as the standard protocols in the subject so far. Moreover, we briefly explain our recent result [24] on cycles in the isogeny graphs used in some parameter sets of SIKE, a key encapsulation mechanism based on SIDH.
One-Round Authenticated Group Key Exchange from Isogenies
We propose two one-round authenticated group key exchange protocols from newly employed cryptographic invariant maps (CIMs): one is
secure in the quantum random oracle model and the other is secure against maximum exposure, where a non-trivial combination of secret
keys is revealed. The security of the former (resp. latter) is proved under the n-way decisional Diffie-Hellman (resp. n-way gap Diffie-Hellman) assumption on the CIMs in the quantum random (resp. random) oracle model.
We instantiate the proposed protocols on hard homogeneous spaces, with the limitation that the user group has only two members. In particular, the protocols instantiated using the CSIDH (commutative supersingular isogeny Diffie-Hellman) key exchange are
currently more realistic than the general n-party CIM-based ones because CSIDH is implementable. Our two-party one-round protocols are secure against quantum adversaries.
Rational isogenies from irrational endomorphisms
In this paper, we introduce a polynomial-time algorithm to compute a connecting -ideal between two supersingular elliptic curves over with common -endomorphism ring , given a description of their full endomorphism rings. This algorithm provides a reduction of the security of the CSIDH cryptosystem to the problem of computing endomorphism rings of supersingular elliptic curves. A similar reduction for SIDH appeared at Asiacrypt 2016, but relies on totally different techniques. We also show that any supersingular elliptic curve constructed using the complex-multiplication method can be located precisely in the supersingular isogeny graph by explicitly deriving a path to a known base curve. This result rules out the use of such curves as a building block for a hash function into the supersingular isogeny graph.
A Like ELGAMAL Cryptosystem But Resistant To Post-Quantum Attacks
The Modulo 1 Factoring Problem (M1FP) is an elegant mathematical problem which could be exploited to design cryptographic protocols and encryption schemes that resist post-quantum attacks. The ElGamal encryption scheme is a well-known and efficient public-key algorithm designed by Taher ElGamal on the basis of the discrete logarithm problem. After many years it is still widely used in Internet security and many other applications. However, the imminent arrival of quantum computing threatens the security of the ElGamal cryptosystem and forces cryptologists to prepare algorithms resilient to quantum-computer-based attacks. In this paper we present an ElGamal-like cryptosystem based on the M1FP NP-hard problem. This encryption scheme is very simple but efficient and is believed to be resistant to post-quantum attacks.
An Algorithm for Ennola's Second Theorem and Counting Smooth Numbers in Practice
Let count the number of positive integers such that
every prime divisor of is at most . Given inputs and , what is
the best way to estimate ? We address this problem in three ways:
with a new algorithm to estimate , with a performance improvement to
an established algorithm, and with empirically based advice on how to choose an
algorithm to estimate for the given inputs.
Our new algorithm to estimate is based on Ennola's second theorem
[Ennola69], which applies when .
It takes arithmetic operations of precomputation and operations per evaluation of .
We show how to speed up Algorithm HT, which is based on the saddle-point
method of Hildebrand and Tenenbaum [1986], by a factor proportional to
, by applying Newton's method in a new way.
And finally we give our empirical advice based on five algorithms to compute
estimates for . The challenge here is that the boundaries of the
ranges of applicability, as given in theorems, often include unknown constants
or small values of , for example, that cannot be programmed
directly.
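Any estimate of the smooth-number count has to be judged against the exact value, and for parameter choices in sieving-based factoring and discrete-logarithm algorithms the exact count is what is ultimately wanted. The following is an added example, not one of the paper's estimation algorithms. It writes Psi(x, y) for the number of positive integers n <= x all of whose prime factors are at most y (the standard notation, assumed here because the extracted abstract above lost its symbols) and computes it exactly in two ways: a largest-prime-factor sieve, and the recurrence Psi(x, p_k) = Psi(x, p_{k-1}) + Psi(x / p_k, p_k) over the primes p_1 < ... < p_k <= y. Both are far too slow for the ranges where the estimates above are used, which is the point of estimating at all.

```python
"""Exact computation of Psi(x, y), the number of y-smooth integers n <= x.

Added example (not the paper's algorithm). Psi(x, y) is the standard name for
the count of n <= x whose prime factors are all <= y. Two exact methods:
  * psi_sieve: mark every n <= x with its largest prime factor, then count.
  * psi_recursive: Psi(x, p_k) = Psi(x, p_{k-1}) + Psi(floor(x / p_k), p_k),
    since a p_k-smooth n is either p_{k-1}-smooth or equals p_k * m with m
    p_k-smooth and m <= x / p_k.  Base cases: Psi(x, 1) = 1 (only n = 1) for
    x >= 1, and Psi(x, y) = 0 for x < 1.
Both cost time growing with x, so they serve as ground truth for small inputs.
"""
from functools import lru_cache


def primes_upto(n: int) -> list:
    """Primes <= n by a plain sieve of Eratosthenes."""
    if n < 2:
        return []
    flags = bytearray([1]) * (n + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(n ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i, f in enumerate(flags) if f]


def psi_sieve(x: int, y: int) -> int:
    """Psi(x, y) via a largest-prime-factor sieve over 1..x."""
    x = int(x)
    if x < 1:
        return 0
    largest = [0] * (x + 1)
    for p in primes_upto(x):
        for m in range(p, x + 1, p):
            largest[m] = p      # later (larger) primes overwrite earlier ones
    largest[1] = 1              # n = 1 has no prime factors and is y-smooth for every y >= 1
    return sum(1 for n in range(1, x + 1) if largest[n] <= y)


def psi_recursive(x: int, y: int) -> int:
    """Psi(x, y) via the recurrence on the largest allowed prime, memoised on (x, k).

    Recursion depth is about (number of primes <= y) + log_2(x); keep y modest.
    """
    ps = primes_upto(min(int(x), int(y)))   # primes > x never divide an n <= x

    @lru_cache(maxsize=None)
    def rec(x: int, k: int) -> int:
        # Count n <= x whose prime factors all lie in ps[:k].
        if x < 1:
            return 0
        if k == 0:
            return 1                        # only n = 1
        p = ps[k - 1]
        return rec(x, k - 1) + rec(x // p, k)

    return rec(int(x), len(ps))


def cross_check(max_x: int = 300, ys: tuple = (2, 3, 5, 10, 30, 300)) -> bool:
    """Both exact methods agree on a small grid; returns True on success."""
    return all(psi_sieve(x, y) == psi_recursive(x, y)
               for y in ys for x in range(1, max_x + 1, 7))


if __name__ == "__main__":
    print(psi_sieve(100, 10), psi_recursive(100, 10))  # 46 46
    print(cross_check())                                # True
```

For y >= x every n <= x is y-smooth, so Psi(x, y) = floor(x); for y = 2 the smooth numbers are the powers of two, so Psi(x, 2) = 1 + floor(log_2 x). Checking an implementation against these two boundary cases catches most off-by-one errors in the base cases of the recurrence.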