Ring-LWE Cryptography for the Number Theorist
In this paper, we survey the status of attacks on the ring and polynomial
learning with errors problems (RLWE and PLWE). Recent work on the security of
these problems [Eisentr\"ager-Hallgren-Lauter, Elias-Lauter-Ozman-Stange] gives
rise to interesting questions about number fields. We extend these attacks and
survey related open problems in number theory, including spectral distortion of
an algebraic number and its relationship to Mahler measure, the monogenic
property for the ring of integers of a number field, and the size of elements
of small order modulo q.
Comment: 20 Page
Formalized Class Group Computations and Integral Points on Mordell Elliptic Curves
Diophantine equations are a popular and active area of research in number
theory. In this paper we consider Mordell equations, which are of the form
, where is a (given) nonzero integer and all solutions in
integers and have to be determined. One non-elementary approach to
this problem is the resolution via descent and class groups. Along these lines
we formalized in Lean 3 the resolution of Mordell equations for several
instances of . In order to achieve this, we needed to formalize several
other theories from number theory that are interesting on their own as well,
such as ideal norms, quadratic fields and rings, and explicit computations of
the class number. Moreover, we introduced new computational tactics in order to
carry out efficiently computations in quadratic rings and beyond.
Comment: 14 pages. Submitted to CPP '23. Source code available at
https://github.com/lean-forward/class-group-and-mordell-equatio
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.
Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figure
The endomorphism ring problem and supersingular isogeny graphs
Supersingular isogeny graphs, which encode supersingular elliptic curves and their isogenies, have recently formed the basis for a number of post-quantum cryptographic protocols. The study of supersingular elliptic curves and their endomorphism rings has a long history and is intimately related to the study of quaternion algebras and their maximal orders. In this thesis, we give a treatment of the theory of quaternion algebras and elliptic curves over finite fields as these relate to supersingular isogeny graphs and computational problems on such graphs, in particular consolidating and surveying results in the research literature. We also perform some numerical experiments on supersingular isogeny graphs and establish a number of refined upper bounds on supersingular elliptic curves with small non-integer endomorphisms.
DoubleMod and SingleMod: Simple Randomized Secret-Key Encryption with Bounded Homomorphicity
An encryption relation $f: \mathbb{Z} \to \mathbb{Z}$ with decryption function $f^{-1}$ is “group-homomorphic”
if, for any suitable plaintexts $x_1$ and $x_2$, $x_1 + x_2 = f^{-1}(f(x_1) + f(x_2))$. It is “ring-homomorphic”
if furthermore $x_1 x_2 = f^{-1}(f(x_1) f(x_2))$; it is “field-homomorphic” if furthermore $1/x_1 =
f^{-1}(f(1/x_1))$. Such relations would support oblivious processing of encrypted data.
We propose a simple randomized encryption relation $f$ over the integers, called
DoubleMod, which is “bounded ring-homomorphic” or what some call “somewhat homomorphic.”
Here, “bounded” means that the number of additions and multiplications that can
be performed, while not allowing the encrypted values to go out of range, is limited (any
pre-specified bound on the operation-count can be accommodated). Let $R$ be any large integer.
For any plaintext $x \in \mathbb{Z}_R$, DoubleMod encrypts $x$ as $f(x) = x + au + bv$, where $a$
and $b$ are randomly chosen integers in some appropriate interval, while $(u, v)$ is the secret
key. Here $u > R^2$ is a large prime and the smallest prime factor of $v$ exceeds $u$. With
knowledge of the key, but not of $a$ and $b$, the receiver decrypts the ciphertext by computing
$f^{-1}(y) = (y \bmod v) \bmod u$.
DoubleMod generalizes an independent idea of van Dijk et al. 2010. We present and
refine a new CCA1 chosen-ciphertext attack that finds the secret key of both systems (ours
and van Dijk et al.’s) in linear time in the bit length of the security parameter. Under a
known-plaintext attack, breaking DoubleMod is at most as hard as solving the Approximate
GCD (AGCD) problem. The complexity of AGCD is not known.
We also introduce the SingleMod field-homomorphic cryptosystems. The simplest
SingleMod system based on the integers can be broken trivially. We had hoped that if
SingleMod is implemented inside non-Euclidean quadratic or higher-order fields with large
discriminants, where GCD computations appear difficult, it may be feasible to achieve a
desired level of security. We show, however, that a variation of our chosen-ciphertext attack
works against SingleMod even in non-Euclidean fields.