7,756 research outputs found
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols are recently proposed with a
wide variety of new novel applications including the ones in emerging
technologies like cloud computing, internet of things (IoT), e-health systems
and wearable technologies. There have been however a wide range of incorrect
use of these primitives. The paper of Galbraith, Paterson, and Smart (2006)
pointed out most of the issues related to the incorrect use of pairing-based
cryptography. However, we noticed that some recently proposed applications
still do not use these primitives correctly. This leads to unrealizable,
insecure or too inefficient designs of pairing-based protocols. We observed
that one reason is not being aware of the recent advancements on solving the
discrete logarithm problems in some groups. The main purpose of this article is
to give an understandable, informative, and the most up-to-date criteria for
the correct use of pairing-based cryptography. We thereby deliberately avoid
most of the technical details and rather give special emphasis on the
importance of the correct use of bilinear maps by realizing secure
cryptographic protocols. We list a collection of some recent papers having
wrong security assumptions or realizability/efficiency issues. Finally, we give
a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page
Quantum resource estimates for computing elliptic curve discrete logarithms
We give precise quantum resource estimates for Shor's algorithm to compute
discrete logarithms on elliptic curves over prime fields. The estimates are
derived from a simulation of a Toffoli gate network for controlled elliptic
curve point addition, implemented within the framework of the quantum computing
software tool suite LIQ. We determine circuit implementations for
reversible modular arithmetic, including modular addition, multiplication and
inversion, as well as reversible elliptic curve point addition. We conclude
that elliptic curve discrete logarithms on an elliptic curve defined over an
-bit prime field can be computed on a quantum computer with at most qubits using a quantum circuit of at most Toffoli gates. We are able to classically simulate the
Toffoli networks corresponding to the controlled elliptic curve point addition
as the core piece of Shor's algorithm for the NIST standard curves P-192,
P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to
recent resource estimates for Shor's factoring algorithm. The results also
support estimates given earlier by Proos and Zalka and indicate that, for
current parameters at comparable classical security levels, the number of
qubits required to tackle elliptic curves is less than for attacking RSA,
suggesting that indeed ECC is an easier target than RSA.Comment: 24 pages, 2 tables, 11 figures. v2: typos fixed and reference added.
ASIACRYPT 201
Shaping the learning landscape in neural networks around wide flat minima
Learning in Deep Neural Networks (DNN) takes place by minimizing a non-convex
high-dimensional loss function, typically by a stochastic gradient descent
(SGD) strategy. The learning process is observed to be able to find good
minimizers without getting stuck in local critical points, and that such
minimizers are often satisfactory at avoiding overfitting. How these two
features can be kept under control in nonlinear devices composed of millions of
tunable connections is a profound and far reaching open question. In this paper
we study basic non-convex one- and two-layer neural network models which learn
random patterns, and derive a number of basic geometrical and algorithmic
features which suggest some answers. We first show that the error loss function
presents few extremely wide flat minima (WFM) which coexist with narrower
minima and critical points. We then show that the minimizers of the
cross-entropy loss function overlap with the WFM of the error loss. We also
show examples of learning devices for which WFM do not exist. From the
algorithmic perspective we derive entropy driven greedy and message passing
algorithms which focus their search on wide flat regions of minimizers. In the
case of SGD and cross-entropy loss, we show that a slow reduction of the norm
of the weights along the learning process also leads to WFM. We corroborate the
results by a numerical study of the correlations between the volumes of the
minimizers, their Hessian and their generalization performance on real data.Comment: 37 pages (16 main text), 10 figures (7 main text
Removable Weak Keys for Discrete Logarithm Based Cryptography
We describe a novel type of weak cryptographic private key that can exist in
any discrete logarithm based public-key cryptosystem set in a group of prime
order where has small divisors. Unlike the weak private keys based on
\textit{numerical size} (such as smaller private keys, or private keys lying in
an interval) that will \textit{always} exist in any DLP cryptosystems, our type
of weak private keys occurs purely due to parameter choice of , and hence,
can be removed with appropriate value of . Using the theory of implicit
group representations, we present algorithms that can determine whether a key
is weak, and if so, recover the private key from the corresponding public key.
We analyze several elliptic curves proposed in the literature and in various
standards, giving counts of the number of keys that can be broken with
relatively small amounts of computation. Our results show that many of these
curves, including some from standards, have a considerable number of such weak
private keys. We also use our methods to show that none of the 14 outstanding
Certicom Challenge problem instances are weak in our sense, up to a certain
weakness bound
On Constant-Round Concurrent Zero-Knowledge from a Knowledge Assumption
In this work, we consider the long-standing open question of constructing
constant-round concurrent zero-knowledge protocols in the plain model.
Resolving this question is known to require non-black-box techniques.
We consider non-black-box techniques for zero-knowledge based on knowledge
assumptions, a line of thinking initiated by the work of Hada and Tanaka
(CRYPTO 1998). Prior to our work, it was not known whether knowledge
assumptions could be used for achieving security in the concurrent setting, due
to a number of significant limitations that we discuss here. Nevertheless, we
obtain the following results:
1. We obtain the first constant round concurrent zero-knowledge argument for
\textbf{NP} in the plain model based on a new variant of knowledge of exponent
assumption. Furthermore, our construction avoids the inefficiency inherent in
previous non-black-box techniques such that those of Barak (FOCS 2001); we
obtain our result through an efficient protocol compiler.
2. Unlike Hada and Tanaka, we do not require a knowledge assumption to argue
the soundness of our protocol. Instead, we use a discrete log like assumption,
which we call Diffie-Hellman Logarithm Assumption, to prove the soundness of
our protocol.
3. We give evidence that our new variant of knowledge of exponent assumption
is in fact plausible. In particular, we show that our assumption holds in the
generic group model.
4. Knowledge assumptions are especially delicate assumptions whose
plausibility may be hard to gauge. We give a novel framework to express
knowledge assumptions in a more flexible way, which may allow for formulation
of plausible assumptions and exploration of their impact and application in
cryptography.Comment: 30 pages, 3 figure
Multiaccess Channels with State Known to One Encoder: Another Case of Degraded Message Sets
We consider a two-user state-dependent multiaccess channel in which only one
of the encoders is informed, non-causally, of the channel states. Two
independent messages are transmitted: a common message transmitted by both the
informed and uninformed encoders, and an individual message transmitted by only
the uninformed encoder. We derive inner and outer bounds on the capacity region
of this model in the discrete memoryless case as well as the Gaussian case.
Further, we show that the bounds for the Gaussian case are tight in some
special cases.Comment: 5 pages, Proc. of IEEE International Symposium on Information theory,
ISIT 2009, Seoul, Kore
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction
Pairing based cryptography is in a dangerous position following the
breakthroughs on discrete logarithms computations in finite fields of small
characteristic. Remaining instances are built over finite fields of large
characteristic and their security relies on the fact that the embedding field
of the underlying curve is relatively large. How large is debatable. The aim of
our work is to sustain the claim that the combination of degree 3 embedding and
too small finite fields obviously does not provide enough security. As a
computational example, we solve the DLP on a 170-bit MNT curve, by exploiting
the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS
- …