Integer Linear Programming Modeling of Addition Sequences With Additional Constraints for Evaluation of Power Terms

In this work, an integer linear programming (ILP) based model is proposed for the computation of a minimal cost addition sequence for a given set of integers. Since exponents are additive under multiplication, the minimal length addition sequence will provide an economical solution for the evaluation of a requested set of power terms. This is turn, finds application in, e.g., window-based exponentiation for cryptography and polynomial evaluation. Not only is an optimal model proposed, the model is extended to consider different costs for multipliers and squarers as well as controlling the depth of the resulting addition sequence.Comment: This manuscript was written in 2012, and, hence, lacks more recent reference

Fast hashing to G2 on pairing friendly curves

When using pairing-friendly ordinary elliptic curves over prime fields to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups of prime order $r$ involved in the pairing. Of these $G_1$ is a group of points on the base field E(\F_p) and $G_2$ is instantiated as a group of points with coordinates on some extension field, over a twisted curve E\u27(\F_{p^d}), where $d$ divides the embedding degree $k$. While hashing to $G_1$ is relatively easy, hashing to $G_2$ has been less considered, and is regarded as likely to be more expensive as it appears to require a multiplication by a large cofactor. In this paper we introduce a fast method for this cofactor multiplication on $G_2$ which exploits an efficiently computable homomorphism

On the final exponentiation for calculating pairings on ordinary elliptic curves

When using pairing-friendly ordinary elliptic curves to compute the Tate and related pairings, the computation consists of two main components, the Miller loop and the so-called final exponentiation. As a result of good progress being made to reduce the Miller loop component of the algorithm (particularly with the discovery of ``truncated loop\u27\u27 pairings like the R-ate pairing), the final exponentiation has become a more significant component of the overall calculation. Here we exploit the structure of pairing friendly elliptic curves to reduce the computation required for the final exponentiation to a minimum

Memory-saving computation of the pairing final exponentiation on BN curves

In this paper, we describe and improve efficient methods for computing the hard part of the final exponentiation of pairings on Barreto-Naehrig curves. Thanks to the variants of pairings which decrease the length of the Miller loop, the final exponentiation has become a significant component of the overall calculation. Here we exploit the structure of BN curves to improve this computation. We will first present the most famous methods in the literature that en- sure the computing of the hard part of the final exponentiation. We are particularly interested in the memory resources necessary for the implementation of these methods. Indeed, this is an important constraint in restricted environments. More precisely, we are studying Devegili et al. method, Scott et al. addition chain method and Fuentes et al. method. After recalling these methods and their complexities, we determine the number of required registers to compute the final result, because this is not always given in the literature. Then, we will present new versions of these methods which require less memory resources (up to 37%). Moreover, some of these variants are providing algorithms which are also more efficient than the original ones

Constructing suitable ordinary pairing-friendly curves: A case of elliptic curves and genus two hyperelliptic curves

One of the challenges in the designing of pairing-based cryptographic protocols is to construct suitable pairing-friendly curves: Curves which would provide e�cient implementation without compromising the security of the protocols. These curves have small embedding degree and large prime order subgroup. Random curves are likely to have large embedding degree and hence are not practical for implementation of pairing-based protocols. In this thesis we review some mathematical background on elliptic and hyperelliptic curves in relation to the construction of pairing-friendly hyper-elliptic curves. We also present the notion of pairing-friendly curves. Furthermore, we construct new pairing-friendly elliptic curves and Jacobians of genus two hyperelliptic curves which would facilitate an efficient implementation in pairing-based protocols. We aim for curves that have smaller values than ever before reported for di�erent embedding degrees. We also discuss optimisation of computing pairing in Tate pairing and its variants. Here we show how to e�ciently multiply a point in a subgroup de�ned on a twist curve by a large cofactor. Our approach uses the theory of addition chains. We also show a new method for implementation of the computation of the hard part of the �nal exponentiation in the calculation of the Tate pairing and its varian

양자 컴퓨터에 대한 암호학적 알고리즘

학위논문(박사) -- 서울대학교대학원 : 자연과학대학 수리과학부, 2022. 8. 이훈희.The advent of a quantum mechanical computer presents a clear threat to existing cryptography. On the other hand, the quantum computer also suggests the possibility of a new cryptographic protocol through the properties of quantum mechanics. These two perspectives, respectively, gave rise to a new field called post-quantum cryptography as a countermeasure against quantum attacks and quantum cryptography as a new cryptographic technology using quantum mechanics, which are the subject of this thesis. In this thesis, we reconsider the security of the current post-quantum cryptography through a new quantum attack, model, and security proof. We present the fine-grained quantum security of hash functions as cryptographic primitives against preprocessing adversaries. We also bring recent quantum information theoretic research into cryptography, creating new quantum public key encryption and quantum commitment. Along the way, we resolve various open problems such as limitations of quantum algorithms with preprocessing computation, oracle separation problems in quantum complexity theory, and public key encryption using group action.양자역학을 이용한 컴퓨터의 등장은 쇼어의 알고리즘 등을 통해 기존 암호학에 명백한 위협을 제시하며, 양자역학의 성질을 통한 새로운 암호프로토콜의 가능성 또한 제시한다. 이러한 두 가지 관점은 각각 이 학위 논문의 주제가 되는 양자공격에 대한 대응책으로써의 대양자암호와 양자역학을 이용한 암호기술인 양자암호라고 불리는 새로운 분야를 발생시켰다. 이 학위 논문에서는 현재 대양자암호의 안전성을 새로운 양자암호 공격 알고리즘과 모델, 안전성 증명을 통해 재고한다. 특히 암호학적 해쉬함수의 일방향함수, 암호학적 의사난수생성기로서의 대양자 암호 안전성의 구체적인 평가를 제시한다. 또한 최근 양자역학의 연구를 양자암호에 도입함으로써 새로운 양자 공개키암호와 양자 커밋먼트 등의 새로운 발견을 제시한다. 이 과정에서 전처리 계산을 포함한 양자알고리즘의 한계, 양자 복잡계들의 오라클분리 문제, 군의 작용을 이용한 공개키 암호 등의 여러 열린문제들의 해결을 제시한다.1 Introduction 1 1.1 Contributions 3 1.2 Related Works 11 1.3 Research Papers 13 2 Preliminaries 14 2.1 Quantum Computations 15 2.2 Quantum Algorithms 20 2.3 Cryptographic Primitives 21 I Post-Quantum Cryptography: Attacks, New Models, and Proofs 24 3 Quantum Cryptanalysis 25 3.1 Introduction 25 3.2 QROM-AI Algorithm for Function Inversion 26 3.3 Quantum Multiple Discrete Logarithm Problem 34 3.4 Discussion and Open problems 39 4 Quantum Random Oracle Model with Classical Advice 42 4.1 Quantum ROM with Auxiliary Input 44 4.2 Function Inversion 46 4.3 Pseudorandom Generators 56 4.4 Post-quantum Primitives 58 4.5 Discussion and Open Problems 59 5 Quantum Random Permutations with Quantum Advice 62 5.1 Bound for Inverting Random Permutations 64 5.2 Preparation 64 5.3 Proof of Theorem 68 5.4 Implication in Complexity Theory 74 5.5 Discussion and Open Problems 77 II Quantum Cryptography: Public-key Encryptions and Bit Commitments 79 6 Equivalence Theorem 80 6.1 Equivalence Theorem 81 6.2 Non-uniform Equivalence Theorem 83 6.3 Proof of Equivalence Theorem 86 7 Quantum Public Key Encryption 89 7.1 Swap-trapdoor Function Pairs 90 7.2 Quantum-Ciphertext Public Key Encryption 94 7.3 Group Action based Construction 99 7.4 Lattice based Construction 107 7.5 Discussion and Open Problems 113 7.6 Deferred Proof 114 8 Quantum Bit Commitment 119 8.1 Quantum Commitments 120 8.2 Efficient Conversion 123 8.3 Applications of Conversion 126 8.4 Discussion and Open Problems 137박