The Q-curve construction for endomorphism-accelerated elliptic curves
We give a detailed account of the use of -curve reductions to construct elliptic curves over with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over equipped with efficient endomorphisms for every p > 3, and exhibit examples of twist-secure curves over for the efficient Mersenne prime .
Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540
Families of fast elliptic curves from Q-curves
We construct new families of elliptic curves over F_{p^2} with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) endomorphisms. Our construction is based on reducing Q-curves (curves over quadratic number fields without complex multiplication, but with isogenies to their Galois conjugates) modulo inert primes. As a first application of the general theory we construct, for every , two one-parameter families of elliptic curves over F_{p^2} equipped with endomorphisms that are faster than doubling. Like GLS (which appears as a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when is fixed. Unlike GLS, we also offer the possibility of constructing twist-secure curves. Among our examples are prime-order curves equipped with fast endomorphisms, with almost-prime-order twists, over F_{p^2} for and
Computing cardinalities of Q-curve reductions over finite fields
We present a specialized point-counting algorithm for a class of elliptic curves over F_{p^2} that includes reductions of quadratic Q-curves modulo inert primes and, more generally, any elliptic curve over F_{p^2} with a low-degree isogeny to its Galois conjugate curve. These curves have interesting cryptographic applications. Our algorithm is a variant of the Schoof-Elkies-Atkin (SEA) algorithm, but with a new, lower-degree endomorphism in place of Frobenius. While it has the same asymptotic complexity as SEA, our algorithm is much faster in practice.
Comment: To appear in the proceedings of ANTS-XII. Added acknowledgement of Drew Sutherlan
Efficiency of SIDH-based signatures (yes, SIDH)
In this note, we assess the efficiency of a supersingular isogeny Diffie-Hellman (SIDH)-based digital signature built on a weaker variant of a recent identification protocol proposed by Basso et al. Despite the devastating attacks against (the mathematical problem underlying) SIDH, this identification protocol remains secure, as its security is backed by a different (and more standard) isogeny-finding problem. We conduct our analysis by applying some known cryptographic techniques to decrease the signature size by about 70% for all parameter sets (obtaining signatures of approximately 21 kB for SIKEp434). Moreover, we propose a minor optimisation to compute many isogenies in parallel from the same starting curve. Our assessment confirms that determining the most efficient methods for isogeny-based signature schemes, including optimisations such as those presented in this paper, is still an open problem, with much more work to be done.
Lightweight Public Key Encryption in Post-Quantum Computing Era
Confidentiality in our digital world rests on the security of cryptographic algorithms. These are usually executed transparently in the background, with people often relying on them without further knowledge. With the technological progress of quantum computers, the protective function of common encryption algorithms is threatened. This particularly affects public-key methods such as RSA and DH, which are based on prime factorization and discrete logarithms. Our concept describes the transformation of a classical asymmetric encryption method to a modern complexity class: the Cramer-Shoup approach is placed on the new basis of elliptic curves. The system is provably cryptographically strong, especially against adaptive chosen-ciphertext attacks. In addition, the new method features small key lengths, making it suitable for the Internet of Things. It represents an intermediate step towards an encryption scheme based on isogenies of elliptic curves. This approach shows a way to a secure encryption scheme for the post-quantum computing era.
Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields
Consider the problem of efficiently evaluating isogenies of elliptic curves over a finite field , where the kernel is a cyclic group of odd (prime) order: given , , and a point (or several points) on , we want to compute . This problem is at the heart of efficient implementations of group-action- and isogeny-based post-quantum cryptosystems such as CSIDH. Algorithms based on Vélu's formulae give an efficient solution to this problem when the kernel generator is defined over . However, for general isogenies, is only defined over some extension , even though as a whole (and thus ) is defined over the base field ; and the performance of Vélu-style algorithms degrades rapidly as grows. In this article we revisit the isogeny-evaluation problem with a special focus on the case where . We improve Vélu-style isogeny evaluation for many cases where using special addition chains, and combine this with the action of Galois to give greater improvements when
Isogeny-based post-quantum key exchange protocols
The goal of this project is to understand and analyze supersingular isogeny Diffie-Hellman (SIDH), a post-quantum key exchange protocol whose security rests on the isogeny-finding problem between supersingular elliptic curves. In order to do so, we first introduce the reader to cryptography, focusing on key agreement protocols, and motivate the rise of post-quantum cryptography as a necessity given the existence of the quantum model of computation. We review some of the known attacks on SIDH and finally study some algorithmic aspects to understand how the protocol can be implemented.
Optimizations of Isogeny-based Key Exchange
Supersingular Isogeny Diffie-Hellman (SIDH) is a key exchange scheme that is believed to be quantum-resistant. It is based on the difficulty of finding a certain isogeny between given elliptic curves. Over the last nine years, optimizations have been proposed that significantly increased the performance of its implementations. Today, SIDH is a promising candidate in the US National Institute for Standards and Technology's (NIST's) post-quantum cryptography standardization process.
This work is a self-contained introduction to the active research on SIDH from a high-level, algorithmic lens. After an introduction to elliptic curves and SIDH itself, we describe the mathematical and algorithmic building blocks of the fastest known implementations. Regarding elliptic curves, we describe which algorithms, data structures and trade-offs regarding elliptic curve arithmetic and isogeny computations exist and quantify their runtime cost in field operations. These findings are then tailored to the situation of SIDH. As a result, we give efficient algorithms for the performance-critical parts of the protocol.
Quantum Algorithms for Attacking Hardness Assumptions in Classical and Post-Quantum Cryptography
In this survey, the authors review the main quantum algorithms for solving the computational problems that serve as hardness assumptions for cryptosystems. To this end, the authors consider both the currently most widely used classically secure cryptosystems and the most promising candidates for post-quantum secure cryptosystems. The authors provide details on the cost of the quantum algorithms presented in this survey. The authors furthermore discuss ongoing research directions that can impact quantum cryptanalysis in the future.