On the effectiveness of isogeny walks for extending cover attacks on elliptic curves

Cryptographic systems based on the elliptic curve discrete logarithm problem (ECDLP) are widely deployed in the world today. In order for such a system to guarantee a particular security level, the elliptic curve selected must be such that it avoids a number of well-known attacks. Beyond this, one also needs to be wary of attacks whose reach can be extended via the use of isogenies. It is an open problem as to whether there exists a field for which the isogeny walk strategy can render all elliptic curves unsuitable for cryptographic use. This thesis provides a survey of the theory of elliptic curves from a cryptographic perspective and overviews a few of the well-known algorithms for computing elliptic curve discrete logarithms. We perform some experimental verification for the assumptions used in the analysis of the isogeny walk strategy for extending Weil descent-type cover attacks, and explore its applicability to elliptic curves of cryptographic size. In particular, we demonstrate for the first time that the field F_2^{150} is partially weak for elliptic curve cryptography

Weakness of F_{3^{6*1429}} and F_{2^{4*3041}} for Discrete Logarithm Cryptography

In 2013, Joux and then Barbulsecu et al. presented new algorithms for computing discrete logarithms in finite fields of small characteristic. Shortly thereafter, Adj et al. presented a concrete analysis showing that, when combined with some steps from classical algorithms, the new algorithms render the finite field F_{3^{6*509}} weak for pairing-based cryptography. Granger and Zumbragel then presented a modification of the new algorithms that extends their effectiveness to a wider range of fields. In this paper, we study the effectiveness of the new algorithms combined with a carefully crafted descent strategy for the fields F_{3^{6*1429}} and F_{2^{4*3041}}. The intractability of the discrete logarithm problem in these fields is necessary for the security of pairings derived from supersingular curves with embedding degree 6 and 4 defined, respectively, over F_{3^{1429}} and F_{2^{3041}}; these curves were believed to enjoy a security level of 192 bits against attacks by Coppersmith\u27s algorithm. Our analysis shows that these pairings offer security levels of at most 96 and 129 bits, respectively, leading us to conclude that they are dead for pairing-based cryptography

Tamper-Resistant Arithmetic for Public-Key Cryptography

Cryptographic hardware has found many uses in many ubiquitous and pervasive security devices with a small form factor, e.g. SIM cards, smart cards, electronic security tokens, and soon even RFIDs. With applications in banking, telecommunication, healthcare, e-commerce and entertainment, these devices use cryptography to provide security services like authentication, identification and confidentiality to the user. However, the widespread adoption of these devices into the mass market, and the lack of a physical security perimeter have increased the risk of theft, reverse engineering, and cloning. Despite the use of strong cryptographic algorithms, these devices often succumb to powerful side-channel attacks. These attacks provide a motivated third party with access to the inner workings of the device and therefore the opportunity to circumvent the protection of the cryptographic envelope. Apart from passive side-channel analysis, which has been the subject of intense research for over a decade, active tampering attacks like fault analysis have recently gained increased attention from the academic and industrial research community. In this dissertation we address the question of how to protect cryptographic devices against this kind of attacks. More specifically, we focus our attention on public key algorithms like elliptic curve cryptography and their underlying arithmetic structure. In our research we address challenges such as the cost of implementation, the level of protection, and the error model in an adversarial situation. The approaches that we investigated all apply concepts from coding theory, in particular the theory of cyclic codes. This seems intuitive, since both public key cryptography and cyclic codes share finite field arithmetic as a common foundation. The major contributions of our research are (a) a generalization of cyclic codes that allow embedding of finite fields into redundant rings under a ring homomorphism, (b) a new family of non-linear arithmetic residue codes with very high error detection probability, (c) a set of new low-cost arithmetic primitives for optimal extension field arithmetic based on robust codes, and (d) design techniques for tamper resilient finite state machines

Cryptographic Pairings: Efficiency and DLP security

This thesis studies two important aspects of the use of pairings in cryptography, efficient algorithms and security. Pairings are very useful tools in cryptography, originally used for the cryptanalysis of elliptic curve cryptography, they are now used in key exchange protocols, signature schemes and Identity-based cryptography. This thesis comprises of two parts: Security and Efficient Algorithms. In Part I: Security, the security of pairing-based protocols is considered, with a thorough examination of the Discrete Logarithm Problem (DLP) as it occurs in PBC. Results on the relationship between the two instances of the DLP will be presented along with a discussion about the appropriate selection of parameters to ensure particular security level. In Part II: Efficient Algorithms, some of the computational issues which arise when using pairings in cryptography are addressed. Pairings can be computationally expensive, so the Pairing-Based Cryptography (PBC) research community is constantly striving to find computational improvements for all aspects of protocols using pairings. The improvements given in this section contribute towards more efficient methods for the computation of pairings, and increase the efficiency of operations necessary in some pairing-based protocol

On Selection of Samples in Algebraic Attacks and a New Technique to Find Hidden Low Degree Equations

The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round KATAN, LBLOCK and SIMON. For each case, we present a practical attack on reduced round version which outperforms previous attempts of algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using cube attack and ELIMLIN which was presented at FSE'12, and a new technique called proning. In the case of LBLOCK, we break 10 out of 32 rounds. In KATAN, we break 78 out of 254 rounds. Unlike previous attempts which break smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore, can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ELIMLIN is further enhanced by the new proning technique, which allows to discover linear equations that are not found by ELIMLIN

Effective Pairings in Isogeny-based Cryptography

Pairings are useful tools in isogeny-based cryptography and have been used in SIDH/SIKE and other protocols. As a general technique, pairings can be used to move problems about points on curves to elements in finite fields. However, until now, their applicability was limited to curves over fields with primes of a specific shape and pairings seemed too costly for the type of primes that are nowadays often used in isogeny-based cryptography. We remove this roadblock by optimizing pairings for highly-composite degrees such as those encountered in CSIDH and SQISign. This makes the general technique viable again: We apply our low-cost pairing to problems of general interest, such as supersingularity verification and finding full-torsion points, and show that we can outperform current methods, in some cases up to four times faster than the state-of-the-art. Furthermore, we analyze how pairings can be used to improve deterministic and dummy-free CSIDH. Finally, we provide a constant-time implementation (in Rust) that shows the practicality of these algorithms

Pairing-based cryptosystems and key agreement protocols.

For a long time, pairings on elliptic curves have been considered to be destructive in elliptic curve cryptography. Only recently after some pioneering works, particularly the well-known Boneh-Franklin identity-based encryption (IBE), pairings have quickly become an important tool to construct novel cryptographic schemes. In this thesis, several new cryptographic schemes with pairings are proposed, which are both efficient and secure with respect to a properly defined security model, and some relevant previous schemes are revisited. IBE provides a public key encryption mechanism where a public key can be an arbitrary string such as an entity identifier and unwieldy certificates are unnecessary. Based on the Sakai-Kasahara key construction, an IBE scheme which is secure in the Boneh-Franklin IBE model is constructed, and two identity-based key encapsulation mechanisms are proposed. These schemes achieve the best efficiency among the existing schemes to date. Recently Al-Riyami and Paterson introduced the certificateless public key encryption (CL-PKE) paradigm, which eliminates the need of certificates and at the same time retains the desirable properties of IBE without the key escrow problem. The security formulation of CL-PKE is revisited and a strong security model for this type of mechanism is defined. Following a heuristic approach, three efficient CL-PKE schemes which are secure in the defined strong security model are proposed. Identity-based two-party key agreement protocols from pairings are also investigated. The Bellare-Rogaway key agreement model is enhanced and within the model several previously unproven protocols in the literature are formally analysed. In considering that the user identity may be sensitive information in many environments, an identity-based key agreement protocol with unilateral identity privacy is proposed

The genetics and pathophysiology of cluster headache and associated disorders

Cluster headache (CH) is described as one of the most painful conditions known to humans. It effects approximately 60,000 individuals in the UK and carries significant morbidity. It exhibits hereditability evident by reports of familial aggregation and is categorised as a trigeminal autonomic cephalalgia (TAC). Despite this, the exact pathophysiological and genetic drivers of this condition remain elusive. The purpose of this thesis is to examine the clinical and genetic determinants of CH, and thus gain insights into the underlying neurobiological mechanisms. This work consists of two components. In the first section, I conduct clinical observational studies to further delineate the CH phenotype. I address the postulated association between pituitary adenomas and CH and question the utility of dedicated pituitary imagining in this patient group. I also describe the largest series of Post-Traumatic Headache of Cluster Headache (PTH-CH) and demonstrate its distinct features and increased intractability to treatment. Finally, through meta-analysis, I estimate the prevalence of familial CH to be 6.27% and demonstrate an overlap with concurrent short-Lasting unilateral neuralgiform headache attacks with conjunctival injection and tearing (SUNCT) in familial cases. The second section explores the genetics architecture underlying CH. I perform a Genome-Wide Association Study (GWAS) to identify replicable susceptibility loci and conduct a downstream analysis. Subsequent genetic correlation analysis showed an overlap with migraine, depression, bipolar and sleep disturbance implying the possibility of a common genetic driver for these conditions, which frequently present concurrently. I then carry out linkage analysis in CH families and replicate a linked region suggestive of significance on chromosome 2 that also overlaps a genome wide significant locus. Finally, I execute whole exome sequencing and utilise rare variant association tests and segregation analysis to identify causal variants for familial CH

The XTR public key system

This paper introduces the XTR public key system. XTR is based on a new method for representing elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising securit