165 research outputs found
Curves, Jacobians, and Cryptography
The main purpose of this paper is to give an overview over the theory of
abelian varieties, with main focus on Jacobian varieties of curves reaching
from well-known results till to latest developments and their usage in
cryptography. In the first part we provide the necessary mathematical
background on abelian varieties, their torsion points, Honda-Tate theory,
Galois representations, with emphasis on Jacobian varieties and hyperelliptic
Jacobians. In the second part we focus on applications of abelian varieties on
cryptography and treating separately, elliptic curve cryptography, genus 2 and
3 cryptography, including Diffie-Hellman Key Exchange, index calculus in Picard
groups, isogenies of Jacobians via correspondences and applications to discrete
logarithms. Several open problems and new directions are suggested.Comment: 66 page
Counting points on hyperelliptic curves with explicit real multiplication in arbitrary genus
We present a probabilistic Las Vegas algorithm for computing the local zeta
function of a genus- hyperelliptic curve defined over with
explicit real multiplication (RM) by an order in a degree-
totally real number field.
It is based on the approaches by Schoof and Pila in a more favorable case
where we can split the -torsion into kernels of endomorphisms, as
introduced by Gaudry, Kohel, and Smith in genus 2. To deal with these kernels
in any genus, we adapt a technique that the author, Gaudry, and Spaenlehauer
introduced to model the -torsion by structured polynomial systems.
Applying this technique to the kernels, the systems we obtain are much smaller
and so is the complexity of solving them.
Our main result is that there exists a constant such that, for any
fixed , this algorithm has expected time and space complexity as grows and the characteristic is large enough. We prove that
and we also conjecture that the result still holds for .Comment: To appear in Journal of Complexity. arXiv admin note: text overlap
with arXiv:1710.0344
Quantum resource estimates for computing elliptic curve discrete logarithms
We give precise quantum resource estimates for Shor's algorithm to compute
discrete logarithms on elliptic curves over prime fields. The estimates are
derived from a simulation of a Toffoli gate network for controlled elliptic
curve point addition, implemented within the framework of the quantum computing
software tool suite LIQ. We determine circuit implementations for
reversible modular arithmetic, including modular addition, multiplication and
inversion, as well as reversible elliptic curve point addition. We conclude
that elliptic curve discrete logarithms on an elliptic curve defined over an
-bit prime field can be computed on a quantum computer with at most qubits using a quantum circuit of at most Toffoli gates. We are able to classically simulate the
Toffoli networks corresponding to the controlled elliptic curve point addition
as the core piece of Shor's algorithm for the NIST standard curves P-192,
P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to
recent resource estimates for Shor's factoring algorithm. The results also
support estimates given earlier by Proos and Zalka and indicate that, for
current parameters at comparable classical security levels, the number of
qubits required to tackle elliptic curves is less than for attacking RSA,
suggesting that indeed ECC is an easier target than RSA.Comment: 24 pages, 2 tables, 11 figures. v2: typos fixed and reference added.
ASIACRYPT 201
On the Probability of Generating a Lattice
We study the problem of determining the probability that m vectors selected
uniformly at random from the intersection of the full-rank lattice L in R^n and
the window [0,B)^n generate when B is chosen to be appropriately
large. This problem plays an important role in the analysis of the success
probability of quantum algorithms for solving the Discrete Logarithm Problem in
infrastructures obtained from number fields and also for computing fundamental
units of number fields.
We provide the first complete and rigorous proof that 2n+1 vectors suffice to
generate L with constant probability (provided that B is chosen to be
sufficiently large in terms of n and the covering radius of L and the last n+1
vectors are sampled from a slightly larger window). Based on extensive computer
simulations, we conjecture that only n+1 vectors sampled from one window
suffice to generate L with constant success probability. If this conjecture is
true, then a significantly better success probability of the above quantum
algorithms can be guaranteed.Comment: 18 page
Security Analysis of Elliptic Curves over Sextic Extension of Small Prime Fields
In this report we investigate how to generate secure elliptic curves over sextic extension of prime fields of size roughly 64 bits to achieve 128-bit security. In particular, we present one of such curves over a 64-bit prime field, which we named Cheetah, and provide its security parameter. This curve is particularly well-suited for zero-knowledge applications such as FRI-based STARK proving systems, as its base prime field has the property of having a large two-adicity, necessary for FFT-related operations and
at the same time it is used for elliptic curve-based signatures. We also provide a prototype implementation of this curve in Rust, featuring constant-time arithmetic and no use of the Rust standard library for WebAssembly support
- …