The Q-curve construction for endomorphism-accelerated elliptic curves
We give a detailed account of the use of -curve reductions to
construct elliptic curves over with efficiently computable
endomorphisms, which can be used to accelerate elliptic curve-based
cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and
Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case
of our construction), we offer the advantage over GLV of selecting from a much
wider range of curves, and thus finding secure group orders when is fixed
for efficient implementation. Unlike GLS, we also offer the possibility of
constructing twist-secure curves. We construct several one-parameter families
of elliptic curves over equipped with efficient
endomorphisms for every p > 3, and exhibit examples of
twist-secure curves over for the efficient Mersenne prime .
Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540
SCALLOP: Scaling the CSI-FiSh
We present SCALLOP: SCALable isogeny action based on Oriented supersingular curves with Prime conductor, a new group action based on isogenies of supersingular curves. Similarly to CSIDH and OSIDH, we use the group action of an imaginary quadratic order's class group on the set of oriented supersingular curves. Compared to CSIDH, the main benefit of our construction is that it is easy to compute the class-group structure; this data is required to uniquely represent, and efficiently act by, arbitrary group elements, which is a requirement in, e.g., the CSI-FiSh signature scheme by Beullens, Kleinjung and Vercauteren. The index-calculus algorithm used in CSI-FiSh to compute the class-group structure has complexity L(1/2), ruling out class groups much larger than CSIDH-512, a limitation that is particularly problematic in light of the ongoing debate regarding the quantum security of cryptographic group actions. Hoping to solve this issue, we consider the class group of a quadratic order of large prime conductor inside an imaginary quadratic field of small discriminant. This family of quadratic orders lets us easily determine the size of the class group, and, by carefully choosing the conductor, even exercise significant control on it, in particular supporting highly smooth choices. Although evaluating the resulting group action still has subexponential asymptotic complexity, a careful choice of parameters leads to a practical speedup that we demonstrate in practice for a security level equivalent to CSIDH-1024, a parameter currently firmly out of reach of index-calculus-based methods. However, our implementation takes 35 seconds (resp. 12.5 minutes) for a single group-action evaluation at a CSIDH-512-equivalent (resp. CSIDH-1024-equivalent) security level, showing that, while feasible, the SCALLOP group action does not achieve realistically usable performance yet.
Computing Bilinear Pairings on Elliptic Curves with Automorphisms
In this paper, we present a novel method for constructing a
super-optimal pairing with great efficiency, which we call the omega
pairing. The computation of the omega pairing requires the simple
final exponentiation and short loop length in Miller's algorithm
which leads to a significant improvement over the previously known
techniques on certain pairing-friendly curves. Experimental results
show that the omega pairing is about 22% faster and 19% faster
than the super-optimal pairing proposed by Scott at security level
of AES 80 bits on certain pairing-friendly curves in affine
coordinate systems and projective coordinate systems, respectively.
The supersingular endomorphism ring problem given one endomorphism
Given a supersingular elliptic curve E and a non-scalar endomorphism
of E, we prove that the endomorphism ring of E can be computed in classical
time about disc(Z[])^(1/4), and in quantum subexponential time, assuming
the generalised Riemann hypothesis. Previous results either had higher
complexities, or relied on heuristic assumptions. Along the way, we prove that
the Primitivisation problem can be solved in polynomial time (a problem
previously believed to be hard), and we prove that the action of smooth ideals
on oriented elliptic curves can be computed in polynomial time (previous
results of this form required the ideal to be powersmooth, i.e., not divisible
by any large prime power). Following the attacks on SIDH, isogenies in high
dimension are a central ingredient of our results.
Bandersnatch: a fast elliptic curve built over the BLS12-381 scalar field
In this short note, we introduce Bandersnatch, a new elliptic curve built over the BLS12-381 scalar field. The curve is equipped with an efficient endomorphism, allowing a fast scalar multiplication algorithm. Our benchmark shows that the multiplication is 42% faster, compared to another curve, called Jubjub, having similar properties. Nonetheless, Bandersnatch does not provide any performance improvement for either rank 1 constraint systems (R1CS) or multi-scalar multiplications, compared to the Jubjub curve.
Security Analysis of Isogeny-Based Cryptosystems
Let be a supersingular elliptic curve over a finite field.
In this document we study public-key encryption schemes which use non-constant rational maps from .
The purpose of this study is to determine if such cryptosystems are secure.
Supersingular Isogeny Diffie-Hellman (SIDH) and other supersingular isogeny-based cryptosystems are considered.
The content is naturally divided by cryptosystem, and in the case of SIDH, further divided by type of cryptanalysis:
SIDH when the endomorphism ring of the base elliptic curve is given (as is done in practice), repeated use of keys in SIDH, and endomorphism ring constructing algorithms.
In each case the relevant background material is presented to develop the theory.
In studying the security of SIDH when the endomorphism ring of the base curve is known, one of the main results is the following.
This theorem is then used to reduce the security of such an SIDH instantiation to the problem of finding particular endomorphisms in \End(E).
\begin{thm}
Given
\begin{enumerate}
\item a supersingular elliptic curve E/\FQ such that for coprime , where is -smooth,
\item an elliptic curve that is the codomain of an -isogeny ,
\item the action of on , and
\item a -endomorphism of , where , and if \g is the greatest integer such that and , then \h := \frac{k}{g} < N_1,
\end{enumerate}
there exists a classical algorithm with worst case runtime \tilde{O}(\h^3) which decides whether or not, but may give false positives with probability .
Further, if \h is -smooth, then the runtime is \tilde{O} (\sqrt{\h}).
\end{thm}
In studying the security of repeated use of SIDH public keys, the main result presented is the following theorem, which proves that performing multiple pairwise instances of SIDH prevents certain active attacks when keys are reused.
\begin{thm}
Assuming that the CSSI problem is intractable, it is computationally infeasible for a malicious adversary, with non-negligible probability, to modify a public key to some which is malicious for SIDH.
\end{thm}
It is well known that the problem of computing hidden supersingular isogenies can be reduced to computing the endomorphism rings of the domain and codomain elliptic curves.
A novel algorithm for computing an order in the endomorphism ring of a supersingular elliptic curve is presented and analyzed to have runtime .
In studying non-SIDH cryptosystems, four other isogeny-based cryptosystems are examined.
The first three were all proposed by the same authors and use secret endomorphisms.
These are each shown to be either totally insecure (private keys can be recovered directly from public keys) or impractical to implement efficiently.
The fourth scheme is a novel proposal which attempts to combine isogenies with the learning with errors problem.
This proposal is also shown to be totally insecure.