Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.
Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figures.
Deterministic elliptic curve primality proving for a special sequence of numbers
We give a deterministic algorithm that very quickly proves the primality or
compositeness of the integers N in a certain sequence, using an elliptic curve
E/Q with complex multiplication by the ring of integers of Q(sqrt(-7)). The
algorithm uses O(log N) arithmetic operations in the ring Z/NZ, implying a bit
complexity that is quasi-quadratic in log N. Notably, neither of the classical
"N-1" or "N+1" primality tests apply to the integers in our sequence. We
discuss how this algorithm may be applied, in combination with sieving
techniques, to efficiently search for very large primes. This has allowed us to
prove the primality of several integers with more than 100,000 decimal digits,
the largest of which has more than a million bits in its binary representation.
At the time it was found, it was the largest proven prime N for which no
significant partial factorization of N-1 or N+1 is known.
Comment: 16 pages, corrected a minor sign error in Section 5.
Computing the endomorphism ring of an ordinary elliptic curve over a finite field
We present two algorithms to compute the endomorphism ring of an ordinary
elliptic curve E defined over a finite field F_q. Under suitable heuristic
assumptions, both have subexponential complexity. We bound the complexity of
the first algorithm in terms of log q, while our bound for the second algorithm
depends primarily on log |D_E|, where D_E is the discriminant of the order
isomorphic to End(E). As a byproduct, our method yields a short certificate
that may be used to verify that the endomorphism ring is as claimed.
Comment: 16 pages (minor edits).
A CM construction for curves of genus 2 with p-rank 1
We construct Weil numbers corresponding to genus-2 curves with p-rank 1
over the finite field \F_{p^2} of p^2 elements. The corresponding curves
can be constructed using explicit CM constructions. In one of our algorithms,
the group of \F_{p^2}-valued points of the Jacobian has prime order, while
another allows for a prescribed embedding degree with respect to a subgroup of
prescribed order. The curves are defined over \F_{p^2} out of necessity: we
show that curves of p-rank 1 over \F_p for large p cannot be efficiently
constructed using explicit CM constructions.
Comment: 19 pages.
- …