
    Another Look at Some Isogeny Hardness Assumptions

    The security proofs for isogeny-based undeniable signature schemes have been based primarily on the assumptions that the One-Sided Modified SSCDH problem and the One-More SSCDH problem are intractable. We challenge the validity of these assumptions, showing that both the decisional and computational variants of these problems can be solved in polynomial time. We further demonstrate an attack, applicable to two undeniable signature schemes, one of which was proposed at PQCrypto 2014. The attack allows signatures to be forged in $2^{4\lambda/5}$ steps on a classical computer. This is an improvement over the expected classical security of $2^{\lambda}$, where $\lambda$ denotes the chosen security parameter.
    SCOPUS: cp.k
    info:eu-repo/semantics/published
    Cryptographers Track at the RSA Conference, CT-RSA 2020; San Francisco; United States; 24 February 2020 through 28 February 2020
    ISBN: 978-303040185-

    A Negative Feedback Loop That Limits the Ectopic Activation of a Cell Type–Specific Sporulation Sigma Factor of Bacillus subtilis

    Two highly similar RNA polymerase sigma subunits, σF and σG, govern the early and late phases of forespore-specific gene expression during spore differentiation in Bacillus subtilis. σF drives synthesis of σG, but the latter only becomes active once engulfment of the forespore by the mother cell is completed, its levels rising quickly due to a positive feedback loop. The mechanisms that prevent premature or ectopic activation of σG while discriminating between σF and σG in the forespore are not fully comprehended. Here, we report that the substitution of an asparagine by a glutamic acid at position 45 of σG (N45E) strongly reduced binding by a previously characterized anti-sigma factor, CsfB (also known as Gin), in vitro, and increased the activity of σG in vivo. The N45E mutation caused the appearance of a sub-population of pre-divisional cells with strong activity of σG. CsfB is normally produced in the forespore, under σF control, but sigGN45E mutant cells also expressed csfB and did so in a σG-dependent manner, autonomously from σF. Thus, a negative feedback loop involving CsfB counteracts the positive feedback loop resulting from ectopic σG activity. N45 is invariant in the homologous position of σG orthologues, whereas its functional equivalent in σF proteins, E39, is highly conserved. While CsfB does not bind to wild-type σF, an E39N substitution in σF resulted in efficient binding of CsfB to σF. Moreover, under certain conditions, the E39N alteration strongly restrains the activity of σF in vivo, in a csfB-dependent manner, and the efficiency of sporulation. Therefore, a single amino residue, N45/E39, is sufficient for the ability of CsfB to discriminate between the two forespore-specific sigma factors in B. subtilis.

    Suppression of Lung Adenocarcinoma Progression by Nkx2-1

    Despite the high prevalence and poor outcome of patients with metastatic lung cancer, the mechanisms of tumour progression and metastasis remain largely uncharacterized. Here we modelled human lung adenocarcinoma, which frequently harbours activating point mutations in KRAS and inactivation of the p53 pathway, using conditional alleles in mice. Lentiviral-mediated somatic activation of oncogenic Kras and deletion of p53 in the lung epithelial cells of Kras^{LSL-G12D/+};p53^{flox/flox} mice initiates lung adenocarcinoma development [4]. Although tumours are initiated synchronously by defined genetic alterations, only a subset becomes malignant, indicating that disease progression requires additional alterations. Identification of the lentiviral integration sites allowed us to distinguish metastatic from non-metastatic tumours and determine the gene expression alterations that distinguish these tumour types. Cross-species analysis identified the NK2-related homeobox transcription factor Nkx2-1 (also called Ttf-1 or Titf1) as a candidate suppressor of malignant progression. In this mouse model, Nkx2-1 negativity is pathognomonic of high-grade poorly differentiated tumours. Gain- and loss-of-function experiments in cells derived from metastatic and non-metastatic tumours demonstrated that Nkx2-1 controls tumour differentiation and limits metastatic potential in vivo. Interrogation of Nkx2-1-regulated genes, analysis of tumours at defined developmental stages, and functional complementation experiments indicate that Nkx2-1 constrains tumours in part by repressing the embryonically restricted chromatin regulator Hmga2. Whereas focal amplification of NKX2-1 in a fraction of human lung adenocarcinomas has focused attention on its oncogenic function, our data specifically link Nkx2-1 downregulation to loss of differentiation, enhanced tumour seeding ability and increased metastatic proclivity. Thus, the oncogenic and suppressive functions of Nkx2-1 in the same tumour
    National Institutes of Health (U.S.) (grant U01-CA84306)
    National Institutes of Health (U.S.) (grant K99-CA151968)
    Howard Hughes Medical Institute
    Ludwig Center for Molecular Oncology
    National Cancer Institute (U.S.) (Cancer Center Support (core) grant P30-CA14051)

    Supersingular isogeny graphs and endomorphism rings: reductions and solutions

    In this paper, we study several related computational problems for supersingular elliptic curves, their isogeny graphs, and their endomorphism rings. We prove reductions between the problem of path finding in the -isogeny graph, computing maximal orders isomorphic to the endomorphism ring of a supersingular elliptic curve, and computing the endomorphism ring itself. We also give constructive versions of Deuring's correspondence, which associates to a maximal order in a certain quaternion algebra an isomorphism class of supersingular elliptic curves. The reductions are based on heuristics regarding the distribution of norms of elements in quaternion algebras. We show that conjugacy classes of maximal orders have a representative of polynomial size, and we define a way to represent endomorphism ring generators in a way that allows for efficient evaluation at points on the curve. We relate these problems to the security of the Charles-Goren-Lauter hash function. We provide a collision attack for special but natural parameters of the hash function and prove that for general parameters its preimage and collision resistance are also equivalent to the endomorphism ring computation problem.
    SCOPUS: cp.k
    info:eu-repo/semantics/published
    37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2018; Tel Aviv; Israel; 29 April 2018 through 3 May 2018
    ISBN: 978-331978371-0
    Volume Editors: Nielsen J.B., Rijmen V.
    Publisher: Springer Verla

    Oblivious Pseudorandom Functions from Isogenies

    An oblivious PRF, or OPRF, is a protocol between a client and a server, where the server has a key $k$ for a secure pseudorandom function $F$, and the client has an input $x$ for the function. At the end of the protocol the client learns $F(k,x)$, and nothing else, and the server learns nothing. An OPRF is verifiable if the client is convinced that the server has evaluated the PRF correctly with respect to a prior commitment to $k$. OPRFs and verifiable OPRFs have numerous applications, such as private-set-intersection protocols, password-based key-exchange protocols, and defense against denial-of-service attacks. Existing OPRF constructions use RSA-, Diffie-Hellman-, and lattice-type assumptions. The first two are not post-quantum secure. In this paper we construct OPRFs and verifiable OPRFs from isogenies. Our main construction uses isogenies of supersingular elliptic curves over $\mathbb{F}_{p^{2}}$ and tries to adapt the Diffie-Hellman OPRF to that setting. However, a recent attack on supersingular-isogeny systems due to Galbraith et al. [ASIACRYPT 2016] makes this approach difficult to secure. To overcome this attack, and to validate the server's response, we develop two new zero-knowledge protocols that convince each party that its peer has sent valid messages. With these protocols in place, we obtain an OPRF in the SIDH setting and prove its security in the UC framework. Our second construction is an adaptation of the Naor-Reingold PRF to commutative group actions. Combining it with recent constructions of oblivious transfer from isogenies, we obtain an OPRF in the CSIDH setting.

    Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography

    Isogeny based post-quantum cryptography is one of the most recent additions to the family of quantum resistant cryptosystems. In this paper, we propose an efficient modular multiplication algorithm for primes of the form $p = 2 \cdot 2^a \cdot 3^b - 1$ with $b$ even, typically used in such cryptosystems. Our modular multiplication algorithm exploits the special structure present in such primes. We compare the efficiency of our technique with Barrett reduction and Montgomery multiplication. Our C implementation shows that our algorithm is approximately 3 times faster than the normal Barrett reduction.

    The supersingular isogeny problem in genus 2 and beyond

    Let $A/\overline{\mathbb{F}}_p$ and $A'/\overline{\mathbb{F}}_p$ be supersingular principally polarized abelian varieties of dimension $g>1$. For any prime $\ell \ne p$, we give an algorithm that finds a path $\phi \colon A \rightarrow A'$ in the $(\ell, \dots, \ell)$-isogeny graph in $\widetilde{O}(p^{g-1})$ group operations on a classical computer, and $\widetilde{O}(\sqrt{p^{g-1}})$ calls to the Grover oracle on a quantum computer. The idea is to find paths from $A$ and $A'$ to nodes that correspond to products of lower dimensional abelian varieties, and to recurse down in dimension until an elliptic path-finding algorithm (such as Delfs--Galbraith) can be invoked to connect the paths in dimension $g=1$. In the general case where $A$ and $A'$ are any two nodes in the graph, this algorithm presents an asymptotic improvement over all of the algorithms in the current literature. In the special case where $A$ and $A'$ are a known and relatively small number of steps away from each other (as is the case in higher dimensional analogues of SIDH), it gives an asymptotic improvement over the quantum claw finding algorithms and an asymptotic improvement over the classical van Oorschot--Wiener algorithm.

    Radical Isogenies

    This paper introduces a new approach to computing isogenies called radical isogenies and a corresponding method to compute chains of $N$-isogenies that is very efficient for small $N$. The method is fully deterministic and completely avoids generating $N$-torsion points. It is based on explicit formulae for the coordinates of an $N$-torsion point $P'$ on the codomain of a cyclic $N$-isogeny $\varphi : E \to E'$, such that composing $\varphi$ with $E' \to E' / \langle P' \rangle$ yields a cyclic $N^2$-isogeny. These formulae are simple algebraic expressions in the coefficients of $E$, the coordinates of a generator $P$ of $\ker \varphi$, and an $N$th root $\sqrt[N]{\rho}$, where the radicand $\rho$ itself is given by an easily computable algebraic expression in the coefficients of $E$ and the coordinates of $P$. The formulae can be iterated and are particularly useful when computing chains of $N$-isogenies over a finite field $\mathbb{F}_q$ with $\gcd(q-1, N) = 1$, where taking an $N$th root is a simple exponentiation. Compared to the state-of-the-art, our method results in an order of magnitude speed-up for $N \leq 13$; for larger $N$, the advantage disappears due to the increasing complexity of the formulae. When applied to CSIDH, we obtain a speed-up of about 19% over the implementation by Bernstein, De Feo, Leroux and Smith for the CSURF-512 parameters.

    Genus two isogeny cryptography

    We study (ℓ,ℓ)-isogeny graphs of principally polarised supersingular abelian surfaces (PPSSAS). The (ℓ,ℓ)-isogeny graph has cycles of small length that can be used to break the collision resistance assumption of the genus two isogeny hash function suggested by Takashima. Algorithms for computing (2,2)-isogenies on the level of Jacobians and (3,3)-isogenies on the level of Kummers are used to develop a genus two version of the supersingular isogeny Diffie–Hellman protocol of Jao and De Feo. The genus two isogeny Diffie–Hellman protocol achieves the same level of security as SIDH but uses a prime with a third of the bit length.