    Computing in Algebraic Closures of Finite Fields

    We present algorithms to construct and perform computations in algebraic closures of finite fields. Inspired by algorithms for constructing irreducible polynomials, our approach to constructing closures consists of two phases: first, extension towers of prime-power degree are built, and then they are glued together using composita techniques. To be able to move elements around in the closure, we give efficient algorithms for computing isomorphisms and embeddings. In most cases, our algorithms, which are based on polynomial arithmetic rather than linear algebra, have quasi-linear complexity.
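    The two-phase construction sketched in this abstract (build extension towers, then glue them into a compositum, with embeddings to move elements between fields) can be seen concretely at toy scale. The Python below is an added example written for this page, not code from the paper: it builds GF(3^2), GF(3^3) and GF(3^6) purely with polynomial arithmetic, realises each embedding as a root of the subfield's defining polynomial inside the larger field, checks that the resulting map respects addition and multiplication, and verifies that the product of the two embedded generators has degree 6, which is the fact behind gluing GF(3^2) and GF(3^3) into the compositum GF(3^6). The prime p = 3, the tiny degrees, and the exhaustive root search (where the paper's contribution is to compute such embeddings in quasi-linear time) are choices made for this illustration only.

```python
# Added example for this page (not the paper's code): toy construction of
# GF(p^n) = GF(p)[x]/(f) by polynomial arithmetic, embeddings GF(p^a) -> GF(p^ab)
# obtained as roots of the subfield's defining polynomial, and a check that a
# degree-2 and a degree-3 generator multiply to a degree-6 element, i.e. that
# GF(p^2) and GF(p^3) glue into the compositum GF(p^6).
# Assumption: p = 3 and small degrees, so exhaustive root search is instant.
from itertools import product

P = 3  # assumed small odd prime; the construction itself works for any prime

# --- polynomials over GF(P): coefficient lists, constant term first ---
def trim(a):
    while a and a[-1] % P == 0:
        a.pop()
    return a

def padd(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % P for x, y in zip(a, b)])

def psub(a, b):
    return padd(a, [(-x) % P for x in b])

def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

def pmod(a, m):
    """Remainder of a modulo m (m non-zero with invertible leading coefficient)."""
    a, inv = trim(list(a)), pow(m[-1], -1, P)
    while len(a) >= len(m):
        c, shift = (a[-1] * inv) % P, len(a) - len(m)
        a = psub(a, [0] * shift + [(c * y) % P for y in m])
    return a

def pgcd(a, b):
    a, b = trim(list(a)), trim(list(b))
    while b:
        a, b = b, pmod(a, b)
    inv = pow(a[-1], -1, P)
    return [(x * inv) % P for x in a]  # monic gcd

def ppowmod(base, e, m):
    r, base = [1], pmod(base, m)
    while e:
        if e & 1:
            r = pmod(pmul(r, base), m)
        base, e = pmod(pmul(base, base), m), e >> 1
    return r

def is_irreducible(f):
    """Ben-Or test: f of degree n is irreducible iff gcd(f, x^(p^i) - x) = 1
    for every 1 <= i <= n/2 (no irreducible factor of degree i)."""
    n, xp = len(f) - 1, [0, 1]
    for _ in range(n // 2):
        xp = ppowmod(xp, P, f)  # x^(p^i) mod f, built up one Frobenius at a time
        if len(pgcd(f, psub(xp, [0, 1]))) > 1:
            return False
    return True

def find_irreducible(n):
    """First monic irreducible of degree n in lexicographic coefficient order."""
    for low in product(range(P), repeat=n):
        f = list(low) + [1]
        if is_irreducible(f):
            return f

class GF:
    """GF(P^n) realised as GF(P)[x]/(f); elements are reduced coefficient lists."""
    def __init__(self, n):
        self.n, self.f = n, find_irreducible(n)
    def elements(self):
        return (trim(list(c)) for c in product(range(P), repeat=self.n))
    def add(self, a, b):
        return padd(a, b)
    def mul(self, a, b):
        return pmod(pmul(a, b), self.f)
    def eval_poly(self, g, alpha):
        """Horner evaluation of g in GF(P)[x] at the field element alpha."""
        acc = []
        for c in reversed(g):
            acc = padd(self.mul(acc, alpha), [c])
        return acc

def embedding(small, big):
    """A root alpha of small.f in big: g(x) -> g(alpha) is then an injective ring
    homomorphism GF(P^a) -> GF(P^(ab)).  Exhaustive search here; the paper's point
    is to find such an alpha in quasi-linear time instead."""
    if big.n % small.n:
        raise ValueError("subfield degree must divide extension degree")
    return next(al for al in big.elements() if not big.eval_poly(small.f, al))

def embed(small, big, alpha, a):
    return big.eval_poly(a, alpha)

def embedding_is_homomorphism(small, big, alpha):
    """Check that the embedding respects + and * on every pair of subfield elements."""
    phi = lambda a: embed(small, big, alpha, a)
    els = list(small.elements())
    return all(phi(small.mul(a, b)) == big.mul(phi(a), phi(b)) and
               phi(small.add(a, b)) == big.add(phi(a), phi(b))
               for a in els for b in els)

def frob_degree(big, gamma):
    """Degree of gamma over GF(P): the number of distinct Frobenius conjugates
    gamma, gamma^P, gamma^(P^2), ... obtained by polynomial exponentiation."""
    seen, g = [], gamma
    while g not in seen:
        seen.append(g)
        g = ppowmod(g, P, big.f)
    return len(seen)

if __name__ == "__main__":
    F2, F3, F6 = GF(2), GF(3), GF(6)
    alpha, beta = embedding(F2, F6), embedding(F3, F6)
    print("GF(3^2) generator has degree", frob_degree(F6, alpha))
    print("GF(3^3) generator has degree", frob_degree(F6, beta))
    print("their product has degree", frob_degree(F6, F6.mul(alpha, beta)))
```

    Any root of the subfield's defining polynomial works; different roots give conjugate embeddings that differ by a Frobenius power, which is why a closure implementation has to fix its embeddings consistently once and then reuse them rather than recompute them ad hoc.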

    Point Counting On Genus 2 Curves

    For cryptographic purposes, counting points on the Jacobian variety of a given hyperelliptic curve is of great importance. There have been several approaches to obtaining the cardinality of such a group, especially for hyperelliptic curves of genus 2. The best known algorithm for counting points on genus 2 curves over prime fields of large characteristic is a variant of Schoof's genus 1 algorithm. Following recent work of Gaudry and Schost, we show how to speed up the current state-of-the-art genus 2 point counting algorithm by proposing various computational improvements to its basic arithmetical ingredients.

    Efficient Quantum Public-Key Encryption From Learning With Errors

    Our main result is a quantum public-key encryption scheme based on the Extrapolated Dihedral Coset Problem (EDCP), which is equivalent, under quantum polynomial-time reductions, to the Learning With Errors (LWE) problem. For a limited number of public keys (roughly linear in the security parameter), the proposed scheme is information-theoretically secure. For a polynomial number of public keys, breaking the scheme is as hard as solving the LWE problem. The public keys in our scheme are quantum states of size Õ(n) qubits. The key generation and decryption algorithms require Õ(n) qubit operations, while the encryption algorithm takes O(1) qubit operations.

    x-only point addition formula and faster compressed SIKE

    The optimization of the main key compression bottlenecks of the supersingular isogeny key encapsulation mechanism (SIKE) has been a target of research in the last few years. Significant improvements were introduced in the recent works of Costello et al. and Zanon et al. The combination of the techniques in these works reduced the running time of binary torsion basis generation in decompression by a factor of 29 compared to earlier work. On the other hand, generating such a basis still takes almost a million cycles on an Intel Core i5-6267U Skylake. In this paper, we continue the work of Zanon et al. and introduce a technique that drops the complexity of binary torsion basis generation by a factor of log p in the number of underlying field multiplications. In particular, our experimental results show that a basis can be generated in about 1,300 cycles, an improvement by a factor of more than 600. Although this result eliminates one of the key compression bottlenecks, many others remain. In addition, we give further improvements for ternary torsion basis generation, with significant impact on the related decompression procedure. Moreover, a new trade-off between ciphertext size versus decapsulation speed and storage is introduced, achieving a 1.7 times faster decapsulation.

    Faster Cryptographic Hash Function From Supersingular Isogeny Graphs

    We propose a variant of the CGL hash (Charles et al. 2009) that is significantly faster than the original algorithm, and prove that it is preimage and collision resistant. For $n = \log p$, where $p$ is the characteristic of the finite field, the performance ratio between CGL and the new proposal is $(5.7n + 110)/(13.5\log n + 46.4)$. This gives an exponential speed-up as the size of $p$ increases. Assuming the best quantum preimage attack on the hash has complexity $O(p^{1/4})$, we attain a concrete speed-up for a 256-bit quantum preimage security level by a factor of 33.5. For a 384-bit quantum preimage security level, the speed-up is by a factor of 47.8.

    Failing to hash into supersingular isogeny graphs

    An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves", that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcds of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.
    Comment: 33 pages, 7 figures