Finding Significant Fourier Coefficients: Clarifications, Simplifications, Applications and Limitations
Ideas from Fourier analysis have been used in cryptography for the last three
decades. Akavia, Goldwasser and Safra unified some of these ideas to give a
complete algorithm that finds significant Fourier coefficients of functions on
any finite abelian group. Their algorithm stimulated a lot of interest in the
cryptography community, especially in the context of 'bit security'. This
manuscript attempts to be a friendly and comprehensive guide to the tools and
results in this field. The intended readership is cryptographers who have heard
about these tools and seek an understanding of their mechanics and their
usefulness and limitations. A compact overview of the algorithm is presented
with emphasis on the ideas behind it. We show how these ideas can be extended
to a 'modulus-switching' variant of the algorithm. We survey some applications
of this algorithm, and explain that several results should be taken in the
right context. In particular, we point out that some of the most important bit
security problems are still open. Our original contributions include: a
discussion of the limitations on the usefulness of these tools; an answer to an
open question about the modular inversion hidden number problem
Distortion maps for genus two curves
Distortion maps are a useful tool for pairing based cryptography. Compared
with elliptic curves, the case of hyperelliptic curves of genus g > 1 is more
complicated since the full torsion subgroup has rank 2g. In this paper we prove
that distortion maps always exist for supersingular curves of genus g>1 and we
construct distortion maps in genus 2 (for embedding degrees 4, 5, 6 and 12).
Comment: 16 pages
Constructing supersingular elliptic curves with a given endomorphism ring
Let O be a maximal order in the quaternion algebra B_p over Q ramified at p
and infinity. The paper is about the computational problem: Construct a
supersingular elliptic curve E over F_p such that End(E) = O. We present an
algorithm that solves this problem by taking gcds of the reductions modulo p of
Hilbert class polynomials. New theoretical results are required to determine
the complexity of our algorithm. Our main result is that, under certain
conditions on a rank three sublattice O^T of O, the order O is effectively
characterized by the three successive minima and two other short vectors of
O^T. The desired conditions turn out to hold whenever the j-invariant j(E), of
the elliptic curve with End(E) = O, lies in F_p. We can then prove that our
algorithm terminates with running time O(p^{1+\epsilon}) under the
aforementioned conditions. As a further application we present an algorithm to
simultaneously match all maximal order types with their associated
j-invariants. Our algorithm has running time O(p^{2.5+\epsilon}) operations and
is more efficient than Cervino's algorithm for the same problem.
Comment: Full version of paper published by the LMS Journal of Computation and Mathematics
The Weil pairing on elliptic curves over C
To help motivate the Weil pairing, we discuss it in the context of elliptic curves over the field of complex numbers.
Authenticated key exchange for SIDH
We survey authenticated key exchange (AKE) in the context of supersingular isogeny Diffie-Hellman key exchange (SIDH). We discuss different approaches to achieve authenticated key exchange, and survey the literature. We explain some challenges that arise in the SIDH setting if one wants to do a "Diffie-Hellman-like" AKE, and present several candidate authenticated key exchange protocols suitable for SIDH. We also discuss some open problems.
On the Degree-Insensitive SI-GDH problem and assumption
Fujioka, Takashima, Terada and Yoneyama, in their 2018 work on an authenticated key exchange protocol using supersingular isogenies, use new assumptions in their security proof of the scheme. In particular, they define the degree-sensitive and degree-insensitive SI-GDH assumptions and problems. These assumptions include a decision oracle that is used in the security proofs. We give evidence that those assumptions are not well defined. Hence, the security proofs in their paper do not seem to be correct.
Obfuscating Finite Automata
We construct a VBB and perfect circuit-hiding obfuscator for evasive deterministic finite automata using a matrix encoding scheme with a limited zero-testing algorithm. We construct the matrix encoding scheme by extending an existing matrix FHE scheme. Using obfuscated DFAs we can, for example, evaluate secret regular expressions or disjunctive normal forms on public inputs. In particular, the possibility of evaluating regular expressions solves the open problem of obfuscated substring matching.
Lattice Decoding Attacks on Binary LWE
We consider the binary-LWE problem, which is the learning with errors problem when the entries of the secret vector are chosen from or (and the error vector is sampled from a discrete Gaussian distribution). Our main result is an improved lattice decoding algorithm for binary-LWE which first translates the problem to the inhomogeneous short integer solution (ISIS) problem, and then solves the closest vector problem using a re-scaling of the lattice. We also discuss modulus switching as an approach to the problem. Our conclusion is that binary-LWE is easier than general LWE. We give experimental results and theoretical estimates that can be used to choose parameters for binary-LWE to achieve certain security levels.
Auditable Obfuscation
We introduce a new variant of malicious obfuscation. Our formalism is incomparable to the existing definitions by Canetti and Varia (TCC 2010), Canetti et al. (EUROCRYPT 2022) and Badrinarayanan et al. (ASIACRYPT 2016). We show that this concept is natural and applicable to obfuscation-as-a-service platforms. We next define a new notion called auditable obfuscation which provides security against malicious obfuscation. Finally, we construct a proof of concept of the developed notions based on well-studied theoretical obfuscation proposals.