15 research outputs found

    Deuring for the People: Supersingular Elliptic Curves with Prescribed Endomorphism Ring in General Characteristic

    Constructing a supersingular elliptic curve whose endomorphism ring is isomorphic to a given quaternion maximal order (one direction of the Deuring correspondence) is known to be polynomial-time assuming the generalized Riemann hypothesis [KLPT14; Wes21], but notoriously daunting in practice when not working over carefully selected base fields. In this work, we speed up the computation of the Deuring correspondence in general characteristic, i.e., without assuming any special form of the characteristic. Our algorithm follows the same overall strategy as earlier works, but we add simple (yet effective) optimizations to multiple subroutines to significantly improve the practical performance of the method. To demonstrate the impact of our improvements, we show that our implementation achieves highly practical running times even for examples of cryptographic size. One implication of these findings is that cryptographic security reductions based on KLPT-derived algorithms (such as [EHLMP18; Wes22]) have become tighter, and therefore more meaningful in practice. Another is the pure bliss of fast(er) computer algebra: We provide a Sage implementation which works for general primes and includes many necessary tools for computational number theorists' and cryptographers' needs when working with endomorphism rings of supersingular elliptic curves. This includes the KLPT algorithm, translation of ideals to isogenies, and finding supersingular elliptic curves with known endomorphism ring for general primes. Finally, the Deuring correspondence has recently received increased interest because of its role in the SQISign signature scheme [DeF+20]. We provide a short and self-contained summary of the state-of-the-art algorithms without going into any of the cryptographic intricacies of SQISign.

    Adventures in Supersingularland

    In this paper, we study isogeny graphs of supersingular elliptic curves. Supersingular isogeny graphs were introduced as a hard problem into cryptography by Charles, Goren, and Lauter for the construction of cryptographic hash functions [CGL06]. These are large expander graphs, and the hard problem is to find an efficient algorithm for routing, or path-finding, between two vertices of the graph. We consider four aspects of supersingular isogeny graphs, study each thoroughly and, where appropriate, discuss how they relate to one another. First, we consider two related graphs that help us understand the structure: the `spine' $\mathcal{S}$, which is the subgraph of $\mathcal{G}_\ell(\overline{\mathbb{F}_p})$ given by the $j$-invariants in $\mathbb{F}_p$, and the graph $\mathcal{G}_\ell(\mathbb{F}_p)$, in which both curves and isogenies must be defined over $\mathbb{F}_p$. We show how to pass from the latter to the former. The graph $\mathcal{S}$ is relevant for cryptanalysis because routing between vertices in $\mathbb{F}_p$ is easier than in the full isogeny graph. The $\mathbb{F}_p$-vertices are typically assumed to be randomly distributed in the graph, which is far from true. We provide an analysis of the distances of connected components of $\mathcal{S}$. Next, we study the involution on $\mathcal{G}_\ell(\overline{\mathbb{F}_p})$ that is given by the Frobenius of $\mathbb{F}_p$ and give heuristics on how often shortest paths between two conjugate $j$-invariants are preserved by this involution (mirror paths). We also study the related question of what proportion of conjugate $j$-invariants are $\ell$-isogenous for $\ell = 2,3$. We conclude with experimental data on the diameters of supersingular isogeny graphs when $\ell = 2$ and compare this with previous results on diameters of LPS graphs and random Ramanujan graphs. Comment: 46 pages. Comments welcome.

    SALSA PICANTE: a machine learning attack on LWE with binary secrets

    Learning with Errors (LWE) is a hard math problem underpinning many proposed post-quantum cryptographic (PQC) systems. The only PQC Key Exchange Mechanism (KEM) standardized by NIST is based on module LWE, and current publicly available PQ Homomorphic Encryption (HE) libraries are based on ring LWE. The security of LWE-based PQ cryptosystems is critical, but certain implementation choices could weaken them. One such choice is sparse binary secrets, desirable for PQ HE schemes for efficiency reasons. Prior work, SALSA, demonstrated a machine learning-based attack on LWE with sparse binary secrets in small dimensions ($n \le 128$) and low Hamming weights ($h \le 4$). However, this attack assumes access to millions of eavesdropped LWE samples and fails at higher Hamming weights or dimensions. We present PICANTE, an enhanced machine learning attack on LWE with sparse binary secrets, which recovers secrets in much larger dimensions (up to $n=350$) and with larger Hamming weights (roughly $n/10$, and up to $h=60$ for $n=350$). We achieve this dramatic improvement via a novel preprocessing step, which allows us to generate training data from a linear number of eavesdropped LWE samples ($4n$) and changes the distribution of the data to improve transformer training. We also improve the secret recovery methods of SALSA and introduce a novel cross-attention recovery mechanism allowing us to read off the secret directly from the trained models. While PICANTE does not threaten NIST's proposed LWE standards, it demonstrates significant improvement over SALSA and could scale further, highlighting the need for future investigation into machine learning attacks on LWE with sparse binary secrets.

    Managing foreign exchange risk with the Value at Risk method

    This bachelor thesis focuses on the management of currency risk, which arises from movements in exchange rates. It consists of 4 chapters. The first chapter introduces the topic of currency risk and the individual steps of its management, which we take to be identification, subsequent quantification, and a risk management strategy. The next chapter deals in detail with currency derivatives, which we classify among the external hedging methods. The third part of the thesis focuses on the widespread and popular risk measurement method Value at Risk, which is part of the banking regulations Basel I, Basel II and Basel III as well as the insurance regulation Solvency II. The final part is the practical part, in which I apply the historical simulation method to specific data for three portfolios composed of forward contracts, and then interpret and compare the measurement results.

    The bachelor thesis is focused on FX risk management, the risk arising from the evolution of exchange rates. It consists of 4 chapters. The first chapter deals with an introduction to the topic of price risk and the particular steps of its management, which we consider to be identification, quantification and a subsequent risk management strategy. The next chapter is concerned with currency derivatives, which we refer to as external methods of hedging. The third part focuses on the extensive and popular method of measuring risk, the so-called Value at Risk method, which is a part of the banking regulations Basel I, Basel II and Basel III as well as Solvency II for insurers. The final part of the thesis is the practical part, where I apply the historical simulation method to specific data for 3 portfolios composed of forward contracts, and then interpret and compare the results of the measurements.

    Product analysis of the company Pfanner, spol. s r.o.

    The diploma thesis focuses on the product analysis of the company Pfanner, spol. s r.o. The practical part of the thesis deals with the individual components of the product and compares the Pfanner company and brand with its nearest competitor, the company Rauch Rankweil, and its products. Afterwards, the thesis analyses the situation on the market for juices, nectars and sparkling beverages. The final assessment focuses on the competitors' performance on the market and an evaluation of their sales value in specific types of outlets.

    Economical analysis of company

    The bachelor thesis focuses on an analysis of the economic performance of the company CAMPI CZ, s.r.o. It assesses the financial health of the company using the methods of financial analysis. The results of the analysis are evaluated from the perspective of the company's owner.

    Analysis of factors influencing mortgage markets in the Czech Republic

    The aim of the diploma thesis is to estimate the influence of selected factors that affect the volume of mortgage loans granted. The first chapter describes the history of the mortgage loan, its basic characteristics and specifics, the influence of the central bank, and the situation during the financial crisis. The second chapter points to the key factors that lead to a change in the volume of mortgage loans. I analyse time series from the first quarter of 2005 to the second quarter of 2019, examine the dependence on past observations, and identify a suitable model that would describe these relationships. The chapter also includes an evaluation of the relationship between the given factors and the volume of mortgages. The analysis shows, however, that the links between the quantities are highly debatable and that relationships between two variables are a simplification of reality. For this reason, I used a more effective method in the third chapter: multiple linear regression.

    The thesis aims to estimate the impact of mortgage market factors. The first chapter describes the history of the mortgage loan, its basic characteristics and specifics, the influence of the central bank and the situation during the financial crisis. The second chapter points to the dominant factors that lead to a change in the volume of newly granted mortgage loans. I then analyze the time series from the first quarter of 2005 to the second quarter of 2019, examine the dependence on past observations, and identify a model that would describe these connections. The chapter also includes an evaluation of the relationship between the investigated factor and the volume of mortgages. To capture the complexity of the data, I used a more efficient method in the third part: multiple linear regression.

    The aim of the diploma thesis is to estimate the strength and direction of the influence of each of the selected factors on the volume of newly granted mortgage loans. The first chapter describes the history of the mortgage loan, its basic characteristics and specifics, the influence of the central bank, and the situation during the financial crisis. The second chapter points to the dominant factors that lead to a change in the volume of newly granted mortgage loans. I progressively analyse time series from the first quarter of 2005 to the second quarter of 2019, examine the dependence on past observations, and identify a model that would describe these relationships. The chapter also includes an evaluation of the relationship between the investigated factor and the volume of mortgages. The findings show that the links between the quantities are highly debatable and that relationships between two variables are a simplification of reality, which is why I used a more effective method in the third part: multiple linear regression.

    Breaking the decisional Diffie-Hellman problem for class group actions using genus theory.


    Breaking the Decisional Diffie–Hellman Problem for Class Group Actions Using Genus Theory: Extended Version

    In this paper, we use genus theory to analyze the hardness of the decisional Diffie-Hellman problem for ideal class groups of imaginary quadratic orders acting on sets of elliptic curves through isogenies (DDH-CGA). Such actions are used in the Couveignes-Rostovtsev-Stolbunov protocol and in CSIDH. Concretely, genus theory equips every imaginary quadratic order $\mathcal{O}$ with a set of assigned characters $\chi : \text{cl}(\mathcal{O}) \to \{ \pm 1\}$, and for each such character and every secret ideal class $[\mathfrak{a}]$ connecting two public elliptic curves $E$ and $E' = [\mathfrak{a}] \star E$, we show how to compute $\chi([\mathfrak{a}])$ given only $E$ and $E'$, i.e. without knowledge of $[\mathfrak{a}]$. In practice, this breaks DDH-CGA as soon as the class number is even, which is true for a density $1$ subset of all imaginary quadratic orders. For instance, our attack works very efficiently for all supersingular elliptic curves over $\mathbb{F}_p$ with $p \equiv 1 \bmod 4$. Our method relies on computing Tate pairings and walking down isogeny volcanoes. We also show that these ideas carry over, at least partly, to abelian varieties of arbitrary dimension. This is an extended version of the paper that was presented at Crypto 2020.