Solving the "Isomorphism of Polynomials with Two Secrets" Problem for all Pairs of Quadratic Forms
We study the Isomorphism of Polynomials with two secrets (IP2S) problem with m=2 homogeneous quadratic polynomials in n variables over a finite field of odd characteristic: given two quadratic polynomials (a, b) in n variables, we find two bijective linear maps (s, t) such that b = t . a . s. We give an algorithm computing s and t in time complexity Õ(n^4) for all instances, and Õ(n^3) for a dominant set of instances.

The IP2S problem was introduced in cryptography by Patarin in 1996. The special case of this problem where t is the identity is called the isomorphism with one secret (IP1S) problem. Generic algebraic equation solvers (for example using Gröbner bases) solve random instances of the IP1S problem quite well. For the particular cyclic instances of IP1S, a cubic-time algorithm was later given and explained in terms of pencils of quadratic forms over all finite fields; in particular, the cyclic IP1S problem in odd characteristic reduces to the computation of the square root of a matrix.

We give here an algorithm solving all cases of the IP1S problem in odd characteristic using two new tools, the Kronecker form of a singular quadratic pencil and the reduction of bilinear forms over a non-commutative algebra. Finally, we show that the second secret in the IP2S problem may be recovered in cubic time.
Key-Recovery Attack on the ASASA Cryptosystem with Expanding S-boxes
We present a cryptanalysis of the ASASA public key cipher introduced at Asiacrypt 2014. This scheme alternates three layers of affine transformations A with two layers of quadratic substitutions S. We show that the partial derivatives of the public key polynomials contain information about the intermediate layer. This enables us to present a very simple distinguisher between an ASASA public key and random polynomials. We then expand upon the ideas of the distinguisher to achieve a full secret key recovery. This method uses only linear algebra and has a complexity dominated by the cost of computing the kernels of small matrices with entries in
New Insight into the Isomorphism of Polynomials problem IP1S and its Use in Cryptography
This paper investigates the mathematical structure of the "Isomorphism of Polynomials with One Secret" problem (IP1S). Our purpose is to understand why, for practical parameter values of IP1S, most random instances are easily solvable (as first observed by Bouillaguet et al.).

We show that the structure of the problem is directly linked to the structure of quadratic forms in odd and even characteristic. We describe a completely new method that efficiently solves most instances. Unlike previous solving techniques, it is not based upon Gröbner basis computations.
The Art of Bonsai: How Well-Shaped Trees Improve the Communication Cost of MLS
Messaging Layer Security (MLS) is a Secure Group Messaging protocol whose handshake uses a binary tree, called a Ratchet Tree, in order to reach a communication cost logarithmic in the number of group members. This Ratchet Tree represents users as its leaves; therefore any change in the group membership results in adding or removing the leaf associated with that user. MLS consequently implements what we call a tree evolution mechanism, consisting of a user add algorithm, which determines where to insert a new leaf, and a tree expansion process, which states how to increase the size of the tree when no space is available for a new user.

The tree evolution mechanism currently used by MLS is designed so that it naturally left-balances the Ratchet Tree. However, such a Ratchet Tree structure is often quite inefficient in terms of communication cost. Furthermore, one may wonder whether the binary tree used in that Ratchet Tree has a degree optimized for the features of a handshake in MLS, called a commit.

Therefore, we study in this paper how to improve the communication cost of a commit in MLS by considering both the tree evolution mechanism and the tree degree used for the Ratchet Tree. To do so, we determine the tree structure that optimizes the communication cost, and we propose optimized algorithms for both the user add and tree expansion processes that keep the tree close to that optimal structure and thus keep the communication cost as close to optimal as possible.

We also determine the Ratchet Tree degree that is best suited to a given set of parameters induced by the encryption scheme used by MLS. This study shows that when using classical (i.e. pre-quantum) ciphersuites, a binary tree is indeed the most appropriate Ratchet Tree; nevertheless, when it comes to post-quantum algorithms, it generally becomes more interesting to use a ternary tree instead.

Our improvements do not change the TreeKEM protocol and are easy to implement. With parameter sets corresponding to practical ciphersuites, they reduce TreeKEM's communication cost by 5 to 10%. In particular, the 10% gain appears in the post-quantum setting, where both an optimized tree evolution mechanism and a ternary tree are necessary, which is precisely the context where any optimization of the protocol's communication cost is welcome, due to the large bandwidth consumed by PQ encrypted communication.
Diversity and Transparency for ECC
Generating and standardizing elliptic curves for use in a cryptographic context is a hard task. In this note, we do not make an explicit proposal for an elliptic curve, but we deal with the following issues.

Security: We give a list of criteria that should be satisfied by a secure elliptic curve. Although a few of these criteria are incompatible, we detail what we think are the best choices for optimal security.

Transparency: We sketch a way to generate a curve in a fully transparent way so that it can be trusted and not suspected to belong to a (not publicly known to be) vulnerable class. In particular, since the computational cost of verifying the output of such a process may be quite high, we sketch out the format of a certificate that eases the computations. We think that this format might deserve to be standardized.
p-adic analytic Banach spaces and Banach-Colmez spaces
A p-adic spectral Banach space is a p-adic Banach space endowed with an algebra of analytic functions with values in a complete, algebraically closed field C. A Banach-Colmez space is a p-adic spectral Banach space that can be built by successive extensions and quotients from C and Qp. These spaces form an abelian category, on which two additive functions, "dimension" and "height", are naturally defined; this gives a new proof of the "weakly admissible implies admissible" theorem (Colmez-Fontaine, 2000). Moreover, there exists a full subcategory whose objects are canonically filtered by the slopes of the Frobenius action; this filtration is decreasing and indexed by the non-negative rational numbers.
Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies
We present new candidates for quantum-resistant public-key cryptosystems based on the conjectured difficulty of finding isogenies between supersingular elliptic curves. The main technical idea in our scheme is that we transmit the images of torsion bases under the isogeny in order to allow the parties to construct a shared commutative square despite the noncommutativity of the endomorphism ring. Our work is motivated by the recent development of a subexponential-time quantum algorithm for constructing isogenies between ordinary elliptic curves. In the supersingular case, by contrast, the fastest known quantum attack remains exponential, since the noncommutativity of the endomorphism ring means that the approach used in the ordinary case does not apply. We give a precise formulation of the necessary computational assumptions along with a discussion of their validity, and prove the security of our protocols under these assumptions. In addition, we present implementation results showing that our protocols are multiple orders of magnitude faster than previous isogeny-based cryptosystems over ordinary curves. This paper is an extended version of [19]. We add a new zero-knowledge identification scheme and detailed security proofs for the protocols. We also present a new, asymptotically faster algorithm for key generation, a thorough study of its optimization, and new experimental data.
Explicit isogenies in quadratic time in any characteristic
Published in the twelfth Algorithmic Number Theory Symposium in Kaiserslautern.
Consider two ordinary elliptic curves defined over a finite field F_q, and suppose that there exists an isogeny between and . We propose an algorithm that determines from the knowledge of , and of its degree , by using the structure of the -torsion of the curves (where is a prime different from the characteristic of the base field). Our approach is inspired by a previous algorithm due to Couveignes that involved computations using the -torsion on the curves. The most refined version of that algorithm, due to De Feo, has a complexity of Õ(r^2) p^{O(1)} base field operations. On the other hand, the cost of our algorithm is Õ(r^2) log(q)^{O(1)} for a large class of inputs; this makes it an interesting alternative for the medium- and large-characteristic cases.