Faster SeaSign signatures through improved rejection sampling

We speed up the isogeny-based "SeaSign'' signature scheme recently proposed by De Feo and Galbraith. The core idea in SeaSign is to apply the "Fiat–Shamir with aborts'' transform to the parallel repeated execution of an identification scheme based on CSIDH. We optimize this general transform by allowing the prover to not answer a limited number of said parallel executions, thereby lowering the overall probability of rejection. The performance improvement ranges between factors of approximately 4.4 and 65.7 for various instantiations of the scheme, at the expense of roughly doubling the signature sizes

Efficient computation of (3n,3n)(3^n,3^n)-isogenies

The parametrization of $(3,3)$-isogenies by Bruin, Flynn and Testa requires over 37.500 multiplications if one wants to evaluate a single isogeny in a point. We simplify their formulae and reduce the amount of required multiplications by 94%. Further we deduce explicit formulae for evaluating $(3,3)$-splitting and gluing maps in the framework of the parametrization by Bröker, Howe, Lauter and Stevenhagen. We provide implementations to compute $(3^n,3^n)$-isogenies between principally polarized abelian surfaces with a focus on cryptographic application. Our implementation can retrieve Alice\u27s secret isogeny in 11 seconds for the SIKEp751 parameters, which were aimed at NIST level 5 security

An efficient key recovery attack on SIDH

We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH). The attack is based on Kani\u27s reducibility criterion for isogenies from products of elliptic curves and strongly relies on the torsion point images that Alice and Bob exchange during the protocol. If we assume knowledge of the endomorphism ring of the starting curve then the classical running time is polynomial in the input size (heuristically), apart from the factorization of a small number of integers that only depend on the system parameters. The attack is particularly fast and easy to implement if one of the parties uses 2-isogenies and the starting curve comes equipped with a non-scalar endomorphism of very small degree; this is the case for SIKE, the instantiation of SIDH that recently advanced to the fourth round of NIST\u27s standardization effort for post-quantum cryptography. Our Magma implementation breaks SIKEp434, which aims at security level 1, in about ten minutes on a single core

Towards a Quantum-resistant Weak Verifiable Delay Function

In this paper, we present a new quantum-resistant weak Verifiable Delay Function based on a purely algebraic construction. Its delay depends on computing a large-degree isogeny between elliptic curves, whereas its verification relies on the computation of isogenies between products of two elliptic curves. One of its major advantages is its expected fast verification time. However, it is important to note that the practical implementation of our theoretical framework poses significant challenges. We examine the strengths and weaknesses of our construction, analyze its security and provide a proof-of-concept implementation

Horizontal racewalking using radical isogenies

We address three main open problems concerning the use of radical isogenies, as presented by Castryck, Decru and Vercauteren at Asiacrypt 2020, in the computation of long chains of isogenies of fixed, small degree between elliptic curves over finite fields. Firstly, we present an interpolation method for finding radical isogeny formulae in a given degree $N$, which by-passes the need for factoring division polynomials over large function fields. Using this method, we are able to push the range for which we have formulae at our disposal from $N \leq 13$ to $N \leq 37$ (where in the range $18 \leq N \leq 37$ we have restricted our attention to prime powers). Secondly, using a combination of known techniques and ad-hoc manipulations, we derive optimized versions of these formulae for $N \leq 19$, with some instances performing more than twice as fast as their counterparts from 2020. Thirdly, we solve the problem of understanding the correct choice of radical when walking along the surface between supersingular elliptic curves over $\mathbb{F}_p$ with $p \equiv 7 \bmod 8$; this is non-trivial for even $N$ and was settled for $N = 2$ and $N = 4$ only, in the latter case by Onuki and Moriya at PKC 2022. We give a conjectural statement for all even $N$ and prove it for $N \leq 14$. The speed-ups obtained from these techniques are substantial: using $16$-isogenies, the computation of long chains of $2$-isogenies over $512$-bit prime fields can be accelerated by a factor $3$, and the previous implementation of CSIDH using radical isogenies can be sped up by about $12\%$

Six new dactylogyrid species (Platyhelminthes, Monogenea) from the gills of cichlids (Teleostei, Cichliformes) from the Lower Congo Basin

The Lower Congo Basin is characterized by a mangrove-lined estuary at its mouth and, further upstream, by many hydrogeographical barriers such as rapids and narrow gorges. Five localities in the mangroves and four from (upstream) left bank tributaries or pools were sampled. On the gills of Coptodon tholloni, Coptodon rendalli, Hemichromis elongatus, Hemichromis stellifer and Tylochromis praecox, 17 species of parasites (Dactylogyridae & Gyrodactylidae, Monogenea) were found, eight of which are new to science. Six of these are herein described: Cichlidogyrus bixlerzavalai n. sp. and Cichlidogyrus omari n. sp. from T praecox, Cichlidogyrus calycinus n. sp. and Cichlidogyrus polyenso n. sp. from H. elongatus, Cichlidogyrus kmentovae n. sp. from H. stellifer and Onchob-della ximenae n. sp. from both species of Hemichromis. On Cichlidogyrus reversati a ridge on the accessory piece was discovered that connects to the basal bulb of the penis. We report a putative spillback effect of the native parasites Cichlidogyrus berradae, Cichlidogyrus cubitus and Cichlidogyrus flexicolpos from C. tholloni to the introduced C. rendalli. From our results, we note that the parasite fauna of Lower Congo has a higher affinity with the fauna of West African and nearby freshwater ecoregions than it has with fauna of other regions of the Congo Basin and Central Africa.Peer reviewe

Efficient Computation of (3n,3n)(3^n , 3^n)-Isogenies

International audienceThe parametrization of $(3, 3)$-isogenies by Bruin, Flynn and Testa requires over 37.500 multiplications if one wants to evaluate a single isogeny in a point. We simplify their formulae and reduce the amount of required multiplications by 94%. Further we deduce explicit formulae for evaluating $(3, 3)$-splitting and gluing maps in the framework of the parametrization by Bröker, Howe, Lauter and Stevenhagen. We provide implementations to compute $(3^n , 3^n)$-isogenies between principally polarized abelian surfaces with a focus on cryptographic application. Our implementation can retrieve Alice's secret isogeny in 11 seconds for the SIKEp751 parameters, which were aimed at NIST level 5 security

CSIDH on the surface

status: accepte

Multiradical isogenies

We argue that for all integers $N \geq 2$ and $g \geq 1$ there exist multiradical isogeny formulae, that can be iteratively applied to compute $(N^k, \ldots, N^k)$-isogenies between principally polarized $g$-dimensional abelian varieties, for any value of $k \geq 2$. The formulae are complete: each iteration involves the extraction of $g(g+1)/2$ different $N$th roots, whence the epithet multiradical, and by varying which roots are chosen one computes all $N^{g(g+1)/2}$ extensions to an $(N^k, \ldots, N^k)$-isogeny of the incoming $(N^{k-1}, \ldots, N^{k-1})$-isogeny. Our group-theoretic argumentation is heuristic, but it is supported by concrete formulae for several prominent families. As our main application, we illustrate the use of multiradical isogenies by implementing a hash function from $(3,3)$-isogenies between Jacobians of superspecial genus-$2$ curves, showing that it outperforms its $(2,2)$-counterpart by an asymptotic factor $\approx 9$ in terms of speed