40 research outputs found
Computation of Hilbert class polynomials and modular polynomials from supersingular elliptic curves
We present several new heuristic algorithms to compute class polynomials and modular polynomials modulo a prime . For that, we revisit the idea of working with supersingular elliptic curves. The best known algorithms to date are based on ordinary curves, due to the supposed inefficiency of the supersingular case. While this was true a decade ago, it is not anymore, due to the recent advances in the study of supersingular curves. Our main ingredients are two new heuristic algorithms to compute the -invariants of supersingular curves having an endomorphism ring contained in some set of isomorphism classes of maximal orders.
Verifiable random function from the Deuring correspondence and higher dimensional isogenies
In this paper, we introduce the family of Verifiable Random Function (VRF) protocols. Based on isogenies between supersingular curves, the random function at the heart of our scheme is the one that computes the codomain of an isogeny of big prime degree from its kernel.
In , the evaluation is done with algorithms for the Deuring correspondence that make use of isogenies in dimension , and the verification is based on the isogeny representation obtained from isogenies in dimension .
The main advantage of the family is its compactness, with proof sizes of a few hundred bytes, which is orders of magnitude smaller than other generic purpose post-quantum VRF constructions.
We describe four variants of our scheme with each offering different tradeoffs between compactness, evaluation efficiency and verification efficiency.
In the process, we introduce several new algorithms that might be of independent interest. In particular, for the variants with , we introduce the first algorithm to translate an ideal into the corresponding isogeny of dimension using isogenies between abelian varieties of dimension as a tool.
The main advantage of this new algorithm compared to existing solutions is the relaxation of the constraints on the prime characteristic: our new algorithm can run efficiently with "SIDH primes", which are very easy to generate, unlike the "SQIsign primes" that are currently required by the state-of-the-art approach.
We believe that this algorithm opens a promising research direction to speed up other schemes based on the Deuring correspondence, such as the SQIsign signature scheme.
An Effective Lower Bound on the Number of Orientable Supersingular Elliptic Curves
In this article, we prove a generic lower bound on the number of O-orientable supersingular curves over F_{p^2}, i.e. curves that admit an embedding of the quadratic order O inside their endomorphism ring. Prior to this work, the only known effective lower bound is restricted to small discriminants. Our main result targets the case of fundamental discriminants, and we derive a generic bound using the expansion properties of the supersingular isogeny graphs. Our work is motivated by isogeny-based cryptography and the increasing number of protocols based on O-oriented curves. In particular, our lower bound provides a complexity estimate for the brute-force attack against the new O-uber isogeny problem introduced by De Feo, Delpech de Saint Guilhem, Fouotsa, Kutas, Leroux, Petit, Silva and Wesolowski in their recent article on the SETA encryption scheme.
A New Isogeny Representation and Applications to Cryptography
This paper focuses on isogeny representations, defined as ways to evaluate isogenies and verify membership in the language of isogenous supersingular curves (the set of triples D, E1, E2 with a cyclic isogeny of degree D between E1 and E2). The tasks of evaluating and verifying isogenies are fundamental for isogeny-based cryptography. Our main contribution is the design of the suborder representation, a new isogeny representation targeted at the case of (big) prime degree. The core of our new method is the revelation of endomorphisms of smooth norm inside a well-chosen suborder of the codomain's endomorphism ring. This new representation appears to open interesting prospects for isogeny-based cryptography under the hardness of a new computational problem: the SubOrder to Ideal Problem (SOIP). As an application, we introduce pSIDH, a new NIKE based on the suborder representation. Studying new assumptions appears to be particularly crucial in the light of the recent attacks against isogeny-based cryptography. In order to manipulate the suborder representation efficiently, we develop several heuristic algorithmic tools to solve norm equations inside a new family of quaternion orders. These new algorithms may be of independent interest.
SCALLOP-HD: group action from 2-dimensional isogenies
We present SCALLOP-HD, a novel group action that builds upon the recent SCALLOP group action introduced by De Feo, Fouotsa, Kutas, Leroux, Merz, Panny and Wesolowski in 2023. While our group action uses the same action of the class group on -oriented curves where for a large prime as SCALLOP, we introduce a different orientation representation: the new representation embeds an endomorphism generating in a -isogeny between abelian varieties of dimension with Kani's Lemma, and this representation comes with a simple algorithm to compute the class group action. Our new approach considerably simplifies the SCALLOP framework, potentially surpassing it in efficiency (a claim to be confirmed by implementation results). Additionally, our approach streamlines parameter selection. The new representation allows us to select efficiently a class group of smooth order, enabling polynomial-time generation of the lattice of relations, hence enhancing scalability in contrast to SCALLOP.
To instantiate our SCALLOP-HD group action, we introduce a new technique to apply Kani's Lemma in dimension 2 with an isogeny diamond obtained from commuting endomorphisms. This method allows one to represent arbitrary endomorphisms with isogenies in dimension 2, and may be of independent interest.
Updatable Encryption from Group Actions
Updatable Encryption (UE) allows rotating the encryption key in the outsourced storage setting while minimizing the bandwidth used. The server can update ciphertexts to the new key using a token provided by the client. UE schemes should provide strong confidentiality guarantees against an adversary that can corrupt keys and tokens.
This paper studies the problem of building UE in the group action framework. We introduce a new notion of Mappable Effective Group Action (MEGA) and show that we can build CCA-secure UE from a MEGA by generalizing the SHINE construction of Boyd et al. at Crypto 2020. Unfortunately, we do not know how to instantiate this new construction in the post-quantum setting. Doing so would solve the open problem of building a CCA-secure post-quantum UE scheme.
Isogeny-based group actions are the most studied post-quantum group actions. Unfortunately, the resulting group actions are not mappable. We show that we can still build UE from isogenies by introducing a new algebraic structure called Effective Triple Orbital Group Action (ETOGA). We prove that UE can be built from an ETOGA and show how to instantiate this abstract structure from isogeny-based group actions. This new construction solves two open problems in ciphertext-independent post-quantum UE. First, this is the first post-quantum UE scheme that supports an unbounded number of updates. Second, our isogeny-based UE scheme is the first post-quantum UE scheme not based on lattices.
Communication-Efficient Proactive MPC for Dynamic Groups with Dishonest Majorities
Secure multiparty computation (MPC) has recently been increasingly adopted to secure cryptographic keys in enterprises, cloud infrastructure, and cryptocurrency and blockchain-related settings such as wallets and exchanges. Using MPC in blockchains and other distributed systems highlights the need to consider dynamic settings. In such dynamic settings, parties, and potentially even parameters of the underlying secret sharing and corruption tolerance thresholds of sub-protocols, may change over the lifetime of the protocol. In particular, stronger threat models, in which mobile adversaries control a changing set of parties (up to t out of n involved parties at any instant) and may eventually corrupt all n parties over the course of a protocol's execution, are becoming increasingly important for such real-world deployments; secure protocols designed for such models are known as Proactive MPC (PMPC). In this work, we construct the first efficient PMPC protocol for dynamic groups (where the set of parties changes over time) secure against a dishonest majority of parties. Our PMPC protocol only requires O(n^2) (amortized) communication per secret, compared to existing PMPC protocols that require O(n^4) and only consider static groups with dishonest majorities. At the core of our PMPC protocol is a new efficient technique to perform multiplication of secret-shared data (shared using a bivariate scheme) with O(n√n) communication, with security against a dishonest majority and without requiring pre-computation. We also develop a new efficient bivariate batched proactive secret sharing (PSS) protocol for dishonest majorities, which may be of independent interest. This protocol enables multiple dealers to contribute different secrets that are efficiently shared together in one batch; previous batched PSS schemes required all secrets to come from a single dealer.
Hidden Stabilizers, the Isogeny To Endomorphism Ring Problem and the Cryptanalysis of pSIDH
The Isogeny to Endomorphism Ring Problem (IsERP) asks to compute the endomorphism ring of the codomain of an isogeny between supersingular curves in characteristic given only a representation for this isogeny, i.e. some data and an algorithm to evaluate this isogeny on any torsion point. This problem plays a central role in isogeny-based cryptography; it underlies the security of the pSIDH protocol (ASIACRYPT 2022) and it is at the heart of the recent attacks that broke the SIDH key exchange. Prior to this work, no efficient algorithm was known to solve IsERP for a generic isogeny degree, the hardest case seemingly being when the degree is prime.
In this paper, we introduce a new quantum polynomial-time algorithm to solve IsERP for isogenies whose degrees are odd and have many prime factors. As main technical tools, our algorithm uses a quantum algorithm for computing hidden Borel subgroups, a group action on supersingular isogenies from EUROCRYPT 2021, various algorithms for the Deuring correspondence, and a new algorithm to lift arbitrary quaternion order elements modulo an odd integer with many prime factors to powersmooth elements.
As a main consequence for cryptography, we obtain a quantum polynomial-time key recovery attack on pSIDH. The technical tools we use may also be of independent interest.