15 research outputs found

    Optimal TNFS-secure pairings on elliptic curves with composite embedding degree

    In this paper we present a comprehensive comparison between pairing-friendly elliptic curves, considering different curve forms and twists where possible. We define an additional measure of the efficiency of a parametrized pairing-friendly family that takes into account the number field sieve (NFS) attacks (unlike the ρ-value). This measure includes an approximation of the security of the discrete logarithm problem in F_{p^k}, computed via the method of Barbulescu and Duquesne [4]. We compute the security of the families presented by Fotiadis and Konstantinou in [14], compute some new families, and compare the efficiency of both of these with the (adjusted) BLS, KSS, and BN families, and with the new families of [20]. Finally, we recommend pairing-friendly elliptic curves for security levels 128 and 192.
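    The abstract contrasts the classical ρ-value with a measure that accounts for NFS-type attacks on the target field F_{p^k}. The following added example (not code from the paper, and not a reproduction of its security estimate) computes the quantities such a comparison starts from for two families the abstract names, BN and BLS12: the family polynomials p(x), r(x), t(x), the embedding degree k as the order of p modulo r, the ρ-value log p / log r, and the bit size of F_{p^k} that an NFS/TNFS attacker actually works in. The seeds are the published BN254 and BLS12-381 seeds; the function names and the report layout are this example's own choices.

```python
"""Added example: sanity checks for parametrised pairing-friendly families.

Not code from the paper. Family polynomials are the standard BN and
BLS12 ones; seeds are the published BN254 and BLS12-381 seeds. Everything
else (function names, report fields) is an assumption of this example.
"""
import math

# Published seeds (assumption: these are the usual BN254 / BLS12-381 values).
BN254_SEED = 0x44E992B44A6909F1
BLS12_381_SEED = -0xD201000000010000


def bn_params(x):
    """BN family (k = 12): p(x), r(x), t(x) as polynomials in the seed x."""
    p = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1
    r = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1
    t = 6 * x**2 + 1
    return p, r, t


def bls12_params(x):
    """BLS family with k = 12: r(x) = Phi_12(x), p(x) = (x-1)^2 r(x)/3 + x."""
    r = x**4 - x**2 + 1
    num = (x - 1) ** 2 * r
    if num % 3 != 0:
        raise ValueError("BLS12 needs x = 1 (mod 3) so that p(x) is an integer")
    p = num // 3 + x
    t = x + 1
    return p, r, t


def embedding_degree(p, r, bound=64):
    """Smallest k with r | p^k - 1, i.e. the order of p in (Z/rZ)^*, up to bound."""
    for k in range(1, bound + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def rho_value(p, r):
    """The classical rho-value log(p)/log(r) (1 is optimal)."""
    return math.log2(p) / math.log2(r)


def family_report(name, p, r, t):
    """Collect the checks a reviewer runs on a candidate (p, r, t)."""
    k = embedding_degree(p, r)
    return {
        "family": name,
        "p_bits": p.bit_length(),
        "r_bits": r.bit_length(),
        "k": k,
        "rho": rho_value(p, r),
        # Size of the target field F_{p^k}; this, not |p| alone, is what the
        # (T)NFS algorithms the abstract refers to are measured against.
        "field_bits": None if k is None else k * p.bit_length(),
        # Hasse bound |t| <= 2*sqrt(p) and r | #E(F_p) = p + 1 - t.
        "hasse_ok": t * t <= 4 * p,
        "r_divides_curve_order": (p + 1 - t) % r == 0,
    }


if __name__ == "__main__":
    for name, params in (("BN254", bn_params(BN254_SEED)),
                         ("BLS12-381", bls12_params(BLS12_381_SEED))):
        rep = family_report(name, *params)
        print(f"{rep['family']:10s} k={rep['k']:2d} |p|={rep['p_bits']} "
              f"|r|={rep['r_bits']} rho={rep['rho']:.3f} "
              f"|F_p^k|={rep['field_bits']} bits "
              f"hasse={rep['hasse_ok']} r|#E={rep['r_divides_curve_order']}")
```

    Both families come out with k = 12, but BN254 puts the pairing in a roughly 3048-bit field while BLS12-381 (ρ ≈ 1.49) lands in a roughly 4572-bit one; the ρ-value alone ranks BN first, which is exactly the ordering the NFS-aware measure in the abstract revisits.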

    Hilbert Modular Polynomials

    We present an algorithm to compute a higher dimensional analogue of modular polynomials. This higher dimensional analogue, the 'set of Hilbert modular polynomials', concerns cyclic isogenies of principally polarised abelian varieties with maximal real multiplication by a fixed totally real number field K0. We give a proof that this algorithm is correct, and provide practical improvements and an implementation for the 2-dimensional case with K0 = Q(√5). We also explain applications of this algorithm to point counting, walking on isogeny graphs, and computing class polynomials.

    On homomorphic encryption using abelian groups: Classical security analysis

    In [15], Leonardi and Ruiz-Lopez propose an additively homomorphic public key encryption scheme whose security is expected to depend on the hardness of the learning homomorphism with noise problem (LHN). Choosing parameters for their primitive requires choosing three groups G, H, and K. In their paper, Leonardi and Ruiz-Lopez claim that, when G, H, and K are abelian, then their public-key cryptosystem is not quantum secure. In this paper, we study security for finite abelian groups G, H, and K in the classical case. Moreover, we study quantum attacks on instantiations with solvable groups.

    Isogeny graphs, modular polynomials, and applications

    My thesis looks at ordinary abelian varieties defined with maximal real multiplication. I define modular polynomials in this setting and give an algorithm to compute them over the complex numbers, and for surfaces over finite fields. I also give a structure theorem for isogeny graphs in this setting. I give a generalisation of Schoof-Elkies-Atkin to genus 2 curves with fixed maximal real multiplication using the modular polynomials.

    How to not break SIDH

    We give a number of approaches which, to a newcomer, may seem like natural ways to attack the SIDH/SIKE protocol, and explain why each of these approaches seems to fail, at least with the specific setup and parameters of SIKE. Our aim is to save some time for others who are looking to assess the security of SIDH/SIKE. We include methods that fail to attack the pure isogeny problem, namely: looking at the F_p-subgraph, lifting to characteristic zero, and using Weil restrictions. We also include methods that fail to make use of the public 2-power and 3-power torsion points, namely: interpolation techniques, any purely group-theoretic approaches, and constructing an endomorphism à la Petit to exploit the auxiliary points, but with balanced parameters.

    An attack on SIDH with arbitrary starting curve

    We present an attack on SIDH which does not require any endomorphism information on the starting curve. Our attack has subexponential complexity, thus significantly reducing the security of SIDH and SIKE; our analysis and preliminary implementation suggest that our algorithm will be feasible for the Microsoft challenge parameters p = 2^{110} 3^{67} - 1 on a regular computer. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example Séta and B-SIDH. It does not apply to CSIDH, CSI-FiSh, or SQISign.

    A Direct Key Recovery Attack on SIDH

    We present an attack on SIDH utilising isogenies between polarized products of two supersingular elliptic curves. In the case of an arbitrary starting curve, our attack (discovered independently from [8]) has subexponential complexity, thus significantly reducing the security of SIDH and SIKE. When the endomorphism ring of the starting curve is known, our attack (here derived from [8]) has polynomial-time complexity assuming the generalised Riemann hypothesis. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example Séta and B-SIDH. It does not apply to CSIDH, CSI-FiSh, or SQISign.