199 research outputs found

    Finding Significant Fourier Coefficients: Clarifications, Simplifications, Applications and Limitations

    Ideas from Fourier analysis have been used in cryptography for the last three decades. Akavia, Goldwasser and Safra unified some of these ideas to give a complete algorithm that finds significant Fourier coefficients of functions on any finite abelian group. Their algorithm stimulated a lot of interest in the cryptography community, especially in the context of `bit security'. This manuscript attempts to be a friendly and comprehensive guide to the tools and results in this field. The intended readership is cryptographers who have heard about these tools and seek an understanding of their mechanics and their usefulness and limitations. A compact overview of the algorithm is presented with emphasis on the ideas behind it. We show how these ideas can be extended to a `modulus-switching' variant of the algorithm. We survey some applications of this algorithm, and explain that several results should be taken in the right context. In particular, we point out that some of the most important bit security problems are still open. Our original contributions include: a discussion of the limitations on the usefulness of these tools; an answer to an open question about the modular inversion hidden number problem

    Distortion maps for genus two curves

    Distortion maps are a useful tool for pairing based cryptography. Compared with elliptic curves, the case of hyperelliptic curves of genus g > 1 is more complicated since the full torsion subgroup has rank 2g. In this paper we prove that distortion maps always exist for supersingular curves of genus g > 1 and we construct distortion maps in genus 2 (for embedding degrees 4, 5, 6 and 12).

    Constructing supersingular elliptic curves with a given endomorphism ring

    Let O be a maximal order in the quaternion algebra B_p over Q ramified at p and infinity. The paper is about the computational problem: construct a supersingular elliptic curve E over F_p such that End(E) = O. We present an algorithm that solves this problem by taking gcds of the reductions modulo p of Hilbert class polynomials. New theoretical results are required to determine the complexity of our algorithm. Our main result is that, under certain conditions on a rank three sublattice O^T of O, the order O is effectively characterized by the three successive minima and two other short vectors of O^T. The desired conditions turn out to hold whenever the j-invariant j(E), of the elliptic curve with End(E) = O, lies in F_p. We can then prove that our algorithm terminates with running time O(p^{1+\epsilon}) under the aforementioned conditions. As a further application we present an algorithm to simultaneously match all maximal order types with their associated j-invariants. Our algorithm has running time O(p^{2.5+\epsilon}) operations and is more efficient than Cervino's algorithm for the same problem.
    Comment: Full version of paper published by the LMS Journal of Computation and Mathematics.

    The Weil pairing on elliptic curves over C

    To help motivate the Weil pairing, we discuss it in the context of elliptic curves over the field of complex numbers.

    Authenticated key exchange for SIDH

    We survey authenticated key exchange (AKE) in the context of supersingular isogeny Diffie-Hellman key exchange (SIDH). We discuss different approaches to achieve authenticated key exchange, and survey the literature. We explain some challenges that arise in the SIDH setting if one wants to do a "Diffie-Hellman-like" AKE, and present several candidate authenticated key exchange protocols suitable for SIDH. We also discuss some open problems.

    Lattice Decoding Attacks on Binary LWE

    We consider the binary-LWE problem, which is the learning with errors problem when the entries of the secret vector are chosen from {0, 1} or {-1, 0, 1} (and the error vector is sampled from a discrete Gaussian distribution). Our main result is an improved lattice decoding algorithm for binary-LWE which first translates the problem to the inhomogeneous short integer solution (ISIS) problem, and then solves the closest vector problem using a re-scaling of the lattice. We also discuss modulus switching as an approach to the problem. Our conclusion is that binary-LWE is easier than general LWE. We give experimental results and theoretical estimates that can be used to choose parameters for binary-LWE to achieve certain security levels.

    Obfuscating Finite Automata

    We construct a VBB and perfect circuit-hiding obfuscator for evasive deterministic finite automata using a matrix encoding scheme with a limited zero-testing algorithm. We construct the matrix encoding scheme by extending an existing matrix FHE scheme. Using obfuscated DFAs we can, for example, evaluate secret regular expressions or disjunctive normal forms on public inputs. In particular, the possibility of evaluating regular expressions solves the open problem of obfuscated substring matching.

    Auditable Obfuscation

    We introduce a new variant of malicious obfuscation. Our formalism is incomparable to the existing definitions by Canetti and Varia (TCC 2010), Canetti et al. (EUROCRYPT 2022) and Badrinarayanan et al. (ASIACRYPT 2016). We show that this concept is natural and applicable to obfuscation-as-a-service platforms. We next define a new notion called auditable obfuscation which provides security against malicious obfuscation. Finally, we construct a proof of concept of the developed notions based on well-studied theoretical obfuscation proposals.

    Obfuscation of Evasive Algebraic Set Membership

    Canetti, Rothblum, and Varia showed how to obfuscate membership testing in a hyperplane over a finite field of exponentially large prime order, assuming the membership predicate is evasive and under a modified DDH assumption. Barak, Bitansky, Canetti, Kalai, Paneth, and Sahai extended their work from hyperplanes to hypersurfaces (of bounded degree), assuming multi-linear maps. In this paper we give much more general obfuscation tools that allow one to obfuscate evasive membership testing in arbitrary algebraic sets (including projective sets) over finite fields of arbitrary (prime power) order. We give two schemes and prove input-hiding security based on relatively standard assumptions. The first scheme is based on the preimage resistance property of cryptographic hash functions; the second scheme is based on the hardness assumptions required for small superset obfuscation. We also introduce a new security notion called span-hiding, and prove that the second scheme achieves span-hiding assuming small superset obfuscation. One special case of algebraic sets over finite fields is boolean polynomials, which means our methods can be applied to obfuscate any evasive function defined by a polynomial-size collection of boolean polynomials. As a corollary, we obtain an input-hiding obfuscator for evasive functions defined by circuits in NC^0.