Finding Significant Fourier Coefficients: Clarifications, Simplifications, Applications and Limitations
Ideas from Fourier analysis have been used in cryptography for the last three decades. Akavia, Goldwasser and Safra unified some of these ideas to give a complete algorithm that finds significant Fourier coefficients of functions on any finite abelian group. Their algorithm stimulated a lot of interest in the cryptography community, especially in the context of 'bit security'. This manuscript attempts to be a friendly and comprehensive guide to the tools and results in this field. The intended readership is cryptographers who have heard about these tools and seek an understanding of their mechanics and their usefulness and limitations. A compact overview of the algorithm is presented with emphasis on the ideas behind it. We show how these ideas can be extended to a 'modulus-switching' variant of the algorithm. We survey some applications of this algorithm, and explain that several results should be taken in the right context. In particular, we point out that some of the most important bit security problems are still open. Our original contributions include: a discussion of the limitations on the usefulness of these tools; an answer to an open question about the modular inversion hidden number problem
Distortion maps for genus two curves
Distortion maps are a useful tool for pairing based cryptography. Compared with elliptic curves, the case of hyperelliptic curves of genus g > 1 is more complicated since the full torsion subgroup has rank 2g. In this paper we prove that distortion maps always exist for supersingular curves of genus g > 1 and we construct distortion maps in genus 2 (for embedding degrees 4, 5, 6 and 12).
Constructing supersingular elliptic curves with a given endomorphism ring
Let O be a maximal order in the quaternion algebra B_p over Q ramified at p and infinity. The paper is about the computational problem: Construct a supersingular elliptic curve E over F_p such that End(E) = O. We present an algorithm that solves this problem by taking gcds of the reductions modulo p of Hilbert class polynomials. New theoretical results are required to determine the complexity of our algorithm. Our main result is that, under certain conditions on a rank three sublattice O^T of O, the order O is effectively characterized by the three successive minima and two other short vectors of O^T. The desired conditions turn out to hold whenever the j-invariant j(E), of the elliptic curve with End(E) = O, lies in F_p. We can then prove that our algorithm terminates with running time O(p^{1+\epsilon}) under the aforementioned conditions. As a further application we present an algorithm to simultaneously match all maximal order types with their associated j-invariants. Our algorithm has running time O(p^{2.5+\epsilon}) operations and is more efficient than Cervino's algorithm for the same problem.
Comment: Full version of paper published by the LMS Journal of Computation and Mathematics
The Weil pairing on elliptic curves over C
To help motivate the Weil pairing, we discuss it in the context of elliptic curves over the field of complex numbers.
Authenticated key exchange for SIDH
We survey authenticated key exchange (AKE) in the context of supersingular isogeny Diffie-Hellman key exchange (SIDH). We discuss different approaches to achieve authenticated key exchange, and survey the literature. We explain some challenges that arise in the SIDH setting if one wants to do a "Diffie-Hellman-like" AKE, and present several candidate authenticated key exchange protocols suitable for SIDH. We also discuss some open problems.
Lattice Decoding Attacks on Binary LWE
We consider the binary-LWE problem, which is the learning with errors problem when the entries of the secret vector are chosen from or (and the error vector is sampled from a discrete Gaussian distribution). Our main result is an improved lattice decoding algorithm for binary-LWE which first translates the problem to the inhomogeneous short integer solution (ISIS) problem, and then solves the closest vector problem using a re-scaling of the lattice. We also discuss modulus switching as an approach to the problem. Our conclusion is that binary-LWE is easier than general LWE. We give experimental results and theoretical estimates that can be used to choose parameters for binary-LWE to achieve certain security levels.
Obfuscating Finite Automata
We construct a VBB and perfect circuit-hiding obfuscator for evasive deterministic finite automata using a matrix encoding scheme with a limited zero-testing algorithm. We construct the matrix encoding scheme by extending an existing matrix FHE scheme. Using obfuscated DFAs we can for example evaluate secret regular expressions or disjunctive normal forms on public inputs. In particular, the possibility of evaluating regular expressions solves the open problem of obfuscated substring matching.
Auditable Obfuscation
We introduce a new variant of malicious obfuscation. Our formalism is incomparable to the existing definitions by Canetti and Varia (TCC 2010), Canetti et al. (EUROCRYPT 2022) and Badrinarayanan et al. (ASIACRYPT 2016). We show that this concept is natural and applicable to obfuscation-as-a-service platforms. We next define a new notion called auditable obfuscation which provides security against malicious obfuscation. Finally, we construct a proof of concept of the developed notions based on well-studied theoretical obfuscation proposals.
Obfuscation of Evasive Algebraic Set Membership
Canetti, Rothblum, and Varia showed how to obfuscate membership testing in a hyperplane over a finite field of exponentially large prime order, assuming the membership predicate is evasive and under a modified DDH assumption.
Barak, Bitansky, Canetti, Kalai, Paneth, and Sahai extended their work from hyperplanes to hypersurfaces (of bounded degree), assuming multi-linear maps.
In this paper we give much more general obfuscation tools that allow one to obfuscate evasive membership testing in arbitrary algebraic sets (including projective sets) over finite fields of arbitrary (prime power) order.
We give two schemes and prove input-hiding security based on relatively standard assumptions. The first scheme is based on the preimage resistance property of cryptographic hash functions; and the second scheme is based on the hardness assumptions required for small superset obfuscation.
We also introduce a new security notion called span-hiding, and prove that the second scheme achieves span-hiding assuming small superset obfuscation.
One special case of algebraic sets over finite fields is boolean polynomials, which means our methods can be applied to obfuscate any evasive function defined by a polynomial-size collection of boolean polynomials.
As a corollary, we obtain an input-hiding obfuscator for evasive functions defined by circuits in NC^0.