48 research outputs found

    Security considerations for Galois non-dual RLWE families

    We explore further the hardness of the non-dual discrete variant of the Ring-LWE problem for various number rings, give improved attacks for certain rings satisfying some additional assumptions, construct a new family of vulnerable Galois number fields, and apply some number-theoretic results on Gauss sums to deduce the likely failure of these attacks for 2-power cyclotomic rings and unramified moduli.

    CSIDH on the surface

    For primes p ≡ 3 mod 4, we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring Z[(1+√−p)/2], amounts to just a few sign switches in the underlying arithmetic. If p ≡ 7 mod 8 then horizontal 2-isogenies can be used to help compute the class group action. The formulas we derive for these 2-isogenies are very efficient (they basically amount to a single exponentiation in F_p) and allow for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This improvement is completely orthogonal to all previous speed-ups, constant-time measures and constructions of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the surface gets rid of the redundant factor Z_3 of the acting ideal-class group, which is present in the case of CSIDH and offers no extra security.

    Rational isogenies from irrational endomorphisms

    In this paper, we introduce a polynomial-time algorithm to compute a connecting O-ideal between two supersingular elliptic curves over F_p with common F_p-endomorphism ring O, given a description of their full endomorphism rings. This algorithm provides a reduction of the security of the CSIDH cryptosystem to the problem of computing endomorphism rings of supersingular elliptic curves. A similar reduction for SIDH appeared at Asiacrypt 2016, but relies on totally different techniques. Furthermore, we also show that any supersingular elliptic curve constructed using the complex-multiplication method can be located precisely in the supersingular isogeny graph by explicitly deriving a path to a known base curve. This result prohibits the use of such curves as a building block for a hash function into the supersingular isogeny graph.

    On collisions related to an ideal class of order 3 in CSIDH

    CSIDH is an isogeny-based key exchange, which is a candidate for post-quantum cryptography. It uses the action of an ideal class group on F_p-isomorphism classes of supersingular elliptic curves. In CSIDH, the ideal classes are represented by vectors with integer coefficients. The number of ideal classes represented by these vectors determines the security level of CSIDH. Therefore, it is important to investigate the correspondence between the vectors and the ideal classes. Heuristics show that integer vectors in a certain range represent "almost" uniformly all of the ideal classes. However, the precise correspondence between the integer vectors and the ideal classes is still unclear. In this paper, we investigate the correspondence between the ideal classes and the integer vectors and show that the vector (1, ..., 1) corresponds to an ideal class of order 3. Consequently, the integer vectors in CSIDH have collisions related to this ideal class. Here, we use the word "collision" in the sense of distinct vectors belonging to the same ideal class, i.e., distinct secret keys that correspond to the same public key in CSIDH. We further propose a new ideal representation in CSIDH that does not include these collisions and give formulae for efficiently computing the action of the new representation.

    Parametric Polyhedra with at least k Lattice Points: Their Semigroup Structure and the k-Frobenius Problem

    Given an integral d × n matrix A, the well-studied affine semigroup Sg(A) = {b : Ax = b, x ∈ Z^n, x ≥ 0} can be stratified by the number of lattice points inside the parametric polyhedra P_A(b) = {x : Ax = b, x ≥ 0}. Such families of parametric polyhedra appear in many areas of combinatorics, convex geometry, algebra and number theory. The key themes of this paper are: (1) A structure theory that characterizes precisely the subset Sg_{≥k}(A) of all vectors b ∈ Sg(A) such that P_A(b) ∩ Z^n has at least k solutions. We demonstrate that this set is finitely generated; it is a union of translated copies of a semigroup which can be computed explicitly via Hilbert basis computations. Related results can be derived for those right-hand-side vectors b for which P_A(b) ∩ Z^n has exactly k solutions or fewer than k solutions. (2) A computational complexity theory. We show that, when n, k are fixed natural numbers, one can compute in polynomial time an encoding of Sg_{≥k}(A) as a multivariate generating function, using a short sum of rational functions. As a consequence, one can identify all right-hand-side vectors of bounded norm that have at least k solutions. (3) Applications and computation for the k-Frobenius numbers. Using generating functions we prove that for fixed n, k the k-Frobenius number can be computed in polynomial time. This generalizes a well-known result for k = 1 by R. Kannan. Using some adaptation of dynamic programming we show some practical computations of k-Frobenius numbers and their relatives.

    SiGamal: A supersingular isogeny-based PKE and its application to a PRF

    We propose two new supersingular isogeny-based public key encryptions: SiGamal and C-SiGamal. They were developed by giving an additional point of order 2^r to CSIDH. SiGamal is similar to ElGamal encryption, while C-SiGamal is a compressed version of SiGamal. We prove that SiGamal and C-SiGamal are IND-CPA secure without using hash functions under a new assumption: the P-CSSDDH assumption. This assumption comes from the expectation that no efficient algorithm can distinguish between a random point and a point that is the image of a public point under a hidden isogeny. Next, we propose a Naor-Reingold type pseudorandom function (PRF) based on SiGamal. If the P-CSSDDH assumption and the CSSDDH* assumption, which guarantees the security of CSIDH that uses a prime p in the setting of SiGamal, hold, then our proposed function is a pseudorandom function. Moreover, we estimate that the computational costs of group actions to compute our proposed PRF are about √(8T/(3π)) times that of the group actions in CSIDH, where T is the Hamming weight of the input of the PRF. Finally, we experimented with group actions in SiGamal and C-SiGamal. The computational costs of group actions in SiGamal-512 with a 256-bit plaintext message space were about 2.62 times that of a group action in CSIDH-512.

    One-Round Authenticated Group Key Exchange from Isogenies

    We propose two one-round authenticated group-key exchange protocols from newly employed cryptographic invariant maps (CIMs): one is secure in the quantum random oracle model and the other resists maximum exposure, where a non-trivial combination of secret keys is revealed. The security of the former (resp. latter) is proved under the n-way decisional Diffie-Hellman (resp. n-way gap Diffie-Hellman) assumption on the CIMs in the quantum random (resp. random) oracle model. We instantiate the proposed protocols on hard homogeneous spaces with the limitation that the number of users in the group is two. In particular, the protocols instantiated using the CSIDH (commutative supersingular isogeny Diffie-Hellman) key exchange are currently more realistic than the general n-party CIM-based ones due to its implementability. Our two-party one-round protocols are secure against quantum adversaries.

    Further Optimizations of CSIDH: A Systematic Approach to Efficient Strategies, Permutations, and Bound Vectors

    CSIDH is a recent post-quantum key establishment protocol based on constructing isogenies between supersingular elliptic curves. Several recent works give constant-time implementations of CSIDH along with some optimizations of the ideal class group action evaluation algorithm, including the SIMBA technique of Meyer et al. and the two-point method of Onuki et al. A recent work of Cervantes-Vazquez et al. details a number of improvements to the works of Meyer et al. and Onuki et al. Several of these optimizations---in particular, the choice of ordering of the primes, the choice of SIMBA partition and strategies, and the choice of bound vector which defines the secret keyspace---have been made in an ad hoc fashion, and so while they yield performance improvements it has not been clear whether these choices could be improved upon, or how to do so. In this work we present a framework for improving these optimizations using (respectively) linear programming, dynamic programming, and convex programming techniques. Our framework is applicable to any CSIDH security level, to all currently proposed paradigms for computing the class group action, and to any choice of model for the underlying curves. Using our framework we find improved parameter sets for the two major methods of computing the group action: in the case of the implementation of Meyer et al. we obtain a 12.77% speedup without applying the further optimizations proposed by Cervantes-Vazquez et al., while for that of Cervantes-Vazquez et al. under the two-point method we obtain a speedup of 5.06%, giving the fastest constant-time implementation of CSIDH to date.

    Large FHE Gates from tensored homomorphic accumulator

    The main bottleneck of all known Fully Homomorphic Encryption schemes lies in the bootstrapping procedure invented by Gentry (STOC'09). The cost of this procedure can be mitigated either using homomorphic SIMD techniques, or by performing a larger computation per bootstrapping procedure. In this work, we propose new techniques that allow performing more operations per bootstrapping in FHEW-type schemes (EUROCRYPT'13). While maintaining the quasi-quadratic Õ(n²) complexity of the whole cycle, our new scheme allows evaluating gates with Ω(log n) input bits, which constitutes a quasi-linear speed-up. Our scheme is also very well adapted to large threshold gates, natively admitting up to Ω(n) inputs. This could be helpful for homomorphic evaluation of neural networks. Our theoretical contribution is backed by a preliminary prototype implementation, which can perform 6-to-6 bit gates in less than 10s on a single core, as well as threshold gates over 63 input bits even faster.