153 research outputs found
On Index Calculus Algorithms for Subfield Curves
In this paper we further the study of index calculus methods for solving the elliptic curve discrete logarithm problem (ECDLP). We focus on the index calculus for subfield curves, also called Koblitz curves, defined over F_q with ECDLP in F_{q^n}. Instead of accelerating the solution of polynomial systems during index calculus as was predominantly done in previous work, we define factor bases that are invariant under the q-power Frobenius automorphism of the field F_{q^n}, reducing the number of polynomial systems that need to be solved. A reduction by a factor of 1/n is the best one could hope for. We show how to choose factor bases to achieve this, while simultaneously accelerating the linear algebra step of the index calculus method for Koblitz curves by a factor n^2. Furthermore, we show how to use the Frobenius endomorphism to improve symmetry breaking for Koblitz curves. We provide constructions of factor bases with the desired properties, and we study their impact on the polynomial system solving costs experimentally.
Cryptanalysis of an oblivious PRF from supersingular isogenies
We cryptanalyse the SIDH-based oblivious pseudorandom function from supersingular isogenies proposed at Asiacrypt'20 by Boneh, Kogan and Woo. To this end, we give an attack on an assumption, the auxiliary one-more assumption, that was introduced by Boneh et al., and we show that this leads to an attack on the oblivious PRF itself. The attack breaks the pseudorandomness as it allows adversaries to evaluate the OPRF without further interactions with the server after some initial OPRF evaluations and some offline computations. More specifically, we first propose a polynomial-time attack. Then, we argue it is easy to change the OPRF protocol to include some countermeasures, and present a second subexponential attack that succeeds in the presence of said countermeasures. Both attacks break the security parameters suggested by Boneh et al. Furthermore, we provide a proof-of-concept implementation as well as some timings of our attack. Finally, we examine the generation of one of the OPRF parameters and argue that a trusted third party is needed to guarantee provable security.
On Adaptive Attacks against Jao-Urbanik's Isogeny-Based Protocol
The k-SIDH protocol is a static-static isogeny-based key agreement protocol. At Mathcrypt 2018, Jao and Urbanik introduced a variant of this protocol which uses non-scalar automorphisms of special elliptic curves to improve its efficiency. In this paper, we provide a new adaptive attack on Jao-Urbanik's protocol. The attack is a non-trivial adaptation of Galbraith-Petit-Shani-Ti's attack on SIDH (Asiacrypt 2016) and its extension to k-SIDH by Dobson-Galbraith-LeGrow-Ti-Zobernig (IACR eprint 2019). Our attack provides a speedup compared to a naïve application of Dobson et al.'s attack to Jao-Urbanik's scheme, exploiting its inherent structure. Estimating the security of k-SIDH and Jao-Urbanik's variant with respect to these attacks, k-SIDH provides better efficiency.
12th International Conference on the Theory and Application of Cryptographic Techniques in Africa, AFRICACRYPT 2020; Cairo, Egypt; 20 July 2020 through 22 July 2020. ISBN: 978-303051937-7. Volume Editors: Nitaj A., Youssef A. Publisher: Springer.
SCALLOP: Scaling the CSI-FiSh
We present SCALLOP: SCALable isogeny action based on Oriented supersingular curves with Prime conductor, a new group action based on isogenies of supersingular curves. Similarly to CSIDH and OSIDH, we use the group action of an imaginary quadratic order's class group on the set of oriented supersingular curves. Compared to CSIDH, the main benefit of our construction is that it is easy to compute the class-group structure; this data is required to uniquely represent, and efficiently act by, arbitrary group elements, which is a requirement in, e.g., the CSI-FiSh signature scheme by Beullens, Kleinjung and Vercauteren. The index-calculus algorithm used in CSI-FiSh to compute the class-group structure has complexity L(1/2), ruling out class groups much larger than CSIDH-512, a limitation that is particularly problematic in light of the ongoing debate regarding the quantum security of cryptographic group actions.
Hoping to solve this issue, we consider the class group of a quadratic order of large prime conductor inside an imaginary quadratic field of small discriminant. This family of quadratic orders lets us easily determine the size of the class group, and, by carefully choosing the conductor, even exercise significant control on it, in particular supporting highly smooth choices. Although evaluating the resulting group action still has subexponential asymptotic complexity, a careful choice of parameters leads to a practical speedup that we demonstrate in practice for a security level equivalent to CSIDH-1024, a parameter currently firmly out of reach of index-calculus-based methods. However, our implementation takes 35 seconds (resp. 12.5 minutes) for a single group-action evaluation at a CSIDH-512-equivalent (resp. CSIDH-1024-equivalent) security level, showing that, while feasible, the SCALLOP group action does not achieve realistically usable performance yet.
On the Isogeny Problem with Torsion Point Information
It has recently been rigorously proven (and was previously known under certain heuristics) that the general supersingular isogeny problem reduces to the supersingular endomorphism ring computation problem. However, in order to attack SIDH-type schemes, one requires a particular isogeny which is usually not returned by the general reduction. At Asiacrypt 2016, Galbraith, Petit, Shani and Ti presented a polynomial-time reduction of the problem of finding the secret isogeny in SIDH to the problem of computing the endomorphism ring of a supersingular elliptic curve. Their method exploits the fact that secret isogenies in SIDH are of degree approximately . The method does not extend to other SIDH-type schemes, where secret isogenies of larger degree are used and this condition is not fulfilled.
We present a more general reduction algorithm that generalises to all SIDH-type schemes. The main idea of our algorithm is to exploit available torsion point images together with the KLPT algorithm to obtain a linear system of equations over a certain residue class ring. We show that this system will have a unique solution that can be lifted to the integers if some mild conditions on the parameters are satisfied. This lift then yields the secret isogeny. One consequence of this work is that the choice of the prime in B-SIDH is tight.
Finally, we show that our reduction still applies for SIDH variations deploying recently proposed countermeasures against a series of classical polynomial time attacks against SIDH.
Improved algorithms for finding fixed-degree isogenies between supersingular elliptic curves
Finding isogenies between supersingular elliptic curves is a natural algorithmic problem which is known to be equivalent to computing the curves' endomorphism rings.
When the isogeny is additionally required to have a specific degree , the problem appears to be somewhat different in nature, yet it is also considered a hard problem in isogeny-based cryptography.
Let be supersingular elliptic curves over . We present improved classical and quantum algorithms that compute an isogeny of degree between and if it exists. Let the sought-after degree be for some .
Our essentially memory-free algorithms have better time complexity than meet-in-the-middle algorithms, which require exponential memory storage, in the range on a classical computer and quantum improvements in the range.
Weak instances of class group action based cryptography via self-pairings
In this paper we study non-trivial self-pairings with cyclic domains that are compatible with isogenies between elliptic curves oriented by an imaginary quadratic order . We prove that the order of such a self-pairing necessarily satisfies (and even if and if ) and is not a multiple of the field characteristic. Conversely, for each satisfying these necessary conditions, we construct a family of non-trivial cyclic self-pairings of order that are compatible with oriented isogenies, based on generalized Weil and Tate pairings.
As an application, we identify weak instances of class group actions on elliptic curves assuming the degree of the secret isogeny is known. More in detail, we show that if for some prime power then given two primitively -oriented elliptic curves and connected by an unknown invertible ideal , we can recover essentially at the cost of a discrete logarithm computation in a group of order , assuming the norm of is given and is smaller than . We give concrete instances, involving ordinary elliptic curves over finite fields, where this turns into a polynomial time attack.
Finally, we show that these self-pairings simplify known results on the decisional Diffie-Hellman problem for class group actions on oriented elliptic curves.