139 research outputs found
Computing Zeta Functions of Hyperelliptic Curves over Finite Fields of Characteristic 2
We present an algorithm for computing the zeta function of an arbitrary hyperelliptic curve over a finite field Fq of characteristic 2, thereby extending the algorithm of Kedlaya for small odd characteristic. For a genus g hyperelliptic curve over n , the asymptotic running time of the algorithm is O(g ) and the space complexity is O(g )
Computing Zeta Functions of Nondegenerate Curves
In this paper we present a p-adic algorithm to compute the zeta function of a
nondegenerate curve over a finite field using Monsky-Washnitzer cohomology. The
paper vastly generalizes previous work since all known cases, e.g.
hyperelliptic, superelliptic and C_{ab} curves, can be transformed to fit the
nondegenerate case. For curves with a fixed Newton polytope, the property of
being nondegenerate is generic, so that the algorithm works for almost all
curves with given Newton polytope. For a genus g curve over F_{p^n}, the
expected running time is O(n^3g^6 + n^2g^{6.5}), whereas the space complexity
amounts to O(n^3g^4), assuming p is fixed.
On error distributions in ring-based LWE
Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus q and degree n number field K, generating ring-LWE samples can be perceived as cumbersome, because the secret keys have to be taken from the reduction mod q of a certain fractional ideal O_K^∨ ⊂ K called the codifferent or 'dual', rather than from the ring of integers O_K itself. This has led to various non-dual variants of ring-LWE, in which one compensates for the non-duality by scaling up the errors. We give a comparison of these versions, and revisit some unfortunate choices that have been made in the recent literature, one of which is scaling up by |Δ_K|^{1/2n} with Δ_K the discriminant of K. As a main result, we provide, for any ε > 0, a family of number fields K for which this variant of ring-LWE can be broken easily as soon as the errors are scaled up by |Δ_K|^{(1-ε)/n}
Faster SeaSign signatures through improved rejection sampling
We speed up the isogeny-based "SeaSign" signature scheme recently proposed by De Feo and Galbraith. The core idea in SeaSign is to apply the "Fiat–Shamir with aborts" transform to the parallel repeated execution of an identification scheme based on CSIDH. We optimize this general transform by allowing the prover to not answer a limited number of said parallel executions, thereby lowering the overall probability of rejection. The performance improvement ranges between factors of approximately 4.4 and 65.7 for various instantiations of the scheme, at the expense of roughly doubling the signature sizes
Quantum equivalence of the DLP and CDHP for group actions
In this short note we give a polynomial-time quantum reduction from the vectorization problem (DLP) to the parallelization problem (CDHP) for group actions. Combined with the trivial reduction from parallelization to vectorization, we thus prove the quantum equivalence of both problems
On the decisional Diffie-Hellman problem for class group actions on oriented elliptic curves
We show how the Weil pairing can be used to evaluate the assigned characters
of an imaginary quadratic order in an unknown ideal class
that connects two given
-oriented elliptic curves and . When specialized to ordinary elliptic curves over
finite fields, our method is conceptually simpler and often somewhat faster
than a recent approach due to Castryck, Sotáková and Vercauteren, who rely
on the Tate pairing instead. The main implication of our work is that it breaks
the decisional Diffie-Hellman problem for practically all oriented elliptic
curves that are acted upon by an even-order class group. It can also be used to
better handle the worst cases in Wesolowski's recent reduction from the
vectorization problem for oriented elliptic curves to the endomorphism ring
problem, leading to a method that always works in sub-exponential time.
Efficiently processing complex-valued data in homomorphic encryption
We introduce a new homomorphic encryption scheme that is natively capable of computing with complex numbers. This is done by generalizing recent work of Chen, Laine, Player and Xia, who modified the Fan–Vercauteren scheme by replacing the integral plaintext modulus t by a linear polynomial X − b. Our generalization studies plaintext moduli of the form X^m + b. Our construction significantly reduces the noise growth in comparison to the original FV scheme, so much deeper arithmetic circuits can be homomorphically executed
A framework for cryptographic problems from linear algebra
We introduce a general framework encompassing the main hard problems emerging in lattice-based cryptography, which naturally includes the recently proposed Mersenne prime cryptosystem, but also problems coming from code-based cryptography. The framework allows one to easily instantiate new hard problems and to automatically construct plausibly post-quantum secure primitives from them. As a first basic application, we introduce two new hard problems and the corresponding encryption schemes. Concretely, we study generalisations of hard problems such as SIS, LWE and NTRU to free modules over quotients of Z[X] by ideals of the form (f,g), where f is a monic polynomial and g∈Z[X] is a ciphertext modulus coprime to f. For trivial modules (i.e. of rank one), the case f=X^n+1 and g=q∈Z_{>1} corresponds to ring-LWE, ring-SIS and NTRU, while the choices f=X^n−1 and g=X−2 essentially cover the recently proposed Mersenne prime cryptosystems. At the other extreme, when considering modules of large rank and letting deg(f)=1, one recovers the framework of LWE and SIS
A polynomial-time attack on instances of M-SIDH and FESTA
The recent devastating attacks on SIDH rely on the fact that the protocol reveals the images and of the secret isogeny on a basis of the -torsion subgroup where . To thwart this attack, two recent proposals, M-SIDH and FESTA, proceed by only revealing the images up to unknown scalars , i.e., only and are revealed, where for M-SIDH and for FESTA. Similar information is leaked in CSIDH since maps the eigenspaces of Frobenius on to the corresponding eigenspaces on .
In this paper, we introduce a new polynomial time attack that generalizes the well known lollipop attack and analyze how it applies to M-SIDH, FESTA and CSIDH. We show that M-SIDH can be broken in polynomial time whenever or is -rational, even when the endomorphism rings of and are unknown. This can be generalized to the case where the starting (or end) curve is not -rational, but is connected to its Frobenius conjugate by an isogeny of small degree.
For FESTA, where the curve is already -rational, we obtain a polynomial time attack under the added requirement that at least one of the basis points spans an eigenspace of Frobenius, of an endomorphism of low degree, or of a composition of both. We note that the current implementation of FESTA does not choose such a basis. Since it is always possible to construct an endomorphism, typically of large degree, with either an eigenvector, we conclude that FESTA with overstretched parameters is insecure.
Although the information leaked in CSIDH is very similar to FESTA, we show that our attack does not reveal any new information about the secret isogeny, i.e., we only learn that it is -rational, which is a priori knowledge.
Finally, we analyze if and how it would be possible to backdoor M-SIDH and FESTA by choosing system parameters that look inconspicuous, but in fact reduce to the special cases above via a secret isogeny chosen by the adversary