{"title":"Computing 2-isogenies between Kummer lines","authors":"Damien Robert, Nicolas Sarkis","doi":"10.62056/abvua69p1","DOIUrl":"https://doi.org/10.62056/abvua69p1","url":null,"abstract":"<jats:p> We use theta groups to study <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mn>2</mml:mn>\u0000 </mml:mrow>\u0000 </mml:math>-isogenies between Kummer lines, with a particular focus on the Montgomery model. This allows us to recover known formulas, along with more efficient forms for translated isogenies, which require only <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mn>2</mml:mn>\u0000 <mml:mi>S</mml:mi>\u0000 <mml:mo>+</mml:mo>\u0000 <mml:mn>2</mml:mn>\u0000 <mml:msub>\u0000 <mml:mi>m</mml:mi>\u0000 <mml:mn>0</mml:mn>\u0000 </mml:msub>\u0000 </mml:mrow>\u0000 </mml:math> for evaluation. We leverage these translated isogenies to build a hybrid ladder for scalar multiplication on Montgomery curves with rational <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mn>2</mml:mn>\u0000 </mml:mrow>\u0000 </mml:math>-torsion, which cost <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mn>3</mml:mn>\u0000 <mml:mi>M</mml:mi>\u0000 <mml:mo>+</mml:mo>\u0000 <mml:mn>6</mml:mn>\u0000 <mml:mi>S</mml:mi>\u0000 <mml:mo>+</mml:mo>\u0000 <mml:mn>2</mml:mn>\u0000 <mml:msub>\u0000 <mml:mi>m</mml:mi>\u0000 <mml:mn>0</mml:mn>\u0000 </mml:msub>\u0000 </mml:mrow>\u0000 </mml:math> per bit, compared to <mml:math xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">\u0000 <mml:mrow>\u0000 <mml:mn>5</mml:mn>\u0000 <mml:mi>M</mml:mi>\u0000 <mml:mo>+</mml:mo>\u0000 <mml:mn>4</mml:mn>\u0000 <mml:mi>S</mml:mi>\u0000 <mml:mo>+</mml:mo>\u0000 <mml:mn>1</mml:mn>\u0000 <mml:msub>\u0000 <mml:mi>m</mml:mi>\u0000 <mml:mn>0</mml:mn>\u0000 </mml:msub>\u0000 </mml:mrow>\u0000 </mml:math> for the standard Montgomery ladder. </jats:p>","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"7 2","pages":"37"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140726844","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Computing isogenies between finite Drinfeld modules","authors":"B. Wesolowski","doi":"10.62056/avommp-3y","DOIUrl":"https://doi.org/10.62056/avommp-3y","url":null,"abstract":"We prove that isogenies between Drinfeld F[x]-modules over a finite field can be computed in polynomial time. This breaks Drinfeld analogs of isogeny-based cryptosystems.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"68 6","pages":"438"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140724943","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Preliminary Cryptanalysis of the Biscuit Signature Scheme","authors":"Charles Bouillaguet, Julia Sauvage","doi":"10.62056/aemp-4c2h","DOIUrl":"https://doi.org/10.62056/aemp-4c2h","url":null,"abstract":"Biscuit is a recent multivariate signature scheme based on the MPC-in-the-Head paradigm. It has been submitted to the NIST competition for additional signature schemes. Signatures are derived from a zero-knowledge proof of knowledge of the solution of a structured polynomial system. This extra structure enables efficient proofs and compact signatures. This short note demonstrates that it also makes these polynomial systems easier to solve than random ones. As a consequence, the original parameters of Biscuit failed to meet the required security levels and had to be upgraded.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"37 12","pages":"148"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140726899","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"On the Efficiency of Generic, Quantum Cryptographic Constructions","authors":"Keita Xagawa","doi":"10.62056/a66c0l5vt","DOIUrl":"https://doi.org/10.62056/a66c0l5vt","url":null,"abstract":"One of the central questions in cryptology is how efficient generic constructions of cryptographic primitives can be. Gennaro, Gertner, Katz, and Trevisan [SIAM J. of Compt., 2005] studied the lower bounds of the number of invocations of a (trapdoor) one-way permutation in order to construct cryptographic schemes, e.g., pseudorandom number generators, digital signatures, and public-key and symmetric-key encryption.\u0000 Recently, quantum machines have been explored to _construct_ cryptographic primitives other than quantum key distribution. This paper studies the efficiency of _quantum_ black-box constructions of cryptographic primitives when the communications are _classical_. Following Gennaro et al., we give the lower bounds of the number of invocations of an underlying quantumly-computable quantum-one-way permutation when the _quantum_ construction of pseudorandom number generator and symmetric-key encryption is weakly black-box. Our results show that the quantum black-box constructions of pseudorandom number generator and symmetric-key encryption do not improve the number of invocations of an underlying quantumly-computable quantum-one-way permutation.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"26 1","pages":"1142"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140725374","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Proximity Testing with Logarithmic Randomness","authors":"Benjamin E. Diamond, Jim Posen","doi":"10.62056/aksdkp10","DOIUrl":"https://doi.org/10.62056/aksdkp10","url":null,"abstract":"A fundamental result dating to Ligero (Des. Codes Cryptogr. '23) establishes that each fixed linear block code exhibits proximity gaps with respect to the collection of affine subspaces, in the sense that each given subspace either resides entirely close to the code, or else contains only a small portion which resides close to the code. In particular, any given subspace's failure to reside entirely close to the code is necessarily witnessed, with high probability, by a uniformly randomly sampled element of that subspace. We investigate a variant of this phenomenon in which the witness is not sampled uniformly from the subspace, but rather from a much smaller subset of it. We show that a logarithmic number of random field elements (in the dimension of the subspace) suffice to effect an analogous proximity test, with moreover only a logarithmic (multiplicative) loss in the possible prevalence of false witnesses. We discuss applications to recent noninteractive proofs based on linear codes, including Brakedown (CRYPTO '23).","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"32 6","pages":"630"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140723594","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Recovering cryptographic keys from partial information, by example","authors":"Gabrielle De Micheli, N. Heninger","doi":"10.62056/ahjbksdja","DOIUrl":"https://doi.org/10.62056/ahjbksdja","url":null,"abstract":"Side-channel attacks targeting cryptography may leak only partial or indirect information about the secret keys. There are a variety of techniques in the literature for recovering secret keys from partial information. In this work, we survey several of the main families of partial key recovery algorithms for RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the classical public-key cryptosystems in common use today. We categorize the known techniques by the structure of the information that is learned by the attacker, and give simplified examples for each technique to illustrate the underlying ideas.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"29 9","pages":"1506"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140727211","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"How to Make Rational Arguments Practical and Extractable","authors":"Matteo Campanelli, Chaya Ganesh, Rosario Gennaro","doi":"10.62056/a63zl86bm","DOIUrl":"https://doi.org/10.62056/a63zl86bm","url":null,"abstract":"We investigate proof systems where security holds against rational parties instead of malicious ones. Our starting point is the notion of rational arguments, a variant of rational proofs (Azar and Micali, STOC 2012) where security holds against rational adversaries that are also computationally bounded.\u0000 Rational arguments are an interesting primitive because they generally allow for very efficient protocols, and in particular sublinear verification (i.e. where the Verifier does not have to read the entire input). In this paper we aim at narrowing the gap between literature on rational schemes and real world applications. Our contribution is two-fold.\u0000 We provide the first construction of rational arguments for the class of polynomial computations that is practical (i.e., it can be applied to real-world computations on reasonably common hardware) and with logarithmic communication. Techniques-wise, we obtain this result through a compiler from information-theoretic protocols and rational proofs for polynomial evaluation. The latter could be of independent interest.\u0000 As a second contribution, we propose a new notion of extractability for rational arguments. Through this notion we can obtain arguments where knowledge of a witness is incentivized (rather than incentivizing mere soundness). We show how our aforementioned compiler can also be applied to obtain efficient extractable rational arguments for \u0000 \u0000 \u0000 N\u0000 P\u0000 \u0000 \u0000 .","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"23 6","pages":"1966"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140721393","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Décio Luiz Gazzoni Filho, Guilherme Brandão, Julio López Hernandez
{"title":"Fast polynomial multiplication using matrix multiplication accelerators with applications to NTRU on Apple M1/M3 SoCs","authors":"Décio Luiz Gazzoni Filho, Guilherme Brandão, Julio López Hernandez","doi":"10.62056/a3txommol","DOIUrl":"https://doi.org/10.62056/a3txommol","url":null,"abstract":"Efficient polynomial multiplication routines are critical to the performance of lattice-based post-quantum cryptography (PQC). As PQC standards only recently started to emerge, CPUs still lack specialized instructions to accelerate such routines. Meanwhile, deep learning has grown immeasurably in importance. Its workloads call for teraflops-level of processing power for linear algebra operations, mainly matrix multiplication. Computer architects have responded by introducing ISA extensions, coprocessors and special-purpose cores to accelerate such operations. In particular, Apple ships an undocumented matrix-multiplication coprocessor, AMX, in hundreds of millions of mobile phones, tablets and personal computers. Our work repurposes AMX to implement polynomial multiplication and applies it to the NTRU cryptosystem, setting new speed records on the Apple M1 and M3 systems-on-chip (SoCs): polynomial multiplication, key generation, encapsulation and decapsulation are sped up by \u0000 \u0000 1.54\u0000 \u0000 –\u0000 \u0000 3.07\u0000 ×\u0000 \u0000 , \u0000 \u0000 1.08\u0000 \u0000 –\u0000 \u0000 1.33\u0000 ×\u0000 \u0000 , \u0000 \u0000 1.11\u0000 \u0000 –\u0000 \u0000 1.50\u0000 ×\u0000 \u0000 and \u0000 \u0000 1.20\u0000 \u0000 –\u0000 \u0000 1.98\u0000 ×\u0000 \u0000 , respectively, over the previous state-of-the-art.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"75 8","pages":"2"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140726284","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Secure Multi-Party Linear Algebra with Perfect Correctness","authors":"Jules Maire, Damien Vergnaud","doi":"10.62056/avzojbkrz","DOIUrl":"https://doi.org/10.62056/avzojbkrz","url":null,"abstract":"We present new secure multi-party computation protocols for linear algebra over a finite field, which improve the state-of-the-art in terms of security. We look at the case of unconditional security with perfect correctness, i.e., information-theoretic security without errors. We notably propose an expected constant-round protocol for solving systems of m linear equations in n variables over Fq with expected complexity O(k n^2.5 + k m) (where complexity is measured in terms of the number of secure multiplications required) with k > m(m+n)+1. The previous proposals were not error-free: known protocols can indeed fail and thus reveal information with probability Omega(poly(m)/q). Our protocols are simple and rely on existing computer-algebra techniques, notably the Preparata-Sarwate algorithm, a simple but poorly known “baby-step giant-step” method for computing the characteristic polynomial of a matrix, and techniques due to Mulmuley for error-free linear algebra in positive characteristic.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"199 1","pages":"508"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140724151","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Feldman's Verifiable Secret Sharing for a Dishonest Majority","authors":"Yi-Hsiu Chen, Yehuda Lindell","doi":"10.62056/ak2isgvtw","DOIUrl":"https://doi.org/10.62056/ak2isgvtw","url":null,"abstract":"Verifiable secret sharing (VSS) protocols enable parties to share secrets while guaranteeing security (in particular, that all parties hold valid and consistent shares) even if the dealer or some of the participants are malicious. Most work on VSS focuses on the honest majority case, primarily since it enables one to guarantee output delivery (e.g., a corrupted recipient cannot prevent an honest dealer from sharing their value). Feldman's VSS is a well known and popular protocol for this task and relies on the discrete log hardness assumption. In this paper, we present a variant of Feldman's VSS for the dishonest majority setting and formally prove its security. Beyond the basic VSS protocol, we present a publicly-verifiable version, as well as show how to securely add participants to the sharing and how to refresh an existing sharing (all secure in the presence of a dishonest majority). We prove that our protocols are UC secure, for appropriately defined ideal functionalities.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"111 6","pages":"31"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140724593","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
