Monday morning was interrupted by a very special coffee break: the **ecliptic curve cryptography coffee break**, a.k.a. viewing the solar eclipse. General Chair Steve Myers had very conveniently ordered solar eclipse glasses for everyone (from a legitimate vendor!). The sky was cloudy during the coffee break, but the eclipse occasionally peeked through, and the skies cleared afterward for a clearer view of the eclipse.

Later that morning, John Martinis, a physicist from UCSB, gave an invited lecture on the prospects of a quantum factoring (and, presumably, discrete logarithm-ing) machine.

On Monday afternoon, Yehuda Lindell gave a talk on his paper **Fast Secure Two-Party ECDSA Signing**. Fast two-party and threshold protocols exist for many factoring-, discrete logarithm-, and elliptic curve-based signature and public key encryption schemes. DSA and ECDSA are tricky because signing involves both additive and multiplicative operations using $k$ and $k^{-1}$ (the signature is $s = k^{-1}(H(m) + r x)$), and in a threshold scheme these must be carried out without any party knowing $k$. Past work by MacKenzie and Reiter (Crypto 2001) and Gennaro, Goldfeder, and Narayanan (ACNS 2016) gives protocols for computing ECDSA using multiplicative sharing of the signing key $x$ and the ephemeral secret $k$, and then Paillier encryption to combine the parties' equations. Proving honest behaviour ends up being quite expensive, unfortunately. Lindell showed how to improve performance by simplifying the shared tasks that one of the parties participates in, while still using Paillier homomorphic encryption. The key idea is that the party that assembles the final signature can check whether its counterparty behaved honestly simply by verifying the resulting signature, which is efficient and public by definition of a digital signature scheme; if verification fails, the signature is never released. The paper reports experimental results showing that two-party signing for ECDSA (with the NIST P-256 curve) runs in approximately 37 milliseconds. The techniques also apply to DSA.

Tuesday featured the three **award papers**. Sam Kim and David J. Wu won the best student paper award for Watermarking Cryptographic Functionalities from Standard Lattice Assumptions. Best paper awards went to Nico Döttling and Sanjam Garg for Identity-Based Encryption from the Diffie-Hellman Assumption and Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov for The first collision for full SHA-1.

Döttling and Garg’s paper showed how to construct **identity-based encryption from the computational Diffie–Hellman problem** in any group, including elliptic curve groups. Previous results had shown it impossible to construct IBE in a black-box way from CDH, so this paper had to make non-black-box use of the underlying cryptographic primitives. While the scheme is polynomial-time, this non-black-box use ends up making the scheme quite inefficient. On Wednesday another paper expanded the set of assumptions from which one can construct identity-based encryption: Identity-based Encryption from Codes with Rank Metric.

Tuesday evening featured the annual **rump session**, including the program chair’s report, reminiscences, announcements, songs, joke talks, and, unfortunately, some serious talks too. Most poignant was the second talk, entitled “Forty years and still running”. **Jean-Jacques Quisquater** presented a list of cryptosystems still running after 40 years, including the DES/Triple-DES algorithm and the RSA cryptosystem. In fact, 2017 marks the 40th anniversary of the invention of RSA, and Quisquater had arranged a wonderful surprise: Ron Rivest, Adi Shamir, and Leonard Adleman were all present for the rump session, and they took the stage to commemorate this milestone.

Later in the rump session, Michael Naehrig, co-inventor of the Barreto–Naehrig (BN) family of elliptic curves, performed (via Youtube) his original song **The Sound of Quantum**.

On Wednesday, Cédric Fournet of Microsoft Research Cambridge gave the second invited talk on **Project Everest**, a massive multi-institution multi-year project to create a fully verified, efficient implementation of the TLS protocol. One component of Everest is HACL*, a cryptographic library written in the F* language that includes a verified implementation of Curve25519 and compiles down to verified C code. This invited lecture was a joint talk between Crypto 2017 and the 30th IEEE Computer Security Foundations Symposium (CSF), also taking place at UCSB last week.

The full proceedings of Crypto 2017 are available on SpringerLink:

Crypto 2018 will take place in August 2018 at—where else?—UC Santa Barbara.

— Douglas Stebila


The first suggestions to use isogenies in crypto were due to Couveignes (in a talk in 1997), Charles, Lauter and Goren (a hash function proposed in 2005) and Rostovtsev and Stolbunov (eprint, 2006). But the biggest impetus came from the paper by David Jao and Luca De Feo in PQCrypto 2011. This paper presents the supersingular isogeny Diffie-Hellman (SIDH) key exchange scheme that has potential to be post-quantum secure.

The first thing to note is that the Jao and De Feo scheme is based on supersingular elliptic curves. Readers might think: *Supersingular curves are weak for classical crypto, and ECDLP is broken by Shor’s algorithm, so how can this be a good idea?* The point is that we are no longer basing security on discrete logarithms, or any “algebraic” property of a specific elliptic curve. Instead, the basic structure is group homomorphisms *between* curves.

There are several reasons to be interested in supersingular isogeny crypto.

- The pool of potential post-quantum assumptions is very small, and so all avenues need to be fully explored and tested.
- There has been a huge body of knowledge and experience developed over the last 20 years in support of elliptic curve crypto, and so it is natural to try to continue using elliptic curves if possible.
- Some of the underlying computational problems have already been considered by researchers in classical elliptic curve crypto and computational number theory, and so there is some good evidence that the assumptions are reasonable, at least against classical computers.
- It is straightforward to choose parameters to achieve a given security level. In contrast, selecting parameters for lattice crypto that achieve a given security level is still problematic. For example, different models of how the BKZ algorithm performs lead to quite different results (although it is possible to make conservative choices that still lead to a practical scheme).

However, there are also several serious concerns about supersingular isogeny crypto.

- One of the most serious concerns is that the systems have not been sufficiently scrutinised by researchers in quantum algorithms. A contributing factor is that there are significant mathematical preliminaries needed to fully understand isogeny crypto, and so it is not an easy field for non-experts to work in.
- Another concern, especially in contrast to lattices, is that isogenies are not a very “expressive” tool. Lattice crypto has provided a rich suite of cryptographic functionalities including encryption, signatures, id-based crypto, homomorphic encryption, and more. On the other hand, the only practical isogeny crypto primitive known is key exchange. We do not even have a practical digital signature scheme based on isogenies (see Yoo et al in FC2017 and this paper, which is to appear at Asiacrypt 2017), and signatures are a relatively basic primitive.

The main conceptual idea of isogeny key exchange is the following: In the original Diffie-Hellman protocol Alice sends to Bob and Bob sends to Alice . One can interpret this in terms of group homomorphisms: Alice has a private group homomorphism defined by and Bob has a private group homomorphism defined by . Alice publishes and Bob publishes . Alice completes the protocol by computing and Bob computes . The homomorphisms commute so Alice and Bob compute the same key.

An isogeny is a group homomorphism from an elliptic curve . An isogeny has a finite kernel . So one can think of an isogeny as a homomorphism . The crucial fact is that there is a way to represent the image in a form that does not reveal the group . In other words, it is not represented using cosets, but as another elliptic curve.

The key exchange protocol is then seen to be analogous to the Diffie-Hellman protocol. Fix an elliptic curve . Alice has a private subgroup and a private isogeny (group homomorphism) . Bob has a private subgroup and a private isogeny . Alice publishes for some points that enable Bob to compute . Bob computes for some other points that enable Alice to compute . Then Alice computes and Bob computes and in both cases they get the same elliptic curve (up to isomorphism) . For details see the paper by Jao and De Feo, or any of the other subsequent papers in the field.
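As an added worked example (not part of the original post), here is the classical exchange and its SIDH analogue written out side by side in the notation of Jao and De Feo; the symbol names $g, a, b$ and $E, P_A, Q_A, P_B, Q_B, m_A, n_A, m_B, n_B$ are this example's choice, not symbols taken from the text above.

$$
\begin{aligned}
&\textbf{Diffie–Hellman in } G = \langle g \rangle:\quad \phi_a(x) = x^{a},\quad \phi_b(x) = x^{b}; \\
&\text{Alice sends } \phi_a(g) = g^{a},\quad \text{Bob sends } \phi_b(g) = g^{b};\quad
\phi_a(\phi_b(g)) = g^{ab} = \phi_b(\phi_a(g)). \\[1ex]
&\textbf{SIDH on supersingular } E/\mathbb{F}_{p^2},\ p = \ell_A^{e_A}\ell_B^{e_B} f \pm 1,\
E[\ell_A^{e_A}] = \langle P_A, Q_A \rangle,\ E[\ell_B^{e_B}] = \langle P_B, Q_B \rangle: \\
&A = [m_A]P_A + [n_A]Q_A,\quad \phi_A : E \to E_A = E/\langle A \rangle;\qquad
B = [m_B]P_B + [n_B]Q_B,\quad \phi_B : E \to E_B = E/\langle B \rangle; \\
&\text{Alice sends } \big(E_A,\ \phi_A(P_B),\ \phi_A(Q_B)\big),\qquad
\text{Bob sends } \big(E_B,\ \phi_B(P_A),\ \phi_B(Q_A)\big); \\
&\text{Bob: } E_A/\langle [m_B]\phi_A(P_B) + [n_B]\phi_A(Q_B) \rangle = E_A/\langle \phi_A(B) \rangle \cong E/\langle A, B \rangle, \\
&\text{Alice: } E_B/\langle [m_A]\phi_B(P_A) + [n_A]\phi_B(Q_A) \rangle = E_B/\langle \phi_B(A) \rangle \cong E/\langle A, B \rangle, \\
&\text{shared secret: } j\big(E/\langle A, B \rangle\big).
\end{aligned}
$$

The analogue of "the homomorphisms commute" is that the two orders of quotienting land on the same curve $E/\langle A, B\rangle$ up to isomorphism, which is why the shared secret is the $j$-invariant rather than a curve equation. The auxiliary points $\phi_A(P_B), \phi_A(Q_B)$ are what let Bob push his secret subgroup through Alice's isogeny; they are also exactly the extra information, beyond the two curves themselves, that the variant of the isogeny problem discussed below hands to an attacker.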

One reason to choose supersingular elliptic curves is that it makes key generation and some computational and theoretical aspects of the protocol much more simple and efficient than if using other elliptic curves.

The fundamental computational problem underlying isogeny crypto is the problem: Given two elliptic curves to find an isogeny . This has been studied by researchers since David Kohel’s thesis in the mid-1990s and is a well-established problem in computational number theory. Only exponential-time classical algorithms are known for this problem. Moving to quantum algorithms: Childs, Jao and Soukharev gave in 2014 a subexponential-time quantum algorithm for the ordinary curve case. However, for supersingular curves the only quantum algorithm known is by Biasse, Jao and Sankar and it requires exponential time and subexponential space. This gives further motivation to only consider the case of supersingular curves.

However, it is important to note that the Jao-De-Feo key exchange scheme relies on a weaker variant of this problem. In the scheme one gets two elliptic curves plus two pairs of points where is an isogeny of known degree. Using these points one can generate exponentially many points on the graph of . Is it possible to compute using some kind of interpolation algorithm? Perhaps a quantum algorithm? A recent paper by Christophe Petit explores a novel classical approach to solving this variant of the isogeny problem, but currently these methods do not break practical versions of the SIDH scheme.

In conclusion, isogeny crypto is a very interesting and active area of research in crypto. However, more investigation is needed by researchers in quantum algorithms before we can be confident that it really is post-quantum secure. If you wish to learn more about the subject then I recommend this paper for a tutorial on the basic theory, and for a discussion of computational problems of interest.

— Steven Galbraith


- “The first collision for full SHA-1” by Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini and Yarik Markov
- “Fast Secure Two-Party ECDSA Signing” by Yehuda Lindell
- “Identity-Based Encryption from the Diffie-Hellman Assumption” by Nico Döttling and Sanjam Garg

The conference takes place August 20-24, 2017 in Santa Barbara.

The Eighth International Conference on Post-Quantum Cryptography (PQCrypto 2017)

takes place in Utrecht, the Netherlands, June 26–28, 2017.

The invited speakers are:

- Jaya Baloo
- Vadim Lyubashevsky
- Lieven Vandersypen

The list of accepted papers is available, and includes a session on isogeny-based crypto.

— Steven Galbraith


**David Kohel** introduced the -normal form for elliptic curves five years ago (at Indocrypt 2012). These curves are basically the “right way” to generalize Edwards curve arithmetic to characteristic 2. And they’re the right generalization not only mathematically, but also NIST-ically: existing standardized characteristic 2 curves cannot be transformed into -normal form. David’s paper twists its way around that obstruction, for a small cost of two extra multiplications per point addition. These twisted -normal curves are clearly the fastest and prettiest standard-compatible characteristic-2 elliptic curves out there. This is great news for binarophiles, and it will be interesting to see if implementers working on the hardware level can get much benefit from this.

**Joost Renes** gave a remarkably accessible talk about his work with **Craig Costello**, **David Jao**, **Patrick Longa**, **Michael Naehrig**, and **David Urbanik** on compressing public keys for the Supersingular Isogeny Diffie–Hellman protocol. SIDH is the best-known supposedly-quantum-resistant elliptic curve cryptosystem; while it might be slow compared with other postquantum alternatives, its principal attraction for cryptographers is its particularly small keys. Well, those keys are now even smaller (330 bytes for 128-bit security)—but the interesting thing in this paper is a much-improved key compression algorithm, which runs an order of magnitude faster than previous methods.

**Thorsten Kleinjung** gave a really nice talk on his record discrete logarithm computation with **Claus Diem**, **Arjen Lenstra**, **Christine Priplata**, and **Colin Stahlke**. Together they computed a discrete logarithm in a 768-bit prime field.

Why 768 bits? Because that matches the record for general integer factorization (from 2009, in a project that also included Thorsten and Arjen), which was computed with the General Number Field Sieve (GNFS); and GNFS is also what we use for prime-field discrete logs. In contrast to most recent finite-field discrete-log results which attack small-characteristic or pairing-related fields, this computation represents the state-of-the-art in the classic prime-field case.

The prime in question was , which is the smallest “safe prime” larger than (“safe” meaning that is also prime, so that this represents the hardest case for generic algorithms applied to finite fields of the same size). The element 11 generates the multiplicative group of .

No doubt the question you are asking yourself right now is *“what is the discrete logarithm of with respect to the base 11?” *Ask no more, for Thorsten has the answer: it’s *325923617918270562238615985978623709128341338833721058543950813521768156295091638348030637920237175638117352442299234041658748471079911977497864301995972638266781162575370644813703762423329783129621567127479417280687495231463348812*.

…So now you know. But as Thorsten points out, the journey is more interesting than the final destination: using some clever techniques detailed in the paper, this calculation took *much* less time and effort (a whole order of magnitude!) than the authors expected. Before you get too excited, it still took 5300 core years—but if this isn’t the exact discrete logarithm you are looking for, computing another one in the same field will now only take two core days. From a cryptographic perspective, that two-core-day figure is especially interesting, because that’s the time required to break actual keys, after a 5-core-millennium precomputation depending only on the field.

**Joshua Fried** spoke about his work with **Pierrick Gaudry**, **Nadia Heninger**, and **Emmanuel Thomé** on discrete logarithms in an even bigger prime field: 1024 bits. How can you compute discrete logs in such a large prime field? You cheat—or, I should say, the parameter generator cheats. Our estimates of the difficulty of these problems, and the cryptosystems that depend on them, are based on the performance of the *General* Number Field Sieve algorithm (GNFS). But Dan Gordon explained 25 years ago how to choose primes that are vulnerable to the much faster *Special* Number Field Sieve (SNFS)—but only if we know a secret backdoor, and detecting that backdoor is apparently infeasible. This project set up an instance of a backdoored 1024-bit prime, and then solved it. This means that if you’re still using 1024-bit fields (and why are you doing such a thing in the twenty-first century?), then you should be extremely careful about their provenance; in practice that means using groups whose generation was public and verifiable, such as the RFC 7919 groups, rather than a prime of unknown origin. Kevin McCurley asked an interesting question: is Gordon’s backdoor optimal?

**Gamze Orhon** gave a lightning-fast presentation of her work with **Huseyin Hisil** on optimizing Huff curve arithmetic during the rump session. The key is viewing these curves as curves in , rather than . The details are in their preprint.

**Aurore Guillevic** and **Laurent Grémy** have established a new reference website to help you keep track of progress in finite field discrete logarithm record computations. It was about time we had a better solution than trawling the archives of the NMBRTHRY list! Laurent is hosting a front-end on his website, but what’s really nice is that the database itself is git-able.

*—Ben Smith*


More information is available at the conference page

https://ecc2017.cs.ru.nl/


The three invited talks were:

- Nadia Heninger “The Reality of Cryptographic Deployments on the Internet”.
Nadia described several bad implementations of finite field Diffie-Hellman key exchange, surveying work of several recent papers by many authors. She commented that finite field Diffie-Hellman is prevalent in practice partly due to concerns that elliptic curves might have US government trapdoors.

- Hoeteck Wee “Advances in Functional Encryption”
Hoeteck gave a wonderfully clear overview of functional encryption.

- Neal Koblitz “Cryptography in Vietnam in the French and American Wars”
Neal gave a fascinating historical talk, based on recent research by himself, the general chair Hieu Phan and others, and drawing on historical resources from museums in Hanoi and the writings of historians and former government employees. Neal emphasized the mathematical and cryptographical ingenuity of the Vietnamese people, as well as powerfully evoking the horrors of war and the heroism of certain individuals (both Vietnamese and American).

The best paper award went to Ilaria Chillotti, Nicolas Gama, Mariya Georgieva and Malika Izabachène for “Faster Fully Homomorphic Encryption: Bootstrapping in less than 0.1 Seconds”, which shows that homomorphic encryption (in this case the GSW scheme with packed ciphertexts, together with a bunch of clever new ideas) is gradually becoming closer to practicality. Here is a photo of the best paper award authors with the two program chairs (Tsuyoshi Takagi on the left and Jung Hee Cheon on the right).

Some papers related to discrete logarithms and elliptic curves included:

- Palash Sarkar and Shashank Singh “A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm”.
This work is relevant for assessing the security of pairing based cryptography, more details on this application can be found here.

- Steven D. Galbraith, Christophe Petit, Barak Shani and Yan Bo Ti “On the Security of Supersingular Isogeny Cryptosystems”
The paper contains several results about the (potentially post-quantum) isogeny-based key exchange and encryption protocols of De Feo, Jao and Plut.

- There was an entire session about ABE and IBE, containing papers that use pairings:
- Nuttapong Attrapadung “Dual System Encryption Framework in Prime-Order Groups via Computational Pair Encodings”
- Junqing Gong, Xiaolei Dong, Jie Chen and Zhenfu Cao “Efficient IBE with Tight Reduction to Standard Assumption in the Multi-challenge Setting”
- Melissa Chase, Mary Maller and Sarah Meiklejohn “Déjà Q All Over Again: Tighter and Broader Reductions of q-Type Assumptions”
- Shuichi Katsumata and Shota Yamada “Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and Bilinear Maps”

- Paz Morillo, Carla Ràfols and Jorge L. Villar “The Kernel Matrix Diffie-Hellman Assumption”
This talk is about relations between variants of the Diffie-Hellman problem.

- Ted Chinburg, Brett Hemenway, Nadia Heninger and Zachary Scherr “Cryptographic applications of capacity theory: On the optimality of Coppersmith’s method for univariate polynomials”
Ted Chinburg delivered a clear and interesting survey of “capacity theory” (a branch of arithmetic geometry/algebraic number theory) that is relevant to the analysis of Coppersmith’s technique for finding small solutions to polynomial equations. The authors hope these ideas will be useful in other contexts in cryptography/cryptanalysis.

Regarding the increased focus on post-quantum crypto there were talks on multivariate crypto (more efficient Multi-quadratic-polynomial signatures), lattices (Vadim Lyubashevsky presented a result about signatures based on ring-SIS in *any* ring and urged the audience to work on a much harder but more interesting problem relating to LWE in any ring) and code-based crypto (an adaptive attack on a decoding algorithm).

The rump session was chaired by me, and was thankfully short. The best and most entertaining talk was given by Pierre Karpman and Jerome Plut. The social activities included a Water Puppet show and a Vietnamese banquet with traditional music.

— Steven Galbraith

]]>

https://twitter.com/cryptocephaly/status/803542260256276481

UPDATED Sunday December 4: More detailed explanation on NMBRTHRY list.

UPDATED December 30: The eprint paper has been updated.


It’s remarkable that this workshop has been running successfully for 20 years now: elliptic curve cryptography has come a long way. It was great to be there to celebrate a milestone of sorts:

–Ben Smith
