— Steven Galbraith
]]>The session on isogeny-based cryptography was held in the afternoon of May 9. It included three talks by young researchers:
This talk presented a faster variant of the SeaSign signature scheme by improving rejection sampling, which is a key technical ingredient of SeaSign. To obtain a practical isogeny-based (post-quantum) signature scheme is an important research direction in this field. This work advances a nice step towards the goal, however, it does not yet succeed.
First, this talk presented a systematic method for finding collisions of the Charles-Goren-Lauter type genus-two hash function (which was suggested in a previous paper of mine). The collision finding was accomplished based on a closer look of the structure of isogeny graphs in genus two. A little surprisingly, it is now fixed by a very recent paper by Castryck, Decru, and Smith (eprint arxiv 2019/296), which reformulates it by using genus-two “superspecial” subgraphs. The talk also proposed a SIDH-type key exchange in genus two, in which (2,2)- and (3,3)-isogenies are used instead of 2- and 3-isogenies in the genus one case, respectively.
This presentation proposed an efficient constant-time implementation of CSIDH. In the authors’ previous paper (INDOCRYPT 2018), they initiated an improvement of CSIDH implementation, which resulted in a faster algorithm than the original. However, this previous one leaks various information about the private key. Therefore, for obtaining side-channel leakage resistance, this talk modified how to sample key elements and used dummy isogenies, and then obtained a constant-time implementation (with several efficiency improvements furthermore).
Moreover, there were two invited talks which are relevant to this blog. One was by Tsuyoshi Takagi (Univ. of Tokyo), and the title was “Computational Challenge Problems in Post-Quantum Cryptography”, in which he first briefly reviewed the NIST PQC standardization, and then introduced PQC challenge problems with focus on the Fukuoka MQ Challenge and the Darmstadt Lattice Challenge. The other was given by Dustin Moody (NIST) on “Round 2 of NIST PQC Competition”. He carefully summarized the history of the competition and, for all the round 2 submissions, he made brief comments on advantages and/or unique features of the schemes. He also very briefly mentioned the future schedule of the competition.
— Katsuyuki Takashima
]]>Takakazu Satoh has been interested in pairing inversion for quite a while, and has published several papers on the topic, including “On Degrees of Polynomial Interpolations Related to Elliptic Curve Cryptography” (WCC 2005), “On Pairing Inversion Problems” (Pairing 2007), and “Closed formulae for the Weil pairing inversion” (Finite Fields and Their Applications 2008).
To recall basic definitions: Let be an ellptic curve over a field . Let be a large prime such that . The embedding degree is the smallest integer such that A pairing-friendly elliptic curve is one whose embedding degree is small, e.g.,
The (reduced) Tate-Lichtenbaum pairing takes two points and gives a value . A lot of researchers, including me and many of my friends, worked between 2000 and 2010 trying to compute pairings faster. The computation of the reduced Tate-Lichtenbaum pairing has two stages. First one computes a Miller function . The function has divisor
Then one computes the final exponentiation, which is an exponentiation to the power
It was discovered that, for many pairing-friendly curves, there was a more efficient way to compute the Miller function. Essentially instead of computing one can compute values like , which is a simpler computation when , which is usually the case. This observation was first made in a special case in a paper of Duursma and Lee from ASIACRYPT 2003. Further special cases were noted by Kwon (ACISP 2005) and Barreto, Galbraith, O hEigeartaigh and Scott (Designs, Codes and Cryptography, 2007). The situation was finally clarified by Granger, Hess, Oyono, Thériault and Vercauteren (“Ate Pairing on Hyperelliptic Curves”, EUROCRYPT 2007). The key idea is to work with Frobenius eigenspaces and change the pairing to . I call this paper GHOTV below. Subsequently, Hess (“Pairing Lattices”, Pairing 2008) and Vercauteren (“Optimal pairings”, IEEE Trans. Information Theory 2010) showed how to use this idea most effectively in general pairing implementations.
One particular feature of the ate pairing introduced in GHOTV, is that the pairing computation only needs the first stage (Miller’s algorithm) and does not require a final exponentiation. This makes it a lot faster to compute. The ate pairing is not the exact same function as the reduced Tate-Lichtenbaum pairing, so one cannot use them interchangeably. But they are both bilinear maps and so a system can be implemented using the ate pairing and it all works fine.
In those days, we thought pairings would be useful for identity-based crypto and short signatures, and we were mostly trying to work with large embedding degrees like . So the case was considered of relatively minor interest and was not studied much.
The computational assumptions underlying pairing-based crypto all required pairing inversion to be hard. Typically pairing inversion means: Given and a point to find such that
It was quickly realised that there are two obstacles to pairing inversion: First it is necessary to invert the final exponentiation. Second one needs to invert the Miller function. It turned out that sometimes one or the other of these problems could be easy, but I know no situation for prime order groups where both are easy at the same time. For example, since the ate pairing does not require a final exponentiation, pairing inversion for the ate pairing is equivalent to Miller inversion (which seems to be hard in this case). In short, pairing inversion remains a hard computational problem, which is good news for pairing-based crypto. A good reference for these ideas is Galbraith, Hess, Vercauteren (“Aspects of Pairing Inversion”, IEEE Trans. Information Theory 2008).
Satoh’s recent paper explores the case . Work on discrete logs in finite fields (e.g., see these blog posts has caused some pairing researchers to become very conservative and reconsider choices such as When we essentially have and the final exponentiation is to the power The reduced Tate-Lichtenbaum pairing is
Satoh uses Lemma 2 of GHOTV, that already has order . This is the fact that the ate pairing does not require a final exponentiation. Let be the value computed by Miller’s algorithm, so that is the pairing value. Suppose one has the value (this is not normally the case, normally the attacker has , from which there are possible values for ). Since (I am using different notation to Satoh here) it means that an attacker can get their hands on by raising to the power , remembering that exponentiation to the power is linear, and hence solving a square-root to get . Hence, Satoh has shown that Miller inversion is easy in this case, but pairing inversion is still hard.
In fact, when it would be quite natural to instead use the ate pairing for any crypto application. Now there is no final exponentiation. However Satoh’s attack does not work since his approach is precisely to kill off the “ate pairing” contribution to the Tate-Lichtenbaum pairing.
In short, there are two pairings one can use in embedding degree 2 and both seem to be hard to invert: the ate pairing has trivial final exponentiation but the Miller function seems hard to invert; the Tate-Lichtenbaum pairing has easy Miller inversion (as Satoh has just shown) but it seems hard to invert the final exponentiation.
I end with a comment about applications of pairings. As I mentioned, 15 years ago we thought that the “killer applications” for pairings were identity-based crypto and short signatures. Nowadays it seems pairings are most useful for short zero knowledge proofs. For example, Jens Groth’s pairing-based zk-SNARK (zero-knowledge succinct non-interactive argument of knowledge) is a key component of Zcash. As far as I can tell, the implementation in Zcash uses curves with embedding degree and does use the ate pairing.
— Steven Galbraith
]]>There was a Special Session on The Mathematics of Cryptography organised by Shahed Sharif and Alice Silverberg. Slides of (some of) the talks are available here.
Among the talks I attended, I mention these:
I talked about CSIDH and SeaSign, and then said a little bit about some work of my PhD student Yan Bo Ti on hash functions from dimension 2 supersingular abelian varieties. The slides online also cover some other topics that I did not mention (Kuperberg’s algorithm and quaternion algebras).
This was a really nice talk that described a “hash encryption” scheme based on the (decisional) Diffie-Hellman problem and explained how this enables identity-based encryption from the Diffie-Hellman problem (no pairings needed). This is joint work with Nico Döttling. The schemes are not practical.
Kristin reported joint work with Anamaria Costache, Brooke Feigon, Maike Massierer and Anna Puskas about some computational problems in isogeny graphs. A paper on this work is eprint 2018/593.
Jung Hee talked about some basic mathematical functions (such as max and min) that are useful for practical computations on encrypted data. He explained some iterated processes (in his words “nowadays I am working in numerical analysis”) that give low-depth circuits to compute approximations to these functions.
Shahed talked (on the blackboard — there are no slides) about his paper eprint 2018/665 with Dan Boneh, Darren Glass, Daniel Krashen, Kristin Lauter, Alice Silverberg, Mehdi Tibouchi and Mark Zhandry. The scheme is still incomplete as no suitable efficiently computable isomorphism invariant of abelian varieties has been found. Shahed discussed attempts to find such invariant, and I learned some interesting facts about polarizations on abelian surfaces.
Joe presented joint work with Jeff Hoffstein and others on a new candidate number-theoretical problem that might be interesting for new signature schemes. This is a work-in-progress and is not published yet.
Travis presented his papers eprint 2017/383, eprint 2018/307 and some newer work on “isolated curves”.
Nadia surveyed her joint work with Breitner, published as “Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies”. Her talk also included an overview of lattice algorithms for the hidden number problem, and a very clear sketch of Bleichenbacher’s approach using Fourier analysis to the hidden number problem.
Jeff presented very new joint work with Joe Silverman on yet another number-theoretical problem that might be interesting for new signature schemes. This is related to their previous work on isomorphisms of finite fields, but with new ideas and applications. I was not able to follow the details of the talk. There is no preprint yet on this work.
Travis gave an overview of his EUROCRYPT 2018 paper with Eisentraeger, Hallgren, Lauter and Petit.
Much work on algorithms to compute Hilbert class polynomials requires proving good upper bounds on the size (e.g., bitlength) of these polynomials. Reinier spoke about his current work-in-progress trying to prove lower bounds on the size of these polynomials.
There was also a Special Session on Emerging Connections with Number Theory organised by Kate Stange and Renate Scheidler, plus a lot of other sessions, that included talks of some interest to readers of this blog. However, I stayed in the Mathematics of Cryptography room.
— Steven Galbraith
]]>The PQ Crypto 2019 program features three papers on isogeny crypto:
The PKC 2019 program includes the paper:
This paper shows how to construct elliptic curves whose group order is a composite that passes some primality tests with moderate probability. The paper explains why this has implications in some Diffie-Hellman settings.
(Apologies for the self-promotion.)
— Steven Galbraith
]]>You can watch the Habilitation thesis talk by Luca de Feo on Exploring isogeny graphs.
— Steven Galbraith
]]>The three plenary invited speakers were:
Professor Matsui was the 2018 IACR Distinguished Lecturer. The talk reviewed the history and development of linear cryptanalysis.
Melissa gave an overview of the Picnic signature scheme, which beautifully combines ideas from multiparty computation and zero knowledge proofs, together with block ciphers and hash functions with low circuit complexity.
Vanessa gave an overview of online voting schemes, including a detailed discussion of some real-world examples. The main focus of her talk was the problem of verifiable electronic voting.
The most relevant session for this blog was the session on isogeny crypto on the final morning. There were three talks:
The talk presented an implementation of Couveignes’ hard homogeneous spaces concept with ordinary elliptic curves.
Building on work in the previous talk, the talk explained an implementation of Couveignes’ hard homogeneous spaces concept with supersingular elliptic curves. Using supersingular curves gives a massive performance improvement over the previous talk. Group actions like these have some advantages over SIDH, but are still slower.
The talk explained how to compute (chains of) 2-isogenies on an elliptic curve efficiently by converting them to (chains of) (2,2)-isogenies on the Kummer surface of the Weil restriction of the the elliptic curve.
There were also a number of accepted papers that used pairing-based crypto. To mention two of them: “Compact Multi-Signatures for Smaller Blockchains” by Dan Boneh, Manu Drijvers and Gregory Neven; “Unbounded Inner Product Functional Encryption from Bilinear Maps” by Junichi Tomida and Katsuyuki Takashima.
The Rump Session was superbly and irreverently chaired by Craig Costello, Leo Ducas and Pierre Karpman. One of the interventions perpetrated on the unsuspecting speakers was the introduction of humourous comments on their slides. But the major highlight of the rump session was the launch of the game “Cards against Cryptography”. It is a version of the famous card game “Cards against Humanity”, and has been designed by three anonymous cryptographers (not the rump session chairs). You can find out more by following @CrdsAgnstCrypto on twitter. A copy of this highly collectible and desirable game was awarded to each of the five best rump session talks. To buy extra time, speakers were invited to eat a spoonful of vegemite, or drink a beer. Another highlight of the rump session included the song “Gotta Break Em All” (about the NIST PQ Crypto competition) written by Leo Ducas and his partner Jessica, and performed by Peter Schwabe (on guitar), Chloe Martindale, Lejla Batina, Marcel Keller, Leo and Jessica.
Serious rump session talks included: Bart Preneel on how to steal a Tesla car; Suhri Kim on curve equations for isogenies; Daniel Bernstein on quantum circuits for class group actions (relevant for the analysis of Kuperberg’s algorithm as an attack on CSIDH); Chloe Martindale on choosing appropriate pairings for current security levels; Lorenz Panny on speeding up SeaSign isogeny signatures.
A small group of Asiacrypt attendees then flew to Adelaide for Kangacrypt. The workshop was mostly about cryptanalysis, especially fault attacks and side-channel attacks. But I did give (naturally enough) a talk about Kangaroos (ie., the Pollard kangaroo method for discrete logs and why it doesn’t work for isogenies).
— Steven Galbraith
]]>* David Jao discussed a number of techniques (from various authors) to achieve faster embedded implementations of SIDH, both in software using either vector instructions (like ARM NEON) or dedicated coprocessors, and on reconfigurable hardware. The talk was presented as a response to a recent paper by Koppermann et al. which had rather pessimistic conclusions regarding the usability of SIDH on smaller devices, mentioning 18 seconds as its headline timing for key exchange on 32-bit microcontrollers. David Jao argued that suitably optimized implementations could in fact do much better.
* Travis Morrison discussed some of his recent results (joint work with Eisenträger, Hallgren, Lauter and Petit) regarding the relationship between two computational problems connected to supersingular elliptic curves, namely pathfinding in the -isogeny graph of supersingular elliptic curves over some (with ) and the problem of computing the endomorphism ring of a supersingular elliptic curve. The main takeaway is that, assuming some heuristics, the two problems are polynomial-time equivalent.
* Chloe Martindale gave an excellent introduction to CSIDH (joint work with Wouter Castryck, Tanja Lange, Lorenz Panny and Joost Renes), which is a new instantiation of Couveignes-style hard homogeneous spaces using isogenies of supersingular elliptic curves over (as opposed to ), which satisfy that the ring of rational endomorphisms is commutative. This provides a nice group action similar to the case of ordinary curves, but makes it possible to choose parameters in such a way that -isogenies for many small primes can be computed efficiently. This leads to a variant of the Couveignes-Rostovtsev-Stolbunov key exchange protocol that outperforms the original one by many orders of magnitude, achieving performance on the order of a few dozen milliseconds per key exchange.
* Finally, Katsuyuki Takashima discussed new isogeny-based authenticated key exchange protocols (joint work with Atsushi Fujioka and Kazuki Yoneyama). He showed how to obtain a one-round authenticated key exchange protocol using commutative group actions on isogeny graph. Assuming the existence of -way cryptographic invariant maps, as suggested by Boneh et al., the protocol can be instantiated for an arbitrary number of parties. Unfortunately, it is not yet known how to construct such invariant maps (and as one of the culprits, I have to admit that the prospects of constructing them look rather remote). However, the two-party case only relies on Couveignes’s hard homogeneous spaces, and can thus be obtained from CRS or CSIDH.
There were many other excellent talks at the workshop, but some of them were not closely related to elliptic curves and so we don’t discuss them on this blog. Of particular notice besides isogenies was Pierrick Gaudry’s presentation on point counting in higher genus (joint work with Simon Abelard and Pierre-Jean Spaenlehauer). He showed how to compute the zeta function of a hyperelliptic curve of genus over in time , greatly improving upon the previous complexity, with an exponent quasi-quadratic in . He also discussed concrete results for , establishing that the correct complexity was for general hyperelliptic curves, and for Jacobians with real mutiplication. In the latter case, the complexity becomes tractable even for cryptographic sizes, and Pierrick was able to show us the whole zeta function for a curve over with .
— Mehdi Tibouchi
]]>Sadly, the book is not updated to discuss new research since 2011. I don’t have time to do that.
— Steven Galbraith
]]>There will be a “autumn school” on November 17-18, followed by the main conference on November 19-21.
— Steven Galbraith
]]>