The three plenary invited speakers were:

- Mitsuru Matsui (Mitsubishi) “25 Years of linear cryptanalysis – Early History and Path Search Algorithm”
Professor Matsui was the 2018 IACR Distinguished Lecturer. The talk reviewed the history and development of linear cryptanalysis.

- Melissa Chase (Microsoft) “Picnic: Postquantum signatures from zero-knowledge proofs”
Melissa gave an overview of the Picnic signature scheme, which beautifully combines ideas from multiparty computation and zero knowledge proofs, together with block ciphers and hash functions with low circuit complexity.

- Vanessa Teague (Melbourne) “Democracy, security and evidence: Let’s have all three”
Vanessa gave an overview of online voting schemes, including a detailed discussion of some real-world examples. The main focus of her talk was the problem of verifiable electronic voting.

The most relevant session for this blog was the session on **isogeny crypto** on the final morning. There were three talks:

- Jean Kieffer “Towards practical key exchange from ordinary isogeny graphs” (joint work with Luca De Feo and Benjamin Smith)
The talk presented an implementation of Couveignes’ hard homogeneous spaces concept with ordinary elliptic curves.

- Lorenz Panny “CSIDH: An efficient post-quantum commutative group action” (joint work with Wouter Castryck, Tanja Lange, Chloe Martindale and Joost Renes)
Building on work in the previous talk, the talk explained an implementation of Couveignes’ hard homogeneous spaces concept with supersingular elliptic curves. Using supersingular curves gives a massive performance improvement over the previous talk. Group actions like these have some advantages over SIDH, but are still slower.

- Craig Costello “Computing supersingular isogenies on Kummer surfaces”
The talk explained how to compute (chains of) 2-isogenies on an elliptic curve efficiently by converting them to (chains of) (2,2)-isogenies on the Kummer surface of the Weil restriction of the elliptic curve.

There were also a number of accepted papers that used pairing-based crypto. To mention two of them: “Compact Multi-Signatures for Smaller Blockchains” by Dan Boneh, Manu Drijvers and Gregory Neven; “Unbounded Inner Product Functional Encryption from Bilinear Maps” by Junichi Tomida and Katsuyuki Takashima.

The Rump Session was superbly and irreverently chaired by Craig Costello, Leo Ducas and Pierre Karpman. One of the interventions perpetrated on the unsuspecting speakers was the introduction of humorous comments on their slides. But the major highlight of the rump session was the launch of the game “Cards against Cryptography”. It is a version of the famous card game “Cards against Humanity”, and has been designed by three anonymous cryptographers (not the rump session chairs). You can find out more by following @CrdsAgnstCrypto on twitter. A copy of this highly collectible and desirable game was awarded to each of the five best rump session talks. To buy extra time, speakers were invited to eat a spoonful of vegemite, or drink a beer. Another highlight of the rump session was the song “Gotta Break Em All” (about the NIST PQ Crypto competition) written by Leo Ducas and his partner Jessica, and performed by Peter Schwabe (on guitar), Chloe Martindale, Lejla Batina, Marcel Keller, Leo and Jessica.

Serious rump session talks included: Bart Preneel on how to steal a Tesla car; Suhri Kim on curve equations for isogenies; Daniel Bernstein on quantum circuits for class group actions (relevant for the analysis of Kuperberg’s algorithm as an attack on CSIDH); Chloe Martindale on choosing appropriate pairings for current security levels; Lorenz Panny on speeding up SeaSign isogeny signatures.

A small group of Asiacrypt attendees then flew to Adelaide for Kangacrypt. The workshop was mostly about cryptanalysis, especially fault attacks and side-channel attacks. But I did give (naturally enough) a talk about Kangaroos (i.e., the Pollard kangaroo method for discrete logs and why it doesn’t work for isogenies).

— Steven Galbraith

* David Jao discussed a number of techniques (from various authors) to achieve faster embedded implementations of SIDH, both in software using either vector instructions (like ARM NEON) or dedicated coprocessors, and on reconfigurable hardware. The talk was presented as a response to a recent paper by Koppermann et al. which had rather pessimistic conclusions regarding the usability of SIDH on smaller devices, mentioning 18 seconds as its headline timing for key exchange on 32-bit microcontrollers. David Jao argued that suitably optimized implementations could in fact do much better.

* Travis Morrison discussed some of his recent results (joint work with Eisenträger, Hallgren, Lauter and Petit) regarding the relationship between two computational problems connected to supersingular elliptic curves, namely pathfinding in the -isogeny graph of supersingular elliptic curves over some (with ) and the problem of computing the endomorphism ring of a supersingular elliptic curve. The main takeaway is that, assuming some heuristics, the two problems are polynomial-time equivalent.

* Chloe Martindale gave an excellent introduction to CSIDH (joint work with Wouter Castryck, Tanja Lange, Lorenz Panny and Joost Renes), which is a new instantiation of Couveignes-style hard homogeneous spaces using isogenies of supersingular elliptic curves over (as opposed to ), which satisfy that the ring of rational endomorphisms is commutative. This provides a nice group action similar to the case of ordinary curves, but makes it possible to choose parameters in such a way that -isogenies for many small primes can be computed efficiently. This leads to a variant of the Couveignes-Rostovtsev-Stolbunov key exchange protocol that outperforms the original one by many orders of magnitude, achieving performance on the order of a few dozen milliseconds per key exchange.

* Finally, Katsuyuki Takashima discussed new isogeny-based authenticated key exchange protocols (joint work with Atsushi Fujioka and Kazuki Yoneyama). He showed how to obtain a one-round authenticated key exchange protocol using commutative group actions on isogeny graphs. Assuming the existence of -way cryptographic invariant maps, as suggested by Boneh et al., the protocol can be instantiated for an arbitrary number of parties. Unfortunately, it is not yet known how to construct such invariant maps (and as one of the culprits, I have to admit that the prospects of constructing them look rather remote). However, the two-party case only relies on Couveignes’s hard homogeneous spaces, and can thus be obtained from CRS or CSIDH.

There were many other excellent talks at the workshop, but some of them were not closely related to elliptic curves and so we don’t discuss them on this blog. Of particular note besides isogenies was Pierrick Gaudry’s presentation on point counting in higher genus (joint work with Simon Abelard and Pierre-Jean Spaenlehauer). He showed how to compute the zeta function of a hyperelliptic curve of genus over in time , greatly improving upon the previous complexity, with an exponent quasi-quadratic in . He also discussed concrete results for , establishing that the correct complexity was for general hyperelliptic curves, and for Jacobians with real multiplication. In the latter case, the complexity becomes tractable even for cryptographic sizes, and Pierrick was able to show us the whole zeta function for a curve over with .

— Mehdi Tibouchi

Sadly, the book is **not** updated to discuss new research since 2011. I don’t have time to do that.

— Steven Galbraith

There will be an “autumn school” on November 17-18, followed by the main conference on November 19-21.

— Steven Galbraith

**An improvement to the quaternion analogue of the L-isogeny path problem**, by Spike Smith

This talk focused on the analogue of the l-isogeny path problem, important for the security of the Charles-Goren-Lauter hash function, under the Deuring correspondence between supersingular elliptic curves and left ideals of quaternion orders. While an algorithm by Kohel-Lauter-Petit-Tignol is known that solves the problem in probabilistic polynomial time, this work improves on the run time of the algorithm and on the size of the solution that is found. This improvement allows for smaller signatures in the Galbraith-Petit-Silva identification protocol. Two more significant improvements to the KLPT algorithm are being developed and will be published in an extended version of the paper.

**Multi-Party Non-interactive Key Exchange and more from Isogenies on Elliptic Curves**, by Dan Boneh

The room was packed for the talk about “Multi-Party Non-interactive Key Exchange and more from Isogenies on Elliptic Curves”. Dan reminded the audience of cryptographic group actions such as CRS and CSIDH and how they give rise to elegant post-quantum secure Diffie-Hellman-like protocols. Then he talked about the new paper, which introduces a new generalization of cryptographic group actions that would result in NIKE, BLS signatures and more. The paper gives a candidate construction of this powerful new primitive, apart from the fact that one crucial ingredient, namely an efficiently computable isomorphism invariant of a product of elliptic curves, is missing.

**Extra Secrets from Automorphisms and SIDH-based NIKE**, by David Urbanik

The basic observation underlying this talk is that when doing SIDH starting from a curve which has nontrivial automorphisms, it is possible to exploit these automorphisms to derive multiple secrets for the same pair of public keys. This can be used to protect against the GPST attack and obtain non-interactive key exchanges in ways that are more efficient than previous approaches.

**A new Poly space attack on CRS and CSIDH**, by Jason Legrow

This work gives a new implementation of Regev’s quantum algorithm for inverting the CM action, which can be used to attack the CRS and CSIDH cryptosystems. As in earlier attacks, the time and space complexity of the attack is subexponential; the advantage of the new attack is that it only requires polynomial quantum space. The problem with previous attacks was that evaluating the CM action (which happens in superposition) required subexponential time and space. This is solved with a purely classical precomputation that allows the CM action to be evaluated in subexponential time but polynomial space, eliminating the need for subexponential amounts of quantum memory.

**Quasi-subfield polynomials and the Elliptic Curve Discrete Log Problem**, by Michiel Kosters

This work investigates whether it is possible to generalize index calculus attacks to break the ECDLP for curves over the field , where is a small prime and is a prime. The main idea is to replace the subfield polynomial , which is used in the usual Gaudry/Diem-type index calculus attack on curves over with large , by a polynomial of the form , where has small degree such that splits completely over . For the index calculus algorithm to be efficient, the degree of must be low. When the degree of is low enough, the polynomial is called a quasi-subfield polynomial. Quasi-subfield polynomials can be used to solve the ECDLP slightly faster than exhaustive search, but to improve over the baby-step giant-step algorithm much better quasi-subfield polynomials would need to be found.

— Ward Beullens

The invited speakers were:

- Jennifer Balakrishnan “Effective aspects of quadratic Chabauty”
Jennifer explained Minhyong Kim’s non-abelian Chabauty framework to obtain an effective method for determining the rational points on a curve using Coleman integrals. She explained how p-adic heights provide a bilinear function that enables Kim’s approach to be performed in the “quadratic” case. She surveyed new results, including resolving the problem of rational points on the “cursed curve” that parameterises split Galois representations of level 13.

- Noam Elkies “Curves with many points over number fields”
Noam demonstrated constructions of infinite families of curves over Q of fixed genus with many rational points.

- Steven Galbraith “Current trends and challenges in post-quantum cryptography”
The talk gave an overview of post-quantum crypto and the NIST standardisation process, then listed a number of open problems in isogeny crypto. Slides are here: http://www.math.grinnell.edu/~paulhusj/ants2018/TalkSlides/Galbraith.pdf.

- Melanie Matchett Wood “Effective Chebotarev density theorems for families of number fields without GRH”
Melanie surveyed her joint work with Lillian Pierce and Caroline Turnage-Butterbaugh on effective Chebotarev density theorems for certain families of number fields (the fields in each family all have the same Galois group).

- Emmanuel Thomé “Computation of discrete logarithms in finite fields”
Emmanuel gave an overview of number field sieve algorithms for discrete logarithms in , including recent research on variants for different regions of interest in terms of . He also mentioned the LOGJAM attack on TLS (from 2015) and the “hidden-SNFS” 1024-bit discrete logarithm (2016).

The contributed papers included the following of interest to ECC researchers:

- S. Abelard, P. Gaudry and P.-J. Spaenlehauer, Counting points on genus-3 hyperelliptic curves with explicit real multiplication. The paper is about Schoof-type algorithms for point counting on genus 3 hyperelliptic curves over finite fields.
- T. Kleinjung and B. Wesolowski, A new perspective on the powers of two descent for discrete logarithms in finite fields. The paper is about the descent step in quasi-polynomial-time algorithms for the DLP in for small and large .
- A. V. Sutherland, Fast Jacobian arithmetic for hyperelliptic curves of genus 3. This paper gives formulas for fast computation of divisor class groups of genus 3 curves with two points at infinity.
- B. Wesolowski, Generating subgroups of ray class groups with small prime ideals. The paper has results about isogeny graphs in higher dimensions.

The winners of the Selfridge Prize for best paper were Michael Musty, Sam Schiavone, Jeroen Sijsling and John Voight for their paper “A database of Belyĭ maps”.

The poster prize was awarded to Travis Scholl for his poster on “Isolated Abelian Varieties over Finite Fields”. Here is a list of all the posters.

The Rump session took place late on the Thursday afternoon. I put up an announcement for ECC 2018 at Osaka Japan on November 19-21 (preceded by a 2 day autumn school). The rump session also included a presentation by Benjamin Smith giving a general way to break tri-linear maps of the type proposed by Huang, by using the intersection pairing on the endomorphism ring.

— Steven Galbraith

I am going to describe a simple (but insecure) example that will allow me to communicate the main ideas of the proposal.

Let be an ordinary pairing-friendly elliptic curve over and let . Let be the Weil pairing on , meaning that for some integer (the “embedding degree”), where is the cyclic multiplicative group of order .

Write for the -power Frobenius map on . Note that .

The construction is to choose a random and random integers . Huang defines to be an endomorphism on , and sets . With high probability (if not then repeat the construction for another point ).

The key idea is that one can now “encode” three integers as follows. Encode as the group element , encode as the group element , encode as the endomorphism where is chosen uniformly at random in . More precisely, is represented as where and . One can compute efficiently as . Since the Weil pairing is alternating we have .

So

In other words, we have a tri-linear map where the three sets are “encodings” of . Note that the integers and are “hidden” by the hardness of the discrete log problem, since and are groups, while the integer is hidden by the “random blinding” by a random multiple of .

The bad news about this particular example is that it is not secure. Since is public, an attacker who sees the encoding in can easily solve for and . In other words the “discrete log problem” in is easy to solve.

We now briefly mention why this tri-linear map concept avoids the negative results by Boneh and Silverberg in their paper Applications of Multilinear Forms to Cryptography. In short, the set is “weight zero” in the motivic language of Section 7.4 of Boneh-Silverberg. One topic of discussion at the BIRS meeting last week was whether or not weight zero objects always have weak discrete logarithms. As far as I can tell the outcome was inconclusive.

Huang’s actual proposal is to work on a 2-dimensional Abelian variety that is pairing friendly and has a non-commutative endomorphism ring. The idea is to publish a set of endomorphisms (extending the single endomorphism in the above example) that can be used to “hide” an integer when encoding it in . Instead of representing these endomorphisms with respect to some -module basis (such as ), which would be insecure, the suggestion is to represent endomorphisms using low degree rational functions on the Abelian surface. This is a very interesting idea, but more work is needed to determine if such a system is secure and efficiently computable.

— Steven Galbraith

Elliptic curves were a bit underrepresented though, with only one session talk explicitly devoted to them. Christophe Petit spoke about “Supersingular isogeny graphs and endomorphism rings: reductions and solutions”, which arose as a merge of a paper by him and Kristin Lauter and a paper by Kirsten Eisenträger, Sean Hallgren and Travis Morrison. In his talk, Christophe mainly focused on the security of the Charles-Goren-Lauter (CGL) hash function, which is based on the hardness of finding a cycle in the ell-isogeny graph (typically ell = 2) of supersingular elliptic curves over a large quadratic finite field . He related the security of the CGL hash function to the problem of computing the endomorphism ring of a given supersingular elliptic curve (while removing some ambiguity on what is meant by this) and to the problem of making Deuring’s correspondence effective. The most interesting outcome is a polynomial-time collision algorithm in case the initial curve is “special”, i.e., if it has a well-known endomorphism ring. This is worrisome, because it is an open problem how to generate a genuinely random “non-special” supersingular elliptic curve over , so this potentially opens the door to backdoored versions of the CGL hash function.

Other talks of relevance to ECC included:

- Henry Corrigan-Gibbs gave a nice talk on the discrete logarithm problem (DLP) in general, reporting on a paper that he wrote together with Dmitry Kogan, which won the best young research award. He recalled that a massive preprocessing phase can reduce the hardness of the DLP in a generic group of order from to . Their contribution is a Shoup-type result stating that this is optimal in the generic group model. Interestingly, they also reveal a dichotomy with the decisional Diffie-Hellman problem, in that they provide an algorithm for distinguishing triples of the form from random triples in , again using a very large amount of preprocessing.
- Another interesting talk was given by Yilei Chen on joint work with Ran Canetti, Leonid Reyzin and Ron Rothblum, on the Fiat-Shamir transformation of a three-round public-coin identification scheme into a one-round digital signature scheme. He saw an analogy with transforming an elaborate USA-style conversation into a brief no-nonsense Israeli one. Chen and his coauthors constructed two families of so-called “correlation-intractable” hash functions, one of which uses elliptic curves. If you want to obtain a provably secure digital signature scheme from a hash function through Fiat-Shamir, then correlation intractability is the property you want.
- In the rump session I gave a short talk about CSIDH, a compact non-interactive key exchange protocol designed together with Tanja Lange, Chloe Martindale, Lorenz Panny and Joost Renes. It is obtained by applying the Couveignes-Rostovtsev-Stolbunov scheme to the set of supersingular elliptic curves over a large prime field , rather than to ordinary elliptic curves. This choice was motivated by recent work of Luca De Feo, Jean Kieffer and Ben Smith on speeding up the ordinary Couveignes-Rostovtsev-Stolbunov scheme: one of their proposed speed-ups works particularly well in the supersingular setting.

All slides can (or will) be found on the conference web page, see https://eurocrypt.iacr.org/2018/

— Wouter Castryck

The details are published in the paper Solving 114-bit ECDLP for a Barreto-Naehrig Curve by Takuya Kusaka, Sho Joichi, Ken Ikuta, Md Al-Amin Khandaker, Yasuyuki Nogami, Satoshi Uehara, Nariyoshi Yamai and Sylvain Duquesne (appeared in proceedings of ICISC 2017).

The curve is a pairing-friendly BN curve over a prime field . The curve has -invariant 0, and so has an automorphism group of size 6. Hence, it is possible to perform the Pollard rho algorithm using equivalence classes of size 6.

I got a few more details from the authors. They used partitions for the random walk, and the “hash function” was chosen to be the least significant bits of the -coordinate of the current curve point.

The paper writes that “The parallel implementation of the rho method by adopting a client-server model, using 2000 CPU cores took about 6 months”. They seem to have been lucky to get a collision earlier than expected: “the result of the authors attack is little bit better than the average number of rational points where a simple collision attack stops.”
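To make the two ingredients described above concrete (Pollard rho on equivalence classes of size 6 under the order-6 automorphism of a j-invariant-0 curve, and a walk partition chosen from the least significant bits of the x-coordinate), here is an added toy implementation in Python. It is not the authors’ code: it works over the small prime p = 1009, finds a curve y^2 = x^3 + b of prime order n ≡ 1 (mod 6) by brute-force point counting, and recovers an assumed secret d = 123 with a seeded random walk. The automorphism (x, y) ↦ (ζx, −y) acts on the group as multiplication by a sixth root of unity λ mod n, so each step canonicalises the class and rescales the walk coefficients by λ^i; the fruitless cycles that such class walks introduce show up as a collision with identical coefficients and are handled by restarting.

```python
"""Pollard rho on a j-invariant-0 curve y^2 = x^3 + b over F_p, walking on the
size-6 classes {psi^i(R)} of the automorphism psi(x, y) = (zeta*x, -y), with the
r-adding-walk partition taken from the low bits of x.  Added toy example; the
parameters p = 1009, secret d = 123 and seed are assumptions, not the paper's."""
import random

def inv(a, m):
    return pow(a % m, -1, m)

def add(P, Q, p):
    """Affine addition on y^2 = x^3 + b (a4 = 0); None is the identity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = 3 * x1 * x1 * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P, p):
    R, A = None, P
    while k:
        if k & 1:
            R = add(R, A, p)
        A = add(A, A, p)
        k >>= 1
    return R

def find_curve(p):
    """Smallest b with #E(F_p) prime and 1 mod 6, by brute-force point counting."""
    for b in range(1, p):
        n = 1 + sum(1 if (x ** 3 + b) % p == 0 else
                    2 * (pow((x ** 3 + b) % p, (p - 1) // 2, p) == 1) for x in range(p))
        if n % 6 == 1 and all(n % q for q in range(2, int(n ** 0.5) + 1)):
            return b, n

def find_lambda(P, zeta, p, n):
    """Scalar lam with [lam]P = psi(P): a primitive sixth root of unity mod n."""
    psi_P = (zeta * P[0] % p, -P[1] % p)
    for lam in range(2, n):
        if pow(lam, 3, n) == n - 1 and mul(lam, P, p) == psi_P:
            return lam

def canon(R, a, b, zeta, lam, p, n):
    """Class representative of {psi^i(R)} (lexicographic minimum), with the
    coefficients of R = aP + bQ rescaled by lam^i to describe it."""
    x, y = R
    pt, i = min(((pow(zeta, i, p) * x % p, y if i % 2 == 0 else -y % p), i) for i in range(6))
    f = pow(lam, i, n)
    return pt, a * f % n, b * f % n

def rho(P, Q, p, n, zeta, lam, rng, r=32):
    """Floyd cycle-finding on the class walk R -> canon(R + M[x(R) mod r])."""
    steps = []
    while len(steps) < r:
        c, e = rng.randrange(1, n), rng.randrange(1, n)
        M = add(mul(c, P, p), mul(e, Q, p), p)
        if M is not None:
            steps.append((c, e, M))

    def f(state):
        R, a, b = state
        i = R[0] % r  # partition index = low 5 bits of the x-coordinate
        while True:  # fall through to the next step if R + M_i is the identity
            c, e, M = steps[i]
            S = add(R, M, p)
            if S is not None:
                return canon(S, a + c, b + e, zeta, lam, p, n)
            i = (i + 1) % r

    while True:
        a0 = rng.randrange(1, n)
        slow = fast = canon(mul(a0, P, p), a0, 0, zeta, lam, p, n)
        while True:
            slow, fast = f(slow), f(f(fast))
            if slow[0] == fast[0]:
                break
        (_, a1, b1), (_, a2, b2) = slow, fast
        if (b1 - b2) % n == 0:  # fruitless cycle: both walks carry the same coefficients
            continue
        d = (a2 - a1) * inv(b1 - b2, n) % n
        if mul(d, P, p) == Q:
            return d

def demo(p=1009, secret=123, seed=1):
    b, n = find_curve(p)
    zeta = next(z for z in range(2, p) if pow(z, 3, p) == 1)
    P = next((x, y) for x in range(1, p) for y in range(1, p) if y * y % p == (x ** 3 + b) % p)
    Q = mul(secret, P, p)
    lam = find_lambda(P, zeta, p, n)
    return rho(P, Q, p, n, zeta, lam, random.Random(seed)), n
```

`demo()` returns the recovered logarithm 123 together with the group order, which for p = 1009 is one of the two prime orders 967 and 991 that occur among the six sextic twists y^2 = x^3 + b. The walk itself is only defined on classes (the partition index is read off the canonical representative), which is what buys the √6 speed-up over plain rho; the price is the fruitless-cycle check, which a production implementation handles with cycle escaping rather than a restart.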

The previous ECDLP record (due to Bos, Kaihara, Kleinjung, Lenstra and Montgomery) in the case was a 112-bit group size, published in 2012.

— Steven Galbraith

PS. It has been pointed out in the comments that there are other recent ECDLP records, such as the 118 bit record computation by Bernstein, Engels, Lange, Niederhagen, Paar, Schwabe and Zimmermann. This is a characteristic 2 computation, whereas I was focussed in this blog post on the case. But still it is a notable computation and should be celebrated.

The three plenary lectures were:

- Jean-Pierre Tillich,
*Attacks in code based cryptography: a survey, new results and open problems*. The talk surveyed code-based crypto (both within the NIST submissions, and over its entire history) and various types of attacks.

- Dave Wecker,
*Achieving practical quantum computing*. The talk gave a wide-ranging overview of the potential applications of quantum computing (especially in modelling for quantum chemistry), the engineering challenges of building a quantum computer (with focus on practical concerns such as cooling and the interface between classical computing control systems and the quantum system), and the work being done globally by Microsoft research. Dave predicts that Microsoft will have a quantum computer suitable for chemistry applications within 5 years and “something of interest to this crowd” in 10 years.

- Dustin Moody,
*Let’s Get Ready to Rumble: The NIST PQC `Competition’*. This was an overview of the NIST post-quantum standardisation process, including a discussion of the goals and evaluation criteria. The talk also presented a few graphs that give a rough comparison of submissions according to features like key size, computation time, etc.

The session on isogeny crypto had two papers:

- Joost Renes talked about a method to derive very nice formulae for writing isogenies as explicit rational functions.
- Geovandro Pereira presented his joint paper with Zanon, Simplicio, Doliskani and Barreto. This work is about efficient methods for compressed supersingular isogeny Diffie-Hellman (SIDH). The goal is to minimise the bandwidth in the SIDH protocol by compressing the protocol messages, and to minimise the cost of de-compressing these values to complete the protocol. The paper makes excellent use of a lot of really nice tricks, including techniques for efficient computation of pairings and Shoup’s optimised variant of the Pohlig-Hellman algorithm.

The contributed talks included sessions on code-based crypto, lattices, hash-based crypto and multivariate crypto. There were also papers on cryptanalysis of post-quantum cryptosystems and quantum algorithms.

The recent results session contained three talks on isogeny crypto:

- Sam Jaques explained that Tani’s claw finding quantum attack on SIDH might be slower than estimated in the SIKE NIST submission. He suggests that the SIKE submission therefore attains higher security levels than claimed.

Ray Perlner has also posted a comment on the NIST PQCrypto mailing list suggesting this. Ray references independent works by Dan Bernstein, Scott Fluhrer, and himself on hash collisions, which argue that storage costs cannot be neglected in the complexity estimates. He writes “the quantum algorithm for collision search is no better than the best classical algorithms in any physically plausible model of computation”.

- Lorenz Panny sketched a variant of SIDH based on the curves with j-invariant in . The idea is to implement the group action key exchange protocol due to Couveignes, and so to avoid having to send points. A preprint will be made public soon.
- Aaron Hutchinson discussed joint work on efficient implementation of SIDH by exploiting parallelism. They consider the de Feo, Jao, Plut optimised method to compute -isogenies in a multi-core setting.

Not presented at this conference, but also relevant: Gora Adj, Daniel Cervantes-Vázquez, Jesús-Javier Chi-Domínguez, Alfred Menezes and Francisco Rodríguez-Henríquez have posted on eprint the paper On the cost of computing isogenies between supersingular elliptic curves. The paper is about classical algorithms and they show how the low-storage algorithm due to van Oorschot and Wiener can be applied to isogeny problems. Again, they argue that storage costs should not be neglected and suggest that the stated security levels have been under-estimated. They suggest using somewhat smaller primes for SIDH. This reinforces the claims made by Jaques/Perlner/et al.

— Steven Galbraith
