First let us recall the situation in the setting of where is prime. A Diffie-Hellman quadruple is for . The Decision Diffie-Hellman problem (DDH) is to distinguish such a quadruple (for uniformly sampled and ) from a quadruple for uniformly sampled and .
The Legendre symbol is multiplicative, which implies that . If (which may happen when has even order) then one can learn the parity of and from respectively, and hence test whether the fourth value of the quadruple has a Legendre symbol consistent with . This well-known fact allows one to reject half of all uniformly sampled quadruples when , which is sufficient to say that DDH is not a hard problem in .
One can increase the success rate beyond by using a random-self-reduction of Diffie-Hellman quadruples, but one can never get a perfect DDH oracle (i.e., an oracle that only accepts ) from this technique, as the Legendre symbol only “sees” the order 2 elements.
The Legendre symbol is just a group homomorphism , and for any prime one can get a homomorphism where is a subgroup of order . Hence, if has several small prime factors, then one gets an increasingly accurate algorithm to distinguish Diffie-Hellman quadruples from random quadruples (and hence to solve DDH).
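To make the small-subgroup argument of the last two paragraphs concrete, here is an added worked example (code written for this edit, not part of the original post or of the paper under discussion). It assumes a toy prime p = 1021, chosen because p-1 = 2^2 * 3 * 5 * 17 has several small prime factors, and a generator g of Z_p^*. For each small prime ell dividing p-1 it applies the homomorphism x -> x^((p-1)/ell) onto the subgroup of order ell, recovers a mod ell and b mod ell from g^a and g^b by brute force, and rejects any fourth value whose image does not match that of g^(ab). The ell = 2 case is exactly the Legendre symbol test described above; running the test through every small prime is the "increasingly accurate" version.

```python
"""Small-subgroup DDH distinguisher in Z_p^* (added example; not from the original post).

Assumed toy parameters: p = 1021, so p - 1 = 2^2 * 3 * 5 * 17 has several small prime
factors and every discrete log in a small subgroup can be found by brute force.
"""


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for the toy sizes used here)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def find_generator(p):
    """Smallest generator of Z_p^*: g generates iff g^((p-1)/q) != 1 for every prime q | p-1."""
    qs = prime_factors(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g
    raise ValueError("no generator found")


def char_mod(x, ell, p):
    """The homomorphism Z_p^* -> (subgroup of order ell), x -> x^((p-1)/ell).
    For ell = 2 this is the Legendre symbol by Euler's criterion (+1, or p-1 meaning -1)."""
    return pow(x, (p - 1) // ell, p)


def exponent_mod(y, g, ell, p):
    """Recover a mod ell from y = g^a: brute-force the discrete log in the order-ell subgroup."""
    h, target = char_mod(g, ell, p), char_mod(y, ell, p)
    for k in range(ell):
        if pow(h, k, p) == target:
            return k
    raise ValueError("y is not a power of g")


def legendre_only_check(p, g, A, B, C):
    """The ell = 2 test from the text: the Legendre symbols of A = g^a and B = g^b give the
    parities of a and b, so (-1)^(ab) is known and C = g^c must match it. Rejects half of random C."""
    minus_one = p - 1
    a_odd = char_mod(A, 2, p) == minus_one
    b_odd = char_mod(B, 2, p) == minus_one
    expected = minus_one if (a_odd and b_odd) else 1
    return char_mod(C, 2, p) == expected


def could_be_ddh(p, g, A, B, C):
    """Same test through every small prime ell | p-1: learn a, b mod ell and check that the
    image of C in the order-ell subgroup equals the image of g^(ab mod ell).
    True means 'not ruled out'; a genuine DH quadruple always passes."""
    for ell in prime_factors(p - 1):
        a_l = exponent_mod(A, g, ell, p)
        b_l = exponent_mod(B, g, ell, p)
        h = char_mod(g, ell, p)
        if char_mod(C, ell, p) != pow(h, (a_l * b_l) % ell, p):
            return False
    return True


def count_consistent(p, g, a, b, check):
    """Number of exponents c in [0, p-1) for which (g, g^a, g^b, g^c) survives `check`."""
    A, B = pow(g, a, p), pow(g, b, p)
    return sum(1 for c in range(p - 1) if check(p, g, A, B, pow(g, c, p)))


if __name__ == "__main__":
    p = 1021
    g = find_generator(p)
    a, b = 123, 456
    A, B, C = pow(g, a, p), pow(g, b, p), pow(g, a * b, p)
    print("genuine DH quadruple accepted:", could_be_ddh(p, g, A, B, C))
    print("random C surviving the Legendre-only test:", count_consistent(p, g, a, b, legendre_only_check), "of", p - 1)
    print("random C surviving all small primes:", count_consistent(p, g, a, b, could_be_ddh), "of", p - 1)
```

On this p the Legendre-only test lets through 510 of the 1020 possible random fourth values (exactly half), while checking every prime dividing p-1 lets through only the 2 exponents c with c = ab (mod 510). A genuine DH quadruple always passes, which is why the test can reject but never confirm, exactly as the paragraph above says.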
[As an aside: The amazing thing about the Legendre symbol, and the reason it is taught in all good number theory courses, is not the existence of a group homomorphism . This is trivial. What is non-trivial is the quadratic reciprocity law, which gives a non-obvious and very efficient way to compute Legendre symbols.]
Similarly, for any finite group one can consider group homomorphisms to subgroups of small order. So one can also attack elliptic curve DDH in a similar way. This is one of the main reasons why the community works with groups of prime order, and in particular elliptic curves of prime order.
Now we turn to group actions. Let be a finite group acting on a set . Write the action of on as . For example, let be an ideal class group acting on the set of supersingular elliptic curves with j-invariant in . This is the setting of the CSIDH system in isogeny-based post-quantum crypto. The natural analogue of DLP is: Given and to compute . The natural analogue of DDH is to distinguish from , where are uniformly sampled from .
Knowing about Legendre symbols, it is natural to speculate that one might be able to do something similar for group actions. We’d like a group homomorphism for some group of small prime order, and to be able to compute from . That is what the paper of Castryck, Sotáková and Vercauteren does.
In some survey talks (such as at ANTS 2018 and at the Alice Silverberg birthday conference in 2018) I asked “Can subgroups of ideal class group be exploited?” While I thought this would be a good problem, I did not have any clue how to do this. I am surprised and delighted by the new results.
Without going into the details, what the paper shows is that one can get enough information about the degree of an isogeny from to (and hence the norm of the ideal ) from looking at pairings of points on the elliptic curve. It is a wonderful and surprising (at least, to me) result, and brings a new set of ideas and techniques into isogeny crypto. The paper is not too hard to follow (don’t be put off by the phrase “genus theory” — it is not as scary as it sounds).
I end with a few small comments. First, as with the case of , this does not give a perfect algorithm to distinguish DDH quadruples from uniform ones. But it does allow to reject some quadruples as being definitely not DDH, and this is enough to break the DDH assumption. Second, breaking the DDH assumption does not, as far as I know, break any isogeny cryptosystem. This is because isogeny cryptosystems are rather unsophisticated compared with DLP-based protocols. Third, the results do not apply to SIDH and have no impact on the SIKE submission to the NIST standardization process.
To conclude, this paper is a great theoretical result that brings new ideas to the field. What will be next for isogeny crypto? Whatever it is, I look forward to it!
— Steven Galbraith
The deadline for submissions is February 25. To submit, please go to the call for papers on the conference website.
I decided to have a look at the history of the ANTS conferences, and in particular to identify the most highly cited papers (using google scholar). The ANTS conferences started in 1994, with the first conference held at Cornell.
First I want to mention that citation counts are not a good measure of research quality or difficulty or importance. Citations are biased towards subject areas that have a culture of writing lots of papers and citing widely. Citation counts are also biased to older papers, since they have had more time to accrue citations. Hence, we would expect the most highly cited papers at ANTS to be in cryptography, and from 16 or more years ago.
Nevertheless, citation counts do tell something about the interest in a paper, and are a reasonable proxy for impact on the field.
The most highly cited paper in the history of the ANTS conferences (with nearly 1700 citations according to google scholar) is:
There is no doubt that this is a massively influential paper on lattice cryptography. Several of the lattice-based submissions to the NIST Post-Quantum standardisation process were very closely building on NTRU. The irony (if you can call it that) is that this paper was rejected from CRYPTO, and yet has had higher impact than most other papers published in CRYPTO around that time.
Here are the next 14 most cited ANTS papers:
Of course, these rankings will change over time. But that is what it looked like in early 2020.
Looking at this list I see many important and favourite papers: Antoine Joux’s paper on One Round Tripartite Diffie-Hellman kick-started pairing-based crypto; the Adleman-DeMarrais-Huang paper was the first to show high genus curves are weak for DLP crypto; the Lay-Zimmer paper was influential in the early days of ECC; Fouquet and Morain introduced the phrase “Isogeny Volcano”; etc. It is also notable that several of the papers listed (e.g., those by Boneh, Elkies, Nguyen-Stern, and the second paper by Joux) are invited papers, which shows that the community does value survey/overview papers.
Anyway, I look forward to strong submissions to ANTS XIV in Auckland, including on elliptic curves, lattices and isogenies. Hopefully in 15-20 years the impact of some of those papers will be apparent.
— Steven Galbraith
2. ASIACRYPT 2019 took place in Kobe, Japan in December. It was a very well organised conference.
The Best Paper award went to Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich for the paper “Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes”. This paper gives a post-quantum signature scheme (of the “hash and sign” type) from error-correcting codes. Ward Beullens has written a blog post on this paper in the COSIC blog.
There were two conference sessions on isogenies, featuring these papers:
The invited talks were both about blockchain, so I don’t mention them here.
You can read about several other papers on the COSIC blog. Recordings were made of the talks, and will go on the iacr youtube channel eventually.
The rump session, hosted by Mehdi Tibouchi, featured a Samurai warrior to make sure speakers kept to time.
3. Recall the Multiparty Non-Interactive Key Exchange From Isogenies on Elliptic Curves (mentioned in this blog post). It relied on an invariant of products of elliptic curves. Recently Eric Rains, Karl Rubin, Travis Scholl, Shahed Sharif and Alice Silverberg have posted on arXiv the paper “Algebraic maps constant on isomorphism classes of unpolarized abelian varieties are constant”, which gives additional evidence that a useful invariant doesn’t exist.
4. Advance notice for ECC 2020 in Taiwan! You will find information here.
— Steven Galbraith
Indeed, such cases apparently still happen:
This situation is natural whenever a crypto tool that is technically subtle (and crypto tools always have technical subtleties) moves from “niche” into the mainstream. However it can result in incorrect schemes being published, for example because there are not enough experts to review all the papers.
Back in 2006, in response to those issues in pairing-based crypto, Kenny Paterson, Nigel Smart and I wrote the paper Pairings for Cryptographers. The abstract read:
Many research papers in pairing based cryptography treat pairings as a “black box”. These papers build cryptographic schemes making use of various properties of pairings. If this approach is taken, then it is easy for authors to make invalid assumptions concerning the properties of pairings. The cryptographic schemes developed may not be realizable in practice, or may not be as efficient as the authors assume. The aim of this paper is to outline, in as simple a fashion as possible, the basic choices that are available when using pairings in cryptography. For each choice, the main properties and efficiency issues are summarized. The paper is intended to be of use to non-specialists who are interested in using pairings to design cryptographic schemes.
This abstract exhibits the particular style of understated writing that is cultivated by British people. What we really meant was: Please read this and stop screwing up.
Rolling forward 15 years, isogeny-based cryptography is another area with many technical subtleties, but is moving into the mainstream of cryptography. Once again, not everything that can be done with discrete logarithms can necessarily be done with isogenies. It is therefore not surprising to find papers that have issues with their security.
It is probably time for an Isogenies for Cryptographers paper, but I don’t have time to write it. Instead, in this blog post I will mention several recent examples of incorrect papers. My hope is that these examples are instructional and will help prevent future mistakes. My intention is not to bring shame upon the authors.
In this case, there is no reason for the original authors to be embarrassed. There has been considerable progress in isogeny crypto in the last 5 years, and it is natural that new cryptanalytic tools would become available that could break earlier schemes.
Without going into all the details, in SIDH there is a base curve and four points on it. An SIDH instance includes a triple where is an isogeny of degree . One of the basic computational problems is to compute when given this information.
The decisional assumption is to distinguish a valid triple from another triple where is a supersingular curve, and are points satisfying various conditions.
At Provsec 2019, S. Terada and K. Yoneyama (“Password-based Authenticated Key Exchange from Standard Isogeny Assumptions”) proposed a password-based authenticated key exchange scheme for SIDH. The security against offline dictionary attacks was based on the hardness of a decision problem, but it was not the above decision problem. Instead, the security of the scheme under such an offline dictionary attack relies on the difficulty of distinguishing the triple from a uniformly random binary string of the same length. This problem is not hard at all, since there are many properties that a valid triple must satisfy (e.g., is a supersingular elliptic curve, etc.) which a uniformly chosen binary string would not satisfy. Hence the scheme in the paper is not secure against offline dictionary attacks.
It is actually a really interesting open question to fix this, related to compression of SIDH protocol messages. If one could compress SIDH protocol messages down to the minimum number of bits, then one might actually be able to argue that the protocol message is indistinguishable from a uniform binary string. I don’t know any way to solve this problem and I think it is probably impossible. For the state-of-the-art in compression of SIDH messages see G. H. M. Zanon, M. A. Simplicio Jr, G. C. C. F. Pereira, J. Doliskani and P. S. L. M. Barreto, “Faster key compression for isogeny-based cryptosystems”.
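As an added illustration of the point about the Terada-Yoneyama assumption (this is code written for this edit, not the authors' scheme and not any SIDH implementation), the following checks interpret a candidate bit string as a triple (A, x(P), x(Q)) over F_{p^2} and reject it whenever it cannot possibly be an SIDH public key: the curve must be nonsingular, both x-coordinates must correspond to points on y^2 = x^3 + Ax^2 + x rather than on its quadratic twist, and every such point must be killed by p+1, because every curve isogenous over F_{p^2} to the SIDH starting curve has (p+1)^2 points. The parameters are toy values chosen for this example: p = 2^4 * 3^3 - 1 = 431, the SIKE starting curve A = 6, and a hypothetical encoding of the triple as six 16-bit words; the "random" strings are constructed from SHA-256 of a counter.

```python
"""Consistency checks an SIDH public key must pass (added example; not from the original post).
Assumed toy choices: p = 2^4 * 3^3 - 1 = 431 (p = 3 mod 4), F_{p^2} = F_p[i]/(i^2 + 1), Montgomery
curves y^2 = x^3 + A*x^2 + x, and a hypothetical encoding of (A, xP, xQ) as six little-endian
16-bit words. No isogeny is computed; the code only rejects strings that cannot be keys."""
import hashlib

P = 431

# F_{p^2} elements are pairs (a, b) meaning a + b*i.
def f2_add(u, v): return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)
def f2_sub(u, v): return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)
def f2_mul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % P, (u[0]*v[1] + u[1]*v[0]) % P)
def f2_inv(u):
    n = pow(u[0]*u[0] + u[1]*u[1], P - 2, P)          # inverse of the norm a^2 + b^2 in F_p
    return ((u[0]*n) % P, (-u[1]*n) % P)
def f2_pow(u, e):
    r = (1, 0)
    while e:
        if e & 1: r = f2_mul(r, u)
        u, e = f2_mul(u, u), e >> 1
    return r
def f2_is_square(u):
    """Euler's criterion in F_{p^2}: u is a square iff u^((p^2-1)/2) == 1 (and 0 is a square)."""
    return u == (0, 0) or f2_pow(u, (P*P - 1) // 2) == (1, 0)

def curve_rhs(A, x):
    """x^3 + A*x^2 + x; (x, y) is on E_A iff this equals y^2 for some y in F_{p^2}."""
    x2 = f2_mul(x, x)
    return f2_add(f2_add(f2_mul(x2, x), f2_mul(A, x2)), x)

# x-only Montgomery arithmetic on projective (X:Z); Z == 0 is the point at infinity.
def xdbl(X, Z, A24):
    s, d = f2_add(X, Z), f2_sub(X, Z)
    s2, d2 = f2_mul(s, s), f2_mul(d, d)
    t = f2_sub(s2, d2)                                  # 4XZ
    return f2_mul(s2, d2), f2_mul(t, f2_add(d2, f2_mul(A24, t)))
def xadd(X1, Z1, X2, Z2, Xd, Zd):
    """Differential addition: x(P+Q) from x(P), x(Q) and x(P-Q) = (Xd:Zd)."""
    t0 = f2_mul(f2_add(X1, Z1), f2_sub(X2, Z2))
    t1 = f2_mul(f2_sub(X1, Z1), f2_add(X2, Z2))
    s, d = f2_add(t0, t1), f2_sub(t0, t1)
    return f2_mul(Zd, f2_mul(s, s)), f2_mul(Xd, f2_mul(d, d))
def xmul(k, x, A):
    """Montgomery ladder: (X:Z) of [k]P for a point P with x(P) = x != 0 on E_A (A != +-2)."""
    A24 = f2_mul(f2_add(A, (2, 0)), f2_inv((4, 0)))
    R0, R1 = ((1, 0), (0, 0)), (x, (1, 0))               # R1 - R0 == P throughout
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(*R0, *R1, x, (1, 0)), xdbl(*R1, A24)
        else:
            R1, R0 = xadd(*R0, *R1, x, (1, 0)), xdbl(*R0, A24)
    return R0

def is_possible_sidh_key(A, xP, xQ):
    """False only when (A, xP, xQ) certainly is NOT (E_A, x(phi(P)), x(phi(Q))) for an SIDH isogeny phi.
    True means 'not ruled out', never 'valid'."""
    if f2_mul(A, A) == (4, 0):                        # A = +-2 is a singular cubic, not a curve
        return False
    for x in (xP, xQ):
        rhs = curve_rhs(A, x)
        if rhs == (0, 0):                             # a 2-torsion point: on E_A and killed by p+1 anyway
            continue
        if not f2_is_square(rhs):                     # no y in F_{p^2}: the point is on the twist, not on E_A
            return False
        if xmul(P + 1, x, A)[1] != (0, 0):            # every curve isogenous over F_{p^2} to the SIDH
            return False                              # starting curve has (p+1)^2 points, so [p+1]P = O
    return True

def parse_key(blob):
    """Hypothetical wire format: six little-endian 16-bit words, reduced mod p, giving (A, xP, xQ)."""
    w = [int.from_bytes(blob[2*j:2*j + 2], "little") % P for j in range(6)]
    return (w[0], w[1]), (w[2], w[3]), (w[4], w[5])

def first_twist_x(A):
    """Some x = a + i with non-square RHS, i.e. the x-coordinate of a point on the twist of E_A."""
    for a in range(P):
        rhs = curve_rhs(A, (a, 1))
        if rhs != (0, 0) and not f2_is_square(rhs):
            return (a, 1)

def first_ordinary_A(x=(0, 1)):
    """Some A in F_p whose curve contains a point with x(P) = x but [p+1]P != O (so E_A is ordinary)."""
    for a in range(1, P):
        A = (a, 0)
        if f2_mul(A, A) != (4, 0) and f2_is_square(curve_rhs(A, x)) and xmul(P + 1, x, A)[1] != (0, 0):
            return A

def random_strings_rejected(n):
    """Constructed pseudo-random 12-byte strings (SHA-256 of a counter): how many fail the checks."""
    return sum(1 for k in range(n)
               if not is_possible_sidh_key(*parse_key(hashlib.sha256(bytes([k])).digest()[:12])))

if __name__ == "__main__":
    print("E_6 with two genuine points:", is_possible_sidh_key((6, 0), (0, 1), (0, P - 1)))
    print("a point on the twist of E_6:", is_possible_sidh_key((6, 0), first_twist_x((6, 0)), (0, 1)))
    print("an ordinary curve:", is_possible_sidh_key(first_ordinary_A(), (0, 1), (0, P - 1)))
    print("pseudo-random strings rejected:", random_strings_rejected(16), "of 16")
```

A string that survives all three checks is not thereby a valid key (the curve might be ordinary with an unlucky point of order dividing p+1, and a real key's points must also have the right torsion orders), but a uniform string essentially never survives them, which is all an offline dictionary attacker needs.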
D. Boneh and J. Love, “Supersingular Curves With Small Non-integer Endomorphisms”, show, among other things, that it is hard to hash to SIDH public keys. W. Castryck, L. Panny and F. Vercauteren, “Rational isogenies from irrational endomorphisms”, show it is hard to hash to CSIDH.
It would be great if someone can solve one of these problems, but I think they are both hard. In the meantime, cryptographers should not assume that it is possible to hash to public keys/protocol messages. This also limits the possibility to transport some protocols from the discrete-log world into the isogeny world.
In the isogeny context it is dangerous to use a gap assumption, as there are known arguments that one can reduce the computational isogeny problem to a decisional isogeny problem in certain cases. I already warned about this in the key exchange setting in this note. The solution of Fujioka et al. was to introduce a “degree-insensitive” version of the problem, which is essentially to extend the protocol to -isogeny chains of any length (rather than fixed length). It is an interesting idea.
However, my student S. Dobson and I have given evidence (see On the Degree-Insensitive SI-GDH problem and assumption) that the distribution of public keys in the degree insensitive case is close to uniform, and so it no longer makes sense to consider a gap problem. We do not have an attack on this protocol, but we conclude that the security proof is not correct. This shows again that one must be very careful to adapt ideas from discrete-log-based protocols into the isogeny setting.
Furukawa et al. [14] proposed an isogeny-based BD-type GKE protocol called SIBD. However, the security proof of SIBD (Theorem 4 in [14]) is imperfect, and several points remain unclear, for example, on how to simulate some public variables.
Once again, the scheme is not broken (as far as I know), but the security argument is not correct. Takashima gives a new security analysis in his paper (but I have not had time to check it).
What can authors do to avoid the dangers of isogeny crypto? There are some very good surveys of the basic ideas behind isogenies (for example see Mathematics of Isogeny Based Cryptography by Luca De Feo), but there is no good resource for cryptographers who want to use isogenies as a “black box”, and just want to know what is possible and what is not possible for building protocols. My best attempt so far is this note. In any case, I hope the present blog post can act as a cautionary tale: treating isogenies as a black box is risky!
— Steven Galbraith
Continuing the unavoidable trend for large conferences, Crypto 2019 offered two parallel tracks, and understandably I’ll report on but a few presentations of the one specific track I happened to choose at each segment of the program (I tried to vary my choice of track for every session block, though).
And yet, the dichotomy of parallel sessions got me into existential anguish (of sorts) right from the start for being unable to attend both. The very first parallel pair was on lattice-based ZK proofs on the one hand, and on certain symmetric constructions on the other. I chose symmetric constructions.
I found the notion of secure PRNGs that lack a random seed, introduced by S. Coretti et al. (“Seedless Fruit is the Sweetest: Random Number Generation, Revisited”), particularly intriguing (to say the least). The authors bypass the impossibility of attaining this by compromising: yes, the entropy source is still implicitly there despite the name, but instead of modeling the extraction procedure by feeding the PRNG a randomness seed, it assumes the underlying random oracle itself (called the “monolithic extractor”) is picked uniformly at random all at once. Building on this idea, the authors offer provably secure constructions and show how some existing ones are insecure. Unfortunately, delays between clicks and slide changes, coupled with a few other issues (including, I should say, a somewhat inordinate number of jokes), made it impossible to cover the extensive slide set in the allotted time… and to check if I got the ideas right.
My session choice meant I couldn’t attend the simultaneous presentation of the equally intriguing solution to the problem of constructing a non-interactive zero-knowledge (NIZK) proof system from the LWE assumption for any NP language, discovered by C. Peikert and S. Shiehian and described in their paper “Noninteractive Zero Knowledge for NP from (Plain) Learning with Errors”. That was a pity, but it was somewhat compensated by the work “Nonces Are Noticed: AEAD Revisited” by M. Bellare, Ruth Ng, and B. Tackmann. This work reveals an enormous gap between the usual theory of nonce-based schemes and the actual (sometimes even standardized) usage of those schemes in practice: nonces become a kind of metadata that can reveal a surprising amount of information about the users or devices originating them. Quite creepy, but the authors address it by providing new notions and solutions whereby the nonce is hidden as well, and also resist nonce misuse.
As usual, there was a session on FHE. In the work “On the Plausibility of Fully Homomorphic Encryption for RAMs” by A. Hamlin et al., the authors tackle the problem of hiding the sequence of memory addresses that are accessed when doing some processing on a large database. Using their notion of rewindable oblivious RAM, they obtain a preliminary single-hop scheme where the multiplicative running time overhead is , where is the database size.
In the same session, Sri A. K. Thyagarajan talked about his joint work with G. Malavolta on “Homomorphic Time-Lock Puzzles and Applications”, whereby one can evaluate functions over puzzles without solving them. This amusing notion has nice applications like e-voting: in a simple setting, the voters create one encryption of 1 for the candidate they are voting for and distinct encryptions of 0 for all the others, so that summing up those sets over all voters yields the encrypted voting tally for all candidates (without revealing who voted for them), while adding all the encryptions, and independently the squares of all encryptions, for each individual voter yields a proof that they voted exactly once for each candidate. Transforming the encryptions into time-lock puzzles makes the decryption operations public, and does away with the need for a trusted third party. Other applications were suggested, like sealed e-auction bidding, multiparty coin flipping, or multiparty contract signing.
The session on the communication complexity of multiparty computation (MPC), which I chose over malleable codes, was no less striking, in particular the presentation by Mark Simkin and the one by Abhi Shelat.
Mark, who presented his work with S. Ghosh (“The Communication Complexity of Threshold Private Set Intersection”), started with applications of private set intersection (like the intersection of fingerprints) where one only cares about large intersections. In that case, it pays to set up the protocol so that one actually learns the complement of the intersection instead. One can see this as MPC of the ratio between characteristic polynomials, so that common factors (that is, those corresponding to the intersection) cancel. I didn’t quite gather whether a trusted third party is essential or just a secondary concern for the proposed protocol, though.
Abhi delighted the audience with a long, slow-motion clip of radical acrobatic skiing and the associated adrenaline rush. This blogger is not really sure the subject of MPC communication complexity causes a similar physiological effect, although the presenter claimed it does. After a recapitulation of the milestones of the subject, the audience was finally rewarded with a quite detailed mathematical treatment of the contribution, though this time at a very, very fast pace. Perhaps the subject does cause an adrenaline rush after all. Anyway, the work covered adaptively secure MPC with sublinear communication cost, in a scenario where the adversary can corrupt parties at any time, even after the end of the protocol, at which time the adversary can potentially corrupt all parties.
The session on post-quantum security focused on the quantum random oracle model (QROM). Both papers in the first part of that session, “How to Record Quantum Queries, and Applications to Quantum Indifferentiability” by M. Zhandry, and “Quantum Security Proofs Using Semi-classical Oracles” by A. Ambainis, M. Hamburg and D. Unruh, were thickly theoretical. The talk on “Quantum Indistinguishability of Random Sponges” by J. Czajkowski, A. Hülsing, and C. Schaffner was more approachable in my opinion (TL;DR: the sponge construction can be used to build quantum-secure pseudorandom functions when the adversary has superposition access to the input-output behavior of the sponge but not to the sponge’s internal function or permutation function itself, assumed to be random in their model). Sure enough, the more theoretically-oriented results have a clear and welcome niche even here, since these results build upon Zhandry’s prior switching lemma for pseudo-random functions or permutations from 2015. Zhandry is also a co-author of another paper from that session, “Revisiting Post-Quantum Fiat-Shamir” (joint work with Q. Liu), which was presented together with the last one, “Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model” by J. Don et al.
Several other works are worth mentioning; I’ll mention a few more, but alas, not a full list: hanc blogis exiguitas non caperet. I found the paper “Unifying Leakage Models on a Rényi Day” by T. Prest, D. Goudarzi, A. Martinelli, and A. Passelègue, whose presentation I could not attend for not being proficient at ubiquity, quite entertaining (I assure the reader that this has nothing to do with my living in the often rainy Seattle area). The paper “It Wasn’t Me! Repudiability and Claimability of Ring Signatures” by S. Park and A. Sealfon deals with the question of enabling repudiation for ring signature non-signers, and claimability for actual signers of ring signatures. The importance of the first is to deflect undue responsibility for ring signatures produced by another ring member, and the importance of the latter lies in taking due credit for signing when that turns out to be, or becomes, desirable, but prior notions of security for ring signatures were ambivalent at best on such issues. Besides updated notions, the authors offer a repudiable scheme based on a variety of assumptions (for instance, bilinear maps), an unclaimable scheme based on the SIS assumption, and constructions for claimable or unrepudiable schemes that can be obtained from certain existing ring signatures.
Last but obviously not least, three papers got awards:
The papers are quite well written. The interested readers are encouraged to avail themselves of them for all of the fascinating details of these works. I was personally interested in the second of them and, to a smaller degree, the first, so I’ll try and briefly summarize those (I’m afraid the third falls somewhat outside my areas of expertise so I refer the interested reader to the corresponding paper).
Kazuhiko Minematsu began describing their work on OCB2 by showing how easy it is to attain a minimal forgery with one single encryption query. The general attack follows the model previously applied against the EAX Prime mode of operation, which lacked a formal security analysis (so it was not really a big surprise that scheme turned out to succumb to attacks). However, OCB2 was supported by a full-fledged security proof and remained unscathed for fifteen years. The attack described in the paper stems from an observed gap in that security proof which turned out to be a severe flaw. On the bright side, the attack does not extend to OCB1 nor OCB3, nor to certain suggested tweaks to OCB2. This shows that the overall structure of OCB is sound, but also the necessity of active verification of proofs.
Sam Jaques explained that their claw-finding paper set forth three goals. The first goal was to fairly compare attacks with classical and quantum resources. The second goal was to view gates as processes (which is indeed the view suggested by current quantum technology). The third goal was to include error correction as part of the cost and effort of the attack, since those are essential to overcome the exquisite fragility (in the sense of susceptibility to decoherence) of quantum computations. Their main idea was thus to view quantum memory as a physical system acted upon by a memory controller. As such, it undergoes two kinds of time evolution: free (caused by noise) and costly (caused by the controller). The computation cost becomes the number of iterations (ignoring construction costs, focusing on the controller cost instead). Two cost models are covered: the so-called G (gate) cost, which assumes passive error correction and 1 RAM operation per gate, and the DW (depth-width) cost, which counts 1 RAM operation per qubit per time unit. This sets the framework for their analysis of the claw-finding algorithm, which is a meet-in-the-middle attack to recover a path spelled out by the private key in the isogeny graph, between the initial curve and the final one (which is part of the public key). It can be realized by Tani’s collision-finding algorithm, by following random walks on two Johnson graphs, looking for a collision, and doing all computations in a quantum setting. The complexity is . Despite the paper title, a quite surprising conclusion of their analysis is that SIDH and SIKE are actually harder to break than initially thought. In particular, it appears that the minimum SIKE parameter set (namely, SIKE434) cannot be broken by any known attack in less than the cost and effort needed to break AES128, specifically . 
This scales to other parameter sets, to the effect that the revised SIKE parameters for the 2nd round of the NIST PQC process are smaller than their 1st round counterparts.
So, there you have it, a brief (and necessarily incomplete, but hopefully helpful) appraisal of Crypto 2019. Scripsi. Vale.
Day #1
Day #1 started strong. After a quick overview of isogenies by Chloe Martindale and Lorenz Panny, including an introduction to SIDH and CSIDH, the invited speakers took the stage:
In the initial part of his talk he introduced the hidden-shift problem in its isogeny version and the Kuperberg algorithm. Thomas Decru has covered this talk in detail in this blog post.
This concluded Day #1.
Day #2
In Day #2 we had
Day #3
Day #3 of isogenies opened with the plenary session delivered by Kristin Lauter. Her talk, as usual, was really inspiring and was about the history of Supersingular Isogeny Graphs in Cryptography. She basically covered the Charles-Goren-Lauter (CGL) hashing construction and the panorama of post-quantum cryptography. After a quick break and a commute to the other building we were back to the isogenies mini-symposium:
Day #4
And here we arrived already to the last day:
That’s all from SIAM AG. See you in 2 years.
— Antonio Sanso
— Steven Galbraith
The session on isogeny-based cryptography was held in the afternoon of May 9. It included three talks by young researchers:
This talk presented a faster variant of the SeaSign signature scheme by improving rejection sampling, which is a key technical ingredient of SeaSign. Obtaining a practical isogeny-based (post-quantum) signature scheme is an important research direction in this field. This work is a nice step towards that goal, although it does not yet reach it.
First, this talk presented a systematic method for finding collisions of the Charles-Goren-Lauter type genus-two hash function (which was suggested in a previous paper of mine). The collision finding was accomplished based on a closer look of the structure of isogeny graphs in genus two. A little surprisingly, it is now fixed by a very recent paper by Castryck, Decru, and Smith (eprint arxiv 2019/296), which reformulates it by using genus-two “superspecial” subgraphs. The talk also proposed a SIDH-type key exchange in genus two, in which (2,2)- and (3,3)-isogenies are used instead of 2- and 3-isogenies in the genus one case, respectively.
This presentation proposed an efficient constant-time implementation of CSIDH. In the authors’ previous paper (INDOCRYPT 2018), they initiated an improvement of the CSIDH implementation, which resulted in a faster algorithm than the original. However, that previous implementation leaks various information about the private key. Therefore, to obtain side-channel leakage resistance, this talk modified how key elements are sampled and used dummy isogenies, and thereby obtained a constant-time implementation (with several further efficiency improvements).
Moreover, there were two invited talks which are relevant to this blog. One was by Tsuyoshi Takagi (Univ. of Tokyo), and the title was “Computational Challenge Problems in Post-Quantum Cryptography”, in which he first briefly reviewed the NIST PQC standardization, and then introduced PQC challenge problems with focus on the Fukuoka MQ Challenge and the Darmstadt Lattice Challenge. The other was given by Dustin Moody (NIST) on “Round 2 of NIST PQC Competition”. He carefully summarized the history of the competition and, for all the round 2 submissions, he made brief comments on advantages and/or unique features of the schemes. He also very briefly mentioned the future schedule of the competition.
— Katsuyuki Takashima
]]>Takakazu Satoh has been interested in pairing inversion for quite a while, and has published several papers on the topic, including “On Degrees of Polynomial Interpolations Related to Elliptic Curve Cryptography” (WCC 2005), “On Pairing Inversion Problems” (Pairing 2007), and “Closed formulae for the Weil pairing inversion” (Finite Fields and Their Applications 2008).
To recall basic definitions: Let be an elliptic curve over a field . Let be a large prime such that . The embedding degree is the smallest integer such that A pairing-friendly elliptic curve is one whose embedding degree is small, e.g.,
The (reduced) Tate-Lichtenbaum pairing takes two points and gives a value . A lot of researchers, including me and many of my friends, worked between 2000 and 2010 trying to compute pairings faster. The computation of the reduced Tate-Lichtenbaum pairing has two stages. First one computes a Miller function . The function has divisor
Then one computes the final exponentiation, which is an exponentiation to the power
It was discovered that, for many pairing-friendly curves, there was a more efficient way to compute the Miller function. Essentially instead of computing one can compute values like , which is a simpler computation when , which is usually the case. This observation was first made in a special case in a paper of Duursma and Lee from ASIACRYPT 2003. Further special cases were noted by Kwon (ACISP 2005) and Barreto, Galbraith, Ó hÉigeartaigh and Scott (Designs, Codes and Cryptography, 2007). The situation was finally clarified by Granger, Hess, Oyono, Thériault and Vercauteren (“Ate Pairing on Hyperelliptic Curves”, EUROCRYPT 2007). The key idea is to work with Frobenius eigenspaces and change the pairing to . I call this paper GHOTV below. Subsequently, Hess (“Pairing Lattices”, Pairing 2008) and Vercauteren (“Optimal pairings”, IEEE Trans. Information Theory 2010) showed how to use this idea most effectively in general pairing implementations.
One particular feature of the ate pairing introduced in GHOTV is that the pairing computation only needs the first stage (Miller’s algorithm) and does not require a final exponentiation. This makes it a lot faster to compute. The ate pairing is not the exact same function as the reduced Tate-Lichtenbaum pairing, so one cannot use them interchangeably. But they are both bilinear maps, and so a system can be implemented using the ate pairing and it all works fine.
In those days, we thought pairings would be useful for identity-based crypto and short signatures, and we were mostly trying to work with large embedding degrees like . So the case was considered of relatively minor interest and was not studied much.
The computational assumptions underlying pairing-based crypto all required pairing inversion to be hard. Typically pairing inversion means: Given and a point to find such that
It was quickly realised that there are two obstacles to pairing inversion: First it is necessary to invert the final exponentiation. Second one needs to invert the Miller function. It turned out that sometimes one or the other of these problems could be easy, but I know no situation for prime order groups where both are easy at the same time. For example, since the ate pairing does not require a final exponentiation, pairing inversion for the ate pairing is equivalent to Miller inversion (which seems to be hard in this case). In short, pairing inversion remains a hard computational problem, which is good news for pairing-based crypto. A good reference for these ideas is Galbraith, Hess, Vercauteren (“Aspects of Pairing Inversion”, IEEE Trans. Information Theory 2008).
Satoh’s recent paper explores the case . Work on discrete logs in finite fields (e.g., see these blog posts) has caused some pairing researchers to become very conservative and reconsider choices such as When we essentially have and the final exponentiation is to the power The reduced Tate-Lichtenbaum pairing is
Satoh uses Lemma 2 of GHOTV, that already has order . This is the fact that the ate pairing does not require a final exponentiation. Let be the value computed by Miller’s algorithm, so that is the pairing value. Suppose one has the value (this is not normally the case, normally the attacker has , from which there are possible values for ). Since (I am using different notation to Satoh here) it means that an attacker can get their hands on by raising to the power , remembering that exponentiation to the power is linear, and hence solving a square-root to get . Hence, Satoh has shown that Miller inversion is easy in this case, but pairing inversion is still hard.
In fact, when it would be quite natural to instead use the ate pairing for any crypto application. Now there is no final exponentiation. However Satoh’s attack does not work since his approach is precisely to kill off the “ate pairing” contribution to the Tate-Lichtenbaum pairing.
In short, there are two pairings one can use in embedding degree 2 and both seem to be hard to invert: the ate pairing has trivial final exponentiation but the Miller function seems hard to invert; the Tate-Lichtenbaum pairing has easy Miller inversion (as Satoh has just shown) but it seems hard to invert the final exponentiation.
I end with a comment about applications of pairings. As I mentioned, 15 years ago we thought that the “killer applications” for pairings were identity-based crypto and short signatures. Nowadays it seems pairings are most useful for short zero knowledge proofs. For example, Jens Groth’s pairing-based zk-SNARK (zero-knowledge succinct non-interactive argument of knowledge) is a key component of Zcash. As far as I can tell, the implementation in Zcash uses curves with embedding degree and does use the ate pairing.
— Steven Galbraith
There was a Special Session on The Mathematics of Cryptography organised by Shahed Sharif and Alice Silverberg. Slides of (some of) the talks are available here.
Among the talks I attended, I mention these:
I talked about CSIDH and SeaSign, and then said a little bit about some work of my PhD student Yan Bo Ti on hash functions from dimension 2 supersingular abelian varieties. The slides online also cover some other topics that I did not mention (Kuperberg’s algorithm and quaternion algebras).
This was a really nice talk that described a “hash encryption” scheme based on the (decisional) Diffie-Hellman problem and explained how this enables identity-based encryption from the Diffie-Hellman problem (no pairings needed). This is joint work with Nico Döttling. The schemes are not practical.
Kristin reported joint work with Anamaria Costache, Brooke Feigon, Maike Massierer and Anna Puskas about some computational problems in isogeny graphs. A paper on this work is eprint 2018/593.
Jung Hee talked about some basic mathematical functions (such as max and min) that are useful for practical computations on encrypted data. He explained some iterated processes (in his words “nowadays I am working in numerical analysis”) that give low-depth circuits to compute approximations to these functions.
Shahed talked (on the blackboard — there are no slides) about his paper eprint 2018/665 with Dan Boneh, Darren Glass, Daniel Krashen, Kristin Lauter, Alice Silverberg, Mehdi Tibouchi and Mark Zhandry. The scheme is still incomplete as no suitable efficiently computable isomorphism invariant of abelian varieties has been found. Shahed discussed attempts to find such an invariant, and I learned some interesting facts about polarizations on abelian surfaces.
Joe presented joint work with Jeff Hoffstein and others on a new candidate number-theoretical problem that might be interesting for new signature schemes. This is a work-in-progress and is not published yet.
Travis presented his papers eprint 2017/383, eprint 2018/307 and some newer work on “isolated curves”.
Nadia surveyed her joint work with Breitner, published as “Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies”. Her talk also included an overview of lattice algorithms for the hidden number problem, and a very clear sketch of Bleichenbacher’s approach using Fourier analysis to the hidden number problem.
Jeff presented very new joint work with Joe Silverman on yet another number-theoretical problem that might be interesting for new signature schemes. This is related to their previous work on isomorphisms of finite fields, but with new ideas and applications. I was not able to follow the details of the talk. There is no preprint yet on this work.
Travis gave an overview of his EUROCRYPT 2018 paper with Eisentraeger, Hallgren, Lauter and Petit.
Much work on algorithms to compute Hilbert class polynomials requires proving good upper bounds on the size (e.g., bitlength) of these polynomials. Reinier spoke about his current work-in-progress trying to prove lower bounds on the size of these polynomials.
There was also a Special Session on Emerging Connections with Number Theory organised by Kate Stange and Renate Scheidler, plus a lot of other sessions, that included talks of some interest to readers of this blog. However, I stayed in the Mathematics of Cryptography room.
— Steven Galbraith