- “The first collision for full SHA-1” by Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini and Yarik Markov
- “Fast Secure Two-Party ECDSA Signing” by Yehuda Lindell
- “Identity-Based Encryption from the Diffie-Hellman Assumption” by Nico Döttling and Sanjam Garg

The conference takes place August 20-24, 2017 in Santa Barbara.

The Eighth International Conference on Post-Quantum Cryptography (PQCrypto 2017) takes place in Utrecht, the Netherlands, June 26–28, 2017.

The invited speakers are:

- Jaya Baloo
- Vadim Lyubashevsky
- Lieven Vandersypen

The list of accepted papers is available, and includes a session on isogeny-based crypto.

— Steven Galbraith


**David Kohel** introduced the -normal form for elliptic curves five years ago (at Indocrypt 2012). These curves are basically the “right way” to generalize Edwards curve arithmetic to characteristic 2. And they’re the right generalization not only mathematically, but also NIST-ically: existing standardized characteristic 2 curves cannot be transformed into -normal form. David’s paper twists its way around that obstruction, for a small cost of two extra multiplications per point addition. These twisted -normal curves are clearly the fastest and prettiest standard-compatible characteristic-2 elliptic curves out there. This is great news for binarophiles, and it will be interesting to see if implementers working on the hardware level can get much benefit from this.

**Joost Renes** gave a remarkably accessible talk about his work with **Craig Costello**, **David Jao**, **Patrick Longa**, **Michael Naehrig**, and **David Urbanik** on compressing public keys for the Supersingular Isogeny Diffie–Hellman protocol. SIDH is the best-known supposedly-quantum-resistant elliptic curve cryptosystem; while it might be slow compared with other postquantum alternatives, its principal attraction for cryptographers is its particularly small keys. Well, those keys are now even smaller (330 bytes for 128-bit security)—but the interesting thing in this paper is a much-improved key compression algorithm, which runs an order of magnitude faster than previous methods.

**Thorsten Kleinjung** gave a really nice talk on his record discrete logarithm computation with **Claus Diem**, **Arjen Lenstra**, **Christine Priplata**, and **Colin Stahlke**. Together they computed a discrete logarithm in a 768-bit prime field.

Why 768 bits? Because that matches the record for general integer factorization (from 2009, in a project that also included Thorsten and Arjen), which was computed with the General Number Field Sieve (GNFS); and GNFS is also what we use for prime-field discrete logs. In contrast to most recent finite-field discrete-log results which attack small-characteristic or pairing-related fields, this computation represents the state-of-the-art in the classic prime-field case.

The prime in question was , which is the smallest “safe prime” larger than (“safe” meaning that is also prime, so that this represents the hardest case for generic algorithms applied to finite fields of the same size). The element 11 generates the multiplicative group of .

No doubt the question you are asking yourself right now is *“what is the discrete logarithm of with respect to the base 11?”* Ask no more, for Thorsten has the answer: it’s *325923617918270562238615985978623709128341338833721058543950813521768156295091638348030637920237175638117352442299234041658748471079911977497864301995972638266781162575370644813703762423329783129621567127479417280687495231463348812*.
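The two properties the post relies on, that the field prime is a “safe prime” and that 11 generates the whole multiplicative group, are exactly what a practitioner checks when validating finite-field Diffie-Hellman parameters. The following is an added example (it is not code from the post or from the record computation’s authors); since the 768-bit prime itself is not reproduced here, it uses a small constructed safe prime, and the function names `is_prime`, `is_safe_prime`, `is_generator` and `smallest_generator` are this example’s own.

```python
"""Validating a prime-field Diffie-Hellman group: safe-prime test and
generator check.  Added example, not from the blog post or the paper it
discusses; the group sizes below are constructed for illustration."""

# First twelve primes; as Miller-Rabin bases they give a deterministic
# answer for every n below 3 * 10**23 and a probabilistic one beyond.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin primality test with the fixed bases above."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 = 2**r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when p and q = (p - 1) // 2 are both prime."""
    return p > 5 and p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


def is_generator(g: int, p: int) -> bool:
    """For a safe prime p = 2q + 1 the group order p - 1 = 2q has only the
    prime factors 2 and q, so g generates the full multiplicative group
    iff g**2 != 1 and g**q != 1 (mod p).  That is why the safe-prime case
    is the hardest one for generic discrete-log algorithms: there is no
    small subgroup to exploit."""
    if not is_safe_prime(p):
        raise ValueError("this order check assumes a safe prime")
    g %= p
    if g == 0:
        return False
    q = (p - 1) // 2
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def smallest_generator(p: int) -> int:
    """Smallest g >= 2 generating the multiplicative group mod p."""
    return next(g for g in range(2, p) if is_generator(g, p))


if __name__ == "__main__":
    P = 2039  # constructed example: 2039 = 2 * 1019 + 1, both prime
    print("safe prime:", is_safe_prime(P))
    print("11 generates the group:", is_generator(11, P))
    print("4 generates the group:", is_generator(4, P))
    print("smallest generator:", smallest_generator(P))
```

Using the factorization of the group order is what makes the check cheap: two modular exponentiations per candidate instead of a search over all orders. For a prime that is not safe, `p - 1` would first have to be factored, which is the reason deployed parameters almost always use safe primes.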

…So now you know. But as Thorsten points out, the journey is more interesting than the final destination: using some clever techniques detailed in the paper, this calculation took *much* less time and effort (a whole order of magnitude!) than the authors expected. Before you get too excited, it still took 5300 core years—but if this isn’t the exact discrete logarithm you are looking for, computing another one in the same field will now only take two core days. From a cryptographic perspective, that two-core-day figure is especially interesting, because that’s the time required to break actual keys, after a 5-core-millennium precomputation depending only on the field.

**Joshua Fried** spoke about his work with **Pierrick Gaudry**, **Nadia Heninger**, and **Emmanuel Thomé** on discrete logarithms in an even bigger prime field: 1024 bits. How can you compute discrete logs in such a large prime field? You cheat—or, I should say, the parameter generator cheats. Our estimates of the difficulty of these problems, and the cryptosystems that depend on them, are based on the performance of the *General* Number Field Sieve algorithm (GNFS). But Dan Gordon explained 25 years ago how to choose primes that are vulnerable to the much faster *Special* Number Field Sieve (SNFS)—but only if we know a secret backdoor, and detecting that backdoor is apparently infeasible. This project set up an instance of a backdoored 1024-bit prime, and then solved it. This means that if you’re still using 1024-bit fields (and why are you doing such a thing in the twenty-first century?), then you should be extremely careful about their provenance. Kevin McCurley asked an interesting question: is Gordon’s backdoor optimal?

**Gamze Orhon** gave a lightning-fast rump session presentation of her work with **Huseyin Hisil** on optimizing Huff curve arithmetic. The key is viewing these curves as curves in , rather than . The details are in their preprint.

**Aurore Guillevic** and **Laurent Grémy** have established a new reference website to help you keep track of records and progress in finite field discrete logarithm computations. It was about time we had a better solution than trawling the archives of the NMBRTHRY list! Laurent is hosting a front-end on his website, but what’s really nice is that the database itself is git-able.

*—Ben Smith*


— Steven Galbraith


More information is available at the conference page: https://ecc2017.cs.ru.nl/


The three invited talks were:

- Nadia Heninger “The Reality of Cryptographic Deployments on the Internet”.
Nadia described several bad implementations of finite field Diffie-Hellman key exchange, surveying work of several recent papers by many authors. She commented that finite field Diffie-Hellman is prevalent in practice partly due to concerns that elliptic curves might have US government trapdoors.

- Hoeteck Wee “Advances in Functional Encryption”
Hoeteck gave a wonderfully clear overview of functional encryption.

- Neal Koblitz “Cryptography in Vietnam in the French and American Wars”
Neal gave a fascinating historical talk, based on recent research by himself, the general chair Hieu Phan and others, and drawing on historical resources from museums in Hanoi and the writings of historians and former government employees. Neal emphasized the mathematical and cryptographical ingenuity of the Vietnamese people, as well as powerfully evoking the horrors of war and the heroism of certain individuals (both Vietnamese and American).

The best paper award went to Ilaria Chillotti, Nicolas Gama, Mariya Georgieva and Malika Izabachène for “Faster Fully Homomorphic Encryption: Bootstrapping in less than 0.1 Seconds”, which shows that homomorphic encryption (in this case the GSW scheme with packed ciphertexts, together with a bunch of clever new ideas) is gradually becoming closer to practicality. Here is a photo of the best paper award authors with the two program chairs (Tsuyoshi Takagi on the left and Jung Hee Cheon on the right).

Some papers related to discrete logarithms and elliptic curves included:

- Palash Sarkar and Shashank Singh “A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm”.
This work is relevant for assessing the security of pairing based cryptography, more details on this application can be found here.

- Steven D. Galbraith, Christophe Petit, Barak Shani and Yan Bo Ti “On the Security of Supersingular Isogeny Cryptosystems”
The paper contains several results about the (potentially post-quantum) isogeny-based key exchange and encryption protocols of De Feo, Jao and Plut.

- There was an entire session about ABE and IBE, containing papers that use pairings:
  - Nuttapong Attrapadung “Dual System Encryption Framework in Prime-Order Groups via Computational Pair Encodings”
  - Junqing Gong, Xiaolei Dong, Jie Chen and Zhenfu Cao “Efficient IBE with Tight Reduction to Standard Assumption in the Multi-challenge Setting”
  - Melissa Chase, Mary Maller and Sarah Meiklejohn “Déjà Q All Over Again: Tighter and Broader Reductions of q-Type Assumptions”
  - Shuichi Katsumata and Shota Yamada “Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and Bilinear Maps”

- Paz Morillo, Carla Ràfols and Jorge L. Villar “The Kernel Matrix Diffie-Hellman Assumption”
This talk is about relations between variants of the Diffie-Hellman problem.

- Ted Chinburg, Brett Hemenway, Nadia Heninger and Zachary Scherr “Cryptographic applications of capacity theory: On the optimality of Coppersmith’s method for univariate polynomials”
Ted Chinburg delivered a clear and interesting survey of “capacity theory” (a branch of arithmetic geometry/algebraic number theory) that is relevant to the analysis of Coppersmith’s technique for finding small solutions to polynomial equations. The authors hope these ideas will be useful in other contexts in cryptography/cryptanalysis.

Regarding the increased focus on post-quantum crypto there were talks on multivariate crypto (more efficient Multi-quadratic-polynomial signatures), lattices (Vadim Lyubashevsky presented a result about signatures based on ring-SIS in *any* ring and urged the audience to work on a much harder but more interesting problem relating to LWE in any ring) and code-based crypto (an adaptive attack on a decoding algorithm).

The rump session was chaired by me, and was thankfully short. The best and most entertaining talk was given by Pierre Karpman and Jerome Plut. The social activities included a Water Puppet show and a Vietnamese banquet with traditional music.

— Steven Galbraith


https://twitter.com/cryptocephaly/status/803542260256276481

UPDATED Sunday December 4: More detailed explanation on NMBRTHRY list.

UPDATED December 30: The eprint paper has been updated.


It’s remarkable that this workshop has been running successfully for 20 years now: elliptic curve cryptography has come a long way. It was great to be there to celebrate a milestone of sorts:

–Ben Smith


Apart from the excellent invited lectures, the most memorable event of the conference was the late-night walk through the forest, illuminated by hand-held flaming torches, from the conference dinner at Bremerhof.

The Selfridge Prize was presented to J. Steffen Müller (Oldenburg) for the paper “Computing canonical heights on elliptic curves in quasi-linear time” by J. Steffen Müller and Michael Stoll.

The published papers are available in the LMS Journal of Computational Mathematics. Sadly this will be the final year that the proceedings appear in this journal, since the journal is being closed down.

There were relatively few papers with major relevance to ECC, but the following papers may be of some interest to readers of this blog:

- Chris Peikert “Finding Short Generators of Ideals, and Implications for Cryptography”. This was an overview of the work presented in his paper with Cramer, Ducas and Regev.
- Gary McGuire, Henriette Heer and Oisin Robinson “JKL-ECM: An implementation of ECM using Hessian curves”. The paper was about choosing elliptic curves in Hessian form with large torsion groups for the elliptic curve factoring method.
- Jung Hee Cheon, Jinhyuck Jeong and Changmin Lee “An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero”. This paper is another nail in the coffin of multilinear maps.
- Francois Morain, Charlotte Scribot and Benjamin Smith “Computing cardinalities of -curve reductions over finite fields”. This was about a variant of the SEA method that is suitable for counting points on special curves with an endomorphism of a special type. Such curves are suitable for fast implementations of ECC, and so the method in this paper helps to speed up parameter generation when using such curves.
- Luca De Feo, Jérôme Plût, Éric Schost and Cyril Hugounenq “Explicit isogenies in quadratic time in any characteristic”. The paper is about a Couveignes-type method for computing an explicit isogeny between two curves. This is a useful ingredient in point counting algorithms. The new method is appropriate when working in characteristic that is neither “large” nor “very small”.
- Jean-François Biasse, Claus Fieker and Michael Jacobson “Fast heuristic algorithms for computing relations in the class group of a quadratic order with applications to isogeny evaluation”. This paper is about the problem of “smoothing” an isogeny by reducing the ideal corresponding to it in the ideal class group of the order. It introduces some nice techniques that had not been used in this context previously.

The rump session contained a number of jokes about Australia and New Zealand. Aurore Guillevic mentioned some recent DLP records (mostly already mentioned on this blog). Rump session slides will be available eventually here.

The 2018 edition of the ANTS conference is expected to take place in Madison, Wisconsin.

— Steven Galbraith


The scientific programs of both conferences overlapped somewhat (the CRYPTO program ran from Monday through Thursday morning, while CHES ran from Wednesday to Friday with optional tutorials on Tuesday), and CRYPTO now has parallel sessions, so attendees to both conferences effectively had to choose between three parallel tracks. Yet you could probably attend all the talks related to elliptic curve cryptography, as there just weren’t that many.

At CRYPTO, the two most relevant presentations were given in the Algorithmic Number Theory session on Wednesday morning:

- Taechan Kim presented his paper with Razvan Barbulescu, “Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case”, about which Aurore Guillevic wrote an extensive survey on this blog a few months ago. The paper obtains a better complexity for the discrete logarithm problem in some composite degree extensions of finite fields, and although Taechan spent a good part of his talk trying to downplay the concrete impact, it actually translates to a significant reduction in the security of the most popular pairing-friendly elliptic curves. In particular, after this attack, 256-bit Barreto-Naehrig curves no longer offer 128 bits of security, but perhaps closer to 96 or so.
- Craig Costello presented his paper with Patrick Longa and Michael Naehrig, “Efficient Algorithms for Supersingular Isogeny Diffie-Hellman”, which uses a number of clever tricks to implement the postquantum-secure isogeny-based key exchange protocol of De Feo, Jao and Plût significantly more efficiently than what previously thought possible. Although SIDH still lags behind other popular postquantum constructions based e.g. on lattices by several orders of magnitude in terms of performance, it uses comparatively short keys, can be combined with classical ECDH very cheaply, and in any case is based on a very different type of security assumption that may look more appealing to the algebraic geometrically inclined.

Other papers related to elliptic curves include:

- “Design in Type-I, Run in Type-III: Fast and Scalable Bilinear-Type Conversion using Integer Programming” by Masayuki Abe, Fumitaka Hoshino and Miyako Ohkubo, which explains how to algorithmically convert pairing-based protocols using symmetric pairings to the asymmetric setting at a minimal overhead using integer linear programming techniques;
- the CRYPTO best paper, “Breaking the Circuit Size Barrier for Secure Computation Under DDH” by Elette Boyle, Niv Gilboa and Yuval Ishai, which is not elliptic curve crypto per se, but relies on an interesting observation regarding discrete logarithms. The idea is that if two parties hold a secret sharing of a small value in the exponent, i.e. and with , they can derive from that an additive secret sharing of itself *without any interaction*. To do so, they agree on a polynomially dense subset of distinguished points in the group, and count how many steps it takes to reach an element of from their respective share. If is small enough compared to the relative density of , they should reach the *same* element of with good probability, and in that case, if it took (resp. ) steps for the first (resp. second) party, we have , hence : is a secret sharing of obtained without interaction!

At CHES, on the other hand, there were several interesting papers about the implementation of elliptic and hyperelliptic curve cryptography on various platforms.

- On desktop CPUs: the paper by Thomaz Oliveira, Julio López and Francisco Rodríguez-Henríquez, “Software Implementation of Koblitz Curves over Quadratic Fields”. Usual Koblitz curves are defined over and use the fast Frobenius endomorphism instead of doublings to speed up scalar multiplication. This paper instead investigates curves defined over together with the corresponding, slightly less fast Frobenius , and shows that the quadratic extension structure of the corresponding fields yields interesting performance benefits. The authors obtain a constant time scalar multiplication in under 70k cycles on Haswell and 52k cycles on Skylake at the 128-bit security level, which is quite respectable, even though they have to rely on a suboptimal field size of close to 300 bits to find a curve with a sufficiently large prime subgroup.
- On embedded CPUs: the paper by Lejla Batina, Joost Renes, Peter Schwabe and Benjamin Smith, “µKummer: Efficient Hyperelliptic Signatures and Key Exchange on Microcontrollers”. It is well-known that Kummer surfaces support a notion of scalar multiplication, but not point addition directly because it is not compatible with quotienting by . As a result, they would only be used for protocols like Diffie-Hellman, and not for e.g. signatures, which require point additions. However, Chung, Costello and Smith recently observed that you can simply lift back to the actual Jacobian after carrying out your fast variable base point multiplication on the Kummer, and doing so is likely to be faster than doing everything in a Jacobian, especially if you want constant time arithmetic. This CHES paper is a concrete demonstration of that idea on constrained software platforms (AVR ATmega and ARM Cortex M0), where the authors break earlier speed records for (H)ECC by wide margins.
- In hardware: the paper by Kimmo Järvinen, Andrea Miele, Reza Azarderakjsh and Patrick Longa, “FourQ on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime Characteristic Fields”. FourQ is a very nice curve introduced by Costello and Longa at last year’s ASIACRYPT, which currently holds essentially all of the speed records on desktop CPUs for constant-time scalar multiplication (both fixed and variable base) by a comfortable margin. This CHES paper implements it on FPGA, and finds that it also performs faster than other implementations over large characteristic fields (although not nearly as fast as comparable binary field designs).

The CHES rump session also featured some announcements of note, including a concrete complexity estimate by Francisco Rodríguez-Henríquez and his colleagues of the quasilinear attack on discrete logs in the formerly 128-bit secure field that used to be recommended for pairings (answer: if everybody in the world were working on it 8 hours per day, 1000 multiplications per hour, it would only take about 10 months!). The announcement that personally got me the most excited is an improved implementation result for the binary curve GLS254 on desktop CPUs due to Thomaz Oliveira, Diego Aranha, Julio López and Francisco Rodríguez-Henríquez, who adapted techniques from the quadratic Koblitz paper above to blow up the competition again with that curve: at 48k cycles on Haswell and 38k cycles on Skylake for 128-bit secure scalar multiplication, it is even faster than Kummers and FourQ!

— Mehdi Tibouchi


The paper is written in an unusual style. It is a bit like a research notebook, containing sketches of ideas, rather than a polished mathematics paper.

The paper is mainly about the point decomposition problem, which is the fundamental problem behind all recent work on index calculus algorithms (see these blog posts). Precisely, this problem is: Given a point and a factor base write for .

The standard approach these days is to use summation polynomials: We find solutions to the Semaev summation polynomial and then compute the corresponding points. Currently these methods have not had any practical impact on the security of elliptic curve cryptography.

The preprint contains several ideas, whose relevance and impact are yet to be fully determined.

One idea is a way to generate a lot of equations without adding too many new variables. Courtois chooses random elliptic curve points (where is any natural number) and defines new variables

for .

Courtois then notes that if and then

Hence we have

There are choices for , so we get a system of equations in the variables . On the one hand, we now have a greatly over-determined system, and so it should be easier to solve than traditional systems. On the other hand, the system has too many solutions as the variables are unconstrained.

Hence the next problem is to add constraints to the system to reduce the number of solutions. If one can find suitable constraints then one should be able to define a corresponding notion of factor base. Some ideas are sketched in the paper, in particular in Section 18.2, but I have not yet formed an opinion about how well these ideas will work. The paper only considers elliptic curves over prime fields , but similar ideas might be used for curves over other fields.

There are several other ideas in the paper, including some new polynomial equations that might be used to play a similar role to the summation polynomials.

Overall, the paper contains some interesting ideas that are not yet fully developed. Currently the paper does not describe a complete index calculus algorithm and it is difficult for me to determine whether or not the methods are likely to lead to an improvement over existing techniques. No precise complexity statements are made in the paper.

I hope that other researchers will investigate these ideas. I look forward to following the development of work on this topic.

— Steven Galbraith
