Zoya Dyka,Dan Kreiser,Ievgen Kabin,Peter Langendoerfer

DOI: https://doi.org/10.1109/RECONFIG.2018.8641730

2022-01-06

Abstract:In this paper we describe our flexible ECDSA design for elliptic curve over binary extended fields GF(2l). We investigated its resistance against Horizontal Collision Correlation Attacks (HCCA). Due to the fact that our design is based on the Montgomery kP algorithm using Lopez-Dahab projective coordinates the scalar k cannot be successful revealed using HCCA, but this kind of attacks can be helpful to divide the measured traces into parts that correspond to processing of a single bit of the scalar k. The most important contribution of this paper is that our flexible field multiplier is resistant against horizontal attacks. This inherent resistance makes it a valuable building block for designing unified field multipliers.

Cryptography and Security

Jeremy Booher,Ross Bowden,Javad Doliskani,Tako Boris Fouotsa,Steven D. Galbraith,Sabrina Kunzweiler,Simon-Philipp Merz,Christophe Petit,Benjamin Smith,Katherine E. Stange,Yan Bo Ti,Christelle Vincent,José Felipe Voloch,Charlotte Weitkämper,Lukas Zobernig

2024-05-09

Abstract:An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves" that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.

Number Theory,Cryptography and Security

David Kohel

DOI: https://doi.org/10.48550/arXiv.1601.03669

2016-01-15

Abstract:We present normal forms for elliptic curves over a field of characteristic $2$ analogous to Edwards normal form, and determine bases of addition laws, which provide strikingly simple expressions for the group law. We deduce efficient algorithms for point addition and scalar multiplication on these forms. The resulting algorithms apply to any elliptic curve over a field of characteristic $2$ with a $4$-torsion point, via an isomorphism with one of the normal forms. We deduce algorithms for duplication in time $2M + 5S + 2m_c$ and for addition of points in time $7M + 2S$, where $M$ is the cost of multiplication, $S$ the cost of squaring, and $m_c$ the cost of multiplication by a constant. By a study of the Kummer curves $\mathcal{K} = E/\{[\pm1]\}$, we develop an algorithm for scalar multiplication with point recovery which computes the multiple of a point $P$ with $4M + 4S + 2m_c + m_t$ per bit where $m_t$ is multiplication by a constant that depends on $P$.

Number Theory

Michele Burrello,Haitan Xu,Giuseppe Mussardo,Xin Wan

DOI: https://doi.org/10.1103/physrevlett.104.160502

IF: 8.6

2010-01-01

Physical Review Letters

Abstract:We study an efficient algorithm to hash any single-qubit gate into a braid of Fibonacci anyons represented by a product of icosahedral group elements. By representing the group elements by braid segments of different lengths, we introduce a series of pseudogroups. Joining these braid segments in a renormalization group fashion, we obtain a Gaussian unitary ensemble of random-matrix representations of braids. With braids of length O(log2(1/epsilon)), we can approximate all SU(2) matrices to an average error epsilon with a cost of O(log(1/epsilon)) in time. The algorithm is applicable to generic quantum compiling.

Jeremy Maitin-Shepard,Mehdi Tibouchi,Diego Aranha

DOI: https://doi.org/10.48550/arXiv.1601.06502

2016-01-25

Abstract:A homomorphic, or incremental, multiset hash function, associates a hash value to arbitrary collections of objects (with possible repetitions) in such a way that the hash of the union of two collections is easy to compute from the hashes of the two collections themselves: it is simply their sum under a suitable group operation. In particular, hash values of large collections can be computed incrementally and/or in parallel. Homomorphic hashing is thus a very useful primitive with applications ranging from database integrity verification to streaming set/multiset comparison and network coding. Unfortunately, constructions of homomorphic hash functions in the literature are hampered by two main drawbacks: they tend to be much longer than usual hash functions at the same security level (e.g. to achieve a collision resistance of 2^128, they are several thousand bits long, as opposed to 256 bits for usual hash functions), and they are also quite slow. In this paper, we introduce the Elliptic Curve Multiset Hash (ECMH), which combines a usual bit string-valued hash function like BLAKE2 with an efficient encoding into binary elliptic curves to overcome both difficulties. On the one hand, the size of ECMH digests is essentially optimal: 2m-bit hash values provide O(2^m) collision resistance. On the other hand, we demonstrate a highly-efficient software implementation of ECMH, which our thorough empirical evaluation shows to be capable of processing over 3 million set elements per second on a 4 GHz Intel Haswell machine at the 128-bit security level---many times faster than previous practical methods.

Cryptography and Security

J. Steffen Müller,Michael Stoll

DOI: https://doi.org/10.1112/s1461157016000139

2016-01-01

LMS Journal of Computation and Mathematics

Abstract:We introduce an algorithm that can be used to compute the canonical height of a point on an elliptic curve over the rationals in quasi-linear time. As in most previous algorithms, we decompose the difference between the canonical and the naive height into an archimedean and a non-archimedean term. Our main contribution is an algorithm for the computation of the non-archimedean term that requires no integer factorization and runs in quasi-linear time.

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

白国强,周涛,陈弘毅

DOI: https://doi.org/10.3321/j.issn:0372-2112.2002.11.018

2002-01-01

Abstract:The selection of secure elliptic curves and the scalar multiplications of elliptic curves are two important problems in the practice of efficiently implementing an elliptic curve cryptosystems.In this paper,we study those two problems jointly,give a class of secure elliptic curves mainly based on the computer words,describe a detailed process of how to selecting those curves,and present a new method,which is based on the idea of baby step giant step,of computing the scalar multiplication concerning those curves.With the new method,the amount of scalar multiplications based on those curves can be reduced greatly. Besides,when those curves are used,special representation method for the elements in the base field is no longer needed,and all the arithmetic in the field can be quickly accomplished.

Jíntai Ding,Bo‐Yin Yang

DOI: https://doi.org/10.1007/978-3-540-79499-8_28

2008-01-01

Abstract:We propose the idea of building a secure hash using quadratic or higher degree multivariate polynomials over a finite field as the compression function. We analyze some security properties and potential feasibility, where the compression functions are randomly chosen high-degree polynomials, and show that under some plausible assumptions, high-degree polynomials as compression functions has good properties. Next, we propose to improve on the efficiency of the system by using some specially designed polynomials generated by a small number of random parameters, where the security of the system would then relies on stronger assumptions, and we give empirical evidence for the validity of using such polynomials.Keywordshash functionmultivariate polynomialssparse

DOI: https://doi.org/10.1007/s13389-024-00353-5

2024-05-14

Journal of Cryptographic Engineering

Abstract:A one-third century ago, as a means to speed up the elliptic curve method (ECM) for integer factoring, Montgomery suggested using a special elliptic curve form over prime fields and developed an addition chain to compute scalar multiplication on them, which nowadays are famous as Montgomery curves and Montgomery ladder. Kim et al. (http://eprint.iacr.org/2017/669. 2017) and Kim et al. (Adv Math Commun https://doi.org/10.3934/amc.2020090. 2020) found the Montgomery ladder very efficient on every short Weierstrass curve, leading to the most efficient regular scalar multiplication algorithms, which was further improved by Hamburg (https://ches.2017.rump.cr.yp.to/. 2020) and Hamburg (http://eprint.iacr.org/2020/437. 2020). However, the efficiency of the Montgomery ladder in general Montgomery curves remained not improved at all since firstly presented by Montgomery. This paper addresses the long-standing Elliptic Curve Cryptography (ECC) problem. The topic of this article is considered one of the topics that have attracted much attention from the cryptographic community following the launch of a multi-year project called "Post-Quantum Cryptography Standardization" by the National Institute of Standards and Technology (NIST) and also thanks partly to featuring one of the smallest keys of any algorithm known in the literature that is conjectured to be quantum resistant. To the best of our knowledge, this article provides, for the first time after Peter L. Montgomery's, an improvement of arithmetic in general Montgomery curves, including point doubling and differential addition, which are the most fundamental operations in the context of ECC and supersingular isogeny-based primitives such as Supersingular Isogeny Diffie–Hellman (SIDH) or Supersingular Isogeny Key Encapsulation (SIKE), as well as ECM.

computer science, theory & methods

Donghoe Heo,Jeonghwan Lee,Taehoon Kang,Suhri Kim,Seokhie Hong

DOI: https://doi.org/10.1109/access.2024.3491790

IF: 3.9

2024-11-13

IEEE Access

Abstract:This paper analyzes the security and performance of the isogeny-based hash functions. The isogeny-based hash function was first proposed by Charles, Goren, and Lauter, and is referred to as the CGL hash function. However, Lauter and Petit demonstrated that a collision could be found if the endomorphism ring of the starting curve is known. Subsequently, isogeny hash functions that mitigate the Lauter-Petit attack have been proposed. This paper analyzes three methods that counter the Lauter-Petit attack: the methods proposed by Panny, Zaman and Min, and Larsson. In particular, we propose a new isogeny-based hash function SHH, which exploits Panny's method with Hessian curves. We then analyze the security and performance of the proposed SHH along with the methods by Zaman and Min (SCH) and Larsson (SLH). More specifically, the security was analyzed in the context of the Lauter-Petit attack, collision resistance, and fault tolerance. The analysis in this paper shows that all three algorithms can counter the Lauter-Petit attack. However, for SCH, we demonstrated that collision pairs could be found with carelessly chosen parameters. This paper also provides guidelines for selecting parameters to make SCH collision-resistant. From a fault-tolerance perspective, SCH and SLH are not fault-tolerant. We also present the results of implementing the three algorithms in SageMath. The implementation results show that at the 128-bit security level, hashing a 256-bit message takes 0.130s for SCH, 0.125s for projective-SLH, and 0.162s for SHH. As can be seen from the implementation results, projective-SLH is the most efficient, while SHH performs slower due to the use of a larger finite field.

computer science, information systems,telecommunications,engineering, electrical & electronic

Duo Liu,Zhiyong Tan,Yiqi Dai

DOI: https://doi.org/10.1007/978-3-642-01440-6_20

2008-01-01

Abstract:The Simple Power Analysis (SPA) attack against an elliptic curve cryptosystem distinguishes between point doubling and point addition in a single execution of scalar multiplication. Although many SPA-resistant scalar multiplication algorithms have been proposed, few countermeasures for multi-scalar multiplications are known. In this paper, we propose a new SPA-resistant multi-scalar multiplication for a pair of integers combing the Joint Sparse Form (JSF) representation technique for pair of integers, point randomization, and uniform operation sequence. The new method requires about 8.5% less multiplications in the field compared to the known countermeasures.

Kevin Yeo

2023-06-20

Abstract:Cuckoo hashing is a powerful primitive that enables storing items using small space with efficient querying. At a high level, cuckoo hashing maps $n$ items into $b$ entries storing at most $\ell$ items such that each item is placed into one of $k$ randomly chosen entries. Additionally, there is an overflow stash that can store at most $s$ items. Many cryptographic primitives rely upon cuckoo hashing to privately embed and query data where it is integral to ensure small failure probability when constructing cuckoo hashing tables as it directly relates to the privacy guarantees. As our main result, we present a more query-efficient cuckoo hashing construction using more hash functions. For construction failure probability $\epsilon$, the query overhead of our scheme is $O(1 + \sqrt{\log(1/\epsilon)/\log n})$. Our scheme has quadratically smaller query overhead than prior works for any target failure probability $\epsilon$. We also prove lower bounds matching our construction. Our improvements come from a new understanding of the locality of cuckoo hashing failures for small sets of items. We also initiate the study of robust cuckoo hashing where the input set may be chosen with knowledge of the hash functions. We present a cuckoo hashing scheme using more hash functions with query overhead $\tilde{O}(\log \lambda)$ that is robust against poly$(\lambda)$ adversaries. Furthermore, we present lower bounds showing that this construction is tight and that extending previous approaches of large stashes or entries cannot obtain robustness except with $\Omega(n)$ query overhead. As applications of our results, we obtain improved constructions for batch codes and PIR. In particular, we present the most efficient explicit batch code and blackbox reduction from single-query PIR to batch PIR.

Cryptography and Security,Data Structures and Algorithms

Jennifer S. Balakrishnan,Mirela Ciperiani,Jaclyn Lang,Bahare Mirza,Rachel Newton

DOI: https://doi.org/10.48550/arXiv.1610.08729

2016-10-27

Abstract:Let E/Q be an elliptic curve and p a rational prime of good ordinary reduction. For every imaginary quadratic field K/Q satisfying the Heegner hypothesis for E we have a corresponding line in E(K)\otimes Q_p, known as a shadow line. When E/Q has analytic rank 2 and E/K has analytic rank 3, shadow lines are expected to lie in E(Q)\otimes Q_p. If, in addition, p splits in K/Q, then shadow lines can be determined using the anticyclotomic p-adic height pairing. We develop an algorithm to compute anticyclotomic p-adic heights which we then use to provide an algorithm to compute shadow lines. We conclude by illustrating these algorithms in a collection of examples.

Number Theory

Duo LIU,Yi-qi DAI

DOI: https://doi.org/10.3321/j.issn:0372-2112.2005.08.023

2005-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Elliptic curve cryptosystem is the focus of public cryptology nowadays, for it has many advantages which the RSA lacks. In this paper, a new elliptic curve scalar multiplication algorithm is proposed. The algorithm uses the Frobenius map on optimal extension field (OEF) and the logic operations of binary strings. Based on this algorithm, a new method of computing scalar multiplication of elliptic curve over an OEF is presented. The accurate analysis about it is given. The comparisons of traditional method and the new method are presented. The running time of new method is about 60%-80% of that of the traditional φ-adic scalar multiplication algorithms of elliptic curve over OEF.

Matthew Hase-Liu,Nicholas Triantafillou

DOI: https://doi.org/10.48550/arXiv.1709.02442

2017-09-08

Abstract:In this paper, we present efficient algorithms for computing the number of points and the order of the Jacobian group of a superelliptic curve over finite fields of prime order p. Our method employs the Hasse-Weil bounds in conjunction with the Hasse-Witt matrix for superelliptic curves, whose entries we express in terms of multinomial coefficients. We present a fast algorithm for counting points on specific trinomial superelliptic curves and a slower, more general method for all superelliptic curves. For the first case, we reduce the problem of simplifying the entries of the Hasse-Witt matrix modulo p to a problem of solving quadratic Diophantine equations. For the second case, we extend Bostan et al.'s method for hyperelliptic curves to general superelliptic curves. We believe the methods we describe are asymptotically the most efficient known point-counting algorithms for certain families of trinomial superelliptic curves.

Number Theory

Xiao Li,Chang Lv,Zhizhong Pan

DOI: https://doi.org/10.1007/s11424-024-2452-5

2024-06-13

Journal of Systems Science and Complexity

Abstract:Elliptic curve cryptography is an important part of nowaday's public key cryptosystem. Counting points of elliptic curves over finite fields is of great significance to the selection of safety curves. At present, there are many p -adic algorithms, such as SST algorithm, generalized AGM algorithm, Kedlaya algorithm, etc., which can deal with the situation of finite fields of small characteristics. In this paper, the authors generalize the MSST algorithm of characteristic 2 to general fields of odd characteristic, and propose the generalized MSST algorithm. The generalized MSST algorithm is achieved by combining the advantages of the SST algorithm and the generalized AGM algorithm. If the time complexity of the multiplication of two n -bit numbers is denoted as O ( n μ ), then the time complexity of the generalized MSST algorithm is , which is the same as the improved SST algorithm. In practical experiments, the running time of the generalized MSST algorithm is less than that of the improved SST algorithm.

mathematics, interdisciplinary applications

Ebru Adiguzel-Goktas,Enver Ozdemir

2024-01-30

Abstract:In this paper, we present a review of three widely-used practical square root algorithms. We then describe a unifying framework where each of these well-known algorithms can be seen as a special case of it. The framework with singular curves offers a broad perspective to compare and further improve the existing methods in addition to offering a new avenue for square root computation algorithms in finite fields.

Number Theory

Oded Regev

DOI: https://doi.org/10.48550/arXiv.cs/0309051

2003-09-29

Abstract:We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop provide an elegant description of certain Gaussian distributions around lattice points. Our results include two cryptographic constructions which are based on the worst-case hardness of the unique shortest vector problem. The main result is a new public key cryptosystem whose security guarantee is considerably stronger than previous results ($O(n^{1.5})$ instead of $O(n^7)$). This provides the first alternative to Ajtai and Dwork's original 1996 cryptosystem. Our second result is a family of collision resistant hash functions which, apart from improving the security in terms of the unique shortest vector problem, is also the first example of an analysis which is not based on Ajtai's iterative step. Surprisingly, both results are derived from one theorem which presents two indistinguishable distributions on the segment $[0,1)$. It seems that this theorem can have further applications and as an example we mention how it can be used to solve an open problem related to quantum computation.

Cryptography and Security

Corentin Le Coz,Christopher Battarbee,Ramón Flores,Thomas Koberda,Delaram Kahrobaei

DOI: https://doi.org/10.3934/amc.2024037

2024-08-29

Advances in Mathematics of Communications

Abstract:We define new families of Tillich-Zémor hash functions, using higher dimensional special linear groups over finite fields as platforms. The Cayley graphs of these groups combine fast mixing properties and high girth, which together give rise to good preimage and collision resistance of the corresponding hash functions. We justify the claim that the resulting hash functions are post-quantum secure.

computer science, theory & methods,mathematics, applied