National Institute of Standards and Technology における超伝導研究及び生活

An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of copyrighted function which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based copyrighted function. Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead, however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).

Traitor Tracing with constant transmission rate

Quantum computers will break today's most popular public-key cryptographic systems, including RSA, DSA, and ECDSA. This book introduces the reader to the next generation of cryptographic algorithms, the systems that resist quantum-computer attacks: in particular, post-quantum public-key encryption systems and post-quantum public-key signature systems. Leading experts have joined forces for the first time to explain the state of the art in quantum computing, hash-based cryptography, code-based cryptography, lattice-based cryptography, and multivariate cryptography. Mathematical foundations and implementation issues are included. This book is an essential resource for students and researchers who want to contribute to the field of post-quantum cryptography.

Post-quantum cryptography

We present new candidates for quantum-resistant public-key cryptosystems based on the conjectured difficulty of finding isogenies between supersingular elliptic curves. The main technical idea in our scheme is that we transmit the images of torsion bases under the isogeny in order to allow the two parties to arrive at a common shared key despite the noncommutativity of the endomorphism ring. Our work is motivated by the recent development of a subexponential-time quantum algorithm for constructing isogenies between ordinary elliptic curves. In the supersingular case, by contrast, the fastest known quantum attack remains exponential, since the noncommutativity of the endomorphism ring means that the approach used in the ordinary case does not apply. We give a precise formulation of the necessary computational assumption along with a discussion of its validity. In addition, we present implementation results showing that our protocols are multiple orders of magnitude faster than previous isogeny-based cryptosystems over ordinary curves.

/pdf/towards-quantum-resistant-cryptosystems-from-supersingular-3i2d4br24h.pdf

Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense- indistinguishability against adaptive chosen-ciphertext attacks in the random oracle model. In particular, this conversion can be applied efficiently to an asymmetric encryption scheme that provides a large enough coin space and, for every message, many enough variants of the encryption, like the ElGamal encryption scheme.

Secure integration of asymmetric and symmetric encryption schemes

Abstract We present new candidates for quantum-resistant public-key cryptosystems based on the conjectured difficulty of finding isogenies between supersingular elliptic curves. The main technical idea in our scheme is that we transmit the images of torsion bases under the isogeny in order to allow the parties to construct a shared commutative square despite the non-commutativity of the endomorphism ring. We give a precise formulation of the necessary computational assumptions along with a discussion of their validity, and prove the security of our protocols under these assumptions. In addition, we present implementation results showing that our protocols are multiple orders of magnitude faster than previous isogeny-based cryptosystems over ordinary curves. This paper is an extended version of [Lecture Notes in Comput. Sci. 7071, Springer (2011), 19–34]. We add a new zero-knowledge identification scheme and detailed security proofs for the protocols. We also present a new, asymptotically faster, algorithm for key generation, a thorough study of its optimization, and new experimental data.

/pdf/towards-quantum-resistant-cryptosystems-from-supersingular-37t03wpqh1.pdf

Given two elliptic curves over a finite field having the same cardinality and endomorphism ring, it is known that the curves admit an isogeny between them, but finding such an isogeny is believed to be computationally difficult. The fastest known classical algorithm takes exponential time, and prior to our work no faster quantum algorithm was known. Recently, public-key cryptosystems based on the presumed hardness of this problem have been proposed as candidates for post-quantum cryptography. In this paper, we give a subexponential-time quantum algorithm for constructing isogenies, assuming the Generalized Riemann Hypothesis (but with no other assumptions). Our algorithm is based on a reduction to a hidden shift problem, together with a new subexponential-time algorithm for evaluating isogenies from kernel ideals (under only GRH), and represents the first nontrivial application of Kuperberg's quantum algorithm for the hidden shift problem. This result suggests that isogeny-based cryptosystems may be uncompetitive with more mainstream quantum-resistant cryptosystems such as lattice-based cryptosystems.

Constructing elliptic curve isogenies in quantum subexponential time

We present new candidates for quantum-resistant public-key cryptosystems based on the conjectured difficulty of finding isogenies between supersingular elliptic curves. The main technical idea in our scheme is that we transmit the images of torsion bases under the isogeny in order to allow the parties to construct a shared commutative square despite the noncommutativity of the endomorphism ring. Our work is motivated by the recent development of a subexponential-time quantum algorithm for constructing isogenies between ordinary elliptic curves. In the supersingular case, by contrast, the fastest known quantum attack remains exponential, since the noncommutativity of the endomorphism ring means that the approach used in the ordinary case does not apply. We give a precise formulation of the necessary computational assumptions along with a discussion of their validity, and prove the security of our protocols under these assumptions. In addition, we present implementation results showing that our protocols are multiple orders of magnitude faster than previous isogeny-based cryptosystems over ordinary curves. This paper is an extended version of [19]. We add a new zero-knowledge identification scheme, and detailed security proofs for the protocols. We also present a new, asymptotically faster, algorithm for key generation, a thorough study of its optimization, and new experimental data.

/pdf/towards-quantum-resistant-cryptosystems-from-supersingular-2k0o9u35cc.pdf

Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies.

Quantum computation has the potential for dramatic impact on cryptography. Shor’s algorithm [16] breaks the two most widely used public-key cryptosystems, RSA encryption and elliptic curve cryptography. Related quantum algorithms could break other classical cryptographic protocols, such as Buchmann-Williams key exchange [8] and algebraically homomorphic encryption [5]. Thus there is considerable interest in understanding which classical cryptographic schemes are or are not secure against quantum attacks, both from a practical perspective and as a potential source of new quantum algorithms that outperform classical computation. While it is well known that quantum computers can efficiently solve the discrete logarithm problem in elliptic curve groups, other computations involving elliptic curves may be significantly more difficult. In particular, Couveignes [4] and Rostovtsev and Stolbunov [15, 17] proposed publickey cryptosystems based on the presumed difficulty of constructing an isogeny between two given elliptic curves. Informally, an isogeny is a map between curves that preserves their algebraic structure. Isogenies play a major role in classical computational number theory, yet as far as we are aware they have yet to be studied from the standpoint of quantum computation. In this work, we present a quantum algorithm for constructing an isogeny between two ordinary elliptic curves. The isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O∆ of discriminant ∆ < 0. Given two isogenous ordinary elliptic curves E0, E1 over Fq with the same endomorphism ring O∆, we show how to construct an isogeny φ : E0 → E1 (specified by its kernel, represented by a smooth ideal class [b] ∈ Cl(O∆)). The output of this algorithm is sufficient to recover the private key in all proposed isogeny-based public-key cryptosystems [4, 15, 17]. The running time of our algorithm is subexponential—specifically, assuming the Generalized Riemann Hypothesis (GRH), it runs in time L(12 , √ 3 2 ), where L( 2 , c) := exp [ (c+ o(1)) √ ln q ln ln q ] .

/pdf/constructing-elliptic-curve-isogenies-in-quantum-x0zq7auk2x.pdf

David Jao

Papers

Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

Constructing elliptic curve isogenies in quantum subexponential time

Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies.

Constructing elliptic curve isogenies in quantum subexponential time