IACR Cryptology ePrint Archive
Many isogeny-based cryptosystems are believed to rely on the hardness of the Supersingular Decision Diffie-Hellman (SSDDH) problem. However, most cryptanalytic efforts have treated the hardness of this problem as being equivalent to the more generic supersingular ℓ^e-isogeny problem, an established hard problem in number theory. In this work, we shine some light on the possibility that the combination of two additional pieces of information given in practical SSDDH instances (the image of the torsion subgroup, and the starting curve's endomorphism ring) can lead to better attacks on cryptosystems relying on this assumption. We show that SIKE/SIDH are secure against our techniques. However, in certain settings, e.g., multi-party protocols, our results may suggest a larger gap between the security of these cryptosystems and the ℓ^e-isogeny problem. Our analysis relies on the ability to find many endomorphisms on the base curve that have special properties. To the best of our knowledge, this class of endomorphisms has never been studied in the literature. We informally discuss the parameter sets where these endomorphisms should exist. We also present an algorithm which may provide information about additional torsion points under the party's private isogeny, which is of independent interest. Finally, we present a minor variation of the SIKE protocol that avoids exposing a known endomorphism ring.
dblp:journals/iacr/BottinelliQLMPS19
Lecture Notes in Computer Science
We study a scheme of Bai and Galbraith (CT-RSA'14), also known as TESLA. TESLA was thought to have a tight security reduction from the learning with errors problem (LWE) in the random oracle model (ROM). Moreover, a variant using chameleon hash functions was lifted to the quantum random oracle model (QROM). However, both reductions were later found to be flawed, and hence it remained unresolved until now whether TESLA can be proven to be tightly secure in the (Q)ROM. In the present paper we provide an entirely new, tight security reduction for TESLA from LWE in the QROM (and thus in the ROM). Our security reduction involves the adaptive re-programming of a quantum oracle. Furthermore, we propose parameter sets targeting 128 bits of security against both classical and quantum adversaries and compare TESLA's performance with state-of-the-art signature schemes.
doi:10.1007/978-3-319-59879-6_9
We would also like to thank Filip Pawlega and the anonymous reviewers for their careful reading and helpful feedback. ...
arXiv:2005.14681v3
recommendations from the Council of Europe to promote tolerance and to promulgate legislation banning discrimination based on sexual orientation, the Polish government has not taken any such steps (Pawlęga ... of equality parades: no one was naked, no one was in feathers, nobody flashed their boobs, nor asses and I was in shock (Focus group interview with Monika, Justyna, Kasia, Mariusz, Ewelina and Filip ...
doi:10.21953/lse.6pv8ey9vxc10