Conference Agenda


 
Session Overview
Location: Unitobler, F-123
52 seats, 100 m²
Date: Tuesday, 09/Jul/2019
MS132, part 1: Polynomial equations in coding theory and cryptography
Unitobler, F-123
10:00am - 12:00pm

Polynomial equations in coding theory and cryptography

Chair(s): Alessio Caminata (University of Neuchâtel, Switzerland), Alberto Ravagnani (University College Dublin, Ireland)

Polynomial equations are central in algebraic geometry, algebraic varieties being the geometric manifestations of the solutions of systems of polynomial equations. Indeed, modern algebraic geometry is based on techniques for studying and solving geometrical problems about these sets of zeros. At the same time, polynomial equations have found interesting applications in coding theory and cryptography. The interplay between algebraic geometry and coding theory is old and goes back to the first examples of algebraic codes defined with polynomials and codes coming from algebraic curves. More recently, polynomial equations have found important applications in cryptography as well. For example, in multivariate cryptography, one of the prominent candidates for post-quantum cryptosystems, the trapdoor one-way function takes the form of a multivariate quadratic polynomial map over a finite field. Furthermore, the efficiency of the index calculus attack for breaking an elliptic curve cryptosystem relies on the effectiveness of solving a system of multivariate polynomial equations. This session will feature recent progress in these and other applications of polynomial equations to coding theory and cryptography.

 

(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

 

Free resolutions of test sets and their applications to coding theory

Edgar Martinez Moro
University of Valladolid

To each linear code defined over a finite field one can define its associated matroid and its generalized Hamming weights, which are the same as those of the code. Johnsen and Verdure showed that the generalized Hamming weights of a matroid are determined by the graded Betti numbers of the Stanley-Reisner ring of the simplicial complex whose faces are the independent sets of M. In this talk we go a step further: our practical results indicate that the generalized Hamming weights of a linear code can be obtained from the monomial ideal associated with a test-set for the code.

 

Algebraic geometry codes from del Pezzo surfaces

Alain Couvreur
INRIA

In this talk, we consider the problem of constructing codes with good parameters from algebraic surfaces. We start from two observations. The first one, due to Voloch and Zarzar in a 2007 article, is that surfaces with a small Picard rank, in particular those with Picard rank one, seem to be interesting candidates to provide good codes. The second one is that several nice examples in the literature of surfaces yielding good codes can be understood in a unified context: that of del Pezzo surfaces.

We will study the classification of del Pezzo surfaces over finite fields and consider their anticanonical codes. Such surfaces can be classified by the action of the Frobenius on the (geometric) Picard lattice, which gives many properties such as the (arithmetic) Picard number or the number of rational points. This rich structure of del Pezzo surfaces makes it possible to obtain fine estimates of the parameters of these codes and even to compute their automorphism groups in some cases. This investigation led to the discovery of new codes whose parameters beat the best known codes listed in the database codetables.de.

This is a collaboration with Blache, Hallouin, Madore, Nardi, Rambaud and Randriam.

 

An Approach to Density Problems in Coding Theory

Eimear Byrne
University College Dublin

We give a new perspective on extremal codes. We obtain upper and lower bounds on the density functions of a number of families of codes within a larger family. In many cases, these bounds have expressions involving polynomials in indeterminate q, where q is the size of the underlying scalar field.

We use these expressions to obtain precise asymptotic estimates of these quantities and hence the density functions for some families of codes possessed of a particular extremal property. We introduce the idea of a partition-balanced family of codes, and show how the combinatorial invariants of such families can be used to obtain estimates on the number of codes satisfying a particular property.

In particular, we show that the MRD matrix codes are not dense in the family of all matrix codes of a given fixed dimension, unlike the MRD vector codes.

 

Multivariate Signatures

Jintai Ding
University of Cincinnati

In this talk, we will present the designs of multivariate signatures. The focus will be on the schemes submitted to the 2017 NIST post-quantum standard submissions. We will present the key security analysis tools and the main challenges for these schemes.

 
MS132, part 2: Polynomial equations in coding theory and cryptography
Unitobler, F-123
3:00pm - 5:00pm

Polynomial equations in coding theory and cryptography

Chair(s): Alessio Caminata (University of Neuchâtel, Switzerland), Alberto Ravagnani (University College Dublin, Ireland)


 

Efficient Key Generation for Rainbow

Albrecht Petzoldt
University of Versailles

The Rainbow Signature Scheme is one of the most studied multivariate signature schemes and was accepted as a second round candidate for the NIST standardization process for post-quantum cryptosystems. However, the key generation process of the first round version was not very efficient. In this talk, we present a modified version of the Rainbow key generation process, which generates a Rainbow key pair using only matrix products, and therefore is very efficient. Furthermore, our new algorithm also allows a very efficient key generation for Rainbow variants such as cyclicRainbow.

 

Algebraic techniques for cryptanalysis of rank-based cryptosystems

Simona Samardjiska
Radboud University

In the past few years, code-based cryptography in the rank metric has become increasingly popular, mainly because of the efficiency advantages over similar constructions in the Hamming metric and the ongoing NIST post-quantum standardization process. Several new ideas have emerged - for example, the cryptosystems based on LRPC codes follow an NTRU-like design and provide an alternative to the classical rank-based cryptosystems based on Gabidulin codes. Furthermore, the security in the rank metric is now much better understood - recently it was shown that the rank syndrome decoding problem is hard. On the other hand, the known cryptosystems do not have a reduction from the hard problem. Therefore, it is interesting not only to study the practical security of rank syndrome decoding, but also attacks that take advantage of the particular construction of the cryptosystems. In this talk I will focus on algebraic techniques in the context of rank-based cryptography. It is known that decoding problems in rank-based cryptography can be modeled as systems of (non-linear) equations; however, not much attention has been devoted to this modelling. It turns out that algebraic techniques are more powerful than previously thought. I will discuss how they can be refined and used in an unexpected way, and how the particular structure of the cryptosystems influences their efficiency.

 

MinRank Problems in Post-Quantum Cryptography

Daniel Smith-Tone
NIST and University of Louisville

We explore some of the variety of MinRank problem instances arising in post-quantum cryptography. We briefly review some prototypical applications in some of the post-quantum families of schemes, recall some of the computation techniques and summarize some of the complexity results for such instances. This talk should illustrate the landscape more closely investigated in the talks of Daniel Cabarcas and Ray Perlner.

 

Rank Analysis of Cubic Multivariate Cryptosystems

Karan Khathuria
University of Zurich

Multivariate cryptography is the study of public-key cryptosystems based on multivariate polynomials over a finite field. Since solving a system of multivariate nonlinear polynomials over a finite field of order 2 is proven to be NP-hard, it is considered to be secure against quantum computers. Currently, most of the multivariate schemes are based on systems of quadratic polynomials, mainly for two reasons. First, they are smaller compared to higher degree constructions and hence more efficient. Second, if f is cubic, its (symmetric) differential Df(x) = f(x+a) - f(x) - f(a) is a quadratic map that preserves some of the properties of f. In quadratic constructions, one of the most successful families of attacks is the min-rank attack. It exploits the existence of low-rank linear combinations of the matrices representing the quadratic forms of the public polynomials. One natural way to avoid this attack is to use cubic polynomials. This leads to several natural questions: Is there a notion of rank for cubic forms? Can we extend the min-rank attack to cubic constructions? Is the differential attack always a vulnerability for such constructions? What are the implications of low-rank cubic constructions?

In this talk, we address all these questions by taking a general perspective of cubic multivariate schemes. This is a joint work with John Baena, Daniel Cabarcas, Daniel Escudero and Javier Verbel.

 

Date: Wednesday, 10/Jul/2019
MS145, part 1: Isogenies in Cryptography
Unitobler, F-123
10:00am - 12:00pm

Isogenies in Cryptography

Chair(s): Tanja Lange (Eindhoven University of Technology, The Netherlands), Chloe Martindale (Eindhoven University of Technology, The Netherlands), Lorenz Panny (Eindhoven University of Technology, The Netherlands)

The isogeny graph of elliptic curves over finite fields has long been a subject of study in algebraic geometry and number theory. During the past 10 years several authors have shown multiple applications in cryptology. One interesting feature is that systems built on isogenies seem to resist attacks by quantum computers, making them the most recent family of cryptosystems studied in post-quantum cryptography.

This mini-symposium brings together presentations on cryptosystems built on top of isogenies, their use in applications, and different approaches to the cryptanalysis, including quantum cryptanalysis.

 

(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

 

Overview of isogenies in cryptography (Part I)

Chloe Martindale, Lorenz Panny
Eindhoven University of Technology

We will give an introductory overview of the current landscape in isogeny-based cryptography, including SIDH/SIKE and CSIDH. We will then summarise the latest developments and present some open problems.

 

Overview of isogenies in cryptography (Part II)

Lorenz Panny, Chloe Martindale
Eindhoven University of Technology

We will give an introductory overview of the current landscape in isogeny-based cryptography, including SIDH/SIKE and CSIDH. We will then summarise the latest developments and present some open problems.

 

Quantum attacks against isogenies

Daniel J. Bernstein
University of Illinois at Chicago

Childs, Jao, and Soukharev introduced a subexponential quantum attack against the original isogeny-based cryptosystem from Couveignes, Rostovtsev, and Stolbunov. The attack uses a subexponential quantum algorithm introduced by Kuperberg to find hidden shifts. This talk will (1) introduce the hidden-shift problem and the isogeny problem, (2) survey the attack algorithms, and (3) summarize the latest analyses of the costs of attacking CSIDH. This includes joint work with Lange, Martindale, and Panny (https://quantum.isogenies.org).

 

Pre- and post-quantum Diffie-Hellman

Benjamin Smith
INRIA & LIX - Ecole Polytechnique

From a mathematical and algorithmic point of view, one of the nice features of commutative isogeny-based cryptosystems (such as CSIDH) is that they are governed by particularly simple algebraic structures, namely commutative groups acting on sets. On a strictly formal level, this allows us to draw strong analogies with classical Diffie-Hellman and discrete-logarithm-based cryptosystems, problems, and algorithms. In this talk we will explore these analogies and their limitations, and consider the relationships between the "hard" problems underlying commutative isogeny-based cryptosystems in both the pre- and post-quantum settings.

 
MS132, part 3: Polynomial equations in coding theory and cryptography
Unitobler, F-123
3:00pm - 5:00pm

Polynomial equations in coding theory and cryptography

Chair(s): Alessio Caminata (University of Neuchâtel, Switzerland), Alberto Ravagnani (University College Dublin, Ireland)


 

Classical and Quantum Evaluation Codes at the Trace Roots

Diego Ruano
University of Valladolid

We introduce a new class of evaluation linear codes by evaluating polynomials at the roots of a suitable trace function. We give conditions for self-orthogonality of these codes and their subfield-subcodes with respect to the Hermitian inner product. They allow us to construct stabilizer quantum codes over several finite fields which substantially improve the codes in the literature. For the binary case, we obtain records at http://codetables.de/. Moreover, we obtain several classical linear codes over the field with four elements which are records at http://codetables.de/. Joint work with C. Galindo and F. Hernando (Jaume I University).

 

Optimal curves and codes with locality

Gretchen Matthews
Virginia Tech

In some applications, it is desirable to have erasure codes that have recovery algorithms for a relatively large number of missing pieces (erasures). To maintain data availability at all times, it is advantageous to recover information at one node, which may fail or be offline, by accessing a small number of other nodes. This leads to the notion of local recovery, meaning that for a code C of length n, a codeword symbol can be recovered by accessing at most r other coordinates of the codeword; the code C is then said to have locality r. Though there are tradeoffs in terms of the rate and minimum distance, one typically wants r small, so that communication of information from other locations is minimal, hence saving communication bandwidth. In addition, it is often desirable for each coordinate to have multiple recovery sets; such a code is said to have availability. In this talk, we consider codes with locality and availability constructed from optimal curves.

 

The Story of Solving Random Quadratic Multivariate Systems of Equations

Bo Yin Yang
Academia Sinica

Solving quadratic multivariate systems over finite fields is one of the fundamental problems in computer science and cryptography. In fact, Shannon is said to have remarked that breaking a good cipher should be as hard as solving a system of nonlinear equations. Exactly how hard that really is has been an interesting open problem. We discuss the interesting history and recent developments in solving multivariate quadratic systems, particularly those over GF(2).

 

The Zeta Function for Generalized Rank Weights

Eimear Byrne, Giuseppe Cotardo, Alberto Ravagnani
University College Dublin

The zeta function of a linear block code with the Hamming metric encodes its weight distribution in a convenient way. It is particularly useful to analyze the structural properties of a family of codes that share the same weight enumerator. The definition of the zeta function is motivated by the properties of codes with the Hamming weight obtained from algebraic curves via Goppa's construction. The rank-metric analogue of the zeta function is defined as the generating function of the normalized q-binomial moments of a matrix code endowed with the rank distance. This algebraic object is a code invariant with respect to puncturing and shortening operations, and links the rank distribution of codes to a Riemann-type hypothesis in the context of coding theory.

In the first part of the talk we present the main definitions and results on the theory of rank-metric zeta functions. We then extend this concept to generalized distributions of matrix codes, and discuss the duality theory of these. In particular, we present a generalized version of the MacWilliams identities for rank-metric codes, and prove some rigidity properties of extremal codes with respect to generalized distributions.

(The new results in this talk are joint work with E. Byrne and A. Ravagnani.)

 

Date: Thursday, 11/Jul/2019
MS145, part 2: Isogenies in Cryptography
Unitobler, F-123
10:00am - 12:00pm

Isogenies in Cryptography

Chair(s): Tanja Lange (Eindhoven University of Technology, The Netherlands), Chloe Martindale (Eindhoven University of Technology, The Netherlands), Lorenz Panny (Eindhoven University of Technology, The Netherlands)


 

Constant-time isogeny implementations

David Jao
University of Waterloo

We discuss recent progress in implementing isogeny-based cryptosystems in constant time to resist side-channel attacks. We propose an implementation of supersingular isogeny Diffie-Hellman (SIDH) for complete Edwards curves. While the use of Edwards curves does not actually provide a faster implementation of SIDH, it does provide some security benefits against side-channel attacks. In addition, we present an optimized, constant-time software library for the Commutative supersingular isogeny Diffie-Hellman key exchange (CSIDH) scheme proposed by Castryck et al., targeting 64-bit ARM processors, and designed to offer resistance against SPA and DPA side-channel attacks.

SIDH results are joint work of Reza Azarderakhsh, Elena Bakos Lang, David Jao, and Brian Koziel.

CSIDH results are joint work of Amir Jalali, Reza Azarderakhsh, Mehran Mozaffari Kermani, and David Jao.

 

Isogeny-based cryptography: a cryptanalysis perspective

Christophe Petit
Birmingham University

In this talk I will survey known results on the security of isogeny-based protocols.

Fast isogeny-based signatures

Frederik Vercauteren
KU Leuven

Although several isogeny-based signature schemes have been proposed, none of them can be considered really practical. In this talk I will describe a signature scheme based on CSIDH that has moderate public key sizes and is very efficient; in particular, signing a message only requires a couple of hundred milliseconds.

 

Orienting supersingular isogeny graphs

David Kohel
University of Marseilles

Supersingular isogeny graphs have been used in the Charles–Goren–Lauter cryptographic hash function and the supersingular isogeny Diffie–Hellman (SIDH) protocol of De Feo and Jao. A recently proposed alternative to SIDH is the commutative supersingular isogeny Diffie–Hellman (CSIDH) protocol, in which the isogeny graph is first restricted to Fp-rational curves E and Fp-rational isogenies and then oriented by the quadratic subring Z[π] ⊂ End(E) generated by the Frobenius endomorphism π : E → E. We introduce a general notion of orienting supersingular elliptic curves and their isogenies, and use this as the basis to construct a general oriented supersingular isogeny Diffie–Hellman (OSIDH) protocol.

 
MS132, part 4: Polynomial equations in coding theory and cryptography
Unitobler, F-123
3:00pm - 5:00pm

Polynomial equations in coding theory and cryptography

Chair(s): Alessio Caminata (University of Neuchâtel, Switzerland), Alberto Ravagnani (University College Dublin, Ireland)


 

Linearized Polynomials in Finite Geometry and Rank-Metric Coding

John Sheekey
University College Dublin

Linearized polynomials arise naturally in various areas of finite geometry, coding theory, and cryptography. In particular, most known constructions for good codes in the rank metric arise from studying properties of linearized polynomials. In this talk we will give an overview of the applications of these polynomials, as well as recent results towards characterising their number of roots, and present some open problems.

 

Quantum Algorithms for Optimization over Finite Fields and Applications in Cryptanalysis

Xiao-Shan Gao
Academy of Mathematics and Systems Science, Chinese Academy of Sciences

In this talk, we present quantum algorithms for two fundamental computation problems: solving polynomial systems and optimization over finite fields. The quantum algorithms can solve these problems with any given success probability and have complexities polynomial in the size of the input and the condition number of a certain polynomial system related to the problem. So, we achieve exponential speedup for these problems when their condition numbers are small. We apply the quantum algorithm to the cryptanalysis of the stream cipher Trivium, the block cipher AES, the hash function SHA-3/Keccak, the multivariate public key cryptosystems, and the lattice based cipher NTRU, and show that they are secure under quantum algebraic attack only if the condition numbers of the corresponding equation systems are large.

 

On the Complexity of "Superdetermined" Minrank Instances

Daniel Cabarcas
Universidad Nacional de Colombia

The Minrank (MR) problem is a computational problem closely related to attacks on code- and multivariate-based schemes. The MR problem is, given m matrices and a target rank r, to determine whether there exists a linear combination of the matrices with rank at most r. The Kipnis-Shamir (KS) approach to MR is to solve the quadratic system of equations that arises from the observation that the dimension of the right kernel of a rank r matrix of size p times q is q-r, by setting the entries of a kernel basis as variables. I will present some recent results on the complexity of the KS approach. I will focus on a particular set of instances that yield a very overdetermined system. I show how to construct non-trivial syzygies through the analysis of the Jacobian of the resulting system with respect to a group of variables. The resulting complexity estimate for such instances is tighter than other approaches. For example, for the HFE cryptosystem, the speedup is roughly a square root. This talk is based on a paper by the same name with my coauthors Javier Verbel, John Baena, Ray Perlner and Daniel Smith-Tone, which appeared at PQCrypto 2019.

 

MinRank Problems Arising from Rank-based Cryptography

Ray Perlner
NIST

Rank-based cryptosystems such as the second round candidates for NIST's post-quantum standardization process, ROLLO and RQC, have a number of desirable features, such as good performance and key size while defending against all currently known classical and quantum attacks. Nonetheless, these cryptosystems, and the underlying Rank Syndrome Decoding (RSD) problem, have been less studied in the literature than competing lattice and code-based cryptosystems and their underlying security assumptions. Parameters for rank-based cryptosystems are currently set using the support trapping attack of Gaborit, Ruatta, and Schrek. However, it is possible that approaches relating the Rank Syndrome Decoding problem to polynomial-based approaches to solving the MinRank problem, such as minors and Kipnis-Shamir modeling, may give better cryptanalysis for some parameters. The polynomial systems arising in these cases have a number of interesting features that distinguish them from MinRank problems that arise in multivariate cryptography. In particular: 1) the number of matrices is quadratic rather than linear in the dimension of the matrices, which generally results in a solving degree that is significantly higher than the degree of regularity when an algebraic approach is used, and 2) there is extra structure in the MinRank instances arising from RSD due to the fact that the solution space exhibits a linear symmetry with respect to the extension field used to define the RSD problem. This allows some variables to be set for free, often reducing the complexity of the MinRank problem. This talk will explore the mathematical techniques that may be employed to give better estimates for the complexity of the RSD and related problems, and better security estimates for rank-based cryptosystems.

 

Date: Friday, 12/Jul/2019
MS145, part 3: Isogenies in Cryptography
Unitobler, F-123
10:00am - 12:00pm

Isogenies in Cryptography

Chair(s): Tanja Lange (Eindhoven University of Technology, The Netherlands), Chloe Martindale (Eindhoven University of Technology, The Netherlands), Lorenz Panny (Eindhoven University of Technology, The Netherlands)


 

Superspecial genus 2 curves in cryptography

Thomas Decru
KU Leuven

Isogenies can be defined between algebraic groups different from elliptic curves. In a joint work with Castryck and Smith, we construct a genus 2 version of the Charles-Goren-Lauter hash function based on isogenies. We will discuss the technical difficulties that arise from adapting the elliptic curve case.

 

Quantum algorithms for finding isogenies between supersingular elliptic curves

Jean-François Biasse
University of South Florida

We will present joint work with Jao and Sankhar on a quantum algorithm for finding an isogeny between two given supersingular elliptic curves. In general, it runs in time O(p^{1/4}), but it has subexponential run time if both curves are defined over Fp. We will also discuss improvements to this method obtained in collaboration with Iezzi and Jacobson.

Our method consists in performing a quantum search within possible paths originating from the given curves to attain curves defined over Fp. Then we find an isogeny between curves defined over Fp by naturally exploiting the action of the class group of the endomorphism ring of these curves, similarly to the work of Childs, Jao, and Soukharev. Further improvements to this method focus on the cost of the evaluation of the action of the class group.

 

Horizontal isogeny graphs

Benjamin Wesolowski
CWI

A horizontal isogeny graph is a graph whose vertices represent abelian varieties which all share the same endomorphism ring, and edges represent isogenies between them. They are an important tool to study the discrete logarithm problem on these abelian varieties, and allow to construct promising post-quantum public key cryptosystems. We discuss the analytic methods that allow to study the "mixing" properties of these graphs (a short random walk rapidly converges to a uniformly distributed vertex), with applications for cryptography.

 

Isogeny Graphs of Ordinary Abelian Surfaces and Endomorphism Rings

Dimitar Jetchev
EPFL

Building on some recent joint work with Brooks and Wesolowski, we recall a recent construction of certain l-power isogeny graphs of principally polarizable ordinary abelian varieties and study the structure of these graphs using the theory of Bruhat-Tits buildings for symplectic groups. Our results have implications in various problems from computational number theory and mathematical cryptology, most notably, the question of computing endomorphism rings as well as constructing hyperelliptic curves over finite fields whose Jacobians have a fixed characteristic polynomial of Frobenius and maximal endomorphism rings (the CM method in genus 2). This work is joint with Gaetan Bisson and Alexey Zykin (in memoriam).

 
3:00pm - 5:00pm MS162, part 1: Applications of finite fields theory
Unitobler, F-123 
 
3:00pm - 5:00pm

Applications of finite fields theory

Chair(s): Antoine Joux (University of Sorbonne), Giacomo Micheli (EPFL), Violetta Weger (University of Zurich, Switzerland)

The theory of finite fields is one of the most important meeting points of Algebraic Geometry, Computer Science, and Number Theory. One of the most important challenges in the area is to develop the theory of finite fields in connection with useful applications, in particular in secure communication, coding theory, and pseudorandom number generation. In this mini-symposium we plan to bring together experts from many different areas of the mathematics of communication who share a common interest in the theory of finite fields. Our main purpose is to provide an overview of some of the cutting-edge research in the field, and to lay the foundations for new collaborations among researchers interested in applications of the theory of finite fields.
In the cryptographic setting, we focus on new post-quantum cryptographic schemes (Marco Baldi, Antoine Joux) and cryptanalysis (Gohar Kyureghyan, Yann Rotella). For pseudorandomness we propose constructions of new pseudorandom generators (Federico Amadio Guidi, Laszlo Merai) and constructions of polynomials over finite fields with given properties that are interesting for applications (Andrea Ferraguti).

 

(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

 

Introductory Talk

Giacomo Micheli
EPFL

This is an introductory talk to this session.

 

Using Mersenne and Fermat numbers in Cryptosystems

Antoine Joux
University of Sorbonne

Modern public-key cryptography is mostly based on the hardness of factoring and of computing discrete logarithms. However, due to Shor's algorithm, large-scale quantum computers, if and when they become available, would put these systems at risk, with the danger of compromising the security of all computer applications. In this talk, we show the construction of new crypto algorithms based on arithmetic modulo Mersenne or Fermat numbers. We describe both a simple encryption algorithm and a fully homomorphic encryption scheme.

 

Cryptographic attacks against filter generator using monomial mapping

Yann Rotella
Inria

Filter generators are vulnerable to several attacks which have led to well-known design criteria on the Boolean filtering function (mainly Algebraic Immunity and Nonlinearity). However, Rønjom and Cid have observed that a change of the primitive root defining the LFSR leads to several equivalent generators. They usually offer different security levels since they involve filtering functions of the form F(x^k) where k is coprime to (2^n - 1) and n denotes the LFSR length.

We prove that this monomial equivalence does not affect the resistance of the generator against algebraic attacks, but usually impacts the resistance to correlation attacks.

Most importantly, a more efficient attack can often be mounted by considering non-bijective monomial mappings. In this setting, a divide-and-conquer strategy applies based on a search within a multiplicative subgroup of F_{2^n}^*. Moreover, if the LFSR length n is not a prime, a fast correlation attack involving a shorter LFSR can be performed.

This attack is generic and uses the decomposition into the multiplicative subgroups of F_{2^n}^*, leading to new design criteria for Boolean functions used in Cryptography.

 

Permutation and complete rational functions via Chebotarev theorem for function fields

Andrea Ferraguti
Max Planck Institute for Mathematics

Constructing permutation functions of finite fields is a task of great interest in coding theory and cryptography. Permutation polynomials over finite fields have been completely classified up to degree 6, with "ad hoc" methods for every degree. In this talk, we present a general approach for classifying permutation rational functions of any degree that exploits a refined version of the Chebotarev density theorem for function fields due to Kosters. We will show how to use the method to completely classify permutation rational functions and complete rational functions of degree 3. This is joint work with Giacomo Micheli.

 

Date: Saturday, 13/Jul/2019
10:00am - 12:00pm MS145, part 4: Isogenies in Cryptography
Unitobler, F-123 
 
10:00am - 12:00pm

Isogenies in Cryptography

Chair(s): Tanja Lange (Eindhoven University of Technology, The Netherlands), Chloe Martindale (Eindhoven University of Technology, The Netherlands), Lorenz Panny (Eindhoven University of Technology, The Netherlands)

The isogeny graph of elliptic curves over finite fields has long been a subject of study in algebraic geometry and number theory. During the past 10 years several authors have shown multiple applications in cryptology. One interesting feature is that systems built on isogenies seem to resist attacks by quantum computers, making them the most recent family of cryptosystems studied in post-quantum cryptography.

This mini-symposium brings together presentations on cryptosystems built on top of isogenies, their use in applications, and different approaches to the cryptanalysis, including quantum cryptanalysis.

 

(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

 

Post-quantum signature schemes and more from supersingular isogenies

Ward Beullens
KU Leuven

To be completed.

 

Algorithmic aspects of cryptographic invariant maps from isogenies

Florian Hess
University of Oldenburg

We discuss some algorithmic aspects of candidate cryptographic invariant maps from isogenies, in particular those presented by Boneh, Glass, Krashen, Lauter, Sharif, Silverberg, Tibouchi and Zhandry in their paper on multiparty non-interactive key exchange.

 

Verifiable Delay Functions from Isogenies and Pairings

Luca De Feo
Ecole Polytechnique

We present a (non-post-quantum) framework for proving statements on isogeny walks in supersingular graphs. The framework can be seen as a combination of the BLS signature scheme with the supersingular isogeny graphs popularized by the key exchange protocols SIDH and CSIDH.

An instantiation of the framework for signature and interactive identification was already suggested in a 2010 patent owned by Microsoft; however, the most interesting new application we obtain is a Verifiable Delay Function, whereby an isogeny walk of "great" length between two elliptic curves is made public, and the framework produces a succinct and easily verifiable proof of isogeny evaluation (similar to a proof of work).

This is joint work with S. Masson, C. Petit and A. Sanso.

 

Cryptographic goals beyond key exchange and signatures

Jeff Burdges
GNUnet

We shall discuss some cryptographic problems beyond key exchange and signatures for which practical post-quantum protocols would be much appreciated. These come in two flavours depending upon motivation: protocols desired for more ethical applications that protect metadata, and protocols used in modern consensus algorithms.

 
3:00pm - 5:00pm MS162, part 2: Applications of finite fields theory
Unitobler, F-123 
 
3:00pm - 5:00pm

Applications of finite fields theory

Chair(s): Antoine Joux (University of Sorbonne), Giacomo Micheli (EPFL), Violetta Weger (University of Zurich, Switzerland)

The theory of finite fields is one of the most important meeting points of Algebraic Geometry, Computer Science, and Number Theory. One of the most important challenges in the area is to develop the theory of finite fields in connection with useful applications, in particular in secure communication, coding theory, and pseudorandom number generation. In this mini-symposium we plan to bring together experts from many different areas of the mathematics of communication who share a common interest in the theory of finite fields. Our main purpose is to provide an overview of some of the cutting-edge research in the field, and to lay the foundations for new collaborations among researchers interested in applications of the theory of finite fields.
In the cryptographic setting, we focus on new post-quantum cryptographic schemes (Marco Baldi, Antoine Joux) and cryptanalysis (Gohar Kyureghyan, Yann Rotella). For pseudorandomness we propose constructions of new pseudorandom generators (Federico Amadio Guidi, Laszlo Merai) and constructions of polynomials over finite fields with given properties that are interesting for applications (Andrea Ferraguti).

 

(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

 

Public key encryption and key exchange from LDPC codes: LEDAcrypt

Paolo Santini
Marche Polytechnic University

The pioneering work of McEliece in 1978 paved the way for code-based cryptography, which is still today a promising research area for the development of cryptographic primitives characterized by high efficiency and, most importantly, quantum resistance. Among several variants of the McEliece cryptosystem employing families of codes other than the original family of Goppa codes, those based on low-density parity-check (LDPC) codes have been shown able to achieve compact public keys and high algorithmic efficiency. This talk will recall the basic concepts of LDPC code-based cryptography, and then describe two primitives for asymmetric cryptography based on LDPC codes that are candidates to the NIST post-quantum cryptography standardization initiative: LEDAkem and LEDApkc.

 

Cryptological properties of mappings of finite fields

Gohar Kyureghyan
University of Rostock

Mappings used in some cryptological primitives must be highly nonlinear, since linear ones are easy to predict. In this talk, we present several notions of optimal nonlinearity. We discuss connections between the different concepts and review known constructions and major open challenges in this research area.

 

Pseudorandom walks on elliptic curves

Laszlo Merai
RICAM

We give an overview of pseudorandom number generators (PRNGs) based on elliptic curves over finite fields. Many PRNGs are defined via a recursion law P_n = ψ(P_{n-1}) for some initial point P_0 in E and a rational map (morphism) ψ: E → E of the curve E. An example of such PRNGs is the so-called power generator, where ψ is a scalar multiplication: ψ: P → eP for some integer e ≥ 2. We consider in detail the case when ψ is an arbitrary endomorphism of the curve.

We present bounds on the discrepancy and linear complexity of the obtained sequences.
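As an added illustration of the recursion law above (example code, not from the talk or its author), the power generator P_n = e·P_{n-1} on a small constructed curve y^2 = x^3 + 2x + 3 over F_97 with constructed seed P_0 = (3, 6), together with a check of when the resulting point sequence starts repeating; the curve and all parameter values are toy assumptions, not cryptographic.

```python
# Added example (not the talk's code): the elliptic-curve power generator P_n = e * P_{n-1}
# on a constructed toy curve y^2 = x^3 + A*x + B over F_P; None is the point at infinity.
P_MOD, A, B = 97, 2, 3  # constructed toy parameters, not a secure curve
SEED = (3, 6)  # constructed seed P_0; 6^2 == 3^3 + 2*3 + 3 (mod 97)

def is_on_curve(pt):
    """True for the identity and for affine points satisfying the curve equation."""
    return pt is None or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def add(p1, p2):
    """Affine group law, including the identity and doubling cases."""
    if p1 is None or p2 is None:
        return p1 or p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """Double-and-add computation of k * pt for a non-negative integer k."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def power_generator(p0, e, n):
    """Return [P_0, ..., P_n] with P_i = e * P_{i-1}, so P_i = e^i * P_0."""
    seq = [p0]
    for _ in range(n):
        seq.append(scalar_mult(e, seq[-1]))
    return seq

def period(seq):
    """(preperiod, period) at the first repeated point of seq, or None if no repeat."""
    seen = {}
    for i, pt in enumerate(seq):
        if pt in seen:
            return seen[pt], i - seen[pt]
        seen[pt] = i
    return None
```

Because the group generated by P_0 is finite, the sequence is eventually periodic, which is why the discrepancy and linear-complexity bounds mentioned above only cover the initial segment before the cycle.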

 

Fractional Jumps and pseudorandom number generation

Federico Amadio Guidi
University of Oxford

In this talk we discuss a new construction of full orbit sequences in affine spaces over finite fields via Fractional Jumps of transitive projective automorphisms; this is joint work with S. Lindqvist and G. Micheli. In dimension 1, our construction entirely covers the case of Inversive Congruential Generator (ICG) sequences. We explain how the sequences produced using Fractional Jumps enjoy the same discrepancy bounds as ICG sequences but are less expensive to compute, thus representing a good source for pseudorandom number generation.