Conference Agenda
Session Overview

Location: Unitobler, F-123 (52 seats, 100 m^2)

Date: Tuesday, 09/Jul/2019

10:00am - 12:00pm, Unitobler, F-123
MS132, part 1: Polynomial equations in coding theory and cryptography

Polynomial equations are central in algebraic geometry, algebraic varieties being the geometric manifestations of the solution sets of systems of polynomial equations. Indeed, modern algebraic geometry is built on techniques for studying and solving geometric problems about these zero sets. At the same time, polynomial equations have found interesting applications in coding theory and cryptography. The interplay between algebraic geometry and coding theory is old and goes back to the first examples of algebraic codes defined by polynomials and of codes coming from algebraic curves. More recently, polynomial equations have found important applications in cryptography as well. For example, in multivariate cryptography, one of the prominent candidates for post-quantum cryptosystems, the trapdoor one-way function takes the form of a multivariate quadratic polynomial map over a finite field. Furthermore, the efficiency of the index calculus attack on an elliptic curve cryptosystem relies on the effectiveness of solving a system of multivariate polynomial equations. This session will feature recent progress in these and other applications of polynomial equations to coding theory and cryptography.

(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

Free resolutions of test sets and their applications to coding theory
To each linear code defined over a finite field one can associate its matroid, whose generalized Hamming weights are the same as those of the code. Johnsen and Verdure showed that the generalized Hamming weights of a matroid M are determined by the graded Betti numbers of the Stanley-Reisner ring of the simplicial complex whose faces are the independent sets of M. In this talk we go a step further: our practical results indicate that the generalized Hamming weights of a linear code can be obtained from the monomial ideal associated with a test set for the code.

Algebraic geometry codes from del Pezzo surfaces
In this talk, we consider the problem of constructing codes with good parameters from algebraic surfaces. We start from two observations. The first one, due to Voloch and Zarzar in a 2007 article, is that surfaces with a small Picard rank, in particular those with Picard rank one, seem to be interesting candidates to provide good codes. The second one is that several nice examples in the literature of surfaces yielding good codes can be understood in a unified context: that of del Pezzo surfaces. We will study the classification of del Pezzo surfaces over finite fields and consider their anticanonical codes. Such surfaces can be classified by the action of the Frobenius on the (geometric) Picard lattice, which gives many properties such as the (arithmetic) Picard number or the number of rational points. This rich structure of del Pezzo surfaces permits one to obtain fine estimates of the parameters of these codes and even to compute their automorphism groups in some cases. This investigation led to the discovery of new codes whose parameters beat the best known codes listed in the database codetables.de. This is a collaboration with Blache, Hallouin, Madore, Nardi, Rambaud and Randriam.

An Approach to Density Problems in Coding Theory
We give a new perspective on extremal codes. We obtain upper and lower bounds on the density functions of a number of families of codes within a larger family. In many cases, these bounds have expressions involving polynomials in an indeterminate q, where q is the size of the underlying scalar field. We use these expressions to obtain precise asymptotic estimates of these quantities and hence the density functions for some families of codes possessing a particular extremal property. We introduce the idea of a partition-balanced family of codes, and show how the combinatorial invariants of such families can be used to obtain estimates on the number of codes satisfying a particular property. In particular, we show that the MRD matrix codes are not dense in the family of all matrix codes of a given fixed dimension, unlike the MRD vector codes.

Multivariate Signatures
In this talk, we will present the designs of multivariate signature schemes. The focus will be on the schemes submitted in 2017 to the NIST post-quantum standardization process. We will present the key security analysis tools and the main challenges for these schemes.

3:00pm - 5:00pm, Unitobler, F-123
MS132, part 2: Polynomial equations in coding theory and cryptography

Session description and time slots: as for MS132, part 1 (Tuesday morning).

Efficient Key Generation for Rainbow
The Rainbow signature scheme is one of the most studied multivariate signature schemes and was accepted as a second round candidate in the NIST standardization process for post-quantum cryptosystems. However, the key generation process of the first round version was not very efficient. In this talk, we present a modified version of the Rainbow key generation process, which generates a Rainbow key pair using only matrix products and is therefore very efficient. Furthermore, our new algorithm also allows a very efficient key generation for Rainbow variants such as cyclicRainbow.

Algebraic techniques for cryptanalysis of rank-based cryptosystems
In the past few years, code-based cryptography in the rank metric has become increasingly popular, mainly because of its efficiency advantages over similar constructions in the Hamming metric and because of the ongoing NIST post-quantum standardization process. Several new ideas have emerged; for example, the cryptosystems based on LRPC codes follow an NTRU-like design and provide an alternative to the classical rank-based cryptosystems based on Gabidulin codes. Furthermore, the security in the rank metric is now much better understood: recently it was shown that the rank syndrome decoding problem is hard. On the other hand, the known cryptosystems do not have a reduction from the hard problem. Therefore, it is interesting to study not only the practical security of rank syndrome decoding, but also attacks that take advantage of the particular construction of the cryptosystems. In this talk I will focus on algebraic techniques in the context of rank-based cryptography. It is known that decoding problems in rank-based cryptography can be modeled as systems of (non-linear) equations; however, not much attention has been devoted to this modelling. It turns out that algebraic techniques are more powerful than previously thought. I will discuss how they can be refined and used in an unexpected way, and how the particular structure of the cryptosystems influences their efficiency.

MinRank Problems in Post-Quantum Cryptography
We explore some of the variety of MinRank problem instances arising in post-quantum cryptography. We briefly review some prototypical applications in some of the post-quantum families of schemes, recall some of the computation techniques and summarize some of the complexity results for such instances. This talk should illustrate the landscape more closely investigated in the talks of Daniel Cabarcas and Ray Perlner.

Rank Analysis of Cubic Multivariate Cryptosystems
Multivariate cryptography is the study of public-key cryptosystems based on multivariate polynomials over a finite field. Since solving a system of multivariate nonlinear polynomials over a finite field of order 2 is proven to be NP-hard, it is considered to be secure against quantum computers. Currently, most of the multivariate schemes are based on systems of quadratic polynomials, mainly for two reasons. First, they are smaller compared to higher degree constructions and hence more efficient. Second, if f is cubic, its (symmetric) differential Df(x) = f(x+a) - f(x) - f(a) is a quadratic map that preserves some of the properties of f. In quadratic constructions, one of the most successful families of attacks is the min-rank attack. It exploits the existence of a low-rank linear combination of the matrices representing the quadratic forms of the public polynomials. One natural way to avoid this attack is to use cubic polynomials. This leads to several natural questions: Is there a notion of rank for cubic forms? Can we extend the min-rank attack to cubic constructions? Is the differential attack always a vulnerability for such constructions? What are the implications of low-rank cubic constructions? In this talk, we address all these questions by taking a general perspective on cubic multivariate schemes. This is a joint work with John Baena, Daniel Cabarcas, Daniel Escudero and Javier Verbel.
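The session description above speaks of multivariate quadratic trapdoor maps, and the last abstract relies on the differential Df(x) = f(x+a) - f(x) - f(a) dropping the degree by one. The following is an added example, not code from any speaker or from a library: it tabulates two constructed homogeneous maps in two variables over GF(5) (the field size, the variable count and the two maps are assumptions of the example) and checks exhaustively that the differential of the quadratic map is linear in x for every direction a, while the differential of the cubic map is only quadratic, so that a second differential is needed before linearity returns.

```python
"""Discrete differential of multivariate polynomial maps over GF(P).

Constructed example, not code from the talk or from any library.  It checks
exhaustively, for a toy field and two variables, the fact used in the abstract:
D_a F(x) = F(x+a) - F(x) - F(a) is linear in x when F is a homogeneous
quadratic map, but only quadratic when F is cubic (its second differential
is linear again).  Polynomials are dicts {exponent tuple: coefficient}.
"""
from itertools import product

P = 5   # field size, kept tiny so every check below is exhaustive (an assumption)
N = 2   # number of variables


def points():
    """All of GF(P)^N."""
    return list(product(range(P), repeat=N))


def evaluate(poly, x):
    """Evaluate {(e0, e1): c, ...}, meaning sum of c * x0^e0 * x1^e1, at x over GF(P)."""
    total = 0
    for exps, c in poly.items():
        term = c
        for xi, e in zip(x, exps):
            term = term * pow(xi, e, P) % P
        total = (total + term) % P
    return total


def tabulate_map(F):
    """Store the polynomial map F = (f_1, ..., f_k) as a dict over all P^N points."""
    return {x: tuple(evaluate(f, x) for f in F) for x in points()}


def vadd(u, v):
    return tuple((a + b) % P for a, b in zip(u, v))


def vsub(u, v):
    return tuple((a - b) % P for a, b in zip(u, v))


def differential(T, a):
    """D_a T(x) = T(x+a) - T(x) - T(a), tabulated like T.  Assumes T(0) = 0, which
    holds for homogeneous maps and for every differential produced by this function."""
    return {x: vsub(vsub(T[vadd(x, a)], T[x]), T[a]) for x in T}


def is_linear(T):
    """Exhaustive additivity test T(x+y) = T(x) + T(y).  Over a prime field,
    additivity is the same as GF(P)-linearity, so this detects linear maps exactly."""
    pts = points()
    return all(T[vadd(x, y)] == vadd(T[x], T[y]) for x in pts for y in pts)


def nonlinear_differential_count(F):
    """How many directions a make D_a F non-linear (0 for a quadratic map)."""
    T = tabulate_map(F)
    return sum(1 for a in points() if not is_linear(differential(T, a)))


def second_differentials_linear(F):
    """True if D_b D_a F is linear for every pair of directions (a, b)."""
    T = tabulate_map(F)
    return all(is_linear(differential(differential(T, a), b))
               for a in points() for b in points())


# Constructed maps in variables x0, x1; the exponent tuple (i, j) stands for x0^i * x1^j.
QUADRATIC = [{(2, 0): 1, (1, 1): 1},       # x0^2 + x0*x1
             {(0, 2): 1, (1, 1): 2}]       # x1^2 + 2*x0*x1
CUBIC = [{(3, 0): 1, (1, 2): 1},           # x0^3 + x0*x1^2
         {(2, 1): 1, (0, 3): 1}]           # x0^2*x1 + x1^3

if __name__ == "__main__":
    print("quadratic map: non-linear differentials =", nonlinear_differential_count(QUADRATIC))
    print("cubic map:     non-linear differentials =", nonlinear_differential_count(CUBIC))
    print("cubic map:     all second differentials linear:", second_differentials_linear(CUBIC))
```

The tabulation is what keeps the checks cheap: a differential of a tabulated map is again a 25-entry table, so even the 625 second differentials of the cubic map are verified in well under a second. For a real scheme the same identity is used symbolically, with the differential of the public map giving the linear (or, for cubic schemes, quadratic) structure that rank-based attacks then examine.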

Date: Wednesday, 10/Jul/2019

10:00am - 12:00pm, Unitobler, F-123
MS145, part 1: Isogenies in Cryptography

The isogeny graph of elliptic curves over finite fields has long been a subject of study in algebraic geometry and number theory. During the past 10 years several authors have shown multiple applications in cryptology. One interesting feature is that systems built on isogenies seem to resist attacks by quantum computers, making them the most recent family of cryptosystems studied in post-quantum cryptography. This mini-symposium brings together presentations on cryptosystems built on top of isogenies, their use in applications, and different approaches to their cryptanalysis, including quantum cryptanalysis.

(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

Overview of isogenies in cryptography (Part I)
We will give an introductory overview of the current landscape in isogeny-based cryptography, including SIDH/SIKE and CSIDH. We will then summarise the latest developments and present some open problems.

Overview of isogenies in cryptography (Part II)
We will give an introductory overview of the current landscape in isogeny-based cryptography, including SIDH/SIKE and CSIDH. We will then summarise the latest developments and present some open problems.

Quantum attacks against isogenies
Childs, Jao, and Soukharev introduced a subexponential quantum attack against the original isogeny-based cryptosystem of Couveignes, Rostovtsev, and Stolbunov. The attack uses a subexponential quantum algorithm introduced by Kuperberg to find hidden shifts. This talk will (1) introduce the hidden-shift problem and the isogeny problem, (2) survey the attack algorithms, and (3) summarize the latest analyses of the costs of attacking CSIDH. This includes joint work with Lange, Martindale, and Panny (https://quantum.isogenies.org).

Pre- and post-quantum Diffie-Hellman
From a mathematical and algorithmic point of view, one of the nice features of commutative isogeny-based cryptosystems (such as CSIDH) is that they are governed by particularly simple algebraic structures, namely commutative groups acting on sets. On a strictly formal level, this allows us to draw strong analogies with classical Diffie-Hellman and discrete-logarithm-based cryptosystems, problems, and algorithms. In this talk we will explore these analogies and their limitations, and consider the relationships between the "hard" problems underlying commutative isogeny-based cryptosystems in both the pre- and post-quantum settings.

3:00pm - 5:00pm, Unitobler, F-123
MS132, part 3: Polynomial equations in coding theory and cryptography

Session description and time slots: as for MS132, part 1 (Tuesday morning).

Classical and Quantum Evaluation Codes at the Trace Roots
We introduce a new class of evaluation linear codes by evaluating polynomials at the roots of a suitable trace function. We give conditions for self-orthogonality of these codes and their subfield-subcodes with respect to the Hermitian inner product. They allow us to construct stabilizer quantum codes over several finite fields which substantially improve the codes in the literature. For the binary case, we obtain records at http://codetables.de/. Moreover, we obtain several classical linear codes over the field with four elements which are records at http://codetables.de/. Joint work with C. Galindo and F. Hernando (Jaume I University).

Optimal curves and codes with locality
In some applications, it is desirable to have erasure codes with recovery algorithms for a relatively large number of missing pieces (erasures). To maintain data availability at all times, it is advantageous to recover the information at one node, which may fail or be offline, by accessing a small number of other nodes. This leads to the notion of local recovery, meaning that for a code C of length n, a codeword symbol can be recovered by accessing at most r other coordinates of the codeword; the code C is then said to have locality r. Though there are tradeoffs in terms of the rate and minimum distance, one typically wants r small, so that communication of information from other locations is minimal, hence saving communication bandwidth. In addition, it is often desirable for each coordinate to have multiple recovery sets; such a code is said to have availability. In this talk, we consider codes with locality and availability constructed from optimal curves.

The Story of Solving Random Quadratic Multivariate Systems of Equations
Solving quadratic multivariate systems over finite fields is one of the fundamental problems in computer science and cryptography. In fact, Shannon is said to have remarked that breaking a good cipher should be as hard as solving a system of nonlinear equations. Exactly how hard that really is has been an interesting open problem. We discuss the interesting history and recent developments in solving multivariate quadratic systems, particularly those over GF(2).

The Zeta Function for Generalized Rank Weights
The zeta function of a linear block code with the Hamming metric encodes its weight distribution in a convenient way. It is particularly useful for analyzing the structural properties of a family of codes that share the same weight enumerator. The definition of the zeta function is motivated by the properties of codes with the Hamming weight obtained from algebraic curves via Goppa's construction. The rank-metric analogue of the zeta function is defined as the generating function of the normalized q-binomial moments of a matrix code endowed with the rank distance. This algebraic object is a code invariant with respect to puncturing and shortening operations, and links the rank distribution of codes to a Riemann-type hypothesis in the context of coding theory. In the first part of the talk we present the main definitions and results of the theory of rank-metric zeta functions. We then extend this concept to generalized distributions of matrix codes, and discuss the duality theory of these. In particular, we present a generalized version of the MacWilliams identities for rank-metric codes, and prove some rigidity properties of extremal codes with respect to generalized distributions. (The new results in this talk are joint work with E. Byrne and A. Ravagnani.)
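The locality and availability notions in the abstract on codes with locality can be seen on a very small code. The following is an added example and not code from the talk, which constructs its codes from optimal curves: the toy code here is the binary 3x3 array code with a parity bit on every row and every column (an assumption of the example, chosen because every one of its 9 symbols has two disjoint recovery sets of size 2, its row mates and its column mates). The block measures r and the availability directly from the recovery sets, checks the recovery identity over all 16 codewords, and repairs erasures by peeling.

```python
"""Locality and availability of an erasure code, on a constructed toy code.

Added example, not code from the talk: the code is the binary 3x3 array code
with a parity bit on each row and each column, i.e. the product of two
single-parity [3,2] codes (an assumption of this example).  Every coordinate
has two disjoint recovery sets of size r = 2, so the code has locality 2 and
availability 2.
"""
from itertools import product

K = 2              # information bits per row and per column
SIDE = K + 1       # array side length including the parity row/column
N_LEN = SIDE ** 2  # code length n


def encode(info):
    """Map K*K information bits (row-major) to the n = SIDE*SIDE codeword bits (row-major).
    Position (i, j) is an information bit for i, j < K; column K holds row parities,
    row K holds column parities (its last entry is the parity of the parities)."""
    rows = [list(info[i * K:(i + 1) * K]) for i in range(K)]
    for row in rows:
        row.append(sum(row) % 2)
    rows.append([sum(rows[i][j] for i in range(K)) % 2 for j in range(SIDE)])
    return [b for row in rows for b in row]


def recovery_sets(pos):
    """The two disjoint recovery sets of coordinate pos: the rest of its row and of its column."""
    i, j = divmod(pos, SIDE)
    row = [i * SIDE + jj for jj in range(SIDE) if jj != j]
    col = [ii * SIDE + j for ii in range(SIDE) if ii != i]
    return [row, col]


def recover(received, rset):
    """A lost symbol is the XOR of the symbols in any one of its recovery sets."""
    return sum(received[q] for q in rset) % 2


def locality():
    """r = the largest recovery set any coordinate needs."""
    return max(len(s) for pos in range(N_LEN) for s in recovery_sets(pos))


def availability():
    """Number of disjoint recovery sets guaranteed for every coordinate."""
    return min(len(recovery_sets(pos)) for pos in range(N_LEN))


def check_all_codewords():
    """Every symbol of every codeword is reproduced by each of its recovery sets."""
    for info in product((0, 1), repeat=K * K):
        c = encode(info)
        for pos in range(N_LEN):
            if any(recover(c, s) != c[pos] for s in recovery_sets(pos)):
                return False
    return True


def recover_erasures(received):
    """Repair erased positions (None) by peeling: fill any erased symbol that has
    a recovery set free of erasures, and repeat until nothing changes.  Any two
    erasures are repairable (two positions share at most one line); larger
    patterns are repaired only if some peeling order exists."""
    received = received[:]
    progress = True
    while progress:
        progress = False
        for pos, sym in enumerate(received):
            if sym is not None:
                continue
            for rset in recovery_sets(pos):
                if all(received[q] is not None for q in rset):
                    received[pos] = recover(received, rset)
                    progress = True
                    break
    return received


if __name__ == "__main__":
    c = encode([1, 0, 1, 1])
    damaged = c[:]
    damaged[0] = damaged[1] = None          # two erasures in the same row
    print("locality", locality(), "availability", availability())
    print("repaired:", recover_erasures(damaged) == c)
```

Two erasures in the same row defeat the row recovery sets but not the column ones, which is exactly what availability buys. The limit is visible too: erase the four symbols of a 2x2 sub-square and every recovery set of every erased symbol contains another erasure, so peeling makes no progress and the block returns the pattern unrepaired.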

Date: Thursday, 11/Jul/2019

10:00am - 12:00pm, Unitobler, F-123
MS145, part 2: Isogenies in Cryptography

Session description and time slots: as for MS145, part 1 (Wednesday morning).

Constant-time isogeny implementations
We discuss recent progress in implementing isogeny-based cryptosystems in constant time to resist side-channel attacks. We propose an implementation of supersingular isogeny Diffie-Hellman (SIDH) for complete Edwards curves. While the use of Edwards curves does not actually provide a faster implementation of SIDH, it does provide some security benefits against side-channel attacks. In addition, we present an optimized, constant-time software library for the commutative supersingular isogeny Diffie-Hellman key exchange (CSIDH) scheme proposed by Castryck et al., targeting 64-bit ARM processors, and designed to offer resistance against SPA and DPA side-channel attacks. SIDH results are joint work of Reza Azarderakhsh, Elena Bakos Lang, David Jao, and Brian Koziel. CSIDH results are joint work of Amir Jalali, Reza Azarderakhsh, Mehran Mozaffari Kermani, and David Jao.

Isogeny-based cryptography: a cryptanalysis perspective
In this talk I will survey known results on the security of isogeny-based protocols.

Fast isogeny-based signatures
Although several isogeny-based signature schemes have been proposed, none of them can be considered really practical. In this talk I will describe a signature scheme based on CSIDH that has moderate public key sizes and is very efficient; in particular, signing a message only requires a couple of hundred milliseconds.

Orienting supersingular isogeny graphs
Supersingular isogeny graphs have been used in the Charles–Goren–Lauter cryptographic hash function and the supersingular isogeny Diffie–Hellman (SIDH) protocol of De Feo and Jao. A recently proposed alternative to SIDH is the commutative supersingular isogeny Diffie–Hellman (CSIDH) protocol, in which the isogeny graph is first restricted to Fp-rational curves E and Fp-rational isogenies and then oriented by the quadratic subring Z[π] ⊂ End(E) generated by the Frobenius endomorphism π : E → E. We introduce a general notion of orienting supersingular elliptic curves and their isogenies, and use this as the basis to construct a general oriented supersingular isogeny Diffie-Hellman (OSIDH) protocol.

3:00pm - 5:00pm, Unitobler, F-123
MS132, part 4: Polynomial equations in coding theory and cryptography

Session description and time slots: as for MS132, part 1 (Tuesday morning).

Linearized Polynomials in Finite Geometry and Rank-Metric Coding
Linearized polynomials arise naturally in various areas of finite geometry, coding theory, and cryptography. In particular, most known constructions of good codes in the rank metric arise from studying properties of linearized polynomials. In this talk we will give an overview of the applications of these polynomials, as well as recent results towards characterising their number of roots, and present some open problems.

Quantum Algorithms for Optimization over Finite Fields and Applications in Cryptanalysis
In this talk, we present quantum algorithms for two fundamental computation problems: solving polynomial systems and optimization over finite fields. The quantum algorithms can solve these problems with any given success probability and have complexities polynomial in the size of the input and the condition number of a certain polynomial system related to the problem. So, we achieve exponential speedup for these problems when their condition numbers are small. We apply the quantum algorithm to the cryptanalysis of the stream cipher Trivium, the block cipher AES, the hash function SHA-3/Keccak, the multivariate public key cryptosystems and the lattice-based cipher NTRU, and show that they are secure under quantum algebraic attack only if the condition numbers of the corresponding equation systems are large.

On the Complexity of "Superdetermined" Minrank Instances
The Minrank (MR) problem is a computational problem closely related to attacks on code- and multivariate-based schemes. The MR problem is, given m matrices and a target rank r, to determine whether there exists a linear combination of the matrices with rank at most r. The Kipnis-Shamir (KS) approach to MR is to solve the quadratic system of equations that arises from the observation that the right kernel of a rank r matrix of size p times q has dimension q-r, by setting the entries of a kernel basis as variables. I will present some recent results on the complexity of the KS approach. I will focus on a particular set of instances that yield a very overdetermined system. I show how to construct non-trivial syzygies through the analysis of the Jacobian of the resulting system with respect to a group of variables. The resulting complexity estimate for such instances is tighter than other approaches. For example, for the HFE cryptosystem, the speedup is roughly a square root. This talk is based on a paper of the same name with my coauthors Javier Verbel, John Baena, Ray Perlner and Daniel Smith-Tone, which appeared at PQCrypto 2019.

MinRank Problems Arising from Rank-based Cryptography
Rank-based cryptosystems such as the second round candidates for NIST's post-quantum standardization process, ROLLO and RQC, have a number of desirable features, such as good performance and key size, while defending against all currently known classical and quantum attacks. Nonetheless, these cryptosystems, and the underlying Rank Syndrome Decoding (RSD) problem, have been less studied in the literature than competing lattice- and code-based cryptosystems and their underlying security assumptions. Parameters for rank-based cryptosystems are currently set using the support trapping attack of Gaborit, Ruatta, and Schrek. However, it is possible that approaches relating the Rank Syndrome Decoding problem to polynomial-based approaches to solving the MinRank problem, such as minors and Kipnis-Shamir modeling, may give better cryptanalysis for some parameters. The polynomial systems arising in these cases have a number of interesting features that distinguish them from MinRank problems that arise in multivariate cryptography. In particular: 1) the number of matrices is quadratic rather than linear in the dimension of the matrices, which generally results in a solving degree that is significantly higher than the degree of regularity when an algebraic approach is used, and 2) there is extra structure in the MinRank instances arising from RSD, due to the fact that the solution space exhibits a linear symmetry with respect to the extension field used to define the RSD problem. This allows some variables to be set for free, often reducing the complexity of the MinRank problem. This talk will explore the mathematical techniques that may be employed to give better estimates for the complexity of the RSD and related problems, and better security estimates for rank-based cryptosystems.
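The two MinRank abstracts above, and the Tuesday talk on MinRank problems in post-quantum cryptography, all start from the same statement of the problem and from the Kipnis-Shamir kernel observation. The following added example (not code from any of the speakers or from a cryptanalysis library) makes both concrete on a constructed instance of three 3x4 matrices over GF(3), which is an assumption of the example and is small enough to search exhaustively, unlike any real parameter set. It finds a rank-1 combination by brute force, computes the right kernel of that combination, checks that its dimension is q - r = 3, and evaluates the Kipnis-Shamir equations (sum of y_i M_i) K = 0 at the solution; in the actual attack those same bilinear equations, with y and the kernel entries unknown, are what a Groebner-basis solver has to handle.

```python
"""Toy MinRank instance over GF(P): brute-force solver and Kipnis-Shamir kernel check.

Constructed example, not code from the talks or from any library.  MinRank:
given matrices M_1..M_m and a target rank r, find y != 0 with
rank(sum_i y_i M_i) <= r.  Kipnis-Shamir models this with the fact that a
p x q matrix of rank r has a right kernel of dimension q - r, taking the
entries of a kernel basis K as unknowns and solving (sum_i y_i M_i) K = 0.
"""
from itertools import product

P = 3  # prime field size of the toy instance (an assumption of this example)


def lincomb(mats, coeffs):
    """sum_i coeffs[i] * mats[i] over GF(P)."""
    rows, cols = len(mats[0]), len(mats[0][0])
    out = [[0] * cols for _ in range(rows)]
    for c, A in zip(coeffs, mats):
        for i in range(rows):
            for j in range(cols):
                out[i][j] = (out[i][j] + c * A[i][j]) % P
    return out


def rref(M):
    """Reduced row echelon form over GF(P); returns (matrix, pivot columns)."""
    R = [row[:] for row in M]
    rows, cols = len(R), len(R[0])
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if R[i][c]), None)
        if piv is None:
            continue
        R[r], R[piv] = R[piv], R[r]
        inv = pow(R[r][c], P - 2, P)          # inverse exists because P is prime
        R[r] = [(x * inv) % P for x in R[r]]
        for i in range(rows):
            if i != r and R[i][c]:
                f = R[i][c]
                R[i] = [(a - f * b) % P for a, b in zip(R[i], R[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    return R, pivots


def rank(M):
    return len(rref(M)[1])


def right_kernel(M):
    """Basis of {x : M x = 0} over GF(P); its size is (#columns - rank M)."""
    R, pivots = rref(M)
    cols = len(M[0])
    basis = []
    for f in range(cols):
        if f in pivots:
            continue
        v = [0] * cols
        v[f] = 1                               # one free variable set to 1
        for i, pc in enumerate(pivots):
            v[pc] = (-R[i][f]) % P             # pivot variables read off the rref
        basis.append(v)
    return basis


def mat_vec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def ks_residuals(mats, y, kernel):
    """Kipnis-Shamir equations (sum_i y_i M_i) * k = 0 for each kernel vector k,
    evaluated at a candidate (y, K).  All-zero residuals mean (y, K) solves the system."""
    M = lincomb(mats, y)
    return [mat_vec(M, k) for k in kernel]


def minrank_bruteforce(mats, r):
    """Exhaustive search over nonzero y in GF(P)^m; first y with rank <= r, else None."""
    for y in product(range(P), repeat=len(mats)):
        if any(y) and rank(lincomb(mats, y)) <= r:
            return list(y)
    return None


# Constructed instance: three 3x4 matrices over GF(3), each of full rank 3.  By
# construction M1 + 2*M2 equals the rank-1 matrix u v^T with u = (1,2,1), v = (1,0,2,1).
MATS = [
    [[2, 1, 2, 1], [2, 1, 2, 2], [1, 0, 0, 2]],
    [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1]],
    [[0, 1, 0, 1], [1, 0, 1, 0], [1, 1, 1, 2]],
]
TARGET_RANK = 1

if __name__ == "__main__":
    y = minrank_bruteforce(MATS, TARGET_RANK)
    low = lincomb(MATS, y)
    K = right_kernel(low)
    print("solution y =", y, "rank =", rank(low), "kernel dimension =", len(K))
    print("Kipnis-Shamir residuals:", ks_residuals(MATS, y, K))
```

The brute-force search is only there to produce a known solution on the toy instance; its cost is P^m rank computations, which is exactly what the algebraic modelling avoids. The kernel basis returned by right_kernel has an identity block in the free columns, the same normalisation the Kipnis-Shamir system uses to remove the redundant unknowns before solving.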

Date: Friday, 12/Jul/2019

10:00am - 12:00pm, Unitobler, F-123
MS145, part 3: Isogenies in Cryptography

Session description and time slots: as for MS145, part 1 (Wednesday morning).

Superspecial genus 2 curves in cryptography
Isogenies can be defined between algebraic groups other than elliptic curves. In joint work with Castryck and Smith, we construct a genus 2 version of the Charles-Goren-Lauter hash function based on isogenies. We will discuss the technical difficulties that arise in adapting the elliptic curve case.

Quantum algorithms for finding isogenies between supersingular elliptic curves
We will present joint work with Jao and Sankhar on a quantum algorithm for finding an isogeny between two given supersingular elliptic curves. In general, it runs in time O(p^(1/4)), but it has subexponential run time if both curves are defined over Fp. We will also discuss improvements to this method obtained in collaboration with Iezzi and Jacobson. Our method consists in performing a quantum search within possible paths originating from the given curves to attain curves defined over Fp. Then we find an isogeny between curves defined over Fp by naturally exploiting the action of the class group of the endomorphism ring of these curves, similarly to the work of Childs, Jao and Soukharev. Further improvements to this method focus on the cost of evaluating the action of the class group.

Horizontal isogeny graphs
A horizontal isogeny graph is a graph whose vertices represent abelian varieties which all share the same endomorphism ring, and whose edges represent isogenies between them. They are an important tool to study the discrete logarithm problem on these abelian varieties, and allow one to construct promising post-quantum public key cryptosystems. We discuss the analytic methods that allow one to study the "mixing" properties of these graphs (a short random walk rapidly converges to a uniformly distributed vertex), with applications to cryptography.

Isogeny Graphs of Ordinary Abelian Surfaces and Endomorphism Rings
Building on some recent joint work with Brooks and Wesolowski, we recall a recent construction of certain l-power isogeny graphs of principally polarizable ordinary abelian varieties and study the structure of these graphs using the theory of Bruhat-Tits buildings for symplectic groups. Our results have implications for various problems from computational number theory and mathematical cryptology, most notably the question of computing endomorphism rings, as well as constructing hyperelliptic curves over finite fields whose Jacobians have a fixed characteristic polynomial of Frobenius and maximal endomorphism rings (the CM method in genus 2). This work is joint with Gaetan Bisson and Alexey Zykin (in memoriam).

3:00pm - 5:00pm, Unitobler, F-123
MS162, part 1: Applications of finite fields theory

The theory of finite fields is one of the most important meeting points of algebraic geometry, computer science, and number theory. One of the most important challenges in the area is to develop the theory of finite fields in connection with useful applications, in particular in secure communication, coding theory, and pseudorandom number generation. In this minisymposium we plan to bring together experts from many different areas of the mathematics of communication who share a common interest in the theory of finite fields. Our main purpose is to provide an overview of some of the cutting-edge research in the field, and to lay the foundations for new collaborations among researchers interested in applications of the theory of finite fields.

(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

Introductory Talk
This is an introductory talk to this session.

Using Mersenne and Fermat numbers in Cryptosystems
Modern public-key cryptography is mostly based on the hardness of factoring and of computing discrete logarithms. However, due to Shor's algorithm, large-scale quantum computers, if and when they become available, would put these systems at risk, with the danger of compromising the security of all computer applications. In this talk, we show the construction of new crypto algorithms based on arithmetic modulo Mersenne or Fermat numbers. We describe both a simple encryption algorithm and a fully homomorphic encryption scheme.

Cryptographic attacks against filter generator using monomial mapping
Filter generators are vulnerable to several attacks which have led to well-known design criteria on the Boolean filtering function (mainly algebraic immunity and nonlinearity). However, Rønjom and Cid have observed that a change of the primitive root defining the LFSR leads to several equivalent generators. They usually offer different security levels since they involve filtering functions of the form F(x^k), where k is coprime to (2^n - 1) and n denotes the LFSR length. We prove that this monomial equivalence does not affect the resistance of the generator against algebraic attacks, but usually impacts the resistance to correlation attacks. Most importantly, a more efficient attack can often be mounted by considering non-bijective monomial mappings. In this setting, a divide-and-conquer strategy applies, based on a search within a multiplicative subgroup of GF(2^n)^*. Moreover, if the LFSR length n is not a prime, a fast correlation attack involving a shorter LFSR can be performed. This attack is generic and uses the decomposition into the multiplicative subgroups of GF(2^n)^*, leading to new design criteria for Boolean functions used in cryptography.

Permutation and complete rational functions via Chebotarev theorem for function fields
Constructing permutation functions of finite fields is a task of great interest in coding theory and cryptography. Permutation polynomials over finite fields have been completely classified up to degree 6, with "ad hoc" methods for every degree. In this talk, we present a general approach for classifying permutation rational functions of any degree that exploits a refined version of the Chebotarev density theorem for function fields due to Kosters. We will show how to use the method to completely classify permutation rational functions and complete rational functions of degree 3. This is joint work with Giacomo Micheli.
| Date: Saturday, 13/Jul/2019 | |
| 10:00am - 12:00pm | MS145, part 4: Isogenies in Cryptography |
| Unitobler, F-123 | |
10:00am - 12:00pm
Isogenies in Cryptography

The isogeny graph of elliptic curves over finite fields has long been a subject of study in algebraic geometry and number theory. During the past 10 years several authors have shown multiple applications in cryptology. One interesting feature is that systems built on isogenies seem to resist attacks by quantum computers, making them the most recent family of cryptosystems studied in post-quantum cryptography. This mini-symposium brings together presentations on cryptosystems built on top of isogenies, their use in applications, and different approaches to their cryptanalysis, including quantum cryptanalysis. (25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

Post-quantum signature schemes and more from supersingular isogenies
To be completed.

Algorithmic aspects of cryptographic invariant maps from isogenies
We discuss some algorithmic aspects of candidate cryptographic invariant maps from isogenies, in particular those presented by Boneh, Glass, Krashen, Lauter, Sharif, Silverberg, Tibouchi and Zhandry in their paper on multiparty non-interactive key exchange.

Verifiable Delay Functions from Isogenies and Pairings
We present a (non-post-quantum) framework for proving statements on isogeny walks in supersingular graphs. The framework can be seen as a combination of the BLS signature scheme with the supersingular isogeny graphs popularized by the key exchange protocols SIDH and CSIDH. An instantiation of the framework for signature and interactive identification was already suggested in a 2010 patent owned by Microsoft; however, the most interesting new application we obtain is a Verifiable Delay Function, whereby an isogeny walk of "great" length between two elliptic curves is made public, and the framework produces a succinct and easily verifiable proof of isogeny evaluation (similar to a proof of work). This is joint work with S. Masson, C. Petit and A. Sanso.

Cryptographic goals beyond key exchange and signatures
We shall discuss some cryptographic problems beyond key exchange and signatures for which practical post-quantum protocols would be much appreciated. These come in two flavours depending upon motivation: protocols desired for more ethical applications that protect metadata, and protocols used in modern consensus algorithms.
| 3:00pm - 5:00pm | MS162, part 2: Applications of finite fields theory |
| Unitobler, F-123 | |
3:00pm - 5:00pm
Applications of finite fields theory

The theory of finite fields is one of the most important meeting points of algebraic geometry, computer science, and number theory. One of the most important challenges in the area is to develop the theory of finite fields in connection with useful applications, in particular in secure communication, coding theory, and pseudorandom number generation. In this minisymposium we plan to bring together experts from many different areas of the mathematics of communication who share a common interest in the theory of finite fields. Our main purpose is to provide an overview of some of the cutting-edge research in the field, and to lay the foundations for new collaborations among researchers interested in applications of the theory of finite fields. (25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)

Public key encryption and key exchange from LDPC codes: LEDAcrypt
The pioneering work of McEliece in 1978 paved the way for code-based cryptography, which is still today a promising research area for the development of cryptographic primitives characterized by high efficiency and, most importantly, quantum resistance. Among several variants of the McEliece cryptosystem employing families of codes other than the original family of Goppa codes, those based on low-density parity-check (LDPC) codes have been shown to achieve compact public keys and high algorithmic efficiency. This talk will recall the basic concepts of LDPC code-based cryptography, and then describe two primitives for asymmetric cryptography based on LDPC codes that are candidates in the NIST post-quantum cryptography standardization initiative: LEDAkem and LEDApkc.

Cryptological properties of mappings of finite fields
Mappings used in some cryptological primitives must be highly nonlinear, since linear ones are easy to predict. In this talk, we present several notions of optimal nonlinearity. We discuss connections between the different concepts and review known constructions and major open challenges in this research area.

Pseudorandom walks on elliptic curves
We give an overview of pseudorandom number generators (PRNGs) based on elliptic curves over finite fields. Many PRNGs are defined via a recursion law P_n = ψ(P_{n-1}) for some initial point P_0 in E and a rational map (morphism) ψ: E → E of the curve E. An example of such PRNGs is the so-called power generator, where ψ is a scalar multiplication: ψ: P → eP for some integer e ≥ 2. We consider in detail the case when ψ is an arbitrary endomorphism of the curve. We present bounds on the discrepancy and linear complexity of the obtained sequences.

Fractional Jumps and pseudorandom number generation
In this talk we discuss a new construction of full orbit sequences in affine spaces over finite fields via Fractional Jumps of transitive projective automorphisms; this is joint work with S. Lindqvist and G. Micheli. In dimension 1, our construction covers entirely the case of Inversive Congruential Generator (ICG) sequences. We explain how the sequences produced using Fractional Jumps enjoy the same discrepancy bounds as ICG sequences, but are less expensive to compute, thus representing a good source for pseudorandom number generation.
