Conference Agenda

Session Overview
Session
MS134, part 4: Coding theory and cryptography
Time:
Wednesday, 10/Jul/2019:
3:00pm - 5:00pm

Location: Unitobler, F-122
52 seats, 100m^2

Presentations
3:00pm - 5:00pm

Coding theory and cryptography

Chair(s): Alessio Caminata (University of Neuchâtel, Switzerland), Alberto Ravagnani (University College Dublin, Ireland)

The focus of this proposal is on coding theory and cryptography, with emphasis on the algebraic aspects of these two research fields. Error-correcting codes are mathematical objects that allow reliable communications over noisy/lossy/adversarial channels. Constructing good codes and designing efficient decoding algorithms for them often reduces to solving algebra problems, such as counting rational points on curves, solving equations, and classifying finite rings and modules. Cryptosystems can be roughly defined as functions that are easy to evaluate, but whose inverse is difficult to compute in practice. These functions are in general constructed using algebraic objects and tools, such as polynomials, algebraic varieties, and groups. The security of the resulting cryptosystem heavily relies on the mathematical properties of these. The sessions we propose feature experts of algebraic methods in coding theory and cryptography. All levels of experience are represented, from junior to very experienced researchers.


(25 minutes for each presentation, including questions, followed by a 5-minute break; in case of x<4 talks, the first x slots are used unless indicated otherwise)


Pairing-friendly curves in cryptography

Aurore Guillevic
Inria

Pairings on elliptic curves are involved in signatures, NIZK, and recently in blockchains (ZK-SNARKs). These pairings take as input two points on an elliptic curve E over a finite field, and output a value in an extension of that finite field. Usually, for efficiency reasons, this extension degree is a power of 2 and 3 (such as 12, 18, 24), and moreover the characteristic of the finite field has a special form. The security relies on the hardness of computing discrete logarithms in the group of points of the curve and in the finite field extension.

In 2013-2016, new variants of the function field sieve and the number field sieve algorithms turned out to be faster in certain finite fields related to pairing-based cryptography, in particular those which had a very efficient arithmetic. Now small characteristic settings are discarded. The situation for GF(p^k), where p is prime and k is small, is still quite unclear. We refine the work of Menezes-Sarkar-Singh and Barbulescu-Duquesne to estimate the cost of a hypothetical implementation of the Special-Tower-NFS in GF(p^k) for small k, and deduce parameter sizes for cryptographic pairings.
Joint work with Shashank Singh.


On a question of F.R.K. Chung and its relevance to the discrete logarithm problem in extension fields

Robert Granger
University of Surrey

We consider a question possibly first raised by F.R.K. Chung in 1989 regarding the representation of elements of GF(q^n) as a product of linear elements, whose bearing on the discrete logarithm problem seems not to be well-known.


Using the ring structure to solve Ring-Learning-with-Errors

Katherine E. Stange
University of Colorado, Boulder

Ring-Learning-with-Errors is a lattice-based hard problem proposed for post-quantum cryptography. This problem has become very popular, due to its apparent quantum-safety and its adaptability to cryptographic applications, such as homomorphic encryption. It has security reductions to more familiar lattice problems. But Ring-Learning-with-Errors is usually built on two-power cyclotomic rings, and it is natural to ask if there are attacks on these problems based on the ring structure. I will discuss the ring-theoretic structure and how to exploit it to obtain some potential speedups over generic lattice algorithms.


MDP convolutional codes

Julia Lieb
University of Aveiro

Maximum distance profile (MDP) convolutional codes have the property that their column distances are as large as possible. It has been shown that, transmitting over an erasure channel, these codes have optimal recovery rate for windows of a certain length. Additionally, the subclass of complete MDP convolutional codes has the ability to reduce the waiting time during decoding. Hence, it is possible to develop quite efficient decoding algorithms over the erasure channel for these codes.

The existence of MDP and complete MDP convolutional codes for arbitrary rate and degree has been shown for sufficiently large field sizes. Moreover, there exist basically two general construction techniques for these codes, which we will present here. However, one could see that these constructions require very large field sizes, but at least the second of these constructions works for arbitrary characteristic of the field. Therefore, one goal is to investigate which field sizes are possible in order that MDP or complete MDP convolutional codes with given rate and degree could exist. Furthermore, we aim to construct such codes over fields of possibly small size, starting to try this for rather small values of the code parameters.