Section: New Results

Algebraic Curves for Cryptology

Cocks-Pinch Curves of Embedding Degrees Five to Eight and Optimal Ate Pairing Computation

Participants : Aurore Guillevic, Simon Masson, Emmanuel Thomé.

In [21] we explored a modification of the Cocks-Pinch method to generate pairing-friendly curves resistant to the Special-Tower-NFS algorithm (STNFS). We carefully estimated the cost of the STNFS attack for existing families of curves, and chose curves of embedding degree five to eight. For prime embedding degrees 5 and 7, our curves are naturally immune to the STNFS attack, but their performance level is not high. For composite embedding degrees 6 and 8 for which the TNFS attack applies, we chose the parameters from a family that is general enough to thwart the “special” variant STNFS; we also optimized these parameter choices so that these curves can have a reasonably efficient pairing computation, close with the very best possible curve choices.

A Short-List of Pairing-Friendly Curves Resistant to Special TNFS at the 128-bit Security Level

Participant : Aurore Guillevic.

The preprint [20] applies the refinements of the paper [22] to estimate the cost of the Special Tower NFS algorithm for particular pairing-friendly curves, whose target group is ${𝔽}_{p^n}$, and where the characteristic is special, parameterized by a low degree polynomial. We show that with a new variant of the polynomial selection, the estimated cost is reduced, but stays above the theoretical bound of the Special NFS $L_{p^n}(1/3,{(32/9)}^{1/3})$. This variant does not apply to the Cocks-Pinch curves of [21]. We list nine interesting pairing-friendly curves of embedding degrees between 10 and 16 at the 128-bit security level.

A Practical Attack on ECDSA Implementations Using wNAF Representation

Participants : Gabrielle de Micheli, Cécile Pierrot, Rémi Piau.

ECDSA is a widely deployed public key signature protocol that uses elliptic curves. One way of attacking ECDSA with wNAF implementation for the scalar multiplication is to perform a side-channel analysis to collect information, then use a lattice based method to recover the secret key. In [18], we re-investigate the construction of the lattice used in one of these methods, the Extended Hidden Number Problem (EHNP). We find the secret key with only 3 signatures, thus reaching the theoretical bound never achieved before. Our attack is more efficient than previous attacks, has better probability of success, and is still able to find the secret key with a small amount of erroneous traces, up to 2% of false digits.

Algorithmic Aspects of Elliptic Bases in Finite Field Discrete Logarithm Algorithms

Participant : Cécile Pierrot.

Elliptic bases give an elegant way of representing finite field extensions and were used as a starting point for small characteristic finite field discrete logarithm algorithms. This idea has been proposed by two groups, in order to achieve provable quasi-polynomial time algorithms for computing discrete logarithms in small characteristic finite fields. In [23], together with Antoine Joux, we do not try to achieve a provable algorithm, but instead we investigate the practicality of heuristic algorithms based on elliptic bases.

A Fast Randomized Geometric Algorithm for Computing Riemann-Roch Spaces

Participants : Aude Le Gluher, Pierre-Jean Spaenlehauer [contact] .

In [7], we proposed a probabilistic variant of Brill-Noether's algorithm for computing a basis of the Riemann-Roch space $L\left(D\right)$ associated to a divisor $D$ on a projective plane curve $𝒞$ over a sufficiently large perfect field $k$. Most of the results of this work have been obtained in 2018. In 2019, we have strengthened these results and revised the associated paper. This new version of the paper has been accepted for publication in the journal Mathematics of Computation.

Counting Points on Hyperelliptic Curves

Participants : Pierrick Gaudry, Pierre-Jean Spaenlehauer.

Two works with Simon Abelard [1], [2] following his PhD thesis about improved complexities for counting point algorithms of hyperelliptic curves with or without real multiplication are now formally published as journal articles.

Verifiable Delay Functions from Supersingular Isogenies and Pairings

Participant : Simon Masson.

Together with Luca De Feo, Christophe Petit and Antonio Sanso, we introduce in [11] two verifiable delay functions based on isogenies of supersingular elliptic curves and pairing. We discuss both the advantages and drawbacks of our constructions, we study their security and we demonstrate their practicality with a proof-of-concept implementation. This work appears in the proceedings of ASIACRYPT'2019.

Isogeny Graphs With Maximal Real Multiplication

Participant : Emmanuel Thomé.

Emmanuel Thomé and Sorina Ionica (post-doctoral fellow in the former CARAMEL team in 2012) worked on a new algorithm for computing isogeny graphs for Jacobians of curves having the special property that the intersection of their endomorphism ring with its real subfield is maximal. The resulting algorithm is the first depth-first algorithm for this task. The work [6] was finally published.