IACR Cryptol. ePrint Arch. Latest Publications

Computing 2-isogenies between Kummer lines
Pub Date : 2024-04-09 DOI: 10.62056/abvua69p1
Damien Robert, Nicolas Sarkis
We use theta groups to study 2-isogenies between Kummer lines, with a particular focus on the Montgomery model. This allows us to recover known formulas, along with more efficient forms for translated isogenies, which require only 2S + 2m_0 for evaluation. We leverage these translated isogenies to build a hybrid ladder for scalar multiplication on Montgomery curves with rational 2-torsion, which costs 3M + 6S + 2m_0 per bit, compared to 5M + 4S + 1m_0 for the standard Montgomery ladder.
Citations: 0
Computing isogenies between finite Drinfeld modules
Pub Date : 2024-04-09 DOI: 10.62056/avommp-3y
B. Wesolowski
We prove that isogenies between Drinfeld F[x]-modules over a finite field can be computed in polynomial time. This breaks Drinfeld analogs of isogeny-based cryptosystems.
Citations: 3
Preliminary Cryptanalysis of the Biscuit Signature Scheme
Pub Date : 2024-04-09 DOI: 10.62056/aemp-4c2h
Charles Bouillaguet, Julia Sauvage
Biscuit is a recent multivariate signature scheme based on the MPC-in-the-Head paradigm. It has been submitted to the NIST competition for additional signature schemes. Signatures are derived from a zero-knowledge proof of knowledge of the solution of a structured polynomial system. This extra structure enables efficient proofs and compact signatures. This short note demonstrates that it also makes these polynomial systems easier to solve than random ones. As a consequence, the original parameters of Biscuit failed to meet the required security levels and had to be upgraded.
Citations: 1
On the Efficiency of Generic, Quantum Cryptographic Constructions
Pub Date : 2024-04-09 DOI: 10.62056/a66c0l5vt
Keita Xagawa
One of the central questions in cryptology is how efficient generic constructions of cryptographic primitives can be. Gennaro, Gertner, Katz, and Trevisan [SIAM J. of Compt., 2005] studied the lower bounds of the number of invocations of a (trapdoor) one-way permutation in order to construct cryptographic schemes, e.g., pseudorandom number generators, digital signatures, and public-key and symmetric-key encryption. Recently, quantum machines have been explored to _construct_ cryptographic primitives other than quantum key distribution. This paper studies the efficiency of _quantum_ black-box constructions of cryptographic primitives when the communications are _classical_. Following Gennaro et al., we give the lower bounds of the number of invocations of an underlying quantumly-computable quantum-one-way permutation when the _quantum_ construction of pseudorandom number generator and symmetric-key encryption is weakly black-box. Our results show that the quantum black-box constructions of pseudorandom number generator and symmetric-key encryption do not improve the number of invocations of an underlying quantumly-computable quantum-one-way permutation.
Citations: 0
Proximity Testing with Logarithmic Randomness
Pub Date : 2024-04-09 DOI: 10.62056/aksdkp10
Benjamin E. Diamond, Jim Posen
A fundamental result dating to Ligero (Des. Codes Cryptogr. '23) establishes that each fixed linear block code exhibits proximity gaps with respect to the collection of affine subspaces, in the sense that each given subspace either resides entirely close to the code, or else contains only a small portion which resides close to the code. In particular, any given subspace's failure to reside entirely close to the code is necessarily witnessed, with high probability, by a uniformly randomly sampled element of that subspace. We investigate a variant of this phenomenon in which the witness is not sampled uniformly from the subspace, but rather from a much smaller subset of it. We show that a logarithmic number of random field elements (in the dimension of the subspace) suffice to effect an analogous proximity test, with moreover only a logarithmic (multiplicative) loss in the possible prevalence of false witnesses. We discuss applications to recent noninteractive proofs based on linear codes, including Brakedown (CRYPTO '23).
Citations: 5
Recovering cryptographic keys from partial information, by example
Pub Date : 2024-04-09 DOI: 10.62056/ahjbksdja
Gabrielle De Micheli, N. Heninger
Side-channel attacks targeting cryptography may leak only partial or indirect information about the secret keys. There are a variety of techniques in the literature for recovering secret keys from partial information. In this work, we survey several of the main families of partial key recovery algorithms for RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the classical public-key cryptosystems in common use today. We categorize the known techniques by the structure of the information that is learned by the attacker, and give simplified examples for each technique to illustrate the underlying ideas.
Citations: 18
How to Make Rational Arguments Practical and Extractable
Pub Date : 2024-04-09 DOI: 10.62056/a63zl86bm
Matteo Campanelli, Chaya Ganesh, Rosario Gennaro
We investigate proof systems where security holds against rational parties instead of malicious ones. Our starting point is the notion of rational arguments, a variant of rational proofs (Azar and Micali, STOC 2012) where security holds against rational adversaries that are also computationally bounded. Rational arguments are an interesting primitive because they generally allow for very efficient protocols, and in particular sublinear verification (i.e. where the Verifier does not have to read the entire input). In this paper we aim at narrowing the gap between literature on rational schemes and real world applications. Our contribution is two-fold. We provide the first construction of rational arguments for the class of polynomial computations that is practical (i.e., it can be applied to real-world computations on reasonably common hardware) and with logarithmic communication. Techniques-wise, we obtain this result through a compiler from information-theoretic protocols and rational proofs for polynomial evaluation. The latter could be of independent interest. As a second contribution, we propose a new notion of extractability for rational arguments. Through this notion we can obtain arguments where knowledge of a witness is incentivized (rather than incentivizing mere soundness). We show how our aforementioned compiler can also be applied to obtain efficient extractable rational arguments for NP.
Citations: 0
Fast polynomial multiplication using matrix multiplication accelerators with applications to NTRU on Apple M1/M3 SoCs
Pub Date : 2024-04-09 DOI: 10.62056/a3txommol
Décio Luiz Gazzoni Filho, Guilherme Brandão, Julio López Hernandez
Efficient polynomial multiplication routines are critical to the performance of lattice-based post-quantum cryptography (PQC). As PQC standards only recently started to emerge, CPUs still lack specialized instructions to accelerate such routines. Meanwhile, deep learning has grown immeasurably in importance. Its workloads call for teraflops-level of processing power for linear algebra operations, mainly matrix multiplication. Computer architects have responded by introducing ISA extensions, coprocessors and special-purpose cores to accelerate such operations. In particular, Apple ships an undocumented matrix-multiplication coprocessor, AMX, in hundreds of millions of mobile phones, tablets and personal computers. Our work repurposes AMX to implement polynomial multiplication and applies it to the NTRU cryptosystem, setting new speed records on the Apple M1 and M3 systems-on-chip (SoCs): polynomial multiplication, key generation, encapsulation and decapsulation are sped up by 1.54–3.07×, 1.08–1.33×, 1.11–1.50× and 1.20–1.98×, respectively, over the previous state-of-the-art.
Citations: 1
Secure Multi-Party Linear Algebra with Perfect Correctness
Pub Date : 2024-04-09 DOI: 10.62056/avzojbkrz
Jules Maire, Damien Vergnaud
We present new secure multi-party computation protocols for linear algebra over a finite field, which improve the state-of-the-art in terms of security. We look at the case of unconditional security with perfect correctness, i.e., information-theoretic security without errors. We notably propose an expected constant-round protocol for solving systems of m linear equations in n variables over Fq with expected complexity O(k n^2.5 + k m) (where complexity is measured in terms of the number of secure multiplications required) with k > m(m+n)+1. The previous proposals were not error-free: known protocols can indeed fail and thus reveal information with probability Omega(poly(m)/q). Our protocols are simple and rely on existing computer-algebra techniques, notably the Preparata-Sarwate algorithm, a simple but poorly known “baby-step giant-step” method for computing the characteristic polynomial of a matrix, and techniques due to Mulmuley for error-free linear algebra in positive characteristic.
Citations: 0
Feldman's Verifiable Secret Sharing for a Dishonest Majority
Pub Date : 2024-04-09 DOI: 10.62056/ak2isgvtw
Yi-Hsiu Chen, Yehuda Lindell
Verifiable secret sharing (VSS) protocols enable parties to share secrets while guaranteeing security (in particular, that all parties hold valid and consistent shares) even if the dealer or some of the participants are malicious. Most work on VSS focuses on the honest majority case, primarily since it enables one to guarantee output delivery (e.g., a corrupted recipient cannot prevent an honest dealer from sharing their value). Feldman's VSS is a well known and popular protocol for this task and relies on the discrete log hardness assumption. In this paper, we present a variant of Feldman's VSS for the dishonest majority setting and formally prove its security. Beyond the basic VSS protocol, we present a publicly-verifiable version, as well as show how to securely add participants to the sharing and how to refresh an existing sharing (all secure in the presence of a dishonest majority). We prove that our protocols are UC secure, for appropriately defined ideal functionalities.
Citations: 4