  • This session was presented on May 06, 2022.

Description

  • Speaker

    Julien Devevey - ENS de Lyon

Lyubashevsky’s signatures are based on the Fiat-Shamir with aborts paradigm, whose central ingredient is the use of rejection sampling to transform (secret-key-dependent) signature samples into samples from a secret-key-independent distribution. The choice of these two underlying distributions is part of the rejection sampling strategy, and various instantiations have been considered to date. In this work, we investigate which strategy leads to the most compact signatures, given signing runtime requirements. Our main contributions are as follows:

(i) We prove lower bounds for compactness of signatures given signing runtime requirements, and (ii) show that these lower bounds are reached by a new and elementary choice of distributions, namely continuous uniform distributions over hyperballs. (iii) We also prove that, for any fixed pair of distributions, classic rejection sampling is the best strategy for minimizing the number of aborts, and (iv) propose a novel strategy that makes it possible to fix (any) bound on the number of aborts while still guaranteeing correctness and security.

Link: https://univ-rennes1-fr.zoom.us/j/97066341266?pwd=RUthOFV5cm1uT0ZCQVh6QUcrb1drQT09
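
An added example, not code from the talk or the underlying work: a toy Python sketch of rejection sampling with continuous uniform distributions over hyperballs, the choice of distributions named in (ii). The acceptance rule, the names (`big_r`, `t`, `shift`) and the parameter values are assumptions made for illustration; `shift` stands in for the secret-key-dependent term and `t` for a public bound on its norm.

```python
import math
import random

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def sample_ball(n, radius, rng):
    """Uniform point in the n-dimensional ball: Gaussian direction, radius ~ U^(1/n)."""
    g = [rng.gauss(0.0, 1.0) for _ in range(n)]
    scale = radius * rng.random() ** (1.0 / n) / norm(g)
    return [scale * x for x in g]

def expected_rate(n, big_r, t):
    """Acceptance probability: vol(B(big_r - t)) / vol(B(big_r))."""
    return ((big_r - t) / big_r) ** n

def accepted_samples(n, big_r, shift, t, trials, seed):
    """Run `trials` attempts; keep z = y + shift only when ||z|| <= big_r - t.

    Assumption: ||shift|| <= t, so the ball of radius big_r - t lies inside the
    support of z for every shift, which makes accepted z uniform on that ball.
    """
    assert norm(shift) <= t
    rng = random.Random(seed)
    kept = []
    for _ in range(trials):
        y = sample_ball(n, big_r, rng)           # secret-independent mask
        z = [a + b for a, b in zip(y, shift)]    # secret-dependent candidate
        if norm(z) <= big_r - t:                 # otherwise: abort and retry
            kept.append(z)
    return kept

if __name__ == "__main__":
    n, big_r, t, trials = 8, 10.0, 1.0, 20000   # constructed toy parameters
    for shift in ([0.0] * n, [1.0] + [0.0] * (n - 1)):
        kept = accepted_samples(n, big_r, shift, t, trials, seed=1)
        mean0 = sum(z[0] for z in kept) / len(kept)
        print(f"shift[0]={shift[0]:.1f} rate={len(kept) / trials:.3f} "
              f"(theory {expected_rate(n, big_r, t):.3f}) mean z[0]={mean0:+.3f}")
```

In this sketch the expected number of attempts per accepted sample is (big_r / (big_r - t))^n, so a larger mask radius means fewer aborts but larger outputs, which is the size-versus-runtime trade-off the abstract refers to.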

Next sessions

  • C2 Seminar at INRIA Paris

    • January 16, 2026 (10:00 - 17:00)

    • INRIA Paris

    Emmanuel Thomé and Pierrick Gaudry, Rachelle Heim Boissier, Épiphane Nouetowa, Dung Bui. More information at https://seminaire-c2.inria.fr/
  • Attacking the Supersingular Isogeny Problem: From the Delfs–Galbraith algorithm to oriented graphs

    • January 23, 2026 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Arthur Herlédan Le Merdy - COSIC, KU Leuven

    The threat of quantum computers motivates the introduction of new hard problems for cryptography. One promising candidate is the Isogeny problem: given two elliptic curves, compute a “nice” map between them, called an isogeny. In this talk, we study classical attacks on this problem, specialised to supersingular elliptic curves, on which the security of current isogeny-based cryptography relies. In[…]
    • Cryptography
