Sommaire

  • Cet exposé a été présenté le 20 septembre 2024 (13:45).

Description

  • Orateur

    Aurore Guillevic - INRIA Rennes

This talk is based on joint works with Diego Aranha, Youssef El Housni, and Simon Masson. 

Elliptic curves make possible in practice very interesting mechanisms of proofs. The security relies on the difficulty of the discrete log problem and variants. Succinct non-interactive arguments of knowledge (SNARK) are a very fruitful topic, so that given a sequence of instructions that can be quite large, it is possible to extract a single equation such that if satisfied, it will convince a verifier that the set of instructions were correctly executed. To ensure the zero-knowledge property, the equation is hidden "in the exponents", in other words, "homomorphic hiding" is required. Such a property is made possible with a pairing on elliptic curves: a bilinear map e : G1 x G2 -> GT, where e([a]g1, [b]g2) = e(g1, g2)^{ab}, that can multiply secret scalars/exponents together. The solution of Groth at Eurocrypt'16 (Groth16) made possible a SNARK verification in three pairings, the proof size being two G1 and one G2 elements. 

The design of dedicated elliptic curves is required at different stages: finding ``inner'' pairing-friendly elliptic curves (first SNARK), finding ``outer'' pairing-friendly elliptic curves (second SNARK, a first construction was given in the Geppetto paper), finding ``embedded'' elliptic curves (such as JubJub for BLS12-381). This talk will recall the construction of particular pairing-friendly elliptic curves for SNARK, and the recent works on finding embedded curves. A generalisation of the work of Sanso and El Housni will be presented, that allows to obtain in about some hours a 2-cycle of elliptic curves with CM, given any input prime. The parameterized version will be given. 
 

Infos pratiques

Prochains exposés

  • Predicting Module-Lattice Reduction

    • 19 décembre 2025 (13:45 - 14:45)

    • Batiment 22-23 salle 16 (en face de l'amphi Lebesgue)

    Orateur : Paola de Perthuis - CWI

    Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as `Q8' in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens[…]

    • Cryptography

  • Séminaire C2 à INRIA Paris

    • 16 janvier 2026 (10:00 - 17:00)

    • INRIA Paris

    Emmanuel Thomé et Pierrick Gaudry Rachelle Heim Boissier Épiphane Nouetowa Dung Bui Plus d'infos sur https://seminaire-c2.inria.fr/ 

  • Attacking the Supersingular Isogeny Problem: From the Delfs–Galbraith algorithm to oriented graphs

    • 23 janvier 2026 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Orateur : Arthur Herlédan Le Merdy - COSIC, KU Leuven

    The threat of quantum computers motivates the introduction of new hard problems for cryptography.One promising candidate is the Isogeny problem: given two elliptic curves, compute a “nice’’ map between them, called an isogeny.In this talk, we study classical attacks on this problem, specialised to supersingular elliptic curves, on which the security of current isogeny-based cryptography relies. In[…]

    • Cryptography

Voir les exposés passés
Haut de page