Dustin Moody

An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme

Historically, multivariate public key cryptography has been less than successful at offering encryption schemes which are both secure and efficient. At PQCRYPTO ’13 in Limoges, Tao, Diene, Tang, and Ding introduced a promising new multivariate encryption algorithm based on a fundamentally new idea: hiding the structure of a large matrix algebra over a finite field. We present an attack based on subspace differential invariants inherent to this methodology. The attack is a structural key recovery attack which is asymptotically optimal among all known attacks (including algebraic attacks) on the original scheme and its generalizations.

Report on Pairing-based Cryptography

This report summarizes study results on pairing-based cryptography. The main purpose of the study is to form NIST’s position on standardizing and recommending pairing-based cryptography schemes currently published in research literature and standardized in other standard bodies. The report reviews the mathematical background of pairings. This includes topics such as pairing-friendly elliptic curves and how to compute various pairings. It includes a brief introduction to existing identity-based encryption (IBE) schemes and other cryptographic schemes using pairing technology. The report provides a complete study of the current status of standard activities on pairing-based cryptographic schemes. It explores different application scenarios for pairing-based cryptography schemes. As an important aspect of adopting pairing-based schemes, the report also considers the challenges inherent in validation testing of cryptographic algorithms and modules. Based on the study, the report suggests an approach for including pairing-based cryptography schemes in the NIST cryptographic toolkit. The report also outlines several questions that will require further study if this approach is followed.

Analogues of Vélu’s formulas for isogenies on alternate models of elliptic curves

Isogenies of elliptic curves have been well-studied, in part because there are several cryptographic applications. Using Velu’s formula, isogenies can be evaluated explicitly given their kernel. However, Velu’s formula applies to elliptic curves given by a Weierstrass equation. In this paper we show how to similarly evaluate isogenies on Edwards curves and Huff curves. Edwards and Huff curves are new normal forms for elliptic curves, different than the traditional Weierstrass form.

Key Recovery Attack on the Cubic ABC Simple Matrix Multivariate Encryption Scheme

In the last few years multivariate public key cryptography has experienced an infusion of new ideas for encryption. Among these new strategies is the ABC Simple Matrix family of encryption schemes which utilize the structure of a large matrix algebra to construct effectively invertible systems of nonlinear equations hidden by an isomorphism of polynomials. The cubic version of the ABC Simple Matrix Encryption was developed with provable security in mind and was published including a heuristic security argument claiming that an attack on the scheme should be at least as difficult as solving a random system of quadratic equations over a finite field.

Isomorphism classes of Edwards curves over finite fields

Abstract Edwards curves are an alternate model for elliptic curves, which have attracted notice in cryptography. We give exact formulas for the number of F q -isomorphism classes of Edwards curves and twisted Edwards curves. This answers a question recently asked by R. Farashahi and I. Shparlinski.

Improved Attacks for Characteristic-2 Parameters of the Cubic ABC Simple Matrix Encryption Scheme

In the last few years multivariate public key cryptography has experienced an infusion of new ideas for encryption. Among these new strategies is the ABC Simple Matrix family of encryption schemes which utilize the structure of a large matrix algebra to construct effectively invertible systems of nonlinear equations hidden by an isomorphism of polynomials. One promising approach to cryptanalyzing these schemes has been structural cryptanalysis, based on applying a strategy similar to MinRank attacks to the discrete differential. These attacks however have been significantly more expensive when applied to parameters using fields of characteristic 2, which have been the most common choice for published parameters. This disparity is especially great for the cubic version of the Simple Matrix Encryption Scheme.

Elliptic curves arising from Brahmagupta quadrilaterals

A Brahmagupta quadrilateral is a cyclic quadrilateral whose sides, diagonals and area are all integer values. In this article, we characterise the notions of Brahmagupta, introduced by K. R. S. Sastry [‘Brahmagupta quadrilaterals’, Forum Geom. 2 (2002), 167–173], by means of elliptic curves. Motivated by these characterisations, we use Brahmagupta quadrilaterals to construct infinite families of elliptic curves with torsion group \(Z/2Z×Z/2Z\) having ranks (at least) four, five and six. Furthermore, by specialising we give examples from these families of specific curves with rank nine. DOI: 10.1017/S0004972713001172

Heron quadrilaterals via elliptic curves

A Heron quadrilateral is a cyclic quadrilateral whose area and side lengths are rational. In this work, we establish a correspondence between Heron quadrilaterals and a family of elliptic curves of the form y 2 = x 3 + αx 2 - n 2 x. This correspondence generalizes the notions of Goins and Maddox who established a similar connection between Heron triangles and elliptic curves. We further study this family of elliptic curves, looking at their torsion groups and ranks. We also explore their connection with congruent numbers, which are the α = 0 case. Congruent numbers are positive integers which are the area of a right triangle with rational side lengths.

Improved indifferentiability security bound for the JH mode

Indifferentiability security of a hash mode of operation guarantees the mode’s resistance against all generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function was one of the five finalists in the National Institute of Standards and Technology SHA-3 hash function competition. Despite several years of analysis, the indifferentiability security of the JH mode has remained remarkably low, only at