-
On the decisional Diffie-Hellman problem for class group actions on oriented elliptic curves
Authors:
Wouter Castryck,
Marc Houben,
Frederik Vercauteren,
Benjamin Wesolowski
Abstract:
We show how the Weil pairing can be used to evaluate the assigned characters of an imaginary quadratic order $\mathcal{O}$ in an unknown ideal class $[\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O})$ that connects two given $\mathcal{O}$-oriented elliptic curves $(E, ι)$ and $(E', ι') = [\mathfrak{a}](E, ι)$. When specialized to ordinary elliptic curves over finite fields, our method is conceptually simpler and often somewhat faster than a recent approach due to Castryck, Sotáková and Vercauteren, who rely on the Tate pairing instead. The main implication of our work is that it breaks the decisional Diffie-Hellman problem for practically all oriented elliptic curves that are acted upon by an even-order class group. It can also be used to better handle the worst cases in Wesolowski's recent reduction from the vectorization problem for oriented elliptic curves to the endomorphism ring problem, leading to a method that always works in sub-exponential time.
Submitted 3 October, 2022;
originally announced October 2022.
-
BASALISC: Programmable Hardware Accelerator for BGV Fully Homomorphic Encryption
Authors:
Robin Geelen,
Michiel Van Beirendonck,
Hilder V. L. Pereira,
Brian Huffman,
Tynan McAuley,
Ben Selfridge,
Daniel Wagner,
Georgios Dimou,
Ingrid Verbauwhede,
Frederik Vercauteren,
David W. Archer
Abstract:
Fully Homomorphic Encryption (FHE) allows for secure computation on encrypted data. Unfortunately, huge memory size, computational cost and bandwidth requirements limit its practicality. We present BASALISC, an architecture family of hardware accelerators that aims to substantially accelerate FHE computations in the cloud. BASALISC is the first to implement the BGV scheme with fully-packed bootstrapping -- the noise removal capability necessary for arbitrary-depth computation. It supports a customized version of bootstrapping that can be instantiated with hardware multipliers optimized for area and power.
BASALISC is a three-abstraction-layer RISC architecture, designed for a 1 GHz ASIC implementation and underway toward a 150 mm² die tape-out in a 12 nm GF process. BASALISC's four-layer memory hierarchy includes a two-dimensional conflict-free inner memory layer that enables 32 Tb/s radix-256 NTT computations without pipeline stalls. Its conflict-resolution permutation hardware is generalized and re-used to compute BGV automorphisms without throughput penalty. BASALISC also has a custom multiply-accumulate unit to accelerate BGV key switching.
The BASALISC toolchain comprises a custom compiler and a joint performance and correctness simulator. To evaluate BASALISC, we study its physical realizability, emulate and formally verify its core functional units, and we study its performance on a set of benchmarks. Simulation results show a speedup of more than 5,000 times over HElib -- a popular software FHE library.
Submitted 25 July, 2023; v1 submitted 27 May, 2022;
originally announced May 2022.
-
Quantum Equivalence of the DLP and CDHP for Group Actions
Authors:
Steven Galbraith,
Lorenz Panny,
Benjamin Smith,
Frederik Vercauteren
Abstract:
In this short note we give a polynomial-time quantum reduction from the vectorization problem (DLP) to the parallelization problem (CDHP) for group actions. Combined with the trivial reduction from parallelization to vectorization, we thus prove the quantum equivalence of both problems.
Submitted 26 July, 2021; v1 submitted 21 December, 2018;
originally announced December 2018.
-
Computing Zeta Functions of Nondegenerate Curves
Authors:
Wouter Castryck,
Jan Denef,
Frederik Vercauteren
Abstract:
In this paper we present a p-adic algorithm to compute the zeta function of a nondegenerate curve over a finite field using Monsky-Washnitzer cohomology. The paper vastly generalizes previous work since all known cases, e.g. hyperelliptic, superelliptic and C_{ab} curves, can be transformed to fit the nondegenerate case. For curves with a fixed Newton polytope, the property of being nondegenerate is generic, so that the algorithm works for almost all curves with given Newton polytope. For a genus g curve over F_{p^n}, the expected running time is O(n^3g^6 + n^2g^{6.5}), whereas the space complexity amounts to O(n^3g^4), assuming p is fixed.
Submitted 8 January, 2007; v1 submitted 13 July, 2006;
originally announced July 2006.