Semi-commutative Masking: A Framework for Isogeny-Based Protocols, with an Application to Fully Secure Two-Round Isogeny-Based OT

Guilhem, Cyprien Delpech de Saint; Orsini, Emmanuela; Petit, Christophe; Smart, Nigel P.

doi:10.1007/978-3-030-65411-5_12

Cited by 4 publications

(3 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [DOPS20], the authors introduce the concept of masking, which generalizes the one of hard homogeneous spaces. The paper contains two passively secure OT protocols, one with two rounds, derived from the Shamir-3-Pass key transportation scheme, and the other with three rounds derived from the CO protocol.…”

Section: Sender Receivermentioning

confidence: 99%

“…As mentioned before, the protocols are based on masking assumptions, ParallelEither, ParallelBoth and ParallelDouble, that can be instantiated with isogeny-based assumptions. The ParallelEither asks for either g ab or g a/b given g a , g b ; the ParallelBoth asks for g ba0/a1 or g ba1/a0 given g a0 , g a1 , g b ; the ParallelDouble asks for g ac and g bc given g a , g b , g c and a one-time access to an oracle that exponentiates by c. We refer to [DOPS20] for additional details.…”

Section: Sender Receivermentioning

confidence: 99%

See 1 more Smart Citation

Simple Two-Message OT in the Explicit Isogeny Model

Orsini,

Zanotto

2024

IACR CiC

Self Cite

View full text Add to dashboard Cite

In this work we study algebraic and generic models for group actions, and extend them to the universal composability (UC) framework of Canetti (FOCS 2001). We revisit the constructions of Duman et al. (PKC 2023) integrating the type-safe model by Zhandry (Crypto 2022), adapted to the group action setting, and formally define an algebraic action model (AAM). This model restricts the power of the adversary in a similar fashion to the algebraic group model (AGM). By imposing algebraic behaviour to the adversary and environment of the UC framework, we construct the UC-AAM. Finally, we instantiate UC-AAM with isogeny-based assumptions, in particular the CSIDH action with twists, obtaining the explicit isogeny model, UC-EI; we observe that, under certain assumptions, this model is "closer" to standard UC than the UC-AGM, even though there still exists an important separation. We demonstrate the utility of our definitions by proving UC-EI security for the passive-secure oblivious transfer protocol described by Lai et al. (Eurocrypt 2021), hence providing the first concretely efficient two-message isogeny-based OT protocol in the random oracle model against malicious adversaries.

show abstract

Section: Sender Receivermentioning

confidence: 99%

Section: Sender Receivermentioning

confidence: 99%

Simple Two-Message OT in the Explicit Isogeny Model

Orsini,

Zanotto

2024

IACR CiC

Self Cite

View full text Add to dashboard Cite

show abstract

“…The invention of CSIDH 3 [13], the first efficient post-quantum group action, spurred a wave of interest on the topic. Among the many applications of CSIDH, we may cite the signature scheme CSI-FiSh [7], threshold [21] and ring [6] signatures, oblivious transfer [22,33], oblivious PRFs [8] and hash proof systems [2]. As of today, all known post-quantum group actions are obtained from isogenies of elliptic curves, either ordinary or supersingular, and are all understood as instances of the celebrated theory of complex multiplication.…”

Section: Introductionmentioning

confidence: 99%

On the Security of OSIDH

Dartois

Feo

2022

Public-Key Cryptography – PKC 2022

View full text Add to dashboard Cite

The Oriented Supersingular Isogeny Diffie-Hellman is a postquantum key exchange scheme recently introduced by Colò and Kohel. It is based on the group action of an ideal class group of a quadratic imaginary order on a subset of supersingular elliptic curves, and in this sense it can be viewed as a generalization of the popular isogeny based key exchange CSIDH. From an algorithmic standpoint, however, OSIDH is quite different from CSIDH. In a sense, OSIDH uses class groups which are more structured than in CSIDH, creating a potential weakness that was already recognized by Colò and Kohel. To circumvent the weakness, they proposed an ingenious way to realize a key exchange by exchanging partial information on how the class group acts in the neighborhood of the public curves, and conjectured that this additional information would not impact security. In this work we revisit the security of OSIDH by presenting a new attack, building upon previous work of Onuki. Our attack has exponential complexity, but it practically breaks Colò and Kohel's parameters unlike Onuki's attack. We also discuss countermeasures to our attack, and analyze their impact on OSIDH, both from an efficiency and a functionality point of view.

show abstract