## CryptoDB

### Antoine Joux

#### ORCID: 0000-0003-2682-6508

#### Publications

**Year**

**Venue**

**Title**

2024

CRYPTO

MPC in the head using the subfield bilinear collision problem
Abstract

In this paper, we introduce the subfield bilinear collision problem and use it to construct an identification protocol and a signature scheme. This construction is based on the MPC-in-the-head paradigm and uses the Fiat-Shamir transformation to obtain a signature.

2024

EUROCRYPT

Key Recovery Attack on the Partial Vandermonde Knapsack Problem
Abstract

The Partial Vandermonde (PV) Knapsack problem is an algebraic variant of the low-density inhomogeneous SIS problem. The problem has been used as a building block for various lattice-based constructions, including signatures (ACNS'14, ACISP'18), encryptions (DCC'15,DCC'20), and signature aggregation (Eprint'20). At Crypto'22, Boudgoust, Gachon, and Pellet-Mary proposed a key distinguishing attack on the PV Knapsack exploiting algebraic properties of the problem. Unfortunately, their attack doesn't offer key recovery, except for worst-case keys.
In this paper, we propose an alternative attack on the PV Knapsack problem, which provides key recovery for a much larger set of keys. Like the Crypto'22 attack, it is based on lattice reduction and uses a dimension reduction technique to speed-up the underlying lattice reduction algorithm and enhance its performance. As a side bonus, our attack transforms the PV Knapsack problem into uSVP instances instead of SVP instances in the Crypto'22 attack. This also helps the lattice reduction algorithm, both from a theoretical and practical point of view.
We use our attack to re-assess the hardness of the concrete parameters used in the literature. It appears that many contain a non-negligible fraction of weak keys, which are easily identified and extremely susceptible to our attack. For example, a fraction of $2^{-19}$ of the public keys of a parameter set from ACISP'18 can be solved in about $30$ hours on a moderate server using off-the-shelf lattice reduction. This parameter set was initially claimed to have a $129$-bit security against key recovery attack. Its security was reduced to $87$-bit security using the distinguishing attack from Crypto'22. Similarly, the ACNS'14 proposal also includes a parameter set containing a fraction of $2^{-19}$ of weak keys; those can be solved in about $17$ hours.

2023

EUROCRYPT

On the Hardness of the Finite Field Isomorphism Problem
Abstract

The finite field isomorphism $(\ffi)$ problem was introduced in PKC'18, as an alternative to average-case lattice problems (like $\lwe$, $\sis$, or $\NTRU$). As an application, the same paper used the $\ffi$ problem to construct a fully homomorphic encryption scheme. In this work, we prove that the decision variant of the $\ffi$ problem can be solved in polynomial time for any field characteristics $q= \Omega(\beta n^2)$, where $q,\beta,n$ parametrize the $\ffi$ problem. Then we use our result from the $\ffi$ distinguisher to propose polynomial-time attacks on the semantic security of the fully homomorphic encryption scheme. Furthermore, for completeness, we also study the search variant of the $\ffi$ problem and show how to state it as a $q$-ary lattice problem, which was previously unknown. As a result, we can solve the search problem for some previously intractable parameters using a simple lattice reduction approach.

2023

EUROCRYPT

Short Signatures from Regular Syndrome Decoding in the Head
Abstract

We introduce a new candidate post-quantum digital signature scheme from the regular syndrome decoding (RSD) assumption, an established variant of the syndrome decoding assumption which asserts that it is hard to find w-regular solutions to systems of linear equations over F_2 (a vector is regular if it is a concatenation of w unit vectors). Our signature is obtained by introducing and compiling a new 5-round zero-knowledge proof system constructed using the MPC-in-the-head paradigm. At the heart of our result is an efficient MPC protocol in the preprocessing model that checks correctness of a regular syndrome decoding instance by using a share ring-conversion mechanism.
The analysis of our construction is non-trivial and forms a core technical contribution of our work. It requires careful combinatorial analysis and combines several new ideas, such as analyzing soundness in a relaxed setting where a cheating prover is allowed to use any witness *sufficiently close* to a regular vector. We complement our analysis with an in-depth overview of existing attacks against RSD.
Our signatures are competitive with the best-known code-based signatures, ranging from 12.52 KB (fast setting, with signing time of the order of a few milliseconds on a single core of a standard laptop) to about 9 KB (short setting, with estimated signing time of the order of 15ms).

2022

EUROCRYPT

Practical Post-Quantum Signature Schemes from Isomorphism Problems of Trilinear Forms
📺
Abstract

In this paper, we propose a practical signature scheme based on the alternating trilinear form equivalence problem. Our scheme is inspired from the Goldreich-Micali-Wigderson's zero-knowledge protocol for graph isomorphism, and can be served as an alternative candidate for the NIST's post-quantum digital signatures.
First, we present theoretical evidences to support its security, especially in the post-quantum cryptography context. The evidences are drawn from several research lines, including hidden subgroup problems, multivariate cryptography, cryptography based on group actions, the quantum random oracle model, and recent advances on isomorphism problems for algebraic structures in algorithms and complexity.
Second, we demonstrate its potential for practical uses. Based on algorithm studies, we propose concrete parameter choices, and then implement a prototype. One concrete scheme achieves 128 bit security with public key size ~4100 bytes, signature size ~6800 bytes, and running times (key generation, sign, verify) ~0.8ms on a common laptop computer.

2022

CRYPTO

Syndrome Decoding in the Head: Shorter Signatures from Zero-Knowledge Proofs
📺
Abstract

Zero-knowledge proofs of knowledge are useful tools to design signature schemes. The ongoing effort to build a quantum computer motivates the cryptography community to develop new secure cryptographic protocols based on quantum-hard cryptographic problems. One of the few directions is code-based cryptography for which the strongest problem is the syndrome decoding (SD) for random linear codes. This problem is known to be NP-hard and the cryptanalysis state of the art has been stable for many years. A zero-knowledge protocol for this problem was pioneered by Stern in 1993. Since its publication, many articles proposed optimizations, implementation, or variants.
In this paper, we introduce a new zero-knowledge proof for the syndrome decoding problem on random linear codes. Instead of using permutations like most of the existing protocols, we rely on the MPC-in-the-head paradigm in which we reduce the task of proving the low Hamming weight of the SD solution to proving some relations between specific polynomials. We propose a 5-round zero-knowledge protocol that proves the knowledge of a vector x such that y=Hx and \wt(x) <= w and which achieves a soundness error closed to 1/N for an arbitrary N.
While turning this protocol into a signature scheme, we achieve a signature size of 11-12 KB for a 128-bit security when relying on the hardness of the SD problem on binary fields. Using bigger fields (like \F_{2^8}), we can produce fast signatures of around 8 KB. This allows us to outperform Picnic3 and to be competitive with SPHINCS+, both post-quantum signature candidates in the ongoing NIST standardization effort. Moreover, our scheme outperforms all the existing code-based signature schemes for the common ``signature size + public key size'' metric.

2018

CRYPTO

A New Public-Key Cryptosystem via Mersenne Numbers
📺
Abstract

In this work, we propose a new public-key cryptosystem whose security is based on the computational intractability of the following problem: Given a Mersenne number
$$p = 2^n - 1$$
p=2n-1, where n is a prime, a positive integer h, and two n-bit integers T, R, decide whether their exist n-bit integers F, G each of Hamming weight less than h such that
$$T = F\cdot R + G$$
T=F·R+G modulo p.

2018

ASIACRYPT

How to Securely Compute with Noisy Leakage in Quasilinear Complexity
Abstract

Since their introduction in the late 90’s, side-channel attacks have been considered as a major threat against cryptographic implementations. This threat has raised the need for formal leakage models in which the security of implementations can be proved. At Eurocrypt 2013, Prouff and Rivain introduced the noisy leakage model which has been argued to soundly capture the physical reality of power and electromagnetic leakages. In their work, they also provide the first formal security proof for a masking scheme in the noisy leakage model. However their work has two important limitations: (i) the security proof relies on the existence of a leak-free component, (ii) the tolerated amount of information in the leakage (aka leakage rate) is of O(1 / n) where n is the security parameter (i.e. the number of shares in the underlying masking scheme). The first limitation was nicely tackled by Duc, Dziembowski and Faust one year later (Eurocrypt 2014). Their main contribution was to show a security reduction from the noisy leakage model to the conceptually simpler random-probing model. They were then able to prove the security of the well-known Ishai-Sahai-Wagner scheme (Crypto 2003) in the noisy leakage model. The second limitation was addressed in a paper by Andrychowicz, Dziembowski and Faust (Eurocrypt 2016) which makes use of a construction due to Ajtai (STOC 2011) to achieve security in the strong adaptive probing model with a leakage rate of $$O(1/\log n)$$. The authors argue that their result can be translated into the noisy leakage model with a leakage rate of O(1) by using secret sharing based on algebraic geometric codes. In terms of complexity, the protected program scales from |P| arithmetic instructions to $$\tilde{O}(|P| \, n^2)$$. According to the authors, this $$\tilde{O}(n^2)$$ blow-up could be reduced to $$\tilde{O}(n)$$ using packed secret sharing but no details are provided. Moreover, such an improvement would only be possible for a program of width at least linear in n. The issue of designing an explicit scheme achieving $$\tilde{O}(n)$$ complexity blow-up for any arithmetic program is hence left open.In this paper, we tackle the above issue: we show how to securely compute in the presence of noisy leakage with a leakage rate $$\tilde{O}(1)$$ and complexity blow-up $$\tilde{O}(n)$$. Namely, we introduce a transform that turns any program P composed of arithmetic instructions on some filed $$\mathbb {F}$$ into a (functionally equivalent) program $$\varPi $$ composed of $$|\varPi | = O(|P| n \log n)$$ arithmetic instructions which can tolerate some (quasi-constant) amount of noisy leakage on its internal variables (while revealing negligible information). We use a polynomial encoding allowing quasilinear multiplication based on the fast Number Theoretic Transform (NTT). We first show that our scheme is secure in the random-probing model with leakage rate $$O(1/\log n)$$. Using the reduction by Duc et al. this result can be translated in the noisy leakage model with a $$O(1/|\mathbb {F}|^2 \log n)$$ leakage rate. However, a straight application of this reduction is not satisfactory since our construction requires $$|\mathbb {F}| = O(n)$$. In order to bypass this issue (which is shared with the construction of Andrychowicz et al.), we provide a generic security reduction from the noisy leakage model at the logical-instruction level to the random-probing model at the arithmetic level. This reduction allows us to prove the security of our construction in the noisy leakage model with leakage rate $$\tilde{O}(1)$$.

2014

EUROCRYPT

2014

EUROCRYPT

2013

EUROCRYPT

2012

EUROCRYPT

2012

EUROCRYPT

2012

EUROCRYPT

2003

CRYPTO

2003

JOFC

2002

FSE

#### Program Committees

- Eurocrypt 2023
- Crypto 2020
- Asiacrypt 2016
- PKC 2013
- FSE 2012
- Asiacrypt 2012
- Crypto 2012
- Asiacrypt 2011
- FSE 2011 (Program chair)
- FSE 2010
- Eurocrypt 2010
- Asiacrypt 2010
- Eurocrypt 2009 (Program chair)
- Eurocrypt 2008
- FSE 2008
- Crypto 2007
- FSE 2007
- Asiacrypt 2006
- FSE 2006
- Eurocrypt 2006
- FSE 2005
- Crypto 2005
- Eurocrypt 2004
- Crypto 2003
- PKC 2002
- Eurocrypt 2002

#### Coauthors

- Divesh Aggarwal (1)
- Razvan Barbulescu (1)
- Aurélie Bauer (1)
- Anja Becker (2)
- Eli Biham (2)
- Dan Boneh (1)
- Eliana Carozza (1)
- Patrick Carribault (1)
- Guilhem Castagnos (1)
- Florent Chabaud (1)
- Yeow Meng Chee (1)
- Rafi Chen (2)
- Philippe Chose (1)
- Jean-Sébastien Coron (3)
- Geoffroy Couteau (1)
- Dipayan Das (2)
- Thai Duong (1)
- Jean-Charles Faugère (2)
- Thibauld Feneuil (1)
- Pierre-Alain Fouque (1)
- Pierrick Gaudry (1)
- Henri Gilbert (1)
- Dahmun Goudarzi (1)
- Louis Granboulan (2)
- Helena Handschuh (1)
- Nick Howgrave-Graham (1)
- Louise Huot (1)
- Janik Huth (1)
- William Jalby (1)
- Éliane Jaulmes (4)
- Antoine Joux (57)
- Ilya Kizhvatov (1)
- Sébastien Kunz-Jacques (1)
- Fabien Laguillaumie (1)
- Christophe Lemuet (1)
- Reynald Lercier (2)
- Stefan Lucks (1)
- Avradip Mandal (1)
- Gwenaëlle Martinet (1)
- Chrysanthi Mavromati (1)
- Alexander May (1)
- Marcel Medwed (1)
- Alexander Meurer (1)
- Michel Mitton (1)
- Frédéric Muller (4)
- David Naccache (3)
- Kim Nguyen (1)
- Phong Q. Nguyen (2)
- Pascal Paillier (1)
- Thomas Peyrin (1)
- Cécile Pierrot (1)
- Thomas Plantard (1)
- Guillaume Poupard (1)
- Anupam Prakash (1)
- Youming Qiao (1)
- Jean-René Reinhard (1)
- Guénaël Renault (1)
- Pierre-Michel Ricordel (1)
- Matthieu Rivain (2)
- Miklos Santha (1)
- Nigel P. Smart (1)
- François-Xavier Standaert (1)
- Jacques Stern (5)
- Willy Susilo (1)
- Gang Tang (1)
- Emmanuel Thomé (2)
- Mehdi Tibouchi (1)
- Frédéric Valette (2)
- Serge Vaudenay (1)
- Frederik Vercauteren (1)
- Vanessa Vitse (2)