Tampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014
|
|
- Delphia Eaton
- 6 years ago
- Views:
Transcription
1 Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, / 16
2 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable map e : G G G T, where G, G, G T are finite groups of the same size. Bilinearity: e(p + Q, R) = e(p, R) e(q, R) for all P, Q G, R G e(p, R + Q) = e(p, R) e(p, Q) for all P G, Q, R G. Non-degeneracy: for all P G \ {O} there is a Q G such that e(p, Q) 1. 2 / 16
3 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable map e : G G G T, where G, G, G T are finite groups of the same size. Bilinearity: e(p + Q, R) = e(p, R) e(q, R) for all P, Q G, R G e(p, R + Q) = e(p, R) e(p, Q) for all P G, Q, R G. Non-degeneracy: for all P G \ {O} there is a Q G such that e(p, Q) 1. plus crypto assumptions 2 / 16
4 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable map e : G G G T, where G, G, G T are finite groups of the same size. Bilinearity: e(p + Q, R) = e(p, R) e(q, R) for all P, Q G, R G e(p, R + Q) = e(p, R) e(p, Q) for all P G, Q, R G. Non-degeneracy: for all P G \ {O} there is a Q G such that e(p, Q) 1. plus crypto assumptions e(a P, b Q) = e(b P, a Q) = e(ab P, Q) = e(p, Q) ab can be used to combine and recombine shares of secrets or secrets and nonces 2 / 16
5 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... 3 / 16
6 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... Attribute-based encryption encrypt data under attributes, not for individual users, users get rights, if rights and attributes match, data can be decrypted 3 / 16
7 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... Attribute-based encryption encrypt data under attributes, not for individual users, users get rights, if rights and attributes match, data can be decrypted 3 / 16
8 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... Attribute-based encryption encrypt data under attributes, not for individual users, users get rights, if rights and attributes match, data can be decrypted 3 / 16
9 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... Attribute-based encryption encrypt data under attributes, not for individual users, users get rights, if rights and attributes match, data can be decrypted 3 / 16
10 Elliptic curves Elliptic curves F a field (finite or infinite), F algebraic closure a, b F E := {(x, y) F 2 : y 2 = x 3 + ax + b = 0} {O} elliptic curve over F O point at infinity elliptic curves have group structure using chord and tangent law 4 / 16
11 Elliptic curves Elliptic curves F a field (finite or infinite), F algebraic closure a, b F E := {(x, y) F 2 : y 2 = x 3 + ax + b = 0} {O} elliptic curve over F O point at infinity elliptic curves have group structure using chord and tangent law 4 / 16
12 Elliptic curves Elliptic curves F a field (finite or infinite), F algebraic closure a, b F E := {(x, y) F 2 : y 2 = x 3 + ax + b = 0} {O} elliptic curve over F O point at infinity elliptic curves have group structure using chord and tangent law Q P (P + Q) P + Q 4 / 16
13 Elliptic curves Elliptic curves F a field (finite or infinite), F algebraic closure a, b F E := {(x, y) F 2 : y 2 = x 3 + ax + b = 0} {O} elliptic curve over F O point at infinity elliptic curves have group structure using chord and tangent law Q P 2P 2P (P + Q) P + Q 4 / 16
14 Torsion points and embedding degree 5 / 16
15 Torsion points and embedding degree Torsion points on elliptic curves E elliptic curve, P E, r N P torsion point of order r, iff r P = O E[r] := set of points of order r E[r] is subgroup of E 5 / 16
16 Torsion points and embedding degree Torsion points on elliptic curves E elliptic curve, P E, r N P torsion point of order r, iff r P = O E[r] := set of points of order r E[r] is subgroup of E points of order 2 5 / 16
17 Torsion points and embedding degree Torsion points on elliptic curves E elliptic curve, P E, r N P torsion point of order r, iff r P = O E[r] := set of points of order r E[r] is subgroup of E point of order 4 R 5 / 16
18 Torsion points and embedding degree Torsion points on elliptic curves E elliptic curve, P E, r N P torsion point of order r, iff r P = O E[r] := set of points of order r E[r] is subgroup of E point of order 4 R Embedding degree F = F q finite field, r N smallest k s.th. r (q k 1) called embedding degree E[r] E(F q k ) := E (F q k F q k ) 5 / 16
19 Miller s algorithm Miller Algorithm (MA) input : r N, P, Q E, Q P, O, r = t j=0 r j2 j, r j {0, 1} T P ; for j = t do T 2T ; if r j = 1 then T T + P; 6 / 16
20 Miller s algorithm Miller Algorithm (MA) input : r N, P, Q E, Q P, O, r = t j=0 r j2 j, r j {0, 1} output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f ; l U,V := equation of line through U, V 6 / 16
21 The Weil pairing µ r := {u F q k : u r = 1} (set of r-th roots of unity) Definition 2 (Weil/Miller) The Weil pairing w r is the map defined by w r : E[r] E[r] µ r (P, Q) ( 1) r f r,p (Q) f r,q (P). 7 / 16
22 The Weil pairing µ r := {u F q k : u r = 1} (set of r-th roots of unity) Definition 2 (Weil/Miller) The Weil pairing w r is the map defined by w r : E[r] E[r] µ r (P, Q) ( 1) r f r,p (Q) f r,q (P). w r is bilinear and non-degenerate, but rather inefficient, two invocations of MA 7 / 16
23 The reduced Tate pairing Definition 3 The reduced Tate pairing t r is the map defined by t r : E[r] E ( ) / ( ) F q k re Fq k µr (P, Q) f r,p (Q) (qk 1)/r. 8 / 16
24 The reduced Tate pairing Definition 3 The reduced Tate pairing t r is the map defined by t r : E[r] E ( ) / ( ) F q k re Fq k µr (P, Q) f r,p (Q) (qk 1)/r. t r requires one MA invocation and one exponentiation, the final exponentiation (FE) more efficient to compute than w r variants of t r lead to pairings currently proposed for applications most variants have the structure MA + FE 8 / 16
25 Fault attacks on pairings most applications don t just compute a pairing - never mind MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 9 / 16
26 Fault attacks on pairings most applications don t just compute a pairing - never mind secret is not the scalar r, rather it is P or Q MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 9 / 16
27 Fault attacks on pairings most applications don t just compute a pairing - never mind secret is not the scalar r, rather it is P or Q both MA and FE individually are usually hard to invert MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 9 / 16
28 Fault attacks on pairings most applications don t just compute a pairing - never mind secret is not the scalar r, rather it is P or Q both MA and FE individually are usually hard to invert FE many-to-one, need to find the right preimage MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 9 / 16
29 Fault attacks on pairings most applications don t just compute a pairing - never mind secret is not the scalar r, rather it is P or Q both MA and FE individually are usually hard to invert FE many-to-one, need to find the right preimage MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; game is different from standard elliptic curve cryptography (ECC) for practical evaluation see Marie s talk. 9 / 16
30 Attacking a pairing - how to deal with FE 1 Ignore the problem. 2 Show that you can use correlated faults to induce faults in Miller s algorithm and skip the final exponentiation. (see Peter s talk) 3 Assume that you can induce faults into Miller s algorithm and additional faults into the final exponentiation that facilitate the inversion problem for the exponentiation. 4 Use particular curves and pairings for which the inversion problem for the final exponentiation can be solved efficiently. 10 / 16
31 The strategies MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16
32 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16
33 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult lines 3,6: attack by Wheelan, Scott and others MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16
34 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult lines 3,6: attack by Wheelan, Scott and others attack loop in lines 2-7 (Page-Vercauteren) MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16
35 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult lines 3,6: attack by Wheelan, Scott and others attack loop in lines 2-7 (Page-Vercauteren) leave the loop after completing a certain number of iterations MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16
36 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult lines 3,6: attack by Wheelan, Scott and others attack loop in lines 2-7 (Page-Vercauteren) leave the loop after completing a certain number of iterations leave the loop within an iteration and before executing the if-instruction in line 5 MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16
37 Skipping iterations with two independent faults induce single fault in two independent runs of algorithm MA + FE 12 / 16
38 Skipping iterations with two independent faults induce single fault in two independent runs of algorithm MA + FE in first run leave for-loop after iteration s to obtain f (qk 1)/r s MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t 2... s do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 12 / 16
39 Skipping iterations with two independent faults induce single fault in two independent runs of algorithm MA + FE in first run leave for-loop after iteration s to obtain f (qk 1)/r s in first run leave for-loop after iteration s 1 to obtain f (qk 1)/r s 1 MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t 2... s 1 do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 12 / 16
40 Skipping iterations with two independent faults - analysis P known, Q secret f s 1 l r fs 2 = P,r P(Q) l 2r P,P(Q) r s 1 l 2r P, 2r P(Q) l r P, r P(Q) r s 1 in coordinates of Q determine Q using computer algebra (system) low degree function 13 / 16
41 Skipping iterations with two independent faults - analysis P known, Q secret f s 1 l r fs 2 = P,r P(Q) l 2r P,P(Q) r s 1 l 2r P, 2r P(Q) l r P, r P(Q) r s 1 in coordinates of Q determine Q using computer algebra (system) only get ( f s 1 /fs 2 ) (q k 1)/r (final exponentiation) low degree function 13 / 16
42 Skipping iterations with two independent faults - analysis P known, Q secret f s 1 l r fs 2 = P,r P(Q) l 2r P,P(Q) r s 1 l 2r P, 2r P(Q) l r P, r P(Q) r s 1 in coordinates of Q determine Q using computer algebra (system) only get ( f s 1 /fs 2 ) (q k 1)/r (final exponentiation) similar analysis for other fault attacks low degree function 13 / 16
43 Final exponentiation (q k 1)/r may be small, i.e. 4 by choice of q, E, r 14 / 16
44 Final exponentiation (q k 1)/r may be small, i.e. 4 by choice of q, E, r (q k 1)/r may be of special structure, that can be exploited due to optimizations of reduced Tate pairing 14 / 16
45 Final exponentiation (q k 1)/r may be small, i.e. 4 by choice of q, E, r (q k 1)/r may be of special structure, that can be exploited due to optimizations of reduced Tate pairing final exponentiation can be skipped with correlated fault exponent can be simplified with correlated fault 14 / 16
46 Final exponentiation (q k 1)/r may be small, i.e. 4 by choice of q, E, r (q k 1)/r may be of special structure, that can be exploited due to optimizations of reduced Tate pairing final exponentiation can be skipped with correlated fault exponent can be simplified with correlated fault final exponentiation should not be considered a countermeasure against fault attacks 14 / 16
47 Conclusion fault attacks against pairings possible and realistic (see last two talks today) but more complex than in ECC, both in realization and in analysis combination of Miller algorithm and final exponentiation main difficulty 15 / 16
48 Conclusion fault attacks against pairings possible and realistic (see last two talks today) but more complex than in ECC, both in realization and in analysis combination of Miller algorithm and final exponentiation main difficulty timing and power analysis attacks also possible since points not scalars are the secrets need to attack arithmetic/elliptic curve operations 15 / 16
49 Conclusion fault attacks against pairings possible and realistic (see last two talks today) but more complex than in ECC, both in realization and in analysis combination of Miller algorithm and final exponentiation main difficulty timing and power analysis attacks also possible since points not scalars are the secrets need to attack arithmetic/elliptic curve operations MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t 2... s do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 15 / 16
50 thank you Thank you! 16 / 16
Ate Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More informationA Dierential Power Analysis attack against the Miller's Algorithm
A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationBackground of Pairings
Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings
More informationABHELSINKI UNIVERSITY OF TECHNOLOGY
Identity-Based Cryptography T-79.5502 Advanced Course in Cryptology Billy Brumley billy.brumley at hut.fi Helsinki University of Technology Identity-Based Cryptography 1/24 Outline Classical ID-Based Crypto;
More informationAnalysis of Optimum Pairing Products at High Security Levels
Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationOptimised versions of the Ate and Twisted Ate Pairings
Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.
More informationSingular curve point decompression attack
Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015
More informationHardware Acceleration of the Tate Pairing in Characteristic Three
Hardware Acceleration of the Tate Pairing in Characteristic Three CHES 2005 Hardware Acceleration of the Tate Pairing in Characteristic Three Slide 1 Introduction Pairing based cryptography is a (fairly)
More informationParshuram Budhathoki FAU October 25, Ph.D. Preliminary Exam, Department of Mathematics, FAU
Parshuram Budhathoki FAU October 25, 2012 Motivation Diffie-Hellman Key exchange What is pairing? Divisors Tate pairings Miller s algorithm for Tate pairing Optimization Alice, Bob and Charlie want to
More information2.2. The Weil Pairing on Elliptic Curves If A and B are r-torsion points on some elliptic curve E(F q d ), let us denote the r-weil pairing of A and B
Weil Pairing vs. Tate Pairing in IBE systems Ezra Brown, Eric Errthum, David Fu October 10, 2003 1. Introduction Although Boneh and Franklin use the Weil pairing on elliptic curves to create Identity-
More informationImplementing the Weil, Tate and Ate pairings using Sage software
Sage days 10, Nancy, France Implementing the Weil, Tate and Ate pairings using Sage software Nadia EL MRABET LIRMM, I3M, Université Montpellier 2 Saturday 11 th October 2008 Outline of the presentation
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationFaster pairing computation in Edwards coordinates
Faster pairing computation in Edwards coordinates PRISM, Université de Versailles (joint work with Antoine Joux) Journées de Codage et Cryptographie 2008 Edwards coordinates Á Thm: (Bernstein and Lange,
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationMechanizing Elliptic Curve Associativity
Mechanizing Elliptic Curve Associativity Why a Formalized Mathematics Challenge is Useful for Verification of Crypto ARM Machine Code Joe Hurd Computer Laboratory University of Cambridge Galois Connections
More informationA Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field
A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field Taichi Sumo, Yuki Mori (Okayama University) Yasuyuki Nogami (Graduate School of Okayama University) Tomoko Matsushima
More informationImplementing Pairing-Based Cryptosystems
Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:
More informationFixed Argument Pairings
craig.costello@qut.edu.au Queensland University of Technology LatinCrypt 2010 Puebla, Mexico Joint work with Douglas Stebila Pairings A mapping e : G 1 G 2 G T : P G 1, Q G 2 and e(p, Q) G T : groups are
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More information[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex
Exponent Group Signature Schemes and Ecient Identity Based Signature Schemes Based on Pairings F. Hess Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol,
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationWhat About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol?
What About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol? Nadia EL MRABET LIRMM Laboratory, I3M, CNRS, University Montpellier 2, 161, rue Ada, 34 392 Montpellier,
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationMontgomery Algorithm for Modular Multiplication with Systolic Architecture
Montgomery Algorithm for Modular Multiplication with ystolic Architecture MRABET Amine LIAD Paris 8 ENIT-TUNI EL MANAR University A - MP - Gardanne PAE 016 1 Plan 1 Introduction for pairing Montgomery
More informationNumber Theory in Cryptology
Number Theory in Cryptology Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur October 15, 2011 What is Number Theory? Theory of natural numbers N = {1,
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationCo-Z Addition Formulæ and Binary Ladders on Elliptic Curves. Raveen Goundar Marc Joye Atsuko Miyaji
Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Elliptic
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationThe Final Exponentiation in Pairing-Based Cryptography
The Final Exponentiation in Pairing-Based Cryptography Barış Bülent Kırlar Department of Mathematics, Süleyman Demirel University, 3220, Isparta, Turkey Institute of Applied Mathematics, Middle East Technical
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationArithmetic operators for pairing-based cryptography
7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationPractical Round-Optimal Blind Signatures in the Standard Model
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Practical Round-Optimal Blind Signatures in the Standard Model Georg Fuchsbauer, Christian Hanser and Daniel Slamanig, Institute of Science and Technology
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationEfficient Tate Pairing Computation Using Double-Base Chains
Efficient Tate Pairing Computation Using Double-Base Chains Chang an Zhao, Fangguo Zhang and Jiwu Huang 1 Department of Electronics and Communication Engineering, Sun Yat-Sen University, Guangzhou 510275,
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationFast Formulas for Computing Cryptographic Pairings
Fast Formulas for Computing Cryptographic Pairings Craig Costello craig.costello@qut.edu.au Queensland University of Technology May 28, 2012 1 / 47 Thanks: supervisors and co-authors Prof. Colin Boyd Dr.
More informationSEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY
SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY OFER M. SHIR, THE HEBREW UNIVERSITY OF JERUSALEM, ISRAEL FLORIAN HÖNIG, JOHANNES KEPLER UNIVERSITY LINZ, AUSTRIA ABSTRACT. The area of elliptic curves
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things l Efficient algorithms l Suitable elliptic curves We have
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationPublic Key Encryption with Conjunctive Field Keyword Search
Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationRandomized Signed-Scalar Multiplication of ECC to Resist Power Attacks
Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks Jae Cheol Ha 1 and Sang Jae Moon 2 1 Division of Information Science, Korea Nazarene Univ., Cheonan, Choongnam, 330-718, Korea jcha@kornu.ac.kr
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationProject: Supersingular Curves and the Weil Pairing in Elliptic Curve Cryptography
Math 842: Final Project 12/15/04 Project: Supersingular Curves and the Weil Pairing in Elliptic Curve Cryptography Instructor: Nigel Boston Author: Sarah Knoop 1 Introduction Even first semester calculus
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationFaster Pairings on Special Weierstrass Curves
craig.costello@qut.edu.au Queensland University of Technology Pairing 2009 Joint work with Huseyin Hisil, Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Table of contents 1 Introduction The evolution
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationOn the Key-collisions in the Signature Schemes
On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].
More informationA Practical Second-Order Fault Attack against a Real-World Pairing Implementation
A Practical Second-Order Fault Attack against a Real-World Pairing Implementation Johannes Blömer, Ricardo Gomes da Silva, Peter Günther, Juliane Krämer and Jean-Pierre Seifert Technische Universität Berlin
More informationOptimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves
CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA,
More informationEfficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields
Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationThe Hidden Root Problem
EPFL 2008 Definition of HRP Let F q k be a finite field where q = p n for prime p. The (Linear) Hidden Root Problem: let r N0 be given and x F q k hidden access to oracle Ox that given (a, b) F 2 q k returns
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationCongruence of Integers
Congruence of Integers November 14, 2013 Week 11-12 1 Congruence of Integers Definition 1. Let m be a positive integer. For integers a and b, if m divides b a, we say that a is congruent to b modulo m,
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationOptimal Pairings. F. Vercauteren
Optimal Pairings F. Vercauteren Department of Electrical Engineering, Katholieke Universiteit Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium frederik.vercauteren@esat.kuleuven.be Abstract.
More informationBranch Prediction based attacks using Hardware performance Counters IIT Kharagpur
Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation
More informationEfficient Computation of Miller's Algorithm in Pairing-Based Cryptography
University of Windsor Scholarship at UWindsor Electronic Theses and Dissertations 2017 Efficient Computation of Miller's Algorithm in Pairing-Based Cryptography Shun Wang University of Windsor Follow this
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationON THE IMPLEMENTATION OF COMPOSITE-ORDER BILINEAR GROUPS IN CRYPTOGRAPHIC PROTOCOLS SEVERIANO K. SISNEROS THESIS
ON THE IMPLEMENTATION OF COMPOSITE-ORDER BILINEAR GROUPS IN CRYPTOGRAPHIC PROTOCOLS BY SEVERIANO K. SISNEROS THESIS Submitted in partial fulfillment of the requirements for the degree of Master of Science
More informationLecture 3.1: Public Key Cryptography I
Lecture 3.1: Public Key Cryptography I CS 436/636/736 Spring 2015 Nitesh Saxena Today s Informative/Fun Bit Acoustic Emanations http://www.google.com/search?source=ig&hl=en&rlz=&q=keyboard+acoustic+em
More information