Reducing the Key Size of Rainbow using Non-Commutative Rings
|
|
- Sharleen Dorsey
- 5 years ago
- Views:
Transcription
1 Reducing the Key Size of Rainbow using Non-Commutative Rings Takanori Yasuda (Institute of systems, Information Technologies and Nanotechnologies (ISIT)), Kouichi Sakurai (ISIT, Kyushu university) and Tsuyoshi Takagi (Kyushu university). 1
2 MQ problem and key size MQ equations Public key = set of coefficients of polynomials m n j i n i m i m i j i m ij n m n j i n i i i j i ij n n j i n i i i j i ij n d c x b x x a x x f d c x b x x a x x f d c x b x x a x x f, 1 1 ) ( ) ( ) ( 1 2, 1 1 (2) (2) (2) 1 2 1, 1 1 (1) (1) (1) 1 1 ),..., ( ),..., ( ),..., ( 2 2) 1)( ( n n m coefficients of number the large key size 2
3 Rainbow Signature of a multilayer variant of UOV Secret key size is also large We reduced by 75%? Rainbow Secret key size Public key size Key size of RSA Ratio (secret key) R(17,13,13) 19.1kB 25.7kB 1369bits 116.6times R(21,16,17) 36.5kB 50.8kB 1937bits 150.7times R(27,19,19) 60.5kB 84.0kB 2560bits 189.0times Reference: A.Petzoldt et al. Selecting Parameters for the Rainbow Signature Scheme, PQCrypto'10, Springer LNCS vol (2010) Reduction by 62% Problem: reduction of key size - reduction of public key CyclicRainbow (INDOCRIPT 10, SCC 10, PKC 11) - reduction of secret key TTS, TRMS 3
4 Proposed scheme Rainbow using non-commutative rings NC - Rainbow( R; v ~, o~, ~,..., ~ 1 o2 o 1 s ) 4
5 Non-commutative rings R : non-commutative ring R : finite dimensional algebra over a finite field K (dimension=r) Fix a K linear isomorphism : K r ~ R Example (quaternion algebra (q : order of K)) Q q ( set) Q q K 1 K i K j K ij, (r = 4), ( product) i 2 j 2 1, ij ji. There is a natural isomorphism : K 4 Q ~ q 5
6 NC - Rainbow( R; v ~, o~, o~,..., o~ s ) (1/2) n : positive number For i = 1,, s ~ Si o~ Central map i ~ G v~ v~ v~ v~ s s 1 {1,..., v~ i }, v~ v~. i 1 i ~ O i { v ~ i 1,..., v~ i 1 ( ~ ~ n~ m~ g,..., ) :, ( ~ ~ ~ ~ 1 g R R m n v ) v 1 g x x x x x x ( k) ( k) k ( 1,..., n) ( i ij j j ij i ) i O, j S h i, j S h n h 1 }, n~ x x ( x x ) h ( k ) ( k,1) ( k,2) i ij j i i i i i S ( k v 1,..., n,,.. R). ( k) ( k) 1 ij 6 1
7 NC - Rainbow( R; v ~, o~, o~,..., o~ s ) (2/2) Key Generation Secret key (n = nr, m = mr) G, two affine transformations Public key ~ F A m~ Signature Generation m M K 1 ~ n~ G : K For message, calculate m~ 1 ~ (1) a ( A1 ( M )), (2) b G in this order. c is a signature. Verification ~ F( c) M If, the signature is accepted. If R=K, then this becomes A 7 2 n A 1 m m : K K, A2 1 K m. ( a), (3) c : K n~ n ( A 1 2 K ( b)) Original Rainbow Rainbow( K; v ~, o~, ~,..., ~ 1 o2 o 1 s n ).
8 Correspondence between NC-Rainbow and Rainbow Theorem There exists a correspondence which holds public key. NC - Rainbow( R; v ~ ~ ~,..., ~ 1, o1, o2 os ) Rainbow( K; rv~, ro~, ro~ 1 1 2,..., ro~ s ) Secret key size of NC-Rainbow m( m 1) n( n 1) s h 1 ro~ (2 v ~ o ~ v~ 2 v ~ Secret key size of corresponding Rainbow m( m 1) n( n 1) s h 1 ~ roh r 2 h v~ o~ h h h h 2 h rv~ ( ~ h rvh 2 h 1 1) rv~ 1) field elements h 1 1 field elements 8
9 Comparison of Secret key size K = GF(256), R = Q 256 (r = 4). Comparison of NC - Rainbow( Q ; ~, ~, ~ ) Rainbow( (256);4 ~,4 ~,4 ~ 256 v1 o1 o2 and GF v1 o1 o2) (v 1, o 1, o 2 ) NC-size Corr. Rainbow R-size ratio (4,3,3) 4.2kB (16,12,12) 15.9kB 26.7% (5,4,4) 8.0kB (20,16,16) 33.6kB 23.9% (7,5,5) 15.1kB (28,20,20) 70.7kB 21.5% (9,6,6) 25.5kB (36,24,24) 128.2kB 19.9% NC-size : Secret key size of NC-Rainbow R-size : Secret key size of corresponding Rainbow ratio = NC-size/R-size 9
10 Reason of reduction of key size Property of regular action R is expressed by a subring of matrix algebra of size r. Q q M ( K 4 entries 16 entries 4, ) M ( d, Qq ) M (4d, K) NC - Rainbow( Q ; ~ ~ ~,..., ~ q v1, o1, o2 os ) Rainbow( K;4 v ~,4 o ~,4 o ~ (Map in Theorem) 4d 2 entries 16d 2 entries ,...,4 o ~ s )
11 Attacks against Rainbow (1/2) Need to analyze attacks against Rainbow to know whether or not they work efficiently against NC-Rainbow. Known attacks against Rainbow Direct attacks Using XL and Grobner basis algorithm etc. UOV attack determine a simultaneous isotropic subspace (which coincides with Oil space in the last layer with high probability) compute invariant spaces of certain matrices UOV-Reconciliation(UOV-R) attack determine a simultaneous isotropic subspace (which coincides with Oil space in the last layer with high probability) Solve a system of equations w.r.t. coefficients of right affine transformation 11
12 Attacks against Rainbow (2/2) Known attacks against Rainbow (continued) MinRank attack determine a matrix with minimal rank among linear combinations of quadratic part of components of public key HighRank attack determine a matrix with the second highest rank among linear combinations of quadratic part of components of public key Rainbow-Band-Separation(RBS) attack transform public key to a form of central map of Rainbow Solve a system of equations w.r.t. coefficients of both affine transformations 12
13 Security for NC-Rainbow l -bit security (K =GF(2 a )) 1. UOV attack 2. MinRank attack 3. HighRank attack 4. UOV-R attack v~ o ~ 1 1 n 2ro~ l / a 1 5. Direct attacks, RBS attack s r o~ v~ ) l / ( 1 1 ro ~ s l / a a same security level against direct attacks A.Petzoldt et al. Selecting Parameters for the Rainbow Signature Scheme, PQCrypto'10, Springer LNCS vol (2010) 13
14 Table of security and secret key size NC - Rainbow( Q ; ~, ~, ~ ) Rainbow( (256);4 ~,4 ~,4 ~ 256 v1 o1 o2 and GF v1 o1 o2) NC-Rainbow (5, 4, 4) (7, 5, 5) (9, 6, 6) Security level 83bits 96bits 107bits Secret key size 8.0kB 15.1kB 25.5kB Corr. Rainbow (20,16,16) (28,20,20) (36,24,24) Secret key size 33.6kB 70.7kB 128.2kB Ratio 23.9% 21.5% 19.9% ratio=secret key size of NCRainbow/Secret key size of corr. Rainbow 14
15 Conclusion Conclusion We proposed a scheme using non-commutative rings, which is regarded as another construction of Rainbow. This scheme can reduce the secret key size in comparison with original Rainbow. In paticular, the secret key size of the proposed NC-Rainbow is reduced by about 75% in the security level of 80 bits. Future works Finding a non-commutative ring with efficient arithmetic operation. Speed up the signature generation 15
16 Dual Exponentiation Schemes Colin D. Walter Information Security Group Royal Holloway University of London 29 Feb 2012
17 The Problem Motivation: New algorithms are always useful as there are always so many different optimisations and conflicting pressures on resource-constrained platforms. Aim: Setting: Better exponentiation on space-limited chip. (Fast memory is expensive.) Mixed base representation for the exponent. Solution: Define a dual for the associated addition chain. Benefits: Derive new algorithms from existing ones; Better understanding of exponentiation. 2 / 30 Dual Exponentiation Colin D. Walter
18 Outline 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 3 / 30 Dual Exponentiation Colin D. Walter
19 Background 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 4 / 30 Dual Exponentiation Colin D. Walter
20 r-ary Exponentiation L2R (Brauer, 1939) Inputs: g G, D = ((d n 1 r+d n 2 )r+... +d 1 )r+d 0 N where 0 d i <r. Output: g D G Initialise table: T [d] g d for all d, 0<d<r. P 1 G for i n 1 downto 0 do { if i n 1 then P P r if d i 0 then P P T [d i ] } return P 5 / 30 Dual Exponentiation Colin D. Walter
21 r-ary Exponentiation R2L (Yao, 1976) Inputs: g G, D = d n 1 r n 1 +d n 2 r n d 1 r 1 +d 0 where 0 d i <r. Output: g D G Initialise table: T [d] 1 G for all d, 0<d<r. P g for i 0 to n 1 do { if d i 0 then T [d i ] T [d i ] P if i n 1 then P P r } return d:0<d<r T [d]d 6 / 30 Dual Exponentiation Colin D. Walter
22 Sliding Window L2R Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where d i {0, ±1, ±3,..., ± 1 2 (r 1)}, r i {2, 2 w } and d i =0 if r i =2. Output: g D G Initialise table: T [d] g d for all d 0. P 1 G for i n 1 downto 0 do { if i n 1 then P P r i if d i 0 then P P T [d i ] } return P 7 / 30 Dual Exponentiation Colin D. Walter
23 Sliding Window R2L Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where d i {0, ±1, ±3,..., ± 1 2 (r 1)}, r i {2, 2 w } and d i =0 if r i =2. Output: g D G Initialise table: T [d] 1 G for all d 0. P g for i 0 to n 1 do { if d i 0 then T [d i ] T [d i ] P if i n 1 then P P r i } return d 0 T [d]d 8 / 30 Dual Exponentiation Colin D. Walter
24 Mixed Base Exponentiation L2R Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where (r i, d i ) R D. Output: g D G Initialise table: T [d] g d for all d D \ {0}. P 1 G for i n 1 downto 0 do { if i n 1 then P P r i if d i 0 then P P T [d i ] } return P 9 / 30 Dual Exponentiation Colin D. Walter
25 Mixed Base Exponentiation R2L Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where (r i, d i ) R D. Output: g D G Initialise table: T [d] 1 G for all d D \ {0}. P g for i 0 to n 1 do { if d i 0 then T [d i ] T [d i ] P if i n 1 then P P r i } return d D\{0} T [d]d 10 / 30 Dual Exponentiation Colin D. Walter
26 A Compact Right-to-Left Algorithm (Arith13, 1997) Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where (r i, d i ) R D. Output: g D G T 1 G P g for i 0 to n 1 do { if d i 0 then T T P d i if i n 1 then P P r i } return T The loop body involves computing P d i en route to P r i. 11 / 30 Dual Exponentiation Colin D. Walter
27 The Transposition Method 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 12 / 30 Dual Exponentiation Colin D. Walter
28 The Computational Di-Graph An addition chain for D yields a computational, acyclic di-graph: n 3 n 5 Here is that for 1+1=2; 1+2=3; 2+3=5. n 1 n 2 For convenience, nodes are numbered so n d represents g d. Addition i+j = k gives directed edges n i n k and n j n k. It is acyclic, with a single root n 1 and a single leaf n 5. All nodes except root n 1 have input degree 2 as all op s are binary. #Ops = #Nodes 1 = 1 2 #Edges. By induction, D = #paths from n 1 to n D. 13 / 30 Dual Exponentiation Colin D. Walter
29 Di-Graph for the Transpose Method n 3 n 5 n 1 n 2 Reverse the edges for the transposition method. Node inputs are again multiplied together. Path count is D, as before. So it again computes g D. Nodes may need merging or expanding to restore in-degree 2. The #binary operations is not changed: 1 2 #edges. This reverses the addition chain in some sense. It doesn t preserve space requirements and without care, sq g & mult n counts may change. 14 / 30 Dual Exponentiation Colin D. Walter
30 Space Duality 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 15 / 30 Dual Exponentiation Colin D. Walter
31 Space-Aware Addition Chains Definition. For a given set of registers, take five classes of atomic op s : Copying one register to another; Copying one register to another & initialising source register to 1 G ; In-place squaring of the contents of one register; Multiplying two different registers into one of the input registers; Multiplying two different registers into one of the input registers, & initialising the other input to 1 G. A space-aware addition chain is a sequence of such operations in which the registers are named. Every addition chain can be written as a space-aware addition chain. 16 / 30 Dual Exponentiation Colin D. Walter
32 Matrix Representation Space For a device with two locations, matrix examples of each class are: [ ] [ ] [ ] [ ] [ ,,,, and They act on a column vector containing the values in each register. By omitting more general op ns, this set is closed under transposition. Copy (without initialise) becomes multiplication with initialise, and vice versa. (The red matrices.) Other operations stay in their class under transposition. Definition. The dual of a space-aware chain is its transpose. (The transposed operations are applied in reverse order.) The dual uses the same space but may not have the same mult n count. ]. 17 / 30 Dual Exponentiation Colin D. Walter
33 Matrix Representation Space For a device with two locations, matrix examples of each class are: [ ] [ ] [ ] [ ] [ ,,,, and They act on a column vector containing the values in each register. By omitting more general op ns, this set is closed under transposition. Copy (without initialise) becomes multiplication with initialise, and vice versa. (The red matrices.) Other operations stay in their class under transposition. Definition. The dual of a space-aware chain is its transpose. (The transposed operations are applied in reverse order.) The dual uses the same space but may not have the same mult n count. ]. 17 / 30 Dual Exponentiation Colin D. Walter
34 Matrix Representation Space For a device with two locations, matrix examples of each class are: [ ] [ ] [ ] [ ] [ ,,,, and They act on a column vector containing the values in each register. By omitting more general op ns, this set is closed under transposition. Copy (without initialise) becomes multiplication with initialise, and vice versa. (The red matrices.) Other operations stay in their class under transposition. Definition. The dual of a space-aware chain is its transpose. (The transposed operations are applied in reverse order.) The dual uses the same space but may not have the same mult n count. ]. 17 / 30 Dual Exponentiation Colin D. Walter
35 The Dual Chain An Example R3 R2; R3 R2+R3; R1 I R2; R2 I R3; R2 I R1+R2 In matrices acting on a col mn vector: = The dual (the transpose) is: = i.e. R1 R2; R3 I R2; R2 I R1; R2 R2+R3; R2 I R2+R3 Both have two multiplications and no squarings. Both compute g 3 from g G with R 2 for I/O. 18 / 30 Dual Exponentiation Colin D. Walter
36 Extra Requirements 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 19 / 30 Dual Exponentiation Colin D. Walter
37 The Main Problems 1 #Mults may not be preserved in the dual as copying becomes mult n with initialisation. 2 The dual chain may not compute the same value unless the matrix product is symmetric. To overcome the first of these, extra conditions are required: Select the initialising op n when possible. Eliminate 1 G as an operand. Remove operations whose output is not used. Fix a subset of registers for I/O. (An I/O register must read input and write non-trivial output.) Definition. A space-aware chain is normalised if the above hold. 20 / 30 Dual Exponentiation Colin D. Walter
38 The Main Problems 1 #Mults may not be preserved in the dual as copying becomes mult n with initialisation. 2 The dual chain may not compute the same value unless the matrix product is symmetric. To overcome the first of these, extra conditions are required: Select the initialising op n when possible. Eliminate 1 G as an operand. Remove operations whose output is not used. Fix a subset of registers for I/O. (An I/O register must read input and write non-trivial output.) Definition. A space-aware chain is normalised if the above hold. 20 / 30 Dual Exponentiation Colin D. Walter
39 The Main Problems 1 #Mults may not be preserved in the dual as copying becomes mult n with initialisation. 2 The dual chain may not compute the same value unless the matrix product is symmetric. To overcome the first of these, extra conditions are required: Select the initialising op n when possible. Eliminate 1 G as an operand. Remove operations whose output is not used. Fix a subset of registers for I/O. (An I/O register must read input and write non-trivial output.) Definition. A space-aware chain is normalised if the above hold. 20 / 30 Dual Exponentiation Colin D. Walter
40 Counting Ones Instances of 1 G or arise from: a) Initial value of a non-input register. b) Initialised by copy or mult n op n. Instances of 1 G or finish their lives as: c) Final value in a non-output register. d) Overwritten by a copy op n. Since #a = #c, we conclude #b = #d. Subtracting the #{copies with init n } from #b and #d, we have #Mult ns with init n = #Copies without init n These op n types are swapped in the dual & others stay as they are. So: Theorem. For a normalised space-aware chain, #Mult ns & #Sq res are the same for the dual. 21 / 30 Dual Exponentiation Colin D. Walter
41 Counting Ones Instances of 1 G or arise from: a) Initial value of a non-input register. b) Initialised by copy or mult n op n. Instances of 1 G or finish their lives as: c) Final value in a non-output register. d) Overwritten by a copy op n. Since #a = #c, we conclude #b = #d. Subtracting the #{copies with init n } from #b and #d, we have #Mult ns with init n = #Copies without init n These op n types are swapped in the dual & others stay as they are. So: Theorem. For a normalised space-aware chain, #Mult ns & #Sq res are the same for the dual. 21 / 30 Dual Exponentiation Colin D. Walter
42 Counting Ones Instances of 1 G or arise from: a) Initial value of a non-input register. b) Initialised by copy or mult n op n. Instances of 1 G or finish their lives as: c) Final value in a non-output register. d) Overwritten by a copy op n. Since #a = #c, we conclude #b = #d. Subtracting the #{copies with init n } from #b and #d, we have #Mult ns with init n = #Copies without init n These op n types are swapped in the dual & others stay as they are. So: Theorem. For a normalised space-aware chain, #Mult ns & #Sq res are the same for the dual. 21 / 30 Dual Exponentiation Colin D. Walter
43 Counting Ones Instances of 1 G or arise from: a) Initial value of a non-input register. b) Initialised by copy or mult n op n. Instances of 1 G or finish their lives as: c) Final value in a non-output register. d) Overwritten by a copy op n. Since #a = #c, we conclude #b = #d. Subtracting the #{copies with init n } from #b and #d, we have #Mult ns with init n = #Copies without init n These op n types are swapped in the dual & others stay as they are. So: Theorem. For a normalised space-aware chain, #Mult ns & #Sq res are the same for the dual. 21 / 30 Dual Exponentiation Colin D. Walter
44 Symmetric Cases If the action of a (multi-) exponentiation function f on registers is described by matrix M then a dual f is described by the transpose M T. Theorem a) f computes the same values as f iff its matrix is symmetric. b) In particular, it uses the same registers for output as input. In the normalised case, unused registers give columns of zeros. Used, non-output registers are over-written with 1 G : more zeros. Used, non-input registers are initialised to 1 G : more zeros. So only the sub-matrix M IO on I/O registers need be symmetric. Theorem A normalised space-aware chain for a single exponentiation and its dual compute the same values. (Duals become unique only when written in atomic operations.) 22 / 30 Dual Exponentiation Colin D. Walter
45 Symmetric Cases If the action of a (multi-) exponentiation function f on registers is described by matrix M then a dual f is described by the transpose M T. Theorem a) f computes the same values as f iff its matrix is symmetric. b) In particular, it uses the same registers for output as input. In the normalised case, unused registers give columns of zeros. Used, non-output registers are over-written with 1 G : more zeros. Used, non-input registers are initialised to 1 G : more zeros. So only the sub-matrix M IO on I/O registers need be symmetric. Theorem A normalised space-aware chain for a single exponentiation and its dual compute the same values. (Duals become unique only when written in atomic operations.) 22 / 30 Dual Exponentiation Colin D. Walter
46 Symmetric Cases If the action of a (multi-) exponentiation function f on registers is described by matrix M then a dual f is described by the transpose M T. Theorem a) f computes the same values as f iff its matrix is symmetric. b) In particular, it uses the same registers for output as input. In the normalised case, unused registers give columns of zeros. Used, non-output registers are over-written with 1 G : more zeros. Used, non-input registers are initialised to 1 G : more zeros. So only the sub-matrix M IO on I/O registers need be symmetric. Theorem A normalised space-aware chain for a single exponentiation and its dual compute the same values. (Duals become unique only when written in atomic operations.) 22 / 30 Dual Exponentiation Colin D. Walter
47 New Algorithms 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 23 / 30 Dual Exponentiation Colin D. Walter
48 High Level Algorithms Question: When is an algorithm dualisable if its steps are more complex than the atomic operations? We want to be able to decompose steps independently into atomic op ns yet obtain the normalised property when all steps are concatenated. Solution: For each step the values initially in its non-input registers must not be used and its used non-output registers must be reset to 1 G. The output registers for one step must be the input registers for the next. (Include unused registers in the I/O set for convenience here.) These are only requirements on how steps are realised as space-aware chains. So not a restriction on algorithm formulation. Definition The dual of a high level exponentiation algorithm is that given by transposing its steps and reversing their order. 24 / 30 Dual Exponentiation Colin D. Walter
49 High Level Algorithms Question: When is an algorithm dualisable if its steps are more complex than the atomic operations? We want to be able to decompose steps independently into atomic op ns yet obtain the normalised property when all steps are concatenated. Solution: For each step the values initially in its non-input registers must not be used and its used non-output registers must be reset to 1 G. The output registers for one step must be the input registers for the next. (Include unused registers in the I/O set for convenience here.) These are only requirements on how steps are realised as space-aware chains. So not a restriction on algorithm formulation. Definition The dual of a high level exponentiation algorithm is that given by transposing its steps and reversing their order. 24 / 30 Dual Exponentiation Colin D. Walter
50 High Level Algorithms Question: When is an algorithm dualisable if its steps are more complex than the atomic operations? We want to be able to decompose steps independently into atomic op ns yet obtain the normalised property when all steps are concatenated. Solution: For each step the values initially in its non-input registers must not be used and its used non-output registers must be reset to 1 G. The output registers for one step must be the input registers for the next. (Include unused registers in the I/O set for convenience here.) These are only requirements on how steps are realised as space-aware chains. So not a restriction on algorithm formulation. Definition The dual of a high level exponentiation algorithm is that given by transposing its steps and reversing their order. 24 / 30 Dual Exponentiation Colin D. Walter
51 An Old Algorithm (Arith13, 1997) Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N Output: g D G T 1 G P g for i 0 to n 1 do { if d i 0 then T T P d i if i n 1 then P P r i } return T The loop body involves computing P d i en route to P r i. 25 / 30 Dual Exponentiation Colin D. Walter
52 One Iteration Base/digit pairs (r, d) are chosen for compact, fast performance. Specifically at most one register in addition to P and T. e.g. r = 2 i ±1, d = 2 j will involve i squarings & 2 mult s. It avoids a table entry for each d. There is now a dual algorithm using the same space only three registers. The step T TP d, P P r is achieved by [ r 0 d 1 So the transpose performs the dual op n P P r T d. The sequence of op s is easily determined via the dual. ] = [ r d 0 1 ] T. 26 / 30 Dual Exponentiation Colin D. Walter
53 One Iteration Base/digit pairs (r, d) are chosen for compact, fast performance. Specifically at most one register in addition to P and T. e.g. r = 2 i ±1, d = 2 j will involve i squarings & 2 mult s. It avoids a table entry for each d. There is now a dual algorithm using the same space only three registers. The step T TP d, P P r is achieved by [ r 0 d 1 So the transpose performs the dual op n P P r T d. The sequence of op s is easily determined via the dual. ] = [ r d 0 1 ] T. 26 / 30 Dual Exponentiation Colin D. Walter
54 A New Compact Left-to-Right Algorithm Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N Output: g D G T g P 1 G for i n 1 downto 0 do P P r i T d i return P Loop iterations are computed as described on last slide. It is the dual of the previous R2L algorithm, as just derived. 27 / 30 Dual Exponentiation Colin D. Walter
55 The Value of the Algorithm Table-less exponentiation useful in constrained environments. If space for only three registers and division has the same cost as mult n, the compact algorithms are faster. A left-to-right version allows better use of composite op s, e.g. double-and-add, triple-and-add, quintuple-and-add. Recoding is done on-the-fly for R2L exp n ; in advance for L2R exp n. The recoding typically needs up to 3 times the storage space of D. 28 / 30 Dual Exponentiation Colin D. Walter
56 Conclusion 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 29 / 30 Dual Exponentiation Colin D. Walter
57 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter
58 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter
59 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter
60 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter
61 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter
62 CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA, France Nicolas.Estibals@loria.fr Diego F. Aranha Jean-Luc Beuchat Jérémie Detrey Institute of Computing, University of Campinas, Brazil Graduate School of Systems and Information Engineering, University of Tsukuba, Japan CARAMEL project-team, LORIA, INRIA / Université de Lorraine / CNRS, France /* EPI CARAMEL */ C,A, /* Cryptologie, Arithmétique : */ R,a, /* Matériel et Logiciel */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for (;i--;e=scanf("%" "d",d+i));for(a =*d; ++i<a ;++Q[ i*i% A],R= i[q]? R:i); for(;i --;) for(m =A;M --;N +=!M*Q [E%A ],e+= Q[(A +E*E- R*L* L%A) %A]) for( E=i,L=M,a=4;a;C= i*e+r*m*l,l=(m*e +i*l) %A,E=C%A+a --[d]);printf ("%d" "\n", (e+n* N)/2 /* cc caramel.c; echo f3 f2 f1 f0 p./a.out */ -A);}
63 Pairings and cryptology used as a primitive in many protocols and devices Boneh Lynn Shacham short signature Boneh Franklin identity-based encryption... N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 1 / 14
64 Pairings and cryptology used as a primitive in many protocols and devices Boneh Lynn Shacham short signature Boneh Franklin identity-based encryption... implementations needed for various targets online server high-speed software smart card low-resource hardware reach 128 bits of security (equivalent to AES) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 1 / 14
65 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14
66 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14
67 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab Symmetric pairing (Type-1): G 1 = G 2, exploited by some protocols N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14
68 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab Symmetric pairing (Type-1): G 1 = G 2, exploited by some protocols Choice of the groups: G 1, G 2 : related to an algebraic curve G T : related to the field of definition of the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14
69 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14
70 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14
71 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14
72 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F Solutions to the large base field needed by supersingular curves (Pairing 2010) Use fields of composite extension degree: benefit from faster field arithmetic but requires careful security analysis N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14
73 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F Solutions to the large base field needed by supersingular curves (Pairing 2010) Use fields of composite extension degree: benefit from faster field arithmetic but requires careful security analysis (This work) Use genus-2 hyperelliptic curves: base field will be F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14
74 Elliptic curves E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14
75 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14
76 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O L P,Q Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14
77 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O Q R L P,Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14
78 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O V R Q R L P,Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14
79 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O V R Q R L P,Q P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14
80 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 In practice: K is a finite field F q E(F q ) is a finite group O V R Q R L P,Q P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14
81 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 In practice: K is a finite field F q O V R E(F q ) is a finite group l: a large prime dividing #E(F q ) Use the cyclic subgroup Q R L P,Q E(F q )[l] = {P [l]p = O} P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14
82 Genus-2 hyperelliptic curves C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
83 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
84 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 P 1 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
85 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 P 1 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
86 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 R 1 P 1 R 2 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
87 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 R 1 R 2 P 1 R 1 R 2 Q 1 {P 1, P 2 } + {Q 1, Q 2 } = {R 1, R 2 } N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
88 Genus-2 hyperelliptic curves C(K) not a group! But pairs of points {P 1, P 2 } C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O Q 2 More formally use the Jacobian Jac C (K) P 2 R 1 R 2 P 1 R 1 R 2 Q 1 {P 1, P 2 } + {Q 1, Q 2 } = {R 1, R 2 } N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
89 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q P 1 R 1 R 2 Q 1 D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
90 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q general form of the elements (called divisor) P 1 R 1 R 2 Q 1 D P = (P 1 )+(P 2 ) 2(O) D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
91 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q general form of the elements (called divisor) P 1 R 1 R 2 Q 1 D P = (P 1 )+(P 2 ) 2(O) degenerate form (P) (O) D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14
92 Computing the pairing: Miller s algorithm (elliptic case) e : G 1 G 2 G T Reduced Tate pairing O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14
93 Computing the pairing: Miller s algorithm (elliptic case) P, Reduced Tate pairing e : E(F q )[l] G 2 G T O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14
94 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] G T P, Q k: embedding degree (curve parameter) O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14
95 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] µ l F q k P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14
96 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] µ l F q k P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O Miller functions: f n,p N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14
97 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14
98 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P g [n]p,[n ]P derived from the addition of [n]p and [n ]P g [n]p,[n ]P = L [n]p,[n ]P V [n+n ]P [n]p O [n ]P V [n+n ]P L [n]p,[n ]P [n + n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14
99 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P g [n]p,[n ]P derived from the addition of [n]p and [n ]P compute f l,p thanks to an addition chain in practice: double-and-add log 2 l iterations g [n]p,[n ]P = L [n]p,[n ]P V [n+n ]P [n]p O [n ]P V [n+n ]P L [n]p,[n ]P [n + n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14
100 Miller s algorithm (hyperelliptic case) e : G 1 G 2 G T O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14
101 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14
102 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14
103 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D g [n]d,[n ]D = L [n]d,[n ]D V [n+n ]D O g [n]d,[n ]D derived from the addition of [n]d and [n ]D use Cantor s addition algorithm [n]d [n + n ]D [n ]D L [n]d,[n ]D V [n+n ]D N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14
104 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D g [n]d,[n ]D = L [n]d,[n ]D V [n+n ]D O g [n]d,[n ]D derived from the addition of [n]d and [n ]D use Cantor s addition algorithm double-and-add algorithm log 2 l iterations [n]d L [n]d,[n ]D [n + n ]D V [n+n ]D [n ]D iterations are more complex N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14
105 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14
106 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14
107 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14
108 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = (P 8 ) (O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14
109 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = ([8]P) (O) octupling acts on the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14
110 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = ([8]P) (O) octupling acts on the curve f 8,D has a much simpler expression than f 2,D N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14
111 Constructing the Optimal Eta pairing Algorithm Tate double & add #iterations 2m Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14
112 Constructing the Optimal Eta pairing Algorithm #iterations Tate double & add 2m Tate octuple & add 2m 3 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14
113 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. double & add octuple & add η T pairing 2m 2m 3 m 2 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14
114 Constructing the Optimal Eta pairing Algorithm Tate Tate Barreto et al. double & add octuple & add η T pairing Optimal Ate pairing #iterations 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14
115 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14
116 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing cannot use 2 m -th power Verschiebung: does not act on the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14
117 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 3 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing cannot use 2 m -th power Verschiebung: does not act on the curve but can use 2 3m -th power Verschiebung 33% improvement compared to Barreto et al. s work N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14
118 Considering degenerate divisors Some protocols allow to choose the form of one or two input divisors Consider degenerate divisors of the form (P) (O) only 2 coordinates in F 2 m to represent such a divisor (instead of 4 coordinates for a general one) since octupling acts on the curve: we can work with a point! [8]((P) (O)) = ([8]P) (O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 10 / 14
119 Considering degenerate divisors Some protocols allow to choose the form of one or two input divisors Consider degenerate divisors of the form (P) (O) only 2 coordinates in F 2 m to represent such a divisor (instead of 4 coordinates for a general one) since octupling acts on the curve: we can work with a point! [8]((P) (O)) = ([8]P) (O) We may compute the pairing of two general divisors (GG) one degenerate and one general divisor (DG) halves the amount of computation lot of protocols allow this two degenerate divisors (DD) halves again the amount of computation some protocols still compatible N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 10 / 14
Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves
CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA,
More informationArithmetic operators for pairing-based cryptography
7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationBlock Wiedemann likes Schirokauer maps
Block Wiedemann likes Schirokauer maps E. Thomé INRIA/CARAMEL, Nancy. /* EPI CARAMEL */ C,A, /* Cryptologie, Arithmétique : */ R,a, /* Matériel et Logiciel */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationArithmetic Operators for Pairing-Based Cryptography
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1
More informationOptimised versions of the Ate and Twisted Ate Pairings
Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationArithmetic Operators for Pairing-Based Cryptography
Arithmetic Operators for Pairing-Based Cryptography J.-L. Beuchat 1 N. Brisebarre 2 J. Detrey 3 E. Okamoto 1 1 University of Tsukuba, Japan 2 École Normale Supérieure de Lyon, France 3 Cosec, b-it, Bonn,
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationImplementing Pairing-Based Cryptosystems
Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:
More informationAn Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation
An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation Jean-Luc Beuchat 1 Masaaki Shirase 2 Tsuyoshi Takagi 2 Eiji Okamoto 1 1 Graduate School of Systems and
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationHFERP - A New Multivariate Encryption Scheme
- A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University
More informationEfficient variant of Rainbow using sparse secret keys
Takanori Yasuda 1, Tsuyoshi Takagi 2, and Kouichi Sakurai 1,3 1 Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan 2 Institute of Mathematics for Industry, Kyushu University,
More informationBackground of Pairings
Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings
More informationHardware Acceleration of the Tate Pairing in Characteristic Three
Hardware Acceleration of the Tate Pairing in Characteristic Three CHES 2005 Hardware Acceleration of the Tate Pairing in Characteristic Three Slide 1 Introduction Pairing based cryptography is a (fairly)
More informationPairings at High Security Levels
Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.
More informationEfficient Tate Pairing Computation Using Double-Base Chains
Efficient Tate Pairing Computation Using Double-Base Chains Chang an Zhao, Fangguo Zhang and Jiwu Huang 1 Department of Electronics and Communication Engineering, Sun Yat-Sen University, Guangzhou 510275,
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationAnalysis of Optimum Pairing Products at High Security Levels
Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationAn Algebraic Framework for Cipher Embeddings
An Algebraic Framework for Cipher Embeddings C. Cid 1, S. Murphy 1, and M.J.B. Robshaw 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. 2 France Télécom
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationHyperelliptic curves
1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic
More informationFixed Argument Pairings
craig.costello@qut.edu.au Queensland University of Technology LatinCrypt 2010 Puebla, Mexico Joint work with Douglas Stebila Pairings A mapping e : G 1 G 2 G T : P G 1, Q G 2 and e(p, Q) G T : groups are
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things l Efficient algorithms l Suitable elliptic curves We have
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationTwo Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map
Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map Jung Hee Cheon, Sungmo Park, Sangwoo Park, and Daeho Kim Electronics and Telecommunications Research Institute, 161 Kajong-Dong,Yusong-Gu,
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationOn the Efficiency and Security of Pairing-Based Protocols in the Type 1 and Type 4 Settings
On the Efficiency and Security of Pairing-Based Protocols in the Type 1 and Type 4 Settings Sanjit Chatterjee, Darrel Hankerson, and Alfred Menezes 1 Department of Combinatorics & Optimization, University
More informationA VLSI Algorithm for Modular Multiplication/Division
A VLSI Algorithm for Modular Multiplication/Division Marcelo E. Kaihara and Naofumi Takagi Department of Information Engineering Nagoya University Nagoya, 464-8603, Japan mkaihara@takagi.nuie.nagoya-u.ac.jp
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationAte Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More informationSingular curve point decompression attack
Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015
More informationNo.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such
Vol.17 No.6 J. Comput. Sci. & Technol. Nov. 2002 Selection of Secure Hyperelliptic Curves of g = 2 Based on a Subfield ZHANG Fangguo ( ) 1, ZHANG Futai ( Ξ) 1;2 and WANG Yumin(Π±Λ) 1 1 P.O.Box 119 Key
More informationKatherine Stange. Pairing, Tokyo, Japan, 2007
via via Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Pairing, Tokyo, Japan, 2007 Outline via Definition of an elliptic net via Definition (KS) Let R be an integral domain,
More informationPower Analysis to ECC Using Differential Power between Multiplication and Squaring
Power Analysis to ECC Using Differential Power between Multiplication and Squaring Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Information Technologies Laboratories, Tokyo, Japan akishita@pal.arch.sony.co.jp
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationSpeeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago
Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0
More informationA note on López-Dahab coordinates
A note on López-Dahab coordinates Tanja Lange Faculty of Mathematics, Matematiktorvet - Building 303, Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark tanja@hyperelliptic.org Abstract López-Dahab
More informationEfficient Pairing Computation on Supersingular Abelian Varieties
Efficient airing Computation on Supersingular Abelian Varieties aulo S. L. M. Barreto 1, Steven Galbraith 2, Colm Ó héigeartaigh 3, and Michael Scott 3 1 Department of Computing and Digital Systems Engineering,
More informationTampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014
Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, 2014 1 / 16 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable
More informationEfficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 )
Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 ) Kenneth J. Giuliani 1 and Guang Gong 2 1 Dept. of Combinatorics and Optimization University of Waterloo Waterloo,
More informationDiscrete Logarithm Computation in Hyperelliptic Function Fields
Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University
More informationEfficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields
Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationProblème du logarithme discret sur courbes elliptiques
Problème du logarithme discret sur courbes elliptiques Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM Groupe de travail équipe ARITH LIRMM Vanessa VITSE (UVSQ) DLP over elliptic
More informationMappings of elliptic curves
Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationNumbers. Çetin Kaya Koç Winter / 18
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as
More informationSquare Always Exponentiation
Square Always Exponentiation Christophe Clavier 1 Benoit Feix 1,2 Georges Gagnerot 1,2 Mylène Roussellet 2 Vincent Verneuil 2,3 1 XLIM-Université de Limoges, France 2 INSIDE Secure, Aix-en-Provence, France
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Kristin Lauter, Peter L. Montgomery, and Michael Naehrig Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA {klauter, petmon, mnaehrig}@microsoft.com
More informationECEN 5022 Cryptography
Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,
More informationEfficient Computation of Roots in Finite Fields
Efficient Computation of Roots in Finite Fields PAULO S. L. M. BARRETO (pbarreto@larc.usp.br) Laboratório de Arquitetura e Redes de Computadores (LARC), Escola Politécnica, Universidade de São Paulo, Brazil.
More informationThe Eta Pairing Revisited
1 The Eta Pairing Revisited F. Hess, N.P. Smart and F. Vercauteren Abstract In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Baretto
More informationConstructing c-ary Perfect Factors
Constructing c-ary Perfect Factors Chris J. Mitchell Computer Science Department Royal Holloway University of London Egham Hill Egham Surrey TW20 0EX England. Tel.: +44 784 443423 Fax: +44 784 443420 Email:
More information標数 3 の超特異楕円曲線上の ηt ペアリングの高速実装
九州大学学術情報リポジトリ Kyushu University Institutional Repository 標数 3 の超特異楕円曲線上の ηt ペアリングの高速実装 川原, 祐人九州大学大学院数理学府 https://doi.org/10.15017/21704 出版情報 :Kyushu University, 2011, 博士 ( 機能数理学 ), 課程博士バージョン :published
More informationCover and Decomposition Index Calculus on Elliptic Curves made practical
Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE Antoine JOUX Université de Versailles Saint-Quentin, Laboratoire
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationThe Final Exponentiation in Pairing-Based Cryptography
The Final Exponentiation in Pairing-Based Cryptography Barış Bülent Kırlar Department of Mathematics, Süleyman Demirel University, 3220, Isparta, Turkey Institute of Applied Mathematics, Middle East Technical
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationA Note on Scalar Multiplication Using Division Polynomials
1 A Note on Scalar Multiplication Using Division Polynomials Binglong Chen, Chuangqiang Hu and Chang-An Zhao Abstract Scalar multiplication is the most important and expensive operation in elliptic curve
More informationSubquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach
Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach M A Hasan 1 and C Negre 2 1 ECE Department and CACR, University of Waterloo, Ontario, Canada 2 Team
More informationImplementing the Weil, Tate and Ate pairings using Sage software
Sage days 10, Nancy, France Implementing the Weil, Tate and Ate pairings using Sage software Nadia EL MRABET LIRMM, I3M, Université Montpellier 2 Saturday 11 th October 2008 Outline of the presentation
More informationA Remark on Implementing the Weil Pairing
A Remark on Implementing the Weil Pairing Cheol Min Park 1, Myung Hwan Kim 1 and Moti Yung 2 1 ISaC and Department of Mathematical Sciences, Seoul National University, Korea {mpcm,mhkim}@math.snu.ac.kr
More informationA. Algebra and Number Theory
A. Algebra and Number Theory Public-key cryptosystems are based on modular arithmetic. In this section, we summarize the concepts and results from algebra and number theory which are necessary for an understanding
More informationSpeeding up the Scalar Multiplication on Binary Huff Curves Using the Frobenius Map
International Journal of Algebra, Vol. 8, 2014, no. 1, 9-16 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ija.2014.311117 Speeding up the Scalar Multiplication on Binary Huff Curves Using the
More informationScalar multiplication in compressed coordinates in the trace-zero subgroup
Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland
More informationFaster Pairings on Special Weierstrass Curves
craig.costello@qut.edu.au Queensland University of Technology Pairing 2009 Joint work with Huseyin Hisil, Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Table of contents 1 Introduction The evolution
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationMODEL ANSWERS TO HWK #7. 1. Suppose that F is a field and that a and b are in F. Suppose that. Thus a = 0. It follows that F is an integral domain.
MODEL ANSWERS TO HWK #7 1. Suppose that F is a field and that a and b are in F. Suppose that a b = 0, and that b 0. Let c be the inverse of b. Multiplying the equation above by c on the left, we get 0
More informationEfficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves
Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationOrdinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors
Memoirs of the Faculty of Engineering, Okayama University, Vol. 44, pp. 60-68, January 2010 Ordinary Pairing Friendly Curve of Embedding Degree Whose Order Has Two Large Prime Factors Yasuyuki NOGAMI Graduate
More informationThe point decomposition problem in Jacobian varieties
The point decomposition problem in Jacobian varieties Jean-Charles Faugère2, Alexandre Wallet1,2 1 2 ENS Lyon, Laboratoire LIP, Equipe AriC UPMC Univ Paris 96, CNRS, INRIA, LIP6, Equipe PolSys 1 / 19 1
More informationConstructing Families of Pairing-Friendly Elliptic Curves
Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding
More informationWhat About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol?
What About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol? Nadia EL MRABET LIRMM Laboratory, I3M, CNRS, University Montpellier 2, 161, rue Ada, 34 392 Montpellier,
More information2.2. The Weil Pairing on Elliptic Curves If A and B are r-torsion points on some elliptic curve E(F q d ), let us denote the r-weil pairing of A and B
Weil Pairing vs. Tate Pairing in IBE systems Ezra Brown, Eric Errthum, David Fu October 10, 2003 1. Introduction Although Boneh and Franklin use the Weil pairing on elliptic curves to create Identity-
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationGenerating more MNT elliptic curves
Generating more MNT elliptic curves Michael Scott 1 and Paulo S. L. M. Barreto 2 1 School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie 2 Universidade
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More information