Fast, twist-secure elliptic curve cryptography from Q-curves

Similar documents
Non-generic attacks on elliptic curve DLPs

Explicit Complex Multiplication

Families of fast elliptic curves from Q-curves

Advanced Constructions in Curve-based Cryptography

Faster Compact DiffieHellman: Endomorphisms on the x-line

Mappings of elliptic curves

Four-Dimensional GLV Scalar Multiplication

You could have invented Supersingular Isogeny Diffie-Hellman

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Constructing Abelian Varieties for Pairing-Based Cryptography

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Montgomery curves and their arithmetic

Other Public-Key Cryptosystems

Class invariants by the CRT method

GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias

One can use elliptic curves to factor integers, although probably not RSA moduli.

Isogenies in a quantum world

An introduction to supersingular isogeny-based cryptography

Fast Cryptography in Genus 2

Introduction to Elliptic Curve Cryptography. Anupam Datta

ElGamal type signature schemes for n-dimensional vector spaces

Aspects of Pairing Inversion

SM9 identity-based cryptographic algorithms Part 1: General

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Introduction to Elliptic Curve Cryptography

On the complexity of computing discrete logarithms in the field F

Explicit isogenies and the Discrete Logarithm Problem in genus three

Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

Selecting Elliptic Curves for Cryptography Real World Issues

Counting points on elliptic curves over F q

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

Discrete logarithm and related schemes

Loop-abort faults on supersingular isogeny cryptosystems

Pairings for Cryptography

Mathematical analysis of the computational complexity of integer sub-decomposition algorithm

Genus 2 Curves of p-rank 1 via CM method

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 )

Fast point multiplication algorithms for binary elliptic curves with and without precomputation

Public-key Cryptography and elliptic curves

Computing the image of Galois

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Lecture 1: Introduction to Public key cryptography

CSC 774 Advanced Network Security

Other Public-Key Cryptosystems

CSC 774 Advanced Network Security

CPSC 467b: Cryptography and Computer Security

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

Elliptic Curve Cryptography

Math/Mthe 418/818. Review Questions

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Points of High Order on Elliptic Curves ECDSA

A gentle introduction to isogeny-based cryptography

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms

8 Elliptic Curve Cryptography

Modular Multiplication in GF (p k ) using Lagrange Representation

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

Constructing genus 2 curves over finite fields

An improved compression technique for signatures based on learning with errors

Some Efficient Algorithms for the Final Exponentiation of η T Pairing

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products

Edwards Curves and the ECM Factorisation Method

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

An Introduction to Pairings in Cryptography

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

CPSC 467: Cryptography and Computer Security

Introduction to Elliptic Curves

Using semidirect product of (semi)groups in public key cryptography

Using semidirect product of (semi)groups in public key cryptography

Connecting Legendre with Kummer and Edwards

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Katherine Stange. ECC 2007, Dublin, Ireland

Elliptic Curve Cryptography

Generation Methods of Elliptic Curves

Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco

Public Key Algorithms

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

An introduction to the algorithmic of p-adic numbers

Ate Pairing on Hyperelliptic Curves

µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Parameterization of Edwards curves on the rational field Q with given torsion subgroups. Linh Tung Vo

CRYPTANALYSIS OF ELGAMAL TYPE DIGITAL SIGNATURE SCHEMES USING INTEGER DECOMPOSITION

An overview of the XTR public key system

Pseudo-random Number Generation. Qiuliang Tang

Public-key Cryptography and elliptic curves

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Secure Bilinear Diffie-Hellman Bits

A quasi polynomial algorithm for discrete logarithm in small characteristic

Congruent number elliptic curves of high rank

Transcription:

Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16, 2013 Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 1 / 27

Scalar multiplication General ECC situation: We have a cryptosystem based on a cyclic subgroup G E(F q ), #G = N prime #E(F q ) q. To implement the system: want to construct a curve E/F q with 1 a very strong group structure: prime/almost-prime order, 2 fast cryptographic operations:, [2], and [m], 3 fast finite field arithmetic: eg. q = 2 n e with tiny e We want all three of these improvements simultaneously......but in practice, the three properties are not orthogonal. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 2 / 27

Schnorr signatures: Key Generation algorithm System parameters G = P of prime order N, cryptographic hash function H : {0, 1} Z/NZ Output A public/private-key pair (Q, x) G Z/NZ 1 Set x := random(z/nz); // x is the private key 2 Set Q := [x]p; // Q is the public key 3 Return (Q, x). All of the hard work is in computing Q = [x]p. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 3 / 27

Schnorr signatures: Sign algorithm System parameters G = P of prime order N, cryptographic hash function H : {0, 1} Z/NZ Input A message m {0, 1} and a private key x Z/NZ. Output A Schnorr signature (s, e) (Z/NZ) 2. 1 Set k := random(z/nz); 2 Set R := [k]p; 3 Set e := H(m R); // is bitstring concatenation 4 Let s := k xe (mod N); 5 Return (s, e). All of the hard work is in computing R = [k]p. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 4 / 27

Generic binary exponentiation Input m [0..2 β ) and P G Output [m]p // β-bit m, gen. β = log 2 N 1 Compute binary representation m = β 1 i=0 m i2 i (with m i {0, 1}); // normally this is for free 2 Set R := 0 G ; 3 For i in β 1 down to 0, // β iterations 3a Set R := [2]R; 3b Set R := R [m i ]P; // [m i ]P = 0 or P 4 Return R. Optimizations/variations: windows, combs, NAF,... But the bigger the β, the longer it takes. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 5 / 27

Schnorr signatures: Verify algorithm System parameters G = P of prime order N, cryptographic hash function H : {0, 1} Z/NZ Input A signature (s, e) (Z/NZ) 2, a message m {0, 1}, and a public key Q G. Output True if (s, e) is a valid signature on the message m for the user with public key Q, otherwise False. 1 Let R := [s]p [e]q; //= R if s k xe (mod N) 2 Let e := H(m R ); 3 If e = e, then Return True; else Return False. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 6 / 27

Generic binary multiexponentiation Input (a, b) in [0..2 β ) 2, P, Q in G Output [a]p [b]q // eg. β = log 2 N 1 Compute binary reps a = β 1 i=0 a i2 i and b = β 1 i=0 b i2 i 2 Set T 0,0 := 0 G, T 1,0 := P, T 0,1 := Q, T 1,1 := P Q; 3 Set R := 0 G ; 4 For i = β 1 down to 0, // β iterations 4a Set R := [2]R; 4b Set R := R T ai,b i ; 5 Return R. #group ops same as plain exponentiation by max( a, b ). Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 7 / 27

Eigenvalues of endomorphisms In practice: G = Z/NZ is embedded in an ordinary elliptic curve E, which has a much richer structure than Z/NZ : End(G) = Z/NZ but End(E) Z[π], where π : (x, y) (x q, y q ) is Frobenius. If ψ End(E) restricts to an endomorphism of G (that is, ψ(g) G; this happens pretty much all the time): ψ(p) = [λ ψ ]P for all P G We call λ ψ the eigenvalue of ψ on G. Convention: N/2 < λ ψ < N/2. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 8 / 27

Scalar multiplication with an endomorphism Binary exponentiation: can compute [m]p with log 2 m doubles. If ψ has eigenvalue λ ψ on G and (a, b) satisfies m a + bλ ψ (mod N), then for any P in G we have [m]p = [a]p [b]ψ(p) and we can compute the RHS using multiexponentation. Multiexponentiation by (a, b) will beat exponentiation by m if ψ can be evaluated fast (time/space < a few doubles), and we can find a and b significantly shorter than m. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 9 / 27

Scalar multiplication with an endomorphism Lemma: If λ ψ > N 1/2, then we can quickly find a and b such that a + bλ ψ m (mod N) with log 2 max ( a, b ) 1 2 log 2 N + ɛ. (The constant ɛ is easily bounded; constant-length (a, b) are possible.) Great! Now all we need is a source of good E equipped with fast ψ but this turns out to be highly nontrivial. Note: integer multiplications and Frobenius do not make good ψ. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 10 / 27

GLV Curves (Gallant Lambert Vanstone, CRYPTO 2001) Start with an explicit CM curve over Q and reduce mod p. Example (CM by 1) Let p 1 (mod 4); let i be a square root of 1 in F p. Then the curves E a : y 2 = x 3 + ax have an explicit (and extremely efficient) endomorphism ψ : (x, y) ( x, iy). Short scalar decompositions: large eigenvalue λ ψ 1 (mod N). Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 11 / 27

Limitations of GLV The curves E a /F p : y 2 = x 3 + ax look perfect......but we are not always free to choose our own (fast) prime p! Example The 256-bit prime p = 2 255 19 offers very fast field arithmetic. The F p -isomorphism classes of E a /F p are represented by a = 1, 2, 4, 8. 199 bits if a = 1 239 bits if a = 2 Largest prime factor of #E a (F p ) = 175 bits if a = 4 173 bits if a = 8 So we pay for fast arithmetic with at least 17 (/256) bits of group order, which is about 9 (/128) bits of security. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 12 / 27

Other GLV curves We can try other explicit CM curves... But there are hardly any of them! ψ fast generally implies deg ψ very small deg ψ small, ψ / Z = Z[ψ] has small discriminant curves with CM by discriminant have j-invariant classified by Hilbert polynomials H H has very small degree, typically 1 for tiny = only one j-invariant per Only 2, 4, or 6 twists (curves) per j-invariant = a handful of suitable curves, none of which might have (almost)-prime reduction mod p Only 18 GLV curves with endomorphisms faster than doubling. No guarantee any of them have good cryptographic group orders mod p. Curve rarity is a critical weakness of the GLV technique. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 13 / 27

GLS Curves (Galbraith Lin Scott, EUROCRYPT 2009) Start with any curve over F p, extend to F p 2, and use p-th powering on the quadratic twist. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 14 / 27

GLS Curves (Galbraith Lin Scott, EUROCRYPT 2009) Start with any curve over F p, extend to F p 2, and use p-th powering on the quadratic twist. Example Let p 5 (mod 8), take A, B, in F p, take µ in F p 2 with µ nonsquare: E/F p 2 : y 2 = x 3 + µ 2 Ax + µ 3 B has an efficient endomorphism ψ : (x, y) ( x p, iy p ) where i 2 = 1. p-th powering in F p 2 = F p ( D) almost free: (a 0 + a 1 D) p = a 0 a 1 D Good scalar decompositions: λ ψ 1 (mod N). Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 15 / 27

Twist security: the problem with GLS GLS offers p different j-invariants with an extremely fast endomorphism. Some of these j-invariants should give prime/secure order curves. Solves the secure curve choice problem for fixed p! Weak point: built-in twist-insecurity. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 16 / 27

Diffie Hellman key exchange An overly abstract point of view of Diffie Hellman: 1 A and B public fix a group G and a generator X 0 G. G can be a set, not a group 2 A and B choose secret multipliers s A, s B Z/(#G). scalars s A and s B an abelian semigroup acting on G. 3 A computes X A := [s A ]X 0 and makes it public; B computes X B := [s B ]X 0 and makes it public. 4 A and B compute the shared secret [s A s B ]X 0 = [s A ]X B = [s B ]X A. DHP in G (given X 0, [s A ]X 0, [s B ]X 0, find [s A s B ]X 0 ) should be hard. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 17 / 27

Dropping y-coordinates Implementing Diffie Hellman on E : y 2 = x 3 + Ax + B over F q : Working without y-coordinates saves time and a bit of space. We can compute [m] x(p) := x([m]p) in terms of x(p) (and A, B). Similarly, with an endomorphism ψ: Can compute (a + bψ) (x(p)) := x([a]p [b]ψ(p)) in terms of x(p). Algorithmically, no need for y-coordinates Solve x(q) = [s] x(p) = solve Q = [s]p on E Cryptographically, no need for y-coordinates The x-coordinate maps [m] and (a + bψ) work, compose, and commute for any input x, not just x(p) for P E(F q )! Garbage In = Garbage Out. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 18 / 27

Diffie Hellman / Montgomery Curve over F q : E : y 2 = x(x 2 + Ax + 1) Quadratic twist: E : By 2 = x(x 2 + Ax + B), where B is a nonsquare Every α in F q satisfies one of: (α, 0) E[2](F q ) and (α, 0) E [2](F q ) α = x(p) for some P E(F q ) \ E[2](F q ) α = x(p ) for some P E (F q ) \ E [2](F q ) Fault attack (Bernstein, Fouque Réal Lercier Vallette): Sneak in α = x(p E (F q )), then solve the DHP on the twist. = We need almost-prime order for both E and E. GLS curves: twists are (by construction) subfield curves. Largest prime factor in O(p), not O(p 2 ) = built-in weakness. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 19 / 27

Another look at GLS Consider a pair of Galois-conjugate curves over F p 2: E : y 2 = x 3 + Ax + B and (p) E : y 2 = x 3 + A p x + B p. We always have a p-th power Frobenius isogeny π 0 : (p) E E. If E is a GLS curve, then an isomorphism φ : E (p) E, and the GLS endomorphism is ψ := π 0 φ. But existence of an isomorphism = j(e) F p = twist-insecurity! Idea: Let s replace φ with a low degree separable isogeny. Easy source of pairs of separably isogenous Galois-conjugate curves: (mod p reductions of) quadratic Q-curves. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 20 / 27

Q-curves Definition: A quadratic Q-curve of degree d is an elliptic curve Ẽ : y 2 = x 3 + Ax + B over a quadratic field Q( ), without complex multiplication, with a d-isogeny φ : Ẽ σ Ẽ : y 2 = x 3 + σ(a)x + σ(b), where σ is conjugation on Q( ). Where do we find quadratic Q-curves of degree d? Look at the map X 0 (d) X (d) := X 0 (d)/ Atkin Lehners. Q-curves irrational preimages of points in X (d)(q). We want small d for efficiency, and X 0 (d) = P 1 for small d; = one-parameter families of Q-curves Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 21 / 27

Endomorphism recipe Preheat a fast prime p and a nice with ( /p) = 1. Choose a degree-d Q-curve /Q( ) with good reduction at p. = d-isogeny φ : Ẽ σ Ẽ over Q(, d). Reduce φ modulo p (which is inert in Q( ), since ( /p) = 1) = d-isogeny φ : E (p) E over F p ( ). Compose φ with p-powering isogeny π 0 : (p) E E = dp-endomorphism ψ := π 0 φ in End(E), and σ φ φ = [±d] (since Ẽ has no CM), so ψ 2 = [±d]π. Serve hot d small = ψ fast, with big eigenvalue ± ±d (mod N). Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 22 / 27

Hasegawa s universal quadratic Q-curve of degree 2 For any squarefree discriminant and any t in Q, define conjugate curves Ẽ t /Q( ) : y 2 = (x 4)(x 2 + 4x 14 + 18t ), σ Ẽ t /Q( ) : y 2 = (x 4)(x 2 + 4x 14 18t ). Good reduction at every prime p > 3 inert in Q( )! φ : (x, y) There exists a 2-isogeny φ : Ẽt σ Ẽ t, defined by ( ) y f (x), f (x) 2 where f (x) = x 2 9(1 + t ) x 4. Hasegawa: Every degree-2 Q-curve over Q( ) is = Ẽt for some t Q. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 23 / 27

A family of degree-2p endomorphisms Applying the recipe to the whole Hasegawa degree-2 family at once: Take any F p 2 = F p ( ). For every t F p, the curve E t /F p 2 : y 2 = x 3 6(5 3t )x + 8(7 9t ) has an efficient (faster than doubling) endomorphism ( ψ : (x, y) f (x p y p ) ), f (x p ) where f (x p ) = x p 2 2 9(1 t ) (x p 4). We have ψ 2 = [±2]π, so λ ψ = ± ±2 on cryptographic subgroups. Lots of choice: p ɛ different j-invariants in F p 2 (+ codomains) Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 24 / 27

Example Take F p 2 = F p (i) where p = 2 127 1 (Mersenne prime) and i 2 = 1. After a quick search, we find the 254-bit curve E 9245 /F p 2 : y 2 = x 3 30(5 5547i)x + 8(7 83205i) Looking at the curve and its twist, we find E 9245 (F p 2) = Z/2Z Z/NZ and E 9245(F p 2) = Z/2Z Z/N Z, where N and N are 253-bit primes. On either curve, 253-bit scalar multiplications 127-bit multiexponentiations. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 25 / 27

Producing more curves and endomorphisms g(x 0 (d)) = 0 = family of degree-dp endomorphisms Applying the recipe: d = 1: degenerate case, recover twist-insecure GLS curves d = 3: construct prime-order twist-secure curves Hasegawa: one-parameter universal curve family d = 5: construct prime-order twist-prime-order curves Hasegawa = one-parameter family for fixed d = 7: More prime-order twist-prime-order curves Hasegawa: one-parameter universal curve family d 7: Even more curves... But slower and less interesting. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 26 / 27

Go forth and scalar multiply 1-parameter families of elliptic curves over any F p 2 with efficient endomorphisms of degree 2p, 3p, 5p, 7p yielding half-length scalar decompositions. Ready to use: plenty of secure parameters. Details: ASIACRYPT 2013, http://eprint.iacr.org/2013/312 Full version with d = 5 curves coming soon Work in progress (with Costello & Hisil): A fast, open, constant-time implementation Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/2013 27 / 27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback