High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Similar documents
A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

D. J. Bernstein University of Illinois at Chicago

Computational algebraic number theory tackles lattice-based cryptography

McBits: fast constant-time code-based cryptography. (to appear at CHES 2013)

Post-Quantum Cryptography

Quantum-resistant cryptography

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

Advances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago

Lattice-Based Cryptography

8 Elliptic Curve Cryptography

Wild McEliece Incognito

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Elliptic Curve Cryptography

Daniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven

Post-Quantum Cryptography & Privacy. Andreas Hülsing

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

MATH 158 FINAL EXAM 20 DECEMBER 2016

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Attacking and defending the McEliece cryptosystem

MaTRU: A New NTRU-Based Cryptosystem

The Elliptic Curve in https

9 Knapsack Cryptography

Short generators without quantum computers: the case of multiquadratics

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein

Applications of Lattice Reduction in Cryptography

Unbelievable Security Matching AES security using public key systems

Chosen-Ciphertext Attacks on Optimized NTRU

Introduction to Quantum Safe Cryptography. ENISA September 2018

Hidden Field Equations

Decoding One Out of Many

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

RSA Cryptosystem and Factorization

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Lecture 1: Introduction to Public key cryptography

Errors, Eavesdroppers, and Enormous Matrices

NTRU Cryptosystem and Its Analysis

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Weaknesses in Ring-LWE

Code-based Cryptography

Lecture 6: Cryptanalysis of public-key algorithms.,

My brief introduction to cryptography

Algebraic Aspects of Symmetric-key Cryptography

Short generators without quantum computers: the case of multiquadratics

Post-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity

Public-Key Cryptosystems CHAPTER 4

Computational algebraic number theory tackles lattice-based cryptography

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Mathematics of Public Key Cryptography

Implementation of Automatic Invertible Matrix Mechanism in NTRU Matrix Formulation Algorithm

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Open problems in lattice-based cryptography

Post-Quantum Cryptography

Hexi McEliece Public Key Cryptosystem

Ti Secured communications

Public-key Cryptography and elliptic curves

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

RSA. Ramki Thurimella

True & Deterministic Random Number Generators

On estimating the lattice security of NTRU

The quantum threat to cryptography

Short generators without quantum computers: the case of multiquadratics

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

ECE297:11 Lecture 12

An overview of the XTR public key system

Ideal Lattices and NTRU

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

On the complexity of computing discrete logarithms in the field F

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Lattice Reduction of Modular, Convolution, and NTRU Lattices

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Elliptic Curve Cryptography with Derive

Post Quantum Cryptography

Introduction to Modern Cryptography. Benny Chor

Mathematics of Cryptography

Public-key Cryptography and elliptic curves

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Double-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Selecting Elliptic Curves for Cryptography Real World Issues

Lattice Cryptography

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Blockchain and Quantum Computing

Discrete logarithm and related schemes

THE RSA CRYPTOSYSTEM

Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017

Code Based Cryptology at TU/e

Algorithms for ray class groups and Hilbert class fields

5199/IOC5063 Theory of Cryptology, 2014 Fall

Computers and Mathematics with Applications

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Transcription:

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Cryptographers Working systems Cryptanalytic algorithm designers Unbroken systems Cryptographic algorithm designers and implementors Efficient systems Cryptographic users

1. Working systems Fundamental question for cryptographers: How can we encrypt, decrypt, sign, verify, etc.? Many answers: DES, Triple DES, FEAL-4, AES, RSA, McEliece encryption, Merkle hash-tree signatures, Merkle Hellman knapsack encryption, Buchmann Williams class-group encryption, ECDSA, HFE v, NTRU, et al.

2. Unbroken systems Fundamental question for pre-quantum cryptanalysts: What can an attacker do using <2 b operations on a classical computer? Fundamental question for post-quantum cryptanalysts: What can an attacker do using <2 b operations on a quantum computer? Goal: identify systems that are not breakable in <2 b operations.

Examples of RSA cryptanalysis: Schroeppel s linear sieve, mentioned in 1978 RSA paper, factors pq into p; q using (2 + o(1)) (lg pq)1=2 (lg lg pq) 1=2 simple operations (conjecturally). To push this beyond 2 b, must choose pq to have at least (0:5 + o(1))b 2 =lg b bits. Note 1: lg = log 2. Note 2: o(1) says nothing about, e.g., b = 128. Today: focus on asymptotics.

1993 Buhler Lenstra Pomerance, generalizing 1988 Pollard number-field sieve, factors pq into p; q using (3:79 : : : + o(1)) (lg pq)1=3 (lg lg pq) 2=3 simple operations (conjecturally). To push this beyond 2 b, must choose pq to have at least (0:015 : : : + o(1))b 3 =(lg b) 2 bits. Subsequent improvements: 3:73 : : :; details of o(1). But can reasonably conjecture that 2 (lg pq)1=3+o(1) is optimal for classical computers.

Cryptographic systems surviving pre-quantum cryptanalysis: Triple DES (for b 112), AES-256 (for b 256), RSA with b 3+o(1) -bit modulus, McEliece with code length b 1+o(1), Merkle signatures with strong b 1+o(1) -bit hash, BW with strong b 2+o(1) - bit discriminant, ECDSA with strong b 1+o(1) -bit curve, HFE v with b 1+o(1) polynomials, NTRU with b 1+o(1) bits, et al.

Typical algorithmic tools for pre-quantum cryptanalysts: NFS,, ISD, LLL, F4, XL, et al. Post-quantum cryptanalysts have all the same tools plus quantum algorithms. Spectacular example: 1994 Shor factors pq into p; q using (lg pq) 2+o(1) simple quantum operations. To push this beyond 2 b, must choose pq to have at least 2 (0:5+o(1))b bits. Yikes.

Cryptographic systems surviving post-quantum cryptanalysis: AES-256 (for b 128), McEliece code-based encryption with code length b 1+o(1), Merkle hash-based signatures with strong b 1+o(1) -bit hash, HFE v MQ signatures with b 1+o(1) polynomials, NTRU lattice-based encryption with b 1+o(1) bits, et al.

3. Efficient systems Fundamental question for designers and implementors of cryptographic algorithms: Exactly how efficient are the unbroken cryptosystems? Many goals: minimize encryption time, size, decryption time, etc. Pre-quantum example: RSA encrypts and verifies in b 3+o(1) simple operations. Signature occupies b 3+o(1) bits.

ECC (with strong curve/f q, reasonable padding, etc.): ECDL costs 2 (1=2+o(1)) lg q by Pollard s rho method. Conjecture: this is the optimal attack against ECC. Can take lg q 2 (2 + o(1))b. Encryption: Fast scalar mult costs (lg q) 2+o(1) = b 2+o(1). Summary: ECC costs b 2+o(1). Asymptotically faster than RSA. Bonus: also b 2+o(1) decryption.

Efficiency is important: users have cost constraints. Cryptographers, cryptanalysts, implementors, etc. tend to focus on RSA and ECC, citing these cost constraints. But Shor breaks RSA and ECC!

Efficiency is important: users have cost constraints. Cryptographers, cryptanalysts, implementors, etc. tend to focus on RSA and ECC, citing these cost constraints. But Shor breaks RSA and ECC! We think that the most efficient unbroken post-quantum systems will be hash-based signatures, code-based encryption, lattice-based encryption, multivariate-quadratic sigs.

1978 McEliece system (with length-n classical Goppa codes, reasonable padding, etc.): Conjecture: Fastest attacks cost 2 (+o(1))n=lg n. Quantum attacks: smaller. Can take n 2 (1= + o(1))b lg b. Encryption: Matrix mult costs n 2+o(1) = b 2+o(1). Summary: McEliece costs b 2+o(1). Hmmm: is this faster than ECC? Need more detailed analysis.

ECC encryption: Θ(lg q) operations in F. q Each operation in F costs q Θ(lg q lg lg q lg lg lg q). Total Θ(b 2 lg b lg lg b).

ECC encryption: Θ(lg q) operations in F. q Each operation in F costs q Θ(lg q lg lg q lg lg lg q). Total Θ(b 2 lg b lg lg b). McEliece encryption, with 1986 Niederreiter speedup: Θ(n=lg n) additions in F n 2, each costing Θ(n). Total Θ(b 2 lg b).

ECC encryption: Θ(lg q) operations in F. q Each operation in F costs q Θ(lg q lg lg q lg lg lg q). Total Θ(b 2 lg b lg lg b). McEliece encryption, with 1986 Niederreiter speedup: Θ(n=lg n) additions in F n 2, each costing Θ(n). Total Θ(b 2 lg b). McEliece is asymptotically faster. Bonus: Even faster decryption. Another bonus: Post-quantum.

Algorithmic advances can change the competition. Examples: 1. Speed up ECC: can reduce lg lg b using 2007 Fürer; maybe someday eliminate lg lg b?

Algorithmic advances can change the competition. Examples: 1. Speed up ECC: can reduce lg lg b using 2007 Fürer; maybe someday eliminate lg lg b? 2. Faster attacks on McEliece: 2010 Bernstein Lange Peters, 2011 May Meurer Thomae, 2012 Becker Joux May Meurer. : : : but still Θ(b 2 lg b).

Algorithmic advances can change the competition. Examples: 1. Speed up ECC: can reduce lg lg b using 2007 Fürer; maybe someday eliminate lg lg b? 2. Faster attacks on McEliece: 2010 Bernstein Lange Peters, 2011 May Meurer Thomae, 2012 Becker Joux May Meurer. : : : but still Θ(b 2 lg b). 3. We re optimizing subfield AG variant of McEliece. Conjecture: Fastest attacks cost 2 (+o(1))n ; encryption Θ(b 2 ).

Code-based encryption Modern version of McEliece: Receiver s public key is random t lg n n matrix K over F 2. Specifies linear F n 2 Typically t lg n 0:2n; e.g., n = 2048, t = 40.! Ft lg n 2. Messages suitable for encryption: m 2 F n 2 : #fi : m i = 1g = t. Encryption of m is Km 2 F t lg n 2. Use hash of m as secret AES- GCM key to encrypt more data.

Attacker, by linear algebra, easily works backwards from Km to some v 2 F n 2 such that Kv = Km. i.e. Attacker finds some element v 2 m + KerK. Note that #KerK 2 n t lg n. Attacker wants to decode v: to find element of KerK at distance only t from v. Presumably unique, revealing m. But decoding isn t easy! Receiver builds K with secret Goppa structure for fast decoding.

Goppa codes Fix q 2 f8; 16; 32; : : :g; t 2 f2; 3; : : : ; b(q 1)= lg qcg; n 2 ft lg q + 1; t lg q + 2; : : : ; qg. e.g. q = 1024, t = 50, n = 1024. or q = 4096, t = 150, n = 3600. Receiver builds a matrix H as the parity-check matrix for the classical (genus-0) irreducible length-n degree-t binary Goppa code defined by a monic degree-t irreducible polynomial g 2 F [x] and q distinct a 1 ; a 2 ; : : : ; a 2 F. n q

: : : which means: H = 0 1 B @ 1 g(a 1 ) 1 g(a ) n a 1 g(a 1 )... a t 1 1 a n g(a n )...... a t 1 g(a 1 ) n g(a n ) C A : View each element of F q as a column in F lg q 2. Then H : F n lg 2! q Ft 2. here

More useful view: Consider the map m 7! P i m i=(x a i ) from F n 2 to F q[x]=g. H is the matrix for this map where F n 2 has standard basis and F q [x]=g has basis bg=xc, g=x 2, : : :, g=x t. One-line proof: In F [x] have q g g(a ) X j i = a j g=x j+1k. i x a i j0 Receiver generates key K as row reduction of H, revealing only KerH.

Lattice-based encryption 1998 Hoffstein Pipher Silverman NTRU (textbook version, without required padding): Receiver s public key is random h 2 ((Z=q)[x]=(x p 1)). Ciphertext: m + rh given m; r 2 (Z=q)[x]=(x p 1); all coefficients in f 1; 0; 1g; #fi : r = 1g = i #fi : r =1g = t. i p: prime; e.g., p = 613. q: power of 2 around 8p, with order (p 1)=2 in (Z=p). t: roughly 0:1p.

Receiver built h = 3g=(1 + 3f) where f; g 2 (Z=q)[x]=(x p 1), all coeffs in f 1; 0; 1g, #fi : f = 1g = i #fi : f =1g = t, i #fi : g = 1g i #fi : g =1g p i 3, both 1 + 3f and g invertible. Given ciphertext c = m + rh, receiver computes (1 + 3f)c = (1 + 3f)m + 3rg in (Z=q)[x]=(x p 1), lifts to Z[x]=(x p 1) with coeffs in f q=2; : : : ; q=2 1g, reduces modulo 3 to obtain m.

Basic attack tool: Lift pairs (u; uh) to Z 2p to obtain a lattice. Attacking key h: (1 + 3f; 3g) is a short vector in this lattice. Attacking ciphertext c: (0; c) is close to lattice vector (r; rh). Standard lattice algorithms (SVP, CVP) cost 2 Θ(p). Nothing subexponential known, even post-quantum.

Take p 2 Θ(b) for security 2 b against all known attacks. Θ(b lg b) bits in key. Time b(lg b) 2+o(1) to multiply in (Z=q)[x]=(x p 1). Time b(lg b) 2+o(1) for encryption, decryption. Excellent overall performance.

Take p 2 Θ(b) for security 2 b against all known attacks. Θ(b lg b) bits in key. Time b(lg b) 2+o(1) to multiply in (Z=q)[x]=(x p 1). Time b(lg b) 2+o(1) for encryption, decryption. Excellent overall performance. The McEliece cryptosystem inspires more confidence but has much larger keys.

Something completely different 1985 H. Lange Ruppert: A(k) has a complete system of addition laws, degree (3; 3). Symmetry ) degree (2; 2). The proof is nonconstructive: : : To determine explicitly a complete system of addition laws requires tedious computations already in the easiest case of an elliptic curve in Weierstrass normal form.

1985 Lange Ruppert: Explicit complete system of 3 addition laws for short Weierstrass curves. Reduce formulas to 53 monomials by introducing extra variables x i y + j x j y, i x i y j x j y. i 1987 Lange Ruppert: Explicit complete system of 3 addition laws for long Weierstrass curves.

1995 Bosma Lenstra: Explicit complete system of 2 addition laws for long Weierstrass curves: X 3 ; Y 3 ; Z 3 ; X 0 3 ; Y 0 3 ; Z0 3 2 Z[a 1 ; a 2 ; a 3 ; a 4 ; a 6 ; X 1 ; Y 1 ; Z 1 ; X 2 ; Y 2 ; Z 2 ].

1995 Bosma Lenstra: Explicit complete system of 2 addition laws for long Weierstrass curves: X 3 ; Y 3 ; Z 3 ; X 0 3 ; Y 0 3 ; Z0 3 2 Z[a 1 ; a 2 ; a 3 ; a 4 ; a 6 ; X 1 ; Y 1 ; Z 1 ; X 2 ; Y 2 ; Z 2 ]. My previous slide in this talk: Bosma Lenstra Y 0 3 ; Z0 3.

1995 Bosma Lenstra: Explicit complete system of 2 addition laws for long Weierstrass curves: X 3 ; Y 3 ; Z 3 ; X 0 3 ; Y 0 3 ; Z0 3 2 Z[a 1 ; a 2 ; a 3 ; a 4 ; a 6 ; X 1 ; Y 1 ; Z 1 ; X 2 ; Y 2 ; Z 2 ]. My previous slide in this talk: Bosma Lenstra Y 0 3 ; Z0 3. Actually, slide shows Publish(Y 0 3 ); Publish(Z0 3 ), where Publish introduces typos.

What this means: For all fields k, all P 2 Weierstrass curves E=k : Y 2 Z + a 1 XY Z + a 3 Y Z 2 = X 3 + a 2 X 2 Z + a 4 XZ 2 + a 6 Z 3, all P 1 = (X 1 : Y 1 : Z 1 ) 2 E(k), all P 2 = (X 2 : Y 2 : Z 2 ) 2 E(k): (X 3 : Y 3 : Z 3 ) is P 1 + P 2 or (0 : 0 : 0); (X 0 3 : Y 0 3 : Z0 3 ) is P 1 + P 2 or (0 : 0 : 0); at most one of these is (0 : 0 : 0).

2009 Bernstein T. Lange: For all fields k with 2 6= 0, all P 1 P 1 Edwards curves E=k : X 2 T 2 + Y 2 Z 2 = Z 2 T 2 + dx 2 Y 2, all P 1 ; P 2 2 E(k), P 1 = ((X 1 : Z 1 ); (Y 1 : T 1 )), P 2 = ((X 2 : Z 2 ); (Y 2 : T 2 )): (X 3 : Z 3 ) is x(p 1 + P 2 ) or (0 : 0); (X 0 3 : Z0 3 ) is x(p 1 + P 2 ) or (0 : 0); (Y 3 : T 3 ) is y(p 1 + P 2 ) or (0 : 0); (Y 0 3 : T 0 3 ) is y(p 1 + P 2 ) or (0 : 0); at most one of these is (0 : 0).

X 3 = X 1 Y 2 Z 2 T 1 + X 2 Y 1 Z 1 T 2, Z 3 = Z 1 Z 2 T 1 T 2 + dx 1 X 2 Y 1 Y 2, Y 3 = Y 1 Y 2 Z 1 Z 2 X 1 X 2 T 1 T 2, T 3 = Z 1 Z 2 T 1 T 2 dx 1 X 2 Y 1 Y 2, X 0 3 = X 1Y 1 Z 2 T 2 + X 2 Y 2 Z 1 T 1, Z 0 3 = X 1X 2 T 1 T 2 + Y 1 Y 2 Z 1 Z 2, Y 0 3 = X 1Y 1 Z 2 T 2 X 2 Y 2 Z 1 T 1, T 0 3 = X 1Y 2 Z 2 T 1 X 2 Y 1 Z 1 T 2. Much, much, much simpler than Lange Ruppert, Bosma Lenstra. Also much easier to prove.

1987 Lenstra: Use Lange Ruppert complete system of addition laws to computationally define group E(R) for more general rings R rings with trivial class group. Define P 2 (R) = f(x : Y : Z) : X; Y; Z 2 R; XR+Y R+ZR = Rg where (X : Y : Z) is the module f(x; Y; Z) : 2 Rg. Define E(R) = f(x : Y : Z) 2 P 2 (R) : Y 2 Z = X 3 + a 4 XZ 2 + a 6 Z 3 g.

To define (and compute) sum (X 1 : Y 1 : Z 1 ) + (X 2 : Y 2 : Z 2 ): Consider (and compute) Lange Ruppert (X 3 : Y 3 : Z 3 ), (X3 0 : Y 3 0 : Z0 3 ), 00 (X3 : Y 3 00 : Z00 3 ). Add these R-modules: f (X 3 ; Y 3 ; Z 3 ) + ( 0 X3 0 ; 0 Y3 0; 0 Z3 0 ) + ( 00 X3 00; 00 Y3 00; 00 Z3 00) : ; 0 ; 00 2 Rg. Express as (X : Y : Z), using trivial class group of R.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback