a brief overwiev of pairings
play

A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. - PowerPoint PPT Presentation

Jul 10, 2023 •24 likes •744 views

Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

  1. Bordeaux — November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu — Overview pairings 0 / 37

  2. Plan of the lecture ◮ Pairings Pairing-friendly curves ◮ Progress of NFS attacks ◮ ◮ Consequences R. Barbulescu — Overview pairings 1 / 37

  3. Definition Definition Let r be an integer, E an elliptic curve with coefficients in a field K , P a point on E with coefficients in K so that [ r ] P = 0 (where [ r ] P := P + · · · + P = 0, r times). Given µ a solution of µ r = 1 in an extension of K , the pairing of E × E with respect to r , P and µ is the map r Z P × Z Z → µ Z / r Z e E , r , P ,µ : r Z P ([ a ] P , [ b ] P ) �→ µ ab . Properties of a pairing e 1. e ([ λ ] P , Q ) = e ( P , Q ) λ = e ([ λ ] Q , P ) 2. e ([ a ] P , [ b 1 ] P + [ b 2 ] P ) = e ([ a ] P , [ b 1 ] P ) · e ([ a ] P , [ b 2 ] P ) 3. if a is such that e ([ a ] P , [ b ] P ) = 1 for all b then a = 0. R. Barbulescu — Overview pairings 2 / 37

  4. Three-party Diffie-Hellman Problem Alice, Bob and Carol use a public elliptic curve E and a pairing e with respect to a point P. Each of the participants broadcast simultaneously an information in a public channel. How can they agree on a common key ? Joux’s protocol 1. Simultaneously, each participant generates a random integer in [0 , r − 1] and broadcasts a multiple of P : • Alice generates a and computes [ a ] P ; • Bob generates b and computes [ b ] P ; • Carol generates c and computes [ c ] P ; 2. Simultaneously, each participant computes the pairing of the received information and computes the common key: • Alice computes e ([ b ] P , [ c ] P ) a ; • Bob computes e ([ c ] P , [ a ] P ) b ; • Carol computes e ([ a ] P , [ b ] P ) c ; Common secret key: µ abc . R. Barbulescu — Overview pairings 3 / 37

  5. Discrete logarithm Definition Given a finite group G generated by an element P of order r , we call discrete logarithm of P a (or [ a ] P in additive notation) in base P the integer a ∈ [0 , r − 1]. The discrete logarithm problem (DLP) consists of computing the discrete logarithm of any element. Generic algorithm A combination of Pohlig-Hellman reduction and Pollard’s rho solves DLP in a generic group G after O ( √ r ) operations, where r is the largest prime factor of # G . Relation to pairings A pairing e : � P � × � P � → K ( µ ) is safe only if n 1. DLP in E [ r ] is hard; (DLP on elliptic curves) if log 2 # G = n , cost= 2 2 √ 3 2. DLP in K ( µ ) is hard. (DLP in finite fields) if log 2 # K ( µ ) = N , cost ≈ exp( N ) R. Barbulescu — Overview pairings 4 / 37

  6. DLP: an example (1) Parameters • p = 12101 • g = 7 is a generator of G = ( Z / p Z ) ∗ • ℓ = 11 is a prime factor of ( p − 1) = # G • B = 10 is the smoothness bound • factor base 2 , 3 , 5 , 7 Finding relations among logs 7 5 mod p = 4706 = 2 · 13 · 181 R. Barbulescu — Overview pairings 5 / 37

  7. DLP: an example (1) Parameters • p = 12101 • g = 7 is a generator of G = ( Z / p Z ) ∗ • ℓ = 11 is a prime factor of ( p − 1) = # G • B = 10 is the smoothness bound • factor base 2 , 3 , 5 , 7 Finding relations among logs 7 5 mod p = 4706 = 2 · 13 · 181 7 6 mod p = 8740 = 2 2 · 5 · 19 · 23 R. Barbulescu — Overview pairings 5 / 37

  8. DLP: an example (1) Parameters • p = 12101 • g = 7 is a generator of G = ( Z / p Z ) ∗ • ℓ = 11 is a prime factor of ( p − 1) = # G • B = 10 is the smoothness bound • factor base 2 , 3 , 5 , 7 Finding relations among logs 7 5 mod p = 4706 = 2 · 13 · 181 7 6 mod p = 8740 = 2 2 · 5 · 19 · 23 7 7 mod p = 675 = 3 3 · 5 2 R. Barbulescu — Overview pairings 5 / 37

  9. DLP: an example (1) Parameters • p = 12101 • g = 7 is a generator of G = ( Z / p Z ) ∗ • ℓ = 11 is a prime factor of ( p − 1) = # G • B = 10 is the smoothness bound • factor base 2 , 3 , 5 , 7 Finding relations among logs 7 5 mod p = 4706 = 2 · 13 · 181 7 6 mod p = 8740 = 2 2 · 5 · 19 · 23 7 7 mod p = 675 = 3 3 · 5 2 The last relation gives: 7 = 3 log 7 3 + 2 log 7 5 R. Barbulescu — Overview pairings 5 / 37

  10. DLP: an example (1) Parameters • p = 12101 • g = 7 is a generator of G = ( Z / p Z ) ∗ • ℓ = 11 is a prime factor of ( p − 1) = # G • B = 10 is the smoothness bound • factor base 2 , 3 , 5 , 7 Finding relations among logs 7 5 mod p = 4706 = 2 · 13 · 181 7 6 mod p = 8740 = 2 2 · 5 · 19 · 23 7 7 mod p = 675 = 3 3 · 5 2 7 8 mod p = . . . The last relation gives: 7 = 3 log 7 3 + 2 log 7 5 25 = 8 log 7 2 + 1 log 7 3 42 = 6 log 7 2 + 2 log 7 5 . R. Barbulescu — Overview pairings 5 / 37

  11. DLP: an example (2) Thanks to the Pohlig-Hellman reduction we do the linear algebra computations modulo ℓ = 11. Linear algebra computations We have to find the unknown log 7 2, log 7 3 and lg 7 5 in the equation       0 3 2 log 7 2 7       8 1 0  · log 7 3  ≡ 25 mod 11 .           6 0 2 log 7 5 42 Conjecture The matrix obtained by the technique above has maximal rank. We can drop all conjectures by modifying the algorithm, but this variant is fast and, even if the matrix has smaller rank we can find logs. Solution We solve to obtain log 7 2 ≡ 0 mod 11; log 7 3 ≡ 3 mod 11 and log 7 5 ≡ 10 mod 11. For this small example we can also use Pollard’s rho method and obtain that log 7 3 = 8869 ≡ 3 mod 11 . R. Barbulescu — Overview pairings 6 / 37

  12. DLP: an example (3) At this point, we know discrete logarithms of the factor base and of smooth numbers: log 7 (10) = log 7 2 + log 7 5 ≡ 10 mod 11 . R. Barbulescu — Overview pairings 7 / 37

  13. DLP: an example (3) At this point, we know discrete logarithms of the factor base and of smooth numbers: log 7 (10) = log 7 2 + log 7 5 ≡ 10 mod 11 . Smoothing by randomization Consider a residue modulo p which is not 10-smooth, e.g. h = 151. We take random exponents a and test is ( g a h ) mod p is B -smooth. 7 3 151 mod p = 3389 R. Barbulescu — Overview pairings 7 / 37

  14. DLP: an example (3) At this point, we know discrete logarithms of the factor base and of smooth numbers: log 7 (10) = log 7 2 + log 7 5 ≡ 10 mod 11 . Smoothing by randomization Consider a residue modulo p which is not 10-smooth, e.g. h = 151. We take random exponents a and test is ( g a h ) mod p is B -smooth. 7 3 151 mod p = 3389 7 4 151 mod p = 11622 = 2 · 3 · 13 · 149 R. Barbulescu — Overview pairings 7 / 37

  15. DLP: an example (3) At this point, we know discrete logarithms of the factor base and of smooth numbers: log 7 (10) = log 7 2 + log 7 5 ≡ 10 mod 11 . Smoothing by randomization Consider a residue modulo p which is not 10-smooth, e.g. h = 151. We take random exponents a and test is ( g a h ) mod p is B -smooth. 7 3 151 mod p = 3389 7 4 151 mod p = 11622 = 2 · 3 · 13 · 149 7 5 151 mod p = 8748 = 2 2 · 3 7 R. Barbulescu — Overview pairings 7 / 37

  16. DLP: an example (3) At this point, we know discrete logarithms of the factor base and of smooth numbers: log 7 (10) = log 7 2 + log 7 5 ≡ 10 mod 11 . Smoothing by randomization Consider a residue modulo p which is not 10-smooth, e.g. h = 151. We take random exponents a and test is ( g a h ) mod p is B -smooth. 7 3 151 mod p = 3389 7 4 151 mod p = 11622 = 2 · 3 · 13 · 149 7 5 151 mod p = 8748 = 2 2 · 3 7 The discrete logarithms of the two members are equal: 5 + log 7 (151) = 2 log 7 2 + 7 log 7 3 . We find log 7 (151) ≡ 3 mod 11. Remark This part of the computations is independent of the relation collection and linear algebra stages. It is called individual logarithm stage. R. Barbulescu — Overview pairings 7 / 37

  17. Comparison among cryptographic primitives p and q N = pq factoring curve, g , g x x ECDLP g x p , g x DLP • elliptic curves: can be hard-coded without loss of security • finite fields: if hard-coded, an attacker can do precomputations, so the cost of DLP becomes equal to that of individual logarithm. R. Barbulescu — Overview pairings 8 / 37

  18. LogJam Records and precise estimations bitsize common part possible for individual logarithm 512 7 . 7 core-years everybody 10 min 768 4 . 5 k core-years academic level 2 days 1024 35 M core-years state level 30 days R. Barbulescu — Overview pairings 9 / 37

  19. LogJam Records and precise estimations bitsize common part possible for individual logarithm 512 7 . 7 core-years everybody 10 min 768 4 . 5 k core-years academic level 2 days 1024 35 M core-years state level 30 days When default parameters are given Among the servers using 512-bit primes (Table 1 Logjam paper): • 82% used the same prime; • 10% more used a second prime; • 8% others used a total of 463 primes. Similar proportions occur for 1024 and 2048-bit primes, and ECDSA. Pairings are vulnerable to LogJam so we must produce pairing-friendly curves on the fly. R. Barbulescu — Overview pairings 9 / 37

  20. Computing pairings Some algorithms for Tate-Lichtenbaum • Miller (see Miller 1986) • Ate (see Barreto-Galbraith-O hEigeataigh and Scott 2007) • Eta (see Hess, Smart and Vercauteren 2006) Cost Depending on the each curve but it grows with • log 2 r , • log 2 ( q k ). R. Barbulescu — Overview pairings 10 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An overwiev of a conjecture of Kitaoka Marcin Mazur An overwiev of a conjecture of Kitaoka

An overwiev of a conjecture of Kitaoka Marcin Mazur An overwiev of a conjecture of Kitaoka

An overwiev of a conjecture of Kitaoka Marcin Mazur An overwiev of a conjecture of Kitaoka p. 1/2 V is a finite dimensional Q -vector space. An overwiev of a conjecture of Kitaoka p. 2/2 V is a finite dimensional Q -vector space. : V

1.28k views • 99 slides
Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of Engineering Aarhus University Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q ) e (

1.52k views • 55 slides
Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of Computing University of Campinas Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q

1.02k views • 58 slides
Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert Inria Bordeaux Sud-Ouest Millers algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Outline

676 views • 50 slides
Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David Lubicz, Damien Robert June 6, 2013 Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Outline 1

833 views • 33 slides
Pairings implementation in the PARI computer algebra system (explained by a mere programmer)

Pairings implementation in the PARI computer algebra system (explained by a mere programmer)

Pairings implementation in the PARI computer algebra system (explained by a mere programmer) jerome.milan (at) lix.polytechnique.fr Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI

739 views • 51 slides
Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks

Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks

Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks Bernd Schulze (with Katie Clinch, Anthony Nixon and Walter Whiteley) Lancaster University June 13, 2019 Bernd Schulze Group pairings with

746 views • 49 slides
The Realm of the Pairings Paulo S. L. M. Barreto Prolegomena Thanks to the organizers of SAC

The Realm of the Pairings Paulo S. L. M. Barreto Prolegomena Thanks to the organizers of SAC

The Realm of the Pairings Paulo S. L. M. Barreto Prolegomena Thanks to the organizers of SAC 2013 for the invitation! Accompanying paper: joint work with D. Aranha, P. Longa and J. Ricardini. I know Im speaking in a marvelous

648 views • 45 slides
Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin

Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin

Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin Deschamps, Aurore Guillevic , Shashank Singh ENS Lyon, Inria Nancy, Loria, CNRS, Universit de Lorraine November 15, 1027 Elliptic Curve

753 views • 43 slides
Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer

Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer

Choosing G 1 and G 2 Ate Pairing Optimal Pairing Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer School - 2011 Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium Pairings on Elliptic

289 views • 24 slides
Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet

Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet

Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet GREYC - LMNO Universit e de Caen Darmstadt 29th of April 2010 1 / 59 Outline Pairing over elliptic curves 1 Definition and properties of

1.55k views • 111 slides
Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zrich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

928 views • 72 slides
Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of Computer Science University of Bras lia Joint work with K. Karabina, P. Longa, C. Gebotys, J. L opez, D. Hankerson, A. Menezes, E. Knapp, F.

759 views • 41 slides
Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Universit Paris Saclay UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet Tired of

350 views • 23 slides
Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David Lubicz 1,2 , Damien Robert 3 1 CLAR 2 IRMAR, Universit de Rennes 1 1 LFANT Team, IMB & Inria Bordeaux Sud-Ouest Motivations Millers

313 views • 30 slides
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got both! (Maybe not quite

509 views • 47 slides
17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack Algorithms leak information Nice example of practice trumping theoretical security Hardening algorithms: randomization Privilege separation

1.11k views • 69 slides
E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald Lercier 2 , David Naccache 3 , Emmanuel Thom e 4 Elliptic Curve Cryptography 2008 Utrecht 1 DGA and UVSQ 2 DGA and IRMAR 3 ENS 4 INRIA Lorraine 1

538 views • 25 slides
Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry Software Engineer, JBoss, Red Hat AeroGear, (Arquillian, RichFaces) Interests HTML5, Web Components, AngularJS Living and

1.17k views • 83 slides
The Frontiers of Continuous Delivery Eberhard Wolff @ewolff http://ewolff.com Fellow

The Frontiers of Continuous Delivery Eberhard Wolff @ewolff http://ewolff.com Fellow

The Frontiers of Continuous Delivery Eberhard Wolff @ewolff http://ewolff.com Fellow http://continuous-delivery-buch.de/ http://continuous-delivery-book.com/ http://microservices-buch.de/ http://microservices-book.com/ FREE!!!!

1k views • 83 slides
Byzantine Techniques Michael George November 29, 2005 Michael George Byzantine Techniques

Byzantine Techniques Michael George November 29, 2005 Michael George Byzantine Techniques

Overview The Byzantine Generals Problem Practical Byzantine Fault Tolerance Conclusion Byzantine Techniques Michael George November 29, 2005 Michael George Byzantine Techniques Overview The Byzantine Generals Problem Practical

940 views • 64 slides
The Byzantine Generals Problem - Kushal Babel Authors Leslie Lamport Turing Award

The Byzantine Generals Problem - Kushal Babel Authors Leslie Lamport Turing Award

The Byzantine Generals Problem - Kushal Babel Authors Leslie Lamport Turing Award Paxos, Lamport Clocks, LaTex... Robert Shostak PhD at Harvard Entrepreneur Marshall Pease Reinvented & Re-branded

822 views • 56 slides
Mixing Hadoop and HPC Workloads on Parallel Filesystems Esteban Molina-Estolano * , Maya Gokhale

Mixing Hadoop and HPC Workloads on Parallel Filesystems Esteban Molina-Estolano * , Maya Gokhale

Mixing Hadoop and HPC Workloads on Parallel Filesystems Esteban Molina-Estolano * , Maya Gokhale , Carlos Maltzahn * , John May , John Bent , Scott Brandt * * UC Santa Cruz, ISSDM, PDSI Lawrence Livermore National Laboratory

516 views • 22 slides
Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound,

Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound,

Modern Cryptology: from public key cryptography to homomorphic encryption 2015/12 Yaound, Cameroun Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Institut de Mathmatiques de Bordeaux quipe MACISA, Laboratoire International de

960 views • 46 slides

More recommend