a generalized brezing weng algorithm for constructing
play

A Generalized Brezing-Weng Algorithm for Constructing - PowerPoint PPT Presentation

Sep 14, 2022 •365 likes •537 views

Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Abelian Varieties Analyzing the Algorithm A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties David Freeman Stanford

  1. Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Abelian Varieties Analyzing the Algorithm A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties David Freeman Stanford University, USA Pairing 2008 1 September 2008 David Freeman A Generalized Brezing-Weng Algorithm

  2. Abelian Varieties and Pairing-Based Cryptography Pairing-Based Cryptography Constructing Pairing-Friendly Abelian Varieties Pairing-friendly Abelian Varieties Analyzing the Algorithm Our Result Pairings for cryptography Groups used in pairing-based crypto consist of points of prime order r on abelian varieties A / F q . Elliptic curves are 1-dimensional abelian varieties. Pairings are (variants of) Weil pairing e weil , r : A [ r ] × A [ r ] → µ r ⊂ F × q k or Tate pairing (more complicated). k is the embedding degree of A with respect to r . q k ( ⇔ q k ≡ 1 mod r ). Smallest integer such that µ r ⊂ F × If r , q k are large, discrete log problem (DLP) is infeasible in A [ r ] and F × q k . If k is small, pairings can be computed efficiently (Miller). David Freeman A Generalized Brezing-Weng Algorithm

  3. Abelian Varieties and Pairing-Based Cryptography Pairing-Based Cryptography Constructing Pairing-Friendly Abelian Varieties Pairing-friendly Abelian Varieties Analyzing the Algorithm Our Result Pairing-friendly abelian varieties: first attempts Random abelian varieties Embedding degree of random A / F q with order- r subgroup will be ≈ r . Typical r ≈ 2 160 , so pairing on random A can’t even be computed. Supersingular abelian varieties Embedding degree in dimension g ≤ 6 is k ≤ 7 . 5 g (Rubin-Silverberg). These k are only acceptable for the lowest security levels. Conclusion: need to develop specific constructions of non-supersingular (usually, ordinary ) abelian vareities. David Freeman A Generalized Brezing-Weng Algorithm

  4. Abelian Varieties and Pairing-Based Cryptography Pairing-Based Cryptography Constructing Pairing-Friendly Abelian Varieties Pairing-friendly Abelian Varieties Analyzing the Algorithm Our Result The Problem Find primes q and ordinary abelian varieties A / F q having a subgroup of large prime order r , and 1 prescribed (small) embedding degree k with respect to r . 2 In practice, want r > 2 160 and k ≤ 50. We call such varieties “pairing-friendly.” Want to be able to control the number of bits of r to construct varieties at varying security levels. Want ρ = log ( q g ) / log r close to 1 to maximize efficiency in implementations. David Freeman A Generalized Brezing-Weng Algorithm

  5. Abelian Varieties and Pairing-Based Cryptography Pairing-Based Cryptography Constructing Pairing-Friendly Abelian Varieties Pairing-friendly Abelian Varieties Analyzing the Algorithm Our Result Our contribution We give a method for constructing primes q and ordinary A / F q that have prescribed embedding degree k . arbitrary k , many k , large ρ smaller ρ elliptic curves Cocks-Pinch Brezing-Weng higher dimensions F .-Stevenhagen-Streng This work Kawazoe-Takahashi (next talk) give another approach to filling in the lower-right corner (dimension 2 only). Uses techniques of F .-Stevenhagen-Streng to generalize Brezing-Weng method to arbitrary dimension. David Freeman A Generalized Brezing-Weng Algorithm

  6. Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Frobenius Elements Constructing Pairing-Friendly Abelian Varieties The Brezing-Weng Algorithm Analyzing the Algorithm Generalizing the Brezing-Weng method Algorithm for constructing pairing-friendly A.V. Inputs: embedding degree k , CM field K FSS idea : Construct a π ∈ O K with certain properties modulo r . Brezing-Weng idea : Parametrize subgroup order r as polynomial r ( x ) ∈ Z [ x ] . Combine ideas : Obtain π ( x ) ∈ K [ x ] with FSS properties modulo r ( x ) . For certain x 0 ∈ Z , π ( x 0 ) corresponds (in the sense of Honda-Tate theory) to the Frobenius endomorphism of an A / F q that has embedding degree k with respect to r ( x 0 ) . A can be constructed explicitly using CM methods . David Freeman A Generalized Brezing-Weng Algorithm

  7. Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Frobenius Elements Constructing Pairing-Friendly Abelian Varieties The Brezing-Weng Algorithm Analyzing the Algorithm Generalizing the Brezing-Weng method Complex multiplication: the basics For ordinary, simple, g -dimensional A / F q , End ( A ) ⊗ Q is a CM field K of degree 2 g . K = totally imaginary quadratic extension of totally real field. Frobenius endomorphism π is a q-Weil number in O K . All embeddings K ֒ → K have ππ = q . David Freeman A Generalized Brezing-Weng Algorithm

  8. Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Frobenius Elements Constructing Pairing-Friendly Abelian Varieties The Brezing-Weng Algorithm Analyzing the Algorithm Generalizing the Brezing-Weng method Properties of Frobenius make A / F q pairing-friendly Number of points given by # A ( F q ) = N K / Q ( π − 1 ) . Embedding degree k is order of q = ππ in ( Z / r Z ) × . A has embedding degree k with respect to r iff N K / Q ( π − 1 ) ≡ 0 ( mod r ) (1) Φ k ( ππ ) ≡ 0 ( mod r ) (2) ( Φ k = k th cyclotomic polynomial). Goal: construct a π ∈ O K with properties (1) and (2). David Freeman A Generalized Brezing-Weng Algorithm

  9. Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Frobenius Elements Constructing Pairing-Friendly Abelian Varieties The Brezing-Weng Algorithm Analyzing the Algorithm Generalizing the Brezing-Weng method The Brezing-Weng Algorithm Construct pairing-friendly elliptic curves via the following algorithm: √ Choose embedding degree k , CM field K = Q ( − D ) . 1 Choose irreducible r ( x ) ∈ Z [ x ] such that L = Q [ x ] / ( r ( x )) 2 contains K and ζ k . Compute t ( x ) mapping to ζ k + 1 in L . 3 √ Compute y ( x ) mapping to ( ζ k − 1 ) / − D in L . 4 4 ( t ( x ) 2 + Dy ( x ) 2 ) . Set q ( x ) ← 1 5 Theorem: If q ( x 0 ) is a prime integer for some x 0 , there is an elliptic curve over F q ( x 0 ) with an order- r ( x 0 ) subgroup and embedding degree k . David Freeman A Generalized Brezing-Weng Algorithm

  10. Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Frobenius Elements Constructing Pairing-Friendly Abelian Varieties The Brezing-Weng Algorithm Analyzing the Algorithm Generalizing the Brezing-Weng method Rethinking the Brezing-Weng algorithm √ BW: t ( x ) ≡ ζ k + 1 and y ( x ) ≡ ( ζ k − 1 ) / − D mod r ( x ) . Let r ( x ) be a factor of r ( x ) in K [ x ] . √ Let π ( x ) = 1 2 ( t ( x ) + y ( x ) − D ) . Then π ( x ) ≡ ζ k mod r ( x ) , 1 π ( x ) ≡ 1 mod r ( x ) . 2 This implies that N K [ x ] / Q [ x ] ( π ( x ) − 1 ) ≡ 0 mod r ( x ) (3) Φ k ( π ( x ) π ( x )) ≡ 0 mod r ( x ) (4) so when we plug in any integer x , the pairing-friendly conditions (1) and (2) hold. David Freeman A Generalized Brezing-Weng Algorithm

  11. Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Frobenius Elements Constructing Pairing-Friendly Abelian Varieties The Brezing-Weng Algorithm Analyzing the Algorithm Generalizing the Brezing-Weng method Main idea: A modular approach Easiest case: K Galois cyclic, degree 2 g , Gal ( K / Q ) = � σ � . If L = Q [ x ] / ( r ( x )) is Galois and contains K , then r ( x ) factors into 2 g irreducibles in K [ x ] . Pick a factor r ( x ) of r ( x ) in K [ x ] , and write r ( x ) = r ( x ) · r ( x ) σ · · · r ( x ) σ g − 1 · r ( x ) · r ( x ) σ · · · r ( x ) σ g − 1 σ acts on a polynomial by acting on its coefficients. σ g = complex conjugation. David Freeman A Generalized Brezing-Weng Algorithm

  12. Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Frobenius Elements Constructing Pairing-Friendly Abelian Varieties The Brezing-Weng Algorithm Analyzing the Algorithm Generalizing the Brezing-Weng method Constructing a π ( x ) with prescribed residues r ( x ) = r ( x ) · r ( x ) σ · · · r ( x ) σ g − 1 · r ( x ) · r ( x ) σ · · · r ( x ) σ g − 1 Given ξ ( x ) ∈ K [ x ] , write residues of ξ modulo factors of r ( x ) in K [ x ] as ( α 1 , α 2 , . . . , α g , β 1 , . . . , β g ) ∈ L 2 g . Then residues of ξ ( x ) σ − 1 are ( α 2 , α 3 , . . . , β 1 , β 2 , . . . , α 1 ) ∈ L 2 g , and so on for each ξ ( x ) σ − i , until residues of ξ ( x ) σ g − 1 are ( α g , β 1 , . . . , β g − 1 , β g , . . . , α g − 1 ) ∈ L 2 g . Define π ( x ) = � g − 1 i = 0 ξ ( x ) σ − i . Then π ( x ) mod r ( x ) = � g i = 1 α i , π ( x ) mod r ( x ) = � g i = 1 β i ∈ L . David Freeman A Generalized Brezing-Weng Algorithm

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Constructing Generalized Bent Functions from Trace Forms over Galois Rings Xiaoming Zhang Key

Constructing Generalized Bent Functions from Trace Forms over Galois Rings Xiaoming Zhang Key

Background Bent functions and generalized Bent functions Galois rings Constructions of generalized Bent functions Constructing Generalized Bent Functions from Trace Forms over Galois Rings Xiaoming Zhang Key Laboratory of Mathematics

495 views • 31 slides
Fast Algorithm for Generalized Multinomial Models with Ranking Data Jiaqi Gu (Joint work with

Fast Algorithm for Generalized Multinomial Models with Ranking Data Jiaqi Gu (Joint work with

Fast Algorithm for Generalized Multinomial Models with Ranking Data Jiaqi Gu (Joint work with Prof. Guosheng Yin) June 13, 2019 Department of Statistics and Actuarial Science, HKU Generalized multinomial models Consider d basic cells c 1 , . .

496 views • 11 slides
Generalized Loopy 2U: A New Algorithm for Approximate Inference in Credal Networks Alessandro

Generalized Loopy 2U: A New Algorithm for Approximate Inference in Credal Networks Alessandro

Generalized Loopy 2U: A New Algorithm for Approximate Inference in Credal Networks Alessandro Antonucci, Marco Zaffalon, Sun Yi, Cassio de Campos IDSIA Lugano, Switzerland PGM 08 - Hirtshals September 19th, 2008 Imprecise probabilities

1.04k views • 75 slides
Numerical experiments with a level-set tracking algorithm for generalized diffusion equations

Numerical experiments with a level-set tracking algorithm for generalized diffusion equations

Numerical experiments with a level-set tracking algorithm for generalized diffusion equations Jacob Cheverie and Leandro Fosque Mentor: Marianne Korten Department of Mathematics Kansas State University July 22 nd , 2014 Math REU funded by NSF

618 views • 31 slides
A Fast Greedy Algorithm for Generalized Column Subset Selec:on

A Fast Greedy Algorithm for Generalized Column Subset Selec:on

NIPS'13 Workshop on 1 Greedy Algorithms, Frank-Wolfe and Friends A Fast Greedy Algorithm for Generalized Column Subset Selec:on Ali Ghodsi

567 views • 17 slides
A BRANCH AND BOUND ALGORITHM FOR THE GENERALIZED ASSIGNMENT PROBLEM* G. Terry ROSS University of

A BRANCH AND BOUND ALGORITHM FOR THE GENERALIZED ASSIGNMENT PROBLEM* G. Terry ROSS University of

Mathematical Programming 8 (1975) 91-103. North-Holland Publishing Company A BRANCH AND BOUND ALGORITHM FOR THE GENERALIZED ASSIGNMENT PROBLEM* G. Terry ROSS University of Massachusetts, Amherst, Mass., U.S.A. and Richard M. SOLAND University

246 views • 13 slides
A Multi-start Heuristic Algorithm for the Generalized Traveling Salesman Problem V. Cacchiani, A.

A Multi-start Heuristic Algorithm for the Generalized Traveling Salesman Problem V. Cacchiani, A.

A Multi-start Heuristic Algorithm for the Generalized Traveling Salesman Problem V. Cacchiani, A. E. Fernandez Muritiba and P. Toth University of Bologna (Italy) M. Negreiros Universidade Estadual do Cear, Fortaleza (Brasil) V. Cacchiani, CTW

357 views • 22 slides
Physically-Based Rendering Shih-Chin Weng shihchin.weng@gmail.com What is PBR? The Chemical

Physically-Based Rendering Shih-Chin Weng shihchin.weng@gmail.com What is PBR? The Chemical

Physically-Based Rendering Shih-Chin Weng shihchin.weng@gmail.com What is PBR? The Chemical Brothers - Wide Open, The Mill Physically Based Rendering Simulate materials and lights based on physical laws or observations of real world more

1.48k views • 59 slides
A Distributed Algorithm for Large-Scale Generalized Matching Faraz Makari, Baruch Awerbuch,

A Distributed Algorithm for Large-Scale Generalized Matching Faraz Makari, Baruch Awerbuch,

A Distributed Algorithm for Large-Scale Generalized Matching Faraz Makari, Baruch Awerbuch, Rainer Gemulla, Rohit Khandekar, Julin Mestre, Mauro Sozio Recommender systems Given: A user-item feedback matrix Goal: Recommend additional

433 views • 40 slides
Notes on Neal and Hintons Generalized Expectation Maximization (GEM) Algorithm Mark Johnson

Notes on Neal and Hintons Generalized Expectation Maximization (GEM) Algorithm Mark Johnson

Notes on Neal and Hintons Generalized Expectation Maximization (GEM) Algorithm Mark Johnson Brown University Febuary 2005, updated November 2008 1 Talk overview What kinds of problems does expectation maximization solve? An example

703 views • 15 slides
for Constructing a Reliable MCDS in Probabilistic Wireless Networks Jing He, Zhipeng Cai,

for Constructing a Reliable MCDS in Probabilistic Wireless Networks Jing He, Zhipeng Cai,

WASA 2011 A Genetic Algorithm for Constructing a Reliable MCDS in Probabilistic Wireless Networks Jing He, Zhipeng Cai, Shouling Ji, and Yi Pan Department of Computer Science Georgia State University, Atlanta, GA, 30303 1 O UTLINE

462 views • 15 slides
Constructing non-positively curved spaces and groups Day 2: Algorithms v v Jon McCammond

Constructing non-positively curved spaces and groups Day 2: Algorithms v v Jon McCammond

Constructing non-positively curved spaces and groups Day 2: Algorithms v v Jon McCammond U.C. Santa Barbara 1 Outline I. Algorithm in dimension 3 II. 3-manifolds results III. Higher dimensions: Positive curvature IV. Higher

412 views • 17 slides
Global Illumination II Shih-Chin Weng shihchin.weng@gmail.com Case Study PantaRay from NVidia

Global Illumination II Shih-Chin Weng shihchin.weng@gmail.com Case Study PantaRay from NVidia

Global Illumination II Shih-Chin Weng shihchin.weng@gmail.com Case Study PantaRay from NVidia & Weta Scenario of PantaRay Scenario of PantaRay Case Study: PantaRay Splitting to chunks (green) Bucking van Emde Boas Layout etc.

996 views • 57 slides
Constructing Inverse Probability Weights for Static Constructing Inverse Probability Weights for

Constructing Inverse Probability Weights for Static Constructing Inverse Probability Weights for

Constructing Inverse Probability Weights for Static Constructing Inverse Probability Weights for Interventions Selection Bias Kunjal Patel, DSc MPH Senior Research Scientist Harvard T.H. Chan School of Public Health Acknowledgement Slides

928 views • 61 slides
The Classification of Generalized Riemann Derivatives Stefan Catoiu DePaul University, Chicago

The Classification of Generalized Riemann Derivatives Stefan Catoiu DePaul University, Chicago

Definition and basic properties Generalized vs. Ordinary Differentiation The Classification of Real Generalized Riemann Derivatives The Classification of Complex Generalized Riemann Derivatives The Classification of Generalized Riemann

768 views • 48 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
Implementation of RSA 2048 on GPUs Marcelo E. Kaihara EPFL LACAL Nov. 4, 2010 Motivation

Implementation of RSA 2048 on GPUs Marcelo E. Kaihara EPFL LACAL Nov. 4, 2010 Motivation

Implementation of RSA 2048 on GPUs Marcelo E. Kaihara EPFL LACAL Nov. 4, 2010 Motivation NIST Recommendations for Key Management (SP 800-57) NIST DRAFT recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes (SP

710 views • 32 slides
( t,w ) Threshold schemes " A master key ! (e.g. for a Certificate Authority) is very very

( t,w ) Threshold schemes " A master key ! (e.g. for a Certificate Authority) is very very

( t,w ) Threshold schemes " A master key ! (e.g. for a Certificate Authority) is very very sensitive to exposure or loss exposure makes the whole system untrustable loss makes system inaccessible " extra copies increases

329 views • 4 slides
An Algebraic Approach to the Design of Block Ciphers Jos Valena scar Pereira Tiago

An Algebraic Approach to the Design of Block Ciphers Jos Valena scar Pereira Tiago

An Algebraic Approach to the Design of Block Ciphers Jos Valena scar Pereira Tiago Oliveira { jmvalenca, oscar, tfaoliveira }@di.uminho.pt HASLab, INESC TEC & Univ. of Minho (PT) Mathematical Methods for Cryptography Svolvr,

403 views • 15 slides
Linear congruences: ax b (mod n ) for x Z a x = b in Z n (in particular x {

Linear congruences: ax b (mod n ) for x Z a x = b in Z n (in particular x {

Linear congruences: ax b (mod n ) for x Z a x = b in Z n (in particular x { 0 , 1 , . . . , n 1 } ) [ a ] n [ x ] n = [ b ] n in Z n x Z satisfies ax b (mod n ) if and only if there is y Z such that ax

357 views • 10 slides
Mod 2 linear algebra and tabulation of rational eigenforms Kiran S. Kedlaya Department of

Mod 2 linear algebra and tabulation of rational eigenforms Kiran S. Kedlaya Department of

Mod 2 linear algebra and tabulation of rational eigenforms Kiran S. Kedlaya Department of Mathematics, University of California, San Diego kedlaya@ucsd.edu http://kskedlaya.org/slides/ (see also this SageMathCloud project) Automorphic forms:

821 views • 71 slides
Lecture 2: Terminology and Definitions Abhinav Bhatele, Department of Computer Science

Lecture 2: Terminology and Definitions Abhinav Bhatele, Department of Computer Science

High Performance Computing Systems (CMSC714) Lecture 2: Terminology and Definitions Abhinav Bhatele, Department of Computer Science Announcements ELMS/Canvas page for the course is up: myelms.umd.edu

184 views • 17 slides
F r e e R T O S a n d T C P / I P c o mmu n i c a t i o n : t h e l

F r e e R T O S a n d T C P / I P c o mmu n i c a t i o n : t h e l

A d v a n c e d S c h o o l o n P r o g r a mma b l e S y s t e m- o n - C h i p f o r S c i e n t i f i c I n s t r u me n t a t i o n F r e e R T O S a n d T C P / I

392 views • 27 slides
AMD Naples EPYC Family Alif R Rochman (alifrr2) Robert A Ruester (ruester2) William Sentosa

AMD Naples EPYC Family Alif R Rochman (alifrr2) Robert A Ruester (ruester2) William Sentosa

AMD Naples EPYC Family Alif R Rochman (alifrr2) Robert A Ruester (ruester2) William Sentosa (sentosa2) Overview General Information Layout Security Memory Access Infinity Fabric Pipeline Caching

629 views • 26 slides

More recommend