a sat based approach for index calculus on binary
play

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves - PowerPoint PPT Presentation

Nov 27, 2022 •118 likes •327 views

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based

  1. A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 1/19

  2. Discrete log Defining discrete log Given a finite cyclic group ( G , +) and two elements g , h ∈ G , find x ∈ Z such that h = x · g . Generic attacks Pollard rho, Baby-step Giant-step, Kangaroo Index calculus attack Subexponential in (( Z / p Z ) ∗ , · ). Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 2/19

  3. Index calculus on elliptic curves Let F 2 n be a finite field and E be an elliptic curve defined by E : y 2 + xy = x 3 + ax 2 + b with a , b ∈ F 2 n . Discrete log: Find x , such that xP = Q , where P , Q ∈ E ( F 2 n ). Point decomposition phase of the Index calculus algorithm: Find P 1 , . . . , P m − 1 ∈ E ( F 2 n ), such that P m = P 1 + . . . + P m − 1 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 3/19

  4. Point Decomposition Problem (PDP) Semaev’s summation polynomials (2004) S 2 ( X 1 , X 2 ) = X 1 + X 2 , S 3 ( X 1 , X 2 , X 3 ) = X 2 1 X 2 2 + X 2 1 X 2 3 + X 1 X 2 X 3 + X 2 2 X 2 3 + b , For m ≥ 4 S m ( X 1 , . . . , X m ) = Res X ( S m − k ( X 1 , . . . , X m − k − 1 , X ) , S k +2 ( X m − k , . . . , X m , X )) For P 1 , . . . , P m ∈ E ( F 2 n ) P 1 + . . . + P m = O ⇐ ⇒ S m ( x P 1 , . . . , x P m ) = 0 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 4/19

  5. Gaudry and Diem (2008 and 2009) Weil descent Rewrite the equation S m ( X 1 , . . . , X m ) = 0 as a system of n equations over F 2 . Example (trivial case of m = 2): S 2 ( X 1 , X 2 ) = 0 X 1 + X 2 = 0 ( a 1 , 0 + a 1 , 1 t + . . . + a 1 , n − 1 t n − 1 ) + ( a 2 , 0 + a 2 , 1 t + . . . + a 2 , n − 1 t n − 1 ) = 0 ( a 1 , 0 + a 2 , 0 ) + ( a 1 , 1 + a 2 , 1 ) t + . . . + ( a 1 , n − 1 + a 2 , n − 1 ) t n − 1 = 0 8 a 1 , 0 + a 2 , 0 = 0 > > > > a 1 , 1 + a 2 , 1 = 0 < . . . > > > > a 1 , n − 1 + a 2 , n − 1 = 0 : Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 5/19

  6. Gaudry and Diem (2008 and 2009) Symmetrization Rewrite S m in terms of the elementary symmetric polynomials X = X i 1 , e 1 1 ≤ i 1 ≤ m X = X i 1 X i 2 , e 2 1 ≤ i 1 , i 2 ≤ m . . . Y = X i . e m 1 ≤ i ≤ m Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 6/19

  7. PDP algebraic model Choice of a factor base : an l -dimensional vector subspace V of F 2 n / F 2 . When l ∼ n m the system has a reasonable chance to have a solution. e i -variables X i -variables X 1 = a 1 , 0 + . . . + a 1 , l − 1 t l − 1 e 1 = e 1 , 0 + . . . + e 1 , l − 1 t l − 1 X 2 = a 2 , 0 + . . . + a 2 , l − 1 t l − 1 e 2 = e 2 , 0 + . . . + e 2 , 2 l − 2 t 2 l − 2 . . . . . . X m = a m , 0 + . . . + a m , l − 1 t l − 1 e m = e m , 0 + . . . + e m , m ( l − 1) t m ( l − 1) Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 7/19

  8. PDP algebraic model Two sets of equations Equations defining symmetric polynomials e 1 , 0 = a 1 , 0 + . . . + a m , 0 e 1 , 1 = a 1 , 1 + . . . + a m , 1 . . . e m , m ( l − 1) = a 1 , l · . . . · a m , l . Equations derived from the Weil descent The system is commonly solved using Gr¨ obner basis methods. Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 8/19

  9. Algebraic model to SAT-reasoning model Using sat solvers as a cryptanalytic tool requires expressing the cryptographic problem as a Boolean formula in conjunc- tive normal form ( cnf ) - a conjunction ( ∧ ) of or -clauses. Example. ( ¬ x 1 ∨ x 2 ) ∧ ( ¬ x 2 ∨ x 4 ∨ ¬ x 5 )) ∧ ( x 5 ∨ x 6 ) Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 9/19

  10. Algebraic model to SAT-reasoning model xor -enabled sat solvers are adapted to read a formula in cnf-xor form - a conjunction ( ∧ ) of or -clauses and xor - clauses. Example. ( ¬ x 1 ∨ x 2 ) ∧ ( ¬ x 2 ∨ x 4 ∨ ¬ x 5 )) ∧ ( x 1 ⊕ x 5 ⊕ x 6 ) Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 10/19

  11. Algebraic model to CNF-XOR model Variables in F 2 : Propositional variables: x 1 , x 2 , x 3 , x 4 , x 5 , x 6 . x 1 , x 2 , x 3 , x 4 , x 5 , x 6 with truth values in { true , false } ( x 1 ⊕ ( x 2 ∧ x 4 ) ⊕ ( x 5 ∧ x 6 )) ∧ x 1 + x 2 · x 4 + x 5 · x 6 + 1 = 0 ( x 1 ⊕ x 2 ⊕ x 4 ⊕ x 5 ) ∧ x 1 + x 2 + x 4 + x 5 + 1 = 0 ( x 3 ⊕ x 4 ⊕ ( x 2 ∧ x 4 )) ∧ x 3 + x 4 + x 2 · x 4 + 1 = 0 ( x 2 ⊕ x 5 ⊕ ( x 2 ∧ x 4 ) ⊕ ( x 5 ∧ x 6 )) ∧ x 2 + x 5 + x 2 · x 4 + x 5 · x 6 + 1 = 0 ( x 3 ⊕ x 4 ⊕ x 6 ) x 3 + x 4 + x 6 + 1 = 0 Multiplication in F 2 ( · ) becomes the logical and operation ( ∧ ) and addition in F 2 (+) becomes the logical xor ( ⊕ ). Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 11/19

  12. Algebraic model to CNF-XOR model Add new variable x 7 to substitute the conjunction x 2 ∧ x 4 . We have that x 7 ⇔ ( x 2 ∧ x 4 ) ( x 7 ⇒ ( x 2 ∧ x 4 )) ∧ (( x 2 ∧ x 4 ) ⇒ x 7 ) ¬ x 7 ∨ ( x 2 ∧ x 4 ) ¬ ( x 2 ∧ x 4 ) ∨ x 7 ¬ x 2 ∨ ¬ x 4 ∨ x 7 ( ¬ x 7 ∨ x 2 ) ∧ ( ¬ x 7 ∨ x 4 ) Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 12/19

  13. Algebraic model to CNF-XOR model Propositional variables: x 1 , x 2 , x 3 , x 4 , x 5 , x 6 with truth values in { true , false } ( ¬ x 7 ∨ x 2 ) ∧ ( ¬ x 7 ∨ x 4 ) ∧ ( ¬ x 2 ∨ ¬ x 4 ∨ x 7 ) ∧ ( ¬ x 8 ∨ x 5 ) ∧ ( x 1 ⊕ ( x 2 ∧ x 4 ) ⊕ ( x 5 ∧ x 6 )) ∧ ( ¬ x 8 ∨ x 6 ) ∧ ( x 1 ⊕ x 2 ⊕ x 4 ⊕ x 5 ) ∧ ( ¬ x 5 ∨ ¬ x 6 ∨ x 8 ) ∧ ( x 3 ⊕ x 4 ⊕ ( x 2 ∧ x 4 )) ∧ ( x 1 ⊕ x 7 ⊕ x 8 ) ∧ ( x 2 ⊕ x 5 ⊕ ( x 2 ∧ x 4 ) ⊕ ( x 5 ∧ x 6 )) ∧ ( x 1 ⊕ x 2 ⊕ x 4 ⊕ x 5 ) ∧ ( x 3 ⊕ x 4 ⊕ x 6 ) ( x 3 ⊕ x 4 ⊕ x 7 ) ∧ ( x 2 ⊕ x 5 ⊕ x 7 ⊕ x 8 ) ∧ ( x 3 ⊕ x 4 ⊕ x 6 ) Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 13/19

  14. WDSat algorithm Based on the Davis-Putnam-Logemann-Loveland (DPLL) al- gorithm. Recursively building a binary search-tree of height equivalent (at worst) to the number of variables. x 1 F T x 2 x 2 F F T x 3 X OK F T x 4 x 4 F T F T X X X X Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 14/19

  15. WDSat - Three reasoning modules cnf module Performs unit propagation on cnf -clauses. xorset module Performs unit propagation on the parity constraints. When all except one literal in a xor clause is assigned, we infer the truth value of the last literal according to parity reasoning. xorgauss module Performs Gaussian elimination on the xor system. Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 15/19

  16. WDSat - breaking symmetry Exploiting the symmetry of Semaev’s summation polynomials: when X 1 , ..., X m is a solution, all permutations of this set are a solution as well. Establish the following constraint X 1 ≤ X 2 ≤ . . . ≤ X m . Implement constraint in the solver using a tree-pruning-like technique. Optimizes the complexity by a factor of m !. Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 16/19

  17. Experimental results sat isfiable unsat isfiable Approach l n Runtime #Conflicts Memory Runtime #Conflicts Memory 17 207.220 NA 3601 142.119 NA 3291 6 19 215.187 NA 3940 155.765 NA 4091 Gr¨ obner basis 19 3854.708 NA 38763 2650.696 NA 38408 7 23 3128.844 NA 35203 2286.136 NA 35162 17 15.673 61812 34.5 62.396 260843 39.3 6 19 14.128 53767 33.2 64.563 259688 42.1 CryptoMiniSat 19 176.463 484098 41.5 843.367 2077747 72.3 7 23 300.021 638152 48.9 1012.412 2070190 73.6 17 .601 49117 1.4 3.851 254686 1.4 6 19 .470 38137 1.4 3.913 255491 1.4 WDSat 19 9.643 534867 16.7 44.107 2073089 16.7 7 23 9.303 477632 16.7 47.347 2067168 16.7 17 .220 17792 1.4 .605 43875 1.4 6 19 .243 19166 1.4 .639 44034 1.4 WDSat +br-sym 19 2.205 130062 1.4 6.859 351353 1.4 7 23 3.555 189940 1.4 7.478 350257 1.4 Table: Comparing Gr¨ obner basis and sat -based approaches for solving the pdp . Running times are in seconds and memory is in MB. Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based Approach for Index Calculus 17/19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS156: The Calculus of A : { [ ] , , = } Computation where a [ i ]

CS156: The Calculus of A : { [ ] , , = } Computation where a [ i ]

Arrays I: Quantifier-free Fragment of T A Signature: CS156: The Calculus of A : { [ ] , , = } Computation where a [ i ] binary function Zohar Manna read array a at index i (read( a , i )) Winter 2008

394 views • 14 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p index calculus Classic F needs to check smoothness &lt; p . of many positive integers Smooth integer: integer &gt; y . with no prime divisors y

475 views • 8 slides
Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault nicolast@exp-math.uni-essen.de University of Toronto / IEM Universitt DuisburgEssen Slide index Discrete Log Problem Large primes Hyperelliptic

927 views • 67 slides
Resequencing Calculus Existing Solutions An Early Multivariate Approach Our Solution Revised

Resequencing Calculus Existing Solutions An Early Multivariate Approach Our Solution Revised

Resequencing Calculus Gruenwald and Dwyer The Problem Resequencing Calculus Existing Solutions An Early Multivariate Approach Our Solution Revised Sequence Calculus I Calculus II Calculus III Mark Gruenwald and David Dwyer Strengths

397 views • 38 slides
CS143: Index 1 Topics to Learn Important concepts Dense index vs. sparse index Primary

CS143: Index 1 Topics to Learn Important concepts Dense index vs. sparse index Primary

CS143: Index 1 Topics to Learn Important concepts Dense index vs. sparse index Primary index vs. secondary index (= clustering index vs. non-clustering index) Tree-based vs. hash-based index Tree-based index Indexed

1.7k views • 122 slides
On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne Universit es UPMC, INRIA, CNRS LIP6 1/43 General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = g , +) and h

595 views • 56 slides
Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The discrete-logarithm problem p = 1000003. Define p is prime. Easy to prove: Can we find an integer n 2 f 1 ; 2 ; 3 ; : : : ; p 1 g n mod p =

279 views • 26 slides
Index Investing Core and Satellite Approach to Portfolio Construction Active approach

Index Investing Core and Satellite Approach to Portfolio Construction Active approach

Index Investing Core and Satellite Approach to Portfolio Construction Active approach Core-Satellite approach Index approach Combines best of both worlds Seeks market returns Seeks to outperform Lower cost Higher cost Low

642 views • 29 slides
Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE Antoine JOUX Universit e de Versailles Saint-Quentin, Laboratoire PRISM Eurocrypt 2012

595 views • 44 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
Part II: Lambda Calculus Lambda Calculus is a foundation for functional programs. Its an

Part II: Lambda Calculus Lambda Calculus is a foundation for functional programs. Its an

Part II: Lambda Calculus Lambda Calculus is a foundation for functional programs. Its an operational semantics, based on term rewriting. Lambda Calculus was developed by Alonzo Church in the 1930s and 40s as a theory of

820 views • 42 slides
Binary Search Trees Dictionary Operations: get(key) put(key, value) remove(key)

Binary Search Trees Dictionary Operations: get(key) put(key, value) remove(key)

Binary Search Trees Dictionary Operations: get(key) put(key, value) remove(key) Additional operations: ascend() get(index) (indexed binary search tree) remove(index) (indexed binary search tree) Complexity Of

218 views • 20 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald Lercier 2 , David Naccache 3 , Emmanuel Thom e 4 Elliptic Curve Cryptography 2008 Utrecht 1 DGA and UVSQ 2 DGA and IRMAR 3 ENS 4 INRIA Lorraine 1

538 views • 25 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret

AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret

AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret https://fleuret.org/ammi-2018/ Thu Sep 6 16:00:44 CAT 2018 COLE POLYTECHNIQUE FDRALE DE LAUSANNE Maximum response samples Fran cois Fleuret AMMI

686 views • 45 slides
International Challenge on Informatics and Computational Thinking Informatics Europe Best

International Challenge on Informatics and Computational Thinking Informatics Europe Best

International Challenge on Informatics and Computational Thinking Informatics Europe Best Practices in Education Award 2015 Valentina Dagiene, Wolfgang Pohl www.bebras.org Informatics @ School www.bebras.org ~ 1980: hardware, algorithms

586 views • 17 slides
Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi Google, Inc. Rochester Institute of Technology kak@google.com rlaz@cs.rit.edu Symposium on Usable Privacy and Security (SOUPS) 2009 July 15th-17th,

272 views • 26 slides
NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein University of Illinois at Chicago,

NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein University of Illinois at Chicago,

NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven eprint.iacr.org/2012/318 , eprint.iacr.org/2012/458

769 views • 63 slides
Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda One month later a = a - b

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda One month later a = a - b

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda One month later a = a - b The code x = a a = a + p a = a - b mod p a = a - b a = a - b The code x = a t = a a = a + p a = a - b t += p mod p a ?&gt; t a = a - b

695 views • 52 slides
CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

708 views • 34 slides
M obile Transactions and Synchronization M obile Transactions and Synchronization Can Trker

M obile Transactions and Synchronization M obile Transactions and Synchronization Can Trker

M obile Transactions and Synchronization M obile Transactions and Synchronization Can Trker ETH Zurich S eminar &quot;Ubiquitous Information&quot;, 28.1 1 .2001 ... towards Pervasive Computing ... towards Pervasive Computing Gartner

448 views • 24 slides
Exploiting multilingual lexical resources to predict the compositionality of MWEs Paul Cook

Exploiting multilingual lexical resources to predict the compositionality of MWEs Paul Cook

Exploiting multilingual lexical resources to predict the compositionality of MWEs Paul Cook University of New Brunswick Compositionality Many MWEs exhibit semantic idiomaticity Compositionality: The extent to which the meaning of an MWE

599 views • 38 slides

More recommend