  1. A short-list of pairing-friendly curves resistant to Special TNFS at the 128-bit security level
Aurore Guillevic, Université de Lorraine, CNRS, Inria, LORIA, Nancy, France (aurore.guillevic@inria.fr)
PKC, June 4, 2020 (slide 1/18)

  2. Bilinear pairing in cryptography
As a black box: $(\mathbb{G}_1, +)$, $(\mathbb{G}_2, +)$, $(\mathbb{G}_T, \cdot)$ are three cyclic groups of large prime order $r$.
A bilinear pairing is a map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ that is
(1) bilinear: $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$;
(2) non-degenerate: $e(G_1, G_2) \neq 1$ for generators $\langle G_1 \rangle = \mathbb{G}_1$, $\langle G_2 \rangle = \mathbb{G}_2$;
(3) efficiently computable.
Mostly used in practice: $e([a]P, [b]Q) = e([b]P, [a]Q) = e(P, Q)^{ab}$.

  3. Examples of applications
• 1984: idea of identity-based encryption (IBE) by Shamir
• 1999: first practical identity-based cryptosystem of Sakai–Ohgishi–Kasahara
• 2000: constructive pairings, Joux's tri-partite key exchange
• 2001: IBE of Boneh–Franklin, short signatures of Boneh–Lynn–Shacham, ...
• broadcast encryption, re-keying
• aggregate signatures
• zero-knowledge (ZK) proofs
• non-interactive ZK proofs (NIZK)
• zk-SNARKs (Zcash, Zexe, ...)

  4. Bilinear pairings rely on
• Discrete Log Problem (DLP): given $g, h \in G$, compute $x$ such that $g^x = h$
• Diffie–Hellman Problem (DHP): given $g, g^a, g^b \in G$, compute $g^{ab}$
• bilinear DLP and DHP
• pairing inversion problem


  9. Pairing-based cryptography
Weil or Tate pairing on an elliptic curve: $e : E(\mathbb{F}_{p^n})[r] \times E(\mathbb{F}_{p^n})[r] \to \mathbb{F}_{p^n}^*$, with $e([a]P, [b]Q) = e(P, Q)^{ab}$. The discrete logarithm problem gains one more dimension: the target group lives in $\mathbb{F}_{p^n}$.
Attacks:
• inversion of $e$: hard problem (exponential)
• discrete logarithm computation in $E(\mathbb{F}_p)$: hard problem (exponential, in $O(\sqrt{r})$)
• discrete logarithm computation in $\mathbb{F}_{p^n}^*$: easier, subexponential → take a large enough field

  10. Pairing-friendly curves are special
$E : y^2 = x^3 + ax + b$ over $\mathbb{F}_p$, with $\#E(\mathbb{F}_p) = p + 1 - t$ having a large prime factor $r$, and discriminant $D$ such that $t^2 - 4p = -Dy^2$, $D$ square-free.
$r \mid p^n - 1$, $\mathbb{G}_T \subset \mathbb{F}_{p^n}$, and $n$ is minimal: $n$ is the embedding degree. Tate pairing: $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$.
When $n$ is small, the curve is pairing-friendly. This is very rare: for a random curve, usually $\log n \sim \log r$ [Balasubramanian–Koblitz].
Embedding degree $n$ (so $\mathbb{G}_T \subset \mathbb{F}_{p^n}$) and the usual families: $n = 2, 6$: supersingular; $n = 3, 4, 6$: MNT; $n = 12$: BN, BLS12; $n = 16$: KSS16; $n = 18$: KSS18; $n = 24$: BLS24.
MNT, $n = 6$: variable $D$, $p(x) = 4x^2 + 1$, $\#E(\mathbb{F}_p) = r(x) = 4x^2 - 2x + 1$.
BN, $n = 12$: $D = 3$ (CM discriminant $-3$), $E : y^2 = x^3 + b$, $p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1$, $r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1$.
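The conditions on this slide (prime-order subgroup, CM equation, minimal embedding degree) can be checked mechanically on a concrete family. The following is an added example, not the talk's Sage script: $p(x)$ and $r(x)$ are the BN polynomials above, while $t(x) = 6x^2 + 1$ and $y(x) = 6x^2 + 4x + 1$ are the standard BN trace and CM parametrisation, assumed here since the slide does not print them. The large seed $2^{110} + 2^{36} + 1$ is the BN-446 seed of the final table; the toy seed $u = -1$ (which gives $p = 19$, $r = 13$) and all function names are this example's own.

```python
"""Checking that a parametrised family really is pairing-friendly, on the BN family.

Added example, not from the slides. p(x), r(x) are the BN polynomials of slide 10;
t(x) = 6x^2 + 1 and y(x) = 6x^2 + 4x + 1 are the standard BN trace and CM
parametrisation (assumed here). The seed 2^110 + 2^36 + 1 is the BN-446 seed of
slide 21; the toy seed u = -1 and the function names are this example's own.
"""
import random


def bn_params(u):
    """BN family: returns (p, r, t, y) with p + 1 - t = r and t^2 - 4p = -3 y^2."""
    p = 36 * u**4 + 36 * u**3 + 24 * u**2 + 6 * u + 1
    r = 36 * u**4 + 36 * u**3 + 18 * u**2 + 6 * u + 1
    t = 6 * u**2 + 1
    y = 6 * u**2 + 4 * u + 1
    return p, r, t, y


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases: a sanity check, not a primality proof."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def embedding_degree(p, r, bound=64):
    """Smallest k with r | p^k - 1 (the order of p modulo r), or None if k > bound."""
    for k in range(1, bound + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def check_curve(p, r, t, D, y, n):
    """Slide-10 conditions: Hasse bound, r | #E(F_p), CM equation, embedding degree n."""
    order = p + 1 - t                       # #E(F_p)
    return {
        "hasse": t * t <= 4 * p,            # |t| <= 2 sqrt(p)
        "r_divides_E": order % r == 0,
        "cofactor": order // r,             # 1 for BN: the curve has prime order
        "cm_equation": t * t - 4 * p == -D * y * y,
        "embedding": embedding_degree(p, r) == n,
        "p_prime": is_probable_prime(p),
        "r_prime": is_probable_prime(r),
        "p_bits": p.bit_length(),
        "r_bits": r.bit_length(),
    }


if __name__ == "__main__":
    for u in (-1, 2**110 + 2**36 + 1):
        p, r, t, y = bn_params(u)
        print(f"u = {u}:", check_curve(p, r, t, 3, y, 12))
```

The embedding-degree test is the one that matters for the rest of the talk: it is what places $\mathbb{G}_T$ in $\mathbb{F}_{p^{12}}$, and hence what decides which NFS variant applies. For the BN-446 seed both $p$ and $r$ come out at 446 bits, as in the final table.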

  11. Choosing pairing-friendly curves
Pairing-based cryptography needs secure, efficient, compact pairing-friendly curves:
• secure against discrete log in $E(\mathbb{F}_p)$, $E(\mathbb{F}_{p^n})$ and $\mathbb{F}_{p^n}$
• efficient for scalar multiplication in $E$, exponentiation in $\mathbb{F}_{p^n}$, and the pairing itself
• compact: key sizes as small as possible
Which curves are the best options?


  13. Discrete Log in $\mathbb{F}_{p^n}$
$\mathbb{F}_{p^n}$ is much less investigated than $\mathbb{F}_p$ or integer factorization, yet there are much better results in pairing-related fields:
• Special NFS in $\mathbb{F}_{p^n}$: Joux–Pierrot 2013
• Tower NFS (TNFS): Barbulescu–Gaudry–Kleinjung 2015
• Extended Tower NFS: Kim–Barbulescu, Kim–Jeong, Sarkar–Singh 2016
These use more structure: subfields.

  14. Complexities
$L_{p^n}(\alpha, c) = \exp\big((c + o(1))(\ln p^n)^{\alpha}(\ln \ln p^n)^{1-\alpha}\big)$
Large characteristic, $p = L_{p^n}(\alpha_p)$ with $\alpha_p > 2/3$: complexity $L_{p^n}(1/3, c)$ with
• NFS: $c = (64/9)^{1/3} \simeq 1.923$
• SNFS (special $p$): $c = (32/9)^{1/3} \simeq 1.526$
Medium characteristic, $p = L_{p^n}(\alpha_p)$ with $1/3 < \alpha_p < 2/3$: complexity $L_{p^n}(1/3, c)$ with
• NFS-HD (Conjugation), prime $n$: $c = (96/9)^{1/3} \simeq 2.201$
• TNFS, composite $n$, best case (when the parameters fit perfectly): $c = (48/9)^{1/3} \simeq 1.747$
• NFS-HD + Joux–Pierrot'13, special $p$: $c = (64/9)^{1/3} \simeq 1.923$
• STNFS, composite $n$ and special $p$, best case: $c = (32/9)^{1/3} \simeq 1.526$

  15. Lenstra–Verheul extrapolation for prime fields
[Figure: $\log_2$ cost (64 to 192) as a function of $\log_2 p$ (1024 to 8192) for two calibrated curves: $L_N(1/3, 1.923)/2^{8.2}$, calibrated on the DL-768 record at cost $2^{68.32}$, and $L_N(1/3, 1.923)/2^{14}$, calibrated on RSA-768 at cost $2^{67}$.]

  16. Estimating key sizes for DL in $\mathbb{F}_{p^n}$
• The latest variants of TNFS (Kim–Barbulescu, Kim–Jeong) seem the most promising for $\mathbb{F}_{p^n}$ with $n$ composite
• We need record computations if we want to extrapolate from asymptotic complexities
• The asymptotic complexities do not correspond to a fixed $n$ but to a ratio between $n$ and $p$
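To make the extrapolation of slides 14 to 16 concrete, here is an added example (not from the slides) that implements $L_{p^n}(\alpha, c)$ with the $c$ constants of slide 14, calibrates it on the DL-768 record as slide 15 does (cost about $2^{68.32}$, which is what puts the NFS curve at $L_N(1/3, 1.923)/2^{8.2}$), and extrapolates to the field sizes of the final table. The function names and the field sizes tried are this example's choices, and this is the crude asymptotic extrapolation the slides warn about, not the refined GS19 cost model behind the talk's table.

```python
"""L-notation cost estimates, calibrated on a record computation and extrapolated.

Added example, not from the slides. Constants c are those of slide 14; the calibration
point (DL-768 in a 768-bit prime field at ~2^68.32) is read off slide 15. Field sizes
and names are this example's own; the o(1) term is dropped throughout.
"""
import math

# c in L_N(1/3, c) for the algorithms listed on slide 14
C_VALUES = {
    "NFS (large p)": (64 / 9) ** (1 / 3),                      # 1.923
    "SNFS (large special p)": (32 / 9) ** (1 / 3),             # 1.526
    "NFS-HD conjugation (prime n)": (96 / 9) ** (1 / 3),       # 2.201
    "TNFS best case (composite n)": (48 / 9) ** (1 / 3),       # 1.747
    "NFS-HD + Joux-Pierrot (special p)": (64 / 9) ** (1 / 3),  # 1.923
    "STNFS best case (composite n, special p)": (32 / 9) ** (1 / 3),  # 1.526
}


def log2_L(field_bits, alpha, c):
    """log2 of L_N(alpha, c) = exp(c (ln N)^alpha (ln ln N)^(1-alpha)), N of field_bits bits."""
    ln_n = field_bits * math.log(2)
    return c * ln_n ** alpha * math.log(ln_n) ** (1 - alpha) / math.log(2)


def calibration_offset(record_bits, record_log2_cost, c, alpha=1 / 3):
    """log2 of the constant dividing L_N so that the curve passes through a record point."""
    return log2_L(record_bits, alpha, c) - record_log2_cost


# DL-768 cost ~2^68.32 (slide 15); this reproduces the 2^8.2 divisor of that slide
DL768_OFFSET = calibration_offset(768, 68.32, C_VALUES["NFS (large p)"])


def estimated_log2_cost(field_bits, c, offset=DL768_OFFSET, alpha=1 / 3):
    """Extrapolated log2 cost of a DL computation in a field of field_bits bits."""
    return log2_L(field_bits, alpha, c) - offset


def security_table(field_sizes=(3072, 4028, 4460, 5376)):
    """Per field size: the estimate for a generic p (NFS) and for a special p (SNFS/STNFS).

    The 'special' column uses c = (32/9)^(1/3), the best-case STNFS constant, i.e. the
    pessimistic assumption that the seed polynomial p(x) is fully exploitable.
    """
    return {
        bits: {
            "generic": round(estimated_log2_cost(bits, C_VALUES["NFS (large p)"]), 1),
            "special": round(estimated_log2_cost(bits, C_VALUES["SNFS (large special p)"]), 1),
        }
        for bits in field_sizes
    }


if __name__ == "__main__":
    print(f"calibration: L_N(1/3, 1.923) / 2^{DL768_OFFSET:.2f}")
    for bits, est in security_table().items():
        print(f"{bits:5d}-bit field: generic p ~2^{est['generic']}, special p ~2^{est['special']}")
```

Two things this reproduces: a 3072-bit prime field lands at roughly $2^{130}$ for a generic prime (the usual "3072 bits for 128-bit security" rule of thumb), and for a 5376-bit $\mathbb{F}_{p^{12}}$ the special-$p$ constant costs about 36 bits of security relative to the generic constant (about $2^{131}$ versus about $2^{167}$), which is why BN-446 and BLS12-446 sit near 132 bits in the final table rather than well above it. Remember the caveat of slide 16: the constant was calibrated on a prime-field record, and no TNFS record exists to calibrate the composite-$n$ constants.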

  17. Largest record computations in $\mathbb{F}_{p^n}$ with NFS (data extracted from DiscreteLogDB by L. Grémy)
Finite field   Size of p^n (bits)   Sieving cost (CPU days)   Authors      Sieving dimension
F_{p^12}       203                  11                        [HAKT13]     7
F_{p^6}        423                  3,400                     [McGR20]     3
F_{p^6}        422                  9,520                     [GGMT17]     3
F_{p^5}        324                  386                       [GGM17]      3
F_{p^4}        392                  510                       [BGGM15b]    2
F_{p^3}        593                  8,400                     [GGM16]      2
F_{p^2}        595                  175                       [BGGM15a]    2
F_p            768                  1,935,825                 [KDLPS17]    2
F_p            795                  1,132,275                 [BGGHTZ19]   2
None of these used TNFS: only NFS and NFS-HD were implemented.

  18. Post-STNFS pairing-friendly curves
• FK18 Fotiadis–Konstantinou: new curves based on $L_{p^n}(c)$
• MSS16 Menezes–Sarkar–Singh: opened the black box of the STNFS algorithm
• BD19 Barbulescu–Duquesne: proposed a cost model, refined key sizes
• FM19 Fotiadis–Martindale: new secure curves based on the BD19 cost model
• GS19 Guillevic–Singh: improved cost model with $\alpha$ and Murphy's $E$ value
• GMT20 Guillevic–Masson–Thomé: variants of Cocks–Pinch curves
• BEG19 Barbulescu–El Mrabet–Ghammam: scanned many possible curves
• This work: applies the GS19 cost model systematically and revisits BEG19

  19. Brezing–Weng generic construction
$r(x)$ ← irreducible polynomial such that $K = \mathbb{Q}[x]/(r(x))$ contains $\zeta_n$, a primitive $n$-th root of unity, and $-D$ is a square in $K$ (e.g. $r(x) \leftarrow \Phi_n(x)$)
$K \leftarrow \mathbb{Q}(\alpha) = \mathbb{Q}[x]/(r(x))$
$a(x)$ ← a polynomial mapping to $a(\alpha) = \zeta_n$ in $K$
$e$ ← integer in $\{1, \ldots, n-1\}$ with $\gcd(e, n) = 1$
$t(x) \leftarrow a(x)^e + 1 \bmod r(x)$
$y(x) \leftarrow (t(x) - 2)/\sqrt{-D} \bmod r(x)$
$p(x) \leftarrow (t(x)^2 + D\,y(x)^2)/4$
if $p(x)$ is not irreducible: return ⊥
if $p(x)$ does not represent primes: return ⊥
return $(p(x), r(x), t(x), y(x), D)$
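The recipe above runs on exact polynomial arithmetic over $\mathbb{Q}$, so it can be reproduced without Sage. The following is an added example, not the talk's code: it implements the slide's steps with polynomials as coefficient lists over `fractions.Fraction`, and instantiates them for $n = 12$, $D = 3$, $r(x) = \Phi_{12}(x)$, $a(x) = x$, $e = 1$, which yields the BLS12 family whose 446-bit member appears in the final table. The square root of $-D$ in $K$ is supplied by the caller ($2x^2 - 1$ squares to $-3$ modulo $\Phi_{12}$, a fact assumed here), and the two "return ⊥" tests of the slide (irreducibility, representing primes) are left to the caller. All helper names are this example's own.

```python
"""Brezing-Weng construction (slide 19) over Q[x]/(r(x)) with exact rational arithmetic.

Added example, not the talk's Sage code. Polynomials are coefficient lists, lowest
degree first, over fractions.Fraction. sqrt(-D) in K is an input; irreducibility and
"represents primes" are not checked here. The BLS12 instance (n = 12, D = 3,
r = Phi_12, a(x) = x, e = 1, s(x) = 2x^2 - 1) and the seed are taken from slides 19/21.
"""
from fractions import Fraction
from itertools import zip_longest
from math import gcd


def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def padd(a, b):
    return trim([x + y for x, y in zip_longest(a, b, fillvalue=Fraction(0))])


def psub(a, b):
    return trim([x - y for x, y in zip_longest(a, b, fillvalue=Fraction(0))])


def pmul(a, b):
    if not a or not b:
        return []
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)


def pscale(a, c):
    return trim([c * x for x in a])


def pdivmod(a, b):
    """Long division in Q[x]: returns (quotient, remainder)."""
    a, b = trim(a), trim(b)
    q = [Fraction(0)] * max(len(a) - len(b) + 1, 0)
    while a and len(a) >= len(b):
        k = len(a) - len(b)
        q[k] = a[-1] / b[-1]
        a = trim([a[i] - (q[k] * b[i - k] if i >= k else 0) for i in range(len(a))])
    return trim(q), a


def pmod(a, b):
    return pdivmod(a, b)[1]


def pcompose_mod(f, g, m):
    """f(g(x)) mod m(x) by Horner's rule; used for a(x)^e, Phi_n(a(x)) and Phi_n(p(x))."""
    acc = []
    for c in reversed(f):
        acc = pmod(padd(pmul(acc, g), [c]), m)
    return acc


def peval(f, u):
    acc = Fraction(0)
    for c in reversed(f):
        acc = acc * u + c
    return acc


def cyclotomic(n):
    """Phi_n(x): x^n - 1 divided by Phi_d(x) for every proper divisor d of n."""
    poly = [Fraction(-1)] + [Fraction(0)] * (n - 1) + [Fraction(1)]
    for d in range(1, n):
        if n % d == 0:
            poly, rem = pdivmod(poly, cyclotomic(d))
            assert rem == []
    return poly


def brezing_weng(n, r, a, e, D, s):
    """Slide-19 recipe. s(x) must satisfy s^2 = -D mod r (sqrt(-D) in K)."""
    assert gcd(e, n) == 1
    assert pcompose_mod(cyclotomic(n), a, r) == [], "a(alpha) is not a primitive n-th root"
    assert pmod(padd(pmul(s, s), [Fraction(D)]), r) == [], "s^2 != -D in K"
    t = pmod(padd(pcompose_mod([Fraction(0)] * e + [Fraction(1)], a, r), [Fraction(1)]), r)
    s_inv = pscale(s, Fraction(-1, D))               # s^2 = -D  =>  1/s = -s/D
    y = pmod(pmul(psub(t, [Fraction(2)]), s_inv), r)
    p = pscale(padd(pmul(t, t), pscale(pmul(y, y), Fraction(D))), Fraction(1, 4))
    return p, r, t, y


def curve_order_cofactor(p, r, t):
    """h(x) with p(x) + 1 - t(x) = h(x) r(x), or None if r(x) does not divide #E."""
    h, rem = pdivmod(padd(psub(p, t), [Fraction(1)]), r)
    return h if rem == [] else None


def embedding_degree_is(n, p, r):
    """r(x) | Phi_n(p(x)): the polynomial form of 'r | p^n - 1 with n minimal'."""
    return pcompose_mod(cyclotomic(n), p, r) == []


def bls12_family():
    r = cyclotomic(12)                                # x^4 - x^2 + 1
    a = [Fraction(0), Fraction(1)]                    # a(x) = x, so a(alpha) = zeta_12
    s = [Fraction(-1), Fraction(0), Fraction(2)]      # 2x^2 - 1 = sqrt(-3) in Q(zeta_12)
    return brezing_weng(12, r, a, 1, 3, s)


def instantiate(p, r, t, u):
    """Integers (p(u), r(u), t(u)); raises if the seed makes p(u) non-integral."""
    vals = [peval(f, u) for f in (p, r, t)]
    assert all(v.denominator == 1 for v in vals), "seed gives non-integral p(u)"
    return tuple(int(v) for v in vals)


if __name__ == "__main__":
    p, r, t, y = bls12_family()
    print("p(x) coefficients:", [str(c) for c in p])   # (x^6 - 2x^5 + 2x^3 + x + 1)/3
    print("t(x):", [str(c) for c in t], "cofactor h(x):", [str(c) for c in curve_order_cofactor(p, r, t)])
    u = -(2**74 + 2**73 + 2**63 + 2**57 + 2**50 + 2**17 + 1)   # BLS12-446 seed, slide 21
    P, R, T = instantiate(p, r, t, u)
    print("bits:", P.bit_length(), R.bit_length(), "k = 12:", embedding_degree_is(12, p, r))
```

The output is the familiar BLS12 parametrisation $p(x) = (x-1)^2(x^4 - x^2 + 1)/3 + x$, $t(x) = x + 1$, with cofactor $h(x) = (x-1)^2/3$, and the seed from the table gives a 446-bit $p$ and a 299-bit $r$ as listed. Note that the seed must satisfy $u \equiv 1 \pmod 3$ for $p(u)$ to be an integer, which is one reason "represents primes" is a separate check in the slide.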

  20. Selection criteria
Curves:
• Brezing–Weng, $6 \le n \le 21$, $D \in \{1, 2, 3, \ldots, n\}$
• BN, BLS, FK, FM, etc.
Security estimate:
• $r$ at least 256 bits
• $3072 \le \log_2 p^n \le 5376$ ($= 448 \times 12$ for BN, BLS12)
• test all possible Special variants of STNFS:
  – for even $p(x) = p(-x)$, let $P(x)$ with $P(x^2) = p(x)$
  – for palindromic $p(x) = x^d\,p(1/x)$, let $P(x)$ with $P(x + 1/x) = 0 \bmod p(x)$
  – for any $p(x) = a_0 + a_1 x + \ldots + a_d x^d$, let $P_i(x)$ with $P_i(u^i) = p(u)$ for $1 < i \le d/2$
  – combine the three above
• test all possible Tower variants of STNFS: test all subfields $\mathbb{F}_{p^i}$ where $i \mid n$

  21. Key size for pairings: short-list, 128-bit security level
CP = Cocks–Pinch, BW = Brezing–Weng, BLS = Barreto–Lynn–Scott, FM = Fotiadis–Martindale
n   curve   D    deg p(x)   p bits   p^n bits   r bits   DL cost in F_{p^n} (bits)   seed u                                           source
6   CP      3    4          672      4028       256      128                         2^128 - 2^124 - 2^69                             GMT20
8   CP      1    8          544      4349       256      131                         2^64 - 2^54 + 2^37 + 2^32 - 4                    GMT20
10  FM15    15   14         446      4460       256      133                         2^32 - 2^26 - 2^17 + 2^10 - 1                    GMT20
11  BW      3    26         333      3663       258      131                         -0x1d2a
11  BW      11   16         412      4522       256      145                         -2^26 + 2^21 + 2^19 - 2^11 - 2^9 - 1
12  BN      3    4          446      5376       446      132                         2^110 + 2^36 + 1 (P11)                           GS19
12  BLS12   3    6          446      5376       299      132                         -(2^74 + 2^73 + 2^63 + 2^57 + 2^50 + 2^17 + 1)   GS19
12  FM17    3    6          446      5352       296      136                         -2^72 - 2^71 - 2^36                              FM19
13  BW      3    28         310      4027       267      140                         0x8b0
14  BW      3    16         340      4755       256      148                         2^21 + 2^19 + 2^10 - 2^6
16  KSS16   1    10         330      5280       257      140                         -2^34 + 2^27 - 2^23 + 2^20 - 2^11 + 1            BD19
16  KSS16   1    10         330      5268       256      140                         2^34 - 2^30 + 2^26 + 2^23 + 2^14 - 2^5 + 1       GS19
Sage code: https://gitlab.inria.fr/tnfs-alpha/alpha (sage/example_curves_short_list.sage)
