arithmetic operators for pairing based cryptography
play

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat - PowerPoint PPT Presentation

Mar 17, 2024 •307 likes •896 views

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573,

  1. Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573, Japan mailto:beuchat@risk.tsukuba.ac.jp e J. Monnet, Saint-´ Joint work with Nicolas Brisebarre (Universit´ Etienne, France), J´ er´ emie Detrey (ENS Lyon, France), Eiji Okamoto (University of Tsukuba, Japan), Masaaki Shirase (Future University, Hakodate, Japan), and Tsuyoshi Takagi (Future University, Hakodate, Japan) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 1 / 38

  2. Outline of the Talk Example: Three-Party Key Agreement 1 Computation of the η T Pairing 2 A Coprocessor for the η T Pairing Computation 3 A Coprocessor for the Final Exponentiation 4 A Coprocessor for the Full Pairing Computation 5 Conclusion 6 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 2 / 38

  3. Example: Three-Party Key Agreement Key agreement How can Alice, Bob, and Chris agree upon a shared secret key? Alice Bob ? Chris Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 3 / 38

  4. Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = � P � : additively-written group of order n DLP: given P , Q , find the integer x ∈ { 0 , . . . , n − 1 } such that Q = xP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

  5. Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = � P � : additively-written group of order n DLP: given P , Q , find the integer x ∈ { 0 , . . . , n − 1 } such that Q = xP Diffie-Hellman problem (DHP) Given P , aP , and bP , find abP . Alice Bob a b aP bP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

  6. Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = � P � : additively-written group of order n DLP: given P , Q , find the integer x ∈ { 0 , . . . , n − 1 } such that Q = xP Diffie-Hellman problem (DHP) Given P , aP , and bP , find abP . Alice aP Bob a b aP bP bP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

  7. Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = � P � : additively-written group of order n DLP: given P , Q , find the integer x ∈ { 0 , . . . , n − 1 } such that Q = xP Diffie-Hellman problem (DHP) Given P , aP , and bP , find abP . Alice Bob a b abP abP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

  8. Example: Three-Party Key Agreement Alice Bob a b aP bP Chris c cP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  9. Example: Three-Party Key Agreement Alice Bob a b aP bP bP First round aP cP Chris c cP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  10. Example: Three-Party Key Agreement Alice Bob a b abP acP Chris c bcP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  11. Example: Three-Party Key Agreement Alice Bob a b abP acP acP Second round abP bcP Chris c bcP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  12. Example: Three-Party Key Agreement Alice Bob a b abcP abcP Chris c abcP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  13. Example: Three-Party Key Agreement Three-party two-round key agreement protocol Does a three-party one-round key agreement protocol exist? Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 6 / 38

  14. Example: Three-Party Key Agreement Bilinear pairing G 1 = � P � : additively-written group G 2 : multiplicatively-written group with identity 1 A bilinear pairing on ( G 1 , G 2 ) is a map ˆ e : G 1 × G 1 → G 2 that satisfies the following conditions: Bilinearity. For all Q , R , S ∈ G 1 , 1 ˆ e ( Q + R , S ) = ˆ e ( Q , S )ˆ e ( R , S ) and ˆ e ( Q , R + S ) = ˆ e ( Q , R )ˆ e ( Q , S ). Non-degeneracy. ˆ e ( P , P ) � = 1. 2 Computability. ˆ e can be efficiently computed. 3 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 7 / 38

  15. Example: Three-Party Key Agreement Bilinear Diffie-Hellman problem (BDHP) e ( P , P ) abc Given P , aP , bP , and cP , compute ˆ Assumption: the BDHP is difficult Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 8 / 38

  16. Example: Three-Party Key Agreement Alice Bob a b aP bP Chris c cP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

  17. Example: Three-Party Key Agreement bP Alice Bob a b aP bP aP aP cP bP cP Chris c cP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

  18. Example: Three-Party Key Agreement Alice Bob a b ˆ e ( bP , cP ) a e ( aP , cP ) b ˆ e ( bP , cP ) a = ˆ e ( aP , cP ) b = ˆ e ( aP , bP ) c = ˆ e ( P , P ) abc ˆ Chris c e ( aP , bP ) c ˆ Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

  19. Example: Three-Party Key Agreement Examples of cryptographic bilinear maps Weil pairing Tate pairing η T pairing (Barreto et al. ) Ate pairing (Hess et al. ) Applications Identity based encryption Short signature Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 10 / 38

  20. Computation of the η T Pairing Elliptic curve over F 3 m Q = ( x q , y q ) P = ( x p , y p ) P η T pairing η T ( P , Q ) η T ( P , Q ) W ∈ F 3 6 m Exponentiation calculation ( F 3 6 m ) Q Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 11 / 38

  21. Computation of the η T Pairing – Tower Field ρ 2 1 ρ F 3 6 m = F 3 2 m [ ρ ] / ( ρ 3 − ρ − 1) 1 σ F 3 2 m = F 3 m [ σ ] / ( σ 2 + 1) x 2 x m − 3 x m − 2 x m − 1 1 x F 3 m = F 3 [ x ] / ( f ( x )) F 3 = Z / 3 Z = { 0, 1, 2 } Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 12 / 38

  22. Computation of the η T Pairing – Tower Field F 3 2 m F 3 2 m F 3 2 m ρ 2 σρ 2 1 σ ρ σρ 12 m bits F 3 6 m x m − 3 x m − 2 x m − 1 x 2 1 x 2 m bits F 3 m 2 bits F 3 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 13 / 38

  23. Computation of the η T Pairing m +1 η T ( P , Q ) 3 2 η T ( P , Q ) (Arith 18) Addition Addition Multiplication Multiplication Cubing Cubing Cube root Bilinearity of η T ( P , Q ) W � 2 � W m +1 � � � 3 η T ( P , Q ) W = 3 m � �� m − 1 � η T 3 P , Q � 2 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 14 / 38

  24. Computation of the η T Pairing Multiplication over F 3 6 m – η T ( P , Q ) m +1 multiplications 2 Operands: A and B ∈ F 3 6 m with ρ 2 σρ 2 1 σ ρ σρ − r 2 B = y p y q − r 0 0 − 1 0 0 r 0 , y p , and y q ∈ F 3 m Cost: 13 multiplications and 46 additions over F 3 m Multiplication over F 3 6 m – Exponentiation Only one multiplication Operands: A and B ∈ F 3 6 m Cost: 18 multiplications and 58 additions over F 3 m Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 15 / 38

  25. A Coprocessor for the η T Pairing Computation P = ( x p , y p ) η T ( P , Q ) Exponentiation η T ( P , Q ) W η T pairing Q = ( x q , y q ) (Waifi 2007) calculation (Arith 18) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 16 / 38

  26. A Coprocessor for the η T Pairing Computation P = ( x p , y p ) η T ( P , Q ) Exponentiation η T ( P , Q ) W η T pairing Q = ( x q , y q ) (Waifi 2007) calculation (Arith 18) Computation of η T ( P , Q ): multiplication over F 3 6 m New algorithm ◮ 15 multiplications and 29 additions over F 3 m ◮ Allows one to share operands between multipliers (less registers) Architecture ◮ 9 multipliers ◮ Most significant coefficient first (Horner’s rule) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 16 / 38

  27. A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [ x ] / ( x 97 + x 12 + 2) FPGA: Cyclone II EP2C35 (Altera) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

  28. A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [ x ] / ( x 97 + x 12 + 2) FPGA: Cyclone II EP2C35 (Altera) η T ( P , Q ) (Arith 18) Arithmetic over F 3 97 ◮ 9 multipliers ◮ 2 adders ◮ 1 cubing unit Area: 14895 LEs Frequency: 149 MHz Computation time: 33 µ s Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

  29. A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [ x ] / ( x 97 + x 12 + 2) FPGA: Cyclone II EP2C35 (Altera) η T ( P , Q ) (Arith 18) Exponentiation (Waifi 2007) Arithmetic over F 3 97 Challenge ◮ 9 multipliers Raise η T ( P , Q ) to the W power ◮ 2 adders in 33 µ s (or less) ◮ 1 cubing unit with the smallest amount of Area: 14895 LEs hardware Frequency: 149 MHz Computation time: 33 µ s Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

  30. A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

  31. A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Short time to market Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

  32. A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Short time to market Small series Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc Beuchat Laboratory of Cryptography and Informantion Security University of Tsukuba, Japan jeanluc.beuchat@gmail.com Joint work with: enaire, LIP,

1.73k views • 139 slides
Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles St-Quentin-en-Yvelines France 1 Introduction: EC in cryptography Starting point: 1985 (V. Miller) Discrete logarithm based

487 views • 45 slides
Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Bilinear Pairing Two (or three) groups with an

1.44k views • 105 slides
Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Bilinear Pairing Two (or three) groups with an

1.67k views • 118 slides
Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear

Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear

Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear 2 Bilinear Pairing Two (or three) groups

1.06k views • 102 slides
RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

22nd IEEE Symposium on Computer Arithmetic RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core Procedure Jean-Claude Bajard , Julien Eynard Nabil Merkiche , Thomas Plantard Sorbonne

383 views • 25 slides
Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us

Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us

Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us to modify and manipulate information. They are symbols that represent a commonly used operation, such as addition 2 + 2 http://cs.mst.edu

365 views • 17 slides
Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based Encryption 2 Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair 2 Identity-Based Encryption In PKE, KeyGen produces a random

1.47k views • 114 slides
Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia El Mrabet (1) and Christophe Negre (2) (1) Team Arith/LIRMM, Universit e Montpellier 2 (2) Team DALI/ELIAUS, Universit e de Perpignan

753 views • 49 slides
Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based Encryption Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair

1.65k views • 115 slides
Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a

Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a

1. Introduction 2. Binary Representation Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a number of arithmetic operators which are used to 5. Standard input and output combine variables and

403 views • 3 slides
Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Introduction Arithmetic in GF ( 2 m ) Summary - results, comments, future prospects Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power consumption - security tradeoffs Danuta Pamua 17th December 2012

695 views • 32 slides
A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Abelian Varieties Analyzing the Algorithm A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties David Freeman Stanford

537 views • 16 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello

Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello

Introduction Motivation Miller 2 n -tupling Results Related Work Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello craig.costello@qut.edu.au Queensland University of Technology AfricaCrypt 2010 Joint work with

556 views • 26 slides
Quasiperiodic Schrodinger operators: sharp arithmetic spectral transitions and universal

Quasiperiodic Schrodinger operators: sharp arithmetic spectral transitions and universal

Quasiperiodic Schrodinger operators: sharp arithmetic spectral transitions and universal hierarchical structure of eigenfunctions S. Jitomirskaya Atlanta, October 10, 2016 S. Jitomirskaya Quasiperiodic Schrodinger operators: sharp arithmetic

849 views • 72 slides
The Royal Bank of Scotland Group Q1 2012 Results 4 th May 2012 Important Information Certain

The Royal Bank of Scotland Group Q1 2012 Results 4 th May 2012 Important Information Certain

The Royal Bank of Scotland Group Q1 2012 Results 4 th May 2012 Important Information Certain sections in this document contain forward-looking statements as that term is defined in the United States Private Securities Litigation Reform Act

620 views • 26 slides
Computer Graphics (543) Lecture 5 (Part 2): Transformations (Rotations and Matrix Concatenation)

Computer Graphics (543) Lecture 5 (Part 2): Transformations (Rotations and Matrix Concatenation)

Computer Graphics (543) Lecture 5 (Part 2): Transformations (Rotations and Matrix Concatenation) Prof Emmanuel Agu Computer Science Dept. Worcester Polytechnic Institute (WPI) Recall: 3D Translation Translate: Move each vertex by same distance d

550 views • 29 slides
Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and

Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and

Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and Peter Sewell Computer Laboratory, University of Cambridge, U.K. Cassandra: Distributed Access Control Policies with Tunable Expressiveness p.

1.44k views • 20 slides
Linear Interpola-on from Cells Han-Wei Shen The Ohio State University Why Interpola-on? Most

Linear Interpola-on from Cells Han-Wei Shen The Ohio State University Why Interpola-on? Most

Linear Interpola-on from Cells Han-Wei Shen The Ohio State University Why Interpola-on? Most visualiza-on algorithms have to deal with discrete data Data aEributes that define at the cell ver-ces (d) polyline (e) triangle (b)

437 views • 29 slides
Financial modeling after the crisis a few thoughts David Lando Department of Finance, FRIC

Financial modeling after the crisis a few thoughts David Lando Department of Finance, FRIC

Financial modeling after the crisis a few thoughts David Lando Department of Finance, FRIC Copenhagen Business School Conference in honor of Niels Thygesen 5. December, 2014 1 Agenda Benchmark cases are (still) important

409 views • 13 slides
Robust Software Defined Networks Ravi Manghirmalani Ramesh Subrahmaniam Controller Offload

Robust Software Defined Networks Ravi Manghirmalani Ramesh Subrahmaniam Controller Offload

Experiences in Realizing Large Robust Software Defined Networks Ravi Manghirmalani Ramesh Subrahmaniam Controller Offload SDN mandates a split of control and forwarding plane The control and forwarding planes communicate through a TCP

810 views • 25 slides
Chapter 11 h Addition Arithmetic Multiplication Building Blocks g Digital Processor

Chapter 11 h Addition Arithmetic Multiplication Building Blocks g Digital Processor

Digital IC-Design Overview Chapter 11 h Addition Arithmetic Multiplication Building Blocks g Digital Processor Example: Wave Digital Filter (WDF) IN Memory REG Coefficient Bus MULT ROM Address REG Read Input APU Control

797 views • 15 slides
Impact of qualitative management of feeding wood mix on the process and pulp quality Patrcia

Impact of qualitative management of feeding wood mix on the process and pulp quality Patrcia

Impact of Qualitative Management of Feeding Wood Mix on Process and Pulp Quality Impact of qualitative management of feeding wood mix on the process and pulp quality Patrcia Nunes Pignaton Patrcia Nunes Pignaton Francisco Costa Neto

273 views • 14 slides

More recommend