deterministic hashing to elliptic and hyperelliptic curves
play

Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi - PowerPoint PPT Presentation

Oct 17, 2023 •37 likes •337 views

Introduction Problems Outlook and Conclusion Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08 Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to

  1. Introduction Problems Outlook and Conclusion Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

  2. Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to elliptic curves Deterministic hashing Problems Overview Icart’s conjecture Indifferentiable hashing Hyperelliptic Curves Outlook and Conclusion Further problems

  3. Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to elliptic curves Deterministic hashing Problems Overview Icart’s conjecture Indifferentiable hashing Hyperelliptic Curves Outlook and Conclusion Further problems

  4. Introduction Problems Outlook and Conclusion Elliptic curve cryptography • F finite field of characteristic > 3 (for simplicity’s sake). • Recall that an elliptic curve over F is the set of points ( x , y ) ∈ F 2 such that: y 2 = x 3 + ax + b (with a , b ∈ F fixed parameters), together with a point at infinity. • This set of points forms an abelian group where the Discrete Logarithm Problem and Diffie-Hellman-type problems are believed to be hard (no attack better than the generic ones). • Interesting for cryptography: for k bits of security, one can use elliptic curve groups of order ≈ 2 2 k , keys of length ≈ 2 k . Also come with rich structures such as pairings.

  5. Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to elliptic curves Deterministic hashing Problems Overview Icart’s conjecture Indifferentiable hashing Hyperelliptic Curves Outlook and Conclusion Further problems

  6. Introduction Problems Outlook and Conclusion Hashing to elliptic curves is a problem • Many cryptographic protocols (schemes for encryption, signature, PAKE, IBE, etc.) involve representing a certain numeric value, often a hash value, as an element of the group G where the computations occur. • For G = Z ∗ n , simply taking the numeric value itself mod n is usually appropriate. • However, if G is an elliptic curve group, this technique has no obvious counterpart; e.g. one cannot put the value in the x -coordinate of a curve point, because only about 1 / 2 of possible x -values correspond to actual points. • Elliptic curve-specific protocols have been developed to circumvent this problem (ECDSA for signature, Menezes-Vanstone for encryption, ECMQV for key agreement, etc.), but doing so with all imaginable protocols is unrealistic.

  7. Introduction Problems Outlook and Conclusion The traditional solution • For k bits of security: 1. concatenate the hash value with a counter from 0 to k − 1; 2. initialize the counter as 0; 3. if the concatenated value is a valid x -coordinate on the curve, i.e. x 3 + ax + b is a square in F , return one of the two corresponding points; otherwise increment the counter and try again. • Heuristically, the probability of a concatenated value being valid is 1 / 2, so k iterations ensure k bits of security.

  8. Introduction Problems Outlook and Conclusion Problems with this solution • A natural implementation does not run in constant time: possible timing attacks (especially for PAKE). • A constant time implementation (always do k steps, compute the Legendre symbol in constant time) is very inefficient, O ( n 4 ). • Security is difficult to analyze. Remark: hashing as H ( m ) = h ( m ) G where G is a generator of the elliptic curve group is not a good idea.

  9. Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to elliptic curves Deterministic hashing Problems Overview Icart’s conjecture Indifferentiable hashing Hyperelliptic Curves Outlook and Conclusion Further problems

  10. Introduction Problems Outlook and Conclusion Supersingular curves An elliptic curve shape of particular interest is: y 2 = x 3 + b over a field with q elements, with q ≡ 2 (mod 3). Admits the following deterministic encoding: ( u 2 − b ) 1 / 3 , u � � f : u �→ Such a curve is supersingular. Convenient for pairings, but much less secure than ordinary curves for the same key size (because of the MOV attack).

  11. Introduction Problems Outlook and Conclusion Shallue-Woestijne-Ulas First deterministic point construction algorithm on ordinary elliptic curves due to Shallue and Woestijne (ANTS 2006). Later generalized and simplified by Ulas (2007). lba’s identity: if g ( x ) = x 3 + ax + b , there are rational Based on Ska� functions X i ( t ) such that g ( X 1 ( t )) · g ( X 2 ( t )) · g ( X 3 ( t )) = X 4 ( t ) 2 Hence, on a finite field, at least one of g ( X 1 ( t )) , g ( X 2 ( t )) , g ( X 3 ( t )) is a square. Gives a deterministic point construction algorithm, which is efficient if q ≡ 3 (mod 4). Considered for implementation in European e-passports.

  12. Introduction Problems Outlook and Conclusion Icart Particularly simple deterministic encoding on ordinary elliptic curves when q ≡ 2 (mod 3), presented by Icart at CRYPTO last year. Generalization of the supersingular case. Defined as f : u �→ ( x , y ) with � 1 / 3 � v 2 − b − u 6 + u 2 v = 3 a − u 4 x = y = ux + v 27 3 6 u This simple idea sparked new research into the subject of deterministic hashing into elliptic curves.

  13. Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to elliptic curves Deterministic hashing Problems Overview Icart’s conjecture Indifferentiable hashing Hyperelliptic Curves Outlook and Conclusion Further problems

  14. Introduction Problems Outlook and Conclusion Questions we solved The previous constructions do not completely address the problem of constructing “good hash functions” to elliptic curves, and open up a series of related questions. We solved some of them. • Icart’s conjecture: Icart observed that his function did not map to the whole elliptic curve, and conjectured that the image comprised only about 5 / 8 of all points. Is this true? What about the SWU function? • In particular if f is Icart’s function and h is a random oracle into the base field, m �→ f ( h ( m )) is easily distinguished from a random oracle. Can f still be used to construct a random oracle to the curve? • Extension to hyperelliptic curves: can we construct good hash functions? Note that we should map to the Jacobian variety, not the curve itself!

  15. Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to elliptic curves Deterministic hashing Problems Overview Icart’s conjecture Indifferentiable hashing Hyperelliptic Curves Outlook and Conclusion Further problems

  16. Introduction Problems Outlook and Conclusion Statement E elliptic curve over F q , with q ≡ 2 (mod 3), and f : F q → E ( F q ) Icart’s deterministic encoding. Conjecture (Icart) There exists a universal constant C such that: q ) − 5 � ≤ C √ q � � � # f ( F 8# E ( F q ) Icart’s paper presented a heuristic argument to justify the constant 5 / 8. The conjecture was proved independently by Farahashi, Shparlinski and Voloch, and by Fouque and T. A consequence of this conjecture is that f is neither injective nor surjective. However, ( u , v ) �→ f ( u ) + f ( v ) is a surjective encoding function for q large enough.

  17. Introduction Problems Outlook and Conclusion Proof idea I • A key fact is that u maps to ( x , y ) under f if and only if: u 4 − 6 xu 2 + 6 yu − 3 a = 0 • Hence, the problem is to count the points ( x , y ) on the curve such that the polynomial P ( u ) = u 4 − 6 xu 2 + 6 yu − 3 a has at least one root in F q . • P can be seen as a polynomial over the function field F q ( x , y ) of E , and the problem is to count places of degree 1 in this function field where the reduction of P has a root. • Mathematicians have a powerful tool to tackle this kind of problems: the Chebotarev density theorem, which says that the “density” of places at which P reduces into a product of factors of given degrees is determined by the number of permutations with the corresponding cycle decomposition in the Galois group of P .

  18. Introduction Problems Outlook and Conclusion Proof idea II At this point, completing the proof is a technical exercise: • Show that P is an irreducible polynomial with Galois group S 4 (hard part). • Count the number of permutations in S 4 with a fixed point (there are 1 + 6 + 8 = 15 of them). • Deduce that the density of places in F q ( x , y ) at which P has a root is 15 / 24 = 5 / 8. • Apply an effective version of Chebotarev’s density theorem to get the same result with a O ( √ q ) error term for places of degree 1 (this gives Icart’s conjecture). In the paper with Fouque, we also show how the technique generalizes to other encoding functions with different Galois groups such as a simplified version of SWU (Galois group D 8 , constant 3 / 8).

  19. Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to elliptic curves Deterministic hashing Problems Overview Icart’s conjecture Indifferentiable hashing Hyperelliptic Curves Outlook and Conclusion Further problems

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Elliptic and Hyperelliptic Curves: a Practical Security Comparison " Joppe W. Bos (Microsoft

Elliptic and Hyperelliptic Curves: a Practical Security Comparison " Joppe W. Bos (Microsoft

Elliptic and Hyperelliptic Curves: a Practical Security Comparison " Joppe W. Bos (Microsoft Research), Craig Costello (Microsoft Research), ! Andrea Miele (EPFL) " " 1/13 " Motivation and Goal(s) ! Elliptic curves

314 views • 14 slides
Hashing to Elliptic Curves and Cryptanalysis of RSA-Based Schemes Mehdi Tibouchi Ecole

Hashing to Elliptic Curves and Cryptanalysis of RSA-Based Schemes Mehdi Tibouchi Ecole

Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Hashing to Elliptic Curves and Cryptanalysis of RSA-Based Schemes Mehdi Tibouchi Ecole normale sup erieure Ph.D. Defense 20110923 Introduction RSA

2.09k views • 162 slides
Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer

Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer

Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer Paulhus Grinnell College paulhusj@grinnell.edu www.math.grinnell.edu/ paulhusj My original interest in Jacobian variety decomposition was

343 views • 21 slides
Verified Indifferentiable Hashing into Elliptic Curves eguelin 1 Santiago Zanella B Gilles

Verified Indifferentiable Hashing into Elliptic Curves eguelin 1 Santiago Zanella B Gilles

Verified Indifferentiable Hashing into Elliptic Curves eguelin 1 Santiago Zanella B Gilles Barthe 2 , Benjamin Gr egoire 3 , Sylvain Heraud 3 and Federico Olmedo 2 Microsoft Research Cambridge 1 IMDEA Software Institute 2 ee 3 INRIA Sophia

1.02k views • 36 slides
Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 10.11.2007 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange p. 1 Do

787 views • 51 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Projective equivalences of elliptic and hyperelliptic planar curves Juan G. Alc azar , Carlos

Projective equivalences of elliptic and hyperelliptic planar curves Juan G. Alc azar , Carlos

Projective equivalences of elliptic and hyperelliptic planar curves Juan G. Alc azar , Carlos Hermoso Universidad de Alcal a, Alcal a de Henares, Madrid (Spain) CCMA 2019 Juan G. Alc azar , Carlos Hermoso Projective equivalences of

468 views • 27 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!)

Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!)

Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!) Riad S. Wahby, Dan Boneh Stanford December 3 rd , 2019 Motivation Our initial motivation: BLS signatures [BLS01] Motivation Our initial

1.38k views • 126 slides
L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S.

L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S.

L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S. Kedlaya Department of Mathematics, University of California, San Diego kedlaya@ucsd.edu http://kskedlaya.org/slides/ Arithmetic of Hyperelliptic Curves

708 views • 48 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2

Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2

Background Hyperelliptic curves with moderately large rank over Q ( T ) Bias Conjecture Acknowledgements Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2 thammond@andrew.cmu.edu bcl5@williams.edu Joint with

426 views • 41 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

Introduction GGH Construction GGHLite Conclusions More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School of IT Monash University, Australia (Based on joint work with A. Langlois and D. Stehl e, ENS

706 views • 39 slides
SFB 1102: Information Density and Linguistic Encoding The Empirical Basis of Slavic The Empirical

SFB 1102: Information Density and Linguistic Encoding The Empirical Basis of Slavic The Empirical

SFB 1102: Information Density and Linguistic Encoding The Empirical Basis of Slavic The Empirical Basis of Slavic Intercomprehension Intercomprehension Tania Avgustinova, Andrea Fischer, Klara Jagrova, Dietrich Klakow, Roland Marti, Irina Stenger

470 views • 26 slides
Similarity encoding for learning on dirty categorical variables Ga el Varoquaux

Similarity encoding for learning on dirty categorical variables Ga el Varoquaux

Similarity encoding for learning on dirty categorical variables Ga el Varoquaux Scikit-learn project lead Agenda today Bring to light a problem Show that statistical-learning can solve it Machine learning Let X R n p G

1.4k views • 45 slides
t ttst t

t ttst t

t ttst t tr s rts s Ptr

1.04k views • 64 slides
The Theory of Statistical Comparison in Quantum Information and Foundations Francesco Buscemi *

The Theory of Statistical Comparison in Quantum Information and Foundations Francesco Buscemi *

The Theory of Statistical Comparison in Quantum Information and Foundations Francesco Buscemi * Modern Topics in Quantum Information: Quantum Foundations and Quantum Information . International Institute of Physics (Natal, Brazil), 31 July 2018

412 views • 37 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
CS 403X Mobile and Ubiquitous Computing Lecture 3: Introduction to Android Programming Emmanuel

CS 403X Mobile and Ubiquitous Computing Lecture 3: Introduction to Android Programming Emmanuel

CS 403X Mobile and Ubiquitous Computing Lecture 3: Introduction to Android Programming Emmanuel Agu Android UI Tour Home Screen First screen, includes favorites tray (e.g phone, mail, messaging, web, etc) All Apps Screen Accessed by

663 views • 42 slides
Microsoft Office PowerPoint: Deep Dive Steering Committee Member and Microsoft Office Specialist-

Microsoft Office PowerPoint: Deep Dive Steering Committee Member and Microsoft Office Specialist-

Microsoft Office PowerPoint: Deep Dive Steering Committee Member and Microsoft Office Specialist- Karim Cruz-Neal (DMV) Got PowerPoint? When and how should I use PowerPoint? Use it after you have prepared your presentation What is your Role ?

1.59k views • 119 slides

More recommend