Efficient and Cryptographically Secure Addition in the Ideal Class - PowerPoint PPT Presentation

  1. Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic Curves
  Diploma thesis
  Andrey Bogdanov*
  Scientific advisors: Prof. Dr. Dr. h.c. Gerhard Frey, Prof. Dr. Vladimir Anashin
  Russian State University for the Humanities, Faculty of Information Security
  *Supported by the Institute for Experimental Mathematics, University of Duisburg-Essen, Germany

  2. Motivation
  • A careful study of genus 2 hyperelliptic curve based cryptography;
  • A proper analysis of its suitability for real-world applications;
  • Known efficiency estimates and improvements;
  • Vulnerability against simple side-channel attacks (SCA): no generic algorithmic solution for the time being;
  • The SCA question is especially topical for characteristic 2!

  3. Groups Suitable for Cryptography
  For G one should have simultaneously:
  • Exponential complexity of the DLP for prime group order $n = |G|$;
  • Efficient representation: constructive, with bit length $O(\log_2 |G|)$;
  • Efficiently performable group law in G.
  Degree 0 Picard groups $\mathrm{Pic}^0_{F_q}(C)$ of low genus hyperelliptic curves C fulfill the requirements perfectly!

  4. Subexponential and exponential DLP
  [figure]

  5. Simple Side-Channel Attacks
  • Simple power attack: a single power profile;
  • If key bits and operation flow are tightly connected;
  • Standard scalar multiplication vulnerable!

  6. R1: Correct Addition in $\mathrm{Pic}^0_{F_q}(C)$
  • Publicly accepted formulae contained some relatively hidden but important errors;
  • The errors have been found and corrected;
  • The new formulae have been tested on numerous examples.

  7. R2: Compression in $\mathrm{Pic}^0_{F_{2^d}}(C)$
  For genus 2 hyperelliptic curves over binary finite fields $GF(2^d)$ of odd extension degree d:
  • An efficient variant of a point decompression technique has been proposed;
  • The complexity of our technique is I + 10M + (d + 2)S, where I = field inversion, M = field multiplication, S = field squaring.

  8. R3: Montgomery representation, 1
  For genus 2 hyperelliptic curves over arbitrary finite fields:
  • Though publicly believed, group doubling in $\mathrm{Pic}^0_{F_q}(C)$ cannot be solely parameterized by the u-coordinate of the Mumford representation;
  • Cantor's division polynomials deliver no proof of this for degree 2 divisors;
  • Some additional information is needed.

  9. R3: Montgomery representation, 2
  For genus 2 hyperelliptic curves over arbitrary finite fields:
  • One should search for an effective invertible map $\phi : \mathrm{Pic}^0_{F_q}(C) \to K$ to the related Kummer surface K, a quartic surface in $\mathbb{P}^3$, with $\phi(D_1) = \phi(-D_1)$ for $D_1 \in \mathrm{Pic}^0_{F_q}(C)$;
  • K carries no group structure (but doubling is possible);
  • On the basis of $\phi(D_1)$, $\phi(D_2)$, $\phi(D_1 - D_2)$ it is possible to construct explicit formulae for $\phi(D_1 + D_2)$, $D_1, D_2 \in \mathrm{Pic}^0_{F_q}(C)$.

  10. Conclusion
  For genus 2 hyperelliptic curves over finite fields:
  • Addition and doubling formulae corrected for $\mathrm{Pic}^0_{F_q}(C)$;
  • Complexity of point decompression improved;
  • Framework for getting SCA-resistant Montgomery-like arithmetic provided.

  11. Motivation
  • Careful study of genus 2 hyperelliptic curve based cryptography;
  • Efficiency estimates and improvements;
  • Resistance against simple side-channel attacks: no optimal solution for the time being, especially for even characteristic.

  12. Groups Suitable for Cryptography
  For G one should have simultaneously:
  • Exponential complexity of the DLP for prime group order $n = |G|$;
  • Efficient representation: constructive, with bit length $O(\log_2 |G|)$;
  • Efficiently performable group law in G.
  Degree 0 Picard groups $\mathrm{Pic}^0_{F_q}(C)$ of low genus hyperelliptic curves C fulfill the requirements perfectly!

  13. Hyperelliptic curves
  We take a middle-brow approach and deal directly with imaginary quadratic hyperelliptic curves.
  An imaginary quadratic hyperelliptic curve C of genus $g \ge 1$ over $F_q$ is defined by
  $C : y^2 + h(x)\, y = f(x)$ in $F_q[x, y]$,
  where $h(x) \in F_q[x]$ with $\deg(h) \le g$, and $f(x) \in F_q[x]$ is monic with $\deg(f) = 2g + 1$.
  By definition there is (at least) one Weierstraß point $P_\infty \notin \mathbb{A}^2(F_q)$, but $P_\infty \in \mathbb{P}^2(F_q)$.

  14. Ideal class group
  For a non-singular curve C:
  • $M \subset K(C)$ is a fractional $K[C]$-ideal if $\exists f \in K(C)^*$ such that $fM$ is an ideal of $K[C]$.
  • $M \subset K(C)$ is an invertible ideal if there exists $N \subset K(C)$ with $NM = K[C]$.
  • $K[C]$ is a Dedekind domain $\Leftrightarrow$ every fractional $K[C]$-ideal is invertible.
  • The non-zero fractional $K[C]$-ideals form a group I with respect to ideal multiplication.
  • $f \in K(C)$ defines a fractional $K[C]$-ideal $(f)$, a principal fractional ideal; the set of all $(f)$ forms a subgroup $P \lhd I$.
  • $H_K(C) = I/P$ is the ideal class group.

  15. Subexponential and exponential DLP
  [figure]

  16. Mumford representation
  For a genus g hyperelliptic curve C one has the following group isomorphism:
  $\mathrm{Pic}^0_{F_q}(C) \cong H_{F_q}(C)$,
  where $H_{F_q}(C)$ is the ideal class group of C.
  Every non-trivial $I \in H_{F_q}(C)$ can be represented via a unique ideal $J \subset F_q[C]$ generated by two polynomials:
  $J = \langle a(x),\, y - b(x) \rangle$, $a(x), b(x) \in F_q[x]$; a monic; $\deg b < \deg a \le g$; $a \mid b^2 + bh - f$.
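The conditions on slide 16 can be checked mechanically. The following is an added example (not code from the thesis): a minimal polynomial arithmetic over $F_p$ and a validity check for a Mumford pair $(a, b)$; the curve $y^2 = x^5 + 1$ over $F_7$ and the points used for the sample divisor are constructed for illustration.

```python
def trim(poly):
    """Strip trailing zeros so the degree is well defined; the zero polynomial is []."""
    while poly and poly[-1] == 0:
        poly = poly[:-1]
    return poly

def deg(poly):
    poly = trim(poly)
    return len(poly) - 1 if poly else -1          # deg(0) = -1 by convention

def add(f, g, p):
    n = max(len(f), len(g))
    return trim([((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % p
                 for i in range(n)])

def sub(f, g, p):
    return add(f, [(-c) % p for c in g], p)

def mul(f, g, p):
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % p
    return trim(out)

def mod(f, g, p):
    """Remainder of f divided by a non-zero g over F_p (schoolbook long division)."""
    f, g = trim(f), trim(g)
    inv = pow(g[-1], -1, p)                        # inverse of the leading coefficient
    while deg(f) >= deg(g):
        shift, c = deg(f) - deg(g), f[-1] * inv % p
        f = sub(f, [0] * shift + [c * gi % p for gi in g], p)
    return f

def mumford_is_valid(a, b, f, h, p, g):
    """Slide 16 conditions: a monic, deg b < deg a <= g, and a | b^2 + b h - f over F_p."""
    a, b = trim(a), trim(b)
    if deg(a) < 0 or a[-1] != 1 or deg(a) > g or deg(b) >= deg(a):
        return False
    rhs = sub(add(mul(b, b, p), mul(b, h, p), p), f, p)
    return mod(rhs, a, p) == []

# Constructed sample: C: y^2 = x^5 + 1 over F_7 (genus 2, h = 0); coefficients lowest degree first.
P, F, H = 7, [1, 0, 0, 0, 0, 1], []
# Divisor P1 + P2 - 2 P_inf with P1 = (0, 1), P2 = (1, 3): a = x(x - 1) = x^2 + 6x, b(0) = 1, b(1) = 3.
A, B = [0, 6, 1], [1, 2]
```

Replacing B by [1, 1] makes b(1) = 2 with 2^2 = 4 ≠ f(1) = 2, so the divisibility condition fails and the pair is rejected.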

  17. Picard group cardinality
  For a genus g hyperelliptic curve C the following bounds on the cardinality of $\mathrm{Pic}^0_{F_q}(C)$ exist:
  $(q^{1/2} - 1)^{2g} \le |\mathrm{Pic}^0_{F_q}(C)| \le (q^{1/2} + 1)^{2g}$, or $|\mathrm{Pic}^0_{F_q}(C)| \approx q^g$.

  18. Cantor's addition algorithm
  Example over the reals $\mathbb{R}$: [figure]

  19. Explicit group law complexity, 1
  Addition in $\mathrm{Pic}^0_{F_q}(C)$, g = 2, q odd:
    Operation      Costs
    N + N = N      47M + 7S
    P + P = P      47M + 4S
    A + A = A      I + 22M + 3S
  Doubling in $\mathrm{Pic}^0_{F_q}(C)$, g = 2, q odd:
    Operation      Costs
    2P = P         38M + 6S
    2N = N         34M + 7S
    2A = A         I + 22M + 5S

  20. Explicit group law complexity, 2
  Addition in $\mathrm{Pic}^0_{F_{2^d}}(C)$, g = 2, q even, d odd:
    Operation      Costs
    R + R = R      49M + 8S
    A + A = A      I + 21M + 3S
  Doubling in $\mathrm{Pic}^0_{F_{2^d}}(C)$, g = 2, q even, d odd:
    Operation      Costs
    2P = P         22M + 6S
    2R = R         20M + 8S
    2A = A         I + 5M + 6S

  21. Simple Side-Channel Attacks
  • Simple power attack: a single power profile;
  • If key bits and operation flow are tightly connected;
  • Standard scalar multiplication vulnerable!

  22. Montgomery Ladder, 1
  A simple method to homogenize group scalar multiplication:
  INPUT: $\alpha \in G$, $k = (k_{l-1} \ldots k_0)_2 \in \{1, 2, \ldots, n - 1\}$
  1. $\beta_0 \leftarrow$ the identity of G, $\beta_1 \leftarrow \alpha$
  2. for j from $l - 1$ downto 0 do
       if $k_j = 0$ then $\beta_1 \leftarrow \beta_1 + \beta_0$, $\beta_0 \leftarrow 2\beta_0$
       else [if $k_j = 1$] $\beta_0 \leftarrow \beta_1 + \beta_0$, $\beta_1 \leftarrow 2\beta_1$
  OUTPUT: $\beta_0 = k\alpha$

  23. Montgomery Ladder, 2
  For the scalar multiplier k define
  $L_j = \sum_{i=j}^{l-1} k_i 2^{i-j}$ and $H_j = L_j + 1$.
  Fact 1:
  (1) $L_j = 2L_{j+1} + k_j$,
  (2) $L_j = L_{j+1} + H_{j+1} + k_j - 1$,
  (3) $L_j = 2H_{j+1} + k_j - 2$.
  Fact 2:
  $(L_j g, H_j g) = ((2L_{j+1}) g,\, (L_{j+1} + H_{j+1}) g)$ if $k_j = 0$,
  $(L_j g, H_j g) = ((L_{j+1} + H_{j+1}) g,\, (2H_{j+1}) g)$ if $k_j = 1$.

  24. Montgomery Ladder, 3
  Useful observations:
  • $\beta_1 - \beta_0 = \alpha = \mathrm{const}$ throughout the algorithm; this can be used in some groups to speed up addition;
  • At each iteration the operations (D and A) are independent and can be performed in parallel;
  • At each iteration the operations (D and A) share a common operand, which can be of advantage too.
  The Montgomery arithmetic can really be very efficient. For instance, elliptic curves!
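As an added example (not code from the thesis), the ladder of slide 22 written for any additively written group, instrumented to verify the invariants of slides 23 and 24 after every bit, and the operation flow a single power trace would reveal (slide 21) compared with plain double-and-add. The group $(\mathbb{Z}/n, +)$ used for the run is a constructed toy group; the add/dbl callbacks are where a $\mathrm{Pic}^0$ implementation would plug in.

```python
def montgomery_ladder(k, alpha, add, dbl, identity, observer=None):
    """Slide 22 ladder: k*alpha in an additively written group, one add + one dbl per bit."""
    beta0, beta1 = identity, alpha
    for j in range(k.bit_length() - 1, -1, -1):          # bits k_{l-1} ... k_0
        if ((k >> j) & 1) == 0:
            beta1, beta0 = add(beta1, beta0), dbl(beta0)
        else:
            beta0, beta1 = add(beta1, beta0), dbl(beta1)
        if observer:
            observer(j, beta0, beta1)
    return beta0

def ladder_mod_n(k, alpha, n):
    """Run the ladder over the constructed toy group (Z/n, +) and verify, after each bit j,
    the slide 23/24 facts: beta1 - beta0 = alpha, beta0 = L_j*alpha, beta1 = H_j*alpha."""
    checks = []
    def observer(j, b0, b1):
        Lj = k >> j                                       # L_j = sum_{i=j}^{l-1} k_i 2^{i-j}
        checks.append((b1 - b0) % n == alpha % n
                      and b0 == Lj * alpha % n
                      and b1 == (Lj + 1) * alpha % n)    # H_j = L_j + 1
    result = montgomery_ladder(k, alpha, lambda x, y: (x + y) % n,
                               lambda x: 2 * x % n, 0, observer)
    return result, all(checks)

def ladder_flow(k):
    """Operation sequence a single power trace would show: the same for every k of equal length."""
    return ['A', 'D'] * k.bit_length()

def double_and_add_flow(k):
    """Same for textbook left-to-right double-and-add: the 'A's mirror the 1 bits of k."""
    flow = []
    for j in range(k.bit_length() - 1, -1, -1):
        flow.append('D')
        if (k >> j) & 1:
            flow.append('A')
    return flow
```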
