efficient compression of sidh public keys
play

Efficient compression of SIDH public keys Craig Costello 1 David Jao - PowerPoint PPT Presentation

Nov 25, 2023 •380 likes •835 views

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael Naehrig 1 Joost Renes 3 David Urbanik 2 1 Microsoft Research, Redmond, USA 2 University of Waterloo, Ontario, Canada 3 Radboud University, Nijmegen, The

  1. Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael Naehrig 1 Joost Renes 3 David Urbanik 2 1 Microsoft Research, Redmond, USA 2 University of Waterloo, Ontario, Canada 3 Radboud University, Nijmegen, The Netherlands 1 May 2017 1 May 2017 1 / 14

  2. Supersingular-isogeny Diffie-Hellman ◮ Post-quantum secure (ephemeral) key exchange [JF11] ◮ Based on hardness of finding large-degree isogenies ◮ Small keys ( ≈ 564 bytes public) ◮ Relatively slow compared to other PQ proposals ◮ Key compression ( ≈ 385 bytes), at very high cost [Aza+16] 1 May 2017 2 / 14

  3. Supersingular-isogeny Diffie-Hellman ◮ Post-quantum secure (ephemeral) key exchange [JF11] ◮ Based on hardness of finding large-degree isogenies ◮ Small keys ( ≈ 564 bytes public) ◮ Relatively slow compared to other PQ proposals ◮ Key compression ( ≈ 385 bytes), at very high cost [Aza+16] This talk ◮ Key size reduced by 12 . 5% ( ≈ 330 bytes) ◮ Compression up to 66 × faster ◮ Decompression up to 15 × faster 1 May 2017 2 / 14

  4. Isogeny graphs p = 2 3 · 3 2 − 1 , E / F p 2 : y 2 = x 3 + x , j ( E ) = 24 , ℓ = 2 41 24 66 17 0 48 40 1 May 2017 3 / 14

  5. Isogeny graphs p = 2 3 · 3 2 − 1 , E / F p 2 : y 2 = x 3 + x , j ( E ) = 24 , ℓ = 2 41 2 2 24 2 66 17 0 48 3 40 1 May 2017 3 / 14

  6. Isogeny graphs p = 2 3 · 3 2 − 1 , E / F p 2 : y 2 = x 3 + x , j ( E ) = 24 , ℓ = 2 41 24 66 17 0 48 40 1 May 2017 3 / 14

  7. Isogeny graphs p = 2 3 · 3 2 − 1 , E / F p 2 : y 2 = x 3 + x , j ( E ) = 24 , ℓ = 3 41 3 24 2 2 2 66 17 0 2 48 2 2 2 40 1 May 2017 3 / 14

  8. Key generation = private party A , = private party B , = public keys 41 2 2 24 2 66 17 0 48 3 40 1 May 2017 4 / 14

  9. Key generation = private party A , = private party B , = public keys 41 3 24 2 2 2 66 17 0 2 48 2 2 2 40 1 May 2017 4 / 14

  10. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց = 3-graph walk, ց ց E A φ A E φ B E B 1 May 2017 5 / 14

  11. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց = 3-graph walk, ց ց E A [ ℓ e ] = � P , Q � E A φ A E AB E φ B E B 1 May 2017 5 / 14

  12. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, ∈ F 2 E A [ ℓ e ] = � P , Q � p 2 (= 4 log p bits) ∈ F p 2 (= 2 log p bits) E A φ A E AB E φ B E B 1 May 2017 5 / 14

  13. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E A [ ℓ e ] = � R , S � ∈ F 2 E A [ ℓ e ] = � P , Q � p 2 (= 4 log p bits) ∈ F p 2 (= 2 log p bits) E A φ A E AB E φ B E B 1 May 2017 5 / 14

  14. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E A [ ℓ e ] = � R , S � ∈ Z 4 ( α, β, γ, δ ) ℓ e ( ≈ 2 log p bits) ∈ F p 2 (= 2 log p bits) E A φ A E AB E φ B E B 1 May 2017 5 / 14

  15. Public-key compression [Aza+16] Compression � R , S � � P , Q � ( α, β, γ, δ ) � α R + β S , γ R + δ S � Decompression � R , S � ( α, β, γ, δ ) � P , Q � ( α, β, γ, δ ) 1 May 2017 6 / 14

  16. Public-key compression [Aza+16] Compression � R , S � Expensive � P , Q � ( α, β, γ, δ ) � α R + β S , γ R + δ S � Decompression � R , S � ( α, β, γ, δ ) � P , Q � ( α, β, γ, δ ) 1 May 2017 6 / 14

  17. Public-key compression [Aza+16] Significantly improve efficiency (up to 66 × ) Compression � R , S � � P , Q � ( α, β, γ, δ ) � α R + β S , γ R + δ S � Decompression � R , S � ( α, β, γ, δ ) � P , Q � ( α, β, γ, δ ) Significantly improve efficiency (up to 15 × ) 1 May 2017 6 / 14

  18. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = 1 May 2017 7 / 14

  19. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick R ∈ E ( F p 2 ) \ 2 E ( F p 2 ) 1 May 2017 7 / 14

  20. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick R ∈ E ( F p 2 ) \ 2 E ( F p 2 ) For E : y 2 = x ( x − γ )( x − δ ), R ∈ 2 E ( F p 2 ) ⇐ ⇒ x R , x R − δ, x R − γ are squares 1 May 2017 7 / 14

  21. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 For E : y 2 = x ( x − γ )( x − δ ), R ∈ 2 E ( F p 2 ) ⇐ ⇒ x R , x R − δ, x R − γ are squares 1 May 2017 7 / 14

  22. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 2 If x 3 R + Ax 2 R + x R is not a square, goto 1 1 May 2017 7 / 14

  23. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 2 If x 3 R + Ax 2 R + x R is not a square, goto 1 � x 3 R + Ax 2 3 Set R ← ( x R , R + x R ) 1 May 2017 7 / 14

  24. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 2 If x 3 R + Ax 2 R + x R is not a square, goto 1 � x 3 R + Ax 2 3 Set R ← ( x R , R + x R ) 4 Set R ← [3 239 ] R 1 May 2017 7 / 14

  25. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 2 If x 3 R + Ax 2 R + x R is not a square, goto 1 � x 3 R + Ax 2 3 Set R ← ( x R , R + x R ) 4 Set R ← [3 239 ] R Finding a canonical basis of E [2 372 ] 1 Pick R ∈ E ( F p 2 ) of order 2 372 2 Pick S ∈ E ( F p 2 ) of order 2 372 3 If E [2 372 ] � = � R , S � , goto 2. 1 May 2017 7 / 14

  26. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S 1 May 2017 8 / 14

  27. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 0 ← f 0 ( S ) . . . 1 May 2017 8 / 14

  28. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 1 ← f n , R f 0 ← f 0 ( S ) f 1 ← f 1 ( P ) . . . . . . 1 May 2017 8 / 14

  29. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 0 ← f 0 ( S ) f 1 ← f 0 ( P ) . . . . . . 1 May 2017 8 / 14

  30. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 2 ← f n , R f 0 ← f 0 ( S ) f 1 ← f 0 ( P ) f 2 ← f 2 ( Q ) . . . . . . . . . 1 May 2017 8 / 14

  31. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 0 ← f 0 ( S ) f 1 ← f 0 ( P ) f 2 ← f 0 ( Q ) . . . . . . . . . 1 May 2017 8 / 14

  32. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 3 ← f n , S f 0 ← f 0 ( S ) f 1 ← f 0 ( P ) f 2 ← f 0 ( Q ) f 3 ← f 3 ( P ) . . . . . . . . . . . . 1 May 2017 8 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference Engine Song Han CVA group, Stanford University Apr 7, 2016 1 Intro about me and my advisor Fourth year PhD with Prof. Bill Dally at Stanford.

2.06k views • 70 slides
Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference Engine Song Han CVA group, Stanford University Jan 6, 2015 A few words about us Fourth year PhD with Prof. Bill Dally at Stanford.

966 views • 54 slides
Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross DaMoN 2015, Melbourne, Victoria, Australia Databases & Compression Process data on disk Nearly unlimited capacity Affects query

490 views • 48 slides
GAN Compression: Efficient Architectures for Interactive Conditional GANs Muyang Li 1,3 , Ji Lin 1

GAN Compression: Efficient Architectures for Interactive Conditional GANs Muyang Li 1,3 , Ji Lin 1

GAN Compression: Efficient Architectures for Interactive Conditional GANs Muyang Li 1,3 , Ji Lin 1 , Yaoyao Ding 1,3 , Zhijian Liu 1 , Jun-Yan Zhu 2 , and Song Han 1 1 Massachusetts Institute of Technology 2 Adobe Research. 3 Shanghai Jiao Tong

442 views • 15 slides
Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck,

Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck,

Background Semantically-informed byte-level compression User-level semantic compression Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck, Carlos Maltzahn, Scott Brandt { adamcrume,buck,carlosm,scott }

739 views • 22 slides
Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1 2 2047 2 2048 1 . Thanks to: University of Illinois at Chicago User knows prime factors of . NSF CCR9983950

768 views • 53 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine

Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine

Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine Andreea Sandu, Emil Slusanschi, Alin Murarasu, Andreea Serban, Alexandru Herisanu, Teodor Stoenescu University Politehnica of Bucharest Computer

447 views • 21 slides
Energy Efficient Distributed JPEG2000 Image Compression in Multihop Wireless Networks Huaming Wu

Energy Efficient Distributed JPEG2000 Image Compression in Multihop Wireless Networks Huaming Wu

Energy Efficient Distributed JPEG2000 Image Compression in Multihop Wireless Networks Huaming Wu & Alhussein A. Abouzeid Dept. of Electrical, Computer and Systems Engineering Rensselaer Polytechnic Institute Troy, New York 12180, USA

383 views • 35 slides
Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should

Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should

Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should be given out Private-key: remains always secret An operation performed by one key in the pair can be inversed only by the other key

267 views • 13 slides
Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P = D(K D ,C) Often, works the other way, too Lecture 4 Page 1 CS 236 Online History of Public Key Cryptography Invented by Diffie and

618 views • 24 slides
CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory

CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory

CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory Updates Xueliang Wei, Dan Feng, Wei Tong, Jingning Liu, Chengning Wang, Liuqing Ye Huazhong University of Science and Technology Persistent Memory

817 views • 38 slides
2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys > 100 uses 4450 keys > 1000 uses An excursion in to the world of OSM tagging presets Simon Poole, SOtM 2018 In the beginning Bus

686 views • 50 slides
Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael Backes, Lucjan Hanzlik, Kamil Kluzcniak, Jonas Schneider This Talk New primitive! Signatures with Flexible Public Key Applications to

1.11k views • 56 slides
1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

TECS Week 2005 Key Management Options Key Management Protocols Out of band and Compositionality Can set up some keys this way (Kerberos) Public-key infrastructure (PKI) Leverage small # of public signing keys Protocols for

282 views • 5 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen

Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen

Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen (Caltech), Maurizio Pierini(CERN) --on behalf of the CMS collaboration CPAD Instrumentation Frontier Workshop December 8-10, 2019 The LHC Big Data Problem

750 views • 20 slides
Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of

Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of

Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of Technology (NJIT) Joint work with S.-H. Park 1 , O. Sahin 2 and S. Shamai 3 3 1 2 Cloud Radio Access Networks Base stations operate as radio units

1.09k views • 57 slides
Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh

Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh

Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh Memory Solutions Lab 07 April 2020 Version 1.2 Samsung Semiconductor, Inc. ICPE 2020 Agenda Modeling Analytics for Computational Storage

848 views • 21 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
Parallel Streaming Computation on Error-Prone Processors Yavuz Yetim, Margaret Martonosi, Sharad

Parallel Streaming Computation on Error-Prone Processors Yavuz Yetim, Margaret Martonosi, Sharad

Parallel Streaming Computation on Error-Prone Processors Yavuz Yetim, Margaret Martonosi, Sharad Malik Hardware Errors on the Rise Soft Errors Due to Cosmic Rays Random Process Variation [Sierawski et al., 2011] [Khun et al., 2011] 25

500 views • 36 slides
Polyharmonic Local Cosine Transforms for Improving JPEG-Compressed Images Naoki Saito Department

Polyharmonic Local Cosine Transforms for Improving JPEG-Compressed Images Naoki Saito Department

Polyharmonic Local Cosine Transforms for Improving JPEG-Compressed Images Naoki Saito Department of Mathematics University of California, Davis Dagstuhl Seminar #16462: Inpainting-Based Image Compression November 15, 2016

929 views • 52 slides
Meet The Professor Management of Lung Cancer Paul K Paik, MD Associate Attending Physician

Meet The Professor Management of Lung Cancer Paul K Paik, MD Associate Attending Physician

Meet The Professor Management of Lung Cancer Paul K Paik, MD Associate Attending Physician Clinical Director, Thoracic Oncology Service Memorial Sloan Kettering Cancer Center New York, New York Commercial Support This activity is supported

1.22k views • 82 slides
Use of ICNP-based electronic nur sing documentation system for pr actice and research Hyeoun-Ae

Use of ICNP-based electronic nur sing documentation system for pr actice and research Hyeoun-Ae

Use of ICNP-based electronic nur sing documentation system for pr actice and research Hyeoun-Ae Park, PhD, RN Professor College of Nursing Seoul National University Brief history of ICNP in Korea 1997-2000: Translation of Alpha & Beta

973 views • 29 slides

More recommend