Estimating size requirements for pairings: Simulating the Tower-NFS - PowerPoint PPT Presentation



  1. Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF($p^n$)
  Quentin Deschamps, Aurore Guillevic, Shashank Singh
  ENS Lyon, Inria Nancy, Loria, CNRS, Université de Lorraine
  November 15, 2017, Elliptic Curve Cryptography Conference ECC17, Nijmegen, Netherlands 1 / 35

  2. Cryptographic pairing: black-box properties
  $(G_1, +)$, $(G_2, +)$, $(G_T, \cdot)$: three cyclic groups of large prime order $\ell$.
  Bilinear pairing: a map $e : G_1 \times G_2 \to G_T$ that is
  1. bilinear: $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$;
  2. non-degenerate: $e(g_1, g_2) \neq 1$ for $\langle g_1 \rangle = G_1$, $\langle g_2 \rangle = G_2$;
  3. efficiently computable.
  Mostly used in practice: $e([a]P, [b]Q) = e([b]P, [a]Q) = e(P, Q)^{ab}$.
  ❀ Many applications in asymmetric cryptography. 2 / 35

  3. Examples of application
  ◮ 1984: idea of identity-based encryption formalized by Shamir
  ◮ 1999: first practical identity-based cryptosystem of Sakai-Ohgishi-Kasahara
  ◮ 2000: constructive pairings, Joux's tri-partite key-exchange (Triffie-Hellman)
  ◮ 2001: IBE of Boneh-Franklin, short signatures Boneh-Lynn-Shacham
  Rely on
  ◮ Discrete Log Problem (DLP): given $g, y \in G$, compute $x$ s.t. $g^x = y$; Diffie-Hellman Problem (DHP)
  ◮ bilinear DLP and DHP: given $G_1, G_2, G_T, g_1, g_2, g_T$ and $y \in G_T$, compute $P \in G_1$ s.t. $e(P, g_2) = y$, or $Q \in G_2$ s.t. $e(g_1, Q) = y$. If $g_T^x = y$ then $e(g_1^x, g_2) = e(g_1, g_2^x) = g_T^x = y$.
  ◮ pairing inversion problem 3 / 35

  4. Pairing setting: elliptic curves
  $E / \mathbb{F}_p : y^2 = x^3 + ax + b$, $a, b \in \mathbb{F}_p$, $p \geq 5$
  ◮ proposed in 1985 by Koblitz, Miller
  ◮ $E(\mathbb{F}_p)$ has an efficient group law (chord and tangent rule) → $G$
  ◮ $\#E(\mathbb{F}_p) = p + 1 - t$, trace $t$: $|t| \leq 2\sqrt{p}$
  ◮ efficient group order computation (point counting)
  ◮ large subgroup of prime order $\ell$ s.t. $\ell \mid p + 1 - t$ and $\ell$ coprime to $p$
  ◮ $E[\ell] \simeq \mathbb{Z}/\ell\mathbb{Z} \oplus \mathbb{Z}/\ell\mathbb{Z}$ (for crypto)
  ◮ only generic attacks against DLP on well-chosen genus 1 and genus 2 curves
  ◮ optimal parameter sizes ($\log_2 \ell = \log_2 p$) 4 / 35

  5. Pairings
  1948 Weil pairing (accouplement)
  1958 Tate pairing
  1985 Miller, Koblitz: use elliptic curves in crypto
  1986 Miller's algorithm to compute pairings
  1988 Kaliski's implementation $E / \mathbb{F}_{11} : y^2 = x^3 - x$ (PhD at MIT)
  At that time:
  ◮ easy to use supersingular curves for ECC: group order known 5 / 35

  6. Supersingular elliptic curves
  Example over $\mathbb{F}_p$, $p \geq 5$: $E : y^2 = x^3 + x$ over $\mathbb{F}_p$, $p \equiv 3 \bmod 4$, s.t. $t = 0$, $\#E(\mathbb{F}_p) = p + 1$. Take $p$ s.t. $p + 1 = 4 \cdot \ell$ where $\ell$ is prime.
  1993: Menezes-Okamoto-Vanstone and Frey-Rück attacks: there exists a pairing $e$ from $E(\mathbb{F}_p)$ into $\mathbb{F}_{p^2}$, where the DLP is much easier. Do not use supersingular curves (1993–1999).
  But computing a pairing is very slow: [Harasawa Shikata Suzuki Imai 99]: 161467 s (112 days) on a 163-bit supersingular curve, where $G_T \subset \mathbb{F}_{p^2}$ of 326 bits. 6 / 35

  7. Pairing-based cryptography
  1999: Frey–Müller–Rück: actually, Miller's algorithm can be much faster.
  2000: [Joux ANTS] Computing a pairing can be done efficiently (1 s on a supersingular 528-bit curve, $G_T \subset \mathbb{F}_{p^2}$ of 1055 bits).
  Weil or Tate pairing on an elliptic curve: $e : E(\mathbb{F}_{p^n})[\ell] \times E(\mathbb{F}_{p^n})[\ell] \to \mathbb{F}_{p^n}^*$, $e([a]P, [b]Q) = e(P, Q)^{ab}$.
  Discrete logarithm problem with one more dimension.
  Attacks
  ◮ inversion of $e$: hard problem (exponential)
  ◮ discrete logarithm computation in $E(\mathbb{F}_p)$: hard problem (exponential, in $O(\sqrt{\ell})$)
  ◮ discrete logarithm computation in $\mathbb{F}_{p^n}^*$: easier, subexponential → take a large enough field 7 / 35

  8. Pairing-friendly curves
  $\ell \mid p^n - 1$, $E[\ell] \subset E(\mathbb{F}_{p^n})$, $n$ embedding degree.
  Tate pairing: $e : E(\mathbb{F}_{p^n})[\ell] \times E(\mathbb{F}_{p^n}) / \ell E(\mathbb{F}_{p^n}) \to \mathbb{F}_{p^n}^* / (\mathbb{F}_{p^n}^*)^{\ell}$
  When $n$ is small, i.e. $1 \leq n \leq 24$, the curve is pairing-friendly. This is very rare: for a given curve, $\log n \sim \log \ell$ ([Balasubramanian Koblitz]).

  $p^n$  | $p^2$, $p^6$  | $p^3$, $p^4$, $p^6$ | $p^{12}$  | $p^{16}$ | $p^{18}$
  curve  | supersingular | MNT                 | BN, BLS12 | KSS16    | KSS18

  MNT, $n = 6$: $p(x) = 4x^2 + 1$, $t(x) = 1 \pm 2x$, $\#E(\mathbb{F}_p) = 4x^2 \mp 2x + 1$
  BN, $n = 12$: $p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1$, $t(x) = 6x^2 + 1$, $r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1$
  More in Aranha's talk. 8 / 35
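As an added worked example (not from the talk), the two parametrisations on this slide evaluated at tiny seeds, together with the checks that make a parameter set pairing-friendly: $p$ and $r$ prime, the Hasse bound on $t$, $r \mid \#E(\mathbb{F}_p)$, $r$ coprime to $p$, and the embedding degree recovered as the multiplicative order of $p$ modulo $r$ (the smallest $k$ with $r \mid p^k - 1$). The seeds $x = 1$ (BN) and $x = 2$ (MNT) and the helper names are my choices; these sizes are hand-checkable and far too small for any real use.

```python
from math import gcd


def is_prime(n):
    """Trial division; enough for the toy seeds used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def bn_params(x):
    """Barreto-Naehrig family (n = 12) at seed x: returns (p, t, r).
    Here r = p + 1 - t exactly, so rho = log p / log r = 1."""
    p = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1
    t = 6 * x**2 + 1
    r = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1
    return p, t, r


def mnt6_params(x, sign=1):
    """MNT family (n = 6): p = 4x^2 + 1, t = 1 +/- 2x, r = #E(F_p) = p + 1 - t."""
    p = 4 * x**2 + 1
    t = 1 + sign * 2 * x
    r = p + 1 - t  # equals 4x^2 -/+ 2x + 1
    return p, t, r


def embedding_degree(p, r, bound=100):
    """Smallest k >= 1 with r | p^k - 1 (the order of p modulo r), or None
    if no k <= bound works, i.e. the curve is not pairing-friendly."""
    for k in range(1, bound + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def check_family(p, t, r):
    """Conditions a pairing-friendly parameter set (p, t, r) must satisfy."""
    return {
        "p_prime": is_prime(p),
        "r_prime": is_prime(r),
        "hasse": t * t <= 4 * p,                  # |t| <= 2 sqrt(p)
        "r_divides_order": (p + 1 - t) % r == 0,  # r | #E(F_p) = p + 1 - t
        "r_coprime_p": gcd(r, p) == 1,
        "k": embedding_degree(p, r),              # embedding degree
    }


if __name__ == "__main__":
    for name, params in (("BN, x = 1", bn_params(1)), ("MNT6, x = 2", mnt6_params(2))):
        print(name, params, check_family(*params))
```

For the BN seed $x = 1$ this gives $p = 103$, $t = 7$, $r = 97$ and recovers $k = 12$; for the MNT seed $x = 2$ with the $+$ sign it gives $p = 17$, $t = 5$, $r = 13$ and $k = 6$. Trying the MNT seed $x = 1$ (with $r = 3$) shows why the primality and order checks matter: $3 \mid p + 1$ already, so the order of $p$ modulo $r$ is 2, not 6.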

  9. Security estimates
  [Lenstra-Verheul'01] estimates RSA key-sizes. The usual security estimates use
  ◮ the asymptotic complexity of the best known algorithm (here NFS)
  ◮ the latest record computations (now 768-bit)
  ◮ extrapolation 9 / 35

  10. Number Field Sieve algorithm
  Subexponential asymptotic complexity: $L_{p^n}[\alpha, c] = e^{(c + o(1)) (\log p^n)^{\alpha} (\log \log p^n)^{1 - \alpha}}$
  ◮ $\alpha = 1$: exponential
  ◮ $\alpha = 0$: polynomial
  ◮ $0 < \alpha < 1$: sub-exponential (including NFS)
  1. polynomial selection (less than 10% of total time)
  2. relation collection: $L_{p^n}[1/3, c]$
  3. linear algebra: $L_{p^n}[1/3, c]$
  4. individual discrete log computation: $L_{p^n}[1/3, c' < c]$ 10 / 35

  11. Example for RSA key sizes
  [Plot: $\log_2 N$ in bits (512 to 3072) against equivalent symmetric security in bits (48 to 128).]
  $s = \log_2(L_N[1/3, 1.923]) - 14$ s.t. $\log_2 N = 512 \leftrightarrow s = 50$ bits
  $s = \log_2(L_N[1/3, 1.923]) - 8$ s.t. $\log_2 N = 768 \leftrightarrow s = 67$ bits 11 / 35
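The calibration on this slide carried out in code, as an added example that is not part of the talk: compute $\log_2 L_N[1/3, 1.923]$ for a modulus of a given bit length, fix the offset from a record computation, then extrapolate to larger moduli. The constant $c = 1.923$ and the offsets 14 and 8 are the slide's; the function names are mine. The $o(1)$ term is dropped, which is exactly what the record-derived offset absorbs.

```python
from math import log

LN2 = log(2)


def log2_L(log2_N, alpha=1 / 3, c=1.923):
    """log2 of L_N[alpha, c] = exp(c (ln N)^alpha (ln ln N)^(1 - alpha)),
    with the o(1) term dropped.  Input is the bit length of N."""
    ln_N = log2_N * LN2
    return c * ln_N**alpha * log(ln_N) ** (1 - alpha) / LN2


def offset_from_record(log2_N, observed_bits):
    """Calibrate against a record: a log2_N-bit modulus cost about
    2^observed_bits operations, so everything hidden in o(1) and in the
    implementation amounts to this constant offset (in bits)."""
    return log2_L(log2_N) - observed_bits


def security_bits(log2_N, offset):
    """Equivalent symmetric security s = log2 L_N[1/3, 1.923] - offset."""
    return log2_L(log2_N) - offset


def keysize_for_security(target_bits, offset, step=64):
    """Smallest modulus bit length (multiple of `step`, from 512 up)
    whose extrapolated security reaches target_bits."""
    n = 512
    while security_bits(n, offset) < target_bits:
        n += step
    return n


if __name__ == "__main__":
    # Offsets taken from the slide: 14 from the 512-bit record, 8 from the 768-bit one.
    for off in (14, 8):
        table = {n: round(security_bits(n, off), 1) for n in (512, 768, 1024, 2048, 3072)}
        print(f"offset {off}: {table}")
        print(f"  modulus for 128-bit security: {keysize_for_security(128, off)} bits")
```

With the 512-bit calibration (offset 14) the model gives about 50 bits at 512, as on the slide, and about 125 bits at 3072; with the 768-bit calibration (offset 8) it gives about 131 bits at 3072. The gap between the two offsets is the point of the slide: the same asymptotic formula extrapolates differently depending on which record fixes the constant, and the most recent record is the one to trust.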

  12. Pairing key-sizes in the 2000's
  Assumed: DLP in prime fields $\mathbb{F}_p$ as hard as in medium and large characteristic fields $\mathbb{F}_Q$ → take the same size as for prime fields.

  Security level | $\log_2 \ell$ | $\log_2$ finite field | $n$ | $\log_2 p$ | $\deg P$, $p = P(u)$ | $\rho$  | curve
  128            | 256           | 3072                  | 1   | 3072       |                      |         | (prime field)
  128            | 256           | 3072                  | 2   | 1536       | no poly              | 6       | supersingular
  128            | 256           | 3072                  | 3   | 1024       | no poly              | 4       | supersingular
  128            | 256           | 3072                  | 12  | 256        | 4                    | 1       | Barreto-Naehrig
  192            | 640           | 7680                  | 12  | 640        | 4                    | 1 → 5/3 | BN
  192            | 427           | 7680                  | 12  | 640        | 6                    | 3/2     | BLS12
  192            | 384           | 9216                  | 18  | 512        | 8                    | 4/3     | KSS18
  192            | 384           | 7680                  | 16  | 480        | 10                   | 5/4     | KSS16
  192            | 384           | 11520                 | 24  | 480        | 10                   | 5/4     | BLS24 12 / 35

  13. Small, medium, large characteristic
  $Q = p^n$; the characteristic $p$ is
  ◮ small: $p = L_Q[\alpha, c]$ where $\alpha < 1/3$
  ◮ medium: $p = L_Q[\alpha, c]$ where $1/3 < \alpha < 2/3$
  ◮ large: $p = L_Q[\alpha, c]$ where $\alpha > 2/3$
  ◮ boundary cases: $p = L_Q[1/3, c]$ and $p = L_Q[2/3, c]$ 13 / 35
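An added example, not from the talk, that turns this classification into a computation: given $\log_2 p$ and $n$, solve $p = L_Q[\alpha, 1]$ for $\alpha$ and read off small, medium or large. Folding $c$ and the $o(1)$ term into $c = 1$ is an assumption of the example, and the function names are mine. Taking logarithms of $\ln p = (\ln Q)^{\alpha} (\ln \ln Q)^{1 - \alpha}$ gives $\ln \ln p = \alpha \ln \ln Q + (1 - \alpha) \ln \ln \ln Q$, which is linear in $\alpha$. Because the notion is asymptotic, the $\alpha$ obtained for concrete sizes is a heuristic indicator only, and values near $1/3$ or $2/3$ are the boundary cases of the slide.

```python
from math import log

LN2 = log(2)


def alpha_of(log2_p, n):
    """Solve ln p = (ln Q)^alpha (ln ln Q)^(1 - alpha) for alpha, with
    Q = p^n and c = 1 (assumption: constant and o(1) folded away).
    Inputs: bit length of p and the extension degree n."""
    ln_p = log2_p * LN2
    ln_Q = n * ln_p
    lll_Q = log(log(ln_Q))   # ln ln ln Q
    ll_Q = log(ln_Q)         # ln ln Q
    return (log(ln_p) - lll_Q) / (ll_Q - lll_Q)


def characteristic_class(log2_p, n):
    """Slide's thresholds: alpha < 1/3 small, 1/3 < alpha < 2/3 medium,
    alpha > 2/3 large.  Values at exactly 1/3 or 2/3 are boundary cases."""
    alpha = alpha_of(log2_p, n)
    if alpha < 1 / 3:
        return "small"
    if alpha < 2 / 3:
        return "medium"
    return "large"


if __name__ == "__main__":
    # Sizes taken from the 128-bit row of the key-size table, plus a binary field.
    cases = [
        ("prime field, 3072-bit p, n = 1", 3072, 1),
        ("supersingular, 1536-bit p, n = 2", 1536, 2),
        ("supersingular, 1024-bit p, n = 3", 1024, 3),
        ("BN, 256-bit p, n = 12", 256, 12),
        ("KSS18, 512-bit p, n = 18", 512, 18),
        ("GF(2^3072), p = 2", 1, 3072),
    ]
    for name, lp, n in cases:
        print(f"{name:36s} alpha = {alpha_of(lp, n):6.3f} -> {characteristic_class(lp, n)}")
```

For a prime field $\alpha = 1$ exactly (large characteristic); a 1536-bit $p$ with $n = 2$ gives $\alpha \approx 0.88$ (large); a 256-bit BN prime in a 3072-bit field gives $\alpha \approx 0.56$ (medium); and $p = 2$ gives a negative $\alpha$ (small). This is why the pairing fields of the key-size table fall in the medium-characteristic regime even though their total size matches a prime field.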

  14. Estimating key sizes for DL in GF($p^n$)
  GF($p^n$) is much less studied than GF($p$) or integer factorization.
  ◮ 2000: LUC, XTR cryptosystems: multiplicative subgroup of prime order dividing $\Phi_n(p)$ (cyclotomic subgroup) of GF($p^2$), GF($p^6$)
  ◮ what is the hardness of computing DL in GF($p^n$), $n = 2, 6$?
  ◮ 2005 [Granger Vercauteren]: $L_Q[1/2]$
  ◮ 2006 Joux–Lercier–Smart–Vercauteren: $L_Q[1/3, 2.423]$ (NFS-HD)
  ◮ rise of pairings: what is the security of DL in GF($2^n$), GF($3^m$), GF($p^{12}$)? 14 / 35

  15. Asymptotic complexities
  Needed:
  ◮ asymptotic complexity (constants $\alpha$, $c$)
  ◮ record computations to scale the shape (guess the $o(1)$)
  Asymptotic complexities now:
  ◮ for tiny characteristic: quasi-polynomial
  ◮ for small characteristic: $L(\alpha)$ for $\alpha < 1/3$
  ◮ for medium and large characteristic: $L(1/3, c + o(1))$
  What is $c$ for medium and large characteristic? 15 / 35
