fast and simple constant time hashing to the bls12 381
play

Fast and simple constant-time hashing to the BLS12-381 elliptic - PowerPoint PPT Presentation

May 24, 2023 •109 likes •1.38k views

Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!) Riad S. Wahby, Dan Boneh Stanford December 3 rd , 2019 Motivation Our initial motivation: BLS signatures [BLS01] Motivation Our initial

  1. Attempt #2: hash and check HashToCurve H&C (msg): ✗ ctr ← 0 y ← ⊥ while y = ⊥ : x ← H p (ctr || msg) ctr ← ctr + 1 ySq ← x 3 + ax + b y ← sqrt( ySq ) // ⊥ if ySq is non-square P ← ( x , y ) return [ h ] P // map to G via cofactor mul Not constant time; “bad” inputs are common.

  2. Attempt #2: hash and check HashToCurve H&C (msg): ✗ ctr ← 0 y ← ⊥ while y = ⊥ : x ← H p (ctr || msg) ctr ← ctr + 1 ySq ← x 3 + ax + b y ← sqrt( ySq ) // ⊥ if ySq is non-square P ← ( x , y ) return [ h ] P // map to G via cofactor mul Not constant time; “bad” inputs are common. Loop a fixed number of times?

  3. Attempt #2: hash and check HashToCurve H&C (msg): ✗ ctr ← 0 y ← ⊥ while y = ⊥ : x ← H p (ctr || msg) ctr ← ctr + 1 ySq ← x 3 + ax + b y ← sqrt( ySq ) // ⊥ if ySq is non-square P ← ( x , y ) return [ h ] P // map to G via cofactor mul Not constant time; “bad” inputs are common. ✗ Loop a fixed number of times? Slow; well-meaning “optimization” breaks CT.

  4. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5:

  5. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp

  6. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp y 2 = x 3 + b y 2 − b � 3 = ⇒ x =

  7. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp

  8. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp

  9. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp

  10. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp

  11. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp

  12. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  13. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  14. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  15. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  16. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] ✗ p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] ✗ p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  17. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] ✗ p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] ✗ p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] ✗ b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  18. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] ✓ none 3 exp SWU [Ulas07] ✗ p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] ✗ p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] ✗ b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  19. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] ✓ none 3 exp SWU [Ulas07] ✗ p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] ✗ p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] ✗ b � = 0, 2 | # E ( F p ) 1 exp This work ✗ ab � = 0 1 exp + exp ✓ none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  20. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4

  21. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4 � One of f ( X i ), i ∈ { 1, 2, 3 } must be square ⇒ that X i must be an x-coordinate on E ( F p )

  22. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4 Idea #2: Construct a map F p �→ V ( F p ), yielding polynomials X 1 ( t ), X 2 ( t ), X 3 ( t ).

  23. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4 Idea #2: Construct a map F p �→ V ( F p ), yielding polynomials X 1 ( t ), X 2 ( t ), X 3 ( t ).  � ( X 1 ( t ), f ( X 1 ( t ))) if f ( X 1 ( t )) is square, else   SW( t ) � � ( X 2 ( t ), f ( X 2 ( t ))) if f ( X 2 ( t )) is square, else  � ( X 3 ( t ), f ( X 3 ( t ))) 

  24. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4 Idea #2: Construct a map F p �→ V ( F p ), yielding polynomials X 1 ( t ), X 2 ( t ), X 3 ( t ).  � ( X 1 ( t ), f ( X 1 ( t ))) if f ( X 1 ( t )) is square, else   SW( t ) � � ( X 2 ( t ), f ( X 2 ( t ))) if f ( X 2 ( t )) is square, else  � ( X 3 ( t ), f ( X 3 ( t )))  � constant-time cost dominated by 3 exps (recall: Legendre symbol in F p ops is 1 exp)

  25. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G

  26. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G

  27. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G

  28. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G

  29. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G � Can use a faster method for cofactor clearing: • via endomorphisms [GLV01,SBCDK09,FKR11,BP18] • via subgroup structure [S19 (see WB19, § 5)]

  30. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G Possible issue: M is not a bijection: # E ( F p ) � = p � output distribution is nonuniform

  31. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G Possible issue: M is not a bijection: # E ( F p ) � = p � output distribution is nonuniform This could be OK—but what if we need uniformity?

  32. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P

  33. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P

  34. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P

  35. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P

  36. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P � [ x ]ˆ P acts as a “one-time pad”

  37. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P � [ x ]ˆ P acts as a “one-time pad” � HashToCurve OTP is indifferentiable from RO [MRH05]

  38. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P // ✗ expensive P ← P 1 + P 2 return [ h ] P � [ x ]ˆ P acts as a “one-time pad” � HashToCurve OTP is indifferentiable from RO [MRH05]

  39. Faster uniform hashing from deterministic maps Problem: point multiplication is usually much more expensive than evaluating M .

  40. Faster uniform hashing from deterministic maps Problem: point multiplication is usually much more expensive than evaluating M . Idea [BCIMRT10,FFSTV13]: HashToCurve(msg) : P 1 ← M ( H p (0 || msg)) P 2 ← M ( H p (1 || msg)) P ← P 1 + P 2 return [ h ] P

  41. Faster uniform hashing from deterministic maps Problem: point multiplication is usually much more expensive than evaluating M . Idea [BCIMRT10,FFSTV13]: HashToCurve(msg) : P 1 ← M ( H p (0 || msg)) P 2 ← M ( H p (1 || msg)) P ← P 1 + P 2 return [ h ] P

  42. Faster uniform hashing from deterministic maps Problem: point multiplication is usually much more expensive than evaluating M . Idea [BCIMRT10,FFSTV13]: HashToCurve(msg) : P 1 ← M ( H p (0 || msg)) P 2 ← M ( H p (1 || msg)) P ← P 1 + P 2 return [ h ] P � Indifferentiable from RO if M is well distributed ✓ All of the M we’ve seen are well distributed.

  43. Roadmap 1. Hash functions to elliptic curves 2. Optimizing the map of [BCIMRT10] 3. Evaluation results 4. IETF standardization efforts

  44. The Simplified SWU map [BCIMRT10] E : y 2 = f ( x ) = x 3 + ax + b , ab � = 0 Idea: pick x s.t. f ( ux ) = u 3 f ( x ). � For u non-square ∈ F p , f ( x ) or f ( ux ) is square.

  45. The Simplified SWU map [BCIMRT10] E : y 2 = f ( x ) = x 3 + ax + b , ab � = 0 Idea: pick x s.t. f ( ux ) = u 3 f ( x ). � For u non-square ∈ F p , f ( x ) or f ( ux ) is square. u 3 x 3 + aux + b = u 3 ( x 3 + ax + b ) � � x = − b 1 ∴ 1 + u 2 + u a

  46. The Simplified SWU map [BCIMRT10] E : y 2 = f ( x ) = x 3 + ax + b , ab � = 0 Idea: pick x s.t. f ( ux ) = u 3 f ( x ). � For u non-square ∈ F p , f ( x ) or f ( ux ) is square. u 3 x 3 + aux + b = u 3 ( x 3 + ax + b ) � � x = − b 1 ∴ 1 + u 2 + u a � If p ≡ 3 mod 4, u = − t 2 is non-square

  47. The Simplified SWU map [BCIMRT10] E : y 2 = f ( x ) = x 3 + ax + b , ab � = 0 Idea: pick x s.t. f ( ux ) = u 3 f ( x ). � For u non-square ∈ F p , f ( x ) or f ( ux ) is square. u 3 x 3 + aux + b = u 3 ( x 3 + ax + b ) � � x = − b 1 ∴ 1 + u 2 + u a � If p ≡ 3 mod 4, u = − t 2 is non-square, so: � � X 0 ( t ) � − b 1 X 1 ( t ) � − t 2 X 0 ( t ) 1 + t 4 − t 2 a

  48. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise

  49. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise Attempt #1 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) p +1 y 0 ← f ( x 0 ) // ✗ expensive 4 x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) p +1 y 1 ← f ( x 1 ) // ✗ expensive 4 if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 )

  50. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise Attempt #1 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) p +1 y 0 ← f ( x 0 ) // ✗ expensive 4 x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) p +1 y 1 ← f ( x 1 ) // ✗ expensive 4 if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 )

  51. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise Attempt #1 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) p +1 y 0 ← f ( x 0 ) // ✗ expensive 4 x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) p +1 y 1 ← f ( x 1 ) // ✗ expensive 4 if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 )

  52. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise Attempt #1 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) p +1 y 0 ← f ( x 0 ) // ✗ expensive 4 x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) p +1 y 1 ← f ( x 1 ) // ✗ expensive 4 if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 ) Requires two exponentiations! Can we do better?

  53. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4

  54. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 )

  55. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 ) p +1 4 . Can we use this? � We have f ( x 0 )

  56. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 ) p +1 4 . Can we use this? � We have f ( x 0 ) � 2 � p +1 p +1 p − 1 2 = f ( x 0 ) · f ( x 0 ) f ( x 0 ) = f ( x 0 ) 4 2

  57. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 ) p +1 4 . Can we use this? � We have f ( x 0 ) � 2 � p +1 p +1 p − 1 2 = f ( x 0 ) · f ( x 0 ) f ( x 0 ) = f ( x 0 ) 4 2 Legendre symbol!

  58. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 ) p +1 4 . Can we use this? � We have f ( x 0 ) � 2 � p +1 p +1 p − 1 2 = f ( x 0 ) · f ( x 0 ) f ( x 0 ) = f ( x 0 ) 4 2 = − f ( x 0 ) if f ( x 0 ) is non-square p +1 4 is � ✓ f ( x 0 ) − f ( x 0 ) when f ( x 0 ) is non-square!

  59. Evaluating the S-SWU map—faster! Attempt #2 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) y 0 ← f ( x 0 ) ( p +1) / 4 // ✗ expensive x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) y 1 ← t 3 y 0 // ✓ cheap! if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 )

  60. Evaluating the S-SWU map—faster! Attempt #2 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) y 0 ← f ( x 0 ) ( p +1) / 4 // ✗ expensive x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) y 1 ← t 3 y 0 // ✓ cheap! if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 ) ✓ Prior work [BDLSY12] lets us avoid inversions.

  61. Evaluating the S-SWU map—faster! Attempt #2 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) y 0 ← f ( x 0 ) ( p +1) / 4 // ✗ expensive x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) y 1 ← t 3 y 0 // ✓ cheap! if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 ) ✓ Prior work [BDLSY12] lets us avoid inversions. ✓ Straightforward to generalize to p ≡ 1 mod 4.

  62. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare.

  63. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2

  64. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2 Legendre symbol!

  65. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2 4 = √ z p +3 8 · 1 − 1 z

  66. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2 4 = √ z p +3 8 · 1 − 1 z So we want: � � ξ 3 t 6 f ( x 0 ) f ( x 1 ) = � p +3 8 · 1 − 1 = t 3 � ξ 3 f ( x 0 ) 4

  67. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2 4 = √ z p +3 8 · 1 − 1 z So we want: � � ξ 3 t 6 f ( x 0 ) f ( x 1 ) = � p +3 8 · 1 − 1 = t 3 � ξ 3 f ( x 0 ) 4 ξ 3 � p +3 � � ξ is fixed, so we can preompute 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Uniform Hashing in Constant Time and Linear Space Anna Ostlin and Rasmus Pagh IT University

Uniform Hashing in Constant Time and Linear Space Anna Ostlin and Rasmus Pagh IT University

Uniform Hashing in Constant Time and Linear Space Anna Ostlin and Rasmus Pagh IT University of Copenhagen STOC 2003, San Diego Presented by Martin Dietzfelbinger TU Ilmenau Uniform hashing U Uniform hashing assumption: h V h maps

279 views • 14 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.5k views • 58 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.25k views • 98 slides
Fast Constant-Time GCD Computation and Modular Inversion Daniel J. Bernstein 1,2 Bo-Yin Yang 3 1

Fast Constant-Time GCD Computation and Modular Inversion Daniel J. Bernstein 1,2 Bo-Yin Yang 3 1

Fast Constant-Time GCD Computation and Modular Inversion Daniel J. Bernstein 1,2 Bo-Yin Yang 3 1 University of Illinois at Chicago 2 Ruhr Universt at Bochum 3 Academia Sinica Monday, August 26, 2019 Summary: Fast, Safe GCD and Inversions

431 views • 23 slides
Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on ARM Cortex-M Alexandre Adomnicai 1,2 Zakaria Najm 1,2,3 Thomas Peyrin 1,2 1 Nanyang Technological University, Singapore 2 Temasek Laboratories,

457 views • 34 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing? Distribute key/value pairs across bins with a hash function , Hashing Performance Hashing (Application of Probability) which maps elements from

497 views • 3 slides
Discrete Hashing Fast, scalable retrieval and classification Fumin Shen Center for Future Media,

Discrete Hashing Fast, scalable retrieval and classification Fumin Shen Center for Future Media,

Discrete Hashing Fast, scalable retrieval and classification Fumin Shen Center for Future Media, University of Electronic Science and Technology of China Outline Introduction to Hashing Discrete optimization for Hashing Applications

818 views • 48 slides
10. Repetition Binary Search Trees and Disadvantages of hashing: linear access time in worst case.

10. Repetition Binary Search Trees and Disadvantages of hashing: linear access time in worst case.

Dictionary implementation Hashing: implementation of dictionaries with expected very fast access times. 10. Repetition Binary Search Trees and Disadvantages of hashing: linear access time in worst case. Some Heaps operations not supported at

173 views • 16 slides
Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Lecture 8 Hashing I 6.006 Fall 2011 Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing Hashing Chaining Simple uniform hashing Good hash functions Dictionary Problem Abstract

452 views • 21 slides
McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands October 13, 2015 Joint work with Daniel J. Bernstein and Peter Schwabe Outline Summary of Our Work Background Main

439 views • 32 slides
14. Hashing Gloal: Efficient management of a table of all n ETH-students of Possible Requirement:

14. Hashing Gloal: Efficient management of a table of all n ETH-students of Possible Requirement:

Motivating Example 14. Hashing Gloal: Efficient management of a table of all n ETH-students of Possible Requirement: fast access (insertion, removal, find) of a Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using dataset by name

158 views • 15 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

625 views • 41 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

823 views • 46 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

643 views • 52 slides
Lecture 8: Information Theory and Maximum Entropy Lecturer: Mike Morais Scribes: 8.1

Lecture 8: Information Theory and Maximum Entropy Lecturer: Mike Morais Scribes: 8.1

NEU 560: Statistical Modeling and Analysis of Neural Data Spring 2018 Lecture 8: Information Theory and Maximum Entropy Lecturer: Mike Morais Scribes: 8.1 Fundamentals of Information theory Information theory started with Claude Shannons A

488 views • 7 slides
Circuits TM: A single program that works for every input length Circuits: A program tailored to

Circuits TM: A single program that works for every input length Circuits: A program tailored to

Circuits TM: A single program that works for every input length Circuits: A program tailored to a specific input length Motivation: -that's what computers really are -cryptography: attackers focus on specific key length -more combinatorial,

415 views • 30 slides
Discuss: P rogramming L anguage What is a PL? CS 251

Discuss: P rogramming L anguage What is a PL? CS 251

1/30/15 Discuss: P rogramming L anguage What is a PL? CS 251 What goes into the design of a PL? Principles of Programming Languages

269 views • 5 slides
Bayesian Learning l A powerful approach in machine learning l Combine data seen so far with prior

Bayesian Learning l A powerful approach in machine learning l Combine data seen so far with prior

Bayesian Learning l A powerful approach in machine learning l Combine data seen so far with prior beliefs This is what has allowed us to do machine learning, have good inductive biases, overcome "No free lunch", and obtain good

1.42k views • 29 slides
Optimal Slack-Driven Block Shaping Algorithm in Fixed-Outline Floorplanning Jackey Z. Yan Chris

Optimal Slack-Driven Block Shaping Algorithm in Fixed-Outline Floorplanning Jackey Z. Yan Chris

Optimal Slack-Driven Block Shaping Algorithm in Fixed-Outline Floorplanning Jackey Z. Yan Chris Chu Placement Tech. Group Department of ECE Cadence Design Systems Iowa State University San Jose, CA 95134, U.S.A. Ames, IA 50010, U.S.A. 1 A

680 views • 31 slides
Bayesian Networks in Reliability: A primer Helge Langseth helgel@math.ntnu.no Department of

Bayesian Networks in Reliability: A primer Helge Langseth helgel@math.ntnu.no Department of

NTNU Bayesian Networks in Reliability: A primer Helge Langseth helgel@math.ntnu.no Department of Mathematical Sciences, Norwegian University of Science and Technology, Trondheim, Norway MMR 2004 p.1/13 Outline NTNU Basics of Bayesian

316 views • 29 slides
1 Ancient DNA: would the real Neandertal please stand up? Eur. Eur. Afr. Asia Afr. Asia H.

1 Ancient DNA: would the real Neandertal please stand up? Eur. Eur. Afr. Asia Afr. Asia H.

Ancient DNA: would the real Neandertal please stand up? Multiregional continuity model : Transition between archaic and modern forms took place within a single evolutionary lineage. The single lineage is composed of geographic

556 views • 18 slides
Dictionaries and strings (part 2) Ole Christian Lingjrde, Dept of Informatics, UiO 20 October

Dictionaries and strings (part 2) Ole Christian Lingjrde, Dept of Informatics, UiO 20 October

Dictionaries and strings (part 2) Ole Christian Lingjrde, Dept of Informatics, UiO 20 October 2017 Todays agenda Quiz Exercise 6.7 String manipulation Quiz 1 Question A d = {-2:-1, -1:0, 0:1, 1:2, 2:-2} print(d[0]) # What is printed

512 views • 35 slides

More recommend