faster isogeny based compressed key agreement
play

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, - PowerPoint PPT Presentation

Jun 13, 2023 •45 likes •856 views

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

  1. Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1

  2. REVI EW : SI DH AND COMPRESSED KEYS 2

  3. Isogeny-based Crypto n SIDH: proposed replacement for DH-based elliptic curves in a post-quantum world. n Smallest post-quantum public keys ( < 200 bytes) ¨ boosted by key compression techniques ¨ applications with low bandwidth requirements n Downside: ¨ ≈ 2 order of magnitude slower than Four ℚ -based DH or other fast post-quantum KEM schemes (NewHope/ NTRU). 3

  4. SIDH Parameter Setting n ! = 2 $ ⋅ 3 ' − 1 for post-quantum sec. level ≈ 128 bits ¨ Previous: 751-bit prime for , = 372, / = 239 ¨ [ 2018] Adj et al. suggest ≈ 448 -bit primes are enough n 2 3 /5 6 7 ∶ 9: ; = < = + ?< ; + < a supersingular Montgomery curve of order p + 1 ; = 2 ;$ 3 ;' B , C B = 2(5 6 7 )[2 $ ] , A H , C H = 2(5 6 7 )[3 ' ] ¨ A n User private key: I ∈ K ℤ/ℓ N ℤ for ℓ ∈ 2,3 , O ∈ {,, /} n User public key: curve R S,T and points U V , U W . 4

  5. SIDH Parameter Setting n ! = 2 $ ⋅ 3 ' − 1 for post-quantum sec. level ≈ 128 bits ¨ Previous: 751-bit prime for , = 372, / = 239 ¨ [ 2018] Adj et al. suggest ≈ 448 -bit primes are enough n 2 3 /5 6 7 ∶ 9: ; = < = + ?< ; + < a supersingular Montgomery curve of order p + 1 ; = 2 ;$ 3 ;' B , C B = 2(5 6 7 )[2 $ ] , A H , C H = 2(5 6 7 )[3 ' ] ¨ A n User private key: I ∈ K ℤ/ℓ N ℤ for ℓ ∈ 2,3 , O ∈ {,, /} n User public key: curve R S,T and points U V , U W . 5

  6. SIDH Parameter Setting n ! = 2 $ ⋅ 3 ' − 1 for post-quantum sec. level ≈ 128 bits ¨ Previous: 751-bit prime for , = 372, / = 239 ¨ [ 2018] Adj et al. suggest ≈ 448 -bit primes are enough n 2 3 /5 6 7 ∶ 9: ; = < = + ?< ; + < a supersingular Montgomery curve of order p + 1 ; = 2 ;$ 3 ;' B , C B = 2(5 6 7 )[2 $ ] , A H , C H = 2(5 6 7 )[3 ' ] ¨ A n User private key: I ∈ K ℤ/ℓ N ℤ for ℓ ∈ 2,3 , O ∈ {,, /} n User public key: curve R S,T = U(2 3 ) and points V W , V X ∈ 2 B,H . 6

  7. SIDH Public Key Compression n Goal: transmit public key {" #,% , & ' , &())} " #,% /- . / : 12 3 = 5 6 + 85 3 + 5 & ' , & ) ∈ E ;,< 7

  8. SIDH Public Key Compression n [ 2011] Jao et al. ’s public key representation: !, # , $ % & , $ %(() ∈ + , - Pub. Key size: . /01 2 bits 3 4,5 /+ , - : #8 9 = ; < + !; 9 + ; % & , % ( ∈ E ?,@ 8

  9. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: '() *,+ ) ) *,+ /. / 0 : 23 4 = 6 7 + 96 4 + 6 ! " # ,% # ← '() *,+ ) : ; , : < ∈ E ?,@ isomorphic curve 9

  10. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: ! " #,% ∈ ' ( ) : * +,- . bits vs " #,% /' ( ) : 56 7 = 9 : + <9 7 + 9 #, % ∈ ' ( ) : / +,- . bits = > , = ? ∈ E A,B * 012 . bits saved 10

  11. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: :(< =,> ) < =,> /A B C : EF % = G H + IG % + G 4 5 , 4 8 ∈ / 0,1 There is a canonical basis {" # , " % } such that " # , " % = / 0,1 3 3 Idea: express 4 5 = 6 # " # + 6 % " % 4 8 = 9 # " # + 9 % " % 11

  12. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: :(< =,> ) < =,> /A B C : EF % = G H + IG % + G 4 5 , 4 8 ∈ / 0,1 There is a canonical basis {" # , " % } such that " # , " % = / 0,1 3 3 Linear algebra tasks - Build a basis Idea: express 4 5 = 6 # " # + 6 % " % - Internal product: pairing 4 8 = 9 # " # + 9 % " % - Coeff. extraction: DLOG 12

  13. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: %(' (,) ) ' (,) /. / 0 : 23 $ = 5 6 + 85 $ + 5 9 : = @ " ! " + @ $ ! $ 9 : , 9 ; ∈ = >,? 9 ; = A " ! " + A $ ! $ Find ! " , ! $ : Compression (1/ 3): Expensive scalar multiplications involved • find a basis {! " , ! $ } 13

  14. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: 7(9 :,; ) 9 :,; /> ? @ : BC ( = D E + FD ( + D ! " = $ % & % + $ ( & ( ! " , ! ) ∈ H I,J ! ) = * % & % + * ( & ( + = , - . / 0 , / 2 Compression (2/ 3): + 3 = , - . / 0 , 4 5 • prepare DLOG instances + 0 = , - . / 2 , 4 5 • Cost: 5 pairings + 2 = , - . / 0 , 4 6 + - = , - . / 2 , 4 6 21

  15. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: 9(; <,> ) ; <,> /A B C : EF ( = G H + IG ( + G ! " , ! ) ∈ K L,M ! " = $ % & % + $ ( & ( ! ) = * % & % + * ( & ( Compression (3/ 3): + , = − ./0 1 1 , + 2 = ./0 1 1 3 • Compute $ 6 ’s and * 6 ’s • Cost: 4 order 3 8 DLOGs 4 , = − ./0 1 1 5 (Pohlig-Hellman) 4 2 = ./0 1 1 2 22

  16. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: !(# $,& ) ( ) , ( * , + ) , + * ∈ ℤ . / # $,& /1 2 3 : 56 7 = 9 . + ;9 7 + 9 < = , < > ∈ ? @,A 23

  17. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: !(# $,& ) ( ) , ( * , + ) , + * ∈ ℤ . / 0 : * 123 4 bits Vs 5 6 7 , 5 6(8) ∈ 9 : ; : < 123 4 bits # $,& /A : ; : CD E = 5 . + H5 E + 5 I J , I K ∈ L M,N * =>? 4 bits saved 24

  18. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: 9(; <,= ) 3 4 , 3 6 , 8 4 , 8 6 ; <,= /@ A B : DE % = F G + HF % + F Decompression I J , I K ∈ ( ),+ • Compute ⟨" # , " % ⟩ = ( ) * ,+ * [3 . ] • Recover points: 0 1 ← 3 4 " # + 3 6 " % 0 7 ← 8 4 " # + 8 6 " % • Cost: 4 scalar muls. 25

  19. SIDH Public Key Compression n [ 2016] Azarderakhsh et al.’s key compression: ! " #,% ∈ ' ( ) : * +,- . bits / 0 , / * , 1 0 , 1 * ∈ ℤ 3 4 : * +,- . bits vs #, % ∈ 5 ( ) : 6 +,- . bits 7 8(:) , 7 8 < : 6 +,- . bits Public key size: 6 =>? . bits Keys shrunk by 2× J • • Com pression tim e > 0C× KEX L 26

  20. SIDH Public Key Compression n [ 2017] Costello et al. key compression: L(4 M,; ) N O , N P , Q O , Q P !/# $ % : '( ) = + , + .+ ) + + Further compression / 0 , / 2 ∈ 4 • Bob recovers 5 6 , 5 7 to compute the kernel 8 = ⟨5 6 + : ; 5 7 ⟩ = = > + : ; ? > )A > + (= ) +: ; ? > )A ) • wlog. assume = > is invertible CDE 3 G (otherwise ? > is), then H> A > + (= ) = > H> + J K ? ) = > H> 8 = H> )A ) = 8 = > 1 + J K ? > = > 27

  21. SIDH Public Key Compression n [ 2017] Costello et al. key compression: L(4 M,; ) N O , N P , Q O , Q P !/# $ % : '( ) = + , + .+ ) + + Further compression / 0 , / 2 ∈ 4 • After recovering 5 6 , 5 7 , Bob computes the kernel 8 = ⟨5 6 + : ; 5 7 ⟩ = = > + : ; ? > )A > + (= ) +: ; ? > )A ) • wlog. assume = > is invertible CDE 3 G (otherwise ? > is), then H> A > + (= ) = > H> + J K ? ) = > H> 8 = H> )A ) = 8 = > 1 + J K ? > = > 28

  22. SIDH Public Key Compression n [ 2017] Costello et al. key compression: L(4 M,; ) N O , N P , Q O , Q P !/# $ % : '( ) = + , + .+ ) + + Further compression / 0 , / 2 ∈ 4 • After recovering 5 6 , 5 7 , Bob computes the kernel 8 = ⟨5 6 + : ; 5 7 ⟩ = = > + : ; ? > )A > + (= ) +: ; ? > )A ) • wlog. assume = > is invertible CDE 3 G (otherwise ? > is), then H> A > + (= ) = > H> + J K ? ) = > H> 8 = H> )A ) = 8 = > 1 + J K ? > = > 29

  23. SIDH Public Key Compression n [ 2017] Costello et al.’s key compression: >, ?, @ ∈ ℤ , 6 A : A/B CDE F bits !/# $ % : '( ) = + , + .+ ) + + / 0 , / 2 ∈ 4 3 elements in ℤ , 6 are enough: ;9 ∈ ℤ , 6 7 = 8 9 : 9 ;9 ∈ ℤ , 6 < = : ) : 9 ;9 ∈ ℤ , 6 = = 8 ) : 9 Plus 1 bit about invertibility of : 9 or 8 9 30

  24. SIDH Public Key Compression n 2017, Costello et al.’s key compression: !/# $ % : '( ) = + , + .+ ) + + To compress / 0 , / 2 : / 0 , / 2 ∈ 4 generate basis 5 6 , 5 ) • • Optimizations on compute 5 pairings steps 1, 2 and 3 • NB: cost of 5-way Monty Inv.: 30 muls (report) of compression and compute 4 DLOGs, i.e., {8 6 , 8 ) , 9 6 , 9 ) } • on decompression. compute ;, <, = from the quadruple above • 31

  25. SIDH Public Key Compression n 2017, Costello et al.’s key compression: !(#) ∈ & ' ( : ) *+, - bits ., 0, 1 ∈ ℤ 3 4 3 : 5/) *+, - bits 7/8 ' ( : :; < = > 3 + @> < + > A B , A C ∈ # Public key size: 5. E FGH - bits • Ex.: IJ = 328 bytes for I = 751 bits Compression time ≈ R× KEX and decompression ≈ T. U× KEX 32

  26. SIDH Public Key Compression n Is the current (de)compression performance acceptable? 33

  27. SIDH Public Key Compression n Is the current (de)compression performance acceptable? n Current state of classical elliptic curves: ¨ CHES’2 0 1 7 * : speed records for ECDH on embedded devices using curve Four ℚ . n Compression = free (similar to original SIDH, send one coordinate of the point) n Decompression = 0.04x key agreement * Liu Z, Longa P, Pereira G, Reparaz O, Seo H. FourQ on embedded devices with strong countermeasures against side-channel attacks. 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
A Faster P Solution for the Byzantine Agreement Problem Michael J. Dinneen, Yun-Bum Kim, and Radu

A Faster P Solution for the Byzantine Agreement Problem Michael J. Dinneen, Yun-Bum Kim, and Radu

Introduction Byzantine agreement P modules Faster Byzantine solution Conclusions A Faster P Solution for the Byzantine Agreement Problem Michael J. Dinneen, Yun-Bum Kim, and Radu Nicolescu Department of Computer Science, University of

1.07k views • 69 slides
Faster Subsequence and Dont -Care Pattern Matching on Compressed Texts Takanori Yamamoto,

Faster Subsequence and Dont -Care Pattern Matching on Compressed Texts Takanori Yamamoto,

Faster Subsequence and Dont -Care Pattern Matching on Compressed Texts Takanori Yamamoto, Hideo Bannai, Shunsuke Inenaga, Masayuki Takeda Department of Informatics, Kyushu University, JAPAN Originally presented at CPM 2011 1 Self

1.17k views • 47 slides
Faster Pattern Matching with Mismatches in Compressed Texts Karl Bringmann, Marvin Knnemann, and

Faster Pattern Matching with Mismatches in Compressed Texts Karl Bringmann, Marvin Knnemann, and

Few Matches or Almost Periodicity: Faster Pattern Matching with Mismatches in Compressed Texts Karl Bringmann, Marvin Knnemann, and Philip Wellnitz Max Planck Institute for Informatics, Saarland Informatics Campus (SIC), Saarbrcken, Germany

1.61k views • 134 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Compressed Membership for NFA (DFA) with Compressed Labels is in NP (P) Artur Je University of

Compressed Membership for NFA (DFA) with Compressed Labels is in NP (P) Artur Je University of

Compressed Membership for NFA (DFA) with Compressed Labels is in NP (P) Artur Je University of Wrocaw Compressed membership for NFA 1 / 17 Artur Je What this talk is about Fully compressed membership problem for automata Compressed

733 views • 69 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea Basso 1 , P eter Kutas 1 , Simon-Philipp Merz 2 , Christophe Petit 1 , Charlotte Weitk amper 1 University of Birmingham, UK Royal Holloway,

575 views • 19 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 &amp; 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ &amp; Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1 2 2047 2 2048 1 . Thanks to: University of Illinois at Chicago User knows prime factors of . NSF CCR9983950

768 views • 53 slides
Compression Overview Multimedia Encoding and Compression Huffman codes Lossless

Compression Overview Multimedia Encoding and Compression Huffman codes Lossless

Compression Overview Multimedia Encoding and Compression Huffman codes Lossless Outline data received = data sent Compression used for executables, text files, numeric data RTP Lossy Scheduling data received

83 views • 4 slides
Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The

Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The

Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The CODATA-RDA Research Data Science Applied workshop on Bioinformatics ICTP, Trieste - Italy July 24-28, 2017 Nicola Prezza Technical University of

788 views • 45 slides
Mesh Compression Mesh Compression Connectivity: Often, triangulated graph CS101 - Meshing

Mesh Compression Mesh Compression Connectivity: Often, triangulated graph CS101 - Meshing

Triangle Meshes Two main parts: Mesh Compression Mesh Compression Connectivity: Often, triangulated graph CS101 - Meshing Sometimes, polygons 3-connected graphs Geometry: Positions in space CS101b - Meshing 2 Basic

781 views • 20 slides
in RIOT? R I O T S U M M I T 2 0 2 0 - B A R T M O O N S MAIN GOAL Integrate libSCHC for

in RIOT? R I O T S U M M I T 2 0 2 0 - B A R T M O O N S MAIN GOAL Integrate libSCHC for

Static Context Header Compression [sjiek] Where do we want to go in RIOT? R I O T S U M M I T 2 0 2 0 - B A R T M O O N S MAIN GOAL Integrate libSCHC for standard, IPv6-based connectivity to the smallest devices reliable

471 views • 20 slides
Models for Sentence Compression A Comparison across Domains, Training Requirements and Evaluation

Models for Sentence Compression A Comparison across Domains, Training Requirements and Evaluation

Models for Sentence Compression A Comparison across Domains, Training Requirements and Evaluation Measures James Clarke and Mirella Lapata School of Informatics University of Edinburgh July 2006 ACL 2006 James Clarke and Mirella Lapata 1

1.07k views • 62 slides
Benchmarking HDF5 Compression Filters in R Mike L. Smith @grimbough HDF5 is a file format for

Benchmarking HDF5 Compression Filters in R Mike L. Smith @grimbough HDF5 is a file format for

Benchmarking HDF5 Compression Filters in R Mike L. Smith @grimbough HDF5 is a file format for storing large, heterogenous, data Used in a variety of software, e.g: DelayedArray Kallisto ONT sequencing mz5 mass spec

414 views • 12 slides
On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and

On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and

On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and Rafael Pass Cornell University and Cornell Tech CRYPTO 2018 Indistinguishability Obfuscation (iO) An obfuscator is a compiler which preserves

1.01k views • 86 slides

More recommend