hard to compute bits for elliptic curve based one way
play

Hard-to-Compute Bits for Elliptic Curve-Based One-Way Functions - PowerPoint PPT Presentation

Nov 26, 2023 •126 likes •757 views

Hard-to-Compute Bits for Elliptic Curve-Based One-Way Functions Alexandre Duc 1 Dimitar Jetchev 1 1 EPFL, Switzerland Crypto2012, August 23rd, 2012, Santa Barbara, CA Alexandre Duc , Dimitar Jetchev Security of Individual Bits Alexandre Duc

  1. Hard-to-Compute Bits for Elliptic Curve-Based One-Way Functions Alexandre Duc 1 Dimitar Jetchev 1 1 EPFL, Switzerland Crypto’2012, August 23rd, 2012, Santa Barbara, CA Alexandre Duc , Dimitar Jetchev

  2. Security of Individual Bits Alexandre Duc , Dimitar Jetchev

  3. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), Alexandre Duc , Dimitar Jetchev

  4. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), G - a large cyclic subgroup of points on E , Alexandre Duc , Dimitar Jetchev

  5. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), G - a large cyclic subgroup of points on E , e : G × G → G T - a cryptographic pairing, Alexandre Duc , Dimitar Jetchev

  6. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), G - a large cyclic subgroup of points on E , e : G × G → G T - a cryptographic pairing, By fixing the second argument, one gets f Q : G → G T , f Q ( • ) = e ( • , Q ) Alexandre Duc , Dimitar Jetchev

  7. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), G - a large cyclic subgroup of points on E , e : G × G → G T - a cryptographic pairing, By fixing the second argument, one gets f Q : G → G T , f Q ( • ) = e ( • , Q ) FAPI-2 problem is the problem of inverting this function Alexandre Duc , Dimitar Jetchev

  8. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Alexandre Duc , Dimitar Jetchev

  9. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Alexandre Duc , Dimitar Jetchev

  10. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Joux: three-party one-round key agreement protocol Alexandre Duc , Dimitar Jetchev

  11. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Joux: three-party one-round key agreement protocol Hess: identity-based signature scheme Alexandre Duc , Dimitar Jetchev

  12. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Joux: three-party one-round key agreement protocol Hess: identity-based signature scheme FAPI-2 is Hard! Solving FAPI-1 and FAPI-2 yields a solution to CDH. Alexandre Duc , Dimitar Jetchev

  13. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Joux: three-party one-round key agreement protocol Hess: identity-based signature scheme FAPI-2 is Hard! Solving FAPI-1 and FAPI-2 yields a solution to CDH. Our Contribution Assuming the hardness of FAPI-2, we show that all the bits of the input to the pairing-based one-way function are secure. Alexandre Duc , Dimitar Jetchev

  14. Elliptic Curves, Weierstrass Equations, Isomorphism Classes (Short) Weierstrass Equations Equations E a , b : y 2 = x 3 + ax + b , a , b ∈ F p , 4 a 3 + 27 b 2 � = 0. Alexandre Duc , Dimitar Jetchev

  15. Elliptic Curves, Weierstrass Equations, Isomorphism Classes (Short) Weierstrass Equations Equations E a , b : y 2 = x 3 + ax + b , a , b ∈ F p , 4 a 3 + 27 b 2 � = 0. Two Weierstrass equations might represent isomorphic curves. Alexandre Duc , Dimitar Jetchev

  16. Elliptic Curves, Weierstrass Equations, Isomorphism Classes (Short) Weierstrass Equations Equations E a , b : y 2 = x 3 + ax + b , a , b ∈ F p , 4 a 3 + 27 b 2 � = 0. Two Weierstrass equations might represent isomorphic curves. Isomorphism classes Two elliptic curves E a , b and E a ′ , b ′ are isomorphic (over F p ) if and only if a ′ = λ − 4 a , b ′ = λ − 6 b for some λ ∈ F × p . The isomorphism between E a , b and E a ′ , b ′ is given by ( x , y ) �→ ( λ 2 x , λ 3 y ) . Alexandre Duc , Dimitar Jetchev

  17. Elliptic Curves, Weierstrass Equations, Isomorphism Classes (Short) Weierstrass Equations Equations E a , b : y 2 = x 3 + ax + b , a , b ∈ F p , 4 a 3 + 27 b 2 � = 0. Two Weierstrass equations might represent isomorphic curves. Isomorphism classes Two elliptic curves E a , b and E a ′ , b ′ are isomorphic (over F p ) if and only if a ′ = λ − 4 a , b ′ = λ − 6 b for some λ ∈ F × p . The isomorphism between E a , b and E a ′ , b ′ is given by ( x , y ) �→ ( λ 2 x , λ 3 y ) . Each isomorphism class thus contains precisely p − 1 short Weierstrass equations. Alexandre Duc , Dimitar Jetchev

  18. The main result All bits of the pairing-based OWF are hard-to-compute If there is an oracle that predicts the k th bit of the input to f Q on a significant fraction of all short Weierstrass equations in an isomorphism class then there is an efficient algorithm to invert f Q . Alexandre Duc , Dimitar Jetchev

  19. The main result All bits of the pairing-based OWF are hard-to-compute If there is an oracle that predicts the k th bit of the input to f Q on a significant fraction of all short Weierstrass equations in an isomorphism class then there is an efficient algorithm to invert f Q . Conclusion Thus, if FAPI-2 is hard, all the bits of the input of the pairing-based OWF are hard-to-compute. Alexandre Duc , Dimitar Jetchev

  20. Elliptic Curve-Based OWFs The result is in fact much more general as few properties of the pairing-based function f Q are used. Alexandre Duc , Dimitar Jetchev

  21. Elliptic Curve-Based OWFs The result is in fact much more general as few properties of the pairing-based function f Q are used. Bit Security for EC-based OWFs Let G be an elliptic curve group and f : G → G T be any function with the property that its definition is independent of the choice of short Weierstrass equation in the isomorphism class (e.g., the pairing-based OWF). Assuming that inverting f is hard, every bit of the input to f is secure. Alexandre Duc , Dimitar Jetchev

  22. Elliptic Curve-Based OWFs The result is in fact much more general as few properties of the pairing-based function f Q are used. Bit Security for EC-based OWFs Let G be an elliptic curve group and f : G → G T be any function with the property that its definition is independent of the choice of short Weierstrass equation in the isomorphism class (e.g., the pairing-based OWF). Assuming that inverting f is hard, every bit of the input to f is secure. Open Question: Are there other cryptographically interesting EC-based OWFs besides the pairing-based functions for which this result could apply? Alexandre Duc , Dimitar Jetchev

  23. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Alexandre Duc , Dimitar Jetchev

  24. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Alexandre Duc , Dimitar Jetchev

  25. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Alexandre Duc , Dimitar Jetchev

  26. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, Alexandre Duc , Dimitar Jetchev

  27. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, List-decoding via Fourier transforms: Alexandre Duc , Dimitar Jetchev

  28. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, List-decoding via Fourier transforms: Codewords viewed as functions on F × p , Alexandre Duc , Dimitar Jetchev

  29. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, List-decoding via Fourier transforms: Codewords viewed as functions on F × p , Heavy Fourier coefficients: computation of heavy Fourier coefficients (a version of the SFT algorithm by Akavia–Goldwasser–Safra) Alexandre Duc , Dimitar Jetchev

  30. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, List-decoding via Fourier transforms: Codewords viewed as functions on F × p , Heavy Fourier coefficients: computation of heavy Fourier coefficients (a version of the SFT algorithm by Akavia–Goldwasser–Safra) Recoverability: for a given frequency, find all inputs having large Fourier coefficient at this frequency (a technique of Morillo–R` afols). Alexandre Duc , Dimitar Jetchev

  31. Using the prediction oracle - na¨ ıve idea! Suppose that we are given Alexandre Duc , Dimitar Jetchev

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
= Z r T E ( Q ) rank torsion Rank < , hard to compute!

= Z r T E ( Q ) rank torsion Rank < , hard to compute!

A F AMILY OF R ANK S IX E LLIPTIC C URVES OVER N UMBER F IELDS David Mehrle & Tomer Reiter Carnegie Mellon University August 22, 2014 E LLIPTIC C URVES E : y 2 = x 3 + ax 2 + bx + c Elliptic curve Adding points on E makes group

724 views • 19 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides
Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher Leonardi 1 Anzo Teh 1 David Jao 1,2 Kunpeng Wang 3,4,5 Wei Yu 3,4,5 Reza Azarderakhsh 6 [1] Department of Combinatorics and Optimization, University of

911 views • 72 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 2 Elliptic curve arithmetic 1/41 The two facets of an elliptic curve

606 views • 42 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides
Create Pivot Tables using Excel 2008/2013 1/26/2016 V1H Create Pivot Tables using Excel 2008 1

Create Pivot Tables using Excel 2008/2013 1/26/2016 V1H Create Pivot Tables using Excel 2008 1

Create Pivot Tables using Excel 2008/2013 1/26/2016 V1H Create Pivot Tables using Excel 2008 1 Create Pivot Tables using Excel 2008 2 V1H V1H Creating Pivot Tables The Goal Using Excel 2008, 2010 or 2013 Goal: to show the steps involved

528 views • 28 slides
New Way to Amend Consolidated Plans and Annual Action Plans in eCon Planning Suite March 10,

New Way to Amend Consolidated Plans and Annual Action Plans in eCon Planning Suite March 10,

New Way to Amend Consolidated Plans and Annual Action Plans in eCon Planning Suite March 10, 2020 Introductions Presenters Ben Sturm, The Cloudburst Group Rob Sronce, The Cloudburst Group HUD Gloria Coates, OBGA Housekeeping

487 views • 32 slides
Explanation of Air Pollution Using External Data Sources Mahdi Esmailoghli, Sergey Redyuk,

Explanation of Air Pollution Using External Data Sources Mahdi Esmailoghli, Sergey Redyuk,

Explanation of Air Pollution Using External Data Sources Mahdi Esmailoghli, Sergey Redyuk, Ricardo Martinez, Ariane Ziehn, Ziawasch Abedjan, Tilmann Rabl, Volker Markl (DIMA and BIGDAMA groups) BTW Data Science Challenge LuftDaten (pollution

724 views • 29 slides
BERLIN PROPERTY 30 JUNE 2015 Berlin Property 1 Disclaimer This presentation may contain

BERLIN PROPERTY 30 JUNE 2015 Berlin Property 1 Disclaimer This presentation may contain

ACQUISITION OF BERLIN PROPERTY 30 JUNE 2015 Berlin Property 1 Disclaimer This presentation may contain forward-looking statements that involve assumptions, risks and uncertainties. Actual future performance, outcomes and results may differ

633 views • 14 slides
A new way to pick up your packages How many student packages arrive on campus annually? A.

A new way to pick up your packages How many student packages arrive on campus annually? A.

INTRODUCING A new way to pick up your packages How many student packages arrive on campus annually? A. 40,00070,000 B. 70,000100,000 C. 100,000130,000 D. More than 130,000 C. 100,000130,000 128,407 packages delivered in AY

557 views • 27 slides
Slides short explanation: Slide1: Title I chose this title Building communities as if

Slides short explanation: Slide1: Title I chose this title Building communities as if

Slides short explanation: Slide1: Title I chose this title Building communities as if people mattered , because it is catchy, I believe that some of the people will think that I am neglecting the human being, but at the end of the

186 views • 3 slides
Addressing the ICO Report: an IAB UK update 19 November 2019 Who we are Responding to

Addressing the ICO Report: an IAB UK update 19 November 2019 Who we are Responding to

Addressing the ICO Report: an IAB UK update 19 November 2019 Who we are Responding to the ICOs report: - Process - What weve done - What we do next Who we are Responding to the ICOs report: - Process - What weve

286 views • 25 slides
Sonoma State University Engineering Industry Advisory Board Meeting January 31, 2014 3-5 PM

Sonoma State University Engineering Industry Advisory Board Meeting January 31, 2014 3-5 PM

Department of Engineering Science BS Electrical Engineering MS Computer & Engineering Science Sonoma State University Engineering Industry Advisory Board Meeting January 31, 2014 3-5 PM Salazar Hall Jan. 31, 2014 IAB Meeting

415 views • 30 slides

More recommend