Hardware Operators for Pairing-Based Cryptography, Part I: Because size matters (PowerPoint PPT presentation)

Hardware Operators for Pairing-Based Cryptography, Part I: Because size matters. Jean-Luc Beuchat, Laboratory of Cryptography and Information Security, University of Tsukuba, Japan, jeanluc.beuchat@gmail.com. Joint work with: enaire, LIP,


1. Bilinear pairings (slide 5)
◮ $(\mathbb{G}_2, \times)$, a multiplicatively-written cyclic group of order $\#\mathbb{G}_2 = \#\mathbb{G}_1 = \ell$
◮ A bilinear pairing on $(\mathbb{G}_1, \mathbb{G}_2)$ is a map $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ that satisfies the following conditions:
  • non-degeneracy: $\hat{e}(P, P) \neq 1_{\mathbb{G}_2}$ (equivalently, $\hat{e}(P, P)$ generates $\mathbb{G}_2$)
  • bilinearity: $\hat{e}(Q_1 + Q_2, R) = \hat{e}(Q_1, R) \cdot \hat{e}(Q_2, R)$ and $\hat{e}(Q, R_1 + R_2) = \hat{e}(Q, R_1) \cdot \hat{e}(Q, R_2)$
  • computability: $\hat{e}$ can be efficiently computed
◮ Immediate property: for any two integers $k_1$ and $k_2$, $\hat{e}(k_1 Q, k_2 R) = \hat{e}(Q, R)^{k_1 k_2} = \hat{e}(Q, R)^{k_2 k_1}$
Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 5 / 38

5. Pairings in cryptography (slide 6)
◮ At first, used to attack supersingular elliptic curves
  • Menezes-Okamoto-Vanstone and Frey-Rück attacks, 1993 and 1994: the DLP in $\mathbb{G}_1 = \langle P \rangle$ (recover $k$ from $kP$) is carried over to the DLP in $\mathbb{G}_2$, since $\hat{e}(kP, P) = \hat{e}(P, P)^k$
  • for cryptographic applications, we will also require the DLP in $\mathbb{G}_2$ to be hard
◮ One-round three-party key agreement (Joux, 2000)
◮ Identity-based encryption
  • Boneh-Franklin, 2001
  • Sakai-Kasahara, 2001
◮ Short digital signatures
  • Boneh-Lynn-Shacham, 2001
  • Zhang-Safavi-Naini-Susilo, 2004
◮ ...

15. Short signature (Boneh, Lynn & Shacham, 2001) (slide 7)
◮ PKI: the public point $P$ and Alice's public key $aP$; Alice keeps the secret $a$
◮ Message $\to$ digest $D$
◮ Signature: $aD$
◮ Bob checks the signature $aD$ on $D$ with two pairings: $\hat{e}(D, aP) = \hat{e}(aD, P)$
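The pairing axioms of slide 5 and the BLS verification equation of slide 7, checked in code. This is an added example, not code from the slides or from the speaker's hardware; it assumes a deliberately tiny stand-in bilinear map ($\mathbb{G}_1 = (\mathbb{Z}_\ell, +)$, $\mathbb{G}_2 = \mu_\ell \subset \mathbb{F}_p^{\times}$ with $p = 2\ell + 1$, $\hat{e}(P, Q) = g^{PQ}$) in which the discrete logarithm in $\mathbb{G}_1$ is trivial, so it illustrates the algebra of the scheme only, never the security of a real pairing over an elliptic curve. The group order, the hash-to-$\mathbb{G}_1$ map and the sample message are constructed for the example.

```python
# Added example (not from the slides): pairing axioms and BLS sign/verify on a toy
# bilinear map.  G1 = (Z_l, +), G2 = mu_l = subgroup of order l in F_p^* (p = 2l + 1),
# e(P, Q) = g^(P*Q mod l).  Bilinear and non-degenerate, but DL in this G1 is trivial:
# this models the equations on slides 5 and 7, not the security of a curve pairing.
import hashlib

ELL = 1019                              # prime group order l (constructed toy parameter)
P_MOD = 2 * ELL + 1                     # 2039 is prime, so F_p^* has a subgroup of order l
G = pow(2, (P_MOD - 1) // ELL, P_MOD)   # generator of mu_l (here 2^2 = 4)
assert G != 1                           # order of G is exactly l since l is prime


def pairing(P, Q):
    """e(P, Q) = g^(P*Q) in mu_l, for P, Q in G1 = Z_l."""
    return pow(G, (P * Q) % ELL, P_MOD)


def hash_to_g1(message: bytes) -> int:
    """Message -> digest D in G1 (slide 7); SHA-256 reduced mod l is an assumption."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % ELL


def keygen(a: int, P: int):
    """Alice's secret a and her public key aP; P and aP are what the PKI publishes."""
    return a % ELL, (a * P) % ELL


def sign(a: int, message: bytes) -> int:
    """Signature aD on the digest D of the message."""
    return (a * hash_to_g1(message)) % ELL


def verify(P: int, aP: int, message: bytes, sig: int) -> bool:
    """Bob's check from slide 7: e(D, aP) == e(aD, P)."""
    D = hash_to_g1(message)
    return pairing(D, aP) == pairing(sig, P)


def check_pairing_axioms(P, Q, R, S, k1, k2) -> bool:
    """True if non-degeneracy, bilinearity in both arguments and the k1*k2 exponent
    property of slide 5 all hold for the given group elements and integers."""
    nondeg = pairing(P, P) != 1
    left = pairing((Q + S) % ELL, R) == (pairing(Q, R) * pairing(S, R)) % P_MOD
    right = pairing(Q, (R + S) % ELL) == (pairing(Q, R) * pairing(Q, S)) % P_MOD
    scalar = pairing((k1 * Q) % ELL, (k2 * R) % ELL) == pow(pairing(Q, R), k1 * k2, P_MOD)
    return nondeg and left and right and scalar


if __name__ == "__main__":
    P = 7                                   # public generator of G1 (constructed)
    a, aP = keygen(123, P)                  # Alice's secret is constructed, not derived
    msg = b"constructed sample message"
    sig = sign(a, msg)
    print("axioms hold:", check_pairing_axioms(P, 5, 11, 13, 3, 4))
    print("valid signature verifies:", verify(P, aP, msg, sig))
    print("tampered signature verifies:", verify(P, aP, msg, (sig + 1) % ELL))
```

Tampering the signature makes the two pairings differ for any $P \neq 0$, because $\hat{e}(D, aP) = \hat{e}(aD, P)$ reduces to $aDP = (aD + 1)P$ in the exponent.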

16. Outline of the talk (slide 8)
◮ Pairing-based cryptography
◮ Pairings over elliptic curves
◮ Finite-field arithmetic
◮ Implementation results
◮ Concluding thoughts

21. Pairings over elliptic curves (slide 9)
◮ We first define
  • $\mathbb{F}_q$, a finite field, with $q = 2^m$, $3^m$ or $p$
  • $E$, an elliptic curve defined over $\mathbb{F}_q$
  • $\ell$, a large prime factor of $\#E(\mathbb{F}_q)$
◮ $\mathbb{G}_1 = E(\mathbb{F}_q)[\ell]$, the $\mathbb{F}_q$-rational $\ell$-torsion of $E$: $\mathbb{G}_1 = \{P \in E(\mathbb{F}_q) \mid \ell P = \mathcal{O}\}$
◮ $\mathbb{G}_2 = \mu_\ell$, the group of $\ell$-th roots of unity in $\mathbb{F}_{q^k}^{\times}$: $\mathbb{G}_2 = \{U \in \mathbb{F}_{q^k}^{\times} \mid U^\ell = 1\}$
◮ $k$ is the embedding degree, the smallest integer such that $\mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$
  • usually large for ordinary elliptic curves
  • bounded in the case of supersingular elliptic curves (4 in characteristic 2; 6 in characteristic 3; and 2 in characteristic > 3)

25. The Tate pairing (slide 10)
◮ $\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$, $(P, Q) \mapsto \hat{e}(P, Q)$, where $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ are points of $E$
◮ Computation via Miller's iterative algorithm:
  • $m/2$ iterations over $\mathbb{F}_{2^m}$ and $\mathbb{F}_{3^m}$ ($\eta_T$ pairing)
  • $\log_2 p$ iterations over $\mathbb{F}_p$

33. Security considerations (slide 11)
◮ Discrete logarithm problem should be hard in $\mathbb{G}_1$: from $aP$ (and $P$), a dlog in $\mathbb{G}_1$ recovers the secret $a$
◮ Discrete logarithm problem should be hard in $\mathbb{G}_2$: the pairing maps $aP$ and $P$ to $\hat{e}(aP, P) = \hat{e}(P, P)^a$, so a dlog in $\mathbb{G}_2$ recovers $a$ as well

37. Security considerations (slide 12)
$\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$
◮ Discrete logarithm in $\mathbb{G}_1 = E(\mathbb{F}_q)[\ell]$ (Pollard's $\rho$): $\sqrt{\ell} \approx \sqrt{q} = \exp\left(\tfrac{1}{2} \cdot \ln q\right)$
◮ Discrete logarithm in $\mathbb{G}_2 = \mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$ (FFS or NFS): $\exp\left(c \cdot (\ln q^k)^{1/3} \cdot (\ln \ln q^k)^{2/3}\right)$
◮ The discrete logarithm problem is usually easier in $\mathbb{G}_2$ than in $\mathbb{G}_1$
  • current security: $\sim 2^{80}$, equivalent to 80-bit symmetric encryption or RSA-1024
  • recommended security: $\sim 2^{128}$ (AES-128, RSA-3072)

44. Security considerations (slide 13)
$\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$
◮ The embedding degree $k$ depends on the field characteristic $q$
  Base field ($\mathbb{F}_q$) | $\mathbb{F}_{2^m}$ | $\mathbb{F}_{3^m}$ | $\mathbb{F}_p$
  Embedding degree ($k$) | 4 | 6 | 2
  Lower security ($\sim 2^{64}$) | $m = 239$ | $m = 97$ | $|p| \approx 256$ bits
  Medium security ($\sim 2^{80}$) | $m = 373$ | $m = 163$ | $|p| \approx 512$ bits
  Higher security ($\sim 2^{128}$) | $m = 1103$ | $m = 503$ | $|p| \approx 1536$ bits
◮ $\mathbb{F}_{2^m}$: simpler finite field arithmetic
◮ $\mathbb{F}_{3^m}$: smaller field extension
◮ $\mathbb{F}_p$: prohibitive field sizes
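The two cost formulas of slide 12 evaluated on the parameter sets of slide 13, to show where each security level comes from and which group is the weak one. This is an added example, not part of the presentation. The constants $c$ are assumptions not given on the slides: $c = (32/9)^{1/3}$ for the function field sieve in small characteristic and $c = (64/9)^{1/3}$ for the number field sieve in prime fields; the $o(1)$ term of the L-notation is dropped, so the figures are rough estimates rather than precise attack costs.

```python
# Added example (not from the slides): bit-security estimates from the two DLP cost
# formulas on slide 12, applied to the parameter sets tabulated on slide 13.
#   G1 = E(F_q)[l], Pollard rho:         sqrt(l) ~ sqrt(q) = exp(1/2 * ln q)
#   G2 = mu_l in F_{q^k}^*, FFS or NFS:  exp(c * (ln q^k)^(1/3) * (ln ln q^k)^(2/3))
# The constants below are assumptions (standard asymptotic values), and o(1) is dropped.
import math

FFS_C = (32 / 9) ** (1 / 3)   # ~1.526: function field sieve, small characteristic (assumed)
NFS_C = (64 / 9) ** (1 / 3)   # ~1.923: number field sieve, prime fields (assumed)


def g1_bits(q_bits: float) -> float:
    """Pollard rho in G1 costs about sqrt(q) steps: half the bit length of q."""
    return q_bits / 2


def g2_bits(qk_bits: float, c: float) -> float:
    """L_{q^k}[1/3, c] cost of an index-calculus DL in F_{q^k}^*, in bits."""
    ln_qk = qk_bits * math.log(2)                      # ln(q^k) from the bit length
    return c * ln_qk ** (1 / 3) * math.log(ln_qk) ** (2 / 3) / math.log(2)


def pairing_security(char, size, k):
    """char is 2, 3 or 'p'; size is m for F_2^m / F_3^m, or |p| in bits for F_p.
    Returns (bits of security in G1, bits in G2, name of the weaker group)."""
    if char == "p":
        q_bits, c = float(size), NFS_C
    else:
        q_bits, c = size * math.log2(char), FFS_C     # q = char^m has m*log2(char) bits
    g1 = g1_bits(q_bits)
    g2 = g2_bits(k * q_bits, c)                        # F_{q^k} has k times the bits of q
    return g1, g2, "G1" if g1 < g2 else "G2"


# (base field characteristic, m or |p| in bits, embedding degree k, level claimed on slide 13)
SLIDE_PARAMETERS = [
    (2, 239, 4, 64), (2, 373, 4, 80), (2, 1103, 4, 128),
    (3, 97, 6, 64), (3, 163, 6, 80), (3, 503, 6, 128),
    ("p", 256, 2, 64), ("p", 512, 2, 80), ("p", 1536, 2, 128),
]


def table():
    """One row per slide-13 parameter set: claimed level, G1 bits, G2 bits, weakest group."""
    rows = []
    for char, size, k, level in SLIDE_PARAMETERS:
        g1, g2, weakest = pairing_security(char, size, k)
        rows.append((char, size, k, level, round(g1), round(g2), weakest))
    return rows


if __name__ == "__main__":
    print("char  size   k  slide  G1-bits  G2-bits  weakest")
    for char, size, k, level, g1, g2, weakest in table():
        print(f"{str(char):>4} {size:>5} {k:>3} {level:>6} {g1:>8} {g2:>8}  {weakest}")
```

For every row the $\mathbb{G}_2$ estimate is the smaller one and lands close to the level on slide 13, which is the quantitative reason the talk sizes the extension field $\mathbb{F}_{q^k}$ rather than the curve group: with $k = 6$ the $\mathbb{F}_{3^m}$ extension reaches the target with a much smaller $m$ than $\mathbb{F}_{2^m}$ needs with $k = 4$.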

49. Computation of the Tate pairing (slide 14)
$\hat{e} : E(\mathbb{F}_{p^m})[\ell] \times E(\mathbb{F}_{p^m})[\ell] \to \mu_\ell \subseteq \mathbb{F}_{p^{km}}^{\times}$
◮ Arithmetic over $\mathbb{F}_{p^m}$:
  • polynomial basis: $\mathbb{F}_{p^m} \cong \mathbb{F}_p[x]/(f(x))$
  • $f(x)$, degree-$m$ polynomial irreducible over $\mathbb{F}_p$
◮ Arithmetic over $\mathbb{F}_{p^{km}}^{\times}$:
  • tower-field representation
  • only arithmetic over the underlying field $\mathbb{F}_{p^m}$
◮ Operations over $\mathbb{F}_{p^m}$ (the numeric columns evaluate the formulas at $m = 313$ and $m = 127$):
  Base field ($\mathbb{F}_{p^m}$) | $\mathbb{F}_{2^m}$ | $\mathbb{F}_{2^{313}}$ | $\mathbb{F}_{3^m}$ | $\mathbb{F}_{3^{127}}$
  $+/-$ | $27\lfloor m/2 \rfloor + 75$ | 4287 | $119\lfloor m/4 \rfloor + 260$ | 3949
  $\times$ | $7\lfloor m/2 \rfloor + 29$ | 1121 | $25\lfloor m/4 \rfloor + 93$ | 868
  $a^p$ | $6m + 9$ | 1887 | $17\lfloor m/2 \rfloor + 8$ | 1079
  $a^{-1}$ | 1 | 1 | 1 | 1
◮ Software not well suited to small characteristic: need for hardware acceleration

51. Outline of the talk (slide 15)
◮ Pairing-based cryptography
◮ Pairings over elliptic curves
◮ Finite-field arithmetic (only in characteristic 3)
◮ Implementation results
◮ Concluding thoughts

53. Arithmetic over $\mathbb{F}_{3^m}$ (slide 16)
◮ $f \in \mathbb{F}_3[x]$: degree-$m$ irreducible polynomial over $\mathbb{F}_3$, $f = x^m + f_{m-1} x^{m-1} + \cdots + f_1 x + f_0$
◮ $\mathbb{F}_{3^m} \cong \mathbb{F}_3[x]/(f)$
◮ $a \in \mathbb{F}_{3^m}$: $a = a_{m-1} x^{m-1} + \cdots + a_1 x + a_0$
◮ Each element of $\mathbb{F}_3$ stored using two bits

56. Addition over $\mathbb{F}_{3^m}$ (slide 17)
◮ $r = a + b = (a_{m-1} + b_{m-1}) x^{m-1} + \cdots + (a_1 + b_1) x + (a_0 + b_0)$
  • coefficient-wise additions over $\mathbb{F}_3$: $r_i = (a_i + b_i) \bmod 3$, one $\bmod 3$ adder per coefficient pair $(a_i, b_i)$ in the figure
  • addition over $\mathbb{F}_3$: small look-up tables
  Addition table over $\mathbb{F}_3$:
    + | 0 1 2
    0 | 0 1 2
    1 | 1 2 0
    2 | 2 0 1

57. Addition, subtraction and accumulation over $\mathbb{F}_{3^m}$ (slide 18)
◮ Datapath (figure): operands $a$ and $b$ are loaded into registers $R_0$ and $R_1$, a $+/-$ unit produces $r$, and control signals $c_0, \ldots, c_5$ select load, add/sub, enable and accumulate
  • sign selection: multiplication by 1 or 2, since $-a \equiv 2a \pmod 3$
  • feedback loop for accumulation

58. Multiplication over $\mathbb{F}_{3^m}$ (slide 19)
◮ Parallel-serial multiplication
  • multiplicand loaded in a parallel register
  • multiplier loaded in a shift register
◮ Most significant coefficients first (Horner scheme)
◮ $D$ coefficients processed at each clock cycle: $\lceil m / D \rceil$ cycles per multiplication

75. Multiplication over $\mathbb{F}_{3^m}$ (slide 20)
◮ Example for $D = 3$ (3 coefficients per iteration), with $a = a_{m-1} x^{m-1} + \cdots + a_1 x + a_0$ in the parallel register and the coefficients of $b$ fed most significant first:
  • first iteration: $r \leftarrow \big((b_{m-1} \cdot a) \cdot x^2\big) \bmod f + \big((b_{m-2} \cdot a) \cdot x\big) \bmod f + b_{m-3} \cdot a$ (partial sum)
  • second iteration: $r \leftarrow (r \cdot x^3) \bmod f + \big((b_{m-4} \cdot a) \cdot x^2\big) \bmod f + \big((b_{m-5} \cdot a) \cdot x\big) \bmod f + b_{m-6} \cdot a$ (new partial sum)
  • $\cdots$ and so on, shifting the partial sum by $x^3$ and absorbing three more coefficients of $b$ per clock cycle until all of $b$ has been consumed

79. Multiplication over $\mathbb{F}_{3^m}$ (slide 21)
◮ Computing the partial products $b_j \cdot a$:
  • coefficient-wise multiplication over $\mathbb{F}_3$: $(b_j \cdot a_i) \bmod 3$
  • multiplications over $\mathbb{F}_3$: small look-up tables
◮ Multiplication by $x^j$: simple shift (only wires)
◮ Modulo $f$ reduction:
  • $f = x^m + f_{m-1} x^{m-1} + \cdots + f_1 x + f_0$ gives $x^m \equiv (-f_{m-1}) x^{m-1} + \cdots + (-f_1) x + (-f_0) \pmod f$
  • highest degree of polynomial to reduce: $m + D - 1$
  • if $f$ is carefully selected (e.g. a trinomial or pentanomial), only a few multiplications and additions over $\mathbb{F}_3$
  • example for $m = 97$: $f = x^{97} + x^{12} + 2$
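A software model of the $\mathbb{F}_{3^m}$ datapath of slides 17 to 21: coefficient-wise addition through the look-up table, negation as multiplication by 2, and the most-significant-coefficient-first parallel-serial multiplier that consumes $D$ coefficients of $b$ per clock cycle and reduces modulo the slides' trinomial $f = x^{97} + x^{12} + 2$. This is an added example, not the speaker's hardware or code; the two-bit encoding, registers and control signals are not modelled, and the sample operands are constructed pseudo-randomly. A schoolbook multiply with a single final reduction is included as the reference the serial datapath is checked against.

```python
# Added example (not from the slides): software model of the F_{3^m} operators on
# slides 17 to 21 with the slides' own parameters m = 97, f = x^97 + x^12 + 2.
# Elements are lists of m coefficients in {0, 1, 2}, lowest degree first.
import random
from itertools import zip_longest

M = 97
F_LOW = {12: 1, 0: 2}            # non-leading coefficients f_i of f = x^97 + x^12 + 2

ADD3 = [[0, 1, 2], [1, 2, 0], [2, 0, 1]]   # addition table over F_3 (slide 17)
MUL3 = [[0, 0, 0], [0, 1, 2], [0, 2, 1]]   # multiplication table over F_3 (2 * 2 = 1)

# x^m = -f_{m-1} x^{m-1} - ... - f_0 (mod f); over F_3, -f_i = 2 f_i, so x^97 = 2 x^12 + 1.
X_M_REDUCTION = [(i, MUL3[2][fi]) for i, fi in F_LOW.items()]


def add(a, b):
    """Coefficient-wise addition over F_3: one look-up per coefficient pair."""
    return [ADD3[u][v] for u, v in zip_longest(a, b, fillvalue=0)]


def neg(a):
    """Sign selection from slide 18: -a = 2a (mod 3)."""
    return [MUL3[2][u] for u in a]


def sub(a, b):
    return add(a, neg(b))


def scalar_mul(c, a):
    """Partial product c * a for c in F_3: (c * a_i) mod 3 for every coefficient."""
    return [MUL3[c][u] for u in a]


def reduce_mod_f(poly):
    """Reduce a polynomial of any degree to m coefficients using x^m = 2x^12 + 1.
    Highest degree first, so terms that land at degree >= m are handled later in the loop."""
    poly = list(poly) + [0] * max(0, M - len(poly))
    for deg in range(len(poly) - 1, M - 1, -1):
        c = poly[deg]
        if c == 0:
            continue
        poly[deg] = 0
        for i, coef in X_M_REDUCTION:      # x^deg = x^(deg-m) * x^m
            idx = deg - M + i
            poly[idx] = ADD3[poly[idx]][MUL3[c][coef]]
    return poly[:M]


def mul_parallel_serial(a, b, D=3):
    """Horner-scheme multiplier (slides 19, 20): D coefficients of b per clock cycle,
    most significant first.  Returns (a*b mod f, clock cycles, widest degree reduced)."""
    msb_first = [0] * ((-M) % D) + b[::-1]   # pad b with leading zeros to a multiple of D
    r = [0] * M
    cycles, widest = 0, 0
    for start in range(0, len(msb_first), D):
        chunk = msb_first[start:start + D]
        t = [0] * D + r                      # r * x^D: a pure shift, only wires
        for pos, bj in enumerate(chunk):     # (b_j * a) * x^(D-1-pos), then add
            t = add(t, [0] * (D - 1 - pos) + scalar_mul(bj, a))
        widest = max(widest, len(t) - 1)     # the reducer sees degree m + D - 1
        r = reduce_mod_f(t)
        cycles += 1
    return r, cycles, widest


def mul_schoolbook(a, b):
    """Reference: full 2m-1 coefficient product, then one reduction."""
    prod = [0] * (2 * M - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = ADD3[prod[i + j]][MUL3[ai][bj]]
    return reduce_mod_f(prod)


def sample_operands(seed=1):
    """Constructed sample inputs: two pseudo-random elements of F_{3^97}."""
    rng = random.Random(seed)
    return [rng.randrange(3) for _ in range(M)], [rng.randrange(3) for _ in range(M)]


if __name__ == "__main__":
    a, b = sample_operands()
    r, cycles, widest = mul_parallel_serial(a, b, D=3)
    print("serial multiplier == schoolbook:", r == mul_schoolbook(a, b))
    print("clock cycles for m = 97, D = 3:", cycles, "(ceil(97/3) = 33)")
    print("highest degree reduced:", widest, "(m + D - 1 = 99)")
```

Changing `D` trades area for latency exactly as slide 19 states: `D = 1` takes 97 cycles and reduces degree 97, `D = 4` takes 25 cycles and reduces degree 100, and the result is identical for every `D` because the reduction is a canonical remainder modulo $f$.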
