Implement all the pairings in software! CARAMBA Seminar, Diego F. Aranha (PowerPoint presentation)
  1. Implement all the pairings in software!
     CARAMBA Seminar
     Diego F. Aranha, Department of Engineering – Aarhus University

  2. Bilinear pairings

  3. Bilinear pairings
     $e(P + R, Q) = e(P, Q) \cdot e(R, Q)$ and $e(P, Q + S) = e(P, Q) \cdot e(P, S)$.

  4. Introduction
     Pairing-Based Cryptography (PBC) enables many elegant solutions to cryptographic problems:
     • Implicit certification schemes (IBE, CLPKC, etc.)
     • Short signatures (in group elements, BLS, BBS)
     • More efficient key agreements (Joux’s 3DH, NIKDS)
     • Low-depth homomorphic encryption (BGN and variants)
     • Zero-knowledge proof systems (LegoSNARK and Sonic)
     • Isogeny-based cryptography (key compression and VDFs)
     Not dead: pairings are not only interesting for research, but actually deployed in practice!

  5. Classic: IBE in Voltage’s SecureMail
     Implemented with a supersingular curve over large characteristic [BF01].
     Figure 1: Source: http://www.securemailworks.com/SecureMail.asp

  6. Modern applications

  7. IBE in Cloudflare’s Geo Key Manager
     Figure 2: https://blog.cloudflare.com/geo-key-manager-how-it-works/

  8. IBE in Cloudflare’s Geo Key Manager
     Implemented using a 256-bit Barreto-Naehrig curve [BN05].
     Figure 3: https://blog.cloudflare.com/geo-key-manager-how-it-works/

  9. Remote attestation in Intel SGX
     Remote attestation scheme employs a pairing-based anonymous group signature by Brickell and Li (EPID) [BL12].
     Enhanced Privacy ID: anonymous group signatures.
     • Signatures verified to belong to the group, hiding the member that signed.
     • Issuer holds the "master key", can grant access to the group.
     • Group = CPUs of same type, same SGX version.
     • Members sign an enclave's measurement anonymously.
     • Verifier ensures that an enclave does run on a trusted SGX platform.
     Figure 4: Slides from BlackHat 2016 talk by Aumasson and Merino [AM16].

  10. Remote attestation in Intel SGX
     Implemented using a 256-bit Barreto-Naehrig curve [BN05].
     EPID implementation: not in microcode, too complex; not in SGX libs, but in the QE and PVE binaries.
     Undocumented implementation details:
     ● Scheme from https://eprint.iacr.org/2009/095
     ● Barreto-Naehrig curve, optimal Ate pairing
     ● Code allegedly based on https://eprint.iacr.org/2010/354
     Pubkey and parameters provided by Intel Attestation Service (IAS)
     Figure 5: Slides from BlackHat 2016 talk by Aumasson and Merino [AM16].

  11. Zcash cryptocurrency
     zk-SNARKs by Ben-Sasson et al. [BCG+14] for privacy-preserving cryptocurrencies, also recently adopted by Ethereum.

  12. Background

  13. Pairing groups
     Let $G_1 = \langle P \rangle$ and $G_2 = \langle Q \rangle$ be additive groups and $G_T$ be a multiplicative group such that $|G_1| = |G_2| = |G_T| = r$, prime. A general pairing is $e : G_1 \times G_2 \to G_T$.
     • $G_1$ is typically a subgroup of $E(\mathbb{F}_p)$.
     • $G_2$ is typically a subgroup of $E(\mathbb{F}_{p^k})$.
     • $G_T$ is a multiplicative subgroup of $\mathbb{F}_{p^k}^{*}$.
     Hence pairing-based cryptography involves arithmetic in $\mathbb{F}_{p^k}$, for embedding degree $k$, the main tool used to balance security.

  14. Pairing operations
     A general pairing $e : G_1 \times G_2 \to G_T$. Cryptographic schemes require multiple operations in pairing groups:
     1. Exponentiation, membership testing, compression in $G_1$, $G_2$ and $G_T$.
     2. Hashing strings to $G_1$, $G_2$.
     3. Efficient maps between $G_1$ and $G_2$.
     4. Efficient pairing computation.

  15. Curve families
     At some point, pairing-based cryptography had an explosion of parameter choices:
     BN curves: $k = 12$, $\rho \approx 1$
       $p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1$, $r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1$, $t(x) = 6x^2 + 1$
     BLS12 curves: $k = 12$, $\rho \approx 1.5$
       $p(x) = (x - 1)^2 (x^4 - x^2 + 1)/3 + x$, $r(x) = x^4 - x^2 + 1$, $t(x) = x + 1$
     KSS18 curves: $k = 18$, $\rho \approx 4/3$
       $p(x) = (x^8 + 5x^7 + 7x^6 + 37x^5 + 188x^4 + 259x^3 + 343x^2 + 1763x + 2401)/21$, $r(x) = (x^6 + 37x^3 + 343)/343$, $t(x) = (x^4 + 16x + 7)/7$
     BLS24 curves: $k = 24$, $\rho \approx 1.25$
       $p(x) = (x - 1)^2 (x^8 - x^4 + 1)/3 + x$, $r(x) = x^8 - x^4 + 1$, $t(x) = x + 1$

  16. Barreto-Naehrig curves
     Let $x \in \mathbb{Z}$ such that $p(x)$ and $r(x)$ are prime:
     • $p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1$
     • $r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1$
     Then $E : y^2 = x^3 + b$, $b \in \mathbb{F}_p$, is a curve of order $r$ and embedding degree $k = 12$ [BN05], and $E'$ is its twist of degree $d = 6$.
     For curve BN-254, fix $x = -(2^{62} + 2^{55} + 1)$ and $b = 2$; the towering can be:
     • $\mathbb{F}_{p^2} = \mathbb{F}_p[i]/(i^2 - \beta)$, where $\beta = -1$
     • $\mathbb{F}_{p^4} = \mathbb{F}_{p^2}[s]/(s^2 - \xi)$, where $\xi = 1 + i$
     • $\mathbb{F}_{p^6} = \mathbb{F}_{p^2}[v]/(v^3 - \xi)$, where $\xi = 1 + i$
     • $\mathbb{F}_{p^{12}} = \mathbb{F}_{p^4}[t]/(t^3 - s)$ or $\mathbb{F}_{p^6}[w]/(w^2 - v)$
     Until recently: BN curves were king at the 128-bit security level and even got close to standardization (IETF RFC).
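The BN-254 parameters on this slide can be checked rather than trusted. The following is an added example (my own plain-Python code, not from the talk or from any pairing library): it evaluates the BN polynomials at the stated x, tests p and r for primality, confirms the curve order p + 1 − t = r and the embedding degree, and verifies that β = −1 is a quadratic non-residue in F_p and that ξ = 1 + i is neither a square nor a cube in F_{p^2}, which is what makes the towering above well-defined.

```python
def bn_params(x):
    """Evaluate the BN family polynomials at x and return (p, r, t)."""
    p = 36*x**4 + 36*x**3 + 24*x**2 + 6*x + 1
    r = 36*x**4 + 36*x**3 + 18*x**2 + 6*x + 1
    return p, r, 6*x**2 + 1             # t = trace of Frobenius: #E(F_p) = p + 1 - t

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases: a plausibility check, not a proof, at 254 bits."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True

def fp2_mul(u, v, p):
    """(a + b i)(c + d i) in F_p[i]/(i^2 + 1), i.e. beta = -1 as on the slide."""
    (a, b), (c, d) = u, v
    return ((a*c - b*d) % p, (a*d + b*c) % p)

def fp2_pow(u, e, p):
    """Square-and-multiply exponentiation in F_{p^2}."""
    acc = (1, 0)
    while e:
        if e & 1:
            acc = fp2_mul(acc, u, p)
        u = fp2_mul(u, u, p)
        e >>= 1
    return acc

def tower_checks(x):
    """(p prime, r prime, p+1-t == r, k, p = 3 mod 4, xi non-square, xi non-cube)."""
    p, r, t = bn_params(x)
    k = next(k for k in range(1, 25) if pow(p, k, r) == 1)   # smallest k with r | p^k - 1
    xi, one = (1, 1), (1, 0)            # xi = 1 + i, the non-residue used for F_{p^6}
    return (is_probable_prime(p), is_probable_prime(r), p + 1 - t == r, k,
            p % 4 == 3,                                       # -1 is a QNR, so i^2 = -1 works
            fp2_pow(xi, (p*p - 1) // 2, p) != one,            # Euler criterion in F_{p^2}
            fp2_pow(xi, (p*p - 1) // 3, p) != one)            # cubic analogue, p = 1 mod 3

BN254_X = -(2**62 + 2**55 + 1)          # the x fixed on the slide for BN-254
```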

  18. Barreto-Naehrig curves
     Instantiating pairings over BN curves had many performance features:
     1. Implementation-friendly parameters, with fast towering and compact generators [GJNB11].
     2. Prime-order group $G_1$, facilitating membership testing.
     3. Twist of maximum degree, reducing the size of $G_2$.
     4. Gallant-Lambert-Vanstone [GLV01] endomorphism in $G_1$.
     5. Galbraith-Scott homomorphism [GS08] in $G_2$, $G_T$.
     6. Compressed squarings for exponentiation in $G_T$.
     Alfred Menezes, 2007: “These curves should not exist, they are too good to be true.”

  20. Updating the security of pairings
     Recent results have undermined the security of pairings in some contexts:
     1. Pairings over small characteristic, due to many advances in the DLP, including a quasi-polynomial algorithm by Barbulescu et al. [BGJT14]. Impact: pairings may not be that viable in resource-constrained devices anymore.
     2. Smooth embedding degree, affected by the Kim-Barbulescu attack on the medium-prime case [KB16]. Impact: security of BN-254 degraded to around 100 bits.
     3. Miller inversion problem, shown to be easy for supersingular curves with $k = 2$ [Sat19]. Impact: these curves may be not just inefficient, but dangerous.

  21. Curve families
     And now we are somewhat back to that situation again. Recently proposed parameters, from the most conservative:
     1. Elliptic curves with embedding degree $k = 1$ (large base field) [CMR17]
     2. Symmetric pairings with prime embedding degree $k = 2, 3$ (still large base field) [Sco05, ZW13]
     3. Elliptic curves with less smooth embedding degrees (ordinary with $k = 9, 13, 15, 21, 27$) [CM18, BMG19]
     4. Cocks-Pinch curves with moderate embedding degrees [GMT19]
     5. Optimal TNFS-resistant families [FM18]
     → Adjusted field sizes and smooth embedding degrees such as Barreto-Lynn-Scott (BLS) and Kachisa-Scott-Schaefer (KSS) curves [BLS02, KSS08].

  22. What do we want?

  23. Implementation techniques

  24. Arithmetic levels
     Diagram: arithmetic layers, from Protocols at the top down to the Low-level backend.

  26. Software libraries
     There are many different open-source software implementations of pairings:
     • PBC: on top of GMP, outdated.
     • Panda: not as efficient anymore, but constant-time.
     • Ate-pairing: CINVESTAV, previous state of the art.
     • MIRACL: special support for constrained platforms.
     • Apache Milagro: fast C and bindings to many languages.
     • OpenPairing: OpenSSL patch, never merged.
     • libsnark: BN-254 and ZKPs.
     • pairing: BLS12-381 implementation from ZCash in Rust.
     • mcl: BN and BLS12 over multiple fields by Shigeo Mitsunari.
     → RELIC: flexible and current state of the art, under heavy development again.

  27. Finite field arithmetic
     Target platform: desktop processor.
     1. An efficient 64-bit implementation of the base field arithmetic typically employs:
     • Montgomery representation.
     • Wide multiplication instructions MUL and MULX.
     • Lazy reduction: $(a \cdot b) \bmod p + (c \cdot d) \bmod p = (a \cdot b + c \cdot d) \bmod p$
     2. Techniques for extension field arithmetic:
     • Small quadratic/cubic non-residues and change of representation.
     • Fastest formulas available in the literature (asymmetric squarings due to [CH07]).
     • General lazy reduction: $k$ reductions for $\mathbb{F}_{p^k}$ arithmetic [AKL+11].
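As an added illustration of the lazy-reduction point (my own plain-Python code, not from the talk or from RELIC), the block below implements Montgomery reduction and multiplies two F_{p^2} elements with i² = −1 twice: the eager way, reducing all four products, and the lazy way, adding the double-precision products first and reducing once per coordinate. The radix W = 256 and the BN-254 modulus p are my assumptions; the lazy path relies on 2p < R so that the unreduced sums stay below p·R.

```python
W = 256                                   # radix bits: R = 2^W, with 2p < R for 254-bit p

def mont_setup(p):
    """Return (R, n_prime) with n_prime = -p^{-1} mod R; p must be odd."""
    R = 1 << W
    return R, (-pow(p, -1, R)) % R

def redc(T, p, R, n_prime):
    """Montgomery reduction: T * R^{-1} mod p. Requires 0 <= T < p * R."""
    m = ((T & (R - 1)) * n_prime) & (R - 1)    # m = T * n' mod R
    t = (T + m * p) >> W                       # T + m*p is divisible by R
    return t - p if t >= p else t              # t < 2p, one conditional subtraction

def mont_mul(a, b, p, R, n_prime):
    """Product of two Montgomery-form operands, reduced immediately."""
    return redc(a * b, p, R, n_prime)

def fp2_mul_eager(u, v, p, R, n_prime):
    """(a + b i)(c + d i) with i^2 = -1, reducing each product: four reductions."""
    (a, b), (c, d) = u, v
    ac, bd = mont_mul(a, c, p, R, n_prime), mont_mul(b, d, p, R, n_prime)
    ad, bc = mont_mul(a, d, p, R, n_prime), mont_mul(b, c, p, R, n_prime)
    return ((ac - bd) % p, (ad + bc) % p)

def fp2_mul_lazy(u, v, p, R, n_prime):
    """Same product with lazy reduction: add the double-precision products first,
    then reduce once per coordinate, so two reductions instead of four.
    p*p is added to keep a*c - b*d non-negative; it vanishes after reduction.
    Both accumulators are below 2p^2 < p*R, which redc requires."""
    (a, b), (c, d) = u, v
    re = redc(a*c - b*d + p*p, p, R, n_prime)
    im = redc(a*d + b*c, p, R, n_prime)
    return (re, im)

def compare(p, a, b, c, d):
    """Multiply (a + b i)(c + d i) both ways in Montgomery form and return
    (eager result, lazy result, plain modular result) as ordinary integers."""
    R, n_prime = mont_setup(p)
    to = lambda z: (z * R) % p                 # enter Montgomery form: z -> z*R mod p
    back = lambda z: redc(z, p, R, n_prime)    # leave Montgomery form: z*R -> z
    u, v = (to(a), to(b)), (to(c), to(d))
    eager = tuple(map(back, fp2_mul_eager(u, v, p, R, n_prime)))
    lazy = tuple(map(back, fp2_mul_lazy(u, v, p, R, n_prime)))
    plain = ((a*c - b*d) % p, (a*d + b*c) % p)
    return eager, lazy, plain

X = -(2**62 + 2**55 + 1)                  # BN-254 parameter from the earlier slide
BN254_P = 36*X**4 + 36*X**3 + 24*X**2 + 6*X + 1
```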
