on the static diffie hellman problem on elliptic curves
play

On the Static Diffie-Hellman Problem on Elliptic Curves over - PowerPoint PPT Presentation

Jul 19, 2023 •159 likes •655 views

Background and Motivation Main Algorithm and Results On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger rgranger@computing.dcu.ie Claude Shannon Institute, UCD and DCU, Ireland ASIACRYPT, 8th December

  1. Background and Motivation Main Algorithm and Results On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger rgranger@computing.dcu.ie Claude Shannon Institute, UCD and DCU, Ireland ASIACRYPT, 8th December 2010 R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  2. Background and Motivation Main Algorithm and Results Outline Background and Motivation 1 The Static Diffie-Hellman Problem An oracle-assisted Static DHP algorithm Main Algorithm and Results 2 Algorithm Overview Potentially Vulnerable Curves Simulation Results R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  3. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm Diffie-Hellman Key Agreement Let G be a cyclic group of prime order r with generator g . R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  4. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm Diffie-Hellman Key Agreement Let G be a cyclic group of prime order r with generator g . − Z r , computes g x and sends to Bob R Alice chooses x ← R − Z r , computes g y and sends to Alice Bob chooses y ← Alice computes ( g y ) x , Bob computes ( g x ) y to give shared secret g xy R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  5. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm Diffie-Hellman Key Agreement Let G be a cyclic group of prime order r with generator g . R − Z r , computes g x and sends to Bob Alice chooses x ← R − Z r , computes g y and sends to Alice Bob chooses y ← Alice computes ( g y ) x , Bob computes ( g x ) y to give shared secret g xy A fundamental security requirement of DH Key Agreement is that the Computational Diffie-Hellman problem should be hard: Definition (CDH): Given g and random g x and g y , find g xy R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  6. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm The Static Diffie-Hellman Problem (Static DHP) Suppose to minimise her exponentiation cost in multiple DH key agreements Alice repeatedly reuses x = d . R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  7. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm The Static Diffie-Hellman Problem (Static DHP) Suppose to minimise her exponentiation cost in multiple DH key agreements Alice repeatedly reuses x = d . This set of problem instances is a tiny subset of all CDH problem instances R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  8. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm The Static Diffie-Hellman Problem (Static DHP) Suppose to minimise her exponentiation cost in multiple DH key agreements Alice repeatedly reuses x = d . This set of problem instances is a tiny subset of all CDH problem instances Not a priori clear that these instances should be hard, even if CDH is hard R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  9. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm The Static Diffie-Hellman Problem (Static DHP) Suppose to minimise her exponentiation cost in multiple DH key agreements Alice repeatedly reuses x = d . This set of problem instances is a tiny subset of all CDH problem instances Not a priori clear that these instances should be hard, even if CDH is hard Definition (Static DHP d ): Given fixed g and g d , and random g y , find g dy R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  10. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm The Static DHP - inception and first result Introduced by Brown and Gallant in 2004, who gave a reduction from the DLP for d to the Static DHP d R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  11. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm The Static DHP - inception and first result Introduced by Brown and Gallant in 2004, who gave a reduction from the DLP for d to the Static DHP d Hence if the DLP for d is hard, then so is the Static DHP d R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  12. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm The Static DHP - inception and first result Introduced by Brown and Gallant in 2004, who gave a reduction from the DLP for d to the Static DHP d Hence if the DLP for d is hard, then so is the Static DHP d Equivalently, given access to a Static DHP d oracle, one can find the associated DLP d R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  13. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm The Static DHP - inception and first result Introduced by Brown and Gallant in 2004, who gave a reduction from the DLP for d to the Static DHP d Hence if the DLP for d is hard, then so is the Static DHP d Equivalently, given access to a Static DHP d oracle, one can find the associated DLP d Definition (Static DHP d oracle): Let G be a cyclic group of prime order r , written additively. For a fixed base element P ∈ G and a fixed element Q ∈ G let d ∈ Z r be such that Q = dP . Then a Static DHP d oracle (w.r.t. ( G , P , Q ) ) computes the function δ : G → G where δ ( X ) = dX R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  14. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm Oracle-assisted Static DHP d algorithm A Static DHP d algorithm is said to be oracle-assisted if during an initial learning phase, it can make a number of Static DHP d queries, after which, given a previously unseen challenge element X , it outputs dX . R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  15. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm Oracle-assisted Static DHP d algorithm A Static DHP d algorithm is said to be oracle-assisted if during an initial learning phase, it can make a number of Static DHP d queries, after which, given a previously unseen challenge element X , it outputs dX . Theorem Let r = uv + 1 . Then d can be found with u calls to a Static DHP d oracle, and off-line computational work of O ( √ u + √ v ) group operations. R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  16. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm DLP to Static DHP d reduction The complexity of the attack is minimised when u ≈ r 1 / 3 Depending on the factorisation of r − 1, can lead to a real attack which is quicker than solving the DLP R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  17. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm DLP to Static DHP d reduction The complexity of the attack is minimised when u ≈ r 1 / 3 Depending on the factorisation of r − 1, can lead to a real attack which is quicker than solving the DLP Brown and Gallant showed that a system entity acts as a Static DHP d oracle, transforming their reduction into a DLP solver, for the following protocols: textbook El Gamal encryption Ford-Kaliski key retrieval Chaum-Van Antwerpen’s undeniable signatures R. Granger On the Static DHP on Elliptic Curves over Extension Fields

  18. Background and Motivation The Static Diffie-Hellman Problem Main Algorithm and Results An oracle-assisted Static DHP algorithm Results of Koblitz and Menezes In ‘Another look at non-standard discrete log and Diffie-Hellman problems’ [07], Koblitz and Menezes studied a set of problems in the Jacobian of small genus hyperelliptic curves Delayed Target DLP/DHP , One-More DLP/DHP , and DLP1/DHP1 Using ‘Index Calculus’ or Brown-Gallant show that some are easier than DLP - hardness separation Argue that problems which are either interactive or have complicated inputs can produce weaknesses Conclude that security assurances provided by such assumptions should be reassessed/are difficult to assess R. Granger On the Static DHP on Elliptic Curves over Extension Fields

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Motivation - Exotic Security Assumptions in Cryptography Main Algorithm and Results Oracle-assisted Static DHP for binary curves On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

1.32k views • 105 slides
E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald Lercier 2 , David Naccache 3 , Emmanuel Thom e 4 Elliptic Curve Cryptography 2008 Utrecht 1 DGA and UVSQ 2 DGA and IRMAR 3 ENS 4 INRIA Lorraine 1

538 views • 25 slides
A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1 Liqun Chen 2 Jiangtao Li 1 1. Intel Corporation, Hillsboro, Oregon, USA 2. Hewlett-Packard Laboratories, Bristol, UK InTrust 2012 Royal Holloway,

827 views • 17 slides
Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

1.07k views • 73 slides
Elliptic curves and cryptography Jan Willemson September 2019 Intro: some ancient cryptography

Elliptic curves and cryptography Jan Willemson September 2019 Intro: some ancient cryptography

Elliptic curves and cryptography Jan Willemson September 2019 Intro: some ancient cryptography 2 September 2019 Diffie-Hellman key exchange Prime p , g Z p g a g b a Z b Z ( g b ) a = ( g a ) b 3 September 2019 Security of

748 views • 62 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,

879 views • 63 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic question about the Diffie-Hellman system: How quickly can we compute n th powers mod p ? Modular exponentiation. p ; Assume standard prime p =

684 views • 45 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao

Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao

Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao Song , Mentee: Lisette del Pino University of Pennsylvania Directed Reading Program May 16, 2020 Mentor: Tao Song , Mentee: Lisette del Pino

1.35k views • 98 slides
Finding People in Images and Videos Navneet DALAL GRAVIR, INRIA Rhne-Alpes Thesis Advisors

Finding People in Images and Videos Navneet DALAL GRAVIR, INRIA Rhne-Alpes Thesis Advisors

Finding People in Images and Videos Navneet DALAL GRAVIR, INRIA Rhne-Alpes Thesis Advisors Cordelia SCHMID et Bill TRIGGS 17 July, 2006 Institut National Polytechnique de Grenoble Goals & Applications Goal: Detect and localise people

950 views • 45 slides
Motion Tracking CS6240 Multimedia Analysis Leow Wee Kheng Department of Computer Science School

Motion Tracking CS6240 Multimedia Analysis Leow Wee Kheng Department of Computer Science School

Motion Tracking CS6240 Multimedia Analysis Leow Wee Kheng Department of Computer Science School of Computing National University of Singapore (CS6240) Motion Tracking 1 / 55 Introduction Introduction Video contains motion information

721 views • 55 slides
Current rent U Use A Applica lications ions 2018-2019 Presentation to Clark County Planning

Current rent U Use A Applica lications ions 2018-2019 Presentation to Clark County Planning

Current rent U Use A Applica lications ions 2018-2019 Presentation to Clark County Planning Commission March 21, 2019 What at is is Open S n Spac ace? (NON-FARM/TIMBERLAND)? The Washington State Legislature recognizes that it

715 views • 26 slides
and Analysts Q2 2020 Results Presentation to Investors and Analysts We are Iceland Seafood

and Analysts Q2 2020 Results Presentation to Investors and Analysts We are Iceland Seafood

Q2 2020 Results Presentation to Investors and Analysts Q2 2020 Results Presentation to Investors and Analysts We are Iceland Seafood Iceland Seafood International is proud of its strong heritage and history and Q2 2020 Results

543 views • 18 slides
Incorporating IPMVP and Six Sigma Strategies into Monitoring and Evaluation Prepared for the

Incorporating IPMVP and Six Sigma Strategies into Monitoring and Evaluation Prepared for the

Incorporating IPMVP and Six Sigma Strategies into Monitoring and Evaluation Prepared for the 2007 ECEEE Summer Study Prepared by Kathleen Carlson, Robert J. Mowris, Ean Jones Robert Mowris & Associates Introduction Energy efficiency

603 views • 22 slides
Earth Ocean Atmospheric Sciences Building, Florida State University, Tallahassee Urban water

Earth Ocean Atmospheric Sciences Building, Florida State University, Tallahassee Urban water

Earth Ocean Atmospheric Sciences Building, Florida State University, Tallahassee Urban water supply and demand in a changing demography The three states account for 27% (81 million) of the current US population They account for 48% of US

356 views • 18 slides
Stability analysys of retrial queing system with non Poisson input and constant retrial rate

Stability analysys of retrial queing system with non Poisson input and constant retrial rate

Stability analysys of retrial queing system with non Poisson input and constant retrial rate Ruslana S. Nekrasova 1 Institute of Applied Mathematical Research Karelian Research Centre, RAS 1 . Petrozavodsk, October 15-17, 2013 Petrozavodsk,

357 views • 12 slides
OUT-OF-EQUILIBRIUM CORRELATIONS AND ENTROPY PRODUCTION IN A DRIVEN GRANULAR FLUID Giacomo

OUT-OF-EQUILIBRIUM CORRELATIONS AND ENTROPY PRODUCTION IN A DRIVEN GRANULAR FLUID Giacomo

OUT-OF-EQUILIBRIUM CORRELATIONS AND ENTROPY PRODUCTION IN A DRIVEN GRANULAR FLUID Giacomo Gradenigo Andrea Gnoli Andrea Puglisi Alessandro Sarracino Dario Villamaina CNR-ISC & University Sapienza CONGRATULATIONS TO ANDREA

352 views • 21 slides

More recommend