On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields

Motivation - Exotic Security Assumptions in Cryptography Main Algorithm and Results Oracle-assisted Static DHP for binary curves On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger


  3. Diffie-Hellman Key Agreement

     Let $G$ be a cyclic group of prime order $r$ with generator $g$.
     Alice chooses $x \xleftarrow{R} \mathbb{Z}_r$, computes $g^x$ and sends to Bob.
     Bob chooses $y \xleftarrow{R} \mathbb{Z}_r$, computes $g^y$ and sends to Alice.
     Alice computes $(g^y)^x$, Bob computes $(g^x)^y$ to give shared secret $g^{xy}$.
     A fundamental security requirement of DH Key Agreement is that the Computational Diffie-Hellman problem should be hard:
     Definition (CDH): Given $g$ and random $g^x$ and $g^y$, find $g^{xy}$.

  9. The Static Diffie-Hellman Problem (Static DHP)

     Suppose in DH Key Agreement Alice repeatedly reuses $x = d$.
     Definition (Static DHP$_d$): Given fixed $g$ and $g^d$, and random $g^y$, find $g^{dy}$.
     Set of problem instances in Static DHP is a tiny subset of CDH problem instances.
     Not a priori clear that these instances should be hard, even if CDH is hard.
     Can arise as an efficiency measure during multiple DH key agreements.
     Also arises in textbook El Gamal encryption, Ford-Kaliski key retrieval, and Chaum-Van Antwerpen's undeniable signatures.

  14. Static DHP$_d$ example: textbook El Gamal

      Alice has public key $g^d$. To encrypt a message $m$, Bob picks a random $x \xleftarrow{R} \mathbb{Z}_r$ and computes $c = (c_1, c_2) = (g^x, m g^{dx})$.
      To decrypt Alice computes $m = c_2 / c_1^d$. So if one can compute $g^{dx}$ for any $g^x$ one can decrypt.
      Furthermore, in a chosen-ciphertext attack an adversary has access to a decryption oracle.
      If adversary chooses $c = (g^x, c_2)$ the decryption oracle returns $m = c_2 / g^{dx}$.
      Adversary computes $g^{dx} = c_2 / m$, which solves the Static DHP$_d$ for instance $g^x$, hence the adversary has access to a Static DHP$_d$ oracle.

  16. Static DHP$_d$ oracle

      Definition (Static DHP$_d$ oracle). Let $G$ be a cyclic group of prime order $r$, written additively. For a fixed base element $P \in G$ and a fixed element $Q \in G$ let $d \in \mathbb{Z}_r$ be such that $Q = dP$. Then a Static DHP$_d$ oracle (wrt $G$) computes the function $\delta : G \to G$ where $\delta(X) = dX$.
      Likewise, a Static DHP$_d$ algorithm is said to be oracle-assisted if during an initial learning phase, it can make a number of Static DHP$_d$ queries, after which, given a previously unseen challenge element $X$, it outputs $dX$.

  20. The Static DHP - inception and 1st result

      Introduced by Brown and Gallant in 2004, who gave a reduction from the DLP for $d$ to the Static DHP$_d$.
      Hence if the DLP for $d$ is hard, then so is the Static DHP$_d$.
      Equivalently, given access to a Static DHP$_d$ oracle, one can find the associated DLP.
      Theorem: Let $r = uv + 1$. Then $d$ can be found with $u$ calls to a Static DHP$_d$ oracle, and off-line computational work of about $(\sqrt{u} + \sqrt{v})$ group operations.

  21. DLP to Static DHP$_d$ reduction

      ALGORITHM 1: DLP to Static DHP$_d$ reduction
      INPUT: $P, dP \in G$ with $G$ cyclic of prime order and $|G| = uv + 1$
      OUTPUT: $d$
      1. Find a generator $g \in \mathbb{F}_p^\times$
      2. Compute $w = g^u$ and $d^u P$ via $u$ calls to oracle
      3. Let $m_v = \lceil \sqrt{v} \rceil$
      4. Find $0 \le u_1, v_1 < m_v$ such that $w^{-u_1} d^u P = w^{m_v v_1} P$
      5. Let $k_0 = m_v v_1 + u_1$ so that $d^u = w^{k_0}$
      6. Let $m_u = \lceil \sqrt{u} \rceil$
      7. Find $0 \le u_2, v_2 < m_u$ such that $g^{-u_2 v} dP = g^{k_0 + m_u v_2 v} P$
      8. Return $g^{k_0 + (m_u v_2 + u_2) v}$
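Algorithm 1 carried out on a toy group, as an added example that is not from the talk. It assumes the order-$r$ subgroup of $\mathbb{Z}_q^*$ as $G$ (written multiplicatively), reads the generator in step 1 as a generator of the nonzero integers modulo the group order $r = uv + 1$, and uses constructed parameters ($r = 65537$, $u = 32$) and hypothetical names (`toy_group`, `StaticDHOracle`, `bsgs`, `recover_d`).

```python
"""Algorithm 1 (DLP to Static DHP_d reduction) on a toy group.

Constructed toy setting, not from the slides: G is the order-r subgroup of
Z_q^*, written multiplicatively, so the slide's scalar multiple sX is
pow(X, s, q) here.
"""
from math import isqrt


def is_prime(n):
    return n >= 2 and all(n % k for k in range(2, isqrt(n) + 1))


def prime_factors(n):
    out, k = set(), 2
    while k * k <= n:
        while n % k == 0:
            out.add(k)
            n //= k
        k += 1
    if n > 1:
        out.add(n)
    return out


def toy_group(r):
    """Return (q, P): a prime q = c*r + 1 and an element P of order r mod q."""
    assert is_prime(r) and r > 2
    c = 2
    while not is_prime(c * r + 1):
        c += 2
    q = c * r + 1
    h = 2
    while pow(h, c, q) == 1:
        h += 1
    return q, pow(h, c, q)


def primitive_root(r):
    """Smallest generator of the nonzero integers modulo the prime r."""
    fs = prime_factors(r - 1)
    return next(g for g in range(2, r)
                if all(pow(g, (r - 1) // f, r) != 1 for f in fs))


class StaticDHOracle:
    """delta(X) = dX for a secret d; counts how often it is queried."""

    def __init__(self, d, q):
        self._d, self._q, self.calls = d, q, 0

    def __call__(self, X):
        self.calls += 1
        return pow(X, self._d, self._q)


def bsgs(P, T, s, c, m, r, q):
    """Find 0 <= a, b < m with (s^-a)T == (c * s^(m*b))P; return m*b + a."""
    s_inv = pow(s, -1, r)
    baby = {}
    for a in range(m):                       # baby steps act on the target T
        baby.setdefault(pow(T, pow(s_inv, a, r), q), a)
    step, scalar = pow(s, m, r), c % r
    for b in range(m):                       # giant steps act on the base P
        a = baby.get(pow(P, scalar, q))
        if a is not None:
            return m * b + a
        scalar = scalar * step % r
    raise ValueError("no collision: inputs are inconsistent")


def recover_d(P, Q, oracle, r, u, q):
    """Steps 1-8 of Algorithm 1; Q = dP, oracle computes X -> dX."""
    assert (r - 1) % u == 0
    v = (r - 1) // u
    g = primitive_root(r)                    # step 1
    w = pow(g, u, r)                         # step 2: w has order v
    Du = P
    for _ in range(u):                       # P -> dP -> ... -> d^u P
        Du = oracle(Du)
    m_v = isqrt(v - 1) + 1                   # step 3: ceil(sqrt(v))
    k0 = bsgs(P, Du, w, 1, m_v, r, q) % v    # steps 4-5: d^u = w^k0
    m_u = isqrt(u - 1) + 1                   # step 6: ceil(sqrt(u))
    j = bsgs(P, Q, pow(g, v, r), pow(g, k0, r), m_u, r, q) % u   # step 7
    return pow(g, k0 + j * v, r)             # step 8


def demo(d=48611, r=65537, u=32):
    """Return (recovered d, number of oracle queries) for constructed values."""
    q, P = toy_group(r)
    oracle = StaticDHOracle(d, q)
    return recover_d(P, pow(P, d, q), oracle, r, u, q), oracle.calls


if __name__ == "__main__":
    print(demo())
```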

  26. DLP to Static DHP$_d$ reduction

      The complexity of the attack is minimised when $u \approx r^{1/3}$.
      For the three schemes mentioned, Brown and Gallant showed that a system entity acts as a Static DHP$_d$ oracle, transforming their reduction into a DLP solver.
      Depending on the factorisation of $r - 1$, can lead to a real attack which is quicker than solving the DLP.
      Attack was rediscovered by Cheon in 2006, when the requisite information is provided in the guise of the $l$-Strong DHP:
      Definition ($l$-Strong Diffie-Hellman problem): Given $P$ and $d^i P$ in $G$ for $i = 1, 2, \ldots, l$, compute $d^{l+1} P$.

  30. DLP to $l$-Strong DHP reduction

      Cheon also formulated an algorithm for the $l$-Strong DHP when $l \mid (r + 1)$.
      Brown-Gallant reduction and Cheon's algorithm can be seen as using the DLP to DHP reduction due to den Boer, Maurer, Wolf et al, but with limited access to CDH oracle.
      For the $l$-Strong DHP, security proofs were in one direction only, so Cheon's algorithm does not break any protocols.
      For Boneh-Boyen signatures, in 2009 Jao and Yoshida gave a reduction in the reverse direction, thus strengthening the security proof, and giving an attack with complexity $O(r^{2/5 + \epsilon})$ if $O(r^{1/5 + \epsilon})$ signature queries may be performed.

  35. Delayed Target DHP

      Definition: A solver is given initial access to a Static DHP$_d$ oracle for the element $Q = dP \in G$; when the oracle is removed, the solver is given a random challenge $X \in G$ and must solve the CDH for input $(Q, X)$, i.e., output $dX$.
      Situation identical to oracle-assisted Static DHP.
      Described by Freeman, 2005 — 'Pairing-based identification schemes'.
      Security of scheme equivalent to Delayed Target DHP.
      Koblitz-Menezes also studied the Delayed Target DLP.

  41. The oracle-assisted Static DHP/Delayed Target DHP

      Koblitz-Menezes used index calculus methodology:
      Construct a factor base $\mathcal{F}$ over which a non-negligible proportion of group elements factor.
      Call the Static DHP$_d$ oracle $\delta$ on all $f \in \mathcal{F}$.
      For a target element $X$ attempt to write random multiples $aX$ as a sum of elements of $\mathcal{F}$, i.e., $aX = P_1 + \cdots + P_n$.
      Then $dX = (a^{-1} \bmod r)(\delta(P_1) + \cdots + \delta(P_n))$.
      Used for finite fields and small genus hyperelliptic curves — hardness separation from DLP.
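The factor-base method above in a toy finite-field setting, with the Static DHP$_d$ oracle obtained from a textbook El Gamal decryption oracle as on the earlier El Gamal slide (added example, not from the talk). The modulus $2^{31} - 1$, the smoothness bound 200, the key and message values and all function names are constructed for the illustration; the group is all of $\mathbb{Z}_p^*$, so $a$ is inverted modulo $p - 1$ rather than modulo a prime $r$, and multipliers $a$ are tried in sequence rather than at random to keep the run deterministic.

```python
"""Delayed-target Static DHP with a factor base, toy finite-field version.

Constructed setting (not from the slides): the group is Z_p^* with
p = 2^31 - 1, the factor base is the primes up to 200, and the Static DHP_d
oracle is built from a textbook El Gamal decryption oracle.
"""
from math import gcd

P_MOD = 2**31 - 1          # Mersenne prime; the group order is P_MOD - 1
BOUND = 200                # smoothness bound defining the factor base


class ElGamalKey:
    """Textbook El Gamal with static secret d; decrypt() is the CCA oracle."""

    def __init__(self, d, g=7):
        self._d, self.g = d, g
        self.pub = pow(g, d, P_MOD)
        self.decryptions = 0

    def encrypt(self, m, x):
        return pow(self.g, x, P_MOD), m * pow(self.pub, x, P_MOD) % P_MOD

    def decrypt(self, c1, c2):
        self.decryptions += 1
        return c2 * pow(c1, -self._d, P_MOD) % P_MOD


def static_dh(key, X):
    """delta(X) = X^d from one decryption query: Dec(X, 1) = 1 / X^d."""
    return pow(key.decrypt(X, 1), -1, P_MOD)


def small_primes(bound):
    return [n for n in range(2, bound + 1)
            if all(n % k for k in range(2, int(n**0.5) + 1))]


def factor_over(n, base):
    """Exponent vector of n over base, or None if n is not smooth."""
    exps = {}
    for f in base:
        while n % f == 0:
            n //= f
            exps[f] = exps.get(f, 0) + 1
    return exps if n == 1 else None


def learn(key, base):
    """Learning phase: one oracle call per factor-base element."""
    return {f: static_dh(key, f) for f in base}


def solve(X, table):
    """Post-learning phase: compute X^d from the table alone; return (X^d, a)."""
    order = P_MOD - 1
    base = list(table)
    a = 0
    while True:
        a += 1
        if gcd(a, order) != 1:               # a must be invertible mod the order
            continue
        exps = factor_over(pow(X, a, P_MOD), base)
        if exps is None:
            continue
        acc = 1                              # acc = (X^a)^d from stored answers
        for f, e in exps.items():
            acc = acc * pow(table[f], e, P_MOD) % P_MOD
        return pow(acc, pow(a, -1, order), P_MOD), a


def demo(d=123456789, m=424242, x=987654321):
    """Return (recovered m, queries in learning phase, queries in total)."""
    key = ElGamalKey(d)
    table = learn(key, small_primes(BOUND))
    learned = key.decryptions                # the oracle is not used after this
    c1, c2 = key.encrypt(m, x)
    shared, _ = solve(c1, table)             # c1^d with no further query
    return c2 * pow(shared, -1, P_MOD) % P_MOD, learned, key.decryptions


if __name__ == "__main__":
    print(demo())
```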

  45. The Static DHP - JLNT

      Joux, Naccache and Thomé showed that initial subexponential access to an $e$-th root oracle in RSA enables later $e$-th root computations — faster than one can factor the modulus.
      Ports easily over to Static DHP$_d$ in finite fields (+Lercier).
      The $L_{q^n}(1/3, \sqrt[3]{x})$ complexities of the JLNT algorithm are:

      | variant | oracle access | learning phase | post-learning phase |
      |---------|---------------|----------------|---------------------|
      | FFS     | 4/9           | -              | 4/9                 |
      | NFS-HD  | 48/91         | 384/91         | 384/91              |
      | NFS     | 4/9           | 32/9           | 3                   |

      Observe that each is faster than the DLP in the corresponding fields.

  46. Index calculus example: Delayed Target DHP

      Let $H(\mathbb{F}_q)$ be a genus $g$ hyperelliptic curve and $\mathrm{Jac}_H(\mathbb{F}_q)$ its Jacobian.
      Let $\mathcal{F}$ be a proportion $q^{\alpha}$ of degree one divisors for $0 < \alpha \le 1$.
      Call the Static DHP$_d$ oracle for $Q = dP$ for all $D \in \mathcal{F}$.
      Prob. random $aX$ factors over $\mathcal{F}$ is $q^{g(\alpha - 1)} / g!$.
      Hence expected number of trials to obtain an $\mathcal{F}$-smooth element $aX$ is $q^{g(1 - \alpha)} g!$.
      Balancing this with the oracle calls gives $\alpha = (g + \log_q g!) / (g + 1) \approx 1 - 1/(g + 1)$.

  48. Index calculus example: Delayed Target DHP

      For DLP, there are four basic variants:
      Gaudry (2000): basic index calculus — $O(q^2)$
      Harley (2000): reduce factor base — $O(q^{2 - 2/(g+1)})$
      Thériault (2003): large-prime variation — $O(q^{2 - 2/(g+1/2)})$
      GTTD (2007): double large-prime variation — $O(q^{2 - 2/g})$
      The Delayed Target DHP algorithm is $O(q^{1 - 1/(g+1)})$ — the square root of Harley's algorithm:
      No linear algebra.
      Only one relation so can only balance the two stages.
      Question: For $g = 1$ have $O(q^{1/2})$, so can we do better?

  49. A contrived example: oracle-assisted pairing inversion

      Let $G_1$, $G_2$ and $G_T$ be cyclic groups of prime order $r$, and let $e : G_1 \times G_2 \to G_T$ be a non-degenerate bilinear pairing.
      Verheul considered the consequences of the existence of an efficiently computable, injective homomorphism $\psi : G_T \to G_1$ when $G_1 = G_2$.
      If $\psi$ is efficiently computable, can efficiently solve CDH in $G_1$, $G_2$ and $G_T$.

  50. Oracle-assisted pairing inversion

      Galbraith, Hess and Vercauteren (2008) considered the following two problems when $G_1 \neq G_2$:
      Definition. The Fixed Argument Pairing Inversion 1 (FAPI-1) problem: Given $P_1 \in G_1$ and $z \in G_T$, find $P_2 \in G_2$ s.t. $e(P_1, P_2) = z$.
      The Fixed Argument Pairing Inversion 2 (FAPI-2) problem: Given $P_2 \in G_2$ and $z \in G_T$, find $P_1 \in G_1$ s.t. $e(P_1, P_2) = z$.
      If can solve FAPI-1 and 2, can solve CDH in $G_1$, $G_2$ and $G_T$.
      Given $P, aP, bP \in G_1$, fix $Q \in G_2$ and let $z = e(P, Q)$. Compute $z^b = e(bP, Q)$, $\text{FAPI-1}(P, z^b) = bQ$, $e(aP, bQ) = z^{ab}$, then $\text{FAPI-2}(Q, z^{ab}) = abP$.

  51. Oracle-assisted pairing inversion
      GHV also showed that if one has an efficiently computable homomorphism $\psi : G_2 \to G_1$ and access to a FAPI-1 oracle, then the same conclusion holds.
      Some natural questions arise:
      - In this case, what if one only has initial access to a FAPI-1 oracle? Can one solve further FAPI-1 instances? This is the Delayed Target FAPI-1 problem
      - Does this problem feature in the security of any protocol?
      - What other security implications are there?
      - Can FAPI-1 and no $\psi$ aid in solving Static DHP?

  52. Delayed Target FAPI-1 problem
      Since $G_T \subset \mathbb{F}_{p^k}$, natural (only?) idea is to use factor base in $\mathbb{F}_{p^k}$ as in JLNT
      - First problem is that in general elements of factor base in $\mathbb{F}_{p^k}$ are not in $G_T$.
      - Second problem is that one can't invert pairing!
      However, can do the following:
      - Compute $Q_i = \text{FAPI-1}(P, p_i^{(p^k - 1)/r})$ for each $p_i \in \mathcal{F}$
      - Want to compute $\text{FAPI-1}(P, z)$ for $z \in G_T$
      - Write $z = \prod_i p_i^{\alpha_i}$ where $p_i \in \mathcal{F}$ using JLNT
      - Assuming $((p^k - 1)/r, r) = 1$, one has $\text{FAPI-1}(P, z) = \big(((p^k - 1)/r)^{-1} \bmod r\big) \sum_i \alpha_i Q_i$

  53. Delayed Target FAPI-1 problem
      This solves the FAPI-1 for $z$ since
      $$e\Big(P, \big(((p^k-1)/r)^{-1} \bmod r\big) \sum_i \alpha_i Q_i\Big) = \prod_i e(P, Q_i)^{\alpha_i (((p^k-1)/r)^{-1} \bmod r)} = \prod_i p_i^{((p^k-1)/r)(((p^k-1)/r)^{-1} \bmod r)\,\alpha_i} = z$$
      - Hence can solve any further FAPI-1 problem with the complexity of JLNT Static DHP algorithm
      - For curves with $\psi : G_2 \to G_1$ can then solve any further CDH in $G_1$, $G_2$ and $G_T$ faster than DLP
      - Using DLP to DHP reduction, for suitable parameters can solve DLP faster

  55. Delayed Target FAPI-1 problem
      - FAPI-i allows one to use factorisation in an auxiliary group to form a factor base in $G_i$
      - Only works if can map both ways
      - Assumptions too strong to solve Static DHP but not CDH, so what if no $\psi$?
      - Can't solve Static DHP without efficiently computable $\psi$, as result is in the wrong group
      - Academic anyhow as no known way to implement FAPI-i
      Realised that for ECs over extension fields, already have native factorisation via Gaudry/Semaev idea, so can use the Menezes-Koblitz methodology directly.

  56. Algorithm Overview
      Let $E : Y^2 = X^3 + aX + b$, over a field $\mathbb{F}_{q^n}$ with $\mathrm{char}(\mathbb{F}_q) > 3$.
      - Let $\mathcal{F} = \{P = (x, y) \in E \ \text{s.t.}\ x \in \mathbb{F}_q\}$
      - For all $P \in \mathcal{F}$ compute $\delta(P) = dP$
      - For a given $R \in E(\mathbb{F}_{q^n})$ add random linear combinations $P_r$ of elements of $\mathcal{F}$ to $R$ until it can be written $R + P_r = P_1 + \cdots + P_n$
      - Then $dR = \delta(P_1) + \cdots + \delta(P_n) - \delta(P_r)$

  57. Semaev's summation polynomials
      For $m \geq 2$ define $f_m = f_m(X_1, \ldots, X_m)$ by the following property. Let $x_1, \ldots, x_m \in \mathbb{F}_q$, then $f_m(x_1, \ldots, x_m) = 0$ is equivalent to
      $$\exists\, y_1, \ldots, y_m \in \mathbb{F}_q \mid (x_i, y_i) \in E \ \text{and}\ (x_1, y_1) + \cdots + (x_m, y_m) = \mathcal{O} \in E(\mathbb{F}_q)$$
      $f_2(X_1, X_2) = X_1 - X_2$, and
      $$f_3(X_1, X_2, X_3) = (X_1 - X_2)^2 X_3^2 - 2\big((X_1 + X_2)(X_1 X_2 + a) + 2b\big) X_3 + \big((X_1 X_2 - a)^2 - 4b(X_1 + X_2)\big)$$

  58. Semaev's summation polynomials
      In general, for any $m \geq 4$, and $m - 3 \geq k \geq 1$,
      $$f_m(X_1, \ldots, X_m) = \mathrm{Res}_X\big(f_{m-k}(X_1, \ldots, X_{m-k-1}, X),\ f_{k+2}(X_{m-k}, \ldots, X_m, X)\big)$$
      - Degree of $f_m$ in each $X_i$ is $2^{m-2}$ for $m \geq 3$.
      - If $\mathbb{F}_q = \mathbb{F}_p$, natural factor base is $\{P = (x, y) \in E \ \text{s.t.}\ x < p^{1/n}\}$
      - However no known way to efficiently find such small roots $x_1, \ldots, x_m$ of $f_{m+1}(x_1, \ldots, x_m, x_R) = 0$ corresponding to $R = P_{i_1} + \cdots + P_{i_m}$
      - For $m \geq 5$ would give sub-square-root DLP algorithm
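The defining property of $f_3$ on slide 57 can be checked exhaustively on a small curve: for rational points $P_1, P_2$ the roots in $X_3$ of $f_3(x_1, x_2, X_3)$ are exactly the x-coordinates of $P_1 \pm P_2$. This is an added example, not part of the original slides; the prime 43, the coefficients a = 2, b = 3 and all function names are constructed for illustration.

```python
# Added example (not from the slides): exhaustive check of Semaev's f_3
# on a constructed toy curve E: y^2 = x^3 + 2x + 3 over F_43.
P_MOD, A, B = 43, 2, 3      # constructed parameters; 4A^3 + 27B^2 != 0 mod 43
O = None                    # point at infinity


def inv(v):
    """Modular inverse in F_p."""
    return pow(v % P_MOD, -1, P_MOD)


def add(P, Q):
    """Affine group law on E(F_p)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                   # P + (-P), includes 2-torsion
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def neg(P):
    return O if P is O else (P[0], -P[1] % P_MOD)


def f3(x1, x2, x3):
    """Third summation polynomial exactly as written on slide 57."""
    s, t = x1 + x2, x1 * x2
    val = ((x1 - x2) ** 2 * x3 * x3
           - 2 * (s * (t + A) + 2 * B) * x3
           + (t - A) ** 2 - 4 * B * s)
    return val % P_MOD


def affine_points():
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if (y * y - (x ** 3 + A * x + B)) % P_MOD == 0]


def count_mismatches():
    """Number of pairs (P1, P2) where the roots of f3(x1, x2, .) in F_p
    differ from the set of x-coordinates of P1 + P2 and P1 - P2."""
    pts = affine_points()
    bad = 0
    for P1 in pts:
        for P2 in pts:
            sums = (add(P1, P2), add(P1, neg(P2)))
            expected = {S[0] for S in sums if S is not O}
            roots = {x3 for x3 in range(P_MOD) if f3(P1[0], P2[0], x3) == 0}
            bad += roots != expected
    return bad


def decompositions(x_r):
    """Unordered pairs (x1 <= x2) of point abscissae with f3(x1, x2, x_r) = 0,
    i.e. the candidates for a relation R = +-P1 +- P2."""
    xs = sorted({x for x, _ in affine_points()})
    return [(x1, x2) for i, x1 in enumerate(xs) for x2 in xs[i:]
            if f3(x1, x2, x_r) == 0]


if __name__ == "__main__":
    print("points:", len(affine_points()), "mismatches:", count_mismatches())
```

Over $\mathbb{F}_p$ every abscissa is in the factor base, so this only exercises the polynomial identity; the decomposition step in the slides restricts $x_1, \ldots, x_n$ to $\mathbb{F}_q$ while $x_R$ lies in $\mathbb{F}_{q^n}$.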

  59. Gaudry's insight
      Let $E : Y^2 = X^3 + aX + b$, over a field $\mathbb{F}_{q^n}$ with $\mathrm{char}(\mathbb{F}_q) > 3$
      - Use a poly basis $\{t^{n-1}, \ldots, t, 1\}$ for $\mathbb{F}_{q^n}/\mathbb{F}_q$
      - Define $\mathcal{F} = \{P = (x, y) \in E(\mathbb{F}_{q^n}) \ \text{s.t.}\ x \in \mathbb{F}_q\}$
      - Note $|\mathcal{F}| \approx q$
      - Observe that $f_{n+1}(x_1, \ldots, x_n, x_R) = 0$ now has $n$ components: $f_{n+1,0} + f_{n+1,1}\, t + \cdots + f_{n+1,n-1}\, t^{n-1} = 0 \in \mathbb{F}_{q^n}$
      - System of $n$ equations over $\mathbb{F}_q$ in $n$ variables in $\mathbb{F}_q$
      - Solved via resultants, or Gröbner basis computation

  60. Gaudry's insight
      - Decomposition complexity $O(\mathrm{Poly}(2^{n(n-1)}))$
      - Decomposition probability is $1/n!$
      - For fixed $n$, $q \to \infty$, complexity is $O(q^2)$, rho is $O(q^{n/2})$
      - Using double large-prime variation reduces to $O(q^{2 - 2/n})$
      - Works for all curves over any extension field, even of prime extension degree.
      - Details are computationally more intensive than Weil Descent.
      - Subexponential attack for a large class of fields (Diem): $e^{O((\log q^n)^{2/3})}$

  64. Algorithm complexity
      Heuristic Result 1. For any elliptic curve $E(\mathbb{F}_{q^n})$, by making $O(q)$ queries to a Static DHP$_d$ oracle during an initial learning phase, for fixed $n > 1$ and $q \to \infty$, an adversary can solve any further instance of the Static DHP$_d$ in time $O(\mathrm{Poly}(\log q))$.
      Can reduce the factor base à la Koblitz-Menezes:
      Heuristic Result 2. For any elliptic curve $E(\mathbb{F}_{q^n})$, by making $O(q^{1 - \frac{1}{n+1}})$ queries to a Static DHP$_d$ oracle during an initial learning phase, for fixed $n > 1$ and $q \to \infty$, an adversary can solve any further instance of the Static DHP$_d$ in time $\tilde{O}(q^{1 - \frac{1}{n+1}})$.
      Can also obtain subexponential algorithm à la Diem

  65. The Galbraith-Lin-Scott Curves
      - At EUROCRYPT 2009 the use of curves defined over extension fields with degree a power of 2 was proposed.
      - Exploits the existence of efficiently computable homomorphism to enable use of the GLV fast point multiplication method
      - GLV: if $\psi$ is an efficiently computable endomorphism of $E$ then one can compute $[n]P = [n_0]P + [n_1]\psi(P)$ with $|n_i| \approx \sqrt{\#E}$
      - Over $\mathbb{F}_{p^2}$ method takes about 0.75 the time of the previous best methods
      - Performance over $\mathbb{F}_{p^4}$ currently uninvestigated, but subject to Gaudry's DLP attack

  66. The Oakley key determination protocol curves: 'Well-Known Group' 3
      Group 3 is defined over the field $\mathbb{F}_{2^{155}} = \mathbb{F}_2[\omega]/(\omega^{155} + \omega^{62} + 1)$, by the equation
      $$Y^2 + XY = X^3 + \beta,$$
      where $\beta = \omega^{18} + \omega^{17} + \omega^{16} + \omega^{13} + \omega^{12} + \omega^{9} + \omega^{8} + \omega^{7} + \omega^{3} + \omega^{2} + \omega + 1$.
      $\#E(\mathbb{F}_{2^{155}}) = 12 \cdot r$, with $r = 3805993847215893016155463826195386266397436443$
      Subject to several unsuccessful DLP attacks via Weil Descent: Jacobson/Menezes/Stein[01], Gaudry/Hess/Smart[02], Galbraith/Hess/Smart[02], Hess[03].

  67. The Oakley key determination protocol curves: 'Well-Known Group' 4
      Group 4 is defined over the field $\mathbb{F}_{2^{185}} = \mathbb{F}_2[\omega]/(\omega^{185} + \omega^{69} + 1)$, by the equation
      $$Y^2 + XY = X^3 + \beta,$$
      where $\beta = \omega^{12} + \omega^{11} + \omega^{10} + \omega^{9} + \omega^{7} + \omega^{6} + \omega^{5} + \omega^{3} + 1$.
      $\#E(\mathbb{F}_{2^{185}}) = 4 \cdot r$, with $r = 12259964326927110866866776214413170562013096250261263279$
      DLP studied by Maurer/Menezes/Teske[01] and Menezes/Teske/Weng[04], the latter concluding that the fields $\mathbb{F}_{2^{5l}}$ for $l > 37$ are 'weak' while the security of ECs over $\mathbb{F}_{2^{185}}$ is questionable

  68. Large prime characteristic
      For each of $n = 2, 3, 4$ and $5$ we used curves of the form $E(\mathbb{F}_{p^n}) : y^2 = x^3 + ax + b$, for $a$ and $b$ randomly chosen elements of $\mathbb{F}_{p^n}$, such that $\#E(\mathbb{F}_{p^n})$ was a prime of bitlength 256.
      Implemented in MAGMA (V2.16-5) run on a 3.16 GHz Intel Xeon with 32G RAM
      Data for testing and decomposing points for elliptic curves over extension fields (times in s):

      n   log p   # f_{n+1}   # sym f_{n+1}   T(GB)   T(roots)
      2   128     13          5               0.001   0.009
      3   85.3    439         43              0.029   0.027
      4   64      54777       1100            5363    3.68

  70. Large prime characteristic
      Upper bounds on attack time. Given data, compute $\alpha$ such that:
      $$p^{n(1-\alpha)} \cdot n! \cdot (T(\mathrm{GB}) + T(\mathrm{roots})) = p^{\alpha} \cdot T(\mathrm{scalar})$$
      Attack time estimates for our implementation (times in s):

      n   alpha           Attack time   Pollard rho
      2   0.6701 (2/3)    2^79.8        2^111.3
      3   0.7645 (3/4)    2^59.7        2^111.4
      4   0.8730 (4/5)    2^50.5        2^111.4

  72. Characteristic two
      For each of $n = 2, 3, 4$ and $5$ we used curves of the form
      $$E(\mathbb{F}_{2^{ln}}) : y^2 + xy = x^3 + b, \qquad (1)$$
      for $b$ a randomly chosen element of $\mathbb{F}_{2^{ln}}$, such that $\#E(\mathbb{F}_{2^{ln}})$ was four times a prime of bitlength 256.
      Data for testing and decomposing points for elliptic curves over binary extension fields and attack time estimates (times in s):

      n   # f_{n+1}   # sym f_{n+1}   Time GB   alpha    Attack time
      2   5           3               0.000     0.6672   2^80.9
      3   24          6               0.005     0.7572   2^60.0
      4   729         39              247       0.8575   2^50.6
      5   148300      638             N/A       N/A      N/A

  76. Back to Delayed Target FAPI-1 problem...
      - Recall that central issue was that there is no known algorithm to invert pairing.
      - For binary curves defined over composite degree extension fields, natural auxiliary group comes from GHS attack
      - Here, one can invert the GHS homomorphism!
      - Hence can mimic Delayed Target FAPI-1 problem algorithm and apply to this context

  77. Weil descent (Frey, Hess, Gaudry, Smart, Galbraith, Diem, Scholten,...)
      - Let $E$ be an elliptic curve over $\mathbb{F}_{q^k}$, with $k > 1$.
      - Define abelian variety $W_E$ of dimension $k$ over $\mathbb{F}_q$ with $W_E(\mathbb{F}_q) = E(\mathbb{F}_{q^k})$.
      - $W_E$ is called the Weil restriction of $E$.
      - Try to find a curve $H$ on $W_E$ and map the DLOG $\phi : E(\mathbb{F}_{q^k}) \to \mathrm{Jac}_H(\mathbb{F}_q)$.
      - Apply index calculus to $\mathrm{Jac}_H(\mathbb{F}_q)$.

  78. Oracle-assisted Static DHP via GHS attack
      - In GHS attack elements of $E(\mathbb{F}_{2^{ln}})[r]$ map to Jacobian of hyperelliptic curve $H(\mathbb{F}_{2^l})$ of genus at most $2^{n-1}$
      - Let $\mathcal{F}$ be the set of degree one divisors in $\mathrm{Jac}_H(\mathbb{F}_{2^l})$
      - Let $N = \#\mathrm{Jac}_H(\mathbb{F}_{2^l})$ and $h = N/r$
      - Project each $D \in \mathcal{F}$ into $\mathrm{im}(\phi)$ by multiplying by $h$
      - Compute $\phi^{-1}(hD)$ for each $D \in \mathcal{F}$
      - Call the Static DHP$_d$ oracle on each $\phi^{-1}(hD)$ in $E(\mathbb{F}_{2^{ln}})$
      - For a target $X \in E(\mathbb{F}_{2^{ln}})$ take random multiples until $\phi(aX) = \sum_{D_i \in \mathcal{F}} D_i$
      - Then assuming $(h, r) = 1$ one computes $\delta(X) = (a^{-1} \bmod r)(h^{-1} \bmod r) \sum_i \delta(\phi^{-1}(hD_i))$

  79. GHS for 'Well-Known Group' 3
      We have $\phi : E(\mathbb{F}_{2^{155}})[r] \to \mathrm{Jac}_H(\mathbb{F}_{2^{31}})$ for hyperelliptic $H : Y^2 + h(X) \cdot Y = f(X)$, with $\mathbb{F}_{2^{31}} = \mathbb{F}_2[\omega]/(\omega^{31} + \omega^{3} + 1)$ and
      $$h(X) = 289804524 X^{16} + 607247628 X^{8} + 1798965180 X^{4} + 1103766465 X^{2} + 742287012 X,$$
      $$f(X) = 505223067 X^{33} + 1000507042 X^{17} + 1992775259 X^{16} + 1146351457 X^{9} + 1078048302 X^{8} + 284388091 X^{5} + 518998412 X^{4} + 1875045691 X^{3} + 2001664187 X^{2} + 1973705837 X,$$
      and $\mathrm{genus}(H) = 16 = 2^{155/31 - 1}$.

  80. Static DHP for 'Well-Known Group' 3 via GHS
      - Using Florian's LMS J. Comput. Math paper (or a magma computation), one finds $N = \#\mathrm{Jac}_H(\mathbb{F}_{2^{31}})$ which has bitlength 497
      - Furthermore $(N/r, r) = 1$ and so attack can proceed
      - Using Victor Shoup's Number Theory Library on a 3.16 GHz Intel Xeon, testing 1-smoothness of a random multiple of $\phi(P)$ takes ≈ 0.690 ms
      - Other basic cost is a point addition in the Jacobian; Jacobson estimates this to be < 1/2.3 the cost of smoothness test using NUCOMP
      - Hence expected time to find a relation using a single processor is ≈ 650 years.

  81. GHS for 'Well-Known Group' 4
      We have $\phi : E(\mathbb{F}_{2^{185}})[r] \to \mathrm{Jac}_H(\mathbb{F}_{2^{37}})$ for hyperelliptic $H : Y^2 + h(X) \cdot Y = f(X)$, with $\mathbb{F}_{2^{37}} = \mathbb{F}_2[\omega]/(\omega^{37} + \omega^{9} + \omega^{2} + \omega + 1)$ and
      $$h(X) = 73994877348 X^{16} + 113350789030 X^{8} + 86827085475 X^{4} + 21964938327 X^{2} + 125543309305 X,$$
      $$f(X) = 49045248530 X^{33} + 40737336296 X^{17} + 45140903646 X^{16} + 120039047741 X^{9} + 105120752497 X^{8} + 72787224919 X^{5} + 25040887869 X^{4} + 72047225547 X^{3} + 94586877616 X^{2} + 68639477599 X,$$
      and $\mathrm{genus}(H) = 16 = 2^{185/37 - 1}$.

  82. Static DHP for 'Well-Known Group' 4 via GHS
      - $N = \#\mathrm{Jac}_H(\mathbb{F}_{2^{37}})$ has bitlength 592
      - Furthermore $(N/r, r) = 1$ and so attack can proceed
      - Using Victor Shoup's Number Theory Library on a 3.16 GHz Intel Xeon, testing 1-smoothness of a random multiple of $\phi(P)$ takes ≈ 0.854 ms
      - Other basic cost is a point addition in the Jacobian; Jacobson estimates this to be ≈ 1/2.3 the cost of smoothness test using NUCOMP
      - Hence expected time to find a relation using a single processor is ≈ 810 years.

  83. Static DHP for $E(\mathbb{F}_{2^{ln}})$ via GHS
      Components of learning phase:
      - Construct factor base $\mathcal{F}$ of degree 1 divisors: $\approx 2^{l-1}$ such divisors ignoring negatives
      - Map each $D \in \mathcal{F}$ to an element of $\mathrm{im}(\phi)$ via multiplication by $h = \#\mathrm{Jac}_H(\mathbb{F}_{2^l})/r \approx 2^{l((2^{n-1})! - n)}$
      - Compute $\phi^{-1}(hD)$ for each $D \in \mathcal{F}$
      - Call the Static DHP$_d$ oracle on each $\phi^{-1}(hD)$ in $E(\mathbb{F}_{2^{ln}})$
      Expected cost of relation find:
      - Cost of each smoothness test $\approx (128l - 288)$ $\mathbb{F}_{2^l}$ multiplications
      - Hence total cost is $\approx (2^{n-1})! \cdot (128l - 288)$ $\mathbb{F}_{2^l}$ multiplications

  84. Static DHP for $E(\mathbb{F}_{2^{ln}})$ via GHS
      Consider asymptotics for fixed $n$ and $l \to \infty$. Write $g = 2^{n-1}$.
      - For $2^l > g!$ the dominant cost is the oracle calls
      - Hence should reduce $\mathcal{F}$ to balance the two stages
      - Let $q = 2^l$ and let $|\mathcal{F}_s| = q^{\alpha}$ with $0 < \alpha \leq 1$
      - Probability that a random point decomposes over $\mathcal{F}_s$ is $q^{g(\alpha - 1)}/g!$
      - Solving $g! \cdot q^{g(1-\alpha)} = q^{\alpha}$ gives $\alpha = \frac{g + \log_q g!}{g + 1}$ and so complexity of algorithm is $\tilde{O}(q^{1 - \frac{1}{g+1}})$.
      This is the square-root of the balanced DLP algorithm complexity for fixed genus (Gaudry/Harley)
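
The balancing step on slide 84, carried through with the slide's symbols (an added derivation, not part of the original deck). The learning phase costs $|\mathcal{F}_s| = q^{\alpha}$ oracle calls and the relation search costs about $g! \cdot q^{g(1-\alpha)}$ trials, the inverse of the decomposition probability. Setting the two equal and taking $\log_q$:

$$g!\, q^{g(1-\alpha)} = q^{\alpha} \iff \log_q g! + g(1 - \alpha) = \alpha \iff \alpha = \frac{g + \log_q g!}{g + 1}.$$

Substituting back, each stage costs

$$q^{\alpha} = q^{\frac{g}{g+1}} \cdot (g!)^{\frac{1}{g+1}},$$

and for fixed $g$ the factor $(g!)^{1/(g+1)}$ is a constant while $\log_q g! \to 0$ as $q \to \infty$, so $\alpha \to g/(g+1) = 1 - \frac{1}{g+1}$, which is the stated $\tilde{O}(q^{1 - \frac{1}{g+1}})$.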
