
Slide 1: Asymptotically Optimal Communication for Torus-Based Cryptography
David Woodruff, MIT. Joint work with Marten van Dijk, Philips/MIT

Slide 2: Contents
1. Background: XTR, torus-based crypto
2. Our contributions
   1. Relax a problem concerning tori
   2. Solve the relaxation
3. Applications
   1. Generalized ElGamal signatures
   2. Hybrid ElGamal encryption
4. Conclusions

Slide 3: Diffie-Hellman Key Exchange
- One party picks a ∈ Z_p and sends g^a; the other picks b ∈ Z_p and sends g^b; both compute the shared key g^{ab}.
- q = 2p + 1, g generates G_p ⊂ GF(q)*, G_p a cyclic group of order p
- ElGamal: work in the extension field GF(q^d)*
- Schnorr: work in a small prime-order subgroup of GF(q)*

Slide 4: The XTR Public-Key System [BPV99]
- Combine ideas: use a prime-order subgroup G of GF(q^6)* with order(G) = p | (q^2 − q + 1).
- The field representation of elements of G uses 6 log q bits; [BPV99] give a more efficient representation of G: 2 log q bits per element.
- Known attacks ~ size of the minimal field containing G ⇒ can show this is GF(q^6).
- So 1/3 of the bits are exchanged, yet full security of GF(q^6)*!
- DL, CDH in the p-subgroup of GF(q^6)* believed as hard as DL, CDH in the p-subgroup of GF(P) where the prime P ~ q^6 [LV00]
- XTR = this idea + efficient arithmetic

Slide 5: Why does it work?
- Background: the n-th cyclotomic polynomial Φ_n(x) = ∏_{0<k<n, gcd(k,n)=1} (x − e^{2πik/n}); deg Φ_n(x) = φ(n)
- |GF(q^n)*| = q^n − 1 = ∏_{d|n} Φ_d(q)
- But Φ_6(q) = q^2 − q + 1, as in [BPV99]
- So Φ_6(q) | |GF(q^6)*|; can show GF(q^6) is the smallest such field.
- Recall: |G| | (q^2 − q + 1)
- Best attack is the number field sieve, which uses the field structure, so its time ~ minimal field containing G

Slide 6: Representation problem
- Save even more? Use G ⊂ GF(q^n)* for n > 6 with |G| = Φ_n(q)?
- Savings: log |G| = φ(n) log q bits vs. n log q. The ratio approaches 1 / log log n for n a product of distinct primes.
- But how to represent elements of G? Want < n log q bits, ideally φ(n) log q bits.
- [BPV99] represent G, |G| | Φ_6(q), with 2 log q bits.
- [BHV02, RS03] show no straightforward way to extend [BPV99] to n a product of ≥ 3 distinct primes.

Slide 7: Torus-Based Cryptography
- [RS03]: the group T_n ⊂ GF(q^n)* of order Φ_n(q) is just the GF(q)-points of an algebraic torus ⇒ extending [BPV99] = rational parameterization of the algebraic torus
- Only known how if n is a product of ≤ 2 prime powers. [RS03] give another cryptosystem for n = 6.
- But need n a product of ≥ 3 distinct primes for the savings φ(n)/n to get better.

Slide 8: Our Relaxation
- Assume Φ_n(q) = |T_n| is prime; otherwise let G ⊂ T_n have large prime order.
- Relax the requirement of representing individual elements of T_n and observe, for some applications:
  1. Don't need to rationally parameterize the torus
  2. Get optimal communication for signatures + PK encryption
  3. Get asymptotically optimal communication for key exchange
- It suffices to represent a sequence of m elements of T_n with m φ(n) log q + C bits, C independent of m

Slide 9: Solving the Relaxed Problem
- n = product of the first k primes; Möbius function μ(n) = (−1)^k
- Construct efficiently computable bijections ψ, ψ^{-1}:
  ψ : T_n × (×_{d|n, μ(n/d) = −1} GF(q^d)*) → ×_{d|n, μ(n/d) = +1} GF(q^d)*

Slide 10: Developing the Bijections
- n = 2·3·5 = 30:
  ψ : T_30 × GF(q)* × GF(q^6)* × GF(q^10)* × GF(q^15)* → GF(q^2)* × GF(q^3)* × GF(q^5)* × GF(q^30)*
- Strategy:
  - For e = 1, 6, 10, 15, map GF(q^e)* into ×_{d|e} T_d
  - Collect the tuple C = ×_{e ∈ {1, 6, 10, 15}} ×_{d|e} T_d
  - Use T_30 and permute C to get C' = ×_{e ∈ {2, 3, 5, 30}} ×_{d|e} T_d
  - For e = 2, 3, 5, 30, decompose C' to map ×_{d|e} T_d into GF(q^e)*
- The map ψ^{-1} is similar.
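As an added example (not from the talk), the bookkeeping behind the bijection above in Python: it evaluates Φ_n(q) and μ with integer arithmetic, checks the cardinality identity |T_n| · ∏_{μ(n/d)=−1} |GF(q^d)*| = ∏_{μ(n/d)=+1} |GF(q^d)*| that any such ψ requires (it is the Möbius product formula for Φ_n), and derives the m φ(n) log q + C bit count of slide 8, where C is the size of one seed on the −1 side. Function names are mine; n = 30, 210 and the small q are constructed sample values.

```python
"""Bookkeeping for psi : T_n x prod_{mu(n/d)=-1} GF(q^d)* -> prod_{mu(n/d)=+1} GF(q^d)* (added example)."""
from functools import reduce
from math import prod

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small here)."""
    ps, p = [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    return ps + ([n] if n > 1 else [])

def mobius(n):
    """mu(n) = (-1)^k for a product of k distinct primes, 0 if a square divides n."""
    ps = prime_factors(n)
    return (-1) ** len(ps) if prod(ps) == n else 0

def euler_phi(n):
    """phi(n) = n * prod_p (1 - 1/p): the degree of Phi_n, i.e. log_q |T_n|."""
    return reduce(lambda acc, p: acc * (p - 1) // p, prime_factors(n), n)

def cyclotomic_at(n, q):
    """Phi_n(q) for integer q, from q^n - 1 = prod_{d|n} Phi_d(q) (the division is exact)."""
    return (q ** n - 1) // prod(cyclotomic_at(d, q) for d in divisors(n) if d < n)

def factorization_holds(n, q):
    """Sanity check of |GF(q^n)*| = prod_{d|n} Phi_d(q) from slide 5."""
    return q ** n - 1 == prod(cyclotomic_at(d, q) for d in divisors(n))

def split_divisors(n):
    """Divisors d of n with mu(n/d) = -1 (domain side of psi) and mu(n/d) = +1 (range side)."""
    ds = divisors(n)
    return [d for d in ds if mobius(n // d) == -1], [d for d in ds if mobius(n // d) == +1]

def bijection_sizes(n, q):
    """(|T_n| * prod_{minus} |GF(q^d)*|, prod_{plus} |GF(q^d)*|); equal, so a bijection can exist."""
    minus, plus = split_divisors(n)
    return cyclotomic_at(n, q) * prod(q ** d - 1 for d in minus), prod(q ** d - 1 for d in plus)

def communication_bits(n, m, log_q):
    """Bits to send m torus elements via the relaxation: m*phi(n)*log q plus one seed of (sum of minus-side d)*log q."""
    minus, plus = split_divisors(n)
    assert sum(plus) - sum(minus) == euler_phi(n)  # sum_{d|n} mu(n/d) d = phi(n)
    return m * euler_phi(n) * log_q + sum(minus) * log_q
```

For n = 30 the minus side is {1, 6, 10, 15} (32 log q bits of seed) and the plus side {2, 3, 5, 30}, so 1000 elements cost 8032 log q bits instead of 30000 log q.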

Slide 11: The Bijections
- Question: which map ψ : GF(q^e)* → ×_{d|e} T_d to use?
- If for all a, b | e, gcd(|T_a|, |T_b|) = 1, then the domain and range of ψ are isomorphic; this follows from the structure theorem:
  Let H_1, …, H_k be cyclic groups s.t. ∀ i ≠ j: gcd(|H_i|, |H_j|) = 1, let m = |H_1| ⋯ |H_k|, and let G_m be cyclic of order m. Then ψ : G_m → H_1 × … × H_k and ψ^{-1} are isomorphisms:
  ψ(ζ) = (ζ^{m/|H_i|})_{i ∈ [k]}
  ψ^{-1}(ζ_1, …, ζ_k) = ζ_1^{e_1} ⋯ ζ_k^{e_k}, where e_i · m/|H_i| ≡ 1 (mod |H_i|)

Slide 12: ψ: The General Case
- GF(q^e)* ≇ ×_{d|e} T_d if gcd(|T_a|, |T_b|) > 1 for some a, b | e.
- Idea: divide out the common factors U of the |T_d| and decompose ψ into an isomorphism + a table lookup.
- Example: map GF(q^2)* to T_1 × T_2
  - |T_1| = q − 1, |T_2| = q + 1, so 2 | gcd(|T_1|, |T_2|)
  - Suppose 2 | (q − 1), 4 | (q + 1), gcd(|T_1|/2, |T_2|/4) = 1
  - GF(q^2)* ≅ G_8 × G_{(q−1)/2} × G_{(q+1)/4}
  - Bijection from G_8 to G_2 × G_4 using table lookup
  - G_2 × G_{(q−1)/2} ≅ T_1 and G_4 × G_{(q+1)/4} ≅ T_2
- + Isomorphisms are efficient using the structure theorem
- + Table lookup is efficient since the table is small
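As an added example (not from the talk), the structure-theorem maps of slide 11 in Python for G_m = Z_p* (cyclic of order m = p − 1) with the H_i given by their orders, plus a check of the slide-12 obstruction: `image_size` counts distinct images and drops below p − 1 as soon as two subgroup orders share a factor, so the same formula is no longer a bijection. p = 211 (m = 210 = 2·3·5·7) and p = 13 (m = 12 = 2·6) are constructed sample values; function names are mine.

```python
"""Structure-theorem isomorphism psi : G_m -> H_1 x ... x H_k for G_m = Z_p^* (added example)."""
from math import gcd, prod

def psi(zeta, p, orders):
    """psi(zeta) = (zeta^(m/|H_i|))_i; each component lies in the unique subgroup of Z_p^* of order |H_i|."""
    m = p - 1
    assert prod(orders) == m, "subgroup orders must multiply to |G_m| = p - 1"
    return tuple(pow(zeta, m // h, p) for h in orders)

def psi_inverse(parts, p, orders):
    """psi^{-1}(zeta_1..zeta_k) = prod zeta_i^{e_i} with e_i * (m/|H_i|) == 1 (mod |H_i|).

    Requires pairwise coprime orders: then zeta_j^{m/|H_i|} = 1 for j != i, so the i-th
    component of psi(result) is zeta_i^{e_i m/|H_i|} = zeta_i.
    """
    m = p - 1
    assert all(gcd(a, b) == 1 for i, a in enumerate(orders) for b in orders[i + 1:]), "orders not coprime"
    result = 1
    for z, h in zip(parts, orders):
        e = pow(m // h, -1, h) if h > 1 else 0  # e_i: inverse of m/|H_i| modulo |H_i|
        result = result * pow(z, e, p) % p
    return result

def image_size(p, orders):
    """Number of distinct psi-images over all of Z_p^*; equals p - 1 exactly when psi is a bijection."""
    return len({psi(z, p, orders) for z in range(1, p)})

def roundtrip_ok(p, orders):
    """True iff psi_inverse undoes psi on every element of Z_p^*."""
    return all(psi_inverse(psi(z, p, orders), p, orders) == z for z in range(1, p))
```

With coprime orders (2, 3, 5, 7) over p = 211 every element round-trips and all 210 images are distinct; over p = 13 with orders (2, 6), ζ^6 is already determined by ζ^2, so only 6 of 12 images occur and a table lookup is needed for the shared factor, as slide 12 describes.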

Slide 13: Parameter Selection
- Choose q wisely: want a small table
- Heuristic algorithm for n = 30, 210:
  - Choose a random q of a certain size
  - Check that Φ_n(q) contains a large prime factor, by trial division
  - Check that U is small
- Theoretical algorithm for general n:
  - Choose a random prime r first
  - Choose q at random subject to r | Φ_n(q)
  - Test q to ensure U is small
  - Density theorems ⇒ terminates quickly w.h.p.

Slide 14: Applying the Bijections
- ψ : T_n × (×_{d|n, μ(n/d) = −1} GF(q^d)*) → ×_{d|n, μ(n/d) = +1} GF(q^d)*
- Let φ⁻ = Σ_{d|n, μ(n/d) = −1} d and φ⁺ = Σ_{d|n, μ(n/d) = +1} d
- Think of ψ as a map T_n × F_q^{φ⁻} → F_q^{φ⁺}
- Negligibly few points where ψ is undefined: handle these points separately, and use randomization to avoid bad points

Slide 15: Applications
- To represent x_1, …, x_m in T_n:
  - choose a seed s_1 ∈ F_q^{φ⁻}
  - compute ψ(x_1, s_1) = t_1 ∈ F_q^{φ⁺}; split t_1 into s_2 × r_1 ∈ F_q^{φ⁻} × F_q^{φ(n)}
  - compute ψ(x_2, s_2) = t_2 ∈ F_q^{φ⁺}; split t_2 into s_3 × r_2 ∈ F_q^{φ⁻} × F_q^{φ(n)}
  - …
  - Output r_1, …, r_m, s_{m+1}
- Efficient representation for large m

Slide 16: A Signature Scheme
- Generalized ElGamal signatures work for any group: use T_n
- The ElGamal box algorithm outputs h ∈ T_n + other stuff I; the message M is in I
- Write I as I_1 × I_2 ∈ F_q^{φ⁻} × {0,1}*
- Output sig(M) = ψ(h, I_1), I_2
- Verifier inverts ψ, then uses ElGamal verification
- Key idea: embed the message into F_q^{φ⁻}, so the signature is small

Slide 17: Hybrid ElGamal Encryption
- Let a ∈_R {1, …, Φ_n(q)} be Alice's private key, g^a her public key, g a generator of T_n; E = symmetric cipher
- Encrypt(m):
  (1) choose k ∈_R {1, …, Φ_n(q)}, set e = g^k
  (2) use g^{ak} to get the symmetric key k
  (4) compute E_k(m) = (c, d) ∈ F_q^{φ⁻} × {0,1}*
  (5) output ψ(e, c), d
- Decryption: use a and ψ^{-1} to get k, E_k(m) and then m
- Key idea: embed E_k(m) into F_q^{φ⁻}, so the encryption is small

Slide 18: Conclusions & Future Work
- Results:
  - Compact representation of sequences of elements of T_n
  - Protocols with optimal communication: ElGamal signature / encryption (both hybrid and almost non-hybrid) schemes; Diffie-Hellman key exchange (asymptotically optimal)
- Future work:
  - Rational parameterization of the algebraic torus ⇒ efficient representation of single elements of T_n
  - Improvements to our computational costs: [vdWS] give ~21 log q multiplications per evaluation of ψ
