2-source Randomness Extractors for Elliptic Curves

Abdoul Aziz Ciss
Laboratoire de Traitement de l'Information et Systèmes Intelligents
École Polytechnique de Thiès, Sénégal
aaciss@ept.sn

Workshop FAST – Bordeaux

Outline: Motivations, Extractors, Character sums, Randomness extractors for EC

Randomness Extractors

Definition. A randomness extractor for a group $G$ is a function which converts a random element of $G$ into a uniformly random bit-string of fixed length.

Applications
• Key derivation
• Encryption, signatures
• Construction of cryptographically secure pseudorandom number generators
• Error correcting codes

Statistical distance

Let $X$ and $Y$ be $S$-valued random variables, where $S$ is a finite set. The statistical distance $\Delta(X, Y)$ between $X$ and $Y$ is

$$\Delta(X, Y) = \frac{1}{2} \sum_{s \in S} \left| \Pr[X = s] - \Pr[Y = s] \right|.$$

Let $U_S$ be a random variable uniformly distributed on $S$. Then a random variable $X$ on $S$ is said to be $\varepsilon$-uniform if

$$\Delta(X, U_S) \le \varepsilon.$$

Extractor

Let $S$ and $T$ be two finite sets. A $(T, \varepsilon)$-extractor is a function

$$\mathrm{Ext} : S \longrightarrow T$$

such that for every distribution $X$ on $S$, the distribution $\mathrm{Ext}(X)$ is $\varepsilon$-close to the uniform distribution on $T$. That is,

$$\Delta(\mathrm{Ext}(X), U_T) \le \varepsilon,$$

where $U_T$ is the uniform distribution on $T$.

Two-source extractor

Let $R$, $S$ and $T$ be finite sets. The function $\mathrm{Ext} : R \times S \longrightarrow T$ is a two-source extractor if the distribution $\mathrm{Ext}(X_1, X_2)$ is $\varepsilon$-close to the uniform distribution $U_T$ for all uniformly distributed random variables $X_1$ in $R$ and $X_2$ in $S$. That is,

$$\Delta(\mathrm{Ext}(X_1, X_2), U_T) \le \varepsilon.$$

Collision probability

Let $S$ be a finite set and $X$ be an $S$-valued random variable. The collision probability of $X$, denoted by $\mathrm{Col}(X)$, is the probability

$$\mathrm{Col}(X) = \sum_{s \in S} \Pr[X = s]^2.$$

If $X$ and $X'$ are identically distributed random variables on $S$, the collision probability of $X$ is interpreted as $\mathrm{Col}(X) = \Pr[X = X']$.

Collision probability

Lemma. Let $S$ be a finite set and let $(\alpha_x)_{x \in S}$ be a sequence of real numbers. Then,

$$\frac{\left( \sum_{x \in S} |\alpha_x| \right)^2}{|S|} \le \sum_{x \in S} \alpha_x^2. \qquad (1)$$

This inequality is a direct consequence of the Cauchy-Schwarz inequality:

$$\sum_{x \in S} |\alpha_x| = \sum_{x \in S} |\alpha_x| \cdot 1 \le \sqrt{\sum_{x \in S} \alpha_x^2} \, \sqrt{\sum_{x \in S} 1^2} \le \sqrt{|S|} \, \sqrt{\sum_{x \in S} \alpha_x^2}.$$

If $X$ is an $S$-valued random variable and we take $\alpha_x = \Pr[X = x]$, then

$$\frac{1}{|S|} \le \mathrm{Col}(X). \qquad (2)$$

Relation between $\Delta$ and $\mathrm{Col}$

Lemma. Let $X$ be a random variable over a finite set $S$ of size $|S|$ and let $\delta = \Delta(X, U_S)$ be the statistical distance between $X$ and $U_S$, the uniformly distributed random variable over $S$. Then,

$$\mathrm{Col}(X) \ge \frac{1 + 4\delta^2}{|S|}.$$

Relation between $\Delta$ and $\mathrm{Col}$

Proof. If $\delta = 0$, then the result is an easy consequence of Equation 2. Suppose that $\delta \ne 0$ and define

$$q_x = \frac{\left| \Pr[X = x] - 1/|S| \right|}{2\delta}.$$

Then $\sum_x q_x = 1$ and by Equation 1, we have

$$\frac{1}{|S|} \le \sum_{x \in S} q_x^2 = \sum_{x \in S} \frac{\left( \Pr[X = x] - 1/|S| \right)^2}{4\delta^2} = \frac{1}{4\delta^2} \left( \sum_{x \in S} \Pr[X = x]^2 - 1/|S| \right) \le \frac{1}{4\delta^2} \left( \mathrm{Col}(X) - 1/|S| \right).$$

The lemma follows easily.

Character sums

Definition. Let $G$ be a commutative group. A character $\chi$ of $G$ is a homomorphism

$$\chi : G \longrightarrow \mathbb{C}^*.$$

$\hat{G} = \mathrm{Hom}(G, \mathbb{C}^*)$ is a multiplicative group with neutral element $\chi_0$, the character defined by $\chi_0(x) = 1$ for all $x \in G$.

If $G$ is a cyclic group of order $r$, then $\chi(x)^r = \chi(x^r) = \chi(1) = 1$.

If $x \in G$, then $\chi(x) \in \mu_r$, the subgroup of $\mathbb{C}^*$ of $r$-th roots of unity.

Character sums

If $\chi \in \hat{G}$, then the inverse of $\chi$ in $\hat{G}$ is the conjugate character $\bar{\chi}$ of $\chi$, defined by $\bar{\chi}(x) = \overline{\chi(x)}$.

Proposition. Let $K = \mathbb{F}_q$, with $q = p^n$, and let $F$ be a polynomial in $n$ variables with coefficients in $K$. If $\varphi$ is a non-trivial additive character of $K$, then the number of solutions of the equation $F = 0$ is given by

$$N = q^{-1} \sum_{y, x} \varphi\left( y F(x_1, x_2, \ldots, x_n) \right),$$

where the summation is extended to all points $(y, x_1, \ldots, x_n)$ of $K^{n+1}$.

Character sums over prime fields

Let $e_p$ be the character on $\mathbb{F}_p$ such that, for all $x \in \mathbb{F}_p$,

$$e_p(x) = e^{\frac{2i\pi x}{p}} \in \mathbb{C}^*.$$

Let $S(a, G) = \sum_{x \in G} e_p(ax)$; then

$$M = \max_a \left( |S(a, G)| \right) \le \sqrt{p}.$$

If $I$ is an interval of integers, it's well known that

$$\sum_{x \in \mathbb{F}_p^*} \left| \sum_{a \in I} e_p(ax) \right| \le p \log_2(p).$$

Character sums over $\mathbb{F}_q$

We denote by $\psi$ the additive character in $\mathbb{F}_q$ such that for all $z \in \mathbb{F}_q$, $\psi(z) = e_p(\mathrm{Tr}(z))$.

Let $G$ be a subgroup of $\mathbb{F}_q$ and introduce the following Gauss sum:

$$T(a, G) = \sum_{x \in G} \psi(ax).$$

Then,

$$\max_{a \in \mathbb{F}_q^*} |T(a, G)| \le q^{1/2}.$$

If $V$ is an additive subgroup of $\mathbb{F}_q$ and if $\psi$ is an additive character of $\mathbb{F}_q$, then

$$\sum_{y \in \mathbb{F}_q} \left| \sum_{z \in V} \psi(yz) \right| \le q.$$

Character sums over elliptic curves

Let $E$ be an elliptic curve defined over $\mathbb{F}_q$. For a point $P \ne O$ on $E$ we write $P = (\mathrm{x}(P), \mathrm{y}(P))$. Let $\psi$ be a nonprincipal additive character of $\mathbb{F}_q$ and let $\mathcal{P}$ and $\mathcal{Q}$ be two subsets of $E(\mathbb{F}_q)$. For arbitrary complex functions $\rho(P)$ and $\vartheta(Q)$ supported on $\mathcal{P}$ and $\mathcal{Q}$ we consider the bilinear sums of additive type:

$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) = \sum_{P \in \mathcal{P}} \sum_{Q \in \mathcal{Q}} \rho(P) \vartheta(Q) \psi(\mathrm{x}(P \oplus Q)).$$

Let

$$\sum_{P \in \mathcal{P}} |\rho(P)|^2 \le R \quad \text{and} \quad \sum_{Q \in \mathcal{Q}} |\vartheta(Q)|^2 \le T.$$

Then, uniformly over all nontrivial additive characters $\psi$ of $\mathbb{F}_q$,

$$|V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q})| \ll \sqrt{qRT}.$$

2-source randomness extractors for $E(\mathbb{F}_p)$

Definition. Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_q$, with $q = p$ a prime greater than 5, and let $\mathcal{P}$ and $\mathcal{Q}$ be two subgroups of $E(\mathbb{F}_q)$ with $\#\mathcal{P} = r$ and $\#\mathcal{Q} = t$. Define the function

$$\mathrm{Ext}_1 : \mathcal{P} \times \mathcal{Q} \longrightarrow \{0, 1\}^k, \qquad (P, Q) \longmapsto \mathrm{lsb}_k(\mathrm{x}(P \oplus Q)).$$

2-source randomness extractors for $E(\mathbb{F}_p)$

Theorem. Let $E$ be an elliptic curve defined over $\mathbb{F}_p$ and let $\mathcal{P}$ and $\mathcal{Q}$ be two subgroups of $E(\mathbb{F}_p)$, with $\#\mathcal{P} = r$ and $\#\mathcal{Q} = t$. Let $U_{\mathcal{P}}$ and $U_{\mathcal{Q}}$ be two random variables uniformly distributed in $\mathcal{P}$ and $\mathcal{Q}$ respectively and let $U_k$ be the uniform distribution in $\{0, 1\}^k$. Then,

$$\Delta(\mathrm{Ext}_1(U_{\mathcal{P}}, U_{\mathcal{Q}}), U_k) \ll \sqrt{\frac{2^{k-1} \, p \log(p)}{rt}}.$$

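An added example, not part of the original slides: it computes the exact statistical distance and collision probability of $\mathrm{Ext}_1$ on a toy curve, so the dependence on $rt$ in the theorem above and the lemma $\mathrm{Col}(X) \ge (1 + 4\delta^2)/|S|$ can both be checked on real numbers. The curve $y^2 = x^3 + 1$ over $\mathbb{F}_{257}$, the chosen points, the function names and the encoding of $\mathrm{x}(O)$ as 0 are assumptions made for the illustration.

```python
from collections import Counter
from fractions import Fraction

# Constructed toy curve (assumption, not from the slides): y^2 = x^3 + 1 over F_257.
# 257 = 2 mod 3, so E(F_p) is cyclic of order p + 1 = 258 = 6 * 43. Toy size only.
P_MOD, A = 257, 0                # the coefficient B = 1 is only used to pick points

def add(P, Q):
    """Affine group law on E; None stands for the point at infinity O."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # Q = -P, including doubling a 2-torsion point
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def subgroup(G):
    """Cyclic subgroup [O, G, 2G, ...] generated by G."""
    pts, R = [None], G
    while R is not None:
        pts.append(R)
        R = add(R, G)
    return pts

def ext1(P, Q, k):
    """lsb_k(x(P + Q)); x(O) is undefined on the slides, encoded as 0 here (assumption)."""
    S = add(P, Q)
    return 0 if S is None else S[0] % (1 << k)

def ext1_stats(GP, GQ, k):
    """Exact (r, t, Delta(Ext1(U_P, U_Q), U_k), Col) for P = <GP> and Q = <GQ>."""
    sub_p, sub_q = subgroup(GP), subgroup(GQ)
    r, t = len(sub_p), len(sub_q)
    counts = Counter(ext1(P, Q, k) for P in sub_p for Q in sub_q)
    probs = [Fraction(counts[s], r * t) for s in range(1 << k)]
    delta = sum(abs(pr - Fraction(1, 1 << k)) for pr in probs) / 2
    return r, t, delta, sum(pr * pr for pr in probs)

T6 = (2, 3)                      # constructed: order 6, since 3^2 = 2^3 + 1
H43 = subgroup((8, 16))[6]       # constructed: 16^2 = 8^3 + 1 mod 257; [6](8, 16) has order 43
GEN = add(H43, T6)               # order lcm(43, 6) = 258, generates E(F_p)

if __name__ == "__main__":
    print([ext1_stats(g, h, 2) for g, h in [(T6, T6), (H43, T6), (GEN, GEN)]])
```

With both sources in the order-6 subgroup every abscissa is even, so $\Delta = 1/2$ for $k = 1$ and $k = 2$; this is the small-$rt$ case in which the bound of the theorem says nothing useful.
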
2-source randomness extractors for $E(\mathbb{F}_p)$

Corollary. Let $m$ and $l$ be the bit sizes of $r$ and $t$ respectively and let $e$ be a positive integer. If $k$ is a positive integer such that

$$k \le m + l - (n + 2e + \log_2(n) + 1),$$

then $\mathrm{Ext}_1$ is a $(k, O(2^{-e}))$-deterministic extractor for $\mathcal{P} \times \mathcal{Q}$.

Application to the Unified Model KE

| Symmetric key size | Bit size of $p$ | Bit size of $\#\mathcal{P}$: $\lvert m \rvert_2$ |
|---|---|---|
| $\lvert k \rvert_2 = 64$: DES-64 | 521 | 378 |
| | 384 | 309 |
| | 256 | 245 |
| $\lvert k \rvert_2 = 128$: AES-128 | 521 | 410 |
| | 384 | 340 |
| $\lvert k \rvert_2 = 256$: AES-256 | 521 | 474 |

Table: Parameters for $\mathrm{Ext}_1(Z_e, Z_s)$ at the 80-bit security level

2-source randomness extractors for $E(\mathbb{F}_{p^n})$, with $p > 5$

Definition. Let $E$ be an elliptic curve defined over the finite field $\mathbb{F}_{p^n}$, where $p$ is a prime greater than 5 and $n > 1$. Consider two subgroups $\mathcal{P}$ and $\mathcal{Q}$ of $E(\mathbb{F}_q)$. Define the function

$$\mathrm{Ext}_2 : \mathcal{P} \times \mathcal{Q} \longrightarrow \mathbb{F}_p^k, \qquad (P, Q) \longmapsto (x_1, x_2, \ldots, x_k),$$

where $\mathrm{x}(P \oplus Q) = (x_1, x_2, \ldots, x_k, x_{k+1}, \ldots, x_n)$.

In other words, the function $\mathrm{Ext}_2$ outputs the first $k$ $\mathbb{F}_p$-coefficients of the abscissa of the point $P \oplus Q$.

2-source randomness extractors for $E(\mathbb{F}_{p^n})$, with $p > 5$

Theorem. Let $E$ be an elliptic curve defined over $\mathbb{F}_{p^n}$ and let $\mathcal{P}$ and $\mathcal{Q}$ be two subgroups of $E(\mathbb{F}_{p^n})$ with $\#\mathcal{P} = r$ and $\#\mathcal{Q} = t$. Denote by $U_{\mathcal{P}}$ and $U_{\mathcal{Q}}$ two random variables uniformly distributed on $\mathcal{P}$ and $\mathcal{Q}$ respectively. Then,

$$\Delta(\mathrm{Ext}_2(U_{\mathcal{P}}, U_{\mathcal{Q}}), U_{\mathbb{F}_p^k}) \ll \sqrt{\frac{p^{n+k}}{4rt}}.$$

Future work

1. Generalization of $\mathrm{Ext}_1$ and $\mathrm{Ext}_2$:

$$\mathrm{Ext}_1 : \mathcal{P}_1 \times \mathcal{P}_2 \times \ldots \times \mathcal{P}_s \longrightarrow \{0, 1\}^k, \qquad (P_1, P_2, \ldots, P_s) \longmapsto \mathrm{lsb}_k(\mathrm{x}(P_1 \oplus P_2 \oplus \ldots \oplus P_s))$$

$$\mathrm{Ext}_2 : \mathcal{P}_1 \times \mathcal{P}_2 \times \ldots \times \mathcal{P}_s \longrightarrow \mathbb{F}_p^k, \qquad (P_1, P_2, \ldots, P_s) \longmapsto D_k(\mathrm{x}(P_1 \oplus P_2 \oplus \ldots \oplus P_s))$$

2. Construct good pseudorandom number generators with $\mathrm{Ext}_1$ and $\mathrm{Ext}_2$
