arithmetic operators for pairing based cryptography
play

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat - PowerPoint PPT Presentation

Mar 17, 2024 •307 likes •896 views

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573,

  1. Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573, Japan mailto:beuchat@risk.tsukuba.ac.jp e J. Monnet, Saint-´ Joint work with Nicolas Brisebarre (Universit´ Etienne, France), J´ er´ emie Detrey (ENS Lyon, France), Eiji Okamoto (University of Tsukuba, Japan), Masaaki Shirase (Future University, Hakodate, Japan), and Tsuyoshi Takagi (Future University, Hakodate, Japan) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 1 / 38

  2. Outline of the Talk Example: Three-Party Key Agreement 1 Computation of the η T Pairing 2 A Coprocessor for the η T Pairing Computation 3 A Coprocessor for the Final Exponentiation 4 A Coprocessor for the Full Pairing Computation 5 Conclusion 6 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 2 / 38

  3. Example: Three-Party Key Agreement Key agreement How can Alice, Bob, and Chris agree upon a shared secret key? Alice Bob ? Chris Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 3 / 38

  4. Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = � P � : additively-written group of order n DLP: given P , Q , find the integer x ∈ { 0 , . . . , n − 1 } such that Q = xP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

  5. Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = � P � : additively-written group of order n DLP: given P , Q , find the integer x ∈ { 0 , . . . , n − 1 } such that Q = xP Diffie-Hellman problem (DHP) Given P , aP , and bP , find abP . Alice Bob a b aP bP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

  6. Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = � P � : additively-written group of order n DLP: given P , Q , find the integer x ∈ { 0 , . . . , n − 1 } such that Q = xP Diffie-Hellman problem (DHP) Given P , aP , and bP , find abP . Alice aP Bob a b aP bP bP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

  7. Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = � P � : additively-written group of order n DLP: given P , Q , find the integer x ∈ { 0 , . . . , n − 1 } such that Q = xP Diffie-Hellman problem (DHP) Given P , aP , and bP , find abP . Alice Bob a b abP abP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

  8. Example: Three-Party Key Agreement Alice Bob a b aP bP Chris c cP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  9. Example: Three-Party Key Agreement Alice Bob a b aP bP bP First round aP cP Chris c cP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  10. Example: Three-Party Key Agreement Alice Bob a b abP acP Chris c bcP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  11. Example: Three-Party Key Agreement Alice Bob a b abP acP acP Second round abP bcP Chris c bcP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  12. Example: Three-Party Key Agreement Alice Bob a b abcP abcP Chris c abcP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

  13. Example: Three-Party Key Agreement Three-party two-round key agreement protocol Does a three-party one-round key agreement protocol exist? Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 6 / 38

  14. Example: Three-Party Key Agreement Bilinear pairing G 1 = � P � : additively-written group G 2 : multiplicatively-written group with identity 1 A bilinear pairing on ( G 1 , G 2 ) is a map ˆ e : G 1 × G 1 → G 2 that satisfies the following conditions: Bilinearity. For all Q , R , S ∈ G 1 , 1 ˆ e ( Q + R , S ) = ˆ e ( Q , S )ˆ e ( R , S ) and ˆ e ( Q , R + S ) = ˆ e ( Q , R )ˆ e ( Q , S ). Non-degeneracy. ˆ e ( P , P ) � = 1. 2 Computability. ˆ e can be efficiently computed. 3 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 7 / 38

  15. Example: Three-Party Key Agreement Bilinear Diffie-Hellman problem (BDHP) e ( P , P ) abc Given P , aP , bP , and cP , compute ˆ Assumption: the BDHP is difficult Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 8 / 38

  16. Example: Three-Party Key Agreement Alice Bob a b aP bP Chris c cP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

  17. Example: Three-Party Key Agreement bP Alice Bob a b aP bP aP aP cP bP cP Chris c cP Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

  18. Example: Three-Party Key Agreement Alice Bob a b ˆ e ( bP , cP ) a e ( aP , cP ) b ˆ e ( bP , cP ) a = ˆ e ( aP , cP ) b = ˆ e ( aP , bP ) c = ˆ e ( P , P ) abc ˆ Chris c e ( aP , bP ) c ˆ Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

  19. Example: Three-Party Key Agreement Examples of cryptographic bilinear maps Weil pairing Tate pairing η T pairing (Barreto et al. ) Ate pairing (Hess et al. ) Applications Identity based encryption Short signature Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 10 / 38

  20. Computation of the η T Pairing Elliptic curve over F 3 m Q = ( x q , y q ) P = ( x p , y p ) P η T pairing η T ( P , Q ) η T ( P , Q ) W ∈ F 3 6 m Exponentiation calculation ( F 3 6 m ) Q Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 11 / 38

  21. Computation of the η T Pairing – Tower Field ρ 2 1 ρ F 3 6 m = F 3 2 m [ ρ ] / ( ρ 3 − ρ − 1) 1 σ F 3 2 m = F 3 m [ σ ] / ( σ 2 + 1) x 2 x m − 3 x m − 2 x m − 1 1 x F 3 m = F 3 [ x ] / ( f ( x )) F 3 = Z / 3 Z = { 0, 1, 2 } Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 12 / 38

  22. Computation of the η T Pairing – Tower Field F 3 2 m F 3 2 m F 3 2 m ρ 2 σρ 2 1 σ ρ σρ 12 m bits F 3 6 m x m − 3 x m − 2 x m − 1 x 2 1 x 2 m bits F 3 m 2 bits F 3 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 13 / 38

  23. Computation of the η T Pairing m +1 η T ( P , Q ) 3 2 η T ( P , Q ) (Arith 18) Addition Addition Multiplication Multiplication Cubing Cubing Cube root Bilinearity of η T ( P , Q ) W � 2 � W m +1 � � � 3 η T ( P , Q ) W = 3 m � �� m − 1 � η T 3 P , Q � 2 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 14 / 38

  24. Computation of the η T Pairing Multiplication over F 3 6 m – η T ( P , Q ) m +1 multiplications 2 Operands: A and B ∈ F 3 6 m with ρ 2 σρ 2 1 σ ρ σρ − r 2 B = y p y q − r 0 0 − 1 0 0 r 0 , y p , and y q ∈ F 3 m Cost: 13 multiplications and 46 additions over F 3 m Multiplication over F 3 6 m – Exponentiation Only one multiplication Operands: A and B ∈ F 3 6 m Cost: 18 multiplications and 58 additions over F 3 m Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 15 / 38

  25. A Coprocessor for the η T Pairing Computation P = ( x p , y p ) η T ( P , Q ) Exponentiation η T ( P , Q ) W η T pairing Q = ( x q , y q ) (Waifi 2007) calculation (Arith 18) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 16 / 38

  26. A Coprocessor for the η T Pairing Computation P = ( x p , y p ) η T ( P , Q ) Exponentiation η T ( P , Q ) W η T pairing Q = ( x q , y q ) (Waifi 2007) calculation (Arith 18) Computation of η T ( P , Q ): multiplication over F 3 6 m New algorithm ◮ 15 multiplications and 29 additions over F 3 m ◮ Allows one to share operands between multipliers (less registers) Architecture ◮ 9 multipliers ◮ Most significant coefficient first (Horner’s rule) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 16 / 38

  27. A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [ x ] / ( x 97 + x 12 + 2) FPGA: Cyclone II EP2C35 (Altera) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

  28. A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [ x ] / ( x 97 + x 12 + 2) FPGA: Cyclone II EP2C35 (Altera) η T ( P , Q ) (Arith 18) Arithmetic over F 3 97 ◮ 9 multipliers ◮ 2 adders ◮ 1 cubing unit Area: 14895 LEs Frequency: 149 MHz Computation time: 33 µ s Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

  29. A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [ x ] / ( x 97 + x 12 + 2) FPGA: Cyclone II EP2C35 (Altera) η T ( P , Q ) (Arith 18) Exponentiation (Waifi 2007) Arithmetic over F 3 97 Challenge ◮ 9 multipliers Raise η T ( P , Q ) to the W power ◮ 2 adders in 33 µ s (or less) ◮ 1 cubing unit with the smallest amount of Area: 14895 LEs hardware Frequency: 149 MHz Computation time: 33 µ s Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

  30. A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

  31. A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Short time to market Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

  32. A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Short time to market Small series Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

Recommend

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc Beuchat Laboratory of Cryptography and Informantion Security University of Tsukuba, Japan jeanluc.beuchat@gmail.com Joint work with: enaire, LIP,

1.73k views • 139 slides
Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles St-Quentin-en-Yvelines France 1 Introduction: EC in cryptography Starting point: 1985 (V. Miller) Discrete logarithm based

487 views • 45 slides
Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Bilinear Pairing Two (or three) groups with an

1.44k views • 105 slides
Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Bilinear Pairing Two (or three) groups with an

1.67k views • 118 slides
Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear

Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear

Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear 2 Bilinear Pairing Two (or three) groups

1.06k views • 102 slides
RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

22nd IEEE Symposium on Computer Arithmetic RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core Procedure Jean-Claude Bajard , Julien Eynard Nabil Merkiche , Thomas Plantard Sorbonne

383 views • 25 slides
Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us

Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us

Assignment and Arithmetic Operators http://cs.mst.edu What are operators? Operators allow us to modify and manipulate information. They are symbols that represent a commonly used operation, such as addition 2 + 2 http://cs.mst.edu

365 views • 17 slides
Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based Encryption 2 Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair 2 Identity-Based Encryption In PKE, KeyGen produces a random

1.47k views • 114 slides
Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia El Mrabet (1) and Christophe Negre (2) (1) Team Arith/LIRMM, Universit e Montpellier 2 (2) Team DALI/ELIAUS, Universit e de Perpignan

753 views • 49 slides
Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based Encryption Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair

1.65k views • 115 slides
Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a

Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a

1. Introduction 2. Binary Representation Lecture 6 Arithmetic Operators 3. Hardware and Softw are 4. High Level Languages C has a number of arithmetic operators which are used to 5. Standard input and output combine variables and

403 views • 3 slides
Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Introduction Arithmetic in GF ( 2 m ) Summary - results, comments, future prospects Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power consumption - security tradeoffs Danuta Pamua 17th December 2012

695 views • 32 slides
A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

Abelian Varieties and Pairing-Based Cryptography Constructing Pairing-Friendly Abelian Varieties Analyzing the Algorithm A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties David Freeman Stanford

537 views • 16 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello

Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello

Introduction Motivation Miller 2 n -tupling Results Related Work Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello craig.costello@qut.edu.au Queensland University of Technology AfricaCrypt 2010 Joint work with

556 views • 26 slides
Quasiperiodic Schrodinger operators: sharp arithmetic spectral transitions and universal

Quasiperiodic Schrodinger operators: sharp arithmetic spectral transitions and universal

Quasiperiodic Schrodinger operators: sharp arithmetic spectral transitions and universal hierarchical structure of eigenfunctions S. Jitomirskaya Atlanta, October 10, 2016 S. Jitomirskaya Quasiperiodic Schrodinger operators: sharp arithmetic

849 views • 72 slides
Pairing Pairing is the process by which we condition ourselves, the teaching materials, and

Pairing Pairing is the process by which we condition ourselves, the teaching materials, and

Pairing & Manding Vincent J. Carbone Ed.D., BCBA-D NYS Licensed Behavior Analyst Carbone Clinic New York Boston Dubai www.CarboneClinic.com www.TheCarboneclinic.ae IESCUM Parma, Italy December 1,2 & 3, 2016 1 Pairing

622 views • 35 slides
Pairing time-reversal states J = 0 + (a) +m -m k F k F K k F + L.N.

Pairing time-reversal states J = 0 + (a) +m -m k F k F K k F + L.N.

Nuclear pairing from microscopic forces (with applications) Paolo Finelli Dept. of Physics and Astronomy, University of Bologna paolo. fj nelli@bo.infn.it Based on Phys. Rev. C 90, 044003 Published 21 October 2014 Pairing time-reversal

674 views • 22 slides
Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Cryptography Number Theory Divisibility and Primes Modular Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms Computationally Hard Problems School of Engineering and Technology CQUniversity

964 views • 67 slides
Secure Device Pairing What is device pairing? What is

Secure Device Pairing What is device pairing? What is

Secure Device Pairing What is device pairing? What is device pairing? What is the problem? The wireless communica8on channel is rela8vely easy to

298 views • 9 slides
A Look Back at Arithmetic Operators: the Increment and Decrement Spring Semester 2016

A Look Back at Arithmetic Operators: the Increment and Decrement Spring Semester 2016

1/21/2016 A Look Back at Arithmetic Operators: the Increment and Decrement Spring Semester 2016 Programming and Data Structure 27 Increment (++) and Decrement (--) Both of these are unary operators; they operate on a single operand.

483 views • 12 slides
Operators C emphasizes expressions rather than statements. Expressions are built from

Operators C emphasizes expressions rather than statements. Expressions are built from

1/28/14 Operators C emphasizes expressions rather than statements. Expressions are built from variables, constants, and Expressions operators. C has a rich collection of operators, including o arithmetic operators o relational

946 views • 6 slides
Computing Hecke Operators for Cohomology of Arithmetic Subgroups of SL n ( Z ) Mark McConnell

Computing Hecke Operators for Cohomology of Arithmetic Subgroups of SL n ( Z ) Mark McConnell

Computing Hecke Operators for Cohomology of Arithmetic Subgroups of SL n ( Z ) Mark McConnell Princeton University March 25, 2019 Joint with: Avner Ash, Paul Gunnells, Dan Yasaki Bob MacPherson Introduction G = connected semisimple algebraic

642 views • 37 slides
Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel

Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel

Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel GALLIN CNRS IRISA Univ. Rennes 1 November 29 th , 2018 Ph.D. supervised by Arnaud TISSERAND, CNRS Lab-STICC Introduction 1 HTMM

591 views • 40 slides

More recommend