bivariate polynomials modulo composites and their
play

Bivariate Polynomials Modulo Composites and Their Applications Dan - PowerPoint PPT Presentation

Oct 07, 2022 •252 likes •1.09k views

Bivariate Polynomials Modulo Composites and Their Applications Dan Boneh and Henry Corrigan-Gibbs Stanford University ASIACRYPT 8 December 2014 Cryptos Bread and Butter Let N = pq be an RSA modulus of unknown factorization. 2/27

  1. Bivariate Polynomials Modulo Composites and Their Applications Dan Boneh and Henry Corrigan-Gibbs Stanford University ASIACRYPT — 8 December 2014

  2. Crypto’s Bread and Butter Let N = pq be an RSA modulus of unknown factorization. 2/27

  3. Crypto’s Bread and Butter Let N = pq be an RSA modulus of unknown factorization. i.e., p and q are large distinct random primes 2/27

  4. Crypto’s Bread and Butter Let N = pq be an RSA modulus of unknown factorization. 2/27

  5. Crypto’s Bread and Butter Let N = pq be an RSA modulus of unknown factorization. Question Given a fixed polynomial f ∈ Z [ x ] and c ← R Z N How hard is it to solve: f ( x ) = c mod N ? 2/27

  6. Crypto’s Bread and Butter When f ( x ) = x 2 , solving x 2 = c mod N is as hard as factoring N [Rabin ’79] 3/27

  7. Crypto’s Bread and Butter When f ( x ) = x 2 , solving x 2 = c mod N is as hard as factoring N [Rabin ’79] When f ( x ) = x 3 , solving x 3 = c mod N is the RSA problem [Rivest-Shamir-Adleman ’78] 3/27

  8. Crypto’s Bread and Butter When f ( x ) = x 2 , solving x 2 = c mod N is as hard as factoring N [Rabin ’79] When f ( x ) = x 3 , solving x 3 = c mod N is the RSA problem [Rivest-Shamir-Adleman ’78] When f ∈ Z N [ x ] is random (of fixed degree), solving: f ( x ) = 0 mod N is as hard as factoring N [Schwenk-Eisfeld ’96] 3/27

  9. A Natural Extension: Bivariates Question Fix a bivariate polynomial f ∈ Z [ x, y ] , choose c ← R Z N For which f is it hard to solve: f ( x, y ) = c mod N ? 4/27

  10. A Natural Extension: Bivariates Question Fix a bivariate polynomial f ∈ Z [ x, y ] , choose c ← R Z N For which f is it hard to solve: f ( x, y ) = c mod N ? When does f ( x, y ) mod N have interesting cryptographic properties? 4/27

  11. A Natural Extension: Bivariates Question Fix a bivariate polynomial f ∈ Z [ x, y ] , choose c ← R Z N For which f is it hard to solve: f ( x, y ) = c mod N ? When does f ( x, y ) mod N have interesting cryptographic properties? Subject of this talk 4/27

  12. Immediate Application From the discrete log problem . . . M = g m 5/27

  13. Immediate Application From the discrete log problem . . . M = g m . . . we get a commit- ment scheme: C ( m ; r ) = g m h r [Pedersen ’91] 5/27

  14. Immediate Application From the From the RSA problem . . . discrete log problem . . . M = m 3 mod N M = g m . . . we get a commit- ment scheme: C ( m ; r ) = g m h r [Pedersen ’91] 5/27

  15. Immediate Application From the From the RSA problem . . . discrete log problem . . . M = m 3 mod N M = g m . . . we get a commit- . . . do we get a ment scheme: commitment scheme? C ( m ; r ) = g m h r C ( m ; r ) = m 3 + 2 r 3 mod N [Pedersen ’91] 5/27

  16. Immediate Application From the From the RSA problem . . . discrete log problem . . . M = m 3 mod N M = g m . . . we get a commit- . . . do we get a ment scheme: commitment scheme? Or maybe m 4 ? m 5 ? C ( m ; r ) = g m h r C ( m ; r ) = m 3 + 2 r 3 mod N [Pedersen ’91] 5/27

  17. Immediate Application From the From the RSA problem . . . discrete log problem . . . M = m 3 mod N M = g m . . . we get a commit- . . . do we get a ment scheme: commitment scheme? C ( m ; r ) = g m h r C ( m ; r ) = m 3 + 2 r 3 mod N [Pedersen ’91] 5/27

  18. Immediate Application From the From the RSA problem . . . discrete log problem . . . M = m 3 mod N M = g m . . . we get a commit- . . . do we get a ment scheme: commitment scheme? X C ( m ; r ) = g m h r C ( m ; r ) = m 3 + 2 r 3 mod N [Pedersen ’91] 5/27

  19. Overview Motivation Classifying Polynomials One way functions Second preimage resistance Collision Resistance Applications Conclusion 6/27

  20. Classifying Polynomials Useful cryptographic properties of f ( x, y ) mod N : ▶ one-wayness ▶ second preimage resistance ▶ collision resistance 7/27

  21. Classifying Polynomials Useful cryptographic properties of f ( x, y ) mod N : ▶ one-wayness ▶ second preimage resistance ▶ collision resistance Question Which polynomials f ∈ Z [ x, y ] define functions mod N with these properties? 7/27

  22. To understand properties of c ← f ( x, y ) mod N , look at the properties of f ( x, y ) = c ∈ Q . 8/27

  23. Our Approach Fact If it’s easy to find rational solutions to f ( x, y ) = c ∈ Q then , for random RSA moduli N , it’s easy find solutions to f ( x, y ) = c mod N. 9/27

  24. Our Approach Find solution Fact and reduce it mod N . If it’s easy to find rational solutions to f ( x, y ) = c ∈ Q then , for random RSA moduli N , it’s easy find solutions to f ( x, y ) = c mod N. 9/27

  25. Our Approach Fact If it’s easy to find rational solutions to f ( x, y ) = c ∈ Q then , for random RSA moduli N , it’s easy find solutions to f ( x, y ) = c mod N. 9/27

  26. Our Approach Fact If it’s easy to find rational solutions to f ( x, y ) = c ∈ Q then , for random RSA moduli N , it’s easy find solutions to f ( x, y ) = c mod N. Question Is this the only way to find solutions mod N ? 9/27

  27. Our Approach Fact If it’s easy to find rational solutions to f ( x, y ) = c ∈ Q then , for random RSA moduli N , it’s easy find solutions to f ( x, y ) = c Can compute + , − , ∗ , / . mod N. Not √ x . Question Is this the only way to find solutions mod N ? 9/27

  28. Our Approach Fact If it’s easy to find rational solutions to f ( x, y ) = c ∈ Q then , for random RSA moduli N , it’s easy find solutions to f ( x, y ) = c mod N. Question Is this the only way to find solutions mod N ? 9/27

  29. Our Approach Fact If it’s easy to find rational solutions to f ( x, y ) = c ∈ Q then , for random RSA moduli N , it’s easy find solutions to f ( x, y ) = c mod N. Question Is this the only way to find solutions mod N ? More generally: Are rational properties of f sufficient to get cryptographic properties mod N ? 9/27

  30. One Wayness Example You want this to be a OWF. Is it? f ( x, y ) = x 2 − 5 y 2 + 3 xy mod N 10/27

  31. One Wayness Example You want this to be a OWF. Is it? f ( x, y ) = x 2 − 5 y 2 + 3 xy mod N No! The curve f ( x, y ) = c is of genus zero over Q , so can efficiently invert the OWF. [Pollard-Schnorr ’87] 10/27

  32. One Wayness Example You want this to be a OWF. Is it? f ( x, y ) = x 2 − 5 y 2 + 3 xy mod N No! The curve f ( x, y ) = c is of genus zero over Q , so can efficiently invert the OWF. [Pollard-Schnorr ’87] OSS’84 sigs (broken) relied on the hardness of a related problem. 10/27

  33. One Wayness Classify polynomials f ∈ Z [ x, y ] according to the genus of f ( x, y ) − c = 0 for most c ∈ Z N 11/27

  34. One Wayness Classify polynomials f ∈ Z [ x, y ] according to the genus of f ( x, y ) − c = 0 for most c ∈ Z N Genus Type Easy to invert mod N ? 0 “rational” Yes 1 “elliptic” ? ≥ 2 ? 11/27

  35. One Wayness Classify polynomials f ∈ Z [ x, y ] according to the genus of f ( x, y ) − c = 0 for most c ∈ Z N Genus Type Easy to invert mod N ? 0 “rational” Yes 1 “elliptic” ? ≥ 2 ? Necessary Condition: For f to give rise to OWF, curve f ( x, y ) − c = 0 must have genus > 0 for almost all c . 11/27

  36. Second Preimage Resistance Definition: Given a point ( x, y ) ← R Z 2 N , should be hard to find a second point ( x ′ , y ′ ) such that: f ( x, y ) = f ( x ′ , y ′ ) mod N 12/27

  37. Second Preimage Resistance Definition: Given a point ( x, y ) ← R Z 2 N , should be hard to find a second point ( x ′ , y ′ ) such that: f ( x, y ) = f ( x ′ , y ′ ) mod N Breaking SPR is only as hard as finding a second rational point on the curve f ( x, y ) = c . 12/27

  38. Second Preimage Resistance Definition: Given a point ( x, y ) ← R Z 2 N , should be hard to find a second point ( x ′ , y ′ ) such that: f ( x, y ) = f ( x ′ , y ′ ) mod N Breaking SPR is only as hard as finding a second rational point on the curve f ( x, y ) = c . Necessary Condition: For f to be SPR, curve f ( x, y ) = c must have no non-trivial rational mapping ( x, y ) �→ ( x ′ , y ′ ) for almost all c . 12/27

  39. Second Preimage Resistance Definition: Given a point ( x, y ) ← R Z 2 N , should be hard to find a second point ( x ′ , y ′ ) such that: f ( x, y ) = f ( x ′ , y ′ ) mod N Details are in Breaking SPR is only as hard as finding a second rational the paper point on the curve f ( x, y ) = c . Necessary Condition: For f to be SPR, curve f ( x, y ) = c must have no non-trivial rational mapping ( x, y ) �→ ( x ′ , y ′ ) for almost all c . 12/27

  40. Collision Resistance Definition: f is collision resistant if it is computationally hard to find ( x, y ) ̸ = ( x ′ , y ′ ) ∈ Z 2 N such that f ( x, y ) = f ( x ′ , y ′ ) mod N. 13/27

  41. Collision Resistance Definition: f is collision resistant if it is computationally hard to find ( x, y ) ̸ = ( x ′ , y ′ ) ∈ Z 2 N such that f ( x, y ) = f ( x ′ , y ′ ) mod N. Definition: A function f : Q × Q �→ Q is injective if f ( x, y ) = f ( x ′ , y ′ ) = ⇒ ( x, y ) = ( x ′ , y ′ ) . 13/27

  42. Collision Resistance Fact f ( x, y ) is NOT = ⇒ f ( x, y ) is NOT an injective map CR mod N 14/27

  43. Collision Resistance Find “collision” in Q and reduce it mod N . Fact f ( x, y ) is NOT = ⇒ f ( x, y ) is NOT an injective map CR mod N 14/27

  44. Collision Resistance Fact f ( x, y ) is NOT = ⇒ f ( x, y ) is NOT an injective map CR mod N 14/27

Recommend

Counting reducible and singular bivariate polynomials Joachim von zur Gathen Bonn 1 Four

Counting reducible and singular bivariate polynomials Joachim von zur Gathen Bonn 1 Four

Counting reducible and singular bivariate polynomials Joachim von zur Gathen Bonn 1 Four accidents can happen to a bivariate (or multivariate) polynomial over a field: a nontrivial factor, a square factor, a factor over an

1.18k views • 98 slides
Bivariate Dimension Polynomials of Non-Reflexive Prime Difference-Differential Ideals. The Case

Bivariate Dimension Polynomials of Non-Reflexive Prime Difference-Differential Ideals. The Case

Bivariate Dimension Polynomials of Non-Reflexive Prime Difference-Differential Ideals. The Case of One Translation Alexander Levin The Catholic University of America Washington, D. C. 20064 43rd International Symposium on Symbolic and

398 views • 28 slides
Fast Reduction of Bivariate Polynomials with Respect to Sufficiently Regular Gr obner Bases

Fast Reduction of Bivariate Polynomials with Respect to Sufficiently Regular Gr obner Bases

Fast Reduction of Bivariate Polynomials with Respect to Sufficiently Regular Gr obner Bases Joris van der Hoeven, Robin Larrieu Laboratoire dInformatique de lEcole Polytechnique (LIX) ISSAC 18 New York, USA 18 / 07 / 2018 Joris

419 views • 27 slides
Factoring bivariate lacunary polynomials without heights Bruno Grenet ENS Lyon Joint work

Factoring bivariate lacunary polynomials without heights Bruno Grenet ENS Lyon Joint work

Factoring bivariate lacunary polynomials without heights Bruno Grenet ENS Lyon Joint work with Arkadev Chattophyay Pascal Koiran TIFR, Mumbai ENS Lyon Natacha Portier Yann Strozecki ENS Lyon U. Versailles Palindromic Dagstuhl

1.07k views • 92 slides
On Computing the Resultant of Generic Bivariate Polynomials Gilles Villard ISSAC, New York, July

On Computing the Resultant of Generic Bivariate Polynomials Gilles Villard ISSAC, New York, July

On Computing the Resultant of Generic Bivariate Polynomials Gilles Villard ISSAC, New York, July 17th, 2018 Outline of the talk Appetizer The problem New algorithm: A key ingredient A central remark Outline of the talk Appetizer The

935 views • 57 slides
Bivariate Correlation r > 0 r < 0 r = 0 r = 0 r > 0 r = 0 remember: r measures

Bivariate Correlation r > 0 r < 0 r = 0 r = 0 r > 0 r = 0 remember: r measures

Today bivariate correlation bivariate regression multiple regression Bivariate Correlation Pearson product-moment correlation (r) assesses nature and strength of the linear relationship between two continuous variables ( X

1.03k views • 89 slides
Distribution of PCF cubic polynomials Charles Favre charles.favre@polytechnique.edu June 28th,

Distribution of PCF cubic polynomials Charles Favre charles.favre@polytechnique.edu June 28th,

Distribution of PCF cubic polynomials Charles Favre charles.favre@polytechnique.edu June 28th, 2016 The parameter space of polynomials Poly d : degree d polynomials modulo conjugacy by affine transformations. { P = a d z d + + a 0

707 views • 42 slides
Diagnostics and Transformations Part 2 Bivariate Linear Regression James H. Steiger

Diagnostics and Transformations Part 2 Bivariate Linear Regression James H. Steiger

Introduction Linear Transformations Polynomial Regression Orthogonal Polynomials Empirically Motivated Nonlinear Transformations Diagnostics and Transformations Part 2 Bivariate Linear Regression James H. Steiger Department of Psychology

961 views • 46 slides
Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of

Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of

SBU - Tehran ENSL - Lyon Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of Residues Seyed Hamed Fatemi Langroudi & Ghassem Jaberipur Computer Science & Engineering Department Shahid

1.35k views • 113 slides
IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet

IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet

IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites Robert Bjekovic, University of applied sciences Ravensburg Weingarten, Weingarten, Germany Michael Elwert, University of applied

351 views • 32 slides
Today. Summary: polynomials. Farewell (for now) to modular arithmetic... Set of d + 1 points

Today. Summary: polynomials. Farewell (for now) to modular arithmetic... Set of d + 1 points

Today. Summary: polynomials. Farewell (for now) to modular arithmetic... Set of d + 1 points determines degree d polynomial. Modular arithmetic modulo a prime. Encode secret using degree k 1 polynomial: Add, subtract, commutative,

431 views • 7 slides
! Wood%Plas*c!Composites!(WPC)!and!Natural% Fibre!Composites!(NFC):!

! Wood%Plas*c!Composites!(WPC)!and!Natural% Fibre!Composites!(NFC):!

! Wood%Plas*c!Composites!(WPC)!and!Natural% Fibre!Composites!(NFC):! European!Automo*ve!Industry!2012 Michael Carus (Physicist) Managing Director, nova-Institut GmbH Hrth-Knapsack (next to Cologne), Germany 1 2 3 Facts and figures

368 views • 20 slides
Contents 1 The Classic Bivariate Least Squares Model 1 1.1 The Setup . . . . . . . . . . . . .

Contents 1 The Classic Bivariate Least Squares Model 1 1.1 The Setup . . . . . . . . . . . . .

Review of Bivariate Linear Regression Contents 1 The Classic Bivariate Least Squares Model 1 1.1 The Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 An Example Predicting Kids IQ . . . . . . . . . . . . . . .

254 views • 9 slides
Composites Research Network: Background UBC Composites Group has been active since late

Composites Research Network: Background UBC Composites Group has been active since late

Composites Research Network: A Sustainable Approach to Design and Manufacturing UTIAS National Colloquium on Sustainable Aviation Toronto, June 2013 Alireza Forghani, PhD Research Associate Team-Lead: Modelling Composites Research Network:

495 views • 25 slides
Week 6 Congruence Relation Modulo n Discrete Math Marie Demlov

Week 6 Congruence Relation Modulo n Discrete Math Marie Demlov

Congruence Relation Modulo n Residue Classes Modulo n Exercises Week 6 Congruence Relation Modulo n Discrete Math Marie Demlov http://math.feld.cvut.cz/demlova April 2, 2020 M. Demlova: Discrete Math Congruence Relation Modulo n Residue

390 views • 14 slides
Congruence Modulo Operation: Question: What is 12 mod 9? Answer: 12 mod 9 3 or 12

Congruence Modulo Operation: Question: What is 12 mod 9? Answer: 12 mod 9 3 or 12

Congruence Modulo Operation: Question: What is 12 mod 9? Answer: 12 mod 9 3 or 12 3 (mod 9) ( ) Number Theory for Cryptography 12 is congruent to 3 modulo 9 Definition: Let a , r , m (where is the set of

261 views • 11 slides
More Zeroes of Polynomials In this lecture we look more carefully at zeroes of polynomials.

More Zeroes of Polynomials In this lecture we look more carefully at zeroes of polynomials.

More Zeroes of Polynomials In this lecture we look more carefully at zeroes of polynomials. (Recall: a zero of a polynomial is sometimes called a root.) Our goal in the next few presentations is to set up a strategy for Elementary

331 views • 9 slides
The Foundation of Regression Analysis Bivariate Linear Regression James H. Steiger Department of

The Foundation of Regression Analysis Bivariate Linear Regression James H. Steiger Department of

The Classic Bivariate Least Squares Model Evaluating and Extending the Model The Foundation of Regression Analysis Bivariate Linear Regression James H. Steiger Department of Psychology and Human Development Vanderbilt University Multilevel

1.36k views • 112 slides
28 4x 81y 4 z rt 3 2 , 4 5 6 7 2 17x mn 3 We usually write the variables in exponential

28 4x 81y 4 z rt 3 2 , 4 5 6 7 2 17x mn 3 We usually write the variables in exponential

Slide 1 / 216 Slide 2 / 216 Algebra I Polynomials 2015-11-02 www.njctl.org Slide 3 / 216 Click on the topic to go to that section Table of Contents Definitions of Monomials, Polynomials and Degrees Adding and Subtracting Polynomials

964 views • 72 slides
Local Approaches in Composites Dmitry S. Ivanov Bristol Composites Institute National

Local Approaches in Composites Dmitry S. Ivanov Bristol Composites Institute National

Local Approaches in Composites Dmitry S. Ivanov Bristol Composites Institute National Composites Centre conference 2019 21/11/2019 2 To discuss Local tuning properties of the composite structures or composite precursors for efficiency

386 views • 11 slides
Unit 4c Division and Module Idioms 2 Unit Objectives Apply division and modulo operation to

Unit 4c Division and Module Idioms 2 Unit Objectives Apply division and modulo operation to

1 Unit 4c Division and Module Idioms 2 Unit Objectives Apply division and modulo operation to solve specific conversion problems 3 Arithmetic Idioms APPLICATIONS OF DIVISION AND MODULO 4 Integer Division and Modulo Operations

575 views • 11 slides
Zenon Modulo: When Achilles Outruns the Tortoise using Deduction Modulo November 18, 2013 David

Zenon Modulo: When Achilles Outruns the Tortoise using Deduction Modulo November 18, 2013 David

Zenon Modulo: When Achilles Outruns the Tortoise using Deduction Modulo November 18, 2013 David Delahaye David.Delahaye@cnam.fr Cnam / Inria, CPR / Deducteam, Paris, France GDR GPL, GT LTP , LaBRI, Bordeaux, France Proof Search in Axiomatic

693 views • 50 slides
Bayesian and Non-Bayesian Analysis of Soccer Data using Bivariate Poisson Regression Models

Bayesian and Non-Bayesian Analysis of Soccer Data using Bivariate Poisson Regression Models

Bivariate Poisson models for soccer April 2003 Bayesian and Non-Bayesian Analysis of Soccer Data using Bivariate Poisson Regression Models Dimitris Karlis John Ntzoufras Department of Statistics Dept. of Business Administration

909 views • 39 slides
Classification of Combinatorial Polynomials (in particular, Ehrhart Polynomials of Zonotopes)

Classification of Combinatorial Polynomials (in particular, Ehrhart Polynomials of Zonotopes)

Classification of Combinatorial Polynomials (in particular, Ehrhart Polynomials of Zonotopes) Matthias Beck San Francisco State University Katharina Jochemko Kungliga Tekniska H ogskolan Emily McCullough University of San Francisco

244 views • 20 slides

More recommend