efficient compression of sidh public keys
play

Efficient compression of SIDH public keys Craig Costello 1 David Jao - PowerPoint PPT Presentation

Nov 25, 2023 •380 likes •835 views

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael Naehrig 1 Joost Renes 3 David Urbanik 2 1 Microsoft Research, Redmond, USA 2 University of Waterloo, Ontario, Canada 3 Radboud University, Nijmegen, The

  1. Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael Naehrig 1 Joost Renes 3 David Urbanik 2 1 Microsoft Research, Redmond, USA 2 University of Waterloo, Ontario, Canada 3 Radboud University, Nijmegen, The Netherlands 1 May 2017 1 May 2017 1 / 14

  2. Supersingular-isogeny Diffie-Hellman ◮ Post-quantum secure (ephemeral) key exchange [JF11] ◮ Based on hardness of finding large-degree isogenies ◮ Small keys ( ≈ 564 bytes public) ◮ Relatively slow compared to other PQ proposals ◮ Key compression ( ≈ 385 bytes), at very high cost [Aza+16] 1 May 2017 2 / 14

  3. Supersingular-isogeny Diffie-Hellman ◮ Post-quantum secure (ephemeral) key exchange [JF11] ◮ Based on hardness of finding large-degree isogenies ◮ Small keys ( ≈ 564 bytes public) ◮ Relatively slow compared to other PQ proposals ◮ Key compression ( ≈ 385 bytes), at very high cost [Aza+16] This talk ◮ Key size reduced by 12 . 5% ( ≈ 330 bytes) ◮ Compression up to 66 × faster ◮ Decompression up to 15 × faster 1 May 2017 2 / 14

  4. Isogeny graphs p = 2 3 · 3 2 − 1 , E / F p 2 : y 2 = x 3 + x , j ( E ) = 24 , ℓ = 2 41 24 66 17 0 48 40 1 May 2017 3 / 14

  5. Isogeny graphs p = 2 3 · 3 2 − 1 , E / F p 2 : y 2 = x 3 + x , j ( E ) = 24 , ℓ = 2 41 2 2 24 2 66 17 0 48 3 40 1 May 2017 3 / 14

  6. Isogeny graphs p = 2 3 · 3 2 − 1 , E / F p 2 : y 2 = x 3 + x , j ( E ) = 24 , ℓ = 2 41 24 66 17 0 48 40 1 May 2017 3 / 14

  7. Isogeny graphs p = 2 3 · 3 2 − 1 , E / F p 2 : y 2 = x 3 + x , j ( E ) = 24 , ℓ = 3 41 3 24 2 2 2 66 17 0 2 48 2 2 2 40 1 May 2017 3 / 14

  8. Key generation = private party A , = private party B , = public keys 41 2 2 24 2 66 17 0 48 3 40 1 May 2017 4 / 14

  9. Key generation = private party A , = private party B , = public keys 41 3 24 2 2 2 66 17 0 2 48 2 2 2 40 1 May 2017 4 / 14

  10. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց = 3-graph walk, ց ց E A φ A E φ B E B 1 May 2017 5 / 14

  11. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց = 3-graph walk, ց ց E A [ ℓ e ] = � P , Q � E A φ A E AB E φ B E B 1 May 2017 5 / 14

  12. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, ∈ F 2 E A [ ℓ e ] = � P , Q � p 2 (= 4 log p bits) ∈ F p 2 (= 2 log p bits) E A φ A E AB E φ B E B 1 May 2017 5 / 14

  13. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E A [ ℓ e ] = � R , S � ∈ F 2 E A [ ℓ e ] = � P , Q � p 2 (= 4 log p bits) ∈ F p 2 (= 2 log p bits) E A φ A E AB E φ B E B 1 May 2017 5 / 14

  14. Supersingular-isogeny Diffie-Hellman [JF11] = private party A , = private party B , = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E A [ ℓ e ] = � R , S � ∈ Z 4 ( α, β, γ, δ ) ℓ e ( ≈ 2 log p bits) ∈ F p 2 (= 2 log p bits) E A φ A E AB E φ B E B 1 May 2017 5 / 14

  15. Public-key compression [Aza+16] Compression � R , S � � P , Q � ( α, β, γ, δ ) � α R + β S , γ R + δ S � Decompression � R , S � ( α, β, γ, δ ) � P , Q � ( α, β, γ, δ ) 1 May 2017 6 / 14

  16. Public-key compression [Aza+16] Compression � R , S � Expensive � P , Q � ( α, β, γ, δ ) � α R + β S , γ R + δ S � Decompression � R , S � ( α, β, γ, δ ) � P , Q � ( α, β, γ, δ ) 1 May 2017 6 / 14

  17. Public-key compression [Aza+16] Significantly improve efficiency (up to 66 × ) Compression � R , S � � P , Q � ( α, β, γ, δ ) � α R + β S , γ R + δ S � Decompression � R , S � ( α, β, γ, δ ) � P , Q � ( α, β, γ, δ ) Significantly improve efficiency (up to 15 × ) 1 May 2017 6 / 14

  18. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = 1 May 2017 7 / 14

  19. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick R ∈ E ( F p 2 ) \ 2 E ( F p 2 ) 1 May 2017 7 / 14

  20. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick R ∈ E ( F p 2 ) \ 2 E ( F p 2 ) For E : y 2 = x ( x − γ )( x − δ ), R ∈ 2 E ( F p 2 ) ⇐ ⇒ x R , x R − δ, x R − γ are squares 1 May 2017 7 / 14

  21. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 For E : y 2 = x ( x − γ )( x − δ ), R ∈ 2 E ( F p 2 ) ⇐ ⇒ x R , x R − δ, x R − γ are squares 1 May 2017 7 / 14

  22. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 2 If x 3 R + Ax 2 R + x R is not a square, goto 1 1 May 2017 7 / 14

  23. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 2 If x 3 R + Ax 2 R + x R is not a square, goto 1 � x 3 R + Ax 2 3 Set R ← ( x R , R + x R ) 1 May 2017 7 / 14

  24. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 2 If x 3 R + Ax 2 R + x R is not a square, goto 1 � x 3 R + Ax 2 3 Set R ← ( x R , R + x R ) 4 Set R ← [3 239 ] R 1 May 2017 7 / 14

  25. Finding a canonical basis Find R , S such that E [2 372 ] = � R , S � , where 2 372 3 239 � 2 . � # E ( F p 2 ) = Finding an element of order 2 372 1 Deterministically pick a non-square x R ∈ F p 2 2 If x 3 R + Ax 2 R + x R is not a square, goto 1 � x 3 R + Ax 2 3 Set R ← ( x R , R + x R ) 4 Set R ← [3 239 ] R Finding a canonical basis of E [2 372 ] 1 Pick R ∈ E ( F p 2 ) of order 2 372 2 Pick S ∈ E ( F p 2 ) of order 2 372 3 If E [2 372 ] � = � R , S � , goto 2. 1 May 2017 7 / 14

  26. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S 1 May 2017 8 / 14

  27. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 0 ← f 0 ( S ) . . . 1 May 2017 8 / 14

  28. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 1 ← f n , R f 0 ← f 0 ( S ) f 1 ← f 1 ( P ) . . . . . . 1 May 2017 8 / 14

  29. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 0 ← f 0 ( S ) f 1 ← f 0 ( P ) . . . . . . 1 May 2017 8 / 14

  30. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 2 ← f n , R f 0 ← f 0 ( S ) f 1 ← f 0 ( P ) f 2 ← f 2 ( Q ) . . . . . . . . . 1 May 2017 8 / 14

  31. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 0 ← f 0 ( S ) f 1 ← f 0 ( P ) f 2 ← f 0 ( Q ) . . . . . . . . . 1 May 2017 8 / 14

  32. Transferring to µ n via reduced Tate pairing Transfer the discrete logs to µ n e β = e ( R , P ) e δ = e ( R , Q ) e = e ( R , S ) e − α = e ( S , P ) e − γ = e ( S , Q ) such that P = α R + β S and Q = γ R + δ S e ( R , S ) e ( R , P ) e ( R , Q ) e ( S , P ) e ( S , Q ) f 0 ← f n , R f 3 ← f n , S f 0 ← f 0 ( S ) f 1 ← f 0 ( P ) f 2 ← f 0 ( Q ) f 3 ← f 3 ( P ) . . . . . . . . . . . . 1 May 2017 8 / 14

Recommend

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference Engine Song Han CVA group, Stanford University Apr 7, 2016 1 Intro about me and my advisor Fourth year PhD with Prof. Bill Dally at Stanford.

2.06k views • 70 slides
Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference

Deep Compression and EIE: Deep Neural Network Model Compression and Efficient Inference Engine Song Han CVA group, Stanford University Jan 6, 2015 A few words about us Fourth year PhD with Prof. Bill Dally at Stanford.

966 views • 54 slides
Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross DaMoN 2015, Melbourne, Victoria, Australia Databases & Compression Process data on disk Nearly unlimited capacity Affects query

490 views • 48 slides
GAN Compression: Efficient Architectures for Interactive Conditional GANs Muyang Li 1,3 , Ji Lin 1

GAN Compression: Efficient Architectures for Interactive Conditional GANs Muyang Li 1,3 , Ji Lin 1

GAN Compression: Efficient Architectures for Interactive Conditional GANs Muyang Li 1,3 , Ji Lin 1 , Yaoyao Ding 1,3 , Zhijian Liu 1 , Jun-Yan Zhu 2 , and Song Han 1 1 Massachusetts Institute of Technology 2 Adobe Research. 3 Shanghai Jiao Tong

442 views • 15 slides
Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck,

Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck,

Background Semantically-informed byte-level compression User-level semantic compression Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck, Carlos Maltzahn, Scott Brandt { adamcrume,buck,carlosm,scott }

739 views • 22 slides
Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1 2 2047 2 2048 1 . Thanks to: University of Illinois at Chicago User knows prime factors of . NSF CCR9983950

768 views • 53 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine

Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine

Towards Efficient Video Compression Using Scalable Vector Graphics on the Cell Broadband Engine Andreea Sandu, Emil Slusanschi, Alin Murarasu, Andreea Serban, Alexandru Herisanu, Teodor Stoenescu University Politehnica of Bucharest Computer

447 views • 21 slides
Energy Efficient Distributed JPEG2000 Image Compression in Multihop Wireless Networks Huaming Wu

Energy Efficient Distributed JPEG2000 Image Compression in Multihop Wireless Networks Huaming Wu

Energy Efficient Distributed JPEG2000 Image Compression in Multihop Wireless Networks Huaming Wu & Alhussein A. Abouzeid Dept. of Electrical, Computer and Systems Engineering Rensselaer Polytechnic Institute Troy, New York 12180, USA

383 views • 35 slides
Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should

Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should

Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should be given out Private-key: remains always secret An operation performed by one key in the pair can be inversed only by the other key

267 views • 13 slides
Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P = D(K D ,C) Often, works the other way, too Lecture 4 Page 1 CS 236 Online History of Public Key Cryptography Invented by Diffie and

618 views • 24 slides
CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory

CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory

CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory Updates Xueliang Wei, Dan Feng, Wei Tong, Jingning Liu, Chengning Wang, Liuqing Ye Huazhong University of Science and Technology Persistent Memory

817 views • 38 slides
2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys > 100 uses 4450 keys > 1000 uses An excursion in to the world of OSM tagging presets Simon Poole, SOtM 2018 In the beginning Bus

686 views • 50 slides
Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael Backes, Lucjan Hanzlik, Kamil Kluzcniak, Jonas Schneider This Talk New primitive! Signatures with Flexible Public Key Applications to

1.11k views • 56 slides
1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

TECS Week 2005 Key Management Options Key Management Protocols Out of band and Compositionality Can set up some keys this way (Kerberos) Public-key infrastructure (PKI) Leverage small # of public signing keys Protocols for

282 views • 5 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
waveSZ: A Hardware-Algorithm Co-Design of Efficient Lossy Compression for Scientific Data The

waveSZ: A Hardware-Algorithm Co-Design of Efficient Lossy Compression for Scientific Data The

waveSZ: A Hardware-Algorithm Co-Design of Efficient Lossy Compression for Scientific Data The University of Alabama Jiannan Tian Sheng Di Argonne National Laboratory Chengming Zhang The University of Alabama Xin Liang University of

545 views • 21 slides
Random Access Archives for Efficient Compression of Many Small Files or Avoiding the void

Random Access Archives for Efficient Compression of Many Small Files or Avoiding the void

Introduction Current Methods New Archiving Method Soup Generator Conclusion Random Access Archives for Efficient Compression of Many Small Files or Avoiding the void Robert Jan Hensing July 8, 2011 Introduction Current Methods New

524 views • 24 slides
From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg in browsers gzip, pkzip, compress, zip, ... for files (stacker?) Lossy compression, Lossless compression Huffman coding possible to

275 views • 6 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
Efficient Neural Network Compression Namhoon Lee University of Oxford 3 May 2019 A Challenge in

Efficient Neural Network Compression Namhoon Lee University of Oxford 3 May 2019 A Challenge in

Efficient Neural Network Compression Namhoon Lee University of Oxford 3 May 2019 A Challenge in Deep Learning: Overparameterization Large neural networks require: memory & computations power consumption A Challenge in Deep Learning:

722 views • 49 slides
Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression Background Focus on spatial compression Best in class lossy compressor Point wise max error bound: 10 -5 Open questions Random noise

564 views • 19 slides
Public Key Infrastructures Using PKC to solve network security problems Distributing public

Public Key Infrastructures Using PKC to solve network security problems Distributing public

Public Key Infrastructures Using PKC to solve network security problems Distributing public keys P keys allow parties to share secrets over unprotected channels Extremely useful in an open network: Parties are not under a single

420 views • 21 slides
Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler

Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler

Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler August 2018 DEF CON 26 Public keys what for? Break them! Retrieve the private keys Show how easy it is If we can do it

684 views • 31 slides

More recommend