estimating size requirements for pairings simulating the
play

Estimating size requirements for pairings: Simulating the Tower-NFS - PowerPoint PPT Presentation

Dec 21, 2023 •317 likes •753 views

Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin Deschamps, Aurore Guillevic , Shashank Singh ENS Lyon, Inria Nancy, Loria, CNRS, Universit de Lorraine November 15, 1027 Elliptic Curve

  1. Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin Deschamps, Aurore Guillevic , Shashank Singh ENS Lyon, Inria Nancy, Loria, CNRS, Université de Lorraine November 15, 1027 Elliptic Curve Cryptography Conference ECC17–Nijmegen, Netherlands 1 / 35

  2. Cryptographic pairing: black-box properties ( G 1 , +) , ( G 2 , +) , ( G T , · ) three cyclic groups of large prime order ℓ Bilinear Pairing: map e : G 1 × G 2 → G T 1. bilinear: e ( P 1 + P 2 , Q ) = e ( P 1 , Q ) · e ( P 2 , Q ), e ( P , Q 1 + Q 2 ) = e ( P , Q 1 ) · e ( P , Q 2 ) 2. non-degenerate: e ( g 1 , g 2 ) � = 1 for � g 1 � = G 1 , � g 2 � = G 2 3. efficiently computable. Mostly used in practice: e ([ a ] P , [ b ] Q ) = e ([ b ] P , [ a ] Q ) = e ( P , Q ) ab . ❀ Many applications in asymmetric cryptography. 2 / 35

  3. Examples of application ◮ 1984: idea of identity-based encryption formalized by Shamir ◮ 1999: first practical identity-based cryptosystem of Sakai-Ohgishi-Kasahara ◮ 2000: constructive pairings, Joux’s tri-partite key-exchange (Triffie-Hellman) ◮ 2001: IBE of Boneh-Franklin, short signatures Boneh-Lynn-Shacham Rely on ◮ Discrete Log Problem (DLP): given g , y ∈ G , compute x s.t. g x = y Diffie-Hellman Problem (DHP) ◮ bilinear DLP and DHP Given G 1 , G 2 , G T , g 1 , g 2 , g T and y ∈ G T , compute P ∈ G 1 s.t. e ( P , g 2 ) = y , or Q ∈ G 2 s.t. e ( g 1 , Q ) = y if g x T = y then e ( g x 1 , g 2 ) = e ( g 1 , g x 2 ) = g x T = y ◮ pairing inversion problem 3 / 35

  4. Pairing setting: elliptic curves E / F p : y 2 = x 3 + ax + b , a , b ∈ F p , p ≥ 5 ◮ proposed in 1985 by Koblitz, Miller ◮ E ( F p ) has an efficient group law (chord an tangent rule) → G ◮ # E ( F p ) = p + 1 − tr , trace tr : | tr | ≤ 2 √ p ◮ efficient group order computation ( point counting ) ◮ large subgroup of prime order ℓ s.t. ℓ | p + 1 − tr and ℓ coprime to p ◮ E [ ℓ ] ≃ Z /ℓ Z ⊕ Z /ℓ Z (for crypto) ◮ only generic attacks against DLP on well-chosen genus 1 and genus 2 curves ◮ optimal parameter sizes (log 2 ℓ = log 2 p ) 4 / 35

  5. Pairings 1948 Weil pairing (accouplement) 1958 Tate pairing 1985 Miller, Koblitz: use Elliptic Curves in crypto 1986 Miller’s algorithm to compute pairings 1988 Kaliski’s implementation E / F 11 : y 2 = x 3 − x (PhD at MIT) At that time: ◮ easy to use supersingular curves for ECC: group order known 5 / 35

  6. Supersingular elliptic curves Example over F p , p ≥ 5 E : y 2 = x 3 + x / F p , p = 3 mod 4 s.t. t = 0, # E ( F p ) = p + 1. take p s.t. p + 1 = 4 · ℓ where ℓ is prime. 1993: Menezes-Okamoto-Vanstone and Frey-Rück attacks ∃ pairing e : E ( F p ) into F p 2 where DLP is much easier . Do not use supersingular curves (1993–1999) But computing a pairing is very slow : [Harasawa Shikata Suzuki Imai 99]: 161467s (112 days) on a 163-bit supersingular curve, where G T ⊂ F p 2 of 326 bits. 6 / 35

  7. Pairing-based cryptography 1999: Frey–Muller–Rück: actually, Miller Algorithm can be much faster . 2000: [Joux ANTS] Computing a pairing can be done efficiently (1s on a supersingular 528-bit curve, G T ⊂ F p 2 of 1055 bits). Weil or Tate pairing on an elliptic curve Discrete logarithm problem with one more dimension. F ∗ p n , e ([ a ] P , [ b ] Q ) = e ( P , Q ) ab e : E ( F p n )[ ℓ ] × E ( F p n )[ ℓ ] 7 / 35

  8. Pairing-based cryptography 1999: Frey–Muller–Rück: actually, Miller Algorithm can be much faster . 2000: [Joux ANTS] Computing a pairing can be done efficiently (1s on a supersingular 528-bit curve, G T ⊂ F p 2 of 1055 bits). Weil or Tate pairing on an elliptic curve Discrete logarithm problem with one more dimension. F ∗ p n , e ([ a ] P , [ b ] Q ) = e ( P , Q ) ab e : E ( F p n )[ ℓ ] × E ( F p n )[ ℓ ] Attacks 7 / 35

  9. Pairing-based cryptography 1999: Frey–Muller–Rück: actually, Miller Algorithm can be much faster . 2000: [Joux ANTS] Computing a pairing can be done efficiently (1s on a supersingular 528-bit curve, G T ⊂ F p 2 of 1055 bits). Weil or Tate pairing on an elliptic curve Discrete logarithm problem with one more dimension. F ∗ p n , e ([ a ] P , [ b ] Q ) = e ( P , Q ) ab e : E ( F p n )[ ℓ ] × E ( F p n )[ ℓ ] Attacks ◮ inversion of e : hard problem (exponential) 7 / 35

  10. Pairing-based cryptography 1999: Frey–Muller–Rück: actually, Miller Algorithm can be much faster . 2000: [Joux ANTS] Computing a pairing can be done efficiently (1s on a supersingular 528-bit curve, G T ⊂ F p 2 of 1055 bits). Weil or Tate pairing on an elliptic curve Discrete logarithm problem with one more dimension. F ∗ p n , e ([ a ] P , [ b ] Q ) = e ( P , Q ) ab e : E ( F p n )[ ℓ ] × E ( F p n )[ ℓ ] Attacks ◮ inversion of e : hard problem (exponential) ◮ discrete logarithm computation in E ( F p ) : hard problem √ (exponential, in O ( ℓ )) 7 / 35

  11. Pairing-based cryptography 1999: Frey–Muller–Rück: actually, Miller Algorithm can be much faster . 2000: [Joux ANTS] Computing a pairing can be done efficiently (1s on a supersingular 528-bit curve, G T ⊂ F p 2 of 1055 bits). Weil or Tate pairing on an elliptic curve Discrete logarithm problem with one more dimension. F ∗ p n , e ([ a ] P , [ b ] Q ) = e ( P , Q ) ab e : E ( F p n )[ ℓ ] × E ( F p n )[ ℓ ] Attacks ◮ inversion of e : hard problem (exponential) ◮ discrete logarithm computation in E ( F p ) : hard problem √ (exponential, in O ( ℓ )) ◮ discrete logarithm computation in F ∗ p n : easier, subexponential → take a large enough field 7 / 35

  12. Pairing-friendly curves ℓ | p n − 1, E [ ℓ ] ⊂ E ( F p n ), n embedding degree p n ) ℓ Tate Pairing: e : E ( F p n )[ ℓ ] × E ( F p n ) /ℓ E ( F p n ) → F ∗ p n / ( F ∗ When n is small i.e. 1 � n � 24, the curve is pairing-friendly . This is very rare: For a given curve, log n ∼ log ℓ ([Balasubramanian Koblitz]). p n p 2 , p 6 p 3 , p 4 , p 6 p 12 p 16 p 18 Curve supersingular MNT BN, BLS12 KSS16 KSS18 MNT, n = 6: p ( x ) = 4 x 2 + 1, t ( x ) = 1 ± 2 x , # E ( F p ) x 2 ∓ 2 x + 1 BN, n = 12: p ( x ) = 36 x 4 + 36 x 3 + 24 x 2 + 6 x + 1, t ( x ) = 6 x 2 + 1, r ( x ) = 36 x 4 + 36 x 3 + 18 x 2 + 6 x + 1 More in Aranha’s talk. 8 / 35

  13. security estimates [Lenstra-Verheul’01] estimates RSA key-sizes The usual security estimates use ◮ the asymptotic complexity of the best known algorithm (here NFS) ◮ the latest record computations (now 768-bit) ◮ extrapolation 9 / 35

  14. Number Field Sieve Algorithm Subexponential asymptotic complexity: L p n [ α, c ] = e ( c + o (1))(log p n ) α (log log p n ) 1 − α ◮ α = 1: exponential ◮ α = 0: polynomial ◮ 0 < α < 1: sub-exponential (including NFS) 1. polynomial selection (less than 10% of total time) 2. relation collection L p n [1 / 3 , c ] 3. linear algebra L p n [1 / 3 , c ] 4. individual discrete log computation L p n [1 / 3 , c ′ < c ] 10 / 35

  15. Example for RSA key sizes 3 , 072 s = log 2 ( L N [1 / 3 , 1 . 923]) − 14 2 , 816 s.t. log 2 N = 512 ↔ s = 50 bits 2 , 560 s = log 2 ( L N [1 / 3 , 1 . 923]) − 8 s.t. 768 ↔ 67 bits 2 , 304 log 2 N in bits 2 , 048 1 , 792 1 , 536 1 , 280 1 , 024 768 512 48 64 80 96 112 128 Equivalent symmetric security in bits 11 / 35

  16. Pairing key-sizes in the 2000’s Assumed: DLP in prime fields F p as hard as in medium and large characteristic fields F Q → take the same size as for prime fields. Security log 2 finite log 2 deg P ρ curve n level ℓ field p p = P ( u ) 128 256 3072 3072 (prime field) 256 3072 2 1536 no poly 6 supersingular 128 256 3072 3 1024 no poly 4 supersingular 256 3072 12 256 4 1 Barreto-Naehrig 640 7680 12 640 4 1 → 5/3 BN 427 7680 12 640 6 3/2 BLS12 192 384 9216 18 512 8 4/3 KSS18 384 7680 16 480 10 5/4 KSS16 384 11520 24 480 10 5/4 BLS24 12 / 35

  17. Small, medium, large characteristic Q = p n , the characteristic p is ◮ small: p = L Q [ α, c ] where α < 1 / 3 ◮ medium: p = L Q [ α, c ] where 1 / 3 < α < 2 / 3 ◮ large: p = L Q [ α, c ] where α > 2 / 3 ◮ boundary cases: p = L Q [1 / 3 , c ] and p = L Q [2 / 3 , c ] 13 / 35

  18. Estimating key sizes for DL in GF( p n ) GF( p n ) much less studied than GF( p ) or integer factorization. ◮ 2000 LUC, XTR cryptosystems: multiplicative subgroup of prime order | Φ n ( p ) (cyclotomic subgroup) of GF( p 2 ), GF( p 6 ) ◮ what is the hardness of computing DL in GF( p n ), n = 2 , 6? ◮ 2005 [Granger Vercauteren] L Q [1 / 2] ◮ 2006 Joux–Lercier–Smart–Vercauteren L Q [1 / 3 , 2 . 423] (NFS-HD) ◮ rising of pairings: what is the security of DL in GF(2 n ),GF(3 m ),GF( p 12 )? 14 / 35

  19. Asymptotic complexities Needed: ◮ asymptotic complexity (constants α, c ) ◮ record computations to scale the shape (guess the o (1)) Asymptotic complexities now: ◮ For tiny characteristic: quasi-polynomial ◮ For small characteristic: L ( α ) for α < 1 / 3 ◮ For medium and large characteristic: L (1 / 3 , c + o (1)) 15 / 35

  20. Asymptotic complexities Needed: ◮ asymptotic complexity (constants α, c ) ◮ record computations to scale the shape (guess the o (1)) Asymptotic complexities now: ◮ For tiny characteristic: quasi-polynomial ◮ For small characteristic: L ( α ) for α < 1 / 3 ◮ For medium and large characteristic: L (1 / 3 , c + o (1)) What is c for medium and large characteristic? 15 / 35

Recommend

Planning III-A: Planning III-A: Estimating Software Size - Estimating Software Size -

Planning III-A: Planning III-A: Estimating Software Size - Estimating Software Size -

Planning III-A: Planning III-A: Estimating Software Size - Estimating Software Size - Estimating Methods, Proxies Estimating Methods, Proxies AU INSY 560, Singapore 1997, Dan Turk Humphrey Ch. 5A - slide 1 Outline Outline I Review of PSP

272 views • 11 slides
Estimating web size and search engine index size Near-duplicate document detection Size of the

Estimating web size and search engine index size Near-duplicate document detection Size of the

CS490W Web Search (I I ) Luo Si Department of Computer Science Purdue University Modified Slides from Manning, C., Raghavan, P. and Schtze, H. Todays topics Estimating web size and search engine index size Near-duplicate document

193 views • 16 slides
Estimating Size and Effort Dr. James A. Bednar jbednar@inf.ed.ac.uk

Estimating Size and Effort Dr. James A. Bednar jbednar@inf.ed.ac.uk

Estimating Size and Effort Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar Dr. David Robertson dr@inf.ed.ac.uk http://www.inf.ed.ac.uk/ssp/members/dave.htm SAPM Spring 2007: Estimation 1 Estimating SW Size and

560 views • 24 slides
Estimating and Simulating a SIRD Model of COVID-19 for Many Countries, States, and Cities Jes

Estimating and Simulating a SIRD Model of COVID-19 for Many Countries, States, and Cities Jes

Estimating and Simulating a SIRD Model of COVID-19 for Many Countries, States, and Cities Jes us Fern andez-Villaverde and Chad Jones August 28, 2020 0 xkcd: Everyones an Epidemiologist Help macroeconomists with data and model 1

1.03k views • 89 slides
Estimating and Simulating a SIRD Model of COVID-19 for Many Countries, States, and Cities

Estimating and Simulating a SIRD Model of COVID-19 for Many Countries, States, and Cities

Estimating and Simulating a SIRD Model of COVID-19 for Many Countries, States, and Cities andez-Villaverde 1 Chad Jones 2 Jes us Fern May 27, 2020 1 University of Pennsylvania 2 Stanford GSB 1 Outline We want to take a basic SIRD model

869 views • 66 slides
Estimating Size and Effort Massimo Felici and Conrad Hughes mfelici@staffmail.ed.ac.uk

Estimating Size and Effort Massimo Felici and Conrad Hughes mfelici@staffmail.ed.ac.uk

Estimating Size and Effort Massimo Felici and Conrad Hughes mfelici@staffmail.ed.ac.uk conrad.hughes@ed.ac.uk http://www.inf.ed.ac.uk/teaching/courses/sapm/ Slides: Dr James A. Bednar SAPM Spring 2009: Estimation 1 Estimating SW Size and

675 views • 24 slides
Simulating and Estimating DSGE Model with Dynare Tao Zeng Wuhan University April 2016 SEM

Simulating and Estimating DSGE Model with Dynare Tao Zeng Wuhan University April 2016 SEM

Simulating and Estimating DSGE Model with Dynare Tao Zeng Wuhan University April 2016 SEM (Institute) Short Couse 04/28 1 / 68 What is Dynare? Dynare is a Matlab frontend to solve and simulate dynamic models Either deterministic or

701 views • 68 slides
A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

744 views • 72 slides
CANADAS INNOVATION GAP ESTIMATING ITS SIZE; EXPLAINING ITS CAUSES by Peter J. Nicholson,

CANADAS INNOVATION GAP ESTIMATING ITS SIZE; EXPLAINING ITS CAUSES by Peter J. Nicholson,

www.scienceadvice.ca Science Advice in the Public Interest CANADAS INNOVATION GAP ESTIMATING ITS SIZE; EXPLAINING ITS CAUSES by Peter J. Nicholson, President The Council of Canadian Academies Presentation to Socio-Economic Conference 2009

913 views • 39 slides
Estimating the Size of the Largest Families not Containing Tree-like Posets Wei-Tian Li Jerrold

Estimating the Size of the Largest Families not Containing Tree-like Posets Wei-Tian Li Jerrold

Estimating the Size of the Largest Families not Containing Tree-like Posets Wei-Tian Li Jerrold R. Griggs &amp; Linyuan Lu Department of Mathematics University of South Carolina 24th Cumberland Conference May 14th 2011 Theorem (Sperner, 1928)

467 views • 31 slides
HOW MANY? Estimating the Size of the Los Angeles County Jail Mental Health Population Appropriate

HOW MANY? Estimating the Size of the Los Angeles County Jail Mental Health Population Appropriate

2/5/2020 HOW MANY? Estimating the Size of the Los Angeles County Jail Mental Health Population Appropriate for Release into Community Services STEPHANIE BROOKS HOLLIDAY, NICHOLAS PACE, NEIL GOWENSMITH, IRA PACKER, DANIEL MURRIE, ALICIA VIRANI,

246 views • 7 slides
Function Points What is Function Point Analysis? Approach to estimating SW size, which is

Function Points What is Function Point Analysis? Approach to estimating SW size, which is

Function Points What is Function Point Analysis? Approach to estimating SW size, which is independent of language development methodology technology capability of the project team hardness of the problem

630 views • 21 slides
Outline of Presentation TOSSIM : Introduction Need for simulating sensor networks

Outline of Presentation TOSSIM : Introduction Need for simulating sensor networks

Outline of Presentation TOSSIM : Introduction Need for simulating sensor networks Accurate and Scalable Simulation Requirements for simulating sensor networks of Entire TinyOS Applications TOSSIM Overview Philip Lewis

79 views • 4 slides
Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of Engineering Aarhus University Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q ) e (

1.52k views • 55 slides
Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of Computing University of Campinas Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q

1.02k views • 58 slides
Contents Introduction Approaches and Methods for Software Size Estimation FPA Method

Contents Introduction Approaches and Methods for Software Size Estimation FPA Method

Estimating Software Size and Effort Software Size and Effort Estimation Dr. Ale ivkovi , CISA, PRINCE 2 University of Maribor, Slovenia Faculty of Electrical Engineering and Computer Science e-mail: ales.zivkovic@uni-mb.si

800 views • 38 slides
Simulating Complex Power- Ground Plane Shapes with Variable-Size Cell SPICE Grids Istvan Novak,

Simulating Complex Power- Ground Plane Shapes with Variable-Size Cell SPICE Grids Istvan Novak,

Simulating Complex Power- Ground Plane Shapes with Variable-Size Cell SPICE Grids Istvan Novak, Jason R. Miller, Eric Blomberg SUN Microsystems, Inc. One Network Drive, Burlington, MA 01803 Complex plane shapes 1 EPEP2002 Outline

372 views • 23 slides
Estimating the size and impact of Affirmative Action in South African Higher Education Andrew Kerr

Estimating the size and impact of Affirmative Action in South African Higher Education Andrew Kerr

Estimating the size and impact of Affirmative Action in South African Higher Education Andrew Kerr 1 Patrizio Piraino 2 Vimal Ranchhod 3 1 DataFirst, University of Cape Town 2 School of Economics, UCT 3 SALDRU, UCT UNU-WIDER Conference on

500 views • 17 slides
On Estimating the Size and Confidence of a Statistical Audit Raluca A. Popa and Ronald L. Rivest

On Estimating the Size and Confidence of a Statistical Audit Raluca A. Popa and Ronald L. Rivest

On Estimating the Size and Confidence of a Statistical Audit Raluca A. Popa and Ronald L. Rivest Javed A. Aslam College of Computer and Computer Science and Artificial Information Science Intelligence Laboratory Northeastern University

322 views • 20 slides
Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert Inria Bordeaux Sud-Ouest Millers algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Outline

676 views • 50 slides
Estimating the Size of Hidden Populations based on Partially-Observed Network Data Mark S.

Estimating the Size of Hidden Populations based on Partially-Observed Network Data Mark S.

Estimating the Size of Hidden Populations based on Partially-Observed Network Data Mark S. Handcock Krista J. Gile Department of Statistics Department of Mathematics University of California University of Massachusetts - Los Angeles -

776 views • 55 slides
Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David Lubicz, Damien Robert June 6, 2013 Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Outline 1

833 views • 33 slides
Pairings implementation in the PARI computer algebra system (explained by a mere programmer)

Pairings implementation in the PARI computer algebra system (explained by a mere programmer)

Pairings implementation in the PARI computer algebra system (explained by a mere programmer) jerome.milan (at) lix.polytechnique.fr Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI

739 views • 51 slides
Estimating Estimating Covariance . . . Statistical Characteristics Estimating . . . Proof of

Estimating Estimating Covariance . . . Statistical Characteristics Estimating . . . Proof of

Need for Estimating . . . Case of Interval . . . Need to Preserve . . . Computing E under . . . Estimating Estimating Covariance . . . Statistical Characteristics Estimating . . . Proof of the First . . . Under Interval Uncertainty Toward

696 views • 46 slides

More recommend