fast and simple constant time hashing to the bls12 381
play

Fast and simple constant-time hashing to the BLS12-381 elliptic - PowerPoint PPT Presentation

May 24, 2023 •109 likes •1.38k views

Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!) Riad S. Wahby, Dan Boneh Stanford December 3 rd , 2019 Motivation Our initial motivation: BLS signatures [BLS01] Motivation Our initial

  1. Attempt #2: hash and check HashToCurve H&C (msg): ✗ ctr ← 0 y ← ⊥ while y = ⊥ : x ← H p (ctr || msg) ctr ← ctr + 1 ySq ← x 3 + ax + b y ← sqrt( ySq ) // ⊥ if ySq is non-square P ← ( x , y ) return [ h ] P // map to G via cofactor mul Not constant time; “bad” inputs are common.

  2. Attempt #2: hash and check HashToCurve H&C (msg): ✗ ctr ← 0 y ← ⊥ while y = ⊥ : x ← H p (ctr || msg) ctr ← ctr + 1 ySq ← x 3 + ax + b y ← sqrt( ySq ) // ⊥ if ySq is non-square P ← ( x , y ) return [ h ] P // map to G via cofactor mul Not constant time; “bad” inputs are common. Loop a fixed number of times?

  3. Attempt #2: hash and check HashToCurve H&C (msg): ✗ ctr ← 0 y ← ⊥ while y = ⊥ : x ← H p (ctr || msg) ctr ← ctr + 1 ySq ← x 3 + ax + b y ← sqrt( ySq ) // ⊥ if ySq is non-square P ← ( x , y ) return [ h ] P // map to G via cofactor mul Not constant time; “bad” inputs are common. ✗ Loop a fixed number of times? Slow; well-meaning “optimization” breaks CT.

  4. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5:

  5. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp

  6. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp y 2 = x 3 + b y 2 − b � 3 = ⇒ x =

  7. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp

  8. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp

  9. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp

  10. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp

  11. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp

  12. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  13. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  14. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  15. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  16. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] ✗ p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] ✗ p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  17. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] none 3 exp SWU [Ulas07] ✗ p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] ✗ p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] ✗ b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  18. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] ✓ none 3 exp SWU [Ulas07] ✗ p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] ✗ p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] ✗ b � = 0, 2 | # E ( F p ) 1 exp This work ab � = 0 1 exp + exp none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  19. Deterministic maps to elliptic curves M : F p → E ( F p ), where E : y 2 = x 3 + ax + b and p > 5: Map M Restrictions Cost [BF01] ✗ p ≡ 2 mod 3, a = 0 1 exp [SW06] ✓ none 3 exp SWU [Ulas07] ✗ p ≡ 3 mod 4, ab � = 0 3 exp [Icart09] ✗ p ≡ 2 mod 3 1 exp S-SWU [BCIMRT10] ✗ p ≡ 3 mod 4, ab � = 0 2 exp Elligator [BHKL13] ✗ b � = 0, 2 | # E ( F p ) 1 exp This work ✗ ab � = 0 1 exp + exp ✓ none 1 BLS12-381: p ≡ 1 mod 3, a = 0, 2 ∤ # E ( F p ) [SS04,Ska05,FSV09,FT10a,FT10b,KLR10,CK11,Far11,FT12,FJT13,BLMP19. . . ]

  20. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4

  21. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4 � One of f ( X i ), i ∈ { 1, 2, 3 } must be square ⇒ that X i must be an x-coordinate on E ( F p )

  22. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4 Idea #2: Construct a map F p �→ V ( F p ), yielding polynomials X 1 ( t ), X 2 ( t ), X 3 ( t ).

  23. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4 Idea #2: Construct a map F p �→ V ( F p ), yielding polynomials X 1 ( t ), X 2 ( t ), X 3 ( t ).  � ( X 1 ( t ), f ( X 1 ( t ))) if f ( X 1 ( t )) is square, else   SW( t ) � � ( X 2 ( t ), f ( X 2 ( t ))) if f ( X 2 ( t )) is square, else  � ( X 3 ( t ), f ( X 3 ( t ))) 

  24. The Shallue–van de Woestijne map [SW06] (high level) E : y 2 = f ( x ) = x 3 + ax + b Idea #1 (Ska� lba): For X 1 , X 2 , X 3 , X 4 � = 0, let V ( F p ) : f ( X 1 ) · f ( X 2 ) · f ( X 3 ) = X 2 4 Idea #2: Construct a map F p �→ V ( F p ), yielding polynomials X 1 ( t ), X 2 ( t ), X 3 ( t ).  � ( X 1 ( t ), f ( X 1 ( t ))) if f ( X 1 ( t )) is square, else   SW( t ) � � ( X 2 ( t ), f ( X 2 ( t ))) if f ( X 2 ( t )) is square, else  � ( X 3 ( t ), f ( X 3 ( t )))  � constant-time cost dominated by 3 exps (recall: Legendre symbol in F p ops is 1 exp)

  25. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G

  26. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G

  27. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G

  28. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G

  29. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G � Can use a faster method for cofactor clearing: • via endomorphisms [GLV01,SBCDK09,FKR11,BP18] • via subgroup structure [S19 (see WB19, § 5)]

  30. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G Possible issue: M is not a bijection: # E ( F p ) � = p � output distribution is nonuniform

  31. Hash functions from deterministic maps Compose H p and M in a natural way: HashToCurve NU (msg) : // { 0, 1 } ⋆ �→ F p t ← H p (msg) P ← M ( t ) // F p �→ E ( F p ) return [ h ] P // E ( F p ) �→ G Possible issue: M is not a bijection: # E ( F p ) � = p � output distribution is nonuniform This could be OK—but what if we need uniformity?

  32. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P

  33. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P

  34. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P

  35. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P

  36. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P � [ x ]ˆ P acts as a “one-time pad”

  37. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P P ← P 1 + P 2 return [ h ] P � [ x ]ˆ P acts as a “one-time pad” � HashToCurve OTP is indifferentiable from RO [MRH05]

  38. Uniform hashing from deterministic maps [BCIMRT10] For some distinguished point ˆ P ∈ G : HashToCurve OTP (msg) : P 1 ← M ( H p (msg)) x ← H q (msg) P 2 ← [ x ]ˆ P // ✗ expensive P ← P 1 + P 2 return [ h ] P � [ x ]ˆ P acts as a “one-time pad” � HashToCurve OTP is indifferentiable from RO [MRH05]

  39. Faster uniform hashing from deterministic maps Problem: point multiplication is usually much more expensive than evaluating M .

  40. Faster uniform hashing from deterministic maps Problem: point multiplication is usually much more expensive than evaluating M . Idea [BCIMRT10,FFSTV13]: HashToCurve(msg) : P 1 ← M ( H p (0 || msg)) P 2 ← M ( H p (1 || msg)) P ← P 1 + P 2 return [ h ] P

  41. Faster uniform hashing from deterministic maps Problem: point multiplication is usually much more expensive than evaluating M . Idea [BCIMRT10,FFSTV13]: HashToCurve(msg) : P 1 ← M ( H p (0 || msg)) P 2 ← M ( H p (1 || msg)) P ← P 1 + P 2 return [ h ] P

  42. Faster uniform hashing from deterministic maps Problem: point multiplication is usually much more expensive than evaluating M . Idea [BCIMRT10,FFSTV13]: HashToCurve(msg) : P 1 ← M ( H p (0 || msg)) P 2 ← M ( H p (1 || msg)) P ← P 1 + P 2 return [ h ] P � Indifferentiable from RO if M is well distributed ✓ All of the M we’ve seen are well distributed.

  43. Roadmap 1. Hash functions to elliptic curves 2. Optimizing the map of [BCIMRT10] 3. Evaluation results 4. IETF standardization efforts

  44. The Simplified SWU map [BCIMRT10] E : y 2 = f ( x ) = x 3 + ax + b , ab � = 0 Idea: pick x s.t. f ( ux ) = u 3 f ( x ). � For u non-square ∈ F p , f ( x ) or f ( ux ) is square.

  45. The Simplified SWU map [BCIMRT10] E : y 2 = f ( x ) = x 3 + ax + b , ab � = 0 Idea: pick x s.t. f ( ux ) = u 3 f ( x ). � For u non-square ∈ F p , f ( x ) or f ( ux ) is square. u 3 x 3 + aux + b = u 3 ( x 3 + ax + b ) � � x = − b 1 ∴ 1 + u 2 + u a

  46. The Simplified SWU map [BCIMRT10] E : y 2 = f ( x ) = x 3 + ax + b , ab � = 0 Idea: pick x s.t. f ( ux ) = u 3 f ( x ). � For u non-square ∈ F p , f ( x ) or f ( ux ) is square. u 3 x 3 + aux + b = u 3 ( x 3 + ax + b ) � � x = − b 1 ∴ 1 + u 2 + u a � If p ≡ 3 mod 4, u = − t 2 is non-square

  47. The Simplified SWU map [BCIMRT10] E : y 2 = f ( x ) = x 3 + ax + b , ab � = 0 Idea: pick x s.t. f ( ux ) = u 3 f ( x ). � For u non-square ∈ F p , f ( x ) or f ( ux ) is square. u 3 x 3 + aux + b = u 3 ( x 3 + ax + b ) � � x = − b 1 ∴ 1 + u 2 + u a � If p ≡ 3 mod 4, u = − t 2 is non-square, so: � � X 0 ( t ) � − b 1 X 1 ( t ) � − t 2 X 0 ( t ) 1 + t 4 − t 2 a

  48. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise

  49. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise Attempt #1 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) p +1 y 0 ← f ( x 0 ) // ✗ expensive 4 x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) p +1 y 1 ← f ( x 1 ) // ✗ expensive 4 if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 )

  50. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise Attempt #1 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) p +1 y 0 ← f ( x 0 ) // ✗ expensive 4 x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) p +1 y 1 ← f ( x 1 ) // ✗ expensive 4 if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 )

  51. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise Attempt #1 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) p +1 y 0 ← f ( x 0 ) // ✗ expensive 4 x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) p +1 y 1 ← f ( x 1 ) // ✗ expensive 4 if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 )

  52. Evaluating the S-SWU map � � ( X 0 ( t ), f ( X 0 ( t ))) if f ( X 0 ( t )) is square S-SWU( t ) � � ( X 1 ( t ), f ( X 1 ( t ))) otherwise Attempt #1 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) p +1 y 0 ← f ( x 0 ) // ✗ expensive 4 x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) p +1 y 1 ← f ( x 1 ) // ✗ expensive 4 if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 ) Requires two exponentiations! Can we do better?

  53. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4

  54. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 )

  55. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 ) p +1 4 . Can we use this? � We have f ( x 0 )

  56. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 ) p +1 4 . Can we use this? � We have f ( x 0 ) � 2 � p +1 p +1 p − 1 2 = f ( x 0 ) · f ( x 0 ) f ( x 0 ) = f ( x 0 ) 4 2

  57. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 ) p +1 4 . Can we use this? � We have f ( x 0 ) � 2 � p +1 p +1 p − 1 2 = f ( x 0 ) · f ( x 0 ) f ( x 0 ) = f ( x 0 ) 4 2 Legendre symbol!

  58. Eliminating an exponentiation Recall: f ( x 1 ) = − t 6 f ( x 0 ). So: � p +1 p +1 4 = − t 6 f ( x 0 ) � f ( x 1 ) 4 = t 3 ( − f ( x 0 )) p +1 4 = t 3 � − f ( x 0 ) p +1 4 . Can we use this? � We have f ( x 0 ) � 2 � p +1 p +1 p − 1 2 = f ( x 0 ) · f ( x 0 ) f ( x 0 ) = f ( x 0 ) 4 2 = − f ( x 0 ) if f ( x 0 ) is non-square p +1 4 is � ✓ f ( x 0 ) − f ( x 0 ) when f ( x 0 ) is non-square!

  59. Evaluating the S-SWU map—faster! Attempt #2 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) y 0 ← f ( x 0 ) ( p +1) / 4 // ✗ expensive x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) y 1 ← t 3 y 0 // ✓ cheap! if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 )

  60. Evaluating the S-SWU map—faster! Attempt #2 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) y 0 ← f ( x 0 ) ( p +1) / 4 // ✗ expensive x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) y 1 ← t 3 y 0 // ✓ cheap! if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 ) ✓ Prior work [BDLSY12] lets us avoid inversions.

  61. Evaluating the S-SWU map—faster! Attempt #2 (assume p ≡ 3 mod 4): x 0 ← X 0 ( t ) y 0 ← f ( x 0 ) ( p +1) / 4 // ✗ expensive x 1 ← − t 2 x 0 // a.k.a. X 1 ( t ) y 1 ← t 3 y 0 // ✓ cheap! if y 2 0 = f ( x 0 ): return ( x 0 , y 0 ) else: return ( x 1 , y 1 ) ✓ Prior work [BDLSY12] lets us avoid inversions. ✓ Straightforward to generalize to p ≡ 1 mod 4.

  62. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare.

  63. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2

  64. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2 Legendre symbol!

  65. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2 4 = √ z p +3 8 · 1 − 1 z

  66. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2 4 = √ z p +3 8 · 1 − 1 z So we want: � � ξ 3 t 6 f ( x 0 ) f ( x 1 ) = � p +3 8 · 1 − 1 = t 3 � ξ 3 f ( x 0 ) 4

  67. Generalizing: the p ≡ 5 mod 8 case -1 is square in F p ⇒ need u = ξ t 2 for ξ nonsquare. Recall Atkin’s square-root trick: � 1 � 2 � � p +3 p − 1 2 z = z · z 8 2 4 = √ z p +3 8 · 1 − 1 z So we want: � � ξ 3 t 6 f ( x 0 ) f ( x 1 ) = � p +3 8 · 1 − 1 = t 3 � ξ 3 f ( x 0 ) 4 ξ 3 � p +3 � � ξ is fixed, so we can preompute 8

Recommend

Uniform Hashing in Constant Time and Linear Space Anna Ostlin and Rasmus Pagh IT University

Uniform Hashing in Constant Time and Linear Space Anna Ostlin and Rasmus Pagh IT University

Uniform Hashing in Constant Time and Linear Space Anna Ostlin and Rasmus Pagh IT University of Copenhagen STOC 2003, San Diego Presented by Martin Dietzfelbinger TU Ilmenau Uniform hashing U Uniform hashing assumption: h V h maps

279 views • 14 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.5k views • 58 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.25k views • 98 slides
Fast Constant-Time GCD Computation and Modular Inversion Daniel J. Bernstein 1,2 Bo-Yin Yang 3 1

Fast Constant-Time GCD Computation and Modular Inversion Daniel J. Bernstein 1,2 Bo-Yin Yang 3 1

Fast Constant-Time GCD Computation and Modular Inversion Daniel J. Bernstein 1,2 Bo-Yin Yang 3 1 University of Illinois at Chicago 2 Ruhr Universt at Bochum 3 Academia Sinica Monday, August 26, 2019 Summary: Fast, Safe GCD and Inversions

431 views • 23 slides
Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on ARM Cortex-M Alexandre Adomnicai 1,2 Zakaria Najm 1,2,3 Thomas Peyrin 1,2 1 Nanyang Technological University, Singapore 2 Temasek Laboratories,

457 views • 34 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing? Distribute key/value pairs across bins with a hash function , Hashing Performance Hashing (Application of Probability) which maps elements from

497 views • 3 slides
Discrete Hashing Fast, scalable retrieval and classification Fumin Shen Center for Future Media,

Discrete Hashing Fast, scalable retrieval and classification Fumin Shen Center for Future Media,

Discrete Hashing Fast, scalable retrieval and classification Fumin Shen Center for Future Media, University of Electronic Science and Technology of China Outline Introduction to Hashing Discrete optimization for Hashing Applications

818 views • 48 slides
10. Repetition Binary Search Trees and Disadvantages of hashing: linear access time in worst case.

10. Repetition Binary Search Trees and Disadvantages of hashing: linear access time in worst case.

Dictionary implementation Hashing: implementation of dictionaries with expected very fast access times. 10. Repetition Binary Search Trees and Disadvantages of hashing: linear access time in worst case. Some Heaps operations not supported at

173 views • 16 slides
Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Lecture 8 Hashing I 6.006 Fall 2011 Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing Hashing Chaining Simple uniform hashing Good hash functions Dictionary Problem Abstract

452 views • 21 slides
McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands October 13, 2015 Joint work with Daniel J. Bernstein and Peter Schwabe Outline Summary of Our Work Background Main

439 views • 32 slides
14. Hashing Gloal: Efficient management of a table of all n ETH-students of Possible Requirement:

14. Hashing Gloal: Efficient management of a table of all n ETH-students of Possible Requirement:

Motivating Example 14. Hashing Gloal: Efficient management of a table of all n ETH-students of Possible Requirement: fast access (insertion, removal, find) of a Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using dataset by name

158 views • 15 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

625 views • 41 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

823 views • 46 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

643 views • 52 slides
McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University

902 views • 43 slides
Linear probing with constant independence Anna Pagh, Rasmus Pagh, and Milan Ru i IT

Linear probing with constant independence Anna Pagh, Rasmus Pagh, and Milan Ru i IT

Linear probing with constant independence Anna Pagh, Rasmus Pagh, and Milan Ru i IT University of Copenhagen STOC 2007 Hashing with linear probing Hashing with linear probing Hashing with linear probing Hashing with linear probing

827 views • 48 slides
Lecture 8 HASHING!!!!! Announcements HW3 due Friday! HW4 posted Friday! Today: hashing

Lecture 8 HASHING!!!!! Announcements HW3 due Friday! HW4 posted Friday! Today: hashing

Lecture 8 HASHING!!!!! Announcements HW3 due Friday! HW4 posted Friday! Today: hashing # 1 NIL 22 2 NIL 13 43 3 NIL 9 9 NIL n=9 buckets Outline Hash tables are another sort of data structure that allows fast

966 views • 59 slides
Hashing and Dictionaries 15-110 Monday 03/02 Learning Goals Understand how and why hashing

Hashing and Dictionaries 15-110 Monday 03/02 Learning Goals Understand how and why hashing

Hashing and Dictionaries 15-110 Monday 03/02 Learning Goals Understand how and why hashing makes it possible to search for values in O(1) time Compute indexes in a hashtable using a specific hash function Define the concept of a

771 views • 29 slides
Algorithmic Improvements for Fast Concurrent Cuckoo Hashing Xiaozhou

Algorithmic Improvements for Fast Concurrent Cuckoo Hashing Xiaozhou

Algorithmic Improvements for Fast Concurrent Cuckoo Hashing Xiaozhou Li ( Princeton ) David G. Andersen (CMU) Michael Kaminsky (Intel Labs) Michael J. Freedman

969 views • 38 slides
MIMA Group Fast Scalable Supervised Hashing Xin Luo 1 , Liqiang Nie 2 , Xiangnan He 3 Ye Wu 1 ,

MIMA Group Fast Scalable Supervised Hashing Xin Luo 1 , Liqiang Nie 2 , Xiangnan He 3 Ye Wu 1 ,

MIMA Group Fast Scalable Supervised Hashing Xin Luo 1 , Liqiang Nie 2 , Xiangnan He 3 Ye Wu 1 , Zhen-Duo Chen 1 , Xin-Shun Xu 1 1 Lab of M achine I ntelligence & M edia A nalysis, School of Software, Shandong University, China 2 School of

541 views • 34 slides
Space Efficient Hash Tables with Worst Case Constant Access Time Dimitris Fotakis and Peter

Space Efficient Hash Tables with Worst Case Constant Access Time Dimitris Fotakis and Peter

Fotakis/Pagh/Sanders/Spirakis: d -ary Cuckoo Hashing 1 INFORMATIK Space Efficient Hash Tables with Worst Case Constant Access Time Dimitris Fotakis and Peter Sanders (MPII) Rasmus Pagh (IT U. Copenhagen) Paul

153 views • 12 slides
Gdel Hashing matt.might.net @mattmight Disclaimer simple, fun idea simple, fun

Gdel Hashing matt.might.net @mattmight Disclaimer simple, fun idea simple, fun

Gdel Hashing matt.might.net @mattmight Disclaimer simple, fun idea simple, fun idea works well in practice, simple, fun idea works well in practice, but theory says it will not. An old problem An

2.43k views • 151 slides

More recommend