hard to compute bits for elliptic curve based one way
play

Hard-to-Compute Bits for Elliptic Curve-Based One-Way Functions - PowerPoint PPT Presentation

Nov 26, 2023 •126 likes •757 views

Hard-to-Compute Bits for Elliptic Curve-Based One-Way Functions Alexandre Duc 1 Dimitar Jetchev 1 1 EPFL, Switzerland Crypto2012, August 23rd, 2012, Santa Barbara, CA Alexandre Duc , Dimitar Jetchev Security of Individual Bits Alexandre Duc

  1. Hard-to-Compute Bits for Elliptic Curve-Based One-Way Functions Alexandre Duc 1 Dimitar Jetchev 1 1 EPFL, Switzerland Crypto’2012, August 23rd, 2012, Santa Barbara, CA Alexandre Duc , Dimitar Jetchev

  2. Security of Individual Bits Alexandre Duc , Dimitar Jetchev

  3. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), Alexandre Duc , Dimitar Jetchev

  4. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), G - a large cyclic subgroup of points on E , Alexandre Duc , Dimitar Jetchev

  5. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), G - a large cyclic subgroup of points on E , e : G × G → G T - a cryptographic pairing, Alexandre Duc , Dimitar Jetchev

  6. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), G - a large cyclic subgroup of points on E , e : G × G → G T - a cryptographic pairing, By fixing the second argument, one gets f Q : G → G T , f Q ( • ) = e ( • , Q ) Alexandre Duc , Dimitar Jetchev

  7. Pairing-based One-Way and FAPI-2 E / F p - elliptic curve ( p is a prime), G - a large cyclic subgroup of points on E , e : G × G → G T - a cryptographic pairing, By fixing the second argument, one gets f Q : G → G T , f Q ( • ) = e ( • , Q ) FAPI-2 problem is the problem of inverting this function Alexandre Duc , Dimitar Jetchev

  8. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Alexandre Duc , Dimitar Jetchev

  9. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Alexandre Duc , Dimitar Jetchev

  10. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Joux: three-party one-round key agreement protocol Alexandre Duc , Dimitar Jetchev

  11. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Joux: three-party one-round key agreement protocol Hess: identity-based signature scheme Alexandre Duc , Dimitar Jetchev

  12. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Joux: three-party one-round key agreement protocol Hess: identity-based signature scheme FAPI-2 is Hard! Solving FAPI-1 and FAPI-2 yields a solution to CDH. Alexandre Duc , Dimitar Jetchev

  13. Why is FAPI-2 relevant? The security of the following schemes relies on the hardness of solving FAPI-2: Boneh–Franklin: identity-based encryption scheme Joux: three-party one-round key agreement protocol Hess: identity-based signature scheme FAPI-2 is Hard! Solving FAPI-1 and FAPI-2 yields a solution to CDH. Our Contribution Assuming the hardness of FAPI-2, we show that all the bits of the input to the pairing-based one-way function are secure. Alexandre Duc , Dimitar Jetchev

  14. Elliptic Curves, Weierstrass Equations, Isomorphism Classes (Short) Weierstrass Equations Equations E a , b : y 2 = x 3 + ax + b , a , b ∈ F p , 4 a 3 + 27 b 2 � = 0. Alexandre Duc , Dimitar Jetchev

  15. Elliptic Curves, Weierstrass Equations, Isomorphism Classes (Short) Weierstrass Equations Equations E a , b : y 2 = x 3 + ax + b , a , b ∈ F p , 4 a 3 + 27 b 2 � = 0. Two Weierstrass equations might represent isomorphic curves. Alexandre Duc , Dimitar Jetchev

  16. Elliptic Curves, Weierstrass Equations, Isomorphism Classes (Short) Weierstrass Equations Equations E a , b : y 2 = x 3 + ax + b , a , b ∈ F p , 4 a 3 + 27 b 2 � = 0. Two Weierstrass equations might represent isomorphic curves. Isomorphism classes Two elliptic curves E a , b and E a ′ , b ′ are isomorphic (over F p ) if and only if a ′ = λ − 4 a , b ′ = λ − 6 b for some λ ∈ F × p . The isomorphism between E a , b and E a ′ , b ′ is given by ( x , y ) �→ ( λ 2 x , λ 3 y ) . Alexandre Duc , Dimitar Jetchev

  17. Elliptic Curves, Weierstrass Equations, Isomorphism Classes (Short) Weierstrass Equations Equations E a , b : y 2 = x 3 + ax + b , a , b ∈ F p , 4 a 3 + 27 b 2 � = 0. Two Weierstrass equations might represent isomorphic curves. Isomorphism classes Two elliptic curves E a , b and E a ′ , b ′ are isomorphic (over F p ) if and only if a ′ = λ − 4 a , b ′ = λ − 6 b for some λ ∈ F × p . The isomorphism between E a , b and E a ′ , b ′ is given by ( x , y ) �→ ( λ 2 x , λ 3 y ) . Each isomorphism class thus contains precisely p − 1 short Weierstrass equations. Alexandre Duc , Dimitar Jetchev

  18. The main result All bits of the pairing-based OWF are hard-to-compute If there is an oracle that predicts the k th bit of the input to f Q on a significant fraction of all short Weierstrass equations in an isomorphism class then there is an efficient algorithm to invert f Q . Alexandre Duc , Dimitar Jetchev

  19. The main result All bits of the pairing-based OWF are hard-to-compute If there is an oracle that predicts the k th bit of the input to f Q on a significant fraction of all short Weierstrass equations in an isomorphism class then there is an efficient algorithm to invert f Q . Conclusion Thus, if FAPI-2 is hard, all the bits of the input of the pairing-based OWF are hard-to-compute. Alexandre Duc , Dimitar Jetchev

  20. Elliptic Curve-Based OWFs The result is in fact much more general as few properties of the pairing-based function f Q are used. Alexandre Duc , Dimitar Jetchev

  21. Elliptic Curve-Based OWFs The result is in fact much more general as few properties of the pairing-based function f Q are used. Bit Security for EC-based OWFs Let G be an elliptic curve group and f : G → G T be any function with the property that its definition is independent of the choice of short Weierstrass equation in the isomorphism class (e.g., the pairing-based OWF). Assuming that inverting f is hard, every bit of the input to f is secure. Alexandre Duc , Dimitar Jetchev

  22. Elliptic Curve-Based OWFs The result is in fact much more general as few properties of the pairing-based function f Q are used. Bit Security for EC-based OWFs Let G be an elliptic curve group and f : G → G T be any function with the property that its definition is independent of the choice of short Weierstrass equation in the isomorphism class (e.g., the pairing-based OWF). Assuming that inverting f is hard, every bit of the input to f is secure. Open Question: Are there other cryptographically interesting EC-based OWFs besides the pairing-based functions for which this result could apply? Alexandre Duc , Dimitar Jetchev

  23. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Alexandre Duc , Dimitar Jetchev

  24. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Alexandre Duc , Dimitar Jetchev

  25. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Alexandre Duc , Dimitar Jetchev

  26. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, Alexandre Duc , Dimitar Jetchev

  27. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, List-decoding via Fourier transforms: Alexandre Duc , Dimitar Jetchev

  28. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, List-decoding via Fourier transforms: Codewords viewed as functions on F × p , Alexandre Duc , Dimitar Jetchev

  29. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, List-decoding via Fourier transforms: Codewords viewed as functions on F × p , Heavy Fourier coefficients: computation of heavy Fourier coefficients (a version of the SFT algorithm by Akavia–Goldwasser–Safra) Alexandre Duc , Dimitar Jetchev

  30. Outline of the Method Define a code - elliptic curve multiplication code (ECMC), Codewords are in bijection with the inputs to the OWF, Use oracle to get a noisy codeword close to the hidden input, Inverting the function ⇔ list-decoding, List-decoding via Fourier transforms: Codewords viewed as functions on F × p , Heavy Fourier coefficients: computation of heavy Fourier coefficients (a version of the SFT algorithm by Akavia–Goldwasser–Safra) Recoverability: for a given frequency, find all inputs having large Fourier coefficient at this frequency (a technique of Morillo–R` afols). Alexandre Duc , Dimitar Jetchev

  31. Using the prediction oracle - na¨ ıve idea! Suppose that we are given Alexandre Duc , Dimitar Jetchev

Recommend

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
= Z r T E ( Q ) rank torsion Rank < , hard to compute!

= Z r T E ( Q ) rank torsion Rank < , hard to compute!

A F AMILY OF R ANK S IX E LLIPTIC C URVES OVER N UMBER F IELDS David Mehrle & Tomer Reiter Carnegie Mellon University August 22, 2014 E LLIPTIC C URVES E : y 2 = x 3 + ax 2 + bx + c Elliptic curve Adding points on E makes group

724 views • 19 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides
Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher Leonardi 1 Anzo Teh 1 David Jao 1,2 Kunpeng Wang 3,4,5 Wei Yu 3,4,5 Reza Azarderakhsh 6 [1] Department of Combinatorics and Optimization, University of

911 views • 72 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 2 Elliptic curve arithmetic 1/41 The two facets of an elliptic curve

606 views • 42 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides
An elliptic curve and zero knowledge based forward secure RFID Protocol S. Mart nez, M.

An elliptic curve and zero knowledge based forward secure RFID Protocol S. Mart nez, M.

An elliptic curve and zero knowledge based forward secure RFID Protocol S. Mart nez, M. Valls, C. Roig, F. Gin e and J.M. Miret Escola Polit` ecnica Superior. Universitat de Lleida. { santi,magda,roig,sisco,miret } @eps.udl.es

417 views • 12 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views • 32 slides
A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March 21 st , 2016 1/13 A Brief Introduction to Elliptic Curve Cryptography Elliptic Curve 2/13 A

385 views • 13 slides
Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun

Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun

Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun Goudarzi, Matthieu Rivain, Damien Vergnaud SAC 2016, 12 Aug, St. Johns Outline EC signature schemes based on random nonces computed from [ k ]

696 views • 52 slides
DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

ECC 2019: 23rd Workshop on DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN QUASI-POLYNOMIAL TIME Based on a joint work with Thorsten Kleinjung IN FINITE FIELDS OF SMALL CHARACTERISTIC Benjamin Wesolowski

700 views • 47 slides
elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

1.38k views • 48 slides
Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of

Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of

Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of Illinois at Chicago Fix a field and an elliptic curve. e.g. NIST P-224: the elliptic curve a 6 over Z =p . y 2 = x 3 3 x + p = 2 224 2 96 + 1

417 views • 23 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides

More recommend