implement all the pairings in software
play

Implement all the pairings in software! CARAMBA Seminar Diego F. - PowerPoint PPT Presentation

Jan 02, 2024 •951 likes •1.52k views

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of Engineering Aarhus University Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q ) e (

  1. Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of Engineering – Aarhus University

  2. Bilinear pairings 1

  3. Bilinear pairings e ( P + R , Q ) = e ( P , Q ) · e ( R , Q ) and e ( P , Q + S ) = e ( P , Q ) · e ( P , S ) . 2

  4. Introduction Pairing-Based Cryptography (PBC) enables many elegant solutions to cryptographic problems: • Implicit certification schemes (IBE, CLPKC, etc.) • Short signatures (in group elements, BLS, BBS) • More efficient key agreements (Joux’s 3DH, NIKDS) • Low-depth homomorphic encryption (BGN and variants) • Zero-knowledge proof systems (LegoSNARK and Sonic) • Isogeny-based cryptography (key compression and VDFs) Not dead: Pairings are not only interesting solely for research, but actually deployed in practice! 3

  5. Classic: IBE in Voltage’s SecureMail Implemented with supersingular curve over large characteristic [BF01]. Figure 1: Source: http://www.securemailworks.com/SecureMail.asp 4

  6. Modern applications

  7. IBE in Cloudflare’s Geo Key Manager Figure 2: https://blog.cloudflare.com/geo-key-manager-how-it-works/ 5

  8. IBE in Cloudflare’s Geo Key Manager Implemented using a 256-bit Barreto-Naehrig curve [BN05] Figure 3: https://blog.cloudflare.com/geo-key-manager-how-it-works/ 6

  9. Remote attestation in Intel SGX Remote attestation scheme employs a pairing-based anonymous group signature by Brickell and Li (EPID) [BL12]. Enhanced Privacy ID anonymous group signatures Signatures verified to Issuer , holds the belong to the group, hiding "master key", can grant the member that signed access to the group Group = CPUs of same type, same SGX version Members sign an Verifier ensures that an enclave's measurement enclave does run on a anonymously trusted SGX platform Figure 4: Slides from BlackHat 2016 talk by Aumasson and Merino [AM16]. 7

  10. Remote attestation in Intel SGX Implemented using a 256-bit Barreto-Naehrig curve [BN05]. EPID implementation Not in microcode, too complex Not in SGX libs, but in the QE and PVE binaries Undocumented implementation details: ● Scheme from https://eprint.iacr.org/2009/095 ● Barretto-Naehrig curve, optimal Ate pairing ● Code allegedly based on https://eprint.iacr.org/2010/354 Pubkey and parameters provided by Intel Attestation Service (IAS) Figure 5: Slides from BlackHat 2016 talk by Aumasson and Merino [AM16]. 8

  11. Zcash cryptocurrency zk-SNARKs by Ben-Sasson et al. [BCG + 14] for privacy-preserving cryptocurrencies, also recently adopted by Ethereum. 9

  12. Background

  13. Pairing groups Let G 1 = � P � and G 2 = � Q � be additive groups and G T be a multiplicative group such that | G 1 | = | G 2 | = | G T | = prime r . A general pairing e : G 1 × G 2 → G T • G 1 is typically a subgroup of E ( F p ). • G 2 is typically a subgroup of E ( F p k ). • G T is a multiplicative subgroup of F ∗ p k . Hence pairing-based cryptography involves arithmetic in F p k , for embedding degree k , the main tool used to balance security. 10

  14. Pairing operations A general pairing e : G 1 × G 2 → G T Cryptographic schemes require multiple operations in pairing groups: 1. Exponentiation , membership testing , compression in G 1 , G 2 and G T . 2. Hashing strings to G 1 , G 2 . 3. Efficient maps between G 1 and G 2 . 4. Efficient pairing computation . 11

  15. Curve families At some point, pairing-based cryptography had an explosion of parameter choices to choose from: BN curves : k = 12, ρ ≈ 1 p ( x ) = 36 x 4 + 36 x 3 + 24 x 2 + 6 x + 1 r ( x ) = 36 x 4 + 36 x 3 + 18 x 2 + 6 x + 1, t ( x ) = 6 z 2 + 1 BLS12 curves : k = 12, ρ ≈ 1 . 5 p ( x ) = ( x − 1) 2 ( x 4 − x 2 + 1) / 3 + x , r ( x ) = x 4 − x 2 + 1, t ( x ) = x + 1 KSS18 curves : k = 18, ρ ≈ 4 / 3 p ( x ) = ( x 8 + 5 x 7 + 7 x 6 + 37 x 5 + 188 x 4 + 259 x 3 + 343 x 2 + 1763 x + 2401) / 21 r ( x ) = ( x 6 + 37 x 3 + 343) / 343, t ( x ) = ( x 4 + 16 z + 7) / 7 BLS24 curves : k = 24, ρ ≈ 1 . 25 p ( x ) = ( x − 1) 2 ( x 8 − x 4 + 1) / 3 + x , r ( x ) = x 8 − x 4 + 1, t ( x ) = x + 1 12

  16. Barreto-Naehrig curves Let x ∈ Z such that p ( x ) and r ( x ) are prime: • p ( x ) = 36 x 4 + 36 x 3 + 24 x 2 + 6 x + 1 • r ( x ) = 36 x 4 + 36 x 3 + 18 x 2 + 6 x + 1 Then E : y 2 = x 3 + b , b ∈ F p is a curve of order r and embedding degree k = 12 [BN05] and E ′ its twist of degree d = 6. For curve BN-254, fix x = − (2 62 + 2 55 + 1) and b = 2, the towering can be: • F p 2 = F p [ i ] / ( i 2 − β ), where β = − 1 • F p 4 = F p 2 [ s ] / ( s 2 − ǫ ), where ξ = 1 + i • F p 6 = F p 2 [ v ] / ( v 3 − ξ ), where ξ = 1 + i • F p 12 = F p 4 [ v ] / ( t 3 − s ) or F p 6 [ w ] / ( w 2 − v ) Until recently: BN curves were king at the 128-bit security level and got even close to standardization (IETF RFC). 13

  17. Barreto-Naehrig curves Instantiating pairings over BN curves had many performance features: 1. Implementation-friendly parameters, with fast towering and compact generators [GJNB11]. 2. Prime-order group G 1 , facilitating membership testing. 3. Twist of maximum degree , reducing size of G 2 . 4. Gallant-Lambert-Vanstone [GLV01] endomorphism in G 1 . 5. Galbraith-Scott homomorphism [GS08] in G 2 , G T . 6. Compressed squarings for exponentiation in G T . 14

  18. Barreto-Naehrig curves Instantiating pairings over BN curves had many performance features: 1. Implementation-friendly parameters, with fast towering and compact generators [GJNB11]. 2. Prime-order group G 1 , facilitating membership testing. 3. Twist of maximum degree , reducing size of G 2 . 4. Gallant-Lambert-Vanstone [GLV01] endomorphism in G 1 . 5. Galbraith-Scott homomorphism [GS08] in G 2 , G T . 6. Compressed squarings for exponentiation in G T . Alfred Menezes, 2007 “ These curves should not exist, they are too good to be true. ” 14

  19. Updating the security of pairings Recent results have undermined the security of pairings in some contexts: 1. Pairings over small char , due to many advances in the DLP, including a quasi-polynomial algorithm by Barbulescu et al. [BGJT14]. Impact: Pairings may not be that viable in resource-constrained devices anymore. 15

  20. Updating the security of pairings Recent results have undermined the security of pairings in some contexts: 1. Pairings over small char , due to many advances in the DLP, including a quasi-polynomial algorithm by Barbulescu et al. [BGJT14]. Impact: Pairings may not be that viable in resource-constrained devices anymore. 2. Smooth embedding degree , affected by Kim-Barbulescu attack on medium-prime case [KB16]. Impact: Security of BN-254 degraded to around 100 bits. 3. Miller inversion problem , shown to be easy for supersingular curves with k = 2 [Sat19]. Impact: These curves may be not just inefficient, but dangerous. 15

  21. Curve families And now we are somewhat back to that situation again. Recently proposed parameters, from the most conservative: 1. Elliptic curves with embedding degree k = 1 ( large base field ) [CMR17] 2. Symmetric pairings with prime embedding degree k = 2 , 3 ( still large base field ) [Sco05, ZW13] 3. Elliptic curves with less smooth embedding degrees (ordinary with k = 9 , 13 , 15 , 21 , 27) [CM18, BMG19] 4. Cocks-Pinch curves with moderate embedding degrees [GMT19] 5. Optimal TNFS-resistant families [FM18] → Adjusted field sizes and smooth embedding degrees such as Barreto-Lynn-Scott (BLS) and Kachisa-Scott-Schaefer (KSS) curves [BLS02, KSS08]. 16

  22. What do we want? 17

  23. Implementation techniques

  24. Arithmetic levels Protocols Low-level backend 18

  25. Software libraries There are many different open-source software implementations of pairings: • PBC : on top of GMP, outdated . • Panda : not as efficient anymore, but constant-time . • Ate-pairing: CINVESTAV, previous state of the art. • MIRACL : special support for constrained platforms. • Apache Milagro : fast C and bindings to many languages. • OpenPairing : OpenSSL patch, never merged. • libsnark: BN-254 and ZKPs. • pairing: BLS12-381 implementation from ZCash in Rust. • mcl: BN and BLS12 over multiple fields by Shigeo Mitsunari. 19

  26. Software libraries There are many different open-source software implementations of pairings: • PBC : on top of GMP, outdated . • Panda : not as efficient anymore, but constant-time . • Ate-pairing: CINVESTAV, previous state of the art. • MIRACL : special support for constrained platforms. • Apache Milagro : fast C and bindings to many languages. • OpenPairing : OpenSSL patch, never merged. • libsnark: BN-254 and ZKPs. • pairing: BLS12-381 implementation from ZCash in Rust. • mcl: BN and BLS12 over multiple fields by Shigeo Mitsunari. → RELIC : flexible and current state of the art, under heavy development again. 19

  27. Finite field arithmetic Target platform: Desktop processor. 1. An efficient 64-bit implementation of the base field arithmetic typically employs: • Montgomery representation. • Wide multiplication instructions MUL and MULX . • Lazy reduction : ( a · b ) mod p + ( c · d ) mod p = ( a · b + c · d ) mod p 2. Techniques for extension field arithmetic: • Small quadratic/cubic non-residues and change of representation . • Fastest formulas available in the literature (asymmetric squarings due to [CH07]. • General lazy reduction: k reductions for F p k arithmetic [AKL + 11]. 20

Recommend

A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

744 views • 72 slides
Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of Computer Science University of Bras lia Joint work with K. Karabina, P. Longa, C. Gebotys, J. L opez, D. Hankerson, A. Menezes, E. Knapp, F.

759 views • 41 slides
Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of Computing University of Campinas Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q

1.02k views • 58 slides
Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert Inria Bordeaux Sud-Ouest Millers algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Outline

676 views • 50 slides
Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David Lubicz, Damien Robert June 6, 2013 Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Outline 1

833 views • 33 slides
Pairings implementation in the PARI computer algebra system (explained by a mere programmer)

Pairings implementation in the PARI computer algebra system (explained by a mere programmer)

Pairings implementation in the PARI computer algebra system (explained by a mere programmer) jerome.milan (at) lix.polytechnique.fr Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI

739 views • 51 slides
Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks

Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks

Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks Bernd Schulze (with Katie Clinch, Anthony Nixon and Walter Whiteley) Lancaster University June 13, 2019 Bernd Schulze Group pairings with

746 views • 49 slides
ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint

ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint

ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint Software was created because there was no software that was easy to implement for managing and distributing leads and phone calls. The process was

225 views • 11 slides
The Realm of the Pairings Paulo S. L. M. Barreto Prolegomena Thanks to the organizers of SAC

The Realm of the Pairings Paulo S. L. M. Barreto Prolegomena Thanks to the organizers of SAC

The Realm of the Pairings Paulo S. L. M. Barreto Prolegomena Thanks to the organizers of SAC 2013 for the invitation! Accompanying paper: joint work with D. Aranha, P. Longa and J. Ricardini. I know Im speaking in a marvelous

648 views • 45 slides
The Spoofax Language Workbench Lennart Kats Eelco Visser Software Engineering implement

The Spoofax Language Workbench Lennart Kats Eelco Visser Software Engineering implement

The Spoofax Language Workbench Lennart Kats Eelco Visser Software Engineering implement Problem Software validate High-level languages reduce problem/solution gap Problem HLL Machine Domain Domain-Specific Languages Problem DSL HLL

478 views • 47 slides
Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin

Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin

Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin Deschamps, Aurore Guillevic , Shashank Singh ENS Lyon, Inria Nancy, Loria, CNRS, Universit de Lorraine November 15, 1027 Elliptic Curve

753 views • 43 slides
Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer

Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer

Choosing G 1 and G 2 Ate Pairing Optimal Pairing Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer School - 2011 Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium Pairings on Elliptic

289 views • 24 slides
Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet

Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet

Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet GREYC - LMNO Universit e de Caen Darmstadt 29th of April 2010 1 / 59 Outline Pairing over elliptic curves 1 Definition and properties of

1.55k views • 111 slides
Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zrich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

928 views • 72 slides
Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Universit Paris Saclay UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet Tired of

350 views • 23 slides
Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David Lubicz 1,2 , Damien Robert 3 1 CLAR 2 IRMAR, Universit de Rennes 1 1 LFANT Team, IMB & Inria Bordeaux Sud-Ouest Motivations Millers

313 views • 30 slides
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got both! (Maybe not quite

509 views • 47 slides
Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings Craig Costello

Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings Craig Costello

Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings Craig Costello craig.costello@qut.edu.au Queensland University of Technology IndoCrypt 2011 Chennai, India Joint work with Kristin Lauter (Microsoft) and Michael

531 views • 23 slides
Faster Implementation of Pairings Francisco Rodr guez-Henr quez CINVESTAV, IPN, Mexico

Faster Implementation of Pairings Francisco Rodr guez-Henr quez CINVESTAV, IPN, Mexico

ECC 2010 Redmond, USA Faster Implementation of Pairings Francisco Rodr guez-Henr quez CINVESTAV, IPN, Mexico City, Mexico Joint work with: Jean-Luc Beuchat LCIS, University of Tsukuba, Japan enaire, LIP, Nicolas Brisebarre

1.6k views • 145 slides
Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana

Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana

Multi-input Inner-Product Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana Raykova, Yale University Hoeteck Wee, CNRS and ENS Functional Encryption [Boneh, Sahai, Waters 11] m Alice Functional

585 views • 40 slides
RPCexpress: a try to implement an efficient middleware from the ground up based on requirements

RPCexpress: a try to implement an efficient middleware from the ground up based on requirements

RPCexpress: a try to implement an efficient middleware from the ground up based on requirements of embedded software defined systems Qi Tang 1,3 , Jin Lian 2,1,3 , Li Zhou 1,3 , Shan Wang 1,3 , Haitao Zhao 1,3 , Jun Xiong 1,3 , Shengchun Huang

572 views • 26 slides
Software smart by design. SoftMachine.ws 1 PAGE Who We Are We design,

Software smart by design. SoftMachine.ws 1 PAGE Who We Are We design,

Software smart by design. SoftMachine.ws 1 PAGE Who We Are We design, supply, implement and support customized software development , including development of Internet and intranet applications, SQL based database

433 views • 14 slides
Perfect Pairings food+wine By Paris Food And Wine By Paris Food And Wine ParisFoodAndWine.net

Perfect Pairings food+wine By Paris Food And Wine By Paris Food And Wine ParisFoodAndWine.net

Perfect Pairings food+wine By Paris Food And Wine By Paris Food And Wine ParisFoodAndWine.net ParisFoodAndWine.net Perfect Pairings food+wine Paris Food And Wine The 4 steps to wine tasting: 1. Look: A visual inspection of the wine

342 views • 10 slides
Pairings I Michael Naehrig Eindhoven Institute for the Protection of Systems and Information

Pairings I Michael Naehrig Eindhoven Institute for the Protection of Systems and Information

Pairings I Michael Naehrig Eindhoven Institute for the Protection of Systems and Information Technische Universiteit Eindhoven rtr ECC Summer School 2008, Eindhoven 18 September 2008

336 views • 32 slides

More recommend