security on the line modern curve based cryptography
play

Security on the Line: Modern Curve-based Cryptography Joost Renes - PowerPoint PPT Presentation

Sep 16, 2022 •404 likes •1.39k views

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019 Modern curve-based cryptography Modern curve-based cryptography 1 / 11 Modern curve-based cryptography Internet of Things Size & speed

  1. Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

  2. Modern curve-based cryptography “Modern” curve-based cryptography 1 / 11

  3. Modern curve-based cryptography Internet of Things Size & speed ... Genus 2 Kummer varieties “Modern” curve-based cryptography 1 / 11

  4. Modern curve-based cryptography Classical setting (Ben Smith’s talk) Internet of Things Size & speed ... Genus 2 Kummer varieties “Modern” curve-based cryptography 1 / 11

  5. Modern curve-based cryptography Classical setting (Ben Smith’s talk) Internet of Things Size & speed ... Genus 2 Kummer varieties “Modern” curve-based cryptography Isogeny-based cryptography 1 / 11

  6. Elliptic curves in cryptography Discrete-log-based elliptic-curve cryptography [Mil86; Kob87] 2 / 11

  7. Elliptic curves in cryptography Discrete-log-based elliptic-curve cryptography [Mil86; Kob87] Ordinary isogeny-based group actions [Cou06; RS06; DKS18] 2 / 11

  8. Elliptic curves in cryptography Discrete-log-based elliptic-curve cryptography [Mil86; Kob87] Ordinary isogeny-based group actions [Cou06; RS06; DKS18] Supersingular isogeny-based cryptography / F p 2 [CLG09; JF11] 2 / 11

  9. Elliptic curves in cryptography Discrete-log-based elliptic-curve cryptography [Mil86; Kob87] Ordinary isogeny-based group actions [Cou06; RS06; DKS18] Supersingular isogeny-based cryptography / F p 2 [CLG09; JF11] Supersingular isogeny-based group actions / F p [Cas+18] 2 / 11

  10. Elliptic curves & isogenies (1) Fixed: prime p E a , b : y 2 = x 3 + ax + b 3 / 11

  11. Elliptic curves & isogenies (1) Fixed: prime p E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  12. Elliptic curves & isogenies (1) Fixed: prime p  isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .      E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  13. Elliptic curves & isogenies (1) Fixed: prime p  ℓ -isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .  with deg ( f ) = ℓ     and deg ( g ) = ℓ − 1 E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  14. Elliptic curves & isogenies (1) Fixed: prime p  1-isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .  with deg ( f ) = 1     and deg ( g ) = 0 E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  15. Elliptic curves & isogenies (1) Fixed: prime p  2-isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .  with deg ( f ) = 2     and deg ( g ) = 1 E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  16. Elliptic curves & isogenies (1) Fixed: prime p  3-isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .  with deg ( f ) = 3     and deg ( g ) = 2 E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  17. Elliptic curves & isogenies (1) Fixed: prime p  5-isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .  with deg ( f ) = 5     and deg ( g ) = 4 E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  18. Elliptic curves & isogenies (1) Fixed: prime p  7-isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .  with deg ( f ) = 7     and deg ( g ) = 6 E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  19. Elliptic curves & isogenies (1) Fixed: prime p  11-isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .  with deg ( f ) = 11     and deg ( g ) = 10 E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  20. Elliptic curves & isogenies (1) Fixed: prime p  13-isogeny    x �→ f ( x ) / g ( x ) , y �→ . . .  with deg ( f ) = 13     and deg ( g ) = 12 E c , d : y 2 = x 3 + cx + d E a , b : y 2 = x 3 + ax + b 3 / 11

  21. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) 3 / 11

  22. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) , ℓ = 2 3 / 11

  23. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) , ℓ = 2 3 / 11

  24. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) , ℓ = 2 3 / 11

  25. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) , ℓ = 3 3 / 11

  26. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) , ℓ = 5 3 / 11

  27. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) , ℓ = 7 3 / 11

  28. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) , ℓ = 11 3 / 11

  29. Elliptic curves & isogenies (1) Fixed: prime p , End F p ( E a , b ) = O Q ( π ) , ℓ = 13 3 / 11

  30. Elliptic curves & isogenies (2) 2 4 / 11

  31. Elliptic curves & isogenies (2) 2 4 / 11

  32. Elliptic curves & isogenies (2) 2 4 / 11

  33. Elliptic curves & isogenies (2) 2 4 / 11

  34. Elliptic curves & isogenies (2) 2 4 / 11

  35. Elliptic curves & isogenies (2) 3 4 / 11

  36. Elliptic curves & isogenies (2) 3 4 / 11

  37. Elliptic curves & isogenies (2) 3 4 / 11

  38. Elliptic curves & isogenies (2) 3 4 / 11

  39. Elliptic curves & isogenies (2) 3 4 / 11

  40. Elliptic curves & isogenies (2) 5 4 / 11

  41. Elliptic curves & isogenies (2) 7 4 / 11

  42. Isogeny volcanoes 2 3 5 7 11 13 5 / 11

  43. Isogeny-based cryptography (1) 2 6 / 11

  44. Isogeny-based cryptography (1) 2 6 / 11

  45. Isogeny-based cryptography (1) 3 6 / 11

  46. Isogeny-based cryptography (1) 3 6 / 11

  47. Isogeny-based cryptography (1) 5 6 / 11

  48. Isogeny-based cryptography (1) 5 6 / 11

  49. Isogeny-based cryptography (1) 2 3 5 7 11 13 6 / 11

  50. Isogeny-based cryptography (1) 6 / 11

  51. Isogeny-based cryptography (1) # primes: 1 Work (per prime): ≤ t Work (total): ≤ t Entropy: t 6 / 11

  52. Isogeny-based cryptography (1) # primes: 1 Work (per prime): ≤ t Work (total): ≤ t Entropy: t 6 / 11

  53. Isogeny-based cryptography (1) # primes: 1 Work (per prime): ≤ t Work (total): ≤ t Entropy: t 6 / 11

  54. Isogeny-based cryptography (1) # primes: 2 Work (per prime): ≤ t Work (total): ≤ 2 · t t 2 Entropy: 6 / 11

  55. Isogeny-based cryptography (1) # primes: 3 Work (per prime): ≤ t Work (total): ≤ 3 · t t 3 Entropy: 6 / 11

  56. Isogeny-based cryptography (1) # primes: 4 Work (per prime): ≤ t Work (total): ≤ 4 · t t 4 Entropy: 6 / 11

  57. Isogeny-based cryptography (1) # primes: 5 Work (per prime): ≤ t Work (total): ≤ 5 · t t 5 Entropy: 6 / 11

  58. Isogeny-based cryptography (1) # primes: 6 Work (per prime): ≤ t Work (total): ≤ 6 · t t 6 Entropy: 6 / 11

  59. Isogeny-based cryptography (1) # primes: L Work (per prime): ≤ t Work (total): ≤ L · t t L Entropy: 6 / 11

  60. OIDH & CSIDH Two different ways to instantiate; 1. Ordinary isogeny Diffie–Hellman (OIDH) 2. Supersingular isogeny Diffie–Hellman (CSIDH) The idea for OIDH first by Couveignes in ’96 [Cou06] = ⇒ Post-quantum security with very small keys [DKS18] = ⇒ CSIDH almost identical but easier to instantiate [Cas+18] 7 / 11

  61. State of CSIDH ( ∼ NIST level I security) 1. CSIDH key exchange ◮ Non-interactive with 64-byte public keys ◮ ∼ 80 ms for full exchange (not constant-time) 8 / 11

  62. State of CSIDH ( ∼ NIST level I security) 1. CSIDH key exchange ◮ Non-interactive with 64-byte public keys ◮ ∼ 80 ms for full exchange (not constant-time) 2. Constant-time implementations [MCR18] (at ∼ 246 ms) 8 / 11

  63. State of CSIDH ( ∼ NIST level I security) 1. CSIDH key exchange ◮ Non-interactive with 64-byte public keys ◮ ∼ 80 ms for full exchange (not constant-time) 2. Constant-time implementations [MCR18] (at ∼ 246 ms) 3. SeaSign signatures [DG19] large and/or slow 8 / 11

  64. State of CSIDH ( ∼ NIST level I security) 1. CSIDH key exchange ◮ Non-interactive with 64-byte public keys ◮ ∼ 80 ms for full exchange (not constant-time) 2. Constant-time implementations [MCR18] (at ∼ 246 ms) 3. SeaSign signatures [DG19] large and/or slow 4. CSI-FiSh signatures [BKV19] smaller and faster (small p ) 8 / 11

  65. State of CSIDH ( ∼ NIST level I security) 1. CSIDH key exchange ◮ Non-interactive with 64-byte public keys ◮ ∼ 80 ms for full exchange (not constant-time) 2. Constant-time implementations [MCR18] (at ∼ 246 ms) 3. SeaSign signatures [DG19] large and/or slow 4. CSI-FiSh signatures [BKV19] smaller and faster (small p ) 5. Bunch of cryptanalysis [BS18; Ber+19] ◮ Quantum subexponential attacks! 8 / 11

Recommend

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 14ss 1 Outline Cryptography

780 views • 54 slides
iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 15ws 1 / 72 Outline Cryptography

903 views • 88 slides
Security II: Cryptography Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography

Security II: Cryptography Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography

Related textbooks Main reference: Security II: Cryptography Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography Chapman & Hall/CRC, 2nd ed., 2014 Further reading: Markus Kuhn Christof Paar, Jan Pelzl: Understanding

794 views • 27 slides
Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography Symmetric cryptography DES 3DES AES Asymmetric cryptography Diffie-Hellman key exchange 2 Modern cryptography Moving into

338 views • 16 slides
iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de

iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de

iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 16ss 1 / 38 Outline

504 views • 46 slides
Fundamental Ellip.c Curve Cryptography Algorithms

Fundamental Ellip.c Curve Cryptography Algorithms

Fundamental Ellip.c Curve Cryptography Algorithms draft-mcgrew-fundamental-ecc-02 mcgrew@cisco.com kmigoe@nsa.gov Ellip.c Curve Cryptography Alterna.ve to integer-based Key

384 views • 19 slides
All iLabs and P2PSS Modern cryptography for communications security part 1 Benjamin Hof

All iLabs and P2PSS Modern cryptography for communications security part 1 Benjamin Hof

All iLabs and P2PSS Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 17ss 1 / 34

705 views • 44 slides
Objectives Goals of Cryptography Security Services Security Mechanisms Relationship

Objectives Goals of Cryptography Security Services Security Mechanisms Relationship

Overview on Modern Cryptography Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Goals of Cryptography Security Services

658 views • 16 slides
Modern cryptography 2 CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography 2 CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography 2 CSCI 470: Web Science Keith Vertanen Overview Modern cryptography Asymmetric cryptography Diffie-Hellman key exchange (last time) Pubic key: RSA Pretty Good Privacy (PGP) Digital signing Public

682 views • 26 slides
+ Mohammad Mahmoody Rafael Pass + Modern Cryptography and One-Way Functions Modern

+ Mohammad Mahmoody Rafael Pass + Modern Cryptography and One-Way Functions Modern

+ Mohammad Mahmoody Rafael Pass + Modern Cryptography and One-Way Functions Modern Cryptography is based on computational assumptions. [Shannon 1950s] easy OWFs, a central player: f {0,1} n {0,1} n Easy to compute f(x) Hard to find x

686 views • 24 slides
CS 4803 Crypto as a science (modern cryptography) has short but Computer and Network Security

CS 4803 Crypto as a science (modern cryptography) has short but Computer and Network Security

Cryptography is very old and very new Crypto is an ancient discipline Recall Julius Caesar, Enigma,... CS 4803 Crypto as a science (modern cryptography) has short but Computer and Network Security exciting history Most of it

638 views • 4 slides
Curve-Based Cryptography Nicolas Thriault nicolas.theriault@usach.cl Departamento de

Curve-Based Cryptography Nicolas Thriault nicolas.theriault@usach.cl Departamento de

Curve-Based Cryptography Nicolas Thriault nicolas.theriault@usach.cl Departamento de Matemtica y Ciencia de la Computacin Universidad de Santiago de Chile Discrete Log Problem Computational Diffie-Hellman Problem: Given g 1 , [ a ] g 1 ,

897 views • 51 slides
Related textbooks Jonathan Katz, Yehuda Lindell: Security II: Cryptography Introduction to

Related textbooks Jonathan Katz, Yehuda Lindell: Security II: Cryptography Introduction to

Related textbooks Jonathan Katz, Yehuda Lindell: Security II: Cryptography Introduction to Modern Cryptography Chapman & Hall/CRC, 2008 Christof Paar, Jan Pelzl: Markus Kuhn Understanding Cryptography Springer, 2010

470 views • 20 slides
Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but

Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but

Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but hard-to-solve problems were discovered. Computational Complexity, by Fu Yuxi Cryptography 1 / 75 Cryptography is closely related to some

785 views • 76 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire

Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire

Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire dInformatique de l Ecole polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik, Croatia, June 9 2016 Smith

512 views • 29 slides
Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter

Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter

Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 3 Page 1 CS 236 Online Outline What is data encryption? Cryptanalysis Basic encryption methods Substitution ciphers

766 views • 21 slides
More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 4 Page 1 CS 236 Online Outline Desirable characteristics of ciphers Stream and block ciphers Cryptographic modes Uses of

475 views • 29 slides
Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Cryptography Game-based Proofs Assumptions BF IB-Encryption Conclusion Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs Introduction Provable Security David Pointcheval 2 Game-based Methodology

722 views • 10 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views • 32 slides

More recommend