Theta functions and applications in cryptography


  1. Theta functions and applications in cryptography (Fonctions thêta et applications en cryptographie). Computer science thesis. Damien Robert, Caramel team, Nancy Universités, CNRS, INRIA Nancy Grand Est. 21/07/2010 (Nancy)

  2. Outline: 1. Public-key cryptography; 2. Abelian varieties; 3. Theta functions; 4. Pairings; 5. Isogenies; 6. Perspectives. Damien Robert (Caramel, LORIA), Theta functions and cryptography, 21/07/2010 (Nancy), 2 / 40

  3. Public-key cryptography. Outline: 1. Public-key cryptography; 2. Abelian varieties; 3. Theta functions; 4. Pairings; 5. Isogenies; 6. Perspectives.

  4. Public-key cryptography: Public-key systems. A brief history of public-key cryptography. Secret-key cryptography: Vigenère (1553), One time pad (1917), AES (NIST, 2001). Public-key cryptography: Diffie–Hellman key exchange (1976). RSA (1978): multiplication/factorisation. ElGamal: exponentiation/discrete logarithm in $G = \mathbb{F}_q^*$. ECC/HECC (1985): discrete logarithm in $G = A(\mathbb{F}_q)$. Lattices, NTRU (1996), Ideal Lattices (2006): perturb a lattice point/Closest Vector Problem, Bounded Distance Decoding. Polynomial systems, HFE (1996): evaluating polynomials/finding roots. Coding-based cryptography, McEliece (1978): matrix-vector product/decoding a linear code. ⇒ Encryption, Signature (+ Pseudo Random Number Generator, Zero Knowledge). Pairing-based cryptography (2000–2001). Homomorphic cryptography (2009).

  5. Public-key cryptography: Public-key systems. RSA versus (H)ECC. Key length comparison between RSA and ECC:
     Security (bits level) | RSA   | ECC
     72                    | 1008  | 144
     80                    | 1248  | 160
     96                    | 1776  | 192
     112                   | 2432  | 224
     128                   | 3248  | 256
     256                   | 15424 | 512
     Factorisation of a 768-bit RSA modulus [Kle+10]. Currently: attempt to attack a 130-bit Koblitz elliptic curve.

  6. Public-key cryptography: Discrete logarithm in cryptography. Discrete logarithm. Definition (DLP): Let $G = \langle g \rangle$ be a cyclic group of prime order. Let $x \in \mathbb{N}$ and $h = g^x$. The discrete logarithm $\log_g(h)$ is $x$. Exponentiation: $O(\log p)$. DLP: $\tilde{O}(\sqrt{p})$ (in a generic group). $G = \mathbb{F}_p^*$: sub-exponential attacks. ⇒ Find secure groups with efficient law, compact representation. Protocol [Diffie–Hellman Key Exchange]: Alice sends $g^a$, Bob sends $g^b$, the common key is $g^{ab} = (g^b)^a = (g^a)^b$.

  7. Public-key cryptography: Discrete logarithm in cryptography. Pairing-based cryptography. Definition: A pairing is a bilinear map $e : G_1 \times G_1 \to G_2$. Identity-based cryptography [BF03]. Short signature [BLS04]. One way tripartite Diffie–Hellman [Jou04]. Self-blindable credential certificates [Ver01]. Attribute based cryptography [SW05]. Broadcast encryption [Goy+06]. Tripartite Diffie–Hellman: Alice sends $g^a$, Bob sends $g^b$, Charlie sends $g^c$. The common key is $e(g, g)^{abc} = e(g^b, g^c)^a = e(g^c, g^a)^b = e(g^a, g^b)^c \in G_2$.

  8. Abelian varieties. Outline: 1. Public-key cryptography; 2. Abelian varieties; 3. Theta functions; 4. Pairings; 5. Isogenies; 6. Perspectives.

  9. Abelian varieties: Jacobian of curves. Abelian varieties. Definition: An Abelian variety is a complete connected group variety over a base field $k$. Abelian variety = points on a projective space (locus of homogeneous polynomials) + an abelian group law given by rational functions. ⇒ Use $G = A(k)$ with $k = \mathbb{F}_q$ for the DLP. ⇒ Pairing-based cryptography with the Weil or Tate pairing. (Only available on abelian varieties.)

  10. Abelian varieties: Jacobian of curves. Elliptic curves. Definition (char $k \neq 2, 3$): $E : y^2 = x^3 + ax + b$, with $4a^3 + 27b^2 \neq 0$. An elliptic curve is a plane curve of genus 1. Elliptic curves = Abelian varieties of dimension 1. Addition law: $P + Q = -R = (x_R, -y_R)$, where $\lambda = \frac{y_Q - y_P}{x_Q - x_P}$, $x_R = \lambda^2 - x_P - x_Q$, $y_R = y_P + \lambda (x_R - x_P)$. [Figure: plot of an elliptic curve showing the points P, Q, R and −R.]

  11. Abelian varieties: Jacobian of curves. Jacobian of hyperelliptic curves. $C : y^2 = f(x)$, hyperelliptic curve of genus $g$ ($\deg f = 2g - 1$). Divisor: formal sum $D = \sum n_i P_i$, $P_i \in C(k)$; $\deg D = \sum n_i$. Principal divisor: $\sum_{P \in C(k)} v_P(f) \cdot P$, for $f \in k(C)$. Jacobian of $C$ = Divisors of degree 0 modulo principal divisors = Abelian variety of dimension $g$. Divisor class $D$ ⇒ unique representative (Riemann–Roch): $D = \sum_{i=1}^{k} (P_i - P_\infty)$, $k \leqslant g$, symmetric $P_i \neq P_j$. Mumford coordinates: $D = (u, v)$ ⇒ $u = \prod (x - x_i)$, $v(x_i) = y_i$. Cantor algorithm: addition law.

  12. Abelian varieties: Jacobian of curves. Example of the addition law in genus 2. $D = P_1 + P_2 - 2\infty$, $D' = Q_1 + Q_2 - 2\infty$. [Figure: the points $P_1$, $P_2$, $Q_1$, $Q_2$ on the curve.]

  13. Abelian varieties: Jacobian of curves. Example of the addition law in genus 2. $D = P_1 + P_2 - 2\infty$, $D' = Q_1 + Q_2 - 2\infty$. [Figure: the points $P_1$, $P_2$, $Q_1$, $Q_2$, $R'_1$, $R'_2$ on the curve.]

  14. Abelian varieties: Jacobian of curves. Example of the addition law in genus 2. $D = P_1 + P_2 - 2\infty$, $D' = Q_1 + Q_2 - 2\infty$, $D + D' = R_1 + R_2 - 2\infty$. [Figure: the points $P_1$, $P_2$, $Q_1$, $Q_2$, $R'_1$, $R'_2$, $R_1$, $R_2$ on the curve.]

  15. Abelian varieties: Jacobian of curves. Security of Jacobians:
     g          | # points | DLP
     1          | O(q)     | Õ(q^{1/2})
     2          | O(q^2)   | Õ(q)
     3          | O(q^3)   | Õ(q^{4/3}) (Jacobian of hyperelliptic curve); Õ(q) (Jacobian of non hyperelliptic curve)
     g          | O(q^g)   | Õ(q^{2−2/g})
     g > log(q) |          | L_{1/2}(q^g) = exp(O(1) log(x)^{1/2} loglog(x)^{1/2})
     Security of the DLP. Weak curves (MOV attack, Weil descent, anomalous curves). ⇒ Public-key cryptography with the DLP: Elliptic curves, Jacobian of hyperelliptic curves of genus 2. ⇒ Pairing-based cryptography: Abelian varieties of dimension $g \leqslant 4$.

  17. Abelian varieties: Isogenies. Definition: A (separable) isogeny is a finite surjective (separable) morphism between two Abelian varieties. Isogenies = Rational map + group morphism + finite kernel. Isogenies ⇔ Finite subgroups: $(f : A \to B) \mapsto \operatorname{Ker} f$ and $(A \to A/H)$ ↤ $H$. Example: Multiplication by $\ell$ (⇒ $\ell$-torsion), Frobenius (non separable).

  18. Abelian varieties: Isogenies. Cryptographic usage of isogenies. Transfer the DLP from one Abelian variety to another. Point counting algorithms ($\ell$-adic or $p$-adic) ⇒ Verify a curve is secure. Compute the class field polynomials (CM-method) ⇒ Construct a secure curve. Compute the modular polynomials ⇒ Compute isogenies. Determine $\operatorname{End}(A)$ ⇒ CRT method for class field polynomials.

  19. Abelian varieties: Computing isogenies in genus 1. Vélu's formula. Theorem: Let $E : y^2 = f(x)$ be an elliptic curve and $G \subset E(k)$ a finite subgroup. Then $E/G$ is given by $Y^2 = g(X)$ where $X(P) = x(P) + \sum_{Q \in G \setminus \{0_E\}} \left( x(P+Q) - x(Q) \right)$ and $Y(P) = y(P) + \sum_{Q \in G \setminus \{0_E\}} \left( y(P+Q) - y(Q) \right)$. Uses the fact that $x$ and $y$ are characterised in $k(E)$ by: $v_{0_E}(x) = -2$, $v_P(x) \geqslant 0$ if $P \neq 0_E$; $v_{0_E}(y) = -3$, $v_P(y) \geqslant 0$ if $P \neq 0_E$; $y^2/x^3(0_E) = 1$. No such characterisation in genus $g \geqslant 2$.
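
Added example (not from the original slides): Vélu's formula above, evaluated with the chord-and-tangent addition law from slide 10, on a toy curve over F_101 with the order-3 subgroup generated by (3, 5). The curve, the generator and every function name are assumptions chosen for illustration; the image curve E/G is recovered by fitting Y^2 = X^3 + AX + B to the image points rather than from closed-form coefficients.

```python
p, a, b = 101, 3, 90     # E: y^2 = x^3 + 3x + 90 over F_101 (constructed toy curve)
O = None                 # the neutral element 0_E (point at infinity)

def add(P, Q, a=a):
    """Chord-and-tangent law on y^2 = x^3 + a*x + b over F_p (b is not needed)."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                          # P + (-P) = 0_E
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p         # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def subgroup(gen):
    """Nonzero elements of the cyclic subgroup generated by gen."""
    G, Q = [], gen
    while Q is not O:
        G.append(Q)
        Q = add(Q, gen)
    return G

def velu(P, G):
    """X(P), Y(P) from the theorem; the sums run over the nonzero Q in G."""
    if P is O or P in G:
        return O                                          # the kernel maps to 0
    X, Y = P
    for Q in G:
        S = add(P, Q)
        X, Y = X + S[0] - Q[0], Y + S[1] - Q[1]
    return (X % p, Y % p)

def points():
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x**3 - a * x - b) % p == 0]

def image_curve(G):
    """Fit Y^2 = X^3 + A*X + B to two image points, then check all of them."""
    img = sorted({velu(P, G) for P in points()} - {O})
    (X1, Y1), (X2, Y2) = img[0], next(T for T in img if T[0] != img[0][0])
    r1, r2 = (Y1 * Y1 - X1**3) % p, (Y2 * Y2 - X2**3) % p
    A = (r1 - r2) * pow(X1 - X2, -1, p) % p
    B = (r1 - A * X1) % p
    return A, B, all((Y * Y - X**3 - A * X - B) % p == 0 for X, Y in img)

G = subgroup((3, 5))     # order-3 kernel: (3, 5) and its inverse (3, 96)
```

Passing the fitted `A` as the third argument of `add` gives the group law on E/G, which lets you confirm that the map is a group morphism with kernel G, as the isogeny slides state.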
