Asymptotically Optimal Communication for Torus-Based Cryptography. David Woodruff (MIT). Joint work with Marten van Dijk (Philips/MIT).


Contents
1. Background: XTR, torus-based crypto
2. Our contributions
   1. Relax a problem concerning tori
   2. Solve the relaxation
3. Applications
   1. Generalized ElGamal signatures
   2. Hybrid ElGamal encryption
4. Conclusions

Diffie-Hellman Key Exchange
Alice picks $a \in \mathbb{Z}_p$ and sends $g^a$; Bob picks $b \in \mathbb{Z}_p$ and sends $g^b$. Both compute the agreed key $g^{ab}$.
Setting: $q = 2p + 1$, $g$ generates $G_p \subseteq GF(q)^*$, where $G_p$ is the cyclic subgroup of order $p$.
ElGamal: work in an extension field $GF(q^d)^*$.
Schnorr: work in a small prime-order subgroup of $GF(q)^*$.

The XTR Public-Key System [BPV99]
Combine the two ideas: use a prime-order subgroup $G$ of $GF(q^6)^*$ with $|G| = p$, $p \mid (q^2 - q + 1)$.
The field representation of elements of $G$ uses $6 \log q$ bits.
[BPV99]: a more efficient representation of $G$ with $2 \log q$ bits per element.
Known attacks scale with the size of the minimal field containing $G$; one can show this is $GF(q^6)$.
So only 1/3 of the bits are exchanged, yet with the full security of $GF(q^6)^*$.
DL and CDH in the $p$-subgroup of $GF(q^6)^*$ are believed to be as hard as DL and CDH in the $p$-subgroup of $GF(P)^*$ for a prime $P \approx q^6$ [LV00].
XTR = this idea + efficient arithmetic.

Why does it work?
Background: the $n$-th cyclotomic polynomial is $\Phi_n(x) = \prod_{0 < k < n,\ \gcd(k, n) = 1} (x - e^{2\pi i k/n})$, with $\deg \Phi_n(x) = \varphi(n)$.
$|GF(q^n)^*| = q^n - 1 = \prod_{d \mid n} \Phi_d(q)$.
But $\Phi_6(q) = q^2 - q + 1$, as in [BPV99].
So $\Phi_6(q) \mid |GF(q^6)^*|$, and one can show $GF(q^6)$ is the smallest such field: a prime $p \mid \Phi_6(q)$ with $p > 6$ divides $q^d - 1$ for no $d < 6$, so $G$ lies in no proper subfield.
Recall $|G| \mid (q^2 - q + 1)$.
Best attack: the number field sieve, which uses the field structure, so its running time depends on the minimal field containing $G$.

Representation problem
Save even more? Use $G \subseteq GF(q^n)^*$ for $n > 6$ with $|G| = \Phi_n(q)$?
Savings: $\log |G| = \varphi(n) \log q$ bits vs. $n \log q$ bits. The ratio $\varphi(n)/n$ decreases like $1/\log\log n$ when $n$ is a product of the first several distinct primes.
But how to represent elements of $G$? Want $< n \log q$ bits, ideally $\varphi(n) \log q$ bits.
[BPV99] represent $G$ with $|G| \mid \Phi_6(q)$ using $2 \log q$ bits.
[BHV02, RS03] show there is no straightforward way to extend [BPV99] to $n$ a product of $\geq 3$ distinct primes.

Torus-Based Cryptography
[RS03]: the group $T_n \subseteq GF(q^n)^*$ of order $\Phi_n(q)$ is just the $GF(q)$-points of an algebraic torus.
=> Extending [BPV99] = rational parameterization of the algebraic torus.
Only known how to do this if $n$ is a product of $\leq 2$ prime powers. [RS03] give another cryptosystem for $n = 6$.
But we need $n$ a product of $\geq 3$ distinct primes for the savings ratio $\varphi(n)/n$ to get better.

Our Relaxation
Relax the requirement of representing individual elements of $T_n$, and observe that for some applications:
1. We don't need to rationally parameterize the torus.
2. We get optimal communication for signatures and public-key encryption.
3. We get asymptotically optimal communication for key exchange.
It suffices to represent a sequence of $m$ elements of $T_n$ with $m \varphi(n) \log q + C$ bits, $C$ independent of $m$.
Assume $\Phi_n(q) = |T_n|$ is prime; otherwise let $G \subseteq T_n$ have large prime order.

Solving the Relaxed Problem
Let $n$ be the product of the first $k$ primes, so the Möbius function gives $\mu(n) = (-1)^k$.
Construct efficiently computable bijections $\theta$, $\theta^{-1}$:
$\theta: T_n \times \prod_{d \mid n,\ \mu(n/d) = -1} GF(q^d)^* \to \prod_{d \mid n,\ \mu(n/d) = +1} GF(q^d)^*$
The two sides have the same size, since Möbius inversion of $q^n - 1 = \prod_{d \mid n} \Phi_d(q)$ gives $|T_n| = \Phi_n(q) = \prod_{d \mid n} (q^d - 1)^{\mu(n/d)}$.

Developing the Bijections
Example $n = 2 \cdot 3 \cdot 5 = 30$:
$\theta: T_{30} \times GF(q)^* \times GF(q^6)^* \times GF(q^{10})^* \times GF(q^{15})^* \to GF(q^2)^* \times GF(q^3)^* \times GF(q^5)^* \times GF(q^{30})^*$
Strategy:
For $e = 1, 6, 10, 15$, map $GF(q^e)^*$ into $\prod_{d \mid e} T_d$.
Collect the tuple $C = \prod_{e \in \{1, 6, 10, 15\}} \prod_{d \mid e} T_d$.
Use $T_{30}$ and permute $C$ to get $C' = \prod_{e \in \{2, 3, 5, 30\}} \prod_{d \mid e} T_d$ (once $T_{30}$ is added, both tuples contain the same multiset of factors $T_d$).
For $e = 2, 3, 5, 30$, decompose $C'$ to map $\prod_{d \mid e} T_d$ into $GF(q^e)^*$.
The map $\theta^{-1}$ is similar.
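The counting behind the "Why does it work?", "Representation problem", "Solving the Relaxed Problem" and "Developing the Bijections" slides, as an added example that is not part of the talk: the Möbius function, $\varphi(n)$, $\Phi_n(q)$ computed by Möbius inversion, the two sides of $\theta$ for a given $n$, and the check that the multiset of $T_d$ factors on both sides matches (it does for every squarefree $n$, not only $n = 30$). The values of $n$ and $q$ used are the example's own choices.

```python
# Added example (not from the slides): integer checks of the counting behind
# theta. n and q are chosen here for illustration only.
from math import prod


def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    ps, p = [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        ps.append(n)
    return ps


def mobius(n):
    """Moebius function: (-1)^k for n a product of k distinct primes, else 0."""
    m, p, k = n, 2, 0
    while p * p <= m:
        if m % p == 0:
            m //= p
            if m % p == 0:
                return 0
            k += 1
        p += 1
    if m > 1:
        k += 1
    return (-1) ** k


def phi(n):
    """Euler's totient: the degree of Phi_n, i.e. log q-bit units per torus element."""
    r = n
    for p in prime_factors(n):
        r = r // p * (p - 1)
    return r


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def cyclotomic_at(n, q):
    """Phi_n(q) = |T_n| by Moebius inversion of q^n - 1 = prod_{d|n} Phi_d(q):
    Phi_n(q) = prod_{d|n} (q^d - 1)^{mu(n/d)}, which is an exact integer."""
    num = prod(q**d - 1 for d in divisors(n) if mobius(n // d) == +1)
    den = prod(q**d - 1 for d in divisors(n) if mobius(n // d) == -1)
    assert num % den == 0
    return num // den


def theta_sides(n):
    """Exponents d on the domain side of theta (mu(n/d) = -1, next to T_n)
    and on the range side (mu(n/d) = +1)."""
    ds = divisors(n)
    return ([d for d in ds if mobius(n // d) == -1],
            [d for d in ds if mobius(n // d) == +1])


def theta_sizes(n, q):
    """(|domain|, |range|) of theta; they are equal, so a bijection can exist."""
    minus, plus = theta_sides(n)
    dom = cyclotomic_at(n, q) * prod(q**d - 1 for d in minus)
    rng = prod(q**d - 1 for d in plus)
    return dom, rng


def torus_factors(es):
    """Multiset of T_d factors from decomposing each GF(q^e)^* into prod_{d|e} T_d."""
    return sorted(d for e in es for d in divisors(e))


def sides_match(n):
    """The 'Developing the Bijections' strategy needs the domain's T_d factors,
    plus T_n itself, to equal the range's T_d factors as a multiset."""
    minus, plus = theta_sides(n)
    return sorted(torus_factors(minus) + [n]) == torus_factors(plus)


def savings_ratio(n):
    """phi(n)/n: torus bits relative to the plain field representation."""
    return phi(n) / n
```

`sides_match` holds for all squarefree $n$ because $\sum_{e:\, d \mid e \mid n} \mu(n/e)$ is $1$ for $d = n$ and $0$ otherwise, which is why the permutation step of the strategy exists at all.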

The Bijections
Question: which map $\psi: GF(q^e)^* \to \prod_{d \mid e} T_d$ to use?
If $\gcd(|T_a|, |T_b|) = 1$ for all distinct $a, b \mid e$, then the domain and range of $\psi$ are isomorphic; this follows from the structure theorem for cyclic groups:
Let $H_1, \dots, H_k$ be cyclic groups with $\gcd(|H_i|, |H_j|) = 1$ for all $i \neq j$, let $m = |H_1| \cdots |H_k|$, and let $G_m$ be cyclic of order $m$ (each $H_i$ is identified with the unique subgroup of $G_m$ of order $|H_i|$). Then $\psi: G_m \to H_1 \times \dots \times H_k$ and $\psi^{-1}$ are isomorphisms:
$\psi(\gamma) = (\gamma^{m/|H_i|})_{i \in [k]}$
$\psi^{-1}(\gamma_1, \dots, \gamma_k) = \gamma_1^{e_1} \cdots \gamma_k^{e_k}$, where $e_i \cdot m/|H_i| \equiv 1 \pmod{|H_i|}$.

$\psi$: The General Case
$GF(q^e)^* \not\cong \prod_{d \mid e} T_d$ if $\gcd(|T_a|, |T_b|) > 1$ for some distinct $a, b \mid e$.
Idea: divide out the common factors $U$ of the $|T_d|$ and decompose $\psi$ into an isomorphism + a table lookup.
Example: map $GF(q^2)^*$ to $T_1 \times T_2$.
$|T_1| = q - 1$, $|T_2| = q + 1$, so $2 \mid \gcd(|T_1|, |T_2|)$.
Suppose $2 \mid (q - 1)$, $4 \mid (q + 1)$, and $\gcd(|T_1|/2, |T_2|/4) = 1$ (here $U = 8$; with $(q-1)/2$ and $(q+1)/4$ both odd, the factors below are pairwise coprime as the structure theorem needs).
$GF(q^2)^* \cong G_8 \times G_{(q-1)/2} \times G_{(q+1)/4}$
Bijection from $G_8$ to $G_2 \times G_4$ using a table lookup (a bijection of sets, not a homomorphism: $G_8 \not\cong G_2 \times G_4$).
$G_2 \times G_{(q-1)/2} \cong T_1$ and $G_4 \times G_{(q+1)/4} \cong T_2$
+ The isomorphisms are efficient using the structure theorem.
+ The table is efficient since it is small.

Parameter Selection
Choose $q$ wisely: we want a small table, i.e. small $U$.
Heuristic algorithm for $n = 30, 210$:
- Choose a random $q$ of a certain size.
- Check that $\Phi_n(q)$ contains a large prime factor, by trial division of the small factors.
- Check that $U$ is small.
Theoretical algorithm for general $n$:
- Choose a random prime $r$ first.
- Choose $q$ at random subject to $r \mid \Phi_n(q)$.
- Test $q$ to ensure $U$ is small.
Density theorems => terminates quickly w.h.p.
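Both parameter-selection strategies of this slide for $n = 30$, at toy sizes so they run in well under a second, as an added example that is not the talk's own code. The bit lengths, the trial-division bound and the RNG seeds are this example's choices; the "$U$ is small" test is not reproduced, since the slides do not define $U$ precisely enough to implement it. For the second strategy the example uses the standard fact that $r \equiv 1 \pmod{30}$ makes $GF(r)$ contain an element $z$ of exact order 30, which is a root of $\Phi_{30}$ modulo $r$, so any $q \equiv z \pmod r$ has $r \mid \Phi_{30}(q)$.

```python
# Added example (not from the slides): the two parameter-selection strategies
# for n = 30 at toy sizes. Bit lengths, bound and seeds are chosen here.
import random


def phi30(q):
    """Phi_30(x) = x^8 + x^7 - x^5 - x^4 - x^3 + x + 1, i.e. |T_30| over GF(q)."""
    return q**8 + q**7 - q**5 - q**4 - q**3 + q + 1


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with witnesses drawn from a generator seeded by n."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def trial_divide(n, bound):
    """Strip all prime factors below bound; return (smooth part, cofactor)."""
    smooth, p = 1, 2
    while p < bound and n > 1:
        while n % p == 0:
            n, smooth = n // p, smooth * p
        p += 1 if p == 2 else 2
    return smooth, n


def heuristic_q(bits, bound=4096, seed=1, tries=10000):
    """Heuristic of the slide: random prime q of the given size until Phi_30(q)
    is a small smooth part times a large probable prime. Returns (q, smooth, p)."""
    rng = random.Random(seed)
    for _ in range(tries):
        q = random_prime(bits, rng)
        smooth, cofactor = trial_divide(phi30(q), bound)
        if smooth.bit_length() <= 16 and is_probable_prime(cofactor):
            return q, smooth, cofactor
    return None


def q_from_prime_r(r_bits, q_bits, seed=2, tries=100000):
    """Theoretical variant: fix a prime r = 1 (mod 30) first, take z of exact
    order 30 in GF(r) (a root of Phi_30 mod r), then search q = z (mod r) of
    the wanted size for a prime. Returns (r, q) with r | Phi_30(q)."""
    rng = random.Random(seed)
    while True:
        r = random_prime(r_bits, rng)
        if r % 30 == 1:
            break
    while True:
        z = pow(rng.randrange(2, r - 1), (r - 1) // 30, r)
        if all(pow(z, 30 // p, r) != 1 for p in (2, 3, 5)):   # exact order 30
            break
    assert phi30(z) % r == 0
    lo, hi = (1 << (q_bits - 1)) // r, (1 << q_bits) // r
    for _ in range(tries):
        q = z + r * rng.randrange(lo, hi)
        if is_probable_prime(q):
            return r, q
    return None
```

At real sizes the same loops are run with $q$ and $r$ of cryptographic length, the trial-division bound raised, and the cofactor primality test replaced by a proper library call; the structure of the search does not change.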

Applying the Bijections
$\theta: T_n \times \prod_{d \mid n,\ \mu(n/d) = -1} GF(q^d)^* \to \prod_{d \mid n,\ \mu(n/d) = +1} GF(q^d)^*$
Let $\Sigma^- = \sum_{d \mid n,\ \mu(n/d) = -1} d$ and $\Sigma^+ = \sum_{d \mid n,\ \mu(n/d) = +1} d$.
Think of $\theta$ as a map $T_n \times \mathbb{F}_q^{\Sigma^-} \to \mathbb{F}_q^{\Sigma^+}$ (each $GF(q^d)$ viewed as $d$ coordinates over $\mathbb{F}_q$).
There are negligibly few points where $\theta$ is undefined (the zeros excluded by the $^*$).
Handle these points separately, and use randomization to avoid bad points.
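As a worked check of the dimension count, added here and not taken from the slides: the two sides of $\theta$ differ by exactly $\varphi(n)$ coordinates over $\mathbb{F}_q$, because

$$\Sigma^+ - \Sigma^- = \sum_{d \mid n} \mu(n/d)\, d = \varphi(n),$$

which is Möbius inversion of $n = \sum_{d \mid n} \varphi(d)$. For $n = 30$: $\Sigma^- = 1 + 6 + 10 + 15 = 32$, $\Sigma^+ = 2 + 3 + 5 + 30 = 40$, and $40 - 32 = 8 = \varphi(30)$. So an output of $\theta$ carries the $\Sigma^-$ coordinates of its seed plus exactly $\varphi(n)$ fresh coordinates for the torus element, and feeding $\Sigma^-$ coordinates of each output back in as the next seed over $m$ evaluations costs $m\varphi(n)\log q + \Sigma^-\log q$ bits, i.e. $C = \Sigma^-\log q$, independent of $m$.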

Applications: efficient representation for large $m$
To represent $x_1, \dots, x_m \in T_n$:
choose a seed $s_1 \in \mathbb{F}_q^{\Sigma^-}$;
compute $\theta(x_1, s_1) = t_1 \in \mathbb{F}_q^{\Sigma^+}$;
split $t_1$ into $s_2 \times r_1 \in \mathbb{F}_q^{\Sigma^-} \times \mathbb{F}_q^{\varphi(n)}$;
compute $\theta(x_2, s_2) = t_2 \in \mathbb{F}_q^{\Sigma^+}$;
split $t_2$ into $s_3 \times r_2 \in \mathbb{F}_q^{\Sigma^-} \times \mathbb{F}_q^{\varphi(n)}$;
…
Output $r_1, \dots, r_m, s_{m+1}$.
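The bijection of the "The Bijections" and "The General Case" slides, instantiated for the smallest case $n = 2$ over $GF(11^2)$ exactly as the general-case slide prescribes (structure-theorem isomorphisms plus a small table for the common factor $U = 8$), followed by the chained sequence encoding of this "Applications" slide, as an added example that is not code from the talk. For $n = 2$ the map is $\theta: T_2 \times GF(q)^* \to GF(q^2)^*$ with $T_1 = GF(q)^*$; the choice $q = 11$ (so $(q-1)/2 = 5$ and $(q+1)/4 = 3$ are coprime and odd), the particular $G_8 \to G_2 \times G_4$ table and the sample inputs are this example's own. Bad points (outputs whose seed coordinate is zero) are handled by re-randomizing the seed, as the previous slide says.

```python
# Added example (not code from the talk): theta for n = 2 over GF(q^2), q = 11,
# built as on the "General Case" slide, then the chained sequence encoding of
# the "Applications" slide. Needs Python 3.8+ (pow(x, -1, m)).
import random

q = 11                  # q = 3 (mod 4), so GF(q^2) = GF(q)[i] / (i^2 + 1)
M = q * q - 1           # |GF(q^2)^*| = 120 = 8 * 5 * 3; |T_1| = 10, |T_2| = 12
ONE = (1, 0)
ELEMENTS = [(a, b) for a in range(q) for b in range(q) if (a, b) != (0, 0)]

def mul(x, y):
    # (a + b i)(c + d i) with i^2 = -1; elements of GF(q^2) are pairs (a, b)
    (a, b), (c, d) = x, y
    return ((a * c - b * d) % q, (a * d + b * c) % q)

def power(x, e):
    # square-and-multiply, exponent reduced mod the group order
    r, e = ONE, e % M
    while e:
        if e & 1:
            r = mul(r, x)
        x, e = mul(x, x), e >> 1
    return r

# generator of GF(q^2)^*: x^(M/p) != 1 for every prime p dividing M
G = next(x for x in ELEMENTS if all(power(x, M // p) != ONE for p in (2, 3, 5)))
T2_GEN = power(G, M // 12)          # generates T_2, the subgroup of order q + 1

def psi(gamma, m, orders):
    # structure theorem G_m -> H_1 x ... x H_k, gamma -> (gamma^(m/|H_i|))_i,
    # an isomorphism when the |H_i| are pairwise coprime with product m
    return tuple(power(gamma, m // h) for h in orders)

def psi_inv(parts, m, orders):
    # inverse: prod gamma_i^(e_i) with e_i * (m/|H_i|) = 1 (mod |H_i|)
    r = ONE
    for y, h in zip(parts, orders):
        r = mul(r, power(y, pow(m // h, -1, h)))
    return r

# common factor U = 8: GF(q^2)^* = G_8 x G_5 x G_3, and G_8 is matched with
# G_2 x G_4 by a table (a bijection of sets; G_8 is not isomorphic to G_2 x G_4)
H8, H2, H4 = power(G, M // 8), power(G, M // 2), power(G, M // 4)
TABLE = {power(H8, j): (power(H2, j % 2), power(H4, j // 2)) for j in range(8)}
TABLE_INV = {v: k for k, v in TABLE.items()}

def theta_inv(gamma):
    # GF(q^2)^* -> T_2 x T_1, where T_1 = GF(q)^* = the pairs (a, 0)
    g8, g5, g3 = psi(gamma, M, (8, 5, 3))
    g2, g4 = TABLE[g8]
    s = psi_inv((g2, g5), 10, (2, 5))      # G_2 x G_5 = T_1
    x = psi_inv((g4, g3), 12, (4, 3))      # G_4 x G_3 = T_2
    return x, s

def theta(x, s):
    # T_2 x T_1 -> GF(q^2)^*, the inverse of theta_inv
    g2, g5 = psi(s, 10, (2, 5))
    g4, g3 = psi(x, 12, (4, 3))
    return psi_inv((TABLE_INV[(g2, g4)], g5, g3), M, (8, 5, 3))

def count_images():
    # theta(theta_inv(gamma)) == gamma on all 120 elements, and theta_inv lands
    # in T_2 x T_1, so the number of distinct images is 120 = |T_2| * |T_1|
    images = set()
    for gamma in ELEMENTS:
        x, s = theta_inv(gamma)
        assert power(x, 12) == ONE and s[1] == 0 and s[0] != 0
        assert theta(x, s) == gamma
        images.add((x, s))
    return len(images)

def encode(xs, s1):
    # "Applications" slide for n = 2: m elements of T_2 become m elements of
    # GF(q) plus the final seed in GF(q)^*: (m + 1) log q bits, not 2m log q
    s, rs = s1, []
    for x in xs:
        a, b = theta(x, s)                 # t_i, split as s_{i+1} = a, r_i = b
        if a == 0:                         # bad point: s_{i+1} must be in GF(q)^*
            raise ValueError("bad point, re-randomize the seed")
        rs.append(b)
        s = (a, 0)
    return rs, s

def decode(rs, s_last):
    # invert the chain from the end: theta_inv((s_{i+1}, r_i)) = (x_i, s_i)
    s, xs = s_last, []
    for b in reversed(rs):
        x, s = theta_inv((s[0], b))
        xs.append(x)
    return xs[::-1], s

def roundtrip(m, seed=1):
    # constructed input: m random T_2 elements; seeds are tried in random
    # order until the chain hits no bad point, then decoded and compared
    rng = random.Random(seed)
    xs = [power(T2_GEN, rng.randrange(12)) for _ in range(m)]
    for a in rng.sample(range(1, q), q - 1):
        try:
            rs, s_last = encode(xs, (a, 0))
        except ValueError:
            continue
        ys, s1 = decode(rs, s_last)
        return ys == xs and s1 == (a, 0)
    return False
```

With $q$ this small a bad point occurs in roughly one chain step in twelve, which is why `roundtrip` may need several seeds; at cryptographic s sizes the same event has probability about $1/q$ per step, which is the "negligibly few points" of the previous slide.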

A Signature Scheme: Generalized ElGamal
ElGamal signatures work for any group, so use $T_n$.
The ElGamal box algorithm outputs $h \in T_n$ plus other stuff $I$, with the message $M$ inside $I$.
Write $I$ as $I_1 \times I_2 \in \mathbb{F}_q^{\Sigma^-} \times \{0,1\}^*$.
Output $\mathrm{sig}(M) = \theta(h, I_1), I_2$.
The verifier inverts $\theta$ and then runs ElGamal verification.
Key idea: embed the message into $\mathbb{F}_q^{\Sigma^-}$, so the signature is small.

Hybrid ElGamal Encryption
Let $a \in_R \{1, \dots, \Phi_n(q)\}$ be Alice's private key and $g^a$ her public key, with $g$ a generator of $T_n$. Let $E$ be a symmetric cipher.
Encrypt($m$):
(1) choose $k \in_R \{1, \dots, \Phi_n(q)\}$ and set $e = g^k$;
(2) derive a symmetric key $\kappa$ from $g^{ak}$;
(3) compute $E_\kappa(m) = (c, d) \in \mathbb{F}_q^{\Sigma^-} \times \{0,1\}^*$;
(4) output $\theta(e, c), d$.
Decrypt: use $\theta^{-1}$ to recover $e$ and $c$, then $a$ to recover $g^{ak} = e^a$ and hence $\kappa$ and $E_\kappa(m)$, and finally $m$.
Key idea: embed $E_\kappa(m)$ into $\mathbb{F}_q^{\Sigma^-}$, so the ciphertext is small.

Conclusions & Future Work
Results:
- Compact representation of sequences of elements of $T_n$.
- Protocols with optimal communication: ElGamal signature / encryption (both hybrid and almost non-hybrid) schemes.
- Diffie-Hellman key exchange (asymptotically optimal).
Future work:
- Rational parameterization of the algebraic torus => efficient representation of single elements of $T_n$.
- Improvements to our computational costs: [vdWS] give about $21 \log q$ multiplications per evaluation of $\theta$.