Practical Cryptography in High Dimensional Tori Marten van Dijk 1, Robert Granger 2, Dan Page 2, Karl Rubin 3, Alice Silverberg 3, Martijn Stam 2, David.

Practical Cryptography in High Dimensional Tori
Marten van Dijk (1), Robert Granger (2), Dan Page (2), Karl Rubin (3), Alice Silverberg (3), Martijn Stam (2), David Woodruff (1)
(1) MIT CSAIL, (2) University of Bristol, (3) UC Irvine

Outline
1. Application of Torus Cryptography
2. Goals of Torus Cryptography
   - Security
   - Efficiency
     - Space: compression
     - Time: exponentiations
3. Our Contribution
4. Implementation
5. Conclusion

Sample Application
Target: secret key exchange over an insecure channel.
Setting: cyclic group G_q ⊆ F_{p^n}^* of order q.
One party picks a ∈ Z_q and sends g^a; the other picks b ∈ Z_q and sends g^b.
Shared key: g^{ab}.

Security
Setting: G_q ⊆ F_{p^n}^*. How to choose G_q?
Security: can't compute g^{ab} from g^a, g^b (CDH).
1. Pollard ρ: log_2 q > [bound not preserved in transcript]
2. Index calculus: n log_2 p > [bound not preserved in transcript]
3. Pohlig-Hellman: G_q not in a proper subfield

Security: Pohlig-Hellman
Setting: G_q ⊆ F_{p^n}^*. How to choose G_q?
Pohlig-Hellman: G_q not in a proper subfield.
F_{p^n}^* is cyclic of cardinality p^n − 1 = ∏_{d | n} Φ_d(p), where Φ_d is the d-th cyclotomic polynomial.
Φ_1(p) = p − 1, Φ_2(p) = p + 1, Φ_3(p) = p^2 + p + 1, Φ_6(p) = p^2 − p + 1.

Security: Pohlig-Hellman
Setting: G_q ⊆ F_{p^n}^*. How to choose G_q?
Pohlig-Hellman: G_q not in a proper subfield.
Example: |F_{p^6}^*| = p^6 − 1 = (p − 1)(p + 1)(p^2 + p + 1)(p^2 − p + 1) = Φ_1(p) · Φ_2(p) · Φ_3(p) · Φ_6(p).
Φ_d(p) ≈ p^{φ(d)}, where φ(d) is Euler's totient function.

Security: Pohlig-Hellman
Setting: G_q ⊆ F_{p^n}^*. How to choose G_q?
Pohlig-Hellman: G_q not in a proper subfield.
[Lenstra]: If q | Φ_n(p) and q > n, then G_q is not in a proper subfield.
The subgroup of order Φ_n(p) is the torus T_n(F_p).
Other tori: T_1 = {g ∈ F_{p^n}^* : g^{p−1} = 1} = F_p^*, T_2 = {g ∈ F_{p^n}^* : g^{p+1} = 1}, and in general T_d = {g ∈ F_{p^n}^* : g^{Φ_d(p)} = 1} for d | n.
Choose G_q ⊆ T_n(F_p).
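The cyclotomic factorisation and the subfield condition from the three Pohlig-Hellman slides, worked through in code. This is an added example, not code from the slides or from the authors' implementation: it builds Φ_d(x) by exact polynomial division from x^n − 1 = ∏_{d|n} Φ_d(x), checks the [Lenstra] criterion against the direct test "q divides p^d − 1 for some proper divisor d of n", computes φ(n)/n for the CEILIDH bound, and uses a minimal hand-rolled F_{p^2} = F_p[i]/(i^2 + 1) (valid only for p ≡ 3 mod 4) to show the cofactor projection onto T_1 and T_2. The prime p = 7, the subgroup order q = 43 = Φ_6(7), and the element (3, 5) are constructed sample values; all function names are my own.

```python
# Added example (not from the slides): cyclotomic factorisation of |F_{p^n}^*|,
# the "not in a proper subfield" checks, and a tiny F_{p^2} to see T_1 and T_2.
from fractions import Fraction
from functools import lru_cache
from math import gcd


def poly_mul(a, b):
    """Multiply integer polynomials given as coefficient lists, lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def poly_div_exact(num, den):
    """Divide num by the monic polynomial den; the division must be exact."""
    num = list(num)
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        coef = num[i + len(den) - 1]  # den is monic, so the leading coefficient is 1
        quot[i] = coef
        for j, d in enumerate(den):
            num[i + j] -= coef * d
    if any(num):
        raise ValueError("division is not exact")
    return quot


@lru_cache(maxsize=None)
def cyclotomic(n):
    """Coefficients of Phi_n(x), from x^n - 1 = prod_{d | n} Phi_d(x)."""
    num = [-1] + [0] * (n - 1) + [1]  # x^n - 1
    den = [1]
    for d in range(1, n):
        if n % d == 0:
            den = poly_mul(den, cyclotomic(d))
    return tuple(poly_div_exact(num, den))


def phi_value(d, p):
    """Phi_d(p) as an integer: the order of the torus T_d(F_p)."""
    return sum(c * p ** i for i, c in enumerate(cyclotomic(d)))


def totient(n):
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def torus_orders(p, n):
    """{d: |T_d(F_p)|} for every d | n; the product is |F_{p^n}^*| = p^n - 1."""
    return {d: phi_value(d, p) for d in range(1, n + 1) if n % d == 0}


def product_is_group_order(p, n):
    prod = 1
    for v in torus_orders(p, n).values():
        prod *= v
    return prod == p ** n - 1


def in_proper_subfield(q, p, n):
    """Direct test: the order-q subgroup sits inside F_{p^d}^* for a proper d | n iff q | p^d - 1."""
    return any((p ** d - 1) % q == 0 for d in range(1, n) if n % d == 0)


def lenstra_criterion(q, p, n):
    """Sufficient condition from the slide: q | Phi_n(p) and q > n."""
    return phi_value(n, p) % q == 0 and q > n


def compression_ratio(n):
    """phi(n)/n: the fraction of n log2 p bits a T_n(F_p) element ideally needs."""
    return Fraction(totient(n), n)


# Minimal F_{p^2} = F_p[i]/(i^2 + 1), valid for p = 3 mod 4 (elements are pairs (a, b) = a + b*i).
def f2_mul(x, y, p):
    a, b = x
    c, d = y
    return ((a * c - b * d) % p, (a * d + b * c) % p)


def f2_pow(x, e, p):
    result, base = (1, 0), x
    while e:
        if e & 1:
            result = f2_mul(result, base, p)
        base = f2_mul(base, base, p)
        e >>= 1
    return result


def in_torus(g, d, p):
    """g lies in T_d(F_p) inside F_{p^2}^* iff g^{Phi_d(p)} = 1 (d in {1, 2})."""
    return f2_pow(g, phi_value(d, p), p) == (1, 0)


def project_to_torus(g, d, p):
    """Cofactor map onto T_d(F_p): raise g to (p^2 - 1)/Phi_d(p), d | 2."""
    return f2_pow(g, (p * p - 1) // phi_value(d, p), p)
```

The Lenstra criterion is only sufficient: q = 3 divides p − 1 = 6 for p = 7, so G_3 lies in F_7^* and the criterion correctly rejects it, while q = 43 = Φ_6(7) > 6 passes and is confirmed by the direct test. The F_{p^2} part shows why T_1 is just F_p^*: anything raised to (p^2 − 1)/(p − 1) lands on an element with zero i-coordinate.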

Efficiency: Communication
Setting: G_q ⊆ T_n(F_p) ⊆ F_{p^n}^*.
- Represent G_q with n log_2 p bits.
- But G_q is much smaller! Can't we do better?
- We don't know how to efficiently achieve log_2 q bits.
- We can achieve |T_n(F_p)| ≈ φ(n) log_2 p bits for some n: LUC [LS], XTR [LV], CEILIDH [RS].

Efficiency: Communication
Setting: G_q ⊆ T_n(F_p) ⊆ F_{p^n}^*.
- Affine space A_n(F_p) = n-tuples (g_1, …, g_n) ∈ (F_p)^n.
- LUC: T_2(F_p) ↔ A_1(F_p).
- XTR: T_6(F_p) ↔ A_2(F_p).
- CEILIDH: T_n(F_p) ↔ A_{φ(n)}(F_p) if and only if n is a product of at most two prime powers.
- If n is the product of at most two prime powers, φ(n)/n ≥ 1/3, and this is achieved for n = 6.

Efficiency: Communication
Setting: G_q ⊆ T_n(F_p) ⊆ F_{p^n}^*.
- Ideally want a map T_n(F_p) ↔ A_{φ(n)}(F_p) for all n.
- [vdW]: ∀ n, ∃ m and a map T_n(F_p) × A_m(F_p) ↔ A_{m+φ(n)}(F_p).
- But I thought we wanted a different type of map…

Efficiency: Communication
Setting: G_q ⊆ T_n(F_p) ⊆ F_{p^n}^*.
Wanted: T_n(F_p) ↔ A_{φ(n)}(F_p).
Got: T_n(F_p) × A_m(F_p) ↔ A_{m+φ(n)}(F_p).
- Is this useful? Yes!
- If your application has m · log p extra bits E to transmit or store, apply the map to (g, E) and invert it on the other side.

Efficiency: Computation
- [vDW]: T_n(F_p) × A_m ↔ A_{m+φ(n)}.
- Problem 1: m may be too large for applications.
- Problem 2: very computationally inefficient.
- [vDW] ask: can the computation be reduced?

Our Contribution
Reduce m in the map T_n(F_p) × A_m ↔ A_{m+φ(n)}:
- better for more applications,
- more computationally efficient.
Give the first implementation of T_30(F_p) and show it is practical.

Our Contribution
Let n = 30. Our map is inspired by the equation Φ_30(p) · Φ_6(p) = Φ_6(p^5).
This suggests a mapping T_30(F_p) × T_6(F_p) ↔ T_6(F_{p^5}).
We can represent T_6(F_p) and T_6(F_{p^5}) using CEILIDH!
Get an "almost bijection" T_30(F_p) × A_2(F_p) ↔ A_10(F_p).
Affine surplus m = 2, instead of m = 32 in [vDW].

Our Contribution
T_30(F_p) × A_2(F_p) → (CEILIDH decompression) → T_30(F_p) × T_6(F_p) → (CRT) → T_6(F_{p^5}) → (CEILIDH compression) → A_2(F_{p^5}) = A_10(F_p)

Applications
Our map: T_30(F_p) × A_2(F_p) ↔ A_10(F_p).
Let's compress two elements of T_30(F_p) in different ways:
- Using CEILIDH: 20 p-ary symbols.
- Using [vDW]: 48 p-ary symbols.
- Using our map: 18 p-ary symbols.
Obtain a 10% ciphertext size reduction in ElGamal variants.
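The identity Φ_30(p) · Φ_6(p) = Φ_6(p^5) behind the n = 30 map, the cardinality match it gives, and the 20 / 48 / 18 symbol counts above, checked in code. This is an added example, not code from the slides or from the authors' implementation. The coefficient tuples are the standard cyclotomic polynomials Φ_6 and Φ_30; the chaining model is an assumption about how the counts arise (each application of a T_n × A_m ↔ A_{m+φ(n)} map emits φ(n) fresh symbols and carries m symbols into the next application, so k elements cost kφ(n) + m symbols); the CEILIDH figure takes T_30(F_p) inside T_6(F_{p^5}) compressed to A_2(F_{p^5}), i.e. 10 p-ary symbols per element. Function names and the sample primes are my own.

```python
# Added example (not from the slides): the cyclotomic identity behind the n = 30 map
# and p-ary symbol accounting for k torus elements under the three compression schemes.
from math import gcd

# Standard cyclotomic polynomials as coefficient tuples, lowest degree first.
PHI_6 = (1, -1, 1)                          # x^2 - x + 1
PHI_30 = (1, 1, 0, -1, -1, -1, 0, 1, 1)     # x^8 + x^7 - x^5 - x^4 - x^3 + x + 1


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def poly_compose_power(poly, k):
    """Return poly(x^k): coefficients spread k positions apart."""
    out = [0] * ((len(poly) - 1) * k + 1)
    for i, c in enumerate(poly):
        out[i * k] = c
    return out


def eval_poly(poly, x):
    return sum(c * x ** i for i, c in enumerate(poly))


def identity_holds():
    """Phi_30(x) * Phi_6(x) == Phi_6(x^5) as integer polynomials."""
    return poly_mul(PHI_30, PHI_6) == poly_compose_power(PHI_6, 5)


def cardinalities_match(p):
    """|T_30(F_p)| * |T_6(F_p)| == |T_6(F_{p^5})|, the source of the 'almost bijection'."""
    return eval_poly(PHI_30, p) * eval_poly(PHI_6, p) == eval_poly(PHI_6, p ** 5)


def totient(n):
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def symbols_chained(k, n, m):
    """p-ary symbols for k elements of T_n(F_p) via a map T_n x A_m -> A_{m+phi(n)}.
    Assumed chaining model: each application emits phi(n) fresh symbols and the
    remaining m symbols feed the next element; the final m are emitted at the end."""
    carried = m          # affine surplus: real payload or padding
    emitted = 0
    for _ in range(k):
        output = carried + totient(n)   # one application of the map
        emitted += output - m           # phi(n) symbols leave the chain
        carried = m                     # m symbols go into the next application
    return emitted + carried


def symbols_ceilidh_via_t6(k):
    """T_30(F_p) embeds in T_6(F_{p^5}); CEILIDH gives A_2(F_{p^5}) = 10 p-ary symbols each."""
    return 2 * 5 * k


def symbols_vdw(k):
    """[vDW] map for n = 30 has affine surplus m = 32."""
    return symbols_chained(k, 30, 32)


def symbols_ours(k):
    """This paper's map for n = 30 has affine surplus m = 2."""
    return symbols_chained(k, 30, 2)


def break_even():
    """Smallest number of elements at which the m = 2 map beats plain CEILIDH."""
    k = 1
    while symbols_ours(k) >= symbols_ceilidh_via_t6(k):
        k += 1
    return k


def elgamal_saving_percent():
    """An ElGamal ciphertext is two group elements."""
    base = symbols_ceilidh_via_t6(2)
    return 100 * (base - symbols_ours(2)) / base
```

Under this model a single element costs 10 symbols either way, two elements cost 18 instead of 20, and the advantage grows linearly with k; break_even() returning 2 is the "as few as 2 elements" statement from the conclusion in numbers.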

Our Contribution
Also have T_210 × A_22 → A_232. For n = 210, [vDW] had m = 264.
Simplicity of the map greatly improves computation. For n = 30:
- forward direction = 1 multiplication + CEILIDH maps;
- reverse direction = 1 exponentiation + CEILIDH maps.

Parameter Selection
We only consider T_30(F_p) ⊆ F_{p^30}^*. Using a Macintosh G5 dual 2.5 GHz computer, we got (numeric entries not preserved in the transcript):
log_2 |G_q| | log_2 p | Security | How long did it take us?
[…] | […] | […]-bit RSA | ~1 per minute
[…] | […] | […]-bit RSA | ~1 per hour

Timings
Compression and decompression: T_6(F_{p_L}) | T_30(F_{p_S})
Compress: .13 ms (only one value preserved in the transcript)
Decompress: .19 ms | 4.9 ms
Exponentiation: T_6(F_{p_L}) | T_30(F_{p_S})
Binary: 5.21 ms | 9.12 ms
Sliding window: 4.39 ms | 7.53 ms
p_S-ary: 3.11 ms (only one value preserved in the transcript)
JSF single: 2.79 ms | 4.57 ms
Timings based on log_2(p_L) ≈ 5 log_2(p_S), and G_q with log_2 q ≈ [value not preserved]; machine: [clock speed not preserved] GHz Pentium 4 with 1 GB of memory.

Conclusion
- T_30(F_p) crypto is practical!
- Compression outperforms existing schemes for as few as 2 elements.
- The method is only slightly slower (2-3) than T_6(F_{p^5}) and XTR.