Practical Cryptography in High Dimensional Tori - PowerPoint PPT Presentation
1 / 24
Title:
Practical Cryptography in High Dimensional Tori
Description:
... Cryptography in High Dimensional Tori. Marten van Dijk1, Robert Granger2, Dan Page2, Karl Rubin3, Alice Silverberg3, Martijn Stam2, David Woodruff1 ... – PowerPoint PPT presentation
Number of Views:29
Avg rating:3.0/5.0
Title: Practical Cryptography in High Dimensional Tori
1
Practical Cryptography in High Dimensional Tori
- Marten van Dijk1, Robert Granger2, Dan Page2,
- Karl Rubin3, Alice Silverberg3, Martijn Stam2,
- David Woodruff1
MIT CSAIL, University of Bristol, UC Irvine
2
Outline
- Application of Torus Cryptography
- Goals of Torus Cryptography
- Security
- Efficiency
- Space Compression
- Time Exponentiations
- Our Contribution
- Implementation
- Conclusion
3
Sample Application
Target Secret key exchange over insecure
channel Setting Cyclic group Gq µ Fpn of
order q
ga
b 2 Zq
a 2 Zq
gb
4
Outline
- Application of Torus Cryptography
- Goals of Torus Cryptography
- Security
- Efficiency
- Space Compression
- Time Exponentiations
- Our Contribution
- Implementation
- Conclusion
5
Security
- Setting Gq µ Fpn
- How to choose Gq?
- Security Cant compute gab from ga, gb (CDH)
- Pollard ? log2 q gt 160
- Index Calculus n log2 p gt 1024
- Pohlig-Hellman Gq not in proper subfield
6
Security Pohlig-Hellman
- Setting Gq µ Fpn
- How to choose Gq?
- Pohlig-Hellman Gq not in proper subfield
Fpn is cyclic of cardinality pn 1 ?d n
?d(p), ?d(p) is the d-th cyclotomic
polynomial. ?1(p) p-1, ?2(p) p1, ?3(p) p2
p 1, ?6(p) p2 p 1
7
Security Pohlig-Hellman
- Setting Gq µ Fpn
- How to choose Gq?
- Pohlig-Hellman Gq not in proper subfield
Example Fp6 p6-1 (p-1)(p1)(p2p1)(p2-p1
)
?1(p)?2(p) ?3(p) ?6(p) ?d(p) ¼ p?(d) , where
?(d) is Euler totient function
8
Security Pohlig-Hellman
- Setting Gq µ Fpn
- How to choose Gq?
- Pohlig-Hellman Gq not in proper subfield
Choose Gq µ Tn(Fp)
Lenstra If q ?n(p), q gt n, then Gq is not in
a proper subfield. Order
?n(p) subgroup is torus Tn(Fp) Other tori T1
g 2 Fpn gp-1 1 Fp , T2 g 2 Fpn
gp1 1 , Td g 2 Fpn g?d(p) 1 for d n
9
Outline
- Application of Torus Cryptography
- Goals of Torus Cryptography
- Security
- Efficiency
- Space Compression
- Time Exponentiations
- Our Contribution
- Implementation
- Conclusion
10
Efficiency Communication
Setting Gq µ Tn(Fp) µ Fpn
- - Represent Gq with n log2 p bits
- - But Gq is much smaller! Cant we do
better? - - We dont know how to efficiently achieve
log2 q bits - - We can achieve Tn(Fp) ¼ ?(n) log2 p bits
for some n - LUCLS, XTR LV,
CEILIDH RS
11
Efficiency Communication
Setting Gq µ Tn(Fp) µ Fpn
- - Affine space An(Fp) n-tuples (g1, , gn) 2
(Fp)n - - LUC T2(Fp) A1(Fp)
- - XTR T6(Fp) A2(Fp)
- CEILIDH Tn(Fp) A?(n)(Fp) if and only if n is a
product of at most two prime powers - If n the product of at most two prime powers,
?(n)/n gt 1/3 and this is achieved for n 6.
12
Efficiency Communication
Setting Gq µ Tn(Fp) µ Fpn
- - Ideally want a map Tn(Fp) A?(n) (Fp) for all
n - vdW 8 n, 9 m and a map Tn(Fp) x Am(Fp) Am
?(n)(Fp) - But I thought we wanted a different type of map
13
Efficiency Communication
Setting Gq µ Tn(Fp) µ Fpn
- Wanted Tn(Fp) A?(n)(Fp)
- Got Tn(Fp) x Am(Fp) Am ?(n)(Fp)
- - Is this useful? Yes!
- If your application has m log p extra bits E
to transmit or store, can compute ?(g, E)
14
Efficiency Computation
- vDW Tn(Fp) x Am Am ?(n)
- Problem 1 m may be too large for applications
- Problem 2 very computationally inefficient
- vDW Ask, can computation be reduced?
15
Outline
- Application of Torus Cryptography
- Goals of Torus Cryptography
- Security
- Efficiency
- Space Compression
- Time Exponentiations
- Our Contribution
- Implementation
- Conclusion
16
Our Contribution
- Reduce m in the map Tn(Fp) x Am Am ?(n)
- Better for more applications
- More computationally efficient
- Give the first implementation of T30(Fp) and show
it is practical
17
Our Contribution
- Let n 30. Our map is inspired by the equation
- ?30(p) ?6(p)
?6(p5) - This suggests a mapping
- T30(Fp) x T6(Fp)
T6(Fp5) - We can represent T6(Fp) and T6(Fp5) using
CEILIDH! - Get an almost bijection T30(Fp) x A2(Fp)
A10(Fp) - Affine surplus m 2, instead of m 32 in vDW
18
Our Contribution
T30(Fp) x A2(Fp)
T30(Fp) x T6(Fp)
T6(Fp5)
A2(Fp5) A10(Fp)
19
Applications
Our map T30(Fp) x A2(Fp) A10(Fp)
- Lets compress two elements of T30(Fp) in
different ways - Using CEILIDH, takes 20 p-ary symbols
- Using vDW, takes 48 p-ary symbols
- Using our map, takes 8 10 18 p-ary symbols
- Obtain 10 ciphertext size reduction in ElGamal
variants
20
Our Contribution
- Also have
- T210 x A22 ! A232
- For n 210, vDW had m 264
- Simplicity of map greatly improves computation
- For n 30,
- Forward direction 1 multiplication
CEILIDH maps - Reverse direction 1 exponentiation
CEILIDH maps
21
Outline
- Application of Torus Cryptography
- Goals of Torus Cryptography
- Security
- Efficiency
- Space Compression
- Time Exponentiations
- Our Contribution
- Our Implementation
- Conclusion
22
Parameter Selection
- We only consider T30(Fp) µ Fp30
- Using a Macintosh G5 dual 2.5GHz computer, we got
23
Timings
- Timings based on log2(pL) ¼ 5 log2(pS), and Gq
with log2 q ¼ 160 - 2.8 GHz Pentium 4 with 1GB of memory
24
Conclusion
- T30(Fp) crypto is practical!
- Compression outperforms existing schemes for as
few as 2 elements - The method is only slightly slower (2-3) than
T6(Fp5) and XTR
