# Practical Cryptography in High Dimensional Tori

Artificial Intelligence and Robotics

21 Nov 2013

Marten van Dijk¹, Robert Granger², Dan Page², Karl Rubin³, Alice Silverberg³, Martijn Stam², David Woodruff¹

¹ MIT CSAIL, ² University of Bristol, ³ UC Irvine

## Outline

1. Application of Torus Cryptography
2. Goals of Torus Cryptography
   - Security
   - Efficiency
     - Space: Compression
     - Time: Exponentiations
3. Our Contribution
4. Implementation
5. Conclusion

## Sample Application

Target: secret key exchange over an insecure channel.

Setting: cyclic group $G_q \subseteq \mathbb{F}_{p^n}^*$ of order $q$.

- One party picks $a \in \mathbb{Z}_q$ and sends $g^a$; the other picks $b \in \mathbb{Z}_q$ and sends $g^b$
- Key: $g^{ab}$


## Security

Setting: $G_q \subseteq \mathbb{F}_{p^n}^*$. How to choose $G_q$?

Security: can't compute $g^{ab}$ from $g^a$, $g^b$ (CDH).

1. Pollard rho: $\log_2 q > 160$
2. Index calculus: $n \log_2 p > 1024$
3. Pohlig-Hellman: $G_q$ not in a proper subfield

## Security: Pohlig-Hellman

Setting: $G_q \subseteq \mathbb{F}_{p^n}^*$. How to choose $G_q$?

Pohlig-Hellman: $G_q$ not in a proper subfield.

$\mathbb{F}_{p^n}^*$ is cyclic of cardinality
$$p^n - 1 = \prod_{d \mid n} \Phi_d(p),$$
where $\Phi_d(p)$ is the $d$-th cyclotomic polynomial evaluated at $p$:
$$\Phi_1(p) = p - 1,\quad \Phi_2(p) = p + 1,\quad \Phi_3(p) = p^2 + p + 1,\quad \Phi_6(p) = p^2 - p + 1.$$

Example:
$$|\mathbb{F}_{p^6}^*| = p^6 - 1 = (p-1)(p+1)(p^2+p+1)(p^2-p+1) = \Phi_1(p)\,\Phi_2(p)\,\Phi_3(p)\,\Phi_6(p).$$

$\Phi_d(p) \approx p^{\varphi(d)}$, where $\varphi(d)$ is Euler's totient function.

[Lenstra]: If $q \mid \Phi_n(p)$ and $q > n$, then $G_q$ is not in a proper subfield.

The subgroup of order $\Phi_n(p)$ is the torus $T_n(\mathbb{F}_p)$.

Other tori:

- $T_1 = \{g \in \mathbb{F}_{p^n}^* : g^{p-1} = 1\} = \mathbb{F}_p^*$
- $T_2 = \{g \in \mathbb{F}_{p^n}^* : g^{p+1} = 1\}$
- $T_d = \{g \in \mathbb{F}_{p^n}^* : g^{\Phi_d(p)} = 1\}$ for $d \mid n$

Choose $G_q \subseteq T_n(\mathbb{F}_p)$.


## Efficiency: Communication

Setting: $G_q \subseteq T_n(\mathbb{F}_p) \subseteq \mathbb{F}_{p^n}^*$

- Represent $G_q$ with $n \log_2 p$ bits
- But $G_q$ is much smaller! Can't we do better?
- We don't know how to *efficiently* achieve $\log_2 q$ bits
- We can achieve $\log_2 |T_n(\mathbb{F}_p)| \approx \varphi(n) \log_2 p$ bits for some $n$: LUC [LS], XTR [LV], CEILIDH [RS]
## Efficiency: Communication

Setting: $G_q \subseteq T_n(\mathbb{F}_p) \subseteq \mathbb{F}_{p^n}^*$

- Affine space $\mathbb{A}^n(\mathbb{F}_p)$ = $n$-tuples $(g_1, \ldots, g_n) \in (\mathbb{F}_p)^n$
- LUC: $T_2(\mathbb{F}_p) \to \mathbb{A}^1(\mathbb{F}_p)$
- XTR: $T_6(\mathbb{F}_p) \to \mathbb{A}^2(\mathbb{F}_p)$
- CEILIDH: $T_n(\mathbb{F}_p) \to \mathbb{A}^{\varphi(n)}(\mathbb{F}_p)$ if and only if $n$ is a product of at most two prime powers
- If $n$ is the product of at most two prime powers, $\varphi(n)/n \ge 1/3$, and this is achieved for $n = 6$.
## Efficiency: Communication

Setting: $G_q \subseteq T_n(\mathbb{F}_p) \subseteq \mathbb{F}_{p^n}^*$

- Ideally want a map $T_n(\mathbb{F}_p) \to \mathbb{A}^{\varphi(n)}(\mathbb{F}_p)$ for all $n$
- [vDW]: $\forall n$, $\exists m$ and a map $T_n(\mathbb{F}_p) \times \mathbb{A}^m(\mathbb{F}_p) \to \mathbb{A}^{m + \varphi(n)}(\mathbb{F}_p)$
- But I thought we wanted a different type of map…

| $n$ | $m$ |
|---|---|
| 30 | 32 |
| 210 | 264 |
## Efficiency: Communication

Setting: $G_q \subseteq T_n(\mathbb{F}_p) \subseteq \mathbb{F}_{p^n}^*$

Wanted: $T_n(\mathbb{F}_p) \to \mathbb{A}^{\varphi(n)}(\mathbb{F}_p)$

Got: $T_n(\mathbb{F}_p) \times \mathbb{A}^m(\mathbb{F}_p) \to \mathbb{A}^{m + \varphi(n)}(\mathbb{F}_p)$

- Is this useful? Yes!
- With $m \cdot \log p$ extra bits $E$ to transmit or store, we can compute the map on $(g, E)$ and its inverse
## Efficiency: Computation

- [vDW]: $T_n(\mathbb{F}_p) \times \mathbb{A}^m \to \mathbb{A}^{m + \varphi(n)}$
- Problem 1: $m$ may be too large for applications
- Problem 2: *very* computationally inefficient
- [vDW]: Ask, can computation be reduced?


## Our Contribution

Reduce $m$ in the map $T_n(\mathbb{F}_p) \times \mathbb{A}^m \to \mathbb{A}^{m + \varphi(n)}$:

- Better for more applications
- More computationally efficient

Give the first implementation of $T_{30}(\mathbb{F}_p)$ and show it is practical.

## Our Contribution

Let $n = 30$. Our map is inspired by the equation:
$$\Phi_{30}(p) \cdot \Phi_6(p) = \Phi_6(p^5)$$

This suggests a mapping:
$$T_{30}(\mathbb{F}_p) \times T_6(\mathbb{F}_p) \to T_6(\mathbb{F}_{p^5})$$

We can represent $T_6(\mathbb{F}_p)$ and $T_6(\mathbb{F}_{p^5})$ using CEILIDH!

Get an "almost bijection"
$$T_{30}(\mathbb{F}_p) \times \mathbb{A}^2(\mathbb{F}_p) \to \mathbb{A}^{10}(\mathbb{F}_p)$$

Affine surplus $m = 2$, instead of $m = 32$ in [vDW].
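The following Python is an added example, not code from the slides or from the authors' implementation. It serves two of the slides above: it checks the cyclotomic factorisation $p^n - 1 = \prod_{d \mid n} \Phi_d(p)$, constructs elements of the tori $T_d$ inside $\mathbb{F}_{p^6}$, shows that an order-$q$ subgroup satisfying Lenstra's condition ($q \mid \Phi_n(p)$, $q > n$) lies in no proper subfield while a $T_2$ element does, runs the key exchange of the sample application in $G_q$, and verifies the identity $\Phi_{30}(p)\,\Phi_6(p) = \Phi_6(p^5)$ behind the $T_{30}$ map. Assumptions that are ours and not the deck's: $\mathbb{F}_{p^6}$ is built as $\mathbb{F}_p[x]/(\Phi_7(x))$, which is a field only when $p$ is a primitive root modulo 7; the parameters $p = 17$, $q = 13$ are constructed toy sizes (the slides use 32- or 64-bit $p$ and 160-bit $q$); and every function and class name (`ExtField`, `phi_at`, `demo`, ...) is ours.

```python
"""Added example (ours, not the authors' code): cyclotomic factorisation of p^n - 1,
the tori T_d inside F_{p^6}, Lenstra's subfield condition, the key exchange in G_q,
and the identity Phi_30(p) * Phi_6(p) = Phi_6(p^5). Assumptions: F_{p^6} is built as
F_p[x]/(Phi_7(x)), a field iff p mod 7 in {3, 5}; p = 17, q = 13 are constructed toy sizes."""
from functools import reduce

# ---- integer polynomials as coefficient lists, lowest degree first ----
def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def poly_divexact(num, den):  # quotient by monic den; division must be exact
    num, quot = list(num), [0] * (len(num) - len(den) + 1)
    for k in range(len(quot) - 1, -1, -1):
        quot[k] = num[k + len(den) - 1]
        for j, d in enumerate(den):
            num[k + j] -= quot[k] * d
    if any(num):
        raise ValueError("division not exact")
    return quot

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

def cyclotomic(d):  # Phi_d(x) = (x^d - 1) / prod_{e | d, e < d} Phi_e(x)
    den = reduce(poly_mul, (cyclotomic(e) for e in divisors(d) if e < d), [1])
    return poly_divexact([-1] + [0] * (d - 1) + [1], den)

def phi_at(d, p):  # Phi_d(p) as an integer
    return sum(c * p**i for i, c in enumerate(cyclotomic(d)))

def factorisation_holds(p, n):  # slide: p^n - 1 = prod_{d | n} Phi_d(p)
    return p**n - 1 == reduce(lambda x, y: x * y, (phi_at(d, p) for d in divisors(n)), 1)

def tower_identity_holds(p):  # slide: Phi_30(p) * Phi_6(p) = Phi_6(p^5), basis of the T_30 map
    return phi_at(30, p) * phi_at(6, p) == phi_at(6, p**5)

# ---- F_{p^k} = F_p[x]/(mod); elements are length-k coefficient lists ----
class ExtField:
    def __init__(self, p, mod):  # mod: monic irreducible polynomial of degree k
        self.p, self.mod, self.k = p, mod, len(mod) - 1
        self.one = [1] + [0] * (self.k - 1)

    def reduce(self, a):
        a = [c % self.p for c in a] + [0] * max(0, self.k - len(a))
        for i in range(len(a) - 1, self.k - 1, -1):  # fold x^i (i >= k) via x^k = -(lower terms)
            c = a[i]
            if c:
                for j, m in enumerate(self.mod):
                    a[i - self.k + j] = (a[i - self.k + j] - c * m) % self.p
        return a[:self.k]

    def mul(self, a, b):
        return self.reduce(poly_mul(a, b))

    def pow(self, a, e):  # square-and-multiply
        result, base = self.one, a
        while e:
            if e & 1:
                result = self.mul(result, base)
            base, e = self.mul(base, base), e >> 1
        return result

def nontrivial_power(F, cofactor):  # h^cofactor for h = x^2 + c1*x + c0, first one that is not 1
    for c0 in range(F.p):
        for c1 in range(F.p):
            g = F.pow([c0, c1, 1] + [0] * (F.k - 3), cofactor)
            if g != F.one:
                return g
    raise ValueError("no non-trivial element found")

def torus_element(F, d, n):  # non-identity element of T_d(F_p) = {g : g^Phi_d(p) = 1} in F_{p^n}
    return nontrivial_power(F, (F.p**n - 1) // phi_at(d, F.p))

def subgroup_element(F, n, q):  # element of prime order q, for q | p^n - 1
    return nontrivial_power(F, (F.p**n - 1) // q)

def in_proper_subfield(F, g, n):  # g in F_{p^d} for a proper divisor d of n iff g^(p^d) = g
    return any(F.pow(g, F.p**d) == g for d in divisors(n) if d < n)

def diffie_hellman(F, g, a, b):  # both sides derive g^(ab) from g^a and g^b (sample application)
    ga, gb = F.pow(g, a), F.pow(g, b)
    return F.pow(gb, a), F.pow(ga, b)

def demo(p=17, q=13, n=6):
    if p % 7 not in (3, 5):
        raise ValueError("Phi_7(x) is irreducible over F_p only for p a primitive root mod 7")
    F = ExtField(p, [1] * 7)          # Phi_7(x) = x^6 + x^5 + ... + x + 1
    g = subgroup_element(F, n, q)     # G_q: 13 | Phi_6(17) = 273 and 13 > 6, so Lenstra applies
    t2 = torus_element(F, 2, n)       # element of T_2(F_p): order divides p + 1
    alice, bob = diffie_hellman(F, g, 5, 11)
    return {
        "lenstra_condition": phi_at(n, p) % q == 0 and q > n,
        "g_has_order_q": F.pow(g, q) == F.one,
        "g_in_proper_subfield": in_proper_subfield(F, g, n),    # False: safe from Pohlig-Hellman
        "t2_in_proper_subfield": in_proper_subfield(F, t2, n),  # True: T_2 lies inside F_{p^2}
        "dh_keys_agree": alice == bob,
    }
```

Running `demo()` returns a dictionary of the five checks; the subfield test is the one that matters for Pohlig-Hellman: an element of $T_2$ has order dividing $p+1$, which divides $p^2-1$, so it is fixed by the Frobenius $g \mapsto g^{p^2}$ and lives in $\mathbb{F}_{p^2}$, whereas the order-13 element is fixed by none of $g \mapsto g^{p}, g^{p^2}, g^{p^3}$. The same helpers evaluate $\Phi_{30}$ and $\Phi_6$ at $p$ and $p^5$ to confirm the identity the $T_{30}$ construction rests on.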

## Our Contribution

$$T_{30}(\mathbb{F}_p) \times \mathbb{A}^2(\mathbb{F}_p)
\xrightarrow{\text{CEILIDH decompression}} T_{30}(\mathbb{F}_p) \times T_6(\mathbb{F}_p)
\xrightarrow{\text{CRT}} T_6(\mathbb{F}_{p^5})
\xrightarrow{\text{CEILIDH compression}} \mathbb{A}^2(\mathbb{F}_{p^5}) = \mathbb{A}^{10}(\mathbb{F}_p)$$

## Applications

Let's compress two elements of $T_{30}(\mathbb{F}_p)$ in different ways:

- Using CEILIDH, takes 20 $p$-ary symbols
- Using [vDW], takes 48 $p$-ary symbols
- Using our map, takes 8 + 10 = 18 $p$-ary symbols

Obtain 10% ciphertext size reduction in ElGamal variants.

Our map: $T_{30}(\mathbb{F}_p) \times \mathbb{A}^2(\mathbb{F}_p) \to \mathbb{A}^{10}(\mathbb{F}_p)$

## Our Contribution

Also have $T_{210} \times \mathbb{A}^{22} \to \mathbb{A}^{232}$; for $n = 210$, [vDW] needs $m = 264$.

Simplicity of the map greatly improves computation. For $n = 30$:

- Forward direction = 1 multiplication + CEILIDH maps
- Reverse direction = 1 exponentiation + CEILIDH maps


## Parameter Selection

We only consider $T_{30}(\mathbb{F}_p) \subseteq \mathbb{F}_{p^{30}}^*$.

Using a Macintosh G5 dual 2.5 GHz computer, we got:

| $\log_2 \lvert G_q \rvert$ | $\log_2 p$ | Security | How long did it take us? |
|---|---|---|---|
| 160 | 32 | 960-bit RSA | ~1 per minute |
| 200 | 64 | 1920-bit RSA | ~1 per hour |

## Timings

| | $T_6(\mathbb{F}_{p_L})$ | $T_{30}(\mathbb{F}_{p_S})$ |
|---|---|---|
| Compress | 0.13 ms | 0.13 ms |
| Decompress | 0.19 ms | 4.9 ms |

Exponentiation:

| | $T_6(\mathbb{F}_{p_L})$ | $T_{30}(\mathbb{F}_{p_S})$ |
|---|---|---|
| Binary | 5.21 ms | 9.12 ms |
| Sliding window | 4.39 ms | 7.53 ms |
| $p_S$-ary | – | 3.11 ms |
| JSF single | 2.79 ms | 4.57 ms |

Timings based on $\log_2(p_L) \approx 5 \log_2(p_S)$, and $G_q$ with $\log_2 q \approx 160$.

2.8 GHz Pentium 4 with 1 GB of memory.

## Conclusion

- $T_{30}(\mathbb{F}_p)$ crypto is practical!
- Compression outperforms existing schemes for as few as 2 elements
- The method is only slightly slower (2-3×) than $T_6(\mathbb{F}_{p^5})$ and XTR