Practical Cryptography in High Dimensional Tori

Uploaded by innocentsick under Artificial Intelligence and Robotics, 21 Nov 2013

Marten van Dijk (1), Robert Granger (2), Dan Page (2), Karl Rubin (3), Alice Silverberg (3), Martijn Stam (2), David Woodruff (1)

(1) MIT CSAIL, (2) University of Bristol, (3) UC Irvine

Outline

1. Application of Torus Cryptography
2. Goals of Torus Cryptography
   - Security
   - Efficiency
     - Space: Compression
     - Time: Exponentiations
3. Our Contribution
4. Implementation
5. Conclusion

Sample Application

Target: secret key exchange over an insecure channel

Setting: cyclic group G_q ⊆ F*_{p^n} of order q

  a ∈ Z_q  ---- g^a ---->
           <---- g^b ----  b ∈ Z_q

Key: g^{ab}

Security

Setting: G_q ⊆ F*_{p^n}. How to choose G_q?

Security: can't compute g^{ab} from g^a, g^b (CDH)

1. Pollard rho: log_2 q > 160
2. Index calculus: n log_2 p > 1024
3. Pohlig-Hellman: G_q not in a proper subfield

Security: Pohlig-Hellman

Setting: G_q ⊆ F*_{p^n}. How to choose G_q?

Pohlig-Hellman: G_q not in a proper subfield

F*_{p^n} is cyclic of cardinality

  p^n - 1 = ∏_{d | n} Φ_d(p),

where Φ_d(p) is the d-th cyclotomic polynomial evaluated at p:

  Φ_1(p) = p - 1,  Φ_2(p) = p + 1,  Φ_3(p) = p^2 + p + 1,  Φ_6(p) = p^2 - p + 1

Security: Pohlig-Hellman

Setting: G_q ⊆ F*_{p^n}. How to choose G_q?

Pohlig-Hellman: G_q not in a proper subfield

Example: |F*_{p^6}| = p^6 - 1 = (p - 1)(p + 1)(p^2 + p + 1)(p^2 - p + 1)
                             = Φ_1(p) · Φ_2(p) · Φ_3(p) · Φ_6(p)

Φ_d(p) ≈ p^{φ(d)}, where φ(d) is Euler's totient function

Security: Pohlig-Hellman

Setting: G_q ⊆ F*_{p^n}. How to choose G_q?

Pohlig-Hellman: G_q not in a proper subfield

[Lenstra]: If q | Φ_n(p) and q > n, then G_q is not in a proper subfield.

The subgroup of order Φ_n(p) is the torus T_n(F_p).

Other tori: T_1 = {g ∈ F*_{p^n} : g^{p-1} = 1} = F*_p,
            T_2 = {g ∈ F*_{p^n} : g^{p+1} = 1},
            T_d = {g ∈ F*_{p^n} : g^{Φ_d(p)} = 1} for d | n

Choose G_q ⊆ T_n(F_p)
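As an added example (not part of the talk or its authors' code), the cyclotomic factorisation of p^n - 1 from the previous slides and Lenstra's subfield criterion, worked out in Python on constructed toy parameters p = 3, n = 30, q = 271 (a prime factor of Φ_30(3)). The three size and subfield conditions from the Security slide are checked together; the size thresholds naturally fail at toy sizes. All function names are this example's own.

```python
# Added example: cyclotomic factorisation of |F*_{p^n}| = p^n - 1 and the
# subfield check for a prime-order subgroup G_q.  Toy parameters only.
from math import gcd, log2, prod


def cyclotomic_poly(n):
    """Integer coefficients of Phi_n(x), lowest degree first, obtained from
    x^n - 1 = prod_{d | n} Phi_d(x) by dividing out Phi_d for every proper divisor d."""
    poly = [-1] + [0] * (n - 1) + [1]            # x^n - 1
    for d in range(1, n):
        if n % d == 0:
            poly = _exact_div(poly, cyclotomic_poly(d))
    return poly


def _exact_div(a, b):
    """Exact division a / b of integer polynomials (lowest degree first); b is monic."""
    a = list(a)
    q = [0] * (len(a) - len(b) + 1)
    for i in range(len(q) - 1, -1, -1):          # cancel the leading term at each step
        q[i] = a[i + len(b) - 1]
        for j, bj in enumerate(b):
            a[i + j] -= q[i] * bj
    assert not any(a), "division was not exact"
    return q


def phi_at(d, p):
    """Phi_d evaluated at the integer p."""
    return sum(c * p**i for i, c in enumerate(cyclotomic_poly(d)))


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def euler_totient(n):
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def cyclotomic_factorisation(p, n):
    """The factors Phi_d(p), d | n, whose product is |F*_{p^n}| = p^n - 1."""
    return {d: phi_at(d, p) for d in divisors(n)}


def in_proper_subfield(q, p, n):
    """Does the order-q subgroup G_q of F*_{p^n} lie in a proper subfield F_{p^d}?
    It does exactly when q divides |F*_{p^d}| = p^d - 1 for some d | n with d < n."""
    return any((p**d - 1) % q == 0 for d in divisors(n) if d < n)


def lenstra_criterion(q, p, n):
    """[Lenstra]: q | Phi_n(p) and q > n guarantee that G_q is in no proper subfield."""
    return phi_at(n, p) % q == 0 and q > n


def check_parameters(p, n, q):
    """The three conditions from the Security slide for choosing G_q in F*_{p^n}."""
    return {
        "pollard_rho_ok": log2(q) > 160,           # generic DLP algorithms in G_q
        "index_calculus_ok": n * log2(p) > 1024,   # DLP in the full field F_{p^n}
        "lenstra_ok": lenstra_criterion(q, p, n),
        "in_proper_subfield": in_proper_subfield(q, p, n),
    }


if __name__ == "__main__":
    print(cyclotomic_factorisation(7, 6))          # Phi_1(7) ... Phi_6(7), product 7^6 - 1
    print(check_parameters(3, 30, 271))            # constructed toy parameters
```

With p = 3, n = 30 the factor Φ_30(3) = 8401 = 31 · 271, so q = 271 satisfies Lenstra's criterion and `in_proper_subfield` confirms that 271 divides none of 3^d - 1 for d a proper divisor of 30; q = 7 = Φ_6(3) is the opposite case, since 7 divides 3^6 - 1.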

Efficiency: Communication

Setting: G_q ⊆ T_n(F_p) ⊆ F*_{p^n}

- Represent G_q with n log_2 p bits
- But G_q is much smaller! Can't we do better?
- We don't know how to efficiently achieve log_2 q bits
- We can achieve |T_n(F_p)| ≈ p^{φ(n)}, i.e. φ(n) log_2 p bits, for some n

LUC [LS], XTR [LV], CEILIDH [RS]

Efficiency: Communication

Setting: G_q ⊆ T_n(F_p) ⊆ F*_{p^n}

- Affine space A^n(F_p) = n-tuples (g_1, …, g_n) ∈ (F_p)^n
- LUC: T_2(F_p) ↔ A^1(F_p)
- XTR: T_6(F_p) ↔ A^2(F_p)
- CEILIDH: T_n(F_p) ↔ A^{φ(n)}(F_p) if and only if n is a product of at most two prime powers
- If n is the product of at most two prime powers, φ(n)/n >= 1/3, and this is achieved for n = 6.

Efficiency: Communication

Setting: G_q ⊆ T_n(F_p) ⊆ F*_{p^n}

- Ideally want a map T_n(F_p) ↔ A^{φ(n)}(F_p) for all n
- [vdW]: ∀ n, ∃ m and a map T_n(F_p) × A^m(F_p) ↔ A^{m + φ(n)}(F_p)

      n      m
     30     32
    210    264

- But I thought we wanted a different type of map…

Efficiency: Communication

Setting: G_q ⊆ T_n(F_p) ⊆ F*_{p^n}

Wanted: T_n(F_p) ↔ A^{φ(n)}(F_p)

Got: T_n(F_p) × A^m(F_p) ↔ A^{m + φ(n)}(F_p)

- Is this useful? Yes!
- If your application has m · log p extra bits E to transmit or store, it can compute the forward map on (g, E) and apply the inverse map to recover them

Efficiency: Computation

- [vdW]: T_n(F_p) × A^m ↔ A^{m + φ(n)}
- Problem 1: m may be too large for applications
- Problem 2: very computationally inefficient
- [vdW]: Ask, can computation be reduced?

Our Contribution

- Reduce m in the map T_n(F_p) × A^m ↔ A^{m + φ(n)}
  - Better for more applications
  - More computationally efficient
- Give the first implementation of T_30(F_p) and show it is practical

Our Contribution

- Let n = 30. Our map is inspired by the equation

    Φ_30(p) · Φ_6(p) = Φ_6(p^5)

- This suggests a mapping: T_30(F_p) × T_6(F_p) ↔ T_6(F_{p^5})
- We can represent T_6(F_p) and T_6(F_{p^5}) using CEILIDH!
- Get an "almost bijection" T_30(F_p) × A^2(F_p) ↔ A^10(F_p)
- Affine surplus m = 2, instead of m = 32 in [vdW]

Our Contribution

  T_30(F_p) × A^2(F_p)
        |  CEILIDH decompression
        v
  T_30(F_p) × T_6(F_p)
        |  CRT
        v
  T_6(F_{p^5})
        |  CEILIDH compression
        v
  A^2(F_{p^5}) = A^10(F_p)
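The CRT step in the diagram above, together with the identity Φ_30(p) · Φ_6(p) = Φ_6(p^5) from the previous slide, carried out concretely as an added example; this is not the talk's or the authors' implementation. It assumes a constructed toy field F_{3^30} = F_3[x]/(Φ_31(x)) (Φ_31(x) = 1 + x + … + x^30 is irreducible over F_3 because 3 has multiplicative order 30 modulo 31) with schoolbook polynomial arithmetic, and it implements only the middle arrow: the CEILIDH compression and decompression on either side are not included. Function names are this example's own.

```python
# Added example: T_30(F_p) x T_6(F_p) <-> T_6(F_{p^5}) inside a toy field F_{3^30}.
import random
from math import gcd

P, N = 3, 30                  # constructed toy parameters; the talk uses 32- and 64-bit p


def phi_at(d, p):
    """Phi_d(p) from p^d - 1 = prod_{e | d} Phi_e(p): integer recursion, no polynomials."""
    value = p**d - 1
    for e in range(1, d):
        if d % e == 0:
            value //= phi_at(e, p)
    return value


# F_{3^30} = F_3[x] / (Phi_31(x)), Phi_31(x) = 1 + x + ... + x^30; irreducible over F_3
# because 3 has multiplicative order 30 = deg Phi_31 modulo 31 (checked below).
MODULUS = [1] * (N + 1)
ONE = [1] + [0] * (N - 1)
X = [0, 1] + [0] * (N - 2)


def modulus_is_irreducible():
    return pow(P, N, 31) == 1 and all(pow(P, N // r, 31) != 1 for r in (2, 3, 5))


def fmul(a, b):
    """Product in F_{p^30}; elements are coefficient lists of length N, lowest degree first."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] += ai * bj
    for k in range(2 * N - 2, N - 1, -1):      # reduce x^k (k >= N) by the monic modulus
        c = prod[k] % P
        if c:
            for j in range(N + 1):
                prod[k - N + j] -= c * MODULUS[j]
    return [c % P for c in prod[:N]]


def fpow(a, e):
    """Square-and-multiply exponentiation in F_{p^30}."""
    result, base = ONE, a
    while e:
        if e & 1:
            result = fmul(result, base)
        base = fmul(base, base)
        e >>= 1
    return result


def has_order_dividing(g, order):
    """g lies in {h : h^order = 1}; for order = Phi_d(p) that subgroup is the torus T_d."""
    return fpow(g, order) == ONE


def random_subgroup_element(order, rng):
    """Random non-identity element of the subgroup of F*_{p^30} of the given order."""
    assert (P**N - 1) % order == 0
    while True:
        r = [rng.randrange(P) for _ in range(N)]
        h = fpow(r, (P**N - 1) // order)
        if h != ONE:
            return h


def forward(g, t):
    """T_30(F_p) x T_6(F_p) -> T_6(F_{p^5}): a single multiplication."""
    return fmul(g, t)


def reverse(h):
    """T_6(F_{p^5}) -> T_30(F_p) x T_6(F_p) by CRT on the exponent: one exponentiation
    with e = 1 (mod Phi_30(p)), e = 0 (mod Phi_6(p)) kills the T_6 part and keeps the
    T_30 part; the T_6 part is then h / g."""
    u, v = phi_at(30, P), phi_at(6, P)         # |T_30(F_p)| and |T_6(F_p)|
    # gcd is 1 here; in general a common factor can only be 5, hence "almost bijection"
    assert gcd(u, v) == 1
    e = v * pow(v, -1, u)
    g = fpow(h, e)
    t = fmul(h, fpow(g, u - 1))                # g^(u-1) = g^(-1) because g^u = 1
    return g, t


def demo(seed=2005):
    """Round trip on random torus elements; every value is True when the split works."""
    rng = random.Random(seed)
    u, v = phi_at(30, P), phi_at(6, P)
    g = random_subgroup_element(u, rng)        # g in T_30(F_p)
    t = random_subgroup_element(v, rng)        # t in T_6(F_p)
    h = forward(g, t)
    g2, t2 = reverse(h)
    return {
        "identity": u * v == phi_at(6, P**5),  # Phi_30(p) Phi_6(p) = Phi_6(p^5)
        "h_in_T6_Fp5": has_order_dividing(h, u * v),
        "frobenius": fpow(X, P**N) == X,       # x^(p^30) = x in a field of p^30 elements
        "recovered": (g2, t2) == (g, t),
    }


if __name__ == "__main__":
    print(demo())
```

The forward direction is the single multiplication the talk counts, and the reverse direction is the single exponentiation h^e; the division h / g that follows is done here with one extra exponentiation for simplicity, since g^{-1} = g^{Φ_30(p) - 1}.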

Applications

- Let's compress two elements of T_30(F_p) in different ways:
  - Using CEILIDH, takes 20 p-ary symbols
  - Using [vdW], takes 48 p-ary symbols
  - Using our map, takes 8 + 10 = 18 p-ary symbols
- Obtain 10% ciphertext size reduction in ElGamal variants

Our map: T_30(F_p) × A^2(F_p) ↔ A^10(F_p)
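An added example (not from the talk) that reproduces the symbol counts above for two elements and generalizes them to k elements of T_30(F_p): chaining a map T_n(F_p) × A^m(F_p) ↔ A^{m+φ(n)}(F_p) costs m + k · φ(n) p-ary symbols in total, because the m surplus slots of one element carry part of the next element's compressed form. The chaining accounting, the break-even function and all names are this example's assumptions; only the n = 30 surplus values m = 32 ([vdW]) and m = 2 (this talk) come from the slides.

```python
# Added example: p-ary symbol counts for compressing k elements of T_n(F_p).
from math import gcd


def euler_totient(n):
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def symbols_uncompressed(n, k):
    """k elements of F*_{p^n} written out in full: n symbols each."""
    return n * k


def symbols_via_T6(n, k):
    """CEILIDH applied to T_n(F_p) viewed inside T_6(F_{p^{n/6}}): each element costs
    phi(6) * (n/6) = n/3 symbols (10 per element of T_30(F_p))."""
    assert n % 6 == 0
    return (n // 3) * k


def symbols_chained(n, m, k):
    """Chaining T_n(F_p) x A^m(F_p) <-> A^{m+phi(n)}(F_p) over k elements: each element
    contributes phi(n) symbols and only the last one leaves m surplus symbols."""
    return m + k * euler_totient(n)


def break_even(n, m, limit=10_000):
    """Smallest k at which the chained map beats the T_6 route (None if never within limit)."""
    for k in range(1, limit):
        if symbols_chained(n, m, k) < symbols_via_T6(n, k):
            return k
    return None


def elgamal_saving(n, m):
    """Fractional size reduction of a two-element ElGamal ciphertext."""
    return 1 - symbols_chained(n, m, 2) / symbols_via_T6(n, 2)


SURPLUS_M = {"vdW": 32, "this talk": 2}   # affine surplus m for n = 30, from the slides


def comparison_table(n=30, k=2):
    rows = {"uncompressed": symbols_uncompressed(n, k),
            "CEILIDH via T_6": symbols_via_T6(n, k)}
    for name, m in SURPLUS_M.items():
        rows[name] = symbols_chained(n, m, k)
    return rows


if __name__ == "__main__":
    print(comparison_table())
    for name, m in SURPLUS_M.items():
        print(name, "pays off from k =", break_even(30, m))
```

For n = 30 the chained map with m = 2 already wins at k = 2 (18 versus 20 symbols, the 10% ElGamal saving), while the [vdW] map with m = 32 needs 17 elements before it beats the T_6 route.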

Our Contribution

- Also have T_210 × A^22 → A^232
- For n = 210, [vdW] had m = 264
- Simplicity of the map greatly improves computation
- For n = 30:
  - Forward direction = 1 multiplication + CEILIDH maps
  - Reverse direction = 1 exponentiation + CEILIDH maps

Parameter Selection

- We only consider T_30(F_p) ⊆ F*_{p^30}
- Using a Macintosh G5 dual 2.5GHz computer, we got:

  log_2 |G_q|   log_2 p   Security       How long did it take us?
          160        32   960-bit RSA    ~ 1 per minute
          200        64   1920-bit RSA   ~ 1 per hour

Timings

Compression:

                   T_6(F_{p_L})   T_30(F_{p_S})
  Compress            .13 ms         .13 ms
  Decompress          .19 ms         4.9 ms

Exponentiation:

                   T_6(F_{p_L})   T_30(F_{p_S})
  Binary             5.21 ms        9.12 ms
  Sliding window     4.39 ms        7.53 ms
  p_S-ary               -           3.11 ms
  JSF single         2.79 ms        4.57 ms

Timings based on log_2(p_L) ≈ 5 log_2(p_S), and G_q with log_2 q ≈ 160

2.8 GHz Pentium 4 with 1GB of memory

Conclusion

- T_30(F_p) crypto is practical!
- Compression outperforms existing schemes for as few as 2 elements
- The method is only slightly slower (by a factor of 2-3) than T_6(F_{p^5}) and XTR