Practical Cryptography in High Dimensional Tori
Marten van Dijk (MIT CSAIL), Robert Granger (University of Bristol), Dan Page (University of Bristol), Karl Rubin (UC Irvine), Alice Silverberg (UC Irvine), Martijn Stam (University of Bristol), David Woodruff (MIT CSAIL)
Outline
1. Application of torus cryptography
2. Goals of torus cryptography: security; efficiency (space: compression; time: exponentiations)
3. Our contribution
4. Implementation
5. Conclusion
Sample Application: Diffie-Hellman key exchange
One party picks a ∈ Z_q and sends g^a; the other picks b ∈ Z_q and sends g^b.
Target: secret key exchange over an insecure channel
Setting: cyclic group G_q ⊆ F*_{p^n} of order q, generated by g
Key: g^{ab} (computed as (g^b)^a on one side and (g^a)^b on the other)
Security
Setting: G_q ⊆ F*_{p^n}
How to choose G_q?
Security goal: cannot compute g^{ab} from g^a and g^b (CDH)
1. Pollard rho (generic attack on the subgroup, about √q group operations): log2 q ≥ 160
2. Index calculus (attacks the discrete log in the whole field F_{p^n}): n log2 p ≥ 1024
3. Pohlig-Hellman / subfield attacks: G_q must not lie in a proper subfield F_{p^d}, d | n, d < n (otherwise index calculus runs in the much smaller subfield and the n log2 p bound is meaningless)
Security: Pohlig-Hellman
Pohlig-Hellman: G_q not in a proper subfield
F*_{p^n} is cyclic of cardinality p^n − 1 = ∏_{d | n} Φ_d(p),
where Φ_d is the d-th cyclotomic polynomial.
Φ_1(p) = p − 1, Φ_2(p) = p + 1, Φ_3(p) = p² + p + 1, Φ_6(p) = p² − p + 1
Example: |F*_{p^6}| = p^6 − 1 = (p − 1)(p + 1)(p² + p + 1)(p² − p + 1)
= Φ_1(p) · Φ_2(p) · Φ_3(p) · Φ_6(p)
Φ_d(p) ≈ p^{φ(d)}, where φ(d) is Euler's totient function (Φ_d has degree φ(d))
[Lenstra]: If q | Φ_n(p) and q > n, then G_q is not contained in a proper subfield.
The subgroup of order Φ_n(p) is the torus T_n(F_p).
Other tori: T_1 = {g ∈ F*_{p^n} : g^{p−1} = 1} = F*_p,
T_2 = {g ∈ F*_{p^n} : g^{p+1} = 1}, and in general T_d = {g ∈ F*_{p^n} : g^{Φ_d(p)} = 1} for d | n.
Choose G_q ⊆ T_n(F_p).
Efficiency: Communication
- Naive representation: an element of G_q is stored as an element of F_{p^n}, i.e. n log2 p bits
- But G_q is much smaller (only log2 q ≥ 160 is needed)! Can't we do better?
- We don't know how to efficiently achieve log2 q bits
- We can achieve log2 |T_n(F_p)| ≈ φ(n) log2 p bits for some n:
  LUC [LS], XTR [LV], CEILIDH [RS]
Setting: G_q ⊆ T_n(F_p) ⊆ F*_{p^n}
- Affine space A^n(F_p) = n-tuples (g_1, …, g_n) ∈ (F_p)^n
- LUC: T_2(F_p) ↔ A^1(F_p)
- XTR: T_6(F_p) ↔ A^2(F_p)
- CEILIDH: T_n(F_p) ↔ A^{φ(n)}(F_p) when n is a product of at most two prime powers (explicit birational maps are known in exactly this case)
- If n is the product of at most two prime powers, φ(n)/n ≥ 1/3, with equality for n = 6 (and any n = 2^a 3^b). An n with three or more prime factors, e.g. n = 30 (φ(30)/30 = 4/15) or n = 210 (φ(210)/210 = 8/35), would compress better, but CEILIDH does not cover it.
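The cyclotomic factorisation, Lenstra's subfield condition and the φ(n)/n ratios above can all be checked directly. The following Python script is an added example, not code from the paper or its implementation; it works in the toy field F_{2^30} and for small n, and the function names (cyclotomic, in_proper_subfield, compression_ratio, …) are chosen here rather than taken from the paper.

```python
# Added example, not code from the paper: cyclotomic factorisation of |F_{p^n}^*|,
# the subfield test behind Lenstra's condition, and the phi(n)/n compression ratio.
from fractions import Fraction
from math import gcd, prod


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def mobius(n):
    """Moebius mu(n): 0 if n has a squared prime factor, else (-1)^(number of primes)."""
    result, k = 1, 2
    while k * k <= n:
        if n % k == 0:
            n //= k
            if n % k == 0:
                return 0
            result = -result
        k += 1
    if n > 1:
        result = -result
    return result


def totient(n):
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def cyclotomic(n, p):
    """Phi_n(p) from Phi_n(x) = prod_{d | n} (x^d - 1)^mu(n/d); the division is exact."""
    num = den = 1
    for d in divisors(n):
        mu = mobius(n // d)
        if mu == 1:
            num *= p ** d - 1
        elif mu == -1:
            den *= p ** d - 1
    assert num % den == 0
    return num // den


def cyclotomic_factorisation(n, p):
    """{d: Phi_d(p)} for every d | n; multiplying all values gives p^n - 1."""
    return {d: cyclotomic(d, p) for d in divisors(n)}


def factorisation_is_complete(n, p):
    return prod(cyclotomic_factorisation(n, p).values()) == p ** n - 1


def in_proper_subfield(q, p, n):
    """An element of order q lies in F_{p^d} iff q | p^d - 1; test every proper subfield of F_{p^n}."""
    return any((p ** d - 1) % q == 0 for d in divisors(n) if d < n)


def lenstra_condition(q, p, n):
    """Sufficient condition from the slides: q | Phi_n(p) and q > n."""
    return cyclotomic(n, p) % q == 0 and q > n


def compression_ratio(n):
    """phi(n)/n: the fraction of the naive n*log2(p) bits that T_n(F_p) really needs."""
    return Fraction(totient(n), n)


def at_most_two_prime_powers(n):
    """CEILIDH's explicit map T_n(F_p) <-> A^phi(n)(F_p) exists when n has <= 2 distinct primes."""
    primes, k = set(), 2
    while k * k <= n:
        while n % k == 0:
            primes.add(k)
            n //= k
        k += 1
    if n > 1:
        primes.add(n)
    return len(primes) <= 2


def min_ratio_two_prime_powers(bound):
    """Smallest phi(n)/n over 2 <= n <= bound with <= 2 prime powers, and the n attaining it."""
    return min((compression_ratio(n), n) for n in range(2, bound + 1) if at_most_two_prime_powers(n))


if __name__ == "__main__":
    p, n = 2, 30  # toy field F_{2^30}; the paper uses 32- or 64-bit primes p
    factors = cyclotomic_factorisation(n, p)
    q = factors[n]  # Phi_30(2) = 331, a prime larger than n
    print(f"p^n - 1 factorised completely: {factorisation_is_complete(n, p)}")
    print(f"Phi_30({p}) = {q}; Lenstra condition: {lenstra_condition(q, p, n)}; "
          f"in a proper subfield: {in_proper_subfield(q, p, n)}")
    # Why q > n matters: q = 3 divides Phi_6(2) = 3 but also 2^2 - 1, so the
    # order-3 subgroup of F_{2^6}^* sits inside the subfield F_4.
    print(f"q = 3 in a proper subfield of F_(2^6): {in_proper_subfield(3, 2, 6)}")
    for m in (6, 30, 210):
        print(f"n = {m}: phi(n)/n = {compression_ratio(m)}, CEILIDH applies: {at_most_two_prime_powers(m)}")
    # A 32-bit p gives a 960-bit field but only a 256-bit torus T_30(F_p) (cf. the parameter table).
    print(f"bits of Phi_30(2^32 - 5) = {cyclotomic(30, 2 ** 32 - 5).bit_length()}")
```

The counter-example with q = 3 and n = 6 is the reason the q > n clause is there: q divides Φ_6(2) but also Φ_2(2), so the subgroup already lives in F_4.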
- Ideally we want a map T_n(F_p) ↔ A^{φ(n)}(F_p) for all n
- [vDW]: for all n there exists an m and a map T_n(F_p) × A^m(F_p) ↔ A^{m+φ(n)}(F_p)
- But I thought we wanted a different type of map…
  n     m
  30    32
  210   264
  …     …
Wanted: T_n(F_p) ↔ A^{φ(n)}(F_p)
Got:    T_n(F_p) × A^m(F_p) ↔ A^{m+φ(n)}(F_p)
- Is this useful? Yes!
- If your application has m · log2 p extra bits E to transmit or store anyway, send the image of (g, E) in A^{m+φ(n)}(F_p); the receiver applies the inverse map and recovers (g, E). The torus element then costs only φ(n) extra p-ary symbols.
Efficiency: Computation
- [vDW]: T_n(F_p) × A^m ↔ A^{m+φ(n)}
- Problem 1: m may be too large for applications
- Problem 2: very computationally inefficient
- [vDW] ask: can the computation be reduced?
Our Contribution
• Reduce m in the map T_n(F_p) × A^m ↔ A^{m+φ(n)}:
  - better for more applications (less surplus data needed)
  - more computationally efficient
• Give the first implementation of T_30(F_p) and show it is practical
• Let n = 30. Our map is inspired by the polynomial identity
  Φ_30(p) · Φ_6(p) = Φ_6(p^5)
• This suggests a mapping T_30(F_p) × T_6(F_p) ↔ T_6(F_{p^5})
  (both factors are subgroups of T_6(F_{p^5}) ⊆ F*_{p^30}, and their orders are coprime)
• We can represent T_6(F_p) and T_6(F_{p^5}) using CEILIDH!
• Get an "almost bijection" T_30(F_p) × A^2(F_p) ↔ A^10(F_p)
• Affine surplus m = 2, instead of m = 32 in [vDW]
The map, step by step:
  T_30(F_p) × A^2(F_p)
    --CEILIDH decompression (A^2(F_p) → T_6(F_p))-->  T_30(F_p) × T_6(F_p)
    --CRT (combine the two factors)-->                  T_6(F_{p^5})
    --CEILIDH compression over F_{p^5}-->               A^2(F_{p^5}) = A^10(F_p)
Applications
• Let's compress two elements of T_30(F_p) in different ways:
  - using CEILIDH (via T_6(F_{p^5}) ⊇ T_30(F_p)): 20 p-ary symbols (10 each)
  - using [vDW] (m = 32): 48 p-ary symbols
  - using our map (m = 2): 8 + 10 = 18 p-ary symbols (2 of the first element's 10 symbols serve as the surplus for the second)
• Obtain a 10% ciphertext size reduction in ElGamal variants
Our map: T_30(F_p) × A^2(F_p) ↔ A^10(F_p)
• Also have T_210(F_p) × A^22(F_p) ↔ A^70(F_p) (φ(210) = 48, so 22 + 48 = 70)
• For n = 210, [vDW] had m = 264
• Simplicity of the map greatly improves computation
• For n = 30: forward direction = 1 multiplication + CEILIDH maps; reverse direction = 1 exponentiation + CEILIDH maps
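As an added example (not the authors' implementation), here is the CRT step of the map above, T_30(F_p) × T_6(F_p) ↔ T_6(F_{p^5}), run in the toy field F_{2^30}, where the orders are Φ_30(2) = 331, Φ_6(2) = 3 and Φ_6(2^5) = 993 = 331 · 3. The forward map is a single multiplication and the reverse is an exponentiation by a CRT exponent, matching the cost statement on the slide; the CEILIDH compression of the two T_6 parts is left out. The field construction (Ben-Or irreducibility test, cofactor exponentiation) and the function names are choices made for this example, not the paper's.

```python
# Added example, not the paper's implementation: the CRT step of the map
# T_30(F_p) x T_6(F_p) -> T_6(F_{p^5}), run in the toy field F_{2^30}.
# Field elements are Python ints whose bits are GF(2)[x] coefficients; the
# CEILIDH compression of the T_6 parts is not implemented here.
from math import gcd

N = 30            # extension degree: F_{2^30} contains F_{2^5}, F_{2^6}, F_4, ...
P = 2             # toy characteristic (the paper uses 32- or 64-bit primes)
PHI6_P = P ** 2 - P + 1                                  # |T_6(F_2)|     = 3
PHI30_P = P**8 + P**7 - P**5 - P**4 - P**3 + P + 1       # |T_30(F_2)|    = 331
PHI6_P5 = P ** 10 - P ** 5 + 1                           # |T_6(F_{2^5})| = 993 = 331 * 3


def pmul(a, b, f, n=N):
    """a * b mod f in GF(2)[x]; f monic of degree n, a and b of degree < n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= f
    return r


def ppow(a, e, f, n=N):
    """a^e mod f by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = pmul(r, a, f, n)
        a = pmul(a, a, f, n)
        e >>= 1
    return r


def pgcd(a, b):
    """gcd in GF(2)[x]."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a


def is_irreducible(f, n=N):
    """Ben-Or: f of degree n is irreducible iff gcd(x^(2^i) - x, f) = 1 for 1 <= i <= n/2."""
    x = h = 2
    for _ in range(n // 2):
        h = pmul(h, h, f, n)          # h = x^(2^i) mod f
        if pgcd(h ^ x, f) != 1:
            return False
    return True


def find_irreducible(n=N):
    """Deterministic: the first x^n + (odd low part) that passes the test."""
    low = 3
    while not is_irreducible((1 << n) | low, n):
        low += 2
    return (1 << n) | low


def element_of_order(q, f, n=N):
    """Element of prime order q in F_{2^n}^*: g^((2^n-1)/q) for the first g giving != 1."""
    cofactor = (2 ** n - 1) // q
    for g in range(2, 1 << n):
        a = ppow(g, cofactor, f, n)
        if a != 1:
            return a
    raise ValueError("no element of order %d" % q)


def crt_exponents(q1, q2):
    """e1 = 1 (mod q1), 0 (mod q2); e2 = 0 (mod q1), 1 (mod q2). Needs gcd(q1, q2) = 1."""
    return q2 * pow(q2, -1, q1), q1 * pow(q1, -1, q2)


def forward(a, b, f):
    """T_30(F_p) x T_6(F_p) -> T_6(F_{p^5}): one field multiplication."""
    return pmul(a, b, f)


def reverse(c, f):
    """T_6(F_{p^5}) -> T_30(F_p) x T_6(F_p). c^e1 kills the T_6 part and returns a;
    b = c * a^-1 then needs only an inversion, but a second exponentiation is used here for clarity."""
    e1, e2 = crt_exponents(PHI30_P, PHI6_P)
    return ppow(c, e1, f), ppow(c, e2, f)


def demo():
    """Build F_{2^30}, pick a in T_30(F_2) and b in T_6(F_2), map forward and back."""
    assert PHI30_P * PHI6_P == PHI6_P5 and gcd(PHI30_P, PHI6_P) == 1
    f = find_irreducible()
    a = element_of_order(PHI30_P, f)
    b = element_of_order(PHI6_P, f)
    c = forward(a, b, f)
    return {"f": f, "a": a, "b": b, "c": c,
            "c_in_T6_Fp5": ppow(c, PHI6_P5, f) == 1,   # c really lies in T_6(F_{2^5})
            "roundtrip": reverse(c, f) == (a, b)}


if __name__ == "__main__":
    r = demo()
    print("field modulus (bits = coefficients):", bin(r["f"]))
    print("c in T_6(F_(2^5)):", r["c_in_T6_Fp5"], "| round trip ok:", r["roundtrip"])
```

The CRT exponents for p = 2 are 663 and 331: 663 ≡ 1 (mod 331) and ≡ 0 (mod 3), so c^663 = a, while 331 ≡ 0 (mod 331) and ≡ 1 (mod 3), so c^331 = b. The coprimality check in demo() is what makes the CRT step a genuine bijection; the "almost" in the slide's "almost bijection" comes from the CEILIDH steps, not from this one.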
Parameter Selection
• We only consider T_30(F_p) ⊆ F*_{p^30}
• Using a Macintosh G5 dual 2.5 GHz computer, we got:
  log2 |G_q|   log2 p   field size n·log2 p   security comparable to   search time
  160          32       960 bits              960-bit RSA              ~1 parameter set per minute
  200          64       1920 bits             1920-bit RSA             ~1 parameter set per hour
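The parameter search behind this table can be illustrated at toy size. The following Python script is an added example, not the authors' search code: it scans for a prime p such that Φ_30(p), after stripping small factors by trial division, leaves a probable prime q > 30 of the requested size, which is exactly what puts G_q inside T_30(F_p) and, by Lenstra's condition, outside every proper subfield. At the paper's sizes (32-bit p, 256-bit Φ_30(p), 160-bit q) the cofactor can be up to 96 bits and needs more than trial division, which is one reason a parameter set took on the order of a minute. The trial-division bound, the Miller-Rabin bases and the function names are assumptions of this example.

```python
# Added example, not the paper's search code: choose a prime p such that Phi_30(p)
# has a large prime factor q > 30, so G_q lies in T_30(F_p) and in no proper subfield.
def phi30(p):
    return p**8 + p**7 - p**5 - p**4 - p**3 + p + 1


def small_primes(bound):
    """Primes <= bound by sieve, used to strip small factors from Phi_30(p)."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound + 1, i)))
    return [i for i, v in enumerate(sieve) if v]


BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic below 3.3e24, probabilistic above."""
    if n < 2:
        return False
    for sp in BASES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def split_phi30(p, primes):
    """Return (smooth cofactor, remaining rough part) of Phi_30(p) after trial division."""
    m, cof = phi30(p), 1
    for ell in primes:
        while m % ell == 0:
            m //= ell
            cof *= ell
    return cof, m


def find_parameters(p_start, q_bits, trial_bound=1 << 14):
    """Scan primes p >= p_start until Phi_30(p) = cofactor * q with q a probable prime,
    q > 30 (Lenstra's condition for n = 30) and q.bit_length() >= q_bits. Returns (p, q, cofactor)."""
    primes = small_primes(trial_bound)
    p = p_start
    while True:
        if is_probable_prime(p):
            cof, q = split_phi30(p, primes)
            if q > 30 and q.bit_length() >= q_bits and is_probable_prime(q):
                return p, q, cof
        p += 1


def not_in_proper_subfield(q, p, n=30):
    """Direct check of what Lenstra's condition guarantees: q divides no p^d - 1 with d | n, d < n."""
    return all((p ** d - 1) % q for d in range(1, n) if n % d == 0)


if __name__ == "__main__":
    p, q, cof = find_parameters(1 << 16, 100)   # 16-bit p gives a ~128-bit Phi_30(p); toy size
    print(f"p = {p} ({p.bit_length()} bits); the field F_(p^30) has {30 * p.bit_length()} bits")
    print(f"Phi_30(p) = {cof} * q with q of {q.bit_length()} bits; q > 30: {q > 30}")
    print("G_q outside every proper subfield:", not_in_proper_subfield(q, p))
```

With 16-bit p the search succeeds after a few dozen candidates because Φ_30(p) has no prime factors below 31 other than those dividing 30, so it is prime, or prime times a small cofactor, far more often than a random 128-bit integer.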
Timings (2.8 GHz Pentium 4 with 1 GB of memory; log2(p_L) ≈ 5 log2(p_S), so F_{p_L^6} and F_{p_S^30} have the same size; G_q with log2 q ≈ 160)
Compression / decompression:
                   T_6(F_{p_L})   T_30(F_{p_S})
  Compress         0.13 ms        0.13 ms
  Decompress       0.19 ms        4.9 ms
Exponentiation in G_q:
                   T_6(F_{p_L})   T_30(F_{p_S})
  Binary           5.21 ms        9.12 ms
  Sliding window   4.39 ms        7.53 ms
  p_S-ary          -              3.11 ms
  JSF single       2.79 ms        4.57 ms
Conclusion
• T_30(F_p) crypto is practical!
• Compression outperforms existing schemes for as few as 2 elements
• Exponentiation is only slightly slower (a factor of 2 to 3) than in T_6(F_{p^5}) and XTR