
Practical Cryptography in High Dimensional Tori




  1. Practical Cryptography in High Dimensional Tori
  Marten van Dijk (1), Robert Granger (2), Dan Page (2), Karl Rubin (3), Alice Silverberg (3), Martijn Stam (2), David Woodruff (1)
  (1) MIT CSAIL, (2) University of Bristol, (3) UC Irvine

  2. Outline
  • Application of Torus Cryptography
  • Goals of Torus Cryptography
  • Security
  • Efficiency: Space – Compression; Time – Exponentiations
  • Our Contribution
  • Implementation
  • Conclusion

  3. Sample Application
  Target: secret key exchange over an insecure channel.
  Setting: a cyclic group $G_q \subseteq \mathbb{F}_{p^n}^*$ of prime order $q$, generated by $g$.
  One party picks $a \in \mathbb{Z}_q$ and sends $g^a$; the other picks $b \in \mathbb{Z}_q$ and sends $g^b$. Both compute the shared key $g^{ab}$.


  5. Security
  Setting: $G_q \subseteq \mathbb{F}_{p^n}^*$. How to choose $G_q$?
  Security: one must not be able to compute $g^{ab}$ from $g^a$ and $g^b$ (CDH). The constraints, at the time of the talk:
  • Pollard (rho) in the subgroup: $\log_2 q > 160$
  • Index calculus in the full field: $n \log_2 p > 1024$
  • Pohlig–Hellman: $G_q$ must not lie in a proper subfield of $\mathbb{F}_{p^n}$

  6. Security: Pohlig–Hellman
  Setting: $G_q \subseteq \mathbb{F}_{p^n}^*$. How to choose $G_q$?
  Pohlig–Hellman: $G_q$ not in a proper subfield.
  $\mathbb{F}_{p^n}^*$ is cyclic of cardinality $p^n - 1 = \prod_{d \mid n} \Phi_d(p)$, where $\Phi_d$ is the $d$-th cyclotomic polynomial.
  $\Phi_1(p) = p - 1$, $\Phi_2(p) = p + 1$, $\Phi_3(p) = p^2 + p + 1$, $\Phi_6(p) = p^2 - p + 1$

  7. Security: Pohlig–Hellman
  Example: $|\mathbb{F}_{p^6}^*| = p^6 - 1 = (p-1)(p+1)(p^2+p+1)(p^2-p+1) = \Phi_1(p)\,\Phi_2(p)\,\Phi_3(p)\,\Phi_6(p)$.
  In general $\Phi_d(p) \approx p^{\varphi(d)}$, where $\varphi$ is Euler’s totient function.

  8. Security: Pohlig–Hellman
  Choose $G_q \subseteq T_n(\mathbb{F}_p)$. [Lenstra]: if $q \mid \Phi_n(p)$ and $q > n$, then $G_q$ is not in a proper subfield. (A prime dividing both $\Phi_n(p)$ and $p^d - 1$ for a proper divisor $d$ of $n$ must divide $n$, so $q > n$ rules this out.)
  The subgroup of order $\Phi_n(p)$ is the torus $T_n(\mathbb{F}_p)$.
  Other tori: $T_1 = \{g \in \mathbb{F}_{p^n}^* : g^{p-1} = 1\} = \mathbb{F}_p^*$, $T_2 = \{g \in \mathbb{F}_{p^n}^* : g^{p+1} = 1\}$, and in general $T_d = \{g \in \mathbb{F}_{p^n}^* : g^{\Phi_d(p)} = 1\}$ for $d \mid n$.


  10. Efficiency: Communication
  Setting: $G_q \subseteq T_n(\mathbb{F}_p) \subseteq \mathbb{F}_{p^n}^*$
  • Naively, represent an element of $G_q$ with $n \log_2 p$ bits (its $n$ coordinates over $\mathbb{F}_p$).
  • But $G_q$ is much smaller! Can’t we do better?
  • We don’t know how to efficiently achieve $\log_2 q$ bits.
  • We can achieve $\log_2 |T_n(\mathbb{F}_p)| \approx \varphi(n) \log_2 p$ bits for some $n$: LUC [LS], XTR [LV], CEILIDH [RS].

  11. Efficiency: Communication
  Setting: $G_q \subseteq T_n(\mathbb{F}_p) \subseteq \mathbb{F}_{p^n}^*$
  • Affine space $\mathbb{A}^n(\mathbb{F}_p)$ = $n$-tuples $(g_1, \dots, g_n) \in (\mathbb{F}_p)^n$
  • LUC: $T_2(\mathbb{F}_p) \leftrightarrow \mathbb{A}^1(\mathbb{F}_p)$
  • XTR: $T_6(\mathbb{F}_p) \leftrightarrow \mathbb{A}^2(\mathbb{F}_p)$
  • CEILIDH: $T_n(\mathbb{F}_p) \leftrightarrow \mathbb{A}^{\varphi(n)}(\mathbb{F}_p)$ when $n$ is a product of at most two prime powers (the only case in which such a map is known)
  • If $n$ is a product of at most two prime powers, $\varphi(n)/n \ge 1/3$, with equality for $n = 6$. So the best compression ratio reachable this way is $1/3$.
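To make the compression idea concrete in its simplest instance, here is an added example (not code from the paper or its authors) of the key exchange from slide 3 run inside $T_2(\mathbb{F}_p)$ with a LUC-style trace map $T_2(\mathbb{F}_p) \leftrightarrow \mathbb{A}^1(\mathbb{F}_p)$: each party transmits one $\mathbb{F}_p$ symbol instead of the two coordinates of an $\mathbb{F}_{p^2}$ element. It assumes $p \equiv 3 \pmod 4$, so that $\mathbb{F}_{p^2} = \mathbb{F}_p[i]/(i^2+1)$ and Frobenius is conjugation; the prime $p = 10007$, the subgroup order $q = 139$ (which divides $\Phi_2(p) = p + 1$ and exceeds $n = 2$, Lenstra's condition) and the secret exponents are toy values constructed here, far below the 160-bit/1024-bit targets of slide 5.

```python
# Added example (not from the paper): Diffie-Hellman in the torus T_2(F_p),
# with LUC-style compression T_2(F_p) <-> A^1(F_p) via the trace.
# Toy parameters constructed for this example; P = 3 (mod 4) so that
# F_{p^2} = F_p[i]/(i^2 + 1) and Frobenius g -> g^p is conjugation a+bi -> a-bi.
P = 10007            # prime, P % 4 == 3
Q = 139              # prime, Q | P + 1 = Phi_2(P), and Q > n = 2 (Lenstra's condition)

ONE = (1, 0)

def fp2_mul(x, y):
    """(a + b i)(c + d i) in F_{p^2} = F_p[i]/(i^2 + 1)."""
    a, b = x
    c, d = y
    return ((a * c - b * d) % P, (a * d + b * c) % P)

def fp2_pow(x, e):
    """Square-and-multiply in F_{p^2}."""
    r = ONE
    while e > 0:
        if e & 1:
            r = fp2_mul(r, x)
        x = fp2_mul(x, x)
        e >>= 1
    return r

def in_torus(x):
    """T_2(F_p) = {g in F*_{p^2} : g^(p+1) = 1}, i.e. norm a^2 + b^2 = 1."""
    return fp2_pow(x, P + 1) == ONE

def compress(g):
    """LUC compression: g = a + b i in T_2(F_p) -> Tr(g) = g + g^p = 2a, one F_p symbol."""
    return (2 * g[0]) % P

def decompress(t):
    """Return a root of x^2 - t x + 1: either g or its conjugate g^p = g^(-1)."""
    a = (t * pow(2, -1, P)) % P
    b2 = (1 - a * a) % P                  # equals b^2 because a^2 + b^2 = 1 on the torus
    b = pow(b2, (P + 1) // 4, P)          # square root, valid because P = 3 (mod 4)
    if (b * b) % P != b2:
        raise ValueError("not the trace of an element of T_2(F_p)")
    return (a, b)

def torus_generator():
    """Deterministically find an element of order Q: h^((p^2-1)/Q) for the first h that works."""
    for k in range(1, P):
        g = fp2_pow((2, k), (P * P - 1) // Q)
        if g != ONE:
            return g           # g^Q = h^(p^2-1) = 1, so g has order exactly Q (Q prime)
    raise RuntimeError("no generator found")

def dh_shared_trace(g, a_secret, b_secret):
    """One key exchange where each party sends the 1-symbol trace instead of 2 symbols.

    The receiver may decompress to g^(-x) instead of g^x, but Tr(g^(-xy)) = Tr(g^(xy)),
    so both sides still agree on the key Tr(g^(ab)). Returns the two derived keys and
    the key computed directly from g^(ab) for comparison."""
    msg_a = compress(fp2_pow(g, a_secret))
    msg_b = compress(fp2_pow(g, b_secret))
    key_a = compress(fp2_pow(decompress(msg_b), a_secret))
    key_b = compress(fp2_pow(decompress(msg_a), b_secret))
    direct = compress(fp2_pow(g, a_secret * b_secret))
    return key_a, key_b, direct

if __name__ == "__main__":
    g = torus_generator()
    print("generator lies in T_2(F_p):", in_torus(g))
    print("shared key traces agree:", len(set(dh_shared_trace(g, 17, 91))) == 1)
```

The point to notice is the "almost bijection": the trace forgets which of $g$ and $g^p = g^{-1}$ it came from, and the exchange still works because the ambiguity is absorbed by the final trace. This is the same phenomenon behind the "almost bijection" of slide 17.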

  12. Efficiency: Communication
  Setting: $G_q \subseteq T_n(\mathbb{F}_p) \subseteq \mathbb{F}_{p^n}^*$
  • Ideally we want a map $T_n(\mathbb{F}_p) \leftrightarrow \mathbb{A}^{\varphi(n)}(\mathbb{F}_p)$ for all $n$.
  • [vDW]: for all $n$ there exist $m$ and a map $T_n(\mathbb{F}_p) \times \mathbb{A}^m(\mathbb{F}_p) \leftrightarrow \mathbb{A}^{m+\varphi(n)}(\mathbb{F}_p)$.
  • But I thought we wanted a different type of map…

  13. Efficiency: Communication
  Setting: $G_q \subseteq T_n(\mathbb{F}_p) \subseteq \mathbb{F}_{p^n}^*$
  • Wanted: $T_n(\mathbb{F}_p) \leftrightarrow \mathbb{A}^{\varphi(n)}(\mathbb{F}_p)$
  • Got: $T_n(\mathbb{F}_p) \times \mathbb{A}^m(\mathbb{F}_p) \to \mathbb{A}^{m+\varphi(n)}(\mathbb{F}_p)$, together with its inverse
  • Is this useful? Yes! If your application has $m \log_2 p$ extra bits $E$ to transmit or store anyway, apply the map to $(g, E)$: the pair then costs $(m + \varphi(n)) \log_2 p$ bits instead of $(n + m) \log_2 p$.

  14. Efficiency: Computation
  • [vDW]: $T_n(\mathbb{F}_p) \times \mathbb{A}^m \leftrightarrow \mathbb{A}^{m+\varphi(n)}$
  • Problem 1: $m$ may be too large for applications
  • Problem 2: very computationally inefficient
  • [vDW] ask: can the computation be reduced?


  16. Our Contribution
  • Reduce $m$ in the map $T_n(\mathbb{F}_p) \times \mathbb{A}^m \leftrightarrow \mathbb{A}^{m+\varphi(n)}$: better for more applications, and more computationally efficient
  • Give the first implementation of $T_{30}(\mathbb{F}_p)$ and show it is practical

  17. Our Contribution
  • Let $n = 30$. Our map is inspired by the identity $\Phi_{30}(p)\,\Phi_6(p) = \Phi_6(p^5)$ (the case $k = 5$ of $\Phi_6(x^k) = \Phi_{6k}(x)\,\Phi_6(x)$ for a prime $k \nmid 6$).
  • This suggests a mapping $T_{30}(\mathbb{F}_p) \times T_6(\mathbb{F}_p) \leftrightarrow T_6(\mathbb{F}_{p^5})$.
  • We can represent $T_6(\mathbb{F}_p)$ and $T_6(\mathbb{F}_{p^5})$ using CEILIDH!
  • Get an “almost bijection” $T_{30}(\mathbb{F}_p) \times \mathbb{A}^2(\mathbb{F}_p) \leftrightarrow \mathbb{A}^{10}(\mathbb{F}_p)$; note $\varphi(30) = 8$ and $10 = 8 + 2$.
  • Affine surplus $m = 2$, instead of $m = 32$ in [vDW]

  18. Our Contribution
  The map, step by step:
  $T_{30}(\mathbb{F}_p) \times \mathbb{A}^2(\mathbb{F}_p)$
  → CEILIDH decompression of the $\mathbb{A}^2(\mathbb{F}_p)$ part → $T_{30}(\mathbb{F}_p) \times T_6(\mathbb{F}_p)$
  → CRT (combine the two components of coprime order) → $T_6(\mathbb{F}_{p^5})$
  → CEILIDH compression → $\mathbb{A}^2(\mathbb{F}_{p^5}) = \mathbb{A}^{10}(\mathbb{F}_p)$

  19. Applications
  Our map: $T_{30}(\mathbb{F}_p) \times \mathbb{A}^2(\mathbb{F}_p) \leftrightarrow \mathbb{A}^{10}(\mathbb{F}_p)$
  Let’s compress two elements of $T_{30}(\mathbb{F}_p)$ in different ways:
  • Using CEILIDH (on $T_6(\mathbb{F}_{p^5}) \supseteq T_{30}(\mathbb{F}_p)$, 10 symbols per element): $2 \times 10 = 20$ $p$-ary symbols
  • Using [vDW] with $m = 32$: $32 + 2 \times 8 = 48$ $p$-ary symbols
  • Using our map: $8 + 10 = 18$ $p$-ary symbols
  • Obtain a 10% ciphertext size reduction in ElGamal variants

  20. Our Contribution
  • Also have $T_{210}(\mathbb{F}_p) \times \mathbb{A}^{22} \to \mathbb{A}^{70}$ (since $\varphi(210) = 48$ and $22 + 48 = 70$)
  • For $n = 210$, [vDW] had $m = 264$
  • Simplicity of the map greatly improves computation
  • For $n = 30$: forward direction = 1 multiplication + CEILIDH maps; reverse direction = 1 exponentiation + CEILIDH maps
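The cyclotomic bookkeeping of slides 6–8 (the factorisation of $p^n - 1$, Lenstra's subfield condition) and of slides 17–20 (the identity $\Phi_{30}(p)\Phi_6(p) = \Phi_6(p^5)$, $\varphi(30) = 8$, $\varphi(210) = 48$, the symbol counts) can all be checked mechanically. The following is an added example, not code from the paper: the primes $p = 7$, $p = 2$ and $p = 11$ are toy values chosen here, $q = 43 = \Phi_6(7)$ and $q = 3 = \Phi_6(2)$ illustrate the two sides of the $q > n$ condition, the generalisation $\Phi_6(x^k) = \prod_{d \mid k} \Phi_{6d}(x)$ for $\gcd(k, 6) = 1$ goes beyond the $k = 5$ case the slide states, and the decomposition of the 18-symbol count as $10 + 8$ is this editor's reading of slide 19.

```python
# Added example (not from the paper): cyclotomic bookkeeping behind the torus choice,
# checked at toy parameters constructed here (p = 7, 2, 11), not at the paper's sizes.
from functools import lru_cache
from math import gcd, prod

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

def euler_phi(n):
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

@lru_cache(maxsize=None)
def cyclotomic_at(n, x):
    """Phi_n(x) as an exact integer, from x^n - 1 = prod_{d | n} Phi_d(x)."""
    v = x ** n - 1
    for d in divisors(n)[:-1]:          # proper divisors of n
        v //= cyclotomic_at(d, x)       # exact division
    return v

def factor_field_group(p, n):
    """|F*_{p^n}| = p^n - 1 as the list of factors Phi_d(p), d | n (slides 6/7)."""
    factors = [cyclotomic_at(d, p) for d in divisors(n)]
    assert prod(factors) == p ** n - 1
    return factors

def in_proper_subfield(p, n, q):
    """The order-q subgroup of F*_{p^n} lies in F_{p^d}, d | n, d < n, iff q | p^d - 1."""
    return any((p ** d - 1) % q == 0 for d in divisors(n)[:-1])

def lenstra_ok(p, n, q):
    """[Lenstra], slide 8: q | Phi_n(p) and q > n guarantee G_q is not in a proper subfield."""
    return cyclotomic_at(n, p) % q == 0 and q > n

def torus_identity_holds(p, k):
    """Phi_6(p^k) = prod_{d | k} Phi_{6d}(p) when gcd(k, 6) = 1 (generalisation).
    k = 5 is the slide-17 identity Phi_30(p) Phi_6(p) = Phi_6(p^5); k = 35 covers T_210."""
    if gcd(k, 6) != 1:
        raise ValueError("identity needs gcd(k, 6) = 1")
    return cyclotomic_at(6, p ** k) == prod(cyclotomic_at(6 * d, p) for d in divisors(k))

def symbols_for_two_t30_elements():
    """p-ary symbols needed to store two elements of T_30(F_p) (slide 19)."""
    phi30 = euler_phi(30)                       # 8
    ceilidh = 2 * (2 * 5)                       # each via T_6(F_{p^5}) -> A^2(F_{p^5}) = A^10(F_p)
    vdw = 32 + 2 * phi30                        # one shared affine surplus m = 32
    # Editor's reading of "8 + 10": the first element costs 10 symbols; the second is
    # compressed with m = 2 of those symbols as its surplus, so it adds only phi(30) = 8.
    ours = 10 + phi30
    return {"ceilidh": ceilidh, "vdw": vdw, "ours": ours, "saving": 1 - ours / ceilidh}

if __name__ == "__main__":
    print("p^6 - 1 for p = 7 factors as", factor_field_group(7, 6))
    print("q = 43 > 6, in proper subfield?", in_proper_subfield(7, 6, 43))
    print("q = 3 <= 6, in proper subfield?", in_proper_subfield(2, 6, 3))
    print("Phi_30(11) Phi_6(11) = Phi_6(11^5)?", torus_identity_holds(11, 5))
    print(symbols_for_two_t30_elements())
```

The $p = 2$, $q = 3$ case shows why the $q > n$ clause is not decorative: $3 = \Phi_6(2)$ divides $\Phi_6(2)$, yet the order-3 subgroup of $\mathbb{F}_{64}^*$ is $\mathbb{F}_4^*$, exactly the subfield situation Pohlig–Hellman exploits.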


  22. Parameter Selection
  • We only consider $T_{30}(\mathbb{F}_p) \subseteq \mathbb{F}_{p^{30}}^*$
  • Using a Macintosh G5 dual 2.5 GHz computer, we got:

  23. Timings
  • Timings are based on $\log_2 p_L \approx 5 \log_2 p_S$ (so that $T_6(\mathbb{F}_{p_L})$ and $T_{30}(\mathbb{F}_{p_S})$ sit in fields of the same size, $p_L^6 \approx p_S^{30}$), and on $G_q$ with $\log_2 q \approx 160$
  • 2.8 GHz Pentium 4 with 1 GB of memory

  24. Conclusion
  • $T_{30}(\mathbb{F}_p)$ crypto is practical!
  • Compression outperforms existing schemes for as few as 2 elements
  • The method is only slightly slower (2–3×) than $T_6(\mathbb{F}_{p^5})$ and XTR
