Practical Cryptography in High Dimensional Tori

Practical Cryptography in High Dimensional Tori

Marten van Dijk1, Robert Granger2, Dan Page2, Karl Rubin3, Alice Silverberg3, Martijn Stam2,

David Woodruff1

MIT CSAIL, University of Bristol, UC Irvine

Outline

1. Application of Torus Cryptography

2. Goals of Torus Cryptography- Security- Efficiency

- Space – Compression- Time – Exponentiations

3. Our Contribution4. Implementation5. Conclusion

Sample Application

gb

gab 2 Zq a 2 Zq

Target: Secret key exchange over insecure channel

Setting: Cyclic group Gq µ F*pn of order q

Key gab

Outline

1. Application of Torus Cryptography

2. Goals of Torus Cryptography- Security- Efficiency

- Space – Compression- Time – Exponentiations

3. Our Contribution4. Implementation5. Conclusion

SecuritySetting: Gq µ F*

pn

How to choose Gq?

Security: Can’t compute gab from ga, gb (CDH)

1. Pollard : log2 q > 160

2. Index Calculus: n log2 p > 1024

3. Pohlig-Hellman: Gq not in proper subfield

Security: Pohlig-Hellman

Setting: Gq µ F*pn

How to choose Gq?

Pohlig-Hellman: Gq not in proper subfield

F*pn is cyclic of cardinality pn – 1 = d | n d(p),

d(p) is the d-th cyclotomic polynomial.

1(p) = p-1, 2(p) = p+1, 3(p) = p2 + p + 1, 6(p) = p2 – p + 1

Security: Pohlig-Hellman

Setting: Gq µ F*pn

How to choose Gq?

Pohlig-Hellman: Gq not in proper subfield

Example: |F*p6| = p6-1 = (p-1)(p+1)(p2+p+1)(p2-p+1)

= 1(p)2(p) ¢ 3(p) ¢ 6(p)

d(p) ¼ p(d) , where (d) is Euler totient function

Security: Pohlig-Hellman

Setting: Gq µ F*pn

How to choose Gq?

Pohlig-Hellman: Gq not in proper subfield

[Lenstra]: If q | n(p), q > n, then Gq is not in a proper subfield.

Order n(p) subgroup is torus Tn(Fp)

Other tori: T1 = {g 2 F*pn : gp-1 = 1} = F*

p ,

T2 = {g 2 F*pn : gp+1 = 1} , Td = {g 2 F*

pn : gd(p) = 1} for d | n

Choose Gq µ Tn(Fp)

Outline

1. Application of Torus Cryptography

2. Goals of Torus Cryptography- Security- Efficiency

- Space – Compression- Time – Exponentiations

3. Our Contribution4. Implementation5. Conclusion

Efficiency: Communication

- Represent Gq with n log2 p bits

- But Gq is much smaller! Can’t we do better?

- We don’t know how to efficiently achieve log2 q bits

- We can achieve |Tn(Fp)| ¼ (n) log2 p bits for some n

LUC[LS], XTR [LV], CEILIDH [RS]

Setting: Gq µ Tn(Fp) µ F*pn

Efficiency: Communication

- Affine space An(Fp) = n-tuples (g1, …, gn) 2 (Fp)n

- LUC: T2(Fp) $ A1(Fp)

- XTR: T6(Fp) $ A2(Fp)

-CEILIDH: Tn(Fp) $ A(n)(Fp) if and only if n is a product of at most two prime powers

- If n the product of at most two prime powers, (n)/n >= 1/3 and this is achieved for n = 6.

Setting: Gq µ Tn(Fp) µ F*pn

Efficiency: Communication

Setting: Gq µ Tn(Fp) µ F*pn

- Ideally want a map Tn(Fp) $ A(n) (Fp) for all n

- [vdW]: 8 n, 9 m and a map Tn(Fp) x Am(Fp) $ Am + (n)(Fp)

- But I thought we wanted a different type of map…

n m

30 32

210 264

… …

Efficiency: Communication

Setting: Gq µ Tn(Fp) µ F*pn

Wanted: Tn(Fp) $ A(n)(Fp)

Got: Tn(Fp) x Am(Fp) Am + (n)(Fp)

- Is this useful? Yes!

- If your application has m ¢ log p extra bits E to transmit or store, can compute (g, E)

-1

Efficiency: Computation

- [vDW]: Tn(Fp) x Am $ Am + (n)

- Problem 1: m may be too large for applications

- Problem 2: very computationally inefficient

- [vDW]: Ask, can computation be reduced?

Outline

1. Application of Torus Cryptography

2. Goals of Torus Cryptography- Security- Efficiency

- Space – Compression- Time – Exponentiations

3. Our Contribution4. Implementation5. Conclusion

Our Contribution

• Reduce m in the map Tn(Fp) x Am $ Am + (n)

Better for more applications

More computationally efficient

• Give the first implementation of T30(Fp) and show it is practical

Our Contribution

• Let n = 30. Our map is inspired by the equation:

30(p) ¢ 6(p) = 6(p5)

• This suggests a mapping:

T30(Fp) x T6(Fp) $ T6(Fp5)

• We can represent T6(Fp) and T6(Fp5) using CEILIDH!

• Get an “almost bijection” T30(Fp) x A2(Fp) $ A10(Fp)

• Affine surplus m = 2, instead of m = 32 in [vDW]

Our Contribution

T30(Fp) x A2(Fp)

T30(Fp) x T6(Fp)

T6(Fp5)

A2(Fp5) = A10(Fp)

CEILIDH decompression

CRT

CEILIDH compression

Applications

• Let’s compress two elements of T30(Fp) in different ways:

• Using CEILIDH, takes 20 p-ary symbols

• Using [vDW], takes 48 p-ary symbols

• Using our map, takes 8 + 10 = 18 p-ary symbols

• Obtain 10% ciphertext size reduction in ElGamal variants

Our map: T30(Fp) x A2(Fp) $ A10(Fp)

Our Contribution

• Also have

T210 x A22 ! A232

• For n = 210, [vDW] had m = 264

• Simplicity of map greatly improves computation

• For n = 30, Forward direction =1 multiplication + CEILIDH maps Reverse direction = 1 exponentiation + CEILIDH maps

Outline

1. Application of Torus Cryptography

2. Goals of Torus Cryptography- Security- Efficiency

- Space – Compression- Time – Exponentiations

3. Our Contribution4. Our Implementation5. Conclusion

Parameter Selection

• We only consider T30(Fp) µ F*p30

• Using a Macintosh G5 dual 2.5GHz computer, we got:

log2 |Gq| log2 p Security How long did it take us?

160 32 960-bit RSA ~ 1 per minute

200 64 1920-bit RSA ~ 1 per hour

TimingsT6(FpL

) T30(FpS)

Compress .13 ms .13 ms

Decompress .19 ms 4.9 ms

T6(FpL) T30(FpS

)

Binary 5.21 ms 9.12 ms

Sliding Window 4.39 ms 7.53 ms

pS -ary 3.11 ms

JSF single 2.79 ms 4.57 ms

• Timings based on log2(pL) ¼ 5 log2(pS), and Gq with log2 q ¼ 160• 2.8 GHz Pentium 4 with 1GB of memory

Conclusion

• T30(Fp) crypto is practical!

• Compression outperforms existing schemes for as few as 2 elements

• The method is only slightly slower (2-3) than T6(Fp5) and XTR