Centro de Investigacion´ y de Estudios Avanzados del Instituto Politecnico´ Nacional Unidad Zacatenco Departamento de Computacion´ An´alisis e implementaci´oneficiente de protocolos criptogr´aficosde llave p´ublica Tesis que presenta Jos´eEduardo Ochoa Jim´enez para obtener el grado de Doctor en Ciencias en Computaci´on Director de tesis Dr. Francisco Jos´eRamb´oRodr´ıguezHenr´ıquez Ciudad de M´exico Febrero, 2019 ii Center for Research and Advanced Studies of National Polytechnic Institute Zacatenco campus Computer science department Analysis and efficient implementation of public key cryptographic protocols Submitted by Jos´eEduardo Ochoa Jim´enez for the degree of Ph.D. in Computer Science Advisor Francisco Jos´eRamb´oRodr´ıguezHenr´ıquez,Ph.D. Mexico City February, 2019 iv Dedication To my family. v vi Acknowledgements I thank my advisor Francisco Rodr´ıguez-Henr´ıquezfor his guidance and support during my Ph.D. studies. I also thank my friends from the cryptography laboratory for sharing their knowledge and for having shared with me hard and good times. I thank the Consejo Nacional de Ciencia y Tecnolog´ıaCONACyT for the scholarship pro- vided to me during the period that I was a Ph.D. candidate at Cinvestav. And finally, a special thanks to the Department staff who supported me during my Ph.D. research. vii viii Resumen Durante las ´ultimascuatro d´ecadas,el paradigma de la criptograf´ıa de llave p´ublica ha brindado soluciones elegantes a diversos problemas dif´ıcilesque surgen de aplicaciones contempor´aneasde seguridad de la informaci´on.Ejemplos de estos problemas incluyen: au- tenticaci´onde entidades, anonimato, no repudio, por nombrar s´oloalgunos. No obstante, la implementaci´oneficiente de la criptograf´ıade llave p´ublica implica el c´alculode operaciones aritm´eticasno triviales sobre operandos extremadamente grandes. Por tal motivo, el objetivo principal de esta tesis es analizar cuidadosamente algunos de los protocolos criptogr´aficosde llave p´ublicam´aspopulares, con la finalidad de identificar las operaciones cr´ıticasque influ- yen significativamente en el costo computacional de dichos esquemas. Una vez identificadas estas operaciones, nuestro siguiente objetivo es proponer mejoras algor´ıtmicasy/o de imple- mentaci´onque permitan reducir significativamente el tiempo de ejecuci´onde estos protocolos, mientras se mantiene la seguridad en contra de ataques de canal lateral de los esquemas. Este trabajo de investigaci´onexamina tres sub´areasdiferentes de la criptograf´ıade llave p´ublica,es decir, esquemas basados en la factorizaci´onde n´umerosenteros, emparejamientos e isogenias. Las primeras dos sub´areasse han utilizado e implementado intensamente en innumerables aplicaciones de seguridad de la informaci´on.Mientras que el ´ultimoesquema es un candida- to prometedor para realizar el intercambio de llaves secretas en un escenario post-cu´antico, donde se supone que ya se encuentran disponibles computadoras cu´anticas suficientemente poderosas. Nuestro estudio comienza realizando un an´alisiscuidadoso de la implementaci´on eficiente de la aritm´eticaentera y de campos finitos en las micro-arquitecturas de los pro- cesadores m´asrecientes. Este an´alisisnos permiti´odise~naruna biblioteca de software que es utilizada para implementar de manera segura el algoritmo de firma RSA. De la sub´area de criptograf´ıabasada en emparejamientos, se aborda el problema general del \hashing" de tiempo constante hacia curvas el´ıpticas,donde se proponen algoritmos pr´acticos,eficientes y seguros para realizar el \hashing" a los subgrupos de curva el´ıpticautilizados en este tipo de protocolos. Adem´as,se dise~n´ouna biblioteca de software que implementa dos protocolos de autenticaci´onde dos factores, los cuales son seguros contra ataques simples de canal lateral. Por otra parte, proponemos el uso de emparejamientos sobre curvas el´ıpticascon grado de encajamiento uno para implementar el protocolo de firma corta propuesto por Boneh, Lynn y Shacham (BLS). Nuestro esquema aprovecha el hecho de que la mejora algor´ıtmicapara el c´alculode logaritmos discretos, reportado recientemente por Kim y Barbulescu, no se aplica al escenario cuando el \Discrete Logarithm Problem" (DLP) se calcula en campos finitos de orden primo. En el caso de la criptograf´ıabasada en isogenias, se proponen diversas optimiza- ciones algor´ıtmicascuyo objetivo es mejorar el desempe~node las operaciones aritm´eticasde curvas el´ıpticasy campos finitos. Estas optimizaciones producen una aceleraci´onimportante del tiempo de ejecuci´ondel protocolo \Supersingular Isogeny Diffie-Hellman" (SIDH). Fi- nalmente, se presenta una nueva construcci´ondel protocolo SIDH, utilizando isogenias cuyo grado no es una potencia de un primo, la cual permite conseguir una aceleraci´onconsiderable en su c´alculo. ix x Abstract During the last four decades, the public-key cryptography paradigm has provided ele- gant solutions to several difficult problems that arise in contemporary information security applications. Examples of these problems include, entity authentication, anonymity, non- repudiation to name just a few. Nevertheless, the efficient implementation of public-key cryptography involves the computation of non-trivial arithmetic operations with extremely large operands. Accordingly, the main research goal of this thesis is to carefully analyze some of the most popular public key cryptographic protocols with the aim of identifying critical operations that significantly influence the whole computational cost of those schemes. Once that these operations were identified, our next objective was to propose algorithmic and/or implementation improvements that allow us to obtain significant speedups in the running time of those protocols, while keeping a sound security of those schemes against side-channel attacks. In this research work, we examine three different sub-areas of public-key cryptog- raphy, namely, Integer-factorization-based, pairing-based and isogeny-based cryptographic schemes. The first two sub-areas have been intensively used and deployed in innumerable information security applications. The last sub-area is a promising candidate for computing secret key-exchange in a post-quantum scenario, where it is assumed that powerful quantum computers are already available. Taking into account practical considerations, we started our study by performing a careful analysis of the efficient implementation of integer and finite field arithmetic over the newest desktop micro-architectures. In this study, different techniques for the efficient computation of modular multiplication were especially analyzed due to the large influence of this operation in the performance achieved by the cryptographic schemes studied in this work. This study allows us to design a software library used for implementing the RSA signature algorithm in a secure way. In the case of pairing-based cryptography, we discuss the general problem of constant-time hashing into elliptic curves and we propose practical, efficient, and secure algorithms for hashing values to elliptic curve subgroups used in pairing-based cryptographic protocols. Moreover, we design a software library that implements two pairing-based two-factor authentication protocols, which allows to thwart simple side-channel attacks. Then, we also propose the usage of pairings over elliptic curves with embedding degree one to implement the Boneh, Lynn and Shacham (BLS) short signature protocol. Our scheme takes advantage of the fact that the algorithmic improvement for computing discrete logarithms recently reported by Kim and Barbulescu, do not apply to the scenario when the Discrete Logarithm Problem (DLP) is computed on prime-order fields Fp. In the case of isogeny-based cryptography, we proposed several al- gorithmic optimizations targeting both elliptic curve and finite field arithmetic operations. These optimizations yielded an important speedup in the runtime cost of the Supersingular Isogeny Diffie-Helmann (SIDH) protocol. Finally, we presented a new construction of the SIDH using non-prime power degree isogenies in the Bob's side, which allows us to achieve a considerable speedup in its computation. xi Cinvestav xii Contents 1. Introduction 13 1.1. Motivation..................................... 15 1.2. Outline....................................... 16 2. Mathematical background 17 2.1. Groups........................................ 17 2.1.1. Subgroups.................................. 19 2.1.2. Cyclic groups................................ 19 2.1.3. Cosets.................................... 20 2.1.4. Group homomorphisms.......................... 21 2.2. Rings........................................ 22 2.3. Fields........................................ 24 2.3.1. Field extensions.............................. 25 2.4. Elliptic curves.................................... 26 2.4.1. The group law............................... 27 2.4.2. Elliptic curves over finite fields...................... 30 2.5. Discrete Logarithm Problem (DLP)....................... 32 I Integer-factorization-based cryptography 33 3. Integer and finite field arithmetic 35 3.1. Representation of large integers.......................... 35 3.2. Arithmetic instructions in processors....................... 36 3.2.1. AVX2 instruction set............................ 36 3.3. Integer arithmetic................................. 37 3.3.1. Addition and subtraction......................... 37 3.3.2. Multiplication................................ 38 3.3.3. Squaring................................... 41 3.3.4. Modular
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages193 Page
-
File Size-