Table Of ContentElliptic Curve Multiset Hash
JeremyMaitin-Shepard MehdiTibouchi
UCBerkeley NTTSecurePlatformLaboratories
[email protected] [email protected]
DiegoF.Aranha
InstituteofComputing,UniversityofCampinas
[email protected]
6 Abstract
1
Ahomomorphic,orincremental,multisethashfunction,associatesahashvaluetoarbitrarycollec-
0
2 tions of objects (with possible repetitions) in such a way that the hash of the union of two collections
is easy to compute from the hashes of the two collections themselves: it is simply their sum under a
n
suitablegroupoperation. Inparticular,hashvaluesoflargecollectionscanbecomputedincrementally
a
J and/orinparallel. Homomorphichashingisthusaveryusefulprimitivewithapplicationsrangingfrom
5 databaseintegrityverificationtostreamingset/multisetcomparisonandnetworkcoding.
2
Unfortunately, constructionsofhomomorphichashfunctionsintheliteraturearehamperedbytwo
] maindrawbacks: theytendtobemuchlongerthanusualhashfunctionsatthesamesecuritylevel(e.g.
R toachieveacollisionresistanceof2128,theyareseveralthousandbitslong,asopposedto256bitsfor
C usualhashfunctions),andtheyarealsoquiteslow.
.
s In this paper, we introduce the Elliptic Curve Multiset Hash (ECMH), which combines a usual bit
c
string-valuedhashfunctionlikeBLAKE2withanefficientencodingintobinaryellipticcurvestoover-
[
comebothdifficulties. Ontheonehand,thesizeofECMHdigestsisessentiallyoptimal: 2m-bithash
1 valuesprovideO(2m)collisionresistance.Ontheotherhand,wedemonstrateahighly-efficientsoftware
v
implementationofECMH,whichourthoroughempiricalevaluationshowstobecapableofprocessing
2
0 over3millionsetelementspersecondona4GHzIntelHaswellmachineatthe128-bitsecuritylevel—
5 manytimesfasterthanpreviouspracticalmethods.
6
Whileincrementalhashingbasedonellipticcurveshasbeenconsideredpreviously[1],theproposed
0
. methodwaslessefficient, susceptibletotimingattacks, andpotentiallypatent-encumbered[2], andno
1
practicalimplementationwasdemonstrated.
0
6
1 Keywords: homomorphichashing,ellipticcurves,efficientimplementation,GLS254,PCLMULQDQ.
:
v
i
X 1 Introduction
r
a
Homomorphichashing
A multiset is a generalization of a set in which each element has an associated integer multiplicity. Given
a possibly infinite set A, a set (resp. multiset) homomorphic hash function on A maps finite subsets of A
(resp. finitely-supported multisets on A) to fixed-length hash values, allowing incremental updates: when
newelementsareaddedtothe(multi)set,thehashvalueofthemodified(multi)setcanbecomputedintime
proportionaltothedegreeofmodification.
1
The incremental update property makes homomorphic hashing a very useful and versatile primitive. It
has found applications in many areas of computer security and algorithmics, including network coding [3]
andverifiablepeer-to-peercontentdistribution[4],secureInternetrouting[5],Byzantinefaulttolerance[6,
7], streaming set and multiset equality comparison [8], and various aspects of database security, such as
accesspatternprivacy[9]andintegrityprotection[10].
This latter use case provides a simple example of how the primitive is used in practice: one can use
homomorphichashingtoverifytheintegrityofadatabasewithatransactionlog,bycomputingahashvalue
foreachtransactioninsuchawaythatthehashofthecompletedatabasestateisequaltothe(appropriately-
defined) sum of the hashes of all transactions. Another observation [11] is that homomorphic hashing can
be used for incremental and parallel hashing of lists, arrays, strings and other similar data structures: for
example,thelist(b ,...,b )canberepresentedastheset{(1,b ),...,(n,b )},anditsufficestoapplythe
1 n 1 n
homomorphichashfunctiontothatset.
Constructinghomomorphichashfunctions
A framework for constructing provably secure homomorphic hash functions (in some suitably idealized
model,suchastherandomoraclemodel)wasintroducedbyBellareandMicciancio[11],andlaterextended
tothemultisethashsettingbyClarkeetal.[10],andrevisitedbyCathaloetal.[8].
Roughlyspeaking, theframeworkofBellareandMiccianciocanbedescribedasfollows. Toconstruct
a (multi)set homomorphic hash function on A, one can start with a usual hash function Hˆ from A to some
additivegroupG, andextendittofinitesubsetsofA(resp. multisetsonA)bysettingH({a ,...,a }) =
1 n
Hˆ(a1) + ··· + Hˆ(an) (resp. H({am1 1,...,amnn}) = m1 · Hˆ(a1) + ··· + mn · Hˆ(an), where mi is the
multiplicity of a ). And in fact, it is clear that all possible homomorphic hash functions arise in that way.
i
Note that as in Clarke et al. [10], and unlike the original framework of Bellare and Miciancio [11], there
is no block index i included in the hash Hˆ(a ) of each element a , because we are hashing unordered
i i
sets/multisets,ratherthanorderedsequencesofblocks.
Assume that the underlying hash function Hˆ is ideal (i.e. it behaves like a random oracle). Then we
can ask when the corresponding homomorphic hash function H is secure (collision resistant, say). This
translates to a knapsack-like number-theoretic assumption on the group G, which Bellare and Micciancio
showholds,forexample,whenthediscretelogarithmproblemishardinG.
Concretely, Bellare andMicciancioand theauthorsof subsequentworkspropose anumberof possible
instantiations for H which essentially amount to choosing G = Z× or G = Zn for suitable parameters
p m
p,m,n. These concrete instantiations yield simple implementations, but they all suffer from suboptimal
output size (they require outputs of several thousand bits to achieve collision resistance at the 128 security
level),andtheirefficiencyisgenerallyunsatisfactory. Essentiallyallpracticalapplicationsofhomomorphic
hashinginthesecurityliteratureseemtofocusonthecaseG = Z×,calledMuHash.
p
Ourcontributions
WithinBellareandMicciancio’sframework,constructingahomomorphichashfunctionamountstochoos-
ingagroupGwheretheappropriatenumber-theoreticassumptionholds,togetherwithahashfunctiontoG
whosebehavioriscloseenoughtoidealforthesecurityprooftogothrough.
Inthispaper,weproposeanovelconcreteconstructionofamultisethashfunctionbychoosingGasthe
groupofpointsofabinaryellipticcurves,andpickingthehashfunctionfollowingtheapproachofBrieret
al.[12](whichweimproveuponslightly)appliedtothebinarycurvevariantofShallueandvandeWoesti-
jne’s encoding function [13]. We also describe a software implementation of our proposal (building upon
2
the work of Aranha et al. [14] for binary curve hashing, and using BLAKE2 [15] as the actual underlying
hash function) and provide extensive performance results showing that our function outperforms existing
methodsbyalargemarginonmodernCPUarchitectures(especiallythosesupportingcarry-lessmultiplica-
tion). Furthermore, choosinganellipticcurve(withsmallcofactor)forthegroupofhashvaluessolvesthe
“outputsize”problemofhomomorphichashingoutright: O(2n)collisionsecurityisachievedwithroughly
2n-bitlongdigests. Yet,theydonotseemtohavebeenusedinconcreteimplementationsofhomomorphic
hashing so far1. One can wonder why; the most likely explanation is that usual methods for hashing to el-
lipticcurvesarefartooinefficienttomakecurvesattractivefromaperformancestandpoint: almostallsuch
methodsrequireatleastonefullsizeexponentiationinthebasefieldofthecurve,whichwillbemuchmore
costlybyitselfthanthesinglemultiplication(inamuchlargerfield)requiredbyMuHash—evenoncurves
overfastprimefieldsatthe128-bitsecuritylevel[14],suchanencodingfunctionisover3timesslowerthan
MuHashatequivalentsecurityonHaswell,andover20timesslowerthanourconstruction. Onlybyusing
binarycurvesandrelativelysophisticatedimplementationtechniquesdoweavoidthatstumblingblockand
prove that elliptic curves can be competitive. As a result, we achieve a processing speed of over 3 million
setelementspersecondona4GHzIntelHaswellCPUatthe128-bitsecuritylevel. Speedupsareexpected
withthereleaseofIntelBroadwellprocessorsanditsimprovedimplementationofcarry-lessmultiplication.
Arebinaryellipticcurvessafe?
Recently,newdevelopmentshavebeenannouncedregardingtheasymptoticcomplexityofthediscretelog-
arithm problem on binary elliptic curves, particularly by Semaev [16]. These results are somewhat con-
troversial, since they are based on heuristic assumptions that prevailing evidence suggests are unlikely to
hold[17,18],andtheirstoragerequirementsappeartomakethempurelytheoreticalanyway[19].
However,ifSemaev’sclaimsofanL[1/2]attackturnouttobecorrect,theasymptoticsecurityofbinary
ellipticcurve-basedECMHwouldbereduced. Theconcretesecurityofourconstruction,ontheotherhand,
wouldbecompletelyunaffectedoncurvesofupto300+bits(andinparticularatthe128-bitsecuritylevelon
GLS254),sincetheclaimedattackisworsethangenericattacksonsuchcurves. Moreover,evenifactually
practical L[1/2] attacks were to be found, ECMH on binary curves is likely to remain attractive, since it
mainlycompetesagainstMuHash,whichisvulnerabletoanL[1/3]subexponentialattack.
Forallthesereasons,webelievethatECMHonbinaryellipticcurvesisasafechoiceforsecurity-minded
practitioners, and that the switch from MuHash to ECMH is entirely justified in view of the considerable
performancegain(whichletsdesignerschooseahighersecuritymarginandstillcomeoutfarahead).
2 Homomorphic Multiset Hash Function
Formally, we define a multiset M ∈ Z(A) as a function with finite support mapping a base set A to the
integers Z. As an extension of the usual definition in which multiplicities are restricted to Z , we allow
≥0
negativemultiplicitiesaswell. WewillimplicitlyconsidersubsetsS ⊆ AtobemultisetsinZ(A).
Clarke et al. [10] introduce a definition of a multiset hash function that efficiently supports incremen-
tally adding (multisets of) elements. We give a simpler (but nearly equivalent2) definition that makes the
connectiontohomomorphichashfunctions[20]explicit:
1OnecanmentionEECH[1]asrelevantrelatedworkthatalsousesbinarycurvesforhashing,buttheauthorsdidn’tconsider
homomorphichashingatall,andtheirfunctionsseemspoorlysuitedforthatgoal.SeeSection8foramoredetaileddiscussion.
2Wegiveaproofofequivalence(underamildassumption)inappendixD.
3
Definition 1. Let A be a set and let (G,+ ) be a finite group. A function H: Z(A) → G that maps
G
multisets over the base set A to a point in G is said to be a homomorphic multiset hash function if H is a
group homomorphism from the pointwise-additive group of functions (Z(A),+) to (G,+ ); equivalently,
G
H(M +M ) = H(M )+ H(M )forallM ,M ∈ Z(A). WedefineHˆ: A → GbyHˆ(a) = H({a}).
1 2 1 G 2 1 2
Thisdefinitionminimallycapturesanintuitivenotionofamultisethashfunctionthatsupportsincremen-
tally adding and removing (multisets of) elements. These incremental updates are efficient assuming that
additionandnegationinGcanbeperformedefficientlyandH(M)canbecomputedefficiently(e.g.intime
linearintherepresentationlengthofthenon-zerovaluesofM). NotethatsincepointwiseadditioninZ(A)
iscommutative,therelevantsubgroupH(Z(A)) ≤ Gisnecessarilycommutative,andthereforewithoutloss
of generality we can assume that G is commutative. It may seem that it is too strong of an assumption to
requireagroupstructureonG,orequivalently,that(multisetsof)elementscanberemovedaswellasadded.
In fact, provided that + is lossless, in that a+ b = a+ c implies b = c, there is no loss of generality.
G G G
We show in appendix C that we can construct a group that supports (efficient) incremental removals based
onlyon(efficient)incrementaladditions.
Since the set of singleton subsets of A generates the group (Z(A),+), H can conversely be uniquely
definedbyHˆ:
(cid:88)
H(M) = M(a)·Hˆ(a).
a∈A
Indeed,thisispreciselytherandomize-then-combineparadigmproposedbyBellareandMicciancio[11]for
incrementalhashingofmessages,whichisreadily(infact,morenaturallythantomessagehashing)applied
by Clarke et al. [10] to multiset hashing. Our goal is to minimize the computational cost for computing H
andtherepresentationsizeforelementsofGwhileachievingagivenlevelofcollisionresistance.
Collisionresistance
A collision for a hash function H is a pair x,x(cid:48) such that x (cid:54)= x(cid:48) but H(x) = H(x(cid:48)). For any group-
homomorphic hash function H from a group (X,+) to (G,+), a collision can equivalently be defined as
a value x ∈ kerH \ {0 }. By the birthday bound that applies to any hash function, a collision can be
X
(cid:112)
found with at most expected O( |G|) hash computations; we can hope to design a multiset hash function
(cid:112)
forwhichexpectedtimeΩ( |G|)isalsoalowerbound.3
Apreimageattackseekstoinvertthehashfunction,namelytofindavaluexsuchthatH(x) = y,fora
randomelementyintheimageofH. Wecanhopetodesignamultisethashfunctionforwhichtheexpected
timecomplexityofthebestpreimageattackisalsoequaltothegenericupperboundΩ(|G|). Notethatfor
a homomorphic hash function we do not consider preimage attacks on the identity element 0 , since its
G
preimageisfixed.
A second preimage attack seeks to find a value x(cid:48) such that H(x(cid:48)) = H(x), for some known value
x. Since a second preimage implies a collision, the time complexity of a second preimage attack is
(cid:112)
lower bounded by the time complexity of the best collision attack, ideally Ω( |G|). For a general, non-
homomorphic hash function, we can hope that the best attack has expected Ω(|G|) time complexity. For
any homomorphic hash function, however, the group structure implies that a second preimage attack is no
(cid:112)
harderthanacollisionattack(withexpectedtimecomplexityupper-boundedbyO( |G|)).
3Inthisandtheothercollisionboundsthatfollow,itisassumedthattheexpectationsaretakenoverarandomchoiceofhash
functionHandgroup(G,+ )fromsomehashfunctionfamily(distribution)H.
G
4
3 Generic multiset hash families
A random oracle Hˆ: A → G clearly achieves the optimal preimage resistance of Θ(|G|) and the optimal
(cid:112)
collision resistance of Θ( |G|), in the sense that at least this many oracle queries are needed to compute
preimagesandcollisionsrespectively.
It does not follow, however, that the associated multiset hash function H = H : Z(A) → G has the
G
same security level; for example, if we choose G = Zn, then O(n) oracle queries, instead of Ω(2n), are
2
enough to find arbitrary preimages in polynomial time by solving a simple n × n linear system over Z .
2
However, Bellare and Micciancio [11] have shown (in the set hash setting, but this generalizes naturally
to multisets) how to obtain a security reduction for H based on a computational hardness assumption on
G
the group G. For concrete choices of G, that hardness assumption is related to standard number theoretic
problems,suchasthediscretelogarithmproblemormodularknapsacks.
WhenG = Z×,theresultingmultisethashfunctionH isessentiallyMSet-Mu-Hash[10],themul-
p G
tisetvariantofMuHash[11]. WhenG = Zn,weessentiallyobtainMSet-VAdd-Hash[10],themultiset
m
variant of LtHash (for n > 1) or AdHash (for n = 1) [11]. These functions all have security reductions
intheframeworksketchedabove.
It isrelatively easy to find plausibleconcrete instantiations of the random oracleHˆ to a grouplike Zn,
2
butformoregeneralgroups,thisisusuallymorecomplicated,andasaresultitisoftenconvenienttoreplace
Hˆ byapseudo-randomoracle,i.e.aconstructionthatisindifferentiablefromarandomoracleinthesense
ofMaureretal.[21]. Typically,wecantakeHˆ oftheformHˆ(a) = f(cid:0)h(a)(cid:1)whereh: A → X isarandom
oracle to some intermediate set X (such as bit strings, so that we can plausibly instantiate it with standard
hash function constructions like SHA-24) and f: X → G is an admissible encoding function [22, 12] that
hasthepropertyofmappingtheuniformdistributionoverX toadistributionindistinguishablefromuniform
overG.
Securitybounds
AdHash is appealing for its simplicity, but is far from optimal in terms of hash code size. In the set
hashingsetting(i.e.M(a) ∈ {0,1}),thebestknownattackisthegeneralizedbirthdayattack[23];underthe
√
assumptionthatthisattackisoptimal,thegroupZ correspondstoasecuritylevelofroughly2 nbits. In
2n
the multiset hashing setting, AdHash is completely impractical due to the extremely large hash code sizes
nrequiredtodefeatlatticereductionattacksdescribedinappendixB.
There are reductions from computing discrete logarithms in a group G to finding collisions in the cor-
responding random oracle multiset hash function H [24, 11, 10]. These reductions can be used to prove
G
acollisionresistancepropertyforthegenericmultisethashfamilyoveranygroupinwhichcomputingdis-
crete logarithms is hard, such as Z×. However, because discrete logarithms in Z× can be solved by e.g.
p p
(cid:2) (cid:112) (cid:3)
the Number Field Sieve with (heuristic) subexponential time complexity L 1/3, 3 64/9 [25, p. 128], it
p
is usually estimated that we need to choose p of around 3200 bits for 128-bit security (see for example the
evaluation of the ECRYPT II report on key sizes [26]). In contrast, in a generic group, discrete logarithms
(cid:112)
cannotbecomputedfasterthanexpectedtimeΘ( |G|),whichisalsotheoptimalcollisionresistance.
4WewillassumethatelementsofAcanbereadilyencodedasoctetstrings.
5
4 Elliptic Curve Multiset Hash
Forproperlychosenellipticcurvesoverfinitefields,therearenoknownalgorithmsforsolvingthediscrete
(cid:112)
logarithm problem in the elliptic curve group faster than in a generic group, i.e. expected time Θ( |G|).
Therefore, there is a clear possibility for using an elliptic curve group to obtain a given level of collision
resistancewithamuchlowergroupsizethanwithMSet-Mu-Hash.
Applying the generic multiset hash construction to elliptic curve groups presents a problem, however:
whileitiseasytodefineaveryefficientadmissibleencodingfrom{0,1}k toZ× forsufficientlylargek,an
p
admissible encoding to an elliptic curve group is not so easily defined. While constructions for admissible
encodingfunctionshavebeendemonstrated[12],theircomputationalcostishigherthanwewouldlike.
4.1 Generalizeddiscretelogarithmsecurityreduction
In fact, we can significantly relax the requirement on the encoding function f and still obtain a very tight
reduction, due to random self-reducibility of the discrete logarithm problem. Our relaxed requirement is
relatedtothedefinitionofα-weakencodingsbyBrieretal.[12],andissatisfiedinpracticebyalargeclass
ofencodingfunctions[12].
Definition 2. A function f: S → R between finite sets is said to be an (α,β)-weak encoding, for integer
α ≥ 1andrealvalueβ ≥ 1,ifitsatisfiesthefollowingproperties:
1. Samplable: thereisanefficientrandomizedalgorithmforcomputing|f−1(r)|andsamplinguniformly
fromf−1(r)foranyr ∈ R.
2. |f−1(r)| ≤ αforallr ∈ R.
3. IE [|f−1(r)|/α] ≥ 1/β.
r
An(α,β)-weakencodingfunctionf allowsustoefficientlysamples ∈ S uniformlyatrandomusingβ
uniformsamplesr ∈ Rinexpectation,withthepropertythatf(s) = r foranyacceptedsamplesobtained
fromr.5
Definition3. Letf: X → Gbean(α,β)-weakencoding fromX tothe abeliangroupG. Assume thatG
admitsasadirectfactoracyclicsubgroup(cid:104)g(cid:105)ofprimeorderρ,andthatwecanefficientlysamplefromthe
complementgroup(cid:104)g(cid:105)inthedirectfactordecompositionH = (cid:104)g(cid:105)⊕(cid:104)g(cid:105). Givenarandomoracleh: A → X,
we denote by Hˆ the function A → G given by Hˆ (a) = f(cid:0)h(a)(cid:1), and by H : Z(A) → G the associated
f f f
multisethashfunction.
ThefollowingtheoremshowsthatfindingacollisioninH withmultiplicitiesuptoρ−1isashardas
f
computingdiscretelogarithmstothebaseg,uptoasmallfactorthatdependsonβ. NotethatH doesnot
f
depend on the choice of subgroup (cid:104)g(cid:105), but the strongest security result is obtained by choosing the largest
prime-order subgroup. The requirement of efficient samplability of (cid:104)g(cid:105) is easily satisfied in practice, since
efficiency concerns regarding representation size dictate that (cid:104)g(cid:105) be as small as possible (usually having at
most8elements,andmostofthetimeonly1or2).
5UnderthedefinitionofBrieretal.[12],anα-weakencodingf isan(α|S|/|R|,α2|S|/|R|)-weakencoding. Ourdefinition
allowsforatighterboundtobegivenintheorem1.
6
Theorem1. LetH beamultisethashfunctionasindefinition3. GivenanalgorithmC withaccesstothe
f
underlyingrandomoraclehthatfindsanon-emptymultisetM ∈ kerH with|M| < ρ,inexpectedtime
f ∞
t(cid:48)withprobability(cid:15)(cid:48)usingqqueriestoh,discretelogarithmstothebasegcanbecomputedwithprobability
(cid:15) = (cid:15)(cid:48)/2 in expected time t+T +qT +qβT +LT , where L ≥ |M| is a bound on the length of the
1 2 3 4 0
output of C; T ,...,T denote the time required for a constant number of group operations, and are given
1 4
intheproof.
Proof. SeeAppendixA.
Concretely,ifG = E(F )isthegroupofF -rationalpointsonasuitableellipticcurveE chosento
pm pm
avoidanydiscretelogarithmweaknesses,withasubgroup(cid:104)g(cid:105)ofprimeorderρ ≥ |G|/4,andf isan(α,β)-
weak encoding function with small constant β, then H has collision resistance roughly pm/2/2. Since an
f
element of E(F ) can be represented using (cid:100)log pm(cid:101) bits, the collision resistance of H is essentially
pm 2 f
optimal(towithinafewbits).
4.2 Shallue-vandeWoestijne(SW)encodingincharacteristic2
TheShallue-vandeWoestijne(SW)algorithmforcharacteristic2fields[13]canbeusedtomapanypoint
w ∈ F toapair(x,y) ∈ (F )2 satisfyinganarbitraryellipticcurveequation
2m 2n
E : y2+x·y = x3+a·x2+b, (1)
a,b
where a,b ∈ F . It constructs three values of x from w with the property that at least one necessarily
2m
has a corresponding value y satisfying eq. (1). In addition to the usual arithmetic operations over F , its
2m
definitiondependsonthreelinearmaps:
1. thetracefunctionTr: F → F definedbyTr(x) = (cid:80)m−1x2i;[27,p.130]
2m 2 i=0
2. aquadraticsolver functionQS: {x ∈ F |Tr(x) = 0} → F thatsatisfiesQS(x)2 +QS(x) = x
2m 2m
andQS(0) = 0;
3. coeff : F → F wherecoeff (x)isthezerothcoefficientofany(fixed)polynomialrepresentation
0 2m 2 0
ofx.
An optimized version of the algorithm that requires only a single field inversion [14] is shown as al-
gorithm 1. The algorithm is parameterized by a value t ∈ F satisfying t4 +t (cid:54)= 0; for fields of degree
2m
m > 4, we can choose t = z where z is the indeterminate in the polynomial representation of F . The
2m
result(x,λ) = (x,x+y/x)isrepresentedinλ-affinecoordinates[28]forefficiency.6 Theadditiontoλof
coeff (w)inline12isnotpartoftheoriginalSWalgorithm;thistrivialadditionservestohalvethenumber
0
ofcollisionsatessentiallynoextracost.
It is clear from the definition that the number of preimages of any point (x,λ) under SWCHAR2 is at
mostα = 3,sincec ∈ {t−1·x|j = 1,2,3}andw isuniquelydeterminedfromc,x,andλby
j
w ∈ {QS(c−a),QS(c−a)+1},
coeff (w) = λ+x+QS(x−2·b+x+a).
0
√
6Thereisexactlyonepointwithx=0satisfyingeq.(1): (x=0,y = b). Whenusingλ-affinecoordinates,thisvaluemust
berepresentedspecially.
7
Algorithm1.OptimizedShallue–vandeWoestijneencodingincharacteristic2[14]
Require: t ∈ F suchthatt·(t+1)·(t2+t+1) = t4+t (cid:54)= 0
2m
Precompute: t = t ,t = 1+t ,t = t·(1+t);t−1 = 1/t forj = 1,2,3
1 t2+t+1 2 t2+t+1 3 t2+t+1 j j
1: function SWCHAR2(w ∈ F2m ;a,b ∈ F2m)
2: c ← w2+w+a
3: ifc = 0then √ (cid:46)ThisconditionmayholdonlyifTr(a) = 0
4: return(x = 0,y = b) (cid:46)Thisisthesinglepointsatisfyingeq.(1)withx = 0
5: endif
6: c−1 ← 1/c
7: forj = 1to3do
8: x ← tj ·c
9: x−1 ← t−1·c−1
j
10: hj ← (x−1)2·b+x+a
11: ifTr(hj) = 0then (cid:46)Thisconditionnecessarilyholdsforatleastonej
12: λ ← QS(hj)+x+coeff0(w) (cid:46)cdoesnotdependoncoeff0(w)
13: return(x,λ) (cid:46)y = (λ+x)·x = QS(hj)·x
14: endif
15: endfor
16: endfunction
The preimage set for any point (x,λ) can be efficiently computed by these same formulas. Furthermore,
Aranha et al. [14] show that the proportion of curve points with k preimages under SWCHAR2 for k =
0,1,2,3 is 9/32, 15/32, 7/32, and 1/32, respectively, up to an error term of O(2−n/2). It follows that
IEP[|SWCHAR2−1(P)|/α] = 1/3±O(2−n/2),andtherefore,SWCHAR2isan(α,β)-weakencodingwith
β = 3+O(2−n/2).
4.3 Hashfunctiondefinition
Basedonthisencodingfunction,wedefinetheellipticcurvemultisethash(ECMH):givenabinaryelliptic
curvegroupE (F )andan intermediatehashfunctionh: A → Z (modeledas arandomoracle), we
a,b 2m 2m
define ECMHa,b,h(x) = SWCHAR2(h(x);a,b). Commonly used elliptic curves over F2m, including the
NIST-recommendedones,haveageneratorofprimeorderρ > 2m−2withaneasilydeterminedcomplement
groupofsizeh = |(cid:104)g(cid:105)| ≤ 4. Thus,thesamplabilityrequirementon(cid:104)g(cid:105)iseasilysatisfiedinpractice. Hence,
by theorem 1, finding a collision in ECMH is as hard (up to a small constant factor) as computing discrete
logarithmstothebaseg,whichweassumetobeO(2m/2).
Similarsuitableencodingalgorithmsexistforellipticcurvesoverfieldsofcharacteristicp > 2[13,12],
andcouldalsobeusedtodefineanellipticcurvemultisethash. However,theuseofacharacteristic2field
eliminatestheneedforanexpensivefieldexponentiationinordertosolveaquadraticequation,whichwould
otherwisedominatethecomputationtime, andonmodernCPUsthatsupportfastcarry-lessmultiplication,
fastimplementationsofallotherrequiredfieldoperationsarealsopossibleforcharacteristic2[29].
4.4 Compressedrepresentationofcurvepoints
The group of F -rational points on an elliptic curve E has order |E (F )| ≈ 2m. Each point is
2m a,b a,b 2m
naturally represented as a pair (x,y) ∈ F2 (or (x,λ) ∈ F2 ), but there is a well-known method for
2m 2m
8
encodingapointusingjustm+1bits: givenxthereareatmosttwopossiblevaluesfory(orλ)if(x,y)(or
(x,λ))satisfyE ,andtheycanberecoveredefficientlyusingasmallnumberoffieldoperations. Thus,a
a,b
pointcanbeencodedbyitsxvalueandasingleadditionalbittodisambiguatethetwopossiblepoints. The
elliptic curve group identity element (the point at infinity) can be encoded specially without increasing the
representationsize,byusingabitsequencethatwouldnototherwiseencodeavalidpoint.
5 Implementation
Wedevelopedanoptimizedimplementationofellipticcurvemultisethash(ECMH)asanopen-sourceC++
library [30], with support for all NIST-recommended binary elliptic curves [31] and the record-breaking
GLS254curve[28],aswellasseveralotherSEC2-recommendedcurves[32]. UsingacombinationofC++
templatesandcodegeneration,wewereabletowritegenericcodetosupportmanydifferentconfigurations
withoutsacrificingruntimeperformance;onlyformodularreductionwasacustomimplementationrequired
foreachsupportedfield. Weincorporatedexistingfastx86/x86-64polynomialmultiplication,squaring,and
modularreductionroutinesforF ,F ,F ,F ,F ,F ,F [33]andforF [28].
2163 2193 2233 2239 2283 2409 2571 2127
We implemented field inversion using a polynomial-basis Itoh–Tsujii inversion method making use of
multi-squaring tables [34, 29, 28, 14]. We generated field inversion routines for each field degree auto-
maticallybasedonanA* searchprocedureforcomputingtheoptimalItoh–Tsujiiadditionchainandsetof
multi-squaring tables, based on a machine-specific cost model estimated from field operation performance
measurements[35].
We also developed optimized implementations of the MSet-Mu-Hash and MSet-Add-Hash hash
functions,basedonthemodulararithmeticfunctionsintheOpenSSLlibraryversion1.0.1i,forthepurpose
ofcomparison.
5.1 Intermediatehashfunction
ECMHrequiresanintermediatehashfunctionh: A → Z . UnderourassumptionthatthebasesetAisthe
2m
setofoctetstrings,wesimplyrequireastandardcryptographichashfunction(modeledasarandomoracle)
with output size m. Given the inherent property of any homomorphic hash function that a single collision
leadstoarbitrarysecondpreimages,weadviseusingakeyedhashfunctionwhenpossibletominimizerisk.
Any standard hash function with fixed output size greater than m bits can simply be truncated to m
bits. Standard expansion techniques can be used to efficiently generate an arbitrary length m output from
a hash function with fixed output size b < m. Sponge constructions, such as Keccak [36], are particularly
convenientsincetheysupportarbitraryoutputsizes.
BothAdHashandMuHashsimilarlyrequireintermediatehashfunctions,butwithmuchlargeroutput
sizesmforequivalentsecuritylevels.
Wedesignedourimplementationtosupportarbitraryhashfunctions,butforourperformanceevaluation,
weselectedBLAKE2[15]becauseofitsstate-of-the-artperformance. Form ≤ 256,weusedtheBLAKE2s
variant(256-bitoutput),truncatingtheoutputtombits. For256 < m ≤ 512,weusedtheBLAKE2bvariant
(512-bitoutput)withtruncation. Form > 512,weusedBLAKE2brepeatedlytogeneratesufficientoutput,
insuchawaythattheunderlyingcompressionfunctioniscalledaminimumnumberoftimes.
5.2 Linearfieldoperations
SeveralkeyoperationsforF ,suchassquaring,multi-squaring(x (cid:55)→ x2i),squareroot,andhalf-trace,are
2m
linearinthecoefficients. Formulti-squaring(usefulforinversion)andhalf-trace,animplementationbased
9
on a lookup table can be significantly faster than direct computation [37, 29, 28, 14]. The coefficients are
splitinto(cid:100)m/β(cid:101)blocksofβ bits,andaseparatetableof2β entriesisprecomputedforeachblockposition,
using a total of s = (cid:100)m/β(cid:101)·2β ·(cid:100)m/W(cid:101)·W/8 bytes of memory, where W is the word size in bits.
m,β
Thelineartransformcanthenbecomputedfromtheprecomputedtableswithk = (cid:100)m/β·(cid:100)m/W(cid:101)memory
accessesandk−1XORoperations.
5.3 Blindingforside-channelresistance
The fastest implementation of ECMH is susceptible to timing and cache side-channel attacks, due to the
use of lookup tables (for inversion and QS), and the use of branching (for SWCHAR2). A branch-free
implementation of SWCHAR2 adds only a few additional multiplications and squarings. Lookup tables
are unavoidable for good performance, but we can blind inversion at a cost of just two multiplications and
generationofonerandomfieldelement. WelikewisecanblindQSatacostof1squaring,2additions,and
generation of one random field element, as well as a few bit operations to ensure the random element is in
the image of QS. In this way we can fully protect against timing and cache side-channel attacks at only a
smalladditionalcost.
5.4 Quadraticextensionfield
Forevenm,representingF asaquadraticextensionofF resultsinsignificantlyfasterfieldoperations
2m 2m/2
relative to an odd-degree field of roughly the same size: inversion in the extension field requires only one
inversion in the base field (effectively reducing the memory and computation costs by nearly a factor of 4
foratable-basedmulti-squaringimplementation),andhalf-tracerequiresonly2half-tracecomputationsin
the base field (reducing, for a table-based implementation, the computation cost by a factor of 2 and the
memoryrequirementbyafactorof4)[28]. WeusethisrepresentationtosupporttheGLS254ellipticcurve
overF [28].
2254
5.5 In-memoryrepresentationofellipticcurvepoints
Although an element in the elliptic curve group of points E (F ) can be represented directly using the
a,b 2m
standard affine (x,y)-representation or the λ-affine (x,λ) representation, and more compactly using just
m + 1 bits as described in section 4.4, we can more efficiently perform group operations using the λ-
projective representation (x˜,λ˜,z) corresponding to the λ-affine representation (x = x˜/z,λ = λ˜/z): This
representationallowspointadditionandpointdoublingtobeperformedwithoutanyfieldinversions[28].
5.6 Batch SWCHAR2 computation
Alargefractionofthecomputationalcostofourellipticcurvemultisethashconstructionisduetothesingle
field inversion required by the SWCHAR2 encoding function. Using Montgomery’s trick, n independent
elements can be inverted simultaneously at the cost of just 1 field inversion and 3(n−1) field multiplica-
tions[38]. Sincefieldinversionismuchmorethan3timesasexpensiveasfieldmultiplication,thisprovides
significantcomputationalsavings.
10
