Table Of Content

Elliptic Curve Multiset Hash JeremyMaitin-Shepard MehdiTibouchi UCBerkeley NTTSecurePlatformLaboratories [email protected] [email protected] DiegoF.Aranha InstituteofComputing,UniversityofCampinas [email protected] 6 Abstract 1 Ahomomorphic,orincremental,multisethashfunction,associatesahashvaluetoarbitrarycollec- 0 2 tions of objects (with possible repetitions) in such a way that the hash of the union of two collections is easy to compute from the hashes of the two collections themselves: it is simply their sum under a n suitablegroupoperation. Inparticular,hashvaluesoflargecollectionscanbecomputedincrementally a J and/orinparallel. Homomorphichashingisthusaveryusefulprimitivewithapplicationsrangingfrom 5 databaseintegrityverificationtostreamingset/multisetcomparisonandnetworkcoding. 2 Unfortunately, constructionsofhomomorphichashfunctionsintheliteraturearehamperedbytwo ] maindrawbacks: theytendtobemuchlongerthanusualhashfunctionsatthesamesecuritylevel(e.g. R toachieveacollisionresistanceof2128,theyareseveralthousandbitslong,asopposedto256bitsfor C usualhashfunctions),andtheyarealsoquiteslow. . s In this paper, we introduce the Elliptic Curve Multiset Hash (ECMH), which combines a usual bit c string-valuedhashfunctionlikeBLAKE2withanefficientencodingintobinaryellipticcurvestoover- [ comebothdifficulties. Ontheonehand,thesizeofECMHdigestsisessentiallyoptimal: 2m-bithash 1 valuesprovideO(2m)collisionresistance.Ontheotherhand,wedemonstrateahighly-efficientsoftware v implementationofECMH,whichourthoroughempiricalevaluationshowstobecapableofprocessing 2 0 over3millionsetelementspersecondona4GHzIntelHaswellmachineatthe128-bitsecuritylevel— 5 manytimesfasterthanpreviouspracticalmethods. 6 Whileincrementalhashingbasedonellipticcurveshasbeenconsideredpreviously[1],theproposed 0 . methodwaslessefficient, susceptibletotimingattacks, andpotentiallypatent-encumbered[2], andno 1 practicalimplementationwasdemonstrated. 0 6 1 Keywords: homomorphichashing,ellipticcurves,efficientimplementation,GLS254,PCLMULQDQ. : v i X 1 Introduction r a Homomorphichashing A multiset is a generalization of a set in which each element has an associated integer multiplicity. Given a possibly infinite set A, a set (resp. multiset) homomorphic hash function on A maps finite subsets of A (resp. finitely-supported multisets on A) to fixed-length hash values, allowing incremental updates: when newelementsareaddedtothe(multi)set,thehashvalueofthemodified(multi)setcanbecomputedintime proportionaltothedegreeofmodification. 1 The incremental update property makes homomorphic hashing a very useful and versatile primitive. It has found applications in many areas of computer security and algorithmics, including network coding [3] andverifiablepeer-to-peercontentdistribution[4],secureInternetrouting[5],Byzantinefaulttolerance[6, 7], streaming set and multiset equality comparison [8], and various aspects of database security, such as accesspatternprivacy[9]andintegrityprotection[10]. This latter use case provides a simple example of how the primitive is used in practice: one can use homomorphichashingtoverifytheintegrityofadatabasewithatransactionlog,bycomputingahashvalue foreachtransactioninsuchawaythatthehashofthecompletedatabasestateisequaltothe(appropriately- defined) sum of the hashes of all transactions. Another observation [11] is that homomorphic hashing can be used for incremental and parallel hashing of lists, arrays, strings and other similar data structures: for example,thelist(b ,...,b )canberepresentedastheset{(1,b ),...,(n,b )},anditsufficestoapplythe 1 n 1 n homomorphichashfunctiontothatset. Constructinghomomorphichashfunctions A framework for constructing provably secure homomorphic hash functions (in some suitably idealized model,suchastherandomoraclemodel)wasintroducedbyBellareandMicciancio[11],andlaterextended tothemultisethashsettingbyClarkeetal.[10],andrevisitedbyCathaloetal.[8]. Roughlyspeaking, theframeworkofBellareandMiccianciocanbedescribedasfollows. Toconstruct a (multi)set homomorphic hash function on A, one can start with a usual hash function Hˆ from A to some additivegroupG, andextendittofinitesubsetsofA(resp. multisetsonA)bysettingH({a ,...,a }) = 1 n Hˆ(a1) + ··· + Hˆ(an) (resp. H({am1 1,...,amnn}) = m1 · Hˆ(a1) + ··· + mn · Hˆ(an), where mi is the multiplicity of a ). And in fact, it is clear that all possible homomorphic hash functions arise in that way. i Note that as in Clarke et al. [10], and unlike the original framework of Bellare and Miciancio [11], there is no block index i included in the hash Hˆ(a ) of each element a , because we are hashing unordered i i sets/multisets,ratherthanorderedsequencesofblocks. Assume that the underlying hash function Hˆ is ideal (i.e. it behaves like a random oracle). Then we can ask when the corresponding homomorphic hash function H is secure (collision resistant, say). This translates to a knapsack-like number-theoretic assumption on the group G, which Bellare and Micciancio showholds,forexample,whenthediscretelogarithmproblemishardinG. Concretely, Bellare andMicciancioand theauthorsof subsequentworkspropose anumberof possible instantiations for H which essentially amount to choosing G = Z× or G = Zn for suitable parameters p m p,m,n. These concrete instantiations yield simple implementations, but they all suffer from suboptimal output size (they require outputs of several thousand bits to achieve collision resistance at the 128 security level),andtheirefficiencyisgenerallyunsatisfactory. Essentiallyallpracticalapplicationsofhomomorphic hashinginthesecurityliteratureseemtofocusonthecaseG = Z×,calledMuHash. p Ourcontributions WithinBellareandMicciancio’sframework,constructingahomomorphichashfunctionamountstochoos- ingagroupGwheretheappropriatenumber-theoreticassumptionholds,togetherwithahashfunctiontoG whosebehavioriscloseenoughtoidealforthesecurityprooftogothrough. Inthispaper,weproposeanovelconcreteconstructionofamultisethashfunctionbychoosingGasthe groupofpointsofabinaryellipticcurves,andpickingthehashfunctionfollowingtheapproachofBrieret al.[12](whichweimproveuponslightly)appliedtothebinarycurvevariantofShallueandvandeWoesti- jne’s encoding function [13]. We also describe a software implementation of our proposal (building upon 2 the work of Aranha et al. [14] for binary curve hashing, and using BLAKE2 [15] as the actual underlying hash function) and provide extensive performance results showing that our function outperforms existing methodsbyalargemarginonmodernCPUarchitectures(especiallythosesupportingcarry-lessmultiplica- tion). Furthermore, choosinganellipticcurve(withsmallcofactor)forthegroupofhashvaluessolvesthe “outputsize”problemofhomomorphichashingoutright: O(2n)collisionsecurityisachievedwithroughly 2n-bitlongdigests. Yet,theydonotseemtohavebeenusedinconcreteimplementationsofhomomorphic hashing so far1. One can wonder why; the most likely explanation is that usual methods for hashing to el- lipticcurvesarefartooinefficienttomakecurvesattractivefromaperformancestandpoint: almostallsuch methodsrequireatleastonefullsizeexponentiationinthebasefieldofthecurve,whichwillbemuchmore costlybyitselfthanthesinglemultiplication(inamuchlargerfield)requiredbyMuHash—evenoncurves overfastprimefieldsatthe128-bitsecuritylevel[14],suchanencodingfunctionisover3timesslowerthan MuHashatequivalentsecurityonHaswell,andover20timesslowerthanourconstruction. Onlybyusing binarycurvesandrelativelysophisticatedimplementationtechniquesdoweavoidthatstumblingblockand prove that elliptic curves can be competitive. As a result, we achieve a processing speed of over 3 million setelementspersecondona4GHzIntelHaswellCPUatthe128-bitsecuritylevel. Speedupsareexpected withthereleaseofIntelBroadwellprocessorsanditsimprovedimplementationofcarry-lessmultiplication. Arebinaryellipticcurvessafe? Recently,newdevelopmentshavebeenannouncedregardingtheasymptoticcomplexityofthediscretelog- arithm problem on binary elliptic curves, particularly by Semaev [16]. These results are somewhat con- troversial, since they are based on heuristic assumptions that prevailing evidence suggests are unlikely to hold[17,18],andtheirstoragerequirementsappeartomakethempurelytheoreticalanyway[19]. However,ifSemaev’sclaimsofanL[1/2]attackturnouttobecorrect,theasymptoticsecurityofbinary ellipticcurve-basedECMHwouldbereduced. Theconcretesecurityofourconstruction,ontheotherhand, wouldbecompletelyunaffectedoncurvesofupto300+bits(andinparticularatthe128-bitsecuritylevelon GLS254),sincetheclaimedattackisworsethangenericattacksonsuchcurves. Moreover,evenifactually practical L[1/2] attacks were to be found, ECMH on binary curves is likely to remain attractive, since it mainlycompetesagainstMuHash,whichisvulnerabletoanL[1/3]subexponentialattack. Forallthesereasons,webelievethatECMHonbinaryellipticcurvesisasafechoiceforsecurity-minded practitioners, and that the switch from MuHash to ECMH is entirely justified in view of the considerable performancegain(whichletsdesignerschooseahighersecuritymarginandstillcomeoutfarahead). 2 Homomorphic Multiset Hash Function Formally, we define a multiset M ∈ Z(A) as a function with finite support mapping a base set A to the integers Z. As an extension of the usual definition in which multiplicities are restricted to Z , we allow ≥0 negativemultiplicitiesaswell. WewillimplicitlyconsidersubsetsS ⊆ AtobemultisetsinZ(A). Clarke et al. [10] introduce a definition of a multiset hash function that efficiently supports incremen- tally adding (multisets of) elements. We give a simpler (but nearly equivalent2) definition that makes the connectiontohomomorphichashfunctions[20]explicit: 1OnecanmentionEECH[1]asrelevantrelatedworkthatalsousesbinarycurvesforhashing,buttheauthorsdidn’tconsider homomorphichashingatall,andtheirfunctionsseemspoorlysuitedforthatgoal.SeeSection8foramoredetaileddiscussion. 2Wegiveaproofofequivalence(underamildassumption)inappendixD. 3 Definition 1. Let A be a set and let (G,+ ) be a finite group. A function H: Z(A) → G that maps G multisets over the base set A to a point in G is said to be a homomorphic multiset hash function if H is a group homomorphism from the pointwise-additive group of functions (Z(A),+) to (G,+ ); equivalently, G H(M +M ) = H(M )+ H(M )forallM ,M ∈ Z(A). WedefineHˆ: A → GbyHˆ(a) = H({a}). 1 2 1 G 2 1 2 Thisdefinitionminimallycapturesanintuitivenotionofamultisethashfunctionthatsupportsincremen- tally adding and removing (multisets of) elements. These incremental updates are efficient assuming that additionandnegationinGcanbeperformedefficientlyandH(M)canbecomputedefficiently(e.g.intime linearintherepresentationlengthofthenon-zerovaluesofM). NotethatsincepointwiseadditioninZ(A) iscommutative,therelevantsubgroupH(Z(A)) ≤ Gisnecessarilycommutative,andthereforewithoutloss of generality we can assume that G is commutative. It may seem that it is too strong of an assumption to requireagroupstructureonG,orequivalently,that(multisetsof)elementscanberemovedaswellasadded. In fact, provided that + is lossless, in that a+ b = a+ c implies b = c, there is no loss of generality. G G G We show in appendix C that we can construct a group that supports (efficient) incremental removals based onlyon(efficient)incrementaladditions. Since the set of singleton subsets of A generates the group (Z(A),+), H can conversely be uniquely definedbyHˆ: (cid:88) H(M) = M(a)·Hˆ(a). a∈A Indeed,thisispreciselytherandomize-then-combineparadigmproposedbyBellareandMicciancio[11]for incrementalhashingofmessages,whichisreadily(infact,morenaturallythantomessagehashing)applied by Clarke et al. [10] to multiset hashing. Our goal is to minimize the computational cost for computing H andtherepresentationsizeforelementsofGwhileachievingagivenlevelofcollisionresistance. Collisionresistance A collision for a hash function H is a pair x,x(cid:48) such that x (cid:54)= x(cid:48) but H(x) = H(x(cid:48)). For any group- homomorphic hash function H from a group (X,+) to (G,+), a collision can equivalently be defined as a value x ∈ kerH \ {0 }. By the birthday bound that applies to any hash function, a collision can be X (cid:112) found with at most expected O( |G|) hash computations; we can hope to design a multiset hash function (cid:112) forwhichexpectedtimeΩ( |G|)isalsoalowerbound.3 Apreimageattackseekstoinvertthehashfunction,namelytofindavaluexsuchthatH(x) = y,fora randomelementyintheimageofH. Wecanhopetodesignamultisethashfunctionforwhichtheexpected timecomplexityofthebestpreimageattackisalsoequaltothegenericupperboundΩ(|G|). Notethatfor a homomorphic hash function we do not consider preimage attacks on the identity element 0 , since its G preimageisfixed. A second preimage attack seeks to find a value x(cid:48) such that H(x(cid:48)) = H(x), for some known value x. Since a second preimage implies a collision, the time complexity of a second preimage attack is (cid:112) lower bounded by the time complexity of the best collision attack, ideally Ω( |G|). For a general, non- homomorphic hash function, we can hope that the best attack has expected Ω(|G|) time complexity. For any homomorphic hash function, however, the group structure implies that a second preimage attack is no (cid:112) harderthanacollisionattack(withexpectedtimecomplexityupper-boundedbyO( |G|)). 3Inthisandtheothercollisionboundsthatfollow,itisassumedthattheexpectationsaretakenoverarandomchoiceofhash functionHandgroup(G,+ )fromsomehashfunctionfamily(distribution)H. G 4 3 Generic multiset hash families A random oracle Hˆ: A → G clearly achieves the optimal preimage resistance of Θ(|G|) and the optimal (cid:112) collision resistance of Θ( |G|), in the sense that at least this many oracle queries are needed to compute preimagesandcollisionsrespectively. It does not follow, however, that the associated multiset hash function H = H : Z(A) → G has the G same security level; for example, if we choose G = Zn, then O(n) oracle queries, instead of Ω(2n), are 2 enough to find arbitrary preimages in polynomial time by solving a simple n × n linear system over Z . 2 However, Bellare and Micciancio [11] have shown (in the set hash setting, but this generalizes naturally to multisets) how to obtain a security reduction for H based on a computational hardness assumption on G the group G. For concrete choices of G, that hardness assumption is related to standard number theoretic problems,suchasthediscretelogarithmproblemormodularknapsacks. WhenG = Z×,theresultingmultisethashfunctionH isessentiallyMSet-Mu-Hash[10],themul- p G tisetvariantofMuHash[11]. WhenG = Zn,weessentiallyobtainMSet-VAdd-Hash[10],themultiset m variant of LtHash (for n > 1) or AdHash (for n = 1) [11]. These functions all have security reductions intheframeworksketchedabove. It isrelatively easy to find plausibleconcrete instantiations of the random oracleHˆ to a grouplike Zn, 2 butformoregeneralgroups,thisisusuallymorecomplicated,andasaresultitisoftenconvenienttoreplace Hˆ byapseudo-randomoracle,i.e.aconstructionthatisindifferentiablefromarandomoracleinthesense ofMaureretal.[21]. Typically,wecantakeHˆ oftheformHˆ(a) = f(cid:0)h(a)(cid:1)whereh: A → X isarandom oracle to some intermediate set X (such as bit strings, so that we can plausibly instantiate it with standard hash function constructions like SHA-24) and f: X → G is an admissible encoding function [22, 12] that hasthepropertyofmappingtheuniformdistributionoverX toadistributionindistinguishablefromuniform overG. Securitybounds AdHash is appealing for its simplicity, but is far from optimal in terms of hash code size. In the set hashingsetting(i.e.M(a) ∈ {0,1}),thebestknownattackisthegeneralizedbirthdayattack[23];underthe √ assumptionthatthisattackisoptimal,thegroupZ correspondstoasecuritylevelofroughly2 nbits. In 2n the multiset hashing setting, AdHash is completely impractical due to the extremely large hash code sizes nrequiredtodefeatlatticereductionattacksdescribedinappendixB. There are reductions from computing discrete logarithms in a group G to finding collisions in the cor- responding random oracle multiset hash function H [24, 11, 10]. These reductions can be used to prove G acollisionresistancepropertyforthegenericmultisethashfamilyoveranygroupinwhichcomputingdis- crete logarithms is hard, such as Z×. However, because discrete logarithms in Z× can be solved by e.g. p p (cid:2) (cid:112) (cid:3) the Number Field Sieve with (heuristic) subexponential time complexity L 1/3, 3 64/9 [25, p. 128], it p is usually estimated that we need to choose p of around 3200 bits for 128-bit security (see for example the evaluation of the ECRYPT II report on key sizes [26]). In contrast, in a generic group, discrete logarithms (cid:112) cannotbecomputedfasterthanexpectedtimeΘ( |G|),whichisalsotheoptimalcollisionresistance. 4WewillassumethatelementsofAcanbereadilyencodedasoctetstrings. 5 4 Elliptic Curve Multiset Hash Forproperlychosenellipticcurvesoverfinitefields,therearenoknownalgorithmsforsolvingthediscrete (cid:112) logarithm problem in the elliptic curve group faster than in a generic group, i.e. expected time Θ( |G|). Therefore, there is a clear possibility for using an elliptic curve group to obtain a given level of collision resistancewithamuchlowergroupsizethanwithMSet-Mu-Hash. Applying the generic multiset hash construction to elliptic curve groups presents a problem, however: whileitiseasytodefineaveryefficientadmissibleencodingfrom{0,1}k toZ× forsufficientlylargek,an p admissible encoding to an elliptic curve group is not so easily defined. While constructions for admissible encodingfunctionshavebeendemonstrated[12],theircomputationalcostishigherthanwewouldlike. 4.1 Generalizeddiscretelogarithmsecurityreduction In fact, we can significantly relax the requirement on the encoding function f and still obtain a very tight reduction, due to random self-reducibility of the discrete logarithm problem. Our relaxed requirement is relatedtothedefinitionofα-weakencodingsbyBrieretal.[12],andissatisfiedinpracticebyalargeclass ofencodingfunctions[12]. Definition 2. A function f: S → R between finite sets is said to be an (α,β)-weak encoding, for integer α ≥ 1andrealvalueβ ≥ 1,ifitsatisfiesthefollowingproperties: 1. Samplable: thereisanefficientrandomizedalgorithmforcomputing|f−1(r)|andsamplinguniformly fromf−1(r)foranyr ∈ R. 2. |f−1(r)| ≤ αforallr ∈ R. 3. IE [|f−1(r)|/α] ≥ 1/β. r An(α,β)-weakencodingfunctionf allowsustoefficientlysamples ∈ S uniformlyatrandomusingβ uniformsamplesr ∈ Rinexpectation,withthepropertythatf(s) = r foranyacceptedsamplesobtained fromr.5 Definition3. Letf: X → Gbean(α,β)-weakencoding fromX tothe abeliangroupG. Assume thatG admitsasadirectfactoracyclicsubgroup(cid:104)g(cid:105)ofprimeorderρ,andthatwecanefficientlysamplefromthe complementgroup(cid:104)g(cid:105)inthedirectfactordecompositionH = (cid:104)g(cid:105)⊕(cid:104)g(cid:105). Givenarandomoracleh: A → X, we denote by Hˆ the function A → G given by Hˆ (a) = f(cid:0)h(a)(cid:1), and by H : Z(A) → G the associated f f f multisethashfunction. ThefollowingtheoremshowsthatfindingacollisioninH withmultiplicitiesuptoρ−1isashardas f computingdiscretelogarithmstothebaseg,uptoasmallfactorthatdependsonβ. NotethatH doesnot f depend on the choice of subgroup (cid:104)g(cid:105), but the strongest security result is obtained by choosing the largest prime-order subgroup. The requirement of efficient samplability of (cid:104)g(cid:105) is easily satisfied in practice, since efficiency concerns regarding representation size dictate that (cid:104)g(cid:105) be as small as possible (usually having at most8elements,andmostofthetimeonly1or2). 5UnderthedefinitionofBrieretal.[12],anα-weakencodingf isan(α|S|/|R|,α2|S|/|R|)-weakencoding. Ourdefinition allowsforatighterboundtobegivenintheorem1. 6 Theorem1. LetH beamultisethashfunctionasindefinition3. GivenanalgorithmC withaccesstothe f underlyingrandomoraclehthatfindsanon-emptymultisetM ∈ kerH with|M| < ρ,inexpectedtime f ∞ t(cid:48)withprobability(cid:15)(cid:48)usingqqueriestoh,discretelogarithmstothebasegcanbecomputedwithprobability (cid:15) = (cid:15)(cid:48)/2 in expected time t+T +qT +qβT +LT , where L ≥ |M| is a bound on the length of the 1 2 3 4 0 output of C; T ,...,T denote the time required for a constant number of group operations, and are given 1 4 intheproof. Proof. SeeAppendixA. Concretely,ifG = E(F )isthegroupofF -rationalpointsonasuitableellipticcurveE chosento pm pm avoidanydiscretelogarithmweaknesses,withasubgroup(cid:104)g(cid:105)ofprimeorderρ ≥ |G|/4,andf isan(α,β)- weak encoding function with small constant β, then H has collision resistance roughly pm/2/2. Since an f element of E(F ) can be represented using (cid:100)log pm(cid:101) bits, the collision resistance of H is essentially pm 2 f optimal(towithinafewbits). 4.2 Shallue-vandeWoestijne(SW)encodingincharacteristic2 TheShallue-vandeWoestijne(SW)algorithmforcharacteristic2fields[13]canbeusedtomapanypoint w ∈ F toapair(x,y) ∈ (F )2 satisfyinganarbitraryellipticcurveequation 2m 2n E : y2+x·y = x3+a·x2+b, (1) a,b where a,b ∈ F . It constructs three values of x from w with the property that at least one necessarily 2m has a corresponding value y satisfying eq. (1). In addition to the usual arithmetic operations over F , its 2m definitiondependsonthreelinearmaps: 1. thetracefunctionTr: F → F definedbyTr(x) = (cid:80)m−1x2i;[27,p.130] 2m 2 i=0 2. aquadraticsolver functionQS: {x ∈ F |Tr(x) = 0} → F thatsatisfiesQS(x)2 +QS(x) = x 2m 2m andQS(0) = 0; 3. coeff : F → F wherecoeff (x)isthezerothcoefficientofany(fixed)polynomialrepresentation 0 2m 2 0 ofx. An optimized version of the algorithm that requires only a single field inversion [14] is shown as al- gorithm 1. The algorithm is parameterized by a value t ∈ F satisfying t4 +t (cid:54)= 0; for fields of degree 2m m > 4, we can choose t = z where z is the indeterminate in the polynomial representation of F . The 2m result(x,λ) = (x,x+y/x)isrepresentedinλ-affinecoordinates[28]forefficiency.6 Theadditiontoλof coeff (w)inline12isnotpartoftheoriginalSWalgorithm;thistrivialadditionservestohalvethenumber 0 ofcollisionsatessentiallynoextracost. It is clear from the definition that the number of preimages of any point (x,λ) under SWCHAR2 is at mostα = 3,sincec ∈ {t−1·x|j = 1,2,3}andw isuniquelydeterminedfromc,x,andλby j w ∈ {QS(c−a),QS(c−a)+1}, coeff (w) = λ+x+QS(x−2·b+x+a). 0 √ 6Thereisexactlyonepointwithx=0satisfyingeq.(1): (x=0,y = b). Whenusingλ-affinecoordinates,thisvaluemust berepresentedspecially. 7 Algorithm1.OptimizedShallue–vandeWoestijneencodingincharacteristic2[14] Require: t ∈ F suchthatt·(t+1)·(t2+t+1) = t4+t (cid:54)= 0 2m Precompute: t = t ,t = 1+t ,t = t·(1+t);t−1 = 1/t forj = 1,2,3 1 t2+t+1 2 t2+t+1 3 t2+t+1 j j 1: function SWCHAR2(w ∈ F2m ;a,b ∈ F2m) 2: c ← w2+w+a 3: ifc = 0then √ (cid:46)ThisconditionmayholdonlyifTr(a) = 0 4: return(x = 0,y = b) (cid:46)Thisisthesinglepointsatisfyingeq.(1)withx = 0 5: endif 6: c−1 ← 1/c 7: forj = 1to3do 8: x ← tj ·c 9: x−1 ← t−1·c−1 j 10: hj ← (x−1)2·b+x+a 11: ifTr(hj) = 0then (cid:46)Thisconditionnecessarilyholdsforatleastonej 12: λ ← QS(hj)+x+coeff0(w) (cid:46)cdoesnotdependoncoeff0(w) 13: return(x,λ) (cid:46)y = (λ+x)·x = QS(hj)·x 14: endif 15: endfor 16: endfunction The preimage set for any point (x,λ) can be efficiently computed by these same formulas. Furthermore, Aranha et al. [14] show that the proportion of curve points with k preimages under SWCHAR2 for k = 0,1,2,3 is 9/32, 15/32, 7/32, and 1/32, respectively, up to an error term of O(2−n/2). It follows that IEP[|SWCHAR2−1(P)|/α] = 1/3±O(2−n/2),andtherefore,SWCHAR2isan(α,β)-weakencodingwith β = 3+O(2−n/2). 4.3 Hashfunctiondefinition Basedonthisencodingfunction,wedefinetheellipticcurvemultisethash(ECMH):givenabinaryelliptic curvegroupE (F )andan intermediatehashfunctionh: A → Z (modeledas arandomoracle), we a,b 2m 2m define ECMHa,b,h(x) = SWCHAR2(h(x);a,b). Commonly used elliptic curves over F2m, including the NIST-recommendedones,haveageneratorofprimeorderρ > 2m−2withaneasilydeterminedcomplement groupofsizeh = |(cid:104)g(cid:105)| ≤ 4. Thus,thesamplabilityrequirementon(cid:104)g(cid:105)iseasilysatisfiedinpractice. Hence, by theorem 1, finding a collision in ECMH is as hard (up to a small constant factor) as computing discrete logarithmstothebaseg,whichweassumetobeO(2m/2). Similarsuitableencodingalgorithmsexistforellipticcurvesoverfieldsofcharacteristicp > 2[13,12], andcouldalsobeusedtodefineanellipticcurvemultisethash. However,theuseofacharacteristic2field eliminatestheneedforanexpensivefieldexponentiationinordertosolveaquadraticequation,whichwould otherwisedominatethecomputationtime, andonmodernCPUsthatsupportfastcarry-lessmultiplication, fastimplementationsofallotherrequiredfieldoperationsarealsopossibleforcharacteristic2[29]. 4.4 Compressedrepresentationofcurvepoints The group of F -rational points on an elliptic curve E has order |E (F )| ≈ 2m. Each point is 2m a,b a,b 2m naturally represented as a pair (x,y) ∈ F2 (or (x,λ) ∈ F2 ), but there is a well-known method for 2m 2m 8 encodingapointusingjustm+1bits: givenxthereareatmosttwopossiblevaluesfory(orλ)if(x,y)(or (x,λ))satisfyE ,andtheycanberecoveredefficientlyusingasmallnumberoffieldoperations. Thus,a a,b pointcanbeencodedbyitsxvalueandasingleadditionalbittodisambiguatethetwopossiblepoints. The elliptic curve group identity element (the point at infinity) can be encoded specially without increasing the representationsize,byusingabitsequencethatwouldnototherwiseencodeavalidpoint. 5 Implementation Wedevelopedanoptimizedimplementationofellipticcurvemultisethash(ECMH)asanopen-sourceC++ library [30], with support for all NIST-recommended binary elliptic curves [31] and the record-breaking GLS254curve[28],aswellasseveralotherSEC2-recommendedcurves[32]. UsingacombinationofC++ templatesandcodegeneration,wewereabletowritegenericcodetosupportmanydifferentconfigurations withoutsacrificingruntimeperformance;onlyformodularreductionwasacustomimplementationrequired foreachsupportedfield. Weincorporatedexistingfastx86/x86-64polynomialmultiplication,squaring,and modularreductionroutinesforF ,F ,F ,F ,F ,F ,F [33]andforF [28]. 2163 2193 2233 2239 2283 2409 2571 2127 We implemented field inversion using a polynomial-basis Itoh–Tsujii inversion method making use of multi-squaring tables [34, 29, 28, 14]. We generated field inversion routines for each field degree auto- maticallybasedonanA* searchprocedureforcomputingtheoptimalItoh–Tsujiiadditionchainandsetof multi-squaring tables, based on a machine-specific cost model estimated from field operation performance measurements[35]. We also developed optimized implementations of the MSet-Mu-Hash and MSet-Add-Hash hash functions,basedonthemodulararithmeticfunctionsintheOpenSSLlibraryversion1.0.1i,forthepurpose ofcomparison. 5.1 Intermediatehashfunction ECMHrequiresanintermediatehashfunctionh: A → Z . UnderourassumptionthatthebasesetAisthe 2m setofoctetstrings,wesimplyrequireastandardcryptographichashfunction(modeledasarandomoracle) with output size m. Given the inherent property of any homomorphic hash function that a single collision leadstoarbitrarysecondpreimages,weadviseusingakeyedhashfunctionwhenpossibletominimizerisk. Any standard hash function with fixed output size greater than m bits can simply be truncated to m bits. Standard expansion techniques can be used to efficiently generate an arbitrary length m output from a hash function with fixed output size b < m. Sponge constructions, such as Keccak [36], are particularly convenientsincetheysupportarbitraryoutputsizes. BothAdHashandMuHashsimilarlyrequireintermediatehashfunctions,butwithmuchlargeroutput sizesmforequivalentsecuritylevels. Wedesignedourimplementationtosupportarbitraryhashfunctions,butforourperformanceevaluation, weselectedBLAKE2[15]becauseofitsstate-of-the-artperformance. Form ≤ 256,weusedtheBLAKE2s variant(256-bitoutput),truncatingtheoutputtombits. For256 < m ≤ 512,weusedtheBLAKE2bvariant (512-bitoutput)withtruncation. Form > 512,weusedBLAKE2brepeatedlytogeneratesufficientoutput, insuchawaythattheunderlyingcompressionfunctioniscalledaminimumnumberoftimes. 5.2 Linearfieldoperations SeveralkeyoperationsforF ,suchassquaring,multi-squaring(x (cid:55)→ x2i),squareroot,andhalf-trace,are 2m linearinthecoefficients. Formulti-squaring(usefulforinversion)andhalf-trace,animplementationbased 9 on a lookup table can be significantly faster than direct computation [37, 29, 28, 14]. The coefficients are splitinto(cid:100)m/β(cid:101)blocksofβ bits,andaseparatetableof2β entriesisprecomputedforeachblockposition, using a total of s = (cid:100)m/β(cid:101)·2β ·(cid:100)m/W(cid:101)·W/8 bytes of memory, where W is the word size in bits. m,β Thelineartransformcanthenbecomputedfromtheprecomputedtableswithk = (cid:100)m/β·(cid:100)m/W(cid:101)memory accessesandk−1XORoperations. 5.3 Blindingforside-channelresistance The fastest implementation of ECMH is susceptible to timing and cache side-channel attacks, due to the use of lookup tables (for inversion and QS), and the use of branching (for SWCHAR2). A branch-free implementation of SWCHAR2 adds only a few additional multiplications and squarings. Lookup tables are unavoidable for good performance, but we can blind inversion at a cost of just two multiplications and generationofonerandomfieldelement. WelikewisecanblindQSatacostof1squaring,2additions,and generation of one random field element, as well as a few bit operations to ensure the random element is in the image of QS. In this way we can fully protect against timing and cache side-channel attacks at only a smalladditionalcost. 5.4 Quadraticextensionfield Forevenm,representingF asaquadraticextensionofF resultsinsignificantlyfasterfieldoperations 2m 2m/2 relative to an odd-degree field of roughly the same size: inversion in the extension field requires only one inversion in the base field (effectively reducing the memory and computation costs by nearly a factor of 4 foratable-basedmulti-squaringimplementation),andhalf-tracerequiresonly2half-tracecomputationsin the base field (reducing, for a table-based implementation, the computation cost by a factor of 2 and the memoryrequirementbyafactorof4)[28]. WeusethisrepresentationtosupporttheGLS254ellipticcurve overF [28]. 2254 5.5 In-memoryrepresentationofellipticcurvepoints Although an element in the elliptic curve group of points E (F ) can be represented directly using the a,b 2m standard affine (x,y)-representation or the λ-affine (x,λ) representation, and more compactly using just m + 1 bits as described in section 4.4, we can more efficiently perform group operations using the λ- projective representation (x˜,λ˜,z) corresponding to the λ-affine representation (x = x˜/z,λ = λ˜/z): This representationallowspointadditionandpointdoublingtobeperformedwithoutanyfieldinversions[28]. 5.6 Batch SWCHAR2 computation Alargefractionofthecomputationalcostofourellipticcurvemultisethashconstructionisduetothesingle field inversion required by the SWCHAR2 encoding function. Using Montgomery’s trick, n independent elements can be inverted simultaneously at the cost of just 1 field inversion and 3(n−1) field multiplica- tions[38]. Sincefieldinversionismuchmorethan3timesasexpensiveasfieldmultiplication,thisprovides significantcomputationalsavings. 10

ebook img

Elliptic Curve Multiset Hash PDF

0.45 MB·
by  Jeremy Maitin-Shepard
#journals #arxiv
Save to my drive
Quick download
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Elliptic Curve Multiset Hash

Elliptic Curve Multiset Hash JeremyMaitin-Shepard MehdiTibouchi UCBerkeley NTTSecurePlatformLaboratories [email protected] [email protected] DiegoF.Aranha InstituteofComputing,UniversityofCampinas [email protected] 6 Abstract 1 Ahomomorphic,orincremental,multisethashfunction,associatesahashvaluetoarbitrarycollec- 0 2 tions of objects (with possible repetitions) in such a way that the hash of the union of two collections is easy to compute from the hashes of the two collections themselves: it is simply their sum under a n suitablegroupoperation. Inparticular,hashvaluesoflargecollectionscanbecomputedincrementally a J and/orinparallel. Homomorphichashingisthusaveryusefulprimitivewithapplicationsrangingfrom 5 databaseintegrityverificationtostreamingset/multisetcomparisonandnetworkcoding. 2 Unfortunately, constructionsofhomomorphichashfunctionsintheliteraturearehamperedbytwo ] maindrawbacks: theytendtobemuchlongerthanusualhashfunctionsatthesamesecuritylevel(e.g. R toachieveacollisionresistanceof2128,theyareseveralthousandbitslong,asopposedto256bitsfor C usualhashfunctions),andtheyarealsoquiteslow. . s In this paper, we introduce the Elliptic Curve Multiset Hash (ECMH), which combines a usual bit c string-valuedhashfunctionlikeBLAKE2withanefficientencodingintobinaryellipticcurvestoover- [ comebothdifficulties. Ontheonehand,thesizeofECMHdigestsisessentiallyoptimal: 2m-bithash 1 valuesprovideO(2m)collisionresistance.Ontheotherhand,wedemonstrateahighly-efficientsoftware v implementationofECMH,whichourthoroughempiricalevaluationshowstobecapableofprocessing 2 0 over3millionsetelementspersecondona4GHzIntelHaswellmachineatthe128-bitsecuritylevel— 5 manytimesfasterthanpreviouspracticalmethods. 6 Whileincrementalhashingbasedonellipticcurveshasbeenconsideredpreviously[1],theproposed 0 . methodwaslessefficient, susceptibletotimingattacks, andpotentiallypatent-encumbered[2], andno 1 practicalimplementationwasdemonstrated. 0 6 1 Keywords: homomorphichashing,ellipticcurves,efficientimplementation,GLS254,PCLMULQDQ. : v i X 1 Introduction r a Homomorphichashing A multiset is a generalization of a set in which each element has an associated integer multiplicity. Given a possibly infinite set A, a set (resp. multiset) homomorphic hash function on A maps finite subsets of A (resp. finitely-supported multisets on A) to fixed-length hash values, allowing incremental updates: when newelementsareaddedtothe(multi)set,thehashvalueofthemodified(multi)setcanbecomputedintime proportionaltothedegreeofmodification. 1 The incremental update property makes homomorphic hashing a very useful and versatile primitive. It has found applications in many areas of computer security and algorithmics, including network coding [3] andverifiablepeer-to-peercontentdistribution[4],secureInternetrouting[5],Byzantinefaulttolerance[6, 7], streaming set and multiset equality comparison [8], and various aspects of database security, such as accesspatternprivacy[9]andintegrityprotection[10]. This latter use case provides a simple example of how the primitive is used in practice: one can use homomorphichashingtoverifytheintegrityofadatabasewithatransactionlog,bycomputingahashvalue foreachtransactioninsuchawaythatthehashofthecompletedatabasestateisequaltothe(appropriately- defined) sum of the hashes of all transactions. Another observation [11] is that homomorphic hashing can be used for incremental and parallel hashing of lists, arrays, strings and other similar data structures: for example,thelist(b ,...,b )canberepresentedastheset{(1,b ),...,(n,b )},anditsufficestoapplythe 1 n 1 n homomorphichashfunctiontothatset. Constructinghomomorphichashfunctions A framework for constructing provably secure homomorphic hash functions (in some suitably idealized model,suchastherandomoraclemodel)wasintroducedbyBellareandMicciancio[11],andlaterextended tothemultisethashsettingbyClarkeetal.[10],andrevisitedbyCathaloetal.[8]. Roughlyspeaking, theframeworkofBellareandMiccianciocanbedescribedasfollows. Toconstruct a (multi)set homomorphic hash function on A, one can start with a usual hash function Hˆ from A to some additivegroupG, andextendittofinitesubsetsofA(resp. multisetsonA)bysettingH({a ,...,a }) = 1 n Hˆ(a1) + ··· + Hˆ(an) (resp. H({am1 1,...,amnn}) = m1 · Hˆ(a1) + ··· + mn · Hˆ(an), where mi is the multiplicity of a ). And in fact, it is clear that all possible homomorphic hash functions arise in that way. i Note that as in Clarke et al. [10], and unlike the original framework of Bellare and Miciancio [11], there is no block index i included in the hash Hˆ(a ) of each element a , because we are hashing unordered i i sets/multisets,ratherthanorderedsequencesofblocks. Assume that the underlying hash function Hˆ is ideal (i.e. it behaves like a random oracle). Then we can ask when the corresponding homomorphic hash function H is secure (collision resistant, say). This translates to a knapsack-like number-theoretic assumption on the group G, which Bellare and Micciancio showholds,forexample,whenthediscretelogarithmproblemishardinG. Concretely, Bellare andMicciancioand theauthorsof subsequentworkspropose anumberof possible instantiations for H which essentially amount to choosing G = Z× or G = Zn for suitable parameters p m p,m,n. These concrete instantiations yield simple implementations, but they all suffer from suboptimal output size (they require outputs of several thousand bits to achieve collision resistance at the 128 security level),andtheirefficiencyisgenerallyunsatisfactory. Essentiallyallpracticalapplicationsofhomomorphic hashinginthesecurityliteratureseemtofocusonthecaseG = Z×,calledMuHash. p Ourcontributions WithinBellareandMicciancio’sframework,constructingahomomorphichashfunctionamountstochoos- ingagroupGwheretheappropriatenumber-theoreticassumptionholds,togetherwithahashfunctiontoG whosebehavioriscloseenoughtoidealforthesecurityprooftogothrough. Inthispaper,weproposeanovelconcreteconstructionofamultisethashfunctionbychoosingGasthe groupofpointsofabinaryellipticcurves,andpickingthehashfunctionfollowingtheapproachofBrieret al.[12](whichweimproveuponslightly)appliedtothebinarycurvevariantofShallueandvandeWoesti- jne’s encoding function [13]. We also describe a software implementation of our proposal (building upon 2 the work of Aranha et al. [14] for binary curve hashing, and using BLAKE2 [15] as the actual underlying hash function) and provide extensive performance results showing that our function outperforms existing methodsbyalargemarginonmodernCPUarchitectures(especiallythosesupportingcarry-lessmultiplica- tion). Furthermore, choosinganellipticcurve(withsmallcofactor)forthegroupofhashvaluessolvesthe “outputsize”problemofhomomorphichashingoutright: O(2n)collisionsecurityisachievedwithroughly 2n-bitlongdigests. Yet,theydonotseemtohavebeenusedinconcreteimplementationsofhomomorphic hashing so far1. One can wonder why; the most likely explanation is that usual methods for hashing to el- lipticcurvesarefartooinefficienttomakecurvesattractivefromaperformancestandpoint: almostallsuch methodsrequireatleastonefullsizeexponentiationinthebasefieldofthecurve,whichwillbemuchmore costlybyitselfthanthesinglemultiplication(inamuchlargerfield)requiredbyMuHash—evenoncurves overfastprimefieldsatthe128-bitsecuritylevel[14],suchanencodingfunctionisover3timesslowerthan MuHashatequivalentsecurityonHaswell,andover20timesslowerthanourconstruction. Onlybyusing binarycurvesandrelativelysophisticatedimplementationtechniquesdoweavoidthatstumblingblockand prove that elliptic curves can be competitive. As a result, we achieve a processing speed of over 3 million setelementspersecondona4GHzIntelHaswellCPUatthe128-bitsecuritylevel. Speedupsareexpected withthereleaseofIntelBroadwellprocessorsanditsimprovedimplementationofcarry-lessmultiplication. Arebinaryellipticcurvessafe? Recently,newdevelopmentshavebeenannouncedregardingtheasymptoticcomplexityofthediscretelog- arithm problem on binary elliptic curves, particularly by Semaev [16]. These results are somewhat con- troversial, since they are based on heuristic assumptions that prevailing evidence suggests are unlikely to hold[17,18],andtheirstoragerequirementsappeartomakethempurelytheoreticalanyway[19]. However,ifSemaev’sclaimsofanL[1/2]attackturnouttobecorrect,theasymptoticsecurityofbinary ellipticcurve-basedECMHwouldbereduced. Theconcretesecurityofourconstruction,ontheotherhand, wouldbecompletelyunaffectedoncurvesofupto300+bits(andinparticularatthe128-bitsecuritylevelon GLS254),sincetheclaimedattackisworsethangenericattacksonsuchcurves. Moreover,evenifactually practical L[1/2] attacks were to be found, ECMH on binary curves is likely to remain attractive, since it mainlycompetesagainstMuHash,whichisvulnerabletoanL[1/3]subexponentialattack. Forallthesereasons,webelievethatECMHonbinaryellipticcurvesisasafechoiceforsecurity-minded practitioners, and that the switch from MuHash to ECMH is entirely justified in view of the considerable performancegain(whichletsdesignerschooseahighersecuritymarginandstillcomeoutfarahead). 2 Homomorphic Multiset Hash Function Formally, we define a multiset M ∈ Z(A) as a function with finite support mapping a base set A to the integers Z. As an extension of the usual definition in which multiplicities are restricted to Z , we allow ≥0 negativemultiplicitiesaswell. WewillimplicitlyconsidersubsetsS ⊆ AtobemultisetsinZ(A). Clarke et al. [10] introduce a definition of a multiset hash function that efficiently supports incremen- tally adding (multisets of) elements. We give a simpler (but nearly equivalent2) definition that makes the connectiontohomomorphichashfunctions[20]explicit: 1OnecanmentionEECH[1]asrelevantrelatedworkthatalsousesbinarycurvesforhashing,buttheauthorsdidn’tconsider homomorphichashingatall,andtheirfunctionsseemspoorlysuitedforthatgoal.SeeSection8foramoredetaileddiscussion. 2Wegiveaproofofequivalence(underamildassumption)inappendixD. 3 Definition 1. Let A be a set and let (G,+ ) be a finite group. A function H: Z(A) → G that maps G multisets over the base set A to a point in G is said to be a homomorphic multiset hash function if H is a group homomorphism from the pointwise-additive group of functions (Z(A),+) to (G,+ ); equivalently, G H(M +M ) = H(M )+ H(M )forallM ,M ∈ Z(A). WedefineHˆ: A → GbyHˆ(a) = H({a}). 1 2 1 G 2 1 2 Thisdefinitionminimallycapturesanintuitivenotionofamultisethashfunctionthatsupportsincremen- tally adding and removing (multisets of) elements. These incremental updates are efficient assuming that additionandnegationinGcanbeperformedefficientlyandH(M)canbecomputedefficiently(e.g.intime linearintherepresentationlengthofthenon-zerovaluesofM). NotethatsincepointwiseadditioninZ(A) iscommutative,therelevantsubgroupH(Z(A)) ≤ Gisnecessarilycommutative,andthereforewithoutloss of generality we can assume that G is commutative. It may seem that it is too strong of an assumption to requireagroupstructureonG,orequivalently,that(multisetsof)elementscanberemovedaswellasadded. In fact, provided that + is lossless, in that a+ b = a+ c implies b = c, there is no loss of generality. G G G We show in appendix C that we can construct a group that supports (efficient) incremental removals based onlyon(efficient)incrementaladditions. Since the set of singleton subsets of A generates the group (Z(A),+), H can conversely be uniquely definedbyHˆ: (cid:88) H(M) = M(a)·Hˆ(a). a∈A Indeed,thisispreciselytherandomize-then-combineparadigmproposedbyBellareandMicciancio[11]for incrementalhashingofmessages,whichisreadily(infact,morenaturallythantomessagehashing)applied by Clarke et al. [10] to multiset hashing. Our goal is to minimize the computational cost for computing H andtherepresentationsizeforelementsofGwhileachievingagivenlevelofcollisionresistance. Collisionresistance A collision for a hash function H is a pair x,x(cid:48) such that x (cid:54)= x(cid:48) but H(x) = H(x(cid:48)). For any group- homomorphic hash function H from a group (X,+) to (G,+), a collision can equivalently be defined as a value x ∈ kerH \ {0 }. By the birthday bound that applies to any hash function, a collision can be X (cid:112) found with at most expected O( |G|) hash computations; we can hope to design a multiset hash function (cid:112) forwhichexpectedtimeΩ( |G|)isalsoalowerbound.3 Apreimageattackseekstoinvertthehashfunction,namelytofindavaluexsuchthatH(x) = y,fora randomelementyintheimageofH. Wecanhopetodesignamultisethashfunctionforwhichtheexpected timecomplexityofthebestpreimageattackisalsoequaltothegenericupperboundΩ(|G|). Notethatfor a homomorphic hash function we do not consider preimage attacks on the identity element 0 , since its G preimageisfixed. A second preimage attack seeks to find a value x(cid:48) such that H(x(cid:48)) = H(x), for some known value x. Since a second preimage implies a collision, the time complexity of a second preimage attack is (cid:112) lower bounded by the time complexity of the best collision attack, ideally Ω( |G|). For a general, non- homomorphic hash function, we can hope that the best attack has expected Ω(|G|) time complexity. For any homomorphic hash function, however, the group structure implies that a second preimage attack is no (cid:112) harderthanacollisionattack(withexpectedtimecomplexityupper-boundedbyO( |G|)). 3Inthisandtheothercollisionboundsthatfollow,itisassumedthattheexpectationsaretakenoverarandomchoiceofhash functionHandgroup(G,+ )fromsomehashfunctionfamily(distribution)H. G 4 3 Generic multiset hash families A random oracle Hˆ: A → G clearly achieves the optimal preimage resistance of Θ(|G|) and the optimal (cid:112) collision resistance of Θ( |G|), in the sense that at least this many oracle queries are needed to compute preimagesandcollisionsrespectively. It does not follow, however, that the associated multiset hash function H = H : Z(A) → G has the G same security level; for example, if we choose G = Zn, then O(n) oracle queries, instead of Ω(2n), are 2 enough to find arbitrary preimages in polynomial time by solving a simple n × n linear system over Z . 2 However, Bellare and Micciancio [11] have shown (in the set hash setting, but this generalizes naturally to multisets) how to obtain a security reduction for H based on a computational hardness assumption on G the group G. For concrete choices of G, that hardness assumption is related to standard number theoretic problems,suchasthediscretelogarithmproblemormodularknapsacks. WhenG = Z×,theresultingmultisethashfunctionH isessentiallyMSet-Mu-Hash[10],themul- p G tisetvariantofMuHash[11]. WhenG = Zn,weessentiallyobtainMSet-VAdd-Hash[10],themultiset m variant of LtHash (for n > 1) or AdHash (for n = 1) [11]. These functions all have security reductions intheframeworksketchedabove. It isrelatively easy to find plausibleconcrete instantiations of the random oracleHˆ to a grouplike Zn, 2 butformoregeneralgroups,thisisusuallymorecomplicated,andasaresultitisoftenconvenienttoreplace Hˆ byapseudo-randomoracle,i.e.aconstructionthatisindifferentiablefromarandomoracleinthesense ofMaureretal.[21]. Typically,wecantakeHˆ oftheformHˆ(a) = f(cid:0)h(a)(cid:1)whereh: A → X isarandom oracle to some intermediate set X (such as bit strings, so that we can plausibly instantiate it with standard hash function constructions like SHA-24) and f: X → G is an admissible encoding function [22, 12] that hasthepropertyofmappingtheuniformdistributionoverX toadistributionindistinguishablefromuniform overG. Securitybounds AdHash is appealing for its simplicity, but is far from optimal in terms of hash code size. In the set hashingsetting(i.e.M(a) ∈ {0,1}),thebestknownattackisthegeneralizedbirthdayattack[23];underthe √ assumptionthatthisattackisoptimal,thegroupZ correspondstoasecuritylevelofroughly2 nbits. In 2n the multiset hashing setting, AdHash is completely impractical due to the extremely large hash code sizes nrequiredtodefeatlatticereductionattacksdescribedinappendixB. There are reductions from computing discrete logarithms in a group G to finding collisions in the cor- responding random oracle multiset hash function H [24, 11, 10]. These reductions can be used to prove G acollisionresistancepropertyforthegenericmultisethashfamilyoveranygroupinwhichcomputingdis- crete logarithms is hard, such as Z×. However, because discrete logarithms in Z× can be solved by e.g. p p (cid:2) (cid:112) (cid:3) the Number Field Sieve with (heuristic) subexponential time complexity L 1/3, 3 64/9 [25, p. 128], it p is usually estimated that we need to choose p of around 3200 bits for 128-bit security (see for example the evaluation of the ECRYPT II report on key sizes [26]). In contrast, in a generic group, discrete logarithms (cid:112) cannotbecomputedfasterthanexpectedtimeΘ( |G|),whichisalsotheoptimalcollisionresistance. 4WewillassumethatelementsofAcanbereadilyencodedasoctetstrings. 5 4 Elliptic Curve Multiset Hash Forproperlychosenellipticcurvesoverfinitefields,therearenoknownalgorithmsforsolvingthediscrete (cid:112) logarithm problem in the elliptic curve group faster than in a generic group, i.e. expected time Θ( |G|). Therefore, there is a clear possibility for using an elliptic curve group to obtain a given level of collision resistancewithamuchlowergroupsizethanwithMSet-Mu-Hash. Applying the generic multiset hash construction to elliptic curve groups presents a problem, however: whileitiseasytodefineaveryefficientadmissibleencodingfrom{0,1}k toZ× forsufficientlylargek,an p admissible encoding to an elliptic curve group is not so easily defined. While constructions for admissible encodingfunctionshavebeendemonstrated[12],theircomputationalcostishigherthanwewouldlike. 4.1 Generalizeddiscretelogarithmsecurityreduction In fact, we can significantly relax the requirement on the encoding function f and still obtain a very tight reduction, due to random self-reducibility of the discrete logarithm problem. Our relaxed requirement is relatedtothedefinitionofα-weakencodingsbyBrieretal.[12],andissatisfiedinpracticebyalargeclass ofencodingfunctions[12]. Definition 2. A function f: S → R between finite sets is said to be an (α,β)-weak encoding, for integer α ≥ 1andrealvalueβ ≥ 1,ifitsatisfiesthefollowingproperties: 1. Samplable: thereisanefficientrandomizedalgorithmforcomputing|f−1(r)|andsamplinguniformly fromf−1(r)foranyr ∈ R. 2. |f−1(r)| ≤ αforallr ∈ R. 3. IE [|f−1(r)|/α] ≥ 1/β. r An(α,β)-weakencodingfunctionf allowsustoefficientlysamples ∈ S uniformlyatrandomusingβ uniformsamplesr ∈ Rinexpectation,withthepropertythatf(s) = r foranyacceptedsamplesobtained fromr.5 Definition3. Letf: X → Gbean(α,β)-weakencoding fromX tothe abeliangroupG. Assume thatG admitsasadirectfactoracyclicsubgroup(cid:104)g(cid:105)ofprimeorderρ,andthatwecanefficientlysamplefromthe complementgroup(cid:104)g(cid:105)inthedirectfactordecompositionH = (cid:104)g(cid:105)⊕(cid:104)g(cid:105). Givenarandomoracleh: A → X, we denote by Hˆ the function A → G given by Hˆ (a) = f(cid:0)h(a)(cid:1), and by H : Z(A) → G the associated f f f multisethashfunction. ThefollowingtheoremshowsthatfindingacollisioninH withmultiplicitiesuptoρ−1isashardas f computingdiscretelogarithmstothebaseg,uptoasmallfactorthatdependsonβ. NotethatH doesnot f depend on the choice of subgroup (cid:104)g(cid:105), but the strongest security result is obtained by choosing the largest prime-order subgroup. The requirement of efficient samplability of (cid:104)g(cid:105) is easily satisfied in practice, since efficiency concerns regarding representation size dictate that (cid:104)g(cid:105) be as small as possible (usually having at most8elements,andmostofthetimeonly1or2). 5UnderthedefinitionofBrieretal.[12],anα-weakencodingf isan(α|S|/|R|,α2|S|/|R|)-weakencoding. Ourdefinition allowsforatighterboundtobegivenintheorem1. 6 Theorem1. LetH beamultisethashfunctionasindefinition3. GivenanalgorithmC withaccesstothe f underlyingrandomoraclehthatfindsanon-emptymultisetM ∈ kerH with|M| < ρ,inexpectedtime f ∞ t(cid:48)withprobability(cid:15)(cid:48)usingqqueriestoh,discretelogarithmstothebasegcanbecomputedwithprobability (cid:15) = (cid:15)(cid:48)/2 in expected time t+T +qT +qβT +LT , where L ≥ |M| is a bound on the length of the 1 2 3 4 0 output of C; T ,...,T denote the time required for a constant number of group operations, and are given 1 4 intheproof. Proof. SeeAppendixA. Concretely,ifG = E(F )isthegroupofF -rationalpointsonasuitableellipticcurveE chosento pm pm avoidanydiscretelogarithmweaknesses,withasubgroup(cid:104)g(cid:105)ofprimeorderρ ≥ |G|/4,andf isan(α,β)- weak encoding function with small constant β, then H has collision resistance roughly pm/2/2. Since an f element of E(F ) can be represented using (cid:100)log pm(cid:101) bits, the collision resistance of H is essentially pm 2 f optimal(towithinafewbits). 4.2 Shallue-vandeWoestijne(SW)encodingincharacteristic2 TheShallue-vandeWoestijne(SW)algorithmforcharacteristic2fields[13]canbeusedtomapanypoint w ∈ F toapair(x,y) ∈ (F )2 satisfyinganarbitraryellipticcurveequation 2m 2n E : y2+x·y = x3+a·x2+b, (1) a,b where a,b ∈ F . It constructs three values of x from w with the property that at least one necessarily 2m has a corresponding value y satisfying eq. (1). In addition to the usual arithmetic operations over F , its 2m definitiondependsonthreelinearmaps: 1. thetracefunctionTr: F → F definedbyTr(x) = (cid:80)m−1x2i;[27,p.130] 2m 2 i=0 2. aquadraticsolver functionQS: {x ∈ F |Tr(x) = 0} → F thatsatisfiesQS(x)2 +QS(x) = x 2m 2m andQS(0) = 0; 3. coeff : F → F wherecoeff (x)isthezerothcoefficientofany(fixed)polynomialrepresentation 0 2m 2 0 ofx. An optimized version of the algorithm that requires only a single field inversion [14] is shown as al- gorithm 1. The algorithm is parameterized by a value t ∈ F satisfying t4 +t (cid:54)= 0; for fields of degree 2m m > 4, we can choose t = z where z is the indeterminate in the polynomial representation of F . The 2m result(x,λ) = (x,x+y/x)isrepresentedinλ-affinecoordinates[28]forefficiency.6 Theadditiontoλof coeff (w)inline12isnotpartoftheoriginalSWalgorithm;thistrivialadditionservestohalvethenumber 0 ofcollisionsatessentiallynoextracost. It is clear from the definition that the number of preimages of any point (x,λ) under SWCHAR2 is at mostα = 3,sincec ∈ {t−1·x|j = 1,2,3}andw isuniquelydeterminedfromc,x,andλby j w ∈ {QS(c−a),QS(c−a)+1}, coeff (w) = λ+x+QS(x−2·b+x+a). 0 √ 6Thereisexactlyonepointwithx=0satisfyingeq.(1): (x=0,y = b). Whenusingλ-affinecoordinates,thisvaluemust berepresentedspecially. 7 Algorithm1.OptimizedShallue–vandeWoestijneencodingincharacteristic2[14] Require: t ∈ F suchthatt·(t+1)·(t2+t+1) = t4+t (cid:54)= 0 2m Precompute: t = t ,t = 1+t ,t = t·(1+t);t−1 = 1/t forj = 1,2,3 1 t2+t+1 2 t2+t+1 3 t2+t+1 j j 1: function SWCHAR2(w ∈ F2m ;a,b ∈ F2m) 2: c ← w2+w+a 3: ifc = 0then √ (cid:46)ThisconditionmayholdonlyifTr(a) = 0 4: return(x = 0,y = b) (cid:46)Thisisthesinglepointsatisfyingeq.(1)withx = 0 5: endif 6: c−1 ← 1/c 7: forj = 1to3do 8: x ← tj ·c 9: x−1 ← t−1·c−1 j 10: hj ← (x−1)2·b+x+a 11: ifTr(hj) = 0then (cid:46)Thisconditionnecessarilyholdsforatleastonej 12: λ ← QS(hj)+x+coeff0(w) (cid:46)cdoesnotdependoncoeff0(w) 13: return(x,λ) (cid:46)y = (λ+x)·x = QS(hj)·x 14: endif 15: endfor 16: endfunction The preimage set for any point (x,λ) can be efficiently computed by these same formulas. Furthermore, Aranha et al. [14] show that the proportion of curve points with k preimages under SWCHAR2 for k = 0,1,2,3 is 9/32, 15/32, 7/32, and 1/32, respectively, up to an error term of O(2−n/2). It follows that IEP[|SWCHAR2−1(P)|/α] = 1/3±O(2−n/2),andtherefore,SWCHAR2isan(α,β)-weakencodingwith β = 3+O(2−n/2). 4.3 Hashfunctiondefinition Basedonthisencodingfunction,wedefinetheellipticcurvemultisethash(ECMH):givenabinaryelliptic curvegroupE (F )andan intermediatehashfunctionh: A → Z (modeledas arandomoracle), we a,b 2m 2m define ECMHa,b,h(x) = SWCHAR2(h(x);a,b). Commonly used elliptic curves over F2m, including the NIST-recommendedones,haveageneratorofprimeorderρ > 2m−2withaneasilydeterminedcomplement groupofsizeh = |(cid:104)g(cid:105)| ≤ 4. Thus,thesamplabilityrequirementon(cid:104)g(cid:105)iseasilysatisfiedinpractice. Hence, by theorem 1, finding a collision in ECMH is as hard (up to a small constant factor) as computing discrete logarithmstothebaseg,whichweassumetobeO(2m/2). Similarsuitableencodingalgorithmsexistforellipticcurvesoverfieldsofcharacteristicp > 2[13,12], andcouldalsobeusedtodefineanellipticcurvemultisethash. However,theuseofacharacteristic2field eliminatestheneedforanexpensivefieldexponentiationinordertosolveaquadraticequation,whichwould otherwisedominatethecomputationtime, andonmodernCPUsthatsupportfastcarry-lessmultiplication, fastimplementationsofallotherrequiredfieldoperationsarealsopossibleforcharacteristic2[29]. 4.4 Compressedrepresentationofcurvepoints The group of F -rational points on an elliptic curve E has order |E (F )| ≈ 2m. Each point is 2m a,b a,b 2m naturally represented as a pair (x,y) ∈ F2 (or (x,λ) ∈ F2 ), but there is a well-known method for 2m 2m 8 encodingapointusingjustm+1bits: givenxthereareatmosttwopossiblevaluesfory(orλ)if(x,y)(or (x,λ))satisfyE ,andtheycanberecoveredefficientlyusingasmallnumberoffieldoperations. Thus,a a,b pointcanbeencodedbyitsxvalueandasingleadditionalbittodisambiguatethetwopossiblepoints. The elliptic curve group identity element (the point at infinity) can be encoded specially without increasing the representationsize,byusingabitsequencethatwouldnototherwiseencodeavalidpoint. 5 Implementation Wedevelopedanoptimizedimplementationofellipticcurvemultisethash(ECMH)asanopen-sourceC++ library [30], with support for all NIST-recommended binary elliptic curves [31] and the record-breaking GLS254curve[28],aswellasseveralotherSEC2-recommendedcurves[32]. UsingacombinationofC++ templatesandcodegeneration,wewereabletowritegenericcodetosupportmanydifferentconfigurations withoutsacrificingruntimeperformance;onlyformodularreductionwasacustomimplementationrequired foreachsupportedfield. Weincorporatedexistingfastx86/x86-64polynomialmultiplication,squaring,and modularreductionroutinesforF ,F ,F ,F ,F ,F ,F [33]andforF [28]. 2163 2193 2233 2239 2283 2409 2571 2127 We implemented field inversion using a polynomial-basis Itoh–Tsujii inversion method making use of multi-squaring tables [34, 29, 28, 14]. We generated field inversion routines for each field degree auto- maticallybasedonanA* searchprocedureforcomputingtheoptimalItoh–Tsujiiadditionchainandsetof multi-squaring tables, based on a machine-specific cost model estimated from field operation performance measurements[35]. We also developed optimized implementations of the MSet-Mu-Hash and MSet-Add-Hash hash functions,basedonthemodulararithmeticfunctionsintheOpenSSLlibraryversion1.0.1i,forthepurpose ofcomparison. 5.1 Intermediatehashfunction ECMHrequiresanintermediatehashfunctionh: A → Z . UnderourassumptionthatthebasesetAisthe 2m setofoctetstrings,wesimplyrequireastandardcryptographichashfunction(modeledasarandomoracle) with output size m. Given the inherent property of any homomorphic hash function that a single collision leadstoarbitrarysecondpreimages,weadviseusingakeyedhashfunctionwhenpossibletominimizerisk. Any standard hash function with fixed output size greater than m bits can simply be truncated to m bits. Standard expansion techniques can be used to efficiently generate an arbitrary length m output from a hash function with fixed output size b < m. Sponge constructions, such as Keccak [36], are particularly convenientsincetheysupportarbitraryoutputsizes. BothAdHashandMuHashsimilarlyrequireintermediatehashfunctions,butwithmuchlargeroutput sizesmforequivalentsecuritylevels. Wedesignedourimplementationtosupportarbitraryhashfunctions,butforourperformanceevaluation, weselectedBLAKE2[15]becauseofitsstate-of-the-artperformance. Form ≤ 256,weusedtheBLAKE2s variant(256-bitoutput),truncatingtheoutputtombits. For256 < m ≤ 512,weusedtheBLAKE2bvariant (512-bitoutput)withtruncation. Form > 512,weusedBLAKE2brepeatedlytogeneratesufficientoutput, insuchawaythattheunderlyingcompressionfunctioniscalledaminimumnumberoftimes. 5.2 Linearfieldoperations SeveralkeyoperationsforF ,suchassquaring,multi-squaring(x (cid:55)→ x2i),squareroot,andhalf-trace,are 2m linearinthecoefficients. Formulti-squaring(usefulforinversion)andhalf-trace,animplementationbased 9 on a lookup table can be significantly faster than direct computation [37, 29, 28, 14]. The coefficients are splitinto(cid:100)m/β(cid:101)blocksofβ bits,andaseparatetableof2β entriesisprecomputedforeachblockposition, using a total of s = (cid:100)m/β(cid:101)·2β ·(cid:100)m/W(cid:101)·W/8 bytes of memory, where W is the word size in bits. m,β Thelineartransformcanthenbecomputedfromtheprecomputedtableswithk = (cid:100)m/β·(cid:100)m/W(cid:101)memory accessesandk−1XORoperations. 5.3 Blindingforside-channelresistance The fastest implementation of ECMH is susceptible to timing and cache side-channel attacks, due to the use of lookup tables (for inversion and QS), and the use of branching (for SWCHAR2). A branch-free implementation of SWCHAR2 adds only a few additional multiplications and squarings. Lookup tables are unavoidable for good performance, but we can blind inversion at a cost of just two multiplications and generationofonerandomfieldelement. WelikewisecanblindQSatacostof1squaring,2additions,and generation of one random field element, as well as a few bit operations to ensure the random element is in the image of QS. In this way we can fully protect against timing and cache side-channel attacks at only a smalladditionalcost. 5.4 Quadraticextensionfield Forevenm,representingF asaquadraticextensionofF resultsinsignificantlyfasterfieldoperations 2m 2m/2 relative to an odd-degree field of roughly the same size: inversion in the extension field requires only one inversion in the base field (effectively reducing the memory and computation costs by nearly a factor of 4 foratable-basedmulti-squaringimplementation),andhalf-tracerequiresonly2half-tracecomputationsin the base field (reducing, for a table-based implementation, the computation cost by a factor of 2 and the memoryrequirementbyafactorof4)[28]. WeusethisrepresentationtosupporttheGLS254ellipticcurve overF [28]. 2254 5.5 In-memoryrepresentationofellipticcurvepoints Although an element in the elliptic curve group of points E (F ) can be represented directly using the a,b 2m standard affine (x,y)-representation or the λ-affine (x,λ) representation, and more compactly using just m + 1 bits as described in section 4.4, we can more efficiently perform group operations using the λ- projective representation (x˜,λ˜,z) corresponding to the λ-affine representation (x = x˜/z,λ = λ˜/z): This representationallowspointadditionandpointdoublingtobeperformedwithoutanyfieldinversions[28]. 5.6 Batch SWCHAR2 computation Alargefractionofthecomputationalcostofourellipticcurvemultisethashconstructionisduetothesingle field inversion required by the SWCHAR2 encoding function. Using Montgomery’s trick, n independent elements can be inverted simultaneously at the cost of just 1 field inversion and 3(n−1) field multiplica- tions[38]. Sincefieldinversionismuchmorethan3timesasexpensiveasfieldmultiplication,thisprovides significantcomputationalsavings. 10

See more

The list of books you might like

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users