A comparison of pairing-friendly curves at the 192-bit security level
Aurore Guillevic, Inria Nancy, Caramba team
17/04/2019, WRACH workshop, Roscoff
Joint work with Shashank Singh, IISER Bhopal, India
(slide 1/43)
Plan
◮ Introduction: discrete logarithm and NFS
◮ Key sizes for DL-based crypto
◮ Pairings
◮ Key sizes for pairing-based crypto
◮ Future work
Asymmetric cryptography
◮ Factorization (RSA cryptosystem)
◮ Discrete logarithm problem (used in Diffie-Hellman, etc.)
Given a finite cyclic group $(G, \cdot)$, a generator $g$ and $h \in G$, compute $x$ such that $h = g^x$.
→ Can you invert the exponentiation function $(g, x) \mapsto g^x$?
Common choices of $G$:
◮ prime finite field $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ (1976)
◮ characteristic-2 field $\mathbb{F}_{2^n}$ ($\approx$ 1979)
◮ elliptic curve $E(\mathbb{F}_p)$ (1985)
Discrete log problem
How fast can you invert the exponentiation function $(g, x) \mapsto g^x$?
◮ $g \in G$ generator: there always exists a preimage $x \in \{1, \ldots, \#G\}$
◮ naive search, try them all: $\#G$ tests
◮ random walk in $G$, cycle-finding in a connected graph (Floyd's cycle finding → Pollard's rho), baby-step giant-step: $O(\sqrt{\#G})$ (the cycle encodes the answer)
◮ parallel search in each distinct subgroup (Pohlig-Hellman)
◮ algorithmic refinements
→ Choose $G$ of large prime order (no proper subgroup)
→ complexity of inverting exponentiation in $O(\sqrt{\#G})$
→ security level of 128 bits means $\sqrt{\#G} \geq 2^{128}$, by analogy with symmetric crypto and a key length of 128 bits (16 bytes)
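The two generic square-root methods named above, baby-step giant-step inside a prime-order subgroup and Pohlig-Hellman to glue the subgroups together, as an added runnable example (not from the slides). It reuses the slides' toy parameters $p = 1109$, $g = 2$, $p - 1 = 4 \cdot 277$; the factorisation of $p-1$ is passed in explicitly.

```python
# Added worked example (not from the slides): generic O(sqrt(#G)) discrete logs in
# (Z/pZ)^* with baby-step giant-step in each prime-order subgroup, combined by
# Pohlig-Hellman. Toy parameters p = 1109, g = 2 are the slides' own values.
from math import isqrt

def bsgs(g, h, n, p):
    """Find x in [0, n) with g^x = h mod p, where g has order n.
    O(sqrt n) multiplications and O(sqrt n) stored baby steps."""
    m = isqrt(n) + 1
    baby = {}
    cur = 1
    for j in range(m):                 # baby steps: table of g^j
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)               # giant-step multiplier g^(-m)
    cur = h % p
    for i in range(m):                 # giant steps: h * g^(-i*m)
        if cur in baby:
            return (i * m + baby[cur]) % n
        cur = cur * step % p
    raise ValueError("h is not in the subgroup generated by g")

def crt(residues, moduli):
    """Chinese remaindering for pairwise coprime moduli."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        t = (r - x) * pow(m, -1, q) % q
        x += m * t
        m *= q
    return x % m

def pohlig_hellman(g, h, p, factors):
    """log_g h in (Z/pZ)^* of order n = p-1 = prod q^e, given [(q, e), ...].
    In each q^e subgroup the log is recovered one base-q digit at a time, each
    digit being a BSGS in a subgroup of prime order q; then the pieces are CRT'd."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factors:
        x = 0
        gamma = pow(g, n // q, p)      # element of order exactly q
        for k in range(e):
            # strip the digits found so far, then project into the order-q subgroup
            hk = pow(pow(g, -x, p) * h % p, n // q ** (k + 1), p)
            d = bsgs(gamma, hk, q, p)  # d = next digit x_k
            x += d * q ** k
        residues.append(x)
        moduli.append(q ** e)
    return crt(residues, moduli)

if __name__ == "__main__":
    p, g = 1109, 2
    x = pohlig_hellman(g, 777, p, [(2, 2), (277, 1)])
    print("log_2(777) mod 1108 =", x, "check:", pow(g, x, p) == 777)
```

The cost is dominated by the largest prime factor of the group order, here $\sqrt{277}$ steps; this is why the slides insist on $G$ of large prime order, where the Pohlig-Hellman split buys nothing and only the $O(\sqrt{\#G})$ bound remains.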
Discrete log problem
How fast can you invert the exponentiation function $(g, x) \mapsto g^x$?
$G$ cyclic group of prime order: complexity $O(\sqrt{\#G})$.
Better way? → Use the additional structure of $G$.
Discrete log problem when $G = (\mathbb{Z}/p\mathbb{Z})^*$
Index calculus algorithm [Western–Miller 68, Adleman 79], prequel of the Number Field Sieve algorithm (NFS)
◮ $p$ prime, $(p-1)/2$ prime, $G = (\mathbb{Z}/p\mathbb{Z})^*$, generator $g$, target $h$
◮ get many multiplicative relations in $G$: $g^t = g_1^{e_1} g_2^{e_2} \cdots g_i^{e_i} \pmod p$, with $g, g_1, g_2, \ldots, g_i \in G$
◮ find a relation $h = g_1^{e'_1} g_2^{e'_2} \cdots g_i^{e'_i} \pmod p$
◮ take logarithms: linear relations
  $t = e_1 \log_g g_1 + e_2 \log_g g_2 + \ldots + e_i \log_g g_i \pmod{p-1}$
  $\ldots$
  $\log_g h = e'_1 \log_g g_1 + e'_2 \log_g g_2 + \ldots + e'_i \log_g g_i \pmod{p-1}$
◮ solve the linear system
◮ get $x = \log_g h$
Index calculus in $(\mathbb{Z}/p\mathbb{Z})^*$: example
$p = 1109$, $r = (p-1)/4 = 277$ prime, generator $g = 2$.
Smoothness bound $B = 13$, $F_{13} = \{2, 3, 5, 7, 11, 13\}$, the small primes up to $B$.
$B$-smooth integer: $n = \prod_{p_i \leq B} p_i^{e_i}$, $p_i$ prime.
Is $g^i \bmod p$ smooth? $1 \leq i \leq 72$ is enough:

  i  | g^i mod p | factorization | exponents of (2, 3, 5, 7, 11, 13)
   1 |    2      | 2             | (1, 0, 0, 0, 0, 0)
  13 |  429      | 3 · 11 · 13   | (0, 1, 0, 0, 1, 1)
  16 |  105      | 3 · 5 · 7     | (0, 1, 1, 1, 0, 0)
  21 |   33      | 3 · 11        | (0, 1, 0, 0, 1, 0)
  44 | 1029      | 3 · 7^3       | (0, 1, 0, 3, 0, 0)
  72 |  325      | 5^2 · 13      | (0, 0, 2, 0, 0, 1)

Linear system: $M \cdot x = (1, 13, 16, 21, 44, 72)^T \pmod r$, where $M$ is the exponent matrix above and $x = (\log_g 2, \log_g 3, \ldots, \log_g 13) \bmod r$.
Solution: $x = [1, 219, 40, 34, 79, 269] \bmod 277$.
→ $\log_g 7 = 34 \bmod 277$, that is, $(g^{34})^4 = 7^4$, so $g^{34} = 7u$ with $u^4 = 1$.
Index calculus in $(\mathbb{Z}/p\mathbb{Z})^*$: example (continued)
$x = [1, 219, 40, 34, 79, 269] \bmod 277$ only gives the logs modulo $r$; the remaining ambiguity lives in the subgroup of order 4 generated by $g_4 = g^{(p-1)/4}$: $\{1, g_4, g_4^2, g_4^3\} = \{1, 354, 1108, 755\}$.
◮ $3 / g^{219} = 1 \Rightarrow \log_g 3 = 219$
◮ $5 / g^{40} = -1 = g_4^2 \Rightarrow \log_g 5 = 40 + (p-1)/2 = 594$
◮ $7 / g^{34} = g_4 \Rightarrow \log_g 7 = 34 + (p-1)/4 = 311$
◮ $11 / g^{79} = g_4^3 \Rightarrow \log_g 11 = 79 + 3(p-1)/4 = 910$
◮ $13 / g^{269} = g_4^3 \Rightarrow \log_g 13 = 269 + 3(p-1)/4 = 1100$
$v = [1, 219, 594, 311, 910, 1100] \bmod (p-1)$
Target $h = 777$: $g^{10} \cdot 777 = 495 = 3^2 \cdot 5 \cdot 11 \pmod p$
$\log_2 777 = -10 + 2 \log_g 3 + \log_g 5 + \log_g 11 = 824 \bmod (p-1)$, and indeed $g^{824} = 777$.
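The whole index-calculus computation of the two slides above (relation collection, linear algebra modulo $r$, lifting to modulo $p-1$, individual logarithm of the target), as an added runnable example that is not part of the slides. It uses the slides' parameters $p = 1109$, $g = 2$, $B = 13$ and collects every smooth $g^i$ with $i \leq 72$, not only the six rows the slide displays; the solution is the same because those six rows already determine it.

```python
# Added worked example (not from the slides): index calculus in (Z/pZ)^* for the
# slides' toy parameters p = 1109, g = 2, r = (p-1)/4 = 277, factor base B = 13.
P = 1109
G = 2                       # generator of (Z/pZ)^*, as on the slides (log_2 777)
R = (P - 1) // 4            # 277, prime: p - 1 = 4 * 277
FB = [2, 3, 5, 7, 11, 13]   # factor base F_13, smoothness bound B = 13

def smooth_exponents(n, fb=FB):
    """Exponents e_i with n = prod q_i^e_i over fb, or None if n is not B-smooth."""
    if n <= 0:
        return None
    exps = []
    for q in fb:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def collect_relations(imax=72):
    """Relation collection: every i in [1, imax] such that g^i mod p is smooth."""
    rels = []
    for i in range(1, imax + 1):
        exps = smooth_exponents(pow(G, i, P))
        if exps is not None:
            rels.append((i, exps))
    return rels

def solve_mod_prime(rows, rhs, r):
    """Solve rows . x = rhs (mod r), r prime, by Gaussian elimination. More
    equations than unknowns are fine; rank deficiency or inconsistency raises."""
    n = len(rows[0])
    aug = [[v % r for v in row] + [b % r] for row, b in zip(rows, rhs)]
    piv = 0
    for col in range(n):
        pr = next((i for i in range(piv, len(aug)) if aug[i][col]), None)
        if pr is None:
            raise ValueError("rank deficient: collect more relations")
        aug[piv], aug[pr] = aug[pr], aug[piv]
        inv = pow(aug[piv][col], -1, r)
        aug[piv] = [v * inv % r for v in aug[piv]]
        for i in range(len(aug)):
            if i != piv and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(vi - f * vp) % r for vi, vp in zip(aug[i], aug[piv])]
        piv += 1
    if any(row[n] for row in aug[n:]):
        raise ValueError("inconsistent relations")
    return [aug[i][n] for i in range(n)]

def logs_mod_r(rels):
    """Linear algebra: i = sum_j e_j * log_g q_j (mod r) for every relation (i, e)."""
    return solve_mod_prime([e for _, e in rels], [i for i, _ in rels], R)

def lift_to_full_order(xs):
    """A log known mod r leaves 4 candidates x + k*r mod (p-1): test each one."""
    full = []
    for q, x in zip(FB, xs):
        cands = [(x + k * R) % (P - 1) for k in range(4)]
        full.append(next(c for c in cands if pow(G, c, P) == q))
    return full

def dlog(h, logs, tmax=1000):
    """Individual logarithm: randomise h as g^t * h until it is smooth, then
    log_g h = -t + sum_j e_j * log_g q_j (mod p-1)."""
    for t in range(tmax):
        exps = smooth_exponents(pow(G, t, P) * h % P)
        if exps is not None:
            return (-t + sum(e * l for e, l in zip(exps, logs))) % (P - 1)
    raise ValueError("no smooth g^t * h found; raise tmax or the bound B")

if __name__ == "__main__":
    rels = collect_relations()
    x = logs_mod_r(rels)
    logs = lift_to_full_order(x)
    y = dlog(777, logs)
    print("logs mod r:", x)
    print("logs mod p-1:", dict(zip(FB, logs)))
    print("log_2(777) =", y, "check:", pow(G, y, P) == 777)
```

Two points the slides leave implicit are visible here: the linear algebra is done modulo the large prime $r$ only, and the order-4 part is recovered afterwards by trying the four lifts, which is exactly what the division by $g_4$ on the slide does by hand.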
Index calculus in $(\mathbb{Z}/p\mathbb{Z})^*$: the trick
Multiplicative relations over the integers: $g_1, g_2, \ldots, g_i \leftrightarrow$ small prime integers.
Smooth integers $n = \prod_{p_i \leq B} p_i^{e_i}$ are quite common → it works.
Improvements in the 80's and 90's:
◮ Sieve (faster relation collection)
◮ Multiplicative relations in number fields: smaller integers and norms to factor
◮ Better sparse linear algebra
◮ Independent target $h$
Number field: toy example with $\mathbb{Z}[i]$ (1986 technology, Coppersmith–Odlyzko–Schroeppel)
Goal: reduce further the size of the integers to factor.
If $p \equiv 1 \bmod 4$, there exist $U, V$ such that $p = U^2 + V^2$ and $|U|, |V| < \sqrt{p}$.
Set $m \equiv U/V \bmod p$; then $m^2 + 1 \equiv 0 \bmod p$.
Define the ring homomorphism $\phi: \mathbb{Z}[i] \to \mathbb{Z}/p\mathbb{Z}$, $i \mapsto m \bmod p$, so $\phi(a + bi) = a + bm$.
$\phi(a + bi) = a + bm = a + bU/V = (aV + bU) \cdot V^{-1} \bmod p$
→ on the left, factor $a + bi$ in $\mathbb{Z}[i]$; on the right, factor $aV + bU$ in $\mathbb{Z}$.
Example in $\mathbb{Z}[i]$
$p = 1109 \equiv 1 \bmod 4$, $r = (p-1)/4 = 277$ prime, $p = 22^2 + 25^2$.
Bounds: $\max(|a|, |b|) \leq A = 20$, smoothness bound $B = 13$.
Rational side: $F_{\mathrm{rat}} = \{2, 3, 5, 7, 11, 13\}$, the primes up to $B$.
Algebraic side: think of the complex numbers in $\mathbb{C}$: $(1+i)(1-i) = 2$, $(2+i)(2-i) = 5$, $(2+3i)(2-3i) = 13$.
All primes $p \equiv 1 \bmod 4$
◮ can be written as a sum of two squares $p = a^2 + b^2$
◮ factor into two conjugate Gaussian integers $(a + ib)(a - ib)$
Units: $i^2 = -1$.
$F_{\mathrm{alg}} = \{1+i, 1-i, 2+i, 2-i, 2+3i, 2-3i\}$, the "primes" of norm up to $B$; $U_{\mathrm{alg}} = \{-1, i\}$, the units.
Example in $\mathbb{Z}[i]$, $p = 1109$
$(a, b) = (-4, 7)$, $\mathrm{Norm}(-4 + 7i) = (-4)^2 + 7^2 = 65 = 5 \cdot 13$.
In $\mathbb{Z}[i]$:
◮ $5 = (2+i)(2-i)$
◮ $13 = (2+3i)(2-3i)$
Then
→ $(2 \pm i)(2 \pm 3i)$ has norm 65
→ $\pm(i)(2 \pm i)(2 \pm 3i) = -4 + 7i$ for the right choice of signs and unit
We obtain $i(2-i)(2+3i) = -4 + 7i$.
Example in $\mathbb{Z}[i]$: relations ($U = 22$, $V = 25$)

  a + bi    | factorization in Z[i]   | a^2 + b^2           | aV + bU, factored in Z
  -17 + 19i | -(1-i)(2+i)^2(2-3i)     | 650 = 2 · 5^2 · 13  |   -7 = -7
  -11 + 2i  | i(2+i)^3                | 125 = 5^3           | -231 = -3 · 7 · 11
   -6 + 17i | (2+i)^2(2+3i)           | 325 = 5^2 · 13      |  224 = 2^5 · 7
   -4 + 7i  | i(2-i)(2+3i)            |  65 = 5 · 13        |   54 = 2 · 3^3
   -3 + 4i  | -(2-i)^2                |  25 = 5^2           |   13 = 13
   -2 + i   | -(2-i)                  |   5 = 5             |  -28 = -2^2 · 7
   -2 + 3i  | -(2-3i)                 |  13 = 13            |   16 = 2^4
   -2 + 11i | -(2-i)^3                | 125 = 5^3           |  192 = 2^6 · 3
   -1 + i   | -(1-i)                  |   2 = 2             |   -3 = -3
        i   | i                       |   1 = 1             |   22 = 2 · 11
    1 + 3i  | (1+i)(2+i)              |  10 = 2 · 5         |   91 = 7 · 13
    1 + 5i  | -(1-i)(2-3i)            |  26 = 2 · 13        |  135 = 3^3 · 5
    2 + i   | (2+i)                   |   5 = 5             |   72 = 2^3 · 3^2
    5 + i   | -i(1+i)(2+3i)           |  26 = 2 · 13        |  147 = 3 · 7^2
Example in $\mathbb{Z}[i]$: matrix
Build the matrix of relations:
◮ one row per $(a, b)$ pair such that both norms are smooth
◮ one column per prime of $F_{\mathrm{rat}}$
◮ one column for $1/V$
◮ one column per prime ideal of $F_{\mathrm{alg}}$
◮ one column per unit ($-1$, $i$)
◮ store the exponents
Example in $\mathbb{Z}[i]$: the matrix $M$
Rows: one per relation of the previous table. Columns: $2, 3, 5, 7, 11, 13, V^{-1}$ (rational side), $1+i, 1-i, 2+i, 2-i, 2+3i, 2-3i$ (algebraic side), $-1, i$ (units); the entries are the exponents.
[The numerical entries of $M$ are not recoverable from the extracted slide.]
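Relation collection on both sides of $\phi$ for the toy number field above, as an added runnable example that is not part of the slides. It takes $U = 22$, $V = 25$ (the orientation that reproduces the right-hand column of the relation table), factors $aV + bU$ over $F_{\mathrm{rat}}$ and $a + bi$ over the Gaussian primes of norm up to 13 by trial division, and enumerates every coprime $(a, b)$ with $\max(|a|, |b|) \leq 20$ whose two sides are both smooth, which covers the 14 rows of the table and possibly more. One deliberate difference from the slide's $F_{\mathrm{alg}}$: $1 - i = -i(1 + i)$ is an associate of $1 + i$, so the prime above 2 is listed once and the difference is absorbed into the unit.

```python
# Added worked example (not from the slides): two-sided relation collection for the
# toy number field Z[i], p = 1109 = 22^2 + 25^2, bounds A = 20, B = 13.
from math import gcd

P = 1109
U, V = 22, 25                        # p = U^2 + V^2; orientation matches the table
assert U * U + V * V == P
M = U * pow(V, -1, P) % P            # image of i under phi: Z[i] -> Z/pZ, m^2 + 1 = 0 mod p
RAT_PRIMES = [2, 3, 5, 7, 11, 13]    # rational factor base, primes up to B = 13
# Gaussian primes of norm <= 13; 1-i is an associate of 1+i, so 2 gets one prime here
ALG_PRIMES = [(1, 1), (2, 1), (2, -1), (2, 3), (2, -3)]
UNITS = [(1, 0), (-1, 0), (0, 1), (0, -1)]   # 1, -1, i, -i

def norm(x):
    return x[0] * x[0] + x[1] * x[1]

def gdiv(x, y):
    """Exact division x / y in Z[i] via (a+bi)(c-di)/(c^2+d^2); None if y does not divide x."""
    a, b = x
    c, d = y
    n = norm(y)
    re, im = a * c + b * d, b * c - a * d
    if re % n or im % n:
        return None
    return (re // n, im // n)

def factor_rational(n):
    """(sign, exponents over RAT_PRIMES) of the integer n, or None if |n| is not 13-smooth."""
    sign, n = (-1 if n < 0 else 1), abs(n)
    if n == 0:
        return None
    exps = []
    for q in RAT_PRIMES:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return (sign, exps) if n == 1 else None

def factor_gaussian(x):
    """(unit, exponents over ALG_PRIMES) of x in Z[i] by trial division, or None if
    some prime factor of x has norm outside {2, 5, 13} (x is not smooth)."""
    exps = []
    for q in ALG_PRIMES:
        e = 0
        while (y := gdiv(x, q)) is not None:
            x = y
            e += 1
        exps.append(e)
    return (x, exps) if x in UNITS else None

def relation(a, b):
    """The relation phi(a + bi) = (aV + bU) * V^-1 with both sides factored, or None."""
    rat = factor_rational(a * V + b * U)
    alg = factor_gaussian((a, b))
    if rat is None or alg is None:
        return None
    return {"pair": (a, b), "rational": rat, "algebraic": alg}

def phi_consistent(a, b):
    """Sanity check of the ring homomorphism: a + b*m == (aV + bU) * V^-1 (mod p)."""
    return (a + b * M) % P == (a * V + b * U) * pow(V, -1, P) % P

def collect_relations(A=20):
    """All coprime (a, b) with 0 < b <= A, |a| <= A, both sides smooth."""
    rels = []
    for b in range(1, A + 1):
        for a in range(-A, A + 1):
            if gcd(a, b) == 1:
                r = relation(a, b)
                if r is not None:
                    rels.append(r)
    return rels

if __name__ == "__main__":
    rels = collect_relations()
    print(len(rels), "doubly smooth pairs with A = 20, B = 13")
    for r in rels[:5]:
        print(r)
```

The algebraic side only reduces to a unit when every prime factor of $a + bi$ has norm 2, 5 or 13; a pair whose norm is divisible by an inert prime such as 3 or 7 is rejected there, exactly as a non-smooth $aV + bU$ is rejected on the rational side.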