algebraic approaches for the elliptic curve discrete
play

Algebraic approaches for the Elliptic Curve Discrete Logarithm - PowerPoint PPT Presentation

Apr 20, 2023 •148 likes •562 views

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields Christophe Petit, Michiel Kosters, Ange Messeng University of Oxford, University of California Irvine, University of Passau Christophe Petit - PKC2016 -

  1. Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields Christophe Petit, Michiel Kosters, Ange Messeng University of Oxford, University of California Irvine, University of Passau Christophe Petit - PKC2016 - Prime ECDLP 1

  2. Elliptic Curve Discrete Logarithm Problem ◮ Elliptic Curve Discrete Logarithm Problem (ECDLP) Let K a finite field and let E be an elliptic curve over K . Let P ∈ E ( K ) and let Q ∈ G := < P > . Find k ∈ Z such that Q = kP . ◮ In practice K is a prime field, a binary field with prime degree extension, or F p n with n relatively small Christophe Petit - PKC2016 - Prime ECDLP 2

  3. Elliptic Curve Discrete Logarithm Problem ◮ Elliptic Curve Discrete Logarithm Problem (ECDLP) Let K a finite field and let E be an elliptic curve over K . Let P ∈ E ( K ) and let Q ∈ G := < P > . Find k ∈ Z such that Q = kP . ◮ In practice K is a prime field, a binary field with prime degree extension, or F p n with n relatively small ◮ Elliptic Curve Cryptography secure ⇒ ECDLP hard Christophe Petit - PKC2016 - Prime ECDLP 2

  4. Is ECDLP hard ? ◮ Can apply generic attacks Christophe Petit - PKC2016 - Prime ECDLP 3

  5. Is ECDLP hard ? ◮ Can apply generic attacks ◮ For exceptional parameters, can reduce it to another discrete logarithm problem ◮ Anomalous attack ◮ Reduction to finite field DLP using pairings ◮ Reduction to a hyperelliptic curve DLP Christophe Petit - PKC2016 - Prime ECDLP 3

  6. Is ECDLP hard ? ◮ Can apply generic attacks ◮ For exceptional parameters, can reduce it to another discrete logarithm problem ◮ Anomalous attack ◮ Reduction to finite field DLP using pairings ◮ Reduction to a hyperelliptic curve DLP ◮ Index calculus approaches being developed since 2004, but mostly focused on extension fields Christophe Petit - PKC2016 - Prime ECDLP 3

  7. Is ECDLP hard ? ◮ Can apply generic attacks ◮ For exceptional parameters, can reduce it to another discrete logarithm problem ◮ Anomalous attack ◮ Reduction to finite field DLP using pairings ◮ Reduction to a hyperelliptic curve DLP ◮ Index calculus approaches being developed since 2004, but mostly focused on extension fields ◮ Our goal : extend previous index calculus algorithms to ECDLP over prime fields Christophe Petit - PKC2016 - Prime ECDLP 3

  8. Outline Previous index calculus algorithms for ECDLP New variants for curves over prime fields Christophe Petit - PKC2016 - Prime ECDLP 4

  9. Outline Previous index calculus algorithms for ECDLP New variants for curves over prime fields Christophe Petit - PKC2016 - Prime ECDLP 5

  10. Index Calculus for Elliptic Curves 1. Fix m ∈ Z , and fix V ⊂ K with | V | m ≈ K Define a factor basis F = { ( x , y ) ∈ E ( K ) | x ∈ V } Christophe Petit - PKC2016 - Prime ECDLP 6

  11. Index Calculus for Elliptic Curves 1. Fix m ∈ Z , and fix V ⊂ K with | V | m ≈ K Define a factor basis F = { ( x , y ) ∈ E ( K ) | x ∈ V } 2. Compute about |F| relations a i P + b i Q = P i , 1 + P i , 2 + . . . + P i , m with P i , j ∈ F Christophe Petit - PKC2016 - Prime ECDLP 6

  12. Index Calculus for Elliptic Curves 1. Fix m ∈ Z , and fix V ⊂ K with | V | m ≈ K Define a factor basis F = { ( x , y ) ∈ E ( K ) | x ∈ V } 2. Compute about |F| relations a i P + b i Q = P i , 1 + P i , 2 + . . . + P i , m with P i , j ∈ F 3. Linear algebra on relations gives aP + bQ = 0 Christophe Petit - PKC2016 - Prime ECDLP 6

  13. Relation search : Semaev polynomials ◮ Semaev polynomials relate the x -coordinates of points that sum up to 0 : S r ( x 1 , . . . , x r ) = 0 ⇔ ∃ ( x i , y i ) ∈ E ( ¯ K ) s.t. ( x 1 , y 1 ) + · · · + ( x r , y r ) = 0 ◮ Relation search ◮ Compute ( X , Y ) := aP + bQ for random a , b ◮ Search for x i ∈ V with S m +1 ( x 1 , . . . , x m , X ) = 0 ◮ For any such solution, find corresponding y i values Christophe Petit - PKC2016 - Prime ECDLP 7

  14. Existing Variants ◮ Semaev ◮ K = F p and V contains all “small” elements ◮ No algorithm to solve S m +1 Christophe Petit - PKC2016 - Prime ECDLP 8

  15. Existing Variants ◮ Semaev ◮ K = F p and V contains all “small” elements ◮ No algorithm to solve S m +1 ◮ Gaudry-Diem ◮ K = F q n and V = F q ◮ Reduction to polynomial system over F q ◮ Generic bounds give L q n (2 / 3) complexity if q = L q n (2 / 3) Christophe Petit - PKC2016 - Prime ECDLP 8

  16. Existing Variants ◮ Semaev ◮ K = F p and V contains all “small” elements ◮ No algorithm to solve S m +1 ◮ Gaudry-Diem ◮ K = F q n and V = F q ◮ Reduction to polynomial system over F q ◮ Generic bounds give L q n (2 / 3) complexity if q = L q n (2 / 3) ◮ Diem, FPPR, P-Quisquater ◮ K = F 2 n and V a vector space of K over F 2 ◮ Reduction to polynomial system over F 2 ◮ Experiments suggest system “somewhat easy” Christophe Petit - PKC2016 - Prime ECDLP 8

  17. Relation search : Weil Descent ◮ For each relation solve a generalized root-finding problem Given f ∈ F q n [ x 1 , . . . , x m ] and vector space V ⊂ F q n , find x i ∈ V such that f ( x 1 , . . . , x m ) = 0 Christophe Petit - PKC2016 - Prime ECDLP 9

  18. Relation search : Weil Descent ◮ For each relation solve a generalized root-finding problem Given f ∈ F q n [ x 1 , . . . , x m ] and vector space V ⊂ F q n , find x i ∈ V such that f ( x 1 , . . . , x m ) = 0 ◮ Solved by Weil Descent : reduction to polynomial system ◮ Fix a basis for V over F q ◮ Introduce variables x ij ∈ F q with x i = � j x ij v j �� � ◮ See single equation f j x 1 j v j , . . . , � j x mj v j = 0 over F q n as a system of n equations over F q Christophe Petit - PKC2016 - Prime ECDLP 9

  19. Limits of previous works ◮ Fields with q = L q n (2 / 3) are not used in practice Christophe Petit - PKC2016 - Prime ECDLP 10

  20. Limits of previous works ◮ Fields with q = L q n (2 / 3) are not used in practice ◮ In binary case asymptotic complexity is not clear, and practical complexity is poor Christophe Petit - PKC2016 - Prime ECDLP 10

  21. Limits of previous works ◮ Fields with q = L q n (2 / 3) are not used in practice ◮ In binary case asymptotic complexity is not clear, and practical complexity is poor ◮ Not clear how to extend to prime fields : no subspace available and we a priori want small degree equations Christophe Petit - PKC2016 - Prime ECDLP 10

  22. Outline Previous index calculus algorithms for ECDLP New variants for curves over prime fields Christophe Petit - PKC2016 - Prime ECDLP 11

  23. Main idea ◮ Find low degree rational maps L j such that � deg L j ≈ p 1 / m # { x ∈ F p | L ( x ) = L n ′ ◦ . . . ◦ L 1 ( x ) = 0 } ≈ ◮ Define V = { x ∈ F p | L ( x ) = 0 } ◮ Define F = { ( x , y ) ∈ E ( K ) | x ∈ V } Christophe Petit - PKC2016 - Prime ECDLP 12

  24. Main idea ◮ Find low degree rational maps L j such that � deg L j ≈ p 1 / m # { x ∈ F p | L ( x ) = L n ′ ◦ . . . ◦ L 1 ( x ) = 0 } ≈ ◮ Define V = { x ∈ F p | L ( x ) = 0 } ◮ Define F = { ( x , y ) ∈ E ( K ) | x ∈ V } ◮ Relation search : solve the polynomial system  S m +1 ( x 11 , . . . , x m 1 , X ) = 0   i = 1 , . . . , m ; j = 1 , . . . , n ′ − 1 x i , j +1 = L j ( x i , j )  0 = L n ′ ( x i , n ′ ) i = 1 , . . . , m .  Christophe Petit - PKC2016 - Prime ECDLP 12

  25. Remarks ◮ One can write similar systems in binary cases, and show they are equivalent to Weil descent systems ◮ Precomputation of the maps L j can a priori be used for any DLP defined over any curve over the same field Christophe Petit - PKC2016 - Prime ECDLP 13

  26. Remarks ◮ One can write similar systems in binary cases, and show they are equivalent to Weil descent systems ◮ Precomputation of the maps L j can a priori be used for any DLP defined over any curve over the same field ◮ Remaining of the talk : ◮ How to compute the maps L j ? ◮ How to solve the system ? Christophe Petit - PKC2016 - Prime ECDLP 13

  27. Finding good maps : p − 1 “smooth” ◮ Suppose p − 1 = S · N ′ with S ≈ p 1 / m smooth ◮ We want low degree rational maps L j such that � deg L j ≈ p 1 / m # { x ∈ F p | L ( x ) = L n ′ ◦ . . . ◦ L 1 ( x ) = 0 } ≈ Christophe Petit - PKC2016 - Prime ECDLP 14

  28. Finding good maps : p − 1 “smooth” ◮ Suppose p − 1 = S · N ′ with S ≈ p 1 / m smooth ◮ We want low degree rational maps L j such that � deg L j ≈ p 1 / m # { x ∈ F p | L ( x ) = L n ′ ◦ . . . ◦ L 1 ( x ) = 0 } ≈ ◮ Take L ( X ) = X S − 1 and V subgroup of order S in F ∗ p j =1 q j take L j ( X ) = X q j and L n ′ ( X ) = X q n ′ − 1 ◮ If S = � n ′ Christophe Petit - PKC2016 - Prime ECDLP 14

  29. Finding good maps : p − 1 “smooth” ◮ Suppose p − 1 = S · N ′ with S ≈ p 1 / m smooth ◮ We want low degree rational maps L j such that � deg L j ≈ p 1 / m # { x ∈ F p | L ( x ) = L n ′ ◦ . . . ◦ L 1 ( x ) = 0 } ≈ ◮ Take L ( X ) = X S − 1 and V subgroup of order S in F ∗ p j =1 q j take L j ( X ) = X q j and L n ′ ( X ) = X q n ′ − 1 ◮ If S = � n ′ ◮ Remark : NIST P-224 curve satisfies p − 1 = 2 96 · N ′ Christophe Petit - PKC2016 - Prime ECDLP 14

  30. Finding good maps : isogeny Kernels ◮ Find an auxiliary curve E ′ with # E ′ ( F p ) = S · N ′ j =1 q j ≈ p 1 / m smooth and S = � n ′ ◮ Let G be a subgroup of E ′ ( F p ) with order S Christophe Petit - PKC2016 - Prime ECDLP 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

ECC 2019: 23rd Workshop on DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN QUASI-POLYNOMIAL TIME Based on a joint work with Thorsten Kleinjung IN FINITE FIELDS OF SMALL CHARACTERISTIC Benjamin Wesolowski

700 views • 47 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

1.58k views • 16 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago &amp; energy (gas

1.07k views • 76 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne Universit es UPMC, INRIA, CNRS LIP6 1/43 General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = g , +) and h

595 views • 56 slides
New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein and Tanja Lange Difference between security of: Elliptic-Curve Cryptography (ECC) Elliptic-Curve Discrete-Logarithm Problem (ECDLP)

384 views • 6 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Computing abelian extensions of quartic fields using complex multiplication Jared Asuncion

Computing abelian extensions of quartic fields using complex multiplication Jared Asuncion

Computing abelian extensions of quartic fields using complex multiplication Jared Asuncion Supervision: Andreas Enge and Marco Streng JNCF 2020 Computing abelian extensions of quartic fields via CM Jared Asuncion JNCF 2020 1 degree [ L : K ]

913 views • 56 slides
An Efficient Implementation for Computing Gr obner bases over algebraic number fields

An Efficient Implementation for Computing Gr obner bases over algebraic number fields

An Efficient Implementation for Computing Gr obner bases over algebraic number fields Masayuki Noro Kobe University An Efficient Implementation for Computing Gr obner bases over algebraic number fields p. 1 Multiple algebraic

447 views • 25 slides
Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at

Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at

Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at Urbana-Champaign PAULO RIBENBOIM DAY at IHP, March 20, 2018 PAULO RIBENBOIM DAY at IHP, March 20, 2018 1 Lou van den Dries Hardy Fields, Transseries,

517 views • 30 slides
Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University

Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University

Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University of Tennessee, Knoxville August 3, 2017 Dustin Cartwright Construction of Lindstr om valuation Algebraic matroids Given K L = K ( x 1 , . .

468 views • 11 slides
Allocator Basics Pages too coarse-grained for allocating individual objects. Instead:

Allocator Basics Pages too coarse-grained for allocating individual objects. Instead:

Allocator Basics Pages too coarse-grained for allocating individual objects. Instead: flexible-sized, word-aligned blocks. Dynamic Memory Allocation in the Heap Free word (malloc and free) Allocated word Allocated block Free block (4 words)

96 views • 6 slides
Memory Management Disclaimer: some slides are adopted from book authors slides with permission

Memory Management Disclaimer: some slides are adopted from book authors slides with permission

Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Roadmap CPU management Process, thread, synchronization, scheduling Memory management Virtual memory Disk management Other

416 views • 26 slides
Operating Systems Memory Management Lecture 9 Michael OBoyle 1 Chapter 8: Memory

Operating Systems Memory Management Lecture 9 Michael OBoyle 1 Chapter 8: Memory

Operating Systems Memory Management Lecture 9 Michael OBoyle 1 Chapter 8: Memory Management Background Logical/Virtual Address Space vs Physical Address Space Swapping Contiguous Memory Allocation Segmentation

376 views • 35 slides
Virtual Memory 2 Schedule Today Chapter 6

Virtual Memory 2 Schedule Today Chapter 6

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Virtual Memory 2 Schedule Today Chapter 6

681 views • 21 slides

More recommend