Algorithms for integer factorization and discrete logarithms computation
Algorithmes pour la factorisation d'entiers et le calcul de logarithme discret
Cyril Bouvier, CARAMEL project-team, LORIA, Université de Lorraine / CNRS / Inria, Cyril.Bouvier@loria.fr
PhD defense, June 22nd, 2015

Obfuscated C program printed on the title slide (kept exactly as shown; its trailing comment gives the compile-and-run line):
/* */ C,A, /* */ R,a, /* */ M,E, L,i= 5,e, d[5],Q[999 ]={0};main(N ){for (;i--;e=scanf("%" "d",d+i));for(A =*d; ++i<A ;++Q[ i*i% A],R= i[Q]? R:i); for(;i --;) for(M =A;M --;N +=!M*Q [E%A ],e+= Q[(A +E*E- R*L* L%A) %A]) for( E=i,L=M,a=4;a;C= i*E+R*M*L,L=(M*E +i*L) %A,E=C%A+a --[d]);printf ("%d" "\n", (e+N* N)/2 /* cc caramel.c; echo f3 f2 f1 f0 p | ./a.out */ -A);}
Introduction — Cryptography
§ Public-key cryptography (or asymmetric cryptography):
§ Public-key cryptography is widely used to secure internet connections, credit cards, electronic voting, ...
§ The security of many public-key cryptosystems relies on the supposed difficulty of two mathematical problems:
  § integer factorization
  § discrete logarithm
Introduction — Factorization
Integer Factorization Problem: given an integer $N$, find all prime factors of $N$.
§ Example of cryptosystem based on integer factorization: RSA cryptosystem.
  § Private key: derived from two prime numbers $p$ and $q$.
  § Public key: the product $N = pq$.
§ Studied two algorithms for integer factorization:
  § Elliptic Curve Method (ECM): uses elliptic curves to find small- to medium-size factors of integers.
  § Number Field Sieve algorithm (NFS): best algorithm to completely factor large integers that are free of small factors.
Introduction — Discrete logarithm
Discrete Logarithm Problem (DLP): given a finite cyclic group $G$, a generator $g \in G$ of this group, and an element $h \in G$, find an integer $e$ such that $h = g^e$.
§ Example of cryptosystem based on DLP: ElGamal cryptosystem.
  § Private key: an integer $e$.
  § Public key: $h = g^e$.
§ Not every group provides the same security.
§ Studied two algorithms to solve the discrete logarithm problem in finite fields:
  § Number Field Sieve for Discrete Logarithm (NFS-DL) for finite fields of large characteristic ($\mathbb{F}_{p^n}$ with large $p$ and small $n$).
  § Function Field Sieve (FFS) for finite fields of small characteristic ($\mathbb{F}_{p^n}$ with small $p$ and large $n$).
Outline of the presentation
§ ECM: Galois properties of elliptic curves and ECM-friendly curves (joint work with J. Bos, R. Barbulescu, T. Kleinjung, and P. Montgomery)
§ NFS: size optimization in the polynomial selection step (joint work with S. Bai, A. Kruppa, and P. Zimmermann)
§ NFS, NFS-DL, FFS: the filtering step
§ Conclusion and perspectives
Elliptic curves
§ An elliptic curve $E$ over a field $K$, denoted by $E/K$, consists of a set of points of the form
  $E(K) = \{(x, y) \in K^2 \mid y^2 = x^3 + ax + b\} \cup \{O\}$,
  where $a, b \in K$ and $O$ is the point at infinity.
§ A group law can be defined on the set of points $E(K)$.
§ Given $P, Q \in E(K)$, their sum is denoted by $P \oplus Q$.
§ Given $P \in E(K)$ and $k \in \mathbb{N}$, $kP$ is defined by $kP = P \oplus \cdots \oplus P$ ($k$ times).
§ Given $E/\mathbb{Q}$, for almost all primes $p$, the curve can be reduced modulo $p$. The set of points $E(\mathbb{F}_p)$ of the reduced curve is a finite group.
[Figure: the curve drawn in the $(x, y)$-plane with the points $P$, $Q$, $R$ and $P \oplus Q$, illustrating the chord-and-tangent group law.]
Elliptic Curve Method (ECM)
§ Elliptic Curve Method (ECM): first described by H. Lenstra; best algorithm to find small- to medium-size factors of integers (largest factor found had 83 digits).
§ ECM starts by choosing a positive integer $B$, a curve $E/\mathbb{Q}$ and a point $P \in E(\mathbb{Q})$. Then it computes $Q = sP$, where
  $s = \prod_{\pi \le B,\ \pi \text{ prime}} \pi^{\lfloor \log(B) / \log(\pi) \rfloor}$
  and where the operations of the group law from $E/\mathbb{Q}$ are performed modulo $N$.
§ A factor $p$ of $N$ can be retrieved from $Q$ if $\#E(\mathbb{F}_p)$ is $B$-powersmooth, i.e., if all prime powers dividing $\#E(\mathbb{F}_p)$ are at most $B$.
§ If a curve fails to find a factor, other curves can be used.
§ What curves should be used? Not all curves are equivalent. For example, A. Kruppa observed that the Suyama curve $\sigma = 11$ found more factors and that the orders of the reduced curves have a higher average valuation of 2 than other Suyama curves.
Torsion and Galois representations
§ Let $E/\mathbb{Q}$ be an elliptic curve and $m \ge 2$ be an integer.
§ The set of $m$-torsion points: $E(K)[m] = \{P \in E(K) \mid mP = O\}$. Here, $K$ is either a field extension of $\mathbb{Q}$ or of a finite field $\mathbb{F}_p$, for a prime $p$.
§ An important theorem: over $\bar{K}$, the algebraic closure of $K$, if the characteristic of $K$ is zero or coprime with $m$,
  $E(\bar{K})[m] \cong \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$.
§ $\mathbb{Q}(E[m])$: smallest field extension of $\mathbb{Q}$ such that all the $m$-torsion points are defined. It is a Galois extension.
§ The Galois group $\mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q})$ acts on the $m$-torsion points and can be identified with a subgroup of $\mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$, via an injective morphism denoted by $\rho_m$:
  $\rho_m : \mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q}) \hookrightarrow \mathrm{Aut}(E(\bar{\mathbb{Q}})[m]) \cong \mathrm{Aut}(\mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}) \cong \mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$.
  The image of $\mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q})$ via $\rho_m$ will be denoted $G(E, m)$.
Main theorem
Theorem. Let $E/\mathbb{Q}$ be an elliptic curve, $m \ge 2$ be an integer and $T$ be a subgroup of $\mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$. Then,
  $\mathrm{Prob}(E(\mathbb{F}_p)[m] \cong T) = \dfrac{\#\{g \in G(E, m) \mid \mathrm{Fix}(g) \cong T\}}{\#G(E, m)}$.
§ $\mathrm{Prob}(E(\mathbb{F}_p)[m] \cong T)$ is defined as the limit of the density of primes $p$ satisfying this property.
§ Proof: Chebotarev's density theorem applied to $G(E, m) = \mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q})$.
§ Also proved a version where only primes congruent to a given $a \bmod n$ are considered.
Corollary. Let $E/\mathbb{Q}$ be an elliptic curve and $\pi$ be a prime number. Then,
  $\mathrm{Prob}(E(\mathbb{F}_p)[\pi] \cong \mathbb{Z}/\pi\mathbb{Z}) = \dfrac{\#\{g \in G(E, \pi) \mid \det(g - \mathrm{Id}) = 0,\ g \ne \mathrm{Id}\}}{\#G(E, \pi)}$
  and
  $\mathrm{Prob}(E(\mathbb{F}_p)[\pi] \cong \mathbb{Z}/\pi\mathbb{Z} \times \mathbb{Z}/\pi\mathbb{Z}) = \dfrac{1}{\#G(E, \pi)}$.
Example
  π | T                 | d_1 | Prob_th(E_1)     | Prob_exp(E_1) | d_2 | Prob_th(E_2)   | Prob_exp(E_2)
  3 | Z/3Z × Z/3Z       | 48  | 1/48 ≈ 0.02083   | 0.02082       | 16  | 1/16 = 0.06250 | 0.06245
  3 | Z/3Z              | 48  | 20/48 ≈ 0.4167   | 0.4165        | 16  | 4/16 = 0.2500  | 0.2501
  5 | Z/5Z × Z/5Z       | 480 | 1/480 ≈ 0.002083 | 0.002091      | 32  | 1/32 = 0.03125 | 0.03123
  5 | Z/5Z              | 480 | 114/480 ≈ 0.2375 | 0.2373        | 32  | 10/32 = 0.3125 | 0.3125
§ Prob_th(E_i) and Prob_exp(E_i) are the theoretical and experimental values of $\mathrm{Prob}(E_i(\mathbb{F}_p)[\pi] \cong T)$.
§ $E_1/\mathbb{Q}: y^2 = x^3 + 5x + 7$ and $E_2/\mathbb{Q}: y^2 = x^3 - 11x + 14$.
§ Theoretical values come from the previous corollary.
§ For experimental values, all primes below $2^{25}$ were considered.
§ Columns $d_1$ and $d_2$ indicate the size of $G(E_1, \pi)$ and $G(E_2, \pi)$, respectively.
Divisibility by prime powers and average valuation
§ Next goal is to compute $\mathrm{Prob}(\pi^k \mid \#E(\mathbb{F}_p))$ and the average valuation defined by
  $\bar{v}_\pi = \sum_{k \ge 1} k \cdot \mathrm{Prob}(v_\pi(\#E(\mathbb{F}_p)) = k)$.
§ For an elliptic curve $E/\mathbb{Q}$, a prime $\pi$ and a positive integer $k$, $I(E, \pi, k)$ is defined by
  $I(E, \pi, k) = [\mathrm{GL}_2(\mathbb{Z}/\pi^k\mathbb{Z}) : G(E, \pi^k)]$.
§ Theorem from Serre: for almost all elliptic curves $E/\mathbb{Q}$ and for all primes $\pi$, the sequence $(I(E, \pi, k))_{k \ge 1}$ is bounded and non-decreasing when $k$ goes to infinity.
Theorem. Let $E/\mathbb{Q}$ be an elliptic curve, $\pi$ be a prime and $n$ be a positive integer such that $\forall k \ge n$, $I(E, \pi, k) = I(E, \pi, n)$. Then, the probabilities $\mathrm{Prob}(\pi^k \mid \#E(\mathbb{F}_p))$, for all $k \ge 1$, and the average valuation $\bar{v}_\pi$ can be computed as linear combinations of the probabilities $\mathrm{Prob}(E(\mathbb{F}_p)[\pi^t] \cong \mathbb{Z}/\pi^i\mathbb{Z} \times \mathbb{Z}/\pi^j\mathbb{Z})$, with $i \le j \le t \le n$.
Example
  π | n(E_1, π) | v̄_{π,th}(E_1)    | v̄_{π,exp}(E_1) | n(E_3, π) | v̄_{π,th}(E_3)   | v̄_{π,exp}(E_3)
  2 | 1         | 14/9 ≈ 1.556     | 1.555          | 3         | 895/576 ≈ 1.554 | 1.554
  3 | 1         | 87/128 ≈ 0.680   | 0.679          | 1         | 39/32 ≈ 1.219   | 1.218
  5 | 1         | 695/2304 ≈ 0.302 | 0.301          | 1         | 155/192 ≈ 0.807 | 0.807
§ $E_1/\mathbb{Q}: y^2 = x^3 + 5x + 7$ and $E_3/\mathbb{Q}: y^2 = x^3 - 10875x + 526250$.
§ $n(E, \pi)$ is the smallest integer $n$ such that $I(E, \pi, k) = I(E, \pi, n)$, for $k \ge n$.
§ Values of $n(E_1, \pi)$ are proven, values of $n(E_3, \pi)$ are conjectured.
§ Theoretical values come from the previous theorem used with $n = n(E_i, \pi)$.
§ For experimental values, all primes below $2^{25}$ were considered.
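The three computations that run through these slides (the ECM stage-1 product $Q = sP$ with the factor recovered from a non-invertible denominator modulo $N$, the experimental columns of the torsion table, and the experimental average valuations of this table) can all be reproduced with one small piece of affine curve arithmetic. The Python below is an added example written for this page; it is not code from the thesis or from its author, and it is not a translation of the obfuscated C program on the title slide. It assumes short Weierstrass coordinates $y^2 = x^3 + ax + b$, a constructed ECM instance $n = 11 \cdot 101 = 1111$ with $a = 0$, $P = (5, 7)$ and $B = 10$ (chosen so that $\#E(\mathbb{F}_{11}) = 12$ is $B$-powersmooth while the point keeps a factor 17 in its order modulo 101), and a constructed prime bound of 2000 in place of the $2^{25}$ used on the slides; every function name is mine.

```python
# Added example for this page (not code from the thesis or its author, not a
# translation of the title-slide C program): affine arithmetic on y^2 = x^3 + a*x + b
# over Z/nZ, used for (1) ECM stage 1, Q = s*P; (2) a brute-force version of the
# experimental torsion probabilities; (3) the average valuation of #E(F_p).
from math import gcd

class FactorFound(Exception):
    """A denominator d was not invertible mod n; args[0] is gcd(d, n), a factor of n."""

def inv_mod(d, n):
    g = gcd(d % n, n)
    if g != 1:
        raise FactorFound(g)
    return pow(d, -1, n)

def ec_add(P, Q, a, n):
    """Chord-and-tangent law on y^2 = x^3 + a*x + b over Z/nZ; None is the point at infinity O."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return None                                    # Q = -P
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n   # tangent: doubling
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, n) % n          # chord
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def ec_mul(k, P, a, n):
    """kP = P (+) ... (+) P (k times) by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        k >>= 1
        if k:
            P = ec_add(P, P, a, n)
    return R

def primes_below(bound):
    sieve = bytearray([1]) * bound
    sieve[:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, v in enumerate(sieve) if v]

def ecm_stage1(n, B, a, x0, y0):
    """ECM stage 1 on the curve with parameter a through P = (x0, y0) mod n (b is implicit):
    Q = s*P with s = prod_{pi <= B} pi^floor(log B / log pi). A non-invertible denominator
    reveals a factor; gcd == n (P reaches O modulo every prime at once) means the curve failed."""
    P = (x0 % n, y0 % n)
    try:
        for pi in primes_below(B + 1):
            e = 1
            while pi ** (e + 1) <= B:          # largest e with pi^e <= B
                e += 1
            P = ec_mul(pi ** e, P, a, n)
    except FactorFound as hit:
        return hit.args[0] if hit.args[0] != n else None
    return None

def point_count(a, b, p):
    """#E(F_p) = p + 1 + sum_x legendre(x^3 + a*x + b); brute force for a small prime p."""
    total = p + 1
    for x in range(p):
        f = (x * x * x + a * x + b) % p
        if f: total += 1 if pow(f, (p - 1) // 2, p) == 1 else -1
    return total

def ell_torsion_count(a, b, p, ell):
    """#E(F_p)[ell] including O: 1, ell or ell^2 for T trivial, Z/ell, Z/ell x Z/ell."""
    if point_count(a, b, p) % ell:
        return 1                                # Lagrange: no point of order ell
    sqrt_of = {}                                # square -> its square roots mod p
    for y in range(p): sqrt_of.setdefault(y * y % p, []).append(y)
    count = 1
    for x in range(p):
        for y in sqrt_of.get((x * x * x + a * x + b) % p, []):
            if ec_mul(ell, (x, y), a, p) is None:
                count += 1
    return count

def good_primes(a, b, ell, bound):
    """Primes p < bound with p > 3, p != ell and good reduction (p does not divide the discriminant)."""
    disc = 4 * a ** 3 + 27 * b * b
    return [p for p in primes_below(bound) if p > 3 and p != ell and disc % p]

def torsion_probabilities(a, b, ell, bound):
    """Fraction of good primes p < bound with #E(F_p)[ell] equal to 1, ell and ell^2."""
    ps = good_primes(a, b, ell, bound)
    hist = {1: 0, ell: 0, ell * ell: 0}
    for p in ps:
        hist[ell_torsion_count(a, b, p, ell)] += 1
    return {size: cnt / len(ps) for size, cnt in hist.items()}

def average_valuation(a, b, ell, bound):
    """Mean of v_ell(#E(F_p)) over good primes p < bound."""
    ps = good_primes(a, b, ell, bound)
    total = 0
    for p in ps:
        N = point_count(a, b, p)
        while N % ell == 0:
            N //= ell
            total += 1
    return total / len(ps)
```

`ecm_stage1(1111, 10, 0, 5, 7)` recovers the factor 11. Starting instead from $(2, 3)$, which lifts the rational 6-torsion point of $y^2 = x^3 + 1$, the point reaches $O$ modulo both primes at the same step, so the function returns `None`: the "curve failed, try another one" outcome of the slide. `torsion_probabilities(5, 7, 3, 2000)` and `torsion_probabilities(-11, 14, 3, 2000)` give noisy versions of the $\pi = 3$ rows of the torsion table (keys 3 and 9 are $T = \mathbb{Z}/3\mathbb{Z}$ and $T = \mathbb{Z}/3\mathbb{Z} \times \mathbb{Z}/3\mathbb{Z}$), and `average_valuation(-10875, 526250, 3, 2000)` sits well above `average_valuation(5, 7, 3, 2000)`, which is the ECM-friendliness of $E_3$ in numbers.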