Can we Beat the Square Root Bound for ECDLP over F p 2 via - - PowerPoint PPT Presentation

Can we Beat the Square Root Bound for ECDLP over Fp2 via Representation?

NutMiC 2019, Paris Claire Delaplace Alexander May

Elliptic Curve

−2 2 4 −4 −2 2 4 O x y

K: Field of characteristic = 2, 3 E : y2 = f(x) = x3 + ax + b

2

Elliptic Curve

−2 2 4 −4 −2 2 4 O x y

K: Field of characteristic = 2, 3 E : y2 = f(x) = x3 + ax + b (E(K), +): Abelian group P = (x, y) Q = (x′, y′)

Group Law

• P + Q = (xs, ys)

xs = y − y′ x − x′ 2 − x − x′ ys = y + y − y′ x − x′ (xs − x)

• 2P = (xd, yd)

xd = 3x2 + a 2y 2 − 2x yd = y + 3x2 + a 2y (xd − x)

2

Elliptic Curve Discrete Logarithm Problem

Fq: Finite field with q elements

Order of a point

The order r of a point P ∈ E(Fq) is the smallest integer > 0 s.t. rP = O

ECDLP

Given P, Q ∈ E(Fq) s.t. P of order r = O (q), Q ∈ P Find k ∈ N such that kP = Q.

3

Elliptic Curve Discrete Logarithm Problem

Fp2: Finite field with p2 elements

Order of a point

The order r of a point P ∈ E(Fp2) is the smallest integer > 0 s.t. rP = O

p2-ECDLP

Given P, Q ∈ E(Fp2) s.t. P of order r = O

• p2

, Q ∈ P Find k ∈ N such that kP = Q. This paper: Fp2, p prime.

3

Overview

Previous algorithms

• Pollard Rho: T = ˜

O

• p2
• = ˜

O (p)

• [Gaudry09]: T = ˜

O

• p2− 2

2

• = ˜

O (p)

4

Overview

Previous algorithms

• Pollard Rho: T = ˜

O

• p2
• = ˜

O (p)

• [Gaudry09]: T = ˜

O

• p2− 2

2

• = ˜

O (p)

Question

Is there an algorithm for p2-ECDLP with runtime o(p)?

4

Overview

Previous algorithms

• Pollard Rho: T = ˜

O

• p2
• = ˜

O (p)

• [Gaudry09]: T = ˜

O

• p2− 2

2

• = ˜

O (p)

Question

Is there an algorithm for p2-ECDLP with runtime o(p)? Our work...

• gives a new algorithm with runtime T = O
• p1.314
• may lead to a o(p) algorithm if improved

4

Core Idea: Representation Technique

• Introduced by [H-GJ10] for the subset-sum problem
• In our case: k can be decomposed as k = k1 + k2

k1 = k2 = In base 2

log(p)

log(p) 2 log(p) 2

in ≈ p different ways

5

Core Idea: Representation Technique

• Introduced by [H-GJ10] for the subset-sum problem
• In our case: k can be decomposed as k = k1 + k2

k1 = k2 = In base 2

log(p)

log(p) 2 log(p) 2

in ≈ p different ways Find a needle in a haystack ֒ → Find any needle among p

5

Core Idea: Representation Technique

• Introduced by [H-GJ10] for the subset-sum problem
• In our case: k can be decomposed as k = k1 + k2

k1 = k2 = In base 2

log(p)

log(p) 2 log(p) 2

in ≈ p different ways Find a needle in a haystack ֒ → Find any needle among p

5

General Idea

k1 = k2 = L L′ p representations k1P = Q − k2P = ⇒ k = k1 + k2 k1P Q − k2P ≈ p

3 2

≈ p

3 2 6

General Idea

k1 = k2 = L L′ 1 representation k1P = Q − k2P = ⇒ k = k1 + k2 k1P Q − k2P ≈ p

1 2

≈ p

1 2 6

General Idea

k1 = k2 = L L′ 1 representation k1P = Q − k2P = ⇒ k = k1 + k2 k1P Q − k2P ≈ p

1 2

≈ p

1 2

∀(x, y) ∈ L (resp. L′) x ∈ Fp

6

How to Proceed

Splitting k1 and k2 k1 =k11 + k12 k11 = k12 = k2 =k21 + k22 k21 = k22 =

log(p)

1 4 log p

log(p)

1 4 log p

7

How to Proceed

Splitting k1 and k2 k1 =k11 + k12 k11 = k12 = k2 =k21 + k22 k21 = k22 =

log(p)

1 4 log p

log(p)

1 4 log p

• L: list of all P1 = (k11 + k12)P = (x, y), x ∈ Fp
• L′: list of all P2 = Q − (k21 + k22)P = (x′, y′), x′ ∈ Fp

7

A 4-List Algorithm

k11 = k12 = k21 = k22 = k11P k12P Q − k21P −k22P

8

A 4-List Algorithm

k11 = k12 = k21 = k22 = k11P k12P Q − k21P −k22P p

3 4

p

3 4

p

3 4

p

3 4

T ≈ p

3 4 8

A 4-List Algorithm

k11 = k12 = k21 = k22 = k11P k12P Q − k21P −k22P Join Join (x, y) x ∈ Fp (x′, y′) x′ ∈ Fp

T ≈ p

3 4 + TJoin 8

A 4-List Algorithm

k11 = k12 = k21 = k22 = k11P k12P Q − k21P −k22P Join Join (x, y) x ∈ Fp (x′, y′) x′ ∈ Fp

T ≈ TJoin

8

A 4-List Algorithm

k11 = k12 = k21 = k22 = k11P k12P Q − k21P −k22P Join Join (x, y) x ∈ Fp (x′, y′) x′ ∈ Fp p

1 2

p

1 2

(k11 + k12)P = Q − (k21 + k22)P

T ≈ TJoin + p

1 2 8

A 4-List Algorithm

k11 = k12 = k21 = k22 = k11P k12P Q − k21P −k22P Join Join (x, y) x ∈ Fp (x′, y′) x′ ∈ Fp (k11 + k12)P = Q − (k21 + k22)P

T ≈ TJoin

8

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp Group law: (x1 − x2)2(x1 + x2 + x) − y2

1 − y2 2 = −2y1y2

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp Group law: (x1 − x2)2(x1 + x2 + x) − y2

1 − y2 2 = −2y1y2

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp Weierstraß: ((x1−x2)2(x1+x2+x)−f(x1)2−f(x2)2)2−4f(x1)f(x2) = 0

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp x1 = u1 + αv1, x2 = u2 + αv2 x = u + αv Weierstraß: ((x1−x2)2(x1+x2+x)−f(x1)2−f(x2)2)2+4f(x1)f(x2) = 0

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp x1 = u1 + αv1, x2 = u2 + αv2 x = u + αv g0(u1, v1, u2, v2, u, v) + αg1(u1, v1, u2, v2, u, v) = 0

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp x1 = u1 + αv1, x2 = u2 + αv2 x = u + αv g0(u1, v1, u2, v2, u, 0) + αg1(u1, v1, u2, v2, u, 0) = 0

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp x1 = u1 + αv1, x2 = u2 + αv2 x = u + αv g′

0(u1, v1, u2, v2, u) + αg′ 1(u1, v1, u2, v2, u) = 0

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp x1 = u1 + αv1, x2 = u2 + αv2 x = u + αv g′

0(u1, v1, u2, v2, u)

• =0

+α g′

1(u1, v2, u1, v2, u)

• =0

= 0 = ⇒ We can eliminate u

9

Computing the Join

P1 = (x1, y1), P2 = (x2, y2) Check if (x, y) = P1 + P2 satisfy x ∈ Fp x1 = u1 + αv1, x2 = u2 + αv2 x = u + αv f(u1, v1, u2, v2) = 0

9

The Zero-Join Problem ZJ-Problem

Given

• A polynomial f ∈ Fp[X1, . . . X4], deg(f) constant
• Two lists A, B of points (ui, vi) (resp. (uj, vj)) in F2

p s.t. |A||B| = p3/2

Compute the list C of all points (ui, vi, uj, vj) s.t. f(ui, vi, uj, vj) = 0

10

The Zero-Join Problem ZJ-Problem

Given

• A polynomial f ∈ Fp[X1, . . . X4], deg(f) constant
• Two lists A, B of points (ui, vi) (resp. (uj, vj)) in F2

p s.t. |A||B| = p3/2

Compute the list C of all points (ui, vi, uj, vj) s.t. f(ui, vi, uj, vj) = 0

How to solve this?

• Naive algorithm O (|A||B|) = O
• p3/2
• Can we do better?
• Can we solve this in o(p)?

10

The Zero-Join Problem ZJ-Problem

Given

• A polynomial f ∈ Fp[X1, . . . X4], deg(f) constant
• Two lists A, B of points (ui, vi) (resp. (uj, vj)) in F2

p s.t. |A||B| = p3/2

Compute the list C of all points (ui, vi, uj, vj) s.t. f(ui, vi, uj, vj) = 0

How to solve this?

• Naive algorithm O (|A||B|) = O
• p3/2
• Can we do better?

Yes!

• Can we solve this in o(p)?

We don’t know yet...

10

Sub-quadratic algorithm for the ZJ-problem

(ui, vi) (uj, vj) All (ui, vi, uj, vj) s.t. f(ui, vi, uj, vj) = 0

11

Sub-quadratic algorithm for the ZJ-problem

(uj, vj) fi = f(ui, vi, X, Y ) All (fi, (uj, vj)) s.t. fi(uj, vj) = 0

11

Sub-quadratic algorithm for the ZJ-problem

(uj, vj) fi = f(ui, vi, X, Y ) All (fi, (uj, vj)) s.t. fi(uj, vj) = 0 × ×

11

Sub-quadratic algorithm for the ZJ-problem

(uj, vj) fi = f(ui, vi, X, Y ) All (fi, (uj, vj)) s.t. fi(uj, vj) = 0 ×

11

Sub-quadratic algorithm for the ZJ-problem

F =

i fi

∀(uj, vj) s.t. F(uj, vj) = 0, find fi s.t fi(uj, vj) = 0

11

Sub-quadratic algorithm for the ZJ-problem

∀(uj, vj) s.t. F(uj, vj) = 0, find fi s.t fi(uj, vj) = 0 fi

11

Complexity analysis

• Start with √p polynomials fi(X, Y ) and p points (uj, vj)

12

Complexity analysis

• Start with √p polynomials fi(X, Y ) and p points (uj, vj)
• Compute F =

i fi

T = ˜ O (p)

12

Complexity analysis

• Start with √p polynomials fi(X, Y ) and p points (uj, vj)
• Compute F =

i fi

T = ˜ O (p)

• Multi-point evaluation of F in all (uj, vj)
• Using [NZ04] algorithm

T = ˜ O

• p

1 2 (1+ ω2 2 )+ǫ 12

Complexity analysis

• Start with √p polynomials fi(X, Y ) and p points (uj, vj)
• Compute F =

i fi

T = ˜ O (p)

• Multi-point evaluation of F in all (uj, vj)
• Using [NZ04] algorithm

T = ˜ O

• p

1 2 (1+ 3.257 2

)+ǫ

12

Complexity analysis

• Start with √p polynomials fi(X, Y ) and p points (uj, vj)
• Compute F =

i fi

T = ˜ O (p)

• Multi-point evaluation of F in all (uj, vj)
• Using [NZ04] algorithm

T = O

• p1.314

12

Complexity analysis

• Start with √p polynomials fi(X, Y ) and p points (uj, vj)
• Compute F =

i fi

T = ˜ O (p)

• Multi-point evaluation of F in all (uj, vj)
• Using [NZ04] algorithm

T = O

• p1.314
• Evaluate each fi in all (uj, vj) s.t. F(uj, vj) = 0

T = O (p)

12

Complexity analysis

• Start with √p polynomials fi(X, Y ) and p points (uj, vj)
• Compute F =

i fi

T = ˜ O (p)

• Multi-point evaluation of F in all (uj, vj)
• Using [NZ04] algorithm

T = O

• p1.314
• Evaluate each fi in all (uj, vj) s.t. F(uj, vj) = 0

T = O (p) = ⇒ Total runtime T = O

• p1.314

12

In a Nutshell

k11 = k12 = k21 = k22 = k11P k12P Q − k21P −k22P p √p p √p Join Join (x, y) x ∈ Fp (x′, y′) x′ ∈ Fp √p √p (k11 + k12)P = Q − (k21 + k22)P

T = TJoin = ˜ O

• p1.314

13

Conclusion

This work...

• Proposes new ideas to solve ECDLP over Fp2
• Does not beat previous work
• Any Improvement in ZJ-problem =

⇒ Better p2-ECDLP algorithm

14

Conclusion

This work...

• Proposes new ideas to solve ECDLP over Fp2
• Does not beat previous work
• Any Improvement in ZJ-problem =

⇒ Better p2-ECDLP algorithm Perspective

• More efficient zero-testing method?
• Another elliptic curve model (e.g. Edwards Curves)?
• Another restriction?

14

Conclusion

This work...

• Proposes new ideas to solve ECDLP over Fp2
• Does not beat previous work
• Any Improvement in ZJ-problem =

⇒ Better p2-ECDLP algorithm Perspective

• More efficient zero-testing method?
• Another elliptic curve model (e.g. Edwards Curves)?
• Another restriction?

Thanks for your attention!

14