DISCRETE LOGARITHMS
IN QUASI-POLYNOMIAL TIME
IN FINITE FIELDS OF SMALL CHARACTERISTIC
Benjamin Wesolowski
ECC 2019: 23rd Workshop on Elliptic Curve Cryptography December 2019 Bochum, Germany
Based on a joint work with
Thorsten Kleinjung
If it seems to work, is it good enough?
RIGOROUS ALGORITHMS FOR DLP
Discrete logarithm problem (DLP) in finite fields of fixed characteristic (𝔾_{p^n}^× with p fixed and n → ∞; think 𝔾_{2^n}^×): given g and h, find an integer m such that h = g^m.
➡ Pomerance (1987) proved complexity L_{p^n}(1/2)
➡ We prove it can be done in quasi-polynomial time
where L_{p^n}(α) = e^{O((log p^n)^α (log log p^n)^{1 − α})} and quasi-poly(log p^n) = e^{(log log p^n)^{O(1)}}.
For constant p: L_{p^n}(α) = e^{n^{O(1)}} and quasi-poly(log p^n) = e^{log(n)^{O(1)}}.
Theorem: Given any prime number p and any positive integer n, the discrete logarithm problem in the group 𝔾_{p^n}^× can be solved in expected time (pn)^{2 log_2(n) + O(1)}.
TIMELINE
1922 Kraitchik: no complexity
1968 Miller, Western: no complexity
1976 Diffie, Hellman: best known O(Q^{1/2})
1979 Adleman: L(1/2) in large characteristic
1982 Hellman, Reyneri: L(1/2)
1984 Coppersmith: L(1/3)
1987 Pomerance: L(1/2)
2013 Joux: L(1/4)
2013 Barbulescu, Gaudry, Joux, Thomé: quasi-poly
2014 Granger, Kleinjung, Zumbrägel: quasi-poly
2019 This work (Kleinjung, W.): quasi-poly
Finely crafted and analysed by Pomerance in 1987
AN INDEX CALCULUS ALGORITHM
➡ Relation collection: collect relations of the form ∑_{f ∊ 𝔊} e_f log_g f = r (mod p^n − 1)
➡ Linear algebra: the relations form a linear system with unknowns log_g f. Solve it, recover the values log_g f
➡ Individual logarithm: given h ∊ 𝔾_{p^n}^×, compute log_g h
INDEX CALCULUS FROM DESCENT
A descent algorithm descent(h) writes h = ∏_{f ∊ 𝔊} f^{e_f}.
➡ Relation collection: generate random r ∊ [1, p^n − 1], then r = log_g(descent(g^r)) = ∑_{f ∊ 𝔊} e_f log_g f
➡ Individual logarithm: given h, log_g h = log_g(descent(h)) = ∑_{f ∊ 𝔊} e_f log_g f
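A toy instance of the "index calculus from descent" scheme above, as an added example that is not code from the talk or the paper: the group is 𝔾_{2^13}^×, and descent(h) is plain trial division over a factor base 𝔊 of irreducible polynomials of degree ≤ 4 (the smoothness-based baseline, not the zigzag descent of the talk). The modulus x^13 + x^4 + x^3 + x + 1, the smoothness bound and the relation count are constructed choices.

```python
import random
N, M = 13, (1 << 13) - 1     # GF(2^13); the group order 8191 is prime, so every g != 1 generates
J = 0b10000000011011         # x^13 + x^4 + x^3 + x + 1, irreducible over GF(2) (constructed choice)
B = 4                        # factor base FB: irreducible polynomials of degree <= B (bit masks)
def mul(a, b):               # product in GF(2)[x]/(J)
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = (a << 1) ^ (J if a >> (N - 1) else 0), b >> 1
    return r
def power(a, e):             # a^e by square-and-multiply
    r = 1
    while e:
        if e & 1: r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r
def pdiv(a, b):              # quotient and remainder in GF(2)[x]
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() > db:
        s = a.bit_length() - 1 - db
        q, a = q | (1 << s), a ^ (b << s)
    return q, a
FB = [f for f in range(2, 1 << (B + 1))             # factor base: no divisor of smaller degree
      if all(pdiv(f, d)[1] for d in range(2, f) if d.bit_length() < f.bit_length())]
def descent(h):              # h = prod f^e_f over FB (dict: index -> e_f), or None if not B-smooth
    e = {}
    for i, f in enumerate(FB):
        while pdiv(h, f)[1] == 0: h, e[i] = pdiv(h, f)[0], e.get(i, 0) + 1
    return e if h == 1 else None
def solve_mod(rows, m):      # Gaussian elimination over Z/mZ (m prime); row = coefficients + [rhs]
    k = len(rows[0]) - 1
    for c in range(k):
        p = next((i for i in range(c, len(rows)) if rows[i][c]), None)
        if p is None: return None                    # rank-deficient: caller collects more relations
        rows[c], rows[p] = rows[p], rows[c]
        rows[c] = [v * pow(rows[c][c], -1, m) % m for v in rows[c]]
        rows[:] = [r if i == c or not r[c] else [(a - r[c] * b) % m for a, b in zip(r, rows[c])]
                   for i, r in enumerate(rows)]
    return [rows[i][k] for i in range(k)]
def dlog(g, h, seed=1):
    rng, logs = random.Random(seed), None
    while logs is None:      # relation collection, then linear algebra
        rows = []
        while len(rows) < len(FB) + 8:
            e = descent(power(g, r := rng.randrange(1, M)))  # g^r = prod f^e_f: r = sum e_f log_g f
            if e is not None: rows.append([e.get(i, 0) for i in range(len(FB))] + [r])
        logs = solve_mod(rows, M)
    while True:              # individual logarithm from descent(h g^s): log_g h = sum e_f log_g f - s
        e = descent(mul(h, power(g, s := rng.randrange(M))))
        if e is not None: return (sum(k * logs[i] for i, k in e.items()) - s) % M
```

Replacing descent() by an algorithm that always succeeds is exactly what turns this baseline into the scheme of the talk; everything else (relations, linear algebra, individual logarithm) is unchanged.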
SUMMARY
EFFICIENT DESCENT ALGORITHM ⟹ EFFICIENT ALGORITHM FOR COMPUTING LOGARITHMS
Pomerance: there is a descent of complexity L(1/2), so one can solve DLP in time L(1/2).
Descending one step at a time
A HEURISTIC QUASI-POLYNOMIAL ALGORITHM
Theorem (Granger, Kleinjung, Zumbrägel): the DLP in fixed characteristic can be solved in expected quasi-polynomial time in fields that admit a suitable representation.
Suitable representation: J an irreducible polynomial in 𝔾_{q^4}[x] such that x^q ≡ h_0/h_1 mod J, with h_0 and h_1 polynomials in 𝔾_{q^4}[x] of degree at most 2.
A DESCENT IS SUFFICIENT
A descent algorithm is sufficient: given Q, find exponents e_f, f ∊ 𝔊, such that
Q ≡ ∏_{f ∊ 𝔊} f^{e_f} mod J.
Degree 2 to 1 elimination: given a degree 2 polynomial over an extension k of 𝔾_{q^4}, rewrite it as a product of degree 1 polynomials over k.
The zigzag descent: transform the degree 2 to 1 elimination into a full descent algorithm
ZIGZAG DESCENT
[Figure: the zigzag descent. Rewrite the target as an irreducible Q in 𝔾_{q^4}[x] of degree 2^e. Factor Q into quadratics over 𝔾_{q^{4·2^{e−1}}}; apply the degree 2 to 1 elimination there; take norms down to 𝔾_{q^{4·2^{e−2}}}, where each degree 1 factor becomes a quadratic; repeat. The tower 𝔾_{q^{4·2^{e−1}}} ⊃ 𝔾_{q^{4·2^{e−2}}} ⊃ … ⊃ 𝔾_{q^8} ⊃ 𝔾_{q^4} is traversed alternating degree 2 to 1 eliminations and norms, the degree labels in the figure alternating 2, 1, 2, 1, … down to degree 1 polynomials over 𝔾_{q^4}.]
SUMMARY
DEGREE 2 TO 1 ELIMINATION ⟹ DESCENT ALGORITHM ⟹ EFFICIENT ALGORITHM FOR COMPUTING LOGARITHMS
A building block
POLYNOMIALS WITH HIGHER SPLITTING PROBABILITY
Fix an extension k of 𝔾_{q^4}, and let Q be an irreducible quadratic in k[x]. Polynomials of the form αx^{q+1} + βx^q + γx + δ in k[x], i.e. elements of V = span(x^{q+1}, x^q, x, 1) ⊂ k[x], have a high probability to split over k (around q^{−3}).
Göloğlu, Granger, McGuire, and Zumbrägel. On the function field sieve and the impact of higher splitting probabilities. CRYPTO 2013.
SMOOTH RELATIONS
Since x^q ≡ h_0/h_1 mod J,
αx^{q+1} + βx^q + γx + δ ≡ (αxh_0 + βh_0 + γxh_1 + δh_1)/h_1 mod J.
The left-hand side splits with high probability; the numerator on the right-hand side has degree 3.
V_Q = {αx^{q+1} + βx^q + γx + δ | αxh_0 + βh_0 + γxh_1 + δh_1 ≡ 0 mod Q}: for f ∊ V_Q, Q divides the numerator of the right-hand side.
THE DEGREE 2 TO 1 ELIMINATION
Take f ∊ V_Q that splits over k, f = L_1 ⋯ L_{q+1}. Then
h_1 f ≡ αxh_0 + βh_0 + γxh_1 + δh_1 mod J
h_1 f ≡ L_0 Q mod J (the degree 3 numerator is Q times a degree 1 factor L_0)
Q ≡ h_1 L_0^{−1} L_1 ⋯ L_{q+1} mod J
SUMMARY
DEGREE 2 TO 1 ELIMINATION ⟹ DESCENT ALGORITHM ⟹ ALGORITHM FOR COMPUTING DISCRETE LOGARITHMS
Done, assuming we have a suitable model for the field!
A convenient model for the finite field
HEURISTIC MODEL
x^q ≡ h_0/h_1 mod J: the Frobenius x ↦ x^q is congruent to a small degree rational map.
… and has a 'small degree' Frobenius?
FINITE FIELDS FROM ELLIPTIC CURVES
The Frobenius as a small degree rational map: let E/𝔾_q be an elliptic curve, S a point of E, and Q = S^{(q)} − S, rational over 𝔾_q, where S^{(q)} denotes the image of S under the q-Frobenius. Then
S^{(q^i)} = S^{(q^{i−1})} + Q = S^{(q^{i−2})} + 2Q = … = S + iQ
Functions on E are identified by their value at S: f ∼ g ⟺ f(S) = g(S)
FROBENIUS AS A SMALL DEGREE MAP
"Frobenius = translation by Q" is the new "x^q ≡ h_0/h_1 mod J":
f ∘ φ_q ∼ f ∘ τ_Q, since f ∘ φ_q(S) = f(S^{(q)}) = f(S + Q) = f ∘ τ_Q(S)
PROVABLE MODEL
… such that |t| ≤ 2q^{1/2}, there is an ordinary elliptic curve E/𝔾_q such that |E(𝔾_q)| = q + 1 − t.
n^2 ≤ 2q^{1/2}
Eliminations in the elliptic curve model
DEGREES
Fix an extension k of 𝔾_q. The coordinate function x has degree 2 in k(E): its zeros are the two points (0, y) with y^2 = b.
SPLITTING POLYNOMIALS
Fix an extension k of 𝔾_q. A polynomial in V that splits over k factors as L_1 ⋯ L_{q+1}, with L_1, …, L_{q+1} of degree 1 and defined over k.
A FIRST ATTEMPT…
Let D in k(E) have degree 3. Replacing x^q by x ∘ τ_Q (Frobenius = translation by Q), the polynomial αx^{q+1} + βx^q + γx + δ becomes the function α(x∘τ_Q)x + β(x∘τ_Q) + γx + δ, of degree 4 since x and x∘τ_Q both have degree 2 in k(E).
Y = {αx^{q+1} + βx^q + γx + δ | α(x∘τ_Q)x + β(x∘τ_Q) + γx + δ ≡ 0 mod D} ⊂ ℙ(V)
g = (α(x∘τ_Q)x + β(x∘τ_Q) + γx + δ)/D has degree 4 − 3 = 1, and if the polynomial splits as L_1 ⋯ L_{q+1}, then D ≡ L_1 ⋯ L_{q+1} g^{−1}, with g of degree 1 and the L_i of degree 2 in k(E). Warning: hand-wavy. Degree 3 to degree 2 elimination??
But the kernel is expected to have dimension 1: Y is a single point, so there is no freedom left to ask that the polynomial splits.
AN EXTRA DEGREE OF FREEDOM
Fix an extension k of 𝔾_q, and let D in k(E) be of degree 3. For a point P of E, define
ψ_P : V → k(E), 1 ↦ 1, x ↦ x ∘ τ_P, x^q ↦ x ∘ τ_{Q+P^{(q)}}, x^{q+1} ↦ (x ∘ τ_P)(x ∘ τ_{Q+P^{(q)}})
ψ_P(f) has degree 4 and splits with high probability into degree 2's.
DEGREE 3 TO DEGREE 2 ELIMINATION
X = {(f, P) | ψ_P(f) ≡ 0 mod D} ⊂ ℙ(V) × E
D = ψ_P(f) g^{−1} ≡ (L_1 ∘ τ_P) ⋯ (L_{q+1} ∘ τ_P) g^{−1}, with g of degree 1 and the L_i ∘ τ_P of degree 2. Warning: hand-wavy. Degree 3 to degree 2 elimination.
SUMMARY
Heuristic: DEGREE 2 TO 1 ELIMINATION ⟹ (zig-zag descent) DESCENT ALGORITHM ⟹ ALGORITHM FOR COMPUTING DISCRETE LOGARITHMS
Rigorous: DEGREE 3 TO 2 ELIMINATION ⟹ (zig-zag descent) DESCENT ALGORITHM ⟹ ALGORITHM FOR COMPUTING DISCRETE LOGARITHMS
Rigorous! DEGREE 4 TO 3 ELIMINATION (rigorous) + DEGREE 3 TO 2 ELIMINATION (rigorous) ⟹ DEGREE 4 TO 2 ELIMINATION ⟹ (zig-zag descent) DESCENT ALGORITHM ⟹ ALGORITHM FOR COMPUTING DISCRETE LOGARITHMS
Irreducible covers
WHAT REMAINS TO BE PROVED?
IRREDUCIBLE CURVES
A curve is irreducible if it is not a union of two sub-curves: C_1 and C_2 are both irreducible, but C_1 ∪ C_2 is not irreducible.
A curve is absolutely irreducible if it is irreducible over the algebraic closure of the field of definition.
CURVES AND MORPHISMS
Morphisms between curves are given by polynomials in the coordinates; over the algebraic closure, a morphism is either constant or surjective.
PROOF STRATEGY
For how many (f, P) ∊ X(k) does f split over k?
Construct a curve C and θ : C → X such that
➡ For any point z in C(k), the polynomial in θ(z) splits over k
➡ C is absolutely irreducible
Hasse–Weil bounds: absolutely irreducible curves have a lot of rational points, so a lot of polynomials in X(k) split over k.
Method from: Kleinjung, Wesolowski. A new perspective on the powers of two descent for discrete logarithms in finite fields. ANTS–XIII, 2018.
A DETERMINISTIC ALGORITHM?
A POLYNOMIAL TIME ALGORITHM?
MEDIUM AND LARGE CHARACTERISTIC?