DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 - PowerPoint PPT Presentation

ECC 2019: 23rd Workshop on DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN QUASI-POLYNOMIAL TIME Based on a joint work with Thorsten Kleinjung IN FINITE FIELDS OF SMALL CHARACTERISTIC Benjamin Wesolowski

RIGOROUS OR HEURISTIC If it seems to work, is it good enough?

RIGOROUS ALGORITHMS FOR DLP Discrete logarithm problem (DLP) in finite fields of fixed characteristic ( 𝔾 p n with p fixed and n → ∞ … think 𝔾 2 n ): ‣ Given a generator g of 𝔾 p n and an arbitrary element h , find an × integer m such that h = g m ➡ Pomerance (1987) proved complexity L p n (1/2) ➡ We prove it can be done in quasi-polynomial time For constant p: L p n ( α ) = e O ((log p n ) α (log log p n ) 1 – α ) n O (1) = e quasi-poly(log p n ) = e (log log p n ) O (1) log(n) O (1) = e

RIGOROUS ALGORITHMS FOR DLP Discrete logarithm problem (DLP) in finite fields of fixed characteristic ( 𝔾 p n with p fixed and n → ∞ … think 𝔾 2 n ): × ‣ Given a generator g of 𝔾 p n and an arbitrary element h , find an integer m such that h = g m ➡ Pomerance (1987) proved complexity L p n (1/2) ➡ We prove it can be done in quasi-polynomial time Theorem: Given any prime number p and any positive integer n , × the discrete logarithm problem in the group 𝔾 p n can be solved in 2log 2 ( n ) + O (1) expected time ( pn )

1922 KRAIT CHIK NO COMPLEXITY TIMELINE 1968 MILLER, WESTERN NO COMPLEXITY 1976 DIFFIE, HELLMAN BEST KNOWN O(Q 1/2 ) 1979 ADLEMAN L(1/2) IN LARGE CHAR. 1982 HELLMAN, REYNERI L(1/2) 1984 COPPERSMITH L(1/3) 1987 POMERANCE L(1/2) ... ... 2013 JOUX L(1/4) 2013 BARBULESCU, GAUDRY, JOUX, THOME QUASI-POLY 2014 GRANGER, KLEINJUNG, ZUMBRAGEL QUASI-POLY 2019 THIS WORK (KLEINJUNG, W.) QUASI-POLY

A RIGOROUS ALGORITHM Finely crafted and analysed by Pomerance in 1987

AN INDEX CALCULUS ALGORITHM × ‣ 𝔾 p n = 𝔾 p [ x ]/( J ), generator g ∊ 𝔾 p n ‣ Factor base 𝔊 = { f ∊ 𝔾 p [ x ] | deg( f ) ≤ B , monic, irred.} ∪ { g } ‣ Index calculus: ➡ Relation collection: collect relations of the form ∑ e f log g f = r (mod p n – 1) f ∊ 𝔊 ➡ Linear algebra: the relations form a linear system with unknowns log g f . Solve it, recover the values log g f ➡ Individual logarithm: given h ∊ 𝔾 p n , compute log g h

INDEX CALCULUS FROM DESCENT × ‣ Descent: given h ∊ 𝔾 p n find integers e f , for f in 𝔊 , such that h = ∏ f e f f ∊ 𝔊 { descent ( h ) ➡ Relation collection: generate random r ∊ [1, p n – 1], r = log g ( descent ( g r )) = ∑ e f log g f f ∊ 𝔊 ➡ Individual logarithm: given h , log g h = log g ( descent ( h )) = ∑ e f log g f f ∊ 𝔊

SUMMARY EFFICIENT DESCENT ALGORITHM A S I E R E H T : E C N A R E M O P F O T N E C S E D ) 2 / 1 ( L Y T I X E L P M O C EFFICIENT ALGORITHM FOR COMPUTING LOGARITHMS E V L O S N A C E N O O S ) 2 / 1 ( L E M I T N I P L D

A ZIGZAG DESCENT Descending one step at a time

A HEURISTIC QUASI-POLYNOMIAL ALGORITHM Theorem (Granger, Kleinjung, Zumbrägel): the DLP in fixed characteristic can be solved in expected quasi-poly. time in fields that admit a suitable representation ‣ Suitable representation ? Field 𝔾 q 4 [ x ]/( J ) where J is an irreducible polynomial in 𝔾 q 4 [ x ] such that x q ≡ h 0 / h 1 mod J with h 0 and h 1 polynomials in 𝔾 q 4 [ x ] of degree at most 2 ‣ Expected time q log 2 (deg( J ))

A DESCENT IS SUFFICIENT A descent algorithm is su ffi cient ‣ Fix the factor base 𝔊 = { linear polynomials in 𝔾 q 4 [ x ] } ‣ Descent: Given any polynomial Q in 𝔾 q 4 [ x ] find integers e f , for f in 𝔊 , such that Q ≡ ∏ f e f mod J . f ∊ 𝔊 ‣ Main ingredient of the descent, degree 2 to 1 elimination : given a degree 2 polynomial over an extension k of 𝔾 q 4 , rewrite it as a product of degree 1 polynomials over k

ZIGZAG DESCENT The zigzag descent: transform the degree 2 to 1 elimination into a full descent algorithm n t i o n a m i l i 1 e o 2 t e r e e g D 1 2 𝔾 q 4 · 2 e – 1 Norm 2 1 2 Factorisation into 𝔾 q 4 · 2 e – 2 quadratics over 𝔾 q d2 e – 1 2 2 𝔾 q 8 1 2 2 2 e 1 2 𝔾 q 4

ZIGZAG DESCENT The zigzag descent: transform the degree 2 to 1 elimination into a full descent algorithm n t i o n a m i l i 1 e o 2 t e r e e g D 1 2 𝔾 q 4 · 2 e – 1 Norm 2 1 2 Factorisation into 𝔾 q 4 · 2 e – 2 quadratics over 𝔾 q d2 e – 1 2 2 Q in 𝔾 q 4 [x] 𝔾 q 8 1 2 of degree D 2 Rewrite as irreducible D 2 e 1 2 𝔾 q 4 of degree 2 e

SUMMARY DEGREE 2 TO 1 ELIMINATION DESCENT ALGORITHM EFFICIENT ALGORITHM FOR COMPUTING LOGARITHMS

GKZ’S DEGREE 2 TO 1 ELIMINATION A building block

POLYNOMIALS WITH HIGHER SPLITTING PROBABILITY Fix an extension k of 𝔾 q 4 , and let Q an irred. quadratic in k [ x ] ‣ Key idea (from [GGMZ13]): polynomials of the form α x q + 1 + β x q + γ x + δ in k [ x ] have a high probability to split over k (around q – 3 ) ‣ Let V be the vector space of dimension 4 of these polynomials, i.e., V = span( x q + 1 , x q , x , 1) ⊂ k [ x ] Gölo ğ lu, Granger, McGuire, and Zumbrägel. On the function field sieve and the impact of higher splitting probabilities . CRYPTO 2013.

SMOOTH RELATIONS ‣ V = span( x q + 1 , x q , x , 1) ⊂ k [ x ] ‣ We have x q ≡ h 0 / h 1 mod J , so α xh 0 + β h 0 + γ xh 1 + δ h 1 α x q + 1 + β x q + γ x + δ ≡ mod J h 1 Splits with high probability e g r e e 3 t o r o f d n u m e r a ‣ Consider the vector subspace V Q of dimension 2 in V , where Q divides the right-hand side: V Q = { α x q + 1 + β x q + γ x + δ | α xh 0 + β h 0 + γ xh 1 + δ h 1 ≡ 0 mod Q }

THE DEGREE 2 TO 1 ELIMINATION ‣ For any f = α x q + 1 + β x q + γ x + δ in V Q , h 1 f ≡ α xh 0 + β h 0 + γ xh 1 + δ h 1 mod J ‣ The quotient L 0 = ( α xh 0 + β h 0 + γ xh 1 + δ h 1 )/ Q is linear h 1 f ≡ L 0 Q mod J ‣ If f splits into linears L 1 ,…, L q + 1 in k [ x ], then –1 Q ≡ h 1 L 0 L 1 … L q + 1 mod J ‣ Algorithm: choose random f ∊ V Q until it splits over k

SUMMARY DEGREE 2 TO 1 ELIMINATION A E V A H E W G N I M ! U D S L S E A I F , E E N H O T D R O F L E D O M E L B A T I U S DESCENT ALGORITHM ALGORITHM FOR COMPUTING DISCRETE LOGARITHMS

ELLIPTIC CURVE MODEL A convenient model for the finite field

HEURISTIC MODEL ‣ Model 𝔾 q 4 [ x ]/( J ) used in heuristic algorithms ‣ Good: the relation x q ≡ h 0 / h 1 , i.e., the Frobenius is congruent to a small degree rational map ‣ Bad: we cannot prove this model always exists ‣ For our new rigorous algorithm: other model that always exists and has a ‘small degree’ Frobenius?

FINITE FIELDS FROM ELLIPTIC CURVES ‣ Construct a model for 𝔾 q n where the q -Frobenius is congruent to a small degree rational map… ‣ Use elliptic curves!

FINITE FIELDS FROM ELLIPTIC CURVES ‣ Construct a model for 𝔾 q n where the q -Frobenius is congruent to a small degree rational map… ‣ Let E / 𝔾 q be an elliptic curve such that E ( 𝔾 q ) has a point Q of order n ‣ Let S ∊ E such that S ( q ) = S + Q . Then S ( q i ) = S ( q i – 1 ) + Q = S ( q i – 2 ) + 2 Q = … = S + iQ ‣ Q of order n implies ( q n ) is the first Frobenius fixing S ? ‣ 𝔾 q n = residue field of S over 𝔾 q

FINITE FIELDS FROM ELLIPTIC CURVES ? ‣ 𝔾 q n = residue field of S over 𝔾 q ‣ ‘Coordinate ring of E ’ = 𝔾 q [ E ] = 𝔾 q [ x , y ] / ( y 2 – x 3 – ax – b ) ‣ ‘Residue field of S ’ = 𝔾 q [ E ]/ ∼ where f ∼ g ⟺ f ( S ) = g ( S )

FROBENIUS AS A SMALL DEGREE MAP ‣ Let φ q : E → E : P ↦ P ( q ) be the q -Frobenius ‣ For R ∊ E let τ R : E → E : P ↦ P + R be the translation by R ‣ For any f ∊ 𝔾 q [ E ]/ ∼ = 𝔾 q n , we have f ∘ φ q ∼ f ∘ τ Q "Frobenius = translation by Q" 1 mod J" 0 /h q ≡ h w "x e n h e s t i f ∘ φ q ( S ) = f ( S ( q ) ) = f ( S + Q ) = f ∘ τ Q ( S )

PROVABLE MODEL ‣ We want to solve DLP in 𝔾 q n : find E / 𝔾 q with a point of order n ‣ Theorem (Waterhouse, 1969): For any integer t coprime to q such that | t | ≤ 2 q 1/2 , there is an ordinary elliptic curve E / 𝔾 q such that | E ( 𝔾 q )| = q + 1 − t . ‣ If n 2 ≤ 2 q 1/2 , there exists E / 𝔾 q that contains a point of order n ‣ To solve DLP in 𝔾 p n , solve it in a small extension 𝔾 q n such that n 2 ≤ 2 q 1/2

NEW ELIMINATIONS Eliminations in the elliptic curve model

DEGREES Fix an extension k of 𝔾 q ‣ k ( E ) = k ( x , y ) / ( y 2 – x 3 – ax – b ) ‣ ‘Degree of f ∊ k ( E )’ = number of solutions of f ( P ) = 0, P ∊ E ‣ x ∊ k ( E ) has degree 2 two points (0, y) with y 2 = b

SPLITTING POLYNOMIALS Fix an extension k of 𝔾 q ‣ V = span( x q + 1 , x q , x , 1) ⊂ k ( E ) ‣ Random f ∊ V splits with high probability into ‘linear factors’ L 1 ,…, L q + 1 defined over k ‣ Each L i is of the form x – a , they are of degree 2… ‣ No ‘degree 2 to 1’ elimination… Can we do ‘3 to 2’? ‣ Let D in k ( E ) of degree 3