F4 traces and index calculus on elliptic curves over extension - PowerPoint PPT Presentation

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work with Antoine Joux Universit´ e de Versailles Saint-Quentin, Laboratoire PRISM Elliptic Curve Cryptography, October 20, 2010 Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 1 / 35

Part I Index calculus methods Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 2 / 35

Context Hardness of ECDLP ECDLP Given P ∈ E ( F q ) and Q ∈ � P � , find x such that Q = [ x ] P Specific attacks on few families of curves: Transfer methods transfer to F ∗ q k via pairings: curves with small embedding degree lift to characteristic zero fields: anomalous curves Weil descent: transfer from E ( F q n ) to J C ( F q ) where C is a genus g ≥ n curve Otherwise, only generic attacks Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 3 / 35

Context Trying an index calculus approach Index calculus usually the best attack of the DLP over finite fields and hyperelliptic curves No known equivalent on E ( F p ), p prime Feasible on E ( F p n ) and asymptotically better than Weil descent or generic algorithms Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 4 / 35

Context Trying an index calculus approach Index calculus usually the best attack of the DLP over finite fields and hyperelliptic curves No known equivalent on E ( F p ), p prime Feasible on E ( F p n ) and asymptotically better than Weil descent or generic algorithms Basic outline of index calculus method for DLP 1 define a factor base: F = { P 1 , . . . , P N } 2 relation search: for random ( a i , b i ), try to decompose [ a i ] P + [ b i ] Q as sum of points in F 3 linear algebra step: once k > # F relations found, deduce with sparse algebra techniques the DLP of Q Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 4 / 35

Results Results Original algorithm (Gaudry, Diem) O ( q 2 − 2 Complexity of DLP over E ( F q n ) in ˜ n ) but with hidden constant exponential in n 2 faster than generic methods when n ≥ 3 and log q > C . n sub-exponential complexity when n = Θ( √ log q ) impracticable as soon as n > 4 Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 5 / 35

Results Results Original algorithm (Gaudry, Diem) O ( q 2 − 2 Complexity of DLP over E ( F q n ) in ˜ n ) but with hidden constant exponential in n 2 faster than generic methods when n ≥ 3 and log q > C . n sub-exponential complexity when n = Θ( √ log q ) impracticable as soon as n > 4 Our variant Complexity in ˜ O ( q 2 ) but with a better dependency in n faster than generic methods when n ≥ 5 and log q ≥ 2 ω n faster than Gaudry and Diem’s method when log q ≤ 3 − ω 2 n 3 works for n = 5 Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 5 / 35

Results Comparison of the three attacks of ECDLP over F q n n O (log 2 q ) 16 15 14 13 12 11 [Pollard] [this work] 10 9 � O ( 3 log 2 q ) 8 7 6 [Gaudry-Diem] 5 4 3 2 log 2 q 1 Comparison of Pollard’s rho method, Gaudry and Diem’s attack and our attack for ECDLP over F q n , n ≥ 1. Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 6 / 35

Ingredients Ingredients of index calculus approaches Goal Find at least # F decompositions of random combinations R = [ a ] P +[ b ] Q What kind of “decomposition” over E ( K ) Semaev (2004): consider decompositions in a fixed number of points of F R = [ a ] P + [ b ] Q = P 1 + . . . + P m use the ( m + 1)-th summation polynomial: f m +1 ( x R , x P 1 , . . . , x P m ) = 0 ⇔ ∃ ǫ 1 , . . . , ǫ m ∈ { 1 , − 1 } , R = ǫ 1 P 1 + · · · + ǫ m P m Nagao’s alternative approach with divisors: � � work with f ∈ L ( m + 1)( ∞ ) − ( R ) instead Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 7 / 35

Ingredients Ingredients of index calculus approaches (2) Convenient factor base on E ( F q n ) – Gaudry (2004) Natural factor base: F = { ( x , y ) ∈ E ( F q n ) : x ∈ F q } , # F ≃ q Weil restriction: decompose along a F q -linear basis of F q n  ϕ 1 ( x P 1 , . . . , x P m ) = 0   .  . f m +1 ( x R , x P 1 , . . . , x P m ) = 0 ⇔ ( S R ) .   ϕ n ( x P 1 , . . . , x P m ) = 0  One decomposition trial ↔ resolution of S R over F q Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 8 / 35

Ingredients Ingredients of index calculus approaches (2) Convenient factor base on E ( F q n ) – Gaudry (2004) Natural factor base: F = { ( x , y ) ∈ E ( F q n ) : x ∈ F q } , # F ≃ q Weil restriction: decompose along a F q -linear basis of F q n  ϕ 1 ( x P 1 , . . . , x P m ) = 0   .  . f m +1 ( x R , x P 1 , . . . , x P m ) = 0 ⇔ ( S R ) .   ϕ n ( x P 1 , . . . , x P m ) = 0  One decomposition trial ↔ resolution of S R over F q Additional optimizations symmetrization of the equations to reduce total degree consider a set of representatives of F / ∼ where P ∼ ( − P ) and decompositions of the form R = ± P 1 ± · · · ± P m → only ≃ q / 2 independent relations needed Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 8 / 35

Ingredients Polynomial system solving in finite fields Goal Find solutions of S R in F q More generally: compute V ( I ) where I ⊂ F q [ X 1 , . . . , X n ] ideal of dimension 0 ◮ univariate case is easy: Cantor-Zassenhaus ◮ multivariate case much more complicated Elimination theory Two techniques to find in I a univariate polynomial resultants Gr¨ obner bases Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 9 / 35

Ingredients Gr¨ obner bases: a tool for polynomial system solving The shape lemma For “most” zero-dimensional ideals I ⊂ F q [ X 1 , . . . , X n ], a Gr¨ obner basis for the lexicographic order is G = { X 1 − f 1 ( X n ) , X 2 − f 2 ( X n ) , · · · , X n − 1 − f n − 1 ( X n ) , f n ( X n ) } where deg f i < deg f n and deg f n = deg I . In any case, the GB always contains a univariate polynomial in X n Fast resolution: find roots of univariate polynomial f n and evaluate f n − 1 , . . . , f 1 to compute V ( I ) Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 10 / 35

Ingredients Complexity and choice of monomial order Hardness of GB computations complexity of GB computations is difficult to estimate worst-case upper bounds: ◮ general case: 2 2 O ( n ) (Mayr-Meyer) ◮ dimension 0: d O ( n 3 ) for lex order, d O ( n 2 ) for degrevlex (Caniglia,Lazard) → but performances are much better for average cases Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 11 / 35

Ingredients Complexity and choice of monomial order Hardness of GB computations complexity of GB computations is difficult to estimate worst-case upper bounds: ◮ general case: 2 2 O ( n ) (Mayr-Meyer) ◮ dimension 0: d O ( n 3 ) for lex order, d O ( n 2 ) for degrevlex (Caniglia,Lazard) → but performances are much better for average cases Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 11 / 35

Ingredients Complexity and choice of monomial order Hardness of GB computations complexity of GB computations is difficult to estimate worst-case upper bounds: ◮ general case: 2 2 O ( n ) (Mayr-Meyer) ◮ dimension 0: d O ( n 3 ) for lex order, d O ( n 2 ) for degrevlex (Caniglia,Lazard) → but performances are much better for average cases Strategy and complexity for lex order GB in dimension 0 instead of direct GB computation for lex order of I ⊂ K [ X 1 , . . . , X n ], do: degrevlex order GB computation & changing order algorithm (FGLM) � ω � �� d reg + n ˜ ˜ (deg I ) 3 � � O + O n Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 11 / 35

Three different approaches Back to index calculus Gaudry’s original attack and Diem’s analysis m = n → as many equations as unknowns, S R has total degree 2 n − 1 I ( S R ) has dimension 0 and degree 2 n ( n − 1) Probability of decomposition is ≃ 1 / n ! → need to solve n ! q systems Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 12 / 35

Three different approaches Back to index calculus Gaudry’s original attack and Diem’s analysis m = n → as many equations as unknowns, S R has total degree 2 n − 1 I ( S R ) has dimension 0 and degree 2 n ( n − 1) Probability of decomposition is ≃ 1 / n ! → need to solve n ! q systems Complexity estimates obner tools has complexity in ˜ 2 3 n ( n − 1) � � Each resolution with Gr¨ O Sparse linear algebra in ˜ O ( nq 2 ) “Double large prime” variation → overall complexity in ˜ ( n − 2)!2 3 n ( n − 1) q 2 − 2 / n � � O Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 12 / 35

Three different approaches Back to index calculus Gaudry’s original attack and Diem’s analysis m = n → as many equations as unknowns, S R has total degree 2 n − 1 I ( S R ) has dimension 0 and degree 2 n ( n − 1) Probability of decomposition is ≃ 1 / n ! → need to solve n ! q systems Complexity estimates obner tools has complexity in ˜ 2 3 n ( n − 1) � � Each resolution with Gr¨ O Sparse linear algebra in ˜ O ( nq 2 ) “Double large prime” variation → overall complexity in ˜ ( n − 2)!2 3 n ( n − 1) q 2 − 2 / n � � O = 2 n ( n − 1) . But most solutions not in F q � � Bottleneck: deg I ( S R ) However adding x q − x = 0 not practical for large q Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 12 / 35