Index Calculus Applied to Elliptic Curves Whats the Problem? - PowerPoint PPT Presentation

Index Calculus Applied to Elliptic Curves

What’s the Problem? • Elliptic Curve Discrete Logarithm Problem (ECDLP) • Typical DLP: Find “a” such that α a = β , given α and β • ECDLP: Find “k” such that P=kQ, given P and Q

How do we solve the ECDLP? • Usually depends on #E( F q ), q prime k +1, p prime • if p • Said to be Supersingular • For decent sized p can be reduced to Z (p k ) • if p, p prime • Said to be Anomalous • Isomorphic to Z p • if has small prime factors • Very susceptible to Pohlig-Hellman with Pollard-Rho

The Naïve Approach • Step One in Index Calculus: Create a Factor Base • Not as easy on elliptic curves • Must find linearly independent points • Must find quite a few of these to be successful

Stage 1 • Let Basis = {B 0 , B 1 , …} • Calculate x j Q for random x j until |Basis| # are found • Create Matrix of the following (a (i,j) are known) • x 0 = a (0,0) log Q (B 0 ) + a (1,0) log Q (B 1 ) • x 1 = a (0,1) log Q (B 0 ) + a (1,1) log Q (B 1 ) • …?

Stage 2 • Solve Matrix for the log Q (B i ) • This part is actually much faster

Stage 3 • Calculate H = P+ sQ for random s • When an H factors into basis (very likely) • H = c 0 B 0 + c 1 B 1 + … • log Q (P) + s = c 0 log Q (B 0 ) + c 1 log Q (B 1 ) +… • Solve for log Q (P) • Hard Part? Factoring and Basis.

How hard is point factorization? • As difficult as ECDLP (other way left for fun) • Assume we can factor (example is Rank 2) • P = kQ • let Q = aG + bH • let P = cG + dH • then k = c/a = d/b

What is Rank? • Think back to Linear Algebra (Similar to Dimension) • For example R 2 is spanned by {(1,0), (0,1)}, thus R 2 has Rank 2. • These can act as “primes”(irreducibles) for our factor basis • Fun Fact: Largest Rank found for a curve is 28

Upper Bound for Rank of E( Z p ) • With Weierstrass curves we know that that there is an isomorphism map, f , such that f : E( Z p ) -> Z m x Z n • Rank( Z m x Z n ) ≤ 2 (simply look at (1,0) and (0,1)) • f -1 ((1,0)) and f -1 ((0,1)) will span E( Z p )!

Upper Bound for Rank of E( F p ) • Lagrange’s Theorem says any subgroup must divide #E( F p ). • Look at Factorization of #E( F p )! • let k be the smallest prime factor and let kh = #E( F p ) • Worst case: h… but highly unlikely. • Would need h distinct subgroups or order k • if h is large then k is small thus #E( F p ) has small factors

So its impossible? • Not Exactly, Currently people are looking into “Lifting” • A Lift is a morphism taking the group to a larger group, kind of like a “group extension”. • We need specifically homomorphisms to respect algebra • People typically look at lifting #E( Z p ) to #E( Q )

So whats the problem with E( Q )? • Actually tied to Riemann Hypothesis • A subset of the Riemann Hypothesis would be to show it true specifically for the L-function of Elliptic Curves • Birch and Swinnerton-Dryer Conjecture • If true (unproven) then Rank(E( Q )) ≤ 2 • Notice a Pattern?

Why not just left to other Groups? • Very hard to notice if an morphism exists and with what group • Once realized even harder to lift points into that group then apply index calculus then return • Many believe it’s impossible to generalize (j-invariant helps)

How much does this matter? 6 RSA Z p ECC 1024 bits 160 bits 2048 bits 224 bits 3072 bits 256 bits 7680 bits 384 bits 15360 bits 512 bits * the table above describes key sizes of approximate equivalent strength

References 1. Miller, Victor S. "Use of elliptic curves in cryptography." Conference on the Theory and Application of Cryptographic Techniques. Springer Berlin Heidelberg, 1985. 2. Silverman, Joseph H., and Joe Suzuki. "Elliptic curve discrete logarithms and the index calculus." International Conference on the Theory and Application of Cryptology and Information Security. Springer Berlin Heidelberg, 1998. 3. Silverman, Joseph H. "Lifting and elliptic curve discrete logarithms." International Workshop on Selected Areas in Cryptography. Springer Berlin Heidelberg, 2008. 4. Madore, David A. "A first introduction to p-adic numbers." Notes (2000). 5. Swinnerton-Dyer, H.P .F ., and Birch, B.J.. "Notes on elliptic curves. II.." Journal für die reine und angewandte Mathematik 218 (1965): 79-108. 6. Maletsky, Kerry. "RSA vs ECC Comparison for Embedded Systems." Atmel (2015): Web. 7. Heath-Brown, D. R. "The average analytic rank of elliptic curves." Duke Mathematical Journal 122.3 (2004): 591-623. 8. Chahal, Jasbir S., and Brian Osserman. "The Riemann hypothesis for elliptic curves." American Mathematical Monthly 115.5 (2008): 431-442.