Index Calculus Applied to Elliptic Curves Whats the Problem? - - PowerPoint PPT Presentation

index calculus applied to elliptic curves what s the
SMART_READER_LITE
LIVE PREVIEW

Index Calculus Applied to Elliptic Curves Whats the Problem? - - PowerPoint PPT Presentation

Apr 30, 2023 1.35k likes •1.58k views

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

slide-1
SLIDE 1

Index Calculus Applied to Elliptic Curves

slide-2
SLIDE 2

What’s the Problem?

  • Elliptic Curve Discrete Logarithm Problem (ECDLP)
  • Typical DLP: Find “a” such that αa=β, given α and β
  • ECDLP: Find “k” such that P=kQ, given P and Q
slide-3
SLIDE 3

How do we solve the ECDLP?

  • Usually depends on #E(Fq), q prime
  • if p

k+1, p prime

  • Said to be Supersingular
  • For decent sized p can be reduced to Z(pk)
  • if p, p prime
  • Said to be Anomalous
  • Isomorphic to Zp
  • if has small prime factors
  • Very susceptible to Pohlig-Hellman with Pollard-Rho
slide-4
SLIDE 4

The Naïve Approach

  • Step One in Index Calculus: Create a Factor Base
  • Not as easy on elliptic curves
  • Must find linearly independent points
  • Must find quite a few of these to be successful
slide-5
SLIDE 5

Stage 1

  • Let Basis = {B0, B1, …}
  • Calculate xjQ for random xj until |Basis| # are found
  • Create Matrix of the following (a(i,j) are known)
  • x0 = a(0,0)logQ(B0) + a(1,0)logQ(B1)
  • x1 = a(0,1)logQ(B0) + a(1,1)logQ(B1)
  • …?
slide-6
SLIDE 6

Stage 2

  • Solve Matrix for the logQ(Bi)
  • This part is actually much faster
slide-7
SLIDE 7

Stage 3

  • Calculate H = P+ sQ for random s
  • When an H factors into basis (very likely)
  • H = c0B0 + c1B1 + …
  • logQ(P) + s = c0logQ(B0) + c1logQ(B1) +…
  • Solve for logQ(P)
  • Hard Part? Factoring and Basis.
slide-8
SLIDE 8

How hard is point factorization?

  • As difficult as ECDLP (other way left for fun)
  • Assume we can factor (example is Rank 2)
  • P = kQ
  • let Q = aG + bH
  • let P = cG + dH
  • then k = c/a = d/b
slide-9
SLIDE 9

What is Rank?

  • Think back to Linear Algebra (Similar to Dimension)
  • For example R2 is spanned by {(1,0), (0,1)}, thus R2

has Rank 2.

  • These can act as “primes”(irreducibles) for our

factor basis

  • Fun Fact: Largest Rank found for a curve is 28
slide-10
SLIDE 10

Upper Bound for Rank of E(Zp)

  • With Weierstrass curves we know that that there is

an isomorphism map, f, such that f: E(Zp) -> ZmxZn

  • Rank(ZmxZn) ≤ 2 (simply look at (1,0) and (0,1))
  • f-1((1,0)) and f-1((0,1)) will span E(Zp)!
slide-11
SLIDE 11

Upper Bound for Rank of E(Fp)

  • Lagrange’s Theorem says any subgroup must divide

#E(Fp).

  • Look at Factorization of #E(Fp)!
  • let k be the smallest prime factor and let kh = #E(Fp)
  • Worst case: h… but highly unlikely.
  • Would need h distinct subgroups or order k
  • if h is large then k is small thus #E(Fp) has small factors
slide-12
SLIDE 12

So its impossible?

  • Not Exactly, Currently people are looking into

“Lifting”

  • A Lift is a morphism taking the group to a larger

group, kind of like a “group extension”.

  • We need specifically homomorphisms to respect

algebra

  • People typically look at lifting #E(Zp) to #E(Q)
slide-13
SLIDE 13

So whats the problem with E(Q)?

  • Actually tied to Riemann Hypothesis
  • A subset of the Riemann Hypothesis would be to

show it true specifically for the L-function of Elliptic Curves

  • Birch and Swinnerton-Dryer Conjecture
  • If true (unproven) then Rank(E(Q)) ≤ 2
  • Notice a Pattern?
slide-14
SLIDE 14

Why not just left to other Groups?

  • Very hard to notice if an morphism exists and with

what group

  • Once realized even harder to lift points into that

group then apply index calculus then return

  • Many believe it’s impossible to generalize

(j-invariant helps)

slide-15
SLIDE 15

How much does this matter?

RSA Zp ECC 1024 bits 160 bits 2048 bits 224 bits 3072 bits 256 bits 7680 bits 384 bits 15360 bits 512 bits

6

* the table above describes key sizes of approximate equivalent strength

slide-16
SLIDE 16

References

  • 1. Miller, Victor S. "Use of elliptic curves in cryptography." Conference on the Theory and Application of Cryptographic Techniques.

Springer Berlin Heidelberg, 1985.

  • 2. Silverman, Joseph H., and Joe Suzuki. "Elliptic curve discrete logarithms and the index calculus." International Conference on the

Theory and Application of Cryptology and Information Security. Springer Berlin Heidelberg, 1998.

  • 3. Silverman, Joseph H. "Lifting and elliptic curve discrete logarithms." International Workshop on Selected Areas in Cryptography.

Springer Berlin Heidelberg, 2008.

  • 4. Madore, David A. "A first introduction to p-adic numbers." Notes (2000).
  • 5. Swinnerton-Dyer, H.P

.F ., and Birch, B.J.. "Notes on elliptic curves. II.." Journal für die reine und angewandte Mathematik 218 (1965): 79-108.

  • 6. Maletsky, Kerry. "RSA vs ECC Comparison for Embedded Systems." Atmel (2015): Web.
  • 7. Heath-Brown, D. R. "The average analytic rank of elliptic curves." Duke Mathematical Journal 122.3 (2004): 591-623.
  • 8. Chahal, Jasbir S., and Brian Osserman. "The Riemann hypothesis for elliptic curves." American Mathematical Monthly 115.5 (2008):

431-442.