on using torsion points in the elliptic curve index
play

On Using Torsion Points in the Elliptic Curve Index Calculus Gu - PowerPoint PPT Presentation

Dec 10, 2023 •35 likes •595 views

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne Universit es UPMC, INRIA, CNRS LIP6 1/43 General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = g , +) and h

  1. On Using Torsion Points in the Elliptic Curve Index Calculus Gu´ ena¨ el Renault Sorbonne Universit´ es UPMC, INRIA, CNRS LIP6 1/43

  2. General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = � g � , +) and h ∈ G , find k such that h = [ k ] g = g + · · · + g k times � √ # G � Generic algorithms O ◮ Baby Step Giant Step, Pollard’s rho, etc. ◮ For any black box group G , optimal complexity (Shoup) Index Calculus can be quasi-polynomial, sub-exponential ◮ sieving + linear algebra ◮ G = ( F × 2 k , × ) ◮ G = ( F × q , × ) , G = ( J C ( F q ) , +) with genus g > 2 ☞ G = E ( F q ) no sub-exponential index calculus algo. in general 2/43

  3. Context ☞ Index calculus algo. adaptation for E ( F q n ) ( n small) Semaev/Gaudry/Diem ( ≈ 2005) (Point Decomposition Problem) Semaev Summation Polynomial Polynomial System Solving ☞ Increasing the efficiency by using the symmetries ☞ Using Symmetries in the Index Calculus for ECDLP (J. Crypto. 2014) (J.-C. Faug` ere, P. Gaudry, L. Huot, G. R.) ☞ Symmetrized Summation Polynomials (Eurocrypt’14) (J.-C. Faug` ere, L. Huot, A. Joux, G. R., V. Vitse) 3/43

  4. Outline PDP in the Index Calculus 1 Polynomial System Solving 2 PoSSo With Symmetries 3 From Torsion Point to Symmetry 4 Characteristic 2 5 New Computational Record: 8th Summation Polynomial 6 Conclusion 7 4/43

  5. Outline PDP in the Index Calculus 1 Polynomial System Solving 2 PoSSo With Symmetries 3 From Torsion Point to Symmetry 4 Characteristic 2 5 New Computational Record: 8th Summation Polynomial 6 Conclusion 7 5/43

  6. Index Calculus for ECDLP Algorithm (Gaudry 2005) Input: P, Q ∈ E ( F q n ) Output: x such that Q = [ x ] P 1. Def. factor base: F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } 2. Sieving: [ a j ] P ⊕ [ b j ] Q = P 1 ⊕ · · · ⊕ P n , P i ∈ F until having # F + 1 such relations � 3. Linear algebra [ λ j · a j ] P ⊕ [ λ j · b j ] Q = 0 E ( F qn ) j Point Decomposition Problem Given R ∈ E F a factor base of points in E find P 1 , . . . , P n ∈ F such that R = P 1 ⊕ . . . ⊕ P n 6/43

  7. Point Decomposition Problem PDP( n, R, F ) Given R ∈ E F a factor base of points in E find P 1 , . . . , P n ∈ F such that R = P 1 ⊕ . . . ⊕ P n ☞ Modeling the problem as a polynomial system { g 1 , . . . , g s } and solve this system: � ( x i , y i ) ∈ E ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) ⊕ · · · ⊕ ( x n , y n ) = ( R x , R y ) ☞ The solution has to be found in F 7/43

  8. Algebraic modelling of PDP: Summation polynomials Semaev, 2004, Gaudry, 2005 ☞ Projection of the PDP( n, R = 0 , F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } ) PDP: g 1 ( , . . . , ) = · · · = g s ( , . . . , ) = 0 Projection π n Summation: f n ( , . . . , ) = 0 8/43

  9. Algebraic modelling of PDP: Summation polynomials Semaev, 2004, Gaudry, 2005 ☞ Projection of the PDP( n, R = 0 , F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } ) PDP: � g 1 ( x 1 , . . . , x m , y 1 , . . . , y m ) , . . . , g s ( x 1 , . . . , x m , y 1 , . . . , y m ) � π : ( x, y ) → x Elimination (Resultant, Gr¨ obner basis) Summation: � f n ( x 1 , . . . , x n ) � = � g 1 , . . . , g s � ∩ F q n [ x 1 , . . . , x n ] deg x i ( f n ) � 2 n − 2 Characterization f n ( x 1 , ..., x n ) = 0 � n ∃ ( y 1 , ..., y n ) ∈ F q n s.t. ∀ i, P i = ( x i , y i ) ∈ E and P 1 ⊕ · · · ⊕ P n = 0 8/43

  10. Algebraic modelling of PDP: Summation polynomials Semaev, 2004, Gaudry, 2005 ☞ Projection of the PDP( n, R = 0 , F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } ) PDP: � g 1 ( x 1 , . . . , x m , y 1 , . . . , y m ) , . . . , g s ( x 1 , . . . , x m , y 1 , . . . , y m ) � π : ( x, y ) → x Elimination (Resultant, Gr¨ obner basis) Summation: � f n ( x 1 , . . . , x n ) � = � g 1 , . . . , g s � ∩ F q n [ x 1 , . . . , x n ] deg x i ( f n ) � 2 n − 2 Application in Index Calculus: ( Gaudry 2005 ) Solving PDP( R, F ) with factor base F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } . � Finding ( x 1 , . . . , x n ) with x i ∈ F q s.t. f n +1 ( x 1 , ..., x n , ( − R ) x ) = 0 ☞ In Weierstrass model R x = ( − R ) x 8/43

  11. From summation polynomials to PoSSo Problem We want to find P 1 , . . . , P n ∈ F = { ( x, y ) ∈ E | x ∈ F q } such that R = P 1 + · · · + P n ⇐ ⇒ P 1 + · · · + P n − R = 0 E � Finding ( x 1 , . . . , x n ) with x i ∈ F q s.t. f n +1 ( x 1 , ..., x n , R x ) = 0 Solving process: Restriction of scalar on sum. polynomial F q n ≃ F q ( ω ) : n dimensional F q -vector space n − 1 � ϕ i ( x 1 , . . . , x n ) · ω i f n +1 ( x 1 , . . . , x n , R x ) = 0 E = i =0 9/43

  12. From summation polynomials to PoSSo Solving process: Restriction of scalar on sum. polynomial F q n ≃ F q ( ω ) : n dimensional F q -vector space n − 1 � ϕ i ( x 1 , . . . , x n ) · ω i f n +1 ( x 1 , . . . , x n , R x ) = 0 E = i =0  S = { ϕ 0 , . . . , ϕ n − 1 } ⊂ F q [ x 1 , . . . , x n ] -  ⇒ - n variables, n equations  solutions in F q - H 1 : The polynomial systems S are zero-dimensional 9/43

  13. Outline PDP in the Index Calculus 1 Polynomial System Solving 2 PoSSo With Symmetries 3 From Torsion Point to Symmetry 4 Characteristic 2 5 New Computational Record: 8th Summation Polynomial 6 Conclusion 7 10/43

  14. Solving 0 -dim polynomial systems Let S = { f 1 , . . . , f n } where f i ∈ K [ x 1 , . . . , x n ] and Deg( f i ) ≤ 2 n − 1 Solving S means here to compute V K ( �S� ) 11/43

  15. Solving 0 -dim polynomial systems Let S = { f 1 , . . . , f n } where f i ∈ K [ x 1 , . . . , x n ] and Deg( f i ) ≤ 2 n − 1 Solving S means here to compute V K ( �S� ) Gr¨ obner basis Since |V K | < ∞ , the Gr¨ obner basis G of �S� w.r.t. lexicographical order with x 1 > . . . > x n then G has a triangular form  h 1 , 1 ( x 1 , . . . , x n ) , . . . , h 1 ,k 1 ( x 1 , . . . , x n )     . . .  h n − 1 , 1 ( x n − 1 , x n ) , . . . , h n − 1 ,k n − 1 ( x n − 1 , x n )    h n ( x n ) ☞ Factoring univariate polynomials over a finite field. 11/43

  16. Solving 0 -dim polynomial systems Let S = { f 1 , . . . , f n } where f i ∈ K [ x 1 , . . . , x n ] and Deg( f i ) ≤ 2 n − 1 Solving S means here to compute V K ( �S� ) ☞ Compute a GB of �S� w.r.t. a lexicographical order. Zero-dim solve 1. Compute GB DRL from S ( F 4 /F 5 ) 2. Compute GB LEX from GB DRL (FGLM) 11/43

  17. Solving 0 -dim polynomial systems Let S = { f 1 , . . . , f n } where f i ∈ K [ x 1 , . . . , x n ] and Deg( f i ) ≤ 2 n − 1 Compute GB DRL from S Compute GB LEX from GB DRL ☞ See K [ x 1 , . . . , x n ] / �S� as a K -ev ☞ Linear alg. on Macaulay mat. m 1 > m 2 > . . . GB DRL ⇒ K -ev B 1   . . . Change of basis  c 1 c 2  t i,j f i i,j . . . i,j B 1 → B 2 K -ev B 2 ⇒ GB LEX ere F 4 , F 5 Faug` ere, Gaudry, Huot, R. ISSAC’14 Faug` � ne nω 2 ( n − 1) nω + n · deg( � S � ) ω � � O ☞ deg( � S � ) = the number of solutions (with multiplicities) ☞ ω represents the linear algebra constant 11/43

  18. On the complexity of computing GB DRL ☞ These results are usually obtain for homogeneous polynomial systems ☞ In order to avoid fall of degree issues, need to consider regular situation Regular sequences A sequence of homogeneous polynomials ( f 1 , . . . , f n ) ⊂ K [ x 1 , . . . , x n ] is said to be regular when f i +1 is a regular element in K [ x 1 , . . . , x n ] / � f 1 , . . . f i � Affine regular sequences A sequence of affine polynomials ( f 1 , . . . , f n ) ⊂ K [ x 1 , . . . , x n ] is said to be regular when the sequence f ( h ) , . . . , f ( h ) of corresponding homogeneous n 1 component of highest degree is regular. ☞ Complexity DRL(pol. sys. affine regular) < DRL(its homogenization) H 2 : The affine polynomial systems S are regular ( H 2 ⇒ H 1 ) 12/43

  19. Outline PDP in the Index Calculus 1 Polynomial System Solving 2 PoSSo With Symmetries 3 From Torsion Point to Symmetry 4 Characteristic 2 5 New Computational Record: 8th Summation Polynomial 6 Conclusion 7 13/43

  20. Invariant Polynomial/System Let be given a polynomial system  f 1 ( x 1 , . . . , x n )     . . . S :  f n − 1 ( x 1 , . . . , x n )    f n ( x 1 , . . . , x n ) σ ∈ G ⊂ GL ( K , n ) , σ · f i = f i ( σ · x ) ☞ Assume all f i are invariant under the action of G . How this assumption can help in solving the polynomial system? 14/43

  21. Invariant ring Definition Let K [ x 1 , . . . , x n ] be a polynomial ring and G ⊂ GL ( K , n ) . K [ x 1 , . . . , x n ] G = { p ∈ K [ x 1 , . . . , x n ] | σ · p = p for all σ ∈ G } We want to efficiently solve  f 1 ( x 1 , . . . , x n )     . . . S :  f n − 1 ( x 1 , . . . , x n )    f n ( x 1 , . . . , x n ) under the assumption f 1 , . . . , f n ∈ K [ x 1 , . . . , x n ] G 15/43

  22. Hironaka decomposition Hilbert’s finiteness theorem Let G ⊂ GL ( K , n ) . Its invariant ring K [ x 1 , . . . , x n ] G is finitely generated. t � K [ x 1 , . . . , x n ] G = η i K [ θ 1 , . . . , θ n ] . i =1 primary invariants θ 1 , . . . , θ n ∈ K [ x 1 , . . . , x n ] G secondary invariants η 1 , . . . , η t ∈ K [ x 1 , . . . , x n ] G ☞ primary invariants are algebraically independent 16/43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
The rational group structure of modular Jacobians with applications to torsion points on elliptic

The rational group structure of modular Jacobians with applications to torsion points on elliptic

The rational group structure of modular Jacobians with applications to torsion points on elliptic curves over number fields Maarten Derickx 1 Algant (Leiden, Bordeaux and Milano) LMFDB Workshop 05-06-2014 Talk will only start after you opened:

861 views • 22 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Torsion points on elliptic curves over number fields of small degree. Several variations of

Torsion points on elliptic curves over number fields of small degree. Several variations of

Introduction Variations of Kamiennys Criterion Results of testing the criterion Summary Torsion points on elliptic curves over number fields of small degree. Several variations of kamiennys criterion Maarten Derickx Mathematisch

226 views • 20 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
= Z r T E ( Q ) rank torsion Rank &lt; , hard to compute!

= Z r T E ( Q ) rank torsion Rank &lt; , hard to compute!

A F AMILY OF R ANK S IX E LLIPTIC C URVES OVER N UMBER F IELDS David Mehrle &amp; Tomer Reiter Carnegie Mellon University August 22, 2014 E LLIPTIC C URVES E : y 2 = x 3 + ax 2 + bx + c Elliptic curve Adding points on E makes group

724 views • 19 slides
Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

1.58k views • 16 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago &amp; energy (gas

1.07k views • 76 slides
Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015

Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015

Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015 Lest We Forget Dr. Carmen Bruni Rational Points on an Elliptic Curve Revisit the Congruent Number Problem Congruent Number Problem Determine

572 views • 31 slides
1 / 25 Elliptic Curve Cryptography EC crypto consists of geometric points with an addition

1 / 25 Elliptic Curve Cryptography EC crypto consists of geometric points with an addition

1 / 25 Elliptic Curve Cryptography EC crypto consists of geometric points with an addition operator. Such a set is a group. Any group element G can be multiplied by an integer n by adding G to itself repeatedly. G + G + + G

363 views • 25 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Optimality Conditions in Optimal Control of Elastoplasticity Roland Herzog Gerd Wachsmuth

Optimality Conditions in Optimal Control of Elastoplasticity Roland Herzog Gerd Wachsmuth

Optimality Conditions in Optimal Control of Elastoplasticity Roland Herzog Gerd Wachsmuth Christian Meyer Numerical Mathematics TU Dortmund Workshop on Control and Optimization of PDEs Graz, October 10, 2011 DFG SPP 1253 Roland Herzog

1.33k views • 81 slides
Collision Detection CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring 2016

Collision Detection CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring 2016

Collision Detection CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring 2016 Collisions Collision Detection Collision detection is a geometric problem Given two moving objects defined in an initial and final

870 views • 49 slides
Elasticity of Workloads and Periods of Parallel Real-Time Tasks 26 th International Conference on

Elasticity of Workloads and Periods of Parallel Real-Time Tasks 26 th International Conference on

Elasticity of Workloads and Periods of Parallel Real-Time Tasks 26 th International Conference on Real-Time Networks and Systems (RTNS 18) Poitiers/Futuroscope, France, October 10-12, 2018 * James Orr, * Chris Gill, * Kunal Agrawal, * Sanjoy

520 views • 16 slides
Application of the Finite Element Exterior Calculus to the Equations of Linear Elasticity Richard

Application of the Finite Element Exterior Calculus to the Equations of Linear Elasticity Richard

Application of the Finite Element Exterior Calculus to the Equations of Linear Elasticity Richard S. Falk Department of Mathematics Rutgers University June 12, 2012 Joint work with: Douglas Arnold, University of Minnesota Ragnar Winther,

682 views • 35 slides
Weaker Forms of Monotonicity for Declarative Networking: a more fine-grained answer to the

Weaker Forms of Monotonicity for Declarative Networking: a more fine-grained answer to the

Weaker Forms of Monotonicity for Declarative Networking: a more fine-grained answer to the CALM-conjecture. Tom J Ameloot 1 , Bas Ketsman 1 , Frank Neven 1 and Daniel Zinn 2 1 Hasselt University 2 LogicBlox, Inc 1 Overview 1. Introduction 2.

815 views • 34 slides
nc : Going Beyond Marginal Policies for Multi-Agent Embodied Tasks ECCV 2020 (Spotlight) Unnat

nc : Going Beyond Marginal Policies for Multi-Agent Embodied Tasks ECCV 2020 (Spotlight) Unnat

A Cor Cordial dial Sync nc : Going Beyond Marginal Policies for Multi-Agent Embodied Tasks ECCV 2020 (Spotlight) Unnat Jain 1* , Luca Weihs 2* , Eric Kolve 2 , Ali Farhadi 3 , Svetlana Lazebnik 1 , Aniruddha Kembhavi 2,3 , Alexander Schwing 1

899 views • 37 slides
Co-regulation for the integration of sustainability assessment Final workshop, April 28th 2020

Co-regulation for the integration of sustainability assessment Final workshop, April 28th 2020

Sustainability Transition Assessment and Research of Bio-based Products Grant Agreement Number 727740 Co-regulation for the integration of sustainability assessment Final workshop, April 28th 2020 Sergio Ugarte, Doreen Fedrigo, Mathilde

799 views • 10 slides
RECWOWE Seminar Understanding the Europeanisation of Domestic Welfare States Brussels, 2

RECWOWE Seminar Understanding the Europeanisation of Domestic Welfare States Brussels, 2

RECWOWE Seminar Understanding the Europeanisation of Domestic Welfare States Brussels, 2 July 2010 Hybridisation of EU Social Policy Instruments? Key conclusions from a recent research project Yannick Vanderborght (Facults Saint-Louis

492 views • 8 slides

More recommend