Evaluation of the SYM B theme, November 15th, 2006, F. Morain (PowerPoint presentation)

SLIDE 1

Evaluation of the SYM B theme

November 15th, 2006

F. Morain

ICA, associate professor (École polytechnique), Vice-president of the DIX, team leader

LIX TANC = Théorie Algorithmique des Nombres pour la Cryptologie (Algorithmic Number Theory for Cryptology). Promote the study, implementation and use of robust and verifiable asymmetric cryptosystems based on algorithmic number theory.

1/24

SLIDE 2

Outline

  • 0. People from 2003 till 2006.
  • I. Scientific context.
  • II. Finding suitable groups for cryptography.
  • III. Objectives.

2/24

SLIDE 3
  • 0. People from 2003 till 2006

3/24

SLIDE 4

TANC members from 2003 till 2006, with their positions over the period:

  • FM: X (École polytechnique)
  • P. Gaudry: CR2 CNRS → Spaces
  • A. Enge: postdoc → CR, TANC
  • M. Fouquet: ATER Paris VII → MdC Paris VII
  • E. Thomé: doctoral student → thesis → CR, Spaces
  • N. Gürel: doctoral student → thesis → Ministry of Defense
  • R. Dupont: master student → thesis → Barclays Capital
  • T. Houtmann: master student → doctoral student, TANC
  • D. Raffo: master student → thesis → Hipercom

4/24

SLIDE 5

Composition of TANC for 2006

  • É. Rayssac (administrative manager, X)
  • J. Milan (associate engineer)
  • J. Herranz (Postdoc ERCIM) → CWI + Barcelona
  • F. Laguillaumie (Postdoc INRIA) → MdC Caen

5/24

SLIDE 6
  • I. Scientific context

6/24

SLIDE 7

Cryptology = Cryptography + Cryptanalysis: protect communications vs. break protections.

Applications: Internet (secure routing, secure emails, e-commerce, e-*, etc.); smart cards; mobile phones; etc.

Two worlds:

◮ symmetric crypto: Alice and Bob share the same key;
◮ asymmetric crypto: Alice uses Kpub(B) to encrypt; Bob decrypts using Kpriv(B).

Products (like SSL) use combinations of both.

7/24

SLIDE 8

Key example

Asymmetric crypto: breaking the system has something to do with solving a difficult problem. Diffie-Hellman: given a prechosen G = ⟨g⟩,

A → B: g^a
A ← B: g^b

K_AB = (g^b)^a, K_BA = (g^a)^b.

Security levels:

◮ Elementary security: if the Discrete Logarithm Problem (DLP) is easy in G, the system is broken. Our job: find a resistant G.
◮ Reductionist proofs: DH ⇐⇒ DLP. Not quite our job, though we did consider it recently (J. Herranz/F. Laguillaumie).
◮ Formal proofs: does this protocol have flaws? Not our job.

8/24

SLIDE 9

Algebraic curves over finite fields

Traditional classification: genus g; associated group is the Jacobian (set of g-tuples of points), |Jac(F_q)| ≈ q^g. Main interests:

◮ for g = 1 or 2, the best known algorithm to solve the DLP is in O((q^g)^{1/2}).
◮ bio-diversity.

Hyperelliptic family: Y^2 = X^{2g+1} + ··· in genus g.

◮ g = 1 (elliptic curves): very well studied; objects are points; group law is tangent-and-chord;
◮ g > 1: objects = divisors ⟨u(x), y − v(x)⟩ with u(x), v(x) ∈ K[x]; group law by Cantor or computer algebra methods (Gröbner bases).

9/24

SLIDE 10

[Figure: security level (20 to 200) as a function of key length (200 to 2000 bits) for the curves √N, L_N(1/2, √2) and L_N(1/3, 2); the ECC and RSA markers 2^160 and 2^1024 sit at the same security level.]

L_N(α, c) = exp(c (log N)^α (log log N)^{1−α}).
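As an added illustration of the exchange on slide 8 and of the generic √N bound behind slide 10 (example code written for this page, not part of the slides or of TANC's software): Diffie-Hellman in a toy prime-order subgroup, followed by baby-step giant-step, the generic O(√N) discrete-log algorithm that bounds the security of any group of order N, which is why G must be large. The parameters p = 1019, g = 4 (of order 509) and the function names are constructed for this example.

```python
import math

# Toy parameters (constructed for this example): p is prime, and g = 4 has
# prime order n = 509 in Z_p^*, since p - 1 = 1018 = 2 * 509 and 4 is a square.
P, G, N = 1019, 4, 509

def dh_exchange(p, g, a, b):
    """Slide 8: A sends g^a, B sends g^b; both derive the same key."""
    A = pow(g, a, p)       # Alice -> Bob
    B = pow(g, b, p)       # Bob -> Alice
    K_AB = pow(B, a, p)    # Alice computes (g^b)^a
    K_BA = pow(A, b, p)    # Bob computes (g^a)^b
    return A, B, K_AB, K_BA

def bsgs(g, h, p, n):
    """Baby-step giant-step: x with g^x = h (mod p), 0 <= x < n = ord(g).
    Generic (uses only the group law) and O(sqrt(n)) in time and memory:
    the sqrt(N) curve of slide 10 is exactly this bound."""
    m = math.isqrt(n) + 1
    baby = {}                            # g^j -> j for 0 <= j < m
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)                 # g^(-m); modular inverse, Python 3.8+
    gamma = h
    for i in range(m):                   # gamma = h * g^(-im); a hit means x = im + j
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * step % p
    return None                          # h is not in <g>

def recover_shared_key(p, g, n, A, B):
    """Elementary security (slide 8): if the DLP is easy in G, an observer of
    A = g^a and B = g^b obtains the key. Feasible here only because n is tiny."""
    a = bsgs(g, A, p, n)
    return pow(B, a, p)

if __name__ == "__main__":
    A, B, K_AB, K_BA = dh_exchange(P, G, 123, 456)
    assert K_AB == K_BA
    print("shared key:", K_AB, "recovered from public values:", recover_shared_key(P, G, N, A, B))
```

With a cryptographic group of order N ≈ 2^160 the same algorithm needs about 2^80 group operations and as much memory, which is the point of the 2^160 vs. 2^1024 comparison on the slide.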

10/24

SLIDE 11

The TANC way

Three main threads:

◮ Fundamental number theoretic algorithms: integer factorization and primality proving.
◮ Algebraic curves over finite fields.
◮ Complex multiplication.

theorem → algorithm → efficient implementation → record, fast every-day program

11/24

SLIDE 12
  • II. Finding groups for cryptography

Build’em! Break’em!

12/24

SLIDE 13

A) Evaluate security

≡ Security of the DLP in Jac. Asymptotically:

◮ g → ∞: L_{q^g}[1/2, c'] (Adleman/Huang, heuristic);
◮ g ∈ Ω(log q): L_{q^g}[1/2, √2] (Enge/Gaudry, proven);
◮ Enge/Gaudry/Thomé (2006): for Y^{g^{1−α}} + ··· = X^{g^α} + ···, if g ∈ Ω((log q)^2) and 1/3 ≤ α ≤ 1/2, L_{q^g}[1/3, c].

13/24

SLIDE 14

Fixed genus: (simplified setting) a curve is broken if there exists an algorithm in O((q^g)^{1/2−δ}) for some non-trivial δ > 0. Historically:

◮ Gaudry (2000): O(q^2) ⇒ breaks g ≥ 5.
◮ Gaudry/Harley: O(q^{2−2/(g+1)}) ⇒ breaks g = 4.
◮ Gaudry/Thériault/Thomé (2005): O(q^{2−2/g}) ⇒ breaks g = 3.

Genus 1, 2: still not broken!!!

14/24

SLIDE 15

B) Building curves for cryptography

Two approaches:

◮ random objects and compute their identity card (cardinality, etc.) ⇒ SEA (modular polynomials).
◮ objects with special properties (complex multiplication) ⇒ class polynomials.

  Genus | Random instances, q = p large | Random instances, q = p^n, p small | CM instances
  1     | SEA (2100 dd)                 | AGM                                | morally solved
  2     | SEA                           | AGM                                | tbc

Names attached on the slide: Enge, FM/Gaudry, Enge/FM, Bostan/FM/Salvy/Schost (genus 1); Gaudry/Houtmann, Gaudry/Schost (genus 2).

15/24

SLIDE 16

Class polynomials

Fact: if 4p = U^2 + D V^2, there exists E/F_p having cardinality p + 1 − U.

  • Ex. D = 4, Y^2 = X^3 + X.

More generally: E is built over Q[X]/(H_D(X)) for some polynomial H_D(X) (of degree and height Õ(√D)) and then reduced modulo p; Enge showed how to compute H_D in (optimal) time Õ(D). When g > 1: analogous theory; many complications.

  g | D             | deg(H_D) | prec (b) | time | size (gz) | who
  1 | 2,093,236,031 | 100,000  | 250,000  | 3 d  | 3 Gb      | Enge
  1 | 4,587,151,443 | 13,776   | 55,000   | 3 h  | 63 Mb     | FM
  2 | −(56 + 3√3)   | 132      | 43,000   | 5 h  | 788 kb    | Dupont/Houtmann
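The D = 4 example on the slide, checked by brute force (example code added for this page, not from the slides or from TANC's programs): for a prime p ≡ 1 (mod 4) we solve 4p = U^2 + 4V^2 by enumeration and count the points of Y^2 = X^3 + X over F_p. The curve and its quartic twists realise the traces ±U and ±2V, so the count is p + 1 − U' for one of these values; cm_trace returns which one. The function names and the toy primes are my own.

```python
import math

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(p):
    """#E(F_p) for E: Y^2 = X^3 + X, by brute force over x (toy sizes only):
    each x contributes 1 + (x^3 + x / p) points, plus the point at infinity."""
    return 1 + sum(1 + legendre(x * x * x + x, p) for x in range(p))

def solve_4p(p):
    """Return (U, V), U, V > 0, with 4p = U^2 + 4 V^2 (D = 4 on the slide), by
    enumeration; real CM code uses Cornacchia's algorithm instead."""
    for u in range(1, math.isqrt(p) + 1):
        rest = p - u * u
        v = math.isqrt(rest)
        if v > 0 and v * v == rest:
            return 2 * u, v
    raise ValueError("p must be a prime congruent to 1 mod 4")

def cm_trace(p):
    """Trace t = p + 1 - #E(F_p) of Y^2 = X^3 + X, checked against the CM
    prediction: the curve or one of its twists has cardinality p + 1 - U, and
    the four quartic twists together realise the traces +-U and +-2V."""
    U, V = solve_4p(p)
    t = p + 1 - count_points(p)
    assert t in {U, -U, 2 * V, -2 * V}, "CM prediction failed"
    return t

if __name__ == "__main__":
    for p in (5, 13, 17, 29, 37):   # constructed toy primes, all 1 mod 4
        print(p, solve_4p(p), count_points(p), cm_trace(p))
```

For p = 13 one gets 4·13 = 6^2 + 4·2^2, twenty points, and trace −6 = −U, matching the slide's p + 1 − U for the right choice of sign.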

16/24

SLIDE 17

Applications of CM techniques

Genus 1:

◮ primality proving using elliptic curves with complex multiplication (FM), fastECPP:
  ◮ theory: Õ((log N)^4) (≪ AKS);
  ◮ practice: 20,000 dd (FM's current world record using an MPI-based program); ≫≫≫≫ AKS.
◮ build curves of given MOV degree for ID-based cryptosystems (Dupont/Enge/Morain, etc.).

Genus 2: the only known efficient way to easily build crypto-size curves (Houtmann: a few minutes), since SEA in genus 2 is not as efficient as in genus 1 (Gaudry/Schost: one week on a PC).

17/24

SLIDE 18
  • III. Objectives (2006–2010)

◮ Recenter on our strong old threads, while nevertheless keeping an eye on some real world crypto (ad hoc networks with Hipercom).
◮ Make our programs available.
◮ Start a new thread.

18/24

SLIDE 19

A) Strong threads

Fundamental number theoretic algorithms:

◮ Primality proving:
  ◮ Hard to see what could be improved (all steps in fastECPP now have the same complexity).
  ◮ Make code available (Magma?).
  ◮ Perhaps: help in the Jacobi Sums test. Does there exist a practical Õ((log N)^3) method?
◮ Integer factorization:
  ◮ How fast can we factor medium-size integers (80 for NFS or 200 bits for Identity Card)?
  ◮ Old methods need a new look: CFRAC, SIQS.
  ◮ Fast sieves à la Bernstein (Franke et al.).
  ◮ Joint ANR with Cacao on the theory and implementation of the Number Field Sieve (∋ one postdoc): sieve + postsieve, etc.

19/24

SLIDE 20

Algebraic curves over finite fields

◮ Discrete log: find more families amenable to L(1/3) attacks.
◮ Identity Card for Algebraic Curves (IDAC):
  ◮ find group structure:
    ◮ elliptic curves: needs Weil pairing;
    ◮ class groups: SNF (sparse) with transition matrices.
  ◮ g = 1:
    ◮ On-line computation of modular equations and/or can we get rid of them?
    ◮ Fast eigenvalue searching using Galois properties (joint work with P. Mihăilescu).
    ◮ Endomorphism ring (class groups + order + etc.): isogenies; applications to p-adic algorithms for class polynomial computations.
  ◮ g = 2: not as advanced; more work to be done on modular equations (Cacao) to begin with.
◮ Isogenies: improve algorithms and incorporate in crypto applications.

20/24

SLIDE 21

Complex multiplication

◮ g = 1:
  ◮ Rather satisfactory solution with optimal complexity and very efficient in practice (for pairings or fastECPP).
  ◮ Try p-adic methods.
  ◮ How do we prove our results?
◮ g = 2: (Houtmann's thesis)
  ◮ Theory still in progress (new invariants as in the g = 1 case?);
  ◮ MOV?
  ◮ Implementations.

21/24

SLIDE 22

B) Programs: today → tomorrow (?) → by next evaluation

Magma, ECPP, SEA, NTL, GMP, TIFA, big poly (mppfr+mppc), big float (mpfr+mpc), Φℓ, H_D, Galois, mploc, IDAC, Cl SNF, NFS.

Written in C/C++; mpc is written in collaboration with Spaces.

22/24

SLIDE 23

C) Starting a new thread

Incorporate D. Augot. Topic: deal with all algorithmic issues in the area of the construction and decoding of algebraic-geometric (AG) codes.

◮ Replace classical syndrome decoding by (hopefully fast) interpolation decoding.
◮ Can we go from fast algorithms in the Reed-Solomon case to fast algorithms in some dedicated constructions (e.g. modular curves) AG cases?

Intersections with TANC:

◮ finite fields (p = 2);
◮ algebraic curves (including modular curves – SEA);
◮ computer algebra.

23/24

SLIDE 24

◮ Need help to clean our programs.
◮ Hire more people: CR + master students.

24/24