Évaluation du thème SYM B November 15th, 2006 F . Morain ICA, professeur associé (École polytechnique) Vice-président du DIX, team leader LIX TANC = Théorie Algorithmique des Nombres pour la Cryptologie ( Algorithmic Number Theory for Cryptology ). Promote the study, implementation and use of robust and verifiable asymmetric cryptosystems based on algorithmic number theory. 1/24
Outline 0. People from 2003 till 2006. I. Scientific context. II. Finding suitable groups for cryptography. III. Objectives. 2/24
0. People from 2003 till 2006 3/24
FM P . Gaudry A. Enge M. Fouquet X CR2 CNRS postdoc ATER Paris VII Spaces CR TANC MdC Paris VII E. Thomé N. Gürel R. Dupont T. Houtmann D. Raffo doctoral doctoral master master master student student student student student thesis thesis thesis doctoral thesis CR Spaces Ministery Barclays student Hipercom of Defense Capital TANC 4/24
Composition of TANC for 2006 É. Rayssac (Gestionnaire X) J. Milan (Ingénieur associé) J. Herranz (Postdoc ERCIM) F . Laguillaumie (Postdoc INRIA) → CWI+Barcelona → MdC Caen 5/24
I. Scientific context 6/24
Cryptology = Cryptography + Cryptanalysis Protect Break communications protections Applications: Internet (secure routing, secure emails, e-commerce, e-*, etc.); smart cards; mobile phones; etc. Two worlds: ◮ symmetric crypto: Alice and Bob share the same key; ◮ asymmetric crypto: Alice uses K pub ( B ) to encrypt; Bob decrypts using K priv ( B ) . Products: (like SSL) use combinations of both. 7/24
Key example Asymmetric crypto: breaking the system has something to do with solving a difficult problem. Diffie-Hellman: given a prechosen G = � g � , g a A − → B g b ← − B A K AB = ( g b ) a K BA = ( g a ) b . Security levels: ◮ Elementary security: if Discrete Logarithm Problem (DLP) is easy in G , the system is broken. Our job: find a resistant G . ◮ Reductionist proofs: DH ⇐ ⇒ DLP . Not quite our job, though we did consider it recently (J. Herranz/F . Laguillaumie). ◮ Formal proofs: does this protocol have flaws? Not our job. 8/24
Algebraic curves over finite fields Traditional classification: genus g ; associated group is the Jacobian (set of g -tuples of points), | Jac ( F q ) | ≈ q g . Main interests: ◮ for g = 1 or 2, best known algorithm to solve DLP is in O (( q g ) 1 / 2 ) . ◮ bio-diversity. Hyperelliptic family: Y 2 = X 2 g + 1 + ··· in genus g . ◮ g = 1 (elliptic curves): very well studied; objects are points; group law is tangent-and-chord; ◮ g > 1: objects = divisors � u ( x ) , y − v ( x ) � , u ( x ) , v ( x ) ∈ K [ x ] group law by Cantor or computer algebra methods (Gröbner bases). 9/24
200 180 ACC ✛ 160 RSA 140 120 security ❄ 100 80 60 √ N √ 40 L N ( 1 / 2 , 2 ) 20 L N ( 1 / 3 , 2 ) 0 200 400 600 800 1000 1200 1400 1600 1800 2000 key length 2 160 = 2 1024 L N ( α , c ) = exp ( c ( log N ) α ( loglog N ) 1 − α ) . 10/24
The TANC way Three main threads: ◮ Fundamental number theoretic algorithms: integer factorization and primality proving. ◮ Algebraic curves over finite fields . ◮ Complex multiplication . theorem algorithm efficient implementation fast every record day program 11/24
II. Finding groups for cryptography Build’em! Break’em! 12/24
A) Evaluate security ≡ Security of DLP in Jac . Asymptotically: DLP g L q g [ 1 / 2 , c ′ ] (Adleman/Huang, heuristic) g → ∞ √ g ∈ Ω ( log q ) L q g [ 1 / 2 , 2 ] (Enge/Gaudry, proven) Enge/Gaudry/Thomé (2006): for Y g 1 − α + ··· = X g α + ··· , if g ∈ Ω (( log q ) 2 ) , 1 3 ≤ α ≤ 1 2 , L q g [ 1 / 3 , c ] . 13/24
Fixed genus: (simplified setting) a curve is broken if there exists an algorithm in O (( q g ) 1 / 2 − δ ) for some non-trivial δ > 0. Historically: ◮ Gaudry (2000): O ( q 2 ) ⇒ breaks g ≥ 5. ◮ Gaudry/Harley : O ( q 2 − 2 / ( g + 1 ) ) ⇒ breaks g = 4. ◮ Gaudry/Thériault/Thomé(2005): O ( q 2 − 2 / g ) ⇒ breaks g = 3. Genus 1 , 2: still not broken!!! 14/24
B) Building curves for cryptography Two approaches: ◮ random objects and compute their identity card (cardinality, etc.) ⇒ SEA (modular polynomials). ◮ objects with special properties (complex multiplication) ⇒ class polynomials . Genus Random instances CM instances q = p large q = p n p small 1 SEA (2100dd) AGM Morally Enge,FM/Gaudry, Enge/FM solved Bostan/FM/Salvy/Schost 2 SEA AGM Gaudry/Houtmann tbc Gaudry/Schost 15/24
Class polynomials Fact: if 4 p = U 2 + DV 2 , there exists E / F p having cardinality p + 1 − U . Ex. D = 4, Y 2 = X 3 + X . More generally: E is built over Q [ X ] / ( H D ( X )) for some √ polynomial H D ( X ) (of degree and height ˜ D ) ) and then O ( reduced modulo p ; Enge showed how to compute H D in (optimal) time ˜ O ( D ) . When g > 1 : analogous theory; many complications. deg ( H D ) prec (b) time size (gz) g D Enge 1 2 , 093 , 236 , 031 100 , 000 250,000 3 d 3 Gb FM 4 , 587 , 151 , 443 13 , 776 55,000 3 h 63 Mb √ Dupont/ 2 − ( 56 + 3 3 ) 132 43,000 5 h 788 kb /Hout– mann 16/24
Applications of CM techniques Genus 1 : ◮ primality proving using elliptic curves with complex multiplication (FM), fastECPP: ◮ theory: ˜ O (( log N ) 4 ) ( ≪ AKS) ◮ practice: 20,000 dd (FM’s current world record using MPI-based program); ≫≫≫≫ AKS. ◮ build curves of given MOV degree for ID-based cryptosystems (Dupont/Enge/Morain, etc.). Genus 2 : only known efficient way to build easily crypto-size curves (Houtmann: a few minutes); since SEA in genus 2 is not as efficient as in genus 1 (Gaudry/Schost: one week on a PC). 17/24
III. Objectives (2006–2010) ◮ Recenter on our strong old threads, while nevertheless keeping an eye on some real world crypto ( ad hoc networks with Hipercom). ◮ Make our programs available. ◮ Start a new thread. 18/24
A) Strong threads Fundamental number theoretic algorithms: ◮ Primality proving: ◮ Hard to see what could be improved (all steps in fastECPP now have the same complexity). ◮ Make code available (Magma?). ◮ Perhaps: help in the Jacobi Sums test. Does there exist a O (( log N ) 3 ) method? practical ˜ ◮ Integer factorization: ◮ How fast can we factor medium-size integers (80 for NFS or 200 bits for Identity Card) ? ◮ Old methods need a new look: CFRAC, SIQS. ◮ Fast sieves à la Bernstein (Franke et al.). ◮ Joint ANR with Cacao on the theory and implementation of the Number Field Sieve ( ∋ one postdoc): sieve + postsieve, etc. 19/24
Algebraic curves over finite fields ◮ Discrete log: find more families amenable to L ( 1 / 3 ) attacks. ◮ Identity Card for Algebraic Curves (IDAC): ◮ find group structure: ◮ elliptic curves: needs Weil pairing; ◮ class groups: SNF (sparse) with transition matrices. ◮ g = 1: ◮ On-line computation of modular equations and/or can we get rid of them? ◮ Fast eigenvalue searching using Galois properties (joint work with P . Mih˘ ailescu). ◮ Endomorphism ring (class groups + order + etc.): isogenies; applications to p -adic algorithms for class polynomial computations. ◮ g = 2: not as advanced; more work to be done on modular equations (Cacao) to begin with. ◮ Isogenies: improve algorithms and incorporate in crypto applications. 20/24
Complex multiplication ◮ g = 1: ◮ Rather satisfactory solution with optimal complexity and very efficient in practice (for pairings or fastECPP). ◮ Try p -adic methods. ◮ How do we prove our results? ◮ g = 2: (Houtmann’s thesis) ◮ Theory still in progress (new invariants as in g = 1 case?); ◮ MOV? ◮ Implementations. 21/24
B) Programs todaytomorrow (?)by next evaluation IDAC Magma ECPP SEASEA mploc Galois NFS Cl H D Φ ℓ SNF big poly (mppfr+mppc)(mppfr+mppc) TIFA NTL big float (mpfr+mpc) GMP 22/24 C/C++; mpc is written in collaboration with Spaces.
C) Starting a new thread Incorporate D. Augot Topic: deal with all algorithmic issues in the area of the construction and decoding of algebraic-geometric (AG) codes. ◮ Replace classical syndrome decoding by (hopefully fast) interpolation decoding. ◮ Can we go from fast algorithms in the Reed-Solomon case to fast algorithms in some dedicated constructions (e.g. modular curves) AG cases? Intersections with TANC: ◮ finite fields ( p = 2); ◮ algebraic curves (including modular curves – SEA); ◮ computer algebra. 23/24
◮ Need help to clean our programs. ◮ Hire more people: CR + master students. 24/24
Recommend
More recommend
