Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields
Christophe Petit, Michiel Kosters, Ange Messeng
University of Oxford, University of California Irvine, University of Passau
Christophe Petit - PKC2016 - Prime ECDLP
Elliptic Curve Discrete Logarithm Problem
◮ Elliptic Curve Discrete Logarithm Problem (ECDLP)
  Let K be a finite field and let E be an elliptic curve over K. Let P ∈ E(K) and let Q ∈ G := ⟨P⟩. Find k ∈ Z such that Q = kP.
◮ In practice K is a prime field, a binary field with prime degree extension, or F_{p^n} with n relatively small
◮ Elliptic Curve Cryptography secure ⇒ ECDLP hard
Is ECDLP hard ?
◮ Can apply generic attacks
◮ For exceptional parameters, can reduce it to another discrete logarithm problem
  ◮ Anomalous attack
  ◮ Reduction to finite field DLP using pairings
  ◮ Reduction to a hyperelliptic curve DLP
◮ Index calculus approaches being developed since 2004, but mostly focused on extension fields
◮ Our goal : extend previous index calculus algorithms to ECDLP over prime fields
Outline
Previous index calculus algorithms for ECDLP
New variants for curves over prime fields
Index Calculus for Elliptic Curves
1. Fix m ∈ Z, and fix V ⊂ K with |V|^m ≈ |K|
   Define a factor basis F = {(x, y) ∈ E(K) | x ∈ V}
2. Compute about |F| relations
   a_i P + b_i Q = P_{i,1} + P_{i,2} + ... + P_{i,m}   with P_{i,j} ∈ F
3. Linear algebra on relations gives aP + bQ = 0, hence k ≡ −a·b^{-1} modulo the order of P
Relation search : Semaev polynomials
◮ Semaev polynomials relate the x-coordinates of points that sum up to 0 :
  $S_r(x_1, \ldots, x_r) = 0 \;\Leftrightarrow\; \exists\, (x_i, y_i) \in E(\bar K) \text{ s.t. } (x_1, y_1) + \cdots + (x_r, y_r) = 0$
◮ Relation search
  ◮ Compute (X, Y) := aP + bQ for random a, b
  ◮ Search for x_i ∈ V with S_{m+1}(x_1, ..., x_m, X) = 0
  ◮ For any such solution, find corresponding y_i values
Existing Variants
◮ Semaev
  ◮ K = F_p and V contains all “small” elements
  ◮ No algorithm to solve S_{m+1}
◮ Gaudry-Diem
  ◮ K = F_{q^n} and V = F_q
  ◮ Reduction to polynomial system over F_q
  ◮ Generic bounds give L_{q^n}(2/3) complexity if q = L_{q^n}(2/3)
◮ Diem, FPPR, P-Quisquater
  ◮ K = F_{2^n} and V a vector space of K over F_2
  ◮ Reduction to polynomial system over F_2
  ◮ Experiments suggest system “somewhat easy”
Relation search : Weil Descent
◮ For each relation solve a generalized root-finding problem
  Given f ∈ F_{q^n}[x_1, ..., x_m] and a vector space V ⊂ F_{q^n}, find x_i ∈ V such that f(x_1, ..., x_m) = 0
◮ Solved by Weil Descent : reduction to polynomial system
  ◮ Fix a basis {v_j} of V over F_q
  ◮ Introduce variables x_{ij} ∈ F_q with $x_i = \sum_j x_{ij} v_j$
  ◮ See the single equation $f\big(\sum_j x_{1j} v_j, \ldots, \sum_j x_{mj} v_j\big) = 0$ over F_{q^n} as a system of n equations over F_q
Limits of previous works
◮ Fields with q = L_{q^n}(2/3) are not used in practice
◮ In binary case asymptotic complexity is not clear, and practical complexity is poor
◮ Not clear how to extend to prime fields : no subspace available and we a priori want small degree equations
Outline
Previous index calculus algorithms for ECDLP
New variants for curves over prime fields
Main idea
◮ Find low degree rational maps L_j such that
  $\#\{x \in \mathbb{F}_p \mid L(x) = L_{n'} \circ \cdots \circ L_1(x) = 0\} \approx \prod_j \deg L_j \approx p^{1/m}$
◮ Define V = {x ∈ F_p | L(x) = 0}
◮ Define F = {(x, y) ∈ E(K) | x ∈ V}
◮ Relation search : solve the polynomial system
  $S_{m+1}(x_{1,1}, \ldots, x_{m,1}, X) = 0$
  $x_{i,j+1} = L_j(x_{i,j}), \quad i = 1, \ldots, m;\; j = 1, \ldots, n'-1$
  $0 = L_{n'}(x_{i,n'}), \quad i = 1, \ldots, m$
Remarks
◮ One can write similar systems in binary cases, and show they are equivalent to Weil descent systems
◮ Precomputation of the maps L_j can a priori be used for any DLP defined over any curve over the same field
◮ Remainder of the talk :
  ◮ How to compute the maps L_j ?
  ◮ How to solve the system ?
Finding good maps : p − 1 “smooth”
◮ Suppose p − 1 = S · N' with S ≈ p^{1/m} smooth
◮ We want low degree rational maps L_j such that
  $\#\{x \in \mathbb{F}_p \mid L(x) = L_{n'} \circ \cdots \circ L_1(x) = 0\} \approx \prod_j \deg L_j \approx p^{1/m}$
◮ Take L(X) = X^S − 1 and V the subgroup of order S in F_p^* (all S roots of X^S − 1 lie in F_p because S | p − 1, so the root count equals the degree)
◮ If $S = \prod_{j=1}^{n'} q_j$, take $L_j(X) = X^{q_j}$ for j < n' and $L_{n'}(X) = X^{q_{n'}} - 1$
◮ Remark : NIST P-224 curve satisfies p − 1 = 2^{96} · N'
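To make the p − 1 smooth construction concrete, here is an added toy implementation of the index calculus outline above with m = 2 (example code written for this page, not the authors' software): V is the order-S subgroup of F_p^* cut out by L(X) = X^S − 1, the factor base is F = {(x, y) ∈ E(F_p) | x ∈ V}, relations aP + bQ = P_1 + P_2 are found through Semaev's S_3, and the linear algebra is done modulo the group order. Everything beyond the slide is an assumption made for the toy: the prime p = 4289 = 2^6 · 67 + 1 (so S = 64 ≈ p^{1/2} and N' = 67), the curve family y^2 = x^3 + x + b with b scanned until #E(F_p) is prime so that exponents live in Z/n, square roots by table lookup, and, in place of the algebraic solving of the system on the Main idea slide, a direct enumeration of x_1 over V with S_3 solved as a quadratic in x_2. That enumeration costs |V| ≈ p^{1/m} univariate solves per relation, which is exactly the step a polynomial-system solver has to beat.

```python
"""Toy index calculus for ECDLP over F_p with p - 1 = S * N' (S smooth), m = 2.  Added example,
not the paper's code: V = roots of L(X) = X^S - 1, F = {(x, y) in E(F_p) : x in V}, Semaev's S_3."""
import random

def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + a*x + b over F_p; None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if x1 == x2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    R = None
    while k:                                 # double-and-add
        R, P, k = (ec_add(R, P, a, p) if k & 1 else R), ec_add(P, P, a, p), k >> 1
    return R

def semaev3(x1, x2, x3, a, b, p):
    """Semaev's S_3: zero iff points with x-coordinates x1, x2, x3 (over the closure) sum to O."""
    return ((x1 - x2) ** 2 * x3 * x3 - 2 * ((x1 + x2) * (x1 * x2 + a) + 2 * b) * x3
            + (x1 * x2 - a) ** 2 - 4 * b * (x1 + x2)) % p

def sqrt_table(p):
    """r -> one square root of r mod p, by enumeration (toy p only; use Tonelli-Shanks for real sizes)."""
    return {y * y % p: y for y in range(p)}

def affine_points(xs, a, b, p, sq):
    """All (x, y) in E(F_p) with x in xs."""
    pts = []
    for x in xs:
        r = (x ** 3 + a * x + b) % p
        if r in sq:
            pts += [(x, sq[r])] + ([(x, p - sq[r])] if sq[r] else [])
    return pts

def prime_order_curve(p, sq, a=1):
    """Scan b until #E(F_p) is prime, so every factor-base point lies in <P> and exponents live mod n."""
    for b in range(1, p):
        n = 1 + len(affine_points(range(p), a, b, p, sq))
        if (4 * a ** 3 + 27 * b * b) % p and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return b, n

def decompose(R, Vx, a, b, p, sq):
    """m = 2 relation search: for each x1 in V solve S_3(x1, x2, x(R)) = 0 as a quadratic in x2
    (coefficients read off semaev3, which is symmetric), keep roots in V, then fix the y signs."""
    X = R[0]
    for x1 in Vx:
        if x1 == X:
            continue                                     # leading coefficient (x1 - X)^2 vanishes
        alpha, beta = (x1 - X) ** 2 % p, -2 * ((x1 + X) * (x1 * X + a) + 2 * b) % p
        gamma = ((x1 * X - a) ** 2 - 4 * b * (x1 + X)) % p
        disc = (beta * beta - 4 * alpha * gamma) % p
        if disc not in sq:
            continue
        inv = pow(2 * alpha, -1, p)
        for x2 in {(-beta + sq[disc]) * inv % p, (-beta - sq[disc]) * inv % p}:
            if x2 != x1 and x2 in Vx:
                for P1 in affine_points([x1], a, b, p, sq):
                    for P2 in affine_points([x2], a, b, p, sq):
                        if ec_add(P1, P2, a, p) == R:    # S_3 = 0 guarantees P1 + P2 = +-R
                            return P1, P2
    return None

def index_calculus(p, S, a, b, n, P, Q, sq, rng):
    """Rows A*P + B*Q = P1 + P2 are reduced incrementally mod n; the first zero row gives k = -A/B."""
    V = [x for x in range(1, p) if pow(x, S, p) == 1]   # V = roots of L(X) = X^S - 1
    F = affine_points(V, a, b, p, sq)
    Vx, basis = {x for x, _ in F}, {}                   # basis: pivot column -> (row, A, B)
    while True:
        A, B = rng.randrange(1, n), rng.randrange(1, n)
        R = ec_add(ec_mul(A, P, a, p), ec_mul(B, Q, a, p), a, p)
        dec = decompose(R, Vx, a, b, p, sq) if R else None
        if not dec:
            continue
        row = [int(pt in dec) for pt in F]               # A*P + B*Q = sum_j row[j] * F[j]
        for c in range(len(F)):
            if row[c] and c in basis:
                f, (prow, pA, pB) = row[c], basis[c]
                row = [(x - f * y) % n for x, y in zip(row, prow)]
                A, B = (A - f * pA) % n, (B - f * pB) % n
            elif row[c]:
                inv = pow(row[c], -1, n)
                basis[c] = ([x * inv % n for x in row], A * inv % n, B * inv % n)
                break
        else:
            if B:                                        # zero row: A*P + B*Q = O
                return -A * pow(B, -1, n) % n

def demo(p=4289, S=64, seed=1):
    """Toy run with p - 1 = 64 * 67 and a = 1: returns (secret k, recovered k)."""
    rng, sq = random.Random(seed), sqrt_table(p)
    b, n = prime_order_curve(p, sq)
    P, k = affine_points(range(1, p), 1, b, p, sq)[0], rng.randrange(1, n)
    return k, index_calculus(p, S, 1, b, n, P, ec_mul(k, P, 1, p), sq, rng)
```

demo() returns the secret k next to the recovered one; they agree. Note what the factor base looks like here: |V| = S = 64 elements, about half of which are x-coordinates of points, so |F| ≈ 64 ≈ p^{1/2}, which is the ∏ deg L_j ≈ p^{1/m} balance the slide asks for. The linear algebra avoids building the whole matrix: each relation row is reduced against the pivot rows already stored, and the first row that reduces to zero already carries the coefficients of AP + BQ = O.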
Finding good maps : isogeny Kernels
◮ Find an auxiliary curve E' with #E'(F_p) = S · N' and $S = \prod_{j=1}^{n'} q_j \approx p^{1/m}$ smooth
◮ Let G be a subgroup of E'(F_p) with order S