cover and decomposition index calculus on elliptic curves
play

Cover and Decomposition Index Calculus on Elliptic Curves made - PowerPoint PPT Presentation

Jun 23, 2023 •139 likes •595 views

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE Antoine JOUX Universit e de Versailles Saint-Quentin, Laboratoire PRISM Eurocrypt 2012

  1. Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE – Antoine JOUX Universit´ e de Versailles Saint-Quentin, Laboratoire PRISM Eurocrypt 2012 Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 1 / 21

  2. Known attacks of the ECDLP Section 1 Known attacks of the ECDLP Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 2 / 21

  3. Known attacks of the ECDLP Generalities on the DLP Discrete logarithm problem Discrete logarithm problem (DLP) Given a group G and g , h ∈ G , find – when it exists – an integer x s.t. h = g x Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 3 / 21

  4. Known attacks of the ECDLP Generalities on the DLP Discrete logarithm problem Discrete logarithm problem (DLP) Given a group G and g , h ∈ G , find – when it exists – an integer x s.t. h = g x Difficulty is related to the group: 1 Generic attacks: complexity in Ω(max( α i √ p i )) if # G = � i p α i i 2 G ⊂ ( F ∗ q , × ): index calculus method with complexity in L q (1 / 3) where L q ( α ) = exp( c (log q ) α (log log q ) 1 − α ). 3 G ⊂ (Jac C ( F q ) , +): index calculus method better than generic attacks (if g > 2) Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 3 / 21

  5. Known attacks of the ECDLP Generalities on the DLP The discrete logarithm problem on elliptic curves Use the group of points of an elliptic curve defined over a finite field (EC)DLP : given P , Q ∈ G , find (if it exists) x st Q = [ x ] P The group law is a good compromise between simplicity and intricacy − ( P + Q ) • Q • P • P + Q • Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 4 / 21

  6. Known attacks of the ECDLP Generalities on the DLP The discrete logarithm problem on elliptic curves Use the group of points of an elliptic curve defined over a finite field (EC)DLP : given P , Q ∈ G , find (if it exists) x st Q = [ x ] P The group law is a good compromise between simplicity and intricacy Choice of the field: − ( P + Q ) • Prime field F p = Z / p Z : good security Q • but modular arithmetic difficult to implement in hardware P • Extension field F p n : interesting when p = 2 or p fits into a computer word P + Q • Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 4 / 21

  7. Known attacks of the ECDLP Generalities on the DLP The discrete logarithm problem on elliptic curves Use the group of points of an elliptic curve defined over a finite field (EC)DLP : given P , Q ∈ G , find (if it exists) x st Q = [ x ] P The group law is a good compromise between simplicity and intricacy Choice of the field: − ( P + Q ) • Prime field F p = Z / p Z : good security Q • but modular arithmetic difficult to implement in hardware P • Extension field F p n : interesting when p = 2 or p fits into a computer word P + Q • Potentially vulnerable to index calculus Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 4 / 21

  8. Known attacks of the ECDLP Generalities on the DLP Basic outline of index calculus methods (additive notations) 1 Choice of a factor base: F = { g 1 , . . . , g N } ⊂ G 2 Relation search: decompose a i · g + b i · h ( a i , b i random) into F N � a i · g + b i · h = c i , j · g j j =1 3 Linear algebra: once k independent relations found ( k ≥ N ) ◮ construct the matrices A = � � a i b i 1 ≤ i ≤ k and M = ( c i , j ) 1 ≤ i ≤ k 1 ≤ j ≤ N ◮ find v = ( v 1 , . . . , v k ) ∈ ker( t M ) such that vA � = 0 mod # G ◮ compute the solution of DLP: x = − ( � i a i v i ) / ( � i b i v i ) mod # G Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 5 / 21

  9. Known attacks of the ECDLP Generalities on the DLP Index calculus Two difficulties : 1 From a practical point of view : linear algebra often the most delicate phase ◮ matrices are huge (several millions of unknowns) but very sparse (only a few non-zero coeff. per row) ◮ difficult to distribute dedicated algorithms 2 From a theoretical point of view : how to find relations? ◮ on E ( F p ), no known method ◮ on E ( F p n ), two existing methods: ⋆ transfer to Jac C ( F p ) via Weil descent ⋆ direct decompositions (Gaudry/Diem) Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 6 / 21

  10. Known attacks of the ECDLP Generalities on the DLP Index calculus Two difficulties : 1 From a practical point of view : linear algebra often the most delicate phase ◮ matrices are huge (several millions of unknowns) but very sparse (only a few non-zero coeff. per row) ◮ difficult to distribute dedicated algorithms 2 From a theoretical point of view : how to find relations? ◮ on E ( F p ), no known method ◮ on E ( F p n ), two existing methods: ⋆ transfer to Jac C ( F p ) via Weil descent ⋆ direct decompositions (Gaudry/Diem) Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 6 / 21

  11. Known attacks of the ECDLP Weil descent and cover attacks Transfer of the ECDLP via cover maps (Weil descent) Let W = W F qn / F q ( E ) be the Weil restriction of E | F qn elliptic curve. Inclusion of a curve C | F q ֒ → W induces a cover map π : C ( F q n ) → E ( F q n ). Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 7 / 21

  12. � � � Known attacks of the ECDLP Weil descent and cover attacks Transfer of the ECDLP via cover maps (Weil descent) Let W = W F qn / F q ( E ) be the Weil restriction of E | F qn elliptic curve. Inclusion of a curve C | F q ֒ → W induces a cover map π : C ( F q n ) → E ( F q n ). 1 transfer the DLP from � P � ⊂ E ( F q n ) to Jac C ( F q ) Tr � Jac C ( F q ) C ( F q n ) Jac C ( F q n ) g genus of C π π ∗ s.t. g ≥ n E ( F q n ) Jac E ( F q n ) ≃ E ( F q n ) 2 use index calculus on Jac C ( F q ): → efficient if C is hyperelliptic with small genus g [Gaudry] or has a small degree plane model [Diem] Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 7 / 21

  13. � � � Known attacks of the ECDLP Weil descent and cover attacks Transfer of the ECDLP via cover maps (Weil descent) Let W = W F qn / F q ( E ) be the Weil restriction of E | F qn elliptic curve. Inclusion of a curve C | F q ֒ → W induces a cover map π : C ( F q n ) → E ( F q n ). 1 transfer the DLP from � P � ⊂ E ( F q n ) to Jac C ( F q ) Tr � Jac C ( F q ) C ( F q n ) Jac C ( F q n ) g genus of C π π ∗ s.t. g ≥ n E ( F q n ) Jac E ( F q n ) ≃ E ( F q n ) 2 use index calculus on Jac C ( F q ): → efficient if C is hyperelliptic with small genus g [Gaudry] or has a small degree plane model [Diem] Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 7 / 21

  14. � � � Known attacks of the ECDLP Weil descent and cover attacks Transfer of the ECDLP via cover maps (Weil descent) Let W = W F qn / F q ( E ) be the Weil restriction of E | F qn elliptic curve. Inclusion of a curve C | F q ֒ → W induces a cover map π : C ( F q n ) → E ( F q n ). 1 transfer the DLP from � P � ⊂ E ( F q n ) to Jac C ( F q ) Tr � Jac C ( F q ) C ( F q n ) Jac C ( F q n ) g genus of C π π ∗ s.t. g ≥ n E ( F q n ) Jac E ( F q n ) ≃ E ( F q n ) 2 use index calculus on Jac C ( F q ): → efficient if C is hyperelliptic with small genus g [Gaudry] or has a small degree plane model [Diem] Main difficulty : find a convenient curve C with a genus small enough Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 7 / 21

  15. Known attacks of the ECDLP Weil descent and cover attacks The GHS construction Gaudry-Heß-Smart (binary fields), Diem (odd characteristic case) Given an elliptic curve E | F qn and a degree 2 map E → P 1 , construct a curve C | F q and a cover map π : C → E . Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 8 / 21

  16. Known attacks of the ECDLP Weil descent and cover attacks The GHS construction Gaudry-Heß-Smart (binary fields), Diem (odd characteristic case) Given an elliptic curve E | F qn and a degree 2 map E → P 1 , construct a curve C | F q and a cover map π : C → E . Problem: for most elliptic curves, g is of the order of 2 n Index calculus on Jac C ( F q ) usually slower than generic methods on E ( F q n ) Possibility of using isogenies from E to a vulnerable curve [Galbraith] → increase the number of vulnerable curves Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 8 / 21

  17. Known attacks of the ECDLP Decomposition attacks Decomposition attack Idea from Gaudry and Diem: no transfer, but apply directly index calculus on E ( F q n ) (or Jac H ( F q n )) Principle Factor base: F = { D Q ∈ Jac H ( F q n ) : D Q ∼ ( Q ) − ( O H ) , Q ∈ H ( F q n ) , x ( Q ) ∈ F q } Decomposition of an arbitrary divisor D ∈ Jac H ( F q n ) into ng divisors of the factor base D ∼ � ng i =1 (( Q i ) − ( O H )) Asymptotic complexity in q 2 − 2 / ng as q → ∞ Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 avril 2012 9 / 21

Recommend

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work with Antoine Joux Universit e de Versailles Saint-Quentin, Laboratoire PRISM Elliptic Curve Cryptography, October 20, 2010 Vanessa VITSE (UVSQ)

935 views • 67 slides
Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

1.58k views • 16 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based

327 views • 19 slides
Scalar decomposition on elliptic curves GLV, GLS, and beyond Benjamin Smith Laboratoire

Scalar decomposition on elliptic curves GLV, GLS, and beyond Benjamin Smith Laboratoire

Scalar decomposition on elliptic curves GLV, GLS, and beyond Benjamin Smith Laboratoire dInformatique de l Ecole polytechnique (LIX) and INRIA Saclay Ile-de-France BAC May 24, 2013 Smith (INRIA/LIX) Scalar decomposition on

1.92k views • 23 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne Universit es UPMC, INRIA, CNRS LIP6 1/43 General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = g , +) and h

595 views • 56 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault nicolast@exp-math.uni-essen.de University of Toronto / IEM Universitt DuisburgEssen Slide index Discrete Log Problem Large primes Hyperelliptic

927 views • 67 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
DON'T ASK, DON'T TELL THE VIRTUES OF PRIVACY BY DESIGN Eleanor McHugh 1998 PKI elliptic curves

DON'T ASK, DON'T TELL THE VIRTUES OF PRIVACY BY DESIGN Eleanor McHugh 1998 PKI elliptic curves

DON'T ASK, DON'T TELL THE VIRTUES OF PRIVACY BY DESIGN Eleanor McHugh 1998 PKI elliptic curves satellite PSN 1999 -calculus VM 2000 control networks 2001 mobile identity secure documents 2003 ENUM 2006 dotTel hybrid encryption

1.2k views • 60 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer

Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer

Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer Paulhus Grinnell College paulhusj@grinnell.edu www.math.grinnell.edu/ paulhusj My original interest in Jacobian variety decomposition was

343 views • 21 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides

More recommend