
Elliptic and Hyperelliptic Curves: a Practical Security Comparison (PowerPoint presentation, 13 slides)



  1. Elliptic and Hyperelliptic Curves: a Practical Security Comparison
     Joppe W. Bos (Microsoft Research), Craig Costello (Microsoft Research), Andrea Miele (EPFL)

  2. Motivation and Goal(s)
     ✤ Elliptic curves (standard) and genus 2 hyperelliptic curves (object of research) over prime fields have similar performance [Gaudry07] [BCHL13].
     ✤ Security: Pollard rho costs $O(\sqrt{|G|})$ group operations; using automorphisms the expected cost is $\approx \sqrt{\pi |G| / (2\,\#\mathrm{Aut})}$.
     ✤ Goals:
        1. Estimate the practical speed-up obtained from automorphisms in genus 1 and genus 2 (trade-off: reduced search space vs. more costly iteration).
        2. Estimate the complexity of the attack on 4 curves (128-bit security).
        3. Implement Pollard rho for genus 1 and genus 2 curves (x86 64-bit).

  3. Curves used
     Curve                      Genus   Field size   #Aut   Theoretical security (√(π|G|/(2·#Aut)), in bits)
     NISTp-256                    1      256 bits      2     127.8
     BN254 (pairing friendly)     1      254 bits      6     126.4
     Generic-1271                 2      127 bits      2     126.8
     GLV4-BK                      2      127 bits     10     125.7
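The theoretical security column follows from the slide 2 estimate of $\sqrt{\pi |G| / (2\,\#\mathrm{Aut})}$ group operations. As an added check (not on the slides), taking $|G| \approx 2^{256}$ for NISTp-256 and $|G| \approx p^2 \approx 2^{254}$ for the two curves over a 127-bit field:

$$
\log_2 \sqrt{\frac{\pi |G|}{2\,\#\mathrm{Aut}}}
= \tfrac{1}{2}\log_2 |G| + \tfrac{1}{2}\log_2 \frac{\pi}{2\,\#\mathrm{Aut}}
$$

$$
\text{NISTp-256 } (\#\mathrm{Aut} = 2):\quad 128 + \tfrac{1}{2}\log_2 \tfrac{\pi}{4} \approx 128 - 0.17 = 127.8
$$

$$
\text{Generic-1271 } (\#\mathrm{Aut} = 2):\quad 127 + \tfrac{1}{2}\log_2 \tfrac{\pi}{4} \approx 127 - 0.17 = 126.8
$$

$$
\text{GLV4-BK } (\#\mathrm{Aut} = 10):\quad 127 + \tfrac{1}{2}\log_2 \tfrac{\pi}{20} \approx 127 - 1.34 = 125.7
$$

The $\sqrt{5} \approx 2.24$ factor that GLV4-BK gains over Generic-1271 from its five extra automorphisms is the 1.1 bits separating the two genus 2 rows; slide 12 shows how much of it survives once the cost of evaluating those automorphisms in every iteration is paid.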

  4. Elliptic and genus 2 hyperelliptic curves in one slide…
     [Figure: chord-and-tangent group law, P + Q = R via the line ℓ on E, and the genus 2 analogue with P_1, P_2, Q_1, Q_2 and R_1, R_2.]
     Elliptic curve E (genus 1): $y^2 = x^3 + a_1 x + a_0$
        $\#E(\mathbb{F}_p) \approx p$; Weierstrass coordinates $(x, y)$
        Affine addition: 2m + 1s + 6a + 1i; affine doubling: 2m + 2s + 7a + 1i
     Genus 2 hyperelliptic curve C: $y^2 = x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x + b_0$
        $\#\mathrm{Jac}(C)(\mathbb{F}_p) \approx p^2$; Mumford coordinates $(u_1, u_0, v_1, v_0)$
        Affine addition: 17m + 4s + 48a + 1i; affine doubling: 19m + 6s + 52a + 1i
     (m, s, a, i: field multiplication, squaring, addition, inversion.)

  5. Pollard's rho algorithm [P78]
     [Figure: rho-shaped walk $p_0 \to p_1 \to \ldots$, each step adding $f_{l(p_i)}$; tail of length μ ending at $p_\mu$, cycle of length λ with $p_{\mu+\lambda} = p_\mu$.]
     ✤ Discrete log: given $h \in \langle g \rangle = G$, find the integer $k$ such that $h = k g$.
     ✤ Ideal rho, random walk: $p_i = a_i g + b_i h$ for $i = 0, 1, 2, \ldots$. Expect a collision $p_i = p_j$ ($j < i$) after $\approx \sqrt{\pi |G| / 2}$ steps ($\mu = \lambda \approx \sqrt{\pi |G| / 8}$, $\mu + \lambda \approx \sqrt{\pi |G| / 2}$); then $k = (a_i - a_j)/(b_j - b_i) \bmod |G|$.
     ✤ r-adding walk: table of random $f_k = a_k g + b_k h$, $0 \le k \le r-1$; $p_0 = a_0 g$ and $p_i = p_{i-1} + f_{l(p_{i-1})}$ for $i = 1, 2, \ldots$, with index function $0 \le l(p_i) \le r-1$ ($p_i$ has index $l(p_i)$).

  6. Parallelizable Pollard's rho [VOW97]
     [Figure: m walks $p_{i,0}, p_{i,1}, \ldots$ and $p_{j,0}, p_{j,1}, \ldots$ run in parallel, each running $\gamma \approx (\mu + \lambda)/m$ steps and reporting distinguished points $p_\gamma, p_{\gamma+1}, \ldots$.]
     ✤ Run m independent adding walks using the same table.
     ✤ Define a set of distinguished points (dp's) by an easy-to-check property, with $P(p_i \text{ is a dp}) = 1/d$.
     ✤ Each node reports its dp's to a central node that checks for a dp collision (m-fold speed-up when run on m nodes).
     ✤ Simultaneous inversion trick [M87]: m inversions cost 3(m−1) multiplications + 1 inversion.
     ✤ Extra steps due to dp's: ≈ d·m.

  7. Using automorphisms [WZ99], [DGM99]
     ✤ The group of curve automorphisms defines equivalence classes of points; the size of an equivalence class is the size of the Aut group.
     ✤ Idea: search for a collision between equivalence classes (of size #Aut) instead of between points.
     ✤ If #Aut = c, the search space is reduced by a factor c ($\sqrt{c}$ speed-up).
     ✤ Example, the negation map: $p \sim -p$, search for a collision of $\pm p$ ($\sqrt{2}$ speed-up).
     ✤ #Aut for cryptographically interesting curves over prime fields: elliptic curves min 2, max 6; genus 2 hyperelliptic curves min 2, max 10.

  8. Adding walk with automorphisms
     Table: $f_0 = a_0 g + b_0 h$, $f_1 = a_1 g + b_1 h$, …, $f_{r-1} = a_{r-1} g + b_{r-1} h$.
     Step: the index function gives $l(p_i) = j$; compute $p_i + f_j$; for $0 \le k < \#\mathrm{Aut}/2$ compute $\pm\Phi^k(p_i + f_j) \sim p_i + f_j$; select one point of the class uniquely as $p_{i+1}$.
     Selection (remark: $-(x, y) = (x, -y)$ on E; $-(u_1, u_0, v_1, v_0) = (u_1, u_0, -v_1, -v_0)$ on Jac(C)):
        1. #Aut = 2: choose the point with odd value in the y ($v_1$) coordinate.
        2. #Aut > 2: choose the $\pm\Phi^k(p_i + f_j)$ with least value in the x ($u_1$) coordinate and odd value in the y ($v_1$) coordinate.

  9. Selected curves: iteration cost
     (Costs in field multiplications m; slowdown factor = regular cost / (regular cost + Aut overhead), i.e. the fraction of the ideal $\sqrt{\#\mathrm{Aut}}$ speed-up that survives.)
     NISTp-256: − (neg): $(x, y) \mapsto (x, -y)$; Aut = {id, −}; regular iteration 6m; Aut overhead negligible; slowdown factor 1.
     BN254: $\pm\varphi^i : (x, y) \mapsto (\xi^i x, \pm y)$ with $\xi^3 = 1 \bmod p$; Aut = {id, −, −φ, φ, −φ², φ²}; regular iteration 6m; Aut overhead 1m; slowdown factor 0.857 (= 6/7).
     Generic-1271: − (neg): $(u_1, u_0, v_1, v_0) \mapsto (u_1, u_0, -v_1, -v_0)$; Aut = {id, −}; regular iteration 24m; Aut overhead negligible; slowdown factor 1.
     GLV4-BK: $\pm\varphi^i : (u_1, u_0, v_1, v_0) \mapsto (\xi^i u_1, \xi^{2i} u_0, \pm\xi^{4i} v_1, \pm v_0)$ with $\xi^5 = 1 \bmod p$; Aut = {id, −, −φ, φ, …, −φ⁴, φ⁴}; regular iteration 24m; Aut overhead 6m + (1/5)m; slowdown factor 0.795 (= 24/30.2).

  10. Fruitless cycles
      ✤ Adding walks with automorphisms produce fruitless cycles.
      ✤ 2-cycle example: after computing $l(p_{i-1}) = j$ and $p_{i-1} + f_j$, assume (1): $\mathrm{rep}\{p_{i-1} + f_j\} = -p_{i-1} - f_j = p_i$. If (2): $l(p_i) = j$, then $\mathrm{rep}\{p_i + f_j\} = \mathrm{rep}\{-p_{i-1}\} = p_{i-1}$, i.e. (3): $p_{i+1} = p_{i-1}$. $P((1)) = 1/c$ and $P((2)) = 1/r$, so $P((3)) = P((1)) \cdot P((2)) = 1/(cr)$.
      ✤ Fruitless cycle sizes: all multiples of the primes dividing c = #Aut.
      ✤ The shorter, the more likely; most frequent are 2-cycles, with P = 1/(cr).
      ✤ The larger r, the less likely the cycles, but they will eventually occur.

  11. Cycle reduction, detection and escape
      Detection and escape by doubling a point in the cycle:
      ✤ (lcm): after α iterations record a point p; after β more iterations check whether the current point equals p. Detects cycles whose length divides β.
      ✤ (trail): after α iterations record a trail of β points and look for a collision within it. Detects cycles of even length up to β.
      Reduction:
      ✤ None: just detect and escape more often. Good for SIMD architectures [BLS11].
      ✤ Extra table: $f'_i$ for $0 \le i < r$. If $l(p_i) = l(p_{i+1}) = k$, set $p_{i+1} = p_i + f'_k$. Then P(2-cycle) = $1/(cr^3)$.
      ✤ The best combination depends on the architecture used: analysis of the overhead under the memory constraints, plus tests.
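The r-adding walk of slide 5, the distinguished-point bookkeeping of slide 6, the negation-map representative of slide 8 and the fruitless-cycle detection and escape-by-doubling of slides 10 and 11, put together in one runnable Python example. This is an added illustration, not the authors' x86-64 implementation: the toy curve (p = 10007, a = 2, b chosen so that #E(F_p) is prime), the table size r = 32, the trail length β = 8, the distinguished-point rule (x ≡ 0 mod 8) and the abandon-walk cutoff are all assumptions made for the example, and a 14-bit group is far too small to say anything about real speed-ups.

```python
import random
from collections import deque

P = 10007          # toy prime field (assumed); P = 3 mod 4, so sqrt(z) = z^((P+1)/4)
A = 2              # curve y^2 = x^3 + A*x + B; setup() picks B so that #E(F_P) is prime
R = 32             # r-adding table size r (assumed)
BETA = 8           # trail length: detects fruitless cycles of length <= BETA (assumed)
DP_MASK = 7        # distinguished point: x = 0 mod 8, i.e. d = 8 in the slides' notation
MAX_WALK = 40 * (DP_MASK + 1)  # abandon a walk that never reaches a distinguished point

def ec_add(p1, p2):
    """Affine chord-and-tangent addition on E; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))

def count_points(b):
    """#E(F_P) for y^2 = x^3 + A*x + b: infinity plus 0, 1 or 2 points for each x."""
    total = 1
    for x in range(P):
        rhs = (x * x * x + A * x + b) % P
        total += 1 if rhs == 0 else 2 * (pow(rhs, (P - 1) // 2, P) == 1)
    return total

def setup():
    """First B giving a prime group order, and a generator (any non-zero point then is one)."""
    b = next(b for b in range(1, P) if is_prime(count_points(b)))
    for x in range(P):
        rhs = (x * x * x + A * x + b) % P
        if pow(rhs, (P - 1) // 2, P) == 1:
            return b, count_points(b), (x, pow(rhs, (P + 1) // 4, P))

B, N, G = setup()      # curve constant, prime group order, generator g
K_SECRET = 4242        # the discrete log we pretend not to know (assumed)
H = ec_mul(K_SECRET, G)

def rep(pt, a, b):
    """Negation-map class representative (slide 8, #Aut = 2): the point with odd y; pt = a*G + b*H."""
    x, y = pt
    return (pt, a, b) if y & 1 else ((x, P - y), -a % N, -b % N)

def solve(a1, b1, a2, b2):
    """a1*G + b1*H = a2*G + b2*H  =>  k = (a1 - a2)/(b2 - b1) mod N (None if b1 = b2)."""
    if (b1 - b2) % N == 0:
        return None
    return (a1 - a2) * pow((b2 - b1) % N, -1, N) % N

def rho(h, seed=1):
    """vOW-style rho on one core: many short walks share the r-adding table and a dp store."""
    rng = random.Random(seed)
    coef = [(rng.randrange(1, N), rng.randrange(1, N)) for _ in range(R)]
    table = [(ec_add(ec_mul(aj, G), ec_mul(bj, h)), aj, bj) for aj, bj in coef]  # f_j = a_j*g + b_j*h
    dps, stats = {}, {"steps": 0, "fruitless": {}}
    while True:
        a0 = rng.randrange(1, N)
        cur = rep(ec_mul(a0, G), a0, 0)                   # p_0 = a_0*g, as its class representative
        trail = deque(maxlen=BETA)
        for _ in range(MAX_WALK):
            stats["steps"] += 1
            pt, a, b = cur
            fj, aj, bj = table[pt[0] % R]                 # index function l(p) = x mod r
            s = ec_add(pt, fj)
            if s is None: break                           # p_i = -f_j (rare): just restart the walk
            nxt = rep(s, (a + aj) % N, (b + bj) % N)
            trail.append(cur)
            pts = [e[0] for e in trail]
            if nxt[0] in pts:                             # fruitless cycle: nxt closes trail[t:]
                cyc = list(trail)[pts.index(nxt[0]):]
                stats["fruitless"][len(cyc)] = stats["fruitless"].get(len(cyc), 0) + 1
                q, qa, qb = min(cyc, key=lambda e: e[0][0])      # canonical cycle point: least x
                nxt = rep(ec_add(q, q), 2 * qa % N, 2 * qb % N)  # escape by doubling it
                trail.clear()
            cur = nxt
            if cur[0][0] & DP_MASK == 0:                  # distinguished point: report it
                pt, a, b = cur
                if pt in dps and dps[pt][1] != b:         # same class reached with other coefficients
                    return solve(a, b, *dps[pt]), stats
                dps[pt] = (a, b)
                break

if __name__ == "__main__":
    print(rho(H), "expected k =", K_SECRET)
```

With c = 2 and r = 32, slide 10 predicts a fruitless 2-cycle about once every cr = 64 steps, so stats["fruitless"][2] should come out near stats["steps"]/64 over a few seeds; the trail also catches the much rarer 4-cycles, and the walk-length cutoff is the safety net for anything longer, which on a real curve would otherwise leave a core spinning forever. Because the escape doubles the cycle point with least x, two walks that fall into the same cycle leave it at the same point, which is what keeps collisions between walks detectable.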

  12. Performance using automorphisms
      Relative speed-up = fraction of the ideal $\sqrt{\#\mathrm{Aut}}$ speed-up actually obtained (the slowdown factors of slide 9). Updated security: the security in bits implied by the measured core-years, with NIST CurveP-256 at 128.0. Walk parameters: r = 2048 without automorphisms and r = 1024 with; the slide lists 32 and 2048 for #walks.

      Curve              #Aut   Ideal rel. speed-up   Measured rel. speed-up¹   Core-years¹      Updated security
      NIST CurveP-256      2     1                     0.947                     3.946 × 10^24    128.0 bits
      BN254                6     0.857                 0.790                     9.486 × 10^23    125.9 bits
      Generic 1271         2     1                     0.940                     1.736 × 10^24    126.8 bits
      4GLV127-BK          10     0.795                 0.784                     1.309 × 10^24    126.4 bits

      ¹ Measured on an Intel Core i7-3520M (Ivy Bridge), 2893.484 MHz.

  13. Conclusions
      ✤ In all cases automorphisms can be used profitably in practice, but the ideal speed-up is not achieved because of the increased iteration cost.
      ✤ Better understanding of the practical trade-off for genus 2 hyperelliptic curves and for elliptic curves with #Aut > 2, such as BN254.
      ✤ Useful analysis when constant factors matter, e.g. when solving ECDLP challenges.
