f4 traces and index calculus on elliptic curves over
play

F4 traces and index calculus on elliptic curves over extension - PowerPoint PPT Presentation

Nov 10, 2023 •254 likes •935 views

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work with Antoine Joux Universit e de Versailles Saint-Quentin, Laboratoire PRISM Elliptic Curve Cryptography, October 20, 2010 Vanessa VITSE (UVSQ)

  1. F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work with Antoine Joux Universit´ e de Versailles Saint-Quentin, Laboratoire PRISM Elliptic Curve Cryptography, October 20, 2010 Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 1 / 35

  2. Part I Index calculus methods Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 2 / 35

  3. Context Hardness of ECDLP ECDLP Given P ∈ E ( F q ) and Q ∈ � P � , find x such that Q = [ x ] P Specific attacks on few families of curves: Transfer methods transfer to F ∗ q k via pairings: curves with small embedding degree lift to characteristic zero fields: anomalous curves Weil descent: transfer from E ( F q n ) to J C ( F q ) where C is a genus g ≥ n curve Otherwise, only generic attacks Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 3 / 35

  4. Context Trying an index calculus approach Index calculus usually the best attack of the DLP over finite fields and hyperelliptic curves No known equivalent on E ( F p ), p prime Feasible on E ( F p n ) and asymptotically better than Weil descent or generic algorithms Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 4 / 35

  5. Context Trying an index calculus approach Index calculus usually the best attack of the DLP over finite fields and hyperelliptic curves No known equivalent on E ( F p ), p prime Feasible on E ( F p n ) and asymptotically better than Weil descent or generic algorithms Basic outline of index calculus method for DLP 1 define a factor base: F = { P 1 , . . . , P N } 2 relation search: for random ( a i , b i ), try to decompose [ a i ] P + [ b i ] Q as sum of points in F 3 linear algebra step: once k > # F relations found, deduce with sparse algebra techniques the DLP of Q Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 4 / 35

  6. Results Results Original algorithm (Gaudry, Diem) O ( q 2 − 2 Complexity of DLP over E ( F q n ) in ˜ n ) but with hidden constant exponential in n 2 faster than generic methods when n ≥ 3 and log q > C . n sub-exponential complexity when n = Θ( √ log q ) impracticable as soon as n > 4 Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 5 / 35

  7. Results Results Original algorithm (Gaudry, Diem) O ( q 2 − 2 Complexity of DLP over E ( F q n ) in ˜ n ) but with hidden constant exponential in n 2 faster than generic methods when n ≥ 3 and log q > C . n sub-exponential complexity when n = Θ( √ log q ) impracticable as soon as n > 4 Our variant Complexity in ˜ O ( q 2 ) but with a better dependency in n faster than generic methods when n ≥ 5 and log q ≥ 2 ω n faster than Gaudry and Diem’s method when log q ≤ 3 − ω 2 n 3 works for n = 5 Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 5 / 35

  8. Results Comparison of the three attacks of ECDLP over F q n n O (log 2 q ) 16 15 14 13 12 11 [Pollard] [this work] 10 9 � O ( 3 log 2 q ) 8 7 6 [Gaudry-Diem] 5 4 3 2 log 2 q 1 Comparison of Pollard’s rho method, Gaudry and Diem’s attack and our attack for ECDLP over F q n , n ≥ 1. Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 6 / 35

  9. Ingredients Ingredients of index calculus approaches Goal Find at least # F decompositions of random combinations R = [ a ] P +[ b ] Q What kind of “decomposition” over E ( K ) Semaev (2004): consider decompositions in a fixed number of points of F R = [ a ] P + [ b ] Q = P 1 + . . . + P m use the ( m + 1)-th summation polynomial: f m +1 ( x R , x P 1 , . . . , x P m ) = 0 ⇔ ∃ ǫ 1 , . . . , ǫ m ∈ { 1 , − 1 } , R = ǫ 1 P 1 + · · · + ǫ m P m Nagao’s alternative approach with divisors: � � work with f ∈ L ( m + 1)( ∞ ) − ( R ) instead Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 7 / 35

  10. Ingredients Ingredients of index calculus approaches (2) Convenient factor base on E ( F q n ) – Gaudry (2004) Natural factor base: F = { ( x , y ) ∈ E ( F q n ) : x ∈ F q } , # F ≃ q Weil restriction: decompose along a F q -linear basis of F q n  ϕ 1 ( x P 1 , . . . , x P m ) = 0   .  . f m +1 ( x R , x P 1 , . . . , x P m ) = 0 ⇔ ( S R ) .   ϕ n ( x P 1 , . . . , x P m ) = 0  One decomposition trial ↔ resolution of S R over F q Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 8 / 35

  11. Ingredients Ingredients of index calculus approaches (2) Convenient factor base on E ( F q n ) – Gaudry (2004) Natural factor base: F = { ( x , y ) ∈ E ( F q n ) : x ∈ F q } , # F ≃ q Weil restriction: decompose along a F q -linear basis of F q n  ϕ 1 ( x P 1 , . . . , x P m ) = 0   .  . f m +1 ( x R , x P 1 , . . . , x P m ) = 0 ⇔ ( S R ) .   ϕ n ( x P 1 , . . . , x P m ) = 0  One decomposition trial ↔ resolution of S R over F q Additional optimizations symmetrization of the equations to reduce total degree consider a set of representatives of F / ∼ where P ∼ ( − P ) and decompositions of the form R = ± P 1 ± · · · ± P m → only ≃ q / 2 independent relations needed Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 8 / 35

  12. Ingredients Polynomial system solving in finite fields Goal Find solutions of S R in F q More generally: compute V ( I ) where I ⊂ F q [ X 1 , . . . , X n ] ideal of dimension 0 ◮ univariate case is easy: Cantor-Zassenhaus ◮ multivariate case much more complicated Elimination theory Two techniques to find in I a univariate polynomial resultants Gr¨ obner bases Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 9 / 35

  13. Ingredients Gr¨ obner bases: a tool for polynomial system solving The shape lemma For “most” zero-dimensional ideals I ⊂ F q [ X 1 , . . . , X n ], a Gr¨ obner basis for the lexicographic order is G = { X 1 − f 1 ( X n ) , X 2 − f 2 ( X n ) , · · · , X n − 1 − f n − 1 ( X n ) , f n ( X n ) } where deg f i < deg f n and deg f n = deg I . In any case, the GB always contains a univariate polynomial in X n Fast resolution: find roots of univariate polynomial f n and evaluate f n − 1 , . . . , f 1 to compute V ( I ) Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 10 / 35

  14. Ingredients Complexity and choice of monomial order Hardness of GB computations complexity of GB computations is difficult to estimate worst-case upper bounds: ◮ general case: 2 2 O ( n ) (Mayr-Meyer) ◮ dimension 0: d O ( n 3 ) for lex order, d O ( n 2 ) for degrevlex (Caniglia,Lazard) → but performances are much better for average cases Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 11 / 35

  15. Ingredients Complexity and choice of monomial order Hardness of GB computations complexity of GB computations is difficult to estimate worst-case upper bounds: ◮ general case: 2 2 O ( n ) (Mayr-Meyer) ◮ dimension 0: d O ( n 3 ) for lex order, d O ( n 2 ) for degrevlex (Caniglia,Lazard) → but performances are much better for average cases Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 11 / 35

  16. Ingredients Complexity and choice of monomial order Hardness of GB computations complexity of GB computations is difficult to estimate worst-case upper bounds: ◮ general case: 2 2 O ( n ) (Mayr-Meyer) ◮ dimension 0: d O ( n 3 ) for lex order, d O ( n 2 ) for degrevlex (Caniglia,Lazard) → but performances are much better for average cases Strategy and complexity for lex order GB in dimension 0 instead of direct GB computation for lex order of I ⊂ K [ X 1 , . . . , X n ], do: degrevlex order GB computation & changing order algorithm (FGLM) � ω � �� d reg + n ˜ ˜ (deg I ) 3 � � O + O n Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 11 / 35

  17. Three different approaches Back to index calculus Gaudry’s original attack and Diem’s analysis m = n → as many equations as unknowns, S R has total degree 2 n − 1 I ( S R ) has dimension 0 and degree 2 n ( n − 1) Probability of decomposition is ≃ 1 / n ! → need to solve n ! q systems Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 12 / 35

  18. Three different approaches Back to index calculus Gaudry’s original attack and Diem’s analysis m = n → as many equations as unknowns, S R has total degree 2 n − 1 I ( S R ) has dimension 0 and degree 2 n ( n − 1) Probability of decomposition is ≃ 1 / n ! → need to solve n ! q systems Complexity estimates obner tools has complexity in ˜ 2 3 n ( n − 1) � � Each resolution with Gr¨ O Sparse linear algebra in ˜ O ( nq 2 ) “Double large prime” variation → overall complexity in ˜ ( n − 2)!2 3 n ( n − 1) q 2 − 2 / n � � O Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 12 / 35

  19. Three different approaches Back to index calculus Gaudry’s original attack and Diem’s analysis m = n → as many equations as unknowns, S R has total degree 2 n − 1 I ( S R ) has dimension 0 and degree 2 n ( n − 1) Probability of decomposition is ≃ 1 / n ! → need to solve n ! q systems Complexity estimates obner tools has complexity in ˜ 2 3 n ( n − 1) � � Each resolution with Gr¨ O Sparse linear algebra in ˜ O ( nq 2 ) “Double large prime” variation → overall complexity in ˜ ( n − 2)!2 3 n ( n − 1) q 2 − 2 / n � � O = 2 n ( n − 1) . But most solutions not in F q � � Bottleneck: deg I ( S R ) However adding x q − x = 0 not practical for large q Vanessa VITSE (UVSQ) F4 traces and index calculus ECC 2010 12 / 35

Recommend

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE Antoine JOUX Universit e de Versailles Saint-Quentin, Laboratoire PRISM Eurocrypt 2012

595 views • 44 slides
Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

1.58k views • 16 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based

327 views • 19 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne Universit es UPMC, INRIA, CNRS LIP6 1/43 General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = g , +) and h

595 views • 56 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault nicolast@exp-math.uni-essen.de University of Toronto / IEM Universitt DuisburgEssen Slide index Discrete Log Problem Large primes Hyperelliptic

927 views • 67 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
DON'T ASK, DON'T TELL THE VIRTUES OF PRIVACY BY DESIGN Eleanor McHugh 1998 PKI elliptic curves

DON'T ASK, DON'T TELL THE VIRTUES OF PRIVACY BY DESIGN Eleanor McHugh 1998 PKI elliptic curves

DON'T ASK, DON'T TELL THE VIRTUES OF PRIVACY BY DESIGN Eleanor McHugh 1998 PKI elliptic curves satellite PSN 1999 -calculus VM 2000 control networks 2001 mobile identity secure documents 2003 ENUM 2006 dotTel hybrid encryption

1.2k views • 60 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Curves Over Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is part of the NSF-funded AIM FRG project on Databases of L -functions. This talk had much valuable input from Noam Elkies, John Voight,

567 views • 40 slides
Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com

Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com

Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com www.huseyinhisil.net ECC2010, Redmond Hseyin H sl () October 19, 2010 1 / 36 Faster formulas for elliptic curves (A roadmap for formula-hunters)

825 views • 55 slides

More recommend