Generic attacks and index calculus. D. J. Bernstein, University of Illinois at Chicago. (PDF document.)

  1. Generic attacks and index calculus. D. J. Bernstein, University of Illinois at Chicago.

  2. The discrete-logarithm problem. Define p = 1000003. Easy to prove: p is prime. Can we find an integer n ∈ {1, 2, 3, ..., p − 1} such that 5^n mod p = 262682? Easy to prove: n ↦ 5^n mod p permutes {1, 2, 3, ..., p − 1}. So there exists an n such that 5^n mod p = 262682. Could find n by brute force. Is there a faster way?

  3. Typical cryptanalytic application: Imagine p = 1000003 standard in the Diffie-Hellman protocol. User chooses secret key n, publishes 5^n mod p = 262682. Can attacker quickly solve the discrete-logarithm problem? Given public key 5^n mod p, quickly find secret key n? (Warning: This is one way to attack the protocol. Maybe there are better ways.)

  4. Relations to ECC: 1. Some DL techniques also apply to elliptic-curve DL problems. Use in evaluating security of an elliptic curve. 2. Some techniques don't apply. Use in evaluating advantages of elliptic curves compared to multiplication. 3. Tricky: Some techniques have extra applications to some curves. See Tanja Lange's talk on Weil descent etc.

  5. Understanding brute force. Can compute successively 5^1 mod p = 5, 5^2 mod p = 25, 5^3 mod p = 125, ..., 5^8 mod p = 390625, 5^9 mod p = 953122, ..., 5^1000002 mod p = 1. At some point we'll find n with 5^n mod p = 262682. Maximum cost of computation: ≈ p − 1 mults by 5 mod p; ≈ p − 1 nanoseconds on a CPU that does 1 mult/nanosecond.

  6. This is negligible work for p ≈ 2^20. But users can standardize a larger p, making the attack slower. Attack cost scales linearly: ≈ 2^50 mults for p ≈ 2^50, ≈ 2^100 mults for p ≈ 2^100, etc. (Not exactly linearly: cost of mults grows with p. But this is a minor effect.)

  7. Computation has a good chance of finishing earlier. Chance scales linearly: 1/2 chance of 1/2 cost; 1/10 chance of 1/10 cost; etc. "So users should choose large n." That's pointless. We can apply "random self-reduction": choose random r, say 726379; compute 5^r mod p = 515040; compute 5^r 5^n mod p as (515040 · (5^n mod p)) mod p; compute discrete log; obtain r + n mod p − 1; subtract r mod p − 1; obtain n.

  8. Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 2^6 €: one chip, 2^10 cores on the chip, each 2^30 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 2^30 €: 2^24 chips, so 2^34 cores, so 2^64 mults/second, so 2^89 mults/year.

  9. Multiple targets and giant steps. Computation can be applied to many targets at once. Given 100 DL targets 5^{n_1} mod p, 5^{n_2} mod p, ..., 5^{n_100} mod p: Can find all of n_1, n_2, ..., n_100 with ≈ p − 1 mults mod p. Simplest approach: First build a sorted table containing 5^{n_1} mod p, ..., 5^{n_100} mod p. Then check table for 5^1 mod p, 5^2 mod p, etc.

  10. Interesting consequence #1: Solving all 100 DL problems isn't much harder than solving one DL problem. Interesting consequence #2: Solving at least one out of 100 DL problems is much easier than solving one DL problem. When did this computation find its first n_i? Typically ≈ (p − 1)/100 mults.

  11. Can use random self-reduction to turn a single target into multiple targets. Given 5^n mod p: Choose random r_1, r_2, ..., r_100. Compute 5^{r_1} 5^n mod p, 5^{r_2} 5^n mod p, etc. Solve these 100 DL problems. Typically ≈ (p − 1)/100 mults to find at least one r_i + n mod p − 1, immediately revealing n.

  12. Also spent some mults to compute each 5^{r_i} mod p: ≈ lg p mults for each i. Faster: Choose r_i = i r_1 with r_1 ≈ (p − 1)/100. Compute 5^{r_1} mod p; 5^{r_1} 5^n mod p; 5^{2 r_1} 5^n mod p; 5^{3 r_1} 5^n mod p; etc. Just 1 mult for each new i. ≈ 100 + lg p + (p − 1)/100 mults to find n given 5^n mod p.

  13. Faster: Increase 100 to ≈ √p. Only ≈ 2√p mults to solve one DL problem! "Shanks baby-step-giant-step discrete-logarithm algorithm." Example: p = 1000003, 5^n mod p = 262682. Compute 5^1024 mod p = 58588. Then compute 1000 targets: 5^1024 5^n mod p = 966849, 5^{2·1024} 5^n mod p = 579277, 5^{3·1024} 5^n mod p = 579062, ..., 5^{1000·1024} 5^n mod p = 321705.

  14. Build a sorted table of targets: 2573 = 5^{430·1024} 5^n mod p, 3371 = 5^{192·1024} 5^n mod p, 3593 = 5^{626·1024} 5^n mod p, 4960 = 5^{663·1024} 5^n mod p, 5218 = 5^{376·1024} 5^n mod p, ..., 999675 = 5^{344·1024} 5^n mod p. Look up 5^1 mod p, 5^2 mod p, 5^3 mod p, etc. in this table. Find 5^755 mod p = 966603; 966603 = 5^{332·1024} 5^n mod p in the table of targets; so 755 = 332·1024 + n mod p − 1; deduce n = 660789.
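Worked example for slides 9 to 14 (added here; this is not code from the slides): Shanks baby-step-giant-step in Python with the slides' parameters p = 1000003, generator 5, target 262682, giant step 1024 and 1000 giant steps, plus the random self-reduction of slide 7 layered on top. A dict stands in for the slides' sorted table; the function names are this example's own.

```python
# Shanks baby-step-giant-step for log_5(262682) mod 1000003 (slides 9-14).
# Added example, not the slides' code. p, 5, the target, the giant step 1024
# and the 1000 giant steps are the slides' values; the names are this example's.

P = 1000003
G = 5
H = 262682          # = 5^n mod p for the unknown secret n


def giant_step_table(h, giant, count, p=P, g=G):
    """The 'targets' h*g^(i*giant) mod p for i = 1..count, keyed by value.
    A dict plays the role of the slides' sorted table."""
    step = pow(g, giant, p)          # 5^1024 mod p, which is 58588 on the slides
    table = {}
    y = h
    for i in range(1, count + 1):
        y = y * step % p
        table.setdefault(y, i)
    return table


def bsgs(h, giant=1024, count=1000, p=P, g=G):
    """Baby steps g^1, g^2, ... until some g^j is one of the targets.  Then
    j == n + i*giant (mod p-1), so n == j - i*giant (mod p-1).
    Returns (n, j, i).  giant*count must reach p-1 or a target can be missed."""
    table = giant_step_table(h, giant, count, p, g)
    y = 1
    for j in range(1, p):
        y = y * g % p
        if y in table:
            i = table[y]
            return (j - i * giant) % (p - 1), j, i
    raise ValueError("no baby step matched a target")


def random_self_reduction(h, r, p=P, g=G):
    """Slide 7: solve the DL of h*g^r instead of h, then subtract r mod p-1."""
    n_plus_r, _, _ = bsgs(h * pow(g, r, p) % p, p=p, g=g)
    return (n_plus_r - r) % (p - 1)
```

`bsgs(262682)` walks the baby steps and stops at j = 755, where 5^755 equals the i = 332 target, and returns n = 660789 exactly as slide 14 deduces; `random_self_reduction(262682, 726379)` solves the shifted problem and recovers the same n after subtracting r.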

  15. Eliminating storage. Improved method: Define x_0 = 1; x_{i+1} = 5 x_i mod p if x_i ∈ 3Z; x_{i+1} = x_i^2 mod p if x_i ∈ 2 + 3Z; x_{i+1} = 5^n x_i mod p otherwise. Then x_i = 5^{a_i n + b_i} mod p where (a_0, b_0) = (0, 0) and (a_{i+1}, b_{i+1}) = (a_i, b_i + 1), or (a_{i+1}, b_{i+1}) = (2 a_i, 2 b_i), or (a_{i+1}, b_{i+1}) = (a_i + 1, b_i). Search for a collision in x_i: x_1 = x_2? x_2 = x_4? x_3 = x_6? x_4 = x_8? x_5 = x_10? etc. Deduce linear equation for n.

  16. The x_i's enter a cycle, typically within ≈ √p steps. Example: p = 1000003, 5^n mod p = 262682. Modulo 1000003: x_1 = 5^n = 262682. x_2 = 5^{2n} = 262682^2 = 626121. x_3 = 5^{2n+1} = 5 · 626121 = 130596. x_4 = 5^{2n+2} = 5 · 130596 = 652980. x_5 = 5^{2n+3} = 5 · 652980 = 264891. x_6 = 5^{2n+4} = 5 · 264891 = 324452. x_7 = 5^{4n+8} = 324452^2 = 784500. x_8 = 5^{4n+9} = 5 · 784500 = 922491. etc.

  17. x_1785 = 5^{249847 n + 759123} = 555013. x_3570 = 5^{388795 n + 632781} = 555013. (Cycle length is 357.) Conclude that 249847 n + 759123 ≡ 388795 n + 632781 (mod p − 1), so n ≡ 160788 (mod (p − 1)/6). Only 6 possible n's. Try each of them. Find that 5^n mod p = 262682 for n = 160788 + 3(p − 1)/6, i.e., for n = 660789.
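Worked example for slides 15 to 17 (added here; not code from the slides): Pollard's rho with exactly the iteration of slide 15 (x_0 = 1, three-way split on x_i mod 3), Floyd's x_i = x_{2i} collision search, and the final step of solving the linear congruence and trying the remaining candidates. The exponents a_i, b_i are kept reduced mod p − 1 as on slide 17; the slides report the collision at i = 1785 with x = 555013, and the returned i can be compared against that.

```python
# Pollard's rho for log_5(262682) mod 1000003 with the iteration of slide 15.
# Added example, not the slides' code; p, 5, the target, x_0 = 1 and the
# three-way split on x mod 3 are the slides', everything else is this example's.
from math import gcd

P = 1000003
G = 5
H = 262682          # = 5^n mod p, n unknown


def step(x, a, b, p=P, g=G, h=H):
    """x_{i+1} from x_i, carrying (a, b) so that x = g^(a*n + b) mod p.
    The exponents are kept reduced mod p-1, as on slide 17."""
    order = p - 1
    if x % 3 == 0:
        return g * x % p, a, (b + 1) % order            # multiply by 5
    if x % 3 == 2:
        return x * x % p, 2 * a % order, 2 * b % order  # square
    return h * x % p, (a + 1) % order, b                # multiply by 5^n


def walk(i, p=P, g=G, h=H):
    """(x_i, a_i, b_i) starting from x_0 = 1, (a_0, b_0) = (0, 0)."""
    x, a, b = 1, 0, 0
    for _ in range(i):
        x, a, b = step(x, a, b, p, g, h)
    return x, a, b


def rho(p=P, g=G, h=H):
    """Floyd cycle finding: first i with x_i == x_{2i}, then solve for n.
    Returns (n, i)."""
    x1, a1, b1 = walk(1, p, g, h)
    x2, a2, b2 = walk(2, p, g, h)
    i = 1
    while x1 != x2:
        x1, a1, b1 = step(x1, a1, b1, p, g, h)                      # tortoise: one step
        x2, a2, b2 = step(*step(x2, a2, b2, p, g, h), p, g, h)      # hare: two steps
        i += 1
    # g^(a1*n + b1) == g^(a2*n + b2)  =>  (a1 - a2)*n == b2 - b1 (mod p-1)
    order = p - 1
    coef = (a1 - a2) % order
    rhs = (b2 - b1) % order
    d = gcd(coef, order)
    if rhs % d:
        raise ValueError("collision is inconsistent; the iteration must differ")
    # one solution mod (p-1)/d, hence d candidates mod p-1 (6 on slide 17)
    n0 = rhs // d * pow(coef // d, -1, order // d) % (order // d)
    for k in range(d):
        n = n0 + k * (order // d)
        if pow(g, n, p) == h:
            return n, i
    raise ValueError("no candidate matched the target")
```

`walk(8)` reproduces the (x_8, a_8, b_8) = (922491, 4, 9) of slide 16, and `rho()` returns n = 660789 together with the collision index. The storage is constant: only the two current states are kept, which is the point of slide 15.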

  18. This is "Pollard's rho method." Optimized: ≈ √p mults. Another method, similar speed: "Pollard's kangaroo method." Can parallelize both methods: "van Oorschot/Wiener parallel DL using distinguished points." Bottom line: With some number of mults, distributed across many cores, have chance ≈ (number of mults)^2/p of finding n from 5^n mod p. With 2^90 mults (a few years?), have chance ≈ 2^180/p. Negligible if, e.g., p ≈ 2^256.

  19. Factors of the group order. Assume 5 has order ab. Given x, a power of 5: 5^a has order b, and x^a is a power of 5^a. Compute ℓ = log_{5^a} x^a. 5^b has order a, and x/5^ℓ is a power of 5^b. Compute m = log_{5^b}(x/5^ℓ). Then x = 5^{ℓ + mb}.

  20. This "Pohlig-Hellman method" converts an order-ab DL into an order-a DL, an order-b DL, and a few exponentiations. e.g. p = 1000003, x = 262682: p − 1 = 6b where b = 166667. Compute log_{5^6}(x^6) = 160788. Compute x/5^160788 = 1000002. Compute log_{5^b} 1000002 = 3. Then x = 5^{160788 + 3b} = 5^660789. Use rho: ≈ √a + √b mults. Better if ab factors further: apply Pohlig-Hellman recursively.
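Worked example for slides 19 and 20 (added here; not code from the slides): the Pohlig-Hellman reduction written as a recursive function over a list of factors of the group order, so that [6, 166667] reproduces the slide's two-step computation and [2, 3, 166667] applies it recursively as the last line of slide 20 suggests. The smaller DLs are solved by brute force here in place of the rho method the slides recommend; any solver for the subgroup works. The names are this example's own.

```python
# Pohlig-Hellman reduction of an order-ab discrete log (slides 19-20).
# Added example, not the slides' code. p = 1000003, generator 5, x = 262682 and
# p - 1 = 6 * 166667 are the slides' values; brute force replaces rho in the
# subgroups for simplicity.
from math import prod

P = 1000003
G = 5


def brute_log(g, h, order, p=P):
    """log_g h where g has the given (small) order: step through g^0, g^1, ..."""
    y = 1
    for k in range(order):
        if y == h:
            return k
        y = y * g % p
    raise ValueError("h is not a power of g")


def pohlig_hellman(g, x, factors, p=P):
    """log_g x, where g has order prod(factors).  Splits off a = factors[0] and
    recurses on b = prod(factors[1:]), exactly the split of slide 19."""
    if len(factors) == 1:
        return brute_log(g, x, factors[0], p)
    a, rest = factors[0], factors[1:]
    b = prod(rest)
    # g^a has order b, and x^a is a power of g^a:  l = log_{g^a} x^a  (= n mod b)
    l = pohlig_hellman(pow(g, a, p), pow(x, a, p), rest, p)
    # g^b has order a, and x / g^l is a power of g^b:  m = log_{g^b}(x / g^l)
    y = x * pow(g, -l, p) % p
    m = brute_log(pow(g, b, p), y, a, p)
    return l + m * b


def slide_example(p=P):
    """The numbers of slide 20: a = 6, b = 166667, x = 262682.
    Returns (l, x / 5^l, m, l + m*b)."""
    x, a, b = 262682, 6, 166667
    l = brute_log(pow(5, a, p), pow(x, a, p), b, p)
    y = x * pow(5, -l, p) % p
    m = brute_log(pow(5, b, p), y, a, p)
    return l, y, m, l + m * b
```

`slide_example()` returns (160788, 1000002, 3, 660789), the four intermediate values of slide 20 in order; the order-166667 brute-force loop is the expensive step, and it is the one the slides would hand to rho at ≈ √166667 mults.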

  21. All of the techniques so far apply to elliptic curves. An elliptic curve over F_q has ≈ q + 1 points so can compute ECDL using ≈ √q elliptic-curve adds. Need quite large q. If largest prime divisor of number of points is much smaller than q then Pohlig-Hellman method computes ECDL more quickly. Need larger q; or change choice of curve.

  22. Index calculus. Have generated many group elements 5^{an + b} mod p. Deduced equations for n from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for p = 1000003: Can completely factor −3/(p − 3) as −3^1/(2^6 5^6) in Q, so −3^1 ≡ 2^6 5^6 (mod p), so log_5(−1) + log_5 3 ≡ 6 log_5 2 + 6 log_5 5 (mod p − 1).

  23. Can completely factor 62/(p + 62) as 2^1 31^1/(3^1 5^1 11^2 19^1 29^1), so log_5 2 + log_5 31 ≡ log_5 3 + log_5 5 + 2 log_5 11 + log_5 19 + log_5 29 (mod p − 1). Try to completely factor 1/(p + 1), 2/(p + 2), etc. Find factorization of a/(p + a) as product of powers of −1, 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31 for each of the following a's: −5100, −4675, −3128, −403, −368, −147, −3, 62, 957, 2912, 3857, 6877.

  24. Each complete factorization produces a log equation. Now have 12 linear equations for log_5 2, log_5 3, ..., log_5 31. Free equations: log_5 5 = 1, log_5(−1) = (p − 1)/2. By linear algebra compute log_5 2, log_5 3, ..., log_5 31. (If this hadn't been enough, could have searched more a's.) By similar technique obtain discrete log of any target.
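Worked example for slides 22 to 24 (added here; not code from the slides): the whole index-calculus pipeline for p = 1000003 with the slides' factor base {−1, 2, 3, ..., 31}. Relation collection searches a over a range chosen here to contain the twelve a's of slide 23 (the range is this example's assumption); the linear algebra is Gauss-Jordan elimination mod the large prime factor 166667 of p − 1, after which each log is fixed mod 6 by trying the six possible lifts, which works because 5 generates the whole group (slide 2). The slides only say "by linear algebra"; the split into mod 166667 plus lifting is this example's choice. The last function is the "similar technique" of slide 24 for an arbitrary target.

```python
# Index calculus for log_5 mod p = 1000003, following slides 22-24.
# Added example, not the slides' code. p, the generator 5, the factor base
# and p - 1 = 6 * 166667 come from the slides; the search range for a is an
# assumption chosen to cover the twelve a's the slides list.

P = 1000003
G = 5
BIG = 166667                      # large prime factor of p - 1
BASE = [-1, 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31]


def factor_over_base(n, base=BASE):
    """Exponent vector of n over the factor base, or None if n is not smooth."""
    if n == 0:
        return None
    exps = [0] * len(base)
    if n < 0:
        exps[base.index(-1)] = 1
        n = -n
    for i, q in enumerate(base):
        if q > 0:
            while n % q == 0:
                n //= q
                exps[i] += 1
    return exps if n == 1 else None


def find_relations(a_range, p=P, base=BASE):
    """a/(p+a) with both a and p+a smooth gives one relation: since a == p+a (mod p),
    sum_i (e_i - f_i) * log_5(q_i) == 0 (mod p-1).  Returns [(a, e - f), ...]."""
    relations = []
    for a in a_range:
        e = factor_over_base(a, base)
        f = factor_over_base(p + a, base)
        if e is not None and f is not None:
            relations.append((a, [ei - fi for ei, fi in zip(e, f)]))
    return relations


def solve_mod_prime(rows, q, nvars):
    """Gauss-Jordan elimination over GF(q); rows are (coefficients, right-hand side)."""
    m = [[c % q for c in coeffs] + [rhs % q] for coeffs, rhs in rows]
    for col in range(nvars):
        piv = next((i for i in range(col, len(m)) if m[i][col]), None)
        if piv is None:
            raise ValueError("rank-deficient mod %d: search more a's" % q)
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [v * inv % q for v in m[col]]
        for i in range(len(m)):
            if i != col and m[i][col]:
                f = m[i][col]
                m[i] = [(vi - f * vc) % q for vi, vc in zip(m[i], m[col])]
    if any(any(row) for row in m[nvars:]):
        raise ValueError("inconsistent relations")
    return [m[i][nvars] for i in range(nvars)]


def unit_row(q, base=BASE):
    return [1 if b == q else 0 for b in base]


def factor_base_logs(relations, p=P, base=BASE):
    """log_5(q) for every q in the base.  Linear algebra mod the prime 166667,
    then the residue mod 6 is fixed by trying the six lifts (5 is a generator)."""
    rows = [(row, 0) for _, row in relations]
    rows.append((unit_row(5, base), 1))                 # free equation: log_5 5 = 1
    rows.append((unit_row(-1, base), (p - 1) // 2))     # free equation: log_5(-1) = (p-1)/2
    partial = solve_mod_prime(rows, BIG, len(base))
    logs = {}
    for q, l in zip(base, partial):
        for k in range((p - 1) // BIG):
            if pow(G, l + k * BIG, p) == q % p:
                logs[q] = l + k * BIG
                break
        else:
            raise ValueError("no lift for %d; is 5 really a generator?" % q)
    return logs


def discrete_log(h, logs, p=P, base=BASE):
    """log_5 h for any target: multiply h by 5^r until the product is smooth,
    then log_5 h = sum_i e_i log_5 q_i - r (mod p-1)."""
    for r in range(1, p):
        e = factor_over_base(h * pow(G, r, p) % p, base)
        if e is not None:
            return (sum(ei * logs[q] for ei, q in zip(e, base)) - r) % (p - 1)
    raise ValueError("no smooth multiple found")
```

`find_relations(range(-5200, 7000))` turns up the twelve a's of slide 23 among the relations, `factor_base_logs` solves for the twelve base logs and checks each one by re-exponentiation, and `discrete_log(262682, logs)` returns 660789, the same secret the rho and Pohlig-Hellman slides found, this time with no √p-sized search at all.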

  25. For p → ∞, index calculus scales surprisingly well: cost p^ε where ε → 0. Compare to rho: p^{1/2}. Specifically: searching a ∈ {1, 2, ..., y^2}, with lg y ∈ O(√(lg p lg lg p)), finds ≈ y complete factorizations into primes ≤ y, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.)

  26. Latest index-calculus variants use the "number-field sieve" and the "function-field sieve." To compute discrete logs in F_q: cost 2^{O((lg q)^{1/3} (lg lg q)^{2/3})}. For security: q ≈ 2^256 to stop rho; q ≈ 2^2048 to stop NFS. We don't know any index-calculus methods for ECDL! ... except for some curves.
