index calculus attack for hyperelliptic curves of small
play

Index Calculus Attack for Hyperelliptic Curves of Small Genus - PowerPoint PPT Presentation

Sep 05, 2023 •250 likes •927 views

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault nicolast@exp-math.uni-essen.de University of Toronto / IEM Universitt DuisburgEssen Slide index Discrete Log Problem Large primes Hyperelliptic

  1. Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thériault nicolast@exp-math.uni-essen.de University of Toronto / IEM – Universität Duisburg–Essen

  2. Slide index Discrete Log Problem Large primes Hyperelliptic Jacobians Algorithms Generic Attacks Running time analysis Attacks for Hyperelliptic Curves Optimizations Index Calculus Comparison Factor Base Memory Nicolas Thériault – The index calculus attack – p.1

  3. The Discrete Log Problem Let C be a nonsingular hyperelliptic curve of genus g with a single point at infinity defined over the finite field F q . Let D 1 , D 2 be two elements of Jac ( C )( F q ) such that D 2 ∈ � D 1 � . The discrete log problem for the pair ( D 1 , D 2 ) on Jac ( C )( F q ) consist in computing the smallest integer λ ∈ N such that D 2 = λD 1 . Nicolas Thériault – The index calculus attack – p.2 [ ⇐ ]

  4. Hyperelliptic Jacobians C is of the form C : Y 2 + h ( X ) Y = f ( X ) with deg( h ) ≤ g and deg( f ) = 2 g + 1 . Jac ( C )( F q ) is the divisor class group, which is isomorphic to the ideal class group. � √ q − 1 � √ q + 1 � 2 g ≤ | Jac ( C )( F q ) | ≤ � 2 g , i.e. | Jac ( C )( F q ) | = q g + O gq g − 1 / 2 � � . Reduced divisors in Jac ( C )( F q ) can be added in O ( g 2 (log q ) 2 ) bit operations (Cantor). Nicolas Thériault – The index calculus attack – p.3 [ ⇐ ]

  5. Hyperelliptic Jacobians To a point P ∈ C ( F q ) we associate the divisor D ( P ) = P − ∞ . Every reduced divisor D ∈ Jac ( C )( F q ) , � k D = i =1 D ( P i ) , can be represented uniquely by a pair of polynomials [ a ( x ) , b ( x )] , a ( x ) , b ( x ) ∈ F q [ x ] , with � k a ( x ) = i =1 ( x − x i ) b ( x i ) = y i and such that deg( b ) < deg( a ) and a ( x ) divides b ( x ) 2 + h ( x ) b ( x ) − f ( x ) . Nicolas Thériault – The index calculus attack – p.3 [ ⇐ ]

  6. Hyperelliptic Jacobians A reduced divisor D = [ a ( x ) , b ( x )] is in Jac ( C )( F q ) if and only if a ( x ) , b ( x ) ∈ F q [ x ] . Nicolas Thériault – The index calculus attack – p.3 [ ⇐ ]

  7. Hyperelliptic Jacobians A reduced divisor D = [ a ( x ) , b ( x )] is in Jac ( C )( F q ) if and only if a ( x ) , b ( x ) ∈ F q [ x ] . To know if the points P i associated to a reduced divisor are in C ( F q ) , we can check if a ( x ) splits completely in F q [ x ] . To find the points P i associated to a reduced divisor, we need to completely factor a ( x ) . Nicolas Thériault – The index calculus attack – p.3 [ ⇐ ]

  8. Hyperelliptic Jacobians A reduced divisor D = [ a ( x ) , b ( x )] is in Jac ( C )( F q ) if and only if a ( x ) , b ( x ) ∈ F q [ x ] . To know if the points P i associated to a reduced divisor are in C ( F q ) , we can check if a ( x ) splits completely in F q [ x ] . To find the points P i associated to a reduced divisor, we need to completely factor a ( x ) . D ( − P ) = − D ( P ) . Nicolas Thériault – The index calculus attack – p.3 [ ⇐ ]

  9. Generic attacks Three main types of attack: Shank’s Baby Step - Giant Step algorithm; Pollard’s ρ method; Pollard’s λ (kangaroo) method. They work for every abelian group. They require �� � O group order group operations to solve the discrete log. Nicolas Thériault – The index calculus attack – p.4 [ ⇐ ]

  10. Attacks for hyperelliptic curves Weil descent attack: Frey / Gaudry, Hess and Smart, for some curves defined over field extensions. Index calculus attack for large genus: Adleman, DeMarrais and Huang Nicolas Thériault – The index calculus attack – p.5 [ ⇐ ]

  11. Attacks for hyperelliptic curves Weil descent attack: Frey / Gaudry, Hess and Smart, for some curves defined over field extensions. Index calculus attack for large genus: Adleman, DeMarrais and Huang Index calculus attack for small genus: Gaudry, for curves of genus > 4 , variation (Harley) for curves of genus > 3 , Nicolas Thériault – The index calculus attack – p.5 [ ⇐ ]

  12. Attacks for hyperelliptic curves Weil descent attack: Frey / Gaudry, Hess and Smart, for some curves defined over field extensions. Index calculus attack for large genus: Adleman, DeMarrais and Huang Index calculus attack for small genus: Gaudry, for curves of genus > 4 , variation (Harley) for curves of genus > 3 , can be improved for curves of genus > 2 . Nicolas Thériault – The index calculus attack – p.5 [ ⇐ ]

  13. Index calculus We want to find a good set of “points” (the factor base) P 1 , P 2 , . . . , P t and “random” linear combinations t � α i D 1 + β i D 2 = c ij P j . j =1 Nicolas Thériault – The index calculus attack – p.6 [ ⇐ ]

  14. Index calculus We want to find a good set of “points” (the factor base) P 1 , P 2 , . . . , P t and “random” linear combinations t � α i D 1 + β i D 2 = c ij P j . j =1 We then find γ i ’s such that for every j s � γ i c ij = 0 . i =1 Nicolas Thériault – The index calculus attack – p.6 [ ⇐ ]

  15. Index calculus This gives us t � s � � � 0 = γ i c ij P j j =1 i =1 Nicolas Thériault – The index calculus attack – p.6 [ ⇐ ]

  16. Index calculus This gives us t � s � � � 0 = γ i c ij P j j =1 i =1 s � t � � � = γ i c ij P j i =1 j =1 Nicolas Thériault – The index calculus attack – p.6 [ ⇐ ]

  17. Index calculus This gives us t � s � � � 0 = γ i c ij P j j =1 i =1 s � t � � � = γ i c ij P j i =1 j =1 s � = γ i ( α i D 1 + β i D 2 ) i =1 Nicolas Thériault – The index calculus attack – p.6 [ ⇐ ]

  18. Index calculus This gives us t � s � � � 0 = γ i c ij P j j =1 i =1 s � t � � � = γ i c ij P j i =1 j =1 s � = γ i ( α i D 1 + β i D 2 ) i =1 � s � � s � � � = γ i α i D 1 + γ i β i D 2 i =1 i =1 Nicolas Thériault – The index calculus attack – p.6 [ ⇐ ]

  19. Index calculus This gives us t � s � � � 0 = γ i c ij P j j =1 i =1 s � t � � � = γ i c ij P j i =1 j =1 s � = γ i ( α i D 1 + β i D 2 ) i =1 � s � � s � � � = γ i α i D 1 + γ i β i D 2 i =1 i =1 = αD 1 + βD 2 Nicolas Thériault – The index calculus attack – p.6 [ ⇐ ]

  20. Index calculus If β � = 0 , we can solve for D 2 : D 2 = − α β D 1 , i.e. − α λ = β s � − γ i α i i =1 = . s � γ i β i i =1 Nicolas Thériault – The index calculus attack – p.6 [ ⇐ ]

  21. Smooth divisors Let P = C ( F q ) , i.e. P is the set of points of C over F q . Let B be a subset of P . Nicolas Thériault – The index calculus attack – p.7 [ ⇐ ]

  22. Smooth divisors Let P = C ( F q ) , i.e. P is the set of points of C over F q . Let B be a subset of P . A divisor is smooth relative to B if it is reduced and it can be written in the form k � D ( P i ) i =1 with the P i ’s in B and k ≤ g . Nicolas Thériault – The index calculus attack – p.7 [ ⇐ ]

  23. Smooth divisors Let P = C ( F q ) , i.e. P is the set of points of C over F q . Let B be a subset of P . A divisor is smooth relative to B if it is reduced and it can be written in the form k � D ( P i ) i =1 with the P i ’s in B and k ≤ g . In this case, B is called the factor base . Nicolas Thériault – The index calculus attack – p.7 [ ⇐ ]

  24. Smooth divisors Let P = C ( F q ) , i.e. P is the set of points of C over F q . Let B be a subset of P . A divisor is smooth relative to B if it is reduced and it can be written in the form k � D ( P i ) i =1 with the P i ’s in B and k ≤ g . In this case, B is called the factor base . A potentially smooth divisor is smooth relative to P . Nicolas Thériault – The index calculus attack – p.7 [ ⇐ ]

  25. Working with the factor base Make use of the equality D ( − P ) = − D ( P ) . Nicolas Thériault – The index calculus attack – p.8 [ ⇐ ]

  26. Working with the factor base Make use of the equality D ( − P ) = − D ( P ) . If P is in the factor base, − P is also in the factor base, but we use only P for the factorization. Example of representation: D ( P 1 )+ D ( − P 29 )+ D ( − P 103 ) = D ( P 1 ) − D ( P 29 ) − D ( P 103 ) Nicolas Thériault – The index calculus attack – p.8 [ ⇐ ]

  27. Working with the factor base Make use of the equality D ( − P ) = − D ( P ) . If P is in the factor base, − P is also in the factor base, but we use only P for the factorization. Example of representation: D ( P 1 )+ D ( − P 29 )+ D ( − P 103 ) = D ( P 1 ) − D ( P 29 ) − D ( P 103 ) The “size” of the factor base is | B | / 2 for the linear algebra. This decreases the running time for the search by 50% and time for the linear algebra by 75% . Nicolas Thériault – The index calculus attack – p.8 [ ⇐ ]

  28. Large primes Given a factor base B ⊂ P , a point P ∈ P is called a large prime if P / ∈ B . Nicolas Thériault – The index calculus attack – p.9 [ ⇐ ]

  29. Large primes Given a factor base B ⊂ P , a point P ∈ P is called a large prime if P / ∈ B . A reduced divisor k � D = D ( P i ) i =1 is said to be almost-smooth if: all but one of the P i ’s are in B ; the remaining P i is a large prime. Nicolas Thériault – The index calculus attack – p.9 [ ⇐ ]

Recommend

L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S.

L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S.

L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S. Kedlaya Department of Mathematics, University of California, San Diego kedlaya@ucsd.edu http://kskedlaya.org/slides/ Arithmetic of Hyperelliptic Curves

708 views • 48 slides
Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2

Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2

Background Hyperelliptic curves with moderately large rank over Q ( T ) Bias Conjecture Acknowledgements Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2 thammond@andrew.cmu.edu bcl5@williams.edu Joint with

426 views • 41 slides
Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE Antoine JOUX Universit e de Versailles Saint-Quentin, Laboratoire PRISM Eurocrypt 2012

595 views • 44 slides
F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work with Antoine Joux Universit e de Versailles Saint-Quentin, Laboratoire PRISM Elliptic Curve Cryptography, October 20, 2010 Vanessa VITSE (UVSQ)

935 views • 67 slides
Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011

Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011

Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011 Hyperelliptic curve 2 g + 1 C : y 2 = ( x a i ) i = 1 Riemann surface with two sheets. a i = branch points. color = argument of y

733 views • 28 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de Lorraine, Nancy Joint work with P. Gaudry and P.-J. Spaenlehauer January 25, 2018 CARAMBA /* */ E,C, /* */ c,r, /* */ u,l, e,s, i=5,

907 views • 36 slides
Explicit Coleman integration for hyperelliptic curves Jennifer Balakrishnan 1 Robert Bradshaw 2

Explicit Coleman integration for hyperelliptic curves Jennifer Balakrishnan 1 Robert Bradshaw 2

Explicit Coleman integration for hyperelliptic curves Jennifer Balakrishnan 1 Robert Bradshaw 2 Kiran Kedlaya 1 1 Massachusetts Institute of Technology 2 University of Washington ANTS-IX INRIA Nancy, France Thursday, July 22, 2010 Balakrishnan,

630 views • 41 slides
Elliptic and Hyperelliptic Curves: a Practical Security Comparison &quot; Joppe W. Bos (Microsoft

Elliptic and Hyperelliptic Curves: a Practical Security Comparison &quot; Joppe W. Bos (Microsoft

Elliptic and Hyperelliptic Curves: a Practical Security Comparison &quot; Joppe W. Bos (Microsoft Research), Craig Costello (Microsoft Research), ! Andrea Miele (EPFL) &quot; &quot; 1/13 &quot; Motivation and Goal(s) ! Elliptic curves

314 views • 14 slides
A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
Local heights on hyperelliptic curves Jennifer Balakrishnan MIT, Department of Mathematics E ff

Local heights on hyperelliptic curves Jennifer Balakrishnan MIT, Department of Mathematics E ff

Local heights on hyperelliptic curves Jennifer Balakrishnan MIT, Department of Mathematics E ff ective Methods in p -adic Cohomology Mathematical Institute, University of Oxford Tuesday, March 16, 2010 Jennifer Balakrishnan (MIT) Local heights

309 views • 14 slides
A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based

327 views • 19 slides
ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves

ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves

ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves F. Morain I. Introduction and motivations Goal: build an effective group of cryptographic strength, resisting all known attacks. Dream: find

834 views • 48 slides
Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

1.58k views • 16 slides
Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer

Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer

Elliptic factors in Jacobians of hyperelliptic curves with certain automorphism groups Jennifer Paulhus Grinnell College paulhusj@grinnell.edu www.math.grinnell.edu/ paulhusj My original interest in Jacobian variety decomposition was

343 views • 21 slides
Fast computation of isomorphisms of hyperelliptic curves and explicit descent Reynald Lercier,

Fast computation of isomorphisms of hyperelliptic curves and explicit descent Reynald Lercier,

Fast computation of isomorphisms of hyperelliptic curves and explicit descent Reynald Lercier, Christophe Ritzenthaler and Jeroen Sijsling IRMAR (Rennes), IML (Marseille), IRMAR (Rennes) ANTS, San Diego July 11, 2012 Lercier, Ritzenthaler,

675 views • 18 slides
Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 10.11.2007 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange p. 1 Do

787 views • 51 slides
Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

Introduction Problems Outlook and Conclusion Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08 Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to

337 views • 30 slides
Projective equivalences of elliptic and hyperelliptic planar curves Juan G. Alc azar , Carlos

Projective equivalences of elliptic and hyperelliptic planar curves Juan G. Alc azar , Carlos

Projective equivalences of elliptic and hyperelliptic planar curves Juan G. Alc azar , Carlos Hermoso Universidad de Alcal a, Alcal a de Henares, Madrid (Spain) CCMA 2019 Juan G. Alc azar , Carlos Hermoso Projective equivalences of

468 views • 27 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
Complex manifolds of dimension 1 lecture 12: Tilings, hyperelliptic curves, Ananin theorem Misha

Complex manifolds of dimension 1 lecture 12: Tilings, hyperelliptic curves, Ananin theorem Misha

Riemann surfaces, lecture 12 M. Verbitsky Complex manifolds of dimension 1 lecture 12: Tilings, hyperelliptic curves, Ananin theorem Misha Verbitsky IMPA, sala 232 February 10, 2020 1 Riemann surfaces, lecture 12 M. Verbitsky Homotopy

156 views • 11 slides
Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange Eindhoven University Ruhr-Universitt of Technology Bochum Overview Elliptic Curves Hyperelliptic Curves HEC of Genus 2

473 views • 33 slides
Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic

Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic

Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic Curves Diploma thesis Andrey Bogdanov* Scientific advisors: Prof. Dr. Dr. h.c. Gerhard Frey Prof. Dr. Vladimir Anashin Russian State

397 views • 29 slides

More recommend