On the discrete logarithm problem in elliptic curves Claus Diem - PowerPoint PPT Presentation

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves – p.1/37

Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm for the ECDLP over extension fields: Heuristic claim Let n ∈ N , n ≥ 2 be fixed. Then the ECDLP over fields of the form F q n can be solved in an expected time of O ( q 2 − 2 n ) . On the discrete logarithm problem in elliptic curves – p.2/37

Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm for the ECDLP over extension fields: Heuristic claim Let n ∈ N , n ≥ 2 be fixed. Then the ECDLP over fields of the form F q n can be solved in an expected time of O ( q 2 − 2 n ) . He mentioned that I have an L [3 / 4] -algorithm for elliptic curves over some fields. On the discrete logarithm problem in elliptic curves – p.2/37

Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm for the ECDLP over extension fields: Heuristic claim Let n ∈ N , n ≥ 2 be fixed. Then the ECDLP over fields of the form F q n can be solved in an expected time of O ( q 2 − 2 n ) . He mentioned that I have an L [3 / 4] -algorithm for elliptic curves over some fields. On the next day, I claimed: On the discrete logarithm problem in elliptic curves – p.2/37

Some history Claim. There exists a randomized algorithm which takes as input a tuple ( q, n, E/ F q n , A, B ) , where q is a prime power, n a natural number, E/ F q n an elliptic curve and A, B ∈ E ( F q n ) with B ∈ � A � , which computes the DLP with respect to A and B and has the following property: Let us fix a, b ∈ R with 0 < a < b and let us consider all instances with a log 2 ( q ) ≤ n ≤ b log 2 ( q ) . Then restricted to these instances, the algorithm has an expected running time of for D = 4 b + ǫ 2 D · ( n · log 2 ( q )) 3 / 4 � � O . a 3 / 4 On the discrete logarithm problem in elliptic curves – p.3/37

Some history And I continued ... On the discrete logarithm problem in elliptic curves – p.4/37

Some history And I continued ... Please note. 1. I do not have a complete proof of this statement. 2. The algorithm is not practical. On the discrete logarithm problem in elliptic curves – p.4/37

The good (and the bad) news There is now a proven result: On the discrete logarithm problem in elliptic curves – p.5/37

The good (and the bad) news There is now a proven result: For fixed a, b > 0 and instances with a log( q ) 1 / 3 ≤ n ≤ b log( b ) we have an expected time of e O ((log( q n )) 3 / 4 ) . On the discrete logarithm problem in elliptic curves – p.5/37

The good (and the bad) news There is now a proven result: For fixed a, b > 0 and instances with a log( q ) 1 / 3 ≤ n ≤ b log( b ) we have an expected time of e O ((log( q n )) 3 / 4 ) . The algorithm is still not practical. On the discrete logarithm problem in elliptic curves – p.5/37

A preliminary algorithm Let an instance E/ F q n , A, B be given, E in Weierstraß-Form. Let us for simplicity assume that # E ( F q n ) is prime. → P 1 Let k := F q , K := F q n , and let x : E − K be as usual. On the discrete logarithm problem in elliptic curves – p.6/37

A preliminary algorithm 1. Determine N := # E ( K ) . On the discrete logarithm problem in elliptic curves – p.7/37

A preliminary algorithm 1. Determine N := # E ( K ) . 2. Determine some m ≤ n and c ≤ n . 3. Choose some c -dimensional k -vector subspace U of K . 4. Define a so-called factor base F := { P ∈ E ( K ) | x ( P ) ∈ U } Let F = { F 1 , . . . , F k } . On the discrete logarithm problem in elliptic curves – p.7/37

A preliminary algorithm 5. For i = 1 , . . . , k + 1 do Repeat Choose α i , β i ∈ Z /N Z uniformly randomly and try to determine a relation P 1 + · · · + P m = α i A + β i B with P 1 , . . . , P m ∈ F . Until this was successful. Rewrite the relation as k � r i,j F j = α i A + β i B . j =1 On the discrete logarithm problem in elliptic curves – p.8/37

A preliminary algorithm 6. Determine some γ ∈ ( Z /N Z ) k +1 : γR = 0 , γ � = 0 . We have � � ( γ i α i ) a + ( γ i β i ) b = 0 i i and thus b = − � i γ i α i a . � i γ i β i On the discrete logarithm problem in elliptic curves – p.9/37

Relation generation Given C (= αA + βB ) ∈ E ( K ) , we want to find a relation P 1 + · · · + P m = C with P 1 , . . . , P m ∈ F . For this we try to solve systems of multivariate polynomial equations over k . On the discrete logarithm problem in elliptic curves – p.10/37

Relation generation Idea. For P 1 , . . . , P m ∈ E ( K ) , the condition P 1 + · · · + P m = C can be expressed algebraically over K . We try to find relations by solving systems of polynomial equations over k . The space of tuples ( P 1 , . . . , P m ) ∈ F m has mc degrees of freedom over k . The space of points C ∈ E ( K ) has n degrees of freedom over k . On the discrete logarithm problem in elliptic curves – p.11/37

Relation generation Idea. For P 1 , . . . , P m ∈ E ( K ) , the condition P 1 + · · · + P m = C can be expressed algebraically over K . We try to find relations by solving systems of polynomial equations over k . The space of tuples ( P 1 , . . . , P m ) ∈ F m has mc degrees of freedom over k . The space of points C ∈ E ( K ) has n degrees of freedom over k . = ⇒ Let δ := mc − n . Then for fixed C the relations / solutions ( P 1 , . . . , P m ) ∈ F m with P 1 + · · · + P m = C vary in a δ -dimensional space over k . On the discrete logarithm problem in elliptic curves – p.11/37

Relation generation Idea. For P 1 , . . . , P m ∈ E ( K ) , the condition P 1 + · · · + P m = C can be expressed algebraically over K . We try to find relations by solving systems of polynomial equations over k . The space of tuples ( P 1 , . . . , P m ) ∈ F m has mc degrees of freedom over k . The space of points C ∈ E ( K ) has n degrees of freedom over k . = ⇒ Let δ := mc − n . Then for fixed C the relations / solutions ( P 1 , . . . , P m ) ∈ F m with P 1 + · · · + P m = C vary in a δ -dimensional space over k . We want that δ = 0 ... On the discrete logarithm problem in elliptic curves – p.11/37

A new preliminary algorithm 1. Determine N := # E ( K ) . 2. Determine some m ≤ n , let c := ⌈ n m ⌉ and δ := mc − n . We thus have n = mc − δ = ( m − δ ) · c + δ · ( c − 1) . 3. Choose some c -dimensional k -vector subspace U of K and some c − 1 -dimensional k -vector subspace U ′ of U . 4. Define a factor base F := { P ∈ E ( K ) | x ( P ) ∈ U } and also F ′ := { P ∈ E ( K ) | x ( P ) ∈ U ′ } . Let F = { F 1 , F 2 , . . . , F k } . On the discrete logarithm problem in elliptic curves – p.12/37

A new preliminary algorithm 5. For i = 1 , . . . , k + 1 do Repeat Choose α i , β i ∈ Z /N Z uniformly randomly and try to determine a relation P 1 + · · · + P m = α i A + β i B with P 1 , . . . , P δ ∈ F ′ , P δ +1 , . . . , P m ∈ F . Until this was successful. Rewrite the relation as k � r i,j F j = α i A + β i B . j =1 On the discrete logarithm problem in elliptic curves – p.13/37

A new preliminary algorithm 6. Determine some γ ∈ ( Z /N Z ) k +1 : γR = 0 , γ � = 0 . We have � � ( γ i α i ) a + ( γ i β i ) b = 0 i i and thus b = − � i γ i α i a . � i γ i β i On the discrete logarithm problem in elliptic curves – p.14/37

Decomposition We need a procedure to compute relations or “decompositions”. Input. C ∈ E ( K ) . Output. A relation P 1 + · · · + P m = C with P 1 , . . . , P δ ∈ F ′ , P δ +1 , . . . , P m ∈ F , that is, x ( P 1 ) , . . . , x ( P δ ) ∈ U ′ , x ( P δ +1 ) , . . . , x ( P m ) ∈ U . On the discrete logarithm problem in elliptic curves – p.15/37

Decomposition Let P 1 , . . . , P m ∈ E ( K ) . Equivalent are: P 1 + · · · + P m = C On the discrete logarithm problem in elliptic curves – p.16/37

Decomposition Let P 1 , . . . , P m ∈ E ( K ) . Equivalent are: P 1 + · · · + P m = C ( P 1 ) + · · · + ( P m ) + ( − C ) ∼ ( m + 1) · O On the discrete logarithm problem in elliptic curves – p.16/37

Decomposition Let P 1 , . . . , P m ∈ E ( K ) . Equivalent are: P 1 + · · · + P m = C ( P 1 ) + · · · + ( P m ) + ( − C ) ∼ ( m + 1) · O ∃ f ∈ K ( E ) ∗ : ( f ) = ( P 1 )+ · · · +( P m )+( − C ) − ( m +1) · ( O ) . ∃ f ∈ L (( m + 1) · O − ( − C )) : ( f ) = ( P 1 ) + · · · + ( P m ) + ( − C ) − ( m + 1) · ( O ) . On the discrete logarithm problem in elliptic curves – p.16/37

Decomposition Let P 1 , . . . , P m ∈ E ( K ) . Let P 1 , . . . , P m , C, O be distinct. Equivalent are: P 1 + · · · + P m = C ( P 1 ) + · · · + ( P m ) + ( − C ) ∼ ( m + 1) · O ∃ f ∈ K ( E ) ∗ : ( f ) = ( P 1 )+ · · · +( P m )+( − C ) − ( m +1) · ( O ) . ∃ f ∈ L (( m + 1) · O − ( − C )) : ( f ) = ( P 1 ) + · · · + ( P m ) + ( − C ) − ( m + 1) · ( O ) . ∃ f ∈ L (( m + 1) · O − ( − C )) : ∀ i = 1 , . . . , m : f ( P i ) = 0 . On the discrete logarithm problem in elliptic curves – p.16/37