on using torsion points in the elliptic curve index
play

On Using Torsion Points in the Elliptic Curve Index Calculus Gu - PowerPoint PPT Presentation

Dec 10, 2023 •35 likes •595 views

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne Universit es UPMC, INRIA, CNRS LIP6 1/43 General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = g , +) and h

  1. On Using Torsion Points in the Elliptic Curve Index Calculus Gu´ ena¨ el Renault Sorbonne Universit´ es UPMC, INRIA, CNRS LIP6 1/43

  2. General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = � g � , +) and h ∈ G , find k such that h = [ k ] g = g + · · · + g k times � √ # G � Generic algorithms O ◮ Baby Step Giant Step, Pollard’s rho, etc. ◮ For any black box group G , optimal complexity (Shoup) Index Calculus can be quasi-polynomial, sub-exponential ◮ sieving + linear algebra ◮ G = ( F × 2 k , × ) ◮ G = ( F × q , × ) , G = ( J C ( F q ) , +) with genus g > 2 ☞ G = E ( F q ) no sub-exponential index calculus algo. in general 2/43

  3. Context ☞ Index calculus algo. adaptation for E ( F q n ) ( n small) Semaev/Gaudry/Diem ( ≈ 2005) (Point Decomposition Problem) Semaev Summation Polynomial Polynomial System Solving ☞ Increasing the efficiency by using the symmetries ☞ Using Symmetries in the Index Calculus for ECDLP (J. Crypto. 2014) (J.-C. Faug` ere, P. Gaudry, L. Huot, G. R.) ☞ Symmetrized Summation Polynomials (Eurocrypt’14) (J.-C. Faug` ere, L. Huot, A. Joux, G. R., V. Vitse) 3/43

  4. Outline PDP in the Index Calculus 1 Polynomial System Solving 2 PoSSo With Symmetries 3 From Torsion Point to Symmetry 4 Characteristic 2 5 New Computational Record: 8th Summation Polynomial 6 Conclusion 7 4/43

  5. Outline PDP in the Index Calculus 1 Polynomial System Solving 2 PoSSo With Symmetries 3 From Torsion Point to Symmetry 4 Characteristic 2 5 New Computational Record: 8th Summation Polynomial 6 Conclusion 7 5/43

  6. Index Calculus for ECDLP Algorithm (Gaudry 2005) Input: P, Q ∈ E ( F q n ) Output: x such that Q = [ x ] P 1. Def. factor base: F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } 2. Sieving: [ a j ] P ⊕ [ b j ] Q = P 1 ⊕ · · · ⊕ P n , P i ∈ F until having # F + 1 such relations � 3. Linear algebra [ λ j · a j ] P ⊕ [ λ j · b j ] Q = 0 E ( F qn ) j Point Decomposition Problem Given R ∈ E F a factor base of points in E find P 1 , . . . , P n ∈ F such that R = P 1 ⊕ . . . ⊕ P n 6/43

  7. Point Decomposition Problem PDP( n, R, F ) Given R ∈ E F a factor base of points in E find P 1 , . . . , P n ∈ F such that R = P 1 ⊕ . . . ⊕ P n ☞ Modeling the problem as a polynomial system { g 1 , . . . , g s } and solve this system: � ( x i , y i ) ∈ E ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) ⊕ · · · ⊕ ( x n , y n ) = ( R x , R y ) ☞ The solution has to be found in F 7/43

  8. Algebraic modelling of PDP: Summation polynomials Semaev, 2004, Gaudry, 2005 ☞ Projection of the PDP( n, R = 0 , F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } ) PDP: g 1 ( , . . . , ) = · · · = g s ( , . . . , ) = 0 Projection π n Summation: f n ( , . . . , ) = 0 8/43

  9. Algebraic modelling of PDP: Summation polynomials Semaev, 2004, Gaudry, 2005 ☞ Projection of the PDP( n, R = 0 , F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } ) PDP: � g 1 ( x 1 , . . . , x m , y 1 , . . . , y m ) , . . . , g s ( x 1 , . . . , x m , y 1 , . . . , y m ) � π : ( x, y ) → x Elimination (Resultant, Gr¨ obner basis) Summation: � f n ( x 1 , . . . , x n ) � = � g 1 , . . . , g s � ∩ F q n [ x 1 , . . . , x n ] deg x i ( f n ) � 2 n − 2 Characterization f n ( x 1 , ..., x n ) = 0 � n ∃ ( y 1 , ..., y n ) ∈ F q n s.t. ∀ i, P i = ( x i , y i ) ∈ E and P 1 ⊕ · · · ⊕ P n = 0 8/43

  10. Algebraic modelling of PDP: Summation polynomials Semaev, 2004, Gaudry, 2005 ☞ Projection of the PDP( n, R = 0 , F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } ) PDP: � g 1 ( x 1 , . . . , x m , y 1 , . . . , y m ) , . . . , g s ( x 1 , . . . , x m , y 1 , . . . , y m ) � π : ( x, y ) → x Elimination (Resultant, Gr¨ obner basis) Summation: � f n ( x 1 , . . . , x n ) � = � g 1 , . . . , g s � ∩ F q n [ x 1 , . . . , x n ] deg x i ( f n ) � 2 n − 2 Application in Index Calculus: ( Gaudry 2005 ) Solving PDP( R, F ) with factor base F = { ( x, y ) ∈ E ( F q n ) | x ∈ F q } . � Finding ( x 1 , . . . , x n ) with x i ∈ F q s.t. f n +1 ( x 1 , ..., x n , ( − R ) x ) = 0 ☞ In Weierstrass model R x = ( − R ) x 8/43

  11. From summation polynomials to PoSSo Problem We want to find P 1 , . . . , P n ∈ F = { ( x, y ) ∈ E | x ∈ F q } such that R = P 1 + · · · + P n ⇐ ⇒ P 1 + · · · + P n − R = 0 E � Finding ( x 1 , . . . , x n ) with x i ∈ F q s.t. f n +1 ( x 1 , ..., x n , R x ) = 0 Solving process: Restriction of scalar on sum. polynomial F q n ≃ F q ( ω ) : n dimensional F q -vector space n − 1 � ϕ i ( x 1 , . . . , x n ) · ω i f n +1 ( x 1 , . . . , x n , R x ) = 0 E = i =0 9/43

  12. From summation polynomials to PoSSo Solving process: Restriction of scalar on sum. polynomial F q n ≃ F q ( ω ) : n dimensional F q -vector space n − 1 � ϕ i ( x 1 , . . . , x n ) · ω i f n +1 ( x 1 , . . . , x n , R x ) = 0 E = i =0  S = { ϕ 0 , . . . , ϕ n − 1 } ⊂ F q [ x 1 , . . . , x n ] -  ⇒ - n variables, n equations  solutions in F q - H 1 : The polynomial systems S are zero-dimensional 9/43

  13. Outline PDP in the Index Calculus 1 Polynomial System Solving 2 PoSSo With Symmetries 3 From Torsion Point to Symmetry 4 Characteristic 2 5 New Computational Record: 8th Summation Polynomial 6 Conclusion 7 10/43

  14. Solving 0 -dim polynomial systems Let S = { f 1 , . . . , f n } where f i ∈ K [ x 1 , . . . , x n ] and Deg( f i ) ≤ 2 n − 1 Solving S means here to compute V K ( �S� ) 11/43

  15. Solving 0 -dim polynomial systems Let S = { f 1 , . . . , f n } where f i ∈ K [ x 1 , . . . , x n ] and Deg( f i ) ≤ 2 n − 1 Solving S means here to compute V K ( �S� ) Gr¨ obner basis Since |V K | < ∞ , the Gr¨ obner basis G of �S� w.r.t. lexicographical order with x 1 > . . . > x n then G has a triangular form  h 1 , 1 ( x 1 , . . . , x n ) , . . . , h 1 ,k 1 ( x 1 , . . . , x n )     . . .  h n − 1 , 1 ( x n − 1 , x n ) , . . . , h n − 1 ,k n − 1 ( x n − 1 , x n )    h n ( x n ) ☞ Factoring univariate polynomials over a finite field. 11/43

  16. Solving 0 -dim polynomial systems Let S = { f 1 , . . . , f n } where f i ∈ K [ x 1 , . . . , x n ] and Deg( f i ) ≤ 2 n − 1 Solving S means here to compute V K ( �S� ) ☞ Compute a GB of �S� w.r.t. a lexicographical order. Zero-dim solve 1. Compute GB DRL from S ( F 4 /F 5 ) 2. Compute GB LEX from GB DRL (FGLM) 11/43

  17. Solving 0 -dim polynomial systems Let S = { f 1 , . . . , f n } where f i ∈ K [ x 1 , . . . , x n ] and Deg( f i ) ≤ 2 n − 1 Compute GB DRL from S Compute GB LEX from GB DRL ☞ See K [ x 1 , . . . , x n ] / �S� as a K -ev ☞ Linear alg. on Macaulay mat. m 1 > m 2 > . . . GB DRL ⇒ K -ev B 1   . . . Change of basis  c 1 c 2  t i,j f i i,j . . . i,j B 1 → B 2 K -ev B 2 ⇒ GB LEX ere F 4 , F 5 Faug` ere, Gaudry, Huot, R. ISSAC’14 Faug` � ne nω 2 ( n − 1) nω + n · deg( � S � ) ω � � O ☞ deg( � S � ) = the number of solutions (with multiplicities) ☞ ω represents the linear algebra constant 11/43

  18. On the complexity of computing GB DRL ☞ These results are usually obtain for homogeneous polynomial systems ☞ In order to avoid fall of degree issues, need to consider regular situation Regular sequences A sequence of homogeneous polynomials ( f 1 , . . . , f n ) ⊂ K [ x 1 , . . . , x n ] is said to be regular when f i +1 is a regular element in K [ x 1 , . . . , x n ] / � f 1 , . . . f i � Affine regular sequences A sequence of affine polynomials ( f 1 , . . . , f n ) ⊂ K [ x 1 , . . . , x n ] is said to be regular when the sequence f ( h ) , . . . , f ( h ) of corresponding homogeneous n 1 component of highest degree is regular. ☞ Complexity DRL(pol. sys. affine regular) < DRL(its homogenization) H 2 : The affine polynomial systems S are regular ( H 2 ⇒ H 1 ) 12/43

  19. Outline PDP in the Index Calculus 1 Polynomial System Solving 2 PoSSo With Symmetries 3 From Torsion Point to Symmetry 4 Characteristic 2 5 New Computational Record: 8th Summation Polynomial 6 Conclusion 7 13/43

  20. Invariant Polynomial/System Let be given a polynomial system  f 1 ( x 1 , . . . , x n )     . . . S :  f n − 1 ( x 1 , . . . , x n )    f n ( x 1 , . . . , x n ) σ ∈ G ⊂ GL ( K , n ) , σ · f i = f i ( σ · x ) ☞ Assume all f i are invariant under the action of G . How this assumption can help in solving the polynomial system? 14/43

  21. Invariant ring Definition Let K [ x 1 , . . . , x n ] be a polynomial ring and G ⊂ GL ( K , n ) . K [ x 1 , . . . , x n ] G = { p ∈ K [ x 1 , . . . , x n ] | σ · p = p for all σ ∈ G } We want to efficiently solve  f 1 ( x 1 , . . . , x n )     . . . S :  f n − 1 ( x 1 , . . . , x n )    f n ( x 1 , . . . , x n ) under the assumption f 1 , . . . , f n ∈ K [ x 1 , . . . , x n ] G 15/43

  22. Hironaka decomposition Hilbert’s finiteness theorem Let G ⊂ GL ( K , n ) . Its invariant ring K [ x 1 , . . . , x n ] G is finitely generated. t � K [ x 1 , . . . , x n ] G = η i K [ θ 1 , . . . , θ n ] . i =1 primary invariants θ 1 , . . . , θ n ∈ K [ x 1 , . . . , x n ] G secondary invariants η 1 , . . . , η t ∈ K [ x 1 , . . . , x n ] G ☞ primary invariants are algebraically independent 16/43

Recommend

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
The rational group structure of modular Jacobians with applications to torsion points on elliptic

The rational group structure of modular Jacobians with applications to torsion points on elliptic

The rational group structure of modular Jacobians with applications to torsion points on elliptic curves over number fields Maarten Derickx 1 Algant (Leiden, Bordeaux and Milano) LMFDB Workshop 05-06-2014 Talk will only start after you opened:

861 views • 22 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Torsion points on elliptic curves over number fields of small degree. Several variations of

Torsion points on elliptic curves over number fields of small degree. Several variations of

Introduction Variations of Kamiennys Criterion Results of testing the criterion Summary Torsion points on elliptic curves over number fields of small degree. Several variations of kamiennys criterion Maarten Derickx Mathematisch

226 views • 20 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
= Z r T E ( Q ) rank torsion Rank &lt; , hard to compute!

= Z r T E ( Q ) rank torsion Rank &lt; , hard to compute!

A F AMILY OF R ANK S IX E LLIPTIC C URVES OVER N UMBER F IELDS David Mehrle &amp; Tomer Reiter Carnegie Mellon University August 22, 2014 E LLIPTIC C URVES E : y 2 = x 3 + ax 2 + bx + c Elliptic curve Adding points on E makes group

724 views • 19 slides
Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

1.58k views • 16 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago &amp; energy (gas

1.07k views • 76 slides
Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015

Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015

Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015 Lest We Forget Dr. Carmen Bruni Rational Points on an Elliptic Curve Revisit the Congruent Number Problem Congruent Number Problem Determine

572 views • 31 slides
1 / 25 Elliptic Curve Cryptography EC crypto consists of geometric points with an addition

1 / 25 Elliptic Curve Cryptography EC crypto consists of geometric points with an addition

1 / 25 Elliptic Curve Cryptography EC crypto consists of geometric points with an addition operator. Such a set is a group. Any group element G can be multiplied by an integer n by adding G to itself repeatedly. G + G + + G

363 views • 25 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Heegner Points, Stark-Heegner points, and values of L -series Number Theory Section Talk

Heegner Points, Stark-Heegner points, and values of L -series Number Theory Section Talk

Heegner Points, Stark-Heegner points, and values of L -series Number Theory Section Talk International Congress of Mathematicians August 2006, Madrid. Elliptic Curves E = elliptic curve over a number field F L ( E/F, s ) = its Hasse-Weil L

982 views • 39 slides
F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work

F4 traces and index calculus on elliptic curves over extension fields Vanessa VITSE Joint work with Antoine Joux Universit e de Versailles Saint-Quentin, Laboratoire PRISM Elliptic Curve Cryptography, October 20, 2010 Vanessa VITSE (UVSQ)

935 views • 67 slides
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 2 Elliptic curve arithmetic 1/41 The two facets of an elliptic curve

606 views • 42 slides
Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE Antoine JOUX Universit e de Versailles Saint-Quentin, Laboratoire PRISM Eurocrypt 2012

595 views • 44 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides

More recommend