the discrete logarithm problem with preprocessing
play

The Discrete Logarithm Problem with Preprocessing Henry - PowerPoint PPT Presentation

Nov 23, 2022 •279 likes •1.63k views

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford University Eurocrypt 1 May 2018 Tel Aviv, Israel 38 Signatures (DSA and Schnorr) 39 DH key Signatures exchange (DSA and Schnorr) 40

  1. Preliminaries Define a pseudo-random walk on ! : " # ↦ " #%& where ' = Hash " # is a random function " #%& ) " #%& ) %& , " #%∑ + & + " # = - . … If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! 72 [M10, LCH11, BL13]

  2. Preliminaries Define a pseudo-random walk on ! : " # ↦ " #%& where ' = Hash " # is a random function " #%& ) " #%& ) %& , " #%∑ + & + " # = - . … / If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! 73 [M10, LCH11, BL13]

  3. Preliminaries Define a pseudo-random walk on ! : " # ↦ " #%& where ' = Hash " # is a random function " #%& ) " #%& ) %& , " #%∑ + & + " # = - . … / If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! 74 [M10, LCH11, BL13]

  4. Preliminaries Define a pseudo-random walk on ! : " # ↦ " #%& where ' = Hash " # is a random function " #%& ) " #%& ) %& , " #%∑ + & + " # = - . … … / If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! 75 [M10, LCH11, BL13]

  5. Preliminaries Define a pseudo-random walk on ! : " # ↦ " #%& where ' = Hash " # is a random function " #%& ) " #%& ) %& , " #%∑ + & + " # = - . … … / If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! 76 [M10, LCH11, BL13]

  6. Preliminaries Define a pseudo-random walk on ! : " # ↦ " #%& where ' = Hash " # is a random function " #%& ) " #%& ) %& , " #%∑ + & + " # = - . … … / If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! 77 [M10, LCH11, BL13]

  7. Preliminaries Define a pseudo-random walk on ! : " # ↦ " #%& where ' = Hash " # is a random function " #%& ) " #%& ) %& , " #%∑ + & + " # = - . … … / If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! 78 [M10, LCH11, BL13]

  8. Preliminaries Define a pseudo-random walk on ! : " # ↦ " #%& where ' = Hash " # is a random function " #%& ) " #%& ) %& , " #%∑ + & + " # = - . … … / 0 If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! 79 [M10, LCH11, BL13]

  9. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Online phase Walk %(! "/$ ) steps • … … • When you hit a stored point, output the discrete log Advice string 80 [M10, LCH11, BL13]

  10. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Advice: ( %(! "/$ ) bits Online phase Walk %(! "/$ ) steps • … … • When you hit a stored point, output the discrete log Advice string 81 [M10, LCH11, BL13]

  11. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Advice: ( %(! "/$ ) bits Online phase Walk %(! "/$ ) steps • … … • When you hit a stored point, output the discrete log Advice string 82 [M10, LCH11, BL13]

  12. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Advice: ( %(! "/$ ) bits Online phase Walk %(! "/$ ) steps • … … ) * • When you hit a stored point, output the discrete log Advice string 83 [M10, LCH11, BL13]

  13. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Advice: ( %(! "/$ ) bits Online phase Walk %(! "/$ ) steps • … … ) * • When you hit a stored point, output the discrete log Advice string 84 [M10, LCH11, BL13]

  14. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Advice: ( %(! "/$ ) bits Online phase Walk %(! "/$ ) steps • … … ) * • When you hit a stored point, output the discrete log Advice string 85 [M10, LCH11, BL13]

  15. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Advice: ( %(! "/$ ) bits Online phase Walk %(! "/$ ) steps • … … ) * • When you hit a stored point, output the discrete log Advice string 86 [M10, LCH11, BL13]

  16. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Advice: ( %(! "/$ ) bits Online phase Walk %(! "/$ ) steps • … … ) * • When you hit a stored point, output the discrete log Time: ( %(! "/$ ) steps Advice string 87 [M10, LCH11, BL13]

  17. Preprocessing phase Length: ! "/$ Build ! "/$ chains of • length ! "/$ • Store dlogs of chain ! "/$ chains endpoints Advice: ( %(! "/$ ) bits Online phase Walk %(! "/$ ) steps • … … ) * • When you hit a stored point, output the discrete log Time: ( %(! "/$ ) steps Preprocessing time: + Ω(! -/$ ) Advice string 88 [M10, LCH11, BL13]

  18. Generic discrete log 25 256-bi bit ECDL à Without preprocessing: Ω " #/% & '&( ti time à With preprocessing: ) *(" #/, ) & (. ti time Related preprocessing attacks break: • Multiple discrete log problem [This paper] “ • One-round Even-Mansour cipher [FJM14] • Merkle-Damgård hash with random IV [CDGS17] 89

  19. Generic discrete log 25 256-bi bit ECDL à Without preprocessing: Ω " #/% & '&( ti time à With preprocessing: ) *(" #/, ) & (. ti time Related preprocessing attacks break: • Multiple discrete log problem [This paper] • One-round Even-Mansour cipher [FJM14] • Merkle-Damgård hash with random IV [CDGS17] 90

  20. Generic discrete log 256-bi 25 bit ECDL à Without preprocessing: Ω " #/% & '&( ti time à With preprocessing: ) *(" #/, ) & (. ti time Is this dlog attack the best possible?! Related preprocessing attacks break: • Multiple discrete log problem [This paper] • One-round Even-Mansour cipher [FJM14] • Merkle-Damgård hash with random IV [CDGS17] 91

  21. Generic discrete log 25 256-bi bit ECDL à Without preprocessing: Ω " #/% & '&( ti time à With preprocessing: ) *(" #/, ) & (. ti time Related preprocessing attacks break: • Multiple discrete log problem [This paper] • One-round Even-Mansour cipher [FJM14] • Merkle-Damgård hash with random IV [CDGS17] 92

  22. Pairings DH key DDH Signatures exchange (DSA and Schnorr) 93

  23. Pairings DH key DDH Signatures exchange (DSA and Schnorr) Could there exist a generic dlog preprocessing attack with ! = # = $ %/%' ? 94

  24. Pairings DH key DDH Signatures exchange (DSA and Schnorr) Could there exist a generic Preprocessing attacks dlog preprocessing attack with ! = # = $ %/%' ? might make us worry about 256-bit EC groups 95

  25. 96

  26. This talk Background: Preprocessing attacks are relevant • Preexisting ! = # = $ %(' (/* ) generic attack on discrete log Our results: Preprocessing lower-bounds and attacks • The $ %(' (/* ) generic dlog attack is optimal • Any such attack must use lots of preprocessing: Ω(' -/* ) • New $ %(' (/. ) preprocessing attack on DDH-like problem Open questions 97

  27. Th Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: • uses ! bits of group-specific advice, • uses " online time, and • succeeds with probability # , must satisfy: !" $ = & Ω(#)) 98

  28. Th Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: • uses ! bits of group-specific advice, • uses " online time, and • succeeds with probability # , must satisfy: !" $ = & Ω(#)) This bound is tight for the full range of parameters (up to log factors) 99

  29. Th Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: • uses ! bits of group-specific advice, • uses " online time, and • succeeds with probability # , must satisfy: !" $ = & Ω(#)) 100

  30. Th Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: • uses ! bits of group-specific advice, • uses " online time, and • succeeds with probability # , must satisfy: !" $ = & Ω(#)) Shoup’s proof technique (1997) relies on + having no information about the group , when it starts running à Need different proof technique 101

  31. Th Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: • uses ! bits of group-specific advice, • uses " online time, and • succeeds with probability # , must satisfy: !" $ = & Ω(#)) 102

  32. Th Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: • uses + bits of group-specific advice, • uses " online time, and • succeeds with probability ( , must satisfy: +" $ = , Ω(()) Th Theorem. [Our paper] Furthermore, the preprocessing time ! must satisfy !" + " $ = Ω(()) 103

  33. Th Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: • uses + bits of group-specific advice, • uses " online time, and • succeeds with probability ( , must satisfy: +" $ = , Online time ) -// implies Ω(()) Ω() $// ) preprocessing Th Theorem. [Our paper] Furthermore, the preprocessing time ! must satisfy !" + " $ = Ω(()) 104

  34. Th Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: • uses + bits of group-specific advice, • uses " online time, and • succeeds with probability ( , must satisfy: +" $ = , Ω(()) Th Theorem. [Our paper] Furthermore, the preprocessing time ! must satisfy !" + " $ = Ω(()) 105

  35. Reminder: Generic-group model • A group is defined by an injective “l “lab abeling” function !: ℤ $ → 0,1 ∗ • Algorithm has access to a gr group up-op operation on or oracle : * + ! , , ! - ↦ ! , + - , representing (2, 2 3 ), E.g., A dlog algorithm takes as input ! 1 , ! 0 make queries to * + , outputs 0 . 106

  36. We prove the lower bound using an incompressibility argument [Yao90, GT00, DTT10, DHT12, DGK17…] Use ! to compress the mapping ": ℤ % → 0,1 ∗ that defines the group Similar technique used in [DHT12] (Random) Encoder Decoder 4 "(4) 4 "(4) Compressed 1 101 1 101 representation 2 110 2 110 Enc (") ! ! 3 001 3 001 … … • Adv ! uses advice + and online time , such that +, - = /(1) ⇒ Encoder compresses well ⇒ Lower bound on + and , • Random string is incompressible 107

  37. We prove the lower bound using an incompressibility argument [Yao90, GT00, DTT10, DHT12, DGK17…] Use ! to compress the mapping ": ℤ % → 0,1 ∗ that defines the group Similar technique used in [DHT12] (Random) Encoder Decoder 4 "(4) 4 "(4) Compressed 1 101 1 101 representation 2 110 2 110 Enc (") ! ! 3 001 3 001 … … • Adv ! uses advice + and online time , such that +, - = /(1) ⇒ Encoder compresses well ⇒ Lower bound on + and , • Random string is incompressible 108

  38. We prove the lower bound using an incompressibility argument [Yao90, GT00, DTT10, DHT12, DGK17…] Use ! to compress the mapping ": ℤ % → 0,1 ∗ that defines the group Similar technique used in [DHT12] (Random) Encoder Decoder 4 "(4) 4 "(4) Compressed 1 101 1 101 representation 2 110 2 110 Enc (") ! ! 3 001 3 001 … … • Adv ! uses advice + and online time , such that +, - = /(1) ⇒ Encoder compresses well ⇒ Lower bound on + and , • Random string is incompressible 109

  39. We prove the lower bound using an incompressibility argument [Yao90, GT00, DTT10, DHT12, DGK17…] Use ! to compress the mapping ": ℤ % → 0,1 ∗ that defines the group Similar technique used in [DHT12] (Random) Encoder Decoder 4 "(4) 4 "(4) Compressed 1 101 1 101 representation 2 110 2 110 Enc (") ! ! 3 001 3 001 … … Wlog, assume ! is • Adv ! uses advice + and online time , such that +, - = /(1) deterministic ⇒ Encoder compresses well ⇒ Lower bound on + and , • Random string is incompressible 110

  40. We prove the lower bound using an incompressibility argument [Yao90, GT00, DTT10, DHT12, DGK17…] Use ! to compress the mapping ": ℤ % → 0,1 ∗ that defines the group Similar technique used in [DHT12] (Random) Encoder Decoder 4 "(4) 4 "(4) Compressed 1 101 1 101 representation 2 110 2 110 Enc (") ! ! 3 001 3 001 … … • Adv ! uses advice + and online time , such that +, - = /(1) ⇒ Encoder compresses well ⇒ Lower bound on + and , • Random string is incompressible 111

  41. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Encoder & %(&) 1 101 2 110 3 001 4 000 5 1111 … 112

  42. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % & %(&) 1 101 2 110 3 001 4 000 5 1111 … 113

  43. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " & %(&) 1 101 2 110 3 001 4 000 5 1111 … 114

  44. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " & %(&) 1 101 2 110 3 001 4 000 5 1111 … 115

  45. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & ' %(') 1 101 2 110 3 001 4 000 5 1111 … 116

  46. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & * %(*) 1 101 ! $ (000) 2 110 3 001 4 000 5 1111 … 117

  47. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & * %(*) 1 101 ! $ (000) 2 110 3 001 First bitstring in image of % , representing some + , 4 000 5 1111 … 118

  48. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & * %(*) 1 101 ! $ (000) 2 110 3 001 4 000 5 1111 … 119

  49. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & * %(*) 1 101 ! $ (000) 2 110 3 001 4 000 5 1111 … 120

  50. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & * %(*) 1 101 Responses to ! $ ’s ! $ (000) 2 110 queries on 3 001 “000” 4 000 5 1111 … 121

  51. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & + %(+) 1 101 Responses to ! $ ’s ! $ (000) 2 110 queries on 3 001 “000” 4 000 ! $ (001) 5 1111 … 122

  52. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & + %(+) 1 101 Responses to ! $ ’s ! $ (000) 2 110 queries on 3 001 “000” 4 000 ! $ (001) 5 1111 … 123

  53. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & + %(+) 1 101 Responses to ! $ ’s ! $ (000) 2 110 queries on 3 001 “000” Responses 4 000 to ! $ ’s ! $ (001) 5 1111 queries on “001” … 124

  54. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & + %(+) 1 101 Responses to ! $ ’s ! $ (000) 2 110 queries on 3 001 “000” Responses 4 000 to ! $ ’s ! $ (001) 5 1111 queries on “001” … … … 125

  55. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & , %(,) 1 101 Responses to ! $ ’s ! $ (000) 2 110 queries on 3 001 “000” Run ! $ on + instances, Responses 4 000 for some parameter + to ! $ ’s ! $ (001) 5 1111 queries on “001” … … … 126

  56. a: Use preprocessing dlog adversary ! " , ! $ to build a Pr Proof oof idea: compressed representation of the mapping % . [Yao90, GT00, DHT12] Compressed Encoder representation of % ! " st & , %(,) 1 101 Responses to ! $ ’s ! $ (000) 2 110 queries on 3 001 “000” Run ! $ on + instances, Responses 4 000 for some parameter + to ! $ ’s ! $ (001) 5 1111 queries on “001” … … … Rest of % 127

  57. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances 110 1 101 111 • Whenever % ( outputs a … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 128

  58. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances 110 1 101 % ( (000) 111 • Whenever % ( outputs a … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 129

  59. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances 110 1 101 % ( (000) 111 • Whenever % ( outputs a … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 130

  60. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances " 2 = ? 110 1 101 % ( (000) 111 • Whenever % ( outputs a … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 131

  61. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances " 2 = ? 110 1 101 % ( (000) 111 • Whenever % ( outputs a “110” … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 132

  62. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances " 2 = ? 110 1 101 % ( (000) 111 • Whenever % ( outputs a “110” … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 133

  63. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances 110 1 101 % ( (000) 111 • Whenever % ( outputs a … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 134

  64. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances " 5 = ? 110 1 101 % ( (000) 111 • Whenever % ( outputs a … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 135

  65. a: Use preprocessing dlog adversary % & , % ( to build a Pr Proof oof idea: compressed representation of the mapping " . [Yao90, GT00, DHT12] Compressed Decoder representation of " st ) ! "(!) • Run % ( on - instances " 5 = ? 110 1 101 % ( (000) 111 • Whenever % ( outputs a “111” … 2 110 dlog, we get one value "(!) “for free” 3 001 101 4 000 … 5 1111 … … Rest of " 136

Recommend

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute of Technology Discrete logarithm problem. The discrete logarithm problem (DLP) in a finite cyclic group G : for any pair g , h G find a

673 views • 18 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de Lorraine, Inria Nancy, France joint work with Razvan Barbulescu, Antoine Joux, Emmanuel Thom RICAM Linz, Austria 1/42 Plan Background Recent

598 views • 49 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Discrete Log Problem Discrete Log Problem Given a prime number p Z * x

Discrete Log Problem Discrete Log Problem Given a prime number p Z * x

Discrete Log Problem Discrete Log Problem Given a prime number p Z * x (mod p ) Given a prime number p , Z p , (mod p ) finding x is called the discrete logarithm problem Not every discrete

640 views • 11 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields Christophe Petit, Michiel Kosters, Ange Messeng University of Oxford, University of California Irvine, University of Passau Christophe Petit - PKC2016 -

562 views • 41 slides
Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
The DLP Problem Consider G, having order n. < >={ i :0 i n-1} is a

The DLP Problem Consider G, having order n. < >={ i :0 i n-1} is a

The Discrete Logarithm Problem Debdeep Mukhopadhyay IIT Kharagpur The DLP Problem Consider G, having order n. < >={ i :0 i n-1} is a cyclic sub-group of G having order n. 1 Cryptographic Utility of DLP For

334 views • 9 slides
A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 , P. Gaudry 2 , N. Heninger 1 , E. Thom e 2 1 U. Penn ; 2 Caramba/Inria/Loria Nov 13rd, 2017 A kilobit hidden SNFS discrete logarithm computation

441 views • 42 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Crypto 2020 Virtual Conference 1/29 The discrete

338 views • 29 slides
The Natural Logarithm Function x n dx = x n +1 Problem: The formula n + 1 + c has one problem

The Natural Logarithm Function x n dx = x n +1 Problem: The formula n + 1 + c has one problem

The Natural Logarithm Function x n dx = x n +1 Problem: The formula n + 1 + c has one problem it doesnt hold for n = 1. 1 On the other hand, we know from the Fundamental Theorem of Calculus that x dx exists everywhere except at

262 views • 10 slides
Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving RSA-240, DLP-240, RSA-250 Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thom e, Paul Zimmermann ere de l FB:

466 views • 31 slides
Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey Pierrick Gaudry Hamza Jeljeli Emmanuel Thom e Marion Videau Paul Zimmermann CARAMEL project-team, LORIA, INRIA / CNRS / Universit e de

419 views • 22 slides
Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song) Department of Mathematical Sciences and ISaC-RIM Seoul National University December 13, 2013 1 / 41

557 views • 41 slides
The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics University of Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate (encrypt and decrypt)

410 views • 38 slides
A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 e 2 Emmanuel Thom IMJ-PRG, Paris Loria, Nancy LIP6, Paris R.

606 views • 41 slides
Review - Mathematical Tools & Probability Logarithm Fundamentals of Probability Discrete

Review - Mathematical Tools & Probability Logarithm Fundamentals of Probability Discrete

Mathematical Tools Summation Operator The Natural Review - Mathematical Tools & Probability Logarithm Fundamentals of Probability Discrete & Continuous Random Variable Caio Vigo Features of Probability Distributions Expected

699 views • 50 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides
Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team Ecole Polytechnique / LIX Asiacrypt 2015 Conference, Auckland, New Zealand, November 30 Aurore Guillevic

711 views • 51 slides
Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental Mathematics University of Duisburg-Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate

841 views • 53 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France February 26th, 2020 Northeastern University, Boston

657 views • 40 slides
PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and

PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and

Public Key Cryptography PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and Secure Authentication David Pointcheval Dpartement d Informatique ENS - CNRS David.Pointcheval@ens.fr

266 views • 13 slides

More recommend