Non-generic attacks on elliptic curve DLPs

Transcription

1 Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

2 Motivation Motivation The cliché: Elliptic curve discrete logarithms are as hard as possible. Idealistically: elliptic curves are used as approximations of black-box cyclic abelian groups. But There s nothing black-box about a smooth plane cubic. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

3 Motivation Parameter selection What parameters does E/F q have? Base field, q = p n. Exploit field structure? Isomorphism class, j(e)... Exploit the geometry? plus a choice of twist Attack the twist? Isogeny class, t = #E(F q ) (q + 1). Exploit order? What are the bad choices of q, t, j, N? Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

4 Equivalence classes Equivalence classes Generic DLP algorithms: looking for collisions in a search space. If we can divide points into equivalence classes with a fast comparison test: Shrink the search space = faster DLP. Equivalence classes of size c = DLP in O( N/c) For example: automorphism orbits would work... But the automorphism group is too small to gain much. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

5 Subfield curves Equivalence classes Suppose E is a subfield curve: ie, E is defined over F p, but we use a prime-order subgroup of E(F q ) with q = p n, n > 1. Why would you do this anyway? Easier to work out the cardinality, and small coefficients (being in F p )) may speed up arithmetic... E(F p ) E(F q ) is a nontrivial subgroup, so N #E(F q )/#E(F p ). E/F p has a Frobenius endomorphism π : (x, y) (x p, y p ) So we can split #E(F q ) into equivalence classes: P Q P = π e (Q). Classes have size n = the DLP runs n times faster. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

6 Equivalence classes So: If you re using an extension field, don t use a subfield curve. Q: Are other curves defined over extension fields ok? Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

7 Weil descent Weil descent Suppose E is defined over an extension field: E/F q n, n > 1. E is a one-dimensional object over a degree-n field. Think of the complex numbers: C is a line (one-dimensional) over a quadratic extension R( 1), but can also visualise it as R 2. In the same way: the one-dimensional vector space F q n is isomorphic to the n-dimensional vector space F n q. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

8 Weil descent Weil descent / Restriction of scalars Weil descent is a direct tradeoff of dimension vs degree. The Weil restriction W of E is an n-dimensional algebraic group over F q (not F q n) whose F q -points correspond to F q n-points of E. The Weil restriction always exists, and doesn t weaken E in itself. But if we re lucky, we might be able to transform all (or part) of W into the Jacobian of a higher-genus curve, which we can attack using index calculus. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

9 Weil descent Weil descent of an elliptic curve Let s try n = 3, with q = 2 e for some e and F q 3 = F q [θ]/(θ 3 + θ + 1). F q 3 = ψ 0 = 1, ψ 1 = θ 2, ψ 2 = θ 4 F q Any elliptic curve over F q 3 is = to one in the form E/F q 3 : y 2 + xy = x 3 + (b 0 ψ 0 + b 1 ψ 1 + b 2 ψ 2 ). Equations for Weil restriction W: substitute x = x 0 ψ 0 + x 1 ψ 1 + x 2 ψ 2, y = y 0 ψ 0 + y 1 ψ 1 + y 2 ψ 2, get 3 equations over F q by collecting coefficients of the ψ i. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

10 Explicit Weil restriction Weil descent So: Weil restriction W of E : y 2 + xy = x 3 + (b 0 ψ 0 + b 1 ψ 1 + b 2 ψ 2 ) is defined in (x 0, x 1, x 2, y 0, y 1, y 2 )-space by the three equations x0 3 + x 0 2x2 + x0x x0y1 + x0y2 + x x1x x1y0 + x1y2 + x x2y0 + x2y1 x0 3 + x 0 2x1 + x0x x0y1 + x0y2 + x 1 2x2 + x1x x1y0 + x1y1 + x x2y0 + x2y2 + y y b2 + b0 x0 2x1 + x 0 2x2 + x0x x0x x0y0 + x0y2 + x x1y1 + x1y2 + x x2y0 + x2y1 + y y b2 + b1 To get a curve in W, intersect with (say) x 0 = u, x 1 = u, x 2 = u: C : ( y uy 0 = u 3 + b 0, y uy 1 = u 3 + b 1, y uy 2 = u 3 + b 2 ) Irreducible unless b 0 = b 1 = b 2 (so β F q ). Eliminate y 1, y 2, put v = y 0 : C : v 8 + u 7 v + u 12 + u 10 + u 9 + b 0 u 6 + b 2 2u 4 + b 4 1. It may not be obvious, but C is hyperelliptic of genus 3. Desingularize C C = explicit isogeny Φ : W Jac( C). Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

11 Weil descent Discrete logarithms on the Weil restriction Start with a DLP instance in E(F q 3) Q = (x Q, y Q ) = [m](x P, y P ) = [m]p Weil-restricting, we get a DLP instance in W(F q ): (x Q 0, x Q 1, x Q 2, y Q 0, y Q 1, y Q 2 ) = [m](x P 0, x P 1, x P 2, y P 0, y P 1, y P 2 ) ; map through Φ to get a DLP instance in Jac(C): [ 3 ] [ i=1 (uq i, v Q 3 ] i ) D 0 = m i=1 (up i, vi P ) D 0 Solve DLP instance using index calculus in Jac( C) in time Õ(q4/3 ) Beats Õ(q3/2 ) using generic methods in E(F q 3). Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

12 Weil descent Gaudry Hess Smart In more generality: Theorem (Gaudry Hess Smart, 2000) Let n 4 be fixed. Write q = 2 e. As e, we can solve the DLP in E(F q n) for a significant proportion of all elliptic curves E/F q n in time O(q 2+ɛ ). For comparison: generic attacks require time O(q n/2 ). Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

13 Reductions So: In practice, use F p or F p 2, or F 2 n (with n prime) Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

14 Pairings Using pairings to move DLPs Suppose E is an elliptic curve over F p such that E(F p ) contains a subgroup G of large prime order N. Let k be the embedding degree with respect to N and p so k is the smallest integer such that N divides p k 1. We have a pairing e : E[N] E[N] µ N F p k which we can use to move the DLP from G into F p k. If k is small enough, we can solve the DLP in F p k faster than we can solve it in G. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

15 Pairings Menezes Okamoto Vanstone (MOV) Reduction Input A point P in E(F p ) of prime order N, and a point Q in P. Output An integer m such that Q = [m]p. 1 Compute the embedding degree k for N and p. 2 Compute a point S E(F p k ) such that e N (P, S) 1. Randomly chosen S succeeds with overwhelming probability. 3 Set z 1 = e N (P, S) and z 2 = e N (Q, S). 4 Compute an integer m such that z m 1 = z 2 in F p k, using index calculus (ie, solve the DLP in F p k ). 5 Return m. Index calculus in F p k is subexponential in k log p. The whole algorithm is subexponential if k is small (polynomial in log p). Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

16 Pairings Balasubramanian Koblitz Luckily, a low embedding degree basically never happens by accident. Theorem (Balasubramanian and Koblitz (1998)) Let (p, E) be a randomly chosen pair consisting of a B-bit prime p and an elliptic curve E/F p such that N = #E(F p ) is prime. The probability that N (p k 1) for some k (log p) 2 is less than c B9 log 2 B 2 B for some effectively computable constant c > 0. Noteworthy exceptions: pairing-friendly curves, including all supersingular elliptic curves. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

17 Pairings So: Don t use pairing-friendly curves for ordinary DLP-based systems. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

18 Mapping into the additive group Mapping into the additive group DLPs in the additive group are really fast: they re just (modular) division. When can we map an ECDLP instance into (F p, +)? If E(F p ) is cyclic of prime order N, then a homomorphism E(F p ) (F p, +) is only nontrivial if N = p. This can happen (p is certainly in the Hasse interval): we call these trace-1 curves anomalous curves. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

19 Mapping into the additive group Homomorphisms into the additive group Suppose E is defined over F p, and that #E(F p ) = p. Several approaches to mapping E(F p ) into (F p, +) (Semaev, Smart, Araki Satoh, Rück...) We follow Semaev s approach: an additive version of the Tate pairing gives a homomorphism E(F p ) Ω 1 (E) = (F p, +). (recall that Ω 1 (E) = regular differentials on E). Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

20 Rück s approach Mapping into the additive group Suppose #E(F p ) = p. If P is in E(F p ) then [p]p = O E, so p((p) (O E )) = (f P ) for some f P in F p (E) (Miller function!) Serre: the differential df P /f P is regular at O E. Expand at O E with local parameter t = x y (t(o E) = 0 with mult. 1): df P f P = (a 0 + a 1 t + a 2 t 2 + )dt Product rule for differentials + Algebra of Miller functions = P f P a 0 is a homomorphism! Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

21 Mapping into the additive group Solving DLPs on anomalous curves To solve a DLP instance Q = [m]p on an anomalous curve E/F p : 1 Compute a 0 (P) and a 0 (Q) using Miller loops Don t compute f P, f Q : build up the a 0 values using a double-and-add loop 2 Then m a 0 (Q)/a 0 (P) (mod p). The number of E(F p )-operations is linear in log p. This reduction is easy to implement! Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

22 Mapping into the additive group So: NEVER use anomalous curves. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

23 Attacking the twist Diffie Hellman key exchange 1 A and B public fix a group G and a generator X 0 G. 2 A and B choose secret multipliers s A, s B Z/(#G). 3 A computes X A := [s A ]X 0 and makes it public; B computes X B := [s B ]X 0 and makes it public. 4 A and B compute the shared secret [s A s B ]X 0 = [s A ]X B = [s B ]X A. G can be a set, not a group; scalars s A and s B an abelian semigroup acting on G. Need a hard DHP (given X 0, [s A ]X 0, [s B ]X 0, find [s A s B ]X 0 ) Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

24 Attacking the twist Diffie Hellman / Montgomery Consider the curve E : y 2 = x(x 2 + Ax + 1) over F p. x([ 1]P) = x(p) for all P in E(F q ) Can compute [m] x(p) = x([m]p) in terms of x(p) and A: no need for y-coordinates This is a good move for Diffie Hellman implementations save a lot of time, and a bit of space Something funny: The x-coordinate maps [m] work (and compose properly) for any input x, not just x(p) for P E(F p )! In this case: Garbage In Garbage Out... Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

25 Attacking the twist Diffie Hellman / Montgomery The curve: E : y 2 = x(x 2 + Ax + 1) over F p. Quadratic twist: E : By 2 = x(x 2 + Ax + 1), where B is a nonsquare in F p. Every α in F p satisfies one of: 1 (α, 0) E[2](F p ) and (α, 0) E [2](F p ) 2 α = x(p) for some P E(F p ) \ E[2](F p ) 3 α = x(p ) for some P E (F p ) \ E [2](F p ) = #E(F p ) + #E (F p ) = 2(p + 1). Even if E has a strong group order, E can be weak Fouque Réal Lercier Vallette attack: sneak in α = x(p ), where P is a point on the quadratic twist, then solve the DHP on the twist instead. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

26 Attacking the twist So: Avoid curves with insecure twists. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27

27 Isogenies Extending attacks with isogenies If E/F p is weak and E E is a computable F p -isogeny, then E should be weak, too. Anomalous curves Isogeny invariant: no gain. The entire isogeny class t = 1 is already weak. Pairing-friendly curves Isogeny invariant: no gain. Pairing-friendliness is a function of the group order and the field, not curve geometry Twist security Isogeny invariant: no gain. Weil descent Amenability is not isogeny-invariant. Starting from a strong curve and exploring its isogeny graph, we may land on a weak curve. (Galbraith Hess Smart) Subfield curves Not isogeny invariant. Avoid isogeny classes corresponding to subfield-curve traces. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/ / 27