On Generating Coset Representatives of P GL 2 (F q ) in P GL 2 (F q 2)

Transcription

1 On Generating Coset Representatives of P GL 2 F q in P GL 2 F q 2 Jincheng Zhuang 1,2 and Qi Cheng 3 1 State Key Laboratory of Information Security Institute of Information Engineering Chinese Academy of Sciences, Beijing , China 2 State Key Laboratory of Mathematical Engineering and Advanced Computing Wuxi , China zhuangjincheng@iieaccn 3 School of Computer Science The University of Oklahoma Norman, OK 73019, USA qcheng@ouedu Abstract There are q 3 +q right P GL 2F q cosets in the group P GL 2F q 2 In this paper, we present a method of generating all the coset representatives, which runs in time Õq3, thus achieves the optimal time complexity up to a constant factor Our algorithm has applications in solving discrete logarithms and finding primitive elements in finite fields of small characteristic Keywords: Projective linear group, Cosets, Discrete logarithm, Primitive elements 1 Introduction The discrete logarithm problem DLP over finite fields underpins the security of many cryptographic systems Since 2013, dramatic progresses have been made to solve the DLP when the characteristic is small [18, 15, 5, 16, 6, 17, 7, 19, 10, 9, 8, 3, 4, 20, 11, 21, 12, 13, 1, 2] Particularly, for a finite field F q n, Joux [19] proposed the first algorithm with heuristic running time at most q n1/4+o1 Subsequently, Barbulescu, Gaudry, Joux and Thomé[3] proposed the first algorithm with heuristic quasi-polynomial running time q log no1 In [20], these algorithms are coined as Frobenius representation algorithms One key component of algorithms in [19] and [3] is the relation generation, which requires enumerating the cosets of P GL 2 F q in P GL 2 F q d, where d is a small integer, eg d = 2 [19] Huang and Narayanan [14] have applied Joux s relation generation method for finding primitive elements of finite fields of small characteristic There is another method of generating relations, see [7] Recall that for a given finite field F q, the projective general linear group P GL 2 F q = GL 2 F q /E, where E is the subgroup of GL 2 F q consisting of

2 non-zero scalar matrices Following the notion in [3], we denote P q as a set of the right cosets of P GL 2 F q in P GL 2 F q 2, namely, P q = {P GL 2 F q t t P GL 2 F q 2} Note that the cardinality of P q is q 3 + q It was shown in [3] that the matrices in the same right coset produce the same relation In [19], Joux suggested two ways to generate relations: the first is to investigate the structure of cosets of P GL 2 F q in P GL 2 F q 2, and the second is to use hash values to remove duplicate relations The second approach needs to enumerate the elements in P GL 2 F q 2 that has cardinality about q 6, hence has time complexity at least q 6 It may not be the most time-consuming part inside a subexponential algorithm However, if we want a more efficient algorithm to compute the discrete logarithms of elements, or to construct a primitive element, this complexity can be a bottleneck In this paper, we develop the first approach to generate cosets representatives efficiently 11 Our result In this work, we give an almost complete characterization of P q The case of determining left cosets is similar Our main result is the following: Theorem 1 There exists a deterministic algorithm that runs in time Õq3 and computes a set S P GL 2 F q 2 such that 1 S q 3 + 2q 2 q + 2; 2 P q = {P GL 2 F q t t S} Here we follow the convention that uses the notation Õfq to stand for Ofq log O1 fq Note that the time complexity of our algorithm is optimal up to a constant factor, since the P q has size q 3 + q 2 A Preliminary Classification We deduce our main result by two steps Firstly, we describe a preliminary classification Then, we deal with the dominating case In this section, the main technical tool we use is the fact that the following operations on a matrix over F q 2 will not change the membership in a right coset of P GL 2 F q in P GL 2 F q 2: Multiply the matrix by an element in F q 2 ; Multiply a row by an element in F q; Add a multiple of one row with an element in F q into another row; Swap two rows Proposition 1 Let g be an element in F q 2 \ F q Each right coset of P GL 2 F q in P GL 2 F q 2 is equal to P GL 2 F q t, where t is one of the following four types: 2

3 1 b I, where b, c F c 1 q 2 \ F q, bc 1 1 b1 II, where b g d 2 g 1, d 2 F q, b 1 d III, where c F c d q, d F 2 q IV, where c F c d q 2, d F q 2 a b Proof Let be a representative of a right coset of P GL c d 2 F q in P GL 2 F q 2 If any of a, b, c, d is zero, then we divide them by the other non-zero element in the same row, and swap rows if necessary, we will find a representative of type III or IV So we may assume that none of the entries are zero Dividing the whole matrix by a, we can assume a = 1 Consider the nonsingular matrix 1 b 1 + b 2 g, c 1 + c 2 g d 1 + d 2 g where b i, c i, d i F q for 1 i 2 We distinguish the following cases Note that we may also assume c 1 = 0, since we can add the multiple of the first row with c 1 into the second We start with the matrix 1 b1 + b 2 g c 2 g d 1 + d 2 g where c 2 0 Case 1 b 2 0 Subtracting d2 b 2 times the first row from the second row, the matrix becomes d2 b 2 1 b 1 + b 2 g + c 2 g d 1 b1d2 b 2 We can assume that d 1 b1d2 b 2 0 The matrix is in the same coset with a matrix of type I since we can divide the second row by d 1 b1d2 b 2, and b 2 and c 2 are not zero Case 2 b 2 = 0 We will assume b 1 0 After subtracting d1 b 1 times the first row from the second row, the matrix becomes Assume d 2 0 d1 b 1 1 b 1 + c 2 g d 2 g 1 If d 1 = 0, then the matrix can be reduced to type II by dividing the second row by c 2 3

4 2 If d 1 0, adding the product of the second row with b1 d 1 into the first row, we get b1c 2 d 1 g b 1 + b1d2 d 1 g d1 b 1 + c 2 g d 2 g Dividing all the entries in the matrix by g, we get b 1c 2 b 1d 2 d 1 d 1 + b 1 g 1 c 2 d1 b 1 g 1 d 2 Dividing the first row by b1c2 d 1 to type I, since b1d2 d 1 and the second row by d 2, the matrix is reduced + b 1 g 1 and c 2 d1 b 1 g 1 are in F q 2 \ F q There are only Oq 2 many possibilities for Case II Next, we simplify cases III and IV further As a conclusion, we can see that there are only Oq 2 many possibilities in Case III and IV as well Proposition 2 Let = c d c 1 + c 2 g d 1 + d 2 g be one representative of a right coset of P GL 2 F q in P GL 2 F q 2, where c 1, c 2, d 1, d 2 F q Then it belongs to P GL 2 F q t, where t is of the following two types: 0 1 III-a:, where d g d 2 g 2 F q 0 1 III-b:, where c 1 + c 2 g d 2 g 2 F q, d 2 F q Proof There are two cases to consider 1 Assume c 1 = 0 Subtracting the second row by the first row times d 1, we get 0 1 c 2 g d 2 g Since c 2 0, after dividing the second row by c 2, the matrix is reduced to type III-a 2 Assume c 1 0 Subtracting the second row by the first row times d 1, we get 0 1 c 1 + c 2 g d 2 g Dividing the second row by c 1, we get c 2 g d2 c 1 g Thus the matrix is reduced to type III-b, which completes the proof 4

5 Similarly, we have the following proposition Proposition 3 Let = c d c 1 + c 2 g d 1 + d 2 g be one representative of a right coset of P GL 2 F q in P GL 2 F q 2 Then it belongs to P GL 2 F q t, where t is of the following two types: 1 0 IV-a:, where c c 2 g g 2 F q 1 0 IV-b:, where c c 2 g 1 + d 2 g 2 F q, d 2 F q 3 The dominating case In this section, we show how to reduce the cardinality of type I in Proposition 1 from Oq 4 to Oq 3, which is the main case of representative of cosets The following proposition shows that if 1 b 1 b A 1 =, A c 1 2 = c 1 are of type I and b q b c c q = b q b 1 bcq c, c q b c q = 1 b c q b c q, then A 1 and A 2 are in the same coset Note that the first value is in F q Considering parameters of the above special format is inspired by the equations appeared in [19] Proposition 4 Fix v F q and w F q 2 Suppose that we solve the equations { x q x y y q = v, 1 xy q y y q = w, 1 under conditions x, y F q 2 \ F q and xy 1, and find two pairs of solutions b, c, b, c, then A 1 and A 2 are in the same right coset of P GL 2 F q in P GL 2 F q 2, where A 1 = 1 b, A c 1 2 = 1 b Proof The proof consists of two steps Firstly, we will parametrize the variety corresponding to solutions of x, y s to equations 1 Then we will deduce the desired result c 1 5

6 Note that x, y are in F q 2, we have x q2 = x and y q2 = y From equations 1, it follows that w q = 1 xyq y y q q = 1 xq y y q y So wq v = 1 xq y x x q and y wq v = xy 1 x x q Thus y wq v q+1 = xy 1xq y q 1 x q xx x q = 1 xyq 1 x q y x q xx x q y yq x q x, which equals wq v q+1 1 v Besides, we have vy + w + w q = yx xq y y q Hence equations 1 imply the following + 1 xyq y y q + xq y 1 y y q = x {y wq v q+1 = wq v q+1 1 v F q, x = vy + w + w q 2 Let γ be one of the q + 1-th roots of wq v q+1 1 v Suppose that c = wq v + ζ 1γ, c = wq v + ζ 2γ, where ζ 1, ζ 2 are two distinct q + 1-th roots of unity, and It follows that A 1 = w q v + ζ 1γ 1 Since A 2 is not singular, we deduce Thus, A 1 A 1 2 = = b = vc + w + w q = w vζ 1 γ, b = vc + w + w q = w vζ 2 γ 1 w vζ 1 γ 1 w vζ, A 2 = 2 γ w q v + ζ 2γ 1 A 1 2 = 1 deta 2 1 vζ1 γ w wq deta 2 1 deta 2 m11 m 12 m 22 1 w + vζ 2 γ wq v ζ 2γ 1 v + ζ 2γ + 1 vζ 1 γ ζ 2 γ ζ 1 γ ζ 2 γ vζ 2 γ w wq v + ζ 1γ + 1 6

7 Note that m 12 = v, m 11 m 22 = w q + w They imply that m12 and m11 m22 F q It remains to prove m11 F q Let δ = m11 Note that F q δ F q δ = δ q m 11 m q 21 = mq 11 m 11 m q 21 F q Since γ q+1 = wq v q+1 1 v = wq+1 v v, we have wq+1 2 v = vγ q Hence m 11 = w q ζ 1 γ + vζ 1 γζ 2 γ wζ 2 γ vγ q+1 Thus m 11 m q 21 = γq+1 {w q + w wζ q 1 ζ 2 + w q ζ 1 ζ q 2 + vζ 2γ + ζ q 2 γq vζ 1 γ + ζ q 1 γq } Since γ q+1 F q, w q + w F q, wζ q 1 ζ 2 + w q ζ 1 ζ q 2 F q, ζ 2 γ + ζ q 2 γq F q, ζ 1 γ + ζ q 1 γq F q, we deduce m 11 m q 21 F q, which implies m11 F q and m22 F q Thus A 1 A 1 2 = ζ 1γ ζ 2 γ m11 deta 2 P GL 2 q, v 1 m22 which implies that A 1 and A 2 are in the same right coset of P GL 2 F q in P GL 2 F q 2 This completes the proof Remark 1 Following a similar approach, it can be shown that A 1 and A 2 are also in the same left coset of P GL 2 F q in P GL 2 F q 2 The map sending x to x q+1 is a group endomorphism from F q 2 to F q Observe that wq v q+1 1 v is in F q If it is not zero, then y wq v q+1 = wq v q+1 1 v 3 has q + 1 distinct solutions in F q 2 Out of these solutions, at most two of them satisfy vy + w + w q y = 1 because the degree on y is two All the other solutions satisfy xy 1 Lemma 2 Of all the solutions of equation 3, at most two of them are in F q 7

8 Proof The number of solution in F q is equal to the degree of gcdy q y, y w q v q+1 wq v q v And y wq v q+1 wq v q v =y q w wq y vq v wq v q v y w wq y vq v wq v q v The last polynomial has degree 2 mod y q y We observe that vy + w + w q is in F q if and only if y is in F q Thus we have Corollary 3 Suppose that q 4, and wq v q+1 1 v 0 There must exist one solution of equation 2 that satisfy x, y F q 2 \ F q and xy 1 Remark 2 To list all coset representatives of type I in Proposition 1, one can find one pair of b, c F q 2 \ F q F q 2 \ F q for every v, w F q F q 2 by solving equations 2 Assume that q 4 In order to solve equations 2, one can build a table indexed by elements in F q In the entry of index α F q, we store 5 distinct q + 1-th roots of α in F q 2 The table will be built in advance, in time at most Õq2 For given v F q and w F q 2, one can find y F q 2 satisfying equation 3 and x as vy + w + w q in time log O1 q such that xy 1 and x, y F q 2 \F q since there are at most 4 such pairs from the discussion above Thus, determining the dominating case can be done in time Õq3 4 Concluding remarks We summarise our algorithm in Algorithm 1 Based on the discussions above, the number of representatives of type I, II, III and IV is no more than q 3 q 2, q 2 3q + 2, q 2 + q and q 2 + q respectively, thus the total number of representatives of all four types counting repetitions is no more than q 3 + 2q 2 q + 2 From Remark 2, we can see that the time complexity is Õq3 Hence Theorem 1 follows 5 Acknowledgements We are indebted to anonymous reviewers and Robert Granger for helpful comments The research is partially supported by China 973 Program No 2011CB and the Strategic Priority Research Program of the Chinese Academy of Sciences No XDA and the Open Project Program of the State Key Laboratory of Mathematical Engineering and Advanced Computing for Jincheng Zhuang, and by China 973 Program No 2013CB and by US NSF No CCF for Qi Cheng 8

9 References 1 Gora Adj, Alfred Menezes, Thomaz Oliveira, and Francisco Rodríguez-Henríquez Computing discrete logarithms in F and F using Magma In Arithmetic of Finite Fields - 5th International Workshop, WAIFI 2014, pages 3 22, Gora Adj, Alfred Menezes, Thomaz Oliveira, and Francisco Rodríguez-Henríquez Weakness of F and F for discrete logarithm cryptography Finite Fields and Their Applications, 32: , Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, and Emmanuel Thomé A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic In Advances in Cryptology - EUROCRYPT 2014, pages 1 16, Qi Cheng, Daqing Wan, and Jincheng Zhuang Traps to the BGJT-algorithm for discrete logarithms LMS Journal of Computation and Mathematics Special issue for ANTS 2014, 17: , Faruk Göloglu, Robert Granger, Gary McGuire, and Jens Zumbrägel Discrete logarithms in GF NMBRTHRY list, 19/2/ Faruk Göloglu, Robert Granger, Gary McGuire, and Jens Zumbrägel Discrete logarithms in GF NMBRTHRY list, 11/4/ Faruk Göloglu, Robert Granger, Gary McGuire, and Jens Zumbrägel On the function field sieve and the impact of higher splitting probabilities In Ran Canetti and Juan A Garay, editors, CRYPTO, volume 8043 of Lecture Notes in Computer Science, pages Springer, Faruk Göloglu, Robert Granger, Gary McGuire, and Jens Zumbrägel Solving a 6120-bit DLP on a desktop computer In Selected Areas in Cryptography - SAC 2013, pages , Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel Discrete logarithms in GF NMBRTHRY list, 31/1/ Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel Discrete logarithms in the Jacobian of a genus 2 supersingular curve over GF2 367 NMBRTHRY list, 30/1/ Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel Breaking a 128-bit secure supersingular binary curve-or how to solve discrete logarithms in F and F In Advances in Cryptology-CRYPTO 2014, pages , Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel On the powers of 2 Cryptology eprint Archive, Report 2014/300, Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel On the discrete logarithm problem in finite fields of fixed characteristic arxiv: v1, Ming-Deh Huang and Anand Kumar Narayanan Finding primitive elements in finite fields of small characteristic In Proc 11th Int Conf on Finite Fields and Their Applications, Topics in Finite Fields, AMS Contemporary Mathematics Series, Antoine Joux Discrete logarithms in GF NMBRTHRY list, 11/2/ Antoine Joux Discrete logarithms in GF NMBRTHRY list, 22/3/ Antoine Joux Discrete logarithms in GF NMBRTHRY list, 21/5/ Antoine Joux Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields In Thomas Johansson and Phong Q Nguyen, editors, EUROCRYPT, volume 7881 of Lecture Notes in Computer Science, pages Springer, Antoine Joux A new index calculus algorithm with complexity L1/4+o1 in small characteristic In Selected Areas in Cryptography - SAC 2013, pages ,

10 20 Antoine Joux and Cécile Pierrot Improving the polynomial time precomputation of frobenius representation discrete logarithm algorithms - simplified setting for small characteristic finite fields In Advances in Cryptology - ASIACRYPT 2014, pages , Thorsten Kleinjung Discrete logarithms in GF NMBRTHRY list, 17/10/

11 Algorithm 1 Algorithm of generating right coset representatives of P GL 2 F q in P GL 2 F q 2 Input: A prime power q 4 and an element g F q 2 F q Output: A set S including all right coset representatives of P GL 2F q in P GL 2F q 2 1: for α F q do 2: R[α] 3: end for 4: for β F q 2 do 5: α β q+1 6: if the cardinality of R[α] is < 5 then 7: R[α] R[α] {β} 8: end if 9: end for Now R[α] is a set consisting of at most 5 q + 1-th root of α 10: S Initialize S 11: for v, w F q F q 2 do Adding elements of type I in Proposition 1 12: α wq v q+1 1 v 13: for r R[α] do 14: y wq v 15: x vy + w + w q 16: if xy 1 and x F q and y F q then 1 x 17: S S { } y 1 18: break 19: end if 20: end for 21: end for 22: for b 1, d 2 F q F q do Adding elements of type II in Proposition 1 23: if b 1 d 2 then 1 b1 24: S S { } g d 2g 25: end if 26: end for 27: for d 2 F q do Adding elements of type III in Proposition : S S { } g d 2g 29: end for 30: for c 2, d 2 F q F q do : S S { } 1 + c 2g d 2g 32: end for 33: for c 2 F q do Adding elements of type IV in Proposition : S S { } c 2g g 35: end for 36: for c 2, d 2 F q F q do : S S { } c 2g 1 + d 2g 38: end for 39: return S; 11