Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Transcription

1 Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

2 Ciphering a message Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

3 The discrete log problem Given G and g, h G, ask What is α such that g α = h? If exponentiation is fast but the DLP is hard, this is a good problem for cryptography. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

4 Cryptography using DLP Preparation of receiver: Fix G, g G and k Z Publish G, g and h = g k Encryption of m by sender: Choose y Send c 1 = g y and c 2 = mh y Decryption by receiver: c 2 c k 1 = mh y g ky = mg ky g ky = m. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

5 The DLP and elliptic curves The group G is going to be E(F q ) for some elliptic curve, in which case g and h are points on E and we are trying to find an integer k with kg = h. One way of attacking a discrete log problem is simple brute force: try all possible values of k until one works. This is impractical when the answer k can be an integer of several hundred digits, which is a typical size used in cryptography. Therefore, better techniques are needed. One might wonder why elliptic curves are used in cryptographic situations. The reason is that elliptic curves provide security equivalent to classical systems while using fewer bits. For example, it is estimated that a key size of 4096 bits for RSA gives the same level of security as 313 bits in an elliptic curve system. This means that implementations of elliptic curve cryptosystems require smaller chip size, less power consumption, etc. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

6 Diffie-Hellman Key Exchange 1. Alice and Bob agree on an elliptic curve E over a finite field F q such that the discrete logarithm problem is hard in E(F q ). They also agree on a point P E(F q ) such that the subgroup generated by P has large order (usually, the curve and point are chosen so that the order is a large prime). 2. Alice chooses a secret integer a, computes P a = ap, and sends P a to Bob. 3. Bob chooses a secret integer b, computes P b = bp, and sends P b to Alice. 4. Alice computes ap b = abp. 5. Bob computes bp a = bap. 6. Alice and Bob use some publicly agreed on method to extract a key from abp. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

7 Diffie-Hellman Key Exchange For example, they could use the last 256 bits of the x-coordinate of abp as the key. Or they could evaluate a hash function at the x-coordinate. The only information that the eavesdropper Eve sees is the curve E, the finite field F q, and the points P, ap, and bp. She therefore needs to solve the following: DIFFIE-HELLMAN PROBLEM Given P, ap,and bp in E(F q ), compute abp. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

8 The Index-Calculus Let p be a prime and let g be primitive root mod p, which means that g is a generator for the cyclic group F p. In other words, every h 0 (mod p) can be written in the form h g k for some integer k that is uniquely determined mod p 1. Let k = L(h) denote the discrete logarithm of h with respect to g and p, so Suppose we have h 1 and h 2. Then g L(h) h (mod p). g L(h 1h 2 ) h 1 h 2 g L(h 1)+L(h 2 ) (mod p), which implies that L(h 1 h 2 ) L(h 1 ) + L(h 2 ) (mod p 1). Therefore, L changes multiplication into addition, just like the classical logarithm function. The index calculus is a method for computing values of the discrete log function L. The idea is to compute L(l) for several small primes l, then use this information to compute L(h) for arbitrary h. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

9 The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

10 The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

11 The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

12 The Index-Calculus The choice of the size of the factor base B is important. If B is too small, then it will be very hard to find powers of g that factor with primes in B. If B is too large, it will be easy to find relations, but the linear algebra needed to solve for the logs of the elements of B will be enormous. An example that was completed in 2001 by A. Joux and R. Lercier used the first 1 million primes to compute discrete logs mod a 120-digit prime. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

13 Baby Step - Giant Step We have elements P, Q G cyclic of order N, and we are trying to find k Z such that kp = Q. The Baby Step - Giant Step developed by Shanks goes as follows: Fix an integer m N and compute mp. Make and store a list of ip for 0 i < m. Compute the points Q jmp for j = 0, 1,..., m 1 until one matches an element from the stored list. If ip = Q jmp, we have Q = kp with k i + jm(mod (N)). we did not need to know the exact order N of G. We only required an upper bound for N. Therefore, for elliptic curves over F q, we could use this method with m 2 q q. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

14 Baby Step - Giant Step Example Let G = E(F 41 ), where E : y 2 = x 3 + 2x + 1. Let P = (0, 1) and Q = (30, 40). We know #G 54, so we let m = 8. The points ip for 1 i 7 are (0, 1), (1, 39), (8, 23), (38, 38), (23, 23), (20, 28), (26, 9). We calculate Q jmp for j = 0, 1, 2 and obtain (30, 40), (9, 25), (26, 9), at which point we stop since this third point matches 7P. Since j = 2 yielded the match, we have Therefore, k = 23. (30, 40) = ( )P = 23P. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

15 Pollard s ρ (Same time that Baby - Step, Giant - Step, but very little storage needed) Let G be a finite group of order N. Choose a function f : G G that behaves rather randomly. Then start with a random element P 0 and compute the iterations P i+1 = f (P i ). Since G is a finite set, there will be some indices i 0 < j 0 such that P i0 = P j0. Then P i0 +l = P j0 +l for all l 0. Therefore, the sequence P i is periodic with period j 0 i 0. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

16 Pollard s ρ (Same time that Baby - Step, Giant - Step, but very little storage needed) Let G be a finite group of order N. Choose a function f : G G that behaves rather randomly. Then start with a random element P 0 and compute the iterations P i+1 = f (P i ). Since G is a finite set, there will be some indices i 0 < j 0 such that P i0 = P j0. Then P i0 +l = P j0 +l for all l 0. Therefore, the sequence P i is periodic with period j 0 i 0. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

17 Pollard s ρ If f is a randomly chosen random function, then we expect to find a match with j 0 at most a constant times N. A naive implementation of the method stores all the points P i until a match is found. This takes around N storage, which is similar to Baby Step, Giant Step. However, it is possible to do much better at the cost of a little more computation. The key idea is that once there is a match for two indices differing by d, all subsequent indices differing by d will yield matches. This is just the periodicity mentioned above. Therefore, we can compute pairs (P i, P 2i ) for i = 1, 2,..., but only keep the current pair. The problem remains of how to choose a suitable function f. Besides having f act randomly, we need to be able to extract useful information from a match. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

18 Pollard s ρ Divide G into s disjoint subsets S 1, S 2,..., S s of approximately the same size. Choose 2s random integers a i, b i mod N. Let M i = a i P + b i Q. Finally, define f (g) = g + M i if g S i. Choose random integers a 0, b 0 and let P 0 = a 0 P + b 0 Q be the starting point for the random walk. While computing the points P j, we also record how these points are expressed in terms of P and Q. If P j = u j P + v j Q and P j+1 = P j + M i, then P j+1 = (u j + a i )P + (v j + b i )Q, so (u j+1, v j+1 ) = (u j, v j ) + (a i, b i ). Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

19 Pollard s ρ When we find a match P j0 = P i0, then we have u j0 P + v j0 Q = u i0 P + v i0 Q, hence (u i0 u j0 )P = (v j0 v i0 )Q. If gcd(v j0 v i0, N) = d, we have k (v j0 v i0 ) 1 (u i0 u j0 )(mod N/d). This gives us d choices for k. Usually, d will be small, so we can try all possibilities until we have Q = kp. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

20 Pollard s ρ Let G = E(F 1093 ), with E : y 2 = x 3 + x + 1. We take s = 3 and P = (0, 1) and Q = (413, 959). The order of P is We want to find k such that kp = Q. Let P 0 = 3P + 5Q, M 0 = 4P + 3Q, M 1 = 9P + 17Q, and M 2 = 19P + 6Q. Let f : E(F 1093 ) E(F 1093 ) be defined by f (x, y) = (x, y) + Mi if x i(mod 3). If we compute P 0, P 1 = f (P 0 ), P 2 = f (P 1 ),..., we obtain... Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

21 Pollard s ρ P 0 = (326, 69), P 1 = (727, 589), P 2 = (560, 365), P 3 = (1070, 260), P 4 = (473, 903), P 5 = (1006, 951), P 6 = (523, 938),..., P 57 = (895, 337), P 58 = (1006, 951), P 59 = (523, 938),... The sequence starts repeating at P 5 = P 58. We find that P 5 = 88P + 46Q and P 58 = 685P + 620Q. Therefore, = P 58 P 5 = 597P + 574Q. Since P has order 1067 and (mod 1067), we get Q = 499P, so k = 499. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

22 The Pohlig-Hellman Method Let P, Q be elements in a group G and we want to find an integer k with Q = kp. We also know the order N of P and we know the prime factorization N = i of N. The idea of Pohlig-Hellman is to find k (mod q e i i ) for each i, then use the Chinese Remainder theorem to combine these and obtain k(mod N). Let q be a prime, and let q e be the exact power of q dividing N. Write k in its base q expansion as q e i i k = k 0 + k 1 q + k 2 q with 0 k i < q. We evaluate k (mod q e ) by successively determining k 0, k 1,..., k e 1. The procedure is as follows. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

23 The Pohlig-Hellman Method ( ) 1. Compute T = {j N q P 0 j q 1}. ( ) 2. Compute N q Q. This will be an element k N 0 q P of T. 3. If e = 1, stop. Otherwise, continue. 4. Let Q 1 = Q k 0 P. 5. Compute N q 2 Q 1. This will be an element k 1 ( N q P ) of T. 6. If e = 2, stop. Otherwise, continue. 7. Suppose we have computed k 0, k 1,..., k r 1, and Q 1,..., Q r Let Q r = Q r 1 k r 1 q r 1 P. 9. Determine k r such that N q r+1 Q r = k r ( N q P ). 10. If r = e 1, stop. Otherwise, return to step (7). Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

24 The Pohlig-Hellman Method Then Why does this work? We have k k 0 + k 1 q k e 1 q e 1 (mod q e ). N q Q = N q (k N 0 + k 1 q +...)P = k 0 q P + (k N 1 + k 2 q +...)NP = k 0 q P, since NP =. Therefore, step (2) finds k 0. Then Q 1 = Q k 0 P = (k 1 q + k 2 q )P, so N q 2 Q 1 = (k 1 + k 2 q +...) N q P = = k 1 N q P + (k 2 + k 3 q +...)NP = k 1 N q P. Therefore, we find k 1. Similarly, the method produces k 2, k 3,... We have to stop after r = e 1. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

25 The Pohlig-Hellman Method Example. Let G = E(F 599 ), where E : y 2 = x Let P = (60, 19) and Q = (277, 239). P has order N = 600. We want to solve Q = kp for k. The factorization of N is 600 = We will compute k mod 8, mod 3, and mod 25, then recombine to obtain k mod 600. k mod 8. We compute T = {, (598, 0)}. Since ( ) N (N/2)Q = = 0 2 P, we have k 0 = 0. Therefore, Q 1 = Q 0P = Q. Since (N/4)Q 1 = 150Q 1 = (598, 0) = 1 N 2 P, we have k 1 = 1. Therefore, Q 2 = Q P = (35, 243). Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

26 The Pohlig-Hellman Method Example. (Cont.) Since (N/8)Q 2 = 75Q 2 = = 0 N 2 P, we have k 2 = 0. Therefore, k = (mod 8). k mod 3. We have k 2 (mod 3). k mod 25. We have k = (mod 25). We now have the simultaneous congruences x 2 (mod 8) x 2 (mod 3) x 16 (mod 25). These combine to yield k 266 (mod 600), so k = 266. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

27 The MOV Attack One strategy for attacking a discrete logarithm problem is to reduce it to an easier discrete logarithm problem. This can often be done with pairings such as the Weil pairing, which reduce a discrete logarithm problem on an elliptic curve to one in the multiplicative group of a finite field. The MOV attack, named after Menezes, Okamoto, and Vanstone, uses the Weil pairing to convert a discrete log problem in E(F q ) to one in F q m. Since discrete log problems in finite fields can be attacked by index calculus methods, they can be solved faster than elliptic curve discrete log problems, as long as the field F q m is not much larger than F q. For supersingular curves, we can usually take m = 2, so discrete logarithms can be computed more easily for these curves than for arbitrary elliptic curves. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

28 The CM method Let E be an elliptic curve over a finite field F q. The number of points #E(F q ) = q + 1 t, where t is the trace of the Frobenius endormopshim φ q that satisfies φ 2 q tφ q + q = 0. The endomorphism ring End(E) Q is an imaginary quadratic field if E is not supersingular (otherwise it is a definite quaternion algebra). Let us write K = Q( d) = End(E) Q with d 0, 1 mod 4 and d or d/4 square-free. Then Disc(K) = d. On the other hand, φ q = a + b + 2 with: t = 2a + b, and q = a 2 + ab + b 2 2 /4 b 2 /4 Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

29 The CM method The lattice Λ = 1, τ with τ = + 2 defines an elliptic curve C/Λ with CM by End(E) = O K. The j invariant associated to it is j(q) = 1 q q q q q , where q = exp(2πiτ). This number is an algebraic integer (Shimura). Definition The Hilbert polynomial associated to an order O K is H O (x) = (x j(e)). Theorem (Shimura) The polynomial H O (x) Z[x]. E has CM by O Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29

30 The CM method Let us take q = 59 and let us construct an elliptic curve with 48 = t points. We have t = 12, and we can take = 23 and a = 29 and b = 2. H 23 (X ) = X X X Modulo 59, we have H 23 (x) = (x 20)(x 42)(x 44). We take j = 20 and we get E : y 2 = x x This is the right twist. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29