AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction

Transcription

1 J. Al. Math. & Comuting Vol. 20(2006), No. 1-2, AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly imrove the Baby-ste Giant-ste for certain ellitic curves. This method gives the running time imrovement of 200% in recomutation (Baby-ste) and requires half as much storage as the original Baby-ste Giant-ste method. AMS Mathematics Subject Classification : 11T71, 94A60 Key words and hrases : Crytograhy, baby-ste giant-ste algorithm, ellitic curve, Legendre symbol 1. Introduction Ellitic Curve Crytosystems (ECC) have gained much attention as a oular and ractical scheme since they rovide security equivalent to classical ublic key crytosystems while using fewer bits. The security of most ECC deend on the difficulty of solving the discrete logarithm roblem for ellitic curves. For any finite cyclic grou G with generator g and an element b of G, the Discrete Logarithm Problem (DLP) is to find the smallest integer k so that g k = b. The comlexity of the DLP is quite different in the tyes of grous. The first grou G used in contemorary crytograhy is the multilicative grou Z of non-zero integers modulo a rime. In this case, the fastest algorithm for solving this roblem is the index calculus method, whose comlexity is ex( (ln )lnln) [3]. In Z, the index calculus deends heavily on the fact that integers can be written as roducts of rimes, which is all the index calculus method wants. But the grou of oints on an ellitic curve modulo a rime has no such notion of smoothness. Although there are a few cases where index calculus techniques can be used in the jacobians of higher genus curves to solve DLP on certain ellitic curves[1],[2],[7], it is not clear how generally their methods aly. Therefore Baby-ste Giant-ste method[5] and the Pollard ρ and λ Received March 13, Revised Setember 7, Corresonding author. This work was suorted by grant R from the Basic Research Program of the Korea Science & Engineering Foundation c 2006 Korean Society for Comutational & Alied Mathematics. 485

2 486 Byeong-Kweon Oh, Kil-Chan Ha and Jangheon Oh methods[4] seem to be the best algorithms for arbitrary ellitic curves. All three of these algorithms have comlexity O( ). Baby-ste Giant-ste method runs in aroximately the same time as Pollard s ρ and λ methods, but it has a disadvantage. It requires a lot of storage( n where n is the order of grou). In this aer, we slightly imrove the Babyste Giant-ste for certain ellitic curves. This method gives the running time imrovement of 200% in recomutation(baby-ste) and requires half as much storage as the original Baby-ste Giant-ste method. 2. Imroved Baby-ste Giant-ste method We begin with restating the DLP for certain ellitic curves. Let K be a finite field F with >3. Then an ellitic curve E over K can be transformed to a form of y 2 = x 3 + ax + b (a, b K). The DLP for ellitic curves E over K is to find m Z such that Q = mp for any given P, Q E(K). In this section we describe an imroved Baby-ste Giant-ste method for ellitic curves with a 0,b = 0 and show that how this method works. From now on we assume that a 0 and b =0. To exlain how this algorithm(table 1) work, we first define a ma α : E(K) K /K 2 by α(o ) 1, α((0, 0)) a, α((x, y)) x mod K 2, where K is the multilicative set of non-zero elements of K and K 2 is the set of quadratic residues in K. Then it can be easily checked that the ma α is a homomorhism(see.85 in [8]). Theorem 1. The ma α defined above is surjective. Proof. We may assume that a is a square in K. First we rove the theorem in the case of 3 mod 4. We claim that x 2 +a is a non-square for some non-zero x. Suose that x 2 + a is a square for all x K. Then {x 2 + a x K = {y 2 y K since x 2 + a is not zero for any x K. Hence (x 2 + a) = y 2, which y K imlies a 0 mod. This roves the claim. If x 2 + a is a non-square for a non-square x 1, then y 2 = x 1 (x a) has a solution y 1. Hence (x 1,y 1 ) E(K) for some non-square x 1.Ifx 2 + a is a non-square for a square x 0, then y 2 = x 0 (x a) has a solution y 0. Note that x 0 is a non-square since -1 is a non-square in the case of 3 mod 4. This comletes the roof when 3 mod 4.

3 An imroved baby-ste-giant-ste method 487 Table 1. Imroved baby-ste giant-ste algorithm Inut : the order n of E(K), P =(x P,y P ),Q=(x Q,y Q ) E(K) Outut: m Z for which Q = mp (Precomutation: Baby-ste) 1. Choose an even number u = n + δ selecting aroriate δ =0 or 1; 2. Φ O (where O is the oint of infinity in E(K)); for (i =0to(u/2) 1){ store (Φ,i) in a Table A; Φ Φ+2P ; (Main comutation: Giant-ste) 3. Calculate the Legendre symbol α =( xq ); if (α is equal to 1) { Q Q P ; t 1; else{ Q Q; t 0; 4. Ψ up ;Φ Q; for (j =0tou 1){ if (Φ is the first comonent of a air (Φ,i) in Table A){ m 2i + ju + t; write Log of Q is 2i + ju + t and exit; Φ Φ +Ψ; write Error ; Next we assume that =1+4k for some integer k. Since 1 and a are squares, x 2 + a = x 2 c 2 for some c K. We comute ( x 2 ) + a x + c x c t +2c t t +2c t 1 t K t K = ( ) 1+2ct 1 = ( ) x +1 t K = 1+ ( ) x = 1.

4 488 Byeong-Kweon Oh, Kil-Chan Ha and Jangheon Oh Note that the number of x for ( x2 +a ) = 0 is two. Therefore the number of x for ( x2 +a ) = 1 and ( x2 +a ) = 1 should be 2k 1 and 2k, resectively. However the number of squares in K is 2k. So there are at least two non-square x s for ( x2 +a )= 1or0, which comletes the roof. Let P =(x P,y P ),Q =(x Q,y Q )beine(k), and m be an integer such that Q = mp. Since α is an homomorhism, we see that x m P x Q mod K 2. Hence ( ) m ( ) xp xq =. Suose that x P is a non-square in K. By Theorem 1, half of x P s are nonsquares. Then m is an even integer when x Q is a square, an odd integer when x Q is a non-square. If x Q is a non-square, then we solve (m 1)P = Q P instead of mp = Q(see ste 3 of Table 1). Hence we may assume that m is an even number when we solve the ellitic curve discrete logarithm roblem mp = Q. Hence when we comute the table of Baby-stes in ste 2 of Table 1, we need only to comute and store (2iP, i) for even integers 0 2i <u. Since u 2 >n, the answer m satisfies 0 m<u 2 and so we get 0 r, q < u. When i = r/2 ((r 1)/2, resectively) and j = q for ( xq )=1((xQ )= 1), resectively), the if-condition of ste 4 of Table 1 is true, so there is a match. The order n of E(K), which is needed as an inut of the roosed algorithm, can be relaced as an uer bound of the order. We state a formula(see.185 in [6]) for the order n of E(K). Remark 1. When 2D, the number of oints E of the ellitic curve y 2 = x 3 Dx over K is given by the following formula. E = +1 if 3 mod 4, (( ) ) ( D D E =+1 j π π π 4 ) j(π) if 1 mod 4, 4 where (. π ) 4 is the 4th-ower residue symbol, = πj(π) is in Z[i], and j is a comlex conjugation. So the ellitic curve of the form y 2 = x 3 + ax is suersingular, which should be avoided in ECC, if 3 mod Conclusion A slight imrovement of the Baby-ste Giant-ste has been made for ellitic curves of the form y 2 = x 3 + ax (a F ) by comuting and storing only the oints 2iP for even integer 0 2i <uand checking whether Q jup =2iP or (Q P ) jup =2iP

5 An imroved baby-ste-giant-ste method 489 according to the value of Legendre symbol ( xq ). Consequently we have reduced comutation and storage by 50% in Baby-ste. References 1. S.D. Galbraith and N.P. Smart, A crytograhic alication of Weil descent, In Crytograhy and coding, Lecture Notes in Comut. Sci., 1746(1999), P. Gaudry, F. Hess, and N.P. Smart, Construtive and destructive facets of Weil descent on ellitic curves, J. Crytology, 15(2002), A.J. Menezes, P.C. van Oorschot,and S.A. Vanstone, Handbook of alied crytograhy, CRCPress Series on Discrete Mathematics and its Alications,(CRC Press, Boca Raton, FL, 1997) 4. J.M. Pollard, Monte Carlo methods for index comutation (mod ), Math. Com., 32(1978), D. Shanks, Class number, a theory of factorization, and genera, Proc. Symos. Pure Math., 20(1971), J.H. Silverman, Advanced Toics in the Arithmetic of Ellitic Curves, Graduate Texts in Math., (Sringer-Verlag, 1994) 7. J.H. Silverman and J. Suzuki, Ellitic curve discrete logarithms and the index calculus, In Advances in crytology-asiacript 98, Lecture Notes in Comut. Sci., 1514(1998), J.H. Silverman and J. Tate, Rational oints on Ellitic Curves, Undergraduate Texts in Math., (Sringer-Verlag, 1982) Kil-Chan Ha received his BS from Seoul National University and Ph. D at Seoul National University under the direction of Seung-Hyeok Kye. He worked as a senior researcher at National Security Research Institute(NSRI) from 1999 to 2002, and in 2002 he joined the faculty of Sejong University. His research interests include design and analysis of crytograhic algorithms and quantum information theory. Byeong-Kweon Oh received his BS from Seoul National University and Ph. D at Seoul National University under the direction of Myung-Hwan Kim. Since 1999, he has been at Korea Institute for Advanced Study(KIAS) as a research fellow. Currently, he is an assistant rofessor at Sejong University. His research interest focus on reresentations of integral quadratic forms and crytograhy. Jangheon Oh received his BS and MS from Seoul National University and Ph. D at the Ohio State University under the direction of Warren Sinnott. Since 2000 he has been at Sejong University. His research area is algebraic number theory. He is articularly interest in roblems related with Iwasawa theory and ellitic curves. Deartment of Alied Mathematics, Sejong University, Seoul , Korea {kcha,bkoh,oh@sejong.ac.kr