On the distribution of the elliptic curve power generator

Size: px

Start display at page:

Download "On the distribution of the elliptic curve power generator"

Lorin Holt
5 years ago
Views:

1 On the distribution of the elliptic curve power generator László Mérai Eötvös Loránd University Budapest László Mérai (Budapest) On the elliptic curve power generator / 16

2 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q (E(F p ), +) is an Abelian group. Adding: (x P, y P ) + (x Q, y Q ): x = ( yp y Q x P x Q ) 2 xp x Q y = y P + y P y Q x P x Q (x P x) Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P y = y P + 3x2 P +A (x 2z P P x) y P Discrete logarithm problem: given P, np E(F p ) find n! fff László Mérai (Budapest) On the elliptic curve power generator / 16

3 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q (E(F p ), +) is an Abelian group. Adding: (x P, y P ) + (x Q, y Q ): x = ( yp y Q x P x Q ) 2 xp x Q y = y P + y P y Q x P x Q (x P x) Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P y = y P + 3x2 P +A (x 2z P P x) y P Discrete logarithm problem: given P, np E(F p ) find n! fff László Mérai (Budapest) On the elliptic curve power generator / 16

4 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q (E(F p ), +) is an Abelian group. Adding: (x P, y P ) + (x Q, y Q ): x = ( yp y Q x P x Q ) 2 xp x Q y = y P + y P y Q x P x Q (x P x) Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P y = y P + 3x2 P +A (x 2z P P x) y P Discrete logarithm problem: given P, np E(F p ) find n! fff László Mérai (Budapest) On the elliptic curve power generator / 16

5 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q Applications: Public key cryptosystem Digital signature Generating pseudorandom sequences,... Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P László Mérai (Budapest) On the elliptic curve power generator / 16

6 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q Applications: Public key cryptosystem Digital signature Generating pseudorandom sequences,... Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P Discrete logarithm problem: given P, np E(F p ) find n! fff László Mérai (Budapest) On the elliptic curve power generator / 16

7 Sequences generated by elliptic curve Let P n E(F q ) be a sequence of points. We study the distribution of points P n = (x n, y n ), (x n, y n F q ) László Mérai (Budapest) On the elliptic curve power generator / 16

8 Sequences generated by elliptic curve Let P n E(F q ) be a sequence of points. We study the distribution of points P n = (x n, y n ), (x n, y n F q ) Importance: We may get a good pseudorandom generator. Helps us to trust the hardness of discrete logarithm problem. László Mérai (Budapest) On the elliptic curve power generator / 16

9 Sequences generated by elliptic curve Let P n E(F q ) be a sequence of points. We study the distribution of points P n = (x n, y n ), (x n, y n F q ) Importance: We may get a good pseudorandom generator. Helps us to trust the hardness of discrete logarithm problem. A negative result would help us to attack this problem. László Mérai (Budapest) On the elliptic curve power generator / 16

10 Pseudorandomness of sequences - Discrepancy Let (u n ) [0, 1) be a sequence. For a positive integer s, the discrepancy D s (N) of the points is defined by (u n,..., u n+s 1 ), n = 1,..., N D s (N) = sup B [0,1) s N(B) N B, where N(B) is the number of points which hit the box B = [a 1, b 1 ) [a s, b s ) and the supremum is taken over all such boxes B. László Mérai (Budapest) On the elliptic curve power generator / 16

11 Pseudorandomness of sequences - Discrepancy Let (u n ) [0, 1) be a sequence. For a positive integer s, the discrepancy D s (N) of the points is defined by (u n,..., u n+s 1 ), n = 1,..., N D s (N) = sup B [0,1) s N(B) N B, where N(B) is the number of points which hit the box B = [a 1, b 1 ) [a s, b s ) and the supremum is taken over all such boxes B. We can apply the discrepancy to the sequence xn p P n = (x n, y n ) E(F p ) where László Mérai (Budapest) On the elliptic curve power generator / 16

12 Pseudorandomness of sequences - Measures of pseudorandomness Let E N = (e 1,..., e N ) {+1, 1} N binary sequence. The well-distribution measure W (E N ) is t W (E N ) = max a,b,t e a+jb j=1 László Mérai (Budapest) On the elliptic curve power generator / 16

13 Pseudorandomness of sequences - Measures of pseudorandomness Let E N = (e 1,..., e N ) {+1, 1} N binary sequence. The well-distribution measure W (E N ) is t W (E N ) = max a,b,t e a+jb The correlation measure C l (E N ) of order l is M C l (E N ) = max e n+d1... e n+dl M,d 1,...,d l n=1 j=1 László Mérai (Budapest) On the elliptic curve power generator / 16

14 Pseudorandomness of sequences - Measures of pseudorandomness Let E N = (e 1,..., e N ) {+1, 1} N binary sequence. The well-distribution measure W (E N ) is t W (E N ) = max a,b,t e a+jb The correlation measure C l (E N ) of order l is M C l (E N ) = max e n+d1... e n+dl M,d 1,...,d l We can apply this measures by transforming P n to a binary sequence: { +1, if xn {0, 1,..., p 1 P n = (x n, y n) } 2 1, otherwise ( ) ( ) x P n = (x n, y n) np, (Here is the Legendre symbol.) p n=1 László Mérai (Budapest) On the elliptic curve power generator / 16 j=1

15 Sequences generated by elliptic curve Elliptic curve linear congruential generator, EC-LCG: Let P, P 0 E(F q ) and the sequence U n (n N) generated by the rule U n = U n 1 + P = np + P 0 László Mérai (Budapest) On the elliptic curve power generator / 16

16 Sequences generated by elliptic curve Elliptic curve linear congruential generator, EC-LCG: Let P, P 0 E(F q ) and the sequence U n (n N) generated by the rule U n = U n 1 + P = np + P 0 Given consecutive elements U n, U n+1 one can easily compute P. We can consider the sequence f (U n) F q with secret f F q(e). Due to the simple structure, the generator is well-understood. László Mérai (Budapest) On the elliptic curve power generator / 16

17 Sequences generated by elliptic curve Elliptic curve linear congruential generator, EC-LCG: Let P, P 0 E(F q ) and the sequence U n (n N) generated by the rule U n = U n 1 + P = np + P 0 Given consecutive elements U n, U n+1 one can easily compute P. We can consider the sequence f (U n) F q with secret f F q(e). Due to the simple structure, the generator is well-understood. Elliptic curve power generator, EC-PG: Let Q E(F q ) and fix an integer e. The sequence W n (n N) generated by the rule W n = ew n 1 = e n Q László Mérai (Budapest) On the elliptic curve power generator / 16

18 Sequences generated by elliptic curve Elliptic curve linear congruential generator, EC-LCG: Let P, P 0 E(F q ) and the sequence U n (n N) generated by the rule U n = U n 1 + P = np + P 0 Given consecutive elements U n, U n+1 one can easily compute P. We can consider the sequence f (U n) F q with secret f F q(e). Due to the simple structure, the generator is well-understood. Elliptic curve power generator, EC-PG: Let Q E(F q ) and fix an integer e. The sequence W n (n N) generated by the rule W n = ew n 1 = e n Q To compute e from consecutive elements W n, W n+1 one may need to solve the discrete logarithm problem. To compute an element W n from the some previous ones one may need to solve the Diffie-Helmann problem. László Mérai (Budapest) On the elliptic curve power generator / 16

19 Elliptic curve linear congruential generator, EC-LCG Discrepancy bounds: Hess, Shparlinski: Let u n = x(ng) p [0, 1). Then the discrepancy of (u n+1,..., u n+s ) is D s (t) t 1 p 1/2+ε, (Here t is the order of G.) László Mérai (Budapest) On the elliptic curve power generator / 16

20 Elliptic curve linear congruential generator, EC-LCG Discrepancy bounds: Hess, Shparlinski: Let u n = x(ng) p [0, 1). Then the discrepancy of (u n+1,..., u n+s ) is D s (t) t 1 p 1/2+ε, (Here t is the order of G.) Bounds on the pseudorandom measures of binary case: ) Chen; Mérai: Let e n = {+1, 1}, then ( f (ng) p W (E N ), C l (E N ) p 1/2+ε. László Mérai (Budapest) On the elliptic curve power generator / 16

21 Elliptic curve linear congruential generator, EC-LCG Discrepancy bounds: Hess, Shparlinski: Let u n = x(ng) p [0, 1). Then the discrepancy of (u n+1,..., u n+s ) is D s (t) t 1 p 1/2+ε, (Here t is the order of G.) Bounds on the pseudorandom measures of binary case: ) Chen; Mérai: Let e n = {+1, 1}, then ( f (ng) p W (E N ), C l (E N ) p 1/2+ε. Liu, Wang, Zhand; Mérai: { +1, if f (ng) {0, 1,..., p 1 Let e n = 2 } 1, otherwise, then W (E N ), C l (E N ) p 1/2+ε. László Mérai (Budapest) On the elliptic curve power generator / 16

22 Elliptic curve power generator, EC-PG Discrepancy bound: Banks, Friedlander, Garaev, Shparlinski: Let u n = x(en G) p [0, 1). Then its discrepancy: D 1 (N) N 2/3 T 5/9 p 1/18+ε Here T is the multiplicative order of e modulo G. László Mérai (Budapest) On the elliptic curve power generator / 16

23 Elliptic curve power generator, EC-PG Discrepancy bound: Banks, Friedlander, Garaev, Shparlinski: Let u n = x(en G) p [0, 1). Then its discrepancy: D 1 (N) N 2/3 T 5/9 p 1/18+ε Here T is the multiplicative order of e modulo G. Remarks: ( ) There are no non-trivial bound on discrepancy even of x(e n G) p, x(en+1 G) p! Except for some trivial examples, e.g. e = 2. László Mérai (Budapest) On the elliptic curve power generator / 16

24 Elliptic curve power generator, EC-PG Discrepancy bound: Main result: Let u n = f (en G) p Then for an f F p (E). D 1 (N) deg f N 2/3 T 5/9 p 1/18+ε László Mérai (Budapest) On the elliptic curve power generator / 16

25 Elliptic curve power generator, EC-PG Discrepancy bound: Main result: Let u n = f (en G) p Then for an f F p (E). D 1 (N) deg f N 2/3 T 5/9 p 1/18+ε Remarks: ( ) Discrepancy bound on f (e n G) p, f (en+1 G) p,..., f (en+s 1 G) p can be also given just small e: D s (N) deg f e 2(s 1) N 2/3 T 5/9 p 1/18+ε László Mérai (Budapest) On the elliptic curve power generator / 16

26 Exponential sums over elliptic curves The discrepancy bounds immediately follow from exponential sum estimates. Kohel, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If f is not constant, then ψ(f (Q)) 2 deg f q 1/2 Q H László Mérai (Budapest) On the elliptic curve power generator / 16

27 Exponential sums over elliptic curves The discrepancy bounds immediately follow from exponential sum estimates. Kohel, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If f is not constant, then ψ(f (Q)) 2 deg f q 1/2 Q H Lange, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If 1 d 1 < < d s D, then ( s ) ψ c i x(d i Q) s D 2 q 1/2 Q H i=1 László Mérai (Budapest) On the elliptic curve power generator / 16

28 Exponential sums over elliptic curves The discrepancy bounds immediately follow from exponential sum estimates. Kohel, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If f is not constant, then ψ(f (Q)) 2 deg f q 1/2 Q H Lange, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If 1 d 1 < < d s D, then ( s ) ψ c i x(d i Q) s D 2 q 1/2 Q H i=1 Banks, Friedlander, Garaev, Shparlinski: Let Q E(F p) and e be an integer of order T modulo G, then N e p(x(e n Q)) N 1/3 T 5/9 p 1/18+ε n=1 László Mérai (Budapest) On the elliptic curve power generator / 16

29 Exponential sums over elliptic curves A new bound: Let H E(F q ), ψ be an additive character of F q. If f F q (E) is not constant and 1 d 1 < < d s D, then ( s ) ψ c i f (d i Q) s deg f D 2 q 1/2 Q H i=1 László Mérai (Budapest) On the elliptic curve power generator / 16

30 Exponential sums over elliptic curves Let F (Q) = s c i f (d i Q) i=1 László Mérai (Budapest) On the elliptic curve power generator / 16

31 Exponential sums over elliptic curves Let F (Q) = s c i f (d i Q) i=1 In order to prove the theorem it is enough to show: F(Q) is not constant. It can be shown that there is at least one pole: László Mérai (Budapest) On the elliptic curve power generator / 16

32 Exponential sums over elliptic curves Let F (Q) = s c i f (d i Q) i=1 In order to prove the theorem it is enough to show: F(Q) is not constant. It can be shown that there is at least one pole: deg F s deg f D 2 László Mérai (Budapest) On the elliptic curve power generator / 16

33 Exponential sums over elliptic curves Let F (Q) = s c i f (d i Q) i=1 In order to prove the theorem it is enough to show: F(Q) is not constant. It can be shown that there is at least one pole: We can order the poles of f (d i Q) by their orders, and there is an (almost) unique maximum element. deg F s deg f D 2 László Mérai (Budapest) On the elliptic curve power generator / 16

34 Thank you! László Mérai (Budapest) On the elliptic curve power generator / 16

Construction of pseudorandom binary lattices using elliptic curves

Construction of pseudorandom binary lattices using elliptic curves László Mérai Abstract In an earlier paper Hubert, Mauduit and Sárközy introduced and studied the notion of pseudorandomness of binary