Calcul d indice et courbes algébriques : de meilleures récoltes

Size: px

Start display at page:

Download "Calcul d indice et courbes algébriques : de meilleures récoltes"

Lewis Bishop
5 years ago
Views:

1 Calcul d indice et courbes algébriques : de meilleures récoltes Alexandre Wallet ENS de Lyon, Laboratoire LIP, Equipe AriC Alexandre Wallet De meilleures récoltes dans le calcul d indice 1 / 35

2 Today: Discrete Logarithm Problem over curves Index-calculus New results on harvesting A sieving approach for smooth harvesting for all curves improve a general method Complexity improvements for decomposition harvesting hyperelliptic curves over F q n, q = 2 k new practical computations Alexandre Wallet De meilleures récoltes dans le calcul d indice 2 / 35

3 1 Discrete Logarithm Problem over curves DLP, Index Calculus Curves as groups 2 Smooth harvesting and new results 3 Decomposition harvesting and new results 4 Impact of improvements Alexandre Wallet De meilleures récoltes dans le calcul d indice 3 / 35

4 Discrete Logarithm Problem (DLP) Let g, h = [x] g (G, +), with x Z. Compute x. Is this a hard problem? Classic Generic group: yes For some groups: no Cryptography: yes Quantum NO Today s groups: Class groups of algebraic curves J Fq (C) (and elliptic curves) Alexandre Wallet De meilleures récoltes dans le calcul d indice 4 / 35

5 Hardness of Curve-DLP Generic #G p prime; n = log 2 p Index Calculus Transfer attacks Alexandre Wallet De meilleures récoltes dans le calcul d indice 5 / 35

6 Situation for elliptic curves For cryptography: elliptic curves (genus g = 1) Elliptic curves over prime fields over extension fields Generic "Decomposition" Transfer Attacks Other curves Finite field Alexandre Wallet De meilleures récoltes dans le calcul d indice 6 / 35

7 Index-Calculus Inputs Preprocessing: select factor base F = {f 1,..., f N } G. Harvesting Linear Algebra Output Alexandre Wallet De meilleures récoltes dans le calcul d indice 7 / 35

8 A good F must be: easy to enumerate not too big, not too small a set of small elements There are standard choices. New choices: open problem Today s target: harvesting in Index-Calculus for curves Motivations: Algorithmic Number Theory Computational Algebraic Geometry Cryptography Compute discrete logs in abelian varieties. How efficient can we be? Transfer attacks Alexandre Wallet De meilleures récoltes dans le calcul d indice 8 / 35

9 Algebraic curves Algebraic curve of genus g over a field K: C : P (x, y) = 0, for some P K[X, Y ]. g = 1: elliptic: Y 2 = X 3 + AX + B, A, B K g = 2: hyperelliptic: Y 2 + h 1 (X)Y = X h 1 K[X], deg h 1 2 g 3: hyperelliptic: Y 2 + h 1 (X)Y = X 2g h 1 K[X], deg h 1 g Non-hyperelliptic (all the rest). Alexandre Wallet De meilleures récoltes dans le calcul d indice 9 / 35

10 Class group and its arithmetic Example: g = 1, C elliptic curve Line through P 1, P 2 : f(x, y) = 0 Line has 3 zeros and a triple pole at O. P 1 + P 2 + P 3 3O 0 Addition: (P 1 O) + (P 2 O) ([ P 3 ] O) point at infinity P 1 P 2 O P 3 P 3 Alexandre Wallet De meilleures récoltes dans le calcul d indice 10 / 35

11 Class group and its arithmetic Example: g = 1, C elliptic curve Line through P 1, P 2 : f(x, y) = 0 Line has 3 zeros and a triple pole at O. P 1 + P 2 + P 3 3O 0 Addition: (P 1 O) + (P 2 O) ([ P 3 ] O) point at infinity P 1 P 2 O P 3 P 3 Curve C, class group J (C). It is a quotient group. Its elements are reduced divisors. A reduced divisor is a formal sum: D = k P i ko, i=1 for some P 1,..., P k C, k g. Alexandre Wallet De meilleures récoltes dans le calcul d indice 10 / 35

12 point at infinity O Another example: g = 2, C hyperelliptic Cubic through P 1,..., P 4 : f(x, y) = 0 In J (H) : P 1 + +P 6 6O = 0 P 5 P 6 P 2 P 4 P 1 P 6 P 3 P 5 Addition: (P 1 + P 2 2O) }{{} + (P 3 + P 4 2O) [ P 5 ] + [ P 6 ] 2O }{{}}{{} D 1 + D 2 D 3 Alexandre Wallet De meilleures récoltes dans le calcul d indice 11 / 35

13 1 Discrete Logarithm Problem over curves 2 Smooth harvesting and new results The main idea New approach: harvesting by sieving Timings 3 Decomposition harvesting and new results 4 Impact of improvements Alexandre Wallet De meilleures récoltes dans le calcul d indice 12 / 35

14 Smooth harvesting Assume C is non-hyperelliptic ( g 3) K = F q, for q = p d, p prime C : C(x, y) = 0, [Diem 08] deg C g + 1 In example: deg C = 6 Factor base F = { P = (x, y) C(F q ) } (rational points) Preprocessing: enumerate F. Alexandre Wallet De meilleures récoltes dans le calcul d indice 13 / 35

15 Smooth harvesting Assume C is non-hyperelliptic ( g 3) K = F q, for q = p d, p prime C : C(x, y) = 0, [Diem 08] deg C g + 1 In example: deg C = 6 Factor base F = { P = (x, y) C(F q ) } (rational points) Alexandre Wallet De meilleures récoltes dans le calcul d indice 13 / 35

16 Smooth harvesting Assume C is non-hyperelliptic ( g 3) K = F q, for q = p d, p prime C : C(x, y) = 0, [Diem 08] deg C g + 1 In example: deg C = 6 Factor base F = { P = (x, y) C(F q ) } (rational points) Alexandre Wallet De meilleures récoltes dans le calcul d indice 13 / 35

17 Smooth harvesting Assume C is non-hyperelliptic ( g 3) K = F q, for q = p d, p prime C : C(x, y) = 0, [Diem 08] deg C g + 1 In example: deg C = 6 Factor base F = { P = (x, y) C(F q ) } (rational points) Alexandre Wallet De meilleures récoltes dans le calcul d indice 13 / 35

18 Smooth harvesting Assume C is non-hyperelliptic ( g 3) K = F q, for q = p d, p prime C : C(x, y) = 0, [Diem 08] deg C g + 1 In example: deg C = 6 Factor base F = { P = (x, y) C(F q ) } (rational points) Alexandre Wallet De meilleures récoltes dans le calcul d indice 13 / 35

19 Smooth harvesting Assume C is non-hyperelliptic ( g 3) K = F q, for q = p d, p prime C : C(x, y) = 0, [Diem 08] deg C g + 1 In example: deg C = 6 Factor base F = { P = (x, y) C(F q ) } (rational points) Alexandre Wallet De meilleures récoltes dans le calcul d indice 13 / 35

20 Smooth harvesting Assume C is non-hyperelliptic ( g 3) K = F q, for q = p d, p prime C : C(x, y) = 0, [Diem 08] deg C g + 1 In example: deg C = 6 Factor base F = { P = (x, y) C(F q ) } (rational points) Alexandre Wallet De meilleures récoltes dans le calcul d indice 13 / 35

21 Cost of smooth harvesting Input: C(X, Y ) in F q [X, Y ], F rational points Output: A relation. A) Do: 1- Select P 1, P 2 F at random. 2- Compute their line Y = λx + µ. C(X, λx + µ) 3- Compute F (X) = (X x 1)(X x. 2) 4- Compute roots x i s of F in F q. While #{roots} < g 1. B) y i λx i + µ for 1 i g 1. Cost analysis: deg C = g inversion, 3 multiplications evaluation g 2 log q Success probability: 1 (g 1)! 2g multiplications C) Output {(x 1, y 1 ),..., (x g 1, y g 1 )}. R(F) (g 1)!g 2 log q Alexandre Wallet De meilleures récoltes dans le calcul d indice 14 / 35

22 A sieving approach to harvesting No sieve Sieve Theory Practice Hope to find good lines Root finding at random VS Parametrize lines, keep only the good ones Store results of cheap computations Existing approach [SS 14]: restricted to hyperelliptic, rely on sort, backtracking Our result: V.Vitse, A.W., Improved sieving on algebraic curves, LatinCrypt 2015 all curve types, adaptable to balanced variants VS [SS 14]: skip computations, better memory efficiency, no sorting. Alexandre Wallet De meilleures récoltes dans le calcul d indice 15 / 35

23 Illustration for non-hyperelliptic curves C : C(x, y) = 0, genus g 3. [Diem 08]: deg C g + 1 Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P : λ P (P i ) = y i y P x i x P (cheap) Loop over F, compute λ P (P i ) s: λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... T = [ ] P 4 P 3 Alexandre Wallet De meilleures récoltes dans le calcul d indice 16 / 35 P 2

24 Illustration for non-hyperelliptic curves C : C(x, y) = 0, genus g 3. [Diem 08]: deg C g + 1 Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P : λ P (P i ) = y i y P x i x P (cheap) Loop over F, compute λ P (P i ) s: λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... T = [ ] P 4 P 3 Alexandre Wallet De meilleures récoltes dans le calcul d indice 16 / 35 P 2

25 Illustration for non-hyperelliptic curves C : C(x, y) = 0, genus g 3. [Diem 08]: deg C g + 1 Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P : λ P (P i ) = y i y P x i x P (cheap) Loop over F, compute λ P (P i ) s: λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... T = [ ] P 4 P 3 Alexandre Wallet De meilleures récoltes dans le calcul d indice 16 / 35

26 Illustration for non-hyperelliptic curves C : C(x, y) = 0, genus g 3. [Diem 08]: deg C g + 1 Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P : λ P (P i ) = y i y P x i x P (cheap) Loop over F, compute λ P (P i ) s: λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... T = [ ] P 4 Alexandre Wallet De meilleures récoltes dans le calcul d indice 16 / 35

27 Illustration for non-hyperelliptic curves C : C(x, y) = 0, genus g 3. [Diem 08]: deg C g + 1 Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P : λ P (P i ) = y i y P x i x P (cheap) Loop over F, compute λ P (P i ) s: λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... T = [ ] λ P (P i ) = λ P (P j ) P, P i, P j lined up. Alexandre Wallet De meilleures récoltes dans le calcul d indice 16 / 35

28 Illustration for non-hyperelliptic curves C : C(x, y) = 0, genus g 3. [Diem 08]: deg C g + 1 Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P : λ P (P i ) = y i y P x i x P (cheap) Loop over F, compute λ P (P i ) s: λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... T = [ ] λ P (P i ) = λ P (P j ) P, P i, P j lined up. When T[λ i ] = g : relation Alexandre Wallet De meilleures récoltes dans le calcul d indice 16 / 35

29 Analysis For one loop: O(q) multiplications + O(q) storage. Expect q g! relations. Harvesting in g!q. Previous approach: (g 1)!q(g 2 log q) Speed-up g log q. Relations management: Loop on P uses all lines through P. No duplicate relations. Sieving = time/memory trade-off. Alexandre Wallet De meilleures récoltes dans le calcul d indice 17 / 35

30 Timings Genus 3, degree 4 Genus 4, degree 5 Genus 5, degree 6 Genus 7, degree 7 q Diem Sieving Ratio Diem Sieving Ratio Diem Sieving Ratio Diem Sieving Ratio Implementation in Magma; CPU Intel c Core i5@2.00ghz processor. Time to collect relations, expressed in seconds. Alexandre Wallet De meilleures récoltes dans le calcul d indice 18 / 35

31 1 Discrete Logarithm Problem over curves 2 Smooth harvesting and new results 3 Decomposition harvesting and new results Extension fields and restriction of scalars Polynomial System Solving New results for binary hyperelliptic curves 4 Impact of improvements Alexandre Wallet De meilleures récoltes dans le calcul d indice 19 / 35

32 Factor bases over an extension field Let C be a curve of genus g, with defining equation in F q n[x, Y ]. F q n = F q + F q t + + F q t n 1 Small elements : points with coordinates in a subspace of F q n. A candidate: F = {P = (x, y) C : x F q, y F q n}. [Gaudry 09, Nagao 10, Diem 11] Alexandre Wallet De meilleures récoltes dans le calcul d indice 20 / 35

33 Factor bases over an extension field Let C be a curve of genus g, with defining equation in F q n[x, Y ]. F q n = F q + F q t + + F q t n 1 Small elements : points with coordinates in a subspace of F q n. A candidate: F = {P = (x, y) C : x F q, y F q n}. [Gaudry 09, Nagao 10, Diem 11] Want: P P m = 0, with D i F meaning: find curve f s.t. f(x i, y i ) = 0 Fix m: good f s space of dim = m g = d. a 1,..., a d : symbolic coordinates. D 12 R 1 D 11 D 21 D 22 R 2 Goal: find values for a i s s.t. f is good. Alexandre Wallet De meilleures récoltes dans le calcul d indice 20 / 35

34 Projection of a relation (x, y) F iff x F q project on x-line to restrict coordinate space. R(x) := Symbolic resultant (in y) of f(x, y) and C s equation. R(x) = x m + j<m R j(a 1,..., a d ) }{{} xj, F q n[a 1,..., a d ] Property: R(x i ) = 0. D 12 R 1 D 11 D 21 D 22 R 2 All x i s F q implies all R j (a 1,..., a d ) s F q. Alexandre Wallet De meilleures récoltes dans le calcul d indice 21 / 35

35 Restriction of scalars 1 The base field is F q n = F q + F q t + + F q t n 1 coeff λ F q n: λ = λ 1 + λ 2 t + + λ n t n 1 R j (a 1,..., a d ) New variables: a i = a i1 + a i2 t + + a i,n t n 1 R j1 (a) + R j2 (a) t + + R jn (a) t n 1 R j (a 1,..., a d ) F q R j2 (a) = 0. R jn (a) = 0 polynomial system over F q. 1 [Gaudry 09, Nagao 10, Diem 11] Alexandre Wallet De meilleures récoltes dans le calcul d indice 22 / 35

36 Gröbner bases and relation cost Original System F4 or F5 algo Degree order FGLM algo Lex order Root finding Solutions If C has genus g, m = ng implies d = (n 1)g. n(n 1)g equations and variables Alexandre Wallet De meilleures récoltes dans le calcul d indice 23 / 35

37 Gröbner bases and relation cost Original System F4 or F5 algo Degree order FGLM algo Lex order Root finding Solutions If C has genus g, m = ng implies d = (n 1)g. n(n 1)g equations and variables Main parameter: #solutions (in F q n) Above process runs in Õ( ω ) Relations when solutions are in F q. Cost analysis if C hyperelliptic = 2 n(n 1)g Success probability: 1 (ng)! R(F) (ng)! 2 ωn(n 1)g Alexandre Wallet De meilleures récoltes dans le calcul d indice 23 / 35

38 Reducing the number of solutions = 2 n(n 1)g is quickly huge. Can be reduced by exploiting structural properties (e.g. symmetries) before running algorithms. Examples: x 1 + x 2 + x 3 = a x 1x 2 + x 1x 3 + x 2x 3 = b x 1x 2x 3 = c 6 solutions. { x 2 2xy + y 2 = a x 2 + y x a = b 4 solutions. using symmetries removing powers x 2 2xy + y 2 = (x y) 2 e 1 = a e 2 = b e 3 = c 1 solution. { y = x + a x 2 = b 2 solutions. Alexandre Wallet De meilleures récoltes dans le calcul d indice 24 / 35

39 Situation Known reductions for elliptic curves (g = 1): [FGHR 14, FHJRV 14, GG 14] Summation polynomials and symmetries Our results: J-C. Faugère, A.W., The Point Decomposition Problem in Hyperelliptic Curves. Designs, Codes and Cryptography [to be published] If q = 2 n, reduction of for hyperelliptic curves of all genus g. Practical harvesting on a meaningul curve (#J (H) 184 bits prime). Alexandre Wallet De meilleures récoltes dans le calcul d indice 25 / 35

40 1 Discrete Logarithm Problem over curves 2 Smooth harvesting and new results 3 Decomposition harvesting and new results Extension fields and restriction of scalars Polynomial System Solving New results for binary hyperelliptic curves 4 Impact of improvements Alexandre Wallet De meilleures récoltes dans le calcul d indice 26 / 35

41 Shape of the resultant H : y 2 + h 1 (x)y = h 0 (x) hyperelliptic of genus g over F q n, with q = 2 k d 1 d 2 Good f s: f(x, y) = a i x i + y i=0 }{{} i=0 a i+d1+1x j }{{} p(x) q(x) with { d 1 = m 2 d 2 = m 2g 1 2 Then : R(x) = p(x) 2 + q(x) 2 h 0 (x) + p(x)q(x)h 1 (x) Alexandre Wallet De meilleures récoltes dans le calcul d indice 27 / 35

42 Shape of the resultant H : y 2 + h 1 (x)y = h 0 (x) hyperelliptic of genus g over F q n, with q = 2 k d 1 d 2 Good f s: f(x, y) = a i x i + y i=0 }{{} i=0 a i+d1+1x j }{{} p(x) q(x) with { d 1 = m 2 d 2 = m 2g 1 2 Then : R(x) deg = m Monomials in a i s: = p(x) 2 + q(x) 2 h 0 (x) deg = m a 2 i only + p(x)q(x)h 1 (x) deg m a i a j, i j In Char = 2, equations coming from the head of R can be squares. Alexandre Wallet De meilleures récoltes dans le calcul d indice 27 / 35

43 Results h 1 (x) = x deg h1 + + a t x t, where 0 t deg h 1 g. Number of squares in R: For L = deg h 1 t, R x m has g L square coefficients. Corollary: We can find (n 1)(g L) square equations in the systems. Additional results: any system contains a subsystem of n 1 equations in n 1 variables. it is determined whp.: solve it before solving the remaining equations. Alexandre Wallet De meilleures récoltes dans le calcul d indice 28 / 35

44 Analysis of the new number of solutions Genericity assumption: systems behave like regular systems of dimension 0 over F q n. Before: #vars = (n 1)ng #eqs = (n 1)ng Eqs have deg = 2 = 2 n(n 1)g Now (after presolving): (n 1)(ng 1) eqs and vars (n 1)(g L) linear eqs remaining have deg = 2 = 2 (n 1)((n 1)g+L 1) 2 (n 1)((n 1)g 1) 2 (n 1)(ng 1) factor 2 (n 1)(g+1) 2n 1 Alexandre Wallet De meilleures récoltes dans le calcul d indice 29 / 35

45 1 Discrete Logarithm Problem over curves 2 Smooth harvesting and new results 3 Decomposition harvesting and new results 4 Impact of improvements Experimental timings Comparisons to recent records Alexandre Wallet De meilleures récoltes dans le calcul d indice 30 / 35

46 Impact in experiments Table: Average time 2 to find one relation. Parameters: g = 2, q = 2 15, curves with L = 0. n Approach # solutions Time, one system Time, one relation 3 classic sec days ours sec. 21 seconds 4 classic 2 24 ours hours NB: Success probability = 1 (ng)! 2 Computations with Magma 2.19 Alexandre Wallet De meilleures récoltes dans le calcul d indice 31 / 35

47 Expected nops for meaningful parameters Parameters: g = 2, L = 0, q = 2 31, n = 3. (NB: base field is F 2 93). C such that #J (C) p prime, with log p = 184 bits. Table: Comparisons of possible algorithms Algorithm estimated nops ρ-pollard 2 92 Index-calculus Harvesting Linear algebra Smooth Decomposition, old ( = 2 12 ) Decomposition, ours ( = 2 6 ) NB: Cost of harvesting #F ω (ng)! Alexandre Wallet De meilleures récoltes dans le calcul d indice 32 / 35

48 Practical comparisons With dedicated implementation 3, we find 1 relation in 2.3 sec. in avg. Table: Comparison with a recent record computation #rels harvesting matrix size, density #linalg. log p [KDL+ 17] months 2 24, our work days 2 28, : [KDL+ 17] Computation of a 768 bits prime field discrete logarithm, EuroCrypt 2017 : Size after filtering. [KDL+ 17] use a dedicated filtering. : linear algebra is done modulo p 3 FGb and code gen., Sparse FGLM, NTL Alexandre Wallet De meilleures récoltes dans le calcul d indice 33 / 35

49 Perspectives and open problems Decomposition harvesting: (ongoing work) (A) Reductions for elliptic curves use summation polynomials. analog notion for other curves? [FW 17]: a possible approach, but limited efficiency. Improvements? (B) There are lots of symmetries (automorphisms) in higher genus class groups. Can we exploit them? Open problems: (C) Is there any choice of factor base for elliptic curve over F p? (D) New families of curves with subexponential Index-calculus? (E) Can we find better than Index-calculus? Alexandre Wallet De meilleures récoltes dans le calcul d indice 34 / 35

50 Thank you :) Alexandre Wallet De meilleures récoltes dans le calcul d indice 35 / 35

The point decomposition problem in Jacobian varieties

The point decomposition problem in Jacobian varieties Alexandre Wallet ENS Lyon, Laboratoire LIP, Equipe AriC 1 / 38 1 Generalities Discrete Logarithm Problem Short State-of-the-Art for curves About Index-Calculus