The point decomposition problem in Jacobian varieties

Transcription

1 The point decomposition problem in Jacobian varieties Jean-Charles Faugère2, Alexandre Wallet1,2 1 2 ENS Lyon, Laboratoire LIP, Equipe AriC UPMC Univ Paris 96, CNRS, INRIA, LIP6, Equipe PolSys 1 / 19

2 1 Generalities Discrete Logarithm Problem Short State-of-the-Art for curves About Index-Calculus 2 Harvesting and Decomposition attacks 3 Degree reduction and practical computations 4 Conclusion 2 / 19

3 Discrete Logarithm Problem (DLP) Let g, h = [x] g (G, +), with x Z. Compute x. Is this a hard problem? Classic Generic group: yes For some groups: no Cryptography: yes Quantum NO Security basis for Diffie-Hellman, El-Gamal, Digital Signatures,... Today s groups: Elliptic curves E(F q ) Jacobian of algebraic curves J Fq (C) 3 / 19

4 Computing Discrete Logs exp. time Generic alg. lower bound: DLP ON CURVES : genus : #Field Index Calculus "Small genus" Decomposition Baby-steps Giant-steps -Pollard subexp. time ~ [G'00], [D'07] [GTTD'07] "Large genus" [G'09,D'11],[N'10] [GTTD'07] "Large degree" poly. time [ADH'99], [EGS'02] [EGTT'13] 4 / 19

5 Situation for elliptic curves For cryptography: mostly elliptic curves (g = 1) Elliptic curves over prime fields over extension fields Generic only Decomposition attacks Transfer attacks Higher genus Finite field 5 / 19

6 About Index-Calculus : algebraic curve : Jacobian variety of Inputs 1) Select Factor base too small: harvesting too hard trade-off [GTTD'07] too big: linear algebra too long Harvesting 2) Find relations: T sparse matrix + easy to enumerate + elements should be "small" Several techniques Today: over done by solving polynomial systems Linear Algebra 1) Compute s.t. (aka: Decomposition attacks) Complexity 2) Use to retrieve linalg ~ well-known Discrete Logarithm harvest. ~ x Find 1 relation What about this? 6 / 19

7 Today s target: harvesting in Index-Calculus for curves over F q n. Motivations: Algorithmic Number Theory Computational Algebraic Geometry Cryptography Compute discrete logs in abelian varieties. How efficient can we be? Transfer attacks! 7 / 19

8 1 Generalities 2 Harvesting and Decomposition attacks What is a relation? How to find a relation? Complexity and Polynomial System Solving 3 Degree reduction and practical computations 4 Conclusion 8 / 19

9 Algebraic curves, Jacobian varieties, group law C : P(x, y) = 0, for some P F q [X, Y ], algebraic curve of genus g. g = 1: elliptic: y 2 = x 3 + Ax + B, A, B F q g = 2: hyperelliptic: y 2 + h 1 (x)y = x h 1 F q [x], deg h 1 2 g 3: hyperelliptic: y 2 + h 1 (x)y = x 2g h 1 F q [x], deg h 1 g Non-hyperelliptic (all the rest). 9 / 19

10 Algebraic curves, Jacobian varieties, group law C : P(x, y) = 0, for some P F q [X, Y ], algebraic curve of genus g. Fix a point O. J (C): Jacobian variety J (C) is a quotient group. Its elements are reduced divisors. In practice, a reduced divisor is D = k P i ko. i=1 for some P 1,..., P k C, k g Ex: g = 1, E elliptic, point at infinity O P 3 Line through P 1, P 2 : f (x, y) = 0. In J (E) : P 1 + P 2 +P 3 3O = 0, so that (P 1 O) + (P 2 O) = ([ P 3 ] O). P 1 P 2 P 3 9 / 19

11 Algebraic curves, Jacobian varieties, group law C : P(x, y) = 0, for some P F q [X, Y ], algebraic curve of genus g. Fix a point O. J (C): Jacobian variety J (C) is a quotient group. Its elements are reduced divisors. In practice, a reduced divisor is D = k P i ko. i=1 for some P 1,..., P k C, k g Ex: g = 2, H hyperelliptic, point at infinity O Cubic through P 1,..., P 4 : f (x, y) = 0 In J (H) : P 1 + +P 6 6O = 0 P 5 P 6 P 4 so that: (P 1 + P 2 2O) }{{} + (P 3 + P 4 2O) }{{} D 1 + D 2 = [ P 5 ] + [ P 6 ] 2O }{{} D 3 P 2 P 1 P 6 P 3 P 5 9 / 19

12 Geometry of relations Point m-decomposition Problem (PDP m ) Let H be a curve of genus g, R J (H) and F J (H). Find, if possible, D 1,..., D m F s.t. R = D D m. Harvesting = solving multiple PDP m instances, for some fixed m. 10 / 19

13 Geometry of relations Point m-decomposition Problem (PDP m ) Let H be a curve of genus g, R J (H) and F J (H). Find, if possible, D 1,..., D m F s.t. R = D D m. Harvesting = solving multiple PDP m instances, for some fixed m. Let R = i (x R i, y Ri ) go J (H). R = i,j (x D ij, y Dij ) mgo f (x, y) s.t.: f (x Ri, y Ri ) = f (x Dij, y Dij ) = 0. Such f s form a linear space of finite dim: f Span(f 1,..., f d ) f = d a i f i i=1 Goal: find (a i ) i d. 10 / 19

14 Geometry of relations Point m-decomposition Problem (PDP m ) Let H be a curve of genus g, R J (H) and F J (H). Find, if possible, D 1,..., D m F s.t. R = D D m. Harvesting = solving multiple PDP m instances, for some fixed m. Let R = i (x R i, y Ri ) go J (H). R = i,j (x D ij, y Dij ) mgo f (x, y) s.t.: Ex: g = 2 and m = 2 D i = D i1 + D i2 2O. f (x Ri, y Ri ) = f (x Dij, y Dij ) = 0. Such f s form a linear space of finite dim: f Span(f 1,..., f d ) f = d a i f i i=1 Goal: find (a i ) i d. R 1 R 2 10 / 19

15 Geometry of relations Point m-decomposition Problem (PDP m ) Let H be a curve of genus g, R J (H) and F J (H). Find, if possible, D 1,..., D m F s.t. R = D D m. Harvesting = solving multiple PDP m instances, for some fixed m. Let R = i (x R i, y Ri ) go J (H). R = i,j (x D ij, y Dij ) mgo f (x, y) s.t.: Ex: g = 2 and m = 2 D i = D i1 + D i2 2O. f (x Ri, y Ri ) = f (x Dij, y Dij ) = 0. Such f s form a linear space of finite dim: f Span(f 1,..., f d ) f = d a i f i i=1 Goal: find (a i ) i d. D 12 R 1 D 11 D 21 D 22 R 2 10 / 19

16 Solving PDP m [G 09], [N 10], [D 11] Goal: Find (a i ) i d in a smart way Assume base field is F q n = Span Fq (1, t,..., t n 1 ) 11 / 19

17 Solving PDP m [G 09], [N 10], [D 11] Goal: Find (a i ) i d in a smart way Assume base field is F q n = Span Fq (1, t,..., t n 1 ) Restriction of scalars Write x = j x j t j, x j F q, x = (x 1,..., x n): (x, y) H ( x, ȳ) W where W: Weil Restriction of H over F q Factor base: F = {P O : P H, x(p) F q} = W {x j = 0} j>0 11 / 19

18 Solving PDP m [G 09], [N 10], [D 11] Goal: Find (a i ) i d in a smart way Assume base field is F q n = Span Fq (1, t,..., t n 1 ) Restriction of scalars Write x = j x j t j, x j F q, x = (x 1,..., x n): (x, y) H ( x, ȳ) W where W: Weil Restriction of H over F q Factor base: F = {P O : P H, x(p) F q} = W {x j = 0} j>0 Decomposition Polynomial DP R Resy (H, f ) DP R (x) = (x xri ) = xm + m 1 N i ((a i ))x i i=0 If f describes R = i,j (x ij, y ij ) mo: DP R (x ij ) = 0, i m, j n 1 Write N i ((a i )) = j 0 N ij ((ā i ))t j : D 1,..., D m F DP R (x) F q[x] N ij ((ā i )) = 0, i, j > 0 11 / 19

19 Solving PDP m [G 09], [N 10], [D 11] Goal: Find (a i ) i d in a smart way Assume base field is F q n = Span Fq (1, t,..., t n 1 ) Restriction of scalars Write x = j x j t j, x j F q, x = (x 1,..., x n): (x, y) H ( x, ȳ) W where W: Weil Restriction of H over F q Factor base: F = {P O : P H, x(p) F q} = W {x j = 0} j>0 Decomposition Polynomial DP R Resy (H, f ) DP R (x) = (x xri ) = xm + m 1 N i ((a i ))x i i=0 If f describes R = i,j (x ij, y ij ) mo: DP R (x ij ) = 0, i m, j n 1 Write N i ((a i )) = j 0 N ij ((ā i ))t j : D 1,..., D m F DP R (x) F q[x] N ij ((ā i )) = 0, i, j > 0 Finding relations solving Polynomial systems. For m = ng, {N ij (ā i ) = 0} i m,j>0 is generally 0-dimensional. 11 / 19

20 Solving 0-dimensional systems with Gröbner Bases tools Original System DRL Basis F4, F5 Change order FGLM Univariate Solving n variables s equations : degree of regularity D: #solutions O(s ( ) n+ ω) O(nD ω ) ω: lin. alg. exponent 12 / 19

21 Solving 0-dimensional systems with Gröbner Bases tools Original System DRL Basis F4, F5 Change order FGLM Univariate Solving n variables s equations : degree of regularity D: #solutions O(s ( ) n+ ω) O(nD ω ) In PDP ng setting F q n, genus g = Õ(D1/n ) D = 2 n(n 1)g 1 relation costs O((ng)!D ω ) + Proba that all roots of DP R in F q 1/(ng)! D is the main complexity parameter. Can we reduce it? 12 / 19

22 Situation Known reductions: [FGHR 14], [FHJRV 14], [GG 14] Uses Summation polynomials and symmetries (invariant theory) Higher genus: No reduction known before only for g = 1 (elliptic curves). Ex: g = 2, n = 3, log q = 15 Find 1 relation 12 days. Contributions 1 : Reduction of D for hyperelliptic curves of all genus, if q = 2 n. Practical harvesting on a meaningul curve (#J (H) 184 bits prime). 1 J-C. Faugère, A.W., The Point Decomposition Problem in Hyperelliptic Curves. Designs, Codes and Cryptography [In revision] 13 / 19

23 1 Generalities 2 Harvesting and Decomposition attacks 3 Degree reduction and practical computations Structure of DP R Degree reduction Impact, comparisons 4 Conclusion 14 / 19

24 Structure of DP R in even characteristic, part 1 H : y 2 + h 1 (x)y = h 0 (x) hyperelliptic of genus g over F 2 kn, fix R J (H). m 1 DP R (x) = x m + N i (a)x i & i, deg N i (a) = 2. i=0 With F 2 kn = Span F2 k (tj ) j n 1, N i (a) = j N ij(ā)t j. Reminder: solving PDP ng = solving {N ij (ā) = 0} j>0,i ng over F 2 k. 15 / 19

25 Structure of DP R in even characteristic, part 1 H : y 2 + h 1 (x)y = h 0 (x) hyperelliptic of genus g over F 2 kn, fix R J (H). m 1 DP R (x) = x m + N i (a)x i & i, deg N i (a) = 2. i=0 With F 2 kn = Span F2 k (tj ) j n 1, N i (a) = j N ij(ā)t j. Reminder: solving PDP ng = solving {N ij (ā) = 0} j>0,i ng over F 2 k. N i (a) square j, N ij (ā) squares replace quadratic eqs by linear eqs Proposition: Number of squares Let h 1 (x) = s i=t α ix i, and let L = s t + 1 be the length of h 1 (x). There are exactly g L 1 squares among the N i (a). Consequence: (n 1)(g L 1) replacements in {N ij (ā) = 0} j>0,i ng. Find n 1 more if α s F 2 k. 15 / 19

26 Structure of DP R in even characteristic, part 2 In H : y 2 + h 1 (x)y = h 0 (x), we usually have h 1 (x) monic. Proposition: N m 1 is univariate Let a = (a 1,..., a d ). Then N m 1 (a d ) = a d 2 + a d + λ for some λ F 2 kn. Rewrite: N m 1 (a d ) = a 2 d,0 + a d,0 + λ 0 + j 1 a2 d,j t2j + j 1 (a d,j + λ j )t j = N m 1,0 (ā d ) + j 1 N m 1,j(a d,1,..., a d,n 1 )t j. Proposition: presolving {N m 1,j (a d,1,..., a d,n 1 )} j 1 is 0-dimensional and has a solution in F 2 k whp. Consequence: determines n 1 vars in the full system, removes n 1 eqs. 16 / 19

27 Analysis of degree reduction Base field F 2 kn, m = ng. Implies d = (n 1)g. Let L be the length of h 1. Genericity assumption: PDP ng systems behave like regular systems of dimension 0. Before reduction: #ā = n(n 1)g #eqs = n(n 1)g Eqs have deg = 2 d old = 2 n(n 1)g After reduction: n 1 determined vars (n 1)(g L 1) linear eqs remaining have deg = 2 d new = 2 (n 1)((n 1)g+L 2) 2 (n 1)((n 1)g 1) d new 2 (n 1)(ng 1) factor 2 (n 1)(g+1) d old d new 2 n 1 17 / 19

28 Impact of the reduction For g = 2, n = 3, d old = 2 12 = 4096, d new = 2 6 = 64. Toy-example for one PDP 6 instance: fields tool time for d old time for d new ratio F 2 45 F 2 15 Magma s 0.029s H with L h1 = 1, over F 2 93 = F and #J (H) = 2 3 p, with log p = 184. #cores tool old this work C 30 years 7 days 8000 (optimized 2 ) unfeasible practical comparison with recent DL over 768 bits finite field: #rels harvesting time matrix size matrix density log p #linalg. [KDL+ 17] months our work days F5 with code gen., Sparse-FGLM [FM 11], NTL lib. 18 / 19

29 Conclusion Target: harvesting in Index-Calculus for hyperelliptic curves over F q n. Results: degree reduction if q = 2 k for hyperelliptics practical, meaningful computations in genus 2 Questions: What about q odd? What about non-hyperelliptics? Reduction of F s size? Merci! 19 / 19