Non-generic attacks on elliptic curve DLPs


Non-generic attacks on elliptic curve DLPs. Benjamin Smith, Team GRACE, INRIA Saclay Île-de-France, Laboratoire d'Informatique de l'École polytechnique (LIX). ECC Summer School, Leuven, September 13 2013. Smith (INRIA/LIX) Non-generic ECDLP Leuven, 11/09/2013 1 / 27

Motivation. The cliché: elliptic curve discrete logarithms are as hard as possible. Idealistically, elliptic curves are used as approximations of black-box cyclic abelian groups. But there's nothing black-box about a smooth plane cubic.

Motivation: parameter selection. What parameters does $E/\mathbb{F}_q$ have? The base field, $q = p^n$: can we exploit the field structure? The isomorphism class, $j(E)$: can we exploit the geometry? Plus a choice of twist: can we attack the twist? The isogeny class, $t = \#E(\mathbb{F}_q) - (q + 1)$: can we exploit the group order? What are the bad choices of $q$, $t$, $j$ and $N$ (the prime order of the subgroup we actually use)?

Equivalence classes. Generic DLP algorithms look for collisions in a search space. If we can divide points into equivalence classes with a fast comparison test, we shrink the search space, hence a faster DLP: equivalence classes of size $c$ give a DLP in $O(\sqrt{N/c})$. For example, automorphism orbits would work, but the automorphism group is too small to gain much.

Equivalence classes: subfield curves. Suppose $E$ is a subfield curve: that is, $E$ is defined over $\mathbb{F}_p$, but we use a prime-order subgroup of $E(\mathbb{F}_q)$ with $q = p^n$, $n > 1$. Why would you do this anyway? It is easier to work out the cardinality, and small coefficients (lying in $\mathbb{F}_p$) may speed up arithmetic. $E(\mathbb{F}_p) \subset E(\mathbb{F}_q)$ is a nontrivial subgroup, so $N \mid \#E(\mathbb{F}_q)/\#E(\mathbb{F}_p)$. $E/\mathbb{F}_p$ has a Frobenius endomorphism $\pi : (x, y) \mapsto (x^p, y^p)$, so we can split $E(\mathbb{F}_q)$ into equivalence classes: $P \sim Q \iff P = \pi^e(Q)$ for some $e$. Classes have size $n$, so the DLP runs $\sqrt{n}$ times faster.

So: if you're using an extension field, don't use a subfield curve. Q: are other curves defined over extension fields OK?

Weil descent. Suppose $E$ is defined over an extension field: $E/\mathbb{F}_{q^n}$, $n > 1$. $E$ is a one-dimensional object over a degree-$n$ field. Think of the complex numbers: $\mathbb{C}$ is a line (one-dimensional) over the quadratic extension $\mathbb{R}(\sqrt{-1})$, but can also be visualised as $\mathbb{R}^2$. In the same way, the one-dimensional $\mathbb{F}_{q^n}$-vector space $\mathbb{F}_{q^n}$ is isomorphic to the $n$-dimensional $\mathbb{F}_q$-vector space $\mathbb{F}_q^n$.

Weil descent / restriction of scalars. Weil descent is a direct tradeoff of dimension against degree. The Weil restriction $W$ of $E$ is an $n$-dimensional algebraic group over $\mathbb{F}_q$ (not $\mathbb{F}_{q^n}$) whose $\mathbb{F}_q$-points correspond to the $\mathbb{F}_{q^n}$-points of $E$. The Weil restriction always exists, and doesn't weaken $E$ in itself. But if we're lucky, we may be able to transform all (or part) of $W$ into the Jacobian of a higher-genus curve, which we can attack using index calculus.

Weil descent of an elliptic curve. Let's try $n = 3$, with $q = 2^e$ for some $e$ and $\mathbb{F}_{q^3} = \mathbb{F}_q[\theta]/(\theta^3 + \theta + 1)$, so that $\mathbb{F}_{q^3} = \langle \psi_0 = 1,\ \psi_1 = \theta^2,\ \psi_2 = \theta^4 \rangle_{\mathbb{F}_q}$. Any ordinary elliptic curve over $\mathbb{F}_{q^3}$ is, up to quadratic twist, isomorphic to one of the form $E/\mathbb{F}_{q^3} : y^2 + xy = x^3 + (b_0\psi_0 + b_1\psi_1 + b_2\psi_2)$. Equations for the Weil restriction $W$: substitute $x = x_0\psi_0 + x_1\psi_1 + x_2\psi_2$ and $y = y_0\psi_0 + y_1\psi_1 + y_2\psi_2$, and get 3 equations over $\mathbb{F}_q$ by collecting coefficients of the $\psi_i$.

Explicit Weil restriction. So the Weil restriction $W$ of $E : y^2 + xy = x^3 + (b_0\psi_0 + b_1\psi_1 + b_2\psi_2)$ is defined in $(x_0, x_1, x_2, y_0, y_1, y_2)$-space by the three equations
$$x_0^3 + x_0^2 x_2 + x_0 x_1^2 + x_0 y_1 + x_0 y_2 + x_1^3 + x_1 x_2^2 + x_1 y_0 + x_1 y_2 + x_2^3 + x_2 y_0 + x_2 y_1 = 0,$$
$$x_0^3 + x_0^2 x_1 + x_0 x_1^2 + x_0 y_1 + x_0 y_2 + x_1^2 x_2 + x_1 x_2^2 + x_1 y_0 + x_1 y_1 + x_2^3 + x_2 y_0 + x_2 y_2 + y_1^2 + y_2^2 + b_2 + b_0 = 0,$$
$$x_0^2 x_1 + x_0^2 x_2 + x_0 x_1^2 + x_0 x_2^2 + x_0 y_0 + x_0 y_2 + x_1^3 + x_1 y_1 + x_1 y_2 + x_2^3 + x_2 y_0 + x_2 y_1 + y_0^2 + y_1^2 + b_2 + b_1 = 0.$$
To get a curve in $W$, intersect with (say) $x_0 = u$, $x_1 = u$, $x_2 = u$:
$$C : \big(\ y_2^2 + u y_0 = u^3 + b_0,\quad y_0^2 + u y_1 = u^3 + b_1,\quad y_1^2 + u y_2 = u^3 + b_2\ \big).$$
This is irreducible unless $b_0 = b_1 = b_2$ (so $\beta \in \mathbb{F}_q$). Eliminate $y_1, y_2$ and put $v = y_0$:
$$C : v^8 + u^7 v + u^{12} + u^{10} + u^9 + b_0 u^6 + b_2^2 u^4 + b_1^4 = 0.$$
It may not be obvious, but $C$ is hyperelliptic of genus 3. Desingularize $C \to \tilde{C}$ $\Rightarrow$ explicit isogeny $\Phi : W \to \mathrm{Jac}(\tilde{C})$.
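The elimination step carried through, as an added worked derivation in the slide's own symbols (this is not on the original slide): from the second and third equations defining $C$,
$$y_1 = \frac{v^2 + u^3 + b_1}{u}, \qquad y_2 = \frac{y_1^2 + u^3 + b_2}{u} = \frac{v^4 + u^6 + b_1^2 + u^5 + b_2 u^2}{u^3},$$
where squaring is additive because the characteristic is 2. Substituting into the first equation $y_2^2 + u y_0 = u^3 + b_0$ with $y_0 = v$ and multiplying through by $u^6$ gives
$$v^8 + u^{12} + b_1^4 + u^{10} + b_2^2 u^4 + u^7 v + u^9 + b_0 u^6 = 0,$$
which, reordered, is the octic model of $C$ on the slide; the exponents in $b_2^2$ and $b_1^4$ record how many Frobenius squarings $b_2$ and $b_1$ pick up on the way round the three equations.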

Discrete logarithms on the Weil restriction. Start with a DLP instance in $E(\mathbb{F}_{q^3})$: $Q = (x_Q, y_Q) = [m](x_P, y_P) = [m]P$. Weil-restricting, we get a DLP instance in $W(\mathbb{F}_q)$: $(x^Q_0, x^Q_1, x^Q_2, y^Q_0, y^Q_1, y^Q_2) = [m](x^P_0, x^P_1, x^P_2, y^P_0, y^P_1, y^P_2)$; map through $\Phi$ to get a DLP instance in $\mathrm{Jac}(\tilde{C})$:
$$\Big[\sum_{i=1}^{3} (u^Q_i, v^Q_i) - D_0\Big] = [m]\Big[\sum_{i=1}^{3} (u^P_i, v^P_i) - D_0\Big].$$
Solve this DLP instance using index calculus in $\mathrm{Jac}(\tilde{C})$ in time $\tilde{O}(q^{4/3})$, which beats the $\tilde{O}(q^{3/2})$ of generic methods in $E(\mathbb{F}_{q^3})$.

Gaudry–Hess–Smart. In more generality: Theorem (Gaudry–Hess–Smart, 2000). Let $n \geq 4$ be fixed and write $q = 2^e$. As $e \to \infty$, we can solve the DLP in $E(\mathbb{F}_{q^n})$ for a significant proportion of all elliptic curves $E/\mathbb{F}_{q^n}$ in time $O(q^{2+\epsilon})$. For comparison, generic attacks require time $O(q^{n/2})$.

Reductions. So: in practice, use $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$, or $\mathbb{F}_{2^n}$ with $n$ prime.

Pairings: using pairings to move DLPs. Suppose $E$ is an elliptic curve over $\mathbb{F}_p$ such that $E(\mathbb{F}_p)$ contains a subgroup $G$ of large prime order $N$. Let $k$ be the embedding degree with respect to $N$ and $p$, so $k$ is the smallest positive integer such that $N$ divides $p^k - 1$. We have a pairing $e : E[N] \times E[N] \to \mu_N \subset \mathbb{F}_{p^k}^*$ which we can use to move the DLP from $G$ into $\mathbb{F}_{p^k}^*$. If $k$ is small enough, we can solve the DLP in $\mathbb{F}_{p^k}^*$ faster than we can solve it in $G$.

Menezes–Okamoto–Vanstone (MOV) reduction. Input: a point $P$ in $E(\mathbb{F}_p)$ of prime order $N$, and a point $Q$ in $\langle P \rangle$. Output: an integer $m$ such that $Q = [m]P$.
1. Compute the embedding degree $k$ for $N$ and $p$.
2. Compute a point $S \in E(\mathbb{F}_{p^k})$ such that $e_N(P, S) \neq 1$. A randomly chosen $S$ succeeds with overwhelming probability.
3. Set $z_1 = e_N(P, S)$ and $z_2 = e_N(Q, S)$.
4. Compute an integer $m$ such that $z_1^m = z_2$ in $\mathbb{F}_{p^k}$, using index calculus (i.e., solve the DLP in $\mathbb{F}_{p^k}^*$).
5. Return $m$.
Index calculus in $\mathbb{F}_{p^k}$ is subexponential in $k \log p$. The whole algorithm is subexponential if $k$ is small (polynomial in $\log p$).
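A worked instance of steps 2 to 5 on a toy curve, as an added example that is not part of the slides: the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \pmod 4$ has $\#E(\mathbb{F}_p) = p + 1$, so every prime $N \mid p + 1$ has embedding degree $k = 2$, which is exactly why the next slide counts supersingular curves as pairing-friendly. The code implements the reduced Tate pairing with Miller's loop, uses the distortion map $\phi(x, y) = (-x, iy)$ to obtain the auxiliary point $S = \phi(P)$ of step 2 deterministically instead of at random, and replaces the index-calculus step 4 by a brute-force search in $\mu_N$, which is all the toy sizes need. The prime $p = 103$, the subgroup order $N = 13$ and all function names are constructed for this example.

```python
# Added toy example (not from the slides): the MOV/Tate reduction on the
# supersingular curve E : y^2 = x^3 + x over F_p with p = 3 (mod 4).
# #E(F_p) = p + 1, so every prime N | p + 1 has embedding degree k = 2 and the
# pairing lands in F_{p^2} = F_p[i]/(i^2 + 1); (a, b) below means a + b*i.
# Affine F_p-points are (x, y), None is the point at infinity.  Toy sizes only.

def embedding_degree(N, p, bound=10**4):
    """Step 1: smallest k >= 1 with p^k = 1 (mod N); None if k > bound."""
    pk = 1
    for k in range(1, bound + 1):
        pk = pk * p % N
        if pk == 1:
            return k
    return None

def f2_mul(u, v, p):
    return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)

def f2_inv(u, p):
    d = pow(u[0]*u[0] + u[1]*u[1], -1, p)        # the norm, an element of F_p
    return (u[0]*d % p, -u[1]*d % p)

def f2_pow(u, e, p):
    r = (1, 0)
    for bit in bin(e)[2:]:
        r = f2_mul(r, r, p)
        if bit == '1':
            r = f2_mul(r, u, p)
    return r

def ec_add(P, Q, p):
    """Chord-and-tangent addition on y^2 = x^3 + x (so a = 1) over F_p."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0: return None
        lam = (3*x1*x1 + 1) * pow(2*y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def ec_mul(P, k, p):
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R, p)
        if bit == '1':
            R = ec_add(R, P, p)
    return R

def line_at(T, U, Q, p):
    """Value at Q in E(F_{p^2}) of the line through the F_p-points T and U:
    the tangent if T == U, the vertical x - x_T if U == -T, else the chord."""
    (xQ0, xQ1), (yQ0, yQ1) = Q
    xT, yT = T
    if T != U and U[0] == xT:
        return ((xQ0 - xT) % p, xQ1)
    lam = ((3*xT*xT + 1) * pow(2*yT, -1, p) if T == U
           else (U[1] - yT) * pow(U[0] - xT, -1, p)) % p
    return ((yQ0 - yT - lam*(xQ0 - xT)) % p, (yQ1 - lam*xQ1) % p)

def vertical_at(T, Q, p):
    return (1, 0) if T is None else ((Q[0][0] - T[0]) % p, Q[0][1])

def tate_pairing(P, Q, N, p):
    """Reduced Tate pairing f_{N,P}(Q)^((p^2-1)/N), with f_{N,P} (divisor
    N(P) - N(O)) built by Miller's loop; Q must lie outside E(F_p) so that no
    line or vertical vanishes at Q."""
    f, T = (1, 0), P
    for bit in bin(N)[3:]:
        f = f2_mul(f2_mul(f, f, p), line_at(T, T, Q, p), p)
        T = ec_add(T, T, p)
        f = f2_mul(f, f2_inv(vertical_at(T, Q, p), p), p)
        if bit == '1':
            f = f2_mul(f, line_at(T, P, Q, p), p)
            T = ec_add(T, P, p)
            f = f2_mul(f, f2_inv(vertical_at(T, Q, p), p), p)
    return f2_pow(f, (p*p - 1) // N, p)

def distortion(P, p):
    """phi(x, y) = (-x, i*y) sends E(F_p) to points of E(F_{p^2}) outside E(F_p)."""
    return (((-P[0]) % p, 0), (0, P[1]))

def point_of_order(N, p):
    """A point of prime order N | p + 1 on E(F_p), by cofactor multiplication."""
    for x in range(1, p):
        v = (x**3 + x) % p
        y = pow(v, (p + 1) // 4, p)                # square root when p = 3 (mod 4)
        if v and y*y % p == v:
            P = ec_mul((x, y), (p + 1) // N, p)
            if P is not None:
                return P

def mov_reduce(P, Q, N, p):
    """Steps 2-5: pair against S = phi(P), then solve z1^m = z2 in mu_N.  The
    brute-force loop stands in for index calculus in F_{p^2}."""
    S = distortion(P, p)
    z1, z2 = tate_pairing(P, S, N, p), tate_pairing(Q, S, N, p)
    assert z1 != (1, 0), "pairing degenerate: S lies in <P> modulo N*E"
    z = (1, 0)
    for m in range(N):
        if z == z2:
            return m
        z = f2_mul(z, z1, p)
    return None
```

Usage: with `p, N = 103, 13`, `P = point_of_order(N, p)` and `Q = ec_mul(P, 9, p)`, `mov_reduce(P, Q, N, p)` returns 9, and `tate_pairing(Q, distortion(P, p), N, p)` equals `f2_pow(tate_pairing(P, distortion(P, p), N, p), 9, p)`, which is the bilinearity that makes step 4 a DLP in $\mu_N \subset \mathbb{F}_{p^2}^*$ rather than on the curve.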

Balasubramanian–Koblitz. Luckily, a low embedding degree basically never happens by accident. Theorem (Balasubramanian and Koblitz, 1998). Let $(p, E)$ be a randomly chosen pair consisting of a $B$-bit prime $p$ and an elliptic curve $E/\mathbb{F}_p$ such that $N = \#E(\mathbb{F}_p)$ is prime. The probability that $N \mid (p^k - 1)$ for some $k \leq (\log p)^2$ is less than $c\,B^9 (\log B)^2 / 2^B$ for some effectively computable constant $c > 0$. Noteworthy exceptions: pairing-friendly curves, including all supersingular elliptic curves.

Pairings. So: don't use pairing-friendly curves for ordinary DLP-based systems.

Mapping into the additive group. DLPs in the additive group are really fast: they're just (modular) division. When can we map an ECDLP instance into $(\mathbb{F}_p, +)$? If $E(\mathbb{F}_p)$ is cyclic of prime order $N$, then a homomorphism $E(\mathbb{F}_p) \to (\mathbb{F}_p, +)$ can only be nontrivial if $N = p$. This can happen ($p$ is certainly in the Hasse interval): we call these trace-1 curves anomalous curves.

Homomorphisms into the additive group. Suppose $E$ is defined over $\mathbb{F}_p$, and that $\#E(\mathbb{F}_p) = p$. There are several approaches to mapping $E(\mathbb{F}_p)$ into $(\mathbb{F}_p, +)$ (Semaev, Smart, Araki–Satoh, Rück, ...). We follow Semaev's approach: an additive version of the Tate pairing gives a homomorphism $E(\mathbb{F}_p) \to \Omega^1(E) \cong (\mathbb{F}_p, +)$ (recall that $\Omega^1(E)$ is the space of regular differentials on $E$).

Rück's approach. Suppose $\#E(\mathbb{F}_p) = p$. If $P$ is in $E(\mathbb{F}_p)$ then $[p]P = O_E$, so $p\big((P) - (O_E)\big) = (f_P)$ for some $f_P$ in $\mathbb{F}_p(E)$ (a Miller function!). Serre: the differential $df_P/f_P$ is regular at $O_E$. Expand at $O_E$ with local parameter $t = x/y$ (so $t(O_E) = 0$ with multiplicity 1):
$$\frac{df_P}{f_P} = (a_0 + a_1 t + a_2 t^2 + \cdots)\,dt.$$
The product rule for differentials plus the algebra of Miller functions $\Rightarrow$ $P \mapsto f_P \mapsto a_0$ is a homomorphism!

Solving DLPs on anomalous curves. To solve a DLP instance $Q = [m]P$ on an anomalous curve $E/\mathbb{F}_p$:
1. Compute $a_0(P)$ and $a_0(Q)$ using Miller loops. Don't compute $f_P$ and $f_Q$ themselves: build up the $a_0$ values inside a double-and-add loop.
2. Then $m \equiv a_0(Q)/a_0(P) \pmod p$.
The number of $E(\mathbb{F}_p)$-operations is linear in $\log p$. This reduction is easy to implement!
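The reduction as runnable code, added here and not part of the slides: it uses Smart's $p$-adic lifting approach (one of the alternatives named two slides up) rather than the differential coefficient $a_0$ of Rück and Semaev, because it needs nothing beyond integer arithmetic modulo $p^2$. The curve is lifted to $\mathbb{Z}/p^2$ with the same $a, b$ and the points are Hensel-lifted; $[p]\tilde{P}$ then reduces to $O_E$, and $\psi(P) = \big((-x/y)([p]\tilde{P})\big)/p \bmod p$ is a homomorphism $E(\mathbb{F}_p) \to (\mathbb{F}_p, +)$, so $m = \psi(Q)/\psi(P)$ exactly as in step 2 above. Jacobian coordinates avoid the division by a multiple of $p$ that affine formulas would hit in the final addition $[p-1]\tilde{P} + \tilde{P}$. The toy prime $p = 103$, the brute-force search for an anomalous curve and all helper names are constructed for this example.

```python
# Added toy example (not from the slides): Smart's p-adic attack on an anomalous
# curve E : y^2 = x^3 + a x + b over F_p, #E(F_p) = p.  Lift E, P, Q to Z/p^2;
# [p]P~ reduces to O_E, and psi(P) = (-x/y)([p]P~)/p mod p is a homomorphism
# E(F_p) -> (F_p, +), so m = psi(Q)/psi(P).  Jacobian coordinates (X : Y : Z),
# x = X/Z^2, y = Y/Z^3, let the last addition [p-1]P~ + P~ (whose affine slope
# would divide by a multiple of p) be computed without any inversion.  Toy sizes.

def jac_dbl(P, a, n):
    X, Y, Z = P
    S = 4 * X * Y * Y % n
    M = (3 * X * X + a * pow(Z, 4, n)) % n
    X3 = (M * M - 2 * S) % n
    Y3 = (M * (S - X3) - 8 * pow(Y, 4, n)) % n
    return (X3, Y3, 2 * Y * Z % n)

def jac_add(P, Q, n):
    """Chord formula; the result is a valid representative even when the two
    inputs agree modulo p but not modulo n = p^2 (then Z3 = 0 mod p)."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    U1, U2 = X1 * Z2 * Z2 % n, X2 * Z1 * Z1 % n
    S1, S2 = Y1 * pow(Z2, 3, n) % n, Y2 * pow(Z1, 3, n) % n
    H, r = (U2 - U1) % n, 2 * (S2 - S1) % n
    I = 4 * H * H % n
    J, V = H * I % n, U1 * I % n
    X3 = (r * r - J - 2 * V) % n
    Y3 = (r * (V - X3) - 2 * S1 * J) % n
    return (X3, Y3, 2 * Z1 * Z2 * H % n)

def jac_mul(P, k, a, n):
    """Left-to-right double-and-add for k >= 1; for the scalars used here no
    intermediate point is O or 2-torsion, so no exceptional case arises."""
    R = P
    for bit in bin(k)[3:]:
        R = jac_dbl(R, a, n)
        if bit == '1':
            R = jac_add(R, P, n)
    return R

def to_affine(P, p):
    X, Y, Z = P
    zi = pow(Z, -1, p)
    return (X * zi * zi % p, Y * pow(zi, 3, p) % p)

def lift_point(P, a, b, p):
    """Hensel-lift (x, y) on E mod p to y^2 = x^3 + a x + b modulo p^2 (keep x)."""
    x, y = P
    n = p * p
    rhs = (x ** 3 + a * x + b) % n
    delta = ((rhs - y * y) % n // p) * pow(2 * y, -1, p) % p
    return (x, (y + p * delta) % n)

def p_adic_log(P, a, p):
    """psi(P): compute [p]P~ modulo p^2 and read off (-x/y)/p = -X*(Z/p)/Y mod p."""
    X, Y, Z = jac_mul((P[0], P[1], 1), p, a, p * p)
    assert Z % p == 0                      # [p]P~ is in the kernel of reduction
    return (-X * (Z // p) * pow(Y % p, -1, p)) % p

def smart_attack(P, Q, a, b, p):
    """Solve Q = [m]P on an anomalous curve.  psi vanishes identically only when
    the lifted curve is the canonical lift; then retry with a + p*i in place of a."""
    for i in range(p):
        a_lift = a + p * i
        psi_P = p_adic_log(lift_point(P, a_lift, b, p), a_lift, p)
        if psi_P == 0:
            continue
        psi_Q = p_adic_log(lift_point(Q, a_lift, b, p), a_lift, p)
        return psi_Q * pow(psi_P, -1, p) % p
    return None

def count_points(a, b, p):
    """Naive #E(F_p) for y^2 = x^3 + a x + b (the trace-1 test is #E == p)."""
    squares = {y * y % p for y in range(1, p)}
    n = 1
    for x in range(p):
        v = (x ** 3 + a * x + b) % p
        n += 1 if v == 0 else (2 if v in squares else 0)
    return n

def find_anomalous_curve(p):
    """Brute-force search for (a, b), both nonzero, with #E(F_p) = p."""
    for a in range(1, p):
        for b in range(1, p):
            if (4 * a ** 3 + 27 * b ** 2) % p and count_points(a, b, p) == p:
                return a, b

def find_point(a, b, p):
    """Any affine point with y != 0 (brute force)."""
    for x in range(p):
        v = (x ** 3 + a * x + b) % p
        for y in range(1, p):
            if y * y % p == v:
                return (x, y)
```

Usage: `a, b = find_anomalous_curve(103)`, `P = find_point(a, b, 103)`, `Q = to_affine(jac_mul((P[0], P[1], 1), 77, a, 103), 103)`, then `smart_attack(P, Q, a, b, 103)` returns 77. The retry over lifts of $a$ is the one caveat of the method: for the canonical lift the map $\psi$ is identically zero, which a single fixed lift would hit with probability about $1/p$.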

Mapping into the additive group. So: NEVER use anomalous curves.

Attacking the twist: Diffie–Hellman key exchange.
1. A and B publicly fix a group $G$ and a generator $X_0 \in G$.
2. A and B choose secret multipliers $s_A, s_B \in \mathbb{Z}/(\#G)$.
3. A computes $X_A := [s_A]X_0$ and makes it public; B computes $X_B := [s_B]X_0$ and makes it public.
4. A and B compute the shared secret $[s_A s_B]X_0 = [s_A]X_B = [s_B]X_A$.
$G$ can be a set rather than a group, with the scalars $s_A$, $s_B$ drawn from an abelian semigroup acting on $G$. We need a hard DHP (given $X_0$, $[s_A]X_0$ and $[s_B]X_0$, find $[s_A s_B]X_0$).

Diffie–Hellman / Montgomery. Consider the curve $E : y^2 = x(x^2 + Ax + 1)$ over $\mathbb{F}_p$. We have $x([-1]P) = x(P)$ for all $P$ in $E(\mathbb{F}_p)$, and we can compute $[m]$ on $x$-coordinates, $x(P) \mapsto x([m]P)$, in terms of $x(P)$ and $A$ alone: no need for $y$-coordinates. This is a good move for Diffie–Hellman implementations: it saves a lot of time, and a bit of space. Something funny: the $x$-coordinate maps $[m]$ work (and compose properly) for any input $x \in \mathbb{F}_p$, not just $x(P)$ for $P \in E(\mathbb{F}_p)$! In this case: garbage in, garbage out...

Diffie–Hellman / Montgomery. The curve: $E : y^2 = x(x^2 + Ax + 1)$ over $\mathbb{F}_p$. Quadratic twist: $E' : By^2 = x(x^2 + Ax + 1)$, where $B$ is a nonsquare in $\mathbb{F}_p$. Every $\alpha$ in $\mathbb{F}_p$ satisfies exactly one of:
1. $(\alpha, 0) \in E[2](\mathbb{F}_p)$ and $(\alpha, 0) \in E'[2](\mathbb{F}_p)$;
2. $\alpha = x(P)$ for some $P \in E(\mathbb{F}_p) \setminus E[2](\mathbb{F}_p)$;
3. $\alpha = x(P')$ for some $P' \in E'(\mathbb{F}_p) \setminus E'[2](\mathbb{F}_p)$.
$\Rightarrow \#E(\mathbb{F}_p) + \#E'(\mathbb{F}_p) = 2(p + 1)$. Even if $E$ has a strong group order, $E'$ can be weak. Fouque–Réal–Lercier–Valette attack: sneak in $\alpha = x(P')$, where $P'$ is a point on the quadratic twist, then solve the DHP on the twist instead.

Attacking the twist. So: avoid curves with insecure twists.

Isogenies: extending attacks with isogenies. If $E/\mathbb{F}_p$ is weak and $E \to E'$ is a computable $\mathbb{F}_p$-isogeny, then $E'$ should be weak, too.
Anomalous curves: isogeny-invariant, no gain. The entire isogeny class $t = 1$ is already weak.
Pairing-friendly curves: isogeny-invariant, no gain. Pairing-friendliness is a function of the group order and the field, not of the curve geometry.
Twist security: isogeny-invariant, no gain.
Weil descent: amenability is not isogeny-invariant. Starting from a strong curve and exploring its isogeny graph, we may land on a weak curve (Galbraith–Hess–Smart).
Subfield curves: not isogeny-invariant. Avoid isogeny classes corresponding to subfield-curve traces.