Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Similar documents
Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Elliptic Curve Cryptography with Derive

One can use elliptic curves to factor integers, although probably not RSA moduli.

Elliptic Curve Cryptosystems

Public-key Cryptography and elliptic curves

8 Elliptic Curve Cryptography

The Elliptic Curve in https

Points of High Order on Elliptic Curves ECDSA

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Introduction to Elliptic Curve Cryptography. Anupam Datta

Discrete Logarithm Problem

Lecture Notes, Week 6

MATH 158 FINAL EXAM 20 DECEMBER 2016

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Elliptic Curve Cryptography

9 Knapsack Cryptography

Public-key Cryptography and elliptic curves

Lecture 1: Introduction to Public key cryptography

CPSC 467b: Cryptography and Computer Security

Arithmétique et Cryptographie Asymétrique

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Lecture 7: ElGamal and Discrete Logarithms

Public-Key Cryptosystems CHAPTER 4

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Elliptic Curves: Theory and Application

Discrete Logarithm Problem

Discrete Logarithm Computation in Hyperelliptic Function Fields

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Elliptic curves: Theory and Applications. Day 3: Counting points.

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Introduction to Cryptography. Lecture 8

Cryptography IV: Asymmetric Ciphers

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

Chapter 8 Public-key Cryptography and Digital Signatures

Elliptic Curve Cryptography

Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)

Non-generic attacks on elliptic curve DLPs

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

CPSC 467b: Cryptography and Computer Security

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

10 Public Key Cryptography : RSA

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

Public Key Algorithms

Other Public-Key Cryptosystems

Constructing Abelian Varieties for Pairing-Based Cryptography

CPSC 467: Cryptography and Computer Security

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

1 Number Theory Basics

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

On the complexity of computing discrete logarithms in the field F

ElGamal type signature schemes for n-dimensional vector spaces

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Discrete logarithm and related schemes

CRYPTOGRAPHY AND NUMBER THEORY

Elliptic Curve Computations (1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x 3 x over the real number field R.

Information Security

Math/Mthe 418/818. Review Questions

Mathematics of Cryptography

Ti Secured communications

Definition of a finite group

An Introduction to Pairings in Cryptography

Asymmetric Encryption

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

APA: Estep, Samuel (2018) "Elliptic Curves" The Kabod 4( 2 (2018)), Article 1. Retrieved from vol4/iss2/1

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

Introduction to Elliptic Curve Cryptography

Elliptic Curve Cryptology. Francis Rocco

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

CIS 551 / TCOM 401 Computer and Network Security

Introduction to Modern Cryptography. Benny Chor

Applied Cryptography and Computer Security CSE 664 Spring 2018

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM

Practice Assignment 2 Discussion 24/02/ /02/2018

Isogenies in a quantum world

SM9 identity-based cryptographic algorithms Part 1: General

Public Key Encryption

CPSC 467b: Cryptography and Computer Security

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Fast, twist-secure elliptic curve cryptography from Q-curves

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Constructing genus 2 curves over finite fields

Public-Key Encryption: ElGamal, RSA, Rabin

Explicit Complex Multiplication

arxiv: v3 [cs.cr] 15 Jun 2017

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Finite Fields and Elliptic Curves in Cryptography

Katherine Stange. ECC 2007, Dublin, Ireland

10 Modular Arithmetic and Cryptography

Elliptic Curve Discrete Logarithm Problem

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

CONTEMPORARY CRYPTOSYSTEMS

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Course Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week

14 Diffie-Hellman Key Agreement

Transcription:

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 / 29

Ciphering a message Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 2 / 29

The discrete log problem Given G and g, h G, ask What is α such that g α = h? If exponentiation is fast but the DLP is hard, this is a good problem for cryptography. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 3 / 29

Cryptography using DLP Preparation of receiver: Fix G, g G and k Z Publish G, g and h = g k Encryption of m by sender: Choose y Send c 1 = g y and c 2 = mh y Decryption by receiver: c 2 c k 1 = mh y g ky = mg ky g ky = m. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 4 / 29

The DLP and elliptic curves The group G is going to be E(F q ) for some elliptic curve, in which case g and h are points on E and we are trying to find an integer k with kg = h. One way of attacking a discrete log problem is simple brute force: try all possible values of k until one works. This is impractical when the answer k can be an integer of several hundred digits, which is a typical size used in cryptography. Therefore, better techniques are needed. One might wonder why elliptic curves are used in cryptographic situations. The reason is that elliptic curves provide security equivalent to classical systems while using fewer bits. For example, it is estimated that a key size of 4096 bits for RSA gives the same level of security as 313 bits in an elliptic curve system. This means that implementations of elliptic curve cryptosystems require smaller chip size, less power consumption, etc. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 5 / 29

Diffie-Hellman Key Exchange 1. Alice and Bob agree on an elliptic curve E over a finite field F q such that the discrete logarithm problem is hard in E(F q ). They also agree on a point P E(F q ) such that the subgroup generated by P has large order (usually, the curve and point are chosen so that the order is a large prime). 2. Alice chooses a secret integer a, computes P a = ap, and sends P a to Bob. 3. Bob chooses a secret integer b, computes P b = bp, and sends P b to Alice. 4. Alice computes ap b = abp. 5. Bob computes bp a = bap. 6. Alice and Bob use some publicly agreed on method to extract a key from abp. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 6 / 29

Diffie-Hellman Key Exchange For example, they could use the last 256 bits of the x-coordinate of abp as the key. Or they could evaluate a hash function at the x-coordinate. The only information that the eavesdropper Eve sees is the curve E, the finite field F q, and the points P, ap, and bp. She therefore needs to solve the following: DIFFIE-HELLMAN PROBLEM Given P, ap,and bp in E(F q ), compute abp. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 7 / 29

The Index-Calculus Let p be a prime and let g be primitive root mod p, which means that g is a generator for the cyclic group F p. In other words, every h 0 (mod p) can be written in the form h g k for some integer k that is uniquely determined mod p 1. Let k = L(h) denote the discrete logarithm of h with respect to g and p, so Suppose we have h 1 and h 2. Then g L(h) h (mod p). g L(h 1h 2 ) h 1 h 2 g L(h 1)+L(h 2 ) (mod p), which implies that L(h 1 h 2 ) L(h 1 ) + L(h 2 ) (mod p 1). Therefore, L changes multiplication into addition, just like the classical logarithm function. The index calculus is a method for computing values of the discrete log function L. The idea is to compute L(l) for several small primes l, then use this information to compute L(h) for arbitrary h. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 8 / 29

The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 9 / 29

The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 10 / 29

The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 11 / 29

The Index-Calculus The choice of the size of the factor base B is important. If B is too small, then it will be very hard to find powers of g that factor with primes in B. If B is too large, it will be easy to find relations, but the linear algebra needed to solve for the logs of the elements of B will be enormous. An example that was completed in 2001 by A. Joux and R. Lercier used the first 1 million primes to compute discrete logs mod a 120-digit prime. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 12 / 29

Baby Step - Giant Step We have elements P, Q G cyclic of order N, and we are trying to find k Z such that kp = Q. The Baby Step - Giant Step developed by Shanks goes as follows: Fix an integer m N and compute mp. Make and store a list of ip for 0 i < m. Compute the points Q jmp for j = 0, 1,..., m 1 until one matches an element from the stored list. If ip = Q jmp, we have Q = kp with k i + jm(mod (N)). we did not need to know the exact order N of G. We only required an upper bound for N. Therefore, for elliptic curves over F q, we could use this method with m 2 q + 1 + 2 q. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 13 / 29

Baby Step - Giant Step Example Let G = E(F 41 ), where E : y 2 = x 3 + 2x + 1. Let P = (0, 1) and Q = (30, 40). We know #G 54, so we let m = 8. The points ip for 1 i 7 are (0, 1), (1, 39), (8, 23), (38, 38), (23, 23), (20, 28), (26, 9). We calculate Q jmp for j = 0, 1, 2 and obtain (30, 40), (9, 25), (26, 9), at which point we stop since this third point matches 7P. Since j = 2 yielded the match, we have Therefore, k = 23. (30, 40) = (7 + 2 8)P = 23P. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 14 / 29

Pollard s ρ (Same time that Baby - Step, Giant - Step, but very little storage needed) Let G be a finite group of order N. Choose a function f : G G that behaves rather randomly. Then start with a random element P 0 and compute the iterations P i+1 = f (P i ). Since G is a finite set, there will be some indices i 0 < j 0 such that P i0 = P j0. Then P i0 +l = P j0 +l for all l 0. Therefore, the sequence P i is periodic with period j 0 i 0. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 15 / 29

Pollard s ρ (Same time that Baby - Step, Giant - Step, but very little storage needed) Let G be a finite group of order N. Choose a function f : G G that behaves rather randomly. Then start with a random element P 0 and compute the iterations P i+1 = f (P i ). Since G is a finite set, there will be some indices i 0 < j 0 such that P i0 = P j0. Then P i0 +l = P j0 +l for all l 0. Therefore, the sequence P i is periodic with period j 0 i 0. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 15 / 29

Pollard s ρ If f is a randomly chosen random function, then we expect to find a match with j 0 at most a constant times N. A naive implementation of the method stores all the points P i until a match is found. This takes around N storage, which is similar to Baby Step, Giant Step. However, it is possible to do much better at the cost of a little more computation. The key idea is that once there is a match for two indices differing by d, all subsequent indices differing by d will yield matches. This is just the periodicity mentioned above. Therefore, we can compute pairs (P i, P 2i ) for i = 1, 2,..., but only keep the current pair. The problem remains of how to choose a suitable function f. Besides having f act randomly, we need to be able to extract useful information from a match. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 16 / 29

Pollard s ρ Divide G into s disjoint subsets S 1, S 2,..., S s of approximately the same size. Choose 2s random integers a i, b i mod N. Let M i = a i P + b i Q. Finally, define f (g) = g + M i if g S i. Choose random integers a 0, b 0 and let P 0 = a 0 P + b 0 Q be the starting point for the random walk. While computing the points P j, we also record how these points are expressed in terms of P and Q. If P j = u j P + v j Q and P j+1 = P j + M i, then P j+1 = (u j + a i )P + (v j + b i )Q, so (u j+1, v j+1 ) = (u j, v j ) + (a i, b i ). Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 17 / 29

Pollard s ρ When we find a match P j0 = P i0, then we have u j0 P + v j0 Q = u i0 P + v i0 Q, hence (u i0 u j0 )P = (v j0 v i0 )Q. If gcd(v j0 v i0, N) = d, we have k (v j0 v i0 ) 1 (u i0 u j0 )(mod N/d). This gives us d choices for k. Usually, d will be small, so we can try all possibilities until we have Q = kp. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 18 / 29

Pollard s ρ Let G = E(F 1093 ), with E : y 2 = x 3 + x + 1. We take s = 3 and P = (0, 1) and Q = (413, 959). The order of P is 1067. We want to find k such that kp = Q. Let P 0 = 3P + 5Q, M 0 = 4P + 3Q, M 1 = 9P + 17Q, and M 2 = 19P + 6Q. Let f : E(F 1093 ) E(F 1093 ) be defined by f (x, y) = (x, y) + Mi if x i(mod 3). If we compute P 0, P 1 = f (P 0 ), P 2 = f (P 1 ),..., we obtain... Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 19 / 29

Pollard s ρ P 0 = (326, 69), P 1 = (727, 589), P 2 = (560, 365), P 3 = (1070, 260), P 4 = (473, 903), P 5 = (1006, 951), P 6 = (523, 938),..., P 57 = (895, 337), P 58 = (1006, 951), P 59 = (523, 938),... The sequence starts repeating at P 5 = P 58. We find that P 5 = 88P + 46Q and P 58 = 685P + 620Q. Therefore, = P 58 P 5 = 597P + 574Q. Since P has order 1067 and 574 1597 499(mod 1067), we get Q = 499P, so k = 499. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 20 / 29

The Pohlig-Hellman Method Let P, Q be elements in a group G and we want to find an integer k with Q = kp. We also know the order N of P and we know the prime factorization N = i of N. The idea of Pohlig-Hellman is to find k (mod q e i i ) for each i, then use the Chinese Remainder theorem to combine these and obtain k(mod N). Let q be a prime, and let q e be the exact power of q dividing N. Write k in its base q expansion as q e i i k = k 0 + k 1 q + k 2 q 2 +... with 0 k i < q. We evaluate k (mod q e ) by successively determining k 0, k 1,..., k e 1. The procedure is as follows. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 21 / 29

The Pohlig-Hellman Method ( ) 1. Compute T = {j N q P 0 j q 1}. ( ) 2. Compute N q Q. This will be an element k N 0 q P of T. 3. If e = 1, stop. Otherwise, continue. 4. Let Q 1 = Q k 0 P. 5. Compute N q 2 Q 1. This will be an element k 1 ( N q P ) of T. 6. If e = 2, stop. Otherwise, continue. 7. Suppose we have computed k 0, k 1,..., k r 1, and Q 1,..., Q r 1. 8. Let Q r = Q r 1 k r 1 q r 1 P. 9. Determine k r such that N q r+1 Q r = k r ( N q P ). 10. If r = e 1, stop. Otherwise, return to step (7). Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 22 / 29

The Pohlig-Hellman Method Then Why does this work? We have k k 0 + k 1 q +... + k e 1 q e 1 (mod q e ). N q Q = N q (k N 0 + k 1 q +...)P = k 0 q P + (k N 1 + k 2 q +...)NP = k 0 q P, since NP =. Therefore, step (2) finds k 0. Then Q 1 = Q k 0 P = (k 1 q + k 2 q 2 +...)P, so N q 2 Q 1 = (k 1 + k 2 q +...) N q P = = k 1 N q P + (k 2 + k 3 q +...)NP = k 1 N q P. Therefore, we find k 1. Similarly, the method produces k 2, k 3,... We have to stop after r = e 1. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 23 / 29

The Pohlig-Hellman Method Example. Let G = E(F 599 ), where E : y 2 = x 3 + 1. Let P = (60, 19) and Q = (277, 239). P has order N = 600. We want to solve Q = kp for k. The factorization of N is 600 = 2 3 3 5 2. We will compute k mod 8, mod 3, and mod 25, then recombine to obtain k mod 600. k mod 8. We compute T = {, (598, 0)}. Since ( ) N (N/2)Q = = 0 2 P, we have k 0 = 0. Therefore, Q 1 = Q 0P = Q. Since (N/4)Q 1 = 150Q 1 = (598, 0) = 1 N 2 P, we have k 1 = 1. Therefore, Q 2 = Q 1 1 2 P = (35, 243). Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 24 / 29

The Pohlig-Hellman Method Example. (Cont.) Since (N/8)Q 2 = 75Q 2 = = 0 N 2 P, we have k 2 = 0. Therefore, k = 0 + 1 2 + 0 4 +... 2 (mod 8). k mod 3. We have k 2 (mod 3). k mod 25. We have k = 1 + 3 5 16(mod 25). We now have the simultaneous congruences x 2 (mod 8) x 2 (mod 3) x 16 (mod 25). These combine to yield k 266 (mod 600), so k = 266. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 25 / 29

The MOV Attack One strategy for attacking a discrete logarithm problem is to reduce it to an easier discrete logarithm problem. This can often be done with pairings such as the Weil pairing, which reduce a discrete logarithm problem on an elliptic curve to one in the multiplicative group of a finite field. The MOV attack, named after Menezes, Okamoto, and Vanstone, uses the Weil pairing to convert a discrete log problem in E(F q ) to one in F q m. Since discrete log problems in finite fields can be attacked by index calculus methods, they can be solved faster than elliptic curve discrete log problems, as long as the field F q m is not much larger than F q. For supersingular curves, we can usually take m = 2, so discrete logarithms can be computed more easily for these curves than for arbitrary elliptic curves. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 26 / 29

The CM method Let E be an elliptic curve over a finite field F q. The number of points #E(F q ) = q + 1 t, where t is the trace of the Frobenius endormopshim φ q that satisfies φ 2 q tφ q + q = 0. The endomorphism ring End(E) Q is an imaginary quadratic field if E is not supersingular (otherwise it is a definite quaternion algebra). Let us write K = Q( d) = End(E) Q with d 0, 1 mod 4 and d or d/4 square-free. Then Disc(K) = d. On the other hand, φ q = a + b + 2 with: t = 2a + b, and q = a 2 + ab + b 2 2 /4 b 2 /4 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 27 / 29

The CM method The lattice Λ = 1, τ with τ = + 2 defines an elliptic curve C/Λ with CM by End(E) = O K. The j invariant associated to it is j(q) = 1 q + 744 + 196884q + 21493760q2 + 864299970q 3 + 20245856256q 4 +..., where q = exp(2πiτ). This number is an algebraic integer (Shimura). Definition The Hilbert polynomial associated to an order O K is H O (x) = (x j(e)). Theorem (Shimura) The polynomial H O (x) Z[x]. E has CM by O Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 28 / 29

The CM method Let us take q = 59 and let us construct an elliptic curve with 48 = 1 + 59 t points. We have t = 12, and we can take = 23 and a = 29 and b = 2. H 23 (X ) = X 3 + 3491750X 2 5151296875X + 12771880859375. Modulo 59, we have H 23 (x) = (x 20)(x 42)(x 44). We take j = 20 and we get E : y 2 = x 3 + 14x + 14. This is the right twist. Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 29 / 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback