Discrete Logarithm Computation in Hyperelliptic Function Fields

Similar documents
Non-generic attacks on elliptic curve DLPs

Elliptic Curve Discrete Logarithm Problem

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Elliptic Curve Cryptography

Problème du logarithme discret sur courbes elliptiques

Discrete Logarithm Problem

SM9 identity-based cryptographic algorithms Part 1: General

Elliptic Curve Cryptography with Derive

On the complexity of computing discrete logarithms in the field F

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Alternative Models: Infrastructure

Lecture 6: Cryptanalysis of public-key algorithms.,

Finite Fields and Elliptic Curves in Cryptography

Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Cyclic Groups in Cryptography

Attacking the Elliptic Curve Discrete Logarithm Problem. Matthew Musson. Thesis submitted in partial fulfillment of the requirements of the degree

Implementing Pairing-Based Cryptosystems

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

Calcul d indice et courbes algébriques : de meilleures récoltes

Katherine Stange. ECC 2007, Dublin, Ireland

A variant of the F4 algorithm

A quasi polynomial algorithm for discrete logarithm in small characteristic

of elliptic curves dened over F 2 155, the probability of nding one where the GHS attac is applicable is negligible. In this paper we extend the GHS a

190 R. Harasawa, J. Shikata, J. Suzuki, and H. Imai generally requires an exponential time in log q to solve it (V. Miller [15], and J. Silverman and

Hidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith

ElGamal type signature schemes for n-dimensional vector spaces

Ate Pairing on Hyperelliptic Curves

Hyperelliptic curves

Hyperelliptic Curves and Cryptography

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

WEIL DESCENT ATTACKS

Comparing the MOV and FR Reductions in Elliptic Curve Cryptography

Extending the GHS Weil Descent Attack

A brief overwiev of pairings

The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem

Public-key Cryptography and elliptic curves

Constructing Abelian Varieties for Pairing-Based Cryptography

Explicit isogenies and the Discrete Logarithm Problem in genus three

Background of Pairings

A gentle introduction to elliptic curve cryptography

No.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Design of Hyperelliptic Cryptosystems in Small Characteristic and a Software Implementation over F 2

On the evaluation of modular polynomials

The number field sieve in the medium prime case

PAIRINGS ON HYPERELLIPTIC CURVES. 1. Introduction

Weil pairing. Algant: Regensburg and Leiden Elliptic curves and Weil conjectures seminar, Regensburg. Wednesday 22 nd June, 2016.

On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem

The point decomposition problem in Jacobian varieties

Summation polynomials and the discrete logarithm problem on elliptic curves

A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups

The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms

The Application of the Mordell-Weil Group to Cryptographic Systems

Isogenies in a quantum world

Elliptic Curve Discrete Logarithm Problem over Small Degree Extension Fields

Definition of a finite group

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Arithmétique et Cryptographie Asymétrique

The point decomposition problem in Jacobian varieties

ON THE ASYMPTOTIC EFFECTIVENESS OF WEIL DESCENT ATTACKS

A Dierential Power Analysis attack against the Miller's Algorithm

Elliptic Curves, Factorization, and Cryptography

GENERATORS OF JACOBIANS OF GENUS TWO CURVES

Evaluation Report on the ECDSA signature scheme

Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Optimal TNFS-secure pairings on elliptic curves with even embedding degree

Elliptic and Hyperelliptic Curve Cryptography

Recent Advances in Identity-based Encryption Pairing-free Constructions

Genus 2 Curves of p-rank 1 via CM method

Introduction to ECC. Nigel Smart. January 17, Nigel Smart Introduction to ECC Slide 1

Basic Algorithms in Number Theory

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

Introduction to Elliptic Curves

ECC mod 8^91+5. especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown, BlackBerry CFRG, Prague, 2017 July 18

Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms

An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves

The Discrete Logarithm Problem on the p-torsion Subgroup of Elliptic Curves

REMARKS ON THE NFS COMPLEXITY

Constructive and Destructive Facets of Weil Descent on Elliptic Curves

A Las Vegas algorithm to solve the elliptic curve discrete logarithm problem

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

The State of Elliptic Curve Cryptography

Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field

Computing Elliptic Curve Discrete Logarithms with the Negation Map

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

COMPRESSION FOR TRACE ZERO SUBGROUPS OF ELLIPTIC CURVES

Selecting Elliptic Curves for Cryptography Real World Issues

Summation polynomial algorithms for elliptic curves in characteristic two

Evaluating Large Degree Isogenies between Elliptic Curves

Project: Supersingular Curves and the Weil Pairing in Elliptic Curve Cryptography

arxiv: v1 [cs.cr] 6 Apr 2015

Fast, twist-secure elliptic curve cryptography from Q-curves

Pairings for Cryptography

Math/Mthe 418/818. Review Questions

Discrete logarithms: Recent progress (and open problems)

Transcription:

Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 1 / 18

Introduction The Discrete Logarithm Problem Definition Let G be a finite cyclic group with generator g. Given h G, the discrete logarithm problem (DLP) is to find x mod G with h = g x. Examples: For G = Z/nZ, the DLP is easy (modular inversion) For G = F q, number field sieve (q prime) and function field sieve (q = 2 n ) solve the DLP in subexponential time. What about G = Cl 0 (F )? Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 2 / 18

Introduction Is the DLP Hard in Cl 0 (F )? For function fields of genus 1 or 2 best-known attacks are generic (except for special cases). Thus, as hard as possible Cl 0 (F ) q g/2 operations. Consequence: can use small finite field (eg. elliptic curve F = F q with q 2 256 gives the same security as F p with p 2 3072 ) Two basic approaches to solving the DLP: 1 solve it in the given group (via generic or specific algorithm), 2 find an explicit isomorphism between the given group and a group with easier DLP (like Z/nZ). Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 3 / 18

Generic Methods Pollard-rho Generic Methods Obvious upper bound for group of order N is O(N). Generic algorithms (like Pollard-rho) yield a slightly better but still exponential run-time. Pollard-rho: expected run-time O( N) based on birthday paradox. Works for any group. Also Pollard-λ (kangaroo) variant, which makes use of upper and lower bounds on the discrete logarithm x. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 4 / 18

Generic Methods Pollard-rho Pollard-rho Given P, Q G, assume Q = xp. Construct a random walk in the group f : G G : Compute P 0 = a 0 P + b 0 Q for a 0, b 0 Z. Define a partition of G into sets S j (should be 20 sets) and M j = a j P + b j Q for fixed a j, b j Z. Set f (R) = R + M j if R S j. For i 1, define P i = f (P i 1 ). Note that if P i 1 = u i 1 P + v i 1 Q S j then P i = (u i 1 + a j )P + (v i 1 + b j )Q. Can maintain the (u i, v i ) modulo G. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 5 / 18

Generic Methods Pollard-rho Pollard-rho, cont. Compute and store the P i and (u i, v i ) until P i = P j for some i j. Then: u i P + v i Q = u j P + v j Q (u i u j )P = (v j v i )Q = (v j v i )xq. This implies u i u j x(v j v i ) (mod G ) and if gcd(v j v i, G ) = 1 we have x (u i u j )(v j v i ) 1 (mod G ). Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 6 / 18

Generic Methods Pollard-rho Improvements Low memory variant: only store (P i, P 2i ), compute until P i = P 2i. Only required to store 2 points on the curve. Parallelization: m processors yields speed-up of m Automorphisms: if G has an efficiently computable automorphism of order l, then we can speed up by a factor of l. Idea: perform random walk on equivalence classes with respect to the automorphism effectively reduces size of the group by a factor of l DLP requires O( G /l) operations. If G has such an automorphism, it must be chosen larger to compensate for this attack. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 7 / 18

Generic Methods Pohlig-Hellman Pohlig-Hellman Assume that G = m i=1 pe i i, p i distinct primes. Idea: solve the DLP modulo each p e i i, use CRT to compute x. run-time bounded by O((log G ) p max ) group operations where p max is the largest prime dividing G. Point is that G should be prime or almost prime to resist this attack. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 8 / 18

Generic Methods Pohlig-Hellman Pohlig-Hellman: Idea Let Q = xp and observe that x z 0 + z 1 p i + z 2 p 2 i + + z ei 1p e i 1 i (mod p e i i ). Compute z j given z 0,..., z j 1 by solving DLP in a subgroup of order p i. To compute z 0 : Solve the DLP for P 0 = ( G /p i )P and Q 0 = ( G /p i )Q. The order of P 0 and Q 0 in P is p i, so Q 0 = z 0 P 0 and we can compute z 0 in O( p i ) operations. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 9 / 18

Generic Methods Pohlig-Hellman Computing z 1 given z 0 Compute P 1 = G (Q z pi 2 0 P) and solve Q 1 = z 1 P 0 (order p i subgroup). Works because Q 1 = G p 2 i (Q z 0 P) = G pi 2 (x z 0 )P ( ) G = (x z 0 ) pi 2 P ( ) G = (z 0 + z 1 p i z 0 ) pi 2 P ( ) G = z 1 P p i = z 1 P 0. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 10 / 18

Generic Methods Pohlig-Hellman Computing z j given z 0,..., z j 1 Compute z j by solving Q j = z j P 0 (again in a group of order p i ) where In total: Q j = G ( = p j+1 i ( Q z 0 P z 1 p i P z 2 p 2 i P z j 1 p j 1 i x z 0 z 1 p i z 2 p 2 i z j 1 p j 1 i = (z j p j i ) G P = z j P 0. p j+1 i ) G P p j+1 i ) P must solve m i=1 e i log 2 G instances of DLPs complexity of each is bounded by O( p max ) where p max is the largest prime dividing G. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 11 / 18

Function Fields with Easier DLP Notation: Subexponential Function Notation: L x [α, β] = O(exp(β(log x) α (log log x) 1 α )). L x [0, β] = O(exp(β log log x)) = O(log β x) polynomial time L x [1, β] = O(x β ) exponential 0 < α < 1 subexponential Example (factoring N): self-initializing quadatic sieve: L N [1/2, 1] bit operations number field sieve: L N [1/3, 64/9] bit operations Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 12 / 18

Function Fields with Easier DLP Index Calculus Define a factor base FB = {p G p has some distinguishing property}. Idea: Want FB to generate all of G Want a significant portion of G to be efficiently expressed as linear combinations of elements in FB ( smooth with respect to FB). Apply Pollard-rho random walk, yielding P i = u i P + v i Q G. Find m = FB + c smooth P j = FB i=1 e ip i, and record v j = (e 1,..., e FB ). Solve M z T = 0 T where M = [ v 1 T... v M T ] Implies m j=1 z jp j = 0 : can solve for x after substituting P j = u j P + v j Q Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 13 / 18

Function Fields with Easier DLP Index Calculus: Running Time Can be faster than generic methods provided that: 1 can find a suitable factor base (high smoothness probability), 2 easy way to represent group elements over the factor base. Examples: Enge/Gaudry (2002): high-genus hyperelliptic curves with g log q): running time L N [1/2, β] Gaudry/Thomé/Thériault/Diem (2007): Õ(q 2 2/g ) (faster than Pollard-rho for g 3 as q ) Doesn t seem to work for genus 1 and 2 Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 14 / 18

Function Fields with Easier DLP Weil and Tate-Lichtenbaum Pairings If q has order k modulo G, then the DLP in Cl 0 (F q ) reduces to the DLP in F q k Menezes/Okamoto/Vanstone (1991, genus 1), Frey/Rück (1994, genus g hyperelliptic): complexity L q k [1/3, β], better than generic if k is small Eg. Tate-Lichtenbaum pairing: let G = n q 1 and E be an elliptic curve over F q such that E has a point of order n. Then τ n : E(F q )[n] E(F q )/ne(f q ) µ n F q k is a non-degenerate Galois-invariant bilinear pairing. Compute DLP x by computing τ n (P, P) and τ n (P, Q) = τ n (P, P) x, and solving DLP in F q k. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 15 / 18

Function Fields with Easier DLP Weil Descent Suppose E is a non-supersingular curve defined over a binary field F 2 m with m = dl. Frey (1998), Gaudry/Hess/Smart (2002): map the ECDLP to the DLP in a Jacobian variety of a curve of larger genus (usually d) defined over F 2 l. In some cases, can use subexponential discrete logarithm algorithms to solve DLP. J./Menezes/Stein (2001): E.g. for q = 2 155 = 2 5 31, can solve elliptic curve DLP by reducing to DLP on genus 31 hyperelliptic curve over F 2 5. Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 16 / 18

Function Fields with Easier DLP Other Attacks Anomalous Curves: If F = F p n and G = p, then G = Z + p DLP easily solved given an efficiently computable isomorphism Araki, Satoh, Semaev (1997): polynomial time for genus 1 Rück (1999): polynomial time for genus g Summation Polynomials: Semaev (2004): express P = P 1 +... P k algebraically, solve multivariate system of equations to find decompositions of points P Ongoing work, but does not (yet?) seem to be efficient in practice Low-degree C a,b curves Enge/Gaudry/Thomé (2011) : L q g [1/3, β] (heuristic) if n g α and d g 1 α for α [1/3, 2/3] Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 17 / 18

Function Fields with Easier DLP Summary DLP believed hard for groups that are: Avoid: large (Pollard-rho), prime-order (Pohlig-Hellman) Cl 0 (F ) of genus 1 or 2 hyperelliptic function fields (index-calculus) Anomolous curves: defined over F p n and G = p) MOV/Frey-Rück: small embedding degree (q k 1 (mod G ) for small k), including supersingular curves Weil descent: q = p m, m composite genus > 2 Mike Jacobson (University of Calgary) Discrete Logarithm Computation June 3, 2016 18 / 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback