0.8cm Discrete logarithms on elliptic curvesasilverb/CryptoDay_16_11_10_Slides/... · 3 Discrete...

Discrete logarithms on elliptic curves

Michiel Kosters (UC, Irvine)

November 10, 2016, Irvine

Contents

1: Discrete logarithms2: Elliptic curves3: Discrete logarithms on elliptic curves

1 Discrete logarithms

Diffie-Hellman protocol

Problem: How can two parties create a common secret withoutever meeting in person? This common secret can then be used as aprivate key to ensure safe communication.

Diffie-Hellman key exchange (DH): Publicly pick a cyclic groupG with generator g of order n. One hasG = {e = g0, g1, g2, . . . , gn−1}.

Diffie-Hellman protocol

Problem: How can two parties create a common secret withoutever meeting in person? This common secret can then be used as aprivate key to ensure safe communication.

Diffie-Hellman key exchange (DH): Publicly pick a cyclic groupG with generator g of order n. One hasG = {e = g0, g1, g2, . . . , gn−1}.

Diffie-Hellman protocol 2

Discrete logarithm problem (DLP): Let G be a cyclic groupwith generator g. Let h ∈ G. Find an x ∈ Z such that gx = h.

Weakness DH: If one can solve DLP in G, one can solve DH.

Diffie-Hellman protocol 2

Discrete logarithm problem (DLP): Let G be a cyclic groupwith generator g. Let h ∈ G. Find an x ∈ Z such that gx = h.

Weakness DH: If one can solve DLP in G, one can solve DH.

In practice

What group order to pick?

Pohlig-Hellman algorithm: One can translate DLP to DLP ingroups of prime order. First, one uses Chinese remainder theoremto reduce to prime power case. Then one uses a p-adic expansionand finds all the coefficients.

Main message: Use groups of large prime order.

What group order to pick?

Pohlig-Hellman algorithm: One can translate DLP to DLP ingroups of prime order. First, one uses Chinese remainder theoremto reduce to prime power case. Then one uses a p-adic expansionand finds all the coefficients.

Main message: Use groups of large prime order.

Generic algorithms

Let G = 〈g〉 be a cyclic group of size N . One can solve DLP usingthe following algorithms.

• trivial algorithm, O(N) group operations;• baby-step giant-step algorithm, O(

√N) group operations;

• Pollard’s ρ algorithm, O(√N) group operations.

All these algorithms are considered exponential time algorithms.But for specific groups, faster algorithms might exist. Hence it isimportant to pick a good group.

Generic algorithms

Let G = 〈g〉 be a cyclic group of size N . One can solve DLP usingthe following algorithms.

• trivial algorithm, O(N) group operations;• baby-step giant-step algorithm, O(

√N) group operations;

• Pollard’s ρ algorithm, O(√N) group operations.

All these algorithms are considered exponential time algorithms.But for specific groups, faster algorithms might exist. Hence it isimportant to pick a good group.

Which group to use?

• (Z/nZ,+);• cyclic subgroup of F∗q ;• cyclic subgroup of E(Fq), where E is an elliptic curve over Fq;• cyclic subgroups coming from hyperelliptic curves;• . . . .

Last talk today will probably motivate why E(Fq) is not a badchoice.

Which group to use?

• (Z/nZ,+);• cyclic subgroup of F∗q ;• cyclic subgroup of E(Fq), where E is an elliptic curve over Fq;• cyclic subgroups coming from hyperelliptic curves;• . . . .

Last talk today will probably motivate why E(Fq) is not a badchoice.

2 Elliptic curves

Definition elliptic curve

Let Fq be a finite field of cardinality q = pn. Fixa1, a2, a3, a4, a6 ∈ Fq. Consider the equation (Weierstrass form)

E : Y 2 + a1XY + a3Y = X3 + a2X2 + a4X + a6

We call such an equation an elliptic curve over Fq.

We set

E(Fq) = {(x, y) ∈ F2q : y2 + a1xy + a3y = x3 + a2x

2 + a4x+ a6} t {∞}.

If p 6= 2, 3, an elliptic curve can be written in an easier way:

E : Y 2 = X3 +AX +B.

E : Y 2 + a1XY + a3Y = X3 + a2X2 + a4X + a6

We set

2 + a4x+ a6} t {∞}.

E : Y 2 = X3 +AX +B.

E : Y 2 + a1XY + a3Y = X3 + a2X2 + a4X + a6

We set

2 + a4x+ a6} t {∞}.

E : Y 2 = X3 +AX +B.

Elliptic curve group law 1

Fact: E(Fq) is a finite abelian group with ∞ as identity element.

For (x1, y1) + (x2, y2) = (x3, y3) according to the following rules(Silverman, The Arithmetic of Elliptic Curves):

Fact: E(Fq) is a finite abelian group with ∞ as identity element.

For (x1, y1) + (x2, y2) = (x3, y3) according to the following rules(Silverman, The Arithmetic of Elliptic Curves):

It is hard to check that E(Fq) is a group directly this way(mathematicians show that E(Fq) is isomorphic to another group,the Picard group).

The fact that the group law has complicated formulas, makes thempartially insecure (bugs, different cases to consider etc.)! Somepeople use different models with better group laws.

It is hard to check that E(Fq) is a group directly this way(mathematicians show that E(Fq) is isomorphic to another group,the Picard group).

The fact that the group law has complicated formulas, makes thempartially insecure (bugs, different cases to consider etc.)! Somepeople use different models with better group laws.

Elliptic curves group law 3

Consider an elliptic curve over R. Addition is as follows:

For Fq, do the algebraic analogue!

Elliptic curves group law 3

Consider an elliptic curve over R. Addition is as follows:

For Fq, do the algebraic analogue!

Elliptic curve group structure

Theorem (Hasse).Let E/Fq be an elliptic curve. Then:

|#E(Fq)− (q + 1)| ≤ 2√q.

Furthermore, E(Fq) ∼= Z/mZ× Z/m′Z.

Elliptic curve group structure

Theorem (Hasse).Let E/Fq be an elliptic curve. Then:

|#E(Fq)− (q + 1)| ≤ 2√q.

Furthermore, E(Fq) ∼= Z/mZ× Z/m′Z.

3 Discrete logarithms onelliptic curves

Three regimes

The DLP over elliptic curves is called ECDLP (elliptic curvediscrete logarithm problem).

Suppose we want to use elliptic curves over Fq with q = pn for sayDiffie-Hellman. If we want to increase our group size, we must haveq →∞ by Hasse.

Four regimes:• {Fpi

: i = 1, 2, . . .} where pi is prime and goes to infinity;• {Fqi : i = 1, 2, . . .} where q is a fixed prime power;• {Fqni

: i = 1, 2, . . .} where n is fixed and qi →∞;• {Fp

: i = 1, 2, . . .} where both pi and ni go to ∞.

Different regimes have different types of attacks on ECDLP.

Three regimes

Four regimes:

• {Fpi: i = 1, 2, . . .} where pi is prime and goes to infinity;

• {Fqi : i = 1, 2, . . .} where q is a fixed prime power;• {Fqni

Three regimes

Four regimes:

• {Fpi: i = 1, 2, . . .} where pi is prime and goes to infinity;

• {Fqi : i = 1, 2, . . .} where q is a fixed prime power;• {Fqni

Attack using pairings 1

Theorem (Menezes-Okamoto-Vanstone 1993).Let E/Fq be an elliptic curve. Let P ∈ E(Fq) of prime order N .Let d be the smallest integer such that qd ≡ 1 (mod N). Assumethat gcd(q − 1, N) = 1. Then there is a polynomial-time algorithmthat reduces the ECDLP in 〈P 〉 to the DLP in F∗qd .

• DLP in F∗qd is fast: people have solved DLP in F∗36·509 !

• But, d is big, usually O(N), making it not so useful.• Some easy cases (supersingular): assume p ≥ 5 and

#E(Fp) = p+ 1. Then one has d = 2, so not safe!

Theorem (Menezes-Okamoto-Vanstone 1993).Let E/Fq be an elliptic curve. Let P ∈ E(Fq) of prime order N .Let d be the smallest integer such that qd ≡ 1 (mod N). Assumethat gcd(q − 1, N) = 1. Then there is a polynomial-time algorithmthat reduces the ECDLP in 〈P 〉 to the DLP in F∗qd .

• DLP in F∗qd is fast: people have solved DLP in F∗36·509 !

• But, d is big, usually O(N), making it not so useful.• Some easy cases (supersingular): assume p ≥ 5 and

#E(Fp) = p+ 1. Then one has d = 2, so not safe!

Sketch of attackLet Q ∈ 〈P 〉. Suppose we want to find Q = [m]P .One has a Weil pairing

e : E[N ](Fqd)× E[N ](Fqd)→ F∗qd .

One can find T ∈ E[N ](Fqd) such that e(P, T ) has order N .One then has

e(Q,T ) = e([m]P, T ) = e(P, T )m ∈ F∗qd .

So one can find m by solving DLP in F∗qd .

Anomalous curves

Theorem (Semaev, Satoh-Araki, Smart 1998).Let p ≥ 3 and let E/Fp be an elliptic curve satisfying #E(Fp) = p.Then one can solve ECDLP in E(Fp) efficiently.

Such a curve with E(Fp) = p is called anomalous.

Sketch of attackLift the DLP problem to a DLP problem of a curve E′ over Qp.Then use an ‘analytic’ logarithm map to compute the discretelogarithm.

Anomalous curves

Theorem (Semaev, Satoh-Araki, Smart 1998).Let p ≥ 3 and let E/Fp be an elliptic curve satisfying #E(Fp) = p.Then one can solve ECDLP in E(Fp) efficiently.

Such a curve with E(Fp) = p is called anomalous.

Sketch of attackLift the DLP problem to a DLP problem of a curve E′ over Qp.Then use an ‘analytic’ logarithm map to compute the discretelogarithm.

Elliptic curves over Qp

Theorem (K.-Pannekoek 2016).Let E/Qp be an elliptic curve given by a Weierstrass equation

Y 2 + a1XY + a3Y = X3 + a2X2 + a4X + a6,

with ai ∈ pZp for each i. One has E0(Qp) ∼=ZpZp, unless one is in

one of the four special cases:

(i) p = 2 and a1 + a3 ≡ 2 (mod 4);(ii) p = 3 and a2 ≡ 6 (mod 9);(iii) p = 5 and a4 ≡ 10 (mod 25);(iv) p = 7 and a6 ≡ 14 (mod 49).

In all special cases one has E0(Qp) ∼=Zp Zp × Z/pZ.

Isogenies

Suppose you want to solve DLP on E(Fq). Assume that ECDLPon E′(Fq) is easy and that we have an isogeny E′ → E. Then wecan lift our ECDLP problem to the easy one in E′(Fq). This wouldsolve our problem.

Solving ECDLP (simplified index calculus)

Given E/Fqn elliptic curve, P ∈ E(Fqn) and Q ∈ 〈P 〉.

Main steps for solving ECDLP (index calculus). First fix m ∈ Z≥2.

1. Factor base: Construct a factor base B ⊆ E(Fqn);2. Relation search (repeat about |B| times): pick a, b ∈ Z random

and write aP + bQ = b1 + . . .+ bm with bi ∈ B;3. Linear algebra: Use linear algebra on relations from 2 to find c

with Q = [c]P .

We must pick m, B. For example, the larger B, the harder thelinear algebra and the more relations we need, but it might beeasier to find relations.

One chooses these parameters based on the complexity of therelation search. Hence it is important to study this step.

Solving ECDLP (simplified index calculus)

Given E/Fqn elliptic curve, P ∈ E(Fqn) and Q ∈ 〈P 〉.

Main steps for solving ECDLP (index calculus). First fix m ∈ Z≥2.

1. Factor base: Construct a factor base B ⊆ E(Fqn);2. Relation search (repeat about |B| times): pick a, b ∈ Z random

and write aP + bQ = b1 + . . .+ bm with bi ∈ B;3. Linear algebra: Use linear algebra on relations from 2 to find c

with Q = [c]P .

We must pick m, B. For example, the larger B, the harder thelinear algebra and the more relations we need, but it might beeasier to find relations.

One chooses these parameters based on the complexity of therelation search. Hence it is important to study this step.

Summation polynomials 1

Usually, one takes a vector basis of the formB = {P ∈ E(Fqn) : x(P ) ∈ V }.

Theorem (Semaev 2004).Given r ∈ Z≥2, there exists Sr ∈ Fqn [X1, . . . , Xr] with the followingproperty. For b1, . . . , br ∈ Fqn one has Sr(b1, . . . , br) = 0 if andonly if there exist P1, . . . , Pr ∈ E(Fqn) with x(Pi) = bi such thatP1 + . . .+ Pr =∞.

Summation polynomials 2

b2 =a21 + 4a2,

b4 =a1a3 + 2a4,

b6 =a23 + 4a6,

b8 =a21a6 − a1a3a4 + a2a23 + 4a2a6 − a24.

Then one can put

S3 = (X21X

22 +X2

1X23 +X2

2X23 )− 2(X2

1X2X3 +X1X22X3 +X1X2X

− b2(X1X2X3)− b4(X1X2 +X1X3 +X2X3)− b6(X1 +X2 +X3)− b8,and for r ≥ 4 one sets

Sr = ResX (Sr−1(X1, . . . , Xr−2, X), S3(Xr−1, Xr, X)) .

Some positive results for some regimes

Heuristically using Grobner basis (Gaudry 2008): the case Fqn

where q →∞ and n fixed can be done in time O((qn)2/n−2/n2

).Later, a proof was given by Diem.

Theorem (Diem 2012).Let (qi)i∈Z≥0

, (ni)i∈Z≥0be sequences such that qi →∞, ni →∞

and ni/ log(qi)2 → 0 as i→∞. Then one can solve ECDLP on

E(Fqnii

) in expected time (qnii )o(1).

The result of Diem uses an algorithm of Rojas in the area of toricvarieties to solve the ‘decomposition of points’. The hardest part ofthe paper is to show that the decompositions behave as they areexpected to behave.

Some positive results for some regimes

Heuristically using Grobner basis (Gaudry 2008): the case Fqn

where q →∞ and n fixed can be done in time O((qn)2/n−2/n2

).Later, a proof was given by Diem.

Theorem (Diem 2012).Let (qi)i∈Z≥0

, (ni)i∈Z≥0be sequences such that qi →∞, ni →∞

and ni/ log(qi)2 → 0 as i→∞. Then one can solve ECDLP on

E(Fqnii

) in expected time (qnii )o(1).

The result of Diem uses an algorithm of Rojas in the area of toricvarieties to solve the ‘decomposition of points’. The hardest part ofthe paper is to show that the decompositions behave as they areexpected to behave.

Change of regime

Let us now focus on the case Fqn where q is small and fixed, andwe let n→∞. We will discuss the method of Weil-descent.

Let V be an Fq-subspace of Fqn and take as a factor base

B = {P ∈ E(Fqn) : x(P ) ∈ V }.

Change of regime

Let us now focus on the case Fqn where q is small and fixed, andwe let n→∞. We will discuss the method of Weil-descent.

Let V be an Fq-subspace of Fqn and take as a factor base

B = {P ∈ E(Fqn) : x(P ) ∈ V }.

Relation search

Suppose we want to decompose aP + bQ = b1 + . . .+ bm.

Set f =∏

v∈V (X − v) ∈ k[X].

Consider the following system in k[X1, . . . , Xm]:

F = {Sm+1(X1, . . . , Xm, x(aP + bQ)), f(X1), . . . , f(Xm)}.

Solving this system allows one to obtain relations: if the systemhas a solution, then one can try all corresponding points andobtain a possible decomposition (often one finds decompositionsover bigger fields).

Problems when using generic Grobner basis algorithm:

1. f(Xi) has high degree;2. Sm+1 has high degree and is hard to compute.

Relation search

Suppose we want to decompose aP + bQ = b1 + . . .+ bm.

Set f =∏

v∈V (X − v) ∈ k[X].

Consider the following system in k[X1, . . . , Xm]:

F = {Sm+1(X1, . . . , Xm, x(aP + bQ)), f(X1), . . . , f(Xm)}.

Solving this system allows one to obtain relations: if the systemhas a solution, then one can try all corresponding points andobtain a possible decomposition (often one finds decompositionsover bigger fields).

Problems when using generic Grobner basis algorithm:1. f(Xi) has high degree;2. Sm+1 has high degree and is hard to compute.

Weil descent

We have F ⊂ Fqn [X1, . . . , Xm]. Using Weil descent we canconstruct a system

F ′ ⊆ Fq[Xij : i = 1, . . . ,m, j = 1, . . . , n] = S.

such that solutions of F ′ over Fq correspond to solutions of F overk. After Weil descent, the f(Xi) become linear polynomials.

Construction of Weil descent of one polynomialg ∈ Fqn [X1, . . . , Xm]:

• Fix basis α1, . . . , αn of Fqn/Fq and substituteXi =

∑nj=1 αjXij

• Write

g(X1, . . . , Xm) =

n∑i=1

[g]iαi

where [g]i ∈ S (and we reduce modulo Xqij −Xij).

The set {[g]1, . . . , [g]n} is the Weil descent of {g}.

Weil descent

We have F ⊂ Fqn [X1, . . . , Xm]. Using Weil descent we canconstruct a system

F ′ ⊆ Fq[Xij : i = 1, . . . ,m, j = 1, . . . , n] = S.

such that solutions of F ′ over Fq correspond to solutions of F overk. After Weil descent, the f(Xi) become linear polynomials.

Construction of Weil descent of one polynomialg ∈ Fqn [X1, . . . , Xm]:

• Fix basis α1, . . . , αn of Fqn/Fq and substituteXi =

∑nj=1 αjXij

• Write

g(X1, . . . , Xm) =

n∑i=1

[g]iαi

where [g]i ∈ S (and we reduce modulo Xqij −Xij).

The set {[g]1, . . . , [g]n} is the Weil descent of {g}.

Example of Weil descent

Consider S = S3(X,Y, x(P )) for some specific curve F24 . Onespecific Weil descent looks like (with some vector spaceconstraints):

[S]1 =X2X4 +X2 +X3 + 1,

[S]2 =X2X4 +X1 +X3 + 1,

[S]3 =X2X3 +X1X4 +X2X4 +X1 +X2 +X3 +X4 + 1,

[S]4 =X1X3 +X2X3 +X1X4 +X1 +X2 +X3 +X4.

Splitting trick

2015 (Semaev, Karabina, Huang–Petit–Shinohara–Takagi, Yeo):Instead of considering the system F which involves Sm+1, one canintroduce a system with more variables which only involve (many)S3 polynomials and the f(Xi) - one essentially removes the Res inmaking Sr.

Idea: P1 + P2 + P3 + P4 =∞ is almost the same as:

P1 + P2 +Q1 =∞−Q1 + P3 + P4 =∞.

So instead of {S4(X1, X2, X3, X4)} one can consider{S3(X1, X2, Y1), S3(Y1, X3, X4)}, where Y1 is unrestricted (nosubspace constraints). One can easily generalize this for r > 4.

Splitting trick

2015 (Semaev, Karabina, Huang–Petit–Shinohara–Takagi, Yeo):Instead of considering the system F which involves Sm+1, one canintroduce a system with more variables which only involve (many)S3 polynomials and the f(Xi) - one essentially removes the Res inmaking Sr.

Idea: P1 + P2 + P3 + P4 =∞ is almost the same as:

P1 + P2 +Q1 =∞−Q1 + P3 + P4 =∞.

So instead of {S4(X1, X2, X3, X4)} one can consider{S3(X1, X2, Y1), S3(Y1, X3, X4)}, where Y1 is unrestricted (nosubspace constraints). One can easily generalize this for r > 4.

Weil descent and splitting trick

If one combines Weil descent and the splitting trick, one obtains asystem F ′′ of low degree, but with a lot of variables.

One can easily write down this system and give it to a computer tosolve the system!

A very very brief introduction to Grobner basis

Let k be a field and let G = {g1, . . . , gt} ⊂ k[X1, . . . , Xs] = R andlet I be the ideal generated by G. Put a monomial order ≤ on R.

A Grobner basis for G with respect to ≤ is a finite subset of I suchthat the leading term ideal generated by this set is the same as theone of I.

Facts:

• a Grobner basis can be computed using Buchberger’salgorithm (or F4, F5);

• Grobner bases have many practical applications (solvingpolynomial systems, ideal membership, . . . );

The complexity of solving a system using Grobner basis algorithmsdepends on the so-called degree of regularity of the system(maximal degree seen in computation using the degrevlex order).

First fall degree assumption

From now on: q = 2.

Definition.Let G = {g1, . . . , gt} ⊂ F2n [X1, . . . , Xs] = R. The first fall degreedff of G is the smallest d such that there exist h1, . . . , ht ∈ R withmaxi(deg(higi)) = d and 0 ≤ deg(

∑i higi) < d.

Conjecture (Petit–Quisquater 2012, Semaev 2015,(Karabina 2015),. . . ).The degree of regularity of F ′ (respectively F ′′) is ‘close’ to the firstfall degree of F ′ (respectively F ′′).

This conjecture leads to sub-exponential algorithms for ECDLPsince the first fall degree can be bounded!

First fall degree assumption

From now on: q = 2.

Definition.Let G = {g1, . . . , gt} ⊂ F2n [X1, . . . , Xs] = R. The first fall degreedff of G is the smallest d such that there exist h1, . . . , ht ∈ R withmaxi(deg(higi)) = d and 0 ≤ deg(

∑i higi) < d.

Conjecture (Petit–Quisquater 2012, Semaev 2015,(Karabina 2015),. . . ).The degree of regularity of F ′ (respectively F ′′) is ‘close’ to the firstfall degree of F ′ (respectively F ′′).

This conjecture leads to sub-exponential algorithms for ECDLPsince the first fall degree can be bounded!

Problems with first fall degree conjecture 0

• The notion of first fall degree does not behave very well undercertain operations and the definition feels a bit artificial.

• It is unclear in which generality the first fall degree conjectureshould hold and it unclear what close would really mean. Whyonly for F2n?

• Artificial problem: Grobner basis algorithms in Magma are notopen source, and it is hard to read off the first fall degree!Hence, not enough experiments have been done.

Let l be a finite field. Set (a1, a2, a3, a4, a6) = (0, 0, 0, 0, 0) (thisgives a singular curve).For the corresponding summation polynomial one has: forx1, . . . , xr ∈ l∗ one has Sr(1/x21, . . . , 1/x

2r) = 0 iff there is a solution

to ±x1 ± . . .± xr = 0.Assume char(l) 6= 2. The latter is equivalent to checking if there isa subset of {x1, . . . , xr} summing to x1+...+xr

Theorem (Folklore).Fix a prime p ≥ 3. Given a subset S of G = (Z/pZ)n and t ∈ G, itis NP-complete to determine if there is a subset of S summing to t.

It is NP-complete to check if Sr(1/x21, . . . , 1/x2r) is 0 or not, and

one can do this if one can solve systems similar to F ′ and F ′′. Forthe system F ′′ with certain first fall degree conjectures, this wouldlead to P = NP.

Consider the system F ′ (or F ′′) when m = 2: this is the Weildescent of S3(X1, X2, x) together with subspace constraints(n′ = n/2).Previously:

n First fall degree Degree of regularity Random12 ≤ 4 3 416 ≤ 4 3 518 ≤ 4 4 520 ≤ 4 4 524 ≤ 4 4 630 ≤ 4 4 –40 ≤ 4 expected : 4 –

Consider the system F ′ (or F ′′) when m = 2: this is the Weildescent of S3(X1, X2, x) together with subspace constraints(n′ = n/2).Now:

n First fall degree Degree of regularity Random12 2 3 416 2 3 518 2 4 520 2 4 524 2 4 630 2 4 –40 2 5 –

The gap between the degree of regularity and the first fall degreeseems to increase: doubt on sub-exponential estimates.

Example of fall degree

Consider S = S3(X,Y, x(P )) for some specific curve F24 . Undersome basis one has (including subspace constraints):

[S]1 =X2X4 +X2 +X3 + 1,

[S]2 =X2X4 +X1 +X3 + 1,

[S]3 =X2X3 +X1X4 +X2X4 +X1 +X2 +X3 +X4 + 1,

[S]4 =X1X3 +X2X3 +X1X4 +X1 +X2 +X3 +X4.

One has:

[S]1 + [S]2 = X1 +X2.

First fall degree is 2.

Example of fall degree

Consider S = S3(X,Y, x(P )) for some specific curve F24 . Undersome basis one has (including subspace constraints):

[S]1 =X2X4 +X2 +X3 + 1,

[S]2 =X2X4 +X1 +X3 + 1,

[S]3 =X2X3 +X1X4 +X2X4 +X1 +X2 +X3 +X4 + 1,

[S]4 =X1X3 +X2X3 +X1X4 +X1 +X2 +X3 +X4.

One has:

[S]1 + [S]2 = X1 +X2.

First fall degree is 2.

Explaining first fall degree 1Using CFT:

Theorem (Lenstra-K. 2013).Let E/F2n be an elliptic curve given byY 2 + a1XY + a3Y = X3 + a2X

2 + a4X + a6. Assume that E isordinary (a1 6= 0). Then we have a surjective group morphism

E(F2n) → F2

∞ 7→ 0

P 7→ TrF2n/F2

(x(P ) + a2

)with kernel 2E(F2n).

It is a morphism: if P1 + P2 + P3 =∞, then we getx1 + x2 + x3 = λ2 + a1λ+ a2 and this gives

x1 + a2a21

+x2 + a2a21

+x3 + a2a21

Explaining first fall degree 1Using CFT:

Theorem (Lenstra-K. 2013).Let E/F2n be an elliptic curve given byY 2 + a1XY + a3Y = X3 + a2X

2 + a4X + a6. Assume that E isordinary (a1 6= 0). Then we have a surjective group morphism

E(F2n) → F2

∞ 7→ 0

P 7→ TrF2n/F2

(x(P ) + a2

)with kernel 2E(F2n).

It is a morphism: if P1 + P2 + P3 =∞, then we getx1 + x2 + x3 = λ2 + a1λ+ a2 and this gives

x1 + a2a21

+x2 + a2a21

+x3 + a2a21

Explaining first fall degree 2

Corollary (K.-Yeo 2014).Assume that E is ordinary. Let P ∈ E(F2n) \ E(F2n)[2] and setT = S3(X1, X2, x(P )) ∈ F2n [X1, X2]. Set b = a1(a1x(P ) + a3) ∈ k∗.Let α1, . . . , αn be a basis of F2n over F2. Then one has∑

TrF2n/F2

)[T ]j =TrF2n/F2

(x(P ) + a2

n∑j=1

TrF2n/F2

)· (X1j +X2j) .

The [T ]j have usually degree 2, whereas the right hand side isusually of degree 1: degree fall.

Big question

How does the degree of regularity grow as a function of the variousparameters for the systems F ′ and F ′′? It seems to grow slowerthan random similar systems. If slow enough, this approach givesgood algorithms for ECDLP.

Currently, we do not understand the situation. Estimating thecomplexity of a Grobner basis algorithm in general is very hard. Italso seems to be too hard to do experiments at the moment. Newideas are needed!

Big question

How does the degree of regularity grow as a function of the variousparameters for the systems F ′ and F ′′? It seems to grow slowerthan random similar systems. If slow enough, this approach givesgood algorithms for ECDLP.

Currently, we do not understand the situation. Estimating thecomplexity of a Grobner basis algorithm in general is very hard. Italso seems to be too hard to do experiments at the moment. Newideas are needed!

One slide about prime fields

What about E(Fp)?

(K.-Petit, 2015) One can construct systems similar to Weil descentif p− 1 is smooth. The systems unfortunately seem to be hard tosolve.

It seems that E(Fp) is still completely safe from any practical pointof view.

One slide about prime fields

What about E(Fp)?

(K.-Petit, 2015) One can construct systems similar to Weil descentif p− 1 is smooth. The systems unfortunately seem to be hard tosolve.

It seems that E(Fp) is still completely safe from any practical pointof view.

Thanks for your attention.

0.8cm Discrete logarithms on elliptic curvesasilverb/CryptoDay_16_11_10_Slides/... · 3 Discrete...

Documents

Transcript of 0.8cm Discrete logarithms on elliptic curvesasilverb/CryptoDay_16_11_10_Slides/... · 3 Discrete...