Reductions of Problems related to Discrete Logarithms · PDF fileI Use DH-oracle and square...

The ProblemsElliptic Curves

ReductionsPairings and inversion

Reductions of Problems related to DiscreteLogarithms

Frederik VercauterenESAT/COSIC - K.U. Leuven

Frederik Vercauteren ESAT/COSIC - K.U. Leuven Reductions of Problems related to Discrete Logarithms



The Problems

Elliptic Curves

Reductions

Pairings and inversion




Outline

The Problems

Elliptic Curves

Reductions





DLP, CDH & DDH

I Let (G, ·) be a finite cyclic group G = 〈g〉 of order |G|I Discrete Logarithm Problem (DLP) :

Given h ∈ G find x with h = gx (DLP(g,h) → x)

I Computational Diffie-Hellman Problem (CDH) :Given a = gx and b = gy find c = gxy (CDH(g,a,b) → c).

I Decisional Diffie-Hellman Problem (DDH) :Given a = gx , b = gy and c = gz , determine if

gxy = gz or equivalently xy ≡ z mod |G|

(DDH(g,a,b, c) → true/false)




DLP & CRT

I Mostly called Pohlig-Hellman algorithm . . .I Let |G| =

∏ri=0 pei

i , then can compute DLP using CRT byprojection onto subgroups of order pi

I If h = gx , the can compute xi,0 ≡ x mod pi by solving

h|G|/pi =(

g|G|/pi)xi,0

I Write x ≡∑ei

j=0 xi,jpji mod pei

i , then can compute xi,k via

(h · g−(xi,0+···+xi,k−1pk−1

i ))|G|/pk+1

i=

(g|G|/pi

)xi,k




DLP & CRT

I DLP in subgroups of order pi via exhaustive searchI Complexity then is in group operations

O(∑

ei(log |G|+ pi))

I If G is B-smooth, i.e. all pi ≤ B then

O(log |G|2 +B

log Blog |G|)

I If |G| is smooth, then DLP is easy




Reductions

I Let A and B be two computational problems. Then A issaid to polytime reduce to B, written A ≤P B if

I There is an algorithm which solves A using an algorithmwhich solves B.

I This algorithm runs in polynomial time if the algorithm for Bdoes.

I Assume we have an oracle (or efficient algorithm) to solveproblem B.

I We then use this oracle to give an efficient algorithm forproblem A.




Trivial Reduction I: CDH ≤P DLP

I Given gx and gy we wish to find gxy .I First compute y = DLP(g,gy ) using the oracle.I Then compute (gx)y = gxy .I So CDH is no harder than DLP, i.e. CDH ≤P DLP.




Trivial Reduction II: DDH ≤P CDH

I Given elements gx , gy and gz , determine if gz = gxy .I Using the oracle to solve CDH, compute

gxy = CDH(g,gx ,gy ).

I Then check whether gxy = gz .I So DDH is no harder than CDH, i.e. DDH ≤P CDH.




Trivial Reduction III: I-DHP ≤P CDH

I-DHP: given g,gx compute gx−1, where x−1 is computed

modulo |G|.I I-DHP ≤P CDH with log2 n DH-calls:I Recall: x−1 ≡ xϕ(|G|)−1 mod |G|I Use DH-oracle and square and multiplyI CDH(g,gx ,gx) = gx2

and CDH(g,gxs,gx t

) = gxs+t

Alternatively:I I-DHP ≤P CDH with one DH call:I Let h = gx , then g = hx−1

, so

DHP(h,g,g) = hx−1·x−1= gx−1




Reductions: DLP ≤P CDH

I Assume first that |G| = q a prime.I Implicit representations (i.e. computing in exponent):

Explicit Implicitx gx

y gy

x + y mod q gx · gy

x · y mod q CDH(g,gx ,gy )

I CDH-oracle enables us to compute implicitly over Fq,+, ·or an algebraic group H defined over Fq.




Crazy idea I: DLP ≤P CDH by den Boer

I Assume that q − 1 is smooth, so DLP in F∗q is easy

I Since x is determined modulo q, we can write

x ≡ αs mod q

for α a generator modulo qI Goal: compute s instead of xI Using Pohlig-Hellman + exhaustive search in the exponentI Limitation: q − 1 smooth




Crazy idea II: DLP ≤P CDH by Maurer-Wolf

I den Boer: only one choice F∗q for each q

I Maurer-Wolf: DH-oracle combined with other auxiliarygroups H over Fq

I Works as long as x or x + e for some known e can be usedas “coordinate” of element in H (strongly algebraic group)

I Embed x in element β of HI Compute log s of β wrt known generator α ∈ HI Recover β and thus x by computing αs




Outline

The Problems

Elliptic Curves

Reductions





Elliptic Curves

I Let Fq,+, · be a finite field with q > 3 a large prime.I Elliptic curve E over field Fq is defined by

y2 = x3 + ax + b a,b ∈ Fq

I The set of Fq-rational points E(Fq) is defined as

E(Fq) = {(x , y) ∈ Fq × Fq | y2 = x3 + ax + b} ∪ {O}

I O is called point at infinity

There exists an addition law on E and the set E(Fq) is a group




Addition Law on Elliptic Curves

−6 −4 −2 0 2 4 6

−4

−2

0

2

4

P ⊕ Q

QP

R

L′

L

−6 −4 −2 0 2 4 6

−4

−2

0

2

4

2P

P

L′

L

R

Adding two points Doubling a pointy2 = x3 − 7x + 6




Addition Law on Elliptic CurvesBy definition: three points on a line sum to zero!

Let P1 ⊕ P2 = P3, with Pi = (xi , yi) ∈ EI If x1 = x2 and y1 + y2 = 0, then P1 ⊕ P2 = O,I Else

x1 6= x2

{λ = (y2 − y1)/(x2 − x1)ν = (y1x2 − y2x1)/(x2 − x1)

x1 = x2

{λ = (3x2

1 + a)/2y1

ν = (−x31 + ax1 + 2b)/2y1

The point P3 = P1 ⊕ P2 is given by

x3 = λ2 − x1 − x2

y3 = −λx3 − ν




Elliptic Curves over Finite Fields

��

�

�

�

�

�

�

�

�

��

��

��

��

��

��

��

��

��

��

��

��

��

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

The elliptic curve y2 = x3 + x + 3 mod23




Number of Points on Elliptic Curve

I With probability 1/2 we have x3 + ax + b is square in Fq, ·and then 2 solutions.

I Expect to find roughly p solutions . . .I Theorem (Hasse):

#E(Fq) = q + 1− t with |t | ≤ 2√

p .

I Ruck: for every n ∈ [q + 1− 2√

q,q + 1 + 2√

q] existscyclic elliptic curve over Fq of order n




Outline

The Problems

Elliptic Curves

Reductions





Crazy idea II: DLP ≤P CDH by Maurer-Wolf

I Auxiliary group = elliptic curveI Find E/Fq with |E(Fq)| smooth and E(Fq) cyclicI Let E(Fq) = 〈P〉 with P = (u, v)

I By calling DH-oracle, find e such that

R = (x + e)3 + a(x + e) + b

is square in F∗q

I Can be tested by computing R(q−1)/2 in exponentI Construct point Q = (x + e, y) in implicit representationI Compute dlog s of Q wrt P in implicit representationI Recover Q by computing [s]P and thus x + e = x(Q)




Reductions: DLP ≤P CDH by Maurer-Wolf

I Let G be finite cyclic group with |G| = qI Given elliptic curve E(Fq) with B-smooth |E(Fq)|, i.e. all

prime factors pi | |E(Fq)| are pi < B.I Given a DH oracle for G, then can compute DLP in G using

I O( (log q)2

log B ) calls to the DH oracle for G

I O( Blog B (log q)2) field operations in Fq





I To obtain polynomial equivalence, need curve with verysmooth order

I Let ν(q) be minimum of largest prime factor of all integersn in the interval

[q + 1− 2√

q,q + 1 + 2√

q]

I Ruck: exists elliptic curve E/Fq with |E(Fq)| ν(q)-smoothI Not much is known about smoothness in short intervalsI However: for every u, number of n1/u smooth integers < n

nu(1+o(u))u





I Smoothness assumption: ν(q) is log(q)O(1)

I Conclusion: for all groups G of prime order q, there existsan elliptic curve E/Fq such that DLP ≤P CDH

I Practice: not really need polynomial time equivalence,weaker result is already sufficient

I Idea: DLP well studied problem, so complexity wellunderstood

I Example: DLP in E/Fp prime order q requires O(√

q)




Hardness of EC-CDH

I Maurer-Wolf implies CDLP ≤ NDH · CCDH + NMuls, thus

CCDH ≥ CDLP − NMuls

NDH

I Given auxiliary curve E ′/Fq with |E ′(Fq)| = p1p2p3 andpi ' q1/3, then best algorithm to solve CDH takes

O(

√q

(log q)2 )




Outline

The Problems

Elliptic Curves

Reductions





Reductions: CDH ≤P DDH?

I Computational Diffie-Hellman Problem (CDH) :Given a = gx and b = gy find c = gxy (CDH(g,a,b) → c).

I Decisional Diffie-Hellman Problem (DDH) :Given a = gx , b = gy and c = gz , determine if

gxy = gz or equivalently xy ≡ z mod |G|

(DDH(g,a,b, c) → true/false)I Already shown that DDH ≤P CDHI Can we prove that CDH ≤P DDH?




Reductions: CDH ≤P DDH?

I No, since exist groups where DDH is easy, but not CDHI Take E/Fq supersingular elliptic curve and r | |E(Fq)|, then

exists bilinear map (aka pairing)

e : E(Fq)[r ]× E(Fq)[r ] → µr : (P,Q) 7→ e(P,Q)

I Can prove that µr ⊂ Fq6 and map can be computed inpolynomial time

I To solve DDH in E(Fq)[r ] given (P, xP, yP, zP) simply

e(P, zP) = e(xP, yP)




Pairing Inversion

I Suppose need to solve CDH in E(Fq)[r ], i.e. given xP, yPcompute xyP

I Using pairing, compute e(P,P)xy = solution to CDH but inwrong group!

I If efficiently computable isomorphism φ : µr → E(Fq)[r ]exists, with φ(e(P,P)) = P, then φ(e(xP, yP)) = xyP

I Inverse of isomorphisms e(·,P) or e(P, ·)I How hard is pairing inversion?




Pairing Inversion

I Satoh: hardness result for polynomial expressionsI Let E be an ordinary elliptic curve over Fp, with r |E(Fp)

I Given any isomorphism φ : µr → E(Fp)[r ], the polynomialP ∈ Fp[z] with

P(γ) = x(φ(γ)) for γ ∈ µr \ {1}

satisfies:I deg P = (r − 1)/5 (always)I for 58% of pairs (E , r), none of the coefficients of P

vanishes




Pairing Inversion

I Pairings can have extremely simple form.I Let E : y2 = x3 + 4 over Fp with p = 41761713112311845269, then

t = −1, r = 715827883, k = 31 and D = −3.I Let y − λ(Q)x − ν(Q) with λ = 3x2

Q/(2yQ) andν = (−x3

Q + 8)/(2yQ) be the tangent at Q.I The function

(Q,P) 7→(yP − λ(Q)xP − ν(Q)

)(pk−1)/r

defines a non-degenerate pairing on G2 ×G1.I Pairing inversion = inverting exponentiation (pk − 1)/r




Hidden Root Problem

I Let Fq be a finite field and x ∈ Fq secretI Fix n a positive integer with n|(q − 1)

I Oracle: input (a,b) ∈ F2q returns

ξa,b = (ax + b)n

I Goal: recover x by querying oracleI Let s = (q − 1)/n, then for each query obtain log2 s bits

informationI After roughly logs q queries, unique solution xI Example: Legendre symbol n = (q − 1)/2 and s = 2




Hidden Root Problem over Extension Fields

I Let q = pk for prime some prime p and k > 1I Fix representation Fpk = Fp[θ]/(f (θ)) where f ∈ Fp[x ] is an

irreducible polynomial of degree kI Consider the map

ψ : Fpk → (Fp)k : a =k−1∑i=0

aiθi 7→ [a0, . . . ,ak−1]

I Since p-th powering linear operation, can easily computematrix F such that ψ(ap) = Fψ(a)t





I Write exponent n as n =∑k−1

i=0 cipi −∑k−1

i=0 dipi whereci ,di ∈ N≥0.

I Each equation ξa,b = (ax + b)n then leads to

k−1∏i=0

(apixpi

+ bpi)ci = ξa,b

k−1∏i=0

(apixpi

+ bpi)di .

I System of k non-linear equations in k unknowns of degree

D = max{k−1∑i=0

ci ,

k−1∑i=0

di}





I Can be solved in time (D + k

D

)ω

with ω ≤ 3 time for matrix multiplication exponent.I For tiny D this is doable in practiceI Very few n have tiny DI Crucial observation: no need to work with n itself, can also

use a multiple of n (but not of pk − 1)





I Howto automagically find best multiple of n?I Consider lattice L ⊂ Zk spanned by the rows

L :=

n 0 0 · · · 0−p 1 0 · · · 0−p2 0 1 · · · 0

......

. . .−pk−1 0 . . . 0 1

.

I V ∈ L corresponds to multiple < V , [1,p, · · · ,pk−1] >

I Shortest vector in L gives best possible multiple





I Algorithm works well for all divisors of (pk − 1)/Φk (p)

I Φk is k -th cyclotomic polynomialI Unfortunately, does not include exponent appearing in

extremely simple pairingI Possible to define pairing of the form

e : G2 ×G1 → µr : (Q,P) 7→ fS,Q(P)(pk−1)/Φk (p)

but then function fS,Q too complicated (roughly degree r )




Conclusions

I Maurer-Wolf: CDH ≡P DLP when given good auxiliaryelliptic curves

I Practice: obtain bounds on hardness of CDH using easy tofind curves

I DDH <P CDH in groups with bilinear pairingI Pairing inversion would give easy CDH and thus DLPI So far: only negative results . . .


Reductions of Problems related to Discrete Logarithms · PDF fileI Use DH-oracle and square...

Documents

Transcript of Reductions of Problems related to Discrete Logarithms · PDF fileI Use DH-oracle and square...