Curves, Codes, and Cryptography Copyright C 2011 by Christiane Peters
Total Page:16
File Type:pdf, Size:1020Kb
Curves, Codes, and Cryptography Copyright c 2011 by Christiane Peters. Printed by Printservice Technische Universiteit Eindhoven. Cover: Starfish found in Bouldin Creek, Austin, Texas. Fossils originate from the late Cretaceous, about 85 million years ago. Picture taken by Laura Hitt O’Connor at the Texas Natural Science Center, Austin, Texas. Design in cooperation with Verspaget & Bruinink. CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN Peters, Christiane Curves, Codes, and Cryptography / by Christiane Peters. – Eindhoven: Technische Universiteit Eindhoven, 2011. Proefschrift. – ISBN 978-90-386-2476-1 NUR 919 Subject heading: Cryptology 2000 Mathematics Subject Classification: 94A60, 11Y16, 11T71 Curves, Codes, and Cryptography PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Technische Universiteit Eindhoven, op gezag van de rector magnificus, prof.dr.ir. C.J. van Duijn, voor een commissie aangewezen door het College voor Promoties in het openbaar te verdedigen op dinsdag 10 mei 2011 om 16.00 uur door Christiane Pascale Peters geboren te Paderborn, Duitsland Dit proefschrift is goedgekeurd door de promotoren: prof.dr. T. Lange en prof.dr. D.J. Bernstein Fur¨ meine Eltern Angelika und Jurgen¨ Peters Thanks I would like to thank many people for their support and company during my Ph.D. studies. First of all, I am most grateful to my supervisors Tanja Lange and Daniel J. Bernstein. I thank Tanja for giving me the opportunity to come to Eindhoven to do research and to get to know the (crypto) world. I thank Tanja and Dan for letting me participate in great projects such as working on Edwards curves in cryptographic and number-theoretic settings, and for helping me find my way into the world of code-based cryptography. I am grateful for their patience and never-ending support. I highly value their many comments and sug- gestions on papers, proposals, and, of course, on my thesis. I very much enjoyed our discussions, the sessions with Dan as our “marketing department”, and especially their hospitality at both their homes in Utrecht and Chicago. I want to express my gratitude to Arjeh Cohen, Nicolas Sendrier, Paul Zimmermann, Andries Brouwer, Henk van Tilborg, and Johannes Buchmann for agreeing to serve on my Ph.D. committee and for reading this manuscript and giving many valuable comments. I also thank Relinde Jurrius, Peter Schwabe, and Henk van Tilborg for careful proofreading and many comments on this thesis. A big thanks also to Jan-Willem Knopper for his LaTex support. I want to thank my co-authors Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange, Ruben Niederhagen, Peter Schwabe, and Henk van Tilborg for their fruitful collaboration. I am very grateful for getting the opportunity to go on several research visits. I very much enjoyed the discussions at INRIA Nancy with the (former) CACAO team and in particular with Paul Zimmermann who encouraged me to look into Suyama constructions for Edwards curves leading to the beautiful and highly efficient twisted Edwards curves. I thank David Lubicz and Emmanuel Mayer for inviting me to Rennes for lecturing on Edwards curves and a hiking tour to Mont St Michel. I want to thank Nicolas Sendrier for the invitation to INRIA Rocquencourt to discuss information-set-decoding bounds and the FSB hash function. I thank Johannes Buchmann and Pierre-Louis Cayrel for inviting me to Darmstadt for interesting and motivating discussions. I am very glad that I got to know Laura Hitt O’Connor with whom I had a great time during her stay in Eindhoven in February 2008 and during the ECC conferences. I am very grateful that she found the time to take starfish pictures for me. vii viii I had a great time in Eindhoven and I am going to miss many people here. The coding and cryptology group at TU/e was like a second family for me. After all the travelling I always looked forward to joining the next tea break to catch up with the wonderful people working here. Henk van Tilborg is the heart of the group. I am almost glad that I will leave before he does because I cannot imagine being at TU/e without having Henk around for a chat, a heated discussion, or a bike ride along the Boschdijk after work. I would like to thank him for all his support and help. Unfortunately, I had to see Anita Klooster leave our group. I am still touched by her trying to protect me from everything she thought could do any harm to me. It was always a pleasure dropping by her office. I thank Rianne van Lieshout for taking over from Anita. I very much enjoyed the many chats I had with her. I would like to thank Peter Birkner, Ga¨etan Bisson, Dion Boesten, Mayla Brus`o, Elisa Costante, Yael Fleischmann, ¸Ci¸cek Guven,¨ Maxim Hendriks, Sebastiaan de Hoogh, Tanya Ignatenko, Ellen Jochemsz, Relinde Jurrius, Mehmet Kiraz, Jan- Willem Knopper, Mikkel Kroigaard, Peter van Liesdonk, Michael Naehrig, Ruben Niederhagen, Jan-Jaap Osterwijk, Jing Pan, Bruno Pontes Soares Rocha, Reza Reza- eian Farashahi, Peter Schwabe, Andrey Sidorenko, Antonino Simone, Daniel Triv- ellato, Meilof Veeningen, Rikko Verrijzer, Jos´eVillegas, and Shona Yu for their company. In particular, I want to thank my “Ph.D. siblings” Peter, Ga¨etan, and Michael for a great time, especially when travelling together. When being “at home” I very much enjoyed the company of my island mates Peter and Sebastiaan. I also enjoyed the conversations with many other people on the 9th and 10th floor, espe- cially Bram van Asch, Jolande Matthijsse, and Nicolas Zannone. I am very happy having found great friends in Eindhoven. Let me mention ¸Ci¸cek and Tanır, Carmen and Iman, Mayla and Antonino, Shona, Peter vL, Jeroen and Bianca, my “German” connection Daniela, Andreas, Matthias, Stephan, Trea and Christoph, and my “sportmaatjes” Siebe, Ruth, and Marrit. I also want to thank my faithful friends from Paderborn and Bielefeld, Annika, Birthe, Imke, Jonas, Julia, Peter, and Tommy, who all found the way to Eindhoven. Finally, I want to thank my parents and my brother Thomas for their love, encour- agement, and endless support. Contents Introduction 1 I Elliptic-curve cryptography using Edwards curves 7 1 Edwards curves and twisted Edwards curves 9 1.1 Preliminaries . 10 1.1.1 Theclock ............................. 10 1.1.2 Edwardscurves .......................... 11 1.2 TwistedEdwardscurves . .. .. .. .. 13 1.2.1 Introduction of twisted Edwards curves . 13 1.2.2 The twisted Edwards addition law . 14 1.2.3 Projective twisted Edwards curves . 15 1.2.4 TheEdwardsgroup........................ 17 1.2.5 Points of small order on E E,a,d .................. 18 1.2.6 Montgomery curves and twisted Edwards curves . 21 1.3 Arithmetic on (twisted) Edwards curves . 25 1.3.1 Inversion-freeformulas . 25 1.3.2 DoublingontwistedEdwardscurves . 25 1.3.3 Clearing denominators in projective coordinates . 26 1.3.4 Inverted twisted Edwards coordinates . 26 1.3.5 Extendedpoints.......................... 27 1.3.6 Tripling on Edwards curves . 28 1.3.7 Quintupling on Edwards curves . 28 2 Analyzing double-base elliptic-curve single-scalar multiplication 31 2.1 Fast addition on elliptic curves . 32 2.1.1 Jacobiancoordinates . 32 2.1.2 Morecoordinatesystems . 33 2.2 Double-base chains for single-scalar multiplication . 34 2.2.1 Single-base scalar multiplication . 34 2.2.2 Double-base scalar multiplication . 35 2.2.3 Sliding window . 36 2.2.4 Computingachain ........................ 36 ix x Contents 2.3 Optimizing double-base elliptic-curve single-scalar multiplication . 37 2.3.1 Parameterspace ......................... 38 2.3.2 Experimentsandresults . 38 3 ECM using Edwards curves 45 3.1 TheElliptic-CurveMethod(ECM) . 46 3.1.1 Pollard’s (p 1)-method..................... 46 3.1.2 Stage1ofECM..........................− 47 3.1.3 SpeedupsinEECM-MPFQ . 49 3.2 Edwardscurveswithlargetorsion . 50 3.2.1 Elliptic curves over the rationals . 50 3.2.2 Torsion group Z/12Z ....................... 51 3.2.3 Torsion group Z/2Z Z/8Z ................... 53 × 3.2.4 Impossibility results . 55 3.3 Edwards curves with large torsion and positive rank . 58 3.3.1 TheAtkin–Morainconstruction . 58 3.3.2 TheSuyamaconstruction . 59 3.4 Edwards curves with small parameters, large torsion, and positive rank 60 3.4.1 Torsion group Z/12Z ....................... 61 3.4.2 Torsion group Z/2Z Z/8Z ................... 61 × 3.5 Theimpactoflargetorsion ....................... 62 3.5.1 Impact of torsion for 20-bit and 30-bit primes . 62 3.5.2 Review of methods of estimating the success probability . 66 II Code-based cryptography 69 4 Linear codes for cryptography 71 4.1 Linearcodes................................ 72 4.1.1 Basicconcepts........................... 72 4.1.2 Thegeneraldecodingproblem . 73 4.1.3 ClassicalGoppacodes . .. .. .. .. 75 4.2 Code-based public-key cryptography . 77 4.2.1 TheMcEliececryptosystem . 78 4.2.2 TheNiederreitercryptosystem. 79 4.2.3 Securityofcode-basedcryptography . 80 4.2.4 Attacking the McEliece cryptosystem . 81 5 Collision decoding 83 5.1 Information-set-decoding algorithms . 84 5.1.1 Lee–Brickell’s algorithm . 84 5.1.2 Stern’s algorithm . 85 5.2 A successful attack on the original McEliece parameters . ... 87 5.2.1 Speeding up Gaussian elimination . 89 5.2.2 Speeding up list building and collision handling . 92 Contents xi 5.2.3 Analysis of the number of iterations and comparison . 93 5.2.4 Breaking the original McEliece parameters . 96 5.2.5 Defending the McEliece cryptosystem . 98 5.3 Collision decoding: recent developments . 99 5.3.1 Fixed-distancedecoding . .100 5.3.2 Thebirthdayspeedup . .100 5.4 Decodingcomplexitycomparison . .102 5.4.1 Motivationandbackground . .102 5.4.2 Asymptotic cost of the Lee–Brickell algorithm . 103 5.4.3 Complexity of Stern’s algorithm . 106 5.4.4 Implications for code-based cryptography .