
Journal of Computer Science 10 (8): 1575-1581, 2014
ISSN: 1549-3636
© 2014 Science Publications
doi:10.3844/jcssp.2014.1575.1581 Published Online 10 (8) 2014 (http://www.thescipub.com/jcs.toc)

A VARIANT OF POLLARD'S RHO ATTACK ON ELLIPTIC CURVE CRYPTOSYSTEMS

Siham Ezzouak, Mohammed Elamrani and Abdelmalek Azizi
Department of Mathematics and Computer Science, Faculty of Science, University Mohammed First, Oujda, BP 60000, Morocco

Received 2014-02-18; Revised 2014-04-05; Accepted 2014-04-09

ABSTRACT

Elliptic curve cryptosystems appear to be more secure and efficient than other public key cryptosystems, since they require a smaller key size to implement. Their security is based upon the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). This study proposes a variant of the generic Pollard's Rho algorithm for solving the ECDLP, using cycle detection with a stack and a mixture of cycle detection and random walks. Pollard's Rho using cycle detection with a stack requires fewer iterations than the original Pollard's Rho to reach a collision. Random walks let the iteration function behave more randomly than the original iteration function, so the Pollard rho method performs more efficiently. In practice, the experimental results show that the proposed methods decrease the number of iterations and speed up the computation of the discrete logarithm problem on elliptic curves.

Keywords: Cycle Detection, Discrete Logarithm Problem, Elliptic Curve, Pollard Rho Method, Random Walk

Corresponding Author: Siham Ezzouak, Department of Mathematics and Computer Science, Faculty of Science, University Mohammed First, Oujda, BP 60000, Morocco

1. INTRODUCTION

Elliptic curves over finite fields have been proposed by Diffie-Hellman to implement key passing schemes, and elliptic curve variants exist for digital signatures. The security of this cryptosystem is linked to the difficulty of solving the elliptic curve discrete logarithm problem: if this problem is solved, the cryptosystem is broken. Although there are several attacks against this cryptosystem, such as Baby-Step Giant-Step (Shanks, 1971), Pollard's Rho method and its parallelized variant, their complexity is the square root of the prime order of the generating point used (Harrison, 2010). Up to now, Pollard's Rho method is known as the best method to solve the discrete logarithm problem on general groups, and specifically on elliptic curves. Hence, automorphisms of the group (Duursma et al., 1990), parallelization (Oorschot and Wiener, 1999), the iteration function (Teske, 1998; 2001) or cycle detection (Brent, 1980; Cheon et al., 2012) are used to improve this attack. In this study, we introduce a variant of Pollard's Rho attack using the new cycle detection proposed by Nivasch (2004) and the random walks proposed by Teske. After that, we analyze the running time and implement the new algorithm. The remainder of this study proceeds as follows: Section 2 introduces some basic definitions for elliptic curves, Floyd's algorithm and Pollard's Rho algorithm. Section 3 describes how Pollard's Rho algorithm may be modified using Nivasch's cycle detection instead of Floyd's algorithm. We explain how to introduce random walks into the modified Pollard's Rho, and the algorithms are compared in Section 4.

2. BACKGROUND

This section introduces the elliptic curve cryptosystem, Floyd's cycle-finding algorithm (Floyd, 1962) and Pollard's Rho method (Pollard, 1978). Pollard's Rho method uses an iteration function to build a sequence of elements and uses cycle detection to find a match, or collision. The match leads to the solution of the ECDLP. In fact, this method is based on a random walk and the Birthday Paradox, which states that in a set of 23 randomly chosen people, the chance that at least two of them share the same birthday is greater than 50%. Then, if random objects are selected with replacement from n objects, one may expect $\sqrt{\pi n/2}$ rounds before an object is picked twice.

2.1. Elliptic Curve Cryptosystem

The addition rule of the group of an elliptic curve is easy to implement. Algebraic formulas for the group law can be derived from the geometric description. A general elliptic curve E over a finite field K has the form $y^2 + axy + by = x^3 + cx^2 + dx + e$ where a, b, c, d and e are in K. The addition operation is defined over the curve with the inclusion of a point O called the point at infinity, or identity. Let p be a prime with p > 3. Elliptic curves can be implemented over fields of characteristic 2 and 3 and enjoy many optimizations, but they suffer from specialized discrete log attacks (Coppersmith, 1984) and should generally be avoided. Let $F_p = GF(p)$ be the Galois field of order p and let $a, b \in F_p$ satisfy the condition $4a^3 + 27b^2 \bmod p \neq 0$; then an elliptic curve over the Galois field, $E(F_p)(a, b)$, is defined by the equation $y^2 = x^3 + ax + b \bmod p$ where $x \in F_p$.

Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be two points on the elliptic curve $E(F_p)(a, b)$. To compute the sum $R = (x_3, y_3)$ of the points P and Q we use the explicit formulas:

• If P = O then R = Q
• If Q = O then R = P
• Otherwise
 - If $x_1 \neq x_2$ put $\lambda = (y_1 - y_2)(x_1 - x_2)^{-1}$, then $x_3 = \lambda^2 - x_1 - x_2$ and $y_3 = \lambda(x_1 - x_3) - y_1$
 - If $x_1 = x_2$ and $y_1 = -y_2$ then R = O
 - If $x_1 = x_2$ and $y_1 \neq -y_2$, so P = Q, put $\lambda = (3x_1^2 + a)(y_1 + y_2)^{-1}$, then $x_3 = \lambda^2 - x_1 - x_2$ and $y_3 = \lambda(x_1 - x_3) - y_1$

The most expensive step is the division in the computation of $\lambda$.

Definition 1 (Hankerson et al., 2004). The Elliptic Curve Discrete Logarithm Problem (ECDLP) is: given an elliptic curve E defined over a finite field $F_p$, a point $P \in E(F_p)$ of order n and a point $Q \in \langle P \rangle$, find the integer $l \in [0, n-1]$ such that $Q = lP$. The integer l is called the discrete logarithm of Q to the base P, denoted $l = \log_P Q$.

This problem is considered a hard mathematical problem, like the Integer Factorisation Problem (IFP) and the logarithm problem in the multiplicative group of a finite field (DLP). All methods proposed up to now which solve the ECDLP require exponential running time.

2.2. Floyd's Cycle-finding Algorithm

Instead of comparing each new $Y_i$ to all previous ones and storing all elements until a collision is obtained, it is better to choose Floyd's algorithm (Floyd, 1962) in order to minimize the memory requirement and the running time. In fact, one computes pairs $(Y_i, Y_{2i})$ of points for i = 1, 2, 3, ... until finding $Y_i = Y_{2i}$. After computing a new pair, the previous pair can be discarded, thus the storage requirements are negligible.

Theorem 1 (Knuth, 1969, exercises 6-7). For a periodic sequence $Y_0, Y_1, Y_2, \ldots$ there exists an i > 0 such that $Y_i = Y_{2i}$, and the smallest such i lies in the range $\mu \le i \le \mu + \lambda$, where $\mu$ and $\lambda$ are the preperiod and the period of the sequence $Y_i$ respectively.

If we suppose that the sequence is generated by a random function, then the expected values of $\mu$ and $\lambda$ are each close to $\sqrt{\pi n/8}$. As a consequence, $\mu + \lambda$ is around $\sqrt{\pi n/2}$.

2.3. Pollard's Rho Algorithm

The idea of Pollard is that one of three possibilities is chosen in a random manner at each step, and the resulting sequence is sufficiently complicated to be regarded as a random mapping. Let us start with a random point $R_0$ and build the sequence $R_i$ with the iteration function f until a collision occurs. Since $E(F_p)$ is finite, the sequence $R_i$ becomes periodic after some iterations, so there will be some indices i < j such that $R_i = R_j$; j - i is the period and $R_i, R_{i+1}, R_{i+2}, \ldots, R_j$ form a loop. For cycle detection, Floyd's method is used. The original Pollard's Rho method on elliptic curves is detailed below:

• Split $E(F_p)$ into three disjoint sets $S_1$, $S_2$ and $S_3$ of roughly equal size
• Let $R_0 = a_0 P + b_0 Q$ with $a_0$ and $b_0$ two random integers in ]0, n[, and define the iteration function f as:

$$f(R_i) = R_{i+1} = \begin{cases} P + R_i & \text{if } R_i \in S_1 \\ 2R_i & \text{if } R_i \in S_2 \\ Q + R_i & \text{if } R_i \in S_3 \end{cases}$$

 The sequences $a_i$ and $b_i$ can be computed as follows:

$$(a_{i+1}, b_{i+1}) = \begin{cases} (a_i + 1, b_i) & \text{if } R_i \in S_1 \\ (2a_i, 2b_i) & \text{if } R_i \in S_2 \\ (a_i, b_i + 1) & \text{if } R_i \in S_3 \end{cases}$$

• Compute $R_j$ and $R_{2j}$ with the iteration function f and compare them until a match is found
• If $R_j = R_{2j}$, then $l = \dfrac{a_{2j} - a_j}{b_j - b_{2j}} \pmod n$, provided $b_j \neq b_{2j}$.

The corresponding pseudocode:

 j ← 0
 R_0 ← a_0 P + b_0 Q
 for all j such that R_j ≠ R_2j do
  (R_{j+1}, a_{j+1}, b_{j+1}) ← f(R_j), f(a_j, b_j)
  (R_{2(j+1)}, a_{2(j+1)}, b_{2(j+1)}) ← f(f(R_2j)), f(f(a_2j, b_2j))
  j ← j + 1
 if R_j = R_2j and b_j ≠ b_2j then
  l ← (a_2j − a_j) / (b_j − b_2j) mod n
 else if b_j = b_2j then
  a_0 ← random ∈ ]0; n[
  b_0 ← random ∈ ]0; n[
  j ← 0
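The following added example (not from the paper) runs Floyd's pair comparison of Section 2.2 against a brute-force computation of the preperiod µ and period λ, to check Theorem 1 and the expected ρ-length of about √(πn/2). It stands in for the "random function" by drawing a random table on n elements, which is an assumption of this example rather than anything the paper specifies; the 6-element mapping used for the hand-checkable case is likewise constructed here.

```python
"""Floyd's cycle finding versus a stored-sequence brute force; numeric check of Theorem 1."""
import math
import random


def floyd(f, y0):
    """Smallest i > 0 with Y_i = Y_2i, keeping only the current pair (Y_i, Y_2i)."""
    tortoise, hare, i = f(y0), f(f(y0)), 1      # (Y_1, Y_2)
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(f(hare))  # (Y_{i+1}, Y_{2i+2}); old pair discarded
        i += 1
    return i


def preperiod_and_period(f, y0):
    """Brute force mu and lambda by storing every Y_i: the memory cost Floyd's method avoids."""
    seen, y, k = {}, y0, 0
    while y not in seen:
        seen[y] = k
        y, k = f(y), k + 1
    mu = seen[y]              # index of the first element of the cycle
    return mu, k - mu         # (preperiod, period)


def check_theorem1(n=1000, trials=500, seed=7):
    """Random mappings on n points (constructed assumption): verify mu <= i <= mu + lambda
    for Floyd's i on every trial and return (all_ok, mean rho-length, sqrt(pi*n/2))."""
    rng = random.Random(seed)
    all_ok, total = True, 0
    for _ in range(trials):
        table = [rng.randrange(n) for _ in range(n)]   # a random function on {0..n-1}
        f = table.__getitem__
        y0 = rng.randrange(n)
        mu, lam = preperiod_and_period(f, y0)
        i = floyd(f, y0)
        all_ok &= (mu <= i <= mu + lam)
        total += mu + lam
    return all_ok, total / trials, math.sqrt(math.pi * n / 2)


# Constructed 6-element mapping 0->1->2->3->4->2 (and 5->0): from y0 = 0, mu = 2, lambda = 3.
TOY = [1, 2, 3, 4, 2, 0]
toy_f = TOY.__getitem__

if __name__ == "__main__":
    print(preperiod_and_period(toy_f, 0), floyd(toy_f, 0))   # (2, 3) 3
    print(check_theorem1())
```

On the toy mapping Floyd stops at i = 3, inside the Theorem 1 window [µ, µ+λ] = [2, 5]; over the random tables the mean of µ+λ lands close to √(πn/2), which is the cost Pollard's Rho pays for its collision.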
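The added example below (not the paper's code) implements the addition formulas of Section 2.1 and the original Pollard's Rho of Section 2.3 on a small textbook curve so the pseudocode can be stepped through by hand. Assumptions introduced here: the toy curve y² = x³ + 2x + 2 over F_17 (19 points, so the generator (5, 1) has prime order n = 19), the partition rule (x mod 3, with O placed in S_1), the seeded random generator for a_0 and b_0, and the helper names.

```python
"""Toy elliptic-curve arithmetic (Section 2.1) and Pollard's Rho with Floyd's cycle
detection (Section 2.3). Curve, partition rule and names are this example's assumptions."""
import random

P_MOD, A, B = 17, 2, 2      # constructed toy curve y^2 = x^3 + 2x + 2 over F_17
INF = None                  # the point at infinity O


def ec_add(P, Q):
    """Sum of two affine points using the explicit formulas of Section 2.1."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                              # P = -Q
    if x1 != x2:
        lam = (y1 - y2) * pow((x1 - x2) % P_MOD, -1, P_MOD)      # chord
    else:
        lam = (3 * x1 * x1 + A) * pow((y1 + y2) % P_MOD, -1, P_MOD)  # tangent, P = Q
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, P):
    """kP by double-and-add."""
    R, addend = INF, P
    while k:
        if k & 1:
            R = ec_add(R, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return R


def point_order(P):
    """Smallest n > 0 with nP = O (brute force, fine on a toy curve)."""
    n, R = 1, P
    while R is not INF:
        R, n = ec_add(R, P), n + 1
    return n


def partition(R):
    """Index of the set S_1, S_2, S_3 holding R: x mod 3 for affine points; O goes to S_1."""
    return 1 if R is INF else R[0] % 3 + 1


def walk(R, a, b, P, Q, n):
    """One application of the iteration function f together with the (a_i, b_i) update."""
    s = partition(R)
    if s == 1:
        return ec_add(R, P), (a + 1) % n, b
    if s == 2:
        return ec_add(R, R), (2 * a) % n, (2 * b) % n
    return ec_add(R, Q), a, (b + 1) % n


def pollard_rho(P, Q, n, seed=1):
    """Return l in [0, n-1] with Q = lP. Tortoise R_j vs hare R_2j (Floyd); restart on b_j = b_2j."""
    rng = random.Random(seed)                      # seeded so the run is reproducible
    while True:
        a0, b0 = rng.randrange(1, n), rng.randrange(1, n)
        R0 = ec_add(scalar_mult(a0, P), scalar_mult(b0, Q))
        Rj, aj, bj = R0, a0, b0                      # R_j
        R2, a2, b2 = R0, a0, b0                      # R_2j
        while True:
            Rj, aj, bj = walk(Rj, aj, bj, P, Q, n)
            R2, a2, b2 = walk(*walk(R2, a2, b2, P, Q, n), P, Q, n)
            if Rj == R2:
                break
        if bj != b2:
            return (a2 - aj) * pow((bj - b2) % n, -1, n) % n
        # b_j = b_2j: this collision gives no information; pick fresh a_0, b_0


if __name__ == "__main__":
    P = (5, 1)
    n = point_order(P)
    Q = scalar_mult(7, P)
    print(n, pollard_rho(P, Q, n))   # 19 7
```

The restart branch is the `else if b_j = b_2j` case of the pseudocode; on a group this small it is hit noticeably often, which is why the seeded generator matters for reproducing a run.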