Algorithms for the Elliptic Curve Discrete Logarithm and the Approximate Common Divisor Problem

Algorithms for the Elliptic Curve Discrete Logarithm and the Approximate Common Divisor Problem

Algorithms for the Elliptic Curve Discrete Logarithm and the Approximate Common Divisor Problem Shishay Welay Gebregiyorgis A Thesis Submitted in Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Mathematics The University of Auckland January 2016 Abstract Public key cryptosystems such as Diffie-Hellman key exchange and homomorphic encryption over the integers are based on the assumption that the Discrete Logarithm Problem (DLP) and the Approximate Common Divisor (ACD) problem are hard respectively. These computational assumptions can be tested by developing improved algorithms to solve them. The DLP for elliptic curves defined over certain finite fields is believed to be hard. The best current algorithm for this problem is Pollard rho. The most promising new idea for attacking the DLP over these curves is the index calculus algorithm, since it solves the DLP for finite fields in subexponential time. It is important to understand this class of algorithms. We study the index calculus algorithm based on summation polynomials. This reduces the DLP to solving systems of multivariate polynomial equations. We explain recent research on exploiting symmetries arising from points of small order. The use of such symmetries can be used to speed up solving the system of polynomial equations, and hence speed up the algorithm. We give an improved index calculus algorithm for solving the DLP for binary elliptic curves. Despite our improved ideas, our experiments suggest that Pollard rho is still the best algorithm for the DLP in practice. We discuss and analyse a new idea called the “splitting technique”, which does not make use of symmetries. We finally suggest a new definition of the factor base to bring the probability of finding a relation close to 1. To extend the notion of symmetries we investigate the use of an automorphism of elliptic curves defined over a field of characteristic 3 to speed up the index calculus algorithm. Our finding is that an automorphism speeds up the algorithm, but not to the extent that we would wish. Finally we review, compare and precisely analyse some existing algorithms to solve the ACD problem. Our experiments show that the Cohn-Heninger algorithm is slower than the orthogonal lattice based ap- proach. We propose a preprocessing of the ACD instances to speed up these algorithms. We explain that the preprocessing does not seem to threaten the ACD problem in practice. Acknowledgements I like to thank to my PhD supervisor Steven Galbraith for supporting me during my three years stay in the University of Auckland. He did not only supervise me but also he taught me how to be an independent self confident researcher. Above all, special appreciation goes to him for our collaborative work in my first published paper on the results in Chapter 3. I also like to thank Arkadii Slinko, Ben Martin, Igor Klep for their comments and suggestions. My work has been supported by the University of Auckland. The University of Auckland did not only provide me materials needed for my PhD program but also for awarding me a University of Auckland Doctoral Scholarship. So I really like to thank to all staff in this great University. Finally huge thanks goes to my family for supporting me in all ways. All the work is dedicated to my amazing family. Contents 1 Cryptography and Computational Assumptions3 1.1 Cryptography..........................................4 1.2 The integer factorization problem and RSA cryptosystem...................5 1.3 Integer factorization algorithms.................................6 1.3.1 Pollard p − 1 algorithm................................6 1.3.2 The elliptic curve factorization method........................7 1.3.3 The quadratic sieve factorization method.......................7 1.4 The discrete logarithm problem and Elgamal cryptosystem..................8 1.5 Algorithms for solving the discrete logarithm problem.................... 10 1.5.1 The baby-step-giant-step algorithm.......................... 10 1.5.2 The Pohlig-Hellman algorithm............................. 10 1.5.3 The Pollard rho algorithm............................... 11 1.5.4 The index calculus method............................... 11 2 Elliptic Curves and Summation Polynomials 13 2.1 Computational algebraic geometry............................... 14 2.1.1 Ideals and affine varieties................................ 14 2.1.2 Grobner¨ basis...................................... 16 2.1.3 Invariant theory..................................... 18 2.1.4 Solving polynomial systems with symmetries using Grobner¨ basis.......... 20 2.2 Elliptic curves.......................................... 22 2.2.1 Elliptic curve definition................................. 22 2.2.2 Elliptic curve representation.............................. 25 2.2.3 The elliptic curve discrete logarithm problem (ECDLP)................ 27 2.3 Summation polynomials.................................... 30 2.3.1 Summation polynomials definition........................... 31 2.3.2 Weil descent of an elliptic curve............................ 31 2.3.3 The index calculus algorithm.............................. 32 2.3.4 Resolution of polynomial systems using symmetries................. 38 3 Index Calculus Algorithm to Solve the DLP for Binary Edwards Curve 40 3.1 Summation polynomials of binary Edwards curve....................... 41 3.1.1 Factor base definition.................................. 43 3.1.2 Weil descent of binary Edwards curve......................... 44 3.2 Symmetries to speed up resolution of polynomial systems.................. 45 1 3.2.1 The action of symmetric group............................. 45 3.2.2 The action of a point of order 2............................ 45 3.2.3 The action of points of order 4............................. 46 3.3 Index calculus algorithm.................................... 47 3.4 Breaking symmetry in the factor base............................. 50 3.5 Grobner¨ basis versus SAT solvers comparison......................... 51 3.6 Experimental results...................................... 52 3.7 Splitting method to solve DLP for binary curves........................ 57 4 The DLP for Supersingular Ternary Curves 60 4.1 Elliptic curve over a field of characteristic three........................ 60 4.2 Automorphisms and resolution of point decomposition problem............... 61 4.3 Invariant rings under the automorphism and symmetric groups................ 62 5 The Approximate Common Divisor Problem and Lattices 65 5.1 Lattices and computational assumptions............................ 66 5.1.1 Algorithms to solve CVP and SVP........................... 68 5.1.2 Solving Knapsack problem............................... 70 5.2 Algorithms to solve the approximate common divisor problem................ 71 5.2.1 Exhaustive search.................................... 73 5.2.2 Simultaneous Diophantine approximation....................... 74 5.2.3 Orthogonal vectors to common divisors (NS-Approach)............... 76 5.2.4 Orthogonal vectors to error terms (NS*-Approach).................. 80 5.2.5 Multivariate polynomial equations method (CH-Approach).............. 82 5.3 Comparison of algorithms for the ACD problem........................ 85 5.3.1 Experimental observation............................... 87 5.4 Pre-processing of the ACD samples.............................. 88 2 Chapter 1 Cryptography and Computational Assumptions Contents 1.1 Cryptography........................................4 1.2 The integer factorization problem and RSA cryptosystem................5 1.3 Integer factorization algorithms..............................6 1.3.1 Pollard p − 1 algorithm...............................6 1.3.2 The elliptic curve factorization method.......................7 1.3.3 The quadratic sieve factorization method......................7 1.4 The discrete logarithm problem and Elgamal cryptosystem...............8 1.5 Algorithms for solving the discrete logarithm problem.................. 10 1.5.1 The baby-step-giant-step algorithm......................... 10 1.5.2 The Pohlig-Hellman algorithm............................ 10 1.5.3 The Pollard rho algorithm.............................. 11 1.5.4 The index calculus method.............................. 11 Secure cryptosystems are built using computational problems that are believed to be hard. The RSA and Diffie-Hellman key exchange are based on the assumption that the integer factorization and discrete logarithm problems are hard respectively. If we can break the underlying assumption, then the cryptosystem is not secure any more. In this regard, we are interested in trying to solve the underlying hard computational problems of cryptosystems. If the computational problem is intrinsically easy, we can provide an algorithm to solve the problem in polynomial time. If however the computational problem is intrinsically difficult, we would wish to show that there is no algorithm that solves the problem. The lack of proof showing that there is no efficient algorithm to solve the underlying hard computational problems in many cryptosytems is our motivation for our research. We test computational assumptions by developing improved algorithms to solve them. We give a summary of the existing algorithms to solve the integer factorization and discrete logarithm problems. 3 1.1 Cryptography Cryptography deals with securing communication channels, electronic transactions, sensitive data and other critical information such as medical records. It is concerned with designing a cyptosystem or a cryp- tographic system that is capable

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    101 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us