Random self-reducibility and bit security of the elliptic curve Diffie–Hellman secret keys
Dimitar Jetchev and Ramarathnam Venkatesan

Abstract. We prove that if one can predict the least significant bit of the Diffie–Hellman secret keys for elliptic curves with non-negligible advantage on a polynomial fraction of all curves over a given finite field $\mathbb{F}_p$, then one can compute the entire Diffie–Hellman secret on a polynomial fraction of all curves over the same finite field. Our method combines rapid mixing properties of certain isogeny graphs, results due to Boneh and Shparlinski, and a new refinement of H. Lenstra's lower bounds on the sizes of the isogeny classes corresponding to almost all traces of the Frobenius.

1. Introduction

1.1 Statement of the problem

The Diffie–Hellman protocol for key exchange is based on the hardness of computing the function $\mathrm{DH}_g(g^u, g^v) = g^{uv}$, where $g$ is a generator of the multiplicative group of a finite field $\mathbb{F}_p$ and $u$ and $v$ are integers in $[1, p-1]$ ([MvOV96]). A natural question is whether one can guess some of the bits of $g^{uv}$ given $g, g^u, g^v$. It is unknown whether predicting partial information with significant advantage over a random guess leads to a compromise of the Diffie–Hellman function. Boneh and Venkatesan (see [BV96] and [Shp03]) have shown that if one is able to compute $\sqrt{5\log p}$ bits of $g^{uv}$ for any input, then one can compute the entire secret. Such results substantiate the security of a block cipher which uses as a key some of the bits of the secret $g^{uv}$ (yet, practical implementations will apply a secure hash function as a good measure). Thus, it is important to know that the partial bits are not computable or predictable with any significant advantage. In addition, the methods used in these results can be used to attack cryptographic systems which reveal some information about $g^{uv}$ to the attacker ([Ngu01], [Shp01], [GVS02], [NS02], [HGNS03], [NS03]).
The analogous problem for elliptic curves studies the bit security of the following function.

Diffie–Hellman function: Let $E$ be an elliptic curve over $\mathbb{F}_p$ and let $P \in E$ be a point of prime order $q$. We define the Diffie–Hellman function as $\mathrm{DH}_{E,P}(uP, vP) = uvP$, where $u, v$ are integers in $[1, q-1]$. Moreover, we often refer to the triple $(P, uP, vP)$ as a Diffie–Hellman triple.

Here, some partial results are known. Boneh and Shparlinski (see [BS01]) have shown that given a polynomial time algorithm $A$ which predicts the least significant bit of the $x$-coordinate of the secret $uvP$ with non-negligible advantage for a $\delta$-fraction of the curves $E'$ in the isomorphism class of $E$, one can solve the Diffie–Hellman problem on $E$; here, the oracle $A$ is parametrized: it takes as input an elliptic curve $E'$ which is isomorphic over $\mathbb{F}_p$ to $E$ and a Diffie–Hellman triple $(P, uP, vP)$ on $E'(\mathbb{F}_p)$, and returns a single bit. If one considers a prediction oracle that works on a single curve $E$, some partial results are known using Gröbner bases ([JJV07]).

The general problem would be to consider a parametrized oracle $A(E, P, uP, vP)$ which predicts the least significant bit of the Diffie–Hellman secret $uvP$, where $E$ is a curve from a non-negligible set $G$ (i.e., a polynomial (in $\log p$) fraction of all elliptic curves defined over $\mathbb{F}_p$) and $(P, uP, vP)$ is a Diffie–Hellman triple for $E$. One encounters extra challenges in this more general setting. First, the set $G$ may be scattered arbitrarily over all (exponentially many in $\log p$) isogeny classes, where each isogeny class contains exponentially many isomorphism classes, each of which in turn contains exponentially many individual elliptic curves. Second, relating the difficulty of computing the discrete logarithm or Diffie–Hellman functions within each isogeny class is itself a nontrivial task: having an explicit isogeny (an algebraic group homomorphism) from an elliptic curve $E$ to another curve $E'$ in the same class would achieve this. By Tate's theorem such maps exist if and only if $E$ and $E'$ have the same number of points. But these isogenies can have large degrees, and it can take $O(p^{3/2})$ steps to compute them. Finally, if the curves are in different isogeny classes, it is impossible to reduce the Diffie–Hellman problem for one of them to the same problem for the other via an algebraic map, again by Tate's theorem. We show that such an algorithm $A$ is unlikely to exist by proving that its existence implies the existence of a set $G'$ consisting of a polynomial (in $\log p$) fraction of all elliptic curves over $\mathbb{F}_p$, such that one can solve the Diffie–Hellman problem for every $E' \in G'$.
Our approach is based on the distribution of the curves in $G$ among the isogeny and isomorphism classes. Lenstra's theorem on the approximate equidistribution of isogeny classes over the Hasse interval (see [Len87, Thm. 1.9]) gives upper and lower bounds. Lenstra's lower bound does not apply to the entire interval, but only to its middle part. We refine Lenstra's results so that they apply to larger ranges in the Hasse interval. Moreover, the result depends on random self-reducibility arguments for the Diffie–Hellman problem as in [JMV05] (under the Generalized Riemann Hypothesis), and makes use of the theorem of Boneh and Shparlinski for isomorphism classes, in addition to the above refinement.

To motivate the problem of random self-reducibility for the Diffie–Hellman function, we recall the common cryptographic practice of generating elliptic curves at random and then examining the group order (i.e., checking its smoothness) to decide whether to keep the curve or discard it (e.g., NIST). Thus, the question of whether a Diffie–Hellman oracle applies to a random elliptic curve is highly relevant for practical security.

Finally, there are two important advantages of our results. First, if we consider the distribution of the curves in $G$ only over isomorphism classes and look for a similar result, it is not clear how to identify the class of curves that will be assumed to be hard; in our case, we can identify these curves by their traces. Second, thanks to Tate's isogeny theorem, curves of different traces will have to be dealt with differently (unless we resort to some non-algebraic methods), and thus a natural result to look for would be the following: if the parametrized oracle works on a polynomial fraction of all curves of trace $t$, then one can solve the problem on all elliptic curves in the isogeny class corresponding to $t$. This is what we prove, and it is akin to the claims about DLOG over finite fields, where we have the notion of random self-reducibility as well. Yet, we hope for no reductions across different characteristics. We show that for almost all trace values, such a property holds.

1.2 Notation and preliminaries

Throughout the whole paper, $p$ will be a prime number and $\tilde\varepsilon > 0$ will be a fixed real number. We will be considering the Diffie–Hellman problem for elliptic curves $E$ over $\mathbb{F}_p$ and triples $(P, uP, vP)$, where $P$ is a point of prime order $q > (\log p)^{2+\tilde\varepsilon}$ and $u, v \in [1, q-1]$ (which is a reasonable cryptographic assumption). We make this assumption since an isogeny $\phi : E \to E'$ of prime degree $\ell \le (\log p)^{2+\tilde\varepsilon}$ will then preserve the order of $P$, and we will need this technical fact in what follows.

We say that an algorithm $B$ computes the Diffie–Hellman function if $B(E, P, uP, vP) = uvP$ holds with probability at least $1 - 1/p$ (here, the probability is taken over the random bits used by $B$). Moreover, if $z$ is a non-negative integer then $\mathrm{LSB}(z)$ denotes the least significant bit of $z$. If $x \in \mathbb{F}_p$ then $\mathrm{LSB}(x)$ is defined to be $\mathrm{LSB}(z)$, where $z$ is the unique integer in $[0, p-1]$ such that $z \equiv x \bmod p$. If $Q \in E(\mathbb{F}_p)$ then $x(Q)$ and $y(Q)$ denote the $x$- and $y$-coordinates of $Q$, respectively. Finally, if $t$ is an integer with $|t| \le 2\sqrt{p}$, then one can write $t^2 - 4p$ uniquely as $d_\pi c_\pi^2$, where $d_\pi$ is negative and square-free. We call $c_\pi$ the conductor of $t$.

Advantage: We say that an algorithm $A$ which takes as input $E$, a point $P \in E(\mathbb{F}_p)$ of prime order $q > (\log p)^{2+\tilde\varepsilon}$ and two multiples $uP$ and $vP$ (here, $u, v \in [1, q-1]$) has advantage $\varepsilon$ if
$$\mathrm{Adv}_{E,P}(A) := \Pr_{u,v}\bigl[A(E, P, uP, vP) = \mathrm{LSB}(x(uvP))\bigr] - \tfrac{1}{2} \ \ge\ \varepsilon.$$
1.3 The main results

For each prime $p$ let $\Gamma_p$ be the set of all elliptic curves $y^2 = x^3 + ax + b$ with $a, b \in \mathbb{F}_p$.

Theorem 1.1. Let $G \subset \Gamma_p$ be such that $|G| = \delta|\Gamma_p|$ for some $0 < \delta \le 1$ with $1/\delta = O((\log p)^c)$ for some constant $c > 0$. Assume that there exist $\varepsilon > 0$ and a $t$-time algorithm $A$ which outputs a single bit and which satisfies the following property: for any $E \in G$ and any point $P$ of prime order $q > (\log p)^{2+\tilde\varepsilon}$, $\mathrm{Adv}_{E,P}(A) \ge \varepsilon$. Then there exist a constant $\tilde c$ (independent of $p$), a subset $G' \subseteq \Gamma_p$ with
$$|G'| \ \ge\ \frac{\tilde c\,|\Gamma_p|}{(\log p)^{\frac{3(c+1)}{2}}(\log\log p)^4},$$
and an algorithm $B$ running in time $t \cdot T(\log p, 1/\varepsilon)$ for some polynomial $T$ independent of $p$, such that $B$ computes the entire Diffie–Hellman secret $\mathrm{DH}_{E,P}(uP, vP)$ for any $E \in G'$ and any Diffie–Hellman triple $(P, uP, vP)$ for $E(\mathbb{F}_p)$.

We also show that for almost all values of the trace $t$ in the Hasse interval, the Diffie–Hellman problem on the set of elliptic curves with trace $t$ is random self-reducible. This serves to amplify the hard instances in each isogeny class, so that the existence of an algorithm to guess the least significant bits of the Diffie–Hellman secrets is less plausible.

2. Counting elliptic curves

Assume $p \ge 5$. Let $\Gamma_p = \{E_{a,b} : (a, b) \in \mathbb{F}_p \times \mathbb{F}_p,\ 4a^3 + 27b^2 \ne 0\}$. Then $|\Gamma_p| = p(p-1)$, since the number of pairs $(a, b)$ with $4a^3 + 27b^2 = 0$ is exactly $p$. Indeed, any such pair is parametrized by $a = -3c^2$ and $b = 2c^3$ for some $c \in \mathbb{F}_p$, and each such $c$ is uniquely determined by $(a, b)$.

2.1 Isomorphism classes

Two elliptic curves $E_{a,b}$ and $E_{a',b'}$ are isomorphic over $\mathbb{F}_p$ if there exists an element $u \in \mathbb{F}_p^\times$ such that $a' = u^4 a$ and $b' = u^6 b$. To count the isomorphism classes of elliptic curves, we observe that the number of curves $E' \in \Gamma_p$ isomorphic to a given curve $E \in \Gamma_p$ is exactly $\frac{p-1}{\#\mathrm{Aut}_{\mathbb{F}_p}(E)}$. In particular, this gives us the formula
$$\sum_{E} \frac{1}{\#\mathrm{Aut}_{\mathbb{F}_p}(E)} = p,$$
where the sum is taken over a set of representatives for the isomorphism classes of the curves in $\Gamma_p$.

2.2 Isogeny classes

Tate's isogeny theorem (see [Tat66]) states that two elliptic curves $E_1, E_2$ over $\mathbb{F}_p$ are isogenous if and only if $\#E_1(\mathbb{F}_p) = \#E_2(\mathbb{F}_p)$. For any $E \in \Gamma_p$ we have the Hasse bound $|p + 1 - \#E(\mathbb{F}_p)| \le 2\sqrt{p}$. For an integer $N$ satisfying $|p + 1 - N| \le 2\sqrt{p}$ consider the isogeny class
$$C_N = \{E_{a,b} \in \Gamma_p : \#E_{a,b}(\mathbb{F}_p) = N\}.$$
Our goal is to provide upper and lower bounds on the size of $C_N$ for any $N \in [p+1-2\sqrt{p},\ p+1+2\sqrt{p}]$.

2.3 Lenstra's upper bound

Lemma 2.1. Let $S$ be a set of isogeny classes $C \subset \Gamma_p$ of elliptic curves. There exists an effectively computable constant $c_u$ such that
$$\sum_{C \in S} |C| \ \le\ c_u\,|S|\,p^{3/2}(\log p)(\log\log p)^2.$$
Proof. This is an immediate consequence of [Len87, Prop. 1.9(a)] and the fact that the weighted cardinality in the sense of [Len87] of each $\mathbb{F}_p$-isomorphism class is either $2p$, $3p$ or $6p$ (being $2p$ for almost all isomorphism classes).

2.4 Refining Lenstra's lower bound

We need a refinement of the lower bound established by Lenstra in [Len87, Prop. 1.9(b)] on the size of a collection of isogeny classes. The weighted number of elliptic curves (up to isomorphism) in the isogeny class $C_N$ with $p + 1 - N = t$ is equal to the Kronecker class number $H(t^2 - 4p)$ of $t^2 - 4p$ ([Deu41], [Len87, pp. 654–655]). For a fixed integer $\Delta < 0$, $\Delta \equiv 0, 1 \bmod 4$, the Kronecker class number $H(\Delta)$ is the weighted number of equivalence classes of binary quadratic forms of discriminant $\Delta$ (the weight of a quadratic form is defined to be the number of automorphisms of the form). Let $\Delta_0 = \Delta/c_\pi^2$ be the fundamental discriminant and let $\chi_0$ be the quadratic character associated to $\Delta_0$. Using an analytic class number formula, one expresses $H(\Delta)$ in terms of the special value $L(1, \chi_0)$ of the $L$-function of the character $\chi_0$ and the discriminant $\Delta$. Thus, a lower bound for $H(\Delta)$ follows from a lower bound on this special value. The following result is proved in [Len87, Prop. 1.8]:

Lemma 2.2. (i) There exists an effectively computable positive constant $c_0$ such that for each $z \in \mathbb{Z}_{>0}$ there exists $\Delta^* = \Delta^*(z)$ such that
$$H(\Delta) \ \ge\ c_0\,\frac{|\Delta|^{1/2}}{\log z}$$
for each $\Delta$ which satisfies $|\Delta| \le z$, $\Delta < 0$, $\Delta \equiv 0, 1 \bmod 4$ and $\Delta_0 \ne \Delta^*$.
(ii) Assume the Generalized Riemann Hypothesis. There exists an effectively computable constant $c_0' > 0$ such that for each $z \in \mathbb{Z}_{>0}$,
$$H(\Delta) \ \ge\ c_0'\,\frac{|\Delta|^{1/2}}{\log\log z}$$
for each $\Delta$ which satisfies $|\Delta| \le z$, $\Delta < 0$ and $\Delta \equiv 0, 1 \bmod 4$.
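As an added worked example (not part of the paper), the following Python script checks the counting statements of Section 2 for a small constructed prime, $p = 13$: it enumerates $\Gamma_p$ and verifies $|\Gamma_p| = p(p-1)$; groups the curves into $\mathbb{F}_p$-isomorphism classes under $(a, b) \mapsto (u^4 a, u^6 b)$ and checks that each class has $(p-1)/\#\mathrm{Aut}_{\mathbb{F}_p}(E)$ members and that $\sum 1/\#\mathrm{Aut}_{\mathbb{F}_p}(E)$ over representatives equals $p$; groups curves into isogeny classes by $\#E(\mathbb{F}_p)$ (Tate's theorem) and checks the Hasse bound; and, for each trace $t$, computes the conductor $c_\pi$ of $t^2 - 4p$ from Section 1.2 together with the $1/\#\mathrm{Aut}$-weighted number of isomorphism classes in the isogeny class, the quantity Section 2.4 expresses through $H(t^2 - 4p)$. The function names and the value $p = 13$ are my choices.

```python
# Added example, not from the paper: sanity checks for Section 2 over a tiny prime.
from collections import defaultdict
from fractions import Fraction
from math import isqrt


def curve_order(a, b, p):
    """#E(F_p) for E: y^2 = x^3 + ax + b, counting 1 + Legendre(x^3 + ax + b) per x, plus infinity."""
    n = 1
    for x in range(p):
        r = (x ** 3 + a * x + b) % p
        if r == 0:
            n += 1
        elif pow(r, (p - 1) // 2, p) == 1:
            n += 2
    return n


def iso_representative(a, b, p):
    """Canonical representative of the F_p-isomorphism class of E_{a,b}:
    the lexicographically smallest pair (u^4 a, u^6 b), u in F_p^*."""
    return min(((pow(u, 4, p) * a) % p, (pow(u, 6, p) * b) % p) for u in range(1, p))


def aut_count(a, b, p):
    """#Aut_{F_p}(E_{a,b}): the number of u in F_p^* with u^4 a = a and u^6 b = b."""
    return sum(1 for u in range(1, p)
               if (pow(u, 4, p) * a) % p == a and (pow(u, 6, p) * b) % p == b)


def conductor(t, p):
    """Write t^2 - 4p = d * c^2 with d < 0 square-free (Section 1.2); return (d, c)."""
    m, c = 4 * p - t * t, 1
    for s in range(2, isqrt(m) + 1):
        while m % (s * s) == 0:
            m //= s * s
            c *= s
    return -m, c


def count_curves(p):
    """The counts of Section 2 for the prime p (p >= 5), with the identities asserted."""
    curves = [(a, b) for a in range(p) for b in range(p) if (4 * a ** 3 + 27 * b ** 2) % p != 0]
    assert len(curves) == p * (p - 1)                          # |Gamma_p| = p(p-1)

    classes = defaultdict(list)                                 # F_p-isomorphism classes
    for a, b in curves:
        classes[iso_representative(a, b, p)].append((a, b))
    for (a, b), members in classes.items():
        assert len(members) == (p - 1) // aut_count(a, b, p)   # (p-1)/#Aut curves per class
    aut_sum = sum(Fraction(1, aut_count(a, b, p)) for (a, b) in classes)
    assert aut_sum == p                                         # sum of 1/#Aut over representatives

    by_trace = {}                                               # isogeny classes, keyed by trace t
    for (a, b), members in classes.items():
        t = p + 1 - curve_order(a, b, p)
        assert t * t <= 4 * p                                   # Hasse bound |t| <= 2 sqrt(p)
        size, weight = by_trace.get(t, (0, Fraction(0)))
        by_trace[t] = (size + len(members), weight + Fraction(1, aut_count(a, b, p)))

    return {
        "curves": len(curves),
        "isomorphism_classes": len(classes),
        "isogeny_classes": {
            t: {"curves": size, "weighted_classes": w, "conductor": conductor(t, p)}
            for t, (size, w) in sorted(by_trace.items())
        },
    }


if __name__ == "__main__":
    for t, info in count_curves(13)["isogeny_classes"].items():
        d, c = info["conductor"]
        print(f"t = {t:3d}: {info['curves']:3d} curves, weighted classes {info['weighted_classes']}, "
              f"t^2 - 4p = {d} * {c}^2")
```

Running the script prints one line per isogeny class of $\Gamma_{13}$; the per-class weighted counts add up to $p$, which is the formula of Section 2.1 regrouped by trace.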
The following refinement of Lenstra's Proposition 1.9(b) is necessary for our argument:

Proposition 2.3. Let $0 < \mu < 1$ and let $S_\mu$ be a set of integers $N$ which satisfy $|p + 1 - N| \le 2\sqrt{p}\,(1 - \mu)$. Let
$$w_S = \#'\{E : E \text{ elliptic curve over } \mathbb{F}_p,\ \#E(\mathbb{F}_p) \in S_\mu\}/\cong_{\mathbb{F}_p},$$
where $\#'$ means the weighted cardinality.
(i) There exists an effectively computable constant $c_1 > 0$ such that
$$w_S \ \ge\ c_1\,(|S| - 2)\,\frac{\mu^{1/2}p^{1/2}}{\log p}.$$
(ii) Assume the Generalized Riemann Hypothesis. Then there exists an effectively computable constant $c_1' > 0$ such that
$$w_S \ \ge\ c_1'\,|S|\,\frac{\mu^{1/2}p^{1/2}}{\log\log p}.$$

Proof. One can express
$$w_S = \sum_{t,\ p+1-t \in S} H(t^2 - 4p).$$
(i) We apply Lemma 2.2 with $z = 4p$ to get that there exists a constant $c_0 > 0$ such that $H(\Delta) \ge c_0\,\frac{|\Delta|^{1/2}}{\log p}$ unless $\Delta_0 = \Delta^*$. As in the proof of Lenstra's Proposition 1.9(b), there are at most two values of $t$ for which the fundamental discriminant of $t^2 - 4p$ is equal to $\Delta^*$. Hence, it remains to estimate $|t^2 - 4p|$ from below to obtain a lower estimate on $w_S$. But if $1 + p - t \in S_\mu$ then
$$|t^2 - 4p| \ \ge\ 4p - 4p(1 - \mu)^2 = 8\mu p - 4\mu^2 p \ \ge\ 8\mu p - 4\mu p = 4\mu p.$$
Thus, $|t^2 - 4p|^{1/2} \ge 2\mu^{1/2}p^{1/2}$. Hence, if $c_1 = c_0$ then
$$w_S \ \ge\ c_1\,(|S| - 2)\,\frac{\mu^{1/2}p^{1/2}}{\log p}.$$
(ii) The second part follows similarly, except that we use the lower bound under the Generalized Riemann Hypothesis for the Kronecker class number $H(\Delta)$ established in Lemma 2.2(ii).

3. Isogeny graphs

We recall two constructions (see [JMV05]) for isogeny graphs for ordinary and supersingular elliptic curves, respectively. Let $N$ be a positive integer satisfying $|p + 1 - N| \le 2\sqrt{p}$ and consider the isogeny class $C_N \subset \Gamma_p$ over $\mathbb{F}_p$. Let $S_N = C_N/\!\sim$ denote the isogeny class of curves in $C_N$ up to isomorphism (i.e., we identify two elliptic curves $E_{a,b}, E_{a',b'} \in C_N$ if they are isomorphic over $\mathbb{F}_p$).

3.1 Ordinary isogeny classes and isogeny volcanoes

1. Ordinary isogeny classes. To understand the structure of the isogeny class $S_N$ one looks at the endomorphism rings of the elliptic curves (up to isomorphism) inside this class. For any curve $E \in C_N$ the endomorphism ring $\mathrm{End}(E)$ is an order in an imaginary quadratic field (see [Sil92, §III.9]). Let $\pi : E \to E$ be the Frobenius endomorphism. The characteristic polynomial of $\pi$ is $X^2 - \mathrm{Tr}(E)X + p = 0$, where $\mathrm{Tr}(E) = p + 1 - N$. It depends only on the class $S_N$, so we regard $\pi$ as an algebraic integer. The following theorem is proved in [Koh96, §4.2] (see also [JMV05, Thm. 2.1]).

Theorem 3.1 (Kohel). Let $E$ and $E'$ be two elliptic curves over $\mathbb{F}_p$ which are isogenous over $\mathbb{F}_p$, let $K$ denote the imaginary quadratic field containing the order $\mathrm{End}(E)$ and let $O_K$ be its maximal order.
i) The orders $\mathrm{End}(E)$ and $\mathrm{End}(E')$ both satisfy $\mathbb{Z}[\pi] \subseteq \mathrm{End}(E), \mathrm{End}(E') \subseteq O_K$.
ii) The following are equivalent:
(a) $\mathrm{End}(E) = \mathrm{End}(E')$;
(b) there exist two isogenies $\phi : E \to E'$ and $\psi : E' \to E$ of relatively prime degrees, both defined over $\mathbb{F}_p$;
(c) $[O_K : \mathrm{End}(E)] = [O_K : \mathrm{End}(E')]$.
iii) Let $\phi : E \to E'$ be an isogeny from $E$ to $E'$ of prime degree $\ell$ defined over $\mathbb{F}_p$. Then either $\mathrm{End}(E)$ contains $\mathrm{End}(E')$ or $\mathrm{End}(E')$ contains $\mathrm{End}(E)$, with index $\ell$.
iv) Let $\ell$ be a prime which divides exactly one of $[O_K : \mathrm{End}(E)]$ and $[O_K : \mathrm{End}(E')]$. Then every isogeny $\phi : E \to E'$ has degree a multiple of $\ell$.

2. Isogeny volcanoes. A convenient visualization of the elliptic curves in an isogeny class together with the isogenies between them is given in [FM02]. Following [FM02] and [Gal99] we distinguish three types of isogenies $\phi : E \to E'$ of prime degree $\ell$:
i) $\phi$ is horizontal if $\mathrm{End}(E) = \mathrm{End}(E')$;
ii) $\phi$ is up if $[\mathrm{End}(E') : \mathrm{End}(E)] = \ell$;
iii) $\phi$ is down if $[\mathrm{End}(E) : \mathrm{End}(E')] = \ell$.
One can then compute the number of horizontal, up and down isogenies of a given prime degree coming out of a particular ordinary elliptic curve $E$ in terms of the degree and a Legendre symbol. The result (see [FM02, §2.1] and [Gal99, §11.5] for proofs) is summarized in the following proposition.

Proposition 3.2. Let $E$ be an ordinary elliptic curve over $\mathbb{F}_p$ with endomorphism ring $\mathrm{End}(E)$ contained in the imaginary quadratic field $\mathbb{Q}(\sqrt{-D})$ for some discriminant $D > 0$. Let $\ell$ be a prime different from $p$, and let $c_\pi = [O_K : \mathbb{Z}[\pi]]$ and $c_E = [O_K : \mathrm{End}(E)]$. Then:
i) Assume $\ell \nmid c_E$. Then there are exactly $1 + \left(\frac{D}{\ell}\right)$ horizontal isogenies $\phi : E \to E'$ of degree $\ell$.
 (a) If $\ell \nmid c_\pi$, there are no other isogenies $E \to E'$ of degree $\ell$ over $\mathbb{F}_p$.
 (b) If $\ell \mid c_\pi$, then there are $\ell - \left(\frac{D}{\ell}\right)$ down isogenies of degree $\ell$.
ii) Assume $\ell \mid c_E$. Then there is one up isogeny $E \to E'$ of degree $\ell$.
 (a) If $\ell \nmid \frac{c_\pi}{c_E}$, then there are no other isogenies of degree $\ell$ over $\mathbb{F}_p$.
 (b) If $\ell \mid \frac{c_\pi}{c_E}$, then there are $\ell$ down isogenies of degree $\ell$.

3.2 Isogeny graphs in the ordinary case and rapid mixing

1. Construction.
Fix some isogeny class $C_N$ and the corresponding set of $\mathbb{F}_p$-isomorphism classes $S_N$. Following [JMV05, §2.1] we define an isogeny graph to be a graph $G$ whose vertices consist of all elements of $S_N$ which belong to a fixed level of the isogeny volcano for $S_N$. Two isogenies $\phi : E_1 \to E_2$ and $\phi' : E_1 \to E_2$ are said to be equivalent if there exists an automorphism $\alpha \in \mathrm{Aut}(E_2)$ such that $\phi' = \alpha\phi$ (see also [Gro87, Prop. 2.3]). The edges of the graph are then equivalence classes of horizontal isogenies over $\mathbb{F}_p$ between elliptic curve representatives of the nodes in the graph which have prime degrees less than the bound $(\log p)^{2+\delta}$ for some fixed $\delta > 0$. The degree bound is chosen so that it is small enough to allow the isogenies to be computed and large enough to allow the graph to be connected and to have rapid mixing properties. The graph $G$ is known to be isomorphic to a graph $H$ whose vertices are elliptic curves $\mathbb{C}/\mathfrak{a}$ with complex multiplication by the order $O$ corresponding to the level of $G$ in the isogeny volcano (here, $\mathfrak{a} \subset O$ is an ideal) and whose edges are isogenies of the form $\mathbb{C}/\mathfrak{a} \to \mathbb{C}/\mathfrak{a}\mathfrak{b}^{-1}$, where $\mathfrak{b} \subset O$ is an invertible prime ideal satisfying $N(\mathfrak{b}) \le (\log p)^{2+\delta}$ ([Gal99, §3], [GHS02], [JMV05, §2.1]). The graph $H$ has an alternative description as the Cayley graph of the Picard group $\mathrm{Pic}(O)$ of the order $O$, where the vertices are the ideal classes $[\mathfrak{a}] \in \mathrm{Pic}(O)$ and two classes $[\mathfrak{a}_1]$ and $[\mathfrak{a}_2]$ are connected by an edge if and only if there exists a prime ideal $\mathfrak{b}$ of norm at most $(\log p)^{2+\delta}$ such that $[\mathfrak{a}_1\mathfrak{b}] = [\mathfrak{a}_2]$.

2. Expansion properties. Let $k$ be a positive integer. Consider a sequence of graphs $\{G_h\}$ with $h \to \infty$, each of which is $k$-regular, such that $G_h$ has $h$ vertices. Let $A_h$ be the adjacency matrix of $G_h$. Since $G_h$ is $k$-regular, the vector $v_h$ consisting of 1's in each coordinate is an eigenvector of $A_h$ with eigenvalue $\lambda_{\mathrm{triv}} = k$, which we refer to as the trivial eigenvalue.

Definition 3.3. The sequence $\{G_h\}$ is called a sequence of expander graphs if there exists a constant $0 < c < 1$ such that for any $h$ and any nontrivial eigenvalue $\lambda$ of $A_h$, $|\lambda| \le c\lambda_{\mathrm{triv}}$.

In particular, no other eigenvalue of $G_h$ is equal to $\lambda_{\mathrm{triv}}$, which means that the graph $G_h$ must be connected. The main application of expander graphs is to prove the rapid mixing of random walks. The property can be summarized in the following proposition, which will be used in our particular application (see [JMV05, Prop. 3.1] for a proof):

Proposition 3.4. Let $G$ be a $k$-regular graph with $h$ vertices. Assume that any non-trivial eigenvalue of $G$ satisfies the bound $|\lambda| \le c\lambda_{\mathrm{triv}}$. Let $S$ be any set of vertices of $G$, and let $x$ be any vertex in $G$. Then a random walk of any length at least
$$\frac{\log\bigl(2h/|S|^{1/2}\bigr)}{\log(1/c)}$$
starting at $x$ will land in $S$ with probability at least $\frac{|S|}{2h} = \frac{|S|}{2|G|}$.

For the particular isogeny graphs of ordinary elliptic curves, one can bound the nontrivial eigenvalues via character sum estimates under the Generalized Riemann Hypothesis. The following result follows from [JMV05, §4]:

Proposition 3.5. Let $m = (\log p)^{2+\delta}$ for some fixed $\delta > 0$ and let $e = \#O^\times$.
(i) The above Cayley graph of $\mathrm{Pic}(O)$ has eigenfunctions equal to the characters $\chi$ of $\mathrm{Pic}(O)$, with corresponding eigenvalues the character sums
$$\lambda_\chi = \sum_{\ell \le m}\ \sum_{\mathfrak{a} \subset O,\ N\mathfrak{a} = \ell} \chi(\mathfrak{a}),$$
where the outer sum runs over the primes $\ell \le m$.
(ii) Let $D < 0$ and let $O$ be an order of discriminant $D$. The trivial eigenvalue $\lambda_{\mathrm{triv}}$ is approximately equal to $\frac{m}{\log m}$. If $\chi$ is a nontrivial character of the Picard group $\mathrm{Pic}(O)$, then under the Generalized Riemann Hypothesis, $\lambda_\chi = O(m^{1/2}\log|mD|)$.

Remark 1. Propositions 3.4 and 3.5 show the following: suppose that $S$ is a set of isomorphism classes of curves on a single level of the volcano such that $|G|/|S|$ is polynomial in $\log p$ and such that one can compute the Diffie–Hellman function on any class in $S$ in time polynomial in $\log p$. Then there is a random polynomial time reduction from the computation of the Diffie–Hellman function on an arbitrary curve $E$ whose isomorphism class is in $G$ to the Diffie–Hellman function on a curve with isomorphism class in $S$; hence, one can compute the Diffie–Hellman secret on any curve $E$ of that level with high probability in time polynomial in $\log p$. Indeed, a random walk of length polynomial in $\log p$ will connect $E$ to a curve in $S$ with high probability. Since each step of this random walk is an isogeny computable in time polynomial in $\log p$, the resulting composition of isogenies and its dual are computable in time polynomial in $\log p$ (even if the degree of the composition is large). Finally, if $(P, uP, vP)$ is an instance of the Diffie–Hellman problem on $E$ and $\phi : E \to E'$ is an isogeny to a curve $E'$ whose isomorphism class is in $S$, then one can consider the instance $(\phi(P), u\phi(P), v\phi(P))$ on $E'$ and compute the Diffie–Hellman function there to obtain $uv\phi(P)$. After applying the dual isogeny we obtain the point $d\,uvP$, where $d$ is the degree of the composition (which is polynomial in $\log p$). Finally, since we are in a prime-order subgroup, we compute $e$ such that $de$ is congruent to 1 modulo the group order. The point $ed(uvP) = uvP$ is the desired point.

3.3 Isogeny graphs in the supersingular case

For completeness, we also discuss the graphs for isogeny classes of supersingular elliptic curves. We follow the exposition in [JMV05, App. A]. These supersingular graphs were first considered in [Iha66] and [Mes86]. Their expansion properties were shown much later by Pizer ([Piz90], [Piz98]). Given a prime $p$, the supersingular elliptic curves are always defined over $\mathbb{F}_{p^2}$. According to [Mes86], all isomorphism classes of supersingular elliptic curves belong to the same isogeny class. This means that we can ignore supersingular curves in our argument for the main theorem. Yet, we mention the isogeny graphs since they turn out to be expander graphs as well.

4. Predicting LSB within an isomorphism class

It was shown in [BS01] that within an isomorphism class of elliptic curves, predicting the least significant bit on a non-negligible fraction of elliptic curves is at least as hard as computing the entire secret. For any elliptic curve $E : y^2 = x^3 + ax + b$ and any $\lambda \in \mathbb{F}_p^\times$ we denote by $E_\lambda$ the isomorphic curve $y^2 = x^3 + a\lambda^4 x + b\lambda^6$ and by $\phi_\lambda : E \to E_\lambda$ the isomorphism $(x, y) \mapsto (\lambda^2 x, \lambda^3 y)$. The result is summarized as follows:

Theorem 4.1 (Boneh–Shparlinski). Let $0 < \varepsilon, \delta < 1$. Let $p$ be a prime and $E_0$ an elliptic curve over $\mathbb{F}_p$. Let $P \in E_0$ be a point of prime order. Suppose that there is a $t$-time algorithm $A$ such that $\mathrm{Adv}_{E,P}(A) \ge \varepsilon$ for at least a $\delta$-fraction of the curves $E$ in the isomorphism class of $E_0$. Then the Diffie–Hellman function $\mathrm{DH}(P, uP, vP)$ on $E_0$ can be computed in expected time $t \cdot T(\log p, 1/\varepsilon, 1/\delta)$, where $T$ is a fixed polynomial independent of $p$ and $E_0$.

5. Random self-reducibility

We introduce the appropriate formal definition of random self-reducibility. Intuitively, we would like to prove that a good algorithm for the Diffie–Hellman function in the average case would imply a good algorithm in the worst case.

5.1 Smooth isogeny classes and random self-reducibility

Definition 5.1. Let $B$ be a positive real number. An isogeny class is called $B$-smooth if its conductor $c_\pi$ is $B$-smooth, i.e., if every prime divisor of $c_\pi$ is at most $B$.

Let $R$ be a fixed polynomial. Consider the following properties of a set $S$ of isomorphism classes of elliptic curves:
i) There exists a subset $S' \subseteq S$ of elliptic curves with $|S|/|S'| \le R(\log p)$.
ii) There exists an algorithm $A$ which computes $A(E', P, uP, vP) = uvP$ whenever $E' \in S'$ and $(P, uP, vP)$ is a Diffie–Hellman triple for $E'$.

Definition 5.2. A set $S$ of isomorphism classes within an isogeny class $C$ satisfying i) and ii) is called random self-reducible with respect to $R$ if for each quadruple $(E, Q, uQ, vQ)$ with $E \in C$ and a Diffie–Hellman triple $(Q, uQ, vQ)$ for $E$, one can compute $uvQ$ with expected $T(\log p)$ queries to $A$ on elliptic curves $E''$
whose isomorphism classes are uniformly randomly distributed among all classes in $S$. Here, $T$ is a polynomial which is independent of $p$ and $C$.

We first show that horizontal levels in the isogeny volcanoes with sufficiently many curves on which the Diffie–Hellman problem is solvable are random self-reducible:

Lemma 5.3. Let $G$ be the isogeny graph corresponding to a particular level of the isogeny volcano for an isogeny class $C$. Assume that the set of vertices $V(G)$ satisfies i) and ii). Then $V(G)$ is random self-reducible.

Proof. Let $E$ be any elliptic curve and $(P, uP, vP)$ any Diffie–Hellman triple for $E$. We will show how to connect this instance to an instance on an elliptic curve $E'$ with a random isomorphism class in the same level. Let $S' \subset V(G)$ be the distinguished set from i) and let $\mu = |S'|/|V(G)|$. Let $v_0$ be the isomorphism class of $E$. We will use the fact that $G$ is an expander graph. Let
$$\tau \ \ge\ \frac{\log 2|V(G)|}{c\,|S|^{1/2}},$$
where $c$ is the eigenvalue bound for $G$ (see Proposition 3.4). We repeat the following procedure $m = \frac{1}{\mu}\log\delta$ times:
i) Consider a random walk $v_0, v_1, \ldots, v_\tau$ on $G$ of length $\tau$. Let $\phi$ be the composition of the isogenies chosen along the walk, and let $\hat\phi$ be the composition of the dual isogenies. Let $d$ be the degree of $\phi$. Compute $e = d^{-1}$ modulo $q$ (recall that $q$ is the prime order of the original point $P$).
ii) Pick a random curve $E'$ within the isomorphism class corresponding to the vertex $v_\tau$.
iii) Query the oracle on $E'$ and the images of the points $P, uP, vP$ under the $\phi$ chosen in the random walk in step i).
iv) If the oracle returns $Q$ on $E'$, return $e\hat\phi(Q) \in E(\mathbb{F}_p)$.

Note that each of the above steps runs in time $O((\log p)^{8+4\tilde\varepsilon}\,\tau)$. By Proposition 3.4, the probability of failure is $\Pr[v_\tau \notin S'] \le 1 - \frac{\mu}{2}$. Thus, in $m$ runs the probability that none of the end points of the random walks is in $S'$ is at most $O(1/p)$. Thus, the construction produces a list of solutions. We call this list $L(P, uP, vP)$.

Even though many walks lead to different curves, all elements in $L(P, uP, vP)$ are in $E$. To obtain a unique solution, we compute $B = L(P, (u + r)P, vP)$ for random $r \in [1, q-1]$, as in the method of Shoup (see [Sho97]). We check whether $A = L(P, uP, vP)$ and $-rvP + B$ have a unique common element and, if so, output it. Otherwise, we report a failure. The analysis is as in [Sho97].

The next lemma proves reducibility of the Diffie–Hellman problem for a whole isogeny class (not just a single level). The idea is that for smooth conductors, one can deterministically connect an arbitrary curve to a curve whose level has sufficiently many curves on which one can solve the Diffie–Hellman problem. Then one uses the previous result (random self-reducibility) for this particular level.

Lemma 5.4. Let $r > 0$ be any real constant and assume that an isogeny class $C$ satisfies i) and ii) and is $(\log p)^r$-smooth. Assuming the Generalized Riemann Hypothesis, any instance of the Diffie–Hellman problem on any curve $E$ whose isomorphism class is in $C$ can be computed in time polynomial in $\log p$.

Proof. First, by the pigeonhole principle, there exists an isogeny graph $G$ (corresponding to a particular level of the volcano) with at least a $\frac{1}{R(\log p)}$-fraction of curves on which one can solve the Diffie–Hellman problem in time polynomial in $\log p$. Let $E$ be any isomorphism class in the isogeny class $C$. Since the volcano is connected, we can deterministically connect $E$ to a curve $E'$ in that level via a chain of isogenies whose degrees are at most $(\log p)^r$, using Kohel's explicit construction (hence computable in polynomial time, since $c_\pi$ is $(\log p)^r$-smooth). Since $c_\pi \le 4p$, the number of these isogenies is also polynomial in $\log p$ (indeed, any vertical isogeny has degree at least two, so $2^m \le c_\pi \le 4p$, where $m$ is the number of levels in the volcano). Let $\phi : E \to E'$ be the explicitly computable isogeny connecting $E$ to $E'$. Any instance $(E, P, uP, vP)$ of the Diffie–Hellman problem on $E$ can be reduced to an instance $(E', \phi(P), u\phi(P), v\phi(P))$ on $E'$. Indeed, if one computes $uv\phi(P)$ then one applies the dual isogeny to get the point $d\,uvP \in E(\mathbb{F}_p)$, where $d = \deg(\phi)$, and then $ed\,uvP = uvP$, where $e \equiv d^{-1} \bmod q$. Finally, since $V(G)$ satisfies i) and ii), $G$ is random self-reducible, i.e., one can solve the Diffie–Hellman instance $(E', \phi(P), u\phi(P), v\phi(P))$.

Remark 2. Most of the isogeny classes $C$ will have conductor $c_\pi = 1$. This means that each such class will be random self-reducible for the Diffie–Hellman problem. For the classes for which the volcano has multiple levels, only certain levels will be random self-reducible. This is why one needs to connect the original curve to a curve in an appropriate level in a deterministic way and then use random walks on that particular level to sample curves in almost uniformly random classes.

6. Proof of Theorem 1.1

6.1 Notation

Let $A$ be the algorithm from Theorem 1.1 and $\varepsilon$ the corresponding advantage. An elliptic curve $E$ is called LSB-predictable if for any point $P$ of prime order $q > (\log p)^{2+\tilde\varepsilon}$, $\mathrm{Adv}_{E,P}(A) \ge \varepsilon$ (in other words, $A$ predicts the least significant bit of the Diffie–Hellman function for $E$ with advantage $\varepsilon$, the number from the statement of Theorem 1.1). More generally, if $S$ is any set of elliptic curves and $0 < \delta' < 1$ is a real number, then we refer to $S$ as $\delta'$-predictable if at least $\delta'|S|$ elliptic curves in $S$ are LSB-predictable. Throughout the whole section, we denote by $H$ the Hasse interval, that is, the set of all integers $t$ such that $|t| \le 2\sqrt{p}$.
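The transport of a Diffie–Hellman instance along an isogeny and back through its dual, as used in Remark 1 and in the proofs of Lemmas 5.3 and 5.4, as an added worked example that is not part of the paper: a Vélu 2-isogeny $\phi : E \to E'$ whose kernel is a rational 2-torsion point, a stand-in "solver" on $E'$ playing the role of the algorithm from property ii) (a brute-force discrete logarithm, possible only because the constructed prime $p = 103$ is tiny), the dual $\hat\phi$, and the final multiplication by $e = d^{-1} \bmod q$ with $d = \deg\phi = 2$. The curve $y^2 = x^3 + 2x + 100$ over $\mathbb{F}_{103}$, the kernel point $(1, 0)$ and all function names are my choices; the point $P$ of odd prime order $q$ is found by naive point counting.

```python
# Added example, not from the paper: carrying a Diffie–Hellman instance across a
# 2-isogeny and back (Remark 1, Lemmas 5.3 and 5.4).  Constructed toy parameters:
p = 103
A, B = 2, 100          # E: y^2 = x^3 + 2x + 100 over F_103; (1, 0) is a 2-torsion point
X0 = 1                 # x-coordinate of the kernel point of phi


def inv(x, m):
    return pow(x % m, -1, m)


def add(P, Q, a):
    """Affine addition on y^2 = x^3 + a x + b over F_p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, P, a):
    R = None
    while k > 0:
        if k & 1:
            R = add(R, P, a)
        P = add(P, P, a)
        k >>= 1
    return R


def velu2(a, b, x0):
    """Vélu's formulas for the 2-isogeny with kernel <(x0, 0)> on y^2 = x^3 + a x + b.
    Returns the codomain coefficients (a', b') and the map itself."""
    t = (3 * x0 * x0 + a) % p
    a2, b2 = (a - 5 * t) % p, (b - 7 * x0 * t) % p
    def phi(P):
        if P is None or P[0] == x0:
            return None
        x, y = P
        d = inv(x - x0, p)
        return ((x + t * d) % p, (y - t * y * d * d) % p)
    return a2, b2, phi


def dual2(a, b, a2, b2, phi, T):
    """Dual of the Vélu 2-isogeny phi: E -> E'.  Two composed normalised 2-isogenies equal
    [2] followed by the isomorphism (x, y) -> (4x, 8y), so the kernel of the dual is the
    2-torsion point of E' whose Vélu codomain is exactly y^2 = x^3 + 16a x + 64b; the
    test point T confirms the choice.  Returns the map E' -> E with phi_hat(phi(Q)) = 2Q."""
    for r in range(p):
        if (r ** 3 + a2 * r + b2) % p != 0:
            continue                                   # not a 2-torsion x-coordinate of E'
        a3, b3, psi = velu2(a2, b2, r)
        if (a3, b3) != (16 * a % p, 64 * b % p):
            continue
        def phi_hat(Q, psi=psi):
            R = psi(Q)
            return None if R is None else (R[0] * inv(4, p) % p, R[1] * inv(8, p) % p)
        if phi_hat(phi(T)) == mul(2, T, a):
            return phi_hat
    raise ValueError("dual kernel not found")


def setup():
    """Find a point P of odd prime order q on E by naive point counting (tiny p only)."""
    pts = [(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - A * x - B) % p == 0]
    N = len(pts) + 1                                   # #E(F_p); even, since (1, 0) has order 2
    q = next(f for f in range(3, N + 1, 2) if N % f == 0)   # smallest odd divisor > 1 is prime
    return next(R for R in (mul(N // q, Q, A) for Q in pts) if R is not None), q


def solve_dh_on_E2(P2, uP2, vP2, a2, q):
    """Stand-in for the solver assumed on E' (property ii)): brute-force log_{P2}(uP2)."""
    for k in range(q):
        if mul(k, P2, a2) == uP2:
            return mul(k, vP2, a2)
    raise ValueError("uP2 is not a multiple of P2")


def transported_dh(P, uP, vP, q):
    """DH on E via E' = E/<(X0, 0)>: apply phi, solve on E', apply the dual, multiply by e."""
    a2, b2, phi = velu2(A, B, X0)
    phi_hat = dual2(A, B, a2, b2, phi, P)
    Q2 = solve_dh_on_E2(phi(P), phi(uP), phi(vP), a2, q)   # uv * phi(P) on E'
    e = inv(2, q)                                            # d = deg(phi) = 2, e = d^{-1} mod q
    return mul(e, phi_hat(Q2), A)                            # e * (2 uvP) = uvP


if __name__ == "__main__":
    P, q = setup()
    u, v = 1 + 17 % (q - 1), 1 + 29 % (q - 1)
    uP, vP = mul(u, P, A), mul(v, P, A)
    print("q =", q, "recovered:", transported_dh(P, uP, vP, q), "expected:", mul(u * v % q, P, A))
```

The dual is located by the coefficient test rather than computed symbolically: Vélu's map is normalised, so the composite $\hat\phi\circ\phi$ of two Vélu 2-isogenies is $[2]$ followed by the isomorphism $\phi_2$ of Section 4 with $\lambda = 2$, which is why the codomain of the correct kernel choice is $E_2 : y^2 = x^3 + 16ax + 64b$ and why the map back to $E$ divides the coordinates by $4$ and $8$.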
6.2 Most of the isogeny classes are smooth

Let $B$ be an integer. The following lemma shows that almost all of the isogeny classes are $B$-smooth. This will be useful in applying the tunneling argument and Lemma 5.4.

Lemma 6.1. The number of traces $t$ in the Hasse interval $H$ such that the isogeny class corresponding to $t$ is $B$-smooth is at least $\left(1 - \frac{4}{B}\right)|H|$.

Proof. Fix a prime $r$ such that $B < r < \sqrt{p}$ and consider the solutions of the congruence
$$t^2 \equiv 4p \bmod r^2$$
for $t$ in the Hasse interval (i.e., $|t| \le 2\sqrt{p}$). First of all, the congruence $t^2 \equiv 4p \bmod r$ has exactly $\left(\frac{4p}{r}\right) + 1$ solutions. Each such solution $t$ lifts uniquely to a solution $\tilde t$ modulo $r^2$ by Hensel's lemma, since the derivative of $f(x) = x^2 - 4p$ does not vanish at any such $t$. Thus, summing over the primes $s > B$,
$$\Pr_{t,\ |t| \le 2\sqrt{p}}\bigl[c_\pi(t) \text{ is not } B\text{-smooth}\bigr] \ \le\ \sum_{s > B} \frac{2}{s^2}\Bigl(\Bigl(\frac{4p}{s}\Bigr) + 1\Bigr) \ \le\ \sum_{s > B} \frac{4}{s^2} \ <\ \int_B^\infty \frac{4}{s^2}\,ds \ =\ \frac{4}{B}.$$

Proof of Lemma 6.2 (that at least $c_1\frac{|H|}{(\log p)^{c+1}(\log\log p)^2}$ isogeny classes are both $(\log p)^{c+2}$-smooth and $\delta/2$-predictable; see the proof of Theorem 1.1 below). Let $S_{\delta/2}$ denote the set of $\delta/2$-predictable isogeny classes and $R$ the set of traces in $H$ whose isogeny class is $(\log p)^{c+2}$-smooth. Since a class $C \notin S_{\delta/2}$ contains at most $\frac{\delta}{2}|C|$ LSB-predictable curves,
$$|G| = \delta|\Gamma_p| \ \le\ \sum_{C \in S_{\delta/2}} |C| + \sum_{C \notin S_{\delta/2}} \frac{\delta}{2}|C|.$$
We combine this with Lemma 2.1 to obtain
$$\delta|\Gamma_p| \ \le\ \sum_{C \in S_{\delta/2}} |C| + \sum_{C \notin S_{\delta/2}} \frac{\delta}{2}|C| \ =\ \sum_{C} \frac{\delta}{2}|C| + \sum_{C \in S_{\delta/2}} \Bigl(1 - \frac{\delta}{2}\Bigr)|C| \ \le\ \frac{\delta}{2}|\Gamma_p| + \Bigl(1 - \frac{\delta}{2}\Bigr) c_u\,|S_{\delta/2}|\,p^{3/2}(\log p)(\log\log p)^2.$$
Thus,
$$|S_{\delta/2}| \ \ge\ \frac{\delta/2}{1 - \delta/2}\cdot\frac{|\Gamma_p|}{c_u\,p^{3/2}(\log p)(\log\log p)^2} \ \ge\ c_1'\,\frac{|H|}{(\log p)^{c+1}(\log\log p)^2}$$
for some constant $c_1' > 0$ (since $1/\delta = O((\log p)^c)$). Hence,
$$|R \cap S_{\delta/2}| = |R| + |S_{\delta/2}| - |R \cup S_{\delta/2}| \ \ge\ \Bigl(1 - \frac{4}{(\log p)^{c+2}}\Bigr)|H| + c_1'\,\frac{|H|}{(\log p)^{c+1}(\log\log p)^2} - |H| \ \ge\ c_1\,\frac{|H|}{(\log p)^{c+1}(\log\log p)^2}$$
for some constant $c_1$ independent of $p$. This proves the lemma.

6.4 Predictable isomorphism classes within a predictable isogeny class

Lemma 6.3. Let $0 < \beta < 1$ be such that $1/\beta = O((\log p)^c)$, and let $C$ be a $\beta$-predictable isogeny class of elliptic curves. There exists a constant $0 < c_2 < 1$ such that the number of $\beta/2$-predictable isomorphism classes of elliptic curves inside $C$ is at least $c_2 \frac{|S|}{(\log p)^c}$, where $S$ is the set of $\mathbb{F}_p$-isomorphism classes of elliptic curves within the class $C$.

Proof. Let $T_{\beta/2}$ denote the set of $\beta/2$-predictable isomorphism classes within $C$. Each isomorphism class $I \subset C$ with $I \in T_{\beta/2}$ contains at most $p/2$ LSB-predictable elliptic curves, and each isomorphism class $I \notin T_{\beta/2}$ contains at most $\frac{\beta}{2}|I|$ LSB-predictable elliptic curves. Thus,
$$\beta|C| \le \sum_{I \subset C,\, I \in T_{\beta/2}} |I| + \sum_{I \subset C,\, I \notin T_{\beta/2}} \frac{\beta}{2}|I| = \frac{\beta}{2}\sum_{I \subset C} |I| + \Bigl(1 - \frac{\beta}{2}\Bigr)\sum_{I \subset C,\, I \in T_{\beta/2}} |I| \le \frac{\beta}{2}|C| + \frac{(2 - \beta)p}{4}|T_{\beta/2}|.$$
Thus,
$$|T_{\beta/2}| \ge \frac{\beta}{1 - \beta/2} \cdot \frac{|C|}{p} \ge c_2 \frac{|S|}{(\log p)^c},$$
for some constant $c_2 > 0$ independent of $p$ (since $1/\beta = O((\log p)^c)$).

6.5 Proof of Theorem 1.1

Finally, we prove our main result.

(Proof of Theorem 1.1). According to Lemma 6.2, there exists a constant $c_1$ (independent of $p$) such that at least $c_1 \frac{|H|}{(\log p)^{c+1}(\log\log p)^2}$ isogeny classes are $(\log p)^{c+2}$-smooth and simultaneously $\delta/2$-predictable. Let $0 < \mu < 1$ be the real number defined by
$$2\sqrt{p}\,\mu = \frac{c_1}{4} \cdot \frac{|H|}{(\log p)^{c+1}(\log\log p)^2}.$$
We will apply our refinement of Lenstra's lemma with this particular $\mu$. Indeed, let $U$ be the set of all isogeny classes which are $(\log p)^{c+2}$-smooth and $\delta/2$-predictable, and which satisfy $|t| \le 2\sqrt{p}(1 - \mu)$. The number of possible traces of these classes is at least
$$n = \frac{c_1}{2} \cdot \frac{|H|}{(\log p)^{c+1}(\log\log p)^2}.$$
Since we have assumed the Generalized Riemann Hypothesis, Proposition 2.3(ii) implies that
$$\#'\{E : \text{the isogeny class of } E \text{ is in } U\}/\cong_{\mathbb{F}_p} \;\ge\; n \cdot \frac{\mu^{1/2} p^{1/2}}{\log\log p} \;\ge\; \tilde{c}\, \frac{p}{(\log p)^{\frac{3}{2}(c+1)}(\log\log p)^4},$$
for some constant $\tilde{c}$ independent of $p$. Let $G_0 := \{E : \text{the isogeny class of } E \text{ is in } U\}$. Since the weighted cardinality of each isomorphism class is $p/2$, $p/4$ or $p/6$, we obtain that there exists a constant $\tilde{c}'$ (independent of $p$) such that
$$|G_0| \ge \tilde{c}'\, \frac{|\Gamma_p|}{(\log p)^{\frac{3}{2}(c+1)}(\log\log p)^4}.$$
We claim that $G_0$ satisfies the properties of the theorem. Indeed, by Lemma 6.3 applied to $\beta = \delta/2$ we obtain that each isogeny class in $U$ contains a polynomial fraction of $\delta/4$-predictable isomorphism classes. The result of Boneh and Shparlinski then implies that one can compute the full Diffie–Hellman secrets on each of these isomorphism classes in time $t \cdot Q(\log p)$, where $Q$ is some polynomial (since $1/\delta$ is polynomial in $\log p$). Finally, applying Lemma 5.4 we obtain that one can solve the Diffie–Hellman problem on any $E \in G_0$ in time $t \cdot T(\log p)$, where $T$ is some polynomial which is independent of $p$. That completes the proof.

References

[BS01] D. Boneh and I. Shparlinski, On the unpredictability of bits of elliptic curve Diffie–Hellman scheme, Proceedings of Crypto 2001, Lecture Notes in Computer Science 2139 (2001), 201–212.
[BV96] D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes, Lecture Notes in Computer Science 1109 (1996), 129–142.
[Deu41] M. Deuring, Die Typen der Multiplikatorenringe elliptischer Funktionenkörper, Abh. Math. Sem. Hansischen Univ. 14 (1941), 197–272.
[FM02] M. Fouquet and F. Morain, Isogeny volcanoes and the SEA algorithm, Algorithmic number theory (Sydney, 2002), Lecture Notes in Comput. Sci., vol. 2369, Springer, Berlin, 2002, pp. 276–291.
[Gal99] S. D. Galbraith, Constructing isogenies between elliptic curves over finite fields, LMS J. Comput. Math. 2 (1999), 118–138 (electronic).
[GHS02] S. D. Galbraith, F. Hess, and N. P. Smart, Extending the GHS Weil descent attack, Advances in cryptology, EUROCRYPT 2002 (Amsterdam), Lecture Notes in Comput. Sci., vol. 2332, Springer, Berlin, 2002, pp. 29–44.
[Gro87] B. H. Gross, Heights and the special values of L-series, Number theory (Montreal, Que., 1985), CMS Conf. Proc., vol. 7, Amer. Math. Soc., Providence, RI, 1987, pp. 115–187.
[GVS02] M. I. Gonzalez Vasco and I. Shparlinski, Security of the most significant bits of the Shamir message passing scheme, Math. Comput. 71 (2002), no. 237, 333–342.
[HGNS03] N. Howgrave-Graham, P. Q. Nguyen, and I. Shparlinski, Hidden number problem with hidden multipliers, timed-release crypto, and noisy exponentiation, Math. Comput. 72 (2003), no. 243, 1473–1485.
[Iha66] Y. Ihara, Discrete subgroups of $PL(2, k_\wp)$, Algebraic Groups and Discontinuous Subgroups (Proc. Sympos. Pure Math., Boulder, Colo., 1965), Amer. Math. Soc., Providence, R.I., 1966, pp. 272–278.
[JJV07] D. Jao, D. Jetchev, and R. Venkatesan, On the security of certain partial Diffie–Hellman secrets, to appear in INDOCRYPT (2007).
[JMV05] D. Jao, S. D. Miller, and R. Venkatesan, Do all elliptic curves of the same order have the same difficulty of discrete log?, ASIACRYPT, 2005, pp. 21–40.
[Koh96] D. Kohel, Endomorphism rings of elliptic curves over finite fields, Ph.D. thesis, University of California, Berkeley, 1996.
[Len87] H. W. Lenstra, Factoring integers with elliptic curves, Ann. of Math. 126 (1987), no. 2, 649–673.
[Mes86] J.-F. Mestre, La méthode des graphes. Exemples et applications, Proceedings of the international conference on class numbers and fundamental units of algebraic number fields (Katata) (1986), 217–242.
[MvOV96] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of applied cryptography, CRC Press, Inc., Boca Raton, FL, USA, 1996.
[Ngu01] P. Q. Nguyen, The dark side of the hidden number problem: Lattice attacks on DSA, Proc. Workshop on Cryptography and Computational Number Theory (2001), 321–330.
[NS02] P. Q. Nguyen and I. Shparlinski, The insecurity of the digital signature algorithm with partially known nonces, J. Cryptology 15 (2002), no. 3, 151–176.
[NS03] P. Q. Nguyen and I. Shparlinski, The insecurity of the elliptic curve digital signature algorithm with partially known nonces, Des. Codes Cryptography 30 (2003), no. 2, 201–217.
[Piz90] A. K. Pizer, Ramanujan graphs and Hecke operators, Bull. Amer. Math. Soc. (N.S.) 23 (1990), no. 1, 127–137.
[Piz98] A. K. Pizer, Ramanujan graphs, Computational perspectives on number theory (Chicago, IL, 1995), AMS/IP Stud. Adv. Math., vol. 7, Amer. Math. Soc., Providence, RI, 1998, pp. 159–178.
[Sho97] V. Shoup, Lower bounds for discrete logarithms and related problems, Lect. Notes in Comp. Sci., vol. 1233, Springer-Verlag, Berlin, 1997, pp. 256–266.
[Shp01] I. Shparlinski, On the generalized hidden number problem and bit security of XTR, AAECC, 2001, pp. 268–277.
[Shp03] I. Shparlinski, Cryptographic applications of analytic number theory: Complexity lower bounds and pseudorandomness, PCS, vol. 22, Birkhäuser, 2003.
[Sil92] J. H. Silverman, The arithmetic of elliptic curves, Springer-Verlag, New York, 1992, Corrected reprint of the 1986 original.
[Tat66] J. Tate, Endomorphisms of abelian varieties over finite fields, Invent. Math. 2 (1966), 134–144.
Dimitar Jetchev, Department of Mathematics, University of California at Berkeley, Berkeley, CA 94720

Ramarathnam Venkatesan, Microsoft Research, One Microsoft Way, Redmond, WA 98052