and equivalent hard problems for elliptic divisibility sequences. Katherine Stange1 and Kristin Lauter2. 1Department of Mathematics, Harvard University and.
The elliptic curve discrete logarithm problem and equivalent hard problems for elliptic divisibility sequences Katherine Stange1 and Kristin Lauter2 1
Department of Mathematics, Harvard University and 2 Microsoft Research, Redmond, Washington
Arithm´etique, g´eom´etrie, cryptographie et th´eorie des codes, Marseille, France, April 2nd, 2009 -1cm1cm K. Stange and K. Lauter — ECDLP and hard problems for sequences
1/19
The following work is joint with Kristin Lauter and performed at Microsoft Research.
K. Stange and K. Lauter — ECDLP and hard problems for sequences
2/19
Division polynomials Consider a point P = (x, y) and its multiples on an elliptic curve E : y 2 = x3 + Ax + B. Then � � φn (P ) ωn (P ) [n]P = , Ψn (P )2 Ψn (P )3 where Ψ1 = 1,
Ψ2 = 2y, 4
Ψ3 = 3x + 6Ax2 + 12Bx − A2 , Ψ4 = 4y(x6 + 5Ax4 + 20Bx3 − 5A2 x2 − 4ABx − 8B 2 − A3 ), Ψm+n Ψm−n Ψ21 = Ψm+1 Ψm−1 Ψ2n − Ψn+1 Ψn−1 Ψ2m . 2
Can be defined analytically: Ψn (x) = σ(nx)/σ(x)n . Anything satsifying this recurrence relation I’ll call an elliptic divisibility sequence. In particular, if we evaluate at P , we get the elliptic divisibility sequence associated to E and P . K. Stange and K. Lauter — ECDLP and hard problems for sequences
3/19
Division polynomials and sequences over finite fields I
The point P will always have finite order, say n. The associated sequence will have Wn = 0.
Example E : y 2 + y = x3 + x2 − 2x over F5 . P = (0, 0) has order 9. The associated sequence is 0, 1, 1, 2, 1, 3, 4, 3, 2, 0, 3, 2, 1, 2, 4, 3, 4, 4, 0, 1, 1, 2, 1, 3, 4, . . .
K. Stange and K. Lauter — ECDLP and hard problems for sequences
4/19
Translation properties
Theorem (Ward / Swart / Ayad) Let W be an elliptic divisibility sequence such that W (1) = 1, W (2)W (3) 6= 0. Let r ∈ Z be such that W (r) = 0. Then there exist a, b such that 2
W (n + kr) = W (n)ank bk .
Example (E : y 2 + y = x3 + x2 − 2x, P = (0, 0) over F5 ) 0, 1, 1, 2, 1, 3, 4, 3, 2, 0, 3, 2, 1, 2, 4, 3, 4, 4, 0, 1, 1, 2, 1, 3, 4, . . . 2 W (9k + n) ≡ W (n)4nk 2k mod 5 W (10) ≡ 3W (1) mod 5 k = 2 : W (18 + n) ≡ W (n)42n 24 ≡ W (n) mod 5
K. Stange and K. Lauter — ECDLP and hard problems for sequences
5/19
Discrete logarithm problem
Problem Let E be an elliptic curve over a finite field K = Fq . Suppose one is given points P, Q ∈ E(K) such that Q ∈ hP i. Determine k such that Q = [k]P .
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Elliptic curve discrete logarithm problem
6/19
EDS Discrete Log
Problem (Width s EDS Discrete Log) Given an elliptic divisibility sequence W and terms W (k), W (k + 1), . . ., W (k + s − 1), determine k. First posed by Rachel Shipsey: I
Reduced it to F∗q discrete logarithm problem.
I
Used the solution to give an attack on ECDLP in case ord(P ) = q − 1.
I
Gave algorithms for computing a block of seven terms at position a + b from blocks at position a and b.
I
One might attempt generic discrete log attacks for groups, e.g. Pollard ρ.
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Sequence problems
7/19
Hard problems for EDS Let E be an elliptic curve over a finite field K = Fq . Suppose one is given points P, Q ∈ E(K) such that Q ∈ hP i, Q 6= O, and ord(P ) ≥ 4.
Problem (EDS Association) Determine WE,P (k) for the value of 0 < k < ord(P ) such that Q = [k]P .
Problem (EDS Residue) Determine the quadratic residuosity of WE,P (k) for the value of 0 < k < ord(P ) such that Q = [k]P . I
The smallest positive value of k such that [k]P = Q will be called the minimal multiplier.
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Sequence problems
8/19
Perfect periodicity I
An elliptic divisibility sequence which is periodic with respect to its rank of apparition is perfectly periodic.
Theorem (Lauter,S.) Suppose (q − 1, ord(P )) = 1. Define φ : E → Fq by � φ(P ) =
WE,P (q − 1) WE,P (q − 1 + ord(P ))
�
1 ord(P )2
.
Then W (n) = φ([n]P )is a perfectly periodic elliptic divisibility sequence, and furthermore, 2 φ([n]P ) = φ(P )n −1 WE,P (n).
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Relating the problems
9/19
Relating hard problems perfectly periodic
not perfectly periodic
[k]P
� B
}} > }}}}}} } } }}}}} (log q)3 }}}}} }} }} }}}}}}(log q)2 } }} } }}}}}} } ~ }}}} }
� � �
E
� �
� ECDLP � �
E
E
W idth 3 EDS Discrete Log
� E
� E
E
� E
B
�
� E
B
�
{φ([i]P )}k+2 Ei=k E
B
�
E" ��
k
B
EDS B Association B B B B B B!
k+2 {WE,P < (i)}i=k
y yyyy y y y yy yy (log q)3 yyyyy y yy yy yyyyyF∗q DLP y yy yy yyyyy y yyyyy |y
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Relating the problems
10/19
[k]P → {φ([i]P )}k+2 i=k I
[k]P �
z: : z: z: tt vv~ ~ tttt t
{φ([i]P )}k+2 i=k K
K
K
�
K
� �
K
K
Perfectly periodic case.
K%
{W9 E,P (i)}k+2 i=k
r rrrrrr r r r � K% � rrrrrrr yr �
k
I
Use � φ(P ) =
WE,P (q − 1) WE,P (q − 1 + ord(P ))
�
1 ord(P )2
I
Use Shipsey algorithms to calculate W to distance q.
I
(log q)3 time.
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Relating the problems
.
11/19
{φ([i]P )}k+2 i=k → [k]P I
t tt 6> 6> tt:z :z :z t zt :z
{φ([i]P )}k+2 i=k K
K
K
[k]P � � � �
K
K
K
Perfectly periodic case.
K%
{W9 E,P (i)}k+2 i=k
r rrrrrr r r r � K% � rrrrrrr yr �
k
I
Use x(P ) − x([k]P ) =
I
φ([k + 1]P )φ([k − 1]P ) φ([k]P )2
(log q)2 time.
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Relating the problems
12/19
k → {WE,P (i)}k+2 i=k I
[k]P
t tt : tttttt t zt tt t
�
K
�
{φ([i]P )}k+2 i=k K
K
K%
� �
K
K
K
Non-perfectly periodic case.
K%
{W5= 5= E,P (i)}k+2 i=k
� ��
k
9y 9y rr y9 9y rrrr yrrr
I
Use Shipsey algorithms to calculate terms.
I
(log q)3 time.
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Relating the problems
13/19
{WE,P (i)}k+2 i=k → k I
[k]P
t tt : tttttt t zt tt t
{φ([i]P )}k+2 i=k K
K
K
� � � �
K
K
K
Non-perfectly periodic case.
K%
{W9 E,P (i)}k+2 i=k
r rrry9 y9 r r 9 y � K% � rru} ry9 y9 u} �
k
I
Use
WE,P (k + 1) φ([k + 1]P ) = φ(P )2k+1 . φ([k]P ) WE,P (k)
(which is from φ([k]P ) = φ(P )k F∗q
2 −1
WE,P (k) with k, k + 1).
I
This
discrete log can be solved in sub-exponential time.
I
(This is a different method than Shipsey; similar result.)
K. Stange and K. Lauter — ECDLP and hard problems for sequences
Relating the problems
14/19
Relating hard problems II perfectly periodic
� A � � �
D
D
D
W idth 3 EDS Discrete Log
�
� ECDLP � �
D
� D
D
� D
A
�
� D
A
�
� D
A
�
{φ([i]P )}k+2 i=k D
not perfectly periodic
[k]P
}} > }}}}}} } } }}}}}} } 3 } (log q) } } }} }} }}}}}}(log q)2 } } }}}}}} } } ~}}}}}}
�
D! ��
k
EDS
A Association A Quotient A A A A A WE,P (k+1)
