>> Unknown Speaker: The next speaker is Vanessa Vitse from Versailles who's going to talk
about discrete log of elliptic curves on various things.
>> Vanessa Vitse: Thank you. So, first of all, I would like to thank the organizers for inviting
me to this very nice conference. So in this talk I'm going to present you on index calculus
methods on the elliptic curves over extension fields and also a very useful algorithm which
computes F4 traces and which will be really efficient for index calculus approach.
So in the first part of this talk I will give you some background on the index calculus methods, so
we are mainly interested in the classical elliptic curve discrete logarithm problem.
So we consider an elliptic curve defined over a finite field and we take a rational point on this
elliptic curve and usually P has a large prime order. And we take a point Q in the subgroup
generated by P, the goal is to find the X such that Q is equal to X times P.
So of course to tackle this problem you can always use the generic algorithms such as Baby-Step
Giant-Step or Pollard's rho. But what is interesting with these elliptic curves is that you usually
only have these generic algorithms.
We have seen, however, that under -- in the first day of this conference that in some cases you
can also try to transfer the DLP on the elliptic curve to a group where it's weaker. So this is what
we do when we consider transfer methods.
For example, we can try to transfer this DLP on finite fields. So using a pairing you can transfer
the DLP on the subgroup generated by P to the [inaudible] group of the finite field, which is F q to
the power k, where k is the embedding degree [inaudible] this group generated by P.
And so this famous [inaudible] will work only when K is relatively small, which is not usually
the case for a random elliptic curve. We know that K is usually of the order of Q for a random
curve. So this will work only for a very specific family -- very specific families of curves, sorry.
For example, [inaudible] curves.
Although you can also try to lift the DLP as the elliptic curve to characteristic zero fields. For
example, the p-adic number fields. And in this case, again, the attack work for very specific
families of curves only when the curve has a subgroup which is a power of the characteristic
base field.
For example, from the [inaudible] curve, that is the curve which have the cardinality equals to
the characteristic, you have a polynomial algorithm, so this is really efficient, but really specific.
When the curve is defined over an extension of a field, you can also try to make a transfer of the
Weil descents to the Jacobian of a curve, which is defined E of Q.
The problem again here is that the genus of this curve is usually exponential, and so these kinds
of attacks will work, again, only for very specific families. So we -- except from this transfer
method we only have generic attacks.
And what we would do -- would like to do during this talk is to make some analysis of what we
have on finite fields or hyperelliptic curves; that is, use an index calculus method.
So as far as we know, we don't have any equivalent for the moment on elliptic curves defined over
prime field. But the good news is that it's already visible when the curve is defined over an
extension of the finite field. And these methods are usually asymptotically better than Weil
descent or generic algorithms.
So recall here the basic outline of this index calculus method in a slightly different way of the -- than the precomputation [inaudible].
So first we define a factor base which consists of some points in the curve. And then we have a
stage of relation search during which we try to decompose one combination of the base point P
and the target point Q into a sum of points in the factor base.
And once we have collected enough independent relations, at least the cardinality of the factor
base, we deduce with linear algebra techniques the DLP of the point Q in the base P.
So the results that we have here come first from Gaudry and Diem. For a curve defined over F q to
the power n, we have the complexity for n fixed, which is in factor of q to the power 2 minus 2 over n as
q goes to the infinity. So this is better than generic methods assuming n is greater than 3.
And [inaudible] proved rigorously that this algorithm is sub-exponential as soon as N equals
[inaudible] the square root of log Q.
But unfortunately the constants that are not written here are -- don't -- exponential is a square of
N as N goes to the infinity. And in fact this method won't be applicable as soon as N is greater
than 4.
So that's why we have proposed with [inaudible] Andrew a variant which seems to be
[inaudible] as Q goes to the infinity because it's in sub-2 of Q square. But in fact it's better -- it's
a better dependency in N.
So we still are faster than generic methods as soon as N is greater than 5. And what is interesting
here is that this method will work on base field -- on a field which has an extension equal to 5, a
degree of extension equal to 5.
So asymptotically we can see also that our method is more efficient than generic algorithm or
Gaudry and Diem approach. As soon as N is between the logarithm of Q and the [inaudible] root
of the logarithm of Q as N and Q goes to the infinity.
>>: [inaudible] previous slide.
>> Vanessa Vitse: Sorry?
>>: The previous slide said the [inaudible] what was it?
>> Vanessa Vitse: Oh, I'm sorry, I didn't -- yeah. This constant omega comes from the
multiplication of the matrices, so it's [inaudible].
>>: [inaudible] stay on the 3 [inaudible].
>> Vanessa Vitse: Yeah. If you're not on the -- yeah. That's a good question. It's equal to 3
actually. You get something in N square there. So you're -- on this figure you just have the
square of the logarithm of Q.
So now I'll go deeper into details about these index calculus methods. So our goal here is to
collect at least the cardinality [inaudible] decomposition of random combination of the base
point and the [inaudible] points. So at this point we need to define what kind of decomposition
we can do on elliptic curve and what kind of factor base we should consider, because this is not
really obvious.
And in fact the first question was answered by Semaev in 2004. He had this clever idea to
consider decomposition here in a fixed number of points of the factor base. And by doing that
you can actually use the group law that you have on the elliptic curve to have this equivalence
here. Namely, R is decomposable as a sum of M points. As soon as the X coordinates of these
points are roots -- roots of what we call here the (M plus 1)-th Semaev's summation polynomial.
So this is interesting because we [inaudible] decomposition search into a resolution of a
polynomial.
So this works on -- on any kinds of curves. You can define the curve over any kind of field.
And this will always work because you only use the group law.
I will talk about Nagao's alternative approach later in this talk, just to say at this point that
instead of considering decomposition into a finite number of points, you can also consider the
function that are vanishing in these points. So we'll see later on how it works.
So at this point didn't have -- didn't have, sorry, the convenient factor base and [inaudible]
proposed to consider elliptic curve defined over extension field. This is a nice idea because then
it's really natural to consider for the factor base the elements that have an X coordinate lining in
FQ.
And so the cardinality of this factor base here is Q, so we need to collect at least Q
decomposition. And to solve -- to find the roots of [inaudible] polynomial here, what we do is a
sort of Weil restriction. So we see -- simply we see FQ to the power of N as a vector space of
dimension N over FQ. And we look at each coordinates of this polynomial in this vector space.
So we get N equations in the variable XPR and with coefficients depending only on the X
coordinate of the point R and the coefficient of the curve.
So each time we want to try a decomposition, we will need so solve this kind of polynomial
system over FQ.
We can have also some additional optimization here. We see that we have inherent symmetry in
our problem. We consider decomposition into N points. This is symmetric. So we can reduce
the total degree of this polynomial system by exposing the symmetries. And we can also
diminish the number of elements in the factor base by considering this quotient here by the
natural [inaudible] that we have on elliptic curves. By doing that we get only a Q over 2
independent relations to compute.
So as we see here, the main difficulty is to solve the polynomial system to get decomposition.
So we are interested -- we are focusing on a slightly more general problem. Namely, we will
consider the computation of the [inaudible] of an ideal in dimension 0. And we discuss this later.
But you know that for the univariate case when N is equal to 1, we have polynomial algorithms
such as Cantor-Zassenhaus. So the univariate case is really easy. Although the -- sorry. But the
multivariate case is much more complicated.
And what we do in general to solve this problem is we -- is that we use elimination theory. So
we try to find in the ideal a univariate polynomial, and from the solution of this univariate
polynomial we did use the elements of the [inaudible] of R.
So at this point we can use two techniques, either resultants or Grobner bases. And since
Grobner bases are really efficient, I will focus on this right now.
The main result is the -- we are using here is the shape lemma which tells us that if you compute
the Grobner bases for the lexicographic order, you will get a set of representatives of the ideal
which has this shape here with a univariate polynomial in the last variable, which is of degree -- degree of the ideal.
So I say this is for most 0 dimensional ideals. If you consider a general case, you can be assured
that you have always a search univariate polynomial in the last variables.
So the idea here is really simple. Once you get lexicographic basis, you find the solution by
finding the roots of the last polynomial and then you evaluate [inaudible] polynomials to get the
[inaudible] of I.
So of course since we know that solving multivariate polynomials is an NP-hard problem is
general, computing such Grobner bases will be very difficult.
The complexity of such computations will be difficult to estimate, but we have worst-case upper
bounds. For example, in the general case we have the research from Mayr and Meyer who tells
us it's doubly exponential in the number of variables.
And in dimension 0, you see here that if you compute the Grobner bases for the lexicographic
order, you have a complexity which is in D to the power big O of N cubed, where D is the degree of
the polynomials and N the number of variables. And it's in -- it's D to the power [inaudible] N
squared for degree [inaudible] the reverse lexicographic order.
So maybe you will see what's the point of this. For computing a lexicographic order basis in
dimension 0, we will prefer to compute first degrevlex Grobner bases and then use a changing
order algorithm to get the solutions, the lexicographical Grobner bases.
So I can give some sharper points on the complexity of these two steps. So here for the
degrevlex Grobner bases computation, we consider the number of polynomials that we can have
in N variables up to degree D reg. So D right here means the degree of regularity of the ideal.
You can understand it as a larger degree which to [inaudible] the computation of the Grobner
bases [inaudible]. So consider this number of [inaudible] with omega where omega is the
constant using the matrix multiplication.
The changing order is in the degree of the ideal to the power of 3. You can use, for example, the
[inaudible] algorithm to do that in dimension 0.
So now we are able to analyze the original attack of Gaudry -- on Gaudry's algorithm [inaudible].
So the idea here is to consider decomposition into exactly N points where N is the degree of the
extension of the base field.
So by doing that we get as many equations as unknowns and a total degree of the polynomial
system which is 2 to the power N minus 1 after symmetrization. [inaudible] has proved rigorously
that this [inaudible] is of dimension 0 and of total degree -- of degree, sorry, 2 to the power N times
N minus 1, which somehow corresponds to the basis 0N.
And the probability of getting one decomposition is then about -- around, sorry, 1 over a factor
N. So we need to solve at least factor N [inaudible] Q systems since the factor base has a
probability of equal to Q.
Concerning the complexity of this attack, since the ideal has a very large degree here, 2 to the power
N times N minus 1, the most difficult part comes from the FGLM algorithm. So the dominating
complexity for each trial -- each decomposition trial here is in the degree of the ideal to the
power of 3.
As we need to repeat this factor N times Q times, we will get complexity for N fixed which is in
factor of Q here.
The linear algebra step will be in N times Q square because we are looking of a vector in the
kernel of very sparse matrix which has only [inaudible] and which is of size Q pair times Q.
So at this point it's quite natural to want to make a balance between the two steps, and this is
what Gaudry has done. He applies a double large prime variation [inaudible] to get the
complexity which is in the factor of Q square minus 2 over N. So we can also deduce the
complexity in N, which is as this shape.
And at this point I would like to mention that this rebalance is not always necessary. If you
consider fields [inaudible] defined over fields for N equal to 4 or 5 with not too large Q and just
a Q useful for the cryptographic applications, this will rebalancement -- this rebalance, sorry,
won't be necessary. In fact, the first part of the algorithm will be the most costly. So it's not
really interesting in the practical application.
Okay. So, as I've said, the degree of the ideal is really large. And this is quite a bottleneck here
in this approach. We could hope to doing something later by saying that most of solutions are in
fact -- in the algebraic [inaudible] of FQ are not in FQ. But, yeah, to get only solution FQ, what
we could do is to add in the ideal, the equation for the base field.
But unfortunately this won't be -- this won't work because Q is too large in practice to get any
benefit from this. So we're kind of stuck with this very large degree here. That's why -- okay. I
haven't made an example. I listed one example before of this Gaudry's approach, just to finish
the presentation here.
So we consider a curve defined over this small field here, which has a prime cardinality. We
take two points, two random points on this curve, so we know that's related by some [inaudible]
of the prime number here.
And we take a random combination of these two points and we consider the fourth [inaudible]
dimension polynomial of [inaudible] to get decomposition of this point R.
So this polynomial has this shape. It's full. I mean, it's here in three variables if you're
symmetrizing the three first variables up to degree 4 here, and you have exactly 35 monomials,
that all the monomials that you can construct up to this degree.
So this is a very full polynomial. You do your restriction, your Weil restriction, you get this, this
system here. You compute the Grobner bases of the corresponding ideal with a lexicographic
order and you get what's expected, what is expected with the shape lemma. That is a univariate
polynomial here which has a degree 2 to the power 3 times 3 minus 1, which is 64.
So we consider these solutions, as I have explained. And here we get two solutions. So we
see -- we try to see if the corresponding polynomial has some -- is [inaudible] and has all its
roots lying in the base field. If it's true, it gives us -- it will give us -- it will maybe give us
decomposition.
So look at what we have here. The first roots give this polynomial which is irreducible over the
base field. So we don't get any relation from this. And the second root give us this polynomial
which is [inaudible] over the base field.
So we look at X coordinates coming from these roots, and we see if we get points on the curve
corresponding to this X coordinate. In this case it's working. So we get this relation here.
We assume that we need to collect at least Q over 2 relations, so in this case it's 54 relations.
And after that we can deduce the linear algebra of the discrete logarithm of Q in the base P.
So this was a little example. And I told you that instead of considering here this Semaev's
summation polynomial we can -- could also try to apply Nagao's approach. So in this case what
we do is that we consider the function that are vanishing in the point R and at most three over
points.
So this is the vector space considered in [inaudible] theorem. We -- it's of the dimension 3 so we
can get a basis of this vector space which is really generated by these three functions here.
So what -- we are looking for a function which is in this vector space, so which has this shape
after normalization at the infinity. So it only depends on the constant lambda -- on two constant
lambda and mu here.
And we are looking for the roots of this function. And we only want the roots corresponding to
the three points in which it's vanishing. So what we do is we first get rid of the Weil variable
and then we divide by the monomial X minus XR to get rid of the point R. And we get this
polynomial of degree 3 which has coefficients depending on the two constant lambda and mu.
We want this polynomial to be split over F1 and then 1 and to have all its roots lying in the base
field. So this gives us our polynomial conditions. Namely, we want to find lambda and mu in
this field such that these coefficients are in the base field. After doing sort of Weil restriction,
we will get three variables coming from each of these variables. And here we need to have the
last two components to vanish. So this gives us a six -- a polynomial with six variables and six
equations, which is quadratic in lambda and mu here.
So instead of having a Semaev's summation polynomial, we need to solve this polynomial, this
polynomial system here, which is quadratic and is variable in six equations.
And actually you can show with Grobner bases computation that this is slower than the original
attack on the case of elliptic curves.
So this approach in fact won't be relevant for the elliptic case. But of course it has some
practical interests. First of all, it's applicable on hyperelliptic curves where the Semaev's doesn't
work. We don't have any equivalent of Semaev's there. And also it can give us a way to
compute the symmetrized summation polynomial in the case of elliptic curves.
What you do in this case is you identify the coefficients with elementary symmetric polynomials.
You perform an elimination of the variables and the mu and then you get directly the
symmetrized summation polynomial. So this is also interesting.
So now, as I said, the main bottleneck from this first approach is the degree of the ideal involved
for each decomposition trial. What we try to do here with [inaudible] Andrew is to lessen this
degree. So what we do is we decompose in N minus 1 points instead of N points. By doing that
we get an overdetermined system which is generically of dimension -- of degree, sorry, 0 or
exceptionally 1 when there is a solution. So this is what we wanted.
And price to pay in return is that we need much more decomposition trial before getting 1. We
will need actually a factorial N minus 1 times Q trials before getting one relation.
So in practice this won't be a problem because we are very efficient to solve the polynomial
systems involved. First we will see that we only need a degrevlex Grobner bases computation,
and there won't be any need to change the order here. And second of all -- I'm sorry, and,
secondly, we can also try to -- we will also apply, sorry, our F4 algorithm or variants of the F4
algorithm which take benefit of the fact that we need to solve always the same systems, the same
polynomial system that has exactly the same shape from one trial decomposition to another.
So with these two facts we will get good results. And to convince you that this method is quite
simple and simpler than the first one, I will illustrate this on the same field with the same curve.
So I take a new random combination of the base point P and Q and in this case since I want to
decompose it only, I don't need two points. I will only use the first symmetrized summation -- Semaev's summation polynomial. I can write it completely here. So you -- after a Weil
restriction you get this ideal. And when computing the degrevlex Grobner bases, you get these
representatives of the ideal.
And you see here that it is already solved in S1 and S2. You have mainly two cases at this point.
Either you get 1 for the Grobner bases or you get a Grobner bases which is already solved
because the degree of the ideal is 0 or 1 exceptionally.
So we consider the corresponding symmetrized polynomial. We get these two solutions here so
we are very lucky because we get the solution, a decomposition of this point R.
So then the remainder of the algorithm is exactly the same as Gaudry's one. To summarize,
what we have seen for this index calculus method, I put all the complexity on these slides and a
picture of polynomial systems. So for Gaudry and Nagao we see that we decompose in exactly
the same number of points and that corresponding ideal is of the same degree.
So the main difference is [inaudible] of the polynomial system. Here we get quadratic system
with this number of equation and variables. Here we have only N equation and then variables of
degree 2 to the power N minus 1. And this makes quite a difference with the complexity of the
resolution of the polynomial system. We see here in the exponents of 2 that this gives us almost
twice the exponent that we have here. So this is much stronger.
For our variant, we decompose in N minus 1 points, so we get a degree of the ideal which is 0
almost in all cases. We have to try much more decomposition to get Q relations. But the
complexity here is quite better than the one we have here. It might be -- appears to you -- appear
to you that it's almost the same. But in fact having omega again 3 and the N minus 1 -- sorry, N
minus 2 against N times N minus 1 is quite a difference in practice. And in a way this is just
[inaudible] we think that we can do some things.
So now the second part of my talk I will -- I will mainly speak about F4 traces computation and
the algorithm that we can use to speed up the computation of the Grobner bases.
Maybe it's time to define you what the Grobner bases is. So just to understand the algorithms, I
give the definition here. So we consider an ideal, a multivariate ideal. And we say that a set of
representative of this ideal is the Grobner bases when we -- when the initial ideal of I is equal to
the ideal generated by the leading monomials of these polynomials here.
So this is a Grobner bases. And the main results for computing them comes from Buchberger's
Ph.D. thesis. So he considers mainly two operations on the polynomials. The first one is the
S-polynomial. It's a combination of two polynomials such that you can solve the leading
monomial. And we also have a reduction of a polynomial with respect to a list of polynomials
which is somehow the equivalent of the classical polynomial division in one variable.
The main result is that this set of polynomials is a Grobner bases if and only if the remainder of
all the [inaudible] the S-polynomials that you can compute is equal to 0.
So having this result is quite easy to get an algorithm which computes the Grobner bases. What
you do is you start from the set of representative of your ideal. You consider all the
S-polynomials that you can do with these polynomials. You compute the rest -- the remainder,
sorry, with respect to the current basis and each time it is different from 0 you put it -- you add it to
your base.
By doing that you increase the corresponding initial ideal. So as we are in a [inaudible] ring here,
at some point we are going to stop. And when it stops you get your Grobner bases.
>>: What's the function -- sorry, I'm just trying to trace through this. How does the S part of it
depend on the definition of the ideal? So this is [inaudible] GS is a Grobner bases basis for ideal
I, does S depend on I?
>> Vanessa Vitse: Yeah. So this is representative of your ideal [inaudible]. And this is specific
set of representatives. They all verify this condition. And if they all verify this condition, then
it's the Grobner bases of your ideal.
>>: So that polynomial S is the same for every ideal I [inaudible].
>> Vanessa Vitse: Yeah. Yeah. This definition depends only on the two polynomials you put
here.
>>: So how can you [inaudible] the subset of G1 up to GS and then it would still satisfy these
conditions, but it wouldn't be a Grobner bases because it's not [inaudible] not for the whole ideal.
>> Vanessa Vitse: What you do at the -- sorry. The first part of the algorithm is you're
[inaudible] from a set of representative of your ideal.
>>: You have to have a complete set to start.
>> Vanessa Vitse: Yeah. You take, for example, F1, FR, and then you compute all the
S-polynomials that you can do with the [inaudible] of these polynomials, and you compute the
remainder, yeah. This is an iterative algorithm, yeah.
Okay. So we have an efficient way to implement this Buchberger's algorithm which is due to -- which is an algorithm due to [inaudible] which is called F4, and the main idea here is to use
linear algebra techniques to reduce at once a large number of S-polynomials. So we are not
doing this one by one. But we take a large number of S-polynomials to reduce them at once.
So to select, you need to define a selection strategy to do that. So, for example, in practice we
usually consider the S-polynomial having the lowest total degree. And what you do is you
construct sort of Macaulay-style matrix. You put in the matrix all the multiples that are involved
here in your S-polynomials. So you put in this matrix all these multiples, and you also put the
polynomials that are useful for computing the remainder by the current basis, the current base.
So you have this huge matrix. You perform a reduced [inaudible] form and you get then the
reduction of all your S-polynomials with respect to your current base.
So this is a very efficient algorithm. But there is still one problem with this algorithm, which is
the same with the Buchberger's one. It's that most of the time you are computing reduction to 0
of your S-polynomials. Despite Buchberger's criteria, you will get lots of reductions to 0. So
that's why [inaudible] proposed in 2004 -- in 2002, sorry, an elaborate criterion which tells us a priori
to skip a given S-polynomial. So we have some signature condition of this on the polynomials
and we check if the signature will verify the criteria, the criterion. And if it's not, we skip the
reduction.
There is one drawback, there is one drawback for this F5 algorithm. Namely, you won't be able
to compute any kind of -- you won't be authorized to reduce any polynomials that you want. So
during the computation you will have some incomplete polynomial reduction and, even worse,
we will have some redundant polynomials that you can -- get rid of.
So what we would like to do here for our index calculus method is not to take these [inaudible]
algorithms but instead make -- take advantage of the fact that we have many, many polynomial
system with the same shape to solve and use this information to get rid of these S-polynomials
that are reducing to 0. So we would like to have a sort of F5 criteria that allows us to skip these
unnecessary reductions.
So here is the outline of our variant. You have two separate routines, first a routine that you run
on the first system. So you consider a classical F4 algorithm. You construct during this
algorithm a list of all the multiples that are involved in your computation. And each time you
have a reduction to 0, you remove from that list a well-chosen multiple.
Then for the subsequent system, you will use the second routine, the F4Remake algorithm which
use this precomputed list to compute the Grobner bases. So instead of having a queue of
untreated S-polynomials, you would pick directly from that list the relevant multiples that you
need for your Grobner bases computation.
So, in fact, this idea is not really new. People who are working on Grobner bases over a rational field
can sometimes use a reduction modulo several primes and make the computation of the Grobner
bases modulo these different primes and get the original Grobner bases by using a Chinese
remainder theorem. They do that because when you compute directly the Grobner bases over the
rational you get very large coefficients and you want to avoid that. So we can do this kind of
reduction here.
And of course when you do that your reduction over several primes P you will have a lot of time
the same computation of your Grobner bases. So that's why Traverso has proposed in '88 a
precise definition of these Grobner bases for the Buchberger algorithm in the case of rational
numbers. Well, unfortunately for us this analysis is not precise enough to give us good results in
the case of -- in the situation that we have in index calculus methods.
So what I would like to do here in this part of the talk is to give a precise analysis of the behavior
of these F4 variants.
So I need to introduce some terminology here. I will introduce the notion of parametric family
of polynomials. So this is simply polynomials that have coefficients which are depending on
some parameters. And we consider instances of this parametric family as some specialization of
these parameters. And we would like to know when F4Remake will compute successfully the
Grobner bases of these instances over our first parametric family.
So I will define the generic -- what I call generic behavior here in the following way. So I
assume that I am able to compute at least theoretically Grobner bases of the parametric family
with the F4 algorithm. At least theoretically.
And I will say that the instance behaved generically during the computation. As soon as we have
exactly the same number of iterations during the course of the algorithm and that we have at each
step exactly the same leading monomials and some critical -- some S-polynomials.
It's clear that if our instance verified this generic behavior as the generic behavior, in this case the
F4Remake algorithm will compute successfully the Grobner bases. If we have run the first
sub-routine on the generic system, then for other generic system we will get a Grobner bases
with F4Remake.
So now that we have this terminology, I would like to give you an algebraic condition for this
generic behavior and estimate the probability that F4Remake computes the right Grobner bases.
So I will assume that until the step i minus 1 the instance behaves generically. And at step i, I
focus on the two matrices construct by F4 algorithm. So I have the matrix MG for the
parametric system and the matrix M for the instance.
So if I have S leading monomials in my ideal at this step, what I do in the [inaudible] matrix is
that up to -- I exchange some of the columns and some of the rows to get here a triangular matrix.
So we put on the first columns the columns corresponding to the leading monomials.
And we put one polynomial on the first rows that are corresponding to these -- that have these
leading monomials. So we get a matrix which has this size here, this shape here.
Okay. Sorry. So it's quite difficult to explain. So for the instance we have a specialization for
the parameters. But since the polynomials are already normalized at this point, we get exactly
the same shape for the first part of the matrix.
So if I perform reduced row echelon form on the first part of the matrix, I get exactly the same
shape for the parametric family and for the instance.
Okay. Now I will like to focus on this sub-matrix here. I would like to make a reduced row
echelon form on this matrix and to see what's happening for the instance. So I select the columns
corresponding to the pivots in green here. I put them -- sorry. I put them on the left part of this
matrix. And I perform a reduced row echelon form. I get this shape for the matrix here.
For the instance, I don't know if after specialization I don't have any cancellation of the
corresponding pivots. But if you don't have any cancellation of this coefficient, you will be
certain that you will have exactly the same shape for the instance. So you will have generic
behavior for the instance in this case.
So we have -- I have now my generic condition that the system behaves generically at step I if
and only if this matrix here is of full rank. This is quite a simple idea.
And to get the probability that this will actually work, I will make some heuristic assumption. I will
suppose that these matrices have uniformly distributed coefficients over FQ.
So at this point I would like to remember how we have constructed our systems. We consider
random combination of two points, the base point P and the [inaudible] point Q. And we
suppose here that the group law is mixing up sufficiently the coordinates to learn something that
is really random for the X coordinate of R.
Since our polynomials have coefficients only depending on this X coordinate, I will suppose that
we are sufficiently close to the uniform distribution to make this heuristic assumption.
So now it's really easy to estimate, at least to give an upper bound for, the probability that the
matrices have full rank; I can give this problem here. And since we have N steps during the
computation, I have the probability that the system behaves generically, which is greater than C Q
to the power N steps here.
And as you see, when Q goes to the infinity, this probability is really close to 1. So when Q is
large enough we will have very good results.
So here I give the experimental results for an elliptic curve defined over a degree extension equal
to 5.
I suppose that I have run a precomputation over an 8-bit field. And this computation has been
done in about nine seconds. And now I look at what's happening when, for example, I consider
an elliptic curve defined for P having 32 bits.
The probability of failure here is very low because P is really large; it's about this. And if I look
at the timings given by F4Remake in this case, we get the Gröbner basis computation done in
less than 8.5 seconds, which is three times faster than the classical F4 algorithm on the same
implementation, of course.
For comparison I also give the timing for Magma which is considered as the best implementation
of this algorithm for the moment, and we see that it's much faster in this case.
So it's fair here to want to compare our variant to the F5 algorithm, since both algorithms are
considering no reductions to 0. And as I said at the beginning of the second part of the talk, the
problem with F5 is that it's computing many redundant polynomials that we cannot avoid
because of this f5 criterion.
And after an implementation of this algorithm on my computer, I get about 17,000 labeled
polynomials at the end of the computation of the Gröbner basis against only 2700, about -800,
with the F4 variants or the classical F4 algorithm.
So we see at this point that it's not possible that this F5 algorithm could be faster than our variant
in this case.
Okay. So finally I will give you an application of this stuff to cryptography, and we will
consider here an application to the static Diffie-Hellman problem, which is a [inaudible] problem
of the family of Diffie-Hellman problem.
So the main observation here is that once we have a way to decompose it to the factor base, it's
quite admittedly that we get -- sorry -- that we get an algorithm that is able to solve
oracle-assisted [inaudible] of the static Diffie-Hellman problem.
So this has been discovered independently by [inaudible]. So maybe I should remind you of what I
call an oracle-assisted static Diffie-Hellman problem. You consider a finite group G and a secret
integer D. And during the learning phase you are allowed to ask an oracle any multiplication by
D that you want for any point in the group G. And after this learning phase you are given a
previously unseen challenge X and you are asked to compute D times X.
Okay. So if you have a way to decompose into this factor base, you have a way to solve this
problem. What you do is during the learning phase you ask the oracle of the multiplication of
the elements in the factor base by the secret integer D. And after this learning phase you will
decompose X in the factor base and then deduce the multiplication of X by the secret D.
Of course, as we have seen, it's not clear that X is decomposable in the factor base. So what we
do here is we multiply by a random integer, X, and at some point this [inaudible] here will be
decomposable in the factor base.
So when you get the decomposition, what you do next is the multiplication by the inverse of
[inaudible] the order of the group and then you get of course the decomposition of your point X.
So for this application here, the first remark is that we don't need any linear algebra steps, we
only need one decomposition. So the second part of the classical index calculus method is
unnecessary. And the other remark here is that we need during the learning phase to do Q over 2
oracle queries, which is quite a lot.
And to palliate this problem, Granger has proposed a nice idea. What he does is a technique à la
Harley to balance the two stages by reducing somehow artificially the factor base. You take
some elements only of the factor base, so you increase -- you decrease the probability of
decomposition but you want to have -- you will have fewer oracle queries to do.
So this part is joint work with [inaudible] Granger and was announced in the NMBRTHRY list.
So a nice application here of our algorithms is to consider this standard curve proposed in the
IPsec protocol. This is the well-known Oakley group 3 curve. So this curve is defined over the
finite field F2 to the power 155. This is really nice because this extension here is of the -- can be
seen as an extension of degree 5.
And what we do here is -- as we can decompose it into five points, we [inaudible], sorry, we
aren't able to compute the decomposition into five points because the Gröbner basis computation
here is too hard. So what we do is our variation of decomposition. We decompose -- we
decompose, sorry, into four points. So we get a polynomial system that has this shape. It's
composed of five polynomials that have a total degree equal to 8 in four variables. And to get
one relation we will need to test about 50 variants of decomposition.
So we do this with Magma, for example, to see how long it takes. Each decomposition takes
about one second with Magma, which is not good enough for a good attack here. But with our
variants and dedicated optimization we are able to go down to about 20 or 23 milliseconds,
which is good timing. If you have access to 8,000 processors, you can do the attack in less than
two weeks. So this is somehow a feasible attack. Yeah.
That will be the end of my talk.
[applause]
>> Unknown Speaker: Thank you very much. Are there questions? Yes.
>>: [inaudible] numbers on the Y axis but no numbers on the X axis, no Q. What can I think
about the numbers there?
>> Vanessa Vitse: The first chart?
>>: [inaudible] colors --
>> Vanessa Vitse: Yeah, yeah, going back to this. At the beginning. Sorry. Hmm. Is there a
way to go -- oh, yeah. Here? Yeah, because it's for a very large value of Q, so it's [inaudible]
I'm looking at an [inaudible] behavior here. So is that answering your question?
>>: Maybe you already said this, so in practice what values of N [inaudible] examples of 3 and
5. How much can you push that?
>> Vanessa Vitse: Actually for index calculus methods we haven't any results for attacking the
DLP. We have only practical implementation for the oracle-assisted static Diffie-Hellman
problem. So for the oracle-assisted static Diffie-Hellman problem, the best we can do is N equal
to 5 case.
>>: How long would it take you to get the oracle assistance?
>> Vanessa Vitse: That's a good question. Suppose that you have to ask something like a smart
card or a chip. Or I don't really know. But it will be a very long time. It's just -- I feel. Yeah.
In some ways you can parallelize this computation so it will be very long. I can't give you any
timings, but --
>>: I do that field, so I was [inaudible] have an attack.
>> Vanessa Vitse: Uh-huh.
>>: So far nothing is better than the square root attack.
>> Vanessa Vitse: Yeah. Actually you're right. We can do anything better than the square root
attack. So this is always interesting, yeah. Yeah.
>> Unknown Speaker: Any more questions? No? So let's thank all the speakers on this session
again.
[applause]