>> Unknown Speaker: The next speaker is Vanessa Vitse from Versailles, who's going to talk about discrete logs of elliptic curves over various things.

>> Vanessa Vitse: Thank you. So, first of all, I would like to thank the organizers for inviting me to this very nice conference. In this talk I'm going to present index calculus methods on elliptic curves over extension fields, and also a very useful algorithm which computes F4 traces and which is really efficient for the index calculus approach. So in the first part of this talk I will give you some background on index calculus methods. We are mainly interested in the classical elliptic curve discrete logarithm problem: we consider an elliptic curve defined over a finite field, we take a rational point P on this elliptic curve, and usually P has a large prime order. We take a point Q in the subgroup generated by P, and the goal is to find the x such that Q is equal to x times P. Of course, to tackle this problem you can always use the generic algorithms such as Baby-Step Giant-Step or Pollard's rho. But what is interesting with elliptic curves is that you usually only have these generic algorithms. We have seen, however, on the first day of this conference that in some cases you can also try to transfer the DLP on the elliptic curve to a group where it's weaker. So this is what we do when we consider transfer methods. For example, we can try to transfer this DLP to finite fields: using a pairing you can transfer the DLP on the subgroup generated by P to the [inaudible] group of a finite field, which is F_{q^k}, where k is the embedding degree [inaudible] this group generated by P. And so this famous [inaudible] will work only when k is relatively small, which is not usually the case for a random elliptic curve; we know that k is usually of the order of q for a random curve.
So this will work only for very specific families of curves, for example [inaudible] curves. You can also try to lift the DLP on the elliptic curve to characteristic zero fields, for example the p-adic number fields. In this case, again, the attack works for very specific families of curves, only when the curve has a subgroup of order a power of the characteristic of the base field. For example, for the [inaudible] curves, that is the curves which have cardinality equal to the characteristic, you have a polynomial algorithm, so this is really efficient, but really specific. When the curve is defined over an extension field, you can also try to make a transfer by Weil descent to the Jacobian of a curve which is defined over F_q. The problem again here is that the genus of this curve is usually exponential, and so these kinds of attacks will work, again, only for very specific families. So apart from these transfer methods we only have generic attacks. What we would like to do during this talk is to make some analogue of what we have on finite fields or hyperelliptic curves; that is, use an index calculus method. As far as we know, we don't have any equivalent for the moment on elliptic curves defined over prime fields. But the good news is that it's already possible when the curve is defined over an extension of a finite field, and these methods are usually asymptotically better than Weil descent or generic algorithms. So I recall here the basic outline of this index calculus method, in a slightly different way than the precomputation [inaudible]. First we define a factor base which consists of some points on the curve. Then we have a relation search stage, during which we try to decompose a random combination of the base point P and the target point Q into a sum of points of the factor base.
And once we have collected enough independent relations, at least the cardinality of the factor base, we deduce with linear algebra techniques the DL of the point Q in the base P. So the results that we have here come first from Gaudry and Diem. For a curve defined over F_{q^n}, we have a complexity, for n fixed, which is in Õ(q^(2-2/n)) as q goes to infinity. So this is better than generic methods assuming n is greater than 3. And [inaudible] proved rigorously that this algorithm is sub-exponential as soon as n equals [inaudible] the square root of log q. But unfortunately the constants that are not written here are exponential in the square of n as n goes to infinity, and in fact this method won't be applicable as soon as n is greater than 4. That's why we have proposed with [inaudible] Andrew a variant which seems to be [inaudible] as q goes to infinity, because it's in Õ(q^2), but in fact it has a better dependency in n. So we are still faster than generic methods as soon as n is greater than 5, and what is interesting here is that this method will work on a field with degree of extension equal to 5. So asymptotically we can see also that our method is more efficient than the generic algorithm or the Gaudry and Diem approach as soon as n is between the logarithm of q and the [inaudible] root of the logarithm of q, as n and q go to infinity.

>>: [inaudible] previous slide.

>> Vanessa Vitse: Sorry?

>>: The previous slide said the [inaudible], what was it?

>> Vanessa Vitse: Oh, I'm sorry, I didn't -- yeah. This constant omega comes from the multiplication of the matrices, so it's [inaudible].

>>: [inaudible] stay on the 3 [inaudible].

>> Vanessa Vitse: Yeah. If you're not on the -- yeah. That's a good question. It's equal to 3 actually. You get something in n squared there.
So on this figure you just have the square of the logarithm of q. Now I'll go deeper into the details of these index calculus methods. Our goal here is to collect at least the cardinality [inaudible] decompositions of random combinations of the base point and the [inaudible] point. At this point we need to define what kind of decomposition we can do on an elliptic curve and what kind of factor base we should consider, because this is not really obvious. In fact the first question was answered by Semaev in 2004. He had this clever idea to consider decompositions into a fixed number of points of the factor base, and by doing that you can actually use the group law that you have on the elliptic curve to get this equivalence here: namely, R is decomposable as a sum of m points as soon as the x-coordinates of these points are roots of what we call the (m+1)-th Semaev summation polynomial. This is interesting because we [inaudible] decomposition search into the resolution of a polynomial. So this works on any kind of curve; you can define the curve over any kind of field and this will always work because you only use the group law. I will talk about Nagao's alternative approach later in this talk; just to say at this point that instead of considering decompositions into a finite number of points, you can also consider the functions that vanish at these points. We'll see later on how it works. So at this point we didn't have, sorry, a convenient factor base, and [inaudible] proposed to consider elliptic curves defined over extension fields. This is a nice idea because then it's really natural to consider for the factor base the elements that have an x-coordinate lying in F_q. The cardinality of this factor base is q, so we need to collect at least q decompositions. And to find the roots of the [inaudible] polynomial here, what we do is a sort of Weil restriction.
Simply, we see F_{q^n} as a vector space of dimension n over F_q, and we look at each coordinate of this polynomial in this vector space. So we get n equations in the variables x_{P_i}, with coefficients depending only on the x-coordinate of the point R and the coefficients of the curve. So each time we want to try a decomposition, we will need to solve this kind of polynomial system over F_q. We can also have some additional optimizations here. We see that we have inherent symmetry in our problem: we consider decompositions into n points, and this is symmetric, so we can reduce the total degree of this polynomial system by exploiting the symmetries. We can also diminish the number of elements in the factor base by considering the quotient by the natural [inaudible] that we have on elliptic curves. By doing that we only get q/2 independent relations to compute. So as we see here, the main difficulty is to solve the polynomial system to get a decomposition. We are focusing on a slightly more general problem, namely we will consider the computation of the [inaudible] of an ideal in dimension 0, and we'll discuss this later. You know that in the univariate case, when n is equal to 1, we have polynomial algorithms such as Cantor-Zassenhaus, so the univariate case is really easy. But the multivariate case is much more complicated, and what we do in general to solve this problem is that we use elimination theory: we try to find in the ideal a univariate polynomial, and from the solutions of this univariate polynomial we deduce the elements of the [inaudible] of I. At this point we can use two techniques, either resultants or Gröbner bases, and since Gröbner bases are really efficient, I will focus on those right now.
The main result we are using here is the shape lemma, which tells us that if you compute the Gröbner basis for the lexicographic order, you will get a set of representatives of the ideal which has this shape here, with a univariate polynomial in the last variable whose degree is the degree of the ideal. I say this is for most 0-dimensional ideals; if you consider the general case, you can still be assured that you always have such a univariate polynomial in the last variable. So the idea here is really simple: once you get the lexicographic basis, you find the solutions by finding the roots of the last polynomial, and then you evaluate the [inaudible] polynomials to get the [inaudible] of I. Of course, since we know that solving multivariate polynomial systems is an NP-hard problem in general, computing such Gröbner bases will be very difficult. The complexity of such computations is difficult to estimate, but we have worst-case upper bounds. For example, in the general case we have the result of Mayr and Meyer, which tells us it's doubly exponential in the number of variables. In dimension 0, you see here that if you compute the Gröbner basis for the lexicographic order, you have a complexity which is in D^{O(n^3)}, where D is the degree of the polynomials and n the number of variables, and it's D^{[inaudible] n^2} for the degree [inaudible] reverse lexicographic order. So maybe you see what's the point of this: for computing a lexicographic order basis in dimension 0, we will prefer to compute first a degrevlex Gröbner basis and then use a change of order algorithm to get the solutions, the lexicographic Gröbner basis. I can give some sharper bounds on the complexity of these two steps. Here, for the degrevlex Gröbner basis computation, we consider the number of polynomials that we can have in n variables up to degree D_reg. D_reg here means the degree of regularity of the ideal.
You can understand it as the largest degree reached [inaudible] during the computation of the Gröbner basis [inaudible]. So consider this number of [inaudible] to the power omega, where omega is the constant of matrix multiplication. The change of order is in the degree of the ideal to the power of 3; you can use, for example, the [inaudible] algorithm to do that in dimension 0. So now we are able to analyze the original attack, Gaudry's algorithm [inaudible]. The idea here is to consider decompositions into exactly n points, where n is the degree of the extension of the base field. By doing that we get as many equations as unknowns, and a total degree of the polynomial system which is 2^(n-1) after symmetrization. [inaudible] has proved rigorously that this [inaudible] is of dimension 0 and of degree 2^(n(n-1)), which somehow corresponds to the Bézout bound. The probability of getting one decomposition is then around 1/n!. So we need to solve at least n! [inaudible] q systems, since the factor base has cardinality q. Concerning the complexity of this attack, since the ideal has a very large degree here, 2^(n(n-1)), the most difficult part comes from the FGLM algorithm. So the dominating complexity for each decomposition trial here is in the degree of the ideal to the power of 3. As we need to repeat this n! times q times, we get a complexity for n fixed which is in Õ(q) here. The linear algebra step will be in n times q^2, because we are looking for a vector in the kernel of a very sparse matrix which has only [inaudible] and which is of size q times q. So at this point it's quite natural to want to balance the two steps, and this is what Gaudry has done: he applies a double large prime variation [inaudible] to get the complexity which is in Õ(q^(2-2/n)).
So we can also deduce the complexity in n, which has this shape. At this point I would like to mention that this rebalancing is not always necessary. If you consider curves defined over fields with n equal to 4 or 5, with not too large q, just the q useful for cryptographic applications, this rebalancing won't be necessary; in fact, the first part of the algorithm will be the most costly. So it's not really interesting in practical applications. Okay. So, as I've said, the degree of the ideal is really large, and this is quite a bottleneck in this approach. We could hope to do something better by saying that most of the solutions are in fact in the algebraic [inaudible] of F_q and not in F_q. To get only the solutions in F_q, what we could do is to add to the ideal the field equations of the base field. But unfortunately this won't work, because q is too large in practice to get any benefit from this. So we're kind of stuck with this very large degree here. Okay. I listed one example of Gaudry's approach here, just to finish this part of the presentation. We consider a curve defined over this small field, which has a prime cardinality. We take two random points on this curve, so we know that they are related by some [inaudible] of the prime number here. We take a random combination of these two points, and we consider the fourth [inaudible] polynomial of [inaudible] to get a decomposition of this point R. This polynomial has this shape; it's full. I mean, it's here in three variables, if you symmetrize the first three variables, up to degree 4, and you have exactly 35 monomials, that is all the monomials that you can construct up to this degree. So this is a very full polynomial. You do your Weil restriction, and you get this system here.
You compute the Gröbner basis of the corresponding ideal with a lexicographic order, and you get what is expected from the shape lemma: a univariate polynomial here which has degree 2^(3·(3-1)), which is 64. So we consider its solutions, as I have explained, and here we get two solutions. We try to see if the corresponding polynomial is [inaudible] and has all its roots lying in the base field. If it's true, it will maybe give us a decomposition. So look at what we have here: the first root gives this polynomial, which is irreducible over the base field, so we don't get any relation from this. And the second root gives us this polynomial, which is [inaudible] over the base field. So we look at the x-coordinates coming from these roots, and we see if we get points on the curve corresponding to these x-coordinates. In this case it works, so we get this relation here. We assume that we need to collect at least q/2 relations, so in this case it's 54 relations, and after that we can deduce by linear algebra the discrete logarithm of Q in the base P. So this was a little example. And I told you that instead of considering Semaev's summation polynomial we could also try to apply Nagao's approach. In this case what we do is that we consider the functions that vanish at the point R and at most three other points. This is the vector space considered in the [inaudible] theorem; it's of dimension 3, so we can get a basis of this vector space, which is generated by these three functions here. So we are looking for a function which is in this vector space, which has this shape after normalization at infinity, so it only depends on two constants lambda and mu here. And we are looking for the roots of this function, and we only want the roots corresponding to the three points at which it vanishes.
So what we do is we first get rid of the y variable, and then we divide by the monomial x minus x_R to get rid of the point R. We get this polynomial of degree 3, which has coefficients depending on the two constants lambda and mu. We want this polynomial to split over F_{q^n} and to have all its roots lying in the base field. So this gives us our polynomial conditions: namely, we want to find lambda and mu in this field such that these coefficients are in the base field. After doing a sort of Weil restriction, we get three variables coming from each of these variables, and here we need the last two components to vanish. So this gives us a polynomial system with six variables and six equations, which is quadratic in lambda and mu. So instead of having a Semaev summation polynomial, we need to solve this polynomial system here, which is quadratic in six variables and six equations. And actually you can show with Gröbner basis computations that this is slower than the original attack in the case of elliptic curves, so this approach in fact won't be relevant for the elliptic case. But of course it has some practical interest. First of all, it's applicable to hyperelliptic curves, where Semaev's polynomials don't work; we don't have any equivalent of Semaev's there. And also it can give us a way to compute the symmetrized summation polynomial in the case of elliptic curves: what you do in this case is you identify the coefficients with elementary symmetric polynomials, you perform an elimination of the variables lambda and mu, and then you get directly the symmetrized summation polynomial. So this is also interesting. So now, as I said, the main bottleneck of this first approach is the degree of the ideal involved for each decomposition trial. What we try to do here with [inaudible] Andrew is to lessen this degree, so what we do is we decompose into n-1 points instead of n points.
By doing that we get an overdetermined system, which is generically of degree 0, or exceptionally 1 when there is a solution. So this is what we wanted. The price to pay in return is that we need many more decomposition trials before getting one: we will actually need (n-1)! times q trials before getting one relation. In practice this won't be a problem, because we are very efficient at solving the polynomial systems involved. First we will see that we only need a degrevlex Gröbner basis computation, and there won't be any need to change the order here. And secondly, we will also apply our F4 algorithm, or variants of the F4 algorithm, which take advantage of the fact that we always need to solve the same polynomial system, with exactly the same shape from one decomposition trial to another. With these two facts we get good results. To convince you that this method is quite simple, and simpler than the first one, I will illustrate it on the same field with the same curve. I take a new random combination of the base point P and Q, and in this case, since I want to decompose it into only two points, I will only use the first symmetrized Semaev summation polynomial. I can write it completely here. After a Weil restriction you get this ideal, and when computing the degrevlex Gröbner basis you get these representatives of the ideal. You see here that it is already solved in s_1 and s_2. You have mainly two cases at this point: either you get 1 for the Gröbner basis, or you get a Gröbner basis which is already solved, because the degree of the ideal is 0 or exceptionally 1. So we consider the corresponding symmetrized polynomial, we get these two solutions here, so we are very lucky because we get a solution, a decomposition of this point R.
Then the remainder of the algorithm is exactly the same as Gaudry's. To summarize what we have seen for these index calculus methods, I put all the complexities on this slide and a picture of the polynomial systems. For Gaudry and Nagao we see that we decompose into exactly the same number of points and that the corresponding ideal has the same degree. The main difference is the [inaudible] of the polynomial system: here we get a quadratic system with this number of equations and variables, and here we have only n equations in n variables of degree 2^(n-1). This makes quite a difference in the complexity of the resolution of the polynomial system; we see here in the exponent of 2 that this gives us almost twice the exponent that we have here. So this is much stronger. For our variant, we decompose into n-1 points, so we get a degree of the ideal which is 0 in almost all cases. We have to try many more decompositions to get q relations, but the complexity here is quite a bit better than the one we have here. It might appear to you that it's almost the same, but in fact having omega against 3, and n-2 against n(n-1), is quite a difference in practice. And in a way this is just [inaudible] we think that we can do some things. So now, in the second part of my talk, I will mainly speak about F4 trace computation and the algorithm that we can use to speed up the computation of Gröbner bases. Maybe it's time to define what a Gröbner basis is. Just to understand the algorithms, I give the definition here. We consider a multivariate ideal, and we say that a set of representatives of this ideal is a Gröbner basis when the initial ideal of I is equal to the ideal generated by the leading monomials of these polynomials here. So this is a Gröbner basis. And the main results for computing them come from Buchberger's Ph.D. thesis.
He considers mainly two operations on polynomials. The first one is the S-polynomial: it's a combination of two polynomials such that you cancel the leading monomials. And we also have the reduction of a polynomial with respect to a list of polynomials, which is somehow the equivalent of the classical polynomial division in one variable. The main result is that this set of polynomials is a Gröbner basis if and only if the remainder of all the [inaudible] S-polynomials that you can compute is equal to 0. Having this result, it's quite easy to get an algorithm which computes the Gröbner basis. What you do is you start from the set of representatives of your ideal, you consider all the S-polynomials that you can make with these polynomials, you compute the remainder with respect to the current basis, and each time it is different from 0 you add it to your basis. By doing that you increase the corresponding initial ideal, and as we are in a [inaudible] ring here, at some point we will stop. And when it stops you get your Gröbner basis.

>>: What's the function -- sorry, I'm just trying to trace through this. How does the S part of it depend on the definition of the ideal? So this is [inaudible] G_s is a Gröbner basis for the ideal I; does S depend on I?

>> Vanessa Vitse: Yeah. So this is a set of representatives of your ideal [inaudible], and this is a specific set of representatives: they all verify this condition. And if they all verify this condition, then it's a Gröbner basis of your ideal.

>>: So that polynomial S is the same for every ideal I [inaudible].

>> Vanessa Vitse: Yeah. Yeah. This definition depends only on the two polynomials you put here.

>>: So how can you [inaudible] the subset of G_1 up to G_s, and then it would still satisfy these conditions, but it wouldn't be a Gröbner basis because it's not [inaudible], not for the whole ideal.

>> Vanessa Vitse: What you do at the -- sorry.
The first part of the algorithm is that you start from a set of representatives of your ideal.

>>: You have to have a complete set to start.

>> Vanessa Vitse: Yeah. You take, for example, F_1 to F_r, and then you compute all the S-polynomials that you can make with the [inaudible] of these polynomials, and you compute the remainder, yeah. This is an iterative algorithm, yeah. Okay. So we have an efficient way to implement Buchberger's algorithm, which is an algorithm due to [inaudible] called F4. The main idea here is to use linear algebra techniques to reduce at once a large number of S-polynomials. So we are not doing this one by one, but we take a large number of S-polynomials and reduce them at once. To select them you need to define a selection strategy; for example, in practice we usually consider the S-polynomials having the lowest total degree. What you do is you construct a sort of Macaulay-style matrix: you put in the matrix all the multiples that are involved in your S-polynomials, and you also put the polynomials that are useful for computing the remainder by the current basis. So you have this huge matrix, you perform a reduced [inaudible] form, and you then get the reduction of all your S-polynomials with respect to your current basis. So this is a very efficient algorithm. But there is still one problem with this algorithm, which is the same as with Buchberger's: most of the time you are computing reductions to 0 of your S-polynomials. Despite Buchberger's criteria, you will get lots of reductions to 0. That's why [inaudible] proposed in 2002 an elaborate criterion which tells us a priori to skip a given S-polynomial. So we have some signature condition on the polynomials, and we check if the signature verifies the criterion; if it doesn't, we skip the reduction.
There is one drawback to this F5 algorithm: namely, you won't be allowed to reduce any polynomial you want. So during the computation you will have some incomplete polynomial reductions and, even worse, you will have some redundant polynomials that you cannot get rid of. So what we would like to do here for our index calculus method is not to take these [inaudible] algorithms, but instead take advantage of the fact that we have many, many polynomial systems with the same shape to solve, and use this information to get rid of the S-polynomials that reduce to 0. We would like to have a sort of F5 criterion that allows us to skip these unnecessary reductions. So here is the outline of our variant. You have two separate routines. First, a routine that you run on the first system: you run a classical F4 algorithm, and you construct during this algorithm a list of all the multiples that are involved in your computation; each time you have a reduction to 0, you remove from that list a well-chosen multiple. Then for the subsequent systems, you use the second routine, the F4Remake algorithm, which uses this precomputed list to compute the Gröbner basis: instead of having a queue of untreated S-polynomials, you pick directly from that list the relevant multiples that you need for your Gröbner basis computation. In fact, this idea is not really new. People working on Gröbner bases over the rational field can sometimes use reduction modulo several primes, compute the Gröbner basis modulo these different primes, and get the original Gröbner basis by using the Chinese remainder theorem. They do that because when you compute directly the Gröbner basis over the rationals you get very large coefficients, and you want to avoid that. So we can do this kind of reduction here.
And of course when you do your reduction modulo several primes p, you will have many times the same computation of your Gröbner basis. That's why Traverso proposed in '88 a precise definition of these Gröbner traces for the Buchberger algorithm in the case of rational numbers. Unfortunately for us, this analysis is not precise enough to give us good results in the situation that we have in index calculus methods. So what I would like to do in this part of the talk is to give a precise analysis of the behavior of these F4 variants. I need to introduce some terminology here: the notion of a parametric family of polynomials. This is simply polynomials that have coefficients depending on some parameters, and we consider instances of this parametric family as specializations of these parameters. We would like to know when F4Remake will successfully compute the Gröbner bases of these instances given our first parametric family. So I define what I call generic behavior in the following way. I assume that I am able to compute, at least theoretically, a Gröbner basis of the parametric family with the F4 algorithm. And I say that the instance behaves generically during the computation as soon as we have exactly the same number of iterations during the course of the algorithm, and at each step exactly the same leading monomials and the same critical -- the same S-polynomials. It's clear that if our instance has this generic behavior, then the F4Remake algorithm will successfully compute the Gröbner basis. If we have run the first subroutine on a generic system, then for other generic systems we will get a Gröbner basis with F4Remake.
Now that we have this terminology, I would like to give you an algebraic condition for this generic behavior and estimate the probability that F4Remake computes the right Gröbner basis. I assume that until step i-1 the instance behaves generically, and at step i I focus on the two matrices constructed by the F4 algorithm: the matrix M_G for the parametric system and the matrix M for the instance. If I have s leading monomials in my ideal at this step, what I do in the [inaudible] matrix is that I exchange some of the columns and some of the rows to get here a triangular matrix: we put in the first columns the ones corresponding to the leading monomials, and we put in the first rows the polynomials that have these leading monomials. So we get a matrix which has this shape here. Okay. Sorry, it's quite difficult to explain. For the instance we have a specialization of the parameters, but since the polynomials are already normalized at this point, we get exactly the same shape for the first part of the matrix. So if I perform a reduced row echelon form on the first part of the matrix, I get exactly the same shape for the parametric family and for the instance. Now I would like to focus on this sub-matrix here. I would like to do a reduced row echelon form on this matrix and to see what's happening for the instance. I select the columns corresponding to the pivots, in green here, and I put them on the left part of this matrix. I perform a reduced row echelon form and I get this shape for the matrix. For the instance, I don't know whether after specialization I have any cancellation of the corresponding pivots. But if you don't have any cancellation of these coefficients, you will be certain that you have exactly the same shape for the instance, so you will have generic behavior for the instance in this case.
So we have -- I have now my generic condition that the system behaves generically at step i if and only if this matrix here is of full rank. This is quite a simple idea. And to get the probability that this will actually work, I will make a heuristic assumption. I will suppose that these matrices have uniformly distributed coefficients over F_q. So at this point I would like to remember how we have constructed our systems. We consider random combinations of two points, the base point P and the [inaudible] point Q. And we suppose here that the group law is mixing up the coordinates sufficiently to get something that is really random for the X coordinate of R. Since our polynomials have coefficients depending only on this X coordinate, I will suppose that we are sufficiently close to the uniform distribution to make this heuristic assumption. So now it's really easy to estimate, or at least to give an upper bound for, the probability that the matrices have full rank; I can give this bound here. And since we have N steps during the computation, I have the probability that the system behaves generically, which is greater than c_q to the power N steps here. And as you see, when q goes to infinity, this probability is really close to 1. So when q is large enough we will have very good results. So here I give the experimental results for an elliptic curve defined over an extension of degree equal to 5. I suppose that I have run a precomputation over an 8-bit field. And this computation has been done in about nine seconds. And now I look at what's happening when, for example, I consider an elliptic curve defined for p having 32 bits. The probability of failure here is very low because p is really large; it's about this. And if I look at the timings given by F4Remake in this case, we get the Gröbner basis computation done in less than 8.5 seconds, which is three times faster than the classical F4 algorithm on the same implementation, of course. 
For comparison I also give the timing for Magma, which is considered the best implementation of this algorithm for the moment, and we see that it's much faster in this case. So it's fair here to want to compare our variant to the F5 algorithm, since both algorithms are considering no reductions to 0. And as I said at the beginning of the second part of the talk, the problem with F5 is that it's computing many redundant polynomials that we cannot avoid because of this F5 criterion. And after an implementation of this algorithm on my computer, I get about 17,000 labeled polynomials at the end of the computation of the Gröbner bases against only 2700, about -800, with the F4 variants or the classical F4 algorithm. So we see at this point that it's not possible that this F5 algorithm could be faster than our variant in this case. Okay. So finally I will give you an application of this stuff to cryptography, and we will consider here an application to the static Diffie-Hellman problem, which is a [inaudible] problem of the family of Diffie-Hellman problems. So the main observation here is that once we have a way to decompose into the factor base, it's quite admittedly that we get -- sorry -- that we get an algorithm that is able to solve the oracle-assisted [inaudible] of the static Diffie-Hellman problem. So this has been discovered independently by [inaudible]. So maybe I should recall to you what I call the oracle-assisted static Diffie-Hellman problem. You consider a finite group G and a secret integer d. And during the learning phase you are allowed to ask an oracle for any multiplication by d that you want, for any point in the group G. And after this learning phase you are given a previously unseen challenge X and you are asked to compute d times X. Okay. So if you have a way to decompose into this factor base, you have a way to solve this problem. 
What you do is, during the learning phase, you ask the oracle for the multiplication of the elements in the factor base by the secret integer d. And after this learning phase you will decompose X in the factor base and then deduce the multiplication of X by the secret d. Of course, as we have seen, it's not clear that X is decomposable in the factor base. So what we do here is we multiply X by a random integer, and at some point this [inaudible] here will be decomposable in the factor base. So when you get the decomposition, what you do next is the multiplication by the inverse of [inaudible] the order of the group, and then you get of course the decomposition of your point X. So for this application here, the first remark is that we don't need any linear algebra step; we only need one decomposition. So the second part of the classical index calculus method is unnecessary. And the other remark here is that we need during the learning phase to do q over 2 oracle queries, which is quite a lot. And to palliate this problem, Granger has proposed a nice idea. What he does is a technique a la Harley to balance the two stages by reducing somewhat artificially the factor base. You take only some elements of the factor base, so you increase -- you decrease the probability of decomposition, but you want to have -- you will have fewer oracle queries to do. So this part is joint work with [inaudible] Granger and was announced on the NMBRTHRY list. So a nice application here of our algorithms is to consider this standard curve proposed in the IPsec protocol. This is the well-known Oakley group 3 curve. So this curve is defined over the finite field F_{2^155}. This is really nice because this extension here can be seen as an extension of degree 5. And what we do here is -- as we can decompose into five points, we [inaudible], sorry, we aren't able to compute the decomposition into five points because the Gröbner basis computation here is too hard. 
So what we do is our variation of decomposition. We decompose -- we decompose, sorry, into four points. So we get a polynomial system that has this shape. It's composed of five polynomials that have total degree equal to 8 in four variables. And to get one relation we will need to test about 50 variants of decomposition. So we do this with Magma, for example, to see how long it takes. Each decomposition takes about one second with Magma, which is not good enough for a good attack here. But with our variants and dedicated optimization we are able to go down to about 20 or 23 milliseconds, which is a good timing. If you have access to 8,000 processors, you can do the attack in less than two weeks. So this is somehow a feasible attack. Yeah. That will be the end of my talk. [applause] >> Unknown Speaker: Thank you very much. Are there questions? Yes. >>: [inaudible] numbers on the Y axis but no numbers on the X axis, no q. What can I think about the numbers there? >> Vanessa Vitse: The first chart? >>: [inaudible] colors -- >> Vanessa Vitse: Yeah, yeah, going back to this. At the beginning. Sorry. Hmm. Is there a way to go -- oh, yeah. Here? Yeah, because it's for a very large value of q, so it's [inaudible] I'm looking at an [inaudible] behavior here. So is that answering your question? >>: Maybe you already said this, so in practice what values of n [inaudible] examples of 3 and 5. How much can you push that? >> Vanessa Vitse: Actually for index calculus methods we haven't any results for attacking the DLP. We have only a practical implementation for the oracle-assisted static Diffie-Hellman problem. So for the oracle-assisted static Diffie-Hellman problem, the best we can do is the n equal to 5 case. >>: How long would it take you to get the oracle assistance? >> Vanessa Vitse: That's a good question. Suppose that you have to ask something like a smart card or a chip. Or I don't really know. But it will be a very long time. It's just -- I feel. Yeah. 
In some ways you can parallelize this computation, so it will be very long. I can't give you any timings, but -- >>: I do that field, so I was [inaudible] have an attack. >> Vanessa Vitse: Uh-huh. >>: So far nothing is better than the square root attack. >> Vanessa Vitse: Yeah. Actually you're right. We can do anything better than the square root attack. So this is always interesting, yeah. Yeah. >> Unknown Speaker: Any more questions? No? So let's thank all the speakers in this session again. [applause]