>> Kristin Lauter: Okay. So since we're running a little late, after Victor's talk
we'll have just a very short break before Francois Morain's talk. So now I'm very
pleased to introduce Victor Miller from Center for Communications Research.
He's one of the two co-inventors of elliptic curve cryptography and he'll speak to
us on elliptic curve cryptography and computation.
>> Victor Miller: Okay. Thank you, Kristin. And all the organizers. Really
pleased to be here. It's hard to believe it's 25 years. Anyway, so this is a sort of
a personal story about my own Odyssey with this and some of my own
background. But I couldn't resist, even though I hope I don't get into copyright
trouble, this I thought was one of my favorite cartoons in the New Yorker. And
this is sort of an indication of always pushing on to the limits. But my own
background is as a number theorist. And I think it's appropriate in many ways,
especially for me.
I mean, Serge Lang was my mathematical mentor as an undergraduate, and, in
fact, I realize now that when I was a freshman in college I took a course from him
which could be described as freshman mathematics for prospective PhDs. And
in his second week he gave us all an assignment which I now recognize was
one of the key lemmas that Tate used in his proof of the existence of the
quadratic, quadraticity of the Neron-Tate height, but of course he didn't mention
elliptic curves at all. But they were always there in the background.
And for anyone who knew Serge or heard of him this quote is very appropriate.
It's possible to write endlessly about elliptic curves. This is not a threat. And
given that Lang published something like 60 books this is not an idle threat
either.
Anyway, but a large part of the motivation of well, most number theorists, I
certainly can't speak for all, are really solutions of Diophantine equations. I
mean, basically where all of, you know, sometimes you take very long detours
but basically a lot of the original motivating problems are you have a particular
Diophantine equation and you want to find the solutions or find all the solutions or
describe them or something, and of course the most infamous example is
Fermat's Last Theorem, which, you know, Andre Weil said was his sort of
motivation for years in studying number theory.
And there's another thing I mean which Professor Frey touched on is that it's sort
of very interesting what happened to qualitative number theory. In the 19th
Century, up until the 20th Century, the sort of prime piece of number theory at
least was really caught up with computation. I mean, it really wasn't enough for
people to just show that solutions existed. You really had to find them or at least
make a decent attempt to find them.
But I think what happened, and this is pure speculation on my part, is as the
problems got harder and harder and beyond the realm of human computation,
people started, you know, concentrating on sort of more general existential
things. But I think the idea of explicitly computing these things was always in the
back of the mind in everybody. And even if it was suppressed. I know Professor
Birch told me many years ago that you would be surprised to see some of the
people who really were computers in secret. For example, I think that he
mentioned that Andre Weil did a lot of explicit computation in secret but then
carefully suppressed it in his papers.
>>: [inaudible].
>> Victor Miller: Or maybe it was [inaudible]. It might have been. But for
whatever sociological reason this happened, I think what happened is that when
computing machines came into being this actually made some of these
computations which clearly seemed to be impossible now conceivable.
And I think people got back to thinking about the kind of motivation that people
had in the 19th Century because now it was actually possible to do it.
I mean as a sideline, you could look at the whole field that's been generated, you
know, with Grobner basis computations. I mean basically, you know, this would
have thrilled a lot of the people who worked in invariants in the 19th Century
because now it's actually possible to compute -- make some of these
horrendously hard computations which were clearly beyond any hand capacity.
So and as I said, for elliptic curves, well these slides originally -- but elliptic
curves were until about maybe 25 or 30 years ago, if one looked at actually
absolute numbers of people who looked at it a relatively arcane field.
I was a graduate student at Harvard, which was one of the centers of this, and it
was easy to lose perspective when you were surrounded by some of the world's
experts. But when you realized that was actually a significant percentage of all
the people in the world who really knew, you know, anything serious about the
field.
And as I said, well, in any case, before 1985, it was virtually unheard of in the
crypto and theoretical computer science community. There were maybe like one
or two people, you know, who didn't study as number theorists, who may have
heard of it.
And as I said, I just made a count -- this is certainly a vague thing. So
mathematical reviews up to 1984, if I look for papers or articles or books with
elliptic curve in the title there were only about 200. And now there are well,
actually I should update this. Now there were at least 2000. So it's very clear
that there's been a lot more.
Now, part of it has been the number theoretic, and part of it has just been the fact
that I'll -- and I'll attest to it, the fact that elliptic curve cryptography and other things
came into being has obviously motivated a lot of people who sort of, you know,
came in from outside of number theory and a lot of, you know, engineering work
which is good work but now things are not so obscure and I just did a Google
search for the phrase elliptic curve cryptography, and admittedly a lot of them are
redundant, but it yielded 83 pages of hits. So that's quite a lot.
Well, here's Karl Weierstrass who was mentioned. And basically so elliptic
curves, as Professor Frey said, in a simple minded way you could think of just
the set of solutions to this equation Y squared equals X cubed plus AX plus B,
which is usually called a short Weierstrass equation. And in general, any sort of
cubic curve, as long as it doesn't have, you know, singularities, is such -- such a
curve and as long as you actually have a point you can put it in in Weierstrass
Form. And as is pointed out, and I'll show this set has a natural geometric group
law, which respects the field of definition. And that's important.
It means if you take two points and you add them and their coordinates are in a
particular field, then so is their sum. And the Weierstrass -- where Weierstrass
gets in the act there is he actually came up with what's called the Weierstrass P
function, which virtually everybody takes a course in complex analysis learns
about. And my -- one of my favorite Professors Lipton used to say it's not very
hard, the hardest thing about the Weierstrass P function is actually writing the
Weierstrass P. [laughter].
But -- and it's the only doubly-periodic complex function. So any time you give a
talk on elliptic curves it seems to be mandatory to put up a picture that somehow
resembles this. There are many variants on it. And you can see if you have P
and Q that you have a third point of intersections, this is a cubic curve which we
call P star Q and then you reflect it through some other point and you get the
sum.
In fact, that was -- anyway, so here is Niels Henrik Abel which -- who basically
studied -- his studies were the periods of certain integrals of algebraic functions.
And basically he studied what today would of course be called Abelian varieties,
which are sort of multi-dimensional generalization of elliptic curves when you get
to higher -- when G is bigger than 1, when there are more than 2 periods things
get a little more complicated. You have to talk about things called polarizations
and Riemann forms and whatnot, but I won't talk about that here.
Elliptic curves are complicated enough. So -- and Abelian varieties also have a
group law, and, in fact, the interesting thing is their group is commutative,
otherwise known as Abelian groups, but it's sort of a coincidence that they're -- what?
>>: [inaudible].
>> Victor Miller: Well, they were both named after him, but it's a coincidence that
there were two things named after him that just happened to coincide. And
elliptic curves over the rational numbers, as was again pointed out by Professor
Frey, the set of solutions always forms a finitely generated group, a set of
solutions over a number field or over more generally what's called a global field.
And there's even a procedure, and I use that actually in the technical terms, in
computation to find generators. And very often it's quite efficient. It's known as
descent but, in fact, it's not even known to terminate in many cases. The
termination of this procedure in some ways is actually measured by part of the
Tate-Shafarevich group which was mentioned by Professor Frey and in particular
if the Tate-Shafarevich group is finite or at least a certain local part of the group
is finite, then, in fact, this procedure will terminate. But it's not known in all cases.
And as I said, there's -- as was mentioned, there's a size function which is called
the Weil height, which is the logarithm of the maximum of the numerator and
denominator which roughly measures the number of bits in a point. In other
words, if you were to actually write down these points in ordinary ways as -- with
rational numbers and think of how many bits would you need to write down the
numerator and denominators, that would be roughly measured, you know, up to
maybe a constant factor by this Weil height.
And there's something which is also mentioned called the Tate height, which
could be considered sort of the smoothing of the Weil height and the Tate height
has much nicer mathematical properties in that it's a non-degenerate quadratic -- positive definite quadratic form as was also mentioned. And so the points also
as Professor Frey mentioned, if you tensor the set of points with the reals, this
actually sticks them inside a real vector space and the points on the elliptic
curve actually form a lattice.
And here are people in case they haven't seen them are Louis Mordell and Andre
Weil. And I will say that I actually saw Professor Mordell once just a few years
before he died when he spoke at Harvard, and someone asked him about the
Mordell-Weil theorem, and he actually seemed to take a little umbrage about that
and said he never wrote anything with Professor Weil in his life.
Mordell originally proved his theorem in about 1922, I think, or 1920, thereabouts,
over the rationals. Andre Weil basically was assigned the generalization of this
as his thesis topic. Actually he was assigned much more. And this is what he
proved in his thesis in the late 1920s. And in a sense this actually -- this problem
motivated him for a large part of the rest of his career because he was very
dissatisfied with the foundations of algebraic and arithmetic geometry which he
encountered in doing this.
So, in fact, this actually caused him to, you know, rewrite about 25 years later
when he came out with his foundations of algebraic geometry which was the
be-all and end-all before [inaudible] came long.
And here is my graduate advisor Barry Mazur who proved, among other things,
as was alluded to, a folklore conjecture that no point on an elliptic curve
over the rationals has order more than 12. I mean, more specifically since
Professor Frey mentioned the modular curves, he basically showed that --
Professor Frey mentioned that the modular curves X1 of N parameterize pairs
of elliptic curves and points of order N and there was a folklore conjecture that
people have noticed that there were only a finite list of N for which X1 of N had
genus 0, that is, could have a possibly infinite number of points. And so the folklore
conjecture was those were exactly the N through which there was a point of
order N on an elliptic curve. And that was what Mazur proved.
And here is John Tate. Well, two pictures. The first one was in 1969 taken at a
conference at Oxford. There was a very large group picture which had a lot of
the pictures of a lot of the players there. And here is John Tate today who is still
quite active and working on things. And so as was mentioned, in the beginning I
mean in the history of computing, computing around elliptic curves has been
there from almost the beginning. So in 1952, Emil Artin, on the left, asked John
von Neumann to do a calculation on the EDSAC computer which I think was at
Los Alamos about cubic Gauss sums related to the distribution of the number of
points Y squared is X cubed plus --
>>: ENIAC.
>> Victor Miller: Oh, ENIAC, not EDSAC. Sorry about that. Okay. Yes. Thank
you. Yes. It was ENIAC. The EDSAC computer was the one that Bryan Birch
used, I think. On the ENIAC computer by cubic Gauss sums. And so basically
people were thinking about elliptic curves and computation from -- well, I mean
from long before that, but as soon as computers came along it seemed to be the
prime thing.
And I mean one of the problems with this is there is sort of a problem with the
misleading law of small numbers that before you could compute these things,
you could compute essentially the -- each of these Gauss sums involved -- have
absolute value square root of P and there was a question about how the angles
were distributed, which could be considered a forerunner of one of the questions
that Professor Frey was talking about which related to the Sato-Tate conjecture,
even though this has a CM curve so it's not the usual case. And the problem is I
think that it was just too difficult to compute many examples by hand, and it
wasn't clear how indicative the data were. So Artin wanted more data to look at.
And here are Bryan Birch and Peter Swinnerton-Dyer back at the 1969
conference. And as was mentioned, they formulated their important conjecture
only after extensive computer calculations. And so then and now. And here -- here they are now. Well, of course you can see Professor Birch right here.
And actually as a sideline there are sort of two quotes. Carl Ludwig Siegel said
in one of his letters I think to Mordell the phrase that number theory is a beautiful
garden.
And Hendrik Lenstra in a talk back around the year 2000 I would say said that oil
was discovered in the garden. [laughter]. So, in fact, here were the drillers.
So in 1976, Diffie and Hellman proposed the first public key protocol. And so it
said let P be a large prime. And the nonzero elements of a finite field FP form a
cyclic group. This is sort of an old theorem in number theory that when you study
-- when you take a first course in number theory, this is one of the first things that
you -- or one of the early things that you prove is the theorem of the primitive
root.
And the security of their idea depends on the difficulty of solving the following
problem: If I have given you P and G, which is some primitive root and G to the
A and G to the B, find G to the AB. And that's known as the DHP or
Diffie-Hellman Problem. And Diffie and Hellman speculated in their paper that
the only way they could think -- well, there was an obvious way of solving it, is
they could reduce it to the problem of solving what's the discrete log or
sometimes known as the index problem. So given the primitive root G and G to
the A find A.
Of course it's not immediately obvious there might not be another method of
doing that. But I'll comment on that later. And soon this was generalized to work
over any finite field, especially over F2 to the N. F2 to the N was very popular
because people in coding theory used those sort of fields as their bread and
butter. And there, in fact, were lots of hardware and circuits and whatnot already
built to do a fast computation in those things. So it seemed to make sense to use
them. And here are Marty Hellman and Whit Diffie around the time when they
invented it.
And here they are today. Actually Whit hasn't changed that much. Marty sort of
looks like a banker now. So here is the idea. So the attacks on the discrete
logarithm problem: first Hellman and one of his PhD students, Steven Pohlig,
published a paper about a year or two later which among other things
noticed that you only need to solve the problem in a cyclic group of prime order.
That basically if you had group extensions that you only needed to solve the
problem in each of the pieces and that it was easy to put them back together.
And so basically in the original problem security depends on the largest prime
divisor Q of P minus 1. Or if you're working in a field F2 to the N of, you know, 2
to the N minus 1.
And it was also known by a procedure Dan Shanks dubbed the baby step giant
step method that you could always solve this problem in general in time big
O of square root of Q. And they speculated that this was the best that you could
do.
So in some sense they were right and in some sense they were wrong. I'll get to
that later. Because it turns out unknown to them because a lot of things in
number theory are somewhat obscure to the outside community, AE Western
and JCP Miller in 1965 published a book called the Tables of Indices and Primitive
Roots. And in the appendix of the book they outlined a procedure for actually
finding -- solving the -- what would be called the discrete logarithm problem for
large, you know, when you had large prime fields which would be better than this
sort of square root of P method.
I will say that they outlined the procedure, and they didn't analyze it precisely in
the current way that people think about analyzing complexity. But and, in fact, it
was so obscure that Len Adleman was unaware of it and he independently
rediscovered the idea in about 1978 and published a paper where here he
actually did analyze it fairly precisely, and he needed some heuristics, but
basically the running time was big O of exp of the square root of log P log log P. And, in
fact, what happened is after Adleman's paper Hellman and another one of his
colleagues, Reyneri, saw that you could do a similar thing when you're working
in discrete logs of F2 to the N.
And, in fact, so -- so this is where this sort of hit me -- I was working at IBM
research at the time and there was a paper by Fuji-Hara, Blake, Mullin and
Vanstone, at least one of them is here, Scott, and they gave a significant
speedup of the Hellman and Reyneri paper. And this -- well, first of all, here was
Dan Shanks. And here's Len Adleman. Not here.
And basically I would say at the time -- I've been a friend of Don Coppersmith
since graduate school and have been a colleague of his first at IBM and now
where I work now at CCR. And in 1983, Fuji-Hara came to IBM and gave a talk
on the paper that I just mentioned with a very picturesque title how to rob a bank.
The reason for this title was that the discrete logarithm system was -- and the
Diffie-Hellman system was so attractive that the Federal Reserve Bank of
California had decided to use the -- a system based on the difficulty of the discrete
logarithm to secure their financial transactions. And they were going to use it
over the field F2 to the 127. 2 to the 127 was attractive because two to the 127
minus 1 is a Mersenne prime. So, in fact, the divisor of the multiplicative group is
as big as it possibly could be.
And not only that, Hewlett-Packard was very obligingly manufacturing some
hardware to do very fast arithmetic in that field, you know, for that use. And they
of course were going to sell it to other people, you know, as a good crypto
system.
And so Fuji-Hara's talk piqued Don's interest. Well, here's Don Coppersmith, for
people who don't know him. And here is Fuji-Hara, Blake, Mullin and Vanstone.
And basically, the idea is related to a problem of subexponential time factoring of
integers. And Professor Frey mentioned that smooth numbers -- and this is sort
of a very key player in this. So this first idea came about -- I mean, some people
may dispute the history whether this was the first. There was a program called
CFRAC, standing for continued fraction and a paper by Morrison and Brillhart.
And Brillhart coined the term Factor Base.
And basically this was a method using continued fraction expansion of quadratic
irrationalities, I won't get into this, to sort of come up with heuristically good sets
of numbers which could be used in this sort of general procedure for factor base,
which I'll outline in a sense. And Rich Schroeppel, who is sitting right there, has
something called the Linear Sieve.
I think historically Maurice Kraitchik back in the 1930s or 1920s
actually had some ideas like this. But it wasn't clear how far he could go
because there really weren't any decent computing machines at the time. So you
had to do all this by hand or, you know, if you were DH Lehmer, you know, you
would build your own machines.
And Carl Pomerance coined the term smooth and the quadratic sieve and
actually I got a dispute from Arjen Lenstra about this and the notation which are
called L functions. This is the one thing I find very confusing because for number
theorists L functions means a particular thing, which is already mentioned, and
the people who are sort of in this field then used this other thing, and they talk
about L functions there, and this is endlessly causing me confusion when people
are talking about L functions and I have to remember what context they're using
it.
But in any case, why they used L I don't know. But the notation was come up
with -- I think Hendrik Lenstra came up with an earlier version of this notation without the
first parameter A but basically the notation L sub-X of A semicolon B is just
exponential B log X to the A log log X to the 1 minus A.
And the interesting thing about this function is this sort of interpolates between
exponential running time and polynomial running time when the first parameter A
is 1 you have fully exponential and when it's zero you have polynomial and which
is sort of the holy grail. And basically what happened is that the original factor
base at least by heuristics got A equal to a half.
And so basically where this function really ends up coming -- coming into play is
there has been a lot of work analyzing the probability that a random integer factors into
small primes. And this actually was a series of papers going back probably from
the 1930s or 1940s up to the present. It got a lot more impetus when suddenly it
had a real, you know, killer application, so to speak, but anyway, here's John
Brillhart at the same conference at Oxford and here's Rich Schroeppel who's
sitting right there, in fact. And here's Carl Pomerance who also was in graduate
school with me.
So basically after Fuji-Hara's talk, Don started thinking seriously about discrete
log problem and we basically would talk about this a few times a week. And he
sort of taught me a lot about his insights and the intricacies of the index calculus.
The index calculus was a term coined by Andrew Odlyzko to describe a whole
family of algorithms. So this algorithm was still an L of one-half algorithm but it -- it had a better constant than the original algorithm. Constant is good because
the constant was in the exponential factor.
But the whole idea is Don figured out an algorithm which was L of one-third. And
this made an immense difference. And basically Fuji-Hara's estimate in his talk
was that after doing a precomputation in those days -- of course the computers in
those days were sort of pitiful by today's standards. In those days he estimated
that it would take about a nine-month precomputation, and then they would be
able to solve individual discrete logs in maybe about a day or two after doing this
precomputation.
Don's innovation basically changed the precomputation to about 40 minutes on
our current mainframe computer at IBM. And individual discrete logs were
solved in about five seconds. So this effectively torpedoed the actual system that
the Federal Reserve Bank was going to use. And 10 years later basically, based
on what in retrospect is a very similar idea, Dan Gordon devised a one-third
algorithm which worked over the finite field of P elements.
And here is Dan Gordon who now works at my west coast branch. And so
there's a question of: were Hellman and Pohlig right about discrete
logarithms? So the answer is yes and no. For the original problem as stated, no.
I mean, I've already said that there are these much better algorithms in these
square root algorithms and yet -- but the point is you needed to use some
specific property, which was smoothness to make the attacks work.
So it turned out that Igor Nechaev and then later generalized by Victor Shoup
showed that if you had a black box group, so basically a black box group is one
in which the elements of the group are just as far as you can tell just random bit
strings and you can ask a black box saying tell me what the product of these two
elements are, or you can ask, you know, are these two equal or, you know,
calculate the inverse.
So in other words, basically this is sort of an abstract version of saying that you're
only using the fact that it's a group, and you're not using anything very specific
about what the actual bits mean.
And basically they showed that if you had such a group that the best that you
could possibly do to solve a discrete logarithm problem was time -- I should call
that theta of square root of Q. So in other words, you had to take at least square
root of Q time, and, in fact, Shoup generalized this saying suppose you could use
randomness and you're only satisfied with having a positive fraction of the
answers, you know, in a certain amount of time. In other words, you would
compute a certain amount of time and if you didn't get the answer by then you
would just give up.
He basically showed that it was still square root of Q. You really couldn't do any
better, that there weren't any positive fraction of lucky points, so to speak. But
what about discrete -- the Diffie-Hellman problem, which really is the original
problem. So Ueli Maurer and later Dan Boneh and Dick Lipton gave strong
evidence that it was no harder than the discrete logarithm problem. And
basically to do that, they actually ended up using elliptic curves in a very
interesting way, which I won't go into. See, here's Victor Shoup, and here's Ueli
Maurer, Dan Boneh, and Dick Lipton.
So first of all, my own background was in graduate school that that's what I
worked on. I worked on elliptic curves and modular forms. And so I was sort of
in a good position and primed for this, so to speak.
So when I visited Andrew Odlyzko and Jeff Lagarias at Bell Labs in August 1983,
they showed me a preprint of a paper by Rene Schoof, which has already been
alluded to, giving a polynomial time algorithm for counting points on elliptic curves
over FP.
Now, of course having a background in elliptic curves I immediately appreciated
this. I will say, as a sideline, that it was difficult to get the theoretical computer
science community to appreciate this stuff early because this had been actually
submitted to the prestigious FOCS conference, and it had been rejected. I know
Lagarias told me that he was on the program committee and he was rather upset
about this. You're shaking your head, Rene.
>>: [inaudible].
>> Victor Miller: What?
>>: I don't think it was Jeff Lagarias.
>> Victor Miller: No, okay. All right. Well, anyway, this is what Jeff Lagarias told
me. But anyway, but shortly thereafter I saw a paper by Hendrik Lenstra, who is
Rene's advisor or one of his advisors, which used elliptic curves to factor integers
in time L of one-half, and again because I already had a quite substantial
background in elliptic curves, I immediately appreciated the ideas. And so this
combined with Don's attack on discrete log over F2 to the N got me thinking of
using elliptic curves for discrete logarithm. And there's really a good reason for
that. Not just because I know about elliptic curves but -- well, so anyway, here's
Andrew Odlyzko and Jeff Lagarias. Here's Rene, who is sitting right there. And
here is Hendrik Lenstra, sort of a characteristic pose. [laughter].
And so basically at the time it wasn't new. I mean many people realized in the
abstract that the whole protocol only needed some sort of gadget where you
could do associative multiplication. That was certainly not new with me. The real
question is why would you want to do it in any other sort of group? So when you
start thinking systematically, you know, as I said, finite fields mostly have index
calculus type attacks. So what other kinds of groups are there?
So the good candidates are things called algebraic groups. And algebraic
groups, without going into all the definitions, are roughly things where the -- you
can actually write down the group law and calculate them by calculating rational
functions of points in some vector space which have other properties which
usually satisfy some series of equations.
And the idea is that such things are sort of inherently roughly efficient to
calculate because calculating polynomials of a small degree is pretty efficient.
And then there's a general theorem in the field by Claude Chevalley which
basically says -- without getting into the technical points, that algebraic groups
are extensions of matrix groups by Abelian varieties. And so combined with the
thing that Pohlig and Hellman noticed, since you have extension immediately, it
means that any discrete log that you would do in any sort of algebraic group sort
of can be solved by either solving it, you know, going down to some sort of matrix
group or going down to an Abelian variety and putting them together.
So in some sense, if you're in a matrix group, if you're in a subgroup of a matrix
group, they've already been attacked by finite fields, since basically you look at
the characteristic polynomial of something and basically what you really end up
doing to find the discrete log is you end up reducing it to a discrete log in an
extension field of the -- of the finite field.
So in some sense, those have been taken care of. I mean, one would have to
analyze, you know, exactly how much it's costing you to go to the extension field.
So it seemed obvious to analyze the idea in Abelian varieties. And so and here's
Claude Chevalley.
And so here is the idea of the index calculus without getting into all the details.
So given a primitive root of a prime, denote by, you know, log sub-G of A
the actual discrete log, the integer in 0 to P minus 1, satisfying G to the X equals
A, and you choose a factor base of the first K primes. Here K is some parameter
which you're going to choose later to optimize things. And the whole idea is that
you do first a preprocessing step to find the logarithms of base G of each of the
things in the factor base. And I'll describe how to do that later.
And then once you -- to solve your original problem you use the result of a table
that you've calculated in the first case to actually find the answer to the general
case.
And here's how you do it. So in the preprocessing step, you basically choose a
random Y and you calculate Z equals G to the Y.
Now, the nice thing about that, since you've chosen Y and you have Z, you
already know the answer to the discrete log of Z because you've chosen it.
And so the whole idea is you then -- Z is a residue mod P but you just treat it as
an integer. You do lifting. And you see if that lift factors into primes in F only.
You know, it either does or it doesn't.
If it does, we have an equation like that, Z equals P1 to the E1 times PK to the
EK and then you reduce that equation mod P and you take logs. Well, the whole
idea you know the log of Z because you've generated it, and you know the E1s,
you know the exponents. And the only thing you don't know are the unknowns of
logs of G of P1. But that is a linear equation. It's a linear equation in Z mod P
minus 1.
So the whole idea in solving linear equations if you have enough linear
equations, you know, essentially the same number of linear equations as
unknowns, you can solve them.
And so the whole idea is that you could keep doing this at random until you get
enough linear equations and then you solve them. And you know, there's a lot of
details which I've swept under the rug.
But the individual logs are very similar. So you choose a random Y and you look
at Z equals A times G to the Y. A is the guy that you're trying to take the log of.
And you treat Z as an integer. You do the same thing. And if it does, you know,
if it factors like that, then basically you have an equation like that and you notice
that everything in that equation is known except log sub-G of A. The things on
the right-hand side are known because that's what you've calculated in the
preprocessing step. And so there's a whole question is, you know, as I said, if it
does, you know -- so the question is how likely is that to factor? And that's where
the smooth numbers come in.
And so basically you can sort of see heuristically, even though not quantitatively
that the bigger K is, the more likely you are to factor that way. And where the
whole -- this whole L function comes in is this actually quantitatively measures
how likely it is to factor. And but what happens if you increase K, your linear
system gets bigger and the bigger linear system you have, the more costly it is to
solve. So there is -- there's a certain tradeoff on one side, you know. So
basically the whole idea is that once you've actually quantitatively figured out how
much it costs, you then have a slight optimization problem to find the optimal value
of K to make the tradeoff on the two sides equal, and basically the optimal value
once you sort of plug in everything and you go through everything, you end up
with L sub-P of one-half C for some constant C. The standard C that you get is
square root of two. There are other tricks that you can use that get the constant
C down to slightly above one.
And the Coppersmith and Gordon methods can be thought of in a very vague
overview way of using a very clever choice of probability. In other words, instead
of -- see, over there you've chosen Y completely at random. So they used an
idea where it's possible in some clever way to bias the choice of Y so that you
get your probability of succeeding in that factorization up. That again sweeps a
lot of things under the rug, but that can be thought of as what's going on. And
basically what happens is that after they balance everything, they change the
one-half there to one-third which is a very substantial change.
So the natural thing was, and this was the case 25 years ago, and it's still the
case today. The best known algorithms for doing discrete logs over, you know,
finite fields over the multiplicative group of finite fields are still based on the idea
of a factor base. There's something called the number field sieve and there are
various variants of it. But basically that's the best you can seem to be able to do.
And so it seemed natural to see what would happen if you tried to do the same
sort of thing over elliptic curves. And so the obvious thing to do is to do exactly
the same thing. You choose random points, you multiply -- you know, by taking a
fixed point and multiplying them by a random thing and then lifting them. But
when you talk about lifting them, you immediately run into a problem. So
basically also as alluded to by Professor Frey, because the -- because the
number -- if you have E as an elliptic curve over the rationals, that because the
set of solutions in the rationals is finitely generated, this, you know, combined
with the properties of the Tate, you know, the [inaudible] Tate height, this actually
shows that the number of points of the given height grows very, very weakly, you
know, compared to what happens in the multiplicative group, you know, of the
rationals.
And basically so the number of points whose number of bits are polynomial in log
P I think I had too many logs there, are big O of log P to the C for some -- for
some constant C which is related to the rank of the curve. And the point is that
that's just a minuscule fraction of the total number of points that you have in -- in
E of FP. So there are roughly P points there. And so that's -- there are just far
too few points to even have a decent chance of even writing down the points
upstairs, no matter how you might lift them.
And so there's a lot of other details. And, in fact, I analyzed, you know, the
details of this in my '85 paper.
So the other advantage of elliptic curves is, as was also pointed out, there are a lot
of them over FP of different sizes. And so basically this gives you a lot more
chances to deal with other things. So basically Crypto '85 and afterwards, I
corresponded with Odlyzko in forming my ideas and the day I finally convinced
him with enough details he told me that he had just received a letter from Neal
Koblitz who I think was in Moscow at the time, sort of, you know, outlining a
similar thing.
So this really was, in a sense, virtually simultaneous. And at Crypto that year,
the talk immediately preceding mine was given by Nelson Stephens, who was
Professor Birch's first student I think, on an exposition of Lenstra's factoring method.
Because again, elliptic curves were a completely new thing for the crypto
community. So this was sort of a mysterious thing. So they got a double dose of
elliptic curves.
And after my talk, Len Adleman and Kevin McCurley asked that I give them an
impromptu exposition of the theory of elliptic curves. Because they immediately
were struck by the fact that there was something to this. And the next year Len
and Ming-Deh Huang asked that I give them a similar talk about Abelian
varieties, which eventually led to their random polynomial time algorithm for
primality proving using Abelian varieties.
And I corresponded extensively with Ron Rivest's PhD student Burt Kaliski when
he was working on his thesis about elliptic curves. And he was the first to
implement my algorithm for the Weil pairing. So here is Neal. What happened
here? Okay. And here's Nelson Stephens. Then in 1969 and now. And here is
Kevin McCurley in two characteristic poses. [laughter]. Back in his hippy days
and back in his -- you know, now that he's a big deal at Google, now he can be
like Caesar, I guess.
Here is Ming-Deh Huang. And Burt Kaliski. There were a few weak cases,
which I didn't notice. So Alfred Menezes, Okamoto and Vanstone, well, at least
two of them are here, used the Weil pairing, which I'll talk about in just a second,
in a case that I missed, supersingular curves, more generally what's called low
embedding degree.
And later Gerhard Frey and Hans-Georg Ruck used the Tate pairing, which is
closely related to the Weil pairing, with curves with P minus 1 points.
And Nigel Smart, Igor Semaev, Takakazu Satoh and Kiyomichi Araki
for curves with P points. Those were mentioned. Here's Menezes, Okamoto and
Vanstone. Here's Gerhard Frey and Hans-Georg Ruck and Nigel Smart.
And primality proving. Well, Shafi Goldwasser who is here and her student, Joe
Kilian, gave a polynomial size certificate for primality of a positive fraction of
primes using elliptic curves. This was -- am I wrong about [inaudible] that's the
way I understood it.
This was sort of one of the did I go outstanding problems in complexity is are -- it
was known that you could prove that a -- that P was prime, prime in random
polynomial time or if you assume various extended Riemann hypotheses, but the
question was, was it done in polynomial time or could you even give -- so
basically this was, you know, one of the first chinks in this. And later, the late Oliver
Atkin and Francois Morain generalized this to all curves even though this actually
depended on a certain reasonable conjecture which seems to be true. And I
guess Francois will speak about this in more generality. And even though this
didn't relate to elliptic curves, in 2002, Agrawal, Kayal and Saxena gave a
deterministic polynomial time algorithm, not using elliptic curves. Well, here is
Shafi and Joe. And here is Oliver at the '69 conference and just a few years ago.
And here is Francois. And here is A, K, and S.
And then I said, you know, so why compute the Weil pairing? So the Weil pairing
is something that, well, given the name, was first introduced by -- in its current
form by Andre Weil sometime in the mid 1940s. And basically it's a bilinear
alternating Galois equivariant, non-degenerate pairing.
Basically, bilinear and alternating should be clear. Galois equivariant really just
means that if you start with your inputs in a particular field that your output ends
up in that field too. And basically it's used in a lot of places in elliptic curves in
particular the place algorithmically where it's mostly used, it's used in descent
calculations to find a basis of the Mordell-Weil group.
However, in that case, the N that you're computing with is usually pretty small.
So it never seemed to be necessary to come up with a really efficient
algorithm to calculate the thing, since N was usually like 2, in which case it was -- it was sort of obvious what the answer was.
But what about when N was big? So I started thinking about this. So basically
the other motivation was in Schoof's paper at the very end he put out sort of a
challenge saying well, we've given an algorithm to calculate the number of points
on the elliptic curve over the finite field but what about the group structure. The
group structure as was pointed out by Professor Frey is always a subgroup of Z
mod N cross Z mod N. So there's a real question of it's a particular group. You
know, what does this structure look like?
So what happened in December 1984, I gave a talk at IBM about elliptic curve
cryptography. Basically by then I had sort of firmed up my ideas. And Professor
Manuel Blum was in the audience and challenged me because I claimed that
these should be more difficult than ordinary discrete logs. So he said well, why
don't you give a reduction? And I thought, well that's a reasonable question.
And so what would be needed would be some easily computable homomorphism
from the multiplicative group of the finite field to the elliptic curve group. And I thought
about that. And the only thing that I knew that really related those two was the
Weil pairing. And -- well, there were two questions. Could I compute it quickly?
And then much to my horror, I found out it went the wrong way. It would seem to
give a reduction in a way that I didn't want.
But it turned out -- you know, so after an initial, you know, scare, I thought about
it more specifically and realized that it really wasn't a -- it really didn't destroy
elliptic curve cryptography at all, because the degree of the extension field that
you'd have to compute in would almost all the time have to be immense. In fact,
it would have to be almost as big as P. So, in other words, you would actually
have to write down points that had P bits where P was, say, a -- you know, was
around size 2 to the 150th. So that clearly was completely impossible.
So I breathed a sigh of relief. But I went back to saying well, actually, can I
compute this?
So the problem is that if you take the original definitions you need to evaluate a
function on the curve of very high degree of essentially degree N. And remember
here, N is going to be roughly about the same size as P. So in theory, you know,
the classical way you learn about it is in Riemann-Roch you essentially reduce
this to linear algebra and say all you -- quote, all you have to do is to find the
coefficients of this rational function. But the degree of the rational function was
about N. So it's clear that that approach was going nowhere.
So after thinking about it for a while, you could see that you could use the
process of quickly computing a multiple of a point to give an algorithm which took
place in big O of log P. And I wrote up the paper in '85 and the paper was sort of
widely circulated and as an unpublished manuscript. And I actually submitted it
to the FOCS conference with other things, but that was also rejected. And an
expanded version I finally published in the Journal of Cryptology.
So here was Manuel Blum.
And as far as the group structure, so the whole idea is an abstract group it's
known -- I mean, this has been known for a while that the group is isomorphic to
Z mod DZ cross Z mod DEZ for some positive integers D and E. And so to find
the group structure, the specific problem is given E over FP, find D and E.
And by Schoof's algorithm, we can find D squared E, which is the order of the
group, very quickly. And the Weil pairing lets us find D and E. The whole idea is
the Weil pairing, since it's non-degenerate, if I give you a pair of points, the Weil
pairing can quickly determine whether or not the pair of points generate the
whole group, and then if it does, it actually gets you D.
Well, once you have D and you have D squared E, you also have E. So that
does it. But one of the things is you need to factor the GCD of P minus 1 and the
number of points in the curve. And most of the time that's going to be small. But,
in fact, the latter problem was analyzed just a few years ago by Friedlander,
Pomerance and Shparlinski, who are over here. And so here's the thing.
So in 1984, Adi Shamir proposed something called Identity Based Encryption.
And so this was just a sort of paper exercise at the time. Because he had no
idea how to implement this practically. And in 2000, Joux gave the first steps
toward realizing this, and he used my Weil pairing algorithm to do this. And then
finally in the next year, Boneh and Franklin gave the first fully functional version,
also using the Weil pairing. And so now it turns out pairing based cryptography
is now a really burgeoning subfield -- actually it says hundreds of papers. I
should modify that. I think thousands of papers now I find amazing. So here is
Adi Shamir. And here is Antoine Joux. And here is Dan Boneh again and Matt
Franklin.
And basically elliptic curve cryptography is now used in many standards. And
even the NSA has the case for elliptic curve cryptography.
And it's used in Blackberries, Windows Media Player, standards for biometric
data on passports. I even was told the US Federal Aviation Administration had at
least -- I don't know if it ever came to pass, was going to use it in some sort of
collision avoidance system and a host of things. I've completely lost track of
what's going on.
So basically I would say -- and another cartoon from the New Yorker. And ask,
you know, how's everything going? And no talk on public key cryptography
would be complete without Alice and Bob. [laughter]. And here's my version of
Alice and Bob. So okay.
[applause].
>> Kristin Lauter: We have time for a quick question if anyone has any
questions.
>>: Where is Victor now and then?
>> Victor Miller: Where is [laughter].
>> Victor Miller: Where is Victor now and then? [laughter].
>>: A picture.
>> Victor Miller: Oh, I don't know. Well, nobody -- nobody uses Victor you know
as the players. I mean, they have used Eve, they have used I don't know,
Quinton for a quantum. I don't know, you know. I'm anonymous.
>>: [inaudible].
>> Victor Miller: Huh?
>>: Verifier.
>> Victor Miller: Verifier. That's true, Victor the verifier. All right.
>> Kristin Lauter: Okay. So I think we're going to take a little more than a
five-minute break before Francois' talk.
[applause]