Expander Graphs, GRH, and the Elliptic Curve Discrete Logarithm
Stephen D. Miller
Rutgers University
Joint work with
David Jao and Ramarathnam Venkatesan
Microsoft Research Cryptography and Anti-Piracy Group
http://www.math.rutgers.edu/~sdmiller
Brief Overview
Many cryptographic applications are based on the discrete
logarithm.
Important example: DLOG on elliptic curves.
Is it always equally hard? Are there “good curves” and
“bad curves”?
Main result: in some situations curves have equivalent
difficulty.
Mathematical content: proof/techniques use
• Elliptic Curves
• Expander Graphs
• Modular Forms
• L-functions
• Generalized Riemann Hypothesis
Motivating Example: Microsoft Product Key
• When Windows or Microsoft Office are installed, the user is required to enter a 25-digit alphanumeric antipiracy code.
• This code (“key”) must be short.
• The computer must be able to quickly recognize whether or not this is a valid key, without giving away any clue as to how to manufacture additional valid keys.
• Otherwise thieves would copy the software CDs and illegally resell them with new codes. Key=CA$H.
• Future attacks will be faster. How can one keep the key short, yet still keep up with the attackers?
• This requires new methods and cryptosystems. Serious mathematics involved in design.
Cryptography
• Mathematical methods to hide information.
• Based on the difficulty of some underlying mathematical problem.
• Well-known problems include:
– Pre-computer age: guessing keys, inverting ax+b (mod n).
– Factoring (RSA).
– Discrete Logarithm.
– Braid group conjugacy problem.
….. But a good problem is just the start – implementation matters, too!
Other factors
A good cryptosystem needs more than just a hard problem behind it.
• It’s rare to reduce the cryptosystem directly to the underlying problem, for example…
• Hypothetically: RSA might be easier than factoring.
Some desired attributes:
• Speed of encryption and decryption.
• Use of a large state space – without having to store it all.
• Short “keys” (passwords).
• Stability against foreseen attacks. Leave no trace.
Example of a difficult underlying problem:
Discrete Logarithm on (Z/pZ)*, p prime.
(Z/pZ)* is abstractly isomorphic to Z/(p-1)Z.
[Figure: the cyclic group Z/18Z (elements 0, …, 17) mapped onto (Z/19Z)* by k ↦ 2^k. The resulting sequence of powers of 2 mod 19 (2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10, 1) appears to be fairly random.]
For example, p=19: (Z/19Z)* ≅ Z/18Z is generated by powers of 2.
Example of a difficult underlying problem:
Discrete Logarithm on (Z/pZ)*, p prime.
Given p, y, and a generator g of (Z/pZ)*, solve g^x = y for x.
(In other words, explicitly invert the previous isomorphism.)
• Difficult because the values of g^x are very scattered (mod p) as x varies.
• Very important that p-1 have a large prime factor (otherwise one can use the Chinese remainder theorem to “bootstrap” from easier cases).
• Methods exist which are much faster than simply guessing. Some use the structure of Z.
• Possibly harder for more abstract incarnations of the same group. Different representations do not necessarily have equivalent DLOG problems.
– Example: (Z/pZ)* is abstractly isomorphic to Z/(p-1)Z. DLOG is very easy on the cyclic groups Z/mZ: one can easily solve ax = b (mod m) if a and m are relatively prime … especially when the generator a is 1 (tautological).
A cryptosystem using DLOG:
Diffie-Hellman key exchange
A method for two users to share a common password (without revealing it to the public).
1. Agree on group G, generator g.
2. Alice picks exponent x at random. Sends Bob g^x.
3. Bob picks exponent y at random. Sends Alice g^y.
4. Both Alice and Bob have common password key g^(xy) = (g^x)^y = (g^y)^x.
An eavesdropper sees g, g^x, g^y – but cannot compute g^(xy) without solving DLOG.
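The toy group from the earlier slide and the exchange above, as an added example that is not part of the original slides: it lists the powers of 2 mod 19, checks that 2 generates (Z/19Z)*, solves the DLOG by baby-step giant-step (one of the “methods much faster than simply guessing”), and runs the four-step Diffie-Hellman exchange, returning what an eavesdropper sees alongside the two derived keys. The function names and the choice of p = 19, g = 2 are mine; a real deployment uses a group far too large for the square-root-time solver to matter.

```python
# Added example (not from the slides): DLOG in (Z/pZ)^* for the slide's toy
# prime p = 19, and a Diffie-Hellman exchange in the same group.
from math import isqrt
from secrets import randbelow


def powers_of(g, p):
    """The sequence g^1, g^2, ..., g^(p-1) mod p, i.e. the map k -> g^k."""
    return [pow(g, k, p) for k in range(1, p)]


def is_generator(g, p):
    """g generates (Z/pZ)^* iff its powers hit every nonzero residue."""
    return set(powers_of(g, p)) == set(range(1, p))


def dlog_bsgs(g, y, p):
    """Baby-step giant-step: return x with g^x = y (mod p), or None.
    O(sqrt(p)) time and memory instead of trying every exponent."""
    m = isqrt(p - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):             # baby steps: g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_stride = pow(g, -m, p)   # g^(-m)
    cur = y
    for i in range(m):             # giant steps: y * g^(-i*m)
        if cur in baby:
            return i * m + baby[cur]
        cur = cur * giant_stride % p
    return None


def diffie_hellman(p, g):
    """Both sides' messages: Alice sends g^x, Bob sends g^y, each derives g^(xy).
    Returns (what the eavesdropper sees, Alice's key, Bob's key)."""
    x = 1 + randbelow(p - 2)       # Alice's secret exponent
    y = 1 + randbelow(p - 2)       # Bob's secret exponent
    A = pow(g, x, p)               # sent to Bob
    B = pow(g, y, p)               # sent to Alice
    k_alice = pow(B, x, p)
    k_bob = pow(A, y, p)
    return (g, A, B), k_alice, k_bob


if __name__ == "__main__":
    p, g = 19, 2
    print("powers of 2 mod 19:", powers_of(g, p))
    print("2 generates (Z/19Z)^*:", is_generator(g, p))
    print("log_2(11) mod 19 =", dlog_bsgs(2, 11, 19))   # 12, since 2^12 = 11 (mod 19)
    public, ka, kb = diffie_hellman(p, g)
    print("eavesdropper sees", public, "- keys agree:", ka == kb)
```

In a 19-element group the eavesdropper recovers x from g^x in a handful of steps; the security argument on the slide is exactly that this step should be infeasible at the real group sizes.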
DLOG on other abstract groups?
• Introduced because of subexponential attacks on
DLOG over (Z/nZ)*.
• Idea: Find an isomorphic group where the
structure of the integers is not as apparent.
• Also want computation to be efficient, e.g. by
polynomial operations (rules out many abstract
choices).
• Elliptic Curves: the set of solutions to an equation of the form E: y^2 = x^3 + ax + b over a finite field satisfies these criteria.
What’s an elliptic curve?
More or less, the solutions to an equation of the form
E: y^2 = x^3 + ax + b
But over what field? What are x and y?
Over C, E is isomorphic to C/Λ, where Λ is a lattice ⊂ C (a torus).
In fact, the set of solutions always has an abelian group law.
Number Theory: study solutions over Fp = Z/pZ, or more generally over Fq.
Brief History of Elliptic Curve Cryptography
• Introduced by V. Miller and N. Koblitz circa 1985.
• Bit-for-bit gives very strong cryptography, compared to
e.g. RSA.
• RSA, EC, etc: backbone of $2 billion/year industry.
• Drawbacks:
– Elliptic curves are not well understood by mathematicians or
cryptographers.
– Perhaps danger of hidden attacks possibly outweighs
benefits of use (?).
• Therefore it is crucial to understand various risks.
Many mathematically interesting challenges remain.
How are elliptic curves selected?
Essentially: known pitfalls are avoided, with limited understanding.
• Unlike DLOG on (Z/nZ)*, there can be
many elliptic curves having the same order.
• Elliptic curves over finite fields can be
– “supersingular”: have subexponential attacks.
– “ordinary”: so far, no subexponential attacks.*
• Want E(Fq) to be prime, or at least have a
large prime factor. E(Fq) should be a cyclic
group.
Are any other factors important?
Perhaps some curves are better
than others?
• Widely thought that ordinary curves are superior
to supersingular curves.
• National Institute of Standards and Technology
(NIST) – Part of US Department of Commerce.
– Proposed a family of convenient curves to serve as
standards for Elliptic Curve Cryptography.
– Some users fear these curves are cryptographically
weak.
– How can the consumer know they have a good curve
or not? Is my neighbor’s stronger?
Settling this “conspiracy theory” is an important practical question, no matter the outcome
Example of a NIST curve
NIST P-192
• Characteristic p = 6277101735386680763835789423207666416083908700390324961279
• Elliptic curve E: y^2 = x^3 - 3x + 2455155546008943817740293915197451784769108058161191238065 over Fp
• Number of points = #E = 6277101735386680763835789423176059013767194773182842284081 (a prime)
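The group law and the selection criteria from the preceding slides, as an added example that is not part of the original slides: affine point addition and double-and-add on y^2 = x^3 + ax + b over Fp, a brute-force count of #E(Fp) for a small constructed curve (y^2 = x^3 + x + 6 over F11, which has 13 points, so it is cyclic of prime order), and the checks a practitioner would run on the P-192 parameters quoted above: the curve is nonsingular, #E is prime, and #E lies in the Hasse interval |#E - (p+1)| ≤ 2√p. Function names and the toy curve are my own choices; the P-192 values are copied from the slide.

```python
# Added example (not from the slides): elliptic-curve arithmetic over F_p,
# point counting on a toy curve, and sanity checks on the quoted NIST P-192 data.
from random import randrange

INF = None  # the point at infinity, identity of the group law


def is_on_curve(P, p, a, b):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_add(P, Q, p, a):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over F_p (affine)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                       # P + (-P) = O
    if P == Q:                           # tangent slope
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P, p, a):
    """Double-and-add scalar multiplication k*P."""
    R = INF
    while k > 0:
        if k & 1:
            R = ec_add(R, P, p, a)
        P = ec_add(P, P, p, a)
        k >>= 1
    return R


def count_points(p, a, b):
    """#E(F_p) by brute force (fine for tiny p): affine solutions plus infinity."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return 1 + sum(len(roots.get((x ** 3 + a * x + b) % p, [])) for x in range(p))


def is_probable_prime(n, rounds=20):
    """Miller-Rabin; enough here to check the group orders in question."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def hasse_ok(p, n):
    """Hasse bound: |#E - (p+1)| <= 2*sqrt(p), checked without floating point."""
    t = p + 1 - n
    return t * t <= 4 * p


# NIST P-192 parameters as quoted on the slide (a = -3).
P192_P = 6277101735386680763835789423207666416083908700390324961279
P192_B = 2455155546008943817740293915197451784769108058161191238065
P192_N = 6277101735386680763835789423176059013767194773182842284081


def check_p192():
    """Nonsingular, prime order, and order inside the Hasse interval."""
    nonsingular = (4 * pow(-3, 3, P192_P) + 27 * P192_B * P192_B) % P192_P != 0
    return nonsingular and is_probable_prime(P192_N) and hasse_ok(P192_P, P192_N)


if __name__ == "__main__":
    p, a, b = 11, 1, 6                    # constructed toy curve y^2 = x^3 + x + 6
    n = count_points(p, a, b)
    print("#E(F_11) =", n, "prime:", is_probable_prime(n))
    G = (2, 7)
    assert is_on_curve(G, p, a, b)
    print("2G =", ec_mul(2, G, p, a), " 13G =", ec_mul(n, G, p, a))  # 13G is O
    print("P-192 checks pass:", check_p192())
```

Because #E(F11) = 13 is prime, every point other than O generates the whole group, which is the “E(Fq) should be a cyclic group” criterion in its simplest form; the P-192 check is the same test at real-world size.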
Important Notion: Isogeny Class
• An isogeny is a nontrivial algebraic map between two elliptic curves. It is a group homomorphism. Examples:
1. Map any E to itself by z ↦ 2z (called an endomorphism).
2. Map C/Z[i] → C/Z[2i] by z ↦ 2z.
3. Map C/Z[i] → C/Z[i] by z ↦ iz (called complex multiplication, “CM”).
• Tate’s Isogeny Theorem: two elliptic curves over Fq with the same number of points are isogenous over Fq (isogenies exist between them in both directions).
• Related to commensurability.
• Isogenies give an explicit reduction between DLOG on different curves if they each have the same number of prime points. (Identical cyclic groups.)
• So because of Tate’s theorem, the selection problem can be reinterpreted: is isogeny class a fine enough invariant for curve selection? Or is more needed?
Notions of Level, Conductor (technical)
• Given an elliptic curve E over Fq, let End(E) denote the endomorphisms of E (= isogenies + the trivial, zero map) which are defined over the algebraic closure of Fq.
• For an ordinary elliptic curve, End(E) is an order in some imaginary quadratic number field K = Q(√-d).
• This field K is an invariant of the isogeny class (called the “Complex Multiplication Field”).
• Orders are always of the form O_D = Z + c·O_K, where O_K is the ring of algebraic integers in K (solutions to monic integral polynomials).
• The discriminant of the order O_D is related to the discriminant d of K by D = c^2 d. Curves for a given constant value of c form levels.
• Isogenies can therefore be of two forms:
– They can preserve D (“horizontal”).
– Or they can change D (“vertical”).
• Supersingular curves all lie on the same level (by definition), so this is really an issue pertaining to ordinary curves.
Levels of curves
Statement of Theorem
Jao, M-, Venkatesan (2004): Assuming the Generalized Riemann Hypothesis (GRH), the DLOG problem on isogenous elliptic curves is “random reducible” in the following sense:
Given any algorithm A that solves DLOG on some ε-fraction of curves in a level, one can probabilistically solve DLOG on any curve in the same level with polylog(q)/ε queries to A with random inputs.
Without assuming GRH, but the weaker Lindelöf hypothesis: subexponentially many queries instead of polynomially many.
Applications to NIST Curves
All NIST and IPSec international standards elliptic curves have c_max = 1 (except NIST P-256, which has c_max = 3, and the NIST K family of Koblitz curves, which a priori have large c_max).
c_max is a measure of how hard it is to reduce DLOG on a curve to other curves over Fq which have the same number of points.
Since it is small, this means that the NIST and IPSec curves (aside from the K curves) lie on the simplest levels. Their DLOG problems are therefore random reducible to all other typical curves on those levels.
Hence their DLOGs are no easier or harder than those for typical curves. No “Conspiracy”.
Method of proof uses “Isogeny Graphs”
• Low degree isogenies between elliptic curves provide explicit polynomial time reductions between the curves they connect.
• An “isogeny graph” is a graph whose vertices represent all the elliptic curves on a given level, and whose edges represent low degree isogenies (of degree (log q)^(2+ε), ε > 0).
• Mixing Hypothesis: suppose that the random walk on this graph mixes rapidly (i.e. after polylog(q) steps one reaches any vertex with uniform probability up to a small error). This is proven using GRH.
• Then by computing random low degree isogenies, DLOG can be explicitly reduced between any two curves on that level.
• Therefore DLOG has uniform difficulty on this level (assuming the Mixing Hypothesis).
[Figure: various elliptic curves on the same level; arrows represent equivalences between DLOG on different curves.]
Application: generating random isogenies, studying mixing.
These applications of GRH and expander graphs are used in estimating the security of the upcoming Windows Longhorn product key algorithm (2006). Also, this solidifies earlier heuristic cryptographic arguments which relied upon rapid mixing of the random walk (Kohel, Galbraith et al).
Brief Review of Graph Theory
• Definitions: A graph Γ is a collection of vertices V, and (undirected) edges E connecting the vertices.
• A k-regular graph has exactly k edges meeting at each vertex.
• Adjacency operator A on L^2(V) averages the function over its neighbors: A: f(x) ↦ Σ_{y~x} f(y)
• The constant functions on V are eigenfunctions with the trivial eigenvalue λ = k.
Expander Graphs
• Graphs for which the random walk mixes rapidly (= uniformly distributed up to small error). Assume degree k is relatively small compared to the size of the graph |V| -- e.g. k = (log|V|)^power.
• If all nontrivial eigenvalues of A satisfy |λ| < k – 1/(log k)^r for some r, then the random walk mixes in (log k)^(r+1) steps. Can serve as definition of “expander”.
• “Optimal” bound is |λ| < 2(k-1)^(1/2), known as the Ramanujan bound.
• Isogeny graphs are close to being “Ramanujan graphs”: can have |λ| = O(k^(1/2+ε)).
Brief History of Expander Graphs
• Originally shown to exist by counting methods
Pinsker: There are far more graphs than there are
non-expander graphs.
• Margulis (70s, 80s), Lubotzky-Phillips-Sarnak (1986)
give first constructions.
• LPS “Ramanujan graphs” use the (known) Ramanujan
conjectures in their proof. The Ramanujan conjectures
in number theory are a statement about optimal
cancellation in random sums.
• Other constructions: Reingold-Vadhan-Wigderson “ZigZag”, algebraic geometry. Have algebraic flavor.
The Isogeny Graphs are Expanders
• Supersingular case: essentially already
observed by Ihara, Mestre, and Pizer.
Relies on (known) Ramanujan conjectures
as well, properties of Brandt matrices.
• Ordinary case (JMV): construction of
isogeny graphs is a new method of
constructing expanders with small degree
k = (log|V|)power. Relies conditionally on
the (unproven) Generalized Riemann
Hypothesis “GRH”.
“GRH Graphs”
New, conditional construction of expander graphs.
• Let Q be a large integer.
• Let S = { primes p < (log Q)^B, p ∤ Q }, for B > 2.
• Define the graph Γ to have
– vertices V = (Z/QZ)*.
– edges connecting v to pv, for each v ∈ V and p ∈ S.
– (Γ is the Cayley graph of the group (Z/QZ)* with respect to the generating set S).
• Theorem – Assuming GRH, Γ is an expander: its nontrivial eigenvalues satisfy the bound |λ| = O(k^(1/2+1/B)).
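The Cayley graph Γ just defined, together with the mixing notion from the Expander Graphs slide, as an added example that is not part of the original slides: the code builds Γ for a small constructed modulus (Q = 1009, B = 2.5, so S is the 30 primes below 126 and k = 60), runs the random walk from a single vertex, and reports its total-variation distance from the uniform distribution after t steps, side by side with the same walk on the graph generated by a single prime (a union of long cycles, which cannot mix in few steps). Function names and the values of Q and B are my own; the theorem concerns large Q, so this only illustrates the behaviour it predicts.

```python
# Added example (not from the slides): the "GRH graph" on (Z/QZ)^* for a small
# constructed Q, with a random-walk mixing check against a non-expander.
from math import gcd, log


def primes_below(n):
    """Sieve of Eratosthenes: all primes p < n."""
    flags = bytearray([1]) * max(n, 2)
    flags[0] = flags[1] = 0
    for i in range(2, int(n ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i in range(n) if flags[i]]


def generating_set(Q, B):
    """S = { primes p < (log Q)^B, p not dividing Q }, as on the slide."""
    return [p for p in primes_below(int(log(Q) ** B) + 1) if Q % p != 0]


def units(Q):
    """The vertex set V = (Z/QZ)^*."""
    return [v for v in range(1, Q) if gcd(v, Q) == 1]


def cayley_neighbors(Q, S):
    """Undirected Cayley graph: v ~ p*v and v ~ p^(-1)*v for each p in S.
    Returns vertex -> neighbor list (with multiplicity), so the graph is
    k-regular with k = 2|S|."""
    nbrs = {}
    for v in units(Q):
        nbrs[v] = []
        for p in S:
            nbrs[v].append(v * p % Q)
            nbrs[v].append(v * pow(p, -1, Q) % Q)
    return nbrs


def tv_from_uniform_after(nbrs, start, steps):
    """Total-variation distance between the walk's distribution after `steps`
    steps from `start` and the uniform distribution on the vertices."""
    V = list(nbrs)
    k = len(nbrs[start])
    dist = {v: 0.0 for v in V}
    dist[start] = 1.0
    for _ in range(steps):
        nxt = {v: 0.0 for v in V}
        for v in V:
            share = dist[v] / k          # move to each neighbor with prob 1/k
            if share:
                for w in nbrs[v]:
                    nxt[w] += share
        dist = nxt
    u = 1.0 / len(V)
    return 0.5 * sum(abs(dist[v] - u) for v in V)


def mixing_report(Q, B, steps):
    """(TV distance on the GRH graph, TV distance on the single-prime graph)."""
    S = generating_set(Q, B)
    expander = cayley_neighbors(Q, S)
    single = cayley_neighbors(Q, S[:1])  # one generator: a union of long cycles
    return (tv_from_uniform_after(expander, 1, steps),
            tv_from_uniform_after(single, 1, steps))


if __name__ == "__main__":
    Q, B = 1009, 2.5                       # constructed: a prime Q, B > 2
    S = generating_set(Q, B)
    print(f"|V| = {Q - 1}, |S| = {len(S)}, degree k = {2 * len(S)}")
    for t in (1, 2, 4, 8):
        good, bad = mixing_report(Q, B, t)
        print(f"after {t:2d} steps: GRH graph TV = {good:.4f}, single-prime graph TV = {bad:.4f}")
```

The distance on the GRH graph collapses within a handful of steps, which is what “mixes in polylog steps” means in practice, while the single-prime walk has visited at most 2t+1 vertices after t steps and stays near distance 1. The contrast is the whole point of insisting on a generating set of many small primes rather than one.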
Conclusions (Assuming GRH)
• DLOG has roughly equivalent difficulty on elliptic
curves over Fq whose endomorphism rings are
“comparable” in size.
• There is a random polynomial time reduction
(equivalence) between the DLOG problems on
such elliptic curves.
• NIST and IPSec international standards curves were not chosen so as to foist cryptographically weak curves upon an unsuspecting public.
• Method gives a new elementary construction of
expander graphs.