Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
A Random Walk TalkSteven Galbraith
Auckland University, NZ.
Joint work with
I Raminder Ruprai
I John Pollard
I Mark Holmes
Thanks to
I Tanja Lange
I Pierrick Gaudry
Steven Galbraith A Random Walk Talk
Advertisement: Mathematics of Public Key Cryptography
I’m (still) writing a book called “Mathematics of Public KeyCryptography”.
Some chapters available here:
http://www.isg.rhul.ac.uk/~ sdg/crypto-book/crypto-book.html
Please send me comments/corrections/suggestions.
Steven Galbraith A Random Walk Talk
Outline of this talk
The talk will be a random walkwith new results and random thoughtsand Pollard’s kangaroos (not snarks)jumping down the line.
While Tanja Lange knits some socksI’ll show the birthday paradoxand keeping an eye on the clocksI’ll finish right on time.
Steven Galbraith A Random Walk Talk
Goals of this talk
I Advertise some open problems.
I Present a generalisation of the birthday paradox.
I Sketch some new algorithms for variants of the DLP.
I Finish right on time.
Steven Galbraith A Random Walk Talk
Algorithms for Computational Problems
Many problems in cryptography (for example, DLP) havealgorithms to solve them of the following types:
I Exhaustive search.“O(N) operations”.
I Time/memory tradeoff.“O(√
N) operations and O(√
N) storage”.
I Low memory randomised algorithm.“expected O(
√N) operations”.
Steven Galbraith A Random Walk Talk
Example
Consider the DLP in a group of prime order r : Given g , h to find asuch that h = ga.(I will write all groups multiplicatively in this talk.)
I Exhaustive search: O(r) group operations.
I Baby-step-giant-step: O(√
r) group operations and storage ofO(√
r) group elements.
I Pollard rho: expected O(√
r) group operations.Precisely, following van Oorschot and Wiener (i.e., usingdistinguished points), (1 + ε)
√πr/2 ≈ 1.25
√r group
operations.
I I’m interested in the constant.
Steven Galbraith A Random Walk Talk
Pollard row
Steven Galbraith A Random Walk Talk
Open Question
Low Hamming weight DLP: Given g , h,w to find 0 ≤ a < r , if itexists, such that h = ga and the Hamming weight of a is ≤ w .Let N =
(blog2(r)c+1w
).
I Time/memory tradeoff in O(√
N) group operations andstorage.
I Van Oorschot and Wiener have a general method to transforma time/memory tradeoff into a low memory algorithm, but itonly gives an algorithm with expected cN3/4 group operations.
I It is an open problem to give a low memory algorithm for thisproblem with expected running time of O(N1/2) groupoperations.
Steven Galbraith A Random Walk Talk
Clopen Question
Finding isogenies in the supersingular isogeny graph (graph of`-isogenies for a single prime `).E.g., finding collisions in the Charles-Goren-Lauter hash function.Let N be the size of the isogeny graph.
I Time/memory tradeoff in O(√
N) isogeny computations andstorage (G.).
I For ordinary elliptic curves there is a low memory algorithmfor this problem due to G.-Hess-Smart.(Some recent tricks by Anton Stolbunov.)
I A variant of the algorithm applies in the supersingular case,but there are some difficulties with the random walks.There should be an algorithm with complexity O(
√N) but it
is unclear what the precise running time should be.
Steven Galbraith A Random Walk Talk
The DLP in an Interval
I Given g , h,N find a, if it exists, such that h = ga and0 ≤ a < N.
I This problem does arise in practice (pseudorandom generatorby Gennaro, decryption in the Boneh-Goh-Nissim scheme,analysis of the static/strong Diffie-Hellman problem, etc).
I Pollard kangaroo method using distinguished points (vanOorschot and Wiener 1996/1999) solves problem in averagecase expected (1 + ε)2
√N group operations.
I Important: kangaroo method is not analysed using thebirthday paradox.
I 10 years pass . . .
Steven Galbraith A Random Walk Talk
Improved DLP in an Interval
Two ways to improve:
I Pollard 3 or 4 kangaroos method ≈ 1.71√
N.(Trick is to start wild kangaroos at both h and h−1.)
I Gaudry-Schost algorithm (cockroaches).
Steven Galbraith A Random Walk Talk
Gaudry-Schost Algorithm
I A way to tackle constrained problems using the birthdayparadox.
I One has a “tame set” T and a “wild set” W and seekscollisions in T ∩W .
I Basic idea for DLP in an interval:
T = {ga : 0 ≤ a < N}, and W = {hga : −N/2 < a < N/2}.
Then N/2 ≤ #(T ∩W ) ≤ N.
I This gives an algorithm with average case expected runningtime of (1 + ε)2.08
√N group operations – worse than Pollard
kangaroo.
I There are some inconvenient aspects: e.g., boundaries of Tand W .
Steven Galbraith A Random Walk Talk
Gaudry-Schost Algorithm
I The Gaudry-Schost algorithm (as with Pollard rho andkangaroo) is fundamentally different from the time/memorytradeoff.
I Time/memory tradeoff: Sets S1,S1 with #Si ≈√
N and#(S1 ∩ S2) = 1.
I Gaudry-Schost: Sets S1,S2 with #Si ≈ N and#(S1 ∩ S2) ≥ cN for some constant.
I There is great flexibility in the choice of sets.
I Combining smaller sets with the Pollard 4 kangaroo idea givesan algorithm for the DLP in an interval with average caseexpected time of 1.48
√N group operations (beating Pollard’s
1.71√
N).
Steven Galbraith A Random Walk Talk
A Variant of the Birthday Paradox
I To analyse the Gaudry-Schost algorithm one needs a variantof the birthday paradox.
I Placing balls of two colours (equally likely) into N urns, theexpected number of samples to get a collision is
√πN.
I Example: The expected number of people in a room,containing an equal number of boys and girls, to have a boyand a girl with the same birthday is 33.86 (compare with23.94 for any pair having the same birthday).
I Puzzle: In my hotel there is a meeting of the “boys born inJanuary” club, and a meeting of the “random girls” club.How many of each should I put in a room until I expect a boyand girl with the same birthday?
I What happens as the number of days in a year →∞ butJanuary is still about 1/12 of the days?
Steven Galbraith A Random Walk Talk
Equivalence Classes
I Many groups have efficiently computable automorphisms ψ.For example, the map ψ : g 7→ g−1 is easy for elliptic curvesand the torus T2.
I A very Canadian idea (Gallant-Lambert-Vanstone andWiener-Zuccherato) for solving the DLP is to define a randomwalk on G/ψ (sets of orbits in the group G under ψ).
I For Pollard rho, using equivalence classes with respect toinversion “should” speed-up the algorithm by a factor of
√2.
I A catch: lots of nasty little cycles in the pseudorandom walks.Handling these adds a significant overhead.
I All recent records for the ECDLP have not used equivalenceclasses (except for the case of Koblitz curves).
I See very nice papers by permutations of the authors Bos,Kaihara, Kleinjung and A. K. Lenstra.
Steven Galbraith A Random Walk Talk
DLP in an Interval Using Equivalence Classes
I It seems impossible to combine Pollard’s kangaroo algorithmwith equivalence classes.
I Consider DLP in an interval: g , h,N to find n, if it exists,such that h = gn and −N/2 ≤ n ≤ N/2.
I Define the tame set
T = {{ga, g−a} : −N/2 ≤ a ≤ N/2}
and
W = {{hga, (hga)−1} = {gn+a, g−(n+a)} : −N/2 ≤ a ≤ N/2}.
I We have #T ≈ N/2, but #W and #(T ∩W ) depend on n.
I Further subtlety: if one chooses a unique representative foreach class, one finds that sampling elements hga where a ischosen uniformly in −N/2 ≤ a ≤ N/2 does not necessarilycorrespond to sampling uniformly in W .
Steven Galbraith A Random Walk Talk
A Generalisation of the Birthday Paradox
(Building on work of Selivanov.)Theorem (G.-Holmes. beta version)Let C ∈ N. Balls will be chosen of colour 1 ≤ c ≤ C withprobability qc .Let N ∈ N (we consider this as variable). A ball of colour1 ≤ c ≤ C is assigned to urn 1 ≤ a ≤ N with probability qc,a.Suppose that some technical conditions hold.Let
AN =C∑
c=1
qc
C∑c ′=1,c ′ 6=c
qc ′
(N∑
a=1
qc,aqc ′,a
) .
Then the expected number of trials before an urn contains balls ofat least 2 different colours is√
π
2AN+ O(N1/4)
as N →∞.Steven Galbraith A Random Walk Talk
The answer to the puzzle
I Puzzle: In my hotel there is a meeting of the “boys born inJanuary” club, and a meeting of the “random girls” club.How many of each should I put in a room until I expect a boyand girl with the same birthday?
I What happens as the number of days in a year →∞ butJanuary is still about 1/12 of the days?
I 12 times more girls than boys? 6 times? 4 times? 3 times?Twice as many? The same number of each?
I Asymptotically, take an equal number of boys and girls!
Steven Galbraith A Random Walk Talk
DLP in an Interval Using Equivalence Classes
Theorem: (G.-Ruprai; PKC 2010) There is an algorithm to solvethe DLP in an interval of size N in groups with fast inversionwhich requires (ignoring the troubles with cycles) average expected(1 + ε)1.36
√N group operations.
Possibly can be slightly improved.
Steven Galbraith A Random Walk Talk
Higher Dimensional Versions
I The original Gaudry-Schost algorithm was introduced forsolving problems like: Given g1, g2, h,N1,N2 find (a1, a2) if itexists such that
h = ga11 ga2
2
and0 ≤ a1 ≤ N1, 0 ≤ a2 ≤ N2.
I Applications: point counting on hyperelliptic curves, hardessunderlies protocols of Brands, solving such problems is neededfor a result of Cramer, Gennaro and Schoenmakers, solvingvariants of the DLP corresponding to Frobenius expansionsand the GLV method.
I Let N = N1N2. G.-Ruprai (Cirencester 2009) show one cansolve the 2-dim DLP in 2.36
√N group operations.
Steven Galbraith A Random Walk Talk
Higher Dimensional Versions
I One can consider equivalence classes in this setting.This is still work-in-progress.
I Using equivalence classes under +/− in the 2-dim case itseems the average expected complexity could be as low as1.383
√N group operations (again, ignoring cycles).
This is a big speed up over 2.36√
N .
Steven Galbraith A Random Walk Talk
Conclusion
I The Gaudry-Schost algorithm is a really useful idea whichperhaps can be used to solve some currently unsolvedproblems.
I We have used it to combine the DLP in an interval (orhigher-dimensional box) with equivalence classes.
I We have developed a powerful generalisation of the birthdayparadox which will be a useful tool when working with theGaudry-Schost algorithm.
Steven Galbraith A Random Walk Talk