D Log Powerpoint


  • 7/30/2019 D Log Powerpoint

    1/26

Expander Graphs, GRH, and the Elliptic Curve Discrete Logarithm

Stephen D. Miller, Rutgers University

Joint work with

David Jao and Ramarathnam Venkatesan, Microsoft Research Cryptography and Anti-Piracy Group

http://www.math.rutgers.edu/~sdmiller


Brief Overview

Many cryptographic applications are based on the discrete logarithm.

Important example: DLOG on elliptic curves.

Is it always equally hard? Are there good curves and bad curves?

Main result: in some situations curves have equivalent difficulty.

Mathematical content: proof/techniques use elliptic curves, expander graphs, modular forms, L-functions, Generalized Riemann Hypothesis.


Motivating Example: Microsoft Product Key

When Windows or Microsoft Office are installed, the user is required to enter a 25-digit alphanumeric antipiracy code.

This code (key) must be short. The computer must be able to quickly recognize whether or not this is a valid key, without giving away any clue as to how to manufacture additional valid keys.

Otherwise thieves would copy the software CDs and illegally resell them with new codes. Key = CA$H.

Future attacks will be faster. How can one keep the key short, yet still keep up with the attackers?

This requires new methods and cryptosystems. Serious mathematics involved in design.


Cryptography

Mathematical methods to hide information.

Based on the difficulty of some underlying mathematical problem.

Well-known problems include:

Pre-computer age: guessing keys, inverting ax+b (mod n).

Factoring (RSA).

Discrete Logarithm.

Braid group conjugacy problem.

... But a good problem is just the start: implementation matters, too!


Other factors

A good cryptosystem needs more than just a hard problem behind it.

It's rare to reduce the cryptosystem directly to the underlying problem. For example, hypothetically: RSA might be easier than factoring.

Some desired attributes: speed of encryption and decryption.

Use of a large state space without having to store it all.

Short keys (passwords).

Stability against foreseen attacks. Leave no trace.


Example of a difficult underlying problem: Discrete Logarithm on (Z/pZ)*, p prime.

(Figure: the cyclic group Z/18Z drawn as a clock, with the residues 0, 1, 2, ..., 17 around a circle.)

(Z/pZ)* is abstractly isomorphic to Z/(p-1)Z.

For example, p = 19: (Z/19Z)* ≅ Z/18Z is generated by powers of 2.

(Figure: (Z/19Z)* ≅ Z/18Z, powers of 2 around a circle: 1, 2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10, and back to 1.)

This sequence appears to be fairly random: k → 2^k.


A cryptosystem using DLOG: Diffie-Hellman key exchange

A method for two users to share a common password (without revealing it to the public).

1. Agree on group G, generator g.

2. Alice picks exponent x at random. Sends Bob g^x.

3. Bob picks exponent y at random. Sends Alice g^y.

4. Both Alice and Bob have common password key g^(xy) = (g^x)^y = (g^y)^x.

An eavesdropper sees g, g^x, g^y but cannot compute g^(xy) without solving DLOG.

(Figure: the exchange, with g, g^x and g^y visible on the wire.)
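The following is an added illustration, not code from the talk: it uses the group of slide 6, (Z/19Z)* with generator 2, runs the exchange of slide 8 with both messages shown, and recovers the exponent by exhaustive search, which works only because p = 19 is tiny and is exactly the step that must be infeasible for real parameters. The fixed exponents x = 5, y = 11 are my choice for a reproducible run.

```python
import secrets

def powers_of(g, p):
    """Successive powers g^0, g^1, g^2, ... mod p, stopping when the cycle returns to 1."""
    seq, x = [], 1
    while True:
        seq.append(x)
        x = x * g % p
        if x == 1:
            return seq

def is_generator(g, p):
    """g generates (Z/pZ)* (p prime) iff its powers run through all p-1 nonzero residues."""
    return len(powers_of(g, p)) == p - 1

def dh_exchange(p, g, x=None, y=None):
    """Diffie-Hellman in (Z/pZ)*: returns what is visible on the wire plus each party's key.
    Secret exponents default to random values in [1, p-2]; fixed ones are allowed for tests."""
    x = secrets.randbelow(p - 2) + 1 if x is None else x
    y = secrets.randbelow(p - 2) + 1 if y is None else y
    A = pow(g, x, p)                        # Alice -> Bob
    B = pow(g, y, p)                        # Bob -> Alice
    return {"public": (g, A, B),            # everything an eavesdropper sees
            "alice": pow(B, x, p),          # (g^y)^x
            "bob": pow(A, y, p)}            # (g^x)^y

def dlog_bruteforce(g, h, p):
    """Smallest k with g^k = h (mod p) by exhaustive search, or None.
    Feasible only because p is tiny; for real group sizes this is the hard step."""
    x = 1
    for k in range(p - 1):
        if x == h:
            return k
        x = x * g % p
    return None

if __name__ == "__main__":
    p, g = 19, 2                            # the slide's example group
    print("powers of 2 mod 19:", powers_of(g, p), "generator:", is_generator(g, p))
    ex = dh_exchange(p, g, x=5, y=11)       # fixed exponents so the run is reproducible
    print("on the wire:", ex["public"], "keys agree:", ex["alice"] == ex["bob"])
    _, A, _ = ex["public"]
    print("eavesdropper recovers x =", dlog_bruteforce(g, A, p), "for p = 19")
```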


DLOG on other abstract groups?

Introduced because of subexponential attacks on DLOG over (Z/nZ)*.

Idea: find an isomorphic group where the structure of the integers is not as apparent.

Also want computation to be efficient, e.g. by polynomial operations (rules out many abstract choices).

Elliptic curves: the set of solutions to an equation of the form

E : y^2 = x^3 + a x + b

over a finite field satisfies these criteria.


What's an elliptic curve?

More or less, the solutions to an equation of the form

E : y^2 = x^3 + a x + b

But over what field? What are x and y?

Over C, E is isomorphic to the quotient of C by a lattice (a torus).

In fact, the set of solutions always has an abelian group law.

Number theory: study solutions over F_p = Z/pZ, or more generally over F_q.


Brief History of Elliptic Curve Cryptography

Introduced by V. Miller and N. Koblitz circa 1985.

Bit-for-bit gives very strong cryptography, compared to e.g. RSA.

RSA, EC, etc.: backbone of a $2 billion/year industry.

Drawbacks: elliptic curves are not well understood by mathematicians or cryptographers. Perhaps the danger of hidden attacks possibly outweighs the benefits of use (?).

Therefore it is crucial to understand the various risks.

Many mathematically interesting challenges remain.


How are elliptic curves selected?

Unlike DLOG on (Z/nZ)*, there can be many elliptic curves having the same order.

Elliptic curves over finite fields can be:

supersingular: have subexponential attacks.

ordinary: so far, no subexponential attacks.*

Want #E(F_q) to be prime, or at least have a large prime factor. E(F_q) should be a cyclic group.

Essentially: known pitfalls are avoided, with limited understanding.

Are any other factors important?


Perhaps some curves are better than others?

Widely thought that ordinary curves are superior to supersingular curves.

National Institute of Standards and Technology (NIST): part of the US Department of Commerce. Proposed a family of convenient curves to serve as standards for Elliptic Curve Cryptography.

Some users fear these curves are cryptographically weak. How can the consumer know whether they have a good curve or not? Is my neighbor's stronger?

Settling this conspiracy theory is an important practical question, no matter the outcome.


Example of a NIST curve

NIST P-192. Characteristic p = 6277101735386680763835789423207666416083908700390324961279

Elliptic curve E: y^2 = x^3 - 3x + 2455155546008943817740293915197451784769108058161191238065 over F_p

Number of points = #E = 6277101735386680763835789423176059013767194773182842284081 (a prime)
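As an added check that is not part of the talk, the P-192 parameters quoted above can be verified directly: the code below implements the affine group law, finds a point on the curve, and confirms that multiplying it by the stated #E gives the point at infinity. Since #E is prime and is the only multiple of itself inside the Hasse interval, this pins down the group order. The curve arithmetic is a textbook implementation of my own, not the authors' code.

```python
P192_P = 6277101735386680763835789423207666416083908700390324961279   # p (from the slide)
P192_B = 2455155546008943817740293915197451784769108058161191238065   # b in y^2 = x^3 - 3x + b
P192_N = 6277101735386680763835789423176059013767194773182842284081   # #E, prime (from the slide)
A = -3
INF = None  # point at infinity, the identity of E(F_p)

def ec_add(P, Q, p=P192_P, a=A):
    """Chord-and-tangent addition in affine coordinates over F_p (p an odd prime)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                         # Q == -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, P, p=P192_P, a=A):
    """Double-and-add scalar multiplication n*P."""
    R = INF
    while n:
        if n & 1:
            R = ec_add(R, P, p, a)
        P = ec_add(P, P, p, a)
        n >>= 1
    return R

def find_point(x0=1, p=P192_P, a=A, b=P192_B):
    """First x >= x0 with x^3 + ax + b a square mod p.  P-192's p is 3 mod 4, so a
    square root of rhs is rhs^((p+1)/4); squaring it back tells us whether rhs was a square."""
    assert p % 4 == 3
    x = x0
    while True:
        rhs = (x * x * x + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)
        x += 1

def order_is_consistent(n=P192_N, p=P192_P, a=A, b=P192_B):
    """Lagrange: n*P = O for a point P of E iff the order of P divides n.  With n prime
    and the only multiple of itself in the Hasse interval, n*P = O confirms #E = n."""
    P = find_point(1, p, a, b)
    return ec_mul(n, P, p, a) is INF
```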


Important Notion: Isogeny Class

An isogeny is a nontrivial algebraic map between two elliptic curves. It is a group homomorphism.

Examples:

1. Map any E to itself by z → 2z (called an endomorphism).

2. Map C/Z[i] → C/Z[2i] by z → 2z.

3. Map C/Z[i] → C/Z[i] by z → iz (called complex multiplication, CM).

Tate's Isogeny Theorem: two elliptic curves over F_q with the same number of points are isogenous over F_q (isogenies exist between them in both directions).

Related to commensurability.

Isogenies give an explicit reduction between DLOG on different curves if they each have the same prime number of points. (Identical cyclic groups.)

So because of Tate's theorem, the selection problem can be reinterpreted: is isogeny class a fine enough invariant for curve selection? Or is more needed?


Notions of Level, Conductor (technical)

Given an elliptic curve E over F_q, let End(E) denote the endomorphisms of E (= isogenies + the trivial, zero map) which are defined over the algebraic closure of F_q.

For an ordinary elliptic curve, End(E) is an order in some imaginary quadratic number field K = Q(√-d).

This field K is an invariant of the isogeny class (called the Complex Multiplication Field).

Orders are always of the form O_D = Z + c O_K, where O_K is the ring of algebraic integers in K (solutions to monic integral polynomials).

The discriminant of the order O_D is related to the discriminant d of K by D = c^2 d. Curves for a given constant value of c form levels.

Isogenies can therefore be of two forms: they can preserve D (horizontal), or they can change D (vertical).

Supersingular curves all lie on the same level (by definition), so this is really an issue pertaining to ordinary curves.

(Figure: levels of curves.)


Statement of Theorem

Jao, M-, Venkatesan (2004): Assuming the Generalized Riemann Hypothesis (GRH), the DLOG problem on isogenous elliptic curves is random reducible in the following sense: given any algorithm A that solves DLOG on some ε-fraction of the curves in a level, one can probabilistically solve DLOG on any curve in the same level with polylog(q)/ε queries to A with random inputs.

Without assuming GRH, but the weaker Lindelöf hypothesis: subexponentially many queries instead of polynomially many.


Applications to NIST Curves

All NIST and IPSec international standards elliptic curves have c_max = 1 (except NIST P-256, which has c_max = 3) (and the NIST K family of Koblitz curves, which a priori have large c_max). c_max is a measure of how hard it is to reduce DLOG on a curve to other curves over F_q which have the same number of points.

Since it is small, this means that the NIST and IPSec curves (aside from the K curves) lie on the simplest levels. Their DLOG problems are therefore random reducible to all other typical curves on those levels.

Hence their DLOGs are no easier or harder than those for typical curves. No conspiracy.


Method of proof uses Isogeny Graphs

Low degree isogenies between elliptic curves provide explicit polynomial time reductions between the curves they connect.

An isogeny graph is a graph whose vertices represent all the elliptic curves on a given level, and whose edges represent low degree isogenies (of degree at most (log q)^(2+ε), ε > 0).

Mixing Hypothesis: suppose that the random walk on this graph mixes rapidly (i.e. after polylog(q) steps one reaches any vertex with uniform probability up to a small error).

This is proven using GRH. Then by computing random low degree isogenies, DLOG can be explicitly reduced between any two curves on that level.

Therefore DLOG has uniform difficulty on this level (assuming the Mixing Hypothesis).

(Figure: various elliptic curves on the same level; arrows represent equivalences between DLOG on different curves.)


Application: generating random isogenies, studying mixing

These applications of GRH and expander graphs are used in estimating the security of the upcoming Windows Longhorn product key algorithm (2006).

Also, solidifies earlier heuristic cryptographic arguments which relied upon rapid mixing of the random walk (Kohel, Galbraith et al.).


Brief Review of Graph Theory

Definitions: a graph is a collection of vertices V, and (undirected) edges E connecting the vertices.

A k-regular graph has exactly k edges meeting at each vertex.

The adjacency operator A on L^2(V) sums the function over the neighbors of each vertex:

A: f(x) → Σ_{y ~ x} f(y)

The constant functions on V are eigenfunctions with the trivial eigenvalue = k.


Expander Graphs

Graphs for which the random walk mixes rapidly (= uniformly distributed up to small error). Assume the degree k is relatively small compared to the size of the graph |V|, e.g. k = (log |V|)^power.

If all nontrivial eigenvalues λ of A satisfy |λ| < k/(log k)^r for some r, then the random walk mixes in (log k)^(r+1) steps. This can serve as the definition of an expander.

The optimal bound is |λ| < 2(k-1)^(1/2), known as the Ramanujan bound.

Isogeny graphs are close to being Ramanujan graphs: they can have |λ| = O(k^(1/2+ε)).


Brief History of Expander Graphs

Originally shown to exist by counting methods (Pinsker): there are far more graphs than there are non-expander graphs.

Margulis (70s, 80s), Lubotzky-Phillips-Sarnak (1986) give the first constructions.

LPS Ramanujan graphs use the (known) Ramanujan conjectures in their proof. The Ramanujan conjectures in number theory are a statement about optimal cancellation in random sums.

Other constructions: Reingold-Vadhan-Wigderson zig-zag, algebraic geometry. Have algebraic flavor.


The Isogeny Graphs are Expanders

Supersingular case: essentially already observed by Ihara, Mestre, and Pizer. Relies on the (known) Ramanujan conjectures as well, and on properties of Brandt matrices.

Ordinary case (JMV): the construction of isogeny graphs is a new method of constructing expanders with small degree k = (log |V|)^power. Relies conditionally on the (unproven) Generalized Riemann Hypothesis, GRH.


GRH Graphs

Let Q be a large integer.

Let S = { primes p < (log Q)^B, p ∤ Q }, for B > 2.

Define the graph to have vertices V = (Z/QZ)*, and edges connecting v to pv for each v ∈ V and p ∈ S. (This is the Cayley graph of the group (Z/QZ)* with respect to the generating set S.)

Theorem: assuming GRH, this graph is an expander: its nontrivial eigenvalues satisfy the bound |λ| = O(k^(1/2+1/B)).

New, conditional construction of expander graphs.
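To make the construction concrete, here is an added example (not from the talk) that builds the graph above for a small prime Q, computes its full spectrum through the characters of the cyclic group (Z/QZ)*, which needs the discrete logarithms of the primes in S, and measures how fast the random walk approaches the uniform distribution. Q = 101 and B = 2.5 are my choices; the eigenvalue formula relies on (Z/QZ)* being cyclic, so it applies only to prime Q.

```python
from math import log, gcd, cos, pi

def primes_below(n):
    """Primes < n by trial division (all inputs here are tiny)."""
    return [m for m in range(2, n) if all(m % d for d in range(2, int(m ** 0.5) + 1))]

def grh_graph(Q, B):
    """The slide's graph: vertices (Z/QZ)*, v joined to p*v for each prime p < (log Q)^B not
    dividing Q.  Edges are undirected, so v is also joined to p^-1 * v; the degree is k = 2|S|."""
    bound = log(Q) ** B
    S = [p for p in primes_below(int(bound) + 1) if p < bound and Q % p]
    inv = [pow(p, -1, Q) for p in S]
    V = [v for v in range(1, Q) if gcd(v, Q) == 1]
    return V, S, lambda v: [p * v % Q for p in S] + [q * v % Q for q in inv]

def spectrum(Q, B):
    """Adjacency eigenvalues for prime Q.  (Z/QZ)* is then cyclic, and its characters
    diagonalise the Cayley graph: lambda_j = sum_{p in S} 2 cos(2 pi j ind(p) / (Q-1)),
    ind(p) being the discrete log of p to a primitive root g (brute-forced, Q is tiny)."""
    _, S, _ = grh_graph(Q, B)
    n = Q - 1
    g = next(g for g in range(2, Q)
             if all(pow(g, n // f, Q) != 1 for f in primes_below(n + 1) if n % f == 0))
    ind = {pow(g, i, Q): i for i in range(n)}
    return [sum(2 * cos(2 * pi * j * ind[p] / n) for p in S) for j in range(n)]

def spectral_ratio(Q, B):
    """max |nontrivial eigenvalue| / k; the slide's theorem bounds this by O(k^(1/B - 1/2))."""
    eig = spectrum(Q, B)
    return max(abs(x) for x in eig[1:]) / eig[0]      # eig[0] is the trivial eigenvalue k

def walk_tv_distance(Q, B, steps, start=1):
    """Total-variation distance from uniform after `steps` steps of the simple random walk."""
    V, S, nbrs = grh_graph(Q, B)
    k = 2 * len(S)
    dist = dict.fromkeys(V, 0.0)
    dist[start] = 1.0
    for _ in range(steps):
        nxt = dict.fromkeys(V, 0.0)
        for v, mass in dist.items():
            for w in nbrs(v):
                nxt[w] += mass / k
        dist = nxt
    return 0.5 * sum(abs(m - 1 / len(V)) for m in dist.values())

if __name__ == "__main__":
    Q, B = 101, 2.5                                    # small prime Q; the slide needs B > 2
    print("k =", spectrum(Q, B)[0], "ratio =", round(spectral_ratio(Q, B), 3),
          "TV after 8 steps =", round(walk_tv_distance(Q, B, 8), 4))
```

With Q = 101 the set S has 14 primes, so k = 28; the sum of all eigenvalues is 0 (the graph has no loops), which is a quick sanity check on the character computation.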


Conclusions (Assuming GRH)

DLOG has roughly equivalent difficulty on elliptic curves over F_q whose endomorphism rings are comparable in size.

There is a random polynomial time reduction (equivalence) between the DLOG problems on such elliptic curves.

NIST and IPSec international standards curves were not chosen so as to foist cryptographically weak curves upon an unsuspecting public.

The method gives a new elementary construction of expander graphs.