12 research outputs found
Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem
International audienceWe propose an index calculus algorithm for the discrete logarithm problem on general abelian varieties of small dimension. The main difference with the previous approaches is that we do not make use of any embedding into the Jacobian of a well-suited curve. We apply this algorithm to the Weil restriction of elliptic curves and hyperelliptic curves over small degree extension fields. In particular, our attack can solve an elliptic curve discrete logarithm problem defined over GF(q^3) in heuristic asymptotic running time O~(q^(4/3)); and an elliptic problem over GF(q^4) or a genus 2 problem over GF(q^2) in heuristic asymptotic running time O~(q^(3/2))
A New Method for Geometric Interpretation of Elliptic Curve Discrete Logarithm Problem
In this paper, we intend to study the geometric meaning of the discrete
logarithm problem defined over an Elliptic Curve. The key idea is to reduce the
Elliptic Curve Discrete Logarithm Problem (EC-DLP) into a system of equations.
These equations arise from the interesection of quadric hypersurfaces in an
affine space of lower dimension. In cryptography, this interpretation can be
used to design attacks on EC-DLP. Presently, the best known attack algorithm
having a sub-exponential time complexity is through the implementation of
Summation Polynomials and Weil Descent. It is expected that the proposed
geometric interpretation can result in faster reduction of the problem into a
system of equations. These overdetermined system of equations are hard to
solve. We have used F4 (Faugere) algorithms and got results for primes less
than 500,000. Quantum Algorithms can expedite the process of solving these
over-determined system of equations. In the absence of fast algorithms for
computing summation polynomials, we expect that this could be an alternative.
We do not claim that the proposed algorithm would be faster than Shor's
algorithm for breaking EC-DLP but this interpretation could be a candidate as
an alternative to the 'summation polynomial attack' in the post-quantum era
Discrete logarithm computations over finite fields using Reed-Solomon codes
Cheng and Wan have related the decoding of Reed-Solomon codes to the
computation of discrete logarithms over finite fields, with the aim of proving
the hardness of their decoding. In this work, we experiment with solving the
discrete logarithm over GF(q^h) using Reed-Solomon decoding. For fixed h and q
going to infinity, we introduce an algorithm (RSDL) needing O (h! q^2)
operations over GF(q), operating on a q x q matrix with (h+2) q non-zero
coefficients. We give faster variants including an incremental version and
another one that uses auxiliary finite fields that need not be subfields of
GF(q^h); this variant is very practical for moderate values of q and h. We
include some numerical results of our first implementations
Point compression for the trace zero subgroup over a small degree extension field
Using Semaev's summation polynomials, we derive a new equation for the
-rational points of the trace zero variety of an elliptic curve
defined over . Using this equation, we produce an optimal-size
representation for such points. Our representation is compatible with scalar
multiplication. We give a point compression algorithm to compute the
representation and a decompression algorithm to recover the original point (up
to some small ambiguity). The algorithms are efficient for trace zero varieties
coming from small degree extension fields. We give explicit equations and
discuss in detail the practically relevant cases of cubic and quintic field
extensions.Comment: 23 pages, to appear in Designs, Codes and Cryptograph
Solving multivariate polynomial systems and an invariant from commutative algebra
The complexity of computing the solutions of a system of multivariate
polynomial equations by means of Gr\"obner bases computations is upper bounded
by a function of the solving degree. In this paper, we discuss how to
rigorously estimate the solving degree of a system, focusing on systems arising
within public-key cryptography. In particular, we show that it is upper bounded
by, and often equal to, the Castelnuovo Mumford regularity of the ideal
generated by the homogenization of the equations of the system, or by the
equations themselves in case they are homogeneous. We discuss the underlying
commutative algebra and clarify under which assumptions the commonly used
results hold. In particular, we discuss the assumption of being in generic
coordinates (often required for bounds obtained following this type of
approach) and prove that systems that contain the field equations or their fake
Weil descent are in generic coordinates. We also compare the notion of solving
degree with that of degree of regularity, which is commonly used in the
literature. We complement the paper with some examples of bounds obtained
following the strategy that we describe
Making Password Authenticated Key Exchange Suitable For Resource-Constrained Industrial Control Devices
Connectivity becomes increasingly important also for small embedded systems such as typically found in industrial control installations. More and more use-cases require secure remote user access increasingly incorporating handheld based human machine interfaces, using wireless links such as Bluetooth. Correspondingly secure operator authentication becomes of utmost importance. Unfortunately, often passwords with all their well-known pitfalls remain the only practical mechanism.
We present an assessment of the security requirements for the industrial setting, illustrating that offline attacks on passwords-based authentication protocols should be considered a significant threat. Correspondingly use of a Password Authenticated Key Exchange protocol becomes desirable. We review the signif-icant challenges faced for implementations on resource-constrained devices.
We explore the design space and shown how we succeeded in tailoring a partic-ular variant of the Password Authenticated Connection Establishment (PACE) protocol, such that acceptable user interface responsiveness was reached even for the constrained setting of an ARM Cortex-M0+ based Bluetooth low-energy transceiver running from a power budget of 1.5 mW without notable energy buffers for covering power peak transients
On the complexity of computing Gr\"obner bases for weighted homogeneous systems
Solving polynomial systems arising from applications is frequently made
easier by the structure of the systems. Weighted homogeneity (or
quasi-homogeneity) is one example of such a structure: given a system of
weights , -homogeneous polynomials are polynomials
which are homogeneous w.r.t the weighted degree
. Gr\"obner bases for weighted homogeneous systems can be
computed by adapting existing algorithms for homogeneous systems to the
weighted homogeneous case. We show that in this case, the complexity estimate
for Algorithm~\F5 \left(\binom{n+\dmax-1}{\dmax}^{\omega}\right) can be
divided by a factor . For zero-dimensional
systems, the complexity of Algorithm~\FGLM (where is the
number of solutions of the system) can be divided by the same factor
. Under genericity assumptions, for
zero-dimensional weighted homogeneous systems of -degree
, these complexity estimates are polynomial in the
weighted B\'ezout bound .
Furthermore, the maximum degree reached in a run of Algorithm \F5 is bounded by
the weighted Macaulay bound , and this bound is
sharp if we can order the weights so that . For overdetermined
semi-regular systems, estimates from the homogeneous case can be adapted to the
weighted case. We provide some experimental results based on systems arising
from a cryptography problem and from polynomial inversion problems. They show
that taking advantage of the weighted homogeneous structure yields substantial
speed-ups, and allows us to solve systems which were otherwise out of reach
Semi-regular sequences and other random systems of equations
The security of multivariate cryptosystems and digital signature schemes
relies on the hardness of solving a system of polynomial equations over a
finite field. Polynomial system solving is also currently a bottleneck of
index-calculus algorithms to solve the elliptic and hyperelliptic curve
discrete logarithm problem. The complexity of solving a system of polynomial
equations is closely related to the cost of computing Groebner bases, since
computing the solutions of a polynomial system can be reduced to finding a
lexicographic Groebner basis for the ideal generated by the equations. Several
algorithms for computing such bases exist: We consider those based on repeated
Gaussian elimination of Macaulay matrices. In this paper, we analyze the case
of random systems, where random systems means either semi-regular systems, or
quadratic systems in n variables which contain a regular sequence of n
polynomials. We provide explicit formulae for bounds on the solving degree of
semi-regular systems with m > n equations in n variables, for equations of
arbitrary degrees for m = n+1, and for any m for systems of quadratic or cubic
polynomials. In the appendix, we provide a table of bounds for the solving
degree of semi-regular systems of m = n + k quadratic equations in n variables
for 2 <= k; n <= 100 and online we provide the values of the bounds for 2 <= k;
n <= 500. For quadratic systems which contain a regular sequence of n
polynomials, we argue that the Eisenbud-Green-Harris Conjecture, if true,
provides a sharp bound for their solving degree, which we compute explicitly.Comment: 27 pages, 4 table
The Point Decomposition Problem over Hyperelliptic Curves: toward efficient computations of Discrete Logarithms in even characteristic
International audienceComputing discrete logarithms is generically a difficult problem. For divisor class groups of curves defined over extension fields, a variant of the Index-Calculus called Decomposition attack is used, and it can be faster than generic approaches. In this situation, collecting the relations is done by solving multiple instances of the Point m-Decomposition Problem (PDP). An instance of this problem can be modelled as a zero-dimensional polynomial system. Solving is done with Gröbner bases algorithms, where the number of solutions of the system is a good indicator for the time complexity of the solving process. For systems arising from a PDP context, this number grows exponentially fast with the extension degree. To achieve an efficient harvesting, this number must be reduced as much as as possible. Extending the elliptic case, we introduce a notion of Summation Ideals to describe PDP m instances over higher genus curves, and compare to Nagao's general approach to PDP solving. In even characteristic we obtain reductions of the number of solutions for both approaches, depending on the curve's equation. In the best cases, for a hyperelliptic curve of genus , we can divide the number of solutions by . For instance, for a type II genus 2 curve defined over whose divisor class group has cardinality a near-prime 184 bits integer, the number of solutions is reduced from 4096 to 64. This is enough to build the matrix of relations in around 7 days with 8000 cores using a dedicated implementation