Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem
We propose an index calculus algorithm for the discrete logarithm problem on general abelian varieties of small dimension. The main difference from previous approaches is that we do not make use of any embedding into the Jacobian of a well-suited curve. We apply this algorithm to the Weil restriction of elliptic curves and hyperelliptic curves over small-degree extension fields. In particular, our attack can solve an elliptic curve discrete logarithm problem defined over GF(q^3) in heuristic asymptotic running time O~(q^(4/3)), and an elliptic curve problem over GF(q^4) or a genus 2 problem over GF(q^2) in heuristic asymptotic running time O~(q^(3/2)).
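As an added worked comparison, not part of the abstract above, here is why those exponents matter: they have to be measured against the generic bound. For an elliptic curve $E$ over $\mathrm{GF}(q^n)$, Hasse's theorem gives $\#E(\mathrm{GF}(q^n)) \approx q^n$, so a generic algorithm such as Pollard rho costs roughly the square root of the group order:

$$
\tilde{O}\!\left(\sqrt{q^n}\right) = \tilde{O}\!\left(q^{n/2}\right), \qquad
n=3:\ \tilde{O}(q^{3/2}) \;>\; \tilde{O}(q^{4/3}), \qquad
n=4:\ \tilde{O}(q^{2}) \;>\; \tilde{O}(q^{3/2}).
$$

For the Jacobian of a genus 2 curve over $\mathrm{GF}(q^2)$ the group order is about $(q^2)^2 = q^4$, so rho costs $\tilde{O}(q^2)$, again worse than the $\tilde{O}(q^{3/2})$ of the decomposition attack. To see the gap in bits, take as an assumed example a curve over $\mathrm{GF}(q^3)$ with a group of about $2^{160}$ elements, i.e. $q \approx 2^{160/3}$:

$$
q^{3/2} \approx 2^{80}, \qquad q^{4/3} \approx 2^{(160/3)\cdot(4/3)} \approx 2^{71},
$$

a heuristic loss of roughly nine bits of security before the polylogarithmic factors hidden in $\tilde{O}$ and the implementation constants are accounted for. The practical caveat is that the asymptotic exponent is the only thing this comparison establishes; whether the attack is faster than rho at a given key size depends on those hidden factors, which is exactly what the record computations in the abstracts below are measuring.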
The Point Decomposition Problem over Hyperelliptic Curves: toward efficient computations of Discrete Logarithms in even characteristic
Computing discrete logarithms is generically a difficult problem. For divisor class groups of curves defined over extension fields, a variant of Index Calculus called the Decomposition attack is used, and it can be faster than generic approaches. In this situation, collecting the relations is done by solving multiple instances of the Point m-Decomposition Problem (PDP). An instance of this problem can be modelled as a zero-dimensional polynomial system. Solving is done with Gröbner basis algorithms, where the number of solutions of the system is a good indicator of the time complexity of the solving process. For systems arising from a PDP context, this number grows exponentially fast with the extension degree. To achieve efficient harvesting, this number must be reduced as much as possible. Extending the elliptic case, we introduce a notion of Summation Ideals to describe PDP m instances over higher genus curves, and compare it to Nagao's general approach to PDP solving. In even characteristic we obtain reductions of the number of solutions for both approaches, depending on the curve's equation. In the best cases, for a hyperelliptic curve of genus , we can divide the number of solutions by . For instance, for a type II genus 2 curve defined over whose divisor class group has cardinality a near-prime 184-bit integer, the number of solutions is reduced from 4096 to 64. This is enough to build the matrix of relations in around 7 days with 8000 cores using a dedicated implementation.
The Discrete Logarithm Problem in Finite Fields of Small Characteristic
Computing discrete logarithms is a long-standing algorithmic problem, whose hardness forms the basis for numerous current public-key cryptosystems. In the case of finite fields of small characteristic, however, there has been tremendous progress recently, by which the complexity of the discrete logarithm problem (DLP) is considerably reduced.
This habilitation thesis on the DLP in such fields deals with two principal aspects. On the one hand, we develop and investigate novel efficient algorithms for computing discrete logarithms, where the complexity analysis relies on heuristic assumptions. In particular, we show that logarithms of factor base elements can be computed in polynomial time, and we discuss the practical impact of the new methods on the security of pairing-based cryptosystems.
While a heuristic running time analysis of algorithms is common practice for concrete security estimations, this approach is insufficient from a mathematical perspective. Therefore, on the other hand, we focus on provable complexity results, for which we modify the algorithms so that any heuristics are avoided and a rigorous analysis becomes possible. We prove that for any prime field there exist infinitely many extension fields in which the DLP can be solved in quasi-polynomial time.
Despite the two aspects looking rather independent of each other, it turns out, as illustrated in this thesis, that progress regarding practical algorithms and record computations can lead to advances in the theoretical running time analysis, and the other way around.
Pairings in Cryptology: efficiency, security and applications
The study of pairings can be approached in so many different ways that it is worth stating in a few words the plan which has been adopted, and the chief objects at which it has aimed. This is not an attempt to write the whole history of pairings in cryptology, or to detail every discovery, but rather a general presentation motivated by the two main requirements in cryptology: efficiency and security.

Starting from the basic underlying mathematics, pairing maps are constructed and a major security issue related to the question of the minimal embedding field [12] is resolved. This is followed by an exposition on how to compute efficiently the final exponentiation occurring in the calculation of a pairing [124] and a thorough survey on the security of the discrete logarithm problem from both theoretical and implementational perspectives. These two crucial cryptologic requirements being fulfilled, an identity based encryption scheme taking advantage of pairings [24] is introduced. Then, perceiving the need to hash identities to points on a pairing-friendly elliptic curve in the more general context of identity based cryptography, a new technique to efficiently solve this practical issue is exhibited.

Unveiling pairings in cryptology involves a good understanding of both mathematical and cryptologic principles. Therefore, although first presented from an abstract mathematical viewpoint, pairings are then studied from a more practical perspective, slowly drifting toward cryptologic applications.
Quantum algorithms for algebraic problems
Quantum computers can execute algorithms that dramatically outperform classical computation. As the best-known example, Shor discovered an efficient quantum algorithm for factoring integers, whereas factoring appears to be difficult for classical computers. Understanding what other computational problems can be solved significantly faster using quantum algorithms is one of the major challenges in the theory of quantum computation, and such algorithms motivate the formidable task of building a large-scale quantum computer. This article reviews the current state of quantum algorithms, focusing on algorithms with superpolynomial speedup over classical computation, and in particular, on problems with an algebraic flavor.
Comment: 52 pages, 3 figures, to appear in Reviews of Modern Physics.
On general multi-quadratic function field extensions in the GHS attack
To date, elliptic curves offer the most efficient cryptographic solution. Particularly efficient among elliptic curves are those defined over binary composite finite fields, such as GF((2^r)^n). These curves were no longer considered secure when, in 1998, Gerhard Frey introduced a concept which paved the road for the GHS attack. The idea behind the GHS attack is to map the Discrete Logarithm Problem (DLP) over such a curve to an equivalent DLP over the Jacobian of another curve, defined over the smaller field GF(2^r). In this thesis, we study the theoretical structure of the GHS attack for elliptic curves defined over fields of arbitrary characteristic. We study the GHS attack using general quadratic extensions for elliptic curves defined over composite fields of even characteristic and we estimate the genus of the resulting function field. We also implement the GHS attack and present some computational results.
Keywords: GHS Attack, Elliptic Curve Cryptography, Function Field.
Theory and Practice of Cryptography and Network Security Protocols and Technologies
In an age of explosive worldwide growth of electronic data storage and communications, effective protection of information has become a critical requirement. When used in coordination with other tools for ensuring information security, cryptography in all of its applications, including data confidentiality, data integrity, and user authentication, is a most powerful tool for protecting information. This book presents a collection of research work in the field of cryptography. It discusses some of the critical challenges that are being faced by the current computing world and also describes some mechanisms to defend against these challenges. It is a valuable source of knowledge for researchers, engineers, graduate and doctoral students working in the field of cryptography. It will also be useful for faculty members of graduate schools and universities.
Flat Surfaces
Various problems of geometry, topology and dynamical systems on surfaces as well as some questions concerning one-dimensional dynamical systems lead to the study of closed surfaces endowed with a flat metric with several cone-type singularities. Such flat surfaces are naturally organized into families which appear to be isomorphic to the moduli spaces of holomorphic one-forms.

One can obtain much information about the geometry and dynamics of an individual flat surface by studying both its orbit under the Teichmüller geodesic flow and under the linear group action. In particular, the Teichmüller geodesic flow plays the role of a time acceleration machine (renormalization procedure) which allows one to study the asymptotic behavior of interval exchange transformations and of surface foliations.

This long survey is an attempt to present some selected ideas, concepts and facts in Teichmüller dynamics in a playful way.
Comment: (152 pages; 51 figures) Based on the lectures given by the author at the Les Houches School "Number Theory and Physics" in March of 2003 and at the workshop on dynamical systems in ICTP, Trieste, in July 2004. See "Frontiers in Number Theory, Physics and Geometry. Volume 1: On random matrices, zeta functions and dynamical systems", P. Cartier, B. Julia, P. Moussa, P. Vanhove (Editors), Springer-Verlag (2006) for the entire collection (including, in particular, the complementary lectures of J.-C. Yoccoz). For a short version see the paper "Geodesics on Flat Surfaces", arXiv.math.GT/060939