A Cryptographic Attack: Finding the Discrete Logarithm on Elliptic Curves of Trace One

Bradley, Tatiana

01 January 2015

The crux of elliptic curve cryptography, a popular mechanism for securing data, is an asymmetric problem. The elliptic curve discrete logarithm problem, as it is called, is hoped to be generally hard in one direction but not the other, and it is this asymmetry that makes it secure. This paper describes the mathematics (and some of the computer science) necessary to understand and compute an attack on the elliptic curve discrete logarithm problem that works in a special case. The algorithm, proposed by Nigel Smart, renders the elliptic curve discrete logarithm problem easy in both directions for elliptic curves of so-called "trace one." The implication is that these curves can never be used securely for cryptographic purposes. In addition, it calls for further investigation into whether or not the problem is hard in general.

elliptic curve

cryptography

trace one

cryptanalysis

discrete logarithm

Number Theory

The Discrete Logarithm Problem in Finite Fields of Small Characteristic / Das diskrete Logarithmusproblem in endlichen Körpern kleiner Charakteristik

Zumbrägel, Jens

14 March 2017

Computing discrete logarithms is a long-standing algorithmic problem, whose hardness forms the basis for numerous current public-key cryptosystems. In the case of finite fields of small characteristic, however, there has been tremendous progress recently, by which the complexity of the discrete logarithm problem (DLP) is considerably reduced. This habilitation thesis on the DLP in such fields deals with two principal aspects. On one hand, we develop and investigate novel efficient algorithms for computing discrete logarithms, where the complexity analysis relies on heuristic assumptions. In particular, we show that logarithms of factor base elements can be computed in polynomial time, and we discuss practical impacts of the new methods on the security of pairing-based cryptosystems. While a heuristic running time analysis of algorithms is common practice for concrete security estimations, this approach is insufficient from a mathematical perspective. Therefore, on the other hand, we focus on provable complexity results, for which we modify the algorithms so that any heuristics are avoided and a rigorous analysis becomes possible. We prove that for any prime field there exist infinitely many extension fields in which the DLP can be solved in quasi-polynomial time. Despite the two aspects looking rather independent from each other, it turns out, as illustrated in this thesis, that progress regarding practical algorithms and record computations can lead to advances on the theoretical running time analysis -- and the other way around. / Die Berechnung von diskreten Logarithmen ist ein eingehend untersuchtes algorithmisches Problem, dessen Schwierigkeit zahlreiche Anwendungen in der heutigen Public-Key-Kryptographie besitzt. Für endliche Körper kleiner Charakteristik sind jedoch kürzlich erhebliche Fortschritte erzielt worden, welche die Komplexität des diskreten Logarithmusproblems (DLP) in diesem Szenario drastisch reduzieren. Diese Habilitationsschrift erörtert zwei grundsätzliche Aspekte beim DLP in Körpern kleiner Charakteristik. Es werden einerseits neuartige, erheblich effizientere Algorithmen zur Berechnung von diskreten Logarithmen entwickelt und untersucht, wobei die Laufzeitanalyse auf heuristischen Annahmen beruht. Unter anderem wird gezeigt, dass Logarithmen von Elementen der Faktorbasis in polynomieller Zeit berechnet werden können, und welche praktischen Auswirkungen die neuen Verfahren auf die Sicherheit paarungsbasierter Kryptosysteme haben. Während heuristische Laufzeitabschätzungen von Algorithmen für die konkrete Sicherheitsanalyse üblich sind, so erscheint diese Vorgehensweise aus mathematischer Sicht unzulänglich. Der Aspekt der beweisbaren Komplexität für DLP-Algorithmen konzentriert sich deshalb darauf, modifizierte Algorithmen zu entwickeln, die jegliche heuristische Annahme vermeiden und dessen Laufzeit rigoros gezeigt werden kann. Es wird bewiesen, dass für jeden Primkörper unendlich viele Erweiterungskörper existieren, für die das DLP in quasi-polynomieller Zeit gelöst werden kann. Obwohl die beiden Aspekte weitgehend unabhängig voneinander erscheinen mögen, so zeigt sich, wie in dieser Schrift illustriert wird, dass Fortschritte bei praktischen Algorithmen und Rekordberechnungen auch zu Fortentwicklungen bei theoretischen Laufzeitabschätzungen führen -- und umgekehrt.

diskretes Logarithmusproblem

endliche Körper

Kryptologie

discrete logarithm problem

finite fields

cryptology

ddc:510

rvk:SK 230

Pokročilé metody hledání diskrétního logaritmu / Advanced techniques for calculations of discrete logarithm

Matocha, Vojtěch

January 2013

Let G be a finite cyclic group. Solving the equation g^x = y for a given generator g and y is called the discrete logarithm problem. This problem is at the core of many modern cryptographic transformations. In this paper we provide a survey of algorithms to attack this problem, including the function field sieve, the fastest known algorithm applicable to the multiplicative group of a finite field. We also discuss the index calculus algorithm and some techniques improving its performance: the Coppersmith's algorithm and the polynomial sieving. The most important contribution of this paper is a C-language implementation of the function field sieve and its application to real inputs.

Síto v číselném tělese pro diskrétní logaritmus / Number Field Sieve for Discrete Logarithm

Godušová, Anna

January 2016

Many of today's cryptographic systems are based on the discrete logarithm problem, e.g. the Diffie-Hellman protocol. The number field sieve algorithm (NFS) is the algorithm solving the problem of factorization of integers, but latest works show, it can be also applied to the discrete logarithm problem. In this work, we study the number field sieve algorithm for discrete logarithm and we also compare the NFS for discrete logarithm with the NFS for factoriza- tion. Even though these NFS algorithms are based on the same principle, many differences are found. 1

Analýza útoků na asymetrické kryptosystémy / Analysis of attacks on asymmetric cryptosystems

Tvaroh, Tomáš

January 2011

This thesis analyzes various attacks on underlying computational problem of asymmetric cryptosystems. First part introduces two of the most used problems asymmetric cryptography is based on, which are integer factorization and computation of discrete logarithm. Algorithms for solving these problems are described and for each of them there is a discussion about when the use of this particular algorithm is appropriate and when it isn't. In the next part computational problems are related to algorithms RSA and ECC and it is shown, how solving the underlying problem enables us to crack the cypher. As a part of this thesis an application was developed that measures the efficiency of described attacks and by providing easy-to-understand enumeration of algorithm's steps it can be used to demonstrate how the attack works. Based on the results of performed analysis, most secure asymmetric cryptosystem is selected along with some recommendations regarding key pair generation.

MODERN CRYPTOGRAPHY

Lopez, Samuel

01 June 2018

We live in an age where we willingly provide our social security number, credit card information, home address and countless other sensitive information over the Internet. Whether you are buying a phone case from Amazon, sending in an on-line job application, or logging into your on-line bank account, you trust that the sensitive data you enter is secure. As our technology and computing power become more sophisticated, so do the tools used by potential hackers to our information. In this paper, the underlying mathematics within ciphers will be looked at to understand the security of modern ciphers. An extremely important algorithm in today's practice is the Advanced Encryption Standard (AES), which is used by our very own National Security Agency (NSA) for data up to TOP SECRET. Another frequently used cipher is the RSA cryptosystem. Its security is based on the concept of prime factorization, and the fact that it is a hard problem to prime factorize huge numbers, numbers on the scale of 2^{2048} or larger. Cryptanalysis, the study of breaking ciphers, will also be studied in this paper. Understanding effective attacks leads to understanding the construction of these very secure ciphers.

Cryptography

Data Encryption Standard

Advanced Encryption Standard

RSA

Discrete Logarithm Problem

Information Security

Number Theory

Vyhledávací složitost diskrétního logaritmu / On search complexity of discrete logarithm

Václavek, Jan

January 2021

In this thesis, we study the discrete logarithm problem in the context of TFNP - the complexity class of search problems with a syntactically guaranteed existence of a solution for all instances. Our main results show that suitable variants of the discrete logarithm problem, which we call Index and DLog, are complete for the classes PPP and PWPP, respectively. Additionally, our reductions provide new structural insights into PWPP by establishing two new PWPP-complete problems. First, the problem Dove, a relaxation of the PPP-complete problem Pigeon. Dove is the first PWPP-complete problem not defined in terms of an explicitly shrinking function. Second, the problem Claw, a total search problem capturing the computational complexity of breaking claw-free permuta- tions. In the context of TFNP, the PWPP-completeness of Claw matches the known intrinsic relationship between collision-resistant hash functions and claw-free permuta- tions established in the cryptographic literature. 1

Special Linear Systems on Curves and Algorithmic Applications

Kochinke, Sebastian

14 March 2017

Seit W. Diffie und M. Hellman im Jahr 1976 ihren Ansatz für einen sicheren kryptographischen Schlüsselaustausch vorgestellten, ist der sogenannte Diskrete Logarithmus zu einem zentrales Thema der Kryptoanalyse geworden. Dieser stellt eine Erweiterung des bekannten Logarithmus auf beliebige endliche Gruppen dar. In der vorliegenden Dissertation werden zwei von C. Diem eingeführte Algorithmen untersucht, mit deren Hilfe der diskrete Logarithmus in der Picardgruppe glatter, nichthyperelliptischer Kurven vom Geschlecht g > 3 bzw. g > 4 über endlichen Körpern berechnet werden kann. Beide Ansätze basieren auf der sogenannten Indexkalkül-Methode und benutzen zur Erzeugung der dafür benötigten Relationen spezielle Linearsysteme, welche durch Schneiden von ebenen Modellen der Kurve mit Geraden erzeugt werden. Um Aussagen zur Laufzeit der Algorithmen tätigen zu können, werden verschiedene Sätze über die Geometrie von Kurven bewiesen. Als zentrale Aussage wird zum einem gezeigt, dass ebene Modelle niedrigen Grades effizient berechnet werden können. Zum anderen wird bewiesen, dass sich bei genügend großem Grundkörper die Anzahl der vollständig über dem Grundkörper zerfallenden Geraden wie heuristisch erwartet verhällt. Für beide Aussagen werden dabei Familien von Kurven betrachtet und diese gelten daher uniform für alle glatten, nichthyperelliptischen Kurven eines festen Geschlechts. Die genannten Resultate führen schlussendlich zu dem Beweis einer erwarteten Laufzeit von O(q^(2-2/(g-1))) für den ersten der beiden Algorithmen, wobei q die Anzahl der Elemente im Grundkörper darstellt. Der zweite Algoritmus verbessert dies auf eine heuristische Laufzeit in O(q^(2-2/(g-2))), imdem er Divisoren von höherem Spezialiätsgrad erzeugt. Es wird bewiesen, dass dieser Ansatz für einen uniform gegen 1 konvergierenden Anteil an glatten, nichthyperelliptischen Kurven eines festen Geschlechts über Grundkörpern großer Charakteristik eine große Anzahl an Relationen erzeugt. Wiederum werden zum Beweis der zugrundeliegenden geometrischen Aussagen Familien von Kurven betrachtet, um so die Uniformität zu gewährleisten. Beide Algorithmen wurden zudem implementiert. Zum Abschluss der Arbeit werden die Ergebnisse der entsprechenden Experimente vorgestellt und eingeordnet.

Diskreter Logarithmus

Indexkalkül

Linearsystem

Brill-Noether

Algebraische Kurve

Discrete Logarithm

Index Calculus

linear system

Brill-Noether

Algebraic Curve

ddc:500

Algebraic Tori in Cryptography

Alexander, Nicholas Charles

January 2005

Communicating bits over a network is expensive. Therefore, cryptosystems that transmit as little data as possible are valuable. This thesis studies several cryptosystems that require significantly less bandwidth than conventional analogues. The systems we study, called torus-based cryptosystems, were analyzed by Karl Rubin and Alice Silverberg in 2003 [RS03]. They interpreted the XTR [LV00] and LUC [SL93] cryptosystems in terms of quotients of algebraic tori and birational parameterizations, and they also presented CEILIDH, a new torus-based cryptosystem. This thesis introduces the geometry of algebraic tori, uses it to explain the XTR, LUC, and CEILIDH cryptosystems, and presents torus-based extensions of van Dijk, Woodruff, et al. [vDW04, vDGP⁺05] that require even less bandwidth. In addition, a new algorithm of Granger and Vercauteren [GV05] that attacks the security of torus-based cryptosystems is presented. Finally, we list some open research problems.

Mathematics

cryptography

compression

finite field

extension field

discrete logarithm problem

tori

torus

algebraic

Rubin

Silverberg

Granger

Vercauteren

XTR

LUC

CEILIDH

Algebraic Tori in Cryptography

Alexander, Nicholas Charles

January 2005

Communicating bits over a network is expensive. Therefore, cryptosystems that transmit as little data as possible are valuable. This thesis studies several cryptosystems that require significantly less bandwidth than conventional analogues. The systems we study, called torus-based cryptosystems, were analyzed by Karl Rubin and Alice Silverberg in 2003 [RS03]. They interpreted the XTR [LV00] and LUC [SL93] cryptosystems in terms of quotients of algebraic tori and birational parameterizations, and they also presented CEILIDH, a new torus-based cryptosystem. This thesis introduces the geometry of algebraic tori, uses it to explain the XTR, LUC, and CEILIDH cryptosystems, and presents torus-based extensions of van Dijk, Woodruff, et al. [vDW04, vDGP⁺05] that require even less bandwidth. In addition, a new algorithm of Granger and Vercauteren [GV05] that attacks the security of torus-based cryptosystems is presented. Finally, we list some open research problems.

Mathematics

cryptography

compression

finite field

extension field

discrete logarithm problem

tori

torus

algebraic

Rubin

Silverberg

Granger

Vercauteren

XTR

LUC

CEILIDH