
Chapter 4 Algorithms for HCDLP

4.3 Computational comparison

4.3.3 Comparisons

We have implemented the index calculus algorithm and the variations described in section 4.2: the original index calculus, index calculus with a reduced factor base, index calculus with a single large prime, and index calculus with double large primes. To implement these algorithms we use the C++ library NTL [31] for the finite field arithmetic. NTL (Number Theory Library) is a high-performance, portable C++ library providing data structures and algorithms for signed, arbitrary length integers, and for vectors, matrices, and polynomials over the integers and over finite fields.

We ran our programs on a computer with an 1800 MHz CPU and 1 GB of RAM to generate the results in Table 4.2.

Table 4.2 Running time (seconds) of hyperelliptic index calculus

                                      Genus 2                      Genus 3                      Genus 4
Field size q = |Fq|            2^11    2^13    2^15        2^11    2^13    2^15        2^11    2^13
Original index calculus          68    3760   >3 days       110    5261   >3 days      1136   10321
with reduced factor base          6      34     403          93     891   10595         830    6374
with 1 large prime                2       9      18          22     533     665         248    2677
with 2 large primes              17     301     458         191    1813   (only five entries appear in the table as extracted)

From Table 4.2 we observe the following facts.

When the original index calculus is applied to small genus HCDLP, using a relatively large factor base reduces the time needed to obtain a smooth relation but produces a large linear system, and solving that system comes to dominate the running time. By using a reduced factor base to balance the search time against the time spent solving the linear system, the index calculus algorithm with reduced factor base solves HCDLP in a much shorter time.

The large prime variations improve the index calculus algorithm further.

Chapter 5

A Fast Algorithm for Genus 2 HCDLP

5.1 Introduction

For genus 2 hyperelliptic curves, the index calculus algorithm is asymptotically slower than Pollard’s rho method. In this chapter, we present a faster algorithm for solving genus 2 HCDLP; a comparison of the time complexities can be found in Table 4.1. The bottleneck of the index calculus algorithms is their linear algebra part. Hence the idea of our algorithm is to use a graph method to find a relation between D1 and D2 of the form

(∑k γkαk) D1 + (∑k γkβk) D2 = 0

without the linear algebra part.

We choose the factor base as all the prime divisors whose a-polynomial has degree 1, which can be constructed by finding all the rational points on C over the base field. For a genus g = 2 hyperelliptic curve C over Fq, if a reduced divisor is smooth then it can be represented as the sum of at most 2 points in C(Fq). By Lemma 4.1, the probability of getting a smooth divisor is 1/g! = 1/2.

Example 5.1 illustrates all the cases that can arise in our algorithm.

Example 5.1

Let C be a hyperelliptic curve of genus 2 over Fq, and let the Pi be points of C(Fq).

(a) Let R1= P1+P2-2∞, R2= P2+P3-2∞, R3= P3+P4-2∞.

Then we can get a relation of P1 and P4 by R1-R2+R3= P1+ P4-2∞.

(b) Let R1= P1+P2-2∞, R2= P2+P3-2∞, R3= P3+P4-2∞, R4= P4+P1-2∞.

Then R1-R2+R3-R4 = 0.

(c) Let R1= P1+P2-2∞, R2= P2+P3-2∞, R3= P3+P1-2∞.

Then R1-R2+R3 = 2P1-2∞, R1+R2-R3 = 2P2-2∞, -R1+R2+R3 = 2P3-2∞.

In this case we cannot get a relation ∑ γiRi = 0, but we can get a relation for any one of the points.

(d) Let R1= P1+P2-2∞, R2= P2+P3-2∞, R3= P3+P1-2∞, R4= P2+P4-2∞, R5= P4+P5-2∞, R6= P5+P2-2∞.

Then (R2-R3+R1)- (R4-R5+R6)=(2P2-2∞)- (2P2-2∞)=0.

(e) Let R1= P1+P2-2∞, R2= P2+P3-2∞, R3= P3+P1-2∞, R4= P3 -∞.

Then -R1+R2+R3-2R4 = 0.

Figure 5.1 shows how the graph is used to find cycles that yield a relation ∑ γiRi = 0.

Figure 5.1 Possible sub-graphs appearing in our algorithm: (a) a path; (b) a cycle of even length; (c) a cycle of odd length; (d) a component containing 2 cycles; (e) a component containing 2 cycles.

From the example above, we observe the following facts:

1. Case (a): If there is a path from vertex Pi to Pj then we can compute a relation for Pi and Pj.

2. Case (b): If there is a cycle of even length then we can compute a relation R = ∑ γiRi = 0 for some γi.

3. Case (c): If there is a cycle of odd length then we can compute a relation of any one of the points.

4. Case (d), (e): If there is a connected component containing 2 odd length cycles P1

By regarding each edge of the graph as a smooth relation found in the relation search, it is not hard to see that a new algorithm for solving genus 2 HCDLP can be designed around the graph.

5.2 The algorithm

Our algorithm first uses a pseudo random walk to create random reduced divisors of the form Ri = αiD1 + βiD2. Then we create a graph G with |F| vertices corresponding to the elements of the factor base F, in which each edge represents a relation written as a sum of points. Initially G contains no edges. If Ri is smooth then we write Ri as the sum of at most 2 points in C(Fq) and add the corresponding edge between these two points to the graph. Notice that if Ri is written as Ri = cPj-c∞ where c = 1 or 2 and Pj ∈ C(Fq), then the edge is a self-loop at the point Pj.

The data structure of the graph can be implemented as an array representing trees with a union-find algorithm; in other words, we only need to record the parent node of each element in the array. To test whether adding an edge (Pi, Pj) would create a cycle, we traverse the trees from the vertices Pi and Pj to see whether they have the same root. If adding an edge would create an even length cycle then we get a relation

R = ∑ γiRi = (∑ γiαi) D1 + (∑ γiβi) D2 = 0

for some γi, so the discrete logarithm λ with D2 = λD1 can be computed as

λ = -(∑ γiαi) / (∑ γiβi).

If adding an edge would create an odd length cycle then we can compute a relation R = cPi-c∞ where Pi is the root of the tree, as in case (c) of Example 5.1. Hence we can store the information of odd length cycles (including self-loops) at the roots of the trees without creating cycles in the graph G. If later we find another odd length cycle within the same tree then we can compute a relation S = dPi-d∞. From the root Pi and the relations R and S we compute dR-cS = 0, which yields the discrete logarithm.

Here is our algorithm in detail.

Algorithm 5.1 A faster algorithm for genus 2 HCDLP

Input: A hyperelliptic curve C of small genus g = 2 over Fq, a divisor D1 in JC(Fq) with known order n = ord(D1), and a divisor D2 ∈ <D1>.

Output: An integer λ such that D2 = λD1.

1. /* Build the factor base F */

For each xi ∈ Fq, solve v^2 + h(xi)v = f(xi) to find yi ∈ Fq such that (xi, yi) ∈ C(Fq), and store Pi = (xi, yi) in F.

2. /* Initialization of the random walk */

For j from 1 to 20, select aj and bj at random in [0, n-1], and compute Tj := ajD1 + bjD2.

Select α and β at random in [0, n-1] and compute R := αD1 + βD2. G ← empty graph.

3. /* Main loop */

While G contains neither an even length cycle nor a component with 2 odd length cycles do

3.1 R ← R + Tj for some randomly chosen j, and update α and β.

3.2 If R is smooth and R=cPi-c∞ for some Pi in F, c=1 or 2

Use the relations in the path from Pi to the root of the tree containing Pi

to get a relation of the root.

If there already exists a relation of the root then go to step 4.

3.3 If R is smooth and R=Pi+Pj-2∞ for some Pi and Pj in F

Traverse the trees from Pi and Pj to find the roots Pri and Prj respectively.

3.3.1 If Pri≠Prj then combine these two trees

Use the relations in the path Pri → Pi → Pj → Prj to get a relation R’ between Pri and Prj. Combine these 2 trees by adding an edge (Pri, Prj) and making Pri the parent node of Prj. If there is a relation of Prj (a self-loop of Prj), we also update it to a relation of Pri. If there already exists a relation of Pri then go to step 4.

3.3.2 If Pri=Prj then a cycle is found

If the cycle is of even length then go to step 4.

Else (the cycle is of odd length, store as self-loop of the root)

Use the relations in the cycle Pri → Pi → Pj → Prj to obtain a relation of Pri.

If there already exists a relation of Pri then go to step 4.

4. Obtain a relation (∑ γiαi) D1 + (∑ γiβi) D2 = 0 by using the relations in an even length cycle or 2 self-loops of the same point.

Return λ = -(∑ γiαi) / (∑ γiβi) mod n.

To implement this algorithm we can use an array of #F = O(q) elements. Each element of the array contains a point Pi in C(Fq) and a link to its parent node Pj, together with the associated relation of the form R = αD1 + βD2 (= Pi + Pj-2∞). The link is nil until such a relation appears in the pseudo random walk. Hence this algorithm requires O(q) storage space.

5.3 Time complexity

In order to analyze the time complexity of this algorithm, we refer to the work of Flajolet, Knuth and Pittel [8], which gives a comprehensive account of the appearance of cycles in random graphs. We quote some of their results from [8].

Definition 5.1 (Uniform model)

The uniform model is a procedure to enrich an initially empty graph on the vertices {1, 2, …, n}. At each step we generate an ordered pair <x, y>, where x and y are uniformly distributed between 1 and n and all n^2 pairs are equally likely. The undirected edge x-y is then added to the graph. In this way we obtain a multi-graph, which may have duplicate edges or self-loops x-x.

A bicyclic component in a graph is a component with more than one cycle.

Corollary 5.1 (Expected time) [8]

In the uniform model, the first cycle appears at the expected time m ≈ n/3 steps. At this time, the expected cycle length is of order n^(1/6), and the size of the component containing the first cycle is Θ(n^(1/2)). The waiting time for the first bicyclic component is approximately n/2.

The graph constructed in our algorithm can be viewed as the uniform model with |F| = O(q) vertices. At each step of the pseudo random walk, the relation R = αD1 + βD2 is smooth with probability 1/2; in other words, there is a half chance of adding an edge to the graph at each step. By Corollary 5.1, the first bicyclic component appears in the graph after about q/2 edges have been added, which requires about q steps of the pseudo random walk. Hence we conclude that our algorithm solves the genus 2 HCDLP in an expected time of O(q) Jacobian operations.
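The following is an added example illustrating Algorithm 5.1 of section 5.2 and the step count argument of section 5.3; it is not code from the thesis. The Jacobian and Cantor's arithmetic are replaced by a toy model: the cyclic group Z_n (n prime) with D1 = 1 and D2 = λ, where every factor-base point Pi carries a hidden logarithm li, so a smooth relation R = αD1 + βD2 = Pi + Pj - 2∞ is the congruence α + βλ ≡ li + lj (mod n). Only the pair (α, β) and the edge (Pi, Pj) reach the solver, which keeps the union-find forest with relations on the parent links, stores odd cycles as self-loops at the roots, and returns λ from the first even cycle or the second odd cycle found in one tree. The names RelationGraph, worked_cases and random_walk_solve, the constructed logs in worked_cases, and the simulated walk (smooth with probability 1/2, uniform pair of points as in Definition 5.1) are the example's own assumptions.

```python
"""Toy model of the graph method of Algorithm 5.1 (added example, not thesis code).

Group: Z_n with D1 = 1, D2 = lam.  Point P_i has hidden log l_i, so the smooth
relation a*D1 + b*D2 = P_i + P_j - 2*inf means a + b*lam = l_i + l_j (mod n).
"""
import random


class RelationGraph:
    """Union-find forest whose parent links carry (alpha, beta) coefficients."""

    def __init__(self, size, n):
        self.n = n                       # n = ord(D1), assumed prime here
        self.parent = list(range(size))
        # pot[v] = (A, B, eps): P_v - eps*P_root = A*D1 + B*D2, eps in {+1, -1}
        self.pot = [(0, 0, 1)] * size
        # loop[root] = (c, a, b): c*P_root = a*D1 + b*D2 (odd cycle / self-loop)
        self.loop = [None] * size

    def find(self, v):
        """Root of v; compresses the path and re-expresses potentials w.r.t. it."""
        path = []
        while self.parent[v] != v:
            path.append(v)
            v = self.parent[v]
        for u in reversed(path):         # top-down, so the parent is already fixed
            p = self.parent[u]
            if p != v:
                A, B, e = self.pot[u]
                Ap, Bp, ep = self.pot[p]
                self.pot[u] = ((A + e * Ap) % self.n, (B + e * Bp) % self.n, e * ep)
                self.parent[u] = v
        return v

    def _solve(self, alpha, beta):
        """alpha*D1 + beta*D2 = 0  ->  lam = -alpha/beta mod n (None if beta = 0)."""
        alpha, beta = alpha % self.n, beta % self.n
        if beta == 0:
            return None
        return (-alpha * pow(beta, -1, self.n)) % self.n

    def _store_loop(self, r, c, a, b):
        """Record c*P_r = a*D1 + b*D2 at root r; a second loop gives d*R - c*S = 0."""
        if self.loop[r] is None:
            self.loop[r] = (c, a, b)
            return None
        d, a2, b2 = self.loop[r]
        return self._solve(d * a - c * a2, d * b - c * b2)

    def add_loop(self, i, c, a, b):
        """Smooth divisor R = c*P_i - c*inf (c = 1 or 2) with R = a*D1 + b*D2."""
        r = self.find(i)
        A, B, e = self.pot[i]
        return self._store_loop(r, c * e, a - c * A, b - c * B)

    def add_edge(self, i, j, a, b):
        """Smooth divisor R = P_i + P_j - 2*inf with R = a*D1 + b*D2; lam or None."""
        ri, rj = self.find(i), self.find(j)
        Ai, Bi, ei = self.pot[i]
        Aj, Bj, ej = self.pot[j]
        a2, b2 = a - Ai - Aj, b - Bi - Bj          # ei*P_ri + ej*P_rj = a2*D1 + b2*D2
        if ri == rj:
            if ei + ej == 0:                        # even cycle: step 4 directly
                return self._solve(a2, b2)
            return self._store_loop(ri, ei + ej, a2, b2)   # odd cycle -> self-loop of root
        self.parent[rj] = ri                        # step 3.3.1: combine the two trees
        self.pot[rj] = ((ej * a2) % self.n, (ej * b2) % self.n, -ei * ej)
        if self.loop[rj] is not None:               # carry rj's self-loop up to ri
            c, la, lb = self.loop[rj]
            self.loop[rj] = None
            Ar, Br, er = self.pot[rj]
            return self._store_loop(ri, c * er, la - c * Ar, lb - c * Br)
        return None


def worked_cases(n=101, lam=37):
    """Example 5.1 (b) and (d) in the toy group; returns the two recovered lam."""
    logs = [5, 11, 19, 23, 42]                     # hidden logs of P1..P5 (constructed)

    def run(edges):
        g, result = RelationGraph(len(logs), n), None
        for k, (i, j) in enumerate(edges):
            b = 7 * k + 3                          # any beta; alpha is then forced
            result = g.add_edge(i, j, (logs[i] + logs[j] - b * lam) % n, b)
        return result

    even_cycle = run([(0, 1), (1, 2), (2, 3), (3, 0)])
    two_odd_cycles = run([(0, 1), (1, 2), (2, 0), (1, 3), (3, 4), (4, 1)])
    return even_cycle, two_odd_cycles


def random_walk_solve(size, n, lam, seed=0):
    """Simulated walk: a step is smooth with probability 1/2 (Lemma 4.1, g = 2) and
    a smooth divisor is a uniform pair of points (Definition 5.1).
    Returns (lam_found, walk_steps, edges_added)."""
    rng = random.Random(seed)
    logs = [rng.randrange(n) for _ in range(size)]
    g, steps, edges = RelationGraph(size, n), 0, 0
    while True:
        steps += 1
        if rng.random() < 0.5:                     # not smooth: nothing to add
            continue
        edges += 1
        i, j, b = rng.randrange(size), rng.randrange(size), rng.randrange(n)
        a = (logs[i] + logs[j] - b * lam) % n      # consistent with the hidden logs
        found = g.add_loop(i, 2, a, b) if i == j else g.add_edge(i, j, a, b)
        if found is not None:
            return found, steps, edges


if __name__ == "__main__":
    print(worked_cases())                          # (37, 37)
    print(random_walk_solve(2000, 10007, 1234, seed=1))
```

In worked_cases the first run reproduces case (b): the fourth edge closes an even cycle and λ is read off at once. The second run reproduces case (d): the third edge closes the odd cycle P1-P2-P3 and is stored as a self-loop of the root, and the sixth edge closes the odd cycle P2-P4-P5 in the same tree, so dR-cS = 0 yields λ. In random_walk_solve the returned step count can be compared against the factor base size to see the "about q steps for about q/2 edges" estimate of section 5.3; on the toy model the even cycle usually arrives before the first bicyclic component, so the solver tends to stop somewhat earlier than that bound.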

A practical comparison between Pollard’s method and our algorithm is given in section 5.4.

5.4 Computational comparison

In this section, we implement our algorithm for solving genus 2 HCDLP and use the implementation of Pollard’s rho algorithm by Niels Lubbes [23] for the comparison. We execute both programs on the same computer to generate the following results. The comparison between our algorithm and Pollard’s rho algorithm is shown in Table 5.1; the results are averages over 10 runs of the tests.

Table 5.1 Comparison between Pollard’s rho and our algorithm (genus 2)

Field size q = |Fq|                        2^11      2^13      2^17      2^19
Pollard’s rho
  Average time (sec)                      1.238     5.502   113.391   827.459
  Average iterations                      923.4    2642.8   50239.5  236119.6
Our algorithm
  Average time (sec)                      (only the 2^19 value, 80.809, survives in the text below)
  Average iterations                      699.4    2350.4     40222    137832
  Average number of smooth divisors       351.4    1169.2   20222.3   74338.8
  Graph size                               1024      4071     65792    261993

As we can see in Table 5.1, the average number of iterations our algorithm needs to solve a genus 2 HCDLP is less than the average number of iterations of Pollard’s rho algorithm, and the running time of our algorithm is also less than that of Pollard’s algorithm. For example, over the base field GF(2^19), Pollard’s rho algorithm takes 827.459 seconds and 236119.6 iterations on average to solve the given HCDLP, and meets 2.2 useless collisions before the solution is found. Our algorithm in the same case takes only 80.809 seconds. After 137832 iterations on average there are 74338.8 smooth divisors that can be added to the graph, and then 2.9 cycles are found on average. The rate 74338.8 / 137832 ≈ 0.539 is about the half chance of getting a smooth divisor given by Lemma 4.1, and the number of edges divided by the graph size, 74338.8 / 261993 ≈ 0.284, is less than the expected time estimated in Corollary 5.1.

Chapter 6

Conclusion and Future Research

6.1 Summary

We introduced the additive group of the Jacobian of a hyperelliptic curve and Cantor’s algorithm for computing the group law in Chapter 3. For a hyperelliptic curve of genus g over a finite field Fq, the group order of the Jacobian is O(q^g), whereas the group order of an elliptic curve over Fq is O(q). Therefore, the advantage of hyperelliptic curves over elliptic curves is that a smaller base field can be used to obtain the same level of security. The disadvantage is that there exists an algorithm, the hyperelliptic index calculus algorithm, that solves HCDLP in subexponential time once the genus becomes large enough. Hence small genus hyperelliptic curves are preferred for constructing a hyperelliptic curve cryptosystem. According to Table 4.1, we can extend Table 1.1 to the following Table 6.1.

In Chapter 4, we described several variations of the hyperelliptic index calculus algorithm. The settings of the test data are given in section 4.3, and a computational comparison between these variations is shown in Table 4.2.

We also proposed a better algorithm for solving genus 2 HCDLP in Chapter 5.

The implementation results can be found in section 5.4. In Table 5.1, detailed comparisons between our algorithm and Pollard’s rho algorithm are given. It is shown that our algorithm is faster than Pollard’s rho algorithm in practice.

Table 6.1 Suggested key size for hyperelliptic curve cryptography.

                      Minimum size (bits) of public keys
Security (bits)     ECC     HECC genus 2   HECC genus 3   HECC genus 4   HECC genus 5
80                  160          80             60             54             50
112                 224         112             84             75             70
128                 256         128             96             86             80
192                 382         192            144            128            120
256                 512         256            192            171            160

6.2 Future work

There are several interesting topics for further research.

1. Solving large sparse linear systems over a finite field:

This is one of the crucial parts of the index calculus algorithm. An improvement of the algorithm for solving large sparse linear systems over a finite field implies an improvement of the index calculus algorithm.

2. Reducing the space requirement:

The disadvantage of our algorithm compared with Pollard’s rho method is its space requirement: our algorithm takes O(q) memory. Perhaps there are other methods which can reduce the space requirement.

3. Algorithm design:

Design a systematic index calculus algorithm which can make extensive use of more large primes without much overhead, and analyze what number of large primes is optimal for collecting enough smooth relations.

Bibliography

[1] L. Adleman, J. DeMarrais and M. Huang, “A Subexponential Algorithm for Discrete Logarithms over the Rational Subgroup of the Jacobians of Large Genus Hyperelliptic Curves over Finite Fields,” Algorithmic Number Theory, LNCS 877 (1994), 28-40.

[2] D. Cantor, “Computing in the Jacobian of a Hyperelliptic Curve,” Mathematics of Computation, 48 (1987), 95-101.

[3] David G. Cantor and Hans Zassenhaus, “A New Algorithm for Factoring Polynomials Over Finite Fields,” Mathematics of Computation, 36:587-592, 1981.

[4] H. Cohen and G. Frey, Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapman & Hall/CRC, 2006.

[5] D. Coppersmith, “Solving Linear Equations over GF(2) via Block Wiedemann Algorithm,” Math. Comp., 62(205):333-350, 1994.

[6] A. Enge, “Computing Discrete Logarithms in High-genus Hyperelliptic Jacobians in Provably Subexponential Time,” Math. Comp., 71, no. 238, pp. 729-742, 2002.

[7] A. Enge and P. Gaudry, “A General Framework for Subexponential Discrete Logarithm Algorithms”, Acta Arithmetica, 102 (2002), 83-103.

[8] P. Flajolet, D. Knuth and B. Pittel, “The First Cycles in an Evolving Graph,” Discrete Math., 75:167-215, 1989.

[9] R. Flassenberg and S. Paulu, “Sieving in function fields,” Experimental Mathematics, 8, No. 4, 339-349, 1999.

[10] John B. Fraleigh, A First Course in Abstract Algebra, seventh edition, Addison-Wesley, 2003.

[11] W. Fulton, Algebraic Curves, Benjamin, New York, 1969.

[12] S.D. Galbraith and N.P. Smart, “A Cryptographic Application of Weil Descent,” Cryptography and Coding, 7th IMA Conference, LNCS 1746, pp. 191-200, Springer-Verlag, Berlin, 1999.

[13] P. Gaudry, “An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves,” Advances in Cryptology - EUROCRYPT 2000, LNCS 1807 (2000), 19-34.

[14] P. Gaudry and R. Harley, “Counting Points on Hyperelliptic Curves over Finite Fields,” Algorithmic Number Theory - ANTS-IV, LNCS 1838 (2000), 313-332.

[15] P. Gaudry, F. Hess, and N. Smart, “Constructive and Destructive Facets of Weil Descent on Elliptic Curves,” Journal of Cryptology, 15:19-46, 2002.

[16] P. Gaudry and E. Thomé, “A Double Large Prime Variation for Small Genus Hyperelliptic Index Calculus,” Crypto ePrint Archive, Report 2004/153.

[17] C. Guyot, K. Kaveh, V.M. Patankar, “Explicit Algorithm for The Arithmetic on The Hyperelliptic Jacobians of Genus 3,” Journal of Ramanujan Mathematical Society, 19 (2004), No.2, 119-159.

[18] M. Jacobson and A. van der Poorten, “Computational Aspects of NUCOMP,” Algorithmic Number Theory - ANTS-IV, LNCS 2369 (2002), 120-133.

[19] N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, 48 (1987), 203-209.

[20] N. Koblitz, “Hyperelliptic Cryptosystems,” Journal of Cryptology, 1 (1989), 139-150.

[21] B. A. LaMacchia and A. M. Odlyzko, “Solving Large Sparse Linear Systems over Finite Fields,” in A. J. Menezes and S. A. Vanstone, editors, Advances in Cryptology, volume 537 of Lecture Notes in Comput. Sci., pages 109-133, Springer-Verlag, 1990. Proc. Crypto ’90, Santa Barbara, August 11-15, 1988.

[22] T. Lange, “Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite

[23] Niels Lubbes, “The Hyperelliptic Curve Discrete Logarithm Problem,” Master’s thesis, Universiteit van Amsterdam, 2004.

[24] A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 1993.

[25] A. Menezes, Y. Wu and R. Zuccherato, “An Elementary Introduction to Hyperelliptic Curves,” appendix in Algebraic Aspects of Cryptography by N. Koblitz, Springer-Verlag, 1998, 155-178.

[26] V. Muller, A. Stein, and C. Thiel, “Computing Discrete Logarithms in Real Quadratic Congruence Function Fields of large genus,” Math. Comp., 68(226):807–822, 1999.

[27] D. Mumford, Tata Lectures on Theta II, Birkhauser, Boston, 1984.

[28] K. Nagao, “Improvement of Thériault Algorithm of Index Calculus for Jacobian of Hyperelliptic Curves of Small Genus,” Cryptology ePrint Archive, Report 2004/161.

[29] J. Pelzl, T. Wollinger, and C. Paar, “Low cost security: Explicit formulae for genus-4 hyperelliptic curves,” in M. Matsui and R. Zuccherato, editors, Selected Areas in Cryptography - SAC 2003, volume 3006 of LNCS, pages 1-16, Springer-Verlag, 2004.

[30] Y. Sakai and K. Sakurai, “On the Practical Performance of Hyperelliptic Curve Cryptosystems in Software Implementation,” IEICE Trans. Fundamentals, vol. E83-A, No. 4, April 2000.

[31] Victor Shoup, NTL: A Library for doing Number Theory, available on web http://shoup.net/ntl/.

[32] N. Thériault, “Index Calculus Attack for Hyperelliptic Curves of Small Genus,” Advances in Cryptology - ASIACRYPT 2003, LNCS 2894 (2003), 75-92.

[33] D. H. Wiedemann, “Solving Sparse Linear Equations over Finite Fields,” IEEE Trans. Inform. Theory, IT-32(1):54-62, 1986.
