7/30/2019 D Log Powerpoint
1/26
Expander Graphs, GRH, and the Elliptic Curve Discrete Logarithm
Stephen D. Miller, Rutgers University
Joint work with David Jao and Ramarathnam Venkatesan, Microsoft Research Cryptography and Anti-Piracy Group
http://www.math.rutgers.edu/~sdmiller
Brief Overview
Many cryptographic applications are based on the discrete logarithm.
Important example: DLOG on elliptic curves.
Is it always equally hard? Are there good curves and bad curves?
Main result: in some situations curves have equivalent difficulty.
Mathematical content: proof/techniques use elliptic curves, expander graphs, modular forms, L-functions, and the Generalized Riemann Hypothesis.
Motivating Example: Microsoft Product Key
When Windows or Microsoft Office are installed, the user is required to enter a 25-digit alphanumeric antipiracy code.
This code (key) must be short. The computer must be able to quickly recognize whether or not this is a valid key, without giving away any clue as to how to manufacture additional valid keys.
Otherwise thieves would copy the software CDs and illegally resell them with new codes. Key = CA$H.
Future attacks will be faster. How can one keep the key short, yet still keep up with the attackers?
This requires new methods and cryptosystems. Serious mathematics involved in design.
Cryptography
Mathematical methods to hide information.
Based on the difficulty of some underlying mathematical problem.
Well-known problems include:
Pre-computer age: guessing keys, inverting ax+b (mod n).
Factoring (RSA).
Discrete Logarithm.
Braid group conjugacy problem.
... But a good problem is just the start; implementation matters, too!
Other factors
A good cryptosystem needs more than just a hard problem behind it.
It's rare to reduce the cryptosystem directly to the underlying problem. For example, hypothetically, RSA might be easier than factoring.
Some desired attributes:
Speed of encryption and decryption.
Use of a large state space without having to store it all.
Short keys (passwords).
Stability against foreseen attacks. Leave no trace.
Example of a difficult underlying problem: Discrete Logarithm on (Z/pZ)*, p prime.
(Z/pZ)* is abstractly isomorphic to Z/(p-1)Z.
For example, p = 19: $(\mathbb{Z}/19\mathbb{Z})^* \cong \mathbb{Z}/18\mathbb{Z}$ is generated by powers of 2.
[Figure: the cycle Z/18Z with vertices 0, 1, ..., 17, beside (Z/19Z)* labelled by the successive powers of 2 mod 19: 1, 2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10.]
This sequence appears to be fairly random: $k \mapsto 2^k$.
A cryptosystem using DLOG: Diffie-Hellman key exchange
A method for two users to share a common password (without revealing it to the public).
1. Agree on a group G and a generator g.
2. Alice picks an exponent x at random. Sends Bob $g^x$.
3. Bob picks an exponent y at random. Sends Alice $g^y$.
4. Both Alice and Bob have the common password (key) $g^{xy} = (g^x)^y = (g^y)^x$.
An eavesdropper sees $g$, $g^x$, $g^y$, but cannot compute $g^{xy}$ without solving DLOG.
[Figure: Alice and Bob exchange $g^x$ and $g^y$ over the public channel; $g$ is public.]
DLOG on other abstract groups?
Introduced because of subexponential attacks on DLOG over (Z/nZ)*.
Idea: Find an isomorphic group where the structure of the integers is not as apparent.
Also want computation to be efficient, e.g. by polynomial operations (rules out many abstract choices).
Elliptic Curves: the set of solutions to an equation of the form
E : $y^2 = x^3 + ax + b$
over a finite field satisfies these criteria.
What's an elliptic curve?
More or less, the solutions to an equation of the form
E : $y^2 = x^3 + ax + b$
But over what field? What are x and y?
Over C, E is isomorphic to the quotient of C by a lattice (a torus).
In fact, the set of solutions always has an abelian group law.
Number Theory: study solutions over F_p = Z/pZ, or more generally over F_q.
Brief History of Elliptic Curve Cryptography
Introduced by V. Miller and N. Koblitz circa 1985.
Bit-for-bit gives very strong cryptography, compared to e.g. RSA.
RSA, EC, etc.: backbone of a $2 billion/year industry.
Drawbacks: Elliptic curves are not well understood by mathematicians or cryptographers. Perhaps the danger of hidden attacks possibly outweighs the benefits of use (?).
Therefore it is crucial to understand the various risks.
Many mathematically interesting challenges remain.
How are elliptic curves selected?
Unlike DLOG on (Z/nZ)*, there can be many elliptic curves having the same order.
Elliptic curves over finite fields can be:
supersingular: have subexponential attacks.
ordinary: so far, no subexponential attacks.*
Want the order of E(F_q) to be prime, or at least to have a large prime factor. E(F_q) should be a cyclic group.
Essentially: known pitfalls are avoided, with limited understanding.
Are any other factors important?
Perhaps some curves are better than others?
Widely thought that ordinary curves are superior to supersingular curves.
National Institute of Standards and Technology (NIST), part of the US Department of Commerce, proposed a family of convenient curves to serve as standards for Elliptic Curve Cryptography.
Some users fear these curves are cryptographically weak. How can the consumer know whether they have a good curve or not? Is my neighbor's stronger?
Settling this conspiracy theory is an important practical question, no matter the outcome.
Example of a NIST curve
NIST P-192. Characteristic p = 6277101735386680763835789423207666416083908700390324961279.
Elliptic curve E: $y^2 = x^3 - 3x + 2455155546008943817740293915197451784769108058161191238065$ over F_p.
Number of points = #E = 6277101735386680763835789423176059013767194773182842284081 (a prime).
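The check a practitioner would run on the parameters above, as an added example (not code from the talk or from NIST): the affine group law on P-192, then a test that the stated prime order #E sends a random curve point to the point at infinity. Because #E is prime, a point P ≠ O then has order exactly #E, so #E divides the group order, and the Hasse bound forces the two to be equal.

```python
# Added example (not from the slides): the affine group law on NIST P-192,
# E: y^2 = x^3 - 3x + b over F_p, with the slide's p, b and #E, used to check
# that the stated prime order n kills a random point (so n | #E, and by the
# Hasse bound #E = n).
import random

P192_P = 6277101735386680763835789423207666416083908700390324961279
P192_B = 2455155546008943817740293915197451784769108058161191238065
P192_N = 6277101735386680763835789423176059013767194773182842284081
P192_A = -3  # NIST prime curves use a = -3 (mod p)

# Points are (x, y) tuples; None is the point at infinity O.
def ec_add(P, Q, p=P192_P, a=P192_A):
    if P is None or Q is None:
        return Q if P is None else P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P) = O, also covers doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, p=P192_P, a=P192_A):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, p, a)
        P = ec_add(P, P, p, a)
        k >>= 1
    return R

def random_point(seed=1, p=P192_P, a=P192_A, b=P192_B):
    """Pick x until x^3 + ax + b is a square; p = 3 mod 4, so sqrt(r) = r^((p+1)/4)."""
    rng = random.Random(seed)  # constructed, seeded sample input
    while True:
        x = rng.randrange(p)
        rhs = (x ** 3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:  # rhs was a square (or zero)
            return (x, y)

def order_check(P):
    """True when the slide's #E kills P, i.e. #E * P = O."""
    return ec_mul(P192_N, P) is None
```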
Important Notion: Isogeny Class
An isogeny is a nontrivial algebraic map between two elliptic curves. It is a group homomorphism.
Examples:
1. Map any E to itself by $z \mapsto 2z$ (called an endomorphism).
2. Map $\mathbb{C}/\mathbb{Z}[i] \to \mathbb{C}/\mathbb{Z}[2i]$ by $z \mapsto 2z$.
3. Map $\mathbb{C}/\mathbb{Z}[i] \to \mathbb{C}/\mathbb{Z}[i]$ by $z \mapsto iz$ (called complex multiplication, CM).
Tate's Isogeny Theorem: two elliptic curves over F_q with the same number of points are isogenous over F_q (isogenies exist between them in both directions).
Related to commensurability.
Isogenies give an explicit reduction between DLOG on different curves if they each have the same prime number of points (identical cyclic groups).
So because of Tate's theorem, the selection problem can be reinterpreted: is the isogeny class a fine enough invariant for curve selection? Or is more needed?
Notions of Level, Conductor (technical)
Given an elliptic curve E over F_q, let End(E) denote the endomorphisms of E (= isogenies + the trivial zero map) which are defined over the algebraic closure of F_q.
For an ordinary elliptic curve, End(E) is an order in some imaginary quadratic number field $K = \mathbb{Q}(\sqrt{-d})$.
This field K is an invariant of the isogeny class (called the Complex Multiplication field).
Orders are always of the form $O_D = \mathbb{Z} + c\,O_K$, where $O_K$ is the ring of algebraic integers in K (solutions to monic integral polynomials).
The discriminant of the order $O_D$ is related to the discriminant d of K by $D = c^2 d$. Curves for a given constant value of c form levels.
Isogenies can therefore be of two forms: they can preserve D (horizontal), or they can change D (vertical).
Supersingular curves all lie on the same level (by definition), so this is really an issue pertaining to ordinary curves.
[Figure: levels of curves.]
Statement of Theorem
Jao, M-, Venkatesan (2004): Assuming the Generalized Riemann Hypothesis (GRH), the DLOG problem on isogenous elliptic curves is random reducible in the following sense: given any algorithm A that solves DLOG on some $\varepsilon$-fraction of the curves in a level, one can probabilistically solve DLOG on any curve in the same level with $\mathrm{polylog}(q)/\varepsilon$ queries to A with random inputs.
Without assuming GRH, but only the weaker Lindelöf hypothesis: subexponentially many queries instead of polynomially many.
Applications to NIST Curves
All NIST and IPSec international standards elliptic curves have c_max = 1 (except NIST P-256, which has c_max = 3, and the NIST K family of Koblitz curves, which a priori have large c_max). c_max is a measure of how hard it is to reduce DLOG on a curve to other curves over F_q which have the same number of points.
Since it is small, this means that the NIST and IPSec curves (aside from the K curves) lie on the simplest levels. Their DLOG problems are therefore randomly reducible to all other typical curves on those levels.
Hence their DLOGs are no easier or harder than those for typical curves. No Conspiracy.
Method of proof uses Isogeny Graphs
Low degree isogenies between elliptic curves provide explicit polynomial time reductions between the curves they connect.
An isogeny graph is a graph whose vertices represent all the elliptic curves on a given level, and whose edges represent low degree isogenies (of degree $(\log q)^{2+\varepsilon}$, $\varepsilon > 0$).
Mixing Hypothesis: suppose that the random walk on this graph mixes rapidly (i.e. after polylog(q) steps one reaches any vertex with uniform probability up to a small error).
This is proven using GRH. Then by computing random low degree isogenies, DLOG can be explicitly reduced between any two curves on that level.
Therefore DLOG has uniform difficulty on this level (assuming the Mixing Hypothesis).
[Figure: various elliptic curves on the same level; arrows represent equivalences between DLOG on different curves.]
Application: generating random isogenies, studying mixing
These applications of GRH and expander graphs are used in estimating the security of the upcoming Windows Longhorn product key algorithm (2006).
Also solidifies earlier heuristic cryptographic arguments which relied upon rapid mixing of the random walk (Kohel, Galbraith et al.).
Brief Review of Graph Theory
Definitions: A graph is a collection of vertices V, and (undirected) edges E connecting the vertices.
A k-regular graph has exactly k edges meeting at each vertex.
Adjacency operator A on $L^2(V)$ averages the function over its neighbors:
$A: f(x) \mapsto \sum_{y \sim x} f(y)$
The constant functions on V are eigenfunctions with the trivial eigenvalue $\lambda = k$.
Expander Graphs
Graphs for which the random walkmixes rapidly(=uniformly distributed up to small error). Assumedegreek is relatively small compared to the size of thegraph |V| -- e.g. k = (log|V|)power.
If all nontrivialeigenvalues of A satisfy|| < k 1/(log k)r
for some r, then the random walk mixesin (log k)r+1 steps.Can serve as definition of expander.
Optimal bound is || < 2(k-1)1/2, known as theRamanujan bound.
Isogeny graphs are close to being Ramanujan graphs
Can have || = O(k1/2+).
Brief History of Expander Graphs
Originally shown to exist by counting methods (Pinsker): there are far more graphs than there are non-expander graphs.
Margulis (70s, 80s), Lubotzky-Phillips-Sarnak (1986) give the first constructions.
LPS Ramanujan graphs use the (known) Ramanujan conjectures in their proof. The Ramanujan conjectures in number theory are a statement about optimal cancellation in random sums.
Other constructions: Reingold-Vadhan-Wigderson Zig-Zag, algebraic geometry. Have algebraic flavor.
The Isogeny Graphs are Expanders
Supersingular case: essentially already observed by Ihara, Mestre, and Pizer. Relies on the (known) Ramanujan conjectures as well, and on properties of Brandt matrices.
Ordinary case (JMV): construction of isogeny graphs is a new method of constructing expanders with small degree $k = (\log|V|)^{\text{power}}$. Relies conditionally on the (unproven) Generalized Riemann Hypothesis (GRH).
GRH Graphs
Let Q be a large integer.
Let $S = \{\text{primes } p < (\log Q)^B,\ p \nmid Q\}$, for B > 2.
Define the graph to have vertices V = (Z/QZ)* and edges connecting v to pv, for each $v \in V$ and $p \in S$. (This is the Cayley graph of the group (Z/QZ)* with respect to the generating set S.)
Theorem: Assuming GRH, this graph is an expander: its nontrivial eigenvalues satisfy the bound $|\lambda| = O(k^{1/2+1/B})$.
New, conditional construction of expander graphs.
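An added example (not code from the talk) that computes the spectrum of this Cayley graph for a small prime Q and also exercises the adjacency operator A from the graph-theory slide. It assumes the eigenvalue/character correspondence for abelian Cayley graphs (the eigenvalues are the sums of each character over the symmetrized generating set), and it replaces the slide's S = primes below (log Q)^B with an explicit short list of primes so that the graph is small enough to diagonalize exactly; note that reading off the spectrum requires discrete logs of the generators base a primitive root, which is cheap only because Q is tiny.

```python
# Added example (not from the slides): spectrum of the "GRH graph" for a small
# prime Q, i.e. the Cayley graph of (Z/QZ)* with generating set S.  For an
# abelian Cayley graph the adjacency eigenvalues are the character sums over the
# generators; (Z/QZ)* is cyclic with generator g, so chi_t(g^a) = e^{2 pi i t a/(Q-1)}.
import cmath
import math

def primitive_root(Q):
    """Smallest generator of the cyclic group (Z/QZ)*, Q prime (brute force)."""
    n = Q - 1
    factors = [f for f in range(2, n + 1)
               if n % f == 0 and all(f % d for d in range(2, int(f ** 0.5) + 1))]
    for g in range(2, Q):
        if all(pow(g, n // f, Q) != 1 for f in factors):
            return g
    raise ValueError("no generator: Q is not prime")

def symmetric_generators(Q, S):
    """S together with its inverses mod Q, so the graph is undirected."""
    return sorted({s % Q for s in S} | {pow(s, -1, Q) for s in S})

def character(Q, t):
    """chi_t on (Z/QZ)* as a dict vertex -> complex value, indexed via dlog base g."""
    g = primitive_root(Q)
    return {pow(g, a, Q): cmath.exp(2j * math.pi * t * a / (Q - 1)) for a in range(Q - 1)}

def spectrum(Q, S):
    """Eigenvalues lambda_t = sum over S u S^-1 of chi_t(s), t = 0..Q-2 (real since S is symmetric)."""
    gens = symmetric_generators(Q, S)
    return [sum(character(Q, t)[s] for s in gens).real for t in range(Q - 1)]

def adjacency_apply(f, Q, S):
    """(A f)(x) = sum_{y ~ x} f(y): the adjacency operator on L^2(V), neighbours of x are x*s."""
    gens = symmetric_generators(Q, S)
    return {x: sum(f[(x * s) % Q] for s in gens) for x in range(1, Q)}

def is_eigenfunction(Q, S, t, tol=1e-9):
    """Check directly that chi_t is an eigenfunction of A with eigenvalue lambda_t."""
    f = character(Q, t)
    lam = spectrum(Q, S)[t]
    Af = adjacency_apply(f, Q, S)
    return all(abs(Af[x] - lam * f[x]) < tol for x in range(1, Q))

def spectral_summary(Q, S):
    """Degree k, trivial eigenvalue, largest nontrivial |lambda|, and the Ramanujan bound 2 sqrt(k-1)."""
    lam = spectrum(Q, S)
    k = len(symmetric_generators(Q, S))
    return {"k": k, "trivial": lam[0], "max_nontrivial": max(abs(l) for l in lam[1:]),
            "ramanujan_bound": 2 * math.sqrt(k - 1)}
```

Comparing max_nontrivial with k and with the Ramanujan bound shows how far the small instance is from the O(k^{1/2+1/B}) behaviour the theorem guarantees asymptotically under GRH.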
Conclusions (Assuming GRH)
DLOG has roughly equivalent difficulty on elliptic curves over F_q whose endomorphism rings are comparable in size.
There is a random polynomial time reduction (equivalence) between the DLOG problems on such elliptic curves.
NIST and IPSec international standards curves were not chosen so as to foist cryptographically weak curves upon an unsuspecting public.
Method gives a new elementary construction of expander graphs.