Elliptic curves in Nemo Jean Kieffer ´ Ecole normale sup´ erieure de Paris & INRIA

August 3, 2017

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

1

Motivation

2

An example in isogeny-based cryptography Background Computations

3

The EllipticCurves module Contents Further development

4

Conclusion

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

1

Motivation

2

An example in isogeny-based cryptography Background Computations

3

The EllipticCurves module Contents Further development

4

Conclusion

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Key exchange from hard homogeneous spaces Let G be an abelian group acting on a set X with some given point x0 . If the action is easy to compute (polynomial time), hard to invert (exponential time), then there is an analogue of the Diffie–Hellman key exchange (Couveignes 2006). x0 b

a

public a ? x0

b ? x0 a

b (ab) ? x0

shared secret

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

The Couveignes–Rostovtsev–Stolbunov scheme Question Where can we find such an action?

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

The Couveignes–Rostovtsev–Stolbunov scheme Question Where can we find such an action? Answer (Couveignes 2006, Rostovtsev–Stolbunov 2006) Use the action of a class group on a set of isogenous elliptic curves.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

The Couveignes–Rostovtsev–Stolbunov scheme Question Where can we find such an action? Answer (Couveignes 2006, Rostovtsev–Stolbunov 2006) Use the action of a class group on a set of isogenous elliptic curves. Goals Explain what this means Describe the computations needed Discuss our EllipticCurves module in Nemo.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

1

Motivation

2

An example in isogeny-based cryptography Background Computations

3

The EllipticCurves module Contents Further development

4

Conclusion

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Elliptic curves over k Elliptic curves over a field k are algebraic curves, e.g. E : y 2 = x 3 + ax + b. They have an abelian group structure. The j-invariant j(E ) = 1728

4a3 4a3 + 27b 2

classifies such curves up to isomorphism. Isogenies are nonzero morphisms. Our isogenies will be defined over k. If an isogeny is given by rational fractions of degree `, it is called an `-isogeny.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Complex multiplication From now on, k = Fp is a prime finite field. Let E /Fp be an ordinary elliptic curve. The ring End(E ) is isomorphic to an order in a quadratic number field. The Frobenius endomorphism is a distinguished element in End(E ).

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Complex multiplication From now on, k = Fp is a prime finite field. Let E /Fp be an ordinary elliptic curve. The ring End(E ) is isomorphic to an order in a quadratic number field. The Frobenius endomorphism is a distinguished element in End(E ). Ideals of O modulo principal ideals form the class group of O. Isogenies of degree ` starting from E correspond to ideals in O of norm `. For example, in the generic case, there are either zero or two isogenies of degree ` with domain E .

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Action of the class group

Proposition There is an action of the class group on a set of elliptic curves. Ideals of norm ` act as `-isogenies. This action is simply transitive. Therefore, in our setting, isogeny graphs are just Cayley graphs of a certain group.

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Our isogeny graphs Isogeny graph over F173 with isogenies of degree 3 (blue) and 7 (red): 36 162 117 2 134 167 116 This graph is much larger for cryptographic uses.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Representing isogenies

Let E /k be an elliptic curve, and ` 6= p be an odd prime. Giving the following is equivalent: An isogeny E → E 0 of degree ` Its kernel, which is a cyclic subgroup of E of order ` A polynomial of degree `−1 in x defining the kernel. 2 If we know this kernel polynomial, we can easily find E 0 using V´elu’s formulas.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Representing ideals

We do not compute directly in the class group. Instead, we use the following representation of ideals: If the ideal l has norm `, we have a natural surjection O/`O → O/lO ' Z/`Z. The ideal ` is determined by the tuple (`, v ), where v is the image of the Frobenius under this surjection. We call v a Frobenius eigenvalue.

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

General algorithm Problem Given E /Fp and a prime `, how can we compute the action of an ideal (`, v ) on E ?

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

General algorithm Problem Given E /Fp and a prime `, how can we compute the action of an ideal (`, v ) on E ? Idea The j-invariant we want is one of the two roots of a polynomial equation, called modular equation: Φ` (j(E ), Y ) = 0.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

General algorithm Problem Given E /Fp and a prime `, how can we compute the action of an ideal (`, v ) on E ? Idea The j-invariant we want is one of the two roots of a polynomial equation, called modular equation: Φ` (j(E ), Y ) = 0. Algorithm Let E be a curve and (`, v ) be an ideal. compute and solve this equation: find j1 , j2 compute the kernel polynomial K (x) of E → j1 check if the Frobenius acts on it as scalar mult. by v : ? (x p , y p ) = [v ] · (x, y ) mod K (x) and curve equation.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Kernel computation Question How can we compute the kernel polynomial K (x) of φ : E → j1 ?

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Kernel computation Question How can we compute the kernel polynomial K (x) of φ : E → j1 ? Idea (Elkies) The rational fraction defining φ satisfies a simple differential equation. K (x) appears as the denominator.

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Kernel computation Question How can we compute the kernel polynomial K (x) of φ : E → j1 ? Idea (Elkies) The rational fraction defining φ satisfies a simple differential equation. K (x) appears as the denominator. Algorithm (Bostan–Morain–Salvy–Schost 2008) Compute power series solutions of this ODE up to a certain precision with a Newton iteration Recover K (x) using the Berlekamp–Massey rational reconstruction algorithm.

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Using V´elu’s formulas Problem Given E /Fp and a prime ` 6= p, how can we compute the curves linked to E by an `-isogeny? Finding roots of modular polynomials is costly : Φ` (X , Y ) has degree ` + 1 in both variables.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Using V´elu’s formulas Problem Given E /Fp and a prime ` 6= p, how can we compute the curves linked to E by an `-isogeny? Finding roots of modular polynomials is costly : Φ` (X , Y ) has degree ` + 1 in both variables. Another solution Suppose that K is a subgroup of order ` in E whose points are defined over Fp . Look for `-torsion points over Fp to find K , using scalar multiplications Compute the curve E /K using V´elu’s formulas. The isogeny E → E /K has degree `.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Using V´elu’s formulas (2) The previous condition may be relaxed when allowing field extensions. But. . .

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Using V´elu’s formulas (2) The previous condition may be relaxed when allowing field extensions. But. . . Using V´elu’s formulas is only efficient with small-degree extensions.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Using V´elu’s formulas (2) The previous condition may be relaxed when allowing field extensions. But. . . Using V´elu’s formulas is only efficient with small-degree extensions. Using efficient arithmetic on curves is important (use other models than Weierstrass equations)

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Using V´elu’s formulas (2) The previous condition may be relaxed when allowing field extensions. But. . . Using V´elu’s formulas is only efficient with small-degree extensions. Using efficient arithmetic on curves is important (use other models than Weierstrass equations) Not every curve satisfies the previous conditions for many `’s and small d’s: we have to look for adequate curves.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Using V´elu’s formulas (2) The previous condition may be relaxed when allowing field extensions. But. . . Using V´elu’s formulas is only efficient with small-degree extensions. Using efficient arithmetic on curves is important (use other models than Weierstrass equations) Not every curve satisfies the previous conditions for many `’s and small d’s: we have to look for adequate curves. In practice, we have to use both the general algorithm and V´elu’s formulas.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

1

Motivation

2

An example in isogeny-based cryptography Background Computations

3

The EllipticCurves module Contents Further development

4

Conclusion

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

What we would like to do For the general method: Define elliptic curves over finite fields and general rings Define isogenies, scalar multiplication and isomorphisms Have a database of modular polynomials Find roots of polynomials over finite fields BMSS: ODEs in power series with Newton iterations and Berlekamp–Massey.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

What we would like to do For the general method: Define elliptic curves over finite fields and general rings Define isogenies, scalar multiplication and isomorphisms Have a database of modular polynomials Find roots of polynomials over finite fields BMSS: ODEs in power series with Newton iterations and Berlekamp–Massey. For V´elu’s formulas: Define points on elliptic curves and arithmetic operations with efficient models Extensions of finite fields.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

What we would like to do For the general method: Define elliptic curves over finite fields and general rings Define isogenies, scalar multiplication and isomorphisms Have a database of modular polynomials Find roots of polynomials over finite fields BMSS: ODEs in power series with Newton iterations and Berlekamp–Massey. For V´elu’s formulas: Define points on elliptic curves and arithmetic operations with efficient models Extensions of finite fields.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Three ways to compute scalar multiplications

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Three ways to compute scalar multiplications

Sol. 1 (Nemo)

Sol. 3 (Sage)

E = Weierstrass(...) Fext, = FiniteField(p, d, "alpha") Eext = base extend(E, Fext) P = rand(Eext) pˆd * P

E = EllipticCurve(...) Fext = FiniteField(p**d, "alpha") Eext = E.base extend(Fext) P = Eext.random element() C = p**d C * P

Sol. 2 (Nemo) E = Montgomery(...) Fext, = FiniteField(p, d, "alpha") Eext = base extend(E, Fext) P = randXonly(Eext) pˆd * P

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Timing results t (s) 2

Nemo (generic)

1.75

Sage

1.5 1.25 1 0.75

Nemo (Montgomery)

0.5 0.25 0

1

2

3

4

5

6

7

8

9

10

d

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Further possible development Around the previous algorithms: Call (system) PARI to compute the cardinality of curves over finite fields Have access to FLINT’s root finding algorithms modulo p Have a decent system to handle field extensions Have p-adic numbers to compute isogenies in small characteristic? Connections with Hecke to be able to compute in endomorphism rings?

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Further possible development

This module may also become useful to people learning about elliptic curves and elliptic curve cryptography: Implement other models for curves Add pairings ...

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

1

Motivation

2

An example in isogeny-based cryptography Background Computations

3

The EllipticCurves module Contents Further development

4

Conclusion

Conclusion

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Conclusion We implemented Couveigne’s proposal, but the heavy computations needed makes it uncompetitive in practive when compared with other cryptosystems.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Conclusion We implemented Couveigne’s proposal, but the heavy computations needed makes it uncompetitive in practive when compared with other cryptosystems. In order to use V´elu’s formulas, we have to look for adequate curves, and this requires lots of computational power.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Conclusion We implemented Couveigne’s proposal, but the heavy computations needed makes it uncompetitive in practive when compared with other cryptosystems. In order to use V´elu’s formulas, we have to look for adequate curves, and this requires lots of computational power. With the best curve we found so far, aiming at 128-bit security, we reduced the computing time from 880 to 360 seconds. Better curves would bring further improvement.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Conclusion

Conclusion We implemented Couveigne’s proposal, but the heavy computations needed makes it uncompetitive in practive when compared with other cryptosystems. In order to use V´elu’s formulas, we have to look for adequate curves, and this requires lots of computational power. With the best curve we found so far, aiming at 128-bit security, we reduced the computing time from 880 to 360 seconds. Better curves would bring further improvement. The EllipticCurves module is able to perform these computations.

Motivation

An example in isogeny-based cryptography

The EllipticCurves module

Thank you!

Conclusion

Elliptic curves in Nemo - GitHub

Aug 3, 2017 - The ring End(E) is isomorphic to an order in a quadratic number field. The Frobenius endomorphism is a .... Question. How can we compute the kernel polynomial K(x) of φ : E → j1 ? Idea (Elkies). The rational fraction defining φ satisfies a simple differential equation. K(x) appears as the denominator.

565KB Sizes 27 Downloads 375 Views

Recommend Documents

Heron Triangles and Elliptic curves
Mar 8, 1998 - Elliptic Curves, Heron Triangles, rational medians. 1 Introduction. A triangle with ..... Table 1: Sporadic Heron-2-median triangles. 5 Conclusion.

Heron Triangles and Elliptic curves - CiteSeerX
Mar 8, 1998 - We will call any rational sided triangle with rational area a Heron triangle. In [BR 97] the authors present numerical evidence supporting the ...

FAMILIES OF ELLIPTIC CURVES IN P3 AND ...
Even though this can be done by hand, computer calculations with [M2] turn out to be ... filtration and the support property have to be fulfilled. Bridgeland's main ...

pdf-83\elliptic-curves-number-theory-and-cryptography-second ...
There was a problem loading more pages. pdf-83\elliptic-curves-number-theory-and-cryptography- ... tics-and-its-applications-by-lawrence-c-washington.pdf.

Elliptic curves, Factorization and Primality Testing
Now we can define a projective K curve using projective coordinates, F(x, y, z) = 0, where. F(x, y, z) is a homogeneous .... curve has a single point with z = 0, equivalent to (0,1,0); so for simplicity one can think of the affine curve .... and if (

pdf-83\elliptic-curves-number-theory-and-cryptography-second ...
(DISCRETE MATHEMATICS AND ITS. APPLICATIONS) BY LAWRENCE C. WASHINGTON. DOWNLOAD EBOOK : ELLIPTIC CURVES: NUMBER THEORY AND. CRYPTOGRAPHY, SECOND EDITION (DISCRETE MATHEMATICS AND ITS. APPLICATIONS) BY LAWRENCE C. WASHINGTON PDF. Page 1 of 9 ...

TORSION POINTS ON ELLIPTIC CURVES OVER ... - Semantic Scholar
the paper with an application to torsion points rational over abelian extensions of F. ...... If the word “admissible” in Theorem 2.17 is replaced by “non-isotrivial”, the ...... they are pairwise non-isomorphic; a common theme of the next pr

TORSION POINTS ON ELLIPTIC CURVES OVER ... - Semantic Scholar
introduce our setup once and for all at the beginning of the paper. ...... they are pairwise non-isomorphic; a common theme of the next proposition and of the ...

Nemo: a computer algebra package for Julia - GitHub
Jul 12, 2017 - Antic. ▷ Singular kernel (via Singular.jl). Generic algorithms: ▷ Residue rings. ▷ Fraction fields. ▷ Dense univariate polynomials. ▷ Sparse distributed multivariate polynomials. ▷ Dense linear algebra. ▷ Power series : a

Rational Curves in Positive Characteristic - UiO - DUO
Nov 17, 2014 - reader should be able to read most pages of one of the three texts: ...... is preserved under base change, one can show that a variety X over k,.

finding nemo vectors.pdf
Page 1 of 1. finding nemo vectors.pdf. finding nemo vectors.pdf. Open. Extract. Open with. Sign In. Main menu. Displaying finding nemo vectors.pdf.

Elliptic Curves_poster.pdf
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. Elliptic ...

Rational Curves in Positive Characteristic - UiO - DUO
Nov 17, 2014 - For instance in the study of higher dimensional varieties, one is especially interested in free and ... we prove when it is Fano, and we discuss its moduli space of rational curves of a given degree. ... constraints on the degree of a

Finding nemo 1
THE PHONE 2002. ... two beside- Notethe word softly and noteits reappearance whemthe poet describes the Second Voice The other isasofter voice, As soft ... PDF File: Whisky In Your Pocket: A New Edition Of Wallace Milroy's The Origin 2.

Watch Little Nemo Adventures In Slumberland (1989) Full Movie ...
Watch Little Nemo Adventures In Slumberland (1989) Full Movie Online.pdf. Watch Little Nemo Adventures In Slumberland (1989) Full Movie Online.pdf. Open.

Little-Nemo-In-Slumberland-So-Many-Splended-Sundays.pdf ...
Little-Nemo-In-Slumberland-So-Many-Splended-Sundays.pdf. Little-Nemo-In-Slumberland-So-Many-Splended-Sundays.pdf. Open. Extract. Open with. Sign In.

algebraic curves
Jan 28, 2008 - The image of F under ˜ϕ is written F(s1,...,sn). The ring R[X1,... ..... So any algebraic set V may be written as V = V1 ∪···∪Vm, Vi irreducible. To.

The finding nemo
King james version. audio bible.Thefinding nemo.Pdf-poli-hindi. ... Heroes of. mythology.Thefinding nemo.Thefinding nemo.Crack pes 201.Pinnacle 12 upgrade.

Finding Nemo WS.pdf
Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. Finding Nemo WS.pdf. Finding Nemo WS.pdf. Open. Extract.

Elliptic Curve Cryptography for MUD in CDMA - IJRIT
IJRIT International Journal of Research in Information Technology, Volume 1, Issue 7, ... Access is a form of access scheme that has been widely used in 3G cellular ... Anyone with a radio receiver can eavesdrop on a wireless network, and ...

Elliptic Curve Cryptography for MUD in CDMA - IJRIT
wireless systems. ... Anyone with a radio receiver can eavesdrop on a wireless network, and therefore widely ... One main advantage of ECC is its small key size.

Fast Elliptic Curve Cryptography in OpenSSL - Research at Google
for unnamed prime and/or characteristic-2 curves (the OpenSSL elliptic curve library supports ..... ietf.org/html/draft-bmoeller-tls-falsestart-00. 11. ECRYPT II.