G - 16th workshop on Elliptic Curve Cryptography
G - 16th workshop on Elliptic Curve Cryptography
G - 16th workshop on Elliptic Curve Cryptography
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Project Report <strong>on</strong> Solving Discrete<br />
Logarithm Problems with Auxiliary Input<br />
ECC 2012 @ Queretaro, Mexico<br />
Yumi Sakemi (FUJITSU Laboratories Ltd, Japan)<br />
Joint work with Goichiro Hanaoka(AIST), Tetsuya Izu,<br />
Masahiko Takenaka and Masaya Yasuda (FUJITSU Laboratories Ltd.)<br />
October 29th, 2012<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
ECC and ECDLP<br />
• <strong>Elliptic</strong> <strong>Curve</strong> Cryptosystems (ECC)<br />
• One of the standardized public key cryptosystem<br />
• <strong>Elliptic</strong> <strong>Curve</strong> Discrete Logarithm Problem (ECDLP)<br />
• G: a point <strong>on</strong> an elliptic curve<br />
• G = 〈G〉: an additive cyclic group generated by G with prime order r<br />
• ECDLP: a problem to find x from G and xG<br />
• Best algorithms for solving ECDLP are square-root methods.<br />
• ECDLP is infeasible If r > 2 160<br />
BSGS method[Shanks71] r-method [Pollard78]<br />
Time 2√r √pr/2<br />
Space 2√r (√pr/2)/q<br />
How to find a soluti<strong>on</strong> Deterministic Probabilistic<br />
Implementati<strong>on</strong> Easy Hard<br />
Storage size Large Less<br />
1<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Pairing-based Cryptosystems<br />
• New schemes have been c<strong>on</strong>structed with pairings<br />
• Identity-based encrypti<strong>on</strong>(IBE), broadcast encrypti<strong>on</strong>, ...<br />
• To assure the security of such cryptosystems,<br />
a lot of new mathematical problems have been introduced<br />
B<strong>on</strong>eh-Franklin<br />
IBE<br />
[BF01]<br />
BDHP<br />
CDHP<br />
L-BDEP<br />
DHBDHP<br />
L-BDHIP<br />
DDHP<br />
L-SDHP<br />
SDDHIP<br />
B<strong>on</strong>eh-Gentry-Waters<br />
Broadcast encrypti<strong>on</strong><br />
[BGW05]<br />
DHIP<br />
L-SFP<br />
SXDHP<br />
L-sSDHP<br />
WDHP<br />
L-BDHEP<br />
DLINP<br />
2<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
ECDLPwAI (ECDLP with Auxiliary Input)<br />
• ECDLP with Auxiliary Input [EUROCRYPT 06]<br />
• Input: G, xG, x d G ∈ G, d|(r-1)<br />
• Output: x ∈ Z/rZ<br />
• Che<strong>on</strong>’s Algorithm [EUROCRYPT 06]<br />
• An efficient algorithm for solving ECDLPwAI<br />
• Uses BSGS method or ρ-method as a subroutine<br />
• Time Complexity: T = O( √r/d + √d ) ← depending <strong>on</strong> d<br />
• d≒√r → T = O( 4 √r )<br />
• Eg: when 160-bit elliptic curve is used,<br />
• Solving ECDLP requires 2 80<br />
• Solving ECDLPwAI ( by Che<strong>on</strong>’s algorithm) requires ≧ 2 40<br />
3<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Implicati<strong>on</strong> to pairing-based cryptosystems<br />
Solving ECDLPwAI implies breaking some cryptosystems<br />
DHBDHP<br />
CDHP<br />
BDHP<br />
L-BDHEP<br />
DDHP<br />
SDDHIP<br />
L-BDEP<br />
L-BDHIP<br />
DHIP<br />
L-SFP<br />
SXDHP<br />
L-sSDHP<br />
WDHP<br />
L-SDHP<br />
DLINP<br />
4<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Implicati<strong>on</strong> to ECDLP<br />
• Che<strong>on</strong>’ algorithm can solve ECDLP in ECC which static DH<br />
Oracle is available in<br />
• ElGamal Encrypti<strong>on</strong> Scheme [ElGamal84]<br />
• Ford-Kaliski Key Retrieval Scheme [FK00]<br />
G, xG<br />
P<br />
d Oracle Calls<br />
G, xG, x d G<br />
Che<strong>on</strong>’s algorithm<br />
√d + √r/d<br />
xP<br />
Static DH<br />
Oracle<br />
The ECDLP can be solved<br />
by Che<strong>on</strong>’s algorithm<br />
in this framework<br />
x<br />
5<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Motivati<strong>on</strong> of Our Project<br />
• Records for solving mathematical problems<br />
• For solving ECDLPwAI, there are little experimental results.<br />
• For solving old mathematical problems, there are many theoretical and<br />
experimental results.<br />
Mathematical problem<br />
Algorithm<br />
【Theoretical】<br />
Record<br />
【Practical】<br />
Factorizati<strong>on</strong> Problem Number Field Sieve 768-bit (Dec, 2009)<br />
DLP Functi<strong>on</strong> Field Sieve 923-bit (Jun, 2012)<br />
ECDLP Square Root Method 112-bit (Jul, 2009)<br />
• Motivati<strong>on</strong><br />
To evaluate the infeasibility of ECDLPwAI<br />
by implementing Che<strong>on</strong>’s algorithm<br />
6<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Outline of Our Project<br />
r<br />
-bit<br />
160-bit<br />
Chapter 4<br />
Chapter 3<br />
128-bit<br />
Chapter 1<br />
Chapter 2<br />
60-bit<br />
Solved by<br />
Jao, Yoshida<br />
[Pairing09]<br />
BSGS<br />
7<br />
r<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Che<strong>on</strong>’s Algorithm<br />
• Input: G, G 1 =xG, G d =x d G ∈ G, d|(r-1)<br />
• Output: x ∈ Z/rZ<br />
• Approach<br />
• Instead of finding x directly, find an integer k such that x = ζ k for a<br />
generator ζ∈ (Z/rZ)*<br />
• Che<strong>on</strong>’s algorithm finds k1, k2 such that k = k1 + k2 (r-1)/d in two steps<br />
• Procedures<br />
• Find k1 such that G d = ζ d<br />
k1<br />
G (for ζ d = ζ d )<br />
• Set e ← (r-1)/d, G e ← ζ -k1 G 1<br />
• Find k2 such that G e = ζ e<br />
k2<br />
G for (for ζ e = ζ e )<br />
• Output x = ζ k for k = k1 + k2×e<br />
Step 1<br />
Step 2<br />
8<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Baby-step Giant-step Method (BSGS method)<br />
• Approach ( Shanks, 1971 [Shanks71])<br />
• Let m = √r, soluti<strong>on</strong> x = ym + z ( 0≦y, z < m )<br />
• y and z are uniquely determined<br />
• Let G1=xG, then G1 = yG’+zG ⇒ y and z satisfy G1-zG = yG’<br />
• Instead of finding x directory, find y and z such that G1-zG = yG’<br />
• Generate following two DBs and found points satisfy G1-zG = yG’ by<br />
comparing am<strong>on</strong>g two DBs<br />
• Baby-step: G1, G1-G, G1-2G, …, G1-(m-1)G<br />
• Giant-step: 0, G’, 2G’, …, (m-1)G’<br />
• Complexity<br />
• Time complexity: 2√r<br />
Space Complexity: 2√r<br />
9<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Baby-step Giant-step Method<br />
• Find x = 96 (unknown) from G and xG (with r = 100)<br />
• Exhaustive search requires 50 evaluati<strong>on</strong>s (<strong>on</strong> average)<br />
• BSGS method <strong>on</strong>ly requires at most 20 evaluati<strong>on</strong>s<br />
Giant-step<br />
(j×10G)<br />
0G<br />
10G<br />
20G<br />
30G<br />
40G<br />
50G<br />
60G<br />
70G<br />
80G<br />
90G<br />
Baby-step (xG-iG)<br />
95G 93G 91G 89G 87G<br />
96G 94G 92G 90G 88G<br />
Collisi<strong>on</strong><br />
xG = iG + j×√r G<br />
(0 ≦ i, j
Applying BSGS Method <strong>on</strong> Step 1<br />
• Set G d ← x d G, d1 = √(r-1)/d、0 ≦ u1, v1 < d1<br />
• Find k1 such that ζ<br />
-u1<br />
d G d = ζ<br />
v1×d1<br />
d G for k1 = u1 + v1×d1<br />
Baby-step<br />
ζ d<br />
-u1<br />
G d<br />
Giant-step<br />
ζ d<br />
v1×d1<br />
G<br />
d1<br />
G d = ζ d<br />
k1<br />
G<br />
= ζ d<br />
u1 + v1×d1<br />
G<br />
Search space<br />
Collisi<strong>on</strong><br />
d1<br />
11<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Kozaki-Kutsuma-Matsuo’s method<br />
• KKM (Kozaki-Kutsuma-Matsuo’s) method [KKM07]<br />
• Che<strong>on</strong>’s algorithm iterates scalar multiplicati<strong>on</strong>s for same point<br />
• In the case of ECDLP, KKM method is not required<br />
⇒next point is calculated by <strong>on</strong>ly <strong>on</strong>e group operati<strong>on</strong><br />
• sP = s 0 P + s 1 nP + s 2 n 2 P+s 3 n 3 P = T(s 0 ,0)+T(s 1 ,1)+T(s 2 ,2)+T(s 3 3)<br />
O( log r )-group operati<strong>on</strong>s A few group operati<strong>on</strong>s<br />
T(i,j) 1 2 ・・・ n-1<br />
0 P 2 P ・・・ (n-1) P<br />
1 n P 2n P ・・・ (n-1)n P<br />
2 n 2 P 2n 2 P ・・・ (n-1)n 2 P<br />
3 n 3 P 2n 3 P ・・・ (n-1)n 3 P<br />
12<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Comparis<strong>on</strong> between two DBs<br />
• After generating points, two DBs need to be compared<br />
index<br />
Baby-step<br />
index<br />
Giant-step<br />
0x0000<br />
0x0001<br />
0x0002<br />
0x0003<br />
・<br />
Element Data<br />
collisi<strong>on</strong>!!<br />
0x0000<br />
0x0001<br />
0x0002<br />
0x0003<br />
・<br />
Element Data<br />
k1<br />
0x(d1-1)<br />
0x(d1-1)<br />
13<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Our Approach: Bucket-sorting<br />
0x0000<br />
0x0001<br />
0x0002<br />
0x0003<br />
Upper 8-bit in Element Data<br />
000000 Data 0x0000 000001 Data<br />
0x0001<br />
#=2 (log d1) /2 6<br />
・<br />
0x0002<br />
0x0003<br />
・<br />
0x0000<br />
0x0001<br />
0x0002<br />
0x0003<br />
・<br />
000010 Data<br />
...<br />
Compare<br />
#=2 (log d1) /2 6<br />
0x0000<br />
0x0001<br />
0x0002<br />
0x0003<br />
・<br />
000000 Data<br />
0x0000<br />
0x0001<br />
0x0002<br />
0x0003<br />
・<br />
000001 Data<br />
0x0000<br />
0x0001<br />
0x0002<br />
0x0003<br />
・<br />
000010 Data<br />
...<br />
• Our approach requires O( n log n/64 ) ≒ (log d1) log (log d1)/64<br />
• Parallel processi<strong>on</strong> is possible<br />
14<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Target <strong>Elliptic</strong> <strong>Curve</strong> Parameters<br />
•Target: TinyTate library [TinyTate07]<br />
•Pairing-based cryptographic library for embedded devices<br />
• Parameters<br />
•E/GF(p256): y 2 = x 3 + x (Supersingular)<br />
•p256 = 3778160688 9598235856 7455764726 5839472148<br />
1625071533 3029839574 7614203820 7746163 (256-bit)<br />
•#E = 3778160688 9598235856 7455764726 5839472148<br />
1625071533 3029839574 7614203820 7746164 (256-bit)<br />
•r = 1701411885 3107163264 4604909702 696927233 (128-bit)<br />
•d = 1268213655 0675316736 (64-bit) ← Ideal for adversaries<br />
•d1 = 3662760472 (32-bit)<br />
•d2 = 3561198752 (32-bit)<br />
15<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
1 PC is used<br />
16<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Experimental Results: BSGS method<br />
Required Time<br />
Required<br />
Storage Size<br />
Step 1 65.6 hours 246 Gbyte<br />
Step 2 65.8 hours 246 Gbyte<br />
Total 131.4 hours max 246 Gbyte<br />
CPU<br />
Intel® Core i7 2.93 GHz<br />
(4 cores)<br />
OS Ubuntu 10.04<br />
Language<br />
Library<br />
C<br />
GMP<br />
17<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Estimati<strong>on</strong>s: BSGS method<br />
r<br />
DB<br />
Generati<strong>on</strong><br />
Collisi<strong>on</strong><br />
Search<br />
Total<br />
Required<br />
storage<br />
size<br />
128-bit 6 days 17 hours 7 days 288 GB<br />
132-bit 11 days 35 hours 13 days 576 GB<br />
136-bit 22 days 74 hours 25 days 1152 GB<br />
140-bit 45 days 6 days 51 days 2304 GB<br />
• Required times is not problematic when r becomes larger<br />
• However, required storage size will be bey<strong>on</strong>d 2TB if r is 140-<br />
bit<br />
• In such a case, BSGS method will not work<br />
18<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Chapter 2<br />
r<br />
-bit<br />
160-bit<br />
Chapter 4<br />
Chapter 3<br />
128-bit<br />
Chapter 1<br />
Chapter 2<br />
60-bit<br />
Solved by<br />
Jao, Yoshida<br />
[Pairing09]<br />
BSGS<br />
19<br />
r<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
-method <strong>on</strong> Step1<br />
• Step1 of Che<strong>on</strong>’s algorithm<br />
• Find partial soluti<strong>on</strong> k1 such that G d =ζ d<br />
k1<br />
G (, ζ d =ζ d )<br />
• Approach ( Pollard, 1978 [Pollard78])<br />
• Instead of finding k1, find u and v such that ζ du G d = ζ dv G anyway<br />
⇒ since ζ d<br />
k1<br />
G = ζ d<br />
v-u<br />
G, k1 = v-u<br />
• u and v can be probabilistically found by generating ζ di G d and ζ dj G by<br />
random-walk (RW) functi<strong>on</strong> F<br />
• F: ζ d<br />
i+1<br />
P =F(ζ di P )<br />
• Notice<br />
• a collisi<strong>on</strong> such thatζ d<br />
i1<br />
G d =ζ d<br />
i2<br />
G d or ζ d<br />
j1<br />
G =ζ d<br />
j2<br />
G can not find u and v<br />
• In ECDLP, such a collisi<strong>on</strong> can find the soluti<strong>on</strong>s<br />
• Complexity (based <strong>on</strong> the birthday paradox)<br />
• Time complexity: 2√pd<br />
Space Complexity: √pd<br />
20<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Applying ρ-method <strong>on</strong> Step 1<br />
• For obtaining k1 , step1 finds u and v such that ζ du G d = ζ dv G<br />
• From an initial point G d , pointsζ du G d are randomly generated<br />
by using the random-walk functi<strong>on</strong> F(G d )<br />
G d<br />
21<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Applying ρ-method <strong>on</strong> Step 1 (c<strong>on</strong>t’d)<br />
• For obtaining k1, step1 finds u and v such that ζ du G d = ζ dv G<br />
• Similarly, from an initial point G, points are ζ dj G randomly<br />
generated by using the random-walk functi<strong>on</strong> F(G)<br />
G<br />
22<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Applying ρ-method <strong>on</strong> Step 1 (c<strong>on</strong>t’d)<br />
• If we find collided points such that ζ du G d = ζ dv G in blue points<br />
and red points, the partial soluti<strong>on</strong> value k1=v-u is obtained<br />
G d<br />
collisi<strong>on</strong>!!<br />
G<br />
k1<br />
23<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Distinguished element technique<br />
• Idea<br />
• Only store distinguished element in DB<br />
• Distinguished element : the x coordinates is divisible by a certain integer q<br />
• Space complexity can be reduced to (√pd/2)/q<br />
• There exists collisi<strong>on</strong>s <strong>on</strong> distinguished elements<br />
G d<br />
collisi<strong>on</strong>!!<br />
G<br />
k1<br />
24<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Problems in ρ-method<br />
• Problem1: RW functi<strong>on</strong> F(G d ) outputs same points in DB for G d<br />
• Problem2: RW functi<strong>on</strong> F(G d ) does not output next points<br />
• These problems also exist in RW functi<strong>on</strong> F(G)<br />
G d<br />
Since the number of points does not increase<br />
we can not find a collisi<strong>on</strong><br />
collisi<strong>on</strong>!!<br />
G<br />
k1<br />
25<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Causes of Problems<br />
• Since RW functi<strong>on</strong> randomly generates points, a collisi<strong>on</strong> is<br />
occurred in points generated by G d<br />
• Problem1: a collisi<strong>on</strong> occurred in distinguished elements generated by G d<br />
• Problem2: a collisi<strong>on</strong> occurred in undistinguished elements generated by G d<br />
• This collisi<strong>on</strong> is called fruitless cycle<br />
G d<br />
We can not find a collisi<strong>on</strong><br />
collisi<strong>on</strong>!!<br />
G<br />
collisi<strong>on</strong>!!<br />
k1<br />
26<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Required features for r-method<br />
If a collisi<strong>on</strong> in points by G d is detected, reset the initial point<br />
• How to detect<br />
• Problem1:<br />
• If RW functi<strong>on</strong> F(G d ) outputs same point, a collisi<strong>on</strong> in distinguished elements by<br />
G d can be detected<br />
• Problem2<br />
• If RW functi<strong>on</strong> F(G d ) does not output in some intervals, fruitless cycle can be<br />
detected<br />
27<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Target <strong>Elliptic</strong> <strong>Curve</strong> Parameters<br />
•Target: TinyTate library [TinyTate07]<br />
•Pairing-based cryptographic library for embedded devices<br />
•Parameters<br />
•E/GF(p256): y 2 = x 3 + x (Supersingular)<br />
•p256 = 3778160688 9598235856 7455764726 5839472148<br />
1625071533 3029839574 7614203820 7746163 (256-bit)<br />
•#E = 3778160688 9598235856 7455764726 5839472148<br />
1625071533 3029839574 7614203820 7746164 (256-bit)<br />
•r = 1701411885 3107163264 4604909702 696927233 (128-bit)<br />
•d = 1268213655 0675316736 (64-bit) ← Ideal for adversaries<br />
•q = 2 18<br />
Same as 1st experiment<br />
28<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Experimental Results: ρ-method<br />
Required Time<br />
(single core)<br />
Required<br />
Storage Size<br />
Step 1 68.2 hours 0.5 Mbyte<br />
Step 2 67.2 hours 0.5 Mbyte<br />
Total 135.4 hours max 0.5 Mbyte<br />
CPU<br />
Intel® Core i7 2.93 GHz<br />
(4 cores)<br />
OS Ubuntu 10.04<br />
Language<br />
Library<br />
C<br />
GMP<br />
29<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Comparis<strong>on</strong> with BSGS method<br />
Required Time of<br />
ρ-method<br />
Required Time of<br />
BSGS method<br />
Step 1 68.2 hours 65.6 hours<br />
Step 2 67.2 hours 65.8 hours<br />
Total 135.4 hours 131.4 hours<br />
Required storage size<br />
of ρ-method<br />
Required storage size<br />
of BSGS method<br />
Step 1 0.5 M byte 246 G byte<br />
Step 2 0.5 M byte 246 G byte<br />
30<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Chapter 3<br />
r<br />
-bit<br />
160-bit<br />
Chapter 4<br />
Chapter 3<br />
128-bit<br />
Chapter 1<br />
Chapter 2<br />
60-bit<br />
Solved by<br />
Jao, Yoshida<br />
[Pairing09]<br />
BSGS<br />
31<br />
r<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Difficulties of solving 160-bit ECDLPwAI<br />
• For solving 160-bit ECDLPwAI, time complexity become too large<br />
• Estimated cost becomes 1,440 days <strong>on</strong> a single core<br />
• Solving system for large scale parameters<br />
• Parallelizati<strong>on</strong><br />
• High scalability<br />
• Many PCs are easily added to the system<br />
32<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Parallelizati<strong>on</strong><br />
G d<br />
G<br />
z d G d<br />
collisi<strong>on</strong>!!<br />
z d G<br />
DB#1<br />
comparing<br />
DB#2<br />
…<br />
…<br />
z ld G d<br />
k1<br />
z ld G<br />
33<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Problem in Parallelizati<strong>on</strong><br />
• Problem: a collisi<strong>on</strong> is occurred in <strong>on</strong>e side of DB<br />
⇒ If detect a collisi<strong>on</strong> in <strong>on</strong>e side of DB, reset the initial points<br />
G d<br />
# of points does not increase<br />
G<br />
collisi<strong>on</strong>!!<br />
We can not find a collisi<strong>on</strong><br />
z d G<br />
z d G d<br />
DB#1<br />
compare<br />
DB#2<br />
…<br />
…<br />
z ld G d<br />
z ld G<br />
34<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Grand Design of the Solving System<br />
Proxy<br />
(Every<strong>on</strong>e can access)<br />
Server<br />
The<br />
Internet<br />
DB<br />
Organizer<br />
DB<br />
Proxy<br />
Laboratory “A"<br />
Proxy<br />
Univ. “B"<br />
Proxy<br />
Cloud Computing<br />
resourses<br />
Clients<br />
…<br />
Clients<br />
…<br />
…<br />
Clients<br />
…<br />
35<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
C<strong>on</strong>structi<strong>on</strong> of the solving system<br />
• Features of solving system<br />
1. Parallelizati<strong>on</strong> of RW functi<strong>on</strong>s is available<br />
2. It is easy to add clients<br />
3. Our system can be used for solving ECDLP<br />
Solving System #1 for "G d for Step 1"<br />
Solving System #2 for "G for Step 1"<br />
Client 1<br />
for G d<br />
Client 1<br />
for G<br />
Client 2<br />
for z d G d<br />
…<br />
Server#1<br />
DB#1<br />
DB<br />
Matching<br />
Tool<br />
DB#2<br />
Server#2<br />
Client 2<br />
for z d G<br />
Client N<br />
for z Nd G d<br />
Client N<br />
for z Nd G<br />
Collided Points<br />
36<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Target <strong>Elliptic</strong> <strong>Curve</strong> Parameters<br />
•BN(Barreto-Naehrig) curve [BN05]<br />
•Ordinary pairing-friendly elliptic curve<br />
•G: 160-bit prime order r<br />
• r = 146150162449679026514544738099497<br />
1188499300027613<br />
•d = 2×3×12132793×135993458106516349 (84-bit)<br />
•(r-1)/d =2×164442871007×448873741399 (77-bit)<br />
37<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Our System for Solving ECDLPwAI<br />
• Although any computing resources can be joined to the system,<br />
but we <strong>on</strong>ly used our PCs<br />
38<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Experimental Result<br />
• We have successfully solved ECDLPwAI <strong>on</strong> an elliptic curve with<br />
160-bit in 25 days ( 1,314 core days )<br />
Step CPU(Hz)<br />
# of # of Time core<br />
PCs cores [days] ×days<br />
1 Q9450 (2.66GHz) 8 32 7 224<br />
Q9450 (2.66GHz) 8 32 18 576<br />
Q9450 (3.00GHz) 8 32 13 416<br />
X3460 (2.80GHz) 10 80 1 80<br />
2<br />
Pentium D<br />
9 18 1 18<br />
(3.40GHz)<br />
subtotal max 162 1090<br />
Total 1314<br />
*Hyper-Threading is used<br />
39<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Chapter 4<br />
r<br />
-bit<br />
160-bit<br />
Chapter 4<br />
Chapter 3<br />
128-bit<br />
Chapter 1<br />
Chapter 2<br />
60-bit<br />
Solved by<br />
Jao, Yoshida<br />
[Pairing09]<br />
BSGS<br />
40<br />
r<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
M<strong>on</strong>etary Cost Estimati<strong>on</strong><br />
• Cost for solving ECDLPwAI of 160-bit is 1,314 core×days<br />
⇒ $2,810 in Amaz<strong>on</strong> EC2<br />
• If we can invest $1,000,000<br />
⇒ ECDLPwAI of 204 bit order is solved<br />
In PKC2012,<br />
it was estimated to 192-bit<br />
Amaz<strong>on</strong> EC2 becomes cheaper :-)<br />
41<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
If we can use super computer K …<br />
160-bit ECDLPwAI ⇒ 1 minutes !!<br />
42<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Impact <strong>on</strong> cryptographic schemes<br />
• B<strong>on</strong>eh, Gentry, and Waters’ Broadcast Encrypti<strong>on</strong> Scheme<br />
[BGW05]<br />
• The security of this scheme is assured by the infeasibility of L-BDHE problem<br />
• Key C<strong>on</strong>structi<strong>on</strong><br />
• Secret key:<br />
x ∈Z/rZ is a random number<br />
• Public key:<br />
ECDLPwAI<br />
pk = ( G, xG, …, x L G, x L+2 G, …, x 2L G, V ) (L : # of receiver)<br />
• Applying Che<strong>on</strong>’s algorithm<br />
• If d ≦ 2L, Che<strong>on</strong>’s algorithm can be applied to L-BDHE problem<br />
43<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
160-bit curve case<br />
log 2 d<br />
80<br />
# of receiver should be<br />
chosen smaller than 2 80<br />
Solvable range<br />
within $2,810<br />
Solved<br />
40<br />
6<br />
Selectable range<br />
of parameter d<br />
0 log 2 r<br />
80 160<br />
44<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
160-bit curve case<br />
log 2 d<br />
102<br />
80<br />
58<br />
# of receiver should be<br />
chosen smaller than 2 58<br />
Solvable range<br />
within $2,810<br />
Solvable range<br />
within $1,000,000<br />
Solved<br />
40<br />
6<br />
Selectable range<br />
of parameter d<br />
0 log 2 r<br />
80 160 204<br />
45<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Feedback to protocol with static DH Oracle<br />
• E.g: 160-bit elliptic curve<br />
• Since our system is available for Che<strong>on</strong>’s algorithm whose complexity is 2 41 ,<br />
the number of oracle calls becomes 2 80<br />
• It is difficult to execute 2 80 oracle calls<br />
G, xG<br />
P<br />
2 80 Oracle Calls<br />
G, xG, x d G<br />
Che<strong>on</strong>’s algorithm<br />
2 40 +2 40<br />
xP<br />
Static DH<br />
Oracle<br />
x<br />
46<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Feedback to protocol with static DH Oracle<br />
• E.g: 160-bit elliptic curve<br />
• Che<strong>on</strong>’s algorithm whose complexity is 2 51 can be executed with $1,000,000<br />
• The number of queries can be reduced to d=2 58<br />
G, xG<br />
P<br />
2 58 Oracle Calls<br />
G, xG, x d G<br />
Che<strong>on</strong>’s algorithm<br />
2 19 +2 51<br />
xP<br />
Static DH<br />
Oracle<br />
In this framework, the 160-bit ECDLP<br />
could be solved<br />
in the not-so distant future<br />
x<br />
47<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Summary of Our Project<br />
Yao-Yoshida<br />
[Pairing 09]<br />
Char<br />
Size of r<br />
BSGS<br />
(1 core)<br />
ρ<br />
(1 core)<br />
p 60-bit - 3 hours<br />
Izu-Takenaka-Yasuda<br />
[WAIS 10/AINA 11]<br />
3 83-bit 14 hours 11.5 hours<br />
S-Izu-Takenaka-Yasuda<br />
[WISTP 11/WISA11]<br />
p 128-bit 131.4 hours 135.4 hours<br />
S-Hanaoka-Izu-<br />
Takenaka-Yasuda<br />
[PKC 12]<br />
p 160-bit -<br />
1314 days<br />
(25 actual<br />
days )<br />
48<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
Future Works<br />
• Compare the fruitless cycles of r-method for ECDLP and that for ECDLPwAI<br />
• Evaluate securities of pairing-based cryptographies with other mathematical<br />
problems experimentally<br />
CDHP<br />
BDHP<br />
DDHP<br />
DHBDHP<br />
L-BDHEP<br />
SDDHIP<br />
L-BDEP<br />
L-BDHIP<br />
DHIP<br />
L-SFP<br />
SXDHP<br />
L-sSDHP<br />
WDHP<br />
L-SDHP<br />
DLINP<br />
• Brake the record for solving ECDLP by using our solving system<br />
49<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
50<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
References<br />
[BN05] P. Barreto and M. Naehrig, “Pairing-friendly <strong>Elliptic</strong> <strong>Curve</strong>s of Prime Order”,<br />
SAC 2005, LNCS 3897, pp. 319-331, Springer, 2006.<br />
[BF01]<br />
D. B<strong>on</strong>eh and M. Franklin, “Identity-based Encrypti<strong>on</strong> from the Weil Pairing”,<br />
CRYPTO 2001, LNCS 2139, pp. 213-229, Springer, 2001.<br />
[BGW05] D. B<strong>on</strong>eh, C. Gentry, and B. Waters, “Collusi<strong>on</strong> Resistant Broadcast Encrypti<strong>on</strong><br />
with Short Ciphertext and Private Keys”, CRYPTO 2005, LNCS 3621, pp. 258-<br />
275, Springer, 2005.<br />
[ElGamal84] T. El-Gamal, “ A public-key cryptosystem and a signature scheme based <strong>on</strong><br />
discrete logarithms”,CRYPTO 1984, LNCS196, Springer-Verlag, pp. 10-18,<br />
1985.<br />
[FK00]<br />
W. Ford and B. Kaliski, “Server-assisted generati<strong>on</strong> of a str<strong>on</strong>g secret from a<br />
password”, Nineth internati<strong>on</strong>al <str<strong>on</strong>g>workshop</str<strong>on</strong>g> <strong>on</strong> enabling technologies - wet ice<br />
2000, IEEE Press, 2000.<br />
[EUROCRYPT06] J.H. Che<strong>on</strong>, “Security Analysis of Str<strong>on</strong>g Diffie-Hellman Problem”,<br />
EUROCRYPT 2006, LNCS 4004, pp. 1-11, Springer, 2006.<br />
[AINA11] T. Izu, M. Takenaka, and M. Yasuda, “Experimental Analysis of Che<strong>on</strong>’s<br />
Algorithm against Pairing-Friendly <strong>Curve</strong>s”, AINA 2011, pp. 90-96, IEEE<br />
Computer Science, 2011.<br />
51<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
References<br />
[WAIS10] T. Izu, M. Takenaka, and M. Yasuda, “Experimental Results <strong>on</strong> Che<strong>on</strong>’s<br />
Algorithm”, WAIS 2010, pp. 625-630 in the proceedings of ARES 2010, IEEE<br />
Computer Science, 2010.<br />
[Pairing09] D. Jao and K Yoshida, “B<strong>on</strong>eh-Boyen Signatures and the Str<strong>on</strong>g<br />
Diffie-Hellman Problem”, Pairing 2009, LNCS 5671, pp. 1-16, Springer, 2009.<br />
[KKM07] S. Kozaki, T. Kutsuma, and K. Matsuo, “Remarks <strong>on</strong> Che<strong>on</strong>’s Algorithms for<br />
Pairing-related Problems”, Pairing 2007, LNCS 4575, pp. 302-316, Springer,<br />
2007.<br />
[TinyTate07] L. Oliveira, J. Lopez, and R. Dahab, “TinyTate: Identity-Based Encrypti<strong>on</strong><br />
for Sensor Networks”, IACR Cryptology ePrint Archive, Report 2007/020, 2007.<br />
[Pollard78] J. Pollard, “M<strong>on</strong>te Carlo Methods for Index Computati<strong>on</strong> (mod p)”, Math.<br />
Comp., vol. 32, pp. 918-924, 1978.<br />
[PKC12] Y. Sakemi, G. Hanaoka, T. Izu, M. Takenaka, and M. Yasuda, “Solving a discrete<br />
logarithm problem with auxiliary input <strong>on</strong> a 160-bit elliptic curve”, PKC 2012,<br />
LNCS 7293 pp. 595-608, Springer, 2012.<br />
[WISA11] Y. Sakemi, T. Izu, M. Takenaka, and M. Yasuda, “Solving a DLP with Auxiliary<br />
Input with the -algorithm”, WISA 2011, LNCS 7115, pp. 98-107, Springer, 2012.<br />
[WISTP11] Y. Sakemi, T. Izu, M. Takenaka, and M. Yasuda, “Solving DLP with Auxiliary<br />
Input over an <strong>Elliptic</strong> <strong>Curve</strong> Used in TinyTate Library”, WISTP 2011, LNCS 6633,<br />
pp. 116-127, Springer, 2011.<br />
52<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.
References<br />
[Shanks71] D. Shanks, “Class Number, a Theory of Factorizati<strong>on</strong>, and Genera”, Proc. of<br />
Symp. Math. Soc., vol. 20, pp. 41-440, 1971.<br />
53<br />
Copyright 2012 FUJITSU LABORATORIES Ltd.