lecture 2

Discrete Logarithm
In this section we will see several methods to attack the discrete logarithm problem.
Index Calculus. We want to solve $y = b^x \pmod p$. Select a basis $B = \{2, 3, \dots, p_n\}$ of small primes. At random we get
$b^{x_1} = \prod_i p_i^{a_{i,1}} \pmod p, \;\dots,\; b^{x_n} = \prod_i p_i^{a_{i,n}} \pmod p$, all $B$-smooth.
Solve (mod $p - 1$)
$x_1 = \sum_{i=1}^n a_{i,1} \log_b(p_i)$
...
$x_n = \sum_{i=1}^n a_{i,n} \log_b(p_i)$
Find $l$ such that $b^l y = \prod_i p_i^{b_i}$ is $B$-smooth.
$\log_b y = \sum_i b_i \log_b(p_i) - l$
Example: $p = 1217$, $b = 3$. Solve $3^x \equiv 37 \pmod p$.
Select $B = \{2, 3, 5, 7, 11, 13\}$.
$3^{1} \equiv 3 \pmod p$
$3^{24} \equiv -2^2 \cdot 7 \cdot 13 \pmod p$
$3^{25} \equiv 5^3 \pmod p$
$3^{30} \equiv -2 \cdot 5^2 \pmod p$
$3^{54} \equiv -5 \cdot 11 \pmod p$
$3^{87} \equiv 13 \pmod p$
$\log_3(-1) = 608$, $\log_3(2) = 216$, $\log_3(3) = 1$,
$\log_3(5) = 819$, $\log_3(7) = 113$, $\log_3(11) = 1059$, $\log_3(13) = 87$
$3^{16} \cdot 37 \equiv 2^3 \cdot 7 \cdot 11 \pmod p$.
Hence, $3^{588} \equiv 37 \pmod p$.
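The relation-collection stage and the final stage of the example above, as an added example that is not the lecture's own code. It reuses the slide's $p = 1217$, $b = 3$, $y = 37$ and the factor-base logarithms the slide computed (the linear-algebra stage that produces them is not repeated), and it handles the slide's signed residues by also trying $p - v$ with a factor $-1$.

```python
P, B_GEN, Y = 1217, 3, 37
BASE = [2, 3, 5, 7, 11, 13]
# log_3 of -1 and of every prime in B, as given on the slide
LOGS = {-1: 608, 2: 216, 3: 1, 5: 819, 7: 113, 11: 1059, 13: 87}


def smooth_factor(v, p=P, base=BASE):
    """Factor v mod p over BASE together with -1.

    The slide uses signed residues (3^24 = -2^2·7·13), so the residue v
    and its negative p - v (carrying a factor -1) are both tried.
    Returns {prime: exponent}, or None if neither is B-smooth."""
    for sign, r in ((1, v % p), (-1, (-v) % p)):
        exps, rest = {}, r
        for q in base:
            while rest % q == 0:
                rest //= q
                exps[q] = exps.get(q, 0) + 1
        if rest == 1:
            if sign == -1:
                exps[-1] = 1
            return exps
    return None


def collect_relations(limit, b=B_GEN, p=P):
    """Stage 1: exponents e <= limit for which b^e mod p is B-smooth.

    Each relation e = sum_i a_i log_b(p_i) (mod p - 1) is one row of the
    linear system the slide solves for the logarithms of the base."""
    relations = {}
    for e in range(1, limit + 1):
        f = smooth_factor(pow(b, e, p), p)
        if f is not None:
            relations[e] = f
    return relations


def index_calculus_log(y, logs=LOGS, b=B_GEN, p=P):
    """Final stage: find l with b^l·y B-smooth, then
    log_b y = sum_i b_i log_b(p_i) - l (mod p - 1). Returns (log, l)."""
    for l in range(p - 1):
        f = smooth_factor(pow(b, l, p) * y % p, p)
        if f is not None:
            x = (sum(e * logs[q] for q, e in f.items()) - l) % (p - 1)
            return x, l
    raise ValueError("no B-smooth multiple of y found")
```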
Remarks.
$B$ can be neither too big nor too small.
The expected time is $\exp(\sqrt{2 \log p \log\log p})$. Exponential algorithms are $\sqrt{p} = \exp(\tfrac{1}{2} \log p)$.
Index Calculus over finite fields $\mathbb{F}_q$, $q = p^n$, $p$ small, $n$ large.
Given $b$, a generator of $\mathbb{F}_q^*$, and $y \in \mathbb{F}_q^*$, solve $b^x = y$.
$\mathbb{F}_q = \mathbb{F}_p[x]/f(x)$, $\deg f(x) = n$, $f$ irreducible.
The elements are polynomials $p \in \mathbb{F}_p[x]$ of degree less than $n$.
Note that $b' = b^{(q-1)/(p-1)}$ is a generator of $\mathbb{F}_p^*$.
$B = \{$monic irreducible polynomials of degree up to $m\} = \{p_1, \dots, p_k\}$.
Choose integers $t_i$ and compute $b^{t_i} = c_i = \prod_j p_j^{a_{i,j}}$, keeping those $c_i$ that are $B$-smooth.
Factor $c_i$ by repeatedly dividing by the elements of $B$, or by another method (Berlekamp's algorithm).
$t_i = \sum_j a_{i,j} \log(p_j)$
Select $t$ so that $b^t y = \prod_i p_i^{c_i}$ is $B$-smooth, and solve the logarithm by $\log(y) = \sum_i c_i \log(p_i) - t$. For $m$ prime there are $k = (p^m - p)/m$ irreducible polynomials of degree $m$. The choice of $m$ depends on $p$ and $n$. For $p = 2$, $n = 127$, we get $m = 17$ and $k = 16510$. Note that $2^{127} - 1$ is a Mersenne prime.
For $q = p^n$ of $k$ bits the problem is expected to be as difficult as factoring a $k$-bit number. Coppersmith invented a faster algorithm for $p = 2$ and, today, it seems to be polynomial for small characteristic.
general attacks
The previous attacks work whenever we have a convenient basis $B$. Every integer can be factored as a product of primes. Now, we work in a group of order $N$, and we want to find $1 < x < N - 1$ from the equation $y = xb$, knowing $y$ and $b$.
Baby step Giant step.
Take $m > \sqrt{N}$ and compute all the multiples $y_j = jb$ for $0 \le j \le m$ and store them in $D$. (Baby steps)
Now compute $Y_k = y - kmb$ for $0 \le k \le m$. (Giant steps)
When $Y_k = y_j \in D$, $x = j + mk$.
We do not need to know $N$, but only an upper bound.
It runs in $\sqrt{N}$ steps and needs $\sqrt{N}$ storage.
Example: Take the elliptic curve $y^2 = x^3 + 2x + 1$ over $\mathbb{F}_{41}$ and $P = (0, 1)$, $Q = (30, 40)$.
The order is at most 56, so we take $m = 8$.
We store $\{(0, 1), (1, 39), (8, 23), (38, 38), (23, 23), (20, 28), (26, 9)\}$ and compute $Q - 8jP$ to find that $Q - 16P = (26, 9)$.
We conclude that $Q = 23P$.
Baby step Giant step can be used to find the order of a point $P$ on an elliptic curve over $\mathbb{F}_q$.
Select $m > q^{1/4}$ and let $Q = (q + 1)P$.
Store the points $P_j = jP$ for $0 \le j \le m$.
Compute the points $Q_k = Q - 2mkP$ for $-m \le k \le m$ and stop when $Q_k = \pm P_j$. A match exists (by Hasse's bound) by writing the difference in base $2m$.
Then $MP = \infty$ for $M = q + 1 - 2mk \mp j$. Factor $M = \prod p_i$. If $(M/p_i)P = \infty$, replace $M$ by $M/p_i$. Repeat until $(M/p_i)P \ne \infty$ for all $i$. Then $M$ is the order. (The order of $P$ divides $M$, so $M = (M/d) \cdot d$.)
Example: $y^2 = x^3 - 10x + 21$ over $\mathbb{F}_{557}$, and $P = (2, 3)$.
$Q = 558P = (418, 33)$, $m = 5$.
We store $\{(2, 3), (58, 164), (44, 294), (56, 339), (132, 364)\}$ and compute $Q + 10P = (2, 3)$. Hence, the order of $P$ divides $558 + 9 = 567 = 3^4 \cdot 7$.
$(567/3)P = 189P = \infty$ but $63P = (38, 535)$ and $27P = (136, 360)$.
The order of the point is 189.
Note that $|E(\mathbb{F}_{557})| = 567$.
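The two procedures above, baby-step giant-step for $Q = xP$ (the $\mathbb{F}_{41}$ example) and the order search for a point (the $\mathbb{F}_{557}$ example), as one added example that is not the lecture's own code. It assumes affine short-Weierstrass arithmetic $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$ with `None` standing for the point at infinity; the curve coefficient $b$ is never needed by the formulas, so it is not passed around.

```python
from math import isqrt

def ec_add(P1, P2, a, p):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b; None is O."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                              # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_neg(P, p):
    return None if P is None else (P[0], (-P[1]) % p)

def ec_mul(k, P, a, p):
    if k < 0:                                    # k·P = (-k)·(-P)
        k, P = -k, ec_neg(P, p)
    R = None
    while k:                                     # double-and-add
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def bsgs(P, Q, a, p, bound):
    """Solve Q = xP from an upper bound on ord(P); x = j + mk at a hit."""
    m = isqrt(bound) + 1                         # m > sqrt(bound)
    D, R = {}, None
    for j in range(m + 1):                       # baby steps jP -> j
        D.setdefault(R, j)
        R = ec_add(R, P, a, p)
    minus_mP, Y = ec_mul(-m, P, a, p), Q
    for k in range(m + 1):                       # giant steps Q - kmP
        if Y in D:
            return D[Y] + m * k
        Y = ec_add(Y, minus_mP, a, p)
    return None

def point_order(P, a, p):
    """ord(P): find M = p+1-2mk∓j with MP = O, then strip primes of M."""
    m = isqrt(isqrt(p)) + 1                      # m > p^(1/4)
    baby, R = {}, None                           # ±jP -> ±j
    for j in range(m + 1):
        baby.setdefault(R, j)
        baby.setdefault(ec_neg(R, p), -j)
        R = ec_add(R, P, a, p)
    Q = ec_mul(p + 1, P, a, p)
    for k in range(-m, m + 1):
        Qk = ec_add(Q, ec_mul(-2 * m * k, P, a, p), a, p)
        if Qk in baby:                           # (p+1-2mk ∓ j)P = O
            M = p + 1 - 2 * m * k - baby[Qk]
            break
    n, q, primes = M, 2, []                      # trial-divide M
    while q * q <= n:
        while n % q == 0:
            primes.append(q)
            n //= q
        q += 1
    primes += [n] if n > 1 else []
    for q in primes:                             # keep M minimal with MP = O
        if ec_mul(M // q, P, a, p) is None:
            M //= q
    return M
```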
Pollard's ρ method.
Improves the storage.
To solve $Q = xP$, take a function $f$ that behaves randomly. Consider a random element $P_0$ of the group and let $P_{i+1} = f(P_i)$.
In less than $\sqrt{N}$ steps there will be a match $f(P_{j_0}) = f(P_{i_0})$. Then $f(P_{j_0+1}) = f(P_{i_0+1})$.
If $j_0 - i_0 = d$, then $f(P_j) = f(P_i)$ for all $j - i = d$ (with $i \ge i_0$). Hence, we just look for $f(P_{2i}) = f(P_i)$, without storage. Notice that $P_{2(i+1)} = f(f(P_{2i}))$.
What do we do with the match?
Take a small integer $s$, e.g. $s = 20$. Divide the group into $s$ sets $G_1, \dots, G_s$. Choose $2s$ random integers $a_i, b_i$ and let $M_i = a_iP + b_iQ$, and $f(R) = R + M_i$ for $R \in G_i$.
$f(P_i) = u_iP + v_iQ$ is a linear combination of $P$ and $Q$. So, when there is a match, $(u_j - u_i)P = (v_i - v_j)Q$. We have
$x \equiv \dfrac{u_j - u_i}{v_i - v_j} \pmod{N/d}$, where $d = (v_i - v_j, N)$.
If $N$ is prime, $d = 1$, or the match is trivial and we start again.
Example:
$y^2 = x^3 + x + 1$, $s = 3$, $P = (0, 1)$, $Q = (413, 959)$.
$\mathrm{ord}(P) = 1067$. We want to solve $Q = xP$.
$P_0 = 3P + 5Q$, $M_0 = 4P + 3Q$, $M_1 = 9P + 17Q$, $M_2 = 19P + 6Q$.
Take $f((R_1, R_2)) = R + M_i$ if $R_1 \equiv i \pmod 3$.
Note that if $f(P_i) = \infty$, then $u_iP = -v_iQ$.
$P_1 = (727, 589)$, $P_2 = (560, 365)$, $P_3 = (1070, 260)$, $P_4 = (473, 903)$, $P_5 = (1006, 951)$, $\dots$, $P_{58} = (1006, 951)$. We compute the coefficients to find $P_5 = 88P + 46Q = 685P + 620Q = P_{58}$. Hence, $597P + 574Q = \infty$. $1067 = 11 \cdot 97$, $574 = 2 \cdot 7 \cdot 41$, so $x \equiv -597 \cdot 574^{-1} \pmod{1067} = 499$.
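Pollard's ρ with the additive walk just described, as an added example that is not the lecture's own code. It is written for the subgroup generated by $b$ in $\mathbb{F}_p^*$ (multiplicatively: $M_i = b^{a_i} y^{b_i}$, $f(R) = R \cdot M_i$ with $i = R \bmod s$), uses Floyd's $P_i$ versus $P_{2i}$ comparison so nothing is stored, and when $d = (v_i - v_j, N) > 1$ it tries the $d$ lifts of $x \bmod N/d$ instead of restarting. The class assignment by $R \bmod s$, the default $s = 20$ and the fixed seed are assumptions of this example.

```python
import random
from math import gcd

def pollard_rho_log(b, y, p, N, s=20, seed=1):
    """x with b^x ≡ y (mod p), where ord(b) = N.

    Every walk point R carries (u, v) with R = b^u·y^v, so a collision
    R_i = R_j gives x·(v_i - v_j) ≡ u_j - u_i (mod N)."""
    rng = random.Random(seed)
    while True:
        ab = [(rng.randrange(N), rng.randrange(N)) for _ in range(s)]
        mult = [pow(b, ai, p) * pow(y, bi, p) % p for ai, bi in ab]

        def f(R, u, v):
            i = R % s                             # which class G_i R lies in
            return R * mult[i] % p, (u + ab[i][0]) % N, (v + ab[i][1]) % N

        u0, v0 = rng.randrange(N), rng.randrange(N)
        R0 = pow(b, u0, p) * pow(y, v0, p) % p    # P_0 = u0·P + v0·Q
        slow = fast = (R0, u0, v0)
        while True:
            slow = f(*slow)                       # P_{i+1}
            fast = f(*f(*fast))                   # P_{2(i+1)} = f(f(P_{2i}))
            if slow[0] == fast[0]:
                break
        (_, ui, vi), (_, uj, vj) = slow, fast
        du, dv = (uj - ui) % N, (vi - vj) % N     # x·dv ≡ du (mod N)
        d = gcd(dv, N)
        if d == N:                                # trivial match: start again
            continue
        x0 = (du // d) * pow(dv // d, -1, N // d) % (N // d)
        for t in range(d):                        # lift from mod N/d to mod N
            x = x0 + t * (N // d)
            if pow(b, x, p) == y:
                return x
```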
Silver-Pohlig-Hellman method: Suppose that $N$ is a product of small prime factors. From $y = xb$ we will find $x$ modulo each prime-power factor $p^e$ of $N$, for every prime $p \mid N$.
Write $x = \sum_i x_i p^i$. Compute $\{r_{j,p} = j \frac{N}{p} b\}$ for $0 \le j \le p - 1$. Then $\frac{N}{p} y = r_{x_0,p}$. Let $y_1 = y - x_0 b$; then $\frac{N}{p^2} y_1 = r_{x_1,p}$. Continue inductively.
Only for small prime factors.
Example: Find $\log_2 28$ in $\mathbb{F}_{37}^*$.
$36 = 2^2 \cdot 3^2$, $\{r_{j,2}\} = \{1, -1\}$, $\{r_{j,3}\} = \{1, 26, 10\}$.
$28^{36/2} \equiv 1 \pmod{37}$ and $28^{36/4} \equiv -1 \pmod{37}$, so $x \equiv 2 \pmod 4$.
$28^{36/3} \equiv 26 \pmod{37}$ and $(28/2)^{36/9} \equiv 10 \pmod{37}$, so $x \equiv 7 \pmod 9$.
Hence, $x \equiv 34 \pmod{36}$ and $2^{34} \equiv 28 \pmod{37}$.
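The Silver-Pohlig-Hellman procedure in $\mathbb{F}_p^*$, as an added example that is not the lecture's own code: the digit-by-digit recovery of $x \bmod p^e$ from the table $r_{j,p}$, followed by the Chinese remainder theorem. It is checked on the slide's $\log_2 28$ in $\mathbb{F}_{37}^*$ and on the earlier $3^x \equiv 37 \pmod{1217}$; the group order $N$ is passed in (assumed known, as on the slide).

```python
def factor(n):
    """Prime factorisation {prime: exponent} by trial division."""
    f, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            f[q] = f.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def log_mod_prime_power(b, y, p, N, q, e):
    """x mod q^e with b^x = y in F_p^*, ord(b) = N, using r_{j,q} = b^{jN/q}."""
    table = {pow(b, j * (N // q), p): j for j in range(q)}
    x, yk, qk = 0, y, 1                      # yk = y_k, qk = q^k
    for _ in range(e):
        # (N / q^{k+1})·y_k equals r_{x_k, q}; that selects the digit x_k
        xk = table[pow(yk, N // (q * qk), p)]
        x += xk * qk
        yk = yk * pow(b, -xk * qk, p) % p    # y_{k+1} = y_k - x_k q^k b
        qk *= q
    return x

def crt(residues):
    """Combine {modulus: residue} with pairwise coprime moduli."""
    x, M = 0, 1
    for m, r in residues.items():
        t = ((r - x) * pow(M, -1, m)) % m
        x, M = x + M * t, M * m
    return x % M

def pohlig_hellman(b, y, p, N):
    """Discrete logarithm of y to base b in F_p^*, where ord(b) = N."""
    parts = {q ** e: log_mod_prime_power(b, y, p, N, q, e)
             for q, e in factor(N).items()}
    return crt(parts)
```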
Example: Consider $y^2 = x^3 + 1$ over $\mathbb{F}_{599}$ and let $P = (60, 19)$, $Q = (277, 239)$. We compute the order by the previous method, to obtain $\mathrm{ord}(P) = 600 = 2^3 \cdot 3 \cdot 5^2$. We want to solve the equation $Q = xP$.
$x \pmod 8$: the list is $\{O, (598, 0)\}$. On the other hand, $300Q = \infty$, so $x_0 = 0$ and $Q_1 = Q$.
$150Q_1 = (598, 0)$, so $x_1 = 1$ and $Q_2 = Q_1 - 1 \cdot 2 \cdot P = (35, 243)$.
$75Q_2 = \infty$, so $x_2 = 0$ and $x \equiv 2 \pmod 8$.
$x \pmod 3$ (the $x$-coordinates of the 3-torsion points are the roots of $3x^4 + 6Ax^2 + 12Bx - A^2$): the list is $\{O, (0, 1), (0, 598)\}$. On the other hand, $200Q = (0, 598)$, so $x_0 = 2$ and $x \equiv 2 \pmod 3$.
$x \pmod{25}$: the list is $\{O, (84, 179), (491, 134), (491, 465), (84, 420)\}$. On the other hand, $120Q = (84, 179)$, so $x_0 = 1$ and $Q_1 = Q - P = (130, 129)$.
$24Q_1 = (491, 465)$, so $x_1 = 3$ and $x \equiv 16 \pmod{25}$.
By the Chinese remainder theorem we get $x = 266$.
MOV attack. We want to solve the discrete logarithm problem on an elliptic curve $E/\mathbb{F}_q$ of characteristic $p$.
It is based on the Weil pairing $e_N(P, Q)$, a primitive $N$-th root of unity if $P, Q$ is a basis of the $N$-torsion, $(N, p) = 1$.
Proposition. Let $E/\mathbb{F}_q$ be supersingular with $a = 0$ (so $|E(\mathbb{F}_q)| = q + 1$), and $N$ a positive integer. If $P \in E[N] \cap E(\mathbb{F}_q)$ then $E[N] \subseteq E(\mathbb{F}_{q^2})$.
Proof. $N \mid q + 1$ and $\phi_q^2 = -q$, so $\phi_q^2(P) = -qP = P$.
Lemma. There exists an $x$ such that $Q = xP$ if and only if $NQ = \infty$ and $e_N(P, Q) = 1$.
Proof. One implication is trivial. For the other, take $R$ such that $\langle P, R \rangle = E[N]$. Then $Q = aP + bR$ and $1 = e_N(Q, P) = \zeta^b$ with $\zeta = e_N(R, P)$. So $N \mid b$ and $x = a$.
MOV attack.
• Choose a random $T \in E(\mathbb{F}_{q^2})$ and compute its order $M$. Then $T_1 = (M/d)T$ has order $d$ for $d = (M, N)$.
• $e_N(Q, T_1) = e_N(P, T_1)^x$. Solve this discrete logarithm in $\mathbb{F}_{q^2}^*$ to obtain $x \pmod d$.
• Repeat until we get $x \pmod N$.