Generic attacks and index calculus. D. J. Bernstein University of Illinois at Chicago

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago

The discrete-logarithm problem Define Ô = 1000003. Easy to prove: Ô is prime. Can we find an integer Ò ¾ 1 2 3 Ô 1 such that 5Ò mod Ô = 262682? Easy to prove: Ò 5Ò mod Ô permutes 1 2 3 Ô 1. So there exists an Ò such that 5Ò mod Ô = 262682. Could find Ò by brute force. Is there a faster way?

Typical cryptanalytic application: Ô Imagine standard = 1000003 in the Diffie-Hellman protocol. User chooses secret key Ò, publishes 5Ò mod Ô = 262682. Can attacker quickly solve the discrete-logarithm problem? 5Ò Given public key mod Ô, quickly find secret key Ò? (Warning: This is one way to attack the protocol. Maybe there are better ways.)

Relations to ECC: 1. Some DL techniques also apply to elliptic-curve DL problems. Use in evaluating security of an elliptic curve. 2. Some techniques don t apply. Use in evaluating advantages of elliptic curves compared to multiplication. 3. Tricky: Some techniques have extra applications to some curves. See Tanja Lange s talk on Weil descent etc.

Understanding brute force Can compute successively 5 1 mod Ô = 5, 5 2 mod Ô = 25, 5 3 mod Ô = 125,, 5 8 mod Ô = 390625, 5 9 mod Ô = 953122,, 5 1000002 mod Ô = 1. At some point we ll find Ò with 5Ò mod Ô = 262682. Maximum cost of computation: Ô 1 mults by 5 mod Ô; Ô 1 nanoseconds on a CPU that does 1 mult/nanosecond.

This is negligible work for Ô 2 20. But users can standardize a larger Ô, making the attack slower. Attack cost scales linearly: 2 50 mults for Ô 2 50, 2 100 mults for Ô 2 100, etc. (Not exactly linearly: cost of mults grows with Ô. But this is a minor effect.)

Computation has a good chance of finishing earlier. Chance scales linearly: 1 2 chance of 1 2 cost; 1 10 chance of 1 10 cost; etc. So users should choose large Ò. That s pointless. We can apply random self-reduction : choose random Ö, say 726379; 5Ö compute mod Ô = 515040; 5Ö Ò compute 5 mod Ô as (5Ò (515040 mod Ô)) mod Ô; compute discrete log; subtract Ö mod Ô 1; obtain Ò.

Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 2 6 e: one chip, 2 10 cores on the chip, each 2 30 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 2 30 e: 2 24 chips, so 2 34 cores, so 2 64 mults/second, so 2 89 mults/year.

Multiple targets and giant steps Computation can be applied to many targets at once. Given 100 DL targets 5Ò 1 mod Ô, 5Ò 2 mod Ô,, 5Ò 100 mod Ô: Can find all of Ò 1 Ò 2 Ò 100 with Ô 1 mults mod Ô. Simplest approach: First build a sorted table containing 5Ò 1 mod Ô,, 5Ò 100 mod Ô. Then check table for 5 1 mod Ô, 5 2 mod Ô, etc.

Interesting consequence #1: Solving all 100 DL problems isn t much harder than solving one DL problem. Interesting consequence #2: Solving at least one out of 100 DL problems is much easier than solving one DL problem. When did this computation find its first Ò? Typically (Ô 1) 100 mults.

Can use random self-reduction to turn a single target into multiple targets. Given 5Ò mod Ô: Choose random Ö 1 Ö 2 Ö 100. Compute 5Ö 1 5Ò mod Ô, 5Ö 2 5Ò mod Ô, etc. Solve these 100 DL problems. Typically (Ô 1) 100 mults to find at least one Ö + Ò mod Ô 1, immediately revealing Ò.

Also spent some mults to compute each 5Ö mod Ô: lgô mults for each. Faster: Choose Ö = Ö 1 with Ö 1 (Ô 1) 100. Compute 5Ö 1 mod Ô; 5Ö 1 5Ò mod Ô; 5 2Ö 15Ò mod Ô; 5 3Ö 15Ò mod Ô; etc. Just 1 mult for each new. 100 + lgô + (Ô 1) 100 mults to find Ò given 5Ò mod Ô.

Faster: Increase 100 to Ô Ô. Only 2 Ô Ô mults to solve one DL problem! Shanks baby-step-giant-step discrete-logarithm algorithm. Example: Ô = 1000003, 5Ò mod Ô = 262682. Compute 5 1024 mod Ô = 58588. Then compute 1000 targets: 5 1024 5Ò mod Ô = 966849, 5 2 1024 5Ò mod Ô = 579277, 5 3 1024 5Ò mod Ô = 579062,, 5 1000 1024 5Ò mod Ô = 321705.

Build a sorted table of targets: 2573 = 5 430 1024 5Ò mod Ô, 3371 = 5 192 1024 5Ò mod Ô, 3593 = 5 626 1024 5Ò mod Ô, 4960 = 5 663 1024 5Ò mod Ô, 5218 = 5 376 1024 5Ò mod Ô,, 999675 = 5 344 1024 5Ò mod Ô. Look up 5 1 mod Ô, 5 2 mod Ô, 5 3 mod Ô, etc. in this table. 5 755 mod Ô = 966603; find 966603 = 5 332 1024 5Ò mod Ô in the table of targets; so 755 = 332 1024+Ò mod Ô 1; deduce Ò = 660789.

Eliminating storage Improved method: Define Ü 0 = 1; Ü +1 = 5Ü mod Ô if Ü ¾ 3Z; Ü +1 = Ü 2 mod Ô if Ü ¾ 2 + 3Z; Ü +1 = 5ÒÜ mod Ô otherwise. Then Ü = 5 Ò+ mod Ô where ( 0 0 ) = (0 0) and ( +1 +1) = ( + 1), or ( +1 +1) = (2 2 ), or ( +1 +1) = ( + 1 ). Search for a collision in Ü : Ü 1 = Ü 2? Ü 2 = Ü 4? Ü 3 = Ü 6? Ü 4 = Ü 8? Ü 5 = Ü 10? etc. Deduce linear equation for Ò.

The Ü s enter a cycle, typically within Ô Ô steps. Example: 1000003, 262682. Modulo 1000003: Ü 1 = 5Ò = 262682. Ü 2 = 5 2Ò = 262682 2 = 626121. Ü 3 = 5 2Ò+1 = 5 626121 = 130596. Ü 4 = 5 2Ò+2 = 5 130596 = 652980. Ü 5 = 5 2Ò+3 = 5 652980 = 264891. Ü 6 = 5 2Ò+4 = 5 264891 = 324452. Ü 7 = 5 4Ò+8 = 324452 2 = 784500. Ü 8 = 5 4Ò+9 = 5 784500 = 922491. etc.

Ü 1785 = 5 249847Ò+759123 = 555013. Ü 3570 = 5 388795Ò+632781 = 555013. (Cycle length is 357.) Conclude that 249847Ò + 759123 388795Ò + 632781 (mod Ô 1), so Ò 160788 (mod (Ô 1) 6). Only 6 possible Ò s. Try each of them. Find that 5Ò mod Ô = 262682 for Ò = 160788 + 3(Ô 1) 6, i.e., for Ò = 660789.

This is Pollard s rho method. Optimized: Ô Ô mults. Another method, similar speed: Pollard s kangaroo method. Can parallelize both methods. van Oorschot/Wiener parallel DL using distinguished points. Bottom line: With mults, distributed across many cores, have chance 2 Ô of finding Ò from 5Ò mod Ô. With 2 90 mults (a few years?), have chance 2 180 Ô. Negligible if, e.g., Ô 2 256.

Factors of the group order Assume 5 has order. Given Ü, a power of 5: 5 has order, and Ü is a power of 5. Compute = log 5 Ü. 5 has order, and Ü 5 is a power of 5. Compute Ñ = log 5 (Ü 5 ). Then Ü = 5 +Ñ.

This Pohlig-Hellman method converts an order- DL into an order- DL, an order- DL, and a few exponentiations. e.g. Ô = 1000003, Ü = 262682: Ô 1 = 6 where = 166667. Compute log 5 6(Ü 6 ) = 160788. Compute Ü 5 160788 = 1000002. Compute log 5 1000002 = 3. Then Ü = 5 160788+3 = 5 660789. Use rho: Ô + Ô mults. Better if factors further: apply Pohlig-Hellman recursively.

All of the techniques so far apply to elliptic curves. An elliptic curve over FÕ has Õ + 1 points so can compute ECDL using Ô Õ elliptic-curve adds. Need quite large Õ. If largest prime divisor of number of points is much smaller than Õ then Pohlig-Hellman method computes ECDL more quickly. Need larger Õ; or change choice of curve.

Index calculus Have generated many group elements 5 Ò+ mod Ô. Deduced equations for Ò from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for Ô = 1000003: Can completely factor 3 (Ô 3) as 3 1 2 6 5 6 in Q so 3 1 2 6 5 6 (mod Ô) so log 5 ( 1) + log 5 3 6 log 5 2 + 6 log 5 5 (mod Ô 1).

Can completely factor 62 (Ô + 62) as 2 1 31 1 3 1 5 1 11 2 19 1 29 1 so log 5 2 + log 5 31 log 5 3 + log 5 5 + 2 log 5 11 + log 5 19 + log 5 29 (mod Ô 1). Try to completely factor 1 (Ô + 1), 2 (Ô + 2), etc. Find factorization of (Ô + ) as product of powers of 1 2 3 5 7 11 13 17 19 23 29 31 for each of the following s: 5100, 4675, 3128, 403, 368, 147, 3, 62, 957, 2912, 3857, 6877.

Each complete factorization produces a log equation. Now have 12 linear equations for log 5 2 log 5 3 log 5 31. Free equations: log 5 5 = 1, (Ô log 5 ( 1) = 1) 2. By linear algebra compute log 5 2 log 5 3 log 5 31. (If this hadn t been enough, could have searched more s.) By similar technique obtain discrete log of any target.

For Ô ½, index calculus scales surprisingly well: cost Ô where 0. Compare to rho: Ô 1 2. Specifically: searching ¾ 1 2 Ý 2, with lgý ¾ Ç( Ô lgôlg lgô), finds Ý complete factorizations into primes Ý, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.)

Latest index-calculus variants use the number-field sieve and the function-field sieve. To compute discrete logs in FÕ: lg cost ¾ Ç((lgÕ) 1 3 (lg lgõ) 2 3 ). For security: Õ 2 256 to stop rho; Õ 2 2048 to stop NFS. We don t know any index-calculus methods for ECDL! except for some curves.