This document summarizes research on using elliptic curve cryptography based on imaginary quadratic orders. It shows that for elliptic curves over a finite field Fq, if q satisfies certain conditions, the elliptic curve discrete logarithm problem can be reduced to the discrete logarithm problem over the finite field Fp2. This allows the elliptic curve discrete logarithm problem to potentially be solved faster. It then provides examples of how to construct "weak curves" that satisfy the necessary conditions.
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Elliptic Curve Weak Class Identification for Reducing ECDLP
1. Elliptic Curve Weak Class
Identification for the Security
of Cryptosystem
Intan Muchtadi,
Ahmad Muchlis and Fajar Yuliawan
Algebra Research Group,
Institut Teknologi Bandung (ITB),
Indonesia
2. Elliptic Curve
In 1985 both Koblitz and Miller independently
suggested the use of Elliptic Curves in the
development of a new type of public key cipher.
An Elliptic Curve is a simple equation of the form:
y2 = x3 +ax+b
a,b in F of characteristic p ≠ 2,3 and 4a3 + 27b2 ≠ 0
8. Multiples in Elliptic Curves 1
The interest in Elliptic Curve Addition is the
process of adding a point to itself.
That is given a point P find the point P+P or 2P.
This is done by drawing a line tangent to P and
reflecting the point at which it intercepts the
curve
P can be added to itself k times resulting in a
point W = kP.
11. Discrete Logarithm Problem
1. A and B agree on a finite group G
and some fixed element g.
2. A selects an integer x at random and
transmits b = gx to B.
3. B selects an integer y at random and
transmits c = gy to A.
4. A determines k = cx , B determines k =
by , k is then used as the secret key.
12. Elliptic Curve Cryptography
Based on the discrete logarithm
problem applied to Abelian group
E(Fp) formed by the points of an
elliptic curve over a finite field
E(Fp)={(x,y)∈(Fp)²:y²=x³+ax+b}∪{O}
13. Elliptic Curve Cryptosystem
There are several ways in which the ECDLP
can be imbedded in a cipher system.
One method begins by selecting an Elliptic Curve
and a point P on the curve and a secret number
d which will be the private key.
The public key is P and Q where Q = dP
A message is encrypted by converting the
plaintext into a number m, selecting a random
number k, and finding a point M on the curve
where the difference of the x and the y co-
ordinates equals m.
the ciphertext consists of two points on the curve:
(C1,C2) = (kP, M + kQ)
14. Decipher
The secret key, d is used to decipher
the ciphertext
Multiply the first point by d and subtract
the result from the second point:
M = C2-dC1= M+kQ –dkP= M + kdP - dkP
15. Elliptic Curve Security
The security of the Elliptic Curve
algorithm is based on the fact that it is
very difficult (as difficult as factoring)
to solve the Elliptic Curve Discrete
Logarithm Problem:
Given two points P and Q where Q = kP,
find the value of k
17. Maximal Orders and
Non-maximal Orders
If Δ is squarefree, then OΔ is the maximal order of
the quadratic number field Q(√Δ) and Δ is called a
fundamental discriminant.
The non-maximal order of conductor p>1 with (non-
fundamental) discriminant Δp=Δp² is denoted by OΔp.
Assume that the conductor p is prime.
Let IΔ = The group of invertible OΔ-ideals and
PΔ = The set of principal OΔ-ideals.
The class group of OΔ = Cl(Δ) = IΔ/PΔ is a finite
abelian group with neutral element OΔ
The class number of OΔ = h(Δ) = | Cl(Δ)|.
18. Imaginary Quadratic Orders
In 1988 Buchmann and William use the
class groups of imaginary quadratic
orders Cl∆ for the construction of
cryptosystem.
19. Reducing the DLP
Huhnlein et al showed that for totally
non-maximal imaginary quadratic
orders (i.e., h∆ =1), the DLP can be
reduced to the DLP in some finite field.
20. Problem
Can we find a condition for elliptic
curves such that the DLP for those
curves can be reduced to the DLP of
some finite fields?
21. The 1st Relation
If E is an elliptic curve over Fq, then
endomorphism ring of E is an
imaginary quadratic order O∆ if and
only if |E(Fq)| ≠ q+1.
Moreover, there exists a π ∈ O∆ such
that |E(Fq)| = q + 1 – (π + π ), where π
is the conjugate of π, and π is the
Frobenius endomorphism
π(x,y) = (xq,yq) for all (x,y) ∈ E(Fq).
22. Consequence
If q satisfies 4q=m²-Δn², for some
m,n∈Z, then π =±(m+n√Δ)/2,
As π²-tπ +q=0, we get t = π + π =±m.
Therefore |E(Fq)| = q +1 ± m
If m=1, then |E(Fq)| = q or q+2.
The case |E(Fq)|=q is
cryptographycally weak
We consider the case where |E(Fq)|
=q+2.
23. The Result: Reducing the ECDLP
Main Theorem
Let q be a prime satisfies 4q=1-Δn², for
some n∈Z, such that p=q+2 is also a
prime, and let E be an elliptic curve
over Fq with |E(Fq)|=p.
Then the DLP in E(Fq) can be reduced to
the DLP in Fp² as additive group.
27. The proof
E(Fq) ≈ O∆ /(π-1) O∆
↑
O∆ /pO∆ ≈ Fp2
given G and P∈E(Fq) with P=[m]G,
compute the corresponding elements α+(π-1) O∆ and γ+(π-1)
O∆ ∈ O∆ /(π-1) O∆
compute the corresponding α +pO∆ and γ +pO∆ ∈ O∆ /pO∆
compute the corresponding elements in Fp²
Then compute the discrete logarithm there or determine that
it does not exist.
28. Conclusion
For q a prime satisfies 4q=1-Δn², for
some n∈Z, such that p=q+2 is also a
prime, the ECDLP in E(Fq) whose order
is p can be reduced to the DLP in finite
field of order p² as additive group.
29. Question of Existence
How to construct such
cryptographically weak curves.
Answer
By using the construction of
anomalous elliptic curves (i.e. where |
E(Fq)|=q).
30. Recall
If q satisfies 4q=m²-Δn², for some
m,n∈Z, then π =±(m+n√Δ)/2,
As π²-tπ +q=0, we get t = π + π =±m.
Therefore |E(Fq)| = q +1 ± m
If m=1, then |E(Fq)| = q or q+2.
31. Construction of Anomalous Curves
(based on [Leprevost et al])
Step 1 :
Choose ∆ < 0 a fundamental
discriminant of an imaginary quadratic
field K = Q(√∆) such that order of K has
class number 1.
∆ ∈ {-3, -4, -7, -8, -11, -19, -43, -67, -163} [Cox,
Theorem 7.30]
32. Step 1(contd)
Choose an odd prime q such that
4q = 1- ∆n2 for an integer n.
We can show that
1. -∆ ≡ 3 mod 8 (∆ ∈ {-3, -11, -19, -43, -67,
-163} )
2. q = - ∆u(u+1)+ (- ∆+1)/4 for some
integer u
33. Step 2
OK = O∆=Z[(∆ + √∆)/2
Let j(OK) be the j-invariant of OK. For
class number = 1 the j-invariant is given
as following ∆ j(O )k
-3 0
-11 -323
-19 -963
-43 -9603
-67 -52803
-163 -6403203
[Cox, p.261]
34. Step 3
Choose an elliptic curve over
L=K(j(OK)) with j-invariant j0 = j(OK) :
Since j(E) = 1728(4a3/(4a3+27b2)), then we
can choose
E: y2 = x3 + ax + b
where a=3j0/(1728-j0) and b=2j0/(1728-j0)
35. Step 4
Reduce E to
E : y2 = x3 + [a]x + [b]
over Fq
We can show that |E(Fq)|∈{q,q+2}
If |E(Fq)|=q+2, a prime, then we’re
done.
36. Step 5
If |E(Fq)|=q, define
E’:y2=x3+d2[a]x+d3[b],
where d ∈ Fq a non-quadratic element.
|E’(Fq)| = q+2
If q+2 is prime, then we’re done.
37. Problem
It’s not easy to find a prime q such that
4q = 1- ∆n2 for an integer n
q+2 is also a prime
42. Next?
Find examples of “weak curves”, i.e
twin primes that satisfy the condition in
the Main Theorem.
Does the result in this work have any
relevance to the ECDLP for elliptic
curves whose endomorphism ring is a
totally non-maximal order?
43. References
[1] H.Baier (2002), Efficient algorithms for generating elliptic
curves over finite fields suitable for use in cryptography, PhD
Dissertation.
[2] I. F. Blake, G. Seroussi, and N. P. Smart (2000), Elliptic curves in
cryptography, volume 265 of London Mathematical Society
Lecture Note Series,Cambridge University Press, Cambridge.
[3] I. F. Blake, G. Seroussi, and N. P. Smart (2005), Advances in
elliptic curve cryptography, volume 317 of London
Mathematical Society Lecture Note Series, Cambridge
University Press, Cambridge.
[4]J.Buchmann dan H.C.Williams (1988), A key exchange system
based on imaginary quadratic field, Journal of Cryptology, 1,
107-118.
44. References (contd)
[5] J. Buchmann (2004), Introduction to cryptography, Springer.
[6] H. Cohen and G. Frey (2006), Handbook of elliptic and hyper
elliptic curve cryptography, Hall and Chapman, Taylor and
Francis Group.
[7] D. A. Cox (1989), Primes of the forms x2 + ny2, John Wiley and
Sons, New York.
[8] W. Diffie and M. Hellman (1976), New directions in
cryptography, IEEE Transactions on Information Theory, 22,
472-492.
[9] A. Enge (2001), Elliptic curves and their applications to
cryptography : an introduction, Kluwer Academic Publishers.
[10] D.Hankerson, A.J. Menezes, S. Vanstone (2004), Guide to
elliptic curve cryptography, Springer-Verlag, New York.
45. References (contd)
[11] D.Huhnlein, M.J. Jacobson, S. Paulus and T.Takagi (1998), A
cryptosystem based on non-maximal imaginary quadratic
order with fast decryption, in Advances in Cryptology, LNCS
1403, Springer, 294-307.
[12] D.Huhnlein, M.J. Jacobson, D. Weber (2003), Towards
Practical Non-Interactive Public-Key Cryptosystems Using Non-
Maximal Imaginary Quadratics Orders, Designs, Codes and
Cryptography, 30, Issue 3, 281-299.
[13] D.Huhnlein, T.Takagi (1999), Reducing logarithms in totally
non-maximal imaginary quadratic orders to logarithms in nite
elds, ASIACRYPT, 219-231.
[14] N.Koblitz (1987), Elliptic curve cryptosystem, Mathematics of
Computation 48, 203-209.
46. References (contd)
[15] H.W.Lenstra (1996), Complex multiplication structure of
elliptic curves, Journal of Number Theory, 56, No. 2, 227-241.
[16] F. Leprevost, J.Monnerat, S. Varrette, S.Vaudenay (2005),
Generating anomalous elliptic curves, Information Processing
Letters, 93, 225-230.
[17] K. S. McCurley (1988), A Key Distribution System Equivalent to
Factoring, Journal of Cryptology 1, 95-105.
[18] V.S. Miller (1986), Use of elliptic curve in cryptography, in
Advances in Cryptology - CRYPTO '85, Springer-Verlag, LNCS
218, 417-426.
[19] J.H. Silverman (1986), The arithmetic of elliptic curves,
Springer-Verlag, NewYork.
[20] L.C. Washington (2008) Elliptic curves, number theory and
cryptography,Chapman and Hall/CRC, Taylor and Francis
Group.