Research on Attacking a Special Elliptic Curve Discrete Logarithm Problem

Weng, Jiang; Dou, Yunqi; Ma, Chuangui

doi:https://doi.org/10.1155/2016/5361695

Mathematical Problems in Engineering

On this page

Abstract Introduction Experimental Results Conclusion Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2016 | Article ID 5361695 | https://doi.org/10.1155/2016/5361695

Research on Attacking a Special Elliptic Curve Discrete Logarithm Problem

Jiang Weng,^1,2Yunqi Dou,¹and Chuangui Ma³

Academic Editor: Nazrul Islam

Received17 Dec 2015

Revised15 May 2016

Accepted31 May 2016

Published28 Jun 2016

Abstract

Cheon first proposed a novel algorithm for solving discrete logarithm problem with auxiliary inputs. Given some points , an attacker can solve the secret key efficiently. In this paper, we propose a new algorithm to solve another form of elliptic curve discrete logarithm problem with auxiliary inputs. We show that if some points and a multiplicative cyclic group are given, where is a prime, is the order of . The secret key can be solved in group operations by using storage.

1. Introduction

Let be an elliptic curve over a finite field , where and is prime. Given points to find an integer , if it exists, such that . The computational problem is called elliptic curve discrete logarithm problem (ECDLP). This problem is the fundamental building block for elliptic curve cryptography (ECC) and pairing-based cryptography and has been a major area of research in computational number theory and cryptography for several decades.

The security of elliptic curve cryptography is based on the difficulty of the ECDLP. Like any other discrete logarithm problem, ECDLP can be solved by generic algorithms such as the Baby-Step Giant-Step method [1] and Pollard rho method [2]. At present, parallelized Pollard rho algorithm [3] is the fastest general-purpose method for solving the ECDLP. So far, Pollard rho method has been implemented on a variety of accelerator platforms including FPGAs, Playstation 3 Cell Processors, and GPUs.

Many bilinear maps were applied to establish efficient cryptographic schemes, whose security relies on the infeasibility of newly proposed mathematical problems such as Bilinear Diffie-Hellman Problem (BDHP) [4], Strong Diffie-Hellman Problem (SDHP) [5], Bilinear Diffie-Hellman Inversion Problem (BDHIP) [6], and Bilinear Diffie-Hellman Exponent Problem (BDHEP) [7].

A variant of the Diffie-Hellman problem introduced by Boneh and Boyen [5] is to compute that when given . Problems of this type (including the simpler case of being given ) are sometimes called discrete logarithm problems with auxiliary inputs.

In Eurocrypt 2006, Cheon [8, 9] first proposed an algorithm for solving discrete logarithm problem with auxiliary inputs (DLP-wAI). Auxiliary inputs are some additional information which is provided for solving DLP, such that some elements () instead of only two elements ().

Let be an additive cyclic group generated by an element of prime order . The time complexity of Cheon’s algorithm is with storage in the case of . In particular, when , it only needs in time and space. Cheon also presents a variant for the case when . The idea of Cheon’s algorithm is to embed a discrete logarithm from to an auxiliary group (or ) for (or case, resp.).

In 2009, Satoh [10] proposed a possible generation of Cheon’s algorithm when is a divisor of when , where is the th cyclotomic polynomial. Although Satoh described the algorithm in the context of general linear groups, essentially Satoh’s algorithm used embedding from to an auxiliary group . In the case of , Satoh’s algorithm reduced the number of input data pieces by the half of Cheon’s original algorithm. However, the efficiency of the algorithm was not well-studied. Kim [11, 12] studied Satoh’s generalization of the algorithm for solving the DLP-wAI. The result showed that the complexity of Satoh’s algorithm was not faster than Cheon’s algorithm when and . One of the main problems when using this mapping is the occurrence of high degree polynomials.

In 2012, Kim and Hee [13] proposed a new approach to solve the DLP-wAI focusing on the behavior of the function mapping rather than embedding the secret key to an auxiliary group. Kim’s algorithm reduced solving DLP-wAI into finding a polynomial whose substitution polynomial has many absolutely irreducible factors. In case, the complexity of Kim’s algorithm is with auxiliary elements, where is the number of pairs such that , while Cheon’s algorithm required auxiliary elements for the same problem. However, it would be more difficult to design such a polynomial with small value sets.

Sakemi et al. [14] investigated useful techniques for speeding up Cheon’s algorithm and demonstrated that it is possible to solve 160-bit DLP-wAI over a pairing-friendly elliptic curve within a practical time.

In this paper, we introduce a new algorithm for solving ECDLP-wAI. If are given, specify that is a prime number and that is the Euler totient function and that is a generator of multiplicative cyclic group with order ; we can solve by using group operations and storage.

The rest of this paper is organized as follows. In Section 2, we describe Cheon’s algorithm. We define a group partition and show how group elements can be represented with only a few elements in Sections 3 and 4. In Section 5, we propose an algorithm for the ECDLP-wAI and analyze the complexity. Then our experimental results are reported in Section 6. Finally, we conclude this paper in Section 7.

2. Preliminary

In this section we introduce some notations and concepts used throughout this paper.

2.1. Discrete Logarithm Problem with Auxiliary Inputs

The DLP-wAI was first proposed by Cheon in [8, 9] as a variant of DLP. Let be an additive cyclic group generated by the base point of prime order . The DLP-wAI in is to solve from some additional information such as for some integer .

Cheon proposed two types ( and case) of DLP-wAI. Both of the two algorithms transform the discrete logarithm in into an auxiliary group, and solving the DLP in the auxiliary group is more efficient than original group.

We now sketch the technique due to Brown and Gallant [15] for solving ECDLP instances , where has order and . Fix of order equal to , so that has order . Since has order modulo dividing , we have for some integer . Writing and with we have . Hence one can compute a list of values and a list of values and find in steps the matching pair . Writing we have . To find a we write and note that for some . By a similar method based on one computes in steps and hence computes . Overall we compute in group operations.

The case is that are given for a positive divisor of . This case maps to and the subgroup of with order as the auxiliary group. We give Cheon’s algorithm with case as follows:

Algorithm 1. Input: , ; Output: : () Find a generator , () Set , () , , () Find , such that , () , () Set , () , , () Find , such that , () , () Output .

The secret key can be recovered in time complexity by using storage. In the extreme case where there is a factor with , then one can solve the ECDLP in steps, which is much efficient than that for solving DLP in general groups (which requires ).

The case is that are given for a positive divisor of . This case maps to , where , and the subgroup of with order as the auxiliary group. We give Cheon’s algorithm with case as follows:

Algorithm 2. Input: let , , a quadratic nonresidue of , and a root of in , , , and ; Output: : () Find a generator , () Set , , () , , () , , , and , () Find , such that , () , () Set , () , , () Find , such that , () , () , () Output .

The secret key can be recovered in time complexity by using storage.

3. Partitions of Group Elements

In this section, we introduce a representation of a multiplicative subgroup and then give a group action on . For more information about group theory, one refers to [16, 17].

3.1. Multiplicative Cyclic Subgroup of Construction

A representation of the subgroup can help to analyze the structure of the subgroup. In this paper, we introduce a new representation for multiplicative subgroup of , where is an odd prime.

Let be a subset of . The greatest common divisor of all integers is denoted by , where belongs to . We define a subset of by , where , is an even integer, and is an odd prime number.

Lemma 3. Let . Thus is a multiplicative subgroup of .

Proof. Let , ; then . Since and , this means . So .
Let ; we assume . Since and , then there exists such that is the inverse of .
It is closed under multiplication and inversion. Therefore is a multiplicative subgroup of .

Since is an even integer, every element of is as form so that , where .

3.2. Group Action

Definition 4 (see [16]). An action of group on a set is a function (usually denoted by such that for all , satisfies: where is a unit element of . When such an action is given, we say that acts on set .

Since there may be many different actions of group on given set , the notation is ambiguous. A group action on a set induces a partition of this set, which is called the orbit of the set under this group action.

Let be a group that acts on a set . The relation on defined by for some is an equivalence relation. The equivalence classes of the equivalence relation are called the orbits of the set under this group action; usually the orbit of is denoted as .

A group action of on a set induces a partition of via the equivalence relation defined by for some . The equivalence classes are called orbits of under the action of ; usually the orbit of is denoted as . We define the set of fixed points of under the action of by for all and the set of nonfixed points by . Hence all elements of group can be represented by only two types of elements, fixed points and nonfixed points.

We define the action of subgroup on such that satisfies for all and . This map induces a set that is called a -orbit of . In particular, , for every is a subgroup of , which is the set of fixed points.

Let be a primitive element in ; then is a generator of a cyclic group. Obviously, the fixed point set is generated by , where and .

By using this group action on , we can efficiently partition . Thus the elements of can be represented with only a few subsets.

4. A Group Represented by Disjoint Orbits

In this section, we introduce how to partition group elements by disjoint orbits.

4.1. A Group Partition

Let , where is an index set, are distinct odd prime numbers, and each . We choose a prime divisor of with , denoted as . Let . It is equivalent to . We generate a set that is defined by .

Proposition 5. Let be a multiplicative subgroup of . Thus the order of is , where denotes Euler’s totient function.

Let be prime; then . We note that and , where . Obviously, is a complete residue modulo for . Thus, there exists unique such that . So all the elements of can be expressed by . Thus we know that .

Proposition 6. Let be a multiplicative subgroup of . If , then is a cyclic group.

Proof. We define a map , where is a multiplicative cyclic group of order . The map is defined by for every .
Let and , where :Hence ; it implies that the map is a group-homomorphism for the multiplicative structures on and . In order to prove the map is bijective, we only need to prove the map is injective.
If , then for all and . Suppose ; then . Since , we have . This is a contradiction. Therefore, the map is injective. It is natural that is bijective. Hence the groups and are isomorphism (written as ).
Therefore the group is a cyclic group.

Then we need to find a generator of . Since is a cyclic group and , the homomorphism maps the generator of to the generator of . Let be a generator of ; then . The following proposition implies that are all the distinct elements for , where is a generator of .

Proposition 7. Let be defined as above and a generator of ; then all elements in the same orbit are distinct for every .

Proof. Suppose that for , . Writing this as , we know . Since , where , notice that ; we have . However, ; this is a contradiction. Thus are distinct for , .

Let be a generator of a cyclic group of fixed point. In the following we mainly discuss the relation between and under the condition for all and , where is a fixed point and is a nonfixed point.

Proposition 8. Let be a multiplicative subgroup of and a generator of fixed point for . If , then any two orbits and are disjoint for , .

Proof. Any two orbits and are disjoint for , . It is equivalent to . Suppose that for some . This means that and , where . Since and for , the order of divides both and . Then it divides , from which it follows that must be equal to . This is a contradiction, so and are disjoint. On the other hand, if , there is natural .

From the above discussion, we conclude that two orbits and are identical or disjoint. Therefore, group elements can be expressed by disjoint orbits. We may divide the group into two classes, the nonfixed points (denoted as ) and the fixed points (denoted as ). The group can be expressed by , where denotes the disjoint union.

The nonfixed points part behaves just like an extended orbit. can be partitioned by the disjoint union of distinct , such as where we choose as a nonfixed point representative element, and is a fixed point.

The above discussion gives a decomposition of group elements as union of distinct orbits, which we call the orbit decomposition formula. Furthermore, we can take these elements as the different representatives for distinct orbits. Obviously, any two orbits and are one-to-one correspondence, where . Thus any two orbits have the same cardinality.

Hence, the cardinality of can be expressed by for . The order of can be expressed by for a non-fixed point and a fixed point .

Example 9. Let ; define a map for and . We consider a group partition method on . Then we have disjoint orbits of length . Since there is one-to-one correspondence between any two orbits, the group can be divided as follows:So the cardinality of every orbit is . We have fixed points and note that . Obviously, can be represented as . Thus can be partitioned by .

5. A Special Polynomial Construction

In [13], Kim and Hee proposed a fast multipoint evaluation method to solve DLP-wAI focusing on the behavior of function mapping between the finite fields rather than using embedding for auxiliary groups. This method reduced solving DLP-wAI into finding a polynomial whose substitution polynomial has many absolutely irreducible factors.

In this section, we construct a polynomial having the same value for the elements in the same orbit. We define a function bywhere . It implies that are all distinct elements and that this sequence is repeated for further powers. Furthermore, we define the equivalence relation on as follows:where is a fixed point and are the representatives of distinct orbits.

This relation partitions the group into different equivalence classes, and each class contains elements. Obviously, any two equivalence classes, that is, and , have one-to-one correspondence for all and .

Proposition 10. Let be multiplicative subgroup of and a generator of fixed point. Then we have and , where , , and .

Proof. One has for all ; the orbit generated by satisfies for all .

5.1. The Proposed Algorithm

Theorem 11. Let be an additive cyclic group of prime order with a generator . Let be a multiplicative subgroup of with . Suppose that a generator of and are given. Then can be computed in time group operations by using storage for elements of .

Proof. Let be an additive cyclic group generated by an element of prime order . Polynomial has the same value for all elements in an orbit, and it is to say that , where and .
Given , we first compute . Then we randomly choose a nonfixed element from and evaluate at . There exist nonnegative integers such that .
If we take , can be expressed in a unique manner as , where . This implies that Since is unknown value, in practice, we search for integers and that satisfyIn order to find such , we use Baby-Step Giant-Step [1] method. We construct a lookup table, which contains all the pairs for , and we sort the table by the first component. Then we compute for each and compare with the lookup table in order to identify coincidence. Note that the terms in both sides of (7) can be computed by repeated elliptic curve scalar multiplication. Thus, we can determine a pair of that satisfies (7) in group operations by using storage for elements of . Then can be found.
There is or equivalently . Since the th power of any point is still in the same orbit, there exists an integer such that . We compute and compare with in , where . This gives .

We briefly describe this method in Algorithm 12. The algorithm is probabilistic, in which satisfies for our attack. Since all elements of group can be represented by fixed point and nonfixed point, the probability that a random element is a nonfixed point is , which is sufficiently large.

Algorithm 12 (a new algorithm to ECDLP with auxiliary inputs). Consider the following: Input: let , , and a primitive element in , ; Output: : () Set , () [Step 1] Compute , () Randomly choose and compute , () [Step 2] , () Find , such that , () In case of failure, return to line 3 until , () [Step 3] Find such that , () Output

In summary, if and multiplicative group are given, the proposed algorithm computes approximately in group operations with storage in .

6. Experimental Results

This section describes our experimental results of our new algorithm for an elliptic curve. We successfully solved ECDLP-wAI by our implementation in a group with 61-bit order.

6.1. Parameters

We use an addition cyclic group with order on an elliptic curve defined over a binary finite field . Concrete values of these parameters are summarized in the following:(i) ,(ii) ,(iii) ,(iv) , where denotes the number of points in . In the implementation of our new algorithm, we use the following parameters: (i),(ii),(iii),(iv), , ,(v) and .

Here, is chosen to minimize the time complexity of our algorithm. The element is chosen as the generator of the multiplicative group . A base point is randomly chosen from points in with order . Given the coordinate of , the corresponding values for and are as follows:

6.2. Results

In this experiment, we randomly choose an element .

Step 1. We compute and as follows:

Step 2. We search for the integer such that It is equivalent to searching for integer , such that We establish two databases and . To establish database , we have to compute and store the following points:In order to reduce the storage space, we use the point compression technique as [18]. Each point is digested as , so each point needs bytes.
Thus, bytes (≈235.2 Mbytes) is required for , and about hours is required in total (on Pentium® Dual-Core CPU E5700 3.00 GHz). To establish database ,were computed and stored. With the same space saving technique, bytes (≈235.2 Mbytes) was required for , and hours was required in total.
Then, a collision between two databases and was searched by a naive method. Since databases are small, the time for comparison is negligible. Collisions and were found. Thus, a solution can be found.

Step 3. To find , we have known an integer that satisfies ; it is equivalent to for . Locate from the set to find such that . Finally, we succeed in finding a solution for .

7. Conclusion

In this paper, we propose a new ECDLP-wAI and give an algorithm to solve the ECDLP efficiently. When given some points and multiplicative cyclic group , our new algorithm can recover the secret key in group operations by using storage, where is a generator of and is the order of . This algorithm can be used to attack these cryptographic schemes that admit an oracle returning th power of its secret key upon an arbitrary input.

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61309016, 61379150, and 61103230), Fundamental Research Funds for the Central Universities (no. JB140302), and the National Cryptology Development Project of China (no. MMJJ201201004).

References

D. Shanks, “Class number, a theory of factorization and genera,” in Proceedings of the Symposia in Pure Mathematics, vol. 20, pp. 415–440, 1971.
View at: Google Scholar
J. M. Pollard, “Monte carlo methods for index computations (mod p),” Mathematics of Computation, vol. 32, no. 143, pp. 918–924, 1978.
View at: Google Scholar | MathSciNet
P. C. Van Oorschot and M. J. Wiener, “Parallel collision search with cryptanalytic applications,” Journal of Cryptology, vol. 12, no. 1, pp. 1–28, 1999.
View at: Publisher Site | Google Scholar | MathSciNet
D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.
View at: Publisher Site | Google Scholar | MathSciNet
D. Boneh and X. Boyen, “Short signatures without random oracles,” in Advances in Cryptology—EUROCRYPT 2004, pp. 56–73, Springer, Berlin, Germany, 2004.
View at: Google Scholar
D. Boneh and X. Boyen, “Efficient selective-id secure identity-based encryption without random oracles,” in Advances in Cryptology—EUROCRYPT 2004, pp. 223–238, Springer, Berlin, Germany, 2004.
View at: Google Scholar
D. Boneh, C. Gentry, and B. Waters, “Collusion resistant broadcast encryption with short ciphertexts and private keys,” in Advances in Cryptology—CRYPTO 2005, V. Shoup, Ed., vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Springer, Berlin, Germany, 2005.
View at: Publisher Site | Google Scholar
J. H. Cheon, “Security analysis of strong diffie-hellman problem,” in Advances in Cryptology—EUROCRYPT 2006, vol. 4004, pp. 1–11, Springer, Berlin, Germany, 2006.
View at: Google Scholar
J. H. Cheon, “Discrete logarithm problems with auxiliary inputs,” Journal of Cryptology, vol. 23, no. 3, pp. 457–476, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
T. Satoh, “On generalization of Cheon's algorithm,” IACR Cryptology ePrint Archive 2009:58, 2009.
View at: Google Scholar
T. Kim, Integer factorization and discrete logarithm with additional in-formation [Ph.D. thesis], Seoul National University, 2011.
M. Kim, J. H. Cheon, and I.-S. Lee, “Analysis on a generalized algorithm for the strong discrete logarithm problem with auxiliary inputs,” Mathematics of Computation, vol. 83, no. 288, pp. 1993–2004, 2014.
View at: Publisher Site | Google Scholar | MathSciNet
T. Kim and C. J. Hee, “A new approach to discrete logarithm problem with auxiliary inputs,” IACR Cryptology ePrint Archive 2012:609, 2012.
View at: Google Scholar
Y. Sakemi, G. Hanaoka, T. Izu, M. Takenaka, and M. Yasuda, “Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve,” in Public Key Cryptography—PKC 2012, M. Fischlin, J. Buchmann, and M. Manulis, Eds., vol. 7293 of Lecture Notes in Computer Science, pp. 595–608, Springer, New York, NY, USA, 2012.
View at: Publisher Site | Google Scholar
D. R. L. Brown and R. P. Gallant, “The static Diffie-Hellman problem,” Cryptology ePrint Archive Report 2004/306, 2004, https://eprint.iacr.org/2004/306.
View at: Google Scholar
T. W. Hungerford, Algebra, Graduate Texts in Mathematics, 1980.
S. Lang, Algebra, Graduate Texts in Mathematics, Springer, New York, NY, USA, 3rd edition, 2002.
T. Izu, M. Takenaka, and M. Yasuda, “Experimental results on Cheon's algorithm,” in Proceedings of the 5th International Conference on Availability, Reliability, and Security (ARES '10), pp. 625–628, IEEE, February 2010.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2016 Jiang Weng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

2059

Downloads

931

Citations