a random walk talk - centre de recherches mathématiques · steven galbraith a random walk talk....

A Random Walk TalkSteven Galbraith

Auckland University, NZ.

Joint work with

I Raminder Ruprai

I John Pollard

I Mark Holmes

Thanks to

I Tanja Lange

I Pierrick Gaudry

Steven Galbraith A Random Walk Talk

Advertisement: Mathematics of Public Key Cryptography

I’m (still) writing a book called “Mathematics of Public KeyCryptography”.

Some chapters available here:

http://www.isg.rhul.ac.uk/~ sdg/crypto-book/crypto-book.html

Please send me comments/corrections/suggestions.


Outline of this talk

The talk will be a random walkwith new results and random thoughtsand Pollard’s kangaroos (not snarks)jumping down the line.

While Tanja Lange knits some socksI’ll show the birthday paradoxand keeping an eye on the clocksI’ll finish right on time.


Goals of this talk

I Advertise some open problems.

I Present a generalisation of the birthday paradox.

I Sketch some new algorithms for variants of the DLP.

I Finish right on time.


Algorithms for Computational Problems

Many problems in cryptography (for example, DLP) havealgorithms to solve them of the following types:

I Exhaustive search.“O(N) operations”.

I Time/memory tradeoff.“O(√

N) operations and O(√

N) storage”.

I Low memory randomised algorithm.“expected O(

√N) operations”.


Example

Consider the DLP in a group of prime order r : Given g , h to find asuch that h = ga.(I will write all groups multiplicatively in this talk.)

I Exhaustive search: O(r) group operations.

I Baby-step-giant-step: O(√

r) group operations and storage ofO(√

r) group elements.

I Pollard rho: expected O(√

r) group operations.Precisely, following van Oorschot and Wiener (i.e., usingdistinguished points), (1 + ε)

√πr/2 ≈ 1.25

√r group

operations.

I I’m interested in the constant.


Pollard row


Open Question

Low Hamming weight DLP: Given g , h,w to find 0 ≤ a < r , if itexists, such that h = ga and the Hamming weight of a is ≤ w .Let N =

(blog2(r)c+1w

).

I Time/memory tradeoff in O(√

N) group operations andstorage.

I Van Oorschot and Wiener have a general method to transforma time/memory tradeoff into a low memory algorithm, but itonly gives an algorithm with expected cN3/4 group operations.

I It is an open problem to give a low memory algorithm for thisproblem with expected running time of O(N1/2) groupoperations.


Clopen Question

Finding isogenies in the supersingular isogeny graph (graph of`-isogenies for a single prime `).E.g., finding collisions in the Charles-Goren-Lauter hash function.Let N be the size of the isogeny graph.

I Time/memory tradeoff in O(√

N) isogeny computations andstorage (G.).

I For ordinary elliptic curves there is a low memory algorithmfor this problem due to G.-Hess-Smart.(Some recent tricks by Anton Stolbunov.)

I A variant of the algorithm applies in the supersingular case,but there are some difficulties with the random walks.There should be an algorithm with complexity O(

√N) but it

is unclear what the precise running time should be.


The DLP in an Interval

I Given g , h,N find a, if it exists, such that h = ga and0 ≤ a < N.

I This problem does arise in practice (pseudorandom generatorby Gennaro, decryption in the Boneh-Goh-Nissim scheme,analysis of the static/strong Diffie-Hellman problem, etc).

I Pollard kangaroo method using distinguished points (vanOorschot and Wiener 1996/1999) solves problem in averagecase expected (1 + ε)2

√N group operations.

I Important: kangaroo method is not analysed using thebirthday paradox.

I 10 years pass . . .


Improved DLP in an Interval

Two ways to improve:

I Pollard 3 or 4 kangaroos method ≈ 1.71√

N.(Trick is to start wild kangaroos at both h and h−1.)

I Gaudry-Schost algorithm (cockroaches).


Gaudry-Schost Algorithm

I A way to tackle constrained problems using the birthdayparadox.

I One has a “tame set” T and a “wild set” W and seekscollisions in T ∩W .

I Basic idea for DLP in an interval:

T = {ga : 0 ≤ a < N}, and W = {hga : −N/2 < a < N/2}.

Then N/2 ≤ #(T ∩W ) ≤ N.

I This gives an algorithm with average case expected runningtime of (1 + ε)2.08

√N group operations – worse than Pollard

kangaroo.

I There are some inconvenient aspects: e.g., boundaries of Tand W .


Gaudry-Schost Algorithm

I The Gaudry-Schost algorithm (as with Pollard rho andkangaroo) is fundamentally different from the time/memorytradeoff.

I Time/memory tradeoff: Sets S1,S1 with #Si ≈√

N and#(S1 ∩ S2) = 1.

I Gaudry-Schost: Sets S1,S2 with #Si ≈ N and#(S1 ∩ S2) ≥ cN for some constant.

I There is great flexibility in the choice of sets.

I Combining smaller sets with the Pollard 4 kangaroo idea givesan algorithm for the DLP in an interval with average caseexpected time of 1.48

√N group operations (beating Pollard’s

1.71√

N).


A Variant of the Birthday Paradox

I To analyse the Gaudry-Schost algorithm one needs a variantof the birthday paradox.

I Placing balls of two colours (equally likely) into N urns, theexpected number of samples to get a collision is

√πN.

I Example: The expected number of people in a room,containing an equal number of boys and girls, to have a boyand a girl with the same birthday is 33.86 (compare with23.94 for any pair having the same birthday).

I Puzzle: In my hotel there is a meeting of the “boys born inJanuary” club, and a meeting of the “random girls” club.How many of each should I put in a room until I expect a boyand girl with the same birthday?

I What happens as the number of days in a year →∞ butJanuary is still about 1/12 of the days?


Equivalence Classes

I Many groups have efficiently computable automorphisms ψ.For example, the map ψ : g 7→ g−1 is easy for elliptic curvesand the torus T2.

I A very Canadian idea (Gallant-Lambert-Vanstone andWiener-Zuccherato) for solving the DLP is to define a randomwalk on G/ψ (sets of orbits in the group G under ψ).

I For Pollard rho, using equivalence classes with respect toinversion “should” speed-up the algorithm by a factor of

√2.

I A catch: lots of nasty little cycles in the pseudorandom walks.Handling these adds a significant overhead.

I All recent records for the ECDLP have not used equivalenceclasses (except for the case of Koblitz curves).

I See very nice papers by permutations of the authors Bos,Kaihara, Kleinjung and A. K. Lenstra.


DLP in an Interval Using Equivalence Classes

I It seems impossible to combine Pollard’s kangaroo algorithmwith equivalence classes.

I Consider DLP in an interval: g , h,N to find n, if it exists,such that h = gn and −N/2 ≤ n ≤ N/2.

I Define the tame set

T = {{ga, g−a} : −N/2 ≤ a ≤ N/2}

and

W = {{hga, (hga)−1} = {gn+a, g−(n+a)} : −N/2 ≤ a ≤ N/2}.

I We have #T ≈ N/2, but #W and #(T ∩W ) depend on n.

I Further subtlety: if one chooses a unique representative foreach class, one finds that sampling elements hga where a ischosen uniformly in −N/2 ≤ a ≤ N/2 does not necessarilycorrespond to sampling uniformly in W .


A Generalisation of the Birthday Paradox

(Building on work of Selivanov.)Theorem (G.-Holmes. beta version)Let C ∈ N. Balls will be chosen of colour 1 ≤ c ≤ C withprobability qc .Let N ∈ N (we consider this as variable). A ball of colour1 ≤ c ≤ C is assigned to urn 1 ≤ a ≤ N with probability qc,a.Suppose that some technical conditions hold.Let

AN =C∑

c=1

qc

C∑c ′=1,c ′ 6=c

qc ′

(N∑

a=1

qc,aqc ′,a

) .

Then the expected number of trials before an urn contains balls ofat least 2 different colours is√

π

2AN+ O(N1/4)

as N →∞.Steven Galbraith A Random Walk Talk

The answer to the puzzle

I Puzzle: In my hotel there is a meeting of the “boys born inJanuary” club, and a meeting of the “random girls” club.How many of each should I put in a room until I expect a boyand girl with the same birthday?

I What happens as the number of days in a year →∞ butJanuary is still about 1/12 of the days?

I 12 times more girls than boys? 6 times? 4 times? 3 times?Twice as many? The same number of each?

I Asymptotically, take an equal number of boys and girls!


DLP in an Interval Using Equivalence Classes

Theorem: (G.-Ruprai; PKC 2010) There is an algorithm to solvethe DLP in an interval of size N in groups with fast inversionwhich requires (ignoring the troubles with cycles) average expected(1 + ε)1.36


Possibly can be slightly improved.


Higher Dimensional Versions

I The original Gaudry-Schost algorithm was introduced forsolving problems like: Given g1, g2, h,N1,N2 find (a1, a2) if itexists such that

h = ga11 ga2

2

and0 ≤ a1 ≤ N1, 0 ≤ a2 ≤ N2.

I Applications: point counting on hyperelliptic curves, hardessunderlies protocols of Brands, solving such problems is neededfor a result of Cramer, Gennaro and Schoenmakers, solvingvariants of the DLP corresponding to Frobenius expansionsand the GLV method.

I Let N = N1N2. G.-Ruprai (Cirencester 2009) show one cansolve the 2-dim DLP in 2.36



Higher Dimensional Versions

I One can consider equivalence classes in this setting.This is still work-in-progress.

I Using equivalence classes under +/− in the 2-dim case itseems the average expected complexity could be as low as1.383

√N group operations (again, ignoring cycles).

This is a big speed up over 2.36√

N .


Conclusion

I The Gaudry-Schost algorithm is a really useful idea whichperhaps can be used to solve some currently unsolvedproblems.

I We have used it to combine the DLP in an interval (orhigher-dimensional box) with equivalence classes.

I We have developed a powerful generalisation of the birthdayparadox which will be a useful tool when working with theGaudry-Schost algorithm.


a random walk talk - centre de recherches mathématiques · steven galbraith a random walk talk....

Documents