
5.3 NFS

5.3.6 Computational issues with the NFS

For each step of the NFS there are parameter choices to be made and implementation options which affect the performance; the best parameter selection for one step of the NFS can result in the suboptimal performance of another step and in turn of the NFS as a whole procedure. The most straightforward example of this is the choice of the smoothness bound B: taking a higher bound decreases the sieving time, as it is easier to find smooth values, but increases the time and space required in the linear algebra stage. The straightforward approach for an implementation would be to simply choose B so that the running time and space requirement of each step is equal; this, however, is not as straightforward as it seems: the sieving step is parallelisable, whereas the linear algebra stage is not as flexible [39]. The optimal choice for B not only depends on the particular field $\mathbb{F}_{p^k}$ and the relative sizes of p and k but also on the particular implementation and the platform on which it is being run.

The choice of $f_1(x)$ also has an unpredictable effect on the runtime of the NFS. The choice of $f_1(x)$ not only determines $K_1$, but also $K_2$. It therefore makes sense to assess the structure of both $K_1$ and $K_2$ when making this choice. In [51] it is suggested that $f_1(x)$ should be chosen so that $K_1$ has a large cyclic automorphism group (of order k), thus decreasing the number of relations required by a factor of k (and decreasing the size of the matrix accordingly). In [101] the author investigates the probability of finding relations (doubly smooth elements) for different choices of $f_1(x)$. It was shown that different choices of polynomial have a significant effect on the runtime of the sieving stage: changing the polynomial which defines the number fields can increase the probability of finding relations at a rate comparable with a four-fold increase in the size of the factor base [101]. As the degree of the elements sieved increases, finding enough relations becomes a computational issue with the NFS, so the selection of $f_1(x)$ is clearly important, but the best choice for $f_1(x)$ can only be made on a case-by-case basis.

The smoothness bounds and polynomial selections are not the full extent of the variability of the NFS. Other choices affecting the runtime of the NFS include the choice of the sieving region, the dimensions of the sieving space and whether or not to use large primes and partially smooth relations. Though the NFS has an asymptotic complexity of $L_{p^k}(1/3, (64/9)^{1/3} + o(1))$ as p and k both tend to infinity, given the many implementation variables it is clear that we are not able to say much about the expected running time of the NFS in practice, particularly for a fixed k.

In the PBC setting, as outlined in Chapter 3, the fixed extension degrees of the finite fields and the relative sizes of the prime fields used for the particular embedding degrees mean that the NFS is the most appropriate algorithm to use for solving the finite field DLP instance. Given the approximate field size, we are still not able to run experiments to test the runtime of the NFS, as the parameters in such a simulation would be much too large; it is currently computationally infeasible. Taking a smaller instance of the prime for a particular embedding degree would not give us a realistic estimate of the runtime, as the relative sizes of k and p have a significant effect on the runtime. In fact, it is possible that for such an example the FFS would be the most appropriate algorithm to use, not the NFS. This leaves us with the problem of not being able to thoroughly test the NFS in the context of PBC, and thus we are unable to give a concrete estimate of the hardness of the DLP in the context of PBC; we will have to rely on the heuristic analysis of [51]. In fact, this can be said for the use of the NFS in general: the NFS would obtain optimal performance (asymptotically) only for fields for which it is currently computationally infeasible to compute examples; this means that for all example cases, the parameters will have to be chosen such that the NFS cannot possibly achieve the optimal runtime, which is an advantage for PBC.

Complexity of the NFS in the context of PBC

There are three cases for the complexity of the NFS in the medium prime case. In the case relevant to PBC, the complexity of the NFS depends on the relative sizes of p and k, which determine the degree of the elements sieved. The parameters are such that p can be written as $p = L_{p^k}(2/3, c)$ for some constant c. The complexity of the NFS is given by

and l is the degree of the elements sieved, given by the closest integer solution to the real solution of $3tl^3(l+1)^2 - 32 = 0$ [51].

Chapter 6

Solving the ECDLP

———————————————————————————————————

‘Sentence first – verdict afterwards.’

- The Queen, Lewis Carroll’s Alice in Wonderland, Chapter XII, Alice’s Evidence.

———————————————————————————————————

In this chapter, the hardness of solving the DLP in the groups of points on elliptic curves will be examined. In contrast to the finite field case, the methods for solving the ECDLP are well understood and have been rigorously tested.

6.1 Index Calculus for the ECDLP

One of the main arguments made by Miller [71] for the use of the group of points on an elliptic curve in cryptography as an alternative to the multiplicative group of a finite field is the improbability of the existence of a computationally feasible index calculus method for solving the ECDLP. The analogue of the index calculus methods to solve the DLP in a group of points on $E(\mathbb{F}_p)$, $G = \langle P \rangle$, is to lift E to a curve $\mathcal{E}$ defined over $\mathbb{Q}$ and then lift the points in G to points on $\mathcal{E}(\mathbb{Q})$. Once this has been done, the DLP can be solved efficiently [71]. There are a couple of issues with this method, outlined in [71]. The first is that $E(\mathbb{F}_p)$ needs to be lifted to a curve $\mathcal{E}(\mathbb{Q})$ with large rank and points with a “small” enough representation (bounded by a value polynomial in $\log(p)$), which is not achievable in practice [71, 92]. In the lucky case that an appropriate $\mathcal{E}(\mathbb{Q})$ is found another problem arises: there are many ways to lift points to $\mathcal{E}(\mathbb{Q})$, and finding the correct points for the index calculus algorithm to work is arguably a more complicated problem than the original ECDLP.

These issues are investigated in depth in [92], with the authors giving more evidence to support the claim of Miller in [71] that “... it is extremely unlikely that an ‘index calculus’ type attack on the elliptic curve method will ever be able to work.”

In [92] the authors show that computing a factor base for an index calculus method for the ECDLP is exponentially more difficult than for the finite field case. The main explanation given by the authors in [71, 92] for why the index calculus method is not a practical method in G, despite its success in the finite field case, is the ‘size’ of the elements of the factor base.

Using a finite field index calculus method, the elements of a factor base with v elements can be represented using $\leq \log(v)$ bits, whereas in the group G the factor base elements are significantly ‘larger’, around $v \log(v)$ bits in size [92].

In an effort to get around these problems, Silverman developed the Xedni calculus method [91]. The Xedni calculus method begins by lifting v points $P_1, \ldots, P_v$ from $E(\mathbb{F}_p)$ to points $Q_1, \ldots, Q_v$ with integer coefficients. Next an elliptic curve $\mathcal{E}/\mathbb{Q}$ which passes through all v points must be found such that $\mathcal{E}$ has minimal rank. The Xedni calculus method is thus the reverse process of the index calculus method, hence the name. If the points $Q_i$ happen to be dependent in the group $\mathcal{E}(\mathbb{Q})$ then the relationships between the points can be used to solve the ECDLP. The problem of finding points of small height in the index calculus method has been replaced by the very low probability of the points $Q_i$ being dependent; the experimental results of [91] show that the Xedni calculus is also impractical, and the analysis of [48] shows that the algorithm will almost certainly fail.

As there is currently no algorithm which can take into account the structure of the group G, the best known algorithms for computing discrete logarithms in groups of points on an elliptic curve are the generic methods, i.e. algorithms for computing discrete logarithms in any general group. Such algorithms have expected running time $O(\sqrt{|G|})$. There are a few well known square root methods: Baby-step Giant-step (also known as Shanks’ method), Pollard’s Kangaroo method (or Pollard’s Lambda method) and Pollard’s Rho method [4, 95].
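As an added illustration, not part of the thesis, the following Python implements the first of these generic methods, Baby-step Giant-step, on a constructed toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{1009}$ with base point (3, 6); the curve, the point and all function names are assumptions made for the example. It needs only an upper bound on |G| (the Hasse bound is used), stores about $\sqrt{|G|}$ points and performs about $2\sqrt{|G|}$ group operations, which is exactly the square-root cost that makes the generic methods infeasible at cryptographic group sizes.

```python
from math import isqrt

P_MOD, A, B = 1009, 2, 3   # constructed toy curve y^2 = x^3 + 2x + 3 over F_1009
INF = None                 # point at infinity, the group identity

def ec_add(P1, P2):
    """Affine chord-and-tangent addition on E(F_p)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    """Double-and-add scalar multiplication kP."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def bsgs(P, Q, bound):
    """Return k with kP = Q, given bound >= |<P>|, using about 2*sqrt(bound)
    group operations and sqrt(bound) stored points (brute force needs up to bound)."""
    m = isqrt(bound) + 1
    baby, R = {}, INF
    for j in range(m):                # baby steps: store jP for 0 <= j < m
        baby.setdefault(R, j)
        R = ec_add(R, P)
    neg_mP = ec_mul(m, (P[0], -P[1] % P_MOD))   # -mP, the giant step
    R = Q
    for i in range(m):                # giant steps: test whether Q - i*mP is a baby step
        if R in baby:
            return i * m + baby[R]
        R = ec_add(R, neg_mP)
    raise ValueError("Q is not in <P>")

def ecdlp(P, Q):
    """Solve Q = kP without knowing |G|: Hasse gives |E(F_p)| <= p + 1 + 2*sqrt(p)."""
    return bsgs(P, Q, P_MOD + 1 + 2 * isqrt(P_MOD) + 1)
```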