Expander Graphs, GRH, and the Elliptic Curve Discrete Logarithm (slide transcript)

1
Expander Graphs, GRH, and the Elliptic Curve
Discrete Logarithm
  • Stephen D. Miller
  • Rutgers University

Joint work with David Jao and Ramarathnam
Venkatesan (Microsoft Research, Cryptography and
Anti-Piracy Group)
http://www.math.rutgers.edu/~sdmiller
2
Brief Overview
  • Many cryptographic applications are based on the
    discrete logarithm.
  • Important example: DLOG on elliptic curves.
  • Is it always equally hard? Are there good
    curves and bad curves?
  • Main result: in some situations curves have
    equivalent difficulty.
  • Mathematical content: the proof/techniques use
  • Elliptic Curves
  • Expander Graphs
  • Modular Forms
  • L-functions
  • Generalized Riemann Hypothesis

3
Motivating Example: Microsoft Product Key
  • When Windows or Microsoft Office is installed,
    the user is required to enter a 25-digit
    alphanumeric anti-piracy code.
  • This code (key) must be short.
  • The computer must be able to quickly recognize
    whether or not this is a valid key, without
    giving away any clue as to how to manufacture
    additional valid keys.
  • Otherwise thieves would copy the software CDs and
    illegally resell them with new codes. Key = CA$H.
  • Future attacks will be faster. How can one keep
    the key short, yet still keep up with the
    attackers?
  • This requires new methods and cryptosystems.
    Serious mathematics involved in design.

4
Cryptography
  • Mathematical methods to hide information.
  • Based on the difficulty of some underlying
    mathematical problem.
  • Well-known problems include:
  • Pre-computer age: guessing keys, inverting ax ≡ b
    (mod n).
  • Factoring (RSA).
  • Discrete Logarithm.
  • Braid group conjugacy problem.
  • ... But a good problem is just the start:
    implementation matters, too!

5
Other factors
  • A good cryptosystem needs more than just a hard
    problem behind it.
  • It's rare to reduce the cryptosystem directly to
    the underlying problem; for example,
  • hypothetically RSA might be easier than
    factoring.
  • Some desired attributes:
  • Speed of encryption and decryption.
  • Use of a large state space without having to
    store it all.
  • Short keys (passwords).
  • Stability against foreseen attacks. Leave no
    trace.

6
Example of a difficult underlying problem
Discrete Logarithm on (Z/pZ)^×, p prime.
(Z/pZ)^× is abstractly isomorphic to Z/(p-1)Z.
This sequence appears to be fairly random.

[Figure: the map k → 2^k from Z/18Z to (Z/19Z)^×, tabulating the powers of 2 mod 19]
For example, p = 19: (Z/19Z)^× ≅ Z/18Z is generated
by powers of 2.
7
Example of a difficult underlying problem
Discrete Logarithm on (Z/pZ)^×, p prime.
Given p, y, and a generator g of (Z/pZ)^×, solve
g^x = y for x. (In other words, explicitly invert
the previous isomorphism.)
  • Difficult because the values of g^x are very
    scattered (mod p) as x varies.
  • Very important that p-1 have a large prime factor
    (otherwise one can use the Chinese remainder theorem
    to bootstrap from easier cases).
  • Methods exist which are much faster than simply
    guessing. Some use the structure of Z.
  • Possibly harder for more abstract incarnations of
    the same group. Different representations do not
    necessarily have equivalent DLOG problems.
  • Example: (Z/pZ)^× is abstractly isomorphic to
    Z/(p-1)Z.
  • DLOG is very easy on the cyclic groups
    Z/mZ:
  • can easily solve ax ≡ b (mod m) if a and m are
    relatively prime,
  • especially when the generator a is 1
    (tautological).

8
A cryptosystem using DLOG: Diffie-Hellman key
exchange
  • A method for two users to share a common
    password (without revealing it to the public).

[Diagram of the exchange]
Alice and Bob:
1. Agree on a group G and a generator g.
2. Alice picks an exponent x at random. Sends Bob g^x.
3. Bob picks an exponent y at random. Sends Alice g^y.
Evil Eavesdropper Eve sees g, g^x, g^y but cannot
compute g^xy without solving DLOG.
  • Both Alice and Bob have the common password (key)
    g^xy = (g^x)^y = (g^y)^x.
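As an added example (constructed for this transcript, not code from the slides or their authors), the following Python carries slides 6 through 8 through in code: the map k → g^k, the generator test via the prime factors of p-1, baby-step giant-step to invert the map, the Chinese-remainder bootstrap of slide 7 (the Pohlig-Hellman reduction, which is why p-1 needs a large prime factor), and a Diffie-Hellman exchange whose shared key Eve recovers because p-1 = 2^16 is smooth. Every modulus and exponent is a toy value chosen for the illustration.

```python
# Added example (not from the slides): slides 6-8 in code, toy sizes only.
from math import isqrt


def factor(n):
    """Trial-division factorisation of n as {prime: exponent} (toy sizes only)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def is_generator(g, p):
    """g generates (Z/pZ)^x iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factor(p - 1))


def powers_table(g, p):
    """The isomorphism Z/(p-1)Z -> (Z/pZ)^x, k -> g^k mod p, as a list indexed by k."""
    return [pow(g, k, p) for k in range(p - 1)]


def bsgs(g, y, p, order):
    """Baby-step giant-step: x in [0, order) with g^x = y (mod p), O(sqrt(order)) work."""
    m = isqrt(order) + 1
    baby, cur = {}, 1
    for j in range(m):                 # baby steps: g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)               # giant step multiplies by g^(-m)
    gamma = y
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % order
        gamma = gamma * step % p
    raise ValueError("y is not a power of g")


def pohlig_hellman(g, y, p):
    """
    DLOG in (Z/pZ)^x via the prime-power factors of p-1: solve in each subgroup of
    order q^e, then recombine with the Chinese remainder theorem. The cost is
    dominated by the largest prime factor of p-1, which is the slide's point.
    """
    n = p - 1
    x, M = 0, 1
    for q, e in factor(n).items():
        qe = q ** e
        g_q = pow(g, n // qe, p)       # projects g into the subgroup of order q^e
        y_q = pow(y, n // qe, p)
        r = bsgs(g_q, y_q, p, qe)      # x mod q^e
        t = ((r - x) * pow(M, -1, qe)) % qe   # CRT: lift x from mod M to mod M*qe
        x += M * t
        M *= qe
    return x % n


def diffie_hellman(p, g, x, y):
    """Alice sends A = g^x, Bob sends B = g^y; both derive g^xy. Eve sees (g, A, B)."""
    A, B = pow(g, x, p), pow(g, y, p)
    k_alice, k_bob = pow(B, x, p), pow(A, y, p)
    assert k_alice == k_bob
    return A, B, k_alice


def eve(p, g, A, B):
    """Eve recovers Alice's exponent from A = g^x and computes the shared key herself."""
    x = pohlig_hellman(g, A, p)
    return pow(B, x, p)


if __name__ == "__main__":
    print(is_generator(2, 19), powers_table(2, 19))
    print(pohlig_hellman(2, 13, 19))            # 5, since 2^5 = 32 = 13 (mod 19)
    p, g = 65537, 3                             # p-1 = 2^16 is smooth: Eve wins easily
    A, B, key = diffie_hellman(p, g, 12345, 54321)
    print(key == eve(p, g, A, B))
```

The same `eve` call against a prime of the form p = 2q + 1 with q a large prime would be stuck in a single `bsgs` of size √q, which is the whole reason slide 7 insists on a large prime factor of p-1.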

9
DLOG on other abstract groups?
  • Introduced because of subexponential attacks on
    DLOG over (Z/nZ)^×.
  • Idea: find an isomorphic group where the
    structure of the integers is not as apparent.
  • Also want computation to be efficient, e.g. by
    polynomial operations (rules out many abstract
    choices).
  • Elliptic Curves: the set of solutions to an
    equation of the form E: y^2 = x^3 + ax + b
    over a finite field satisfies these criteria.

10
What's an elliptic curve?
  • More or less, the solutions to an equation of the
    form
  • E: y^2 = x^3 + ax + b

But over what field? What are x and y?
Over C, E is isomorphic to C/Λ, where Λ is a
lattice ⊂ C (a torus).
In fact, the set of solutions always has an
abelian group law.
Number Theory: study solutions over F_p =
Z/pZ or more generally over F_q.
11
Brief History of Elliptic Curve Cryptography
  • Introduced by V. Miller and N. Koblitz circa
    1985.
  • Bit-for-bit gives very strong cryptography,
    compared to e.g. RSA.
  • RSA, EC, etc.: backbone of a $2 billion/year
    industry.
  • Drawbacks:
  • Elliptic curves are not well understood by
    mathematicians or cryptographers.
  • Perhaps the danger of hidden attacks
    outweighs the benefits of use (?).
  • Therefore it is crucial to understand various
    risks. Many mathematically interesting
    challenges remain.

12
How are elliptic curves selected?
Essentially, known pitfalls are avoided, with
limited understanding.
  • Unlike DLOG on (Z/nZ)^×, there can be many
    elliptic curves having the same order.
  • Elliptic curves over finite fields can be:
  • supersingular: have subexponential attacks;
  • ordinary: so far, no subexponential attacks.
  • Want #E(F_q) to be prime, or at least have a large
    prime factor. E(F_q) should be a cyclic group.

Are any other factors important?
13
Perhaps some curves are better than others?
  • Widely thought that ordinary curves are superior
    to supersingular curves.
  • National Institute of Standards and Technology
    (NIST): part of the US Department of Commerce.
  • Proposed a family of convenient curves to serve
    as standards for Elliptic Curve Cryptography.
  • Some users fear these curves are
    cryptographically weak.
  • How can the consumer know whether they have a good
    curve or not? Is my neighbor's stronger?

Settling this conspiracy theory is an important
practical question, no matter the outcome.
14
Example of a NIST curve
  • NIST P-192
  • Characteristic p = 6277101735386680763835789423207666416083908700390324961279
  • Elliptic curve E: y^2 = x^3 - 3x + 2455155546008943817740293915197451784769108058161191238065 over F_p
  • Number of points #E = 6277101735386680763835789423176059013767194773182842284081 (a prime)
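As an added example (constructed for this transcript, not code from the slides or from NIST), the following Python implements the group law of slides 9 and 10 on y^2 = x^3 + ax + b over F_p, counts the points of a constructed toy curve by brute force, and then runs on the P-192 numbers quoted on slide 14 the checks a curve-selection pipeline would run: the curve is non-singular, #E lies in the Hasse interval |#E - (p+1)| ≤ 2√p, #E is prime, and #E annihilates a random point. The last two together force the group order to be exactly #E: a random point killed by the prime n has order n, so n divides the true order, and the Hasse interval is too narrow to contain 2n. The slide does not give the P-192 base point, so a random point is used instead; p ≡ 3 (mod 4) makes square roots a single exponentiation.

```python
# Added example (not from the slides): EC arithmetic over F_p, a toy curve, and
# sanity checks on the P-192 parameters of slide 14. Toy curve (2, 3, 103) is constructed.
import random
from math import isqrt

INF = None  # the point at infinity, identity of E(F_p)


def on_curve(P, a, b, p):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def add(P, Q, a, p):
    """Chord-and-tangent addition on E: y^2 = x^3 + ax + b over F_p."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:   # Q = -P, including doubling a 2-torsion point
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, P, a, p):
    """Double-and-add scalar multiplication k*P."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R


def enumerate_points(a, b, p):
    """E(F_p) by brute force: INF plus every (x, y) on the curve (small p only)."""
    return [INF] + [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, b, p)]


def random_point(a, b, p):
    """Random point of E(F_p) for p = 3 (mod 4): sqrt(r) = r^((p+1)/4) when r is a square."""
    assert p % 4 == 3
    while True:
        x = random.randrange(p)
        rhs = (x ** 3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_curve(a, b, p, n):
    """Non-singular, n in the Hasse interval, n prime, and n*P = INF for a random P."""
    return {
        "nonsingular": (4 * a ** 3 + 27 * b * b) % p != 0,
        "hasse": (n - (p + 1)) ** 2 <= 4 * p,
        "prime_order": is_probable_prime(n),
        "n_annihilates": mul(n, random_point(a, b, p), a, p) is INF,
    }


# NIST P-192 as quoted on slide 14: y^2 = x^3 - 3x + b over F_p, #E = n.
P192_P = 6277101735386680763835789423207666416083908700390324961279
P192_B = 2455155546008943817740293915197451784769108058161191238065
P192_N = 6277101735386680763835789423176059013767194773182842284081

if __name__ == "__main__":
    pts = enumerate_points(2, 3, 103)
    print(len(pts), all(mul(len(pts), P, 2, 103) is INF for P in pts))
    print(check_curve(-3, P192_B, P192_P, P192_N))
```

The brute-force count is only for curves small enough to enumerate; for P-192 sizes the order is what a published parameter set asserts and what `check_curve` verifies rather than computes, which is exactly the consumer's position described on slide 13.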

15
Important Notion Isogeny Class
  • An isogeny is a nontrivial algebraic map between
    two elliptic curves. It is a group
    homomorphism. Examples:
  • Map any E to itself by z → 2z
    (called an endomorphism).
  • Map C/Z[i] → C/Z[2i] by z → 2z.
  • Map C/Z[i] → C/Z[i] by z → iz
    (called complex multiplication, CM).
  • Tate's Isogeny Theorem: two elliptic curves over
    F_q with the same number of points are isogenous
    over F_q (isogenies exist between them in both
    directions).
  • Related to commensurability.
  • Isogenies give an explicit reduction between DLOG
    on different curves if they each have the same
    prime number of points. (Identical cyclic
    groups.)
  • So because of Tate's theorem, the selection
    problem can be reinterpreted: is the isogeny class a
    fine enough invariant for curve selection? Or is
    more needed?

16
Notions of Level, Conductor (technical)
  • Given an elliptic curve E over F_q, let End(E)
    denote the endomorphisms of E
  • (= isogenies E → E, together with the trivial, zero map)
  • which are defined over the algebraic closure of
    F_q.
  • For an ordinary elliptic curve, End(E) is an
    order in some imaginary quadratic number field K =
    Q(√-d).
  • This field K is an invariant of the isogeny class
    (called the Complex Multiplication field).
  • Orders are always of the form O_D = Z + cO_K, where
    O_K is the ring of algebraic integers in K
    (solutions to monic integral polynomials).
  • The discriminant of the order O_D is related to
    the discriminant d of K by D = c^2 d. Curves for
    a given constant value of c form levels.
  • Isogenies can therefore be of two forms:
  • they can preserve D (horizontal),
  • or they can change D (vertical).
  • Supersingular curves all lie on the same level
    (by definition), so this is really an issue
    pertaining to ordinary curves.

[Figure: levels of curves]
17
Statement of Theorem
  • Jao, Miller, Venkatesan (2004): Assuming the
    Generalized Riemann Hypothesis (GRH), the DLOG
    problem on isogenous elliptic curves is random
    reducible in the following sense:

Given any algorithm A that solves DLOG on some
ε-fraction of curves in a level, one can
probabilistically solve DLOG on any curve in the
same level with polylog(q)/ε queries to A on
random inputs.
Without assuming GRH, but only the weaker Lindelöf
hypothesis: subexponentially many queries
instead of polynomially many.
18
Applications to NIST Curves
  • All NIST and IPSec international standard
    elliptic curves have c_max = 1
  • (except NIST P-256, which has c_max = 3)
  • (and the NIST K family of Koblitz curves,
    which a priori have large c_max).

c_max is a measure of how hard it is to reduce
DLOG on a curve to other curves over Fq which
have the same number of points. Since it is
small, this means that the NIST and IPSec curves
(aside from the K curves) lie on the simplest
levels. Their DLOG problems are therefore random
reducible to all other typical curves on those
levels. Hence their DLOGs are no easier or
harder than those for typical curves. No
Conspiracy.
19
Method of proof uses Isogeny Graphs
  • Low degree isogenies between elliptic curves
    provide explicit polynomial time reductions
    between the curves they connect.
  • An isogeny graph is a graph whose vertices
    represent all the elliptic curves on a given
    level, and whose edges represent low degree
    isogenies (of degree up to (log q)^{2+ε}, ε > 0).
  • Mixing Hypothesis: suppose that the random walk
    on this graph mixes rapidly (i.e. after
    polylog(q) steps one reaches any vertex with
    uniform probability up to a small error). This is
    proven using GRH.
  • Then by computing random low degree isogenies,
    DLOG can be explicitly reduced between any two
    curves on that level.
  • Therefore DLOG has uniform difficulty on this
    level (assuming the Mixing Hypothesis).

[Figure: various elliptic curves on the same level;
arrows represent equivalences between DLOG on
different curves]
20
Application: generating random isogenies,
studying mixing
  • These applications of GRH and expander graphs are
    used in estimating the security of the upcoming
    Windows Longhorn product key algorithm (2006).
  • Also, solidifies earlier heuristic cryptographic
    arguments which relied upon rapid mixing of the
    random walk (Kohel, Galbraith et al).

21
Brief Review of Graph Theory
  • Definitions: A graph Γ is a collection of
    vertices V, and (undirected) edges E connecting
    the vertices.
  • A k-regular graph has exactly k edges meeting at
    each vertex.
  • Adjacency operator A on L^2(V) sums the
    function over the neighbors of each vertex
    (dividing by k would make it an average):
  • A f(x) = Σ_{y ~ x} f(y)
  • The constant functions on V are eigenfunctions
    with the trivial eigenvalue λ = k.

22
Expander Graphs
  • Graphs for which the random walk mixes rapidly
    (uniformly distributed up to small error).
    Assume degree k is relatively small compared to
    the size of the graph |V| -- e.g. k =
    (log |V|)^power.
  • If all nontrivial eigenvalues of A satisfy
  • |λ| < k - 1/(log k)^r
  • for some r, then the random walk mixes in (log
    k)^{r+1} steps. Can serve as definition of
    expander.
  • Optimal bound is |λ| ≤ 2(k-1)^{1/2}, known as the
    Ramanujan bound.
  • Isogeny graphs are close to being Ramanujan
    graphs:
  • can have λ = O(k^{1/2+ε}).

23
Brief History of Expander Graphs
  • Originally shown to exist by counting methods
    (Pinsker): there are far more graphs than there
    are non-expander graphs.
  • Margulis (70s, 80s), Lubotzky-Phillips-Sarnak
    (1986) give the first explicit constructions.
  • LPS Ramanujan graphs use the (known) Ramanujan
    conjectures in their proof. The Ramanujan
    conjectures in number theory are a statement
    about optimal cancellation in random sums.
  • Other constructions: Reingold-Vadhan-Wigderson
    zig-zag product, algebraic geometry. Have algebraic
    flavor.

24
The Isogeny Graphs are Expanders
  • Supersingular case: essentially already observed
    by Ihara, Mestre, and Pizer. Relies on the (known)
    Ramanujan conjectures as well, and on properties of
    Brandt matrices.
  • Ordinary case (JMV): the construction of isogeny
    graphs is a new method of constructing expanders
    with small degree k = (log |V|)^power. Relies
    conditionally on the (unproven) Generalized
    Riemann Hypothesis (GRH).

25
GRH Graphs
New, conditional construction of expander graphs.
  • Let Q be a large integer.
  • Let S = {primes p < (log Q)^B, p ∤ Q}, for B > 2.
  • Define the graph Γ to have
  • vertices V = (Z/QZ)^×,
  • edges connecting v to pv, for each v ∈ V and p ∈
    S.
  • (Γ is the Cayley graph of the group (Z/QZ)^× with
    respect to the generating set S.)
  • Theorem: Assuming GRH, Γ is an expander: its
    nontrivial eigenvalues satisfy the bound
  • λ = O(k^{1/2 + 1/B}).
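As an added example (constructed for this transcript, not code from the slides or their authors), the following Python builds the GRH graph of slide 25 for a small prime Q, computes the full adjacency spectrum of slide 21, compares the second-largest eigenvalue with the Ramanujan bound 2√(k-1) and the O(k^{1/2+1/B}) bound of the theorem, and measures how fast the random walk of slide 22 approaches uniform. Taking Q prime is an assumption made here so that (Z/QZ)^× is cyclic: the eigenfunctions of an abelian Cayley graph are the group characters, so each eigenvalue is the character sum Σ_{s∈S} χ(s) and no matrix diagonalisation is needed. S is closed under inversion mod Q so the graph is undirected and k = |S|-regular. Q = 2003 and B = 2.2 are constructed toy values; the slide only asks for B > 2.

```python
# Added example (not from the slides): the Cayley graph of (Z/QZ)^x on small primes,
# its spectrum via character sums, and random-walk mixing. Q = 2003, B = 2.2 are toy values.
import cmath
import math


def small_primes(limit):
    """Primes <= limit by sieve."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


def generating_set(Q, B):
    """S = {primes p < (log Q)^B, p not dividing Q} plus their inverses mod Q,
    so the Cayley graph is undirected and k-regular with k = len(S)."""
    bound = math.log(Q) ** B
    S = [p for p in small_primes(int(bound)) if p < bound and Q % p != 0]
    return S + [pow(p, -1, Q) for p in S]


def primitive_root(Q):
    """Smallest generator of the cyclic group (Z/QZ)^x, Q prime (toy sizes)."""
    n = Q - 1
    qs = [q for q in small_primes(n) if n % q == 0]
    return next(g for g in range(2, Q) if all(pow(g, n // q, Q) != 1 for q in qs))


def spectrum(Q, S):
    """
    Adjacency eigenvalues of the Cayley graph of (Z/QZ)^x w.r.t. S, Q prime.
    The characters chi_j(g^k) = exp(2 pi i jk/(Q-1)) are the eigenfunctions and
    lambda_j = sum_{s in S} chi_j(s). Sorted by |lambda|, largest first, so the
    trivial eigenvalue k comes first and expansion is governed by the second.
    """
    n, g = Q - 1, primitive_root(Q)
    dlog, v = {}, 1
    for k in range(n):                          # discrete-log table base g
        dlog[v] = k
        v = v * g % Q
    logs = [dlog[s] for s in S]
    eig = []
    for idx in range(n):
        lam = sum(cmath.exp(1j * 2 * math.pi * idx * k / n) for k in logs)
        eig.append(lam.real)                    # S is inverse-closed, so the sum is real
    return sorted(eig, key=abs, reverse=True)


def expansion_report(Q, B):
    S = generating_set(Q, B)
    k = len(S)
    eig = spectrum(Q, S)
    second = abs(eig[1])
    return {"k": k, "trivial": round(eig[0]), "second": second,
            "ramanujan_bound": 2 * math.sqrt(k - 1),
            "slide_bound_ratio": second / k ** (0.5 + 1 / B)}   # vs O(k^(1/2+1/B))


def walk_distance(Q, S, steps):
    """Total-variation distance from uniform of the simple random walk started at 1."""
    units = range(1, Q)                          # Q prime: every nonzero residue is a unit
    dist = {v: 0.0 for v in units}
    dist[1] = 1.0
    k = len(S)
    for _ in range(steps):
        nxt = {v: 0.0 for v in units}
        for v, m in dist.items():
            if m:
                for s in S:
                    nxt[v * s % Q] += m / k
        dist = nxt
    return 0.5 * sum(abs(m - 1 / (Q - 1)) for m in dist.values())


if __name__ == "__main__":
    Q, B = 2003, 2.2
    S = generating_set(Q, B)
    print(expansion_report(Q, B))
    for t in (1, 2, 4, 8, 16):
        print(t, walk_distance(Q, S, t))
```

The printed `second` is what the theorem bounds; the walk's total-variation distance decays roughly like (second/k)^t, which is the concrete content of "mixes in polylog steps". Replacing `Q` by a composite would need the full character group of (Z/QZ)^×, and replacing the unit group by an isogeny level would need explicit isogeny computation, so this block stops at the GRH-graph case.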

26
Conclusions (Assuming GRH)
  • DLOG has roughly equivalent difficulty on
    elliptic curves over Fq whose endomorphism rings
    are comparable in size.
  • There is a random polynomial time reduction
    (equivalence) between the DLOG problems on such
    elliptic curves.
  • NIST and IPSec international standard curves
    were not chosen so as to foist cryptographically
    weak curves upon an unsuspecting public.
  • Method gives a new elementary construction of
    expander graphs.