Uploaded byntheriau
PDF, PPTX401 views

ECC 2006

The document discusses the analysis of algorithms for solving the discrete logarithm problem on elliptic curves and hyperelliptic curves of higher genus. It notes that while Pollard's Rho algorithm is commonly used, index calculus algorithms may be faster for genus greater than 2. The document aims to more precisely analyze the constants involved in index calculus running times, as the impact of these constants is significant but not well understood. It presents analysis of the single large prime index calculus algorithm, finding an expression for its minimum running time in terms of unknown constants related to the random walk and linear algebra portions. Determining these constants is necessary for a precise security comparison between elliptic and hyperelliptic curves.

Embed presentation

Download as PDF, PPTX
Towards an exact cost analysis of index-calculus algorithms ECC 2006 Nicolas Thériault ntheriau@fields.utoronto.ca Fields Institute Work in progress with Roberto Avanzi
Elliptic Curve DLP For an elliptic curve E(Fq ), the fastest known method to ˜ solve the discrete logarithm problem is Pollard’s Rho algorithm, which takes an expected √ π +ǫ group order group operations. 2 [⇐] – p.1
Elliptic Curve DLP For an elliptic curve E(Fq ), the fastest known method to ˜ solve the discrete logarithm problem is Pollard’s Rho algorithm, which takes an expected √ π +ǫ group order group operations. 2 If ℓ is the largest prime divisor of the group order, this √ means ≈ 0.8862 ℓ group operations (Pohlig–Hellman). [⇐] – p.1
Elliptic Curve DLP For an elliptic curve E(Fq ), the fastest known method to ˜ solve the discrete logarithm problem is Pollard’s Rho algorithm, which takes an expected √ π +ǫ group order group operations. 2 If ℓ is the largest prime divisor of the group order, this √ means ≈ 0.8862 ℓ group operations (Pohlig–Hellman). √ √ π This is often stated as O( q ), hiding the constant ˜ 2 (assuming a group of prime order). [⇐] – p.1
Genus 2 HEC DLP For a hyperelliptic curves H of genus 2 defined over the field Fq , the fastest known method to solve the discrete log is still Pollard Rho, which is often stated as O(q). [⇐] – p.2
Genus 2 HEC DLP For a hyperelliptic curves H of genus 2 defined over the field Fq , the fastest known method to solve the discrete log is still Pollard Rho, which is often stated as O(q). To get the same security as an elliptic curve over Fq , we ask ˜ that q has half the number of bits as q (abusing notation, ˜ √ we ask that O( q ) = O(q)). ˜ We then compare the efficiency of Jac(H)(Fq ) with E(Fq ). ˜ [⇐] – p.2
Genus 2 HEC DLP For a hyperelliptic curves H of genus 2 defined over the field Fq , the fastest known method to solve the discrete log is still Pollard Rho, which is often stated as O(q). To get the same security as an elliptic curve over Fq , we ask ˜ that q has half the number of bits as q (abusing notation, ˜ √ we ask that O( q ) = O(q)). ˜ We then compare the efficiency of Jac(H)(Fq ) with E(Fq ). ˜ Since the security of both group depends on the same algorithm, the hidden constants are the same, so we might expect a fair comparison. [⇐] – p.2
Group Operations But we are making a very big assumption: the group operations have the same cost when we attack the DLP as they have in the scalar multiplication. [⇐] – p.3
Group Operations But we are making a very big assumption: the group operations have the same cost when we attack the DLP as they have in the scalar multiplication. This might not be true! The fastest algorithm to do the group operation for the scalar multiplication might not the the best choice for Pollard Rho (Montgomery’s trick for inversion, etc). [⇐] – p.3
Group Operations But we are making a very big assumption: the group operations have the same cost when we attack the DLP as they have in the scalar multiplication. This might not be true! The fastest algorithm to do the group operation for the scalar multiplication might not the the best choice for Pollard Rho (Montgomery’s trick for inversion, etc). We need to take into account the difference in the cost of the group operations. Convention: We define the average group operation as the average cost per group operation in a NAF. [⇐] – p.3
Genus 1 vs Genus 2 In characteristic 2, we find ≈ 0.5653 q ˜ for E(Fq ) of order 2 · prime at 157 bits, and at 223 bits: ˜ ≈ 0.5625 q . ˜ [⇐] – p.4
Genus 1 vs Genus 2 In characteristic 2, we find ≈ 0.5653 q ˜ for E(Fq ) of order 2 · prime at 157 bits, and at 223 bits: ˜ ≈ 0.5625 q . ˜ For genus 2, we find √ ≈ 0.5283 q for Jac(H)(Fq ) of order 2 · prime at 79 bits and at 109 bits: √ ≈ 0.5348 q . [⇐] – p.4
Genus g When we look at hyperelliptic curves H of genus g > 2 (but not too large) over Fq , asymptotically, Pollard Rho is not the fastest method to solve the discrete log, index calculus is. [⇐] – p.5
Genus g When we look at hyperelliptic curves H of genus g > 2 (but not too large) over Fq , asymptotically, Pollard Rho is not the fastest method to solve the discrete log, index calculus is. Different versions of index calculus have different running times, for example: 2 2− g +ǫ O q for the double large prime method (2LP) [⇐] – p.5
Genus g When we look at hyperelliptic curves H of genus g > 2 (but not too large) over Fq , asymptotically, Pollard Rho is not the fastest method to solve the discrete log, index calculus is. Different versions of index calculus have different running times, for example: 2 2− g +ǫ O q for the double large prime method (2LP), and 2 2− g+1/2 +ǫ O q for the single large prime method (1LP). [⇐] – p.5
Problems It is very difficult to obtain a fair comparison with ECC if we only know the asymptotic form. We could be dealing with constants 1000, 7.23, 0.002, etc, and these constants could change from one method to the other (and in fact they do). [⇐] – p.6
Problems It is very difficult to obtain a fair comparison with ECC if we only know the asymptotic form. We could be dealing with constants 1000, 7.23, 0.002, etc, and these constants could change from one method to the other (and in fact they do). The impact of index calculus at cryptographic sizes depends a lot on the value of the constant. The smaller the constants are, the lower the security of Jac(H)(Fq ) really is. If the constant is too large Pollard Rho could still be the fastest method to solve the DLP. [⇐] – p.6
Problems It is very difficult to obtain a fair comparison with ECC if we only know the asymptotic form. We could be dealing with constants 1000, 7.23, 0.002, etc, and these constants could change from one method to the other (and in fact they do). The impact of index calculus at cryptographic sizes depends a lot on the value of the constant. The smaller the constants are, the lower the security of Jac(H)(Fq ) really is. If the constant is too large Pollard Rho could still be the fastest method to solve the DLP. Index calculus does not exclude security, but it could exclude efficiency! [⇐] – p.6
Problems Index calculus should be nicer to analyze: the standard deviation of the running time is tiny when compared with the expected value (by an order of magnitude). In comparison, for Pollard Rho we have a standard deviation of almost 1/2 of the expected value. [⇐] – p.7
Problems Index calculus should be nicer to analyze: the standard deviation of the running time is tiny when compared with the expected value (by an order of magnitude). In comparison, for Pollard Rho we have a standard deviation of almost 1/2 of the expected value. But there is currently no detailed analysis of the constant for index calculus available in literature: [⇐] – p.7
Problems Index calculus should be nicer to analyze: the standard deviation of the running time is tiny when compared with the expected value (by an order of magnitude). In comparison, for Pollard Rho we have a standard deviation of almost 1/2 of the expected value. But there is currently no detailed analysis of the constant for index calculus available in literature: The algorithm is more complicated Not all costs involved are group operations [⇐] – p.7
Problems Index calculus should be nicer to analyze: the standard deviation of the running time is tiny when compared with the expected value (by an order of magnitude). In comparison, for Pollard Rho we have a standard deviation of almost 1/2 of the expected value. But there is currently no detailed analysis of the constant for index calculus available in literature: The algorithm is more complicated Not all costs involved are group operations We haven’t finished writing it up... [⇐] – p.7
1LP vs 2LP Asymptotically, the 2LP method is faster than the 1LP 1/(g 2 +g/2)+ǫ method by a factor of O(q ). [⇐] – p.8
1LP vs 2LP Asymptotically, the 2LP method is faster than the 1LP 1/(g 2 +g/2)+ǫ method by a factor of O(q ). But: Even rough estimates give a bigger constant for 2LP. The analysis is tighter for 1LP. For genus ≥ 4, 1LP could win. [⇐] – p.8
1LP vs 2LP Asymptotically, the 2LP method is faster than the 1LP 1/(g 2 +g/2)+ǫ method by a factor of O(q ). But: Even rough estimates give a bigger constant for 2LP. The analysis is tighter for 1LP. For genus ≥ 4, 1LP could win. At cryptographic sizes, some of the approximations used to obtain the asymptotic form have a big impact on the constant. One improvement does not apply to 2LP (so far). [⇐] – p.8
Analysis of 1LP To simplify notation on the slides, we let g = 4. [⇐] – p.9
Analysis of 1LP To simplify notation on the slides, we let g = 4. The cost of the single large prime index calculus is dominated by two things: The random Walk (to find 1-almost-smooth divisors) The Linear algebra solver (find a vector of the kernel) [⇐] – p.9
Analysis of 1LP To simplify notation on the slides, we let g = 4. The cost of the single large prime index calculus is dominated by two things: The random Walk (to find 1-almost-smooth divisors) The Linear algebra solver (find a vector of the kernel) which gives, for a factor base of size B: √ −5/2 7/2 3 2 T (B) = (1 + ǫ) cW · 3 2B q + cL · B 2 [⇐] – p.9
Analysis of 1LP To simplify notation on the slides, we let g = 4. The cost of the single large prime index calculus is dominated by two things: The random Walk (to find 1-almost-smooth divisors) The Linear algebra solver (find a vector of the kernel) which gives, for a factor base of size B: √ −5/2 7/2 3 2 T (B) = (1 + ǫ) cW · 3 2B q + cL · B 2 All other parts of the algorithm can be put in the +ǫ (so we ignore them). [⇐] – p.9
Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). [⇐] – p.10
Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 [⇐] – p.10
Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... [⇐] – p.10
Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... To improve the running time, we can: [⇐] – p.10
Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... To improve the running time, we can: 1. Improve cL [⇐] – p.10
Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... To improve the running time, we can: 1. Improve cL 2. Improve cW [⇐] – p.10
Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... To improve the running time, we can: 1. Improve cL 2. Improve cW 3. Introduce a new factor [⇐] – p.10
Linear Algebra Almost-all smooth relations involve 6 points. The density of the matrix is very low, Wiedemann is faster than Lanczos. [⇐] – p.11
Linear Algebra Almost-all smooth relations involve 6 points. The density of the matrix is very low, Wiedemann is faster than Lanczos. All entries are ±1. If some ±2 appear in the system (around O(9) times), they are done as two ±1. We use Horner’s trick to evaluate p(M )x. (no multiplications!) [⇐] – p.11
Linear Algebra Almost-all smooth relations involve 6 points. The density of the matrix is very low, Wiedemann is faster than Lanczos. All entries are ±1. If some ±2 appear in the system (around O(9) times), they are done as two ±1. We use Horner’s trick to evaluate p(M )x. (no multiplications!) cL is the cost of all the operations associated to one matrix entry for three matrix–vector multiplications. Berlekamp–Massey can be done in sub-quadratic time, so we ignore that cost (for now). [⇐] – p.11
Linear Algebra Almost-all smooth relations involve 6 points. The density of the matrix is very low, Wiedemann is faster than Lanczos. All entries are ±1. If some ±2 appear in the system (around O(9) times), they are done as two ±1. We use Horner’s trick to evaluate p(M )x. (no multiplications!) cL is the cost of all the operations associated to one matrix entry for three matrix–vector multiplications. Berlekamp–Massey can be done in sub-quadratic time, so we ignore that cost (for now). To reduce cL , we need block Wiedemann (in progress). [⇐] – p.11
Filtering Filtering in the Number Field Sieve: Remove equations and variables that do not contribute to the kernel Columns of zeros (variables not in use). Singletons (variables appearing only in one equation). Removing superfluous equations. [⇐] – p.12
Filtering Filtering in the Number Field Sieve: Remove equations and variables that do not contribute to the kernel Columns of zeros (variables not in use). Singletons (variables appearing only in one equation). Removing superfluous equations. Merging (preprocessing): if a variable appears in very few equations (2, 3, maybe 4) we can use one of the equations to cancel the variable from the system. [⇐] – p.12
Filtering Filtering in the Number Field Sieve: Remove equations and variables that do not contribute to the kernel Columns of zeros (variables not in use). Singletons (variables appearing only in one equation). Removing superfluous equations. Merging (preprocessing): if a variable appears in very few equations (2, 3, maybe 4) we can use one of the equations to cancel the variable from the system. Very limited impact for HEC index calculus. In progress... [⇐] – p.12
Extended Filtering The impact of filtering is quite limited for our systems. We decided to extend the idea: [⇐] – p.13
Extended Filtering The impact of filtering is quite limited for our systems. We decided to extend the idea: We find many more equations (smooth relations) than the number of variables (elements of the factor base) For a subset of the variables, we might be able to remove all the equations containing those variables. The filtered system can be much smaller than the original system. [⇐] – p.13
Extended Filtering The impact of filtering is quite limited for our systems. We decided to extend the idea: We find many more equations (smooth relations) than the number of variables (elements of the factor base) For a subset of the variables, we might be able to remove all the equations containing those variables. The filtered system can be much smaller than the original system. Finding the smallest consistent set of variables and equations is most likely NP-hard. A good approximation can be found in linear time. [⇐] – p.13
Extended Filtering The impact of filtering is quite limited for our systems. We decided to extend the idea: We find many more equations (smooth relations) than the number of variables (elements of the factor base) For a subset of the variables, we might be able to remove all the equations containing those variables. The filtered system can be much smaller than the original system. Finding the smallest consistent set of variables and equations is most likely NP-hard. A good approximation can be found in linear time. The result: Harvesting! [⇐] – p.13
Harvesting Assume that we find k times as many equations as variables, and let p(k) be the proportion of the factor base left after harvesting. [⇐] – p.14
Harvesting Assume that we find k times as many equations as variables, and let p(k) be the proportion of the factor base left after harvesting. If k is not too big, we get √ √ −5/2 7/2 3 Tk (B) = cW · 3 2 kB q + cL · p(k)2 B 2 2 and the minimal value is 27/9 54/9 5/9 4/9 5 2/9 14/9 Tk,min = 3 5/9 + 11/9 cL cW kp(k) q 5 2 [⇐] – p.14
Harvesting Assume that we find k times as many equations as variables, and let p(k) be the proportion of the factor base left after harvesting. If k is not too big, we get √ √ −5/2 7/2 3 Tk (B) = cW · 3 2 kB q + cL · p(k)2 B 2 2 and the minimal value is 27/9 54/9 5/9 4/9 5 2/9 14/9 Tk,min = 3 5/9 + 11/9 cL cW kp(k) q 5 2 The good news: f (k) = kp(k)5 is strictly decreasing. [⇐] – p.14
Harvesting Assume that we find k times as many equations as variables, and let p(k) be the proportion of the factor base left after harvesting. If k is not too big, we get √ √ −5/2 7/2 3 Tk (B) = cW · 3 2 kB q + cL · p(k)2 B 2 2 and the minimal value is 27/9 54/9 5/9 4/9 5 2/9 14/9 Tk,min = 3 5/9 + 11/9 cL cW kp(k) q 5 2 The good news: f (k) = kp(k)5 is strictly decreasing. The bad news: hard to analyze and decreases slowly. [⇐] – p.14
Harvesting To simplify, we will only use k = 4. [⇐] – p.15
Harvesting To simplify, we will only use k = 4. For q = 253 , we have some interference due to the field size, and we need to increase k by 3.29% in the random walk side, giving us ˜ f (4)2/9 = (4 · 1.0329 · p(4)5 )2/9 ≈ 0.7142 For q = 273 , the interference is close to 0, and we are very close to f (4)2/9 ≈ 0.7090 [⇐] – p.15
Harvesting To simplify, we will only use k = 4. For q = 253 , we have some interference due to the field size, and we need to increase k by 3.29% in the random walk side, giving us ˜ f (4)2/9 = (4 · 1.0329 · p(4)5 )2/9 ≈ 0.7142 For q = 273 , the interference is close to 0, and we are very close to f (4)2/9 ≈ 0.7090 We get a time-memory trade-off. Harvesting has a similar impact on 0LP, but we don’t know how to predict the impact on 2LP. [⇐] – p.15
Random Walk For index calculus, the goal of the random walk is very different from its goal in Pollard Rho: 1. Index calculus only cares about the factorization of group elements, not how we get to them (or where we would go afterwards). [⇐] – p.16
Random Walk For index calculus, the goal of the random walk is very different from its goal in Pollard Rho: 1. Index calculus only cares about the factorization of group elements, not how we get to them (or where we would go afterwards). 2. At each divisor considered, we have to see if it splits completely over Fq . 3. If a divisor splits (1 : 24), we have to factor it and see if it is smooth, 1-almost-smooth, etc. [⇐] – p.16
Random Walk For index calculus, the goal of the random walk is very different from its goal in Pollard Rho: 1. Index calculus only cares about the factorization of group elements, not how we get to them (or where we would go afterwards). 2. At each divisor considered, we have to see if it splits completely over Fq . 3. If a divisor splits (1 : 24), we have to factor it and see if it is smooth, 1-almost-smooth, etc. Point 1 will affect how we do the random walk. [⇐] – p.16
Random Walk For index calculus, the goal of the random walk is very different from its goal in Pollard Rho: 1. Index calculus only cares about the factorization of group elements, not how we get to them (or where we would go afterwards). 2. At each divisor considered, we have to see if it splits completely over Fq . 3. If a divisor splits (1 : 24), we have to factor it and see if it is smooth, 1-almost-smooth, etc. Point 1 will affect how we do the random walk. Point 2 and 3 have a huge impact on cW , and they depend on algorithms to factor polynomials. [⇐] – p.16
Random Walk D [⇐] – p.17
Random Walk add D + D1 D + D2 D D + D3 D + D4 [⇐] – p.17
Random Walk add sub D + D1 D − D1 D + D2 D − D2 D D + D3 D − D3 D + D4 D − D4 [⇐] – p.17
Random Walk add ×2 sub D + D1 2(D + D1 ) D − D1 2(D − D1 ) D + D2 2(D + D2 ) D − D2 2(D − D2 ) D D + D3 2(D + D3 ) D − D3 2(D − D3 ) D + D4 2(D + D4 ) D − D4 2(D − D4 ) [⇐] – p.17
Random Walk add ×2 ×2 sub D + D1 2(D + D1 ) 4(D + D1 ) D − D1 2(D − D1 ) 4(D − D1 ) D + D2 2(D + D2 ) 4(D + D2 ) D − D2 2(D − D2 ) 4(D − D2 ) D D + D3 2(D + D3 ) 4(D + D3 ) D − D3 2(D − D3 ) 4(D − D3 ) D + D4 2(D + D4 ) 4(D + D4 ) D − D4 2(D − D4 ) 4(D − D4 ) [⇐] – p.17
Random Walk add ×2 ×2 ×2 sub D + D1 2(D + D1 ) ··· 16(D + D1 ) D − D1 2(D − D1 ) ··· 16(D − D1 ) D + D2 2(D + D2 ) ··· 16(D + D2 ) D − D2 2(D − D2 ) ··· 16(D − D2 ) D D + D3 2(D + D3 ) ··· 16(D + D3 ) D − D3 2(D − D3 ) ··· 16(D − D3 ) D + D4 2(D + D4 ) ··· 16(D + D4 ) D − D4 2(D − D4 ) ··· 16(D − D4 ) [⇐] – p.17
Random Walk add add ×2 ×2 ×2 sub sub D + D1 2(D + D1 ) ··· 16(D + D1 ) D ′ + D1 D − D1 2(D − D1 ) ··· 16(D − D1 ) D ′ − D1 D + D2 2(D + D2 ) ··· 16(D + D2 ) D ′ + D2 D − D2 2(D − D2 ) ··· 16(D − D2 ) D ′ − D2 D D + D3 2(D + D3 ) ··· 16(D + D3 ) D ′ + D3 D − D3 2(D − D3 ) ··· 16(D − D3 ) D ′ − D3 D + D4 2(D + D4 ) ··· 16(D + D4 ) =: D′ D ′ + D4 D − D4 2(D − D4 ) ··· 16(D − D4 ) D ′ − D4 [⇐] – p.17
Random Walk add add ×2 ×2 ×2 sub sub D + D1 2(D + D1 ) ··· 16(D + D1 ) D ′ + D1 D − D1 2(D − D1 ) ··· 16(D − D1 ) D ′ − D1 D + D2 2(D + D2 ) ··· 16(D + D2 ) =: D′ D ′ + D2 D − D2 2(D − D2 ) ··· 16(D − D2 ) D ′ − D2 D D + D3 2(D + D3 ) ··· 16(D + D3 ) D ′ + D3 D − D3 2(D − D3 ) ··· 16(D − D3 ) D ′ − D3 D + D4 2(D + D4 ) ··· 16(D + D4 ) D ′ + D4 D − D4 2(D − D4 ) ··· 16(D − D4 ) D ′ − D4 [⇐] – p.17
Random Walk add add ×2 ×2 ×2 sub sub D + D1 2(D + D1 ) ··· 16(D + D1 ) D ′ + D1 D − D1 2(D − D1 ) ··· 16(D − D1 ) D ′ − D1 D + D2 2(D + D2 ) ··· 16(D + D2 ) D ′ + D2 D − D2 2(D − D2 ) ··· 16(D − D2 ) D ′ − D2 D D + D3 2(D + D3 ) ··· 16(D + D3 ) =: D′ D ′ + D3 D − D3 2(D − D3 ) ··· 16(D − D3 ) D ′ − D3 D + D4 2(D + D4 ) ··· 16(D + D4 ) D ′ + D4 D − D4 2(D − D4 ) ··· 16(D − D4 ) D ′ − D4 [⇐] – p.17
Random Walk add add ×2 ×2 ×2 sub sub D + D1 2(D + D1 ) ··· 16(D + D1 ) =: D′ D ′ + D1 D − D1 2(D − D1 ) ··· 16(D − D1 ) D ′ − D1 D + D2 2(D + D2 ) ··· 16(D + D2 ) D ′ + D2 D − D2 2(D − D2 ) ··· 16(D − D2 ) D ′ − D2 D D + D3 2(D + D3 ) ··· 16(D + D3 ) D ′ + D3 D − D3 2(D − D3 ) ··· 16(D − D3 ) D ′ − D3 D + D4 2(D + D4 ) ··· 16(D + D4 ) D ′ + D4 D − D4 2(D − D4 ) ··· 16(D − D4 ) D ′ − D4 Courtesy of Roberto Avanzi [⇐] – p.17
Group Operation Once D + Di is computed, we can re-use some of the operations to compute D − Di (saves up to half of the cost of an addition). [⇐] – p.18
Group Operation Once D + Di is computed, we can re-use some of the operations to compute D − Di (saves up to half of the cost of an addition). If doublings are cheaper than additions, we can do several blocks of doublings between each blocks of additions (we stopped at four). [⇐] – p.18
Group Operation Once D + Di is computed, we can re-use some of the operations to compute D − Di (saves up to half of the cost of an addition). If doublings are cheaper than additions, we can do several blocks of doublings between each blocks of additions (we stopped at four). We can use Montgomery’s trick for the inversions (and adapt our group operations). [⇐] – p.18
Group Operation The Di are selected wisely: They are random linear combinations of Da and Db of the form [ui (x), vi (x)] with ui (x) irreducible of degree 3 = g − 1. [⇐] – p.19
Group Operation The Di are selected wisely: They are random linear combinations of Da and Db of the form [ui (x), vi (x)] with ui (x) irreducible of degree 3 = g − 1. A group addition when ui has degree 3 costs about 2/3 of a general group addition. From D + D1, computing D − D1 takes about 2/5 of a general group addition. Choosing ui irreducible minimizes the risk of having gcd(u, ui ) = 1. [⇐] – p.19
Group Operation The Di are selected wisely: They are random linear combinations of Da and Db of the form [ui (x), vi (x)] with ui (x) irreducible of degree 3 = g − 1. A group addition when ui has degree 3 costs about 2/3 of a general group addition. From D + D1, computing D − D1 takes about 2/5 of a general group addition. Choosing ui irreducible minimizes the risk of having gcd(u, ui ) = 1. It takes ≈ 3q steps of pre-random-walk to find each Di (goes into the +ǫ). [⇐] – p.19
Factorization Given a polynomial of small degree d over Fq , the standard factorization algorithms take O(d2 log2 (q)) field operations to test if it splits, and to factor it into linear terms when possible. For fields of characteristic two, we can improve on the standard methods. [⇐] – p.20
Factorization Given a polynomial of small degree d over Fq , the standard factorization algorithms take O(d2 log2 (q)) field operations to test if it splits, and to factor it into linear terms when possible. For fields of characteristic two, we can improve on the standard methods. Taking advantage of the Frobenius over F2 , we can get an algorithm which takes O(d3 log2 (log2 (q))) field operations with a nice constant in the O(. . .) [⇐] – p.20
Factorization Given a polynomial of small degree d over Fq , the standard factorization algorithms take O(d2 log2 (q)) field operations to test if it splits, and to factor it into linear terms when possible. For fields of characteristic two, we can improve on the standard methods. Taking advantage of the Frobenius over F2 , we can get an algorithm which takes O(d3 log2 (log2 (q))) field operations with a nice constant in the O(. . .) (preprint in progress). [⇐] – p.20
constants After several hours of fun, and many pages of operation counts and implementation (finding ratios between the different operations), we found Field size step of random walk average group op. 53 ≈ 178.187 M ≈ 50.139 M 73 ≈ 194.688 M ≈ 49.813 M [⇐] – p.21
constants After several hours of fun, and many pages of operation counts and implementation (finding ratios between the different operations), we found Field size step of random walk average group op. 53 ≈ 178.187 M ≈ 50.139 M 73 ≈ 194.688 M ≈ 49.813 M giving us cW (53) ≈ 3.554 cL (73) ≈ 3.9084 cL (53) ≈ 0.1546 cL (73) ≈ 0.083125 [⇐] – p.21
constants After several hours of fun, and many pages of operation counts and implementation (finding ratios between the different operations), we found Field size step of random walk average group op. 53 ≈ 178.187 M ≈ 50.139 M 73 ≈ 194.688 M ≈ 49.813 M giving us cW (53) ≈ 3.554 cL (73) ≈ 3.9084 cL (53) ≈ 0.1546 cL (73) ≈ 0.083125 Combining everything to get cT in T4,min = cT q 14/9 , we find cT (53) ≈ 2.105 cT (73) ≈ 1.547 [⇐] – p.21
Back to 2LP If we try to apply the same approach to 2LP (without the ˜ ˜ filter), we find for cT in Tmin = cT q 3/2 : ˜ cT (53) ∼ 9.133 ˜ cT (73) ∼ 8.524 ˜ [⇐] – p.22
Back to 2LP If we try to apply the same approach to 2LP (without the ˜ ˜ filter), we find for cT in Tmin = cT q 3/2 : ˜ cT (53) ∼ 9.133 ˜ cT (73) ∼ 8.524 ˜ However, those numbers hide a few problems: The analysis uses some approximations which are too rough at these field sizes Some of the bounds may not be tight [⇐] – p.22
Back to 2LP If we try to apply the same approach to 2LP (without the ˜ ˜ filter), we find for cT in Tmin = cT q 3/2 : ˜ cT (53) ∼ 9.133 ˜ cT (73) ∼ 8.524 ˜ However, those numbers hide a few problems: The analysis uses some approximations which are too rough at these field sizes Some of the bounds may not be tight We are ignoring the cost of working in the graph of large primes [⇐] – p.22
Comparison At 53 bits, we find a total of ≈ 283.518 average group operations for 1LP and ∼ 282.691 for 2LP. [⇐] – p.23
Comparison At 53 bits, we find a total of ≈ 283.518 average group operations for 1LP and ∼ 282.691 for 2LP. This is closer to the security of an elliptic curve over a binary field of 166 to 168 bits than the 159 bits we would have expected from the O(. . .) (putting aside issues of Weil descent). [⇐] – p.23
Comparison At 53 bits, we find a total of ≈ 283.518 average group operations for 1LP and ∼ 282.691 for 2LP. This is closer to the security of an elliptic curve over a binary field of 166 to 168 bits than the 159 bits we would have expected from the O(. . .) (putting aside issues of Weil descent). At 73 bits, we find a total of ≈ 2114.185 average group operations for 1LP and ∼ 2112.59 for 2LP. We get a security level between E(F2226 ) and E(F2229 ) instead of E(F2219 ) (from the O-notation of 2LP). [⇐] – p.23
Comparison At 53 bits, we find a total of ≈ 283.518 average group operations for 1LP and ∼ 282.691 for 2LP. This is closer to the security of an elliptic curve over a binary field of 166 to 168 bits than the 159 bits we would have expected from the O(. . .) (putting aside issues of Weil descent). At 73 bits, we find a total of ≈ 2114.185 average group operations for 1LP and ∼ 2112.59 for 2LP. We get a security level between E(F2226 ) and E(F2229 ) instead of E(F2219 ) (from the O-notation of 2LP). Ignoring the constants leads us to underestimate the security of hyperelliptic curve of genus four by a few bits. [⇐] – p.23
Genus 3 Preliminary results for 2LP in genus 3 at 59 bits gives 4/3 ∼ 7.903 259 ∼ 281.649 average group operations. [⇐] – p.24
Genus 3 Preliminary results for 2LP in genus 3 at 59 bits gives 4/3 ∼ 7.903 259 ∼ 281.649 average group operations. Note: This estimates suffers from similar issues as those for 2LP in genus 4, on top of which the computations have to be checked... [⇐] – p.24

More Related Content

PDF
04greedy 2x2
byAnkit Malik
 
PDF
Supplementary material for my following paper: Infinite Latent Process Decomp...
byTomonari Masada
 
PPTX
Jarrar: First Order Logic- Inference Methods
byMustafa Jarrar
 
PDF
Db31463471
byIJMER
 
PDF
A Signature Scheme as Secure as the Diffie Hellman Problem
byvsubhashini
 
PDF
Sensors and Samples: A Homological Approach
byDon Sheehy
 
PPT
Сергей Кольцов —НИУ ВШЭ —ICBDA 2015
byrusbase
 
PDF
Discrete form of the riccati equation
byAlberth Carantón
 
04greedy 2x2
byAnkit Malik
 
Supplementary material for my following paper: Infinite Latent Process Decomp...
byTomonari Masada
 
Jarrar: First Order Logic- Inference Methods
byMustafa Jarrar
 
Db31463471
byIJMER
 
A Signature Scheme as Secure as the Diffie Hellman Problem
byvsubhashini
 
Sensors and Samples: A Homological Approach
byDon Sheehy
 
Сергей Кольцов —НИУ ВШЭ —ICBDA 2015
byrusbase
 
Discrete form of the riccati equation
byAlberth Carantón
 

What's hot

PDF
Stochastic Alternating Direction Method of Multipliers
byTaiji Suzuki
 
PDF
Multi layer potentials and boundary problems
bySpringer
 
PPTX
RSA final notation change2
byColeman Gorham
 
PPTX
P, NP and NP-Complete, Theory of NP-Completeness V2
byS.Shayan Daneshvar
 
PDF
AP Calculus January 19, 2009
byDarren Kuropatwa
 
PDF
AP Calculus Slides December 19, 2007
byDarren Kuropatwa
 
PPTX
Analysis of algorithms
byS.Shayan Daneshvar
 
PPT
NIPS2007: structured prediction
byzukun
 
PDF
Proof of Kraft-McMillan theorem
byVu Hung Nguyen
 
PDF
The price density function, a tool for measuring investment risk,volatility a...
byTinashe Mangoro
 
PPTX
CppConcurrencyInAction - Chapter07
byDooSeon Choi
 
PDF
Nominal Schema DL 2011
byAdila Krisnadhi
 
PDF
Context-dependent Token-wise Variational Autoencoder for Topic Modeling
byTomonari Masada
 
Stochastic Alternating Direction Method of Multipliers
byTaiji Suzuki
 
Multi layer potentials and boundary problems
bySpringer
 
RSA final notation change2
byColeman Gorham
 
P, NP and NP-Complete, Theory of NP-Completeness V2
byS.Shayan Daneshvar
 
AP Calculus January 19, 2009
byDarren Kuropatwa
 
AP Calculus Slides December 19, 2007
byDarren Kuropatwa
 
Analysis of algorithms
byS.Shayan Daneshvar
 
NIPS2007: structured prediction
byzukun
 
Proof of Kraft-McMillan theorem
byVu Hung Nguyen
 
The price density function, a tool for measuring investment risk,volatility a...
byTinashe Mangoro
 
CppConcurrencyInAction - Chapter07
byDooSeon Choi
 
Nominal Schema DL 2011
byAdila Krisnadhi
 
Context-dependent Token-wise Variational Autoencoder for Topic Modeling
byTomonari Masada
 

Viewers also liked

PPTX
H index
byDeakinlibraryresearch
 
PPT
Ch1 2 index number
byJay Tanna
 
PPTX
Index number
byPranav Krishna
 
PDF
Principles of scaling & root planing dr alaa attia
byAlaa Atia
 
PPT
Chap15 time series forecasting & index number
byUni Azza Aunillah
 
PPTX
Measurement of diseases
bySoyebo Oluseye
 
PPT
Index Number
bydeepakashwani
 
PPT
Writing Narratives
bymungo13
 
PDF
Formal and Informal Email Writing - Request Emails
bymybusinessenglish.com Jennings
 
PDF
Introduction to Technical Writing
byVince
 
PPTX
Writing A Research Paper In 10 Easy Steps
bylauren
 
H index
byDeakinlibraryresearch
 
Ch1 2 index number
byJay Tanna
 
Index number
byPranav Krishna
 
Principles of scaling & root planing dr alaa attia
byAlaa Atia
 
Chap15 time series forecasting & index number
byUni Azza Aunillah
 
Measurement of diseases
bySoyebo Oluseye
 
Index Number
bydeepakashwani
 
Writing Narratives
bymungo13
 
Formal and Informal Email Writing - Request Emails
bymybusinessenglish.com Jennings
 
Introduction to Technical Writing
byVince
 
Writing A Research Paper In 10 Easy Steps
bylauren
 

Similar to ECC 2006

PDF
Shor's discrete logarithm quantum algorithm for elliptic curves
byXequeMateShannon
 
PPTX
Digital signature
byShwetang (shweacha)
 
PPT
Muchtadi
byNiranjan Patidar
 
PPTX
DISCRETE LOGARITHM PROBLEM
byMANISH KUMAR
 
PDF
A1802040111
byIOSR Journals
 
PPT
Pairing scott
bySghaierAnissa
 
PDF
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
byijceronline
 
PDF
Winter school-pq2016v2
byLudovic Perret
 
PDF
25010001
byPremavardhan Reddy
 
PDF
A x86-optimized rank&select dictionary for bit sequences
byTakeshi Yamamuro
 
DOCX
Assignment 2 (1) (1).docx
bypinstechwork
 
PPTX
The Factoring Dead: Preparing for the Cryptopocalypse
byAlex Stamos
 
PPT
Lect no 13 ECC.ppt
byDEEPAK948083
 
PPT
Lect no 13 ECC.ppt
byDEEPAK948083
 
PDF
Implementation of Elliptic Curve Digital Signature Algorithm Using Variable T...
byijceronline
 
PDF
Implementation of Elliptic Curve Digital Signature Algorithm Using Variable T...
byijceronline
 
PDF
MAPREDUCE METHODOLOGY FOR ELLIPTICAL CURVE DISCRETE LOGARITHMIC PROBLEMS – SE...
byIAEME Publication
 
PDF
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
byPadmaGadiyar
 
PDF
Algebraic methods for design QC-LDPC codes
byUsatyuk Vasiliy
 
PPT
DFP Unit-3.pptdddddghsdjcbsjjhsjsvdcsvnbsv
byvishalduriseti2
 
Shor's discrete logarithm quantum algorithm for elliptic curves
byXequeMateShannon
 
Digital signature
byShwetang (shweacha)
 
Muchtadi
byNiranjan Patidar
 
DISCRETE LOGARITHM PROBLEM
byMANISH KUMAR
 
A1802040111
byIOSR Journals
 
Pairing scott
bySghaierAnissa
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
byijceronline
 
Winter school-pq2016v2
byLudovic Perret
 
25010001
byPremavardhan Reddy
 
A x86-optimized rank&select dictionary for bit sequences
byTakeshi Yamamuro
 
Assignment 2 (1) (1).docx
bypinstechwork
 
The Factoring Dead: Preparing for the Cryptopocalypse
byAlex Stamos
 
Lect no 13 ECC.ppt
byDEEPAK948083
 
Lect no 13 ECC.ppt
byDEEPAK948083
 
Implementation of Elliptic Curve Digital Signature Algorithm Using Variable T...
byijceronline
 
Implementation of Elliptic Curve Digital Signature Algorithm Using Variable T...
byijceronline
 
MAPREDUCE METHODOLOGY FOR ELLIPTICAL CURVE DISCRETE LOGARITHMIC PROBLEMS – SE...
byIAEME Publication
 
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
byPadmaGadiyar
 
Algebraic methods for design QC-LDPC codes
byUsatyuk Vasiliy
 
DFP Unit-3.pptdddddghsdjcbsjjhsjsvdcsvnbsv
byvishalduriseti2
 

Recently uploaded

PDF
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
PDF
Taxonomy Principles to Support Knowledge Management at a Not-for-Profit
byEnterprise Knowledge
 
PDF
Master the FME Connector for ArcGIS: Streamlined Data Management & Robust Met...
bySafe Software
 
PPTX
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPTX
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
DevOps GenAI_ How Generative AI Is Changing Software Delivery.pdf
byDevseccops.ai
 
PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
PPTX
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
PDF
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PPTX
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
PDF
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
Taxonomy Principles to Support Knowledge Management at a Not-for-Profit
byEnterprise Knowledge
 
Master the FME Connector for ArcGIS: Streamlined Data Management & Robust Met...
bySafe Software
 
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
DevOps GenAI_ How Generative AI Is Changing Software Delivery.pdf
byDevseccops.ai
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 

ECC 2006

  • 1.
    Towards an exactcost analysis of index-calculus algorithms ECC 2006 Nicolas Thériault ntheriau@fields.utoronto.ca Fields Institute Work in progress with Roberto Avanzi
  • 2.
    Elliptic Curve DLP For an elliptic curve E(Fq ), the fastest known method to ˜ solve the discrete logarithm problem is Pollard’s Rho algorithm, which takes an expected √ π +ǫ group order group operations. 2 [⇐] – p.1
  • 3.
    Elliptic Curve DLP For an elliptic curve E(Fq ), the fastest known method to ˜ solve the discrete logarithm problem is Pollard’s Rho algorithm, which takes an expected √ π +ǫ group order group operations. 2 If ℓ is the largest prime divisor of the group order, this √ means ≈ 0.8862 ℓ group operations (Pohlig–Hellman). [⇐] – p.1
  • 4.
    Elliptic Curve DLP For an elliptic curve E(Fq ), the fastest known method to ˜ solve the discrete logarithm problem is Pollard’s Rho algorithm, which takes an expected √ π +ǫ group order group operations. 2 If ℓ is the largest prime divisor of the group order, this √ means ≈ 0.8862 ℓ group operations (Pohlig–Hellman). √ √ π This is often stated as O( q ), hiding the constant ˜ 2 (assuming a group of prime order). [⇐] – p.1
  • 5.
    Genus 2 HECDLP For a hyperelliptic curves H of genus 2 defined over the field Fq , the fastest known method to solve the discrete log is still Pollard Rho, which is often stated as O(q). [⇐] – p.2
  • 6.
    Genus 2 HECDLP For a hyperelliptic curves H of genus 2 defined over the field Fq , the fastest known method to solve the discrete log is still Pollard Rho, which is often stated as O(q). To get the same security as an elliptic curve over Fq , we ask ˜ that q has half the number of bits as q (abusing notation, ˜ √ we ask that O( q ) = O(q)). ˜ We then compare the efficiency of Jac(H)(Fq ) with E(Fq ). ˜ [⇐] – p.2
  • 7.
    Genus 2 HECDLP For a hyperelliptic curves H of genus 2 defined over the field Fq , the fastest known method to solve the discrete log is still Pollard Rho, which is often stated as O(q). To get the same security as an elliptic curve over Fq , we ask ˜ that q has half the number of bits as q (abusing notation, ˜ √ we ask that O( q ) = O(q)). ˜ We then compare the efficiency of Jac(H)(Fq ) with E(Fq ). ˜ Since the security of both group depends on the same algorithm, the hidden constants are the same, so we might expect a fair comparison. [⇐] – p.2
  • 8.
    Group Operations But we are making a very big assumption: the group operations have the same cost when we attack the DLP as they have in the scalar multiplication. [⇐] – p.3
  • 9.
    Group Operations But we are making a very big assumption: the group operations have the same cost when we attack the DLP as they have in the scalar multiplication. This might not be true! The fastest algorithm to do the group operation for the scalar multiplication might not the the best choice for Pollard Rho (Montgomery’s trick for inversion, etc). [⇐] – p.3
  • 10.
    Group Operations But we are making a very big assumption: the group operations have the same cost when we attack the DLP as they have in the scalar multiplication. This might not be true! The fastest algorithm to do the group operation for the scalar multiplication might not the the best choice for Pollard Rho (Montgomery’s trick for inversion, etc). We need to take into account the difference in the cost of the group operations. Convention: We define the average group operation as the average cost per group operation in a NAF. [⇐] – p.3
  • 11.
    Genus 1 vsGenus 2 In characteristic 2, we find ≈ 0.5653 q ˜ for E(Fq ) of order 2 · prime at 157 bits, and at 223 bits: ˜ ≈ 0.5625 q . ˜ [⇐] – p.4
  • 12.
    Genus 1 vsGenus 2 In characteristic 2, we find ≈ 0.5653 q ˜ for E(Fq ) of order 2 · prime at 157 bits, and at 223 bits: ˜ ≈ 0.5625 q . ˜ For genus 2, we find √ ≈ 0.5283 q for Jac(H)(Fq ) of order 2 · prime at 79 bits and at 109 bits: √ ≈ 0.5348 q . [⇐] – p.4
  • 13.
    Genus g When we look at hyperelliptic curves H of genus g > 2 (but not too large) over Fq , asymptotically, Pollard Rho is not the fastest method to solve the discrete log, index calculus is. [⇐] – p.5
  • 14.
    Genus g When we look at hyperelliptic curves H of genus g > 2 (but not too large) over Fq , asymptotically, Pollard Rho is not the fastest method to solve the discrete log, index calculus is. Different versions of index calculus have different running times, for example: 2 2− g +ǫ O q for the double large prime method (2LP) [⇐] – p.5
  • 15.
    Genus g When we look at hyperelliptic curves H of genus g > 2 (but not too large) over Fq , asymptotically, Pollard Rho is not the fastest method to solve the discrete log, index calculus is. Different versions of index calculus have different running times, for example: 2 2− g +ǫ O q for the double large prime method (2LP), and 2 2− g+1/2 +ǫ O q for the single large prime method (1LP). [⇐] – p.5
  • 16.
    Problems It is very difficult to obtain a fair comparison with ECC if we only know the asymptotic form. We could be dealing with constants 1000, 7.23, 0.002, etc, and these constants could change from one method to the other (and in fact they do). [⇐] – p.6
  • 17.
    Problems It is very difficult to obtain a fair comparison with ECC if we only know the asymptotic form. We could be dealing with constants 1000, 7.23, 0.002, etc, and these constants could change from one method to the other (and in fact they do). The impact of index calculus at cryptographic sizes depends a lot on the value of the constant. The smaller the constants are, the lower the security of Jac(H)(Fq ) really is. If the constant is too large Pollard Rho could still be the fastest method to solve the DLP. [⇐] – p.6
  • 18.
    Problems It is very difficult to obtain a fair comparison with ECC if we only know the asymptotic form. We could be dealing with constants 1000, 7.23, 0.002, etc, and these constants could change from one method to the other (and in fact they do). The impact of index calculus at cryptographic sizes depends a lot on the value of the constant. The smaller the constants are, the lower the security of Jac(H)(Fq ) really is. If the constant is too large Pollard Rho could still be the fastest method to solve the DLP. Index calculus does not exclude security, but it could exclude efficiency! [⇐] – p.6
  • 19.
    Problems Index calculus should be nicer to analyze: the standard deviation of the running time is tiny when compared with the expected value (by an order of magnitude). In comparison, for Pollard Rho we have a standard deviation of almost 1/2 of the expected value. [⇐] – p.7
  • 20.
    Problems Index calculus should be nicer to analyze: the standard deviation of the running time is tiny when compared with the expected value (by an order of magnitude). In comparison, for Pollard Rho we have a standard deviation of almost 1/2 of the expected value. But there is currently no detailed analysis of the constant for index calculus available in literature: [⇐] – p.7
  • 21.
    Problems Index calculus should be nicer to analyze: the standard deviation of the running time is tiny when compared with the expected value (by an order of magnitude). In comparison, for Pollard Rho we have a standard deviation of almost 1/2 of the expected value. But there is currently no detailed analysis of the constant for index calculus available in literature: The algorithm is more complicated Not all costs involved are group operations [⇐] – p.7
  • 22.
    Problems Index calculus should be nicer to analyze: the standard deviation of the running time is tiny when compared with the expected value (by an order of magnitude). In comparison, for Pollard Rho we have a standard deviation of almost 1/2 of the expected value. But there is currently no detailed analysis of the constant for index calculus available in literature: The algorithm is more complicated Not all costs involved are group operations We haven’t finished writing it up... [⇐] – p.7
  • 23.
    1LP vs 2LP Asymptotically, the 2LP method is faster than the 1LP 1/(g 2 +g/2)+ǫ method by a factor of O(q ). [⇐] – p.8
  • 24.
    1LP vs 2LP Asymptotically, the 2LP method is faster than the 1LP 1/(g 2 +g/2)+ǫ method by a factor of O(q ). But: Even rough estimates give a bigger constant for 2LP. The analysis is tighter for 1LP. For genus ≥ 4, 1LP could win. [⇐] – p.8
  • 25.
    1LP vs 2LP Asymptotically, the 2LP method is faster than the 1LP 1/(g 2 +g/2)+ǫ method by a factor of O(q ). But: Even rough estimates give a bigger constant for 2LP. The analysis is tighter for 1LP. For genus ≥ 4, 1LP could win. At cryptographic sizes, some of the approximations used to obtain the asymptotic form have a big impact on the constant. One improvement does not apply to 2LP (so far). [⇐] – p.8
  • 26.
    Analysis of 1LP To simplify notation on the slides, we let g = 4. [⇐] – p.9
  • 27.
    Analysis of 1LP To simplify notation on the slides, we let g = 4. The cost of the single large prime index calculus is dominated by two things: The random Walk (to find 1-almost-smooth divisors) The Linear algebra solver (find a vector of the kernel) [⇐] – p.9
  • 28.
    Analysis of 1LP To simplify notation on the slides, we let g = 4. The cost of the single large prime index calculus is dominated by two things: The random Walk (to find 1-almost-smooth divisors) The Linear algebra solver (find a vector of the kernel) which gives, for a factor base of size B: √ −5/2 7/2 3 2 T (B) = (1 + ǫ) cW · 3 2B q + cL · B 2 [⇐] – p.9
  • 29.
    Analysis of 1LP To simplify notation on the slides, we let g = 4. The cost of the single large prime index calculus is dominated by two things: The random Walk (to find 1-almost-smooth divisors) The Linear algebra solver (find a vector of the kernel) which gives, for a factor base of size B: √ −5/2 7/2 3 2 T (B) = (1 + ǫ) cW · 3 2B q + cL · B 2 All other parts of the algorithm can be put in the +ǫ (so we ignore them). [⇐] – p.9
  • 30.
    Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). [⇐] – p.10
  • 31.
    Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 [⇐] – p.10
  • 32.
    Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... [⇐] – p.10
  • 33.
    Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... To improve the running time, we can: [⇐] – p.10
  • 34.
    Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... To improve the running time, we can: 1. Improve cL [⇐] – p.10
  • 35.
    Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... To improve the running time, we can: 1. Improve cL 2. Improve cW [⇐] – p.10
  • 36.
    Analysis of 1LP d To minimize, we differentiate T (B), solve dB T (B) = 0 and substitute back into T (B). After playing around, we obtain a minimum of 27/9 54/9 Tmin = 3 5/9 + 11/9 cL 5/9 cW 4/9 q 14/9 5 2 To find the exact cost of 1LP, all we need is cW and cL ... To improve the running time, we can: 1. Improve cL 2. Improve cW 3. Introduce a new factor [⇐] – p.10
  • 37.
    Linear Algebra Almost-all smooth relations involve 6 points. The density of the matrix is very low, Wiedemann is faster than Lanczos. [⇐] – p.11
  • 38.
    Linear Algebra Almost-all smooth relations involve 6 points. The density of the matrix is very low, Wiedemann is faster than Lanczos. All entries are ±1. If some ±2 appear in the system (around O(9) times), they are done as two ±1. We use Horner’s trick to evaluate p(M )x. (no multiplications!) [⇐] – p.11
  • 39.
    Linear Algebra Almost-all smooth relations involve 6 points. The density of the matrix is very low, Wiedemann is faster than Lanczos. All entries are ±1. If some ±2 appear in the system (around O(9) times), they are done as two ±1. We use Horner’s trick to evaluate p(M )x. (no multiplications!) cL is the cost of all the operations associated to one matrix entry for three matrix–vector multiplications. Berlekamp–Massey can be done in sub-quadratic time, so we ignore that cost (for now). [⇐] – p.11
  • 40.
    Linear Algebra Almost-all smooth relations involve 6 points. The density of the matrix is very low, Wiedemann is faster than Lanczos. All entries are ±1. If some ±2 appear in the system (around O(9) times), they are done as two ±1. We use Horner’s trick to evaluate p(M )x. (no multiplications!) cL is the cost of all the operations associated to one matrix entry for three matrix–vector multiplications. Berlekamp–Massey can be done in sub-quadratic time, so we ignore that cost (for now). To reduce cL , we need block Wiedemann (in progress). [⇐] – p.11
  • 41.
    Filtering Filtering in the Number Field Sieve: Remove equations and variables that do not contribute to the kernel Columns of zeros (variables not in use). Singletons (variables appearing only in one equation). Removing superfluous equations. [⇐] – p.12
  • 42.
    Filtering Filtering in the Number Field Sieve: Remove equations and variables that do not contribute to the kernel Columns of zeros (variables not in use). Singletons (variables appearing only in one equation). Removing superfluous equations. Merging (preprocessing): if a variable appears in very few equations (2, 3, maybe 4) we can use one of the equations to cancel the variable from the system. [⇐] – p.12
  • 43.
    Filtering Filtering in the Number Field Sieve: Remove equations and variables that do not contribute to the kernel Columns of zeros (variables not in use). Singletons (variables appearing only in one equation). Removing superfluous equations. Merging (preprocessing): if a variable appears in very few equations (2, 3, maybe 4) we can use one of the equations to cancel the variable from the system. Very limited impact for HEC index calculus. In progress... [⇐] – p.12
  • 44.
    Extended Filtering The impact of filtering is quite limited for our systems. We decided to extend the idea: [⇐] – p.13
  • 45.
    Extended Filtering The impact of filtering is quite limited for our systems. We decided to extend the idea: We find many more equations (smooth relations) than the number of variables (elements of the factor base) For a subset of the variables, we might be able to remove all the equations containing those variables. The filtered system can be much smaller than the original system. [⇐] – p.13
  • 46.
    Extended Filtering The impact of filtering is quite limited for our systems. We decided to extend the idea: We find many more equations (smooth relations) than the number of variables (elements of the factor base) For a subset of the variables, we might be able to remove all the equations containing those variables. The filtered system can be much smaller than the original system. Finding the smallest consistent set of variables and equations is most likely NP-hard. A good approximation can be found in linear time. [⇐] – p.13
  • 47.
    Extended Filtering The impact of filtering is quite limited for our systems. We decided to extend the idea: We find many more equations (smooth relations) than the number of variables (elements of the factor base) For a subset of the variables, we might be able to remove all the equations containing those variables. The filtered system can be much smaller than the original system. Finding the smallest consistent set of variables and equations is most likely NP-hard. A good approximation can be found in linear time. The result: Harvesting! [⇐] – p.13
  • 48.
    Harvesting Assume that we find k times as many equations as variables, and let p(k) be the proportion of the factor base left after harvesting. [⇐] – p.14
  • 49.
    Harvesting Assume that we find k times as many equations as variables, and let p(k) be the proportion of the factor base left after harvesting. If k is not too big, we get √ √ −5/2 7/2 3 Tk (B) = cW · 3 2 kB q + cL · p(k)2 B 2 2 and the minimal value is 27/9 54/9 5/9 4/9 5 2/9 14/9 Tk,min = 3 5/9 + 11/9 cL cW kp(k) q 5 2 [⇐] – p.14
  • 50.
    Harvesting Assume that we find k times as many equations as variables, and let p(k) be the proportion of the factor base left after harvesting. If k is not too big, we get √ √ −5/2 7/2 3 Tk (B) = cW · 3 2 kB q + cL · p(k)2 B 2 2 and the minimal value is 27/9 54/9 5/9 4/9 5 2/9 14/9 Tk,min = 3 5/9 + 11/9 cL cW kp(k) q 5 2 The good news: f (k) = kp(k)5 is strictly decreasing. [⇐] – p.14
  • 51.
    Harvesting Assume that we find k times as many equations as variables, and let p(k) be the proportion of the factor base left after harvesting. If k is not too big, we get √ √ −5/2 7/2 3 Tk (B) = cW · 3 2 kB q + cL · p(k)2 B 2 2 and the minimal value is 27/9 54/9 5/9 4/9 5 2/9 14/9 Tk,min = 3 5/9 + 11/9 cL cW kp(k) q 5 2 The good news: f (k) = kp(k)5 is strictly decreasing. The bad news: hard to analyze and decreases slowly. [⇐] – p.14
  • 52.
    Harvesting To simplify, we will only use k = 4. [⇐] – p.15
  • 53.
    Harvesting To simplify, we will only use k = 4. For q = 253 , we have some interference due to the field size, and we need to increase k by 3.29% in the random walk side, giving us ˜ f (4)2/9 = (4 · 1.0329 · p(4)5 )2/9 ≈ 0.7142 For q = 273 , the interference is close to 0, and we are very close to f (4)2/9 ≈ 0.7090 [⇐] – p.15
  • 54.
    Harvesting To simplify, we will only use k = 4. For q = 253 , we have some interference due to the field size, and we need to increase k by 3.29% in the random walk side, giving us ˜ f (4)2/9 = (4 · 1.0329 · p(4)5 )2/9 ≈ 0.7142 For q = 273 , the interference is close to 0, and we are very close to f (4)2/9 ≈ 0.7090 We get a time-memory trade-off. Harvesting has a similar impact on 0LP, but we don’t know how to predict the impact on 2LP. [⇐] – p.15
  • 55.
    Random Walk For index calculus, the goal of the random walk is very different from its goal in Pollard Rho: 1. Index calculus only cares about the factorization of group elements, not how we get to them (or where we would go afterwards). [⇐] – p.16
  • 56.
    Random Walk For index calculus, the goal of the random walk is very different from its goal in Pollard Rho: 1. Index calculus only cares about the factorization of group elements, not how we get to them (or where we would go afterwards). 2. At each divisor considered, we have to see if it splits completely over Fq . 3. If a divisor splits (1 : 24), we have to factor it and see if it is smooth, 1-almost-smooth, etc. [⇐] – p.16
  • 57.
    Random Walk For index calculus, the goal of the random walk is very different from its goal in Pollard Rho: 1. Index calculus only cares about the factorization of group elements, not how we get to them (or where we would go afterwards). 2. At each divisor considered, we have to see if it splits completely over Fq . 3. If a divisor splits (1 : 24), we have to factor it and see if it is smooth, 1-almost-smooth, etc. Point 1 will affect how we do the random walk. [⇐] – p.16
  • 58.
    Random Walk For index calculus, the goal of the random walk is very different from its goal in Pollard Rho: 1. Index calculus only cares about the factorization of group elements, not how we get to them (or where we would go afterwards). 2. At each divisor considered, we have to see if it splits completely over Fq . 3. If a divisor splits (1 : 24), we have to factor it and see if it is smooth, 1-almost-smooth, etc. Point 1 will affect how we do the random walk. Point 2 and 3 have a huge impact on cW , and they depend on algorithms to factor polynomials. [⇐] – p.16
  • 59.
    Random Walk D [⇐] – p.17
  • 60.
    Random Walk add D + D1 D + D2 D D + D3 D + D4 [⇐] – p.17
  • 61.
    Random Walk add sub D + D1 D − D1 D + D2 D − D2 D D + D3 D − D3 D + D4 D − D4 [⇐] – p.17
  • 62.
    Random Walk add ×2 sub D + D1 2(D + D1 ) D − D1 2(D − D1 ) D + D2 2(D + D2 ) D − D2 2(D − D2 ) D D + D3 2(D + D3 ) D − D3 2(D − D3 ) D + D4 2(D + D4 ) D − D4 2(D − D4 ) [⇐] – p.17
  • 63.
    Random Walk add ×2 ×2 sub D + D1 2(D + D1 ) 4(D + D1 ) D − D1 2(D − D1 ) 4(D − D1 ) D + D2 2(D + D2 ) 4(D + D2 ) D − D2 2(D − D2 ) 4(D − D2 ) D D + D3 2(D + D3 ) 4(D + D3 ) D − D3 2(D − D3 ) 4(D − D3 ) D + D4 2(D + D4 ) 4(D + D4 ) D − D4 2(D − D4 ) 4(D − D4 ) [⇐] – p.17
  • 64.
    Random Walk add ×2 ×2 ×2 sub D + D1 2(D + D1 ) ··· 16(D + D1 ) D − D1 2(D − D1 ) ··· 16(D − D1 ) D + D2 2(D + D2 ) ··· 16(D + D2 ) D − D2 2(D − D2 ) ··· 16(D − D2 ) D D + D3 2(D + D3 ) ··· 16(D + D3 ) D − D3 2(D − D3 ) ··· 16(D − D3 ) D + D4 2(D + D4 ) ··· 16(D + D4 ) D − D4 2(D − D4 ) ··· 16(D − D4 ) [⇐] – p.17
  • 65.
    Random Walk add add ×2 ×2 ×2 sub sub D + D1 2(D + D1 ) ··· 16(D + D1 ) D ′ + D1 D − D1 2(D − D1 ) ··· 16(D − D1 ) D ′ − D1 D + D2 2(D + D2 ) ··· 16(D + D2 ) D ′ + D2 D − D2 2(D − D2 ) ··· 16(D − D2 ) D ′ − D2 D D + D3 2(D + D3 ) ··· 16(D + D3 ) D ′ + D3 D − D3 2(D − D3 ) ··· 16(D − D3 ) D ′ − D3 D + D4 2(D + D4 ) ··· 16(D + D4 ) =: D′ D ′ + D4 D − D4 2(D − D4 ) ··· 16(D − D4 ) D ′ − D4 [⇐] – p.17
  • 66.
    Random Walk add add ×2 ×2 ×2 sub sub D + D1 2(D + D1 ) ··· 16(D + D1 ) D ′ + D1 D − D1 2(D − D1 ) ··· 16(D − D1 ) D ′ − D1 D + D2 2(D + D2 ) ··· 16(D + D2 ) =: D′ D ′ + D2 D − D2 2(D − D2 ) ··· 16(D − D2 ) D ′ − D2 D D + D3 2(D + D3 ) ··· 16(D + D3 ) D ′ + D3 D − D3 2(D − D3 ) ··· 16(D − D3 ) D ′ − D3 D + D4 2(D + D4 ) ··· 16(D + D4 ) D ′ + D4 D − D4 2(D − D4 ) ··· 16(D − D4 ) D ′ − D4 [⇐] – p.17
  • 67.
    Random Walk add add ×2 ×2 ×2 sub sub D + D1 2(D + D1 ) ··· 16(D + D1 ) D ′ + D1 D − D1 2(D − D1 ) ··· 16(D − D1 ) D ′ − D1 D + D2 2(D + D2 ) ··· 16(D + D2 ) D ′ + D2 D − D2 2(D − D2 ) ··· 16(D − D2 ) D ′ − D2 D D + D3 2(D + D3 ) ··· 16(D + D3 ) =: D′ D ′ + D3 D − D3 2(D − D3 ) ··· 16(D − D3 ) D ′ − D3 D + D4 2(D + D4 ) ··· 16(D + D4 ) D ′ + D4 D − D4 2(D − D4 ) ··· 16(D − D4 ) D ′ − D4 [⇐] – p.17
  • 68.
    Random Walk add add ×2 ×2 ×2 sub sub D + D1 2(D + D1 ) ··· 16(D + D1 ) =: D′ D ′ + D1 D − D1 2(D − D1 ) ··· 16(D − D1 ) D ′ − D1 D + D2 2(D + D2 ) ··· 16(D + D2 ) D ′ + D2 D − D2 2(D − D2 ) ··· 16(D − D2 ) D ′ − D2 D D + D3 2(D + D3 ) ··· 16(D + D3 ) D ′ + D3 D − D3 2(D − D3 ) ··· 16(D − D3 ) D ′ − D3 D + D4 2(D + D4 ) ··· 16(D + D4 ) D ′ + D4 D − D4 2(D − D4 ) ··· 16(D − D4 ) D ′ − D4 Courtesy of Roberto Avanzi [⇐] – p.17
  • 69.
    Group Operation Once D + Di is computed, we can re-use some of the operations to compute D − Di (saves up to half of the cost of an addition). [⇐] – p.18
  • 70.
    Group Operation Once D + Di is computed, we can re-use some of the operations to compute D − Di (saves up to half of the cost of an addition). If doublings are cheaper than additions, we can do several blocks of doublings between each blocks of additions (we stopped at four). [⇐] – p.18
  • 71.
    Group Operation Once D + Di is computed, we can re-use some of the operations to compute D − Di (saves up to half of the cost of an addition). If doublings are cheaper than additions, we can do several blocks of doublings between each blocks of additions (we stopped at four). We can use Montgomery’s trick for the inversions (and adapt our group operations). [⇐] – p.18
  • 72.
    Group Operation The Di are selected wisely: They are random linear combinations of Da and Db of the form [ui (x), vi (x)] with ui (x) irreducible of degree 3 = g − 1. [⇐] – p.19
  • 73.
    Group Operation The Di are selected wisely: They are random linear combinations of Da and Db of the form [ui (x), vi (x)] with ui (x) irreducible of degree 3 = g − 1. A group addition when ui has degree 3 costs about 2/3 of a general group addition. From D + D1, computing D − D1 takes about 2/5 of a general group addition. Choosing ui irreducible minimizes the risk of having gcd(u, ui ) = 1. [⇐] – p.19
  • 74.
    Group Operation The Di are selected wisely: They are random linear combinations of Da and Db of the form [ui (x), vi (x)] with ui (x) irreducible of degree 3 = g − 1. A group addition when ui has degree 3 costs about 2/3 of a general group addition. From D + D1, computing D − D1 takes about 2/5 of a general group addition. Choosing ui irreducible minimizes the risk of having gcd(u, ui ) = 1. It takes ≈ 3q steps of pre-random-walk to find each Di (goes into the +ǫ). [⇐] – p.19
  • 75.
    Factorization Given a polynomial of small degree d over Fq , the standard factorization algorithms take O(d2 log2 (q)) field operations to test if it splits, and to factor it into linear terms when possible. For fields of characteristic two, we can improve on the standard methods. [⇐] – p.20
  • 76.
    Factorization Given a polynomial of small degree d over Fq , the standard factorization algorithms take O(d2 log2 (q)) field operations to test if it splits, and to factor it into linear terms when possible. For fields of characteristic two, we can improve on the standard methods. Taking advantage of the Frobenius over F2 , we can get an algorithm which takes O(d3 log2 (log2 (q))) field operations with a nice constant in the O(. . .) [⇐] – p.20
  • 77.
    Factorization Given a polynomial of small degree d over Fq , the standard factorization algorithms take O(d2 log2 (q)) field operations to test if it splits, and to factor it into linear terms when possible. For fields of characteristic two, we can improve on the standard methods. Taking advantage of the Frobenius over F2 , we can get an algorithm which takes O(d3 log2 (log2 (q))) field operations with a nice constant in the O(. . .) (preprint in progress). [⇐] – p.20
  • 78.
    constants After several hours of fun, and many pages of operation counts and implementation (finding ratios between the different operations), we found Field size step of random walk average group op. 53 ≈ 178.187 M ≈ 50.139 M 73 ≈ 194.688 M ≈ 49.813 M [⇐] – p.21
  • 79.
    constants After several hours of fun, and many pages of operation counts and implementation (finding ratios between the different operations), we found Field size step of random walk average group op. 53 ≈ 178.187 M ≈ 50.139 M 73 ≈ 194.688 M ≈ 49.813 M giving us cW (53) ≈ 3.554 cL (73) ≈ 3.9084 cL (53) ≈ 0.1546 cL (73) ≈ 0.083125 [⇐] – p.21
  • 80.
    constants After several hours of fun, and many pages of operation counts and implementation (finding ratios between the different operations), we found Field size step of random walk average group op. 53 ≈ 178.187 M ≈ 50.139 M 73 ≈ 194.688 M ≈ 49.813 M giving us cW (53) ≈ 3.554 cL (73) ≈ 3.9084 cL (53) ≈ 0.1546 cL (73) ≈ 0.083125 Combining everything to get cT in T4,min = cT q 14/9 , we find cT (53) ≈ 2.105 cT (73) ≈ 1.547 [⇐] – p.21
  • 81.
    Back to 2LP If we try to apply the same approach to 2LP (without the ˜ ˜ filter), we find for cT in Tmin = cT q 3/2 : ˜ cT (53) ∼ 9.133 ˜ cT (73) ∼ 8.524 ˜ [⇐] – p.22
  • 82.
    Back to 2LP If we try to apply the same approach to 2LP (without the ˜ ˜ filter), we find for cT in Tmin = cT q 3/2 : ˜ cT (53) ∼ 9.133 ˜ cT (73) ∼ 8.524 ˜ However, those numbers hide a few problems: The analysis uses some approximations which are too rough at these field sizes Some of the bounds may not be tight [⇐] – p.22
  • 83.
    Back to 2LP If we try to apply the same approach to 2LP (without the ˜ ˜ filter), we find for cT in Tmin = cT q 3/2 : ˜ cT (53) ∼ 9.133 ˜ cT (73) ∼ 8.524 ˜ However, those numbers hide a few problems: The analysis uses some approximations which are too rough at these field sizes Some of the bounds may not be tight We are ignoring the cost of working in the graph of large primes [⇐] – p.22
  • 84.
    Comparison At 53 bits, we find a total of ≈ 283.518 average group operations for 1LP and ∼ 282.691 for 2LP. [⇐] – p.23
  • 85.
    Comparison At 53 bits, we find a total of ≈ 283.518 average group operations for 1LP and ∼ 282.691 for 2LP. This is closer to the security of an elliptic curve over a binary field of 166 to 168 bits than the 159 bits we would have expected from the O(. . .) (putting aside issues of Weil descent). [⇐] – p.23
  • 86.
    Comparison At 53 bits, we find a total of ≈ 283.518 average group operations for 1LP and ∼ 282.691 for 2LP. This is closer to the security of an elliptic curve over a binary field of 166 to 168 bits than the 159 bits we would have expected from the O(. . .) (putting aside issues of Weil descent). At 73 bits, we find a total of ≈ 2114.185 average group operations for 1LP and ∼ 2112.59 for 2LP. We get a security level between E(F2226 ) and E(F2229 ) instead of E(F2219 ) (from the O-notation of 2LP). [⇐] – p.23
  • 87.
    Comparison At 53 bits, we find a total of ≈ 283.518 average group operations for 1LP and ∼ 282.691 for 2LP. This is closer to the security of an elliptic curve over a binary field of 166 to 168 bits than the 159 bits we would have expected from the O(. . .) (putting aside issues of Weil descent). At 73 bits, we find a total of ≈ 2114.185 average group operations for 1LP and ∼ 2112.59 for 2LP. We get a security level between E(F2226 ) and E(F2229 ) instead of E(F2219 ) (from the O-notation of 2LP). Ignoring the constants leads us to underestimate the security of hyperelliptic curve of genus four by a few bits. [⇐] – p.23
  • 88.
    Genus 3 Preliminary results for 2LP in genus 3 at 59 bits gives 4/3 ∼ 7.903 259 ∼ 281.649 average group operations. [⇐] – p.24
  • 89.
    Genus 3 Preliminary results for 2LP in genus 3 at 59 bits gives 4/3 ∼ 7.903 259 ∼ 281.649 average group operations. Note: This estimates suffers from similar issues as those for 2LP in genus 4, on top of which the computations have to be checked... [⇐] – p.24