International Workshop on Public Key Cryptography

PKC 2014: Public-Key Cryptography – PKC 2014, pp. 203–220

Elliptic and Hyperelliptic Curves: A Practical Security Analysis

  • Joppe W. Bos
  • Craig Costello
  • Andrea Miele
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8383)

Abstract

Motivated by the advantages of using elliptic curves for discrete-logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. In this paper we incorporate all of the known optimizations (including those relating to the automorphism group) in order to perform a systematic security assessment of two elliptic curves and two hyperelliptic curves of genus 2. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2.
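As an added illustration of the automorphism speedup the abstract refers to (this is not code from the paper or its authors), the following Python script runs Pollard rho as an r-adding walk on negation classes {W, -W} of a constructed toy curve, so each step covers two group elements and the expected walk length drops by a factor of about sqrt(2). The curve parameters, the brute-force point order, and all function names are assumptions made for this example; the paper's curves are 256-bit and nothing here scales to them.

```python
import random
# Constructed toy curve y^2 = x^3 + A*x + B over F_p (assumption for this example; p prime, p = 3 mod 4)
p, A, B = 1019, 5, 11

def add(P, Q):  # affine group law; None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3*x1*x1 + A) * pow(2*y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def mul(k, P):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def order(P):  # brute-force order of P: only sensible on a toy curve
    n, R = 1, P
    while R is not None: R, n = add(R, P), n + 1
    return n

def base_point():  # first affine point found by scanning x; skips y = 0 (order-2 points)
    for x in range(1, p):
        rhs = (x**3 + A*x + B) % p; y = pow(rhs, (p + 1)//4, p)   # sqrt works since p = 3 mod 4
        if rhs and y*y % p == rhs: return (x, y)

G = base_point(); n = order(G)   # the DLP lives in the cyclic group <G> of order n

def norm(W, a, b):  # class representative of {W, -W} (smaller y); coefficients follow the sign
    if W is None: raise ValueError("walk hit the point at infinity")
    if W[1] <= (-W[1]) % p: return W, a % n, b % n
    return (W[0], (-W[1]) % p), -a % n, -b % n

def rho(G, Q, r=32):  # rho on negation classes: ~sqrt(pi*n/4) expected steps instead of sqrt(pi*n/2)
    while True:  # one pass = one walk; ValueError (infinity, fruitless cycle, bad collision) restarts
        cd = [(random.randrange(n), random.randrange(n)) for _ in range(r)]
        R = [add(mul(c, G), mul(d, Q)) for c, d in cd]   # r-adding walk steps c*G + d*Q
        def step(W, a, b):  # W and -W share x, so the step index is a function of the class
            i = W[0] % r
            return norm(add(W, R[i]), a + cd[i][0], b + cd[i][1])
        try:
            a0, b0 = random.randrange(n), random.randrange(n)
            t = h = norm(add(mul(a0, G), mul(b0, Q)), a0, b0)
            while True:  # Floyd cycle finding: tortoise one step, hare two
                t, h = step(*t), step(*step(*h))
                if t[0] == h[0]: break
            (_, a1, b1), (_, a2, b2) = t, h   # a1*G + b1*Q == a2*G + b2*Q as points
            return (a1 - a2) * pow(b2 - b1, -1, n) % n   # ValueError if b2-b1 not invertible
        except ValueError:
            pass
```

Fruitless cycles caused by the negation map are handled here by simply restarting the walk, which is acceptable on a toy curve; an implementation at the sizes the paper analyses needs the dedicated cycle-handling techniques from the literature.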

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Joppe W. Bos (1)
  • Craig Costello (1)
  • Andrea Miele (2)
  1. Microsoft Research, Redmond, USA
  2. LACAL, EPFL, Lausanne, Switzerland