Memory Optimization Techniques for Computing Discrete Logarithms in Compressed SIKE

Abstract

The supersingular isogeny-based key encapsulation (SIKE) suite stands as an attractive post- quantum cryptosystem with its relatively small public keys. Public key sizes in SIKE can further be compressed by computing pairings and solving discrete logarithms in certain subgroups of finite fields. This comes at a cost of precomputing and storing large discrete logarithm tables. In this paper, we propose several techniques to optimize memory requirements in computing discrete logarithms in SIKE, and achieve to reduce table sizes by a factor of 4. We implement our techniques and verify our theoretical findings.

Appendices

A The Pohlig-Hellman Algorithm with width-w Windows

Given an instance \(\mathbb {G}_{\ell , e}\), g, and \(h\in \mathbb {G}\) of a discrete logarithm problem (DLP) in \(\mathbb {G}_{\ell , e}\), Pohlig-Hellman algorithm (PH) [13] uses width-w windows and computes \(d=\log _{g}{h}\) as follows. Let w be a positive integer with \(w\mid e\)⁴, define \(m = \lceil {e/w}\rceil \), and write the exponent d in base \(L = \ell ^w\) as \(d = \sum _{i=0}^{m-1}{D_iL^i}\), \(D_i\in [0,L)\). Define the sequence \(h_k = g^{\sum _{i=k}^{m-1}{D_iL^i}}\), which satisfies

$$\begin{aligned} h_0=h,\quad h_{k+1} = h_k g^{-D_kL^k},\quad h_k^{L^{m-1-k}} = \left( g^{L^{m-1}}\right) ^{D_k},\ k=0,\ldots ,m-2. \end{aligned}$$

(5)

Note that \(D_k = \log _{\rho }{h_k^{L^{m-1-k}}}\in [0,L)\), where \(\rho = g^{L^{m-1}}\) generates a group \(\mathbb {G}_{\ell , w}\) of order \(\ell ^{w}\). In PH, a table \(T\) of elements are precomputed and stored such that \(T[k][D] = g^{-DL^k}\), for \(0\le k \le m-1\) and \(0\le D< L\). Note that the table \(T\) consists of \(m\cdot L\) elements of \(\mathbb {G}_{\ell , e}\). One computes \(h_0^{L^{m-1}}\), and determines \(D_0\) by looking up the last row \(T[m-1]\) of T. For \(k=1,\ldots ,m-1\), first \(h_k = h_{k-1}T[k-1][D_{k-1}]\) is computed (one multiplication), and then \(h_k^{L^{m-1-k}}\) is computed (\((m-1-k)\) exponentiations by L), and \(D_k\) is determined by looking up the row \(T[m-1]\). Once \(D_0, \ldots , D_{m-1}\) are known, \(d = \sum _{i=0}^{m-1}{D_iL^i}\) can be recovered.

As previously observed in the literature [8, 15], the steps of the above PH algorithm can be associated with subgraph of a directed graph \(\mathcal {T}_{e,w}\). The vertices of \(\mathcal {T}_{e,w}\) are labeled as \(\varDelta _{j,k}\) for \(0 \le k \le m-1\) and \(0 \le j \le m-1-k\), with \(\varDelta _{0,0}\) being the top-most vertex and \(\varDelta _{j,k}\) being the vertex lying at the end of the path starting at \(\varDelta _{0,0}\) and following j many left edges and k many right edges. The vertices \(\varDelta _{m-1-k,k}\) for \(0 \le k \le m-1\) are referred to as leaves, and \(\varDelta _{0,0}\) is the root. We make a correspondence between vertices \(\varDelta _{j,k}\) of \(\mathcal {T}_{e,w}\) and elements of \(\mathbb {G}_{\ell ,e}\) by associating \(\varDelta _{j,k}\) with \(h_k^{L^j}\), and it will be convenient to use “\(=\)” for this association: \(\varDelta _{j,k} = h_k^{L^j}, \text{ for } 0\le k \le m-1 \text{ and } 0\le j \le m-1-k\) In particular, the root \(\varDelta _{0,0}\) is associated with the input \(h_0=h\) to the DLP, and the leaves \(\varDelta _{m-1-k,k}\) correspond to the elements \(h_k^{L^{m-1-k}}\) used to determine \(D_k\). The outgoing edges of non-leaf vertices \(\varDelta _{j,k}\) can then be interpreted as group operations in \(\mathbb {G}_{\ell ,e}\) as follows: \( \text{ left } \text{ traversal: } \varDelta _{j,k}\rightarrow \varDelta _{j+1,k} = \varDelta _{j,k}^L; \text{ right } \text{ traversal: } \varDelta _{j,k}\rightarrow \varDelta _{j,k+1} = \varDelta _{j,k}\cdot g^{-D_kL^{j+k}}. \)

Note that an edge with a positive slope in \(\mathcal {T}_{e,w}\) (a left traversal) corresponds to exponentiation by L, and an edge with a negative slope in \(\mathcal {T}_{e,w}\) (a right traversal) corresponds to a multiplication by a group element, assuming access to the lookup table \(T\), as previously defined.

One can notice that the computational steps in the generalized PH algorithm correspond to traversing a spanning subgraph S of \(\mathcal {T}_{e,w}\), where the edge set of S consists of all the positive slope edges of \(\mathcal {T}_{e,w}\), and all negative slope edges of the form \(\{\varDelta _{0,k}, \varDelta _{0,k+1}\}\) for \(k=0,\ldots ,m-1\). One can do better by assigning weights \(\mathfrak {p}\) (the cost of exponentiation by \(\ell ^w\) in \(\mathbb {G}_{\ell , e}\)) and \(\mathfrak {q}\) (the cost of multiplication in \(\mathbb {G}_{\ell , e}\)) to the edges of \(\mathcal {T}_{e,w}\) with positive and negative slopes, respectively, and determining an optimal strategy (originally introduced in the context of isogeny computation [7] and then extended to discrete logarithms [8]) to minimize the cost of solving DLP. Such strategies are typically represented in linear form as a list of positive integers of length m. This yields a recursive algorithm to solve discrete logarithms; see Algorithm 6.3 in [15].

B Torus-based Representations

We summarize the torus-based compressed representation of elements of \(\mathbb {G}\) as detailed in [14]. Elements of \(\mathbb {G}\) written in the form \(a+bi\) are said to be in standard representation, and we must have \(a^2 + b^2 = 1\) (see Sect. 2). When \(b\ne 0\), one can write \(a+bi = (\alpha + i)/(\alpha - i)\), where \(\alpha := (a+1)/b\). Since taking \(\alpha =0\) produces \(a+bi=-1+0i\), we can represent cyclotomic subgroup elements with a single element in \(\mathbb {F}_p\) as follows:

$$\begin{aligned} \mathbb {G}= \{1\} \cup \left\{ \frac{\alpha + i}{\alpha - i}:\ \alpha \in \mathbb {F}_p\right\} . \end{aligned}$$

(6)

Under this correspondence, we define the compression function \(C : \mathbb {G}\setminus \lbrace 1,-1 \rbrace \rightarrow \mathbb {F}_p\) as \(C(a+bi):=(a+1)/b\). Group operations respect compressed representation of elements in \(\mathbb {G}\) in the following sense: If \(C(a+bi)=\alpha \) and \(C(c+di)=\beta \), then we have \(C((a+bi)^{-1}) = -\alpha \), and

$$\begin{aligned} C((a+bi)\cdot (c+di))&= {\left\{ \begin{array}{ll} (\alpha \beta -1)/(\alpha +\beta ) &{} \alpha +\beta \ne 0\\ 1 &{} \alpha +\beta = 0 \end{array}\right. } \end{aligned}$$

Compressed representations inherit a projective representation as follows. For \(x,y \in \mathbb {F}_p\) not both zero, if we define , then we can write the identity element as \(1 = [1 : 0]\) (the point at infinity), and for any [x : y] with \(y\ne 0\) we have \([x:y]=[x/y : 1]\). In other words, we can rewrite (6) as

$$\begin{aligned} \mathbb {G}= \{[1:0]\} \cup \{[\alpha :1]:\ \alpha \in \mathbb {F}_p\} =\{[x:y]:\ x,y\in \mathbb {F}_p\text { not both } 0 \}. \end{aligned}$$

(7)

Note that the compression function C is undefined for \(1,-1 \in \mathbb {F}_p\), but these elements are represented in projective coordinates as [1 : 0] and [0 : 1], respectively. Passing from regular to projective representation is easy, but the reverse direction requires at least an inversion in \(\mathbb {F}_p\): for \(a+bi \not = -1\) and \(x^2 + y^2 \not =0\) we have

$$\begin{aligned} a+bi \longmapsto [a+1 : b], \quad [x :y] \longmapsto \dfrac{x^2 - y^2}{x^2 + y^2} + \dfrac{2xy}{x^2+y^2}i \end{aligned}$$

We summarize the group operations of \(\mathbb {G}\) in projective coordinates in Table 3. Each formula can be directly verified by converting to the regular representations of the involved elements using the above mappings.

Table 3. Summary of operations and their costs for elements of \(\mathbb {G}\) in projective coordinates. Here, \(x,y,z,t,\alpha , a,b \in \mathbb {F}_p\) with x and y not both 0, z and t not both 0, and \(a^2 + b^2 = 1\).

C Proofs

Below is a proof of Theorem 3.

Proof

Given \(1\ne h\), we first determine the least positive integer k such that \(h^{\ell ^k}=1\), by performing k exponentiations by \(\ell \) in \(\mathbb {G}_{\ell , w}\). We also store the intermediate values \(h_i = h^{\ell ^{k-i}}\), \(i=0,\ldots ,k\), in an array \(H = [h_0=1, h_1, \ldots , h_k=h]\). By Theorem 2, there is a unique path \(P_{0,k} = v_{0,0}, v_{1,i_1}, \ldots , v_{j,i_{k}}\) in \(\mathcal {G}_{\ell , w}\) such that \(v_{j,i_j}\in V_j\) and \(h_j=g_{j,i_j}\) for \(j=0,\ldots ,k\). By the proof of Theorem 2, \(i_1\in \{0,\ldots ,(\ell -2)\}\) can be determined as the integer satisfying \(h_1 = g_{1,i_1}\), and we set \(s_1=i_1+1\). Next, we inductively assume that \(i_{j-1}\) and \(s_{j-1}\) are already known for some \(2\le j\le w\). By the definition of \(E_j\), and the fact that \(v_{j-1,i_{j-1}}v_{j,i_j}\in E_j\), \(i_j = \ell \cdot i_{j-1} + s_j\) for some \(s_j\in \{0,\ldots ,(\ell -1)\}\). Since \(i_{j-1}\) is already known, the value of \(s_j\) (and \(i_j\)) can be determined as the integer satisfying \(h_j = g_{j, i_j} = g_{j,\ell \cdot i_{j-1}+s_j}\). As a result, we can recover all \(i_j\) and \(s_j\) for all \(j=1,\ldots ,k\), where \(s_1=i_1+1\) and \(i_{j} = \ell \cdot i_{j-1}+s_j\). To prove the last claim of our theorem, we need to show \(d = v_{k,i_k}\), because \(h = h_k = g_{k,i_k} = \rho ^{v_{k, i_k}}\). For \(k=1\), Theorem 3 yields \(d = s_1\ell ^{w-1}\), and it follows from (2) that \(v_{1,i_1} = (i_1+1)\ell ^{w-1} = s_1\ell ^{w-1}=d\), as required. In the following, we assume that \(k\ge 2\). Using (1)–(3), we write

$$\begin{aligned} v_{k,i_k}&= \frac{v_{k-1, i_{k-1}}}{\ell } + s_{k}\ell ^{w-1} = \frac{v_{k-2, i_{k-2}}}{\ell ^2} + s_{k-1}\ell ^{w-2} + s_{k}\ell ^{w-1}\\&=\frac{v_{1, i_{1}}}{\ell ^{k-1}} + s_{2}\ell ^{w-k+1} + \cdots + s_{k}\ell ^{w-1} =s_1\ell ^{w-k} + s_{2}\ell ^{w-k+1} + \cdots + s_{k}\ell ^{w-1}\\&= \ell ^{w-k}\sum _{j=1}^{k}{s_j\ell ^{j-1}} = d, \text { which finishes the proof.} \end{aligned}$$

D Algorithms