Abstract
A low storage algorithm for constructing isogenies between ordinary elliptic curves was proposed by Galbraith, Hess and Smart (GHS). We give an improvement of this algorithm by modifying the pseudorandom walk so that lower-degree isogenies are used more frequently. This is motivated by the fact that high degree isogenies are slower to compute than low degree ones. We analyse the running time of the parallel collision search algorithm when the partitioning is uneven. We also give experimental results. We conclude that our algorithm is around \(14\) times faster than the GHS algorithm when constructing horizontal isogenies between random isogenous elliptic curves over a \(160\)-bit prime field. The results apply to generic adding walks and the more general group action inverse problem; a speed-up is obtained whenever the cost of computing edges in the graph varies significantly.
Notes
Van Oorschot and Wiener [41] suggest \(c_{\max }=20/\theta \). Our value is larger in order to preserve more non-looped walks.
We do not count database access times or the expected \(L \theta \sqrt{n}\) random samplings of a group element.
This remark also applies to the isogeny walk given by Teske [40, Algorithm 1]. Interestingly, another isogeny walk is given in Algorithm 3 of the same paper, which is not affected by this problem.
A generating sequence \(S\) in the Bisson–Sutherland algorithm consists of at least \(\log _2 (h)\) ideals of small norm. \(S\) is divided into two subsequences \(A\) and \(B\) of roughly equal length. On every hop a sequence is chosen from the set of all subsequences of \(A\) or of \(B\) using a pseudo-random function.
The term in-degree refers to a graph with the set of vertices \(X\) and the edges \((z,\psi _\pi (z))\). For a visited vertex, the number of used incoming edges equals zero if it is a randomized starting vertex, or one otherwise.
Let us justify the suitability of this choice by an example. Suppose one tries to solve a \(\mathcal{CL }\)-GAIP over a \(244\)-bit field, a problem size proposed for isogeny-based cryptosystems [35]. Since the group size (i.e., the class number) is \(n\approx 2^{122}\), the database of distinguished nodes should store \(L\theta \sqrt{n}\) nodes, which is less than \(2^{33}\) on average. Since the class number is approximately \(122\) bits long, one entry of the database (a binary tree) of distinguished nodes would occupy \(48\) bytes, of which \(16\) bytes are used by a hashed \(j\)-invariant, \(16\) bytes by a compressed class group element and \(16\) bytes by two pointers. The whole database would therefore occupy not more than \(2^{33}\cdot 48 = 384\cdot 2^{30}\) bytes, i.e. \(384\) gigabytes of disk space, which we find to be quite moderate.
We use \(n>2^{27}\) because otherwise the measured number of visited nodes is highly affected by looped walks. Every loop increases the number of visited nodes by \(30 n^{1/4}\). We want the overhead introduced by loops to be much smaller than the total number of visited nodes \(L\sqrt{n}\).
For each \(m\in \{28, 32, 36, \ldots , 56\}\) we sample uniformly from the set of isomorphism classes of abelian groups of order \(n\) and rank at most \(r\), where \(2^{m-1} + 1 \le n \le 2^m\).
If two or more consecutive hops are made by the same split isogeny degree \(\ell \), and there are no vertical \(\ell \)-isogenies, then it is sufficient to choose the correct isogeny only at the first hop. On each subsequent hop one simply checks that the \(j\)-invariant does not match the previous one (i.e., that the walk does not step back along the dual isogeny). This provides an extra saving, especially when the partitioning is uneven. This extra saving is not accounted for in Table 3.
Parameters: \(\lceil \log (p)\rceil =90\), \(4\le r\le 16\); \(w\), \(\theta \), \(c_{\max }\) and \(k_1\) are as in Experiment 1.
Because approximately half of all primes are split in the quadratic field.
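The following is an added illustration, not code from the paper or from the ClassEll package, of the ingredients the abstract and the notes above refer to: a van Oorschot–Wiener collision search with distinguished nodes, random restarts, abandonment of walks longer than \(c_{\max }\), and an \(r\)-adding walk whose partition is uneven so that cheap edges are chosen more often. Everything problem-specific is a constructed stand-in: the group action is \(\mathbb{Z}/n\) acting on itself by translation (free and transitive like the class-group action, but trivial to invert directly), each partition class is given a cost equal to a small prime "degree" (assuming that edge cost grows with the isogeny degree), \(c_{\max }=40/\theta\) is an assumed value (the note above says only that the paper's value exceeds the \(20/\theta\) of van Oorschot and Wiener), and `heuristic_steps` encodes a Brent–Pollard-style heuristic \(\sqrt{\pi n/2}/\sqrt{1-\sum_i p_i^2}\) that is assumed here, not taken from the paper's analysis.

```python
"""Added example: distinguished-node collision search for a toy group-action inverse
problem with an uneven r-adding walk.  Not the paper's code; see the lead-in for
what is assumed."""
import hashlib
import math
import random


def _h(tag, z):
    """64-bit hash of a node (an int here; in the isogeny setting a j-invariant)."""
    return int.from_bytes(hashlib.sha256(tag + z.to_bytes(16, "big")).digest()[:8], "big")


def choose_class(z, weights):
    """Partition function: class i is chosen with probability weights[i]/sum(weights),
    so an uneven weight vector makes the (cheap) classes with large weight more frequent."""
    u = _h(b"part", z) / 2.0 ** 64 * sum(weights)
    acc = 0.0
    for i, w in enumerate(weights):
        acc += w
        if u < acc:
            return i
    return len(weights) - 1


def is_distinguished(z, theta_bits):
    """A node is distinguished with probability theta = 2**-theta_bits."""
    return _h(b"dist", z) >> (64 - theta_bits) == 0


def expected_cost_per_step(costs, weights):
    """sum_i p_i * c_i with p_i = weights[i]/sum(weights): the average edge cost."""
    s = sum(weights)
    return sum(w / s * c for w, c in zip(weights, costs))


def heuristic_steps(n, weights):
    """Assumed Brent-Pollard-style heuristic: sqrt(pi*n/2) / sqrt(1 - sum p_i^2).
    The randomness lost by an uneven partition is paid through the second factor."""
    s = sum(weights)
    return math.sqrt(math.pi * n / 2) / math.sqrt(1 - sum((w / s) ** 2 for w in weights))


def gaip_collision_search(n, x, y, steps, costs, weights, theta_bits, c_max, rng=None):
    """Toy GAIP: find g with y = (x + g) % n for the translation action (constructed).
    steps[i] is the group element applied in class i, costs[i] the modelled cost of
    that edge.  Returns (g, total_cost, walks, stored_distinguished_nodes)."""
    rng = rng or random.Random(0)
    table = {}                       # distinguished node -> (side, accumulated group element)
    total_cost, walks = 0, 0
    while True:
        walks += 1
        side = rng.choice(("x", "y"))
        a = rng.randrange(n)         # random start a*x or a*y
        z = ((x if side == "x" else y) + a) % n
        for _ in range(c_max):       # a walk longer than c_max has probably looped: abandon it
            if is_distinguished(z, theta_bits):
                if z in table and table[z][0] != side:
                    b = table[z][1]
                    # side x: a*x = b*y => y = (a-b)*x ;  side y: a*y = b*x => y = (b-a)*x
                    g = (a - b) % n if side == "x" else (b - a) % n
                    return g, total_cost, walks, len(table)
                table[z] = (side, a)  # a same-side hit carries no information (free action)
                break
            i = choose_class(z, weights)
            z = (z + steps[i]) % n
            a = (a + steps[i]) % n
            total_cost += costs[i]


def run_experiment(n_bits=20, trials=8, theta_bits=4, seed=7):
    """Average edge cost of the search with a uniform partition versus weights
    proportional to 1/cost, on the same random instances.  Assumed cost model:
    one class per small prime degree, cost equal to the degree."""
    rng = random.Random(seed)
    n = 2 ** n_bits
    degrees = [3, 5, 7, 11, 13, 17, 19, 23]
    costs = degrees
    configs = {"uniform": [1.0] * len(degrees), "uneven": [1.0 / d for d in degrees]}
    instances = []
    for _ in range(trials):
        x, g = rng.randrange(n), rng.randrange(n)
        instances.append((x, (x + g) % n, g, [rng.randrange(1, n) for _ in degrees]))
    c_max = 40 * 2 ** theta_bits     # assumed c_max = 40/theta
    result = {}
    for name, weights in configs.items():
        total = 0
        for x, y, g, steps in instances:
            found, cost, _, _ = gaip_collision_search(n, x, y, steps, costs, weights,
                                                      theta_bits, c_max, rng)
            assert found == g
            total += cost
        result[name] = total / trials
    return result


if __name__ == "__main__":
    print(run_experiment())
```

With the degrees above, `expected_cost_per_step` drops from \(12.25\) for the uniform partition to about \(8.0\) for weights proportional to \(1/\ell\), while `heuristic_steps` grows only by the factor \(\sqrt{(1-1/8)/(1-\sum p_i^2)}\approx 1.04\); the product of the two is what the measured total cost tracks. The toy reproduces only the shape of the trade-off; which weights are optimal for real isogeny costs is the subject of the paper's analysis of uneven partitioning, not of this example.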
References
Bailey, D.V., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., Chen, H.C., Cheng, C.M., van Damme, G., de Meulenaer, G., Perez, L.J.D., Fan, J., Güneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Niederhagen, R., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L., Herrewege, A.V., Yang, B.Y.: Breaking ECC2K-130. Cryptology ePrint Archive, Report 2009/541 (2009). http://eprint.iacr.org/2009/541
Bernstein, D.J., Lange, T.: Two grumpy giants and a baby. In: Tenth Algorithmic Number Theory Symposium ANTS-X (2012)
Biasse, J.F.: Improvements in the computation of ideal class groups of imaginary quadratic number fields. Adv. Math. Commun. 4(2), 141–154 (2010). doi:10.3934/amc.2010.4.141
Bisson, G., Sutherland, A.V.: Computing the endomorphism ring of an ordinary elliptic curve over a finite field. J. Number Theory 131(5), 815–831 (2011). doi:10.1016/j.jnt.2009.11.003. http://www.sciencedirect.com/science/article/pii/S0022314X09002789
Bisson, G., Sutherland, A.V.: A low-memory algorithm for finding short product representations in finite groups. Des. Codes Cryptogr. 63(1), 1–13 (2012). doi:10.1007/s10623-011-9527-8
Blackburn, S.R., Murphy, S.: The number of partitions in Pollard rho (1998). Preprint
Brent, R.P., Pollard, J.M.: Factorization of the eighth Fermat number. Math. Comp. 36(154), 627–630 (1981). doi:10.2307/2007666
Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time (2010). http://arxiv.org/abs/1012.4019v1
Cohen, H., Lenstra Jr., H.W.: Heuristics on class groups of number fields. In: Number theory, Noordwijkerhout 1983 (Noordwijkerhout, 1983), Lecture Notes in Mathematics, vol. 1068, pp. 33–62. Springer, Berlin (1984). doi:10.1007/BFb0099440
Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). http://eprint.iacr.org/2006/291
Dai, J.J., Hildebrand, M.V.: Random random walks on the integers mod \(n\). Stat. Probab. Lett. 35(4), 371–379 (1997). doi:10.1016/S0167-7152(97)00035-7
Debiao, H., Jianhua, C., Jin, H.: An authenticated key agreement protocol using isogenies between elliptic curves. Int. J. Comput. Commun. Control 6, 258–265 (2011)
Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999). (electronic)
Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Advances in cryptology–EUROCRYPT 2002 (Amsterdam), Lecture Notes in Computer Science, vol. 2332, pp. 29–44. Springer, Berlin (2002). doi:10.1007/3-540-46035-7_3
Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Improving the parallelized Pollard lambda search on binary anomalous curves. Math. Comp. 69(232), 1699–1705 (2000)
Goldreich, O.: Lecture notes: Randomized methods in computation (2001). http://www.wisdom.weizmann.ac.il/~oded/rnd.html
Harris, B.: Probability distributions related to random mappings. Ann. Math. Stat. 31, 1045–1062 (1960)
Jacobson Jr., M.J., Ramachandran, S., Williams, H.C.: Numerical results on class groups of imaginary quadratic fields. In: Algorithmic number theory, Lecture Notes in Computer Science, vol. 4076, pp. 87–101. Springer, Berlin (2006). doi:10.1007/11792086_7
Jao, D., Miller, S.D., Venkatesan, R.: Do all elliptic curves of the same order have the same difficulty of discrete log? In: Advances in cryptology–ASIACRYPT 2005, Lecture Notes in Computer Science, vol. 3788, pp. 21–40. Springer, Berlin (2005). doi:10.1007/11593447_2
Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009). doi:10.1016/j.jnt.2008.11.006
Knuth, D.E.: The Art of Computer Programming: Seminumerical Algorithms, vol. 2, 3rd edn. Addison-Wesley, Boston (1997)
Koblitz, A.H., Koblitz, N., Menezes, A.: Elliptic curve cryptography: the serpentine course of a paradigm shift. J. Number Theory 131(5), 781–814 (2011). doi:10.1016/j.jnt.2009.01.006
Kohel, D.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996)
Matsumoto, M., Nishimura, T.: Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator. ACM Trans. Model. Comput. Simul. 8(1), 3–30 (1998)
Montenegro, R.: A simple method for precisely determining complexity of many birthday attacks (2012). http://faculty.uml.edu/rmontenegro/research/intersectionheuristic-abstract.pdf
Pohl, I.: Bi-directional and heuristic search in path problems. Technical Report 104, Stanford Linear Accelerator Center, Stanford, California (1969)
Pollard, J.M.: A Monte Carlo method for factorization. BIT 15(3), 331–334 (1975)
Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comp. 32(143), 918–924 (1978)
Rapoport, A.: Cycle distributions in random nets. Bull. Math. Biol. 10, 145–157 (1948)
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). http://eprint.iacr.org/2006/145
Schoof, R.: Quadratic fields and factorization. In: Computational methods in number theory, Part II, Math. Centre Tracts, vol. 155, pp. 235–286. Math. Centrum, Amsterdam (1982)
Schulte-Geers, E.: Collision search in a random mapping: some asymptotic results. Presentation at ECC 2000 (Essen, Germany) (2000)
Soong, T.T.: Fundamentals of Probability and Statistics for Engineers. Wiley, Hoboken (2004)
Stolbunov, A.: ClassEll package, ver. 0.1. http://www.item.ntnu.no/people/personalpages/phd/anton/software, last visited 15/12/2012
Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010). doi:10.3934/amc.2010.4.215
Stolbunov, A.: Cryptographic schemes based on isogenies. Ph.D. thesis, Norwegian University of Science and Technology (NTNU) (2012)
Strutt [Lord Rayleigh], J.W.: On the resultant of a large number of vibrations of the same pitch and of arbitrary phase. Philos. Mag. 10(60), 73–78 (1880)
Tate, J.: Endomorphisms of abelian varieties over finite fields. Invent. Math. 2, 134–144 (1966)
Teske, E.: On random walks for Pollard’s rho method. Math. Comp. 70(234), 809–825 (2001). doi:10.1090/S0025-5718-00-01213-8
Teske, E.: An elliptic curve trapdoor system. J. Cryptol. 19(1), 115–133 (2006). doi:10.1007/s00145-004-0328-3
van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999). doi:10.1007/PL00003816
Wang, T.: Integer hash function. http://www.concentric.net/~Ttwang/tech/inthash.htm, last visited 08/06/2010
Waterhouse, W.C.: Abelian varieties over finite fields. Ann. Sci. École Norm. Sup. 4(2), 521–560 (1969)
Wiener, M.J., Zuccherato, R.J.: Faster attacks on elliptic curve cryptosystems. In: S.E. Tavares, H. Meijer (eds.) SAC 1998, LNCS, vol. 1556, pp. 190–200. Springer (1998)
Acknowledgments
The paper was created through a collaboration of two authors whose names are listed alphabetically. The work was initiated during a two-month research visit of Anton Stolbunov to Steven Galbraith. Stolbunov would like to thank the Department of Telematics, Norwegian University of Science and Technology, for the financial support of his research and of that visit. We thank Gaetan Bisson and Edlyn Teske for their valuable comments on this paper.
Cite this article
Galbraith, S., Stolbunov, A. Improved algorithm for the isogeny problem for ordinary elliptic curves. AAECC 24, 107–131 (2013). https://doi.org/10.1007/s00200-013-0185-0