Improved algorithm for the isogeny problem for ordinary elliptic curves

  • Original Paper
  • Journal: Applicable Algebra in Engineering, Communication and Computing

Abstract

A low storage algorithm for constructing isogenies between ordinary elliptic curves was proposed by Galbraith, Hess and Smart (GHS). We give an improvement of this algorithm by modifying the pseudorandom walk so that lower-degree isogenies are used more frequently. This is motivated by the fact that high degree isogenies are slower to compute than low degree ones. We analyse the running time of the parallel collision search algorithm when the partitioning is uneven. We also give experimental results. We conclude that our algorithm is around \(14\) times faster than the GHS algorithm when constructing horizontal isogenies between random isogenous elliptic curves over a \(160\)-bit prime field. The results apply to generic adding walks and the more general group action inverse problem; a speed-up is obtained whenever the cost of computing edges in the graph varies significantly.

Notes

  1. The GHS algorithm [14] does not specify how to sample random vertices in the isogeny graph. We use an algorithm from Stolbunov [35, §6.1], which will be briefly explained at the end of Sect. 3.4.

  2. Van Oorschot and Wiener [41] suggest \(c_{\max }=20/\theta \). Our value is larger in order to preserve more non-looped walks.

  3. We do not count database access times and expected \(L \theta \sqrt{n}\) random samplings of a group element.

  4. This remark also applies to the isogeny walk given by Teske [40, Algorithm 1]. Interestingly, another isogeny walk is given in Algorithm 3 of the same paper, which is not affected by this problem.

  5. A generating sequence \(S\) in the Bisson-Sutherland algorithm consists of at least \(\log _2 (h)\) ideals of small norm. \(S\) is divided into two subsequences \(A\) and \(B\) of roughly equal length. On every hop a sequence is chosen from the set of all subsequences of \(A\) or \(B\) using a pseudo-random function.

  6. The term in-degree refers to a graph with the set of vertices \(X\) and the edges \((z,\psi _\pi (z))\). For a visited vertex, the number of used incoming edges equals zero if it is a randomized starting vertex, or one otherwise.

  7. Let us justify the suitability of this choice by an example. Suppose one tries to solve a \(\mathcal{CL }\)-GAIP over a \(244\)-bit field, a problem size proposed for isogeny-based cryptosystems [35]. Since the group size (i.e., class number) \(n\approx 2^{122}\), the database of distinguished nodes should store \(L\theta \sqrt{n}\) nodes, which is less than \(2^{33}\) on average. Since the class number is approximately \(122\) bits long, one entry of the database (binary tree) of distinguished nodes would occupy \(48\) bytes, of which \(16\) bytes are used by a hashed \(j\)-invariant, \(16\) bytes by a compressed class group element and \(16\) bytes by two pointers. The whole database would occupy not more than \(384\) gigabytes of disk space, which we find to be quite moderate.

  8. We use \(n>2^{27}\) because otherwise the measured number of visited nodes is strongly affected by looped walks. Every loop increases the number of visited nodes by \(30 n^{1/4}\). We want the overhead introduced by loops to be much smaller than the total number of visited nodes \(L\sqrt{n}\).

  9. For each \(m\in \{28, 32, 36, \ldots , 56\}\) we sample uniformly from the set of isomorphism classes of abelian groups of order \(n\) and rank at most \(r\), where \(2^{m-1} + 1 \le n \le 2^m\).

  10. If two or more consecutive hops are made by the same split isogeny degree \(\ell \), and there are no vertical \(\ell \)-isogenies, then it is sufficient to choose the correct isogeny only at the first hop. On each subsequent hop one simply checks that the \(j\)-invariant does not match the previous one. This provides an extra saving, especially when the partitioning is uneven. This extra saving is not accounted for in Table 3.

  11. Parameters: \(\lceil \log (p)\rceil =90\), \(4\le r\le 16\); \(w\), \(\theta \), \(c_{\max }\) and \(k_1\) are as in Experiment 1.

  12. Because approximately half of all primes are split.

References

  1. Bailey, D.V., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., Chen, H.C., Cheng, C.M., van Damme, G., de Meulenaer, G., Perez, L.J.D., Fan, J., Güneysu, T., Gürkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Niederhagen, R., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L., Herrewege, A.V., Yang, B.Y.: Breaking ECC2K-130. Cryptology ePrint Archive, Report 2009/541 (2009). http://eprint.iacr.org/2009/541

  2. Bernstein, D.J., Lange, T.: Two grumpy giants and a baby. In: Tenth Algorithmic Number Theory Symposium ANTS-X (2012)

  3. Biasse, J.F.: Improvements in the computation of ideal class groups of imaginary quadratic number fields. Adv. Math. Commun. 4(2), 141–154 (2010). doi:10.3934/amc.2010.4.141

  4. Bisson, G., Sutherland, A.V.: Computing the endomorphism ring of an ordinary elliptic curve over a finite field. J. Number Theory 131(5), 815–831 (2011). doi:10.1016/j.jnt.2009.11.003. http://www.sciencedirect.com/science/article/pii/S0022314X09002789

  5. Bisson, G., Sutherland, A.V.: A low-memory algorithm for finding short product representations in finite groups. Des. Codes Cryptogr. 63(1), 1–13 (2012). doi:10.1007/s10623-011-9527-8

  6. Blackburn, S.R., Murphy, S.: The number of partitions in Pollard rho (1998). Preprint

  7. Brent, R.P., Pollard, J.M.: Factorization of the eighth Fermat number. Math. Comp. 36(154), 627–630 (1981). doi:10.2307/2007666

  8. Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time (2010). http://arxiv.org/abs/1012.4019v1

  9. Cohen, H., Lenstra Jr., H.W.: Heuristics on class groups of number fields. In: Number theory, Noordwijkerhout 1983 (Noordwijkerhout, 1983), Lecture Notes in Mathematics, vol. 1068, pp. 33–62. Springer, Berlin (1984). doi:10.1007/BFb0099440

  10. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). http://eprint.iacr.org/2006/291

  11. Dai, J.J., Hildebrand, M.V.: Random random walks on the integers mod \(n\). Stat. Probab. Lett. 35(4), 371–379 (1997). doi:10.1016/S0167-7152(97)00035-7

  12. Debiao, H., Jianhua, C., Jin, H.: An authenticated key agreement protocol using isogenies between elliptic curves. Int. J. Comput. Commun. Control 6, 258–265 (2011)

  13. Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999). (electronic)

  14. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Advances in cryptology–EUROCRYPT 2002 (Amsterdam), Lecture Notes in Computer Science, vol. 2332, pp. 29–44. Springer, Berlin (2002). doi:10.1007/3-540-46035-7_3

  15. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Improving the parallelized Pollard lambda search on binary anomalous curves. Math. Comput. 69(232), 1699–1705 (2000)

  16. Goldreich, O.: Lecture notes: Randomized methods in computation (2001). http://www.wisdom.weizmann.ac.il/~oded/rnd.html

  17. Harris, B.: Probability distributions related to random mappings. Ann. Math. Stat. 31, 1045–1062 (1960)

  18. Jacobson Jr., M.J., Ramachandran, S., Williams, H.C.: Numerical results on class groups of imaginary quadratic fields. In: Algorithmic number theory, Lecture Notes in Computer Science, vol. 4076, pp. 87–101. Springer, Berlin (2006). doi:10.1007/11792086_7

  19. Jao, D., Miller, S.D., Venkatesan, R.: Do all elliptic curves of the same order have the same difficulty of discrete log? In: Advances in cryptology–ASIACRYPT 2005, Lecture Notes in Computer Science, vol. 3788, pp. 21–40. Springer, Berlin (2005). doi:10.1007/11593447_2

  20. Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009). doi:10.1016/j.jnt.2008.11.006

  21. Knuth, D.E.: The Art of Computer Programming: Seminumerical Algorithms, vol. 2, 3rd edn. Addison-Wesley, Boston (1997)

  22. Koblitz, A.H., Koblitz, N., Menezes, A.: Elliptic curve cryptography: the serpentine course of a paradigm shift. J. Number Theory 131(5), 781–814 (2011). doi:10.1016/j.jnt.2009.01.006

  23. Kohel, D.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996)

  24. Matsumoto, M., Nishimura, T.: Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator. ACM Trans. Model. Comput. Simul. 8(1), 3–30 (1998)

  25. Montenegro, R.: A simple method for precisely determining complexity of many birthday attacks (2012). http://faculty.uml.edu/rmontenegro/research/intersectionheuristic-abstract.pdf

  26. Pohl, I.: Bi-directional and heuristic search in path problems. Technical Report 104, Stanford Linear Accelerator Center, Stanford, California (1969)

  27. Pollard, J.M.: A Monte Carlo method for factorization, Nordisk Tidskr. BIT 15(3), 331–334 (1975)

  28. Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comp. 32(143), 918–924 (1978)

  29. Rapoport, A.: Cycle distributions in random nets. Bull. Math. Biol. 10, 145–157 (1948)

  30. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, report 2006/145 (2006). http://eprint.iacr.org/2006/145

  31. Schoof, R.: Quadratic fields and factorization. In: Computational methods in number theory, Part II, Math. Centre Tracts, vol. 155, pp. 235–286. Math. Centrum, Amsterdam (1982)

  32. Schulte-Geers, E.: Collision search in a random mapping: some asymptotic results. Presentation at ECC 2000 (Essen, Germany) (2000)

  33. Soong, T.T.: Fundamentals of Probability and Statistics for Engineers. Wiley, Hoboken (2004)

  34. Stolbunov, A.: ClassEll package, ver. 0.1. http://www.item.ntnu.no/people/personalpages/phd/anton/software, last visited 15/12/2012

  35. Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010). doi:10.3934/amc.2010.4.215

  36. Stolbunov, A.: Cryptographic schemes based on isogenies. Ph.D. thesis, Norwegian University of Science and Technology (NTNU) (2012)

  37. Strutt [Lord Rayleigh], J.W.: On the resultant of a large number of vibrations of the same pitch and of arbitrary phase. Philos. Mag. 10(60), 73–78 (1880)

  38. Tate, J.: Endomorphisms of abelian varieties over finite fields. Invent. Math. 2, 134–144 (1966)

  39. Teske, E.: On random walks for Pollard’s rho method. Math. Comp. 70(234), 809–825 (2001). doi:10.1090/S0025-5718-00-01213-8

  40. Teske, E.: An elliptic curve trapdoor system. J. Cryptol. 19(1), 115–133 (2006). doi:10.1007/s00145-004-0328-3

  41. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999). doi:10.1007/PL00003816

  42. Wang, T.: Integer hash function. http://www.concentric.net/~Ttwang/tech/inthash.htm, last visited 08/06/2010

  43. Waterhouse, W.C.: Abelian varieties over finite fields. Ann. Sci. École Norm. Sup. 4(2), 521–560 (1969)

  44. Wiener, M.J., Zuccherato, R.J.: Faster attacks on elliptic curve cryptosystems. In: S.E. Tavares, H. Meijer (eds.) SAC 1998, LNCS, vol. 1556, pp. 190–200. Springer (1998)

Acknowledgments

The paper was created through a collaboration of two authors whose names are listed alphabetically. The work was initiated during a two-month research visit of Anton Stolbunov to Steven Galbraith. Stolbunov would like to thank Department of Telematics, Norwegian University of Science and Technology, for the financial support of his research and that visit. We thank Gaetan Bisson and Edlyn Teske for their valuable comments on this paper.

Author information

Correspondence to Anton Stolbunov.

Cite this article

Galbraith, S., Stolbunov, A. Improved algorithm for the isogeny problem for ordinary elliptic curves. AAECC 24, 107–131 (2013). https://doi.org/10.1007/s00200-013-0185-0
