Expander Graphs GRH and the Elliptic Curve Discrete

Expander Graphs, GRH, and the Elliptic Curve Discrete Logarithm Stephen D. Miller Rutgers University Joint work with David Jao and Ramarathnam Venkatesan Microsoft Research Cryptography and Anti-Piracy Group http: //www. math. rutgers. edu/~sdmiller

Brief Overview Many cryptographic applications are based on the discrete logarithm. Important example: DLOG on elliptic curves. Is it always equally hard? Are there “good curves” and “bad curves”? Main result: in some situations curves have equivalent difficulty. Mathematical content: proof/techniques use • • • Elliptic Curves Expander Graphs Modular Forms L-functions Generalized Riemann Hypothesis

Motivating Example: Microsoft Product Key • When Windows or Microsoft office are installed, the user is required to enter a 25 digit alphanumeric antipiracy code. • This code (“key”) must be short. • The computer must be able to quickly recognize whether or not this is a valid key, without giving away any clue as to how to manufacture additional valid keys. • Otherwise thieves would copy the software CDs and illegally resell them with new codes. Key=CA$H. • Future attacks will be faster. How can one keep the key short, yet still keep up with the attackers? • This requires new methods and cryptosystems. Serious mathematics involved in design.

Cryptography • Mathematical Methods to hide information. • Based on the difficulty of some underlying mathematical problem. • Well-known problems include: – – Pre-computer age: guessing keys, inverting ax+b (mod n). Factoring (RSA). Discrete Logarithm. Braid group conjugacy problem. …. . But a good problem is just the start – implementation matters, too!

Other factors A good cryptosystem needs more than just a hard problem behind it. • It’s rare to reduce the cryptosystem directly to the underlying problem, for example… • Hypothetically: RSA might be easier than factoring. Some desired attributes: • Speed of encryption and decryption. • Use of a large state space – without having to store it all. • Short “keys” (passwords). • Stability against foreseen attacks. Leave no trace.

Example of a difficult underlying problem: Discrete Logarithm on (Z/p. Z)*, p prime. (Z/p. Z)* is abstractly isomorphic to Z/(p-1)Z. 15 14 13 12 12 10 17 Z/18 Z 0 9 ~ 7 2 3 4 5 6 11 15 10 k ! 2 k 17 * (Z/19 Z) 1 18 Powers of 2 2 8 1 3 5 11 16 6 This sequence appears to be fairly random 9 14 4 8 16 13 7 For example, p=19: (Z/19 Z)* ' Z/18 Z is generated by powers of 2.

Example of a difficult underlying problem: Discrete Logarithm on (Z/p. Z)*, p prime. Given p, y, and a generator g of (Z/p. Z)*, solve gx = y for x. (In other words, explicitly invert the previous isomorphism. ) • Difficult because the values of gx are very scattered (mod p) as x varies. • Very important that p-1 have a large prime factor (otherwise can use Chinese remainder theorem to “bootstrap” from easier cases). • Methods exist which are much faster than simply guessing. Some use the structure of Z. • Possibly harder for more abstract incarnations of the same group. Different representations do not necessarily have equivalent DLOG problems. – Example: (Z/p. Z)* is abstractly isomorphic to Z/(p-1)Z. DLOG is very easy on the cyclic groups Z/m. Z : can easily solve ax=b (mod m), if a and m are relatively prime. … especially when the generator a is 1 (tautological).

A cryptosystem using DLOG: Diffie-Hellman key exchange A method for two users to share a common password (without revealing it to the public) Sees g, gx, gy – but cannot compute gxy without solving DLOG 1. Agree on Group G, generator g g 2. Alice picks exponent x at random. x Sends Bob gx g 3. Bob picks exponent y at random. Sends Alice gyy g 4. Both Alice and Bob have common password key gxy = (gx)y = (gy)x

DLOG on other abstract groups? • Introduced because of subexponential attacks on DLOG over (Z/n. Z)*. • Idea: Find an isomorphic group where the structure of the integers is not as apparent. • Also want computation to be efficient, e. g. by polynomial operations (rules out many abstract choices). • Elliptic Curves: the set of solutions to an equation of the form E : y 2 = x 3 + a x + b over a finite field satisfies these criteria.

What’s an elliptic curve? More or less, the solutions to an equation of the form E : y 2 = x 3 + a x + b But over what field? What are x and y? Over C, E is isomorphic to C/ , where is a lattice ½ C (A torus). In fact, the set of solutions always has an abelian group law. Number Theory: study solutions over Fp = Z/p. Z or more generally over Fq

Brief History of Elliptic Curve Cryptography • Introduced by V. Miller and N. Koblitz circa 1985. • Bit-for-bit gives very strong cryptography, compared to e. g. RSA. • RSA, EC, etc: backbone of $2 billion/year industry. • Drawbacks: – Elliptic curves are not well understood by mathematicians or cryptographers. – Perhaps danger of hidden attacks possibly outweighs benefits of use (? ). • Therefore it is crucial to understand various risks. Many mathematically interesting challenges remain.

How are elliptic curves selected? Essentially: known pitfalls are avoided, with limited understanding. • Unlike DLOG on (Z/n. Z)*, there can be many elliptic curves having the same order. • Elliptic curves over finite fields can be – “supersingular”: have subexponential attacks. – “ordinary”: so far, no subexponential attacks. * • Want E(Fq) to be prime, or at least have a large prime factor. E(Fq) should be a cyclic group. Are any other factors important?

Perhaps some curves are better than others? • Widely thought that ordinary curves are superior to supersingular curves. • National Institute of Standards and Technology (NIST) – Part of US Department of Commerce. – Proposed a family of convenient curves to serve as standards for Elliptic Curve Cryptography. – Some users fear these curves are cryptographically weak. – How can the consumer know they have a good curve or not? Is my neighbor’s stronger? Settling this “conspiracy theory” is an important practical question, no matter the outcome

Example of a NIST curve NIST P-192 • Characteristic p = 62771017353866807638357894232076664160 83908700390324961279 • Elliptic curve E: y 2 = x 3 - 3 x + 24551555460089438177402939151974517847 69108058161191238065 over Fp • Number of points = #E = 62771017353866807638357894231760590137 67194773182842284081 (a prime)

Important Notion: Isogeny Class • An isogeny is a nontrivial algebraic map between two elliptic curves. It is a group homomorphism. Examples: 1. Map any E to itself by z ! 2 z 2. map C/Z[i] ! C/Z[2 i] by z ! 2 z 3. map C/Z[i] ! C/Z[i] by z ! iz (called an endomorphism) (called complex multiplication “CM”) • Tate’s Isogeny Theorem: two elliptic curves over Fq with the same number of points are isogenous over Fq (isogenies exist between them in both directions). • Related to commensurability. • Isogenies give an explicit reduction between DLOG on different curves if they each have the same number of prime points. (Identical cyclic groups. ) • So because of Tate’s theorem, the selection problem can be reinterpreted: is isogeny class a fine enough invariant for curve selection? Or is more needed?

Notions of Level, Conductor (technical) • Given an elliptic curve E over Fq, let End(E) denote the endomorphisms of E ( = isogenies + trivial, zero map) which are defined over the algebraic closure of Fq. • For an ordinary elliptic curve, End(E) is an order in some imaginary quadratic number field K = Q(p-d). • This field K is an invariant of the isogeny class (called the “Complex Multiplication Field”) • Orders are always of the form OD = Z+c. OK, where OK is the ring of algebraic integers in K (solutions to monic integral polynomials). • The discriminant of the order OD is related to the discriminant d of K by Curves for a given constant value of c form levels. • Isogenies can therefore be of two forms: D=c 2 d. – They can preserve D (“horizontal”). – Or they can change D (“vertical”). • Supersingular curves all lie on the same level (by definition), so this is really an issue pertaining to ordinary curves. Levels of curves

Statement of Theorem Jao, M-, Venkatesan (2004): Assuming the Generalized Riemann Hypothesis (GRH), the DLOG problem on isogeneous elliptic curves is “random reducible” in the following sense: Given any algorithm A that solves DLOG on some -fraction of curves in a level, one can probabilistically solve DLOG on any curve in the same level with polylog(q)/ queries to A with random inputs. Without assuming GRH, but the weaker Lindelöf hypothesis: subexponentially many instead of polynomially many.

Applications to NIST Curves All NIST and IPSec international standards elliptic curves have cmax = 1 (except NIST P-256 which has cmax = 3) (and the NIST K family of Koblitz curves, which a priori have large cmax ) cmax is a measure of how hard it is to reduce DLOG on a curve to other curves over Fq which have the same number of points. Since it is small, this means that the NIST and IPSec curves (aside from the K curves) lie on the simplest levels. Their DLOG problems are therefore random reducible to all other typical curves on those levels. Hence their DLOGs are no easier or harder than those for typical curves. No “Conspiracy”.

Method of proof uses “Isogeny Graphs” • Low degree isogenies between elliptic curves provide explicit polynomial time reductions between the curves they connect. • An “isogeny graph” is a graph whose vertices represent all the elliptic curves on a given level, and whose edges represent low degree isogenies (of degree (log q)2+ , > 0). • Mixing Hypothesis: suppose that the random walk on this graph mixes rapidly (i. e. after polylog(q) steps one reaches any vertex with uniform probability up to a small error). This is proven using GRH. Then by computing random low degree isogenies, DLOG can be explicitly reduced between any two curves on that level. • • Therefore DLOG has uniform difficulty on this level (assuming the Mixing Hypothesis). Various Elliptic Curves on the same level Arrows represent equivalences between DLOG on different curves

Application: generating random isogenies, studying mixing These applications of GRH and expander graphs are used in estimating the security of the upcoming Windows Longhorn product key algorithm (2006). Also, solidifies earlier heuristic cryptographic arguments which relied upon rapid mixing of the random walk (Kohel, Galbraith et al).

Brief Review of Graph Theory • Definitions: A graph is a collection of vertices V, and (undirected) edges E connecting the vertices. • A k-regular graph has exactly k edges meeting at each vertex. • Adjacency operator A on L 2(V) averages the function over its neighbors A: f(x) ! y~x f(y) • The constant functions on V are eigenfunctions with the trivial eigenvalue = k.

Expander Graphs • Graphs for which the random walk mixes rapidly (=uniformly distributed up to small error). Assume degree k is relatively small compared to the size of the graph |V| -- e. g. k = (log|V|)power. • If all nontrivial eigenvalues of A satisfy | | < k – 1/(log k)r for some r, then the random walk mixes in (log k)r+1 steps. Can serve as definition of “expander”. • “Optimal” bound is | | < 2(k-1)1/2, known as the Ramanujan bound. • Isogeny graphs are close to being “Ramanujan graphs” Can have | | = O(k 1/2+ ).

Brief History of Expander Graphs • Originally shown to exist by counting methods Pinsker: There are far more graphs than there are non-expander graphs. • Margulis (70 s, 80 s), Lubotzky-Phillips-Sarnak (1986) give first constructions. • LPS “Ramanujan graphs” use the (known) Ramanujan conjectures in their proof. The Ramanujan conjectures in number theory are a statement about optimal cancellation in random sums. • Other constructions: Reingold-Vadhan-Wigderson “Zig. Zag”, algebraic geometry. Have algebraic flavor.

The Isogeny Graphs are Expanders • Supersingular case: essentially already observed by Ihara, Mestre, and Pizer. Relies on (known) Ramanujan conjectures as well, properties of Brandt matrices. • Ordinary case (JMV): construction of isogeny graphs is a new method of constructing expanders with small degree k = (log|V|)power. Relies conditionally on the (unproven) Generalized Riemann Hypothesis “GRH”.

“GRH Graphs” New, conditional construction of expander graphs. • Let Q be a large integer. • Let S = { primes p < (log Q)B , p - Q } , for B > 2. • Define the graph to have – vertices V=(Z/QZ)*. – edges connecting v to pv, for each v 2 V and p 2 S. – ( is the Cayley graph of the group (Z/QZ)* with respect to the generating set S). • Theorem – Assuming GRH, is an expander: its nontrivial eigenvalues satisfy the bound | | = O(k 1/2+1/B).

Conclusions (Assuming GRH) • DLOG has roughly equivalent difficulty on elliptic curves over Fq whose endomorphism rings are “comparable” in size. • There is a random polynomial time reduction (equivalence) between the DLOG problems on such elliptic curves. • NIST and IPSec international standards curves were not chosen as to foist cryptographically weak curves upon an unsuspecting public. • Method gives a new elementary construction of expander graphs.