HAL Id: inria-00514426
https://hal.inria.fr/inria-00514426
Submitted on 2 Sep 2010
HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
Finding secure curves with the Satoh-FGH algorithm and an early-abort strategy
Mireille Fouquet, Pierrick Gaudry, Robert Harley
To cite this version:
Mireille Fouquet, Pierrick Gaudry, Robert Harley. Finding secure curves with the Satoh-FGH algorithm and an early-abort strategy. Eurocrypt, 2001, Innsbruck, Austria. pp. 14-29, doi:10.1007/3-540-44987-6_2. inria-00514426
Finding Secure Curves with the Satoh-FGH Algorithm and an Early-Abort Strategy

Mireille Fouquet (1), Pierrick Gaudry (1), and Robert Harley (2)

(1) LIX, École polytechnique, 91128 Palaiseau Cedex, France
(2) ArgoTech, 26ter rue Nicolaï, 75012 Paris, France
Abstract. The use of elliptic curves in cryptography relies on the ability to count the number of points on a given curve. Before 1999, the SEA algorithm was the only efficient method known for random curves. Then Satoh proposed a new algorithm based on the canonical p-adic lift of the curve for $p \ge 5$. In an earlier paper, the authors extended Satoh's method to the case of characteristic two and three. This paper presents an implementation of the Satoh-FGH algorithm and its application to the problem of finding curves suitable for cryptography. By combining Satoh-FGH and an early-abort strategy based on SEA, we are able to find secure random curves in characteristic two in much less time than previously reported. In particular we can generate curves widely considered to be as secure as RSA-1024 in less than one minute each on a fast workstation.
1 Introduction

Since elliptic curve cryptosystems were first proposed in the mid-eighties by Koblitz [Kob87] and Miller [Mil87], their efficiency and security have been the focus of intense study. In recent years, they have become widely accepted as an alternative to cryptosystems based on factorisation or discrete logarithms in finite fields, especially for constrained environments.

One of the initial steps in protocols based on elliptic curve cryptography is to generate a suitable curve defined over a finite field. To ensure that the system is secure, the curve must be chosen to have a number of points which is divisible by a large prime, so that computing discrete logarithms on the curve is intractable using known attacks. Hence it is necessary to know the cardinality of the curve.

Among the elliptic curves defined over a given finite field, there are some classes of curves with particular properties that are useful for counting points or for accelerating arithmetic operations occurring in the protocols. However, choosing such curves can be dangerous.

Perhaps the most striking example is trace 1 curves. The number of points over $\mathbb{F}_q$ is simply q. However Smart [Sma99], Satoh-Araki [SA98] and Semaev [Sem98] independently discovered a polynomial-time attack.

Another attack due to Menezes-Okamoto-Vanstone [MOV91], and generalised by Frey-Rück [FR94], reduces discrete logs on supersingular and trace 2 curves to discrete logs in a small-degree extension of $\mathbb{F}_q$. This yields an algo-

[GLV], [DGM99] including curves defined over a small subfield, proposed by Koblitz, and some complex-multiplication curves. Attacks on these curves take less time than for generic curves, but remain in exponential time.

It has recently been shown by Gaudry-Hess-Smart [GHS00] that curves defined over composite extension fields are also weak in certain cases, using a reduction via hyperelliptic curves.

These results suggest that for maximum security one should avoid curves with special properties and instead choose a random curve whose number of points is divisible by a large prime, over a prime field or an extension of prime degree. This ideal procedure was made possible in practice by the SEA algorithm due to Schoof [Sch85], [Sch95], Elkies [Elk98], Atkin [Atk92] and others [Cou94], [Cou96], [Mor95], [Ler97a], [Mul95], [Dew98], etc. With this method, counting points on one given curve is reasonably fast.

However, finding a cryptographically suitable curve requires testing many curves, and this takes much more time. For instance, Johnson and Menezes [JM99] recently described this process as a "complicated and cumbersome task" requiring "a few hours on a workstation" for 200 bits.

Recently, a new algorithm for counting points on curves in small characteristic $p \ge 5$ was designed by Satoh [Sat00], and we extended it to characteristics two and three in [FGH00]. An independent extension to characteristic two is described by Skjernaa [Skj].

Satoh's algorithm is asymptotically superior to SEA for fixed p, requiring $O(\log^{3+\varepsilon} q)$ deterministic time, instead of $O(\log^{4+\varepsilon} q)$ under reasonable hypotheses. As demonstrated in [FGH00], the Satoh-FGH algorithm is much faster in practice in characteristic two. Indeed we were able to count points over much larger fields (up to 8009 bits) than had previously been possible, and could match the largest size reached with SEA (i.e. 1999 bits) in just three hours.

In the following we will describe a method for generating cryptographically suitable curves, over fields of 113 to 571 bits, using an implementation of the Satoh-FGH algorithm combined with an efficient early-abort strategy based on ideas from SEA. In this manner we reduce substantially the time required for curve generation, finding suitable 200-bit curves in minutes rather than hours on a workstation, for instance.

In section 2, we recall some basic facts about elliptic curves defined over finite fields of characteristic two. Next we review some algorithms that can be used to compute the cardinality of a curve, and in particular we give a description of the Satoh-FGH algorithm. Section 4 gives the conditions that a curve must satisfy in order to be suitable for cryptographic applications. It also describes the early-abort strategy first used by Lercier in [Ler97a] for selecting good curves. Last but not least we describe our implementation and the results we obtained by
In this section, we recall some basic facts about elliptic curves defined over $\mathbb{F}_q$ where $q = 2^d$. We will only be concerned with characteristic two. For more information on elliptic curves, the reader can refer to [Men93], [Sil86], [BSS99].

For our purposes, we can choose the equation of an elliptic curve E (with non-zero j-invariant) to be:

$E:\ y^2 + xy = x^3 + a_6, \quad \text{where } a_6 \in \mathbb{F}_q.$

Its twist curve is:

$E':\ y^2 + xy = x^3 + a_2 x^2 + a_6, \quad \text{where } a_2 \text{ is some fixed element of trace 1.}$

An important invariant of the curve is its j-invariant $j(E) = 1/a_6$. In the following we assume $j(E) \notin \mathbb{F}_4$, and in particular that curves are ordinary, i.e., not supersingular.

The set of points $E(\mathbb{F}_q)$ of the curve is:

$E(\mathbb{F}_q) = \{(x, y) \in \mathbb{F}_q^2 \mid (x, y) \text{ satisfies the equation of } E\} \cup \{O_E\},$

where $O_E$ is the point at infinity.

The Frobenius automorphism F is the map $x \mapsto x^q$ on $\mathbb{F}_q$. It can be extended to an endomorphism of E:

$F:\ E \to E, \quad (x, y) \mapsto (x^q, y^q).$

Its characteristic equation is of the form:

$F^2 - cF + q = 0.$

One can show that the number of points on E is

$N = q + 1 - c, \quad \text{with } |c| \le 2\sqrt{q},$

where c is the trace of Frobenius on E. The bound on c is due to Hasse [Has33]. Note that $4 \mid N$, since the point $(\sqrt[4]{a_6}, \sqrt{a_6})$ on E has order four. The number of points on $E'$ is $N' = q + 1 + c$, and one has $2 \,\|\, N'$.

The little Frobenius automorphism σ is the map $x \mapsto x^2$. It can be extended to an isogeny from E to the conjugate curve $E^\sigma:\ y^2 + xy = x^3 + a_6^2$ as follows:

$\Sigma:\ E \to E^\sigma, \quad (x, y) \mapsto (x^2, y^2).$
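As an added example (not part of the paper), the following Python code checks the facts above by brute force over a small field: it counts the points of E and of its twist E' over $\mathbb{F}_{2^d}$, recovers the trace c, and verifies Hasse's bound, $4 \mid N$, $N' = q + 1 + c$ and $2 \,\|\, N'$. The field $\mathbb{F}_{2^7} = \mathbb{F}_2[x]/(x^7 + x + 1)$, the coefficient $a_6$ and the choice $a_2 = 1$ (which has trace 1 because d is odd) are constructed for the example.

```python
# Added example, not from the paper: brute-force point counting on
# E: y^2 + xy = x^3 + a6 and its twist E': y^2 + xy = x^3 + a2 x^2 + a6 over
# F_q, q = 2^d (elements are d-bit ints), checking the Section 2 relations.

def gf2_mul(a, b, f, d):
    """Multiply a and b in F_2[x]/(f), with f irreducible of degree d."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> d:                         # degree reached d: reduce by f
            a ^= f
    return r

def gf2_trace(a, f, d):
    """Absolute trace Tr(a) = a + a^2 + ... + a^(2^(d-1)); always 0 or 1."""
    t, p = 0, a
    for _ in range(d):
        t ^= p
        p = gf2_mul(p, p, f, d)
    return t

def count_points(a2, a6, f, d):
    """#E(F_q) for y^2 + xy = x^3 + a2 x^2 + a6, counting the point O_E."""
    q, n = 1 << d, 1
    for x in range(q):
        x2 = gf2_mul(x, x, f, d)
        rhs = gf2_mul(x2, x, f, d) ^ gf2_mul(a2, x2, f, d) ^ a6
        n += sum(1 for y in range(q)
                 if gf2_mul(y, y, f, d) ^ gf2_mul(x, y, f, d) == rhs)
    return n

def curve_and_twist(a6, a2, f, d):
    """Return (N, c, N') and check the relations stated in Section 2."""
    q = 1 << d
    assert a6 != 0 and gf2_trace(a2, f, d) == 1, "need a6 != 0 and Tr(a2) = 1"
    n = count_points(0, a6, f, d)
    c = q + 1 - n                          # trace of Frobenius, N = q + 1 - c
    n_twist = count_points(a2, a6, f, d)
    assert c * c <= 4 * q                  # Hasse: |c| <= 2 sqrt(q)
    assert n % 4 == 0                      # (a6^(1/4), a6^(1/2)) has order 4
    assert n_twist == q + 1 + c and n_twist % 4 == 2   # N' = q + 1 + c, 2 || N'
    return n, c, n_twist

if __name__ == "__main__":
    # Constructed parameters: F_{2^7} = F_2[x]/(x^7 + x + 1), a6 = x^3 + x + 1,
    # a2 = 1 (trace 1 since d is odd); j(E) = 1/a6 lies outside F_4.
    print(curve_and_twist(0b1011, 1, 0b10000011, 7))
```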
3.1 The Schoof-Elkies-Atkin Algorithm

The first polynomial-time algorithm for counting points on elliptic curves over finite fields was described by Schoof in [Sch85]. The basic idea is to find the trace of the curve modulo small primes ℓ by studying the action of F on the ℓ-torsion part of E. Restricting the characteristic equation of F to the ℓ-torsion results in

$(X^{q^2}, Y^{q^2}) + [q](X, Y) = [c_\ell](X^q, Y^q)$

for each point (X, Y), where $c_\ell \equiv c \bmod \ell$. This equality can be tested, for each candidate $c_\ell \in [0 \ldots \ell - 1]$, by doing polynomial arithmetic modulo the ℓ-division polynomial. Now, it suffices to compute $c_\ell$ for many small primes ℓ and then to recover the exact result using the Chinese Remainder Theorem. The time required for point-counting over $\mathbb{F}_q$ with this algorithm is $O(\log^{5+\varepsilon} q)$ using asymptotically fast methods for arithmetic (or $O(\log^8 q)$ using naive arithmetic). The degree of the ℓ-division polynomial is $O(\ell^2)$, which grows quickly and causes this algorithm to be slow in practice.

In large characteristic, Elkies [Elk98] and Atkin [Atk92] improved Schoof's method, yielding the so-called SEA algorithm (see [Sch95]) with run-time reduced to $O(\log^{4+\varepsilon} q)$ (or $O(\log^6 q)$) under reasonable hypotheses. Their idea is to construct a factor of degree $O(\ell)$ of the division polynomial and work with it instead. Such a factor can be found by factoring the modular polynomial to find eigenspaces of the Frobenius endomorphism F restricted to $E[\ell]$.

Further work by Morain [Mor95] and others led to practical implementations of SEA for prime fields. Couveignes extended SEA to work in small characteristic using the formal group [Cou94] or the p-torsion [Cou96], and Lercier found an efficient method for characteristic two [Ler97a].
3.2 The Satoh-FGH Algorithm

Here we present our adaptation of Satoh's algorithm to the case of characteristic two. The reader can find more details, including for odd characteristic, in [Sat00] and [FGH00].

The principal idea of this new algorithm is to lift E to a curve $\mathcal{E}$ over a 2-adic ring $\mathbb{Z}_q$ and to compute the trace of the Frobenius on $\mathcal{E}$.

Canonical Lift of the Curve. Just as $\mathbb{F}_q$ is obtained from $\mathbb{F}_2$ by taking an algebraic extension modulo an irreducible polynomial f(x), one can obtain $\mathbb{Z}_q$ from the 2-adic integers $\mathbb{Z}_2$ by taking an extension modulo a polynomial g(x) which reduces modulo 2 to f(x). Thus we have $\mathbb{Z}_q = \mathbb{Z}_2[x]/(g(x))$. We represent

[Figure: the degree-d extensions $\mathbb{F}_2 \subset \mathbb{F}_q$ and $\mathbb{Z}_2 \subset \mathbb{Z}_q$, with $\mathbb{Z}_q$ reducing modulo 2 to $\mathbb{F}_q$.]

A Frobenius morphism F can also be defined on $\mathbb{Z}_q$. In this case it is not a simple q-th powering operation but something much more complicated. We do not define it explicitly since we will never have to compute it. Similarly, there exists a little Frobenius morphism. For further details on $\mathbb{Z}_q$ and its Frobenius maps, see [Ser68].

A theorem of Lubin, Serre and Tate [LST64] guarantees the existence and uniqueness of a canonical lifted curve $\mathcal{E}$ over $\mathbb{Z}_q$ such that $\mathrm{End}(\mathcal{E}) = \mathrm{End}(E)$, via a canonical lift of the j-invariant. Indeed $J = j(\mathcal{E})$ is characterised by $J \equiv j(E)$ modulo 2 and $\Phi_2(J, \sigma(J)) = 0$, where $\Phi_2$ is the 2-modular polynomial.

A crucial part of Satoh's contribution is an efficient algorithm for lifting j-invariants. Instead of lifting j(E) in isolation, he suggests lifting the whole cycle of conjugate j's simultaneously. He also proposes considering the duals $\hat\Sigma_i$ of the little Frobenius isogenies instead of the $\Sigma_i$ themselves. Indeed the duals are separable and hence are determined by their kernel. After having lifted the j-invariants using Satoh's method, we lift the coefficients of the curves and then compute the kernels by lifting a 2-torsion point on each conjugate curve, using the methods from [FGH00]. As a result, we compute the following diagram:
$\mathcal{E}_0 \xrightarrow{\hat\Sigma_0} \mathcal{E}_1 \xrightarrow{\hat\Sigma_1} \cdots \xrightarrow{\hat\Sigma_{d-2}} \mathcal{E}_{d-1} \xrightarrow{\hat\Sigma_{d-1}} \mathcal{E}_0$

$E_0 \xrightarrow{\hat\Sigma_0} E_1 \xrightarrow{\hat\Sigma_1} \cdots \xrightarrow{\hat\Sigma_{d-2}} E_{d-1} \xrightarrow{\hat\Sigma_{d-1}} E_0$

Here the top row is over $\mathbb{Z}_q$ to precision $O(2^{d/2 + o(d)})$, and the vertical map from the top row to the bottom row is reduction modulo 2 down to $\mathbb{F}_q$.
Computing the Trace in $\mathbb{Z}_q$. Since traces are preserved by taking the dual and by canonical lifting, we have the equation:

$\mathrm{Tr}(F) = \mathrm{Tr}(\hat F) = \mathrm{Tr}(\hat{\mathcal{F}}).$

Moreover $\hat{\mathcal{F}}$ can be written as the composition

$\hat{\mathcal{F}} = \hat\Sigma_{d-1} \circ \cdots \circ \hat\Sigma_1 \circ \hat\Sigma_0.$

isogenies are represented by power series, and composing isogenies is done by composing the power series. The first coefficient $c_1$ of the power series of $\hat{\mathcal{F}}$ is related to its trace as follows:

$\mathrm{Tr}\,\hat{\mathcal{F}} = c_1 + \frac{q}{c_1}.$

Therefore, computing the trace can be done by computing $c_1$, and the latter can be computed by composing all the power series of the $\hat\Sigma_i$. Only the first coefficients $g_i$ of the $\hat\Sigma_i$ have to be determined, and this can be done with Vélu's formulae [Vel71]. More precisely, $g_i^2$ is given by an explicit formula involving the lifted curves and 2-torsion. Taking one of the square roots of $\prod g_i^2$ produces the trace to sufficient precision for it to be recovered exactly using Hasse's bound.
3.3 Description of the Algorithm

In this section, we give a synthetic description of the algorithm. For a more detailed one, we refer the reader to [FGH00]. The general procedure is:

Procedure MainAlgorithm
Input: An elliptic curve E defined over $\mathbb{F}_q$, with $j(E) \notin \mathbb{F}_4$.
Output: The trace of the curve.
1. Compute the cycle of d curves $E_i$ and their j-invariants $j_i$.
2. Lift all the $j_i$'s simultaneously, yielding $J_i$.
3. Lift each curve by lifting its $a_6$ coefficient.
4. Lift the kernel of each $\hat\Sigma_i$.
5. Compute the trace from the lifted data.

In this procedure, points 2, 3 and 4 concern the lifting of the cycle of curves and of the kernels. We will detail these first. An essential ingredient is Newton's iteration for improving the (2-adic) precision of a root of a function.

Procedure LiftCurvesAnd2Torsion
Input: A cycle of d conjugate curves, and their j-invariants.
Output: The canonical lift of this cycle over $\mathbb{Z}_q$.
1. Lift the j-invariants simultaneously using an adaptation of the Newton iteration to the multivariate case. The function to be considered acts on a $1 \times d$ vector: $(x_0, \ldots, x_{d-1}) \mapsto (\Phi_2(x_0, x_1), \Phi_2(x_1, x_2), \ldots, \Phi_2(x_{d-1}, x_0))$, and the initial approximation of the root is the vector $(j_0, j_1, \ldots, j_{d-1})$ modulo 2.
2. Lift each curve $E_i$ by lifting its $a_6$ coefficient, yielding $A_i$, using a Newton iteration with the function $f(x) = 1 + J(x + 432x^2)$ and the initial approximation $1/J_i$ modulo 16.
3. Lift the 2-torsion point in the kernel of each $\hat\Sigma_i$, yielding $(X_i, Y_i)$ on $\mathcal{E}_i$, using a Newton iteration based on the function $f(x) = 8x^3 + x^2 + A_i$ with initial approximation $1/J$ modulo 4.

done, it remains to compute the trace of $\hat{\mathcal{F}}$. The equations in the following algorithm are derived from Vélu's formulae.

Procedure ComputeTrace
Input: A cycle of d curves, given by $A_i$, and 2-torsion abscissae $X_i$.
Output: The trace of $\hat{\mathcal{F}}$.
1. Compute the square of the first coefficient of the expansion of each $\hat\Sigma_i$ in the formal group of $\mathcal{E}_i$ using Vélu's formulae. The result is:

$g_i^2 = \frac{1 - 252 X_i + 19008 A_i}{(1 + 120(X_i + 6X_i^2))(-1 + 864 A_{i+1})}.$

2. Compute $c^2 = \prod g_i^2$.
3. Compute c by computing a square root of $c^2$ and by determining the sign using $c \equiv 1 \bmod 4$.
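The following Python code is an added example, not the paper's implementation. It works in the simplest case $d = 1$, where $\mathbb{Z}_q = \mathbb{Z}_2$ and an element known to precision k is just an integer modulo $2^k$, and shows two ingredients of the procedures above: Newton's iteration for improving 2-adic precision (here for computing $1/J$, as the paper does for its initial approximations and for inversion), and step 3 of ComputeTrace, recovering c from $c^2 \bmod 2^k$ via a 2-adic square root, the sign rule $c \equiv 1 \bmod 4$ and Hasse's bound. The instance (d = 7, true trace c = -11) is constructed.

```python
# Added example, not the paper's code.  Two ingredients of the procedures
# above in the simplest ring, d = 1, where Z_q = Z_2 and an element known
# to precision k is just an integer modulo 2^k: Newton's iteration for
# improving 2-adic precision (here for 1/J), and step 3 of ComputeTrace,
# recovering c from c^2 mod 2^k with the sign rule c = 1 mod 4 and Hasse.
from math import isqrt

def newton_inverse(J, k):
    """1/J mod 2^k for odd J; x <- x(2 - Jx) doubles the precision each step."""
    x, prec = 1, 1                         # J*1 = 1 mod 2, so 1 bit is correct
    while prec < k:
        prec = min(2 * prec, k)
        x = x * (2 - J * x) % (1 << prec)
    return x

def sqrt_2adic(t2, k):
    """One square root of the odd residue t2 modulo 2^k (k >= 3), by Hensel
    lifting: if x^2 = t2 mod 2^j then x or x + 2^(j-1) is a root mod 2^(j+1)."""
    assert t2 % 8 == 1, "an odd square is 1 mod 8"
    x = 1                                  # root modulo 8
    for j in range(3, k):
        if (x * x - t2) % (1 << (j + 1)):
            x += 1 << (j - 1)
    return x % (1 << k)

def recover_trace(c2_mod, d):
    """Trace c of Frobenius from c^2 modulo 2^k, k = ceil(d/2) + 3, q = 2^d."""
    q, k = 1 << d, (d + 1) // 2 + 3
    m = 1 << k
    x = sqrt_2adic(c2_mod % m, k)
    # an odd residue has four square roots mod 2^k: +-x and +-x + 2^(k-1)
    roots = {x, m - x, (x + m // 2) % m, (m - x + m // 2) % m}
    bound = isqrt(4 * q)                   # Hasse: |c| <= 2 sqrt(q)
    candidates = [c for r in roots if r % 4 == 1   # 4 | N forces c = 1 mod 4
                  for c in (r, r - m) if -bound <= c <= bound]
    assert len(candidates) == 1, "precision too low to pin down c"
    return candidates[0]

if __name__ == "__main__":
    # Constructed instance: d = 7 (q = 128) and true trace c = -11, so the
    # algorithm would deliver c^2 = 121 to 7 bits; N = q + 1 - c = 140.
    c = recover_trace((-11) ** 2 % 128, 7)
    print(c, 128 + 1 - c, newton_inverse(3, 7))
```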
4 Good Elliptic Curves in Cryptography

The security of elliptic curve cryptosystems depends on the difficulty of solving the elliptic curve discrete logarithm (ECDL) problem. As mentioned in the introduction, there are several attacks against curves with special properties, such as the one against trace 1 curves, or the MOV reduction for supersingular curves, etc.

For random curves, the chance that one of these methods can apply is vanishingly small. However, there are other attacks that work for generic abelian finite groups.

The first is Pohlig-Hellman reduction [PH78]. When the group order N has all its prime factors small, discrete logs can be computed quickly by working in small subgroups. Thus for good security it is essential to pick a group whose order is divisible by a large prime.

The other attacks are algorithms that run in time $O(\sqrt{N})$. They include Shanks' baby-step giant-step algorithm (see [Coh96]) and Pollard's method [Pol78]. In practice, the most difficult ECDL that has been computed is on a Koblitz curve over $\mathbb{F}_{2^{109}}$ using a distributed version of Pollard-ρ [Har00].

By extrapolating the work required to larger sizes and allowing safety margins for future increases in computing power, it is generally believed (see [FIPS186], [LV00], [P1363], [Sil00]) that a random curve whose order is divisible by a prime of at least 160 bits will offer reasonable security, comparable to 80-bit symmetric systems or 1024-bit RSA. For applications with the highest security requirements, one may take larger safety margins.

To find a secure curve, Lercier [Ler97a] proposed an early-abort strategy to use when computing the cardinality of the curve using SEA. The idea is to test on the fly if $q + 1 - c \equiv 0 \bmod \ell$. If the test is true, then we throw away the curve and try again with another one. Since SEA computes $c \bmod \ell$, this test

the existing literature on the subject [LM95], [IKNY98], [MP98].

A difficulty that arises when designing an early-abort strategy to use with the Satoh-FGH algorithm is that $c \bmod \ell$ is not available (except for ℓ a power of p). Our solution is to implement a simplified version of SEA to determine whether the curve has a rational point of ℓ-torsion or not for the first few primes ℓ, as a preliminary step before launching Satoh-FGH. There is a trade-off to be made between the extra cost of these calculations and the benefit to be gained by avoiding an entire cardinality computation. In practice we found this strategy to be very worthwhile and obtained run-times lower than those previously reported in the literature.
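As an added example (not the paper's code), the curve-selection logic of this section written out as a defender would script it: `early_abort` is Lercier's test applied to the residues $c \bmod \ell$ that the preliminary step is assumed to provide, and `accept_curve` applies the remaining conditions to the final order $N = q + 1 - c$, rejecting trace 1 curves, requiring $N = 4p$ with p a prime of a chosen minimum size (Pohlig-Hellman; the cofactor 4 is forced by $4 \mid N$), and rejecting curves whose MOV/Frey-Rück embedding degree is at or below a chosen limit. The Miller-Rabin primality test, the toy field size $q = 2^7$ and the traces used are constructed for the example.

```python
# Added example, not from the paper: the curve-selection logic of Section 4.
# early_abort() is Lercier's test on residues c mod l assumed to come from the
# preliminary SEA-style step; accept_curve() checks the final order N = q+1-c:
# no trace-1 curve, N = 4 * p with p a large prime, large embedding degree.

def early_abort(q, c_mod, primes):
    """Return the first l with q + 1 - c = 0 mod l (the curve has a rational
    l-torsion point, so l | N), or None if the curve survives all primes."""
    for l in primes:
        if (q + 1 - c_mod[l]) % l == 0:
            return l
    return None

def is_probable_prime(n):
    """Miller-Rabin with 12 fixed bases (deterministic for n < 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    s, r = n - 1, 0
    while s % 2 == 0:
        s, r = s // 2, r + 1
    for a in bases:
        x = pow(a, s, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def embedding_degree(q, p, limit):
    """Smallest k <= limit with q^k = 1 mod p, else None (MOV needs a small k)."""
    for k in range(1, limit + 1):
        if pow(q, k, p) == 1:
            return k
    return None

def accept_curve(q, c, min_prime_bits, mov_limit):
    """Decide whether a curve of trace c over F_q is cryptographically usable."""
    n = q + 1 - c
    if c == 1:
        return False, "trace 1: anomalous curve"
    p = n // 4                              # 4 | N always holds here (Section 2)
    if n % 4 or not is_probable_prime(p) or p.bit_length() < min_prime_bits:
        return False, "N has no large prime factor (Pohlig-Hellman)"
    if embedding_degree(q, p, mov_limit) is not None:
        return False, "small embedding degree (MOV / Frey-Rueck reduction)"
    return True, "N = 4 * %d" % p
```

With q = 128 (d = 7), a constructed trace c = 5 gives N = 124 = 4 * 31 and embedding degree 5, so it passes with `mov_limit=4` and is rejected with `mov_limit=5`; c = -11 gives N = 140 = 4 * 35 and is rejected by the prime test.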
5 Implementation and Results

5.1 Implementation Details

We wrote optimised implementations of the early-abort strategy and the Satoh-FGH algorithm for characteristic two, in the C programming language. This implementation of the early-abort strategy is independent of Lercier's. For multiplication in $\mathbb{F}_q$ we used Karatsuba's algorithm; in $\mathbb{Z}_q$ we used Toom's algorithm. To ensure that modular reduction took very little time, we chose the irreducible polynomial to be a trinomial or pentanomial. For division we used the binary Euclidean algorithm in $\mathbb{F}_q$, and inversion by Newton iterations in $\mathbb{Z}_q$.

Most of our timing tests were run on a 750 MHz EV6 Alpha. In order to compare results with [Ler97a], we also ran some tests on a 266 MHz EV4 Alpha identical to the one Lercier used. Note that the difference between these processors is greater than a comparison of clock speeds alone would suggest: for usual applications, the gain is by a factor of about 15. Finally we timed curve generation for one small field on a 275 MHz StrongARM chip.

In the early-abort part, as explained below, the most time-consuming parts are lazy factorizations of small-degree polynomials over $\mathbb{F}_q$. The most frequent operation is multiplication in $\mathbb{F}_q$. We give relevant timings obtained on the 750 MHz Alpha in Table 1.

Field size                                   163 bits   193 bits   239 bits   409 bits   571 bits
Cost of a multiplication in $\mathbb{F}_q$   0.488 µs   0.639 µs   0.917 µs   2.632 µs   4.685 µs

Table 1. Cost of a multiplication in $\mathbb{F}_q$ on a 750 MHz EV6 Alpha.

The most frequent operation in the point-counting part is multiplication in $\mathbb{Z}_q$. In Table 2, we give the time for one such operation at the highest 2-adic precision required, i.e., $\lceil d/2 \rceil + 3$ bits, for various field sizes d. These measurements