Parameters for Secure Elliptic Curve Cryptosystem

Improvements on Schoof's Algorithm

Tetsuya Izu (1), Jun Kogure (2), Masayuki Noro (1), and Kazuhiro Yokoyama (1)

(1) Fujitsu Laboratories Ltd., 4-1-1 Kamikodanaka Nakahara-ku Kawasaki 211-8588, Japan
[email protected], {noro,yokoyama}@para.flab.fujitsu.co.jp
(2) Fujitsu Ltd., Nikko Fudousan Bldg. 2-15-16 Shinyokohama Kouhoku-ku Yokohama 222-0033, Japan
[email protected]

Abstract. The security of an elliptic curve cryptosystem depends on the choice of the elliptic curve on which the cryptographic operations are performed. Schoof's algorithm is used to define a secure elliptic curve, as it can compute the number of rational points on a randomly selected elliptic curve defined over a finite field. By realizing an efficient combination of several improvements, such as Atkin-Elkies's method, the isogeny cycles method, and the baby-step-giant-step algorithm, we can count the number of rational points on an elliptic curve over $GF(p)$ in a reasonable time, where p is a prime whose size is around 240 bits.

1 Introduction

When we use the Elliptic Curve Cryptosystem (ECC for short), we first have to define an elliptic curve over a finite field. Schoof's method is believed to generate the most secure elliptic curves for ECC, as it can compute the cardinality of a randomly selected curve. Though Schoof's algorithm was not efficient in its original form, thanks to the contributions of many people, such as Atkin [1], Elkies [4], Morain [9], Couveignes [3], Lercier [8], and so on, the algorithm became remarkably faster. However, as far as the authors know, there have been no explicit criteria that give an efficient ordering for combining these improvements. The purpose of this paper is to develop an explicit criterion by introducing several new strategies. Basically, our methods can be applied independently of the characteristic of the base field. In section 2, we briefly look over the improvements of Atkin-Elkies and Couveignes-Morain. In section 3, we introduce further improvements and show an explicit criterion. In section 4, we give our experimental results to show that our improvements are actually efficient.

2 Overview of Previous Works

Let p be an odd prime. We will consider an elliptic curve E defined over $GF(p)$:
$E : y^2 = x^3 + Ax + B$, where $A, B \in GF(p)$ with $4A^3 + 27B^2 \ne 0 \pmod{p}$.

H. Imai and Y. Zheng (Eds.): Public Key Cryptography, PKC'98, LNCS 1431, pp. 253–257, 1998. © Springer-Verlag Berlin Heidelberg 1998


Schoof's Algorithm: We will briefly recall Schoof's algorithm [11]. We denote the subgroup of $\ell$-torsion points of E by $E[\ell]$. The Frobenius endomorphism $\phi : (x, y) \mapsto (x^p, y^p)$ is defined on the Tate module $T_\ell(E)$ and satisfies the equation $\phi^2 - t\phi + p = 0$, where t denotes the trace of the Frobenius map and $\#E(GF(p)) = p + 1 - t$. If we find an integer $t_\ell$ such that $\phi^2(P) + pP = t_\ell \phi(P)$ for any $P \in E[\ell]$, we get $t \equiv t_\ell \pmod{\ell}$. Therefore, if we compute $t \bmod \ell$ for various small primes $\ell$ until their product exceeds $4\sqrt{p}$ (the length of the interval $|t| \le 2\sqrt{p}$ given by Hasse's theorem), we can uniquely determine the cardinality of the curve by means of the Chinese Remainder Theorem.

Atkin-Elkies's Method: Elkies's idea [4,12] is to make use of a degree $(\ell - 1)/2$ factor $g_\ell$ of the $\ell$-division polynomial $f_\ell$ when it is possible to compute $g_\ell$ in $GF(p)[x]$ (in this case, $\ell$ is called an Elkies prime; otherwise $\ell$ is called an Atkin prime). $g_\ell$ represents an eigensubspace of the Frobenius map $\phi$, which can be computed as the kernel of an isogeny. Rather than determining the unique value of $t \bmod \ell$, Atkin [1,12] obtained certain restrictions on the value. As we then have to find the real value of t among a lot of candidates by, for example, the baby-step-giant-step algorithm [6], the Schoof-Elkies-Atkin (SEA) method consists of two phases: (I) computing $t \bmod \ell$ for various $\ell$'s; (II) determining the value of t.

Isogeny Cycles Method: According to Morain et al. [2], $t \bmod \ell^2$, $t \bmod \ell^3$, ... can be computed efficiently from $t \bmod \ell$ when $\ell$ is an Elkies prime. A factor $g_{\ell^k}$ of the $\ell^k$-division polynomial $f_{\ell^k}$ is computed, and the degree of $g_{\ell^k}$ is $\ell^{k-1}(\ell - 1)/2$.
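The two phases above on a toy curve, as an added example that is not the paper's code: a brute-force count gives t for a constructed curve over p = 10007 (standing in for phase (I), whose per-prime computation is not shown), and determine_t carries out phase (II), testing each candidate t by checking whether (p + 1 - t)Q = O holds for a curve point Q. The prime, the curve coefficients and all function names are assumptions for illustration.

```python
# Added example, not the paper's code. Constructed parameters: p = 10007 (2*sqrt(p) is about
# 200; a real p is 160 to 240 bits) and the curve y^2 = x^3 + x + 7 over GF(p).
P, A, B = 10007, 1, 7

def ec_add(p, a, P1, P2):
    """Affine chord-and-tangent addition on y^2 = x^3 + a*x + b; None is the point at infinity."""
    if P1 is None or P2 is None:
        return P1 if P2 is None else P2
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:       # P2 = -P1 (also covers doubling a 2-torsion point)
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(p, a, n, pt):
    """Double-and-add scalar multiplication n*pt."""
    acc = None
    while n > 0:
        if n & 1:
            acc = ec_add(p, a, acc, pt)
        pt = ec_add(p, a, pt, pt)
        n >>= 1
    return acc

def count_points(p, a, b):
    """#E(GF(p)) by brute force (Euler's criterion per x); feasible only for tiny p."""
    n = 1                                      # the point at infinity
    for x in range(p):
        r = (x**3 + a * x + b) % p
        n += 1 if r == 0 else 2 if pow(r, (p - 1) // 2, p) == 1 else 0
    return n

def find_point(p, a, b):
    """Some affine point on the curve; uses p = 3 (mod 4), so sqrt(r) = r^((p+1)/4)."""
    for x in range(p):
        r = (x**3 + a * x + b) % p
        if pow(r, (p - 1) // 2, p) == 1:
            return x, pow(r, (p + 1) // 4, p)

def determine_t(p, a, b, candidates):
    """Phase (II): keep the candidates t with (p + 1 - t)*Q = O for a curve point Q, i.e. those
    for which p + 1 - t is a multiple of the order of Q. The paper does this search with
    baby-step-giant-step; a plain sweep over the candidates is used here instead."""
    q = find_point(p, a, b)
    return [t for t in candidates if ec_mul(p, a, p + 1 - t, q) is None]
```

With a single point Q every t whose p + 1 - t is divisible by the order of Q survives, so a real implementation repeats the test with further points until one candidate remains.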

3 Intelligent Choice System

When we find an Elkies prime $\ell$, we have two choices in the next step: (a) compute $t \bmod \ell'$ for the next prime $\ell'$, or (b) compute $t \bmod \ell^2$. When we find an Atkin prime, we have to decide whether to compute the candidates for the value of t or just abandon it. In order to reduce the total time needed to compute the cardinality of a curve, we should have an explicit criterion by which we can make an efficient choice in various situations. For this purpose, we propose several new strategies.

3.1 Estimation of the Complexity

So far we have three methods to get information on $t \bmod \ell^k$: (1) Schoof's algorithm, (2) Atkin-Elkies's method, and (3) the isogeny cycles method. Estimation of the Complexity: Before we actually begin the computation for each prime $\ell$, we estimate the complexity of each method and choose the most efficient one (and $\ell$). For example, we can construct a "complexity function" by estimating the dominating computations. For simplicity, we only deal with $t \bmod \ell^2$ in the isogeny cycles case. Here we denote by $M(n)$ the time needed to compute the product of two polynomials of degree n:


(1) In Schoof's (original) algorithm case, we estimate its complexity at $\log p \cdot M((\ell^2 - 1)/2)$ for a prime $\ell$.
(2) In Atkin-Elkies's method case, we estimate its complexity at $\log p \cdot M(\ell + 1)$ for a prime $\ell$.
(3) In the isogeny cycles method case, we estimate its complexity at $\log p \cdot (M(U) + M((\ell - 1)/2))$ for an Elkies prime $\ell$, where U is the degree of the factor of $g_{\ell^2}$ that is used in computing $t \bmod \ell^2$.

3.2 Virtual Atkin Method, Virtual Isogeny Cycles Method

Now we introduce another method: (4) the virtual Atkin and virtual isogeny cycles method. If the total number of candidates for the value of $t \bmod \ell$ gets too large, the determination phase will take much time. Therefore we set an upper limit on the total number of candidates, which we denote by CanMAX. We define CanMAX from experiments according to the size of p.

(4) Let $T_{\ell^k}$ denote the set of candidates for $t \bmod \ell^k$. If a prime $\ell$ satisfies the following three conditions, we regard the candidates for $t \bmod \ell^{k+j}$ as
$T_{\ell^{k+j}} = \{a + b\ell^k \mid a \in T_{\ell^k},\ 0 \le b \le \ell^j - 1\}$,
and we estimate its complexity at 0.
(4-a) $t \bmod \ell_i^{k_i}$ are already computed and $4\sqrt{p} > (\prod_{i;\,\ell_i \ne \ell} \ell_i^{k_i}) \times \ell^k$.
(4-b) $4\sqrt{p} < (\prod_{i;\,\ell_i \ne \ell} \ell_i^{k_i}) \times \ell^{k+j}$.
(4-c) The total number of candidates for the value t does not exceed CanMAX.
We can consider several primes $\ell_m$ at the same time. In this case, we can replace the inequality (4-b) with
(4-b)' $4\sqrt{p} < (\prod_i \ell_i^{k_i}) \times (\prod_m \ell_m^{k_m + j_m})$, where $\ell_i \ne \ell_m$.
By this technique, we can reduce the candidates for t as well as the operations in the determination phase.

3.3 Re-ordering Atkin Primes

Even if the total number of candidates for the value t exceeds CanMAX, we do not give up using new Atkin primes. A "good" Atkin prime is one which is itself fairly large and whose number of candidates for t is small. We define the "Atkin index" of an Atkin prime $\ell$ as (the number of candidates for the value t) / $\ell$. When we find a new Atkin prime and the total number of candidates exceeds CanMAX, we look for "worse" Atkin primes and replace them with the new "better" one.

General Techniques: In estimating the complexity, we used the dominant term of each method. In order to make the criterion work efficiently, we need to minimize the effect of the non-dominant terms.
- We used Karatsuba's method in the multiplication of polynomials, so that we can assume $M(n) = n^{1.6}$ instead of $n^2$. This is effective when p is around 240 bits long.


- In the isogeny cycles case, we made use of a kind of baby-step-giant-step algorithm in calculating an eigenvalue.
- In the determination phase, we made use of projective coordinates and precomputed multiples of a fixed point.
- We used "canonical" modular equations.
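The candidate bookkeeping of sections 3.2 and 3.3 (the virtual extension $T_{\ell^{k+j}}$, conditions (4-a) to (4-c), CanMAX, the Atkin index and re-ordering) run on a constructed toy instance, as an added example that is neither from the paper nor from the authors' Risa/Asir implementation. Assumed for illustration: p = 10007, the residue sets in INFO, and all function names; determine_candidates is a brute-force stand-in for the baby-step-giant-step search of the determination phase.

```python
from itertools import product
from math import prod

CANMAX = 10**8                       # the paper's experimental setting for CanMAX
P = 10007                            # constructed toy prime: 4*sqrt(p) is about 400
# ell -> (k, candidates for t mod ell^k): Elkies 3, 5 exact, Atkin 7 = {3, 4}; "true" t = 53 fits all
INFO = {3: (1, [2]), 5: (1, [3]), 7: (1, [3, 4])}   # product of moduli 105 < 400: not enough yet

def crt(residues, moduli):
    """x = r_i (mod m_i) for pairwise coprime moduli; returns (x, product of the moduli)."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, n) % n)
        m *= n
    return x % m, m

def virtual_extend(cands, ell, k, j):
    """T_{ell^(k+j)} = {a + b*ell^k | a in T_{ell^k}, 0 <= b <= ell^j - 1}, obtained at no cost."""
    return sorted({(a + b * ell**k) % ell**(k + j) for a in cands for b in range(ell**j)})

def virtual_ok(p, ell, k, j, info):
    """Conditions (4-a), (4-b), (4-c); the 4*sqrt(p) comparisons are made exactly via squares."""
    m = prod(l**ki for l, (ki, _) in info.items() if l != ell)        # moduli of the other primes
    others = prod(len(c) for l, (_, c) in info.items() if l != ell)   # their candidate counts
    cond_a = 16 * p > (m * ell**k) ** 2             # the other primes with ell^k do not suffice
    cond_b = 16 * p < (m * ell**(k + j)) ** 2       # but together with ell^(k+j) they do
    cond_c = others * len(virtual_extend(info[ell][1], ell, k, j)) <= CANMAX
    return cond_a and cond_b and cond_c

def reorder_atkin(atkin, ell_new, cands_new, canmax=CANMAX):
    """Re-ordering: when adding a new Atkin prime exceeds canmax, drop the primes with the
    largest Atkin index (candidates / ell) first; if the newcomer is the worst, abandon it."""
    atkin = {**atkin, ell_new: cands_new}
    while prod(len(c) for c in atkin.values()) > canmax:
        worst = max(atkin, key=lambda l: len(atkin[l]) / l)
        del atkin[worst]
        if worst == ell_new:
            break
    return atkin

def determine_candidates(p, info):
    """CRT-combine every choice of residues and keep the ones inside the Hasse interval
    |t| <= 2*sqrt(p); a brute-force stand-in for the baby-step-giant-step search."""
    moduli = [l**k for l, (k, _) in info.items()]
    out = set()
    for choice in product(*(c for _, c in info.values())):
        x, n = crt(choice, moduli)
        out.update(t for t in (x, x - n) if t * t <= 4 * p)   # representatives nearest 0
    return sorted(out)
```

On this instance j = 1 fails (4-b) while j = 2 passes all three conditions, so $3^3$ is treated virtually and the 18 residue combinations shrink to 8 candidates for t inside the Hasse interval, among them the hidden value 53.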

4 Experimental Results

We have implemented the Intelligent Choice System using the Risa/Asir computer algebra system (developed by Fujitsu Laboratories Ltd. [10]) on a Pentium II 300MHz machine. We chose 300 curves over $GF(p)$, where $p = 2^{160} + 7$, $A = 1$, and $1 \le B \le 300$. We measured the average time needed to compute the cardinality of one curve. We set the value CanMAX $= 10^8$. We also put the best and the worst time in the following table. In order to see the effect of our methods we tried several combinations of them. We have not yet implemented Schoof's original algorithm.

(Case I) Using Intelligent Choice System (seconds):

No.  isogeny  virtual  re-ordering  best  average  worst
(1)  YES      YES      YES          34.7  66.5     334.7
(2)  NO       YES      YES          56.2  82.8     330.9
(3)  YES      NO       YES          43.7  76.1     339.4
(4)  YES      YES      NO           34.4  68.0     348.2

(Case II) Not Using Intelligent Choice System (seconds):

No.  isogeny  virtual  re-ordering  best  average  worst
(5)  YES      NO       NO           43.6  83.4     365.3
(6)  YES      NO       NO           43.6  86.9     374.1

(5) uses isogeny cycles if $g_\ell$ has a factor of degree $\le 32$. (6) uses isogeny cycles if $g_\ell$ has a factor of degree $\le 64$.

Our strategies can be characterized as follows:
(a) The estimation of the complexity strategy has the main effect of speeding up the computation process overall.
(b) The isogeny strategy and the virtual methods strategy have the main effect of speeding up the computation process in good cases (the case where we can proceed to the determination phase early on).
(c) The re-ordering strategy should have the main effect of speeding up the computation process in bad cases (the case where the number of candidates for t exceeds CanMAX).

Currently our implementation of the calculation of $x^{p^i}$ has not yet been tuned up. The authors believe that we can see a better effect after tuning up the process.

Remark: When we search for an appropriate curve for ECC, we would like to use a curve whose cardinality is a prime. For this purpose, we can use the "early abort" strategy [7]. We check whether the cardinality has a factor in each step of the computation of $t \bmod \ell$. If we find that the cardinality is not a prime, we can abandon the curve and try the next one. When $p = 2^{240} + 115$, we could try 3569 curves in 52.5 hours, and found 16 curves whose cardinalities are prime numbers.

5 Conclusion

We have introduced an explicit criterion for the efficient computation of the cardinality of an elliptic curve over a finite field. The experiment shows that we could speed up the process by almost 20%. Therefore we can find elliptic curves whose cardinalities are prime numbers in a reasonable time when the characteristic p of the base field is around 240 bits long. We are going to tune up the complexity estimation function and CanMAX to get a better result. We will also implement FFT for the case when p is a larger prime. Currently we are preparing another paper [5] for the details.

References

1. Atkin, A.O., The number of points on an elliptic curve modulo a prime, preprint, 1988.
2. Couveignes, J.-M., Dewaghe, L., Morain, F., Isogeny cycles and the Schoof-Elkies-Atkin algorithm, LIX/RR/96/03, 1996.
3. Couveignes, J.-M., Morain, F., Schoof's algorithm and isogeny cycles, In ANT-I, L. Adleman and M.-D. Huang, Eds., Lecture Notes in Computer Science, 877, pp. 43–58, 1994.
4. Elkies, N.D., Explicit isogenies, preprint, 1991.
5. Izu, T., Kogure, J., Noro, M., Yokoyama, K., Secure Elliptic Curve Cryptosystem: Improvements on Schoof's Algorithm by Intelligent Choice System, in preparation.
6. Lercier, R., Algorithmique des courbes elliptiques dans les corps finis, Doctoral Thesis, L'École Polytechnique, 1997.
7. Lercier, R., Finding good random elliptic curves for cryptosystems defined over F2n, In EUROCRYPT '97, W. Fumy, Ed., Lecture Notes in Computer Science, 1233, pp. 379–392, 1997.
8. Lercier, R., Morain, F., Counting the number of points on elliptic curves over finite fields: strategy and performances, In EUROCRYPT '95, L.C. Guillou and J.J. Quisquater, Eds., Lecture Notes in Computer Science, 921, pp. 79–94, 1995.
9. Morain, F., Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques, J. Théor. Nombres Bordeaux 7 (1995) 255–282.
10. Noro, M., Takeshima, T., ftp://endeavor.fujitsu.co.jp/pub/isis/asir
11. Schoof, R., Elliptic curves over finite fields and the computation of square roots mod p, Math. Comp. 44 (1985) 483–494.
12. Schoof, R., Counting points on elliptic curves over finite fields, J. Théor. Nombres Bordeaux 7 (1995) 219–254.