Security in Genus 3

transcript

Security in Genus 3

Kim Laine and Kristin Lauter

UC Berkeley, Microsoft Research

November 13, 2014

Kim Laine and Kristin Lauter (UC Berkeley, Microsoft Research) Security in Genus 3 November 13, 2014 1 / 51

Security in genus 3

- A a multiplicative abelian group

- Let g ∈ A be a generator of a large prime order subgroup and h = g x forsome number x .

- x is the discrete logarithm of h with respect to g .

- Discrete logarithm problem (DLP): Compute x from h and g .

- No efficient general method (depends strongly on the group)

- Most important for cryptography: A = F×p or E (Fp), where p is large

Security in genus 3

- Neil Koblitz: “Is the DLP hard in Jacobians of higher genus curves?”

- Impressive result: Not hard enough when g > 3.

- The case g = 2 seems very interesting for crypto (fast arithmetic, seemssecure)

- The case g = 3? Claus Diem: “DLP can be solved in time complexity O(q)for non-hyperelliptic curves.”

- For genus 3 hyperelliptic curves DLP is harder.

- Ben Smith: “In some cases one can use explicit isogenies to map the DLPfrom a hyperelliptic Jacobian to a non-hyperelliptic Jacobian and solve itthere.”

- Other major developments in computing explicitly maximal isotropic isogeniesby Damien Robert et al.

- Very important to know: How feasible is Diem’s algorithm in practice? Can itbe further improved?

Security in genus 3

Structure of this talk

1. [Diem’s index calculus] See how Claus Diem’s index calculus fornon-hyperelliptic genus 3 curves works [DT, Die, Die2].

2. [New method] Introduce our variation of Diem’s algorithm.

3. [Complexity] Analyze the complexity of our algorithm.

4. [Memory cost] Introduce ways of dealing with the huge memory cost.

5. [Conclusions] What does this all mean for genus 3 cryptography?

1. Diem’s Index Calculus

Index calculus: An algorithm for solving the DLP, but the details and performancedepend strongly on the group

Diem’s index calculus: Case of non-hyperelliptic genus 3

Genus 3 non-hyperelliptic curves are precisely the smooth plane quartics.

Diem: “There is a particularly fast index calculus algorithm on Jacobians oflow-degree plane curves.” [Die, Die2]

Complexity: O(q), where the curve is defined over the finite field Fq.

Complexity of a generic method (Pollard rho): O(q3/2)

The difference is enormous for field sizes of practical interest.

Diem’s index calculus: Setup

Consider a DLPD2 − 3P0 = x · (D1 − 3P0)

on a plane quartic C/Fq. Here

deg(D1) = deg(D2) = 3 , deg(P0) = 1 .

Suppose for simplicity:

D1 = [P11 ] + [P1

2 ] + [P13 ] , D2 = [P2

1 ] + [P22 ] + [P2

where P ji are Fq-points on C

Suppose: D1 − 3P0 is a generator of a prime order subgroup andD2 − 3P0 ∈ 〈D1 − 3P0〉

Diem’s index calculus: Choosing the factor base

- Choose a set F ⊆ C(Fq) with roughly q1/2 elements.

- Include {P ij } ∪ {P0} in F .

- F is called the factor base.

- Main idea: Di − 3P0 are sums of elements of F . Find lots of linear relationsbetween the elements of F . Use linear algebra to find x .

Diem’s index calculus: Choosing the factor base

- Choose a set F ⊆ C(Fq) with roughly q1/2 elements.

- Include {P ij } ∪ {P0} in F .

- F is called the factor base.

- Main idea: Di − 3P0 are sums of elements of F . Find lots of linear relationsbetween the elements of F . Use linear algebra to find x .

Diem’s index calculus: Intersecting the curve with a line

Theorem 1 ([DT])

If you intersect the non-hyperelliptic curve C with a generic line, the intersectionwill contain four points since the curve has degree 4. Moreover, if the coefficientsof the line are in Fq and you know that two of the points of intersection aredefined over Fq, the probability that the other two are also defined over Fq is1/2 + O(q−1/2).

A standard operation: Intersecting the curve C with a line through two knownFq-points. With probability approximately 1/2 the other two points ofintersection are also Fq-points. Find those two other points if they exist.

Diem’s index calculus: Tree building

- Construct a tree T

- V set of vertices, E set of edges

- Set V = {∗}, E = ∅.- ∗ denotes a distinguished special vertex.

- The rest will be labeled by points of C(Fq).

- Iterate over pairs Fi ,Fj ∈ F , i 6= j

- Intersect C with line through Fi ,Fj

- Find other two points of intersection if they are Fq-rational (prob. 1/2)

- Call them L1, L2

- Most likely: L1, L2 /∈ V ∪ F , in which case move on

- No so likely: Say L1 ∈ F but L2 /∈ V ∪ F- Then add a vertex labeled L2; draw an edge between ∗ and L2 labeled with

[Fi ] + [Fj ] + [L1] + [L2] = 0 .

- No so likely: Say L1 ∈ V and L2 /∈ V ∪ F- Then add a vertex L2 to V; draw an edge between L1 and L2 labeled with

[Fi ] + [Fj ] + [L1] + [L2] = 0 .

- Repeat until the tree has size q3/4.

- Call them L1, L2

[Fi ] + [Fj ] + [L1] + [L2] = 0 .

- Call them L1, L2

[Fi ] + [Fj ] + [L1] + [L2] = 0 .

- Call them L1, L2

[Fi ] + [Fj ] + [L1] + [L2] = 0 .

- Call them L1, L2

[Fi ] + [Fj ] + [L1] + [L2] = 0 .

Found relation:[F1] + [F2] + [L1] + [L2] = 0, where L1 ∈ F

Found relation:[Fi] + [Fj] + [Li] + [Lj] = 0, where Li ∈ V

Diem’s index calculus: Relation search

- The graph has now q3/4 vertices.

- Iterate over remaining pairs Fi ,Fj ∈ F , i 6= j

- Each time intersect the curve with a line though Fi ,Fj .

- With probability 1/2 we have new Fq-points L1, L2.

- If both L1, L2 ∈ V, use the tree and the linear relations labeling the edges towrite

[Fi ] + [Fj ] + [L1] + [L2] =∑F∈F

λF [F ] = 0 ,

where λF are integers.

- Obtain a linear relation, a full relation, between elements of F .

- Store it.

- Repeat until you have found at least #F − 1 full relations.

[Fi ] + [Fj ] + [L1] + [L2] =∑F∈F

λF [F ] = 0 ,

- Store it.

[Fi ] + [Fj ] + [L1] + [L2] =∑F∈F

λF [F ] = 0 ,

- Store it.

[Fi ] + [Fj ] + [L1] + [L2] =∑F∈F

λF [F ] = 0 ,

- Store it.

Found relation:[Fi] + [Fj] + [Li] + [Lj] = 0, where Li, Lj ∈ V

Produced a full relation!

Diem’s index calculus: Linear algebra

Build a matrix as follows:

- Elements of F label columns

- Coefficients of full relations give rows

- For the first two rows use the divisors D1 − 3P0 and D2 − 3P0.

- Use linear algebra modulo the order of the cyclic subgroup of the Jacobian tofind a linear combination of the rows that sums to 0 and involves the firstand the second row. If γ1 and γ2 are the coefficients of the first and thesecond row, compute

x ≡ −γ1γ2.

- Output x .

x ≡ −γ1γ2.

- Output x .

x ≡ −γ1γ2.

- Output x .

x ≡ −γ1γ2.

- Output x .

Diem’s index calculus: Explanation

Why does this work?

In the Jacobian each row (full relation) equals 0 except first two.

So if we find a linear combination of the rows that involves the first and thesecond rows and equals 0, you have found γ1 and γ2 such that

γ1(D1 − 3P0) + γ2(D2 − 3P0) = 0 .

The result immediately follows as long as γ2 is invertible modulo the order ofthe cyclic subgroup.

Why does this work?

γ1(D1 − 3P0) + γ2(D2 − 3P0) = 0 .

Why does this work?

γ1(D1 − 3P0) + γ2(D2 − 3P0) = 0 .

- Running time: O(q) [Die, Die2]

- Unit of time: The standard operation

- Question: What are the logarithmic and constant factors?

- Question: What is the memory consumption like?

- Question: Are there better ways of doing this?

- Running time: O(q) [Die, Die2]

- Unit of time: The standard operation

- Question: What are the logarithmic and constant factors?

- Question: What is the memory consumption like?

- Question: Are there better ways of doing this?

2. A New Method

New method: Initialization

- Let λ be a positive root of

λ exp(4λ8)

= q1/8 .

- For realistic size q, 1 < λ < 1.2.

- RP a set of⌈4λ q1/8

⌉Fq-points on the curve

- F another set of points (the factor base), which we construct using RP- Let for now

F = RP ∪ {P ij } ∪ {P0} .

New method: Initialization

- Let λ be a positive root of

λ exp(4λ8)

= q1/8 .

- For realistic size q, 1 < λ < 1.2.

- RP a set of⌈4λ q1/8

⌉Fq-points on the curve

- F another set of points (the factor base), which we construct using RP- Let for now

F = RP ∪ {P ij } ∪ {P0} .

New method: Base vertices

- Construct a “graph”T; vertices V = {∗}; edges E = ∅

- Iterate over pairs Fi ,Fj ∈ RP, i 6= j .

- Find Fq-points F ,B in intersection of curve with line through Fi ,Fj (prob.1/2)

- Most likely: Neither in V ∪ F- Add F to F (so we are building the factor base here)

- Add a vertex labeled B. Draw an edge between ∗ and B labeled with

[Fi ] + [Fj ] + [F ] + [B] = 0 .

- B is called a base vertex. Denote the set of them by B.

- At this point both the graph and the factor base contain O(q1/4

)elements.

- Construct a “graph”T; vertices V = {∗}; edges E = ∅- Iterate over pairs Fi ,Fj ∈ RP, i 6= j .

[Fi ] + [Fj ] + [F ] + [B] = 0 .

)elements.

[Fi ] + [Fj ] + [F ] + [B] = 0 .

)elements.

[Fi ] + [Fj ] + [F ] + [B] = 0 .

)elements.

[Fi ] + [Fj ] + [F ] + [B] = 0 .

)elements.

Found relation:[Fi] + [Fj] + [F ] + [B] = 0, where Fi, Fj ∈ RPAdded F to F .

Base vertices

New method: Triangle relations

- Iterate over pairs of base vertices Bi ,Bj ∈ B, i 6= j .

- Find two other points in the intersection of the line through Bi ,Bj with C(prob. 1/2)

- Most likely: Neither is in V ∪ F- Add F to F (futher building the factor base).

- Add a vertex T and draw a triangle to the graph with corners Bi ,Bj and T ,labeled with

[Bi ] + [Bj ] + [F ] + [T ] = 0 .

- T is called a top triangle vertex.

)elements.

[Bi ] + [Bj ] + [F ] + [T ] = 0 .

)elements.

[Bi ] + [Bj ] + [F ] + [T ] = 0 .

)elements.

[Bi ] + [Bj ] + [F ] + [T ] = 0 .

)elements.

Found relation:[Bi] + [Bj] + [F ] + [T ] = 0, where Bi, Bj ∈ BAdded F to F .

Top triangle vertices (not all drawn)

New method: Graph building/Relation search

- Head-start to graph building: We already have O(q1/2) vertices!

- Problem with Diem’s algorithm: Growth of the graph is extremely slow atfirst.

- In contrast to Diem, we will search for full relations while simultaneouslybuilding the graph.

- Use top triangle vertices as roots of trees.

- Result: A“graph” less deep than Diem’s, resulting in an improvement in linearalgebra (our matrix is more sparse)

- Iterate over pairs Fi ,Fj ∈ F , i 6= j .

- Find two other points L1, L2 in the intersection of the line through Fi ,Fj withC (prob. 1/2)

- If L1 ∈ V is above a top triangle vertex, L2 /∈ V ∪ F , then add a vertexlabeled L2 and draw an edge between L1 and L2. Label the edge with

[Fi ] + [Fj ] + [L1] + [L2] = 0 .

- If L1, L2 ∈ V, use edge labels to obtain a relation involving only top trianglevertices and factor base elements. Next use the triangle relations to write thetop triangle vertices in terms of a pair of base vertices and a factor baseelement, and finally write each base vertex in terms of three factor baseelements. Record the full relation.

- Repeat until you have found at least #K − 1 full relations.

[Fi ] + [Fj ] + [L1] + [L2] = 0 .

Found relation:[Fi] + [Fj] + [Li] + [Lj] = 0, where Li ∈ V, Lj /∈ V

Found relation:[Fi] + [Fj] + [Li] + [Lj] = 0, where Li, Lj ∈ V

Produced a full relation!

New method: Linear algebra

- Proceed exactly like in Diem’s algorithm.

x ≡ −γ1γ2.

- Output x .

x ≡ −γ1γ2.

- Output x .

x ≡ −γ1γ2.

- Output x .

x ≡ −γ1γ2.

- Output x .

x ≡ −γ1γ2.

- Output x .

3. Complexity

Complexity: Two theorems

Recall:λ exp(4λ8) = q1/8

Theorem 2Under some heuristic assumptions and if q is large enough, we can expect thealgorithm to terminate successfully (and return the discrete logarithm x). Thenumber of pairs of factor base elements will be just right. The size of the factorbase will be approximately 4λ4 q1/2 and the number of vertices in the graph at theend will be approximately 4λ2 q3/4.

Theorem 3

The average row weight of the matrix (the average number of non-zero entries ona row) will be ≤ 18− 8λ+ ln q.

Complexity: Implementation and experiments

- The algorithm was implemented in C++ (with some Magma).

- For simplicity of implementation, we only considered binary fields.

- We chose a slightly larger factor base to ensure that the algorithm terminatessuccessfully.

- Number of field multiplications in standard operation: 7 log2 q + 13 (in ourimplementation)

- Optimized so that all pairs Fi ,Fj ∈ F will be processed.

- There are 8λ8 q such pairs, so the total number of field multiplications is

MTotal = (7 log2 q + 13) · 8λ8 q .

- Locally, for instance if q ∈ [270, 2120],

Mtotal ≈ 1.23 · log22(q) · q .

- Memory consumption very implementation-specific: In our rather naiveimplementation 370 bytes per vertex. For field sizes bigger than 64 bits, thisshould be roughly doubled (64-bit words).

MTotal = (7 log2 q + 13) · 8λ8 q .

Mtotal ≈ 1.23 · log22(q) · q .

MTotal = (7 log2 q + 13) · 8λ8 q .

Mtotal ≈ 1.23 · log22(q) · q .

MTotal = (7 log2 q + 13) · 8λ8 q .

Mtotal ≈ 1.23 · log22(q) · q .

MTotal = (7 log2 q + 13) · 8λ8 q .

Mtotal ≈ 1.23 · log22(q) · q .

- Size of the graph at the end: Nmax = 4λ2 q3/4

- Total memory cost: ≈ 4λ2 q3/4 · 370 bytes

- Experimental results:

q λ logq #F logq MTotal (th/pr) logq Nmax (th) Mem (th)217 0.89 > 0.58 1.51/1.51 0.85 8 MB219 0.90 > 0.57 1.47/1.47 0.84 22 MB221 0.91 > 0.57 1.44/1.44 0.83 65 MB223 0.92 > 0.57 1.41/1.41 0.83 187 MB225 0.93 > 0.56 1.39/1.38 0.82 538 MB227 0.94 > 0.56 1.37/1.36 0.82 1550 MB

- The experimental results for total number of field multiplications seem tocorrepond to the values suggested by our complexity analysis. Also the otherparameters of the experiments match closely to the theoretical predictions.

- Size of the graph at the end: Nmax = 4λ2 q3/4

- Total memory cost: ≈ 4λ2 q3/4 · 370 bytes

- Experimental results:

q λ logq #F logq MTotal (th/pr) logq Nmax (th) Mem (th)217 0.89 > 0.58 1.51/1.51 0.85 8 MB219 0.90 > 0.57 1.47/1.47 0.84 22 MB221 0.91 > 0.57 1.44/1.44 0.83 65 MB223 0.92 > 0.57 1.41/1.41 0.83 187 MB225 0.93 > 0.56 1.39/1.38 0.82 538 MB227 0.94 > 0.56 1.37/1.36 0.82 1550 MB

- The experimental results for total number of field multiplications seem tocorrepond to the values suggested by our complexity analysis. Also the otherparameters of the experiments match closely to the theoretical predictions.

Complexity: Theoretical results for larger field sizes

q λ logq #F logq Nmax logq MTotal log2 MTotal Mem230 0.95 0.56 0.81 1.34 40.21 7.4 GB240 0.98 0.55 0.80 1.27 51.00 1430 GB250 1.01 0.54 0.79 1.23 61.62 267 TB260 1.03 0.54 0.78 1.20 72.13 50490 TB270 1.05 0.53 0.78 1.18 82.56 1.90 · 107 TB280 1.07 0.53 0.78 1.16 92.94 3.56 · 109 TB290 1.09 0.53 0.77 1.15 103.28 6.62 · 1011 TB2100 1.10 0.53 0.77 1.14 113.58 1.2 · 1014 TB2110 1.11 0.52 0.77 1.13 123.85 2.28 · 1016 TB2115 1.12 0.52 0.77 1.12 128.98 3.10 · 1017 TB2120 1.13 0.52 0.77 1.12 134.10 4.22 · 1018 TB2140 1.15 0.52 0.77 1.10 154.54 2.16 · 1023 TB2160 1.17 0.52 0.77 1.09 174.92 7.29 · 1027 TB2180 1.18 0.52 0.76 1.08 195.26 8.43 · 1031 TB2200 1.20 0.52 0.76 1.08 215.56 1.10 · 1037 TB2220 1.21 0.51 0.76 1.07 235.84 3.71 · 1041 TB2240 1.23 0.51 0.76 1.07 256.09 1.24 · 1046 TB

- Expected average row weight: west = 18− 8 lnλ+ ln q

- Complexity of linear algebra: O(west · (#F)2

)- Linear algebra complexity is comparable to the complexity of the graph

building/relation search step:

q log2 west log2 #F Lin. alg. MTotal

230 5.29 16.70 ≈ 239 ≈ 240

240 5.52 21.90 ≈ 249 ≈ 251

250 5.72 27.06 ≈ 260 ≈ 262

260 5.89 32.18 ≈ 270 ≈ 272

270 6.05 37.29 ≈ 281 ≈ 283

280 6.19 42.39 ≈ 291 ≈ 293

290 6.32 47.47 ≈ 2101 ≈ 2103

2100 6.44 52.55 ≈ 2112 ≈ 2114

2110 6.55 57.62 ≈ 2122 ≈ 2124

2115 6.60 60.15 ≈ 2127 ≈ 2129

2120 6.65 62.68 ≈ 2132 ≈ 2134

2140 6.83 72.79 ≈ 2152 ≈ 2155

2160 7.00 82.89 ≈ 2173 ≈ 2175

2180 7.14 92.97 ≈ 2193 ≈ 2195

2200 7.28 103.05 ≈ 2213 ≈ 2216

2220 7.40 113.12 ≈ 2234 ≈ 2236

2240 7.51 123.18 ≈ 2254 ≈ 2256

4. Memory cost

Memory cost: Bounding

- Biggest problem: Memory cost

- Computational complexity is impressive; memory cost makes the algorithmnearly unusable

- Diem’s algorithm has a smaller memory cost: Diem’s tree restricted to q3/4

vertices, whereas we let the graph grow freely

- Bigger graph size gives better computational complexity.

- Question: What happens if we simply stop adding any new vertices to thegraph once it has reached size χ q3/4 and only continue with finding fullrelations?

- Biggest problem: Memory cost

- Computational complexity is impressive; memory cost makes the algorithmnearly unusable

- Diem’s algorithm has a smaller memory cost: Diem’s tree restricted to q3/4

vertices, whereas we let the graph grow freely

- Bigger graph size gives better computational complexity.

- Question: What happens if we simply stop adding any new vertices to thegraph once it has reached size χ q3/4 and only continue with finding fullrelations?

- Choose RP to be a set of 4η q1/8 points on the curve.

Theorem 4

The size of the factor base will be 4η2 q1/2 and the size of the graph will bebounded by χ q3/4.If q is large enough and we take η to be a root of

2η2 exp(4η8 − 4η4/χ2 + 1/4

)= χ1/2 q1/8 ,

then we can expect the algorithm to terminate successfully.The average row weight of the matrix will be approximately

wχest := 20− χ2

8η4− 4 ln

(4η4)

+ ln q + 4 lnχ .

- As a function of χ, η has a global minimum at a point where χ = 4η2, whichrecovers the original case (the definition of λ). This is expected since theunbounded graph should yield the best computational complexity.

Theorem 4

2η2 exp(4η8 − 4η4/χ2 + 1/4

)= χ1/2 q1/8 ,

wχest := 20− χ2

8η4− 4 ln

(4η4)

+ ln q + 4 lnχ .

Theorem 4

2η2 exp(4η8 − 4η4/χ2 + 1/4

)= χ1/2 q1/8 ,

wχest := 20− χ2

8η4− 4 ln

(4η4)

+ ln q + 4 lnχ .

Here is our relation search complexity compared to that of Diem’s algorithm, forfield sizes q = 260, 280, 2100, 2120, 2140, 2160, 2180, 2200:

1 2 3 4 5χ

Here is our linear algebra complexity compared to that of Diem’s algorithm, forfield sizes q = 260, 280, 2100, 2120, 2140, 2160, 2180, 2200:

1 2 3 4 5χ

Here is our relation search complexity compared to the fastest case (unrestrictedgraph), for field sizes q = 260, 280, 2100, 2120, 2140, 2160, 2180, 2200:

0.2 0.4 0.6 0.8 1Ratio of memory cost to worst: χ/(4λ2 )

: (η/λ

Here is our linear algebra complexity compared to the fastest case (unrestrictedgraph), for field sizes q = 260, 280, 2100, 2120, 2140, 2160, 2180, 2200:

0.2 0.4 0.6 0.8 1Ratio of memory cost to worst: χ/(4λ2 )

χ est/w

est)·(η/λ

Lemma 5For any fixed χ, asymptotically as q →∞ our algorithm is 3 times faster thanDiem’s algorithm for relation search and 9 times faster for linear algebra.

- Unfortunately the best we can do are these constant coefficientimprovements.

- For relation search, if χ is big enough, we actually approach the value 3 fromabove, so that for practical field sizes and χ big enough, we are in fact fasterthan this. If χ is closer to 1, we approach the speed-up factor 3 much sloweras q grows, and from below.

- For linear algebra we always approach the speed-up factor 9 from below.

Memory cost: Parallelization

- Trivial to parallelize intersection computations to multiple cores

- Parallelizing memory cost possible? Want: Divide the graph into severalpieces and process independently by several computers/memory units

- Build first base vertices, triangles, factor base

- K computers

- Factor base to all K computers

- Base vertices to all K computers

- Divide triangles among K computers

- Divide factor base pairs among K computers

- K computers

- Each computer processes their share of factor base pairs and shares withothers (need fast communication)

- Each builds their own graphs and collects their own full relations using theirshare of the triangles

- Finally: Collect all full relations together and proceed as usual with linearalgebra

- Choose a set RP of 4λK q1/8 points on the curve.

Theorem 6If q is large enough and we take λK to be a root of

λK exp(4λ8K

)=(K 2 q

)1/8then we can expect the algorithm to terminate successfully. Each of the Kcomputers will end up with a graph of size

4λK q3/4

The average row weight of the matrix will be approximately

18− 8 lnλK + ln(K 2 q

- Total memory cost: ≈√

K · (case of K = 1).

- Can also restrict sizes of each graph to χ q3/4/√

- Choose a set RP of 4ηK ,χ q1/8 points on the curve.

Theorem 7If q is large enough and we take ηK ,χ to be a root of

2η2K ,χ, exp(4η8K ,χ − 4η4K ,χ/χ

2 + 1/4)

= χ1/2(K 2 q

4λK q3/4

20− χ2

η4K ,χ− 4 ln(4η4K ,χ) + ln(K 2 q) + 4 lnχ .

- Can also restrict sizes of each graph to χ q3/4/√

- Choose a set RP of 4ηK ,χ q1/8 points on the curve.

Theorem 7If q is large enough and we take ηK ,χ to be a root of

2η2K ,χ, exp(4η8K ,χ − 4η4K ,χ/χ

2 + 1/4)

= χ1/2(K 2 q

4λK q3/4

20− χ2

η4K ,χ− 4 ln(4η4K ,χ) + ln(K 2 q) + 4 lnχ .

Memory cost: Example

Example 8

Let q = 260, K = 100 and χ/(4λ2K ) = 1/50. Then:

- The number of field multiplications each computer has to do isapproximately 279, but this can be further parallelized to any number of cores.

- The memory cost per computer is roughly 100 TB.

- With no bounding or parallelization we had a complexity of approximately 272

field multiplications and a memory cost of over 50000 TB.

Example 8

5. Conclusions

Conclusions

- Complexity of hyperelliptic genus 3 index calculus: O(q4/3)

- Danger with genus 3 hyperelliptic curves: Might be possible to map DLP tonon-hyperelliptic Jacobian

- Our results show that for small field sizes (< 70 bits) the attack can be madepractical, or at least nearly practical, even with current technology.

- Larger field sizes: Computational complexity irrelevant as memory costskyrockets

- Full paper available at https://eprint.iacr.org/2014/346.

Conclusions

- Complexity of hyperelliptic genus 3 index calculus: O(q4/3)

- Danger with genus 3 hyperelliptic curves: Might be possible to map DLP tonon-hyperelliptic Jacobian

- Our results show that for small field sizes (< 70 bits) the attack can be madepractical, or at least nearly practical, even with current technology.

- Larger field sizes: Computational complexity irrelevant as memory costskyrockets

- Full paper available at https://eprint.iacr.org/2014/346.

References

Gaudry, P., Thome , E., Theriault, N., Diem, C.,A Double Large Prime Variation for Small Genus Hyperelliptic Index Calculus,Math. Comp. 76 (2007), no. 257, 475–492.

Diem, C., Thome, E.,Index Calculus in Class Groups of Non-Hyperelliptic Curves of Genus Three,Journal of Cryptology 21 (2008), no. 4, 591–611.

Diem, C.,An Index Calculus Algorithm for Plane Curves of Small Degree,Algorithmic number theory, 543–557,Springer Berlin Heidelberg, 2006.

Diem, C.,Index Calculus in Class Groups of Non-Hyperelliptic Curves of Genus 3 from aFull Cost Perspective,Available on Claus Diem’s website.

Thank you!

Security in Genus 3

Documents