
The main idea behind Pollard's rho algorithm is to find distinct pairs $(c,d)$ and $(c',d')$ of integers modulo $n$ such that
$$cP + dQ = c'P + d'Q.$$
Then
$$(c - c')P = (d' - d)Q = (d' - d)lP$$
and so
$$(c - c') \equiv (d' - d)l \pmod{n}.$$
Hence $l = \log_P Q$ can be obtained by computing
$$l = (c - c')(d' - d)^{-1} \bmod n. \qquad (4.1)$$

A naïve method for finding such pairs $(c,d)$ and $(c',d')$ is to select random integers $c, d \in [0, n-1]$ and store the triples $(c, d, cP + dQ)$ in a table sorted by third component until a point $cP + dQ$ is obtained for a second time; such an occurrence is called a collision. By the birthday paradox,⁴ the expected number of iterations before a collision is obtained is approximately $\sqrt{\pi n/2} \approx 1.2533\sqrt{n}$. The drawback of this algorithm is the storage required for the $\sqrt{\pi n/2}$ triples.

Pollard's rho algorithm finds $(c,d)$ and $(c',d')$ in roughly the same expected time as the naïve method, but has negligible storage requirements. The idea is to define an iterating function $f : \langle P \rangle \to \langle P \rangle$ so that given $X \in \langle P \rangle$ and $c, d \in [0, n-1]$ with $X = cP + dQ$, it is easy to compute $X' = f(X)$ and $c', d' \in [0, n-1]$ with $X' = c'P + d'Q$. Furthermore, $f$ should have the characteristics of a random function.

The following is an example of a suitable iterating function. Let $\{S_1, S_2, \ldots, S_L\}$ be a "random" partition of $\langle P \rangle$ into $L$ sets of roughly the same size. Typical values for the number of branches $L$ are 16 and 32. For example, if $L = 32$ then a point $X \in \langle P \rangle$ can be assigned to $S_j$ if the five least significant bits of the $x$-coordinate of $X$ represent the integer $j - 1$. We write $H(X) = j$ if $X \in S_j$ and call $H$ the partition function. Finally, let $a_j, b_j \in_R [0, n-1]$ for $1 \le j \le L$. Then $f : \langle P \rangle \to \langle P \rangle$ is defined by
$$f(X) = X + a_jP + b_jQ \quad \text{where } j = H(X).$$

⁴ Suppose that an urn has $n$ balls numbered 1 to $n$. The balls are randomly drawn, one at a time with replacement, from the urn. Then the expected number of draws before some ball is drawn for the second time is approximately $\sqrt{\pi n/2}$. If $n = 365$ and the balls represent different days of the year, then the statement can be interpreted as saying that the expected number of people that have to be gathered in a room before one expects at least two of them to have the same birthday is approximately $\sqrt{\pi \cdot 365/2} \approx 24$. This number is surprisingly small and hence the nomenclature "birthday paradox."

Observe that if $X = cP + dQ$, then $f(X) = X' = c'P + d'Q$ where $c' = c + a_j \bmod n$ and $d' = d + b_j \bmod n$.

Now, any point $X_0 \in \langle P \rangle$ determines a sequence $\{X_i\}_{i \ge 0}$ of points where $X_i = f(X_{i-1})$ for $i \ge 1$. Since the set $\langle P \rangle$ is finite, the sequence will eventually collide and then cycle forever; that is, there is a smallest index $t$ for which $X_t = X_{t+s}$ for some $s \ge 1$, and then $X_i = X_{i-s}$ for all $i \ge t + s$ (see Figure 4.1). Here, $t$ is called the tail length and $s$ is called the cycle length of the sequence. If $f$ is assumed to be a random function, then the sequence is expected to first collide after approximately $\sqrt{\pi n/2}$ terms. Moreover, the expected tail length is $t \approx \sqrt{\pi n/8}$ and the expected cycle length is $s \approx \sqrt{\pi n/8}$.

Figure 4.1. ρ-like shape of the sequence $\{X_i\}$ in Pollard's rho algorithm, where $t$ = tail length and $s$ = cycle length. (Diagram not reproduced; it shows the tail $X_0, X_1, \ldots, X_{t-1}$ leading into the cycle $X_t, X_{t+1}, \ldots, X_{t+s-1}$, with $X_{t+s} = X_t$.)

A collision, that is, points $X_i, X_j$ with $X_i = X_j$ and $i \ne j$, can be found using Floyd's cycle-finding algorithm wherein one computes pairs $(X_i, X_{2i})$ of points for $i = 1, 2, 3, \ldots$ until $X_i = X_{2i}$. After computing a new pair, the previous pair can be discarded; thus the storage requirements are negligible. The expected number $k$ of such pairs that have to be computed before $X_i = X_{2i}$ is easily seen to satisfy $t \le k \le t + s$. In fact, assuming that $f$ is a random function, the expected value of $k$ is about $1.0308\sqrt{n}$, and hence the expected number of elliptic curve group operations is about $3\sqrt{n}$. The complete algorithm is presented as Algorithm 4.3. Note that the probability of the algorithm terminating with failure (i.e., $d = d'$ in step 7) is negligible.

Algorithm 4.3 Pollard's rho algorithm for the ECDLP (single processor)
INPUT: $P \in E(\mathbb{F}_q)$ of prime order $n$, $Q \in \langle P \rangle$.
OUTPUT: The discrete logarithm $l = \log_P Q$.
1. Select the number $L$ of branches (e.g., $L = 16$ or $L = 32$).
2. Select a partition function $H : \langle P \rangle \to \{1, 2, \ldots, L\}$.
3. For $j$ from 1 to $L$ do
   3.1 Select $a_j, b_j \in_R [0, n-1]$.
   3.2 Compute $R_j = a_jP + b_jQ$.
4. Select $c, d \in_R [0, n-1]$ and compute $X = cP + dQ$.
5. Set $X' \leftarrow X$, $c' \leftarrow c$, $d' \leftarrow d$.
6. Repeat the following:
   6.1 Compute $j = H(X)$.
       Set $X \leftarrow X + R_j$, $c \leftarrow c + a_j \bmod n$, $d \leftarrow d + b_j \bmod n$.
   6.2 For $i$ from 1 to 2 do
       Compute $j = H(X')$.
       Set $X' \leftarrow X' + R_j$, $c' \leftarrow c' + a_j \bmod n$, $d' \leftarrow d' + b_j \bmod n$.
   Until $X = X'$.
7. If $d = d'$ then return("failure");
   Else compute $l = (c - c')(d' - d)^{-1} \bmod n$ and return($l$).

Example 4.4 (Pollard's rho algorithm for solving the ECDLP) Consider the elliptic curve defined over $\mathbb{F}_{229}$ by the equation:
$$E : y^2 = x^3 + x + 44.$$
The point $P = (5, 116) \in E(\mathbb{F}_{229})$ has prime order $n = 239$. Let $Q = (155, 166) \in \langle P \rangle$. We wish to determine $l = \log_P Q$.

We select the partition function $H : \langle P \rangle \to \{1, 2, 3, 4\}$ with $L = 4$ branches:
$$H(x, y) = (x \bmod 4) + 1,$$
and the four triples
$[a_1, b_1, R_1] = [79, 163, (135, 117)]$
$[a_2, b_2, R_2] = [206, 19, (96, 97)]$
$[a_3, b_3, R_3] = [87, 109, (84, 62)]$
$[a_4, b_4, R_4] = [219, 68, (72, 134)]$.

The following table lists the triples $(c, d, X)$ and $(c', d', X')$ computed in Algorithm 4.3 for the case $(c, d) = (54, 175)$ in step 4.

Iteration    c     d     X            c'    d'    X'
    –       54   175   ( 39,159)     54   175   ( 39,159)
    1       34     4   (160,  9)    113   167   (130,182)
    2      113   167   (130,182)    180   105   ( 36, 97)
    3      200    37   ( 27, 17)      0    97   (108, 89)
    4      180   105   ( 36, 97)     46    40   (223,153)
    5       20    29   (119,180)    232   127   (167, 57)
    6        0    97   (108, 89)    192    24   ( 57,105)
    7       79    21   ( 81,168)    139   111   (185,227)
    8       46    40   (223,153)    193     0   (197, 92)
    9       26   108   (  9, 18)    140    87   (194,145)
   10      232   127   (167, 57)     67   120   (223,153)
   11      212   195   ( 75,136)     14   207   (167, 57)
   12      192    24   ( 57,105)    213   104   ( 57,105)

The algorithm finds
$$192P + 24Q = 213P + 104Q,$$
and hence
$$l = (192 - 213) \cdot (104 - 24)^{-1} \bmod 239 = 176.$$
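As an added example (not the book's own code), the following Python implements Algorithm 4.3 with plain affine arithmetic over $\mathbb{F}_{229}$ and runs it on Example 4.4 from the starting pair $(c, d) = (54, 175)$; the curve, the partition function $H$ and the four $(a_j, b_j)$ pairs are taken from the example, and the only assumption is that the walk never lands on the point at infinity, which the book's table confirms for this run.

```python
# Added example (not from the book): Algorithm 4.3 on the curve of Example 4.4.
p, n = 229, 239                  # field prime and the prime order of P
A, B = 1, 44                     # E: y^2 = x^3 + A*x + B over F_229
P, Q = (5, 116), (155, 166)      # Q = l*P with l unknown; None = infinity

def add(P1, P2):
    """Affine point addition on E(F_p), covering doubling and inverses."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                          # P1 = -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, R):
    """Double-and-add scalar multiplication k*R."""
    acc = None
    while k:
        if k & 1: acc = add(acc, R)
        R, k = add(R, R), k >> 1
    return acc

# Branches of Example 4.4: H(x, y) = (x mod 4) + 1, pairs (a_j, b_j), and the
# precomputed R_j = a_j*P + b_j*Q of step 3 in Algorithm 4.3.
ab = [(79, 163), (206, 19), (87, 109), (219, 68)]
Rj = [add(mul(a, P), mul(b, Q)) for a, b in ab]

def step(c, d, X):
    """One application of f: X -> X + R_j with j = H(X), updating (c, d)."""
    j = X[0] % 4                             # assumes X is not the point at infinity
    return (c + ab[j][0]) % n, (d + ab[j][1]) % n, add(X, Rj[j])

def pollard_rho(c, d):
    """Floyd cycle finding from start (c, d); returns (l, iterations)."""
    X = add(mul(c, P), mul(d, Q))
    c2, d2, X2 = c, d, X                     # the primed triple (c', d', X')
    iters = 0
    while True:
        c, d, X = step(c, d, X)              # step 6.1: X advances once
        c2, d2, X2 = step(*step(c2, d2, X2)) # step 6.2: X' advances twice
        iters += 1
        if X == X2: break
    if d == d2:
        return None, iters                   # step 7: failure, negligible
    return (c - c2) * pow((d2 - d) % n, -1, n) % n, iters
```

Calling `pollard_rho(54, 175)` reproduces the book's run: the collision at iteration 12 and $l = 176$, which can be confirmed independently by checking that $176P = Q$.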

Parallelized Pollard’s rho attack

Suppose now that $M$ processors are available for solving an ECDLP instance. A naïve approach would be to run Pollard's rho algorithm independently on each processor (with different randomly chosen starting points $X_0$) until any one processor terminates. A careful analysis shows that the expected number of elliptic curve operations performed by each processor before one terminates is about $3\sqrt{n}/\sqrt{M}$. Thus the expected speedup is only by a factor of $\sqrt{M}$.

Van Oorschot and Wiener proposed a variant of Pollard's rho algorithm that yields a factor $M$ speedup when $M$ processors are employed. The idea is to allow the sequences $\{X_i\}_{i \ge 0}$ generated by the processors to collide with one another. More precisely, each processor randomly selects its own starting point $X_0$, but all processors use the same iterating function $f$ to compute subsequent points $X_i$. Thus, if the sequences from two different processors ever collide, then, as illustrated in Figure 4.2, the two sequences will be identical from that point on.

Floyd's cycle-finding algorithm finds a collision in the sequence generated by a single processor. The following strategy enables efficient finding of a collision in the sequences generated by different processors. An easily testable distinguishing property of points is selected. For example, a point may be distinguished if the leading $t$ bits of its $x$-coordinate are zero. Let $\theta$ be the proportion of points in $\langle P \rangle$ having this distinguishing property. Whenever a processor encounters a distinguished point, it transmits the point to a central server which stores it in a sorted list. When the server receives the same distinguished point for the second time, it computes the desired discrete logarithm via (4.1) and terminates all processors. The expected number of steps per processor before a collision occurs is $\sqrt{\pi n/2}/M$. A subsequent distinguished point is expected after $1/\theta$ steps. Hence the expected number of elliptic curve operations performed by each processor before a collision of distinguished points is observed is
$$\frac{1}{M}\sqrt{\frac{\pi n}{2}} + \frac{1}{\theta}, \qquad (4.2)$$
and this parallelized version of Pollard's rho algorithm achieves a speedup that is linear in the number of processors employed. Observe that the processors do not have to communicate with each other, and furthermore have limited communications with the central server. Moreover, the total space requirements at the central server can be controlled by careful selection of the distinguishing property. The complete algorithm is presented as Algorithm 4.5. Note that the probability of the algorithm terminating with failure (i.e., $d = d'$ in step 7) is negligible.

Algorithm 4.5 Parallelized Pollard's rho algorithm for the ECDLP
INPUT: $P \in E(\mathbb{F}_q)$ of prime order $n$, $Q \in \langle P \rangle$.
OUTPUT: The discrete logarithm $l = \log_P Q$.
1. Select the number $L$ of branches (e.g., $L = 16$ or $L = 32$).
2. Select a partition function $H : \langle P \rangle \to \{1, 2, \ldots, L\}$.
3. Select a distinguishing property for points in $\langle P \rangle$.
4. For $j$ from 1 to $L$ do
   4.1 Select $a_j, b_j \in_R [0, n-1]$.
   4.2 Compute $R_j = a_jP + b_jQ$.
5. Each of the $M$ processors does the following:
   5.1 Select $c, d \in_R [0, n-1]$ and compute $X = cP + dQ$.
   5.2 Repeat the following:
       If $X$ is distinguished then send $(c, d, X)$ to the central server.
       Compute $j = H(X)$.
       Set $X \leftarrow X + R_j$, $c \leftarrow c + a_j \bmod n$, and $d \leftarrow d + b_j \bmod n$.
       Until the server receives some distinguished point $Y$ for the second time.
6. Let the two triples associated with $Y$ be $(c, d, Y)$ and $(c', d', Y)$.
7. If $d = d'$ then return("failure");
   Else compute $l = (c - c')(d' - d)^{-1} \bmod n$ and return($l$).

Speeding Pollard’s rho algorithm using automorphisms

Let $\psi : \langle P \rangle \to \langle P \rangle$ be a group automorphism, where $P \in E(\mathbb{F}_q)$ has order $n$. We assume that $\psi$ can be computed very efficiently, significantly faster than a point addition. Suppose that $\psi$ has order $t$, that is, $t$ is the smallest positive integer such that $\psi^t(R) = R$ for all $R \in \langle P \rangle$. The relation $\sim$ on $\langle P \rangle$ defined by
$$R_1 \sim R_2 \ \text{if and only if}\ R_1 = \psi^j(R_2) \ \text{for some } j \in [0, t-1]$$
is an equivalence relation. The equivalence class $[R]$ containing a point $R \in \langle P \rangle$ is
$$[R] = \{R, \psi(R), \psi^2(R), \ldots, \psi^{l-1}(R)\},$$
where $l$ is the smallest positive divisor of $t$ such that $\psi^l(R) = R$.

Figure 4.2. Sequences generated by the parallelized Pollard's rho algorithm. The sequences generated by processors 3 and 4 first collide at $X$. The algorithm reports the collision at $Y$, the first subsequent distinguished point. (Diagram not reproduced; it shows the walks of processors 1 to 4 with their distinguished points marked.)

The idea behind the speedup is to modify the iterating function $f$ so that it is defined on the equivalence classes (rather than just on the points in $\langle P \rangle$). To achieve this, we define a canonical representative $\overline{R}$ for each equivalence class $[R]$. For example, $\overline{R}$ may be defined to be the point in $[R]$ whose $x$-coordinate is the smallest when considered as an integer (with ties broken by selecting the point with a smaller $y$-coordinate). Then, we can define an iterating function $g$ on the canonical representatives by
$$g(\overline{R}) = \overline{f(\overline{R})}.$$

Suppose now that we know the integer $\lambda \in [0, n-1]$ such that
$$\psi(P) = \lambda P.$$
Then, since $\psi$ is a group automorphism, we have that $\psi(R) = \lambda R$ for all $R \in \langle P \rangle$. Thus, if we know integers $a$ and $b$ such that $X = aP + bQ$, then we can efficiently compute integers $a'$ and $b'$ such that $\overline{X} = a'P + b'Q$. Namely, if $\overline{X} = \psi^j(X)$, then

The function $g$ can now be used as the iterating function in the parallelized Pollard's rho algorithm. The initial point in a sequence is $\overline{X}_0$ where $X_0 = a_0P + b_0Q$ and $a_0, b_0 \in_R [0, n-1]$. Subsequent terms of the sequence are computed iteratively: $\overline{X}_i = g(\overline{X}_{i-1})$ for $i \ge 1$. If most equivalence classes have size $t$, then the search space has size approximately $n/t$ (versus $n$ if equivalence classes are not employed) and thus the expected running time of the modified parallelized Pollard's rho algorithm is
$$\frac{1}{M}\sqrt{\frac{\pi n}{2t}} + \frac{1}{\theta}, \qquad (4.3)$$
a speedup by a factor of $\sqrt{t}$ over (4.2).

Example 4.6 (using the negation map) The negation map $\psi(P) = -P$ has order 2 and possesses the requisite properties described above. Thus, the parallelized Pollard's rho algorithm that uses equivalence classes under the negation map has an expected running time of
$$\frac{\sqrt{\pi n}}{2M} + \frac{1}{\theta}. \qquad (4.4)$$
This is a speedup by a factor of $\sqrt{2}$ over (4.2) and is applicable to all elliptic curves.

Example 4.7 (speeding Pollard's rho algorithm for Koblitz curves) Recall from §3.4 that a Koblitz curve $E_a$ (where $a \in \{0, 1\}$) is an elliptic curve defined over $\mathbb{F}_2$. The Frobenius map $\tau : E_a(\mathbb{F}_{2^m}) \to E_a(\mathbb{F}_{2^m})$, defined by $\tau(\infty) = \infty$ and $\tau(x, y) = (x^2, y^2)$, is also a group automorphism of order $m$ and can be computed efficiently since squaring is a cheap operation in $\mathbb{F}_{2^m}$. If $P \in E_a(\mathbb{F}_{2^m})$ has prime order $n$ such that $n^2$ does not divide $\#E_a(\mathbb{F}_{2^m})$, then $\tau(P) \in \langle P \rangle$ and hence $\tau$ is also a group automorphism of $\langle P \rangle$. Let $\mu = (-1)^{1-a}$. It follows from Note 3.72 that one of the two solutions $\lambda$ to the modular equation
$$\lambda^2 - \mu\lambda + 2 \equiv 0 \pmod{n}$$
satisfies $\tau(P) = \lambda P$. Thus, $\tau$ has the requisite properties, and the parallelized Pollard's rho algorithm that uses equivalence classes under the Frobenius map has an expected running time of
$$\frac{1}{M}\sqrt{\frac{\pi n}{2m}} + \frac{1}{\theta}.$$
Furthermore, the parallelized Pollard's rho algorithm can exploit both the Frobenius map and the negation map to achieve an expected running time of
$$\frac{1}{2M}\sqrt{\frac{\pi n}{m}} + \frac{1}{\theta}. \qquad (4.5)$$

Example 4.8 (solving a 113-bit ECDLP instance on the Internet) Let $E$ be an elliptic curve defined over a prime field $\mathbb{F}_p$, and let $P \in E(\mathbb{F}_p)$ have prime order $n$. Suppose also that both $p$ and $n$ are 113-bit primes. Elliptic curves with these parameters would offer roughly the same security as provided by 56-bit DES. Assume that we have $M = 10{,}000$ computers available on the Internet to solve an instance of the ECDLP in $\langle P \rangle$, and that each computer can perform one iteration (of step 5.2 of Algorithm 4.5) in 10 microseconds. If we select the distinguishing property so that $\theta = 2^{-30}$, then the expected number of iterations performed by each computer before the logarithm is found is approximately
$$\frac{\sqrt{\pi 2^{113}}}{2 \cdot 10000} + 2^{30} \approx 9.03 \times 10^{12}.$$
Hence, the expected running time before the logarithm is found is about 1045 days, or three years. Since the $x$-coordinate and associated $(c, d)$ pair of a distinguished point can be stored in 12 32-bit words, the total space required for storing the distinguished points at the central server is about
$$12\theta \frac{\sqrt{\pi n}}{2} \text{ words} \approx 3.8 \text{ Gigabytes}.$$

One concludes from these calculations that while solving a 113-bit ECDLP requires significant resources, 113-bit ECC provides adequate security only for low-security short-term applications.

Multiple logarithms

We show how the distinguished points stored during the solution of one ECDLP instance in $\langle P \rangle$ using (parallelized) Pollard's rho algorithm can be used to accelerate the solution of other ECDLP instances in $\langle P \rangle$. This property is relevant to the security of elliptic curve cryptographic systems because users typically share elliptic curve parameters $E$, $\mathbb{F}_q$, $P$, and select their own public keys $Q \in \langle P \rangle$. Thus, if one or more private keys can be found using Pollard's rho algorithm, then finding other private keys becomes progressively easier.

Suppose that $l = \log_P Q$ has been computed. For each stored triple $(c, d, X)$ associated to distinguished points $X$ encountered during the computation, the integer $s = c + dl \bmod n$ satisfies $X = sP$. Similarly, the integers $r_j = a_j + b_jl \bmod n$ satisfy $R_j = r_jP$ for $1 \le j \le L$. Now, to compute $l' = \log_P Q'$ where $Q' \in \langle P \rangle$, each processor computes the terms $Y_i$ of a random sequence with starting point $Y_0 = c_0P + d_0Q'$ where $c_0, d_0 \in_R [0, n-1]$, and the same iterating function $f$ as before. For each distinguished point $Y$ encountered in the new sequences, a triple $(c, d, Y)$ such that $Y = cP + dQ'$ is sent to the central server. A collision can occur between two new sequences or between a new sequence and an old one. In the former case, we have

whence $l' = (c - c')(d' - d)^{-1} \bmod n$. In the latter case, we have $cP + dQ' = sP$,
whence $l' = (s - c)d^{-1} \bmod n$.

The distinguished points collected during the first two ECDLP computations can similarly be used for the computation of the third ECDLP computation, and so on. The expected number $W_k$ of random walk steps before $k$ ECDLP instances are iteratively solved in the manner described has been shown to be
$$W_k \approx T \sum_{i=0}^{k-1} \binom{2i}{i} \frac{1}{4^i},$$
where $T$ is the expected number of random walk steps to solve a single ECDLP instance. Thus, solving the second, third, and fourth ECDLP instances takes only 50%, 37%, and 31%, respectively, of the time to solve the first instance.

Concerns that successive ECDLP computations become easier can be addressed by ensuring that the elliptic curve parameters are chosen so that the first ECDLP instance is infeasible to solve.