Cryptanalysis of elliptic curve hidden number problem from PKC 2017

Abstract

In PKC 2017, the elliptic curve hidden number problem (EC-HNP) was revisited in order to rigorously assess the bit security of the elliptic curve Diffie–Hellman key exchange protocol. In this paper, we solve EC-HNP by using the Coppersmith technique which combines the idea behind the second lattice method of Boneh, Halevi and Howgrave-Graham for solving the modular inversion hidden number problem. We show that the hidden point in EC-HNP can be recovered asymptotically if about half of the most significant bits of the x-coordinates of the corresponding points are given. A similar result is also obtained for the least significant bits. We provide better bounds than the one in the work of PKC 2017, which needs about 5/6 of the bits as a result of a rigorous algorithm. However, our solution is based on a heuristic assumption. We verify the validity of our heuristic algorithm by computer experiments.

Appendices

Appendix

Proof of Lemma 3

Proof

Our goal is to prove the invertibility of matrix \(\mathbf {M{[j_1, \ldots , j_s]}}\) over \({\mathbb {Z}}_{p^{s-1}}\), where \(1\le j_1<\cdots <j_s \le n\). Since p is a prime, our goal is translated into show that \(\mathbf {M{[j_1, \ldots , j_s]}}\) is invertible over prime field \(\mathbb {{\mathbb {F}}}_{p}\).

Based on (10), we get that the row vectors of \(\mathbf {M{[j_1, \ldots , j_s]}}\) are the corresponding coefficient vectors of polynomials \(g_{l,v}\) with respect to monomials \(y_{j_1}\ldots y_{j_s},~x_0y_{j_1}\ldots y_{j_s}, \ldots ,~x^{2s-1}_0y_{j_1}\ldots y_{j_s}\) for \(l=1, \ldots , s\) and \(v=0,1\). According to (9), we have

$$\begin{aligned} g_{l,v}=\bigg (x_0^vy_{j_1}\ldots y_{j_s} \cdot \prod \limits _{t\ne l}(x_0^2+A_{j_t}x_0+B_{j_t})\bigg )+h_{l,v} \end{aligned}$$

Based on (5), we obtain \(A_{j_t}=2(h_0-x_{Q_{j_t}})~\mathrm {mod}~p\) and \(B_{j_t} =(h_0-x_{Q_{j_t}})^2~\mathrm {mod}~p\) for \(t\in [1, \ldots , s]\). Thus \(x_0^2+A_{j_t}x_0+B_{j_t} \equiv (x_0+h_0-x_{Q_{j_t}})^2~\mathrm {mod}~p\). Therefore, we can write

$$\begin{aligned} g_{l,v} \equiv \bigg (x_0^vy_{j_1}\ldots y_{j_s} \cdot \prod \limits _{t\ne l}(x_0+h_0-x_{Q_{j_t}})^2\bigg )+h_{l,v}~(\mathrm {mod}~p^{s-1}) \end{aligned}$$

Let univariate polynomials \(G_{j_t}(x_0) =x_0+h_0-x_{Q_{j_t}}\) and \({\widetilde{G}}_{j_l}(x_0)=\prod \limits _{t\ne l}G_{j_t}(x_0)\). Based on the above relation, we get

$$\begin{aligned} g_{l,v} \equiv x_0^vy_{j_1}\ldots y_{j_s} \cdot {\widetilde{G}}^2_{j_l}(x_0)+h_{l,v}~(\mathrm {mod}~p^{s-1})~\mathrm {for}~l=1, \ldots , s~\mathrm {and}~v=0,1. \end{aligned}$$

We use the matrix equation to express the above relation:

$$\begin{aligned} \begin{pmatrix} g_{1,0} \\ \vdots \\ g_{s,0} \\ g_{1,1} \\ \vdots \\ g_{s,1} \\ \end{pmatrix} \equiv \begin{pmatrix} {\widetilde{G}}^2_{j_1}(x_0) \\ \vdots \\ {\widetilde{G}}^2_{j_s}(x_0) \\ x_0{\widetilde{G}}^2_{j_1}(x_0) \\ \vdots \\ x_0{\widetilde{G}}^2_{j_s}(x_0) \\ \end{pmatrix} \cdot (y_{j_1}\ldots y_{j_s}) + \begin{pmatrix} h_{1,0} \\ \vdots \\ h_{s,0} \\ h_{1,1} \\ \vdots \\ h_{s,1} \\ \end{pmatrix} ~\mathrm {mod}~p^{s-1}. \end{aligned}$$

According to (10), i.e.,

$$\begin{aligned} \begin{pmatrix} g_{1,0} \\ \vdots \\ g_{s,0} \\ g_{1,1} \\ \vdots \\ g_{s,1} \\ \end{pmatrix} = \mathbf {M{[j_1, \ldots , j_s]}}\cdot \begin{pmatrix} y_{j_1}\ldots y_{j_s} \\ x_0y_{j_1}\ldots y_{j_s} \\ \vdots \\ \vdots \\ \vdots \\ x^{2s-1}_0y_{j_1}\ldots y_{j_s} \end{pmatrix}+ \begin{pmatrix} h_{1,0} \\ \vdots \\ h_{s,0} \\ h_{1,1} \\ \vdots \\ h_{s,1} \\ \end{pmatrix}, \end{aligned}$$

we deduce that the rows of matrix \(\mathbf {M{[j_1, \ldots , j_s]}}\) (in the sense of modulo prime p) correspond to the coefficient vectors of \({\widetilde{G}}^2_{j_1}(x_0), \ldots ,\)\( {\widetilde{G}}^2_{j_s}(x_0),\)\( x_0{\widetilde{G}}^2_{j_1}(x_0), \ldots , x_0{\widetilde{G}}^2_{j_s}(x_0)\) on a basis \((1, x_0, \ldots , x^{2s-1}_0)\) over prime field \({\mathbb {F}}_p\). Therefore, \(\mathbf {M{[j_1, \ldots , j_s]}}\) is invertible in \({\mathbb {F}}_p\) if and only if polynomials

$$\begin{aligned} {\widetilde{G}}^2_{j_1}(x_0), \ldots , {\widetilde{G}}^2_{j_s}(x_0), x_0{\widetilde{G}}^2_{j_1}(x_0), \ldots , x_0{\widetilde{G}}^2_{j_s}(x_0) \end{aligned}$$

are linearly independent over \({\mathbb {F}}_p\).

Suppose that there exist \(u_1, \ldots , u_s, v_1, \ldots , v_s\in {\mathbb {F}}_p\) such that \(u_1{\widetilde{G}}^2_{j_1}(x_0)+\cdots +u_s{\widetilde{G}}^2_{j_s}(x_0)+v_1x_0{\widetilde{G}}^2_{j_1}(x_0)+v_sx_0{\widetilde{G}}^2_{j_1}(x_0)=0\), i.e.,

$$\begin{aligned} (u_1+x_0v_1)\cdot {\widetilde{G}}^2_{j_1}(x_0)+\cdots +(u_s+x_0v_s)\cdot {\widetilde{G}}^2_{j_s}(x_0)=0. \end{aligned}$$

(14)

Note that \({\widetilde{G}}_{j_l}(x_0)=\prod \limits _{t\ne l}G_{j_t}(x_0)\) for all \(1\le l\le s\). Then taking modulo \(G^2_{j_l}(x_0)\) on both sides of (14), we get

$$\begin{aligned} (u_i+x_0v_i)\cdot {\widetilde{G}}^2_{j_l}(x_0)\equiv 0~(\mathrm {mod}~G^2_{j_l}(x_0))~\mathrm {for~all}~l=1, \ldots , s. \end{aligned}$$

(15)

According to \(G_{j_l}(x_0)=x_0+h_0-x_{Q_{j_l}}\) for \(l \in [1, \ldots , s]\). Note that \(1\le j_1< \cdots < j_s \le n\), and \(x_{Q_1}, \ldots , x_{Q_n}\) are different over \({\mathbb {F}}_p\) (see the analysis of Sect. 3). It implies that \(x_{Q_{j_1}}, \ldots , x_{Q_{j_s}}\) are also different. Furthermore, univariate linear polynomials \({G}_{j_1}(x_0), \ldots ,\)\( {G}_{j_s}(x_0)\) have different roots over \({\mathbb {F}}_p\), which are \(x_{Q_{j_1}}-h_0, \ldots ,\)\(x_{Q_{j_s}}-h_0\) respectively. Therefore, \({G}_{j_{1}}(x_0), \ldots ,\)\( {G}_{j_{s}}(x_0)\) are pairwise coprime. Based on \({\widetilde{G}}_{j_l}(x_0)=\prod \limits _{t\ne l}G_{j_t}(x_0)\), we also have \(\gcd (G_{j_l}(x_0)),{\widetilde{G}}_{j_l}(x_0))=1\) for all \(1\le l\le s\). Thus, from (15) we have

$$\begin{aligned} u_l+x_0v_l\equiv 0~(\mathrm {mod}~G^2_{j_l}(x_0))~\mathrm {for}~l\in [1,\ldots , s]. \end{aligned}$$

Since \(\deg (G^2_{j_l}(x_0))=2\) and \(\deg (u_l+x_0v_l)\le 1\), we get \(u_l+x_0v_l= 0\) for all \(l=1, \ldots , s\), i.e.,

$$\begin{aligned} u_1=v_1=\cdots =u_s=v_s=0. \end{aligned}$$

It implies that \(u_1{\widetilde{G}}^2_{j_1}(x_0)+\cdots +u_s{\widetilde{G}}^2_{j_s}(x_0)+v_1x_0{\widetilde{G}}^2_{j_1}(x_0)+v_sx_0{\widetilde{G}}^2_{j_1}(x_0)=0\) if and only if \(u_1=v_1=\cdots =u_s=v_s=0\). Hence, \({\widetilde{G}}^2_{j_1}(x_0), \ldots , {\widetilde{G}}^2_{j_s}(x_0), x_0{\widetilde{G}}^2_{j_1}(x_0), \ldots , x_0{\widetilde{G}}^2_{j_1}(x_0)\) are linearly independent over \({\mathbb {F}}_p\), that is, \(\mathbf {M{[j_1, \ldots , j_s]}}\) is invertible over \({\mathbb {F}}_p\).

\(\square \)