Trustless Groups of Unknown Order with Hyperelliptic Curves

Groups of unknown order are of major interest due to their applications, including time-lock puzzles, verifiable delay functions, and accumulators. In this paper we focus on trustless setup: in this setting, the most popular unknown-order group construction is ideal class groups of imaginary quadratic fields. We argue that the full impact of Sutherland's generic group-order algorithm has not been recognised in this context, and show that group sizes currently being proposed in practice (namely, approximately 830 bits) do not meet the claimed security level. Instead, we claim that random group orders should be at least 3300 bits to meet a 128-bit security level. For ideal class groups this leads to discriminants of around 6656 bits, which are much larger than desirable. One drawback of class groups is that current approaches require approximately 2log_2(N) bits to represent an element in a group of order N. We provide two solutions to mitigate this blow-up in the size of representations. First, we explain how an idea of Bleichenbacher can be used to compress class group elements to (3/2)log_2(N) bits. Second, we note that using Jacobians of hyperelliptic curves (in other words, class groups of quadratic function fields) allows efficient compression to the optimal element representation size of log_2(N) bits. We discuss point-counting approaches for hyperelliptic curves and argue that genus-3 curves are secure in the trustless unknown-order setting. We conclude that, in practice, Jacobians of hyperelliptic curves are more efficient than ideal class groups at the same security level, both in the group operation and in the size of the element representation.
