
Can someone explain how the Gallant-Lambert-Vanstone method works (or which literature explains it)?

It is also unclear to me how the Frobenius endomorphism can be used in some cases for a speedup.

Also: how does it make sure that an attack remains infeasible (by using this method)?

(I am especially interested because of the secp256k1 curve which uses the method)

NightRain23
  • Does https://crypto.stackexchange.com/a/60626 answer your question? We don't know that an attack is impossible but after two decades nobody's found one, other than the obvious speedup of using the endomorphism in rho attacks or similar. – Squeamish Ossifrage Mar 29 '19 at 16:22
  • Thanks for the link, very helpful. Why is β a nontrivial root of unity when β^2 + β + 1 = 0? – NightRain23 Mar 29 '19 at 16:53
  • Note that $\beta^2 = -\beta - 1$. Can you find what $\beta^3$ is using this relation? (Side note: If the equation $\beta^2 + \beta + 1 = 0$ isn't familiar, or perhaps as it is more often written, $\omega^2 + \omega + 1 = 0$, consider brushing up on some algebra, maybe Galois-flavored.) – Squeamish Ossifrage Mar 29 '19 at 17:04
  • I was aware that this holds in e.g. GF(4) using polynomials (x^3 = 1) but not for β in Fp. I guess I'll look into that, thanks! – NightRain23 Mar 29 '19 at 17:17
  • It holds in any field, even in those of characteristic zero like $\mathbb C$! Of course, there may not be a nontrivial cube root of unity in the field, but if there is some $\beta$ with $\beta^2 + \beta + 1 = 0$ then $\beta$ is a cube root of unity. Exercise: If $p \equiv 1 \pmod 3$, how can you find such a $\beta$? – Squeamish Ossifrage Mar 29 '19 at 17:24
  • I would say by finding a solution for β^2+β+1 ≡ 0 (mod p)? – NightRain23 Mar 29 '19 at 17:50
  • That's kind of tautological. There's a specific method for finding a nontrivial cube root of unity modulo $p \equiv 1 \pmod 3$. Hint: Use the fact that $p \equiv 1 \pmod 3$. Write out what that means, as an equation about integers rather than a congruence. – Squeamish Ossifrage Mar 29 '19 at 17:54
  • I see now that one solution is β^((p-1)/3), but how do you get the second solution? – NightRain23 Mar 29 '19 at 18:27
  • If $\beta^3 = 1$, what's $(\beta^2)^3$? (Hint: Roots of unity!) – Squeamish Ossifrage Mar 29 '19 at 18:35
  • Ah, I see the solutions are β^((p-1)/3) and β^(2((p-1)/3)). You analogously find α^4 = 1 when p ≡ 1 mod 4 with α^((p-1)/4), α^2((p-1)/4) and α^3*((p-1)/4), right? – NightRain23 Mar 29 '19 at 18:37
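
The following is an added worked example, not code from the question or the comment thread: it finds the secp256k1 constants the comments talk about (a nontrivial cube root of unity β mod p from g^((p-1)/3), the matching λ mod the group order n), checks that the endomorphism (x, y) → (βx, y) really is multiplication by λ, and then performs the GLV decomposition k = k1 + k2·λ (mod n) with a short lattice basis from the extended Euclidean algorithm, confirming that k1·G + k2·φ(G) equals k·G. The curve parameters are the public standard values; the function names and the affine point arithmetic are this example's own.

```python
# Added example (not from the question or the comments): secp256k1 endomorphism
# constants found as the comment thread hints, plus a GLV decomposition check.
from math import isqrt

# secp256k1 domain parameters (public standard values): field prime p ≡ 1 (mod 3),
# group order n ≡ 1 (mod 3), and the base point G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def cube_root_of_unity(m):
    """Nontrivial cube root of unity modulo a prime m ≡ 1 (mod 3).
    Since m - 1 = 3t, g^t is a cube root of 1 for every g; it is 1 only when g is
    itself a cube, so the first g that gives r != 1 works. The other nontrivial
    root is r*r mod m, as the comments point out."""
    assert m % 3 == 1
    t = (m - 1) // 3
    for g in range(2, m):
        r = pow(g, t, m)
        if r != 1:
            return r
    raise ValueError("no nontrivial cube root of unity")


def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        s = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    """Double-and-add scalar multiplication; a negative k negates the point."""
    if k < 0:
        k, A = -k, (A[0], (-A[1]) % P)
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def phi(beta, A):
    """The endomorphism (x, y) -> (beta*x, y); it acts as multiplication by some lambda."""
    return (beta * A[0] % P, A[1])


def matching_lambda(beta):
    """Of the two nontrivial cube roots of unity mod N, return the one with phi(G) = lambda*G."""
    lam = cube_root_of_unity(N)
    for cand in (lam, lam * lam % N):
        if ec_mul(cand, G) == phi(beta, G):
            return cand
    raise ValueError("beta and lambda do not pair up")


def glv_basis(n, lam):
    """Short basis of the lattice {(x, y): x + y*lam ≡ 0 (mod n)}, taken from the
    remainder/coefficient sequence of the extended Euclidean algorithm on (n, lam)."""
    rows = [(n, 0), (lam, 1)]  # (r_i, t_i) with s_i*n + t_i*lam = r_i
    while rows[-1][0] != 0:
        (r0, t0), (r1, t1) = rows[-2], rows[-1]
        q = r0 // r1
        rows.append((r0 - q * r1, t0 - q * t1))

    def vec(i):  # (r_i, -t_i) satisfies r_i - t_i*lam = s_i*n ≡ 0 (mod n)
        return (rows[i][0], -rows[i][1])

    m = max(i for i, (r, _) in enumerate(rows) if r >= isqrt(n))
    v1 = vec(m + 1)
    cands = [vec(m)] + ([vec(m + 2)] if m + 2 < len(rows) else [])
    v2 = min(cands, key=lambda v: v[0] * v[0] + v[1] * v[1])
    return v1, v2


def glv_decompose(k, n, lam, v1, v2):
    """Return (k1, k2) with k1 + k2*lam ≡ k (mod n), both about half the size of n."""
    a1, b1 = v1
    a2, b2 = v2
    det = a1 * b2 - a2 * b1
    if det < 0:
        a2, b2, det = -a2, -b2, -det
    c1 = (2 * k * b2 + det) // (2 * det)  # round(k*b2/det)
    c2 = (det - 2 * k * b1) // (2 * det)  # round(-k*b1/det)
    return k - c1 * a1 - c2 * a2, -c1 * b1 - c2 * b2


def glv_check(k):
    """Compare k*G with k1*G + k2*phi(G); return (equal?, bits of k1, bits of k2)."""
    beta = cube_root_of_unity(P)
    lam = matching_lambda(beta)
    v1, v2 = glv_basis(N, lam)
    k1, k2 = glv_decompose(k, N, lam, v1, v2)
    direct = ec_mul(k, G)
    split = ec_add(ec_mul(k1, G), ec_mul(k2, phi(beta, G)))
    return direct == split, k1.bit_length(), k2.bit_length()


if __name__ == "__main__":
    print(glv_check(0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF))
```

The speedup is in the last step: instead of one 256-bit scalar multiplication, k·G becomes two roughly 128-bit multiplications (k1 and k2) that can be run as a single double-scalar multiplication, while φ(G) costs only one field multiplication. Nothing here weakens the group: λ·G is just another point on the same curve, so the decomposition is a computational shortcut, not a new relation an attacker lacked.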
