Join Log in
Score:3
fgrieu avatar Crypto

Multi-target attacks of ECC public keys

ng flag
fgrieu

Imagine a situation where there are many high-value public keys around, using the same Elliptic Curve group, say $k$ in the millions public keys¹. Can an adversary reasonably find one of the matching private key at much lower cost that finding the private key for a particular one?

What's the best feasible² method? What's it's cost relative to the best known feasible method for one key (that is, I believe, distributed Polard's rho with distinguished points), as a function of $k$ and perhaps the Elliptic Curve group order $n$?

¹ Imagine Bitcoin with secp224k1, and the corresponding ponzi had similar market value.

² Assuming known existing technologies, including supercomputers, GPUs, FPGAs, ASICs, but not quantum computers usable for cryptanalysis.

109
1 + 7
SAI Peregrinus avatar
si flag
SAI Peregrinus
I know Kuhn and Struik [proved in 2001](https://tik-db.ee.ethz.ch/file/24d4a86d39ea8fae126fc84b69885ba7/sac01.pdf) (section 4) that Pollard's rho method can compute $k$ discrete logs in $\sqrt k$ time. The first takes the full expected time, the second less, the next even less, etc.
2
Reply
SAI Peregrinus avatar
si flag
SAI Peregrinus
The issue with that is that it's from 2001. I expect there's new research, or that new attacks might be cheaper. So I don't really want to answer it with that alone, since it's a 20-year old paper. I just remembered that it's cited in the "Batch discrete logarithms" section of Bernstein's Curve25519 paper and looked it up. Certainly it's an upper-bound on the difficulty though.
2
Reply
pe flag
Samuel Neves
This is basically the same as [this answer](https://crypto.stackexchange.com/a/25849/592)
1
Reply
fgrieu avatar
ng flag
fgrieu
@Samuel Neves: thanks for pointing [that](https://crypto.stackexchange.com/a/25849/592). Not quite the same maybe: precomputation is not the same as multi-target, because the target(s) are not known when a precomputation starts. In RSA at least, that makes a significant difference: I know no precomputation attack to factor RSA moduli, but there are some (borderline useful) multi-target attacks, like Pollard's p-1.
0
Reply
pe flag
Samuel Neves
There's no precomputation involved there either; the "precomputation" is really just solving the first target (or a dummy target, if one insists on precomputation).
0
Reply
fgrieu avatar
ng flag
fgrieu
@SamuelNeves: \[Updated: following the next comment, I now get you, and that [your existing answer](https://crypto.stackexchange.com/a/25849/592) does solve the question\]. I don't get you. Are you saying finding all private keys is as hard as finding one? I'm ready to believe that, but how?
0
Reply
pe flag
Samuel Neves
No; finding all $k$ private keys costs $O(\sqrt{kn})$, that is, you save a $\sqrt{k}$ factor compared to solving each log separately. This has been explicitly proved by [Yun](https://eprint.iacr.org/2014/637), but was already the cost of the best attack since 1997 or so (Silverman).
2
Reply
Score:2
poncho avatar Crypto
my flag
poncho

Can an adversary reasonably find one of the matching private key at much lower cost that finding the private key for a particular one?

No, and that's provable (and is independent of the technology employed)

Suppose that we had a black box that could take $k$ different public keys $a_1G, a_2G, ..., a_kG$, and recover $a_iG$ (for some $i$) in $o(\sqrt{n})$ time.

Then, here is how we could use that black box to, given one public key $aG$, recover the private key $a$ in $o(\sqrt{n})$ time. We would:

  • Select $k$ random values $r_1, r_2, ..., r_k$, and compute the sequence $r_1(aG), r_2(aG), ..., r_k(aG)$, which (by defining $b_i = r_i a$) can be viewed as $b_1G, b_2G, ..., b_kG$

  • Give the sequence $b_1G, b_2G, ..., b_kG$, which will recover $b_i$

  • We compute $a = r_i^{-1}b_i$, and thus recover the key.

The steps in addition to the invocation of the black box takes $O(k)$ time, which can be ignored for reasonablely sized $k$.

Note that the sequence $b_1G, b_2G, ..., b_kG$ is uniformly distributed, and hence even if the black box is probabilistic, it'll still allow us to recover the public key.

0 + 1
fgrieu avatar
ng flag
fgrieu
That's a variation of something you already told me, and spot on!
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.