Number Theory in Cryptology
1 Number Theory in Cryptology Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur October 15, 2011
2 What is Number Theory?
Theory of the natural numbers $\mathbb{N} = \{1, 2, 3, \ldots\}$.
Uses the larger algebraic structures $\mathbb{Z}, \mathbb{Q}, \mathbb{R}, \mathbb{C}$.
Modular arithmetic: $\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$.
Finite fields: $\mathbb{F}_{p^n}$, $p \in \mathbb{P}$, $n \in \mathbb{N}$.
Elliptic curves: arithmetic algebraic geometry.
Algebraic number theory: study of number fields and number rings.
Analytic number theory: use of tools from complex analysis.
All of these are used extensively in cryptography and cryptanalysis.
3 Uses in Cryptology: Examples
Modular arithmetic: RSA, ElGamal, Rabin and many other cryptosystems.
Finite fields: Diffie-Hellman key agreement, ElGamal, DSA.
Elliptic curves: ECDSA.
Pairings on elliptic curves: identity-based cryptosystems, multi-party key agreement, short signature schemes.
Algebraic number theory: the number-field sieve.
Analytic number theory: density estimates (the prime number theorem, the Riemann hypothesis).
4 Modular Arithmetic
Modulus $n \in \mathbb{N}$, $n \ge 2$. $\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$.
Arithmetic in $\mathbb{Z}_n$:
Addition: $a +_n b = a + b$ if $a + b < n$, and $a + b - n$ otherwise.
Subtraction: $a -_n b = a - b$ if $a \ge b$, and $a - b + n$ otherwise.
Multiplication: $a \cdot_n b = (ab) \bmod n$.
Division: $a$ is invertible modulo $n$ if and only if $\gcd(a, n) = 1$.
Extended gcd computation: $ua + vn = \gcd(a, n)$ for some integers $u, v$. If $\gcd(a, n) = 1$, then $u \bmod n$ is the inverse of $a$ modulo $n$.
5 Modular Exponentiation
To compute $a^e \pmod n$:
Binary expansion: $e = (e_{s-1} e_{s-2} \ldots e_1 e_0)_2$.
Initialize $t = 1$.
For $i = s-1, s-2, \ldots, 1, 0$ do: set $t = t^2 \pmod n$; if $e_i = 1$, set $t = ta \pmod n$.
Return $t$.
6 The Multiplicative Group of $\mathbb{Z}_n$
$\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n \mid \gcd(a, n) = 1\}$.
Euler phi function: $\varphi(n) = |\mathbb{Z}_n^*|$.
If $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, then $\varphi(n) = p_1^{e_1 - 1}(p_1 - 1)\, p_2^{e_2 - 1}(p_2 - 1) \cdots p_k^{e_k - 1}(p_k - 1) = n \prod_{p \in \mathbb{P},\, p \mid n} \left(1 - \frac{1}{p}\right)$.
$\mathbb{Z}_n^*$ is cyclic if and only if $n = 2, 4, p^e$ or $2p^e$ with $p \in \mathbb{P}$, $p \ne 2$, and $e \in \mathbb{N}$.
Special case: $n = p \in \mathbb{P}$. $\mathbb{Z}_p$ is a field. $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\}$. $\varphi(p) = p - 1$. $\mathbb{Z}_p^*$ is cyclic.
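The modular-arithmetic toolkit of slides 4 to 6 in working Python, as an added example (not code from the slides): extended gcd and inversion, the left-to-right square-and-multiply loop exactly as stated on slide 5, Euler's phi from the prime-power formula, and a generator search that returns None precisely when $\mathbb{Z}_n^*$ is not cyclic. All function names are this example's own.

```python
"""Modular arithmetic from slides 4-6: extended gcd, modular inverse,
left-to-right square-and-multiply exponentiation, Euler's phi from the prime
factorization, and a search for a generator of Z_n^* (which exists iff the
group is cyclic).  Added example, not code from the slides."""
from math import gcd

def egcd(a, n):
    """Return (g, u, v) with u*a + v*n == g == gcd(a, n)."""
    old_r, r, old_u, u, old_v, v = a, n, 1, 0, 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v

def modinv(a, n):
    """Inverse of a modulo n, which exists exactly when gcd(a, n) == 1."""
    g, u, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {n}: gcd is {g}")
    return u % n

def modexp(a, e, n):
    """a^e mod n by the slide's algorithm: scan the bits of e from the most
    significant one, square each step and multiply by a when the bit is 1."""
    if e < 0:
        a, e = modinv(a, n), -e
    t = 1
    for bit in bin(e)[2:]:
        t = t * t % n
        if bit == '1':
            t = t * a % n
    return t

def factorize(n):
    """Trial-division factorization {prime: exponent}; fine for small n."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def phi(n):
    """Euler's phi via phi(n) = n * prod_{p | n} (1 - 1/p)."""
    r = n
    for p in factorize(n):
        r = r // p * (p - 1)
    return r

def multiplicative_order(a, n):
    """Smallest h >= 1 with a^h == 1 (mod n); needs gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("order is only defined for units")
    h, t = 1, a % n
    while t != 1:
        t, h = t * a % n, h + 1
    return h

def generator(n):
    """A generator of Z_n^* if it is cyclic (n = 2, 4, p^e, 2p^e), else None."""
    target = phi(n)
    for a in range(1, n):
        if gcd(a, n) == 1 and multiplicative_order(a, n) == target:
            return a
    return None
```

For instance modinv(17, 3120) returns 2753 (the textbook RSA private exponent for $n = 3233 = 53 \cdot 61$), generator(7) returns 3, and generator(15) returns None because $\mathbb{Z}_{15}^* \cong \mathbb{Z}_2 \times \mathbb{Z}_4$ has no element of order $\varphi(15) = 8$.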
7 Finite Fields
Every finite field has size $p^n$ for some $p \in \mathbb{P}$, $n \in \mathbb{N}$.
For $q = p^n$, denote by $\mathbb{F}_q = \mathbb{F}_{p^n}$ the finite field of size $q$.
If the extension degree $n$ is 1, $\mathbb{F}_p = \mathbb{Z}_p$. If $n > 1$, $\mathbb{F}_{p^n} \ne \mathbb{Z}_{p^n}$ (the ring $\mathbb{Z}_{p^n}$ has zero divisors and is not a field).
Polynomial-basis representation: choose an irreducible polynomial $f(x) \in \mathbb{F}_p[x]$ of degree $n$. Elements of $\mathbb{F}_{p^n}$ are represented as polynomials:
$\mathbb{F}_{p^n} = \{a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1} \mid a_i \in \mathbb{F}_p\}$.
Arithmetic operations in $\mathbb{F}_{p^n}$: polynomial operations modulo $f(x)$.
Extensions of extensions: let $q = p^n$ and $m \in \mathbb{N}$.
$\mathbb{F}_{q^m} = \{\alpha_0 + \alpha_1 y + \alpha_2 y^2 + \cdots + \alpha_{m-1} y^{m-1} \mid \alpha_i \in \mathbb{F}_{p^n}\}$.
Arithmetic in $\mathbb{F}_{q^m}$ is the polynomial arithmetic of $\mathbb{F}_q[y]$ modulo an irreducible polynomial $g(y) \in \mathbb{F}_q[y]$ of degree $m$.
8 Some Properties of Finite Fields
$\mathbb{F}_q^* = \mathbb{F}_q \setminus \{0\}$ is cyclic. There are $\varphi(q-1)$ generators of $\mathbb{F}_q^*$.
Fermat's little theorem: $\alpha^{q-1} = 1$ for all $\alpha \in \mathbb{F}_q^*$; equivalently $\beta^q = \beta$ for all $\beta \in \mathbb{F}_q$.
Multiplicative order: let $\alpha \in \mathbb{F}_q^*$. The smallest positive integer $h$ satisfying $\alpha^h = 1$ is the order of $\alpha$, denoted $h = \mathrm{ord}(\alpha)$. $\mathrm{ord}(\alpha) \mid (q-1)$.
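Slides 7 and 8 in working code, as an added example that is not part of the original deck: a small $\mathbb{F}_{p^n}$ class in polynomial basis with multiplication modulo $f(x)$, inversion by Fermat's little theorem ($a^{-1} = a^{q-2}$), multiplicative order, and a count of generators to compare against $\varphi(q-1)$. The class and helper names are this example's own; the brute-force irreducibility test is only meant for tiny fields.

```python
"""F_{p^n} in polynomial basis (slides 7-8): elements are coefficient lists
[a_0, ..., a_{n-1}] over F_p, multiplied modulo an irreducible f(x) of degree n.
Added example, not code from the slides.  Irreducibility of f is verified by
brute force rather than assumed."""
from itertools import product

class GF:
    def __init__(self, p, f):
        """f = [f_0, ..., f_n] with f_n == 1; raises if f is reducible over F_p."""
        self.p, self.f, self.n = p, [c % p for c in f], len(f) - 1
        if self.n < 1 or self.f[-1] != 1:
            raise ValueError("f must be monic of degree >= 1")
        self.q = p ** self.n
        if not self.is_irreducible():
            raise ValueError("f is reducible over F_p, so F_p[x]/(f) is not a field")

    def _rem(self, a, g):
        """Remainder of polynomial a modulo monic g over F_p (low degree first)."""
        a, dg = [c % self.p for c in a], len(g) - 1
        for i in range(len(a) - 1, dg - 1, -1):
            c = a[i]
            if c:
                for j in range(dg + 1):  # subtract c * x^(i-dg) * g
                    a[i - dg + j] = (a[i - dg + j] - c * g[j]) % self.p
        a = a[:dg]
        while a and a[-1] == 0:
            a.pop()
        return a

    def reduce(self, a):
        """Canonical length-n representative of a modulo f."""
        r = self._rem(a, self.f)
        return r + [0] * (self.n - len(r))

    def is_irreducible(self):
        """f has no monic divisor of degree 1 .. n//2 (brute force, small fields)."""
        return not any(self._rem(self.f, list(low) + [1]) == []
                       for d in range(1, self.n // 2 + 1)
                       for low in product(range(self.p), repeat=d))

    def one(self):
        return [1] + [0] * (self.n - 1)

    def add(self, a, b):
        return [(x + y) % self.p for x, y in zip(a, b)]

    def mul(self, a, b):
        prod = [0] * (len(a) + len(b) - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] += x * y
        return self.reduce(prod)

    def pow(self, a, e):
        """Square-and-multiply in the field (e >= 0)."""
        r = self.one()
        for bit in bin(e)[2:]:
            r = self.mul(r, r)
            if bit == '1':
                r = self.mul(r, a)
        return r

    def inv(self, a):
        """a^(q-2) = a^(-1), by Fermat's little theorem in F_q."""
        if not any(a):
            raise ZeroDivisionError("0 has no inverse")
        return self.pow(a, self.q - 2)

    def order(self, a):
        """Multiplicative order of a nonzero element; always divides q - 1."""
        h, t = 1, a
        while t != self.one():
            t, h = self.mul(t, a), h + 1
        return h

    def elements(self):
        return [list(c) for c in product(range(self.p), repeat=self.n)]

def count_generators(F):
    """Number of generators of F_q^*, which slide 8 says is phi(q - 1)."""
    return sum(1 for a in F.elements() if any(a) and F.order(a) == F.q - 1)
```

With $f(x) = x^4 + x + 1$ over $\mathbb{F}_2$ the element $x$ has order 15 and count_generators returns $8 = \varphi(15)$; passing the reducible $x^4 + 1 = (x+1)^4$ raises, because $\mathbb{F}_2[x]/(x^4+1)$ has zero divisors and is not a field, which is the same reason $\mathbb{Z}_{p^n}$ is not $\mathbb{F}_{p^n}$.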
9 Elliptic Curves
Let $K$ be a field. An elliptic curve $E$ over $K$ is defined by the Weierstrass equation
$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, $a_i \in K$.
The curve must be smooth (no singular points).
Special forms:
$\mathrm{char}\, K \ne 2, 3$: $y^2 = x^3 + ax + b$, $a, b \in K$.
$\mathrm{char}\, K \ne 2$: $y^2 = x^3 + b_2 x^2 + b_4 x + b_6$, $b_i \in K$.
$\mathrm{char}\, K = 2$: non-supersingular curve $y^2 + xy = x^3 + ax^2 + b$, $a, b \in K$; supersingular curve $y^2 + ay = x^3 + bx + c$, $a, b, c \in K$.
10 Real Elliptic Curves: Example
[Figure: two real curves plotted in the $(x, y)$ plane.] (a) $y^2 = x^3 - x + 1$. (b) $y^2 = x^3 - x$.
11 The Elliptic Curve Group
Any $(x, y) \in K^2$ satisfying the equation of an elliptic curve $E$ is called a $K$-rational point on $E$.
Point at infinity: there is a single point at infinity on $E$, denoted $O$. This point cannot be visualized in the two-dimensional $(x, y)$ plane; it exists in the projective plane.
$E(K)$ is the set of all finite $K$-rational points on $E$ together with the point at infinity.
An additive group structure can be defined on $E(K)$, with $O$ as the identity of the group.
12 The Opposite of a Point
[Figure: (a) ordinary points, (b) special points; each panel shows $P$ and its opposite $Q = -P$.]
13 Addition of Two Points
[Figure: chord-and-tangent rule, panels (a) and (b), showing $P$, $Q$, the third intersection $R$ and $P + Q$.]
14 Doubling of a Point
[Figure: chord-and-tangent rule, panels (a) and (b), showing $P$, the second intersection $R$ of the tangent and $2P$.]
15 Addition and Doubling Formulas
Let $P = (h_1, k_1)$ and $Q = (h_2, k_2)$ be finite points. Assume that $P + Q \ne O$ and $2P \ne O$. Let $P + Q = (h_3, k_3)$ (note that $P + Q = 2P$ if $P = Q$).
$E : y^2 = x^3 + ax + b$ (with $\mathrm{char}\, K \ne 2, 3$).
$-P = (h_1, -k_1)$.
$h_3 = \lambda^2 - h_1 - h_2$,
$k_3 = \lambda(h_1 - h_3) - k_1$, where
$\lambda = \dfrac{k_2 - k_1}{h_2 - h_1}$ if $P \ne Q$, and $\lambda = \dfrac{3h_1^2 + a}{2k_1}$ if $P = Q$.
16 Addition and Doubling in Non-supersingular Curves
$E : y^2 + xy = x^3 + ax^2 + b$ (with $\mathrm{char}\, K = 2$).
$-P = (h_1, k_1 + h_1)$.
If $P \ne Q$, with $\lambda = \dfrac{k_1 + k_2}{h_1 + h_2}$:
$h_3 = \lambda^2 + \lambda + h_1 + h_2 + a$,
$k_3 = \lambda(h_1 + h_3) + h_3 + k_1$.
If $P = Q$:
$h_3 = h_1^2 + \dfrac{b}{h_1^2}$,
$k_3 = h_1^2 + \left(h_1 + \dfrac{k_1}{h_1}\right) h_3 + h_3$.
17 Addition and Doubling in Supersingular Curves
$E : y^2 + ay = x^3 + bx + c$ (with $\mathrm{char}\, K = 2$).
$-P = (h_1, k_1 + a)$.
If $P \ne Q$, with $\lambda = \dfrac{k_1 + k_2}{h_1 + h_2}$:
$h_3 = \lambda^2 + h_1 + h_2$,
$k_3 = \lambda(h_1 + h_3) + k_1 + a$.
If $P = Q$:
$h_3 = \dfrac{h_1^4 + b^2}{a^2}$,
$k_3 = \left(\dfrac{h_1^2 + b}{a}\right)(h_1 + h_3) + k_1 + a$.
18 Size of the Elliptic Curve Group
Let $E$ be an elliptic curve defined over $\mathbb{F}_q = \mathbb{F}_{p^n}$.
Hasse's theorem: $|E(\mathbb{F}_q)| = q + 1 - t$, where $-2\sqrt{q} \le t \le 2\sqrt{q}$. $t$ is called the trace of Frobenius at $q$.
If $t = 1$, then $E$ is called anomalous. If $p \mid t$, then $E$ is called supersingular. If $p \nmid t$, then $E$ is called non-supersingular.
Let $\alpha, \beta \in \mathbb{C}$ satisfy $1 - tx + qx^2 = (1 - \alpha x)(1 - \beta x)$. Then $|E(\mathbb{F}_{q^m})| = q^m + 1 - (\alpha^m + \beta^m)$.
Note: $E(\mathbb{F}_q)$ is not necessarily cyclic.
19 Formal Sums and Free Abelian Groups
Let $a_i$, $i \in I$, be symbols indexed by $I$. A finite formal sum of the $a_i$ is an expression of the form $\sum_{i \in I} m_i a_i$ with $m_i \in \mathbb{Z}$ such that $m_i = 0$ for all but finitely many $i \in I$.
The sum $\sum_{i \in I} m_i a_i$ is formal in the sense that the symbols $a_i$ are not meant to be evaluated; they act as placeholders.
Define $\sum_{i \in I} m_i a_i + \sum_{i \in I} n_i a_i = \sum_{i \in I} (m_i + n_i) a_i$, and $-\sum_{i \in I} m_i a_i = \sum_{i \in I} (-m_i) a_i$.
The set of all finite formal sums is an Abelian group, called the free Abelian group generated by the $a_i$, $i \in I$.
20 Divisors on Curves
Let $C$ be a projective curve defined over $K$. $K$ is assumed to be algebraically closed.
A divisor is a formal sum of the $K$-rational points on $C$. Notation: $D = \sum_P m_P [P]$.
The support of $D$ is the set of points $P$ for which $m_P \ne 0$. The degree of $D$ is the sum $\sum_P m_P$.
All divisors on $C$ form a group denoted $\mathrm{Div}_K(C)$ or $\mathrm{Div}(C)$. All divisors on $C$ of degree 0 form a subgroup denoted $\mathrm{Div}^0_K(C)$ or $\mathrm{Div}^0(C)$.
The divisor of a rational function $R(x, y)$ is $\mathrm{Div}(R) = \sum_P \mathrm{ord}_P(R) [P]$ (zeros of $R$ enter with positive, poles with negative multiplicity).
A principal divisor is the divisor of a rational function. Principal divisors satisfy $\mathrm{Div}(R) + \mathrm{Div}(S) = \mathrm{Div}(RS)$ and $\mathrm{Div}(R) - \mathrm{Div}(S) = \mathrm{Div}(R/S)$.
21 Divisor of a Line: Example
[Figure: (a) a chord $l$ through $P$, $Q$, $R$; (b) a tangent $t$ at $P$ meeting the curve again at $Q$; (c) a vertical line $v$ through $P$ and $Q$.]
(a) $\mathrm{Div}(l) = [P] + [Q] + [R] - 3[O]$.
(b) $\mathrm{Div}(t) = 2[P] + [Q] - 3[O]$.
(c) $\mathrm{Div}(v) = [P] + [Q] - 2[O]$.
22 Divisors and the Chord-and-Tangent Rule
Let $C$ be an elliptic curve over an algebraically closed field $K$. For every $D \in \mathrm{Div}^0_K(C)$, there exist a unique rational point $P$ and a rational function $R$ such that $D = [P] - [O] + \mathrm{Div}(R)$. $D$ is identified with $[P] - [O]$.
This bijection leads to the chord-and-tangent rule in the following sense. Let $D = \sum_P m_P [P] \in \mathrm{Div}_K(C)$. Then $D$ is a principal divisor if and only if $\sum_P m_P = 0$ (integer sum) and $\sum_P m_P P = O$ (sum under the chord-and-tangent rule).
23 Illustrations of the Chord-and-Tangent Rule
[Figure: the three lines $l$, $t$, $v$ of slide 21.]
Identity: $O$ is identified with $[O] - [O] = 0 = \mathrm{Div}(1)$.
Opposite: by part (c), $\mathrm{Div}(v) = ([P] - [O]) + ([Q] - [O])$ is equivalent to 0 (it is principal). By the correspondence, $P + Q = O$, that is, $Q = -P$.
Sum: by part (a), $\mathrm{Div}(l) = ([P] - [O]) + ([Q] - [O]) + ([R] - [O])$ is equivalent to 0, that is, $P + Q + R = O$, that is, $P + Q = -R$.
Double: by part (b), $\mathrm{Div}(t) = ([P] - [O]) + ([P] - [O]) + ([Q] - [O])$ is equivalent to 0, that is, $P + P + Q = O$, that is, $2P = -Q$.
24 More on Divisors
[Figure: the line $L_{P,Q}$ through $P$, $Q$, $R$ and the vertical line $L_{R,-R}$.]
$\mathrm{Div}(L_{P,Q}) = [P] + [Q] + [R] - 3[O]$.
$\mathrm{Div}(L_{R,-R}) = [R] + [-R] - 2[O]$.
$\mathrm{Div}(L_{P,Q} / L_{R,-R}) = [P] + [Q] - [-R] - [O] = [P] + [Q] - [P + Q] - [O]$.
Consequently $[P] - [O]$ is equivalent to $[P + Q] - [Q]$, and $([P] - [O]) + ([Q] - [O])$ is equivalent to $[P + Q] - [O]$.
For both equivalences the pertinent rational function is $L_{P,Q} / L_{P+Q, -(P+Q)}$, which is easy to compute. We can force this rational function to have leading coefficient 1.
25 More on Divisors (contd.)
Let $D = \sum_P n_P [P]$ be a divisor on $E$ and $f \in K(E)$ a rational function such that the supports of $D$ and $\mathrm{Div}(f)$ are disjoint. Define
$f(D) = \prod_{P \in E} f(P)^{n_P} = \prod_{P \in \mathrm{Supp}(D)} f(P)^{n_P}$.
$\mathrm{Div}(f) = \mathrm{Div}(g)$ if and only if $f = cg$ for some non-zero constant $c \in K$.
If $D$ has degree 0, then $f(D) = g(D) \prod_P c^{n_P} = g(D)\, c^{\sum_P n_P} = g(D)\, c^0 = g(D)$: the value of a function on a degree-0 divisor does not depend on the choice of the constant.
Weil reciprocity theorem: if $f$ and $g$ are two non-zero rational functions on $E$ such that $\mathrm{Div}(f)$ and $\mathrm{Div}(g)$ have disjoint supports, then $f(\mathrm{Div}(g)) = g(\mathrm{Div}(f))$.
26 Weil Pairing: Definition
Let $E$ be an elliptic curve defined over a finite field $K = \mathbb{F}_q$. Take a positive integer $m$ coprime to $p = \mathrm{char}\, K$.
Let $\mu_m$ denote the group of $m$-th roots of unity in $\bar{K}$. We have $\mu_m \subseteq \mathbb{F}_{q^k}$, where $k = \mathrm{ord}_m(q)$ (the multiplicative order of $q$ modulo $m$) is called the embedding degree.
Let $E[m]$ be the set of points of $E = E(\bar{K})$ whose orders divide $m$.
The Weil pairing is a function $e_m : E[m] \times E[m] \to \mu_m$ defined as follows. Take $P_1, P_2 \in E[m]$.
Let $D_1$ be a divisor equivalent to $[P_1] - [O]$. Since $mP_1 = O$, there exists a rational function $f_1$ such that $\mathrm{Div}(f_1) = mD_1 \sim m[P_1] - m[O]$.
Similarly, let $D_2$ be a divisor equivalent to $[P_2] - [O]$. There exists a rational function $f_2$ such that $\mathrm{Div}(f_2) = mD_2 \sim m[P_2] - m[O]$.
$D_1$ and $D_2$ are chosen to have disjoint supports. Define $e_m(P_1, P_2) = f_1(D_2) / f_2(D_1)$.
27 Properties of the Weil Pairing
Let $P, Q, R$ be arbitrary points in $E[m]$.
Bilinearity: $e_m(P + Q, R) = e_m(P, R)\, e_m(Q, R)$ and $e_m(P, Q + R) = e_m(P, Q)\, e_m(P, R)$.
Alternating: $e_m(P, P) = 1$.
Skew symmetry: $e_m(Q, P) = e_m(P, Q)^{-1}$.
Non-degeneracy: if $P \ne O$, then $e_m(P, Q) \ne 1$ for some $Q \in E[m]$.
Compatibility: if $S \in E[mn]$ and $Q \in E[n]$, then $e_{mn}(S, Q) = e_n(mS, Q)$.
If $m$ is prime and $P \ne O$, then $e_m(P, Q) = 1$ if and only if $Q$ lies in the subgroup generated by $P$ (that is, $Q = aP$ for some integer $a$).
28 Computing the Weil Pairing: The Functions $f_{n,P}$
Let $P \in E$. For $n \in \mathbb{Z}$, define the rational functions $f_{n,P}$ as having the divisor $\mathrm{Div}(f_{n,P}) = n[P] - [nP] - (n-1)[O]$.
$f_{n,P}$ is unique up to multiplication by elements of $K^*$. We may choose the unique monic representative for $f_{n,P}$.
The $f_{n,P}$ satisfy the recurrence
$f_{0,P} = f_{1,P} = 1$,
$f_{n+1,P} = \left(\dfrac{L_{P,nP}}{L_{(n+1)P,\,-(n+1)P}}\right) f_{n,P}$ for $n \ge 1$,
$f_{-n,P} = \dfrac{1}{f_{n,P}\, L_{nP,-nP}}$ for $n \ge 1$,
where $L_{A,B}$ denotes the line through $A$ and $B$ (the tangent at $A$ if $A = B$, the vertical line through $A$ if $B = -A$), as on slide 24.
If $P \in E[m]$, then $\mathrm{Div}(f_{m,P}) = m[P] - [mP] - (m-1)[O] = m[P] - m[O]$.
Computing $f_{m,P}$ by this recurrence alone takes $m$ steps, which is too inefficient for cryptographic sizes of $m$.
29 Computing the Weil Pairing: More about $f_{n,P}$
The rational functions $f_{n,P}$ also satisfy
$f_{n+n',P} = f_{n,P}\, f_{n',P} \left(\dfrac{L_{nP,\,n'P}}{L_{(n+n')P,\,-(n+n')P}}\right)$.
In particular, for $n = n'$ we have
$f_{2n,P} = f_{n,P}^2 \left(\dfrac{L_{nP,nP}}{L_{2nP,-2nP}}\right)$.
Here $L_{nP,nP}$ is the line tangent to $E$ at the point $nP$.
This and the recursive expression of $f_{n+1,P}$ in terms of $f_{n,P}$ yield a double-and-add algorithm with $O(\log n)$ steps.
The function $f_{n,P}$ is usually kept in factored form. It is often not necessary to compute $f_{n,P}$ explicitly: only the value of $f_{n,P}$ at some point $Q$ is needed.
30 Miller's Algorithm for Computing $f_{n,P}$
Input: a point $P \in E$ and a positive integer $n$.
Output: the rational function $f_{n,P}$.
Steps:
Let $n = (n_s n_{s-1} \ldots n_1 n_0)_2$ be the binary representation of $n$ with $n_s = 1$.
Initialize $f = 1$ and $U = P$.
For $i = s-1, s-2, \ldots, 1, 0$, do the following:
  /* Doubling */ Update $f = f^2 \left(\dfrac{L_{U,U}}{L_{2U,-2U}}\right)$ and $U = 2U$.
  /* Conditional adding */ If $n_i = 1$, update $f = f \left(\dfrac{L_{U,P}}{L_{U+P,\,-(U+P)}}\right)$ and $U = U + P$.
Return $f$.
Note: one may supply a point $Q \in E$ and wish to compute the value $f_{n,P}(Q)$ instead of the function $f_{n,P}$. In that case, the functions $L_{U,U}/L_{2U,-2U}$ and $L_{U,P}/L_{U+P,-(U+P)}$ are evaluated at $Q$ before multiplication with $f$. This factor-by-factor evaluation is undefined when $Q$ is a zero or pole of one of the line factors (for instance when $Q$ is a multiple of $P$, whose vertical lines vanish at $Q$), even though the zeros and poles cancel in the product; the auxiliary point $T$ in the pairing formulas of slide 31 exists to move the evaluation points away from such $Q$.
31 Weil Pairing and the Functions $f_{n,P}$
Let $P_1, P_2 \in E[m]$, and suppose we want to compute $e_m(P_1, P_2)$.
Choose a point $T \ne \pm P_1, \pm P_2, P_2 - P_1, O$, so that the divisors $D_1 = [P_1 + T] - [T]$ and $D_2 = [P_2] - [O]$ have disjoint supports. We have
$e_m(P_1, P_2) = \dfrac{f_{m,P_2}(T)\, f_{m,P_1}(P_2 - T)}{f_{m,P_1}(-T)\, f_{m,P_2}(P_1 + T)}$.
Any constant factor in $f_{m,P_1}$ or $f_{m,P_2}$ cancels in this quotient, so the normalization of the $f_{m,P}$ does not matter here.
If $P_1 \ne P_2$, then we also have
$e_m(P_1, P_2) = (-1)^m\, \dfrac{f_{m,P_1}(P_2)}{f_{m,P_2}(P_1)}$,
with the monic normalization of slide 28.
Miller's algorithm for computing $f_{n,P}(Q)$ can be used. All these invocations of Miller's algorithm have $n = m$, so a single double-and-add loop suffices.
For efficiency, one may avoid the division operations in Miller's loop by separately maintaining polynomial expressions for the numerator and the denominator of $f$. After the loop terminates, a single division is made.
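Slides 15, 18, 30 and 31 in working code, as an added example that is not from the deck: short Weierstrass arithmetic over $\mathbb{F}_p$, a Hasse-bound check on the point count, Miller's loop evaluated at a point with numerator and denominator kept apart as slide 31 suggests, and the Weil pairing via the auxiliary-point formula of slide 31. The demo curve $y^2 = x^3 + 2$ over $\mathbb{F}_7$ is this example's own choice (it does not appear on the slides): $E(\mathbb{F}_7) \cong \mathbb{Z}_3 \times \mathbb{Z}_3$, so the full 3-torsion is $\mathbb{F}_7$-rational, $3 \mid 7 - 1$ gives embedding degree 1, and the group illustrates the note on slide 18 that $E(\mathbb{F}_q)$ need not be cyclic. All names are this example's own.

```python
"""Short Weierstrass curve y^2 = x^3 + ax + b over F_p (p > 3): chord-and-tangent
arithmetic (slide 15), point counting against Hasse's bound (slide 18), Miller's
algorithm for f_{n,P}(X) (slide 30) and the Weil pairing via the four-evaluation
formula of slide 31.  Added example, not code from the slides.  Demo curve:
y^2 = x^3 + 2 over F_7, where E(F_7) = Z_3 x Z_3 and 3 | 7 - 1, so E[3] and
mu_3 = {1, 2, 4} are both F_7-rational (embedding degree 1)."""

O = None  # point at infinity, the group identity

class Curve:
    def __init__(self, p, a, b):
        if p <= 3 or (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("need p > 3 and a non-singular curve")
        self.p, self.a, self.b = p, a % p, b % p

    def neg(self, P):
        return O if P is O else (P[0], -P[1] % self.p)

    def _slope(self, P, Q):
        """Chord slope (P != Q) or tangent slope (P == Q); None if vertical (Q == -P)."""
        p = self.p
        if P[0] != Q[0]:
            return (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p) % p
        if P[1] != Q[1] or P[1] == 0:
            return None
        return (3 * P[0]**2 + self.a) * pow(2 * P[1] % p, -1, p) % p

    def add(self, P, Q):
        if P is O: return Q
        if Q is O: return P
        lam = self._slope(P, Q)
        if lam is None: return O
        x3 = (lam * lam - P[0] - Q[0]) % self.p
        return (x3, (lam * (P[0] - x3) - P[1]) % self.p)

    def mul(self, n, P):
        R = O  # double-and-add, bits of n from the top (as on slide 5)
        for bit in bin(n)[2:]:
            R = self.add(R, R)
            if bit == '1': R = self.add(R, P)
        return R

    def points(self):
        """All affine F_p-rational points by brute force (tiny p only)."""
        return [(x, y) for x in range(self.p) for y in range(self.p)
                if (y * y - x**3 - self.a * x - self.b) % self.p == 0]

    def order(self):
        return len(self.points()) + 1  # plus the point at infinity

    def trace(self):
        t = self.p + 1 - self.order()  # trace of Frobenius
        assert t * t <= 4 * self.p     # Hasse: |t| <= 2 sqrt(p)
        return t

    def _step(self, U, V, X):
        """Value at X of L_{U,V} / L_{U+V,-(U+V)} as (numerator, denominator)."""
        if U is O or V is O: return 1, 1
        lam = self._slope(U, V)
        if lam is None:  # U + V = O: L_{U,V} is the vertical x - x_U, denominator is 1
            return (X[0] - U[0]) % self.p, 1
        W = self.add(U, V)
        return (X[1] - U[1] - lam * (X[0] - U[0])) % self.p, (X[0] - W[0]) % self.p

    def miller(self, P, n, X):
        """f_{n,P}(X) by Miller's loop, numerator and denominator kept apart and
        divided once at the end; ZeroDivisionError if a line factor vanishes at X."""
        fn = fd = 1
        U = P
        for bit in bin(n)[3:]:  # bits below the leading 1
            a, b = self._step(U, U, X)  # doubling
            fn, fd, U = fn * fn * a % self.p, fd * fd * b % self.p, self.add(U, U)
            if bit == '1':  # conditional adding
                a, b = self._step(U, P, X)
                fn, fd, U = fn * a % self.p, fd * b % self.p, self.add(U, P)
        if fn == 0 or fd == 0: raise ZeroDivisionError
        return fn * pow(fd, -1, self.p) % self.p

    def weil(self, P1, P2, m):
        """e_m(P1,P2) = f_{m,P2}(T) f_{m,P1}(P2-T) / (f_{m,P1}(-T) f_{m,P2}(P1+T)),
        trying auxiliary points T until all four Miller evaluations are defined."""
        assert self.mul(m, P1) is O and self.mul(m, P2) is O
        bad = {O, P1, self.neg(P1), P2, self.neg(P2), self.add(P2, self.neg(P1))}
        for T in self.points():
            if T in bad: continue
            try:
                num = self.miller(P2, m, T) * self.miller(P1, m, self.add(P2, self.neg(T)))
                den = self.miller(P1, m, self.neg(T)) * self.miller(P2, m, self.add(P1, T))
                return num * pow(den, -1, self.p) % self.p
            except ZeroDivisionError:
                continue
        raise ValueError("no usable auxiliary point T on this curve")

def bilinear(E, m):
    """Exhaustive check of e(A,A) = 1 and e(A+B,C) = e(A,C) e(B,C) over E(F_p)."""
    pts = [O] + E.points()
    return all(E.weil(A, A, m) == 1 for A in pts) and all(
        E.weil(E.add(A, B), C, m) == E.weil(A, C, m) * E.weil(B, C, m) % E.p
        for A in pts for B in pts for C in pts)
```

On the demo curve, with $P = (0, 3)$ and $Q = (5, 1)$, weil(P, Q, 3) returns 4, weil(Q, P, 3) returns $2 = 4^{-1} \bmod 7$ and weil(P, P, 3) returns 1, and every one of the nine points satisfies $3P = O$. The retry loop in weil is forced by the tiny curve: with only nine points, exactly one auxiliary $T$ (namely $P_1 - P_2$ when $P_1, P_2$ are independent) avoids every zero and pole of the four Miller evaluations; on a cryptographic-size curve a random $T$ works with overwhelming probability. bilinear(E, 3) checks the identities of slide 27 over all of $E(\mathbb{F}_7)$.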
32 Some Intractable Number-theoretic Problems of Cryptographic Significance
Integer factorization problem (IFP): given a composite integer $n$ with unknown prime divisors, factor $n$.
Square root problem (SQRTP): given a composite integer $n$ with unknown factorization and a modular square $a \in \mathbb{Z}_n^*$, compute $x \in \mathbb{Z}_n$ such that $x^2 \equiv a \pmod n$.
Discrete logarithm problem (DLP): let $G$ be a finite cyclic group generated by $g$. Given $a \in G$, find $x$ such that $a = g^x$ in $G$.
Diffie-Hellman problem (DHP): let $G$ be a finite cyclic group generated by $g$. Given $g^x, g^y \in G$ (but not $x$ or $y$), compute $g^{xy}$ in $G$.
DLP and DHP apply to many number-theoretic groups such as $\mathbb{F}_q^*$ and $E(\mathbb{F}_q)$.
Bilinear Diffie-Hellman problem (BDHP): let $e : G \times G \to G'$ be a pairing map. Given $P, aP, bP, cP \in G$ only, compute $e(P, P)^{abc} \in G'$.
33 Cryptanalysis: Factoring Integers
Exponential algorithms: trial division, Pollard rho method, Pollard $p - 1$ method, Williams $p + 1$ method.
Sub-exponential algorithms: CFRAC method, Dixon's method, quadratic sieve method, cubic sieve method, elliptic curve method, number-field sieve method.
Their running times are expressed with $L(n, \omega, c) = \exp\left[(c + o(1)) (\ln n)^{\omega} (\ln \ln n)^{1 - \omega}\right]$; $\omega = 1/2$ for the quadratic sieve and $\omega = 1/3$ for the number-field sieve.
34 The Number-field Sieve Method
Based on Fermat's method of squares: compute $a, b$ with $a^2 \equiv b^2 \pmod n$ and $a \not\equiv \pm b \pmod n$. In this case, $\gcd(a - b, n)$ is a non-trivial factor of $n$.
Choose an irreducible polynomial $f(x) \in \mathbb{Q}[x]$ and a positive integer $H$ such that $f(H)$ is a small multiple of $n$. Let $d = \deg f(x)$.
Define the number field $K = \mathbb{Q}[x]/\langle f(x) \rangle = \{g(x) \in \mathbb{Q}[x] \mid \deg g(x) \le d - 1\}$. Arithmetic in $K$ is the polynomial arithmetic of $\mathbb{Q}[x]$ modulo $f(x)$.
Let $\mathcal{O}_K$ be the ring of integers in $K$. Assume (for this sketch) that $\mathcal{O}_K$ supports element-wise unique factorization.
Consider the ring homomorphism $\Phi : \mathcal{O}_K \to \mathbb{Z}_n$ taking $x \mapsto H$.
Relation: $\Phi(\alpha_1)\Phi(\alpha_2)\cdots\Phi(\alpha_k) \equiv \prod_{i=1}^{t} p_i^{e_i} \pmod n$.
Combine many relations to obtain $a^2 \equiv b^2 \pmod n$.
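The congruence-of-squares step that finishes CFRAC, Dixon's method, the quadratic sieve and the number-field sieve of slides 33 and 34, as an added example that is not taken from the deck, together with Fermat's direct search for such a congruence, Pollard's rho as the exponential-time baseline from the same list, and the $L(n, \omega, c)$ estimate evaluated in the log domain so that it can be applied to a 2048-bit modulus. Function names and sample moduli are this example's own.

```python
"""Factoring pieces from slides 33-34, as an added example (not code from the
slides): the congruence-of-squares step that finishes CFRAC, Dixon, the
quadratic sieve and the number-field sieve; Fermat's direct search for such a
congruence; Pollard's rho as a representative exponential-time method; and the
L(n, omega, c) running-time estimate.  Function names are this example's own."""
from math import gcd, isqrt, log

def factor_from_squares(n, a, b):
    """Given a^2 = b^2 (mod n), return a non-trivial factor of n, or None when
    a = +-b (mod n), the useless case the slide excludes."""
    if (a * a - b * b) % n != 0:
        raise ValueError("a^2 and b^2 are not congruent modulo n")
    if (a - b) % n == 0 or (a + b) % n == 0:
        return None
    g = gcd(a - b, n)
    assert 1 < g < n  # n | (a-b)(a+b) but n divides neither factor
    return g

def fermat(n):
    """Fermat's method: walk a upward from ceil(sqrt(n)) until a^2 - n is a
    square b^2; fast only when n has two factors close to sqrt(n)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    while True:
        b = isqrt(a * a - n)
        if b * b == a * a - n:
            return factor_from_squares(n, a, b)
        a += 1

def pollard_rho(n, c=1):
    """Pollard's rho on a composite n with f(x) = x^2 + c and Floyd cycle
    finding; if the walk closes up without exposing a factor, restart with
    the next c.  (A prime n would never terminate: test primality first.)"""
    if n % 2 == 0:
        return 2
    x = y = 2
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = gcd(abs(x - y), n)
    return pollard_rho(n, c + 1) if d == n else d

def log2_L(bits, omega, c):
    """log2 of L(n, omega, c) for an n of the given bit length, with the o(1)
    term dropped: a back-of-the-envelope work estimate for the sieve methods."""
    ln_n = bits * log(2)
    return c * ln_n ** omega * log(ln_n) ** (1 - omega) / log(2)
```

factor_from_squares(91, 10, 3) returns 7 since $10^2 \equiv 3^2 \pmod{91}$, fermat(5959) finds $80^2 - 5959 = 21^2$ and returns 59, and pollard_rho(8051) returns 97. With the textbook constants $\omega = 1/3$, $c = (64/9)^{1/3}$ for the number-field sieve, log2_L(2048, ...) comes out near 117, the usual order-of-magnitude statement that factoring RSA-2048 costs roughly $2^{117}$ operations, versus about $2^{146}$ for the quadratic sieve ($\omega = 1/2$, $c = 1$) under the same crude estimate.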
35 Questions?
"In mathematics you don't understand things. You just get used to them." (John von Neumann)
Some Recommended Textbooks
Das, Computational Number Theory, CRC, 2012 (?).
Das and Veni Madhavan, Public-key Cryptography: Theory and Practice, Pearson.
Zuckerman, Montgomery, Niven and Niven, An Introduction to the Theory of Numbers, Wiley.
Bressoud, Factorization and Primality Testing, Springer UTM.
Cohen, A Course in Computational Algebraic Number Theory, Springer GTM.
Crandall and Pomerance, Prime Numbers: A Computational Perspective, Springer.
Enge, Elliptic Curves and Their Applications to Cryptography, Kluwer.
Blake, Seroussi and Smart, Advances in Elliptic Curve Cryptography, Cambridge.
Charlap and Robbins, An Elementary Introduction to Elliptic Curves, CRD Report.
Martin, Introduction to Identity-Based Encryption, Artech House.
Mollin, Fundamental Number Theory with Applications, CRC.
Mollin, Algebraic Number Theory, CRC, 1999.
More informationGroups, Rings, and Finite Fields. Andreas Klappenecker. September 12, 2002
Background on Groups, Rings, and Finite Fields Andreas Klappenecker September 12, 2002 A thorough understanding of the Agrawal, Kayal, and Saxena primality test requires some tools from algebra and elementary
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationThe RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay
The RSA Cryptosystem: Factoring the public modulus Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationFinite Fields. Mike Reiter
1 Finite Fields Mike Reiter reiter@cs.unc.edu Based on Chapter 4 of: W. Stallings. Cryptography and Network Security, Principles and Practices. 3 rd Edition, 2003. Groups 2 A group G, is a set G of elements
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationBackground of Pairings
Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings
More informationOutline of the Seminar Topics on elliptic curves Saarbrücken,
Outline of the Seminar Topics on elliptic curves Saarbrücken, 11.09.2017 Contents A Number theory and algebraic geometry 2 B Elliptic curves 2 1 Rational points on elliptic curves (Mordell s Theorem) 5
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory
More informationThe Application of the Mordell-Weil Group to Cryptographic Systems
The Application of the Mordell-Weil Group to Cryptographic Systems by André Weimerskirch A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 Public Key Encryption page 2 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem:
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationLecture notes: Algorithms for integers, polynomials (Thorsten Theobald)
Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures
More informationLECTURE 7, WEDNESDAY
LECTURE 7, WEDNESDAY 25.02.04 FRANZ LEMMERMEYER 1. Singular Weierstrass Curves Consider cubic curves in Weierstraß form (1) E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6, the coefficients a i
More informationElliptic Curves and Public Key Cryptography (3rd VDS Summer School) Discussion/Problem Session I
Elliptic Curves and Public Key Cryptography (3rd VDS Summer School) Discussion/Problem Session I You are expected to at least read through this document before Wednesday s discussion session. Hopefully,
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationAte Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationNUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA
NUMBER THEORY Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by William
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationA Guide to Arithmetic
A Guide to Arithmetic Robin Chapman August 5, 1994 These notes give a very brief resumé of my number theory course. Proofs and examples are omitted. Any suggestions for improvements will be gratefully
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCourse MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography
Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups
More informationFURTHER REFINEMENT OF PAIRING COMPUTATION BASED ON MILLER S ALGORITHM
Unspecified Journal Volume 00, Number 0, Pages 000 000 S????-????(XX)0000-0 FURTHER REFINEMENT OF PAIRING COMPUTATION BASED ON MILLER S ALGORITHM CHAO-LIANG LIU, GWOBOA HORNG, AND TE-YU CHEN Abstract.
More information