On the distribution of the elliptic curve power generator
|
|
- Lorin Holt
- 5 years ago
- Views:
Transcription
1 On the distribution of the elliptic curve power generator László Mérai Eötvös Loránd University Budapest László Mérai (Budapest) On the elliptic curve power generator / 16
2 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q (E(F p ), +) is an Abelian group. Adding: (x P, y P ) + (x Q, y Q ): x = ( yp y Q x P x Q ) 2 xp x Q y = y P + y P y Q x P x Q (x P x) Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P y = y P + 3x2 P +A (x 2z P P x) y P Discrete logarithm problem: given P, np E(F p ) find n! fff László Mérai (Budapest) On the elliptic curve power generator / 16
3 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q (E(F p ), +) is an Abelian group. Adding: (x P, y P ) + (x Q, y Q ): x = ( yp y Q x P x Q ) 2 xp x Q y = y P + y P y Q x P x Q (x P x) Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P y = y P + 3x2 P +A (x 2z P P x) y P Discrete logarithm problem: given P, np E(F p ) find n! fff László Mérai (Budapest) On the elliptic curve power generator / 16
4 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q (E(F p ), +) is an Abelian group. Adding: (x P, y P ) + (x Q, y Q ): x = ( yp y Q x P x Q ) 2 xp x Q y = y P + y P y Q x P x Q (x P x) Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P y = y P + 3x2 P +A (x 2z P P x) y P Discrete logarithm problem: given P, np E(F p ) find n! fff László Mérai (Budapest) On the elliptic curve power generator / 16
5 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q Applications: Public key cryptosystem Digital signature Generating pseudorandom sequences,... Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P László Mérai (Budapest) On the elliptic curve power generator / 16
6 Elliptic curves E(F q ) = {(x, y) : y 2 = x 3 + a 1 x + a 2 } { }, a 1, a 2 F q Applications: Public key cryptosystem Digital signature Generating pseudorandom sequences,... Doubling: 2(x P, y P ): ( ) 2 x = 2x P 3x 2 P +A 2z P Discrete logarithm problem: given P, np E(F p ) find n! fff László Mérai (Budapest) On the elliptic curve power generator / 16
7 Sequences generated by elliptic curve Let P n E(F q ) be a sequence of points. We study the distribution of points P n = (x n, y n ), (x n, y n F q ) László Mérai (Budapest) On the elliptic curve power generator / 16
8 Sequences generated by elliptic curve Let P n E(F q ) be a sequence of points. We study the distribution of points P n = (x n, y n ), (x n, y n F q ) Importance: We may get a good pseudorandom generator. Helps us to trust the hardness of discrete logarithm problem. László Mérai (Budapest) On the elliptic curve power generator / 16
9 Sequences generated by elliptic curve Let P n E(F q ) be a sequence of points. We study the distribution of points P n = (x n, y n ), (x n, y n F q ) Importance: We may get a good pseudorandom generator. Helps us to trust the hardness of discrete logarithm problem. A negative result would help us to attack this problem. László Mérai (Budapest) On the elliptic curve power generator / 16
10 Pseudorandomness of sequences - Discrepancy Let (u n ) [0, 1) be a sequence. For a positive integer s, the discrepancy D s (N) of the points is defined by (u n,..., u n+s 1 ), n = 1,..., N D s (N) = sup B [0,1) s N(B) N B, where N(B) is the number of points which hit the box B = [a 1, b 1 ) [a s, b s ) and the supremum is taken over all such boxes B. László Mérai (Budapest) On the elliptic curve power generator / 16
11 Pseudorandomness of sequences - Discrepancy Let (u n ) [0, 1) be a sequence. For a positive integer s, the discrepancy D s (N) of the points is defined by (u n,..., u n+s 1 ), n = 1,..., N D s (N) = sup B [0,1) s N(B) N B, where N(B) is the number of points which hit the box B = [a 1, b 1 ) [a s, b s ) and the supremum is taken over all such boxes B. We can apply the discrepancy to the sequence xn p P n = (x n, y n ) E(F p ) where László Mérai (Budapest) On the elliptic curve power generator / 16
12 Pseudorandomness of sequences - Measures of pseudorandomness Let E N = (e 1,..., e N ) {+1, 1} N binary sequence. The well-distribution measure W (E N ) is t W (E N ) = max a,b,t e a+jb j=1 László Mérai (Budapest) On the elliptic curve power generator / 16
13 Pseudorandomness of sequences - Measures of pseudorandomness Let E N = (e 1,..., e N ) {+1, 1} N binary sequence. The well-distribution measure W (E N ) is t W (E N ) = max a,b,t e a+jb The correlation measure C l (E N ) of order l is M C l (E N ) = max e n+d1... e n+dl M,d 1,...,d l n=1 j=1 László Mérai (Budapest) On the elliptic curve power generator / 16
14 Pseudorandomness of sequences - Measures of pseudorandomness Let E N = (e 1,..., e N ) {+1, 1} N binary sequence. The well-distribution measure W (E N ) is t W (E N ) = max a,b,t e a+jb The correlation measure C l (E N ) of order l is M C l (E N ) = max e n+d1... e n+dl M,d 1,...,d l We can apply this measures by transforming P n to a binary sequence: { +1, if xn {0, 1,..., p 1 P n = (x n, y n) } 2 1, otherwise ( ) ( ) x P n = (x n, y n) np, (Here is the Legendre symbol.) p n=1 László Mérai (Budapest) On the elliptic curve power generator / 16 j=1
15 Sequences generated by elliptic curve Elliptic curve linear congruential generator, EC-LCG: Let P, P 0 E(F q ) and the sequence U n (n N) generated by the rule U n = U n 1 + P = np + P 0 László Mérai (Budapest) On the elliptic curve power generator / 16
16 Sequences generated by elliptic curve Elliptic curve linear congruential generator, EC-LCG: Let P, P 0 E(F q ) and the sequence U n (n N) generated by the rule U n = U n 1 + P = np + P 0 Given consecutive elements U n, U n+1 one can easily compute P. We can consider the sequence f (U n) F q with secret f F q(e). Due to the simple structure, the generator is well-understood. László Mérai (Budapest) On the elliptic curve power generator / 16
17 Sequences generated by elliptic curve Elliptic curve linear congruential generator, EC-LCG: Let P, P 0 E(F q ) and the sequence U n (n N) generated by the rule U n = U n 1 + P = np + P 0 Given consecutive elements U n, U n+1 one can easily compute P. We can consider the sequence f (U n) F q with secret f F q(e). Due to the simple structure, the generator is well-understood. Elliptic curve power generator, EC-PG: Let Q E(F q ) and fix an integer e. The sequence W n (n N) generated by the rule W n = ew n 1 = e n Q László Mérai (Budapest) On the elliptic curve power generator / 16
18 Sequences generated by elliptic curve Elliptic curve linear congruential generator, EC-LCG: Let P, P 0 E(F q ) and the sequence U n (n N) generated by the rule U n = U n 1 + P = np + P 0 Given consecutive elements U n, U n+1 one can easily compute P. We can consider the sequence f (U n) F q with secret f F q(e). Due to the simple structure, the generator is well-understood. Elliptic curve power generator, EC-PG: Let Q E(F q ) and fix an integer e. The sequence W n (n N) generated by the rule W n = ew n 1 = e n Q To compute e from consecutive elements W n, W n+1 one may need to solve the discrete logarithm problem. To compute an element W n from the some previous ones one may need to solve the Diffie-Helmann problem. László Mérai (Budapest) On the elliptic curve power generator / 16
19 Elliptic curve linear congruential generator, EC-LCG Discrepancy bounds: Hess, Shparlinski: Let u n = x(ng) p [0, 1). Then the discrepancy of (u n+1,..., u n+s ) is D s (t) t 1 p 1/2+ε, (Here t is the order of G.) László Mérai (Budapest) On the elliptic curve power generator / 16
20 Elliptic curve linear congruential generator, EC-LCG Discrepancy bounds: Hess, Shparlinski: Let u n = x(ng) p [0, 1). Then the discrepancy of (u n+1,..., u n+s ) is D s (t) t 1 p 1/2+ε, (Here t is the order of G.) Bounds on the pseudorandom measures of binary case: ) Chen; Mérai: Let e n = {+1, 1}, then ( f (ng) p W (E N ), C l (E N ) p 1/2+ε. László Mérai (Budapest) On the elliptic curve power generator / 16
21 Elliptic curve linear congruential generator, EC-LCG Discrepancy bounds: Hess, Shparlinski: Let u n = x(ng) p [0, 1). Then the discrepancy of (u n+1,..., u n+s ) is D s (t) t 1 p 1/2+ε, (Here t is the order of G.) Bounds on the pseudorandom measures of binary case: ) Chen; Mérai: Let e n = {+1, 1}, then ( f (ng) p W (E N ), C l (E N ) p 1/2+ε. Liu, Wang, Zhand; Mérai: { +1, if f (ng) {0, 1,..., p 1 Let e n = 2 } 1, otherwise, then W (E N ), C l (E N ) p 1/2+ε. László Mérai (Budapest) On the elliptic curve power generator / 16
22 Elliptic curve power generator, EC-PG Discrepancy bound: Banks, Friedlander, Garaev, Shparlinski: Let u n = x(en G) p [0, 1). Then its discrepancy: D 1 (N) N 2/3 T 5/9 p 1/18+ε Here T is the multiplicative order of e modulo G. László Mérai (Budapest) On the elliptic curve power generator / 16
23 Elliptic curve power generator, EC-PG Discrepancy bound: Banks, Friedlander, Garaev, Shparlinski: Let u n = x(en G) p [0, 1). Then its discrepancy: D 1 (N) N 2/3 T 5/9 p 1/18+ε Here T is the multiplicative order of e modulo G. Remarks: ( ) There are no non-trivial bound on discrepancy even of x(e n G) p, x(en+1 G) p! Except for some trivial examples, e.g. e = 2. László Mérai (Budapest) On the elliptic curve power generator / 16
24 Elliptic curve power generator, EC-PG Discrepancy bound: Main result: Let u n = f (en G) p Then for an f F p (E). D 1 (N) deg f N 2/3 T 5/9 p 1/18+ε László Mérai (Budapest) On the elliptic curve power generator / 16
25 Elliptic curve power generator, EC-PG Discrepancy bound: Main result: Let u n = f (en G) p Then for an f F p (E). D 1 (N) deg f N 2/3 T 5/9 p 1/18+ε Remarks: ( ) Discrepancy bound on f (e n G) p, f (en+1 G) p,..., f (en+s 1 G) p can be also given just small e: D s (N) deg f e 2(s 1) N 2/3 T 5/9 p 1/18+ε László Mérai (Budapest) On the elliptic curve power generator / 16
26 Exponential sums over elliptic curves The discrepancy bounds immediately follow from exponential sum estimates. Kohel, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If f is not constant, then ψ(f (Q)) 2 deg f q 1/2 Q H László Mérai (Budapest) On the elliptic curve power generator / 16
27 Exponential sums over elliptic curves The discrepancy bounds immediately follow from exponential sum estimates. Kohel, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If f is not constant, then ψ(f (Q)) 2 deg f q 1/2 Q H Lange, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If 1 d 1 < < d s D, then ( s ) ψ c i x(d i Q) s D 2 q 1/2 Q H i=1 László Mérai (Budapest) On the elliptic curve power generator / 16
28 Exponential sums over elliptic curves The discrepancy bounds immediately follow from exponential sum estimates. Kohel, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If f is not constant, then ψ(f (Q)) 2 deg f q 1/2 Q H Lange, Shparlinski: Let H E(F q) and ψ be an additive character of F q. If 1 d 1 < < d s D, then ( s ) ψ c i x(d i Q) s D 2 q 1/2 Q H i=1 Banks, Friedlander, Garaev, Shparlinski: Let Q E(F p) and e be an integer of order T modulo G, then N e p(x(e n Q)) N 1/3 T 5/9 p 1/18+ε n=1 László Mérai (Budapest) On the elliptic curve power generator / 16
29 Exponential sums over elliptic curves A new bound: Let H E(F q ), ψ be an additive character of F q. If f F q (E) is not constant and 1 d 1 < < d s D, then ( s ) ψ c i f (d i Q) s deg f D 2 q 1/2 Q H i=1 László Mérai (Budapest) On the elliptic curve power generator / 16
30 Exponential sums over elliptic curves Let F (Q) = s c i f (d i Q) i=1 László Mérai (Budapest) On the elliptic curve power generator / 16
31 Exponential sums over elliptic curves Let F (Q) = s c i f (d i Q) i=1 In order to prove the theorem it is enough to show: F(Q) is not constant. It can be shown that there is at least one pole: László Mérai (Budapest) On the elliptic curve power generator / 16
32 Exponential sums over elliptic curves Let F (Q) = s c i f (d i Q) i=1 In order to prove the theorem it is enough to show: F(Q) is not constant. It can be shown that there is at least one pole: deg F s deg f D 2 László Mérai (Budapest) On the elliptic curve power generator / 16
33 Exponential sums over elliptic curves Let F (Q) = s c i f (d i Q) i=1 In order to prove the theorem it is enough to show: F(Q) is not constant. It can be shown that there is at least one pole: We can order the poles of f (d i Q) by their orders, and there is an (almost) unique maximum element. deg F s deg f D 2 László Mérai (Budapest) On the elliptic curve power generator / 16
34 Thank you! László Mérai (Budapest) On the elliptic curve power generator / 16
Construction of pseudorandom binary lattices using elliptic curves
Construction of pseudorandom binary lattices using elliptic curves László Mérai Abstract In an earlier paper Hubert, Mauduit and Sárközy introduced and studied the notion of pseudorandomness of binary
More informationElliptic Curve DRNGs. Çetin Kaya Koç Winter / 19
Elliptic Curve DRNGs Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 19 Elliptic Curve DRNGs There are three existing proposals Linear Congruential Generator Power Generator
More informationTrue & Deterministic Random Number Generators
True & Deterministic Random Number Generators Çetin Kaya Koç http://cs.ucsb.edu/~koc koc@cs.ucsb.edu 1.0 0.5 1.0 0.5 0.5 1.0 0.5 1.0 Koç (http://cs.ucsb.edu/~koc) HRL RNG April 11, 2013 1 / 47 Random Numbers
More informationElliptic Curve DRNGs. Çetin Kaya Koç Winter / 21
Elliptic Curve DRNGs http://koclab.org Çetin Kaya Koç Winter 2017 1 / 21 Elliptic Curve DRNGs Linear Congruential Generator Power Generator Naor-Reingold Generator Dual EC RNG http://koclab.org Çetin Kaya
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationAnalysis of pseudorandom sequences
Eötvös Loránd University, Budapest, Hungary Department of Computer Algebra Summer School on Real-world Crypto and Privacy June 5 9, 2017 Sibenik, Croatia Introduction New, constructive approach - definitions
More informationPseudorandom Sequences II: Exponential Sums and Uniform Distribution
Pseudorandom Sequences II: Exponential Sums and Uniform Distribution Arne Winterhof Austrian Academy of Sciences Johann Radon Institute for Computational and Applied Mathematics Linz Carleton University
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationGroup Structure of Elliptic Curves over Finite Fields
Group Structure of Elliptic Curves over Finite Fields Igor E. Shparlinski Macquarie University 2 Introduction Notation IF q = finite field of q elements. An elliptic curve IE is given by a Weierstraß equation
More informationOn the elliptic curve analogue of the sum-product problem
Finite Fields and Their Applications 14 (2008) 721 726 http://www.elsevier.com/locate/ffa On the elliptic curve analogue of the sum-product problem Igor Shparlinski Department of Computing, Macuarie University,
More informationSum-Product Problem: New Generalisations and Applications
Sum-Product Problem: New Generalisations and Applications Igor E. Shparlinski Macquarie University ENS, Chaire France Telecom pour la sécurité des réseaux de télécommunications igor@comp.mq.edu.au 1 Background
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationA Complexity Measure for Families of Binary Sequences
A Complexity Measure for Families of Binary Sequences Rudolf Ahlswede and Levon H. Khachatrian Fakultät für Mathematik, Universität Bielefeld Postfach 100131, D 33501 Bielefeld, Germany, e-mail: ahlswede@mathematik.uni-bielefeld.de
More informationarxiv: v1 [math.nt] 15 Aug 2017
Sidon sets and statistics of the ElGamal function arxiv:1708.04395v1 [math.nt] 15 Aug 2017 Lucas Boppré Niehues, Joachim von zur Gathen, Lucas Pandolfo Perin, Ana Zumalacárregui October 14, 2018 Abstract
More informationSummation polynomials and the discrete logarithm problem on elliptic curves
Summation polynomials and the discrete logarithm problem on elliptic curves Igor Semaev Department of Mathematics University of Leuven,Celestijnenlaan 200B 3001 Heverlee,Belgium Igor.Semaev@wis.kuleuven.ac.be
More informationElliptic Curves: Theory and Application
s Phillips Exeter Academy Dec. 5th, 2018 Why Elliptic Curves Matter The study of elliptic curves has always been of deep interest, with focus on the points on an elliptic curve with coe cients in certain
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationPREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS
PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS JAIME GUTIERREZ, ÁLVAR IBEAS, DOMINGO GÓMEZ-PEREZ, AND IGOR E. SHPARLINSKI Abstract. We study the security of the linear generator
More informationPseudorandom Sequences I: Linear Complexity and Related Measures
Pseudorandom Sequences I: Linear Complexity and Related Measures Arne Winterhof Austrian Academy of Sciences Johann Radon Institute for Computational and Applied Mathematics Linz Carleton University 2010
More informationIntroduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016
Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication
More informationOn the Fractional Parts of a n /n
On the Fractional Parts of a n /n Javier Cilleruelo Instituto de Ciencias Matemáticas CSIC-UAM-UC3M-UCM and Universidad Autónoma de Madrid 28049-Madrid, Spain franciscojavier.cilleruelo@uam.es Angel Kumchev
More informationDouble character sums over elliptic curves and finite fields
Double character sums over elliptic curves and finite fields William D. Banks Department of Mathematics University of Missouri Columbia, MO 65211, USA bbanks@math.missouri.edu John B. Friedlander Department
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationThe cross-correlation measure for families of binary sequences
The cross-correlation measure for families of binary sequences Katalin Gyarmati Eötvös Loránd University Department of Algebra and Number Theory and MTA-ELTE Geometric and Algebraic Combinatorics Research
More informationNON-LINEAR COMPLEXITY OF THE NAOR REINGOLD PSEUDO-RANDOM FUNCTION
NON-LINEAR COMPLEXITY OF THE NAOR REINGOLD PSEUDO-RANDOM FUNCTION William D. Banks 1, Frances Griffin 2, Daniel Lieman 3, Igor E. Shparlinski 4 1 Department of Mathematics, University of Missouri Columbia,
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More informationCharacter sums with Beatty sequences on Burgess-type intervals
Character sums with Beatty sequences on Burgess-type intervals William D. Banks Department of Mathematics University of Missouri Columbia, MO 65211 USA bbanks@math.missouri.edu Igor E. Shparlinski Department
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationOn the Distribution of the Subset Sum Pseudorandom Number Generator on Elliptic Curves
On the Distribution of the Subset Sum Pseudorandom Number Generator on Elliptic Curves Simon R. Blacburn Department of Mathematics Royal Holloway University of London Egham, Surrey, TW20 0EX, UK s.blacburn@rhul.ac.u
More informationA Digital Signature Scheme based on two hard problems
A Digital Signature Scheme based on two hard problems Dimitrios Poulakis and Robert Rolland Abstract In this paper we propose a signature scheme based on two intractable problems, namely the integer factorization
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationChapter 10 Elliptic Curves in Cryptography
Chapter 10 Elliptic Curves in Cryptography February 15, 2010 10 Elliptic Curves (ECs) can be used as an alternative to modular arithmetic in all applications based on the Discrete Logarithm (DL) problem.
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationTwo-sources Randomness Extractors for Elliptic Curves
Two-sources Randomness Extractors for Elliptic Curves Abdoul Aziz Ciss Laboratoire de Traitement de l Information et Systèmes Intelligents, École Polytechnique de Thiès, Sénégal aaciss@ept.sn Abstract.
More informationCounting points on elliptic curves over F q
Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 p.2 Motivation Given an elliptic curve E over a finite
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationAitken and Neville Inverse Interpolation Methods over Finite Fields
Appl. Num. Anal. Comp. Math. 2, No. 1, 100 107 (2005) / DOI 10.1002/anac.200410027 Aitken and Neville Inverse Interpolation Methods over Finite Fields E.C. Laskari 1,3, G.C. Meletiou 2,3, and M.N. Vrahatis
More informationIncomplete exponential sums over finite fields and their applications to new inversive pseudorandom number generators
ACTA ARITHMETICA XCIII.4 (2000 Incomplete exponential sums over finite fields and their applications to new inversive pseudorandom number generators by Harald Niederreiter and Arne Winterhof (Wien 1. Introduction.
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationOn the Bit Security of Elliptic Curve Diffie Hellman
On the Bit Security of Elliptic Curve Diffie Hellman Barak Shani Department of Mathematics, University of Auckland, New Zealand Abstract This paper gives the first bit security result for the elliptic
More informationAn Introduction to Elliptic Curve Cryptography
Harald Baier An Introduction to Elliptic Curve Cryptography / Summer term 2013 1/22 An Introduction to Elliptic Curve Cryptography Harald Baier Hochschule Darmstadt, CASED, da/sec Summer term 2013 Harald
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationIsogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem
Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Chloe Martindale 26th January, 2018 These notes are from a talk given in the Séminaire Géométrie et algèbre effectives
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationNumber Theory in Cryptology
Number Theory in Cryptology Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur October 15, 2011 What is Number Theory? Theory of natural numbers N = {1,
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More information= (, ) V λ (1) λ λ ( + + ) P = [ ( ), (1)] ( ) ( ) = ( ) ( ) ( 0 ) ( 0 ) = ( 0 ) ( 0 ) 0 ( 0 ) ( ( 0 )) ( ( 0 )) = ( ( 0 )) ( ( 0 )) ( + ( 0 )) ( + ( 0 )) = ( + ( 0 )) ( ( 0 )) P V V V V V P V P V V V
More informationThe Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem
The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem Qi Cheng and Shigenori Uchiyama April 22, 2003 Abstract In this paper, we propose an algorithm to solve the Decisional Diffie-Hellman
More informationPoints of High Order on Elliptic Curves ECDSA
! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationMath/Mthe 418/818. Review Questions
Math/Mthe 418/818 Review Questions 1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)). 2. Can φ(n) be computed in polynomial
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationElliptic Curve Cryptosystems
Elliptic Curve Cryptosystems Santiago Paiva santiago.paiva@mail.mcgill.ca McGill University April 25th, 2013 Abstract The application of elliptic curves in the field of cryptography has significantly improved
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationPossible Group Structures of Elliptic Curves over Finite Fields
Possible Group Structures of Elliptic Curves over Finite Fields Igor Shparlinski (Sydney) Joint work with: Bill Banks (Columbia-Missouri) Francesco Pappalardi (Roma) Reza Rezaeian Farashahi (Sydney) 1
More informationThe point decomposition problem in Jacobian varieties
The point decomposition problem in Jacobian varieties Jean-Charles Faugère2, Alexandre Wallet1,2 1 2 ENS Lyon, Laboratoire LIP, Equipe AriC UPMC Univ Paris 96, CNRS, INRIA, LIP6, Equipe PolSys 1 / 19 1
More informationDiscrete mathematics I - Number theory
Discrete mathematics I - Number theory Emil Vatai (based on hungarian slides by László Mérai) 1 January 31, 2018 1 Financed from the financial support ELTE won from the Higher Education
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationInferring Sequences Produced by a Linear Congruential Generator on Elliptic Curves Using Coppersmith s Methods
Inferring Sequences Produced by a Linear Congruential Generator on Elliptic Curves Using Coppersmith s Methods Thierry Mefenza To cite this version: Thierry Mefenza. Inferring Sequences Produced by a Linear
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationExponential and character sums with Mersenne numbers
Exponential and character sums with Mersenne numbers William D. Banks Dept. of Mathematics, University of Missouri Columbia, MO 652, USA bankswd@missouri.edu John B. Friedlander Dept. of Mathematics, University
More informationAte Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More informationOn the missing values of n! mod p
On the missing values of n! mod p Kevin A. Broughan and A. Ross Barnett University of Waikato, Hamilton, New Zealand Version: 15th Jan 2009 E-mail: kab@waikato.ac.nz, arbus@math.waikato.ac.nz We show that
More informationJUST THE MATHS UNIT NUMBER 1.4. ALGEBRA 4 (Logarithms) A.J.Hobson
JUST THE MATHS UNIT NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common logarithms 1.4.2 Logarithms in general 1.4.3 Useful Results 1.4.4 Properties of logarithms 1.4.5 Natural logarithms 1.4.6
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationRandom Number Generators
1/18 Random Number Generators Professor Karl Sigman Columbia University Department of IEOR New York City USA 2/18 Introduction Your computer generates" numbers U 1, U 2, U 3,... that are considered independent
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More information8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationRandomness and Complexity of Sequences over Finite Fields. Harald Niederreiter, FAMS. RICAM Linz and University of Salzburg (Austria)
Randomness and Complexity of Sequences over Finite Fields Harald Niederreiter, FAMS RICAM Linz and University of Salzburg (Austria) Introduction A hierarchy of complexities Complexity and random sequences
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationCalcul d indice et courbes algébriques : de meilleures récoltes
Calcul d indice et courbes algébriques : de meilleures récoltes Alexandre Wallet ENS de Lyon, Laboratoire LIP, Equipe AriC Alexandre Wallet De meilleures récoltes dans le calcul d indice 1 / 35 Today:
More informationMeasures of pseudorandomness of binary lattices, III. (Q k, correlation, normality, minimal values.) Dedicated to the memory of Edmund Hlawka
Measures of pseudorandomness of binary lattices, III. (Q k, correlation, normality, minimal values.) Dedicated to the memory of Edmund Hlawka Katalin Gyarmati Eötvös Loránd University Department of Algebra
More informationSecure Bilinear Diffie-Hellman Bits
Secure Bilinear Diffie-Hellman Bits Steven D. Galbraith 1, Herbie J. Hopkins 1, and Igor E. Shparlinski 2 1 Mathematics Department, Royal Holloway University of London Egham, Surrey, TW20 0EX, UK Steven.Galbraith@rhul.ac.uk,
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationElliptic Curves Spring 2013 Lecture #8 03/05/2013
18.783 Elliptic Curves Spring 2013 Lecture #8 03/05/2013 8.1 Point counting We now consider the problem of determining the number of points on an elliptic curve E over a finite field F q. The most naïve
More informationCongruent number elliptic curves of high rank
Michaela Klopf, BSc Congruent number elliptic curves of high rank MASTER S THESIS to achieve the university degree of Diplom-Ingenieurin Master s degree programme: Mathematical Computer Science submitted
More informationRecovering Private Keys Generated With Weak PRNGs
Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C2 2014 Jean-Christophe Zapalowicz
More informationComputing the image of Galois
Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25 Elliptic curves Let E be an elliptic
More informationCryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1
Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:
More information