Number Theory in Cryptology

Transcription

1 Number Theory in Cryptology Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur October 15, 2011

2 What is Number Theory? Theory of natural numbers N = {1, 2, 3,...}. Uses larger algebraic structures Z, Q, R, C. Modular arithmetic: Z n = {0, 1, 2,...,n 1}. Finite fields: F p n, p P, n N. Elliptic curves: Arithmetic algebraic geometry. Algebraic number theory: Study of number fields and number rings. Analytic number theory: Use of complex analysis tools. All these are extensively used in cryptography and cryptanalysis.

3 Uses in Cryptology: Examples Modular arithmetic: RSA, ElGamal, Rabin and many other cryptosystems. Finite fields: Diffie-Hellman key agreement, ElGamal, DSA. Elliptic curves: ECDSA. Pairing on elliptic curves: Identity-based cryptosystems, multi-party key agreement, short signature schemes. Algebraic number theory: Number-field sieve method. Analytic number theory: Density estimates (like prime number theorem, Riemann hypothesis).

4 Modular Arithmetic Modulus n N, n 2. Z n = {0, 1, 2,...,n 1}. Arithmetic in Z n : { a + b if a + b < n Addition: a + n b = a + b n otherwise { a b if a b Subtraction: a n b = a b + n otherwise Multiplication: a n b = (ab) rem n. Division: a is invertible modulo n if and only if gcd(a, n) = 1. Extended gcd calculation: ua + vn = gcd(a, n) for some integers u, v. If gcd(a, n) = 1, u as the inverse of a modulo n.

5 Modular Exponentiation To compute a e (mod n) Binary expansion: e = (e s 1 e s 2... e 1 e 0 ) 2. Initialize t = 1. For i = s 1, s 2,...,1, 0 do: Set t = t 2 (mod n). If e i = 1, set t = ta (mod n). Return t.

6 The Multiplicative Group of Z n Z n = {a Z n gcd(a, n) = 1}. Euler-phi function: φ(n) = Z n. If n = p e 1 1 pe 2 2 pe k k, then φ(n) = p e (p 1 1)p e (p 2 1) p e k 1 k (p k 1) = n p P p n ( 1 1 ). p Z n is cyclic if and only if n = 2, 4, p e, 2p e with p P, p 2, and e N. Special case: n = p P. Z p is a field. Z p = {1, 2,...,p 1}. φ(p) = p 1. Z p is cyclic.

7 Finite Fields Every finite field is of size p n for p P, n N. For q = p n, denote F q = F p n to be the finite field of size q. If the extension degree n is 1, F p = Z p. If n > 1, F p n Z p n. Polynomial-basis representation: Choose an irreducible polynomial f(x) F p [x] of degree n. Elements of F p n are represented as polynomials: F p n = {a 0 + a 1 x + a 2 x a n 1 x n 1 a i F p }. Arithmetic operations in F p n: polynomial operations modulo f(x). Extensions of extensions: Let q = p n and m N. F q m = {α 0 + α 1 y + α 2 y α m 1 y m 1 α i F p n}. Arithmetic in F q m is the polynomial arithmetic of F q [y] modulo an irreducible polynomial g(y) F q [y] of degree m.

8 Some Properties of Finite Fields F q = F q \ {0} is cyclic. There are φ(q 1) generators of F q. Fermat s little theorem: α q 1 = 1 for all α F q. β q = β for all β F q. Multiplicative order: Let α F q. The smallest positive integer h satisfying α h = 1 is the order of α, denoted h = ord(α). ord(α) (q 1).

9 Elliptic Curves Let K be a field. An elliptic curve E over K is defined by the Weierstrass equation: E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6, a i K. The curve should be smooth (no singularities). Special forms char K 2, 3: y 2 = x 3 + ax + b, a, b K. char K 2: y 2 = x 3 + b 2 x 2 + b 4 x + b 6, b i K. char K = 2: Non-supersingular curve: y 2 + xy = x 3 + ax 2 + b, a, b K. Supersingular curve: y 2 + ay = x 3 + bx + c, a, b, c K.

10 Real Elliptic Curves: Example y y x x (a) y 2 = x 3 x + 1 (b) y 2 = x 3 x

11 The Elliptic Curve Group Any (x, y) K 2 satisfying the equation of an elliptic curve E is called a K-rational point on E. Point at infinity: There is a single point at infinity on E, denoted by O. This point cannot be visualized in the two-dimensional (x, y) plane. The point exists in the projective plane. E(K) is the set of all finite K-rational points on E and the point at infinity. An additive group structure can be defined on E(K). O acts as the identity of the group.

12 The Opposite of a Point P Ordinary Points Q P Special Points Q P Q P Q (a) (b)

13 Addition of Two Points Chord and tangent rule Q R R Q P P P+Q (a) P+Q (b)

14 Doubling of a Point Chord and tangent rule 2P P R R P 2P (a) (b)

15 Addition and Doubling Formulas Let P = (h 1, k 1 ) and Q = (h 2, k 2 ) be finite points. Assume that P + Q O and 2P O. Let P + Q = (h 3, k 3 ) (Note that P + Q = 2P if P = Q). E : y 2 = x 3 + ax + b P = (h 1, k 1 ) h 3 = λ 2 h 1 h 2 k 3 = λ(h 1 h 3 ) k 1, where k 2 k 1 h 2 h, if P Q, 1 λ = 3h a 2k 1, if P = Q.

16 Addition and Doubling in Non-supersingular Curves E : y 2 + xy = x 3 + ax 2 + b (with char K = 2). P = (h 1, k 1 + h 1 ), ( ) k1 + k 2 2 h 1 + h + k 1 + k 2 2 h 1 + h + h 1 + h 2 + a, if P Q, 2 h 3 = h b h 2, if P = Q, 1 ( ) k1 + k 2 h 1 + h (h 1 + h 3 ) + h 3 + k 1, if P Q, 2 k 3 = h 2 1 (h k ) 1 h + 1 h 3, if P = Q. 1

17 Addition and Doubling in Supersingular Curves E : y 2 + ay = x 3 + bx + c (with char K = 2). P = (h 1, k 1 + a), ( ) k1 + k 2 2 h 1 + h + h1 + h 2, if P Q, 2 h 3 = h b 2 a 2, if P = Q, ( ) k1 + k 2 h 1 + h (h 1 + h 3 ) + k 1 + a, if P Q, 2 k 3 = ( ) h b a (h 1 + h 3 ) + k 1 + a, if P = Q.

18 Size of the Elliptic Curve Group Let E be an elliptic curve defined over F q = F p n. Hasse s Theorem: E(F q ) = q + 1 t, where 2 q t 2 q. t is called the trace of Frobenius at q. If t = 1, then E is called anomalous. If p t, then E is called supersingular. If p t, then E is called non-supersingular. Let α, β C satisfy 1 tx + qx 2 = (1 αx)(1 βx). Then, E(F q m) = q m + 1 (α m + β m ). Note: E(F q ) is not necessarily cyclic.

19 Formal Sums and Free Abelian Groups Let a i, i I, be symbols indexed by I. A finite formal sum of a i, i I, is an expression of the form i I m i a i with m i Z such that m i = 0 except for only finitely many i I. The sum i I m i a i is formal in the sense that the symbols a i are not meant to be evaluated. They act as placeholders. Define i I m i a i + i I n i a i = i I (m i + n i )a i Also define i I m i a i = i I ( m i )a i The set of all finite formal sums is an Abelian group called the free Abelian group generated by a i, i I.

20 Divisors on Curves Let C be a projective curve defined over K. K is assumed to be algebraically closed. A divisor is a formal sum of the K-rational points on C. Notation: D = P m P[P]. The support of D is the set of points P for which m P 0. The degree of D is the sum P m P. All divisors on C form a group denoted by Div K (C) or Div(C). All divisors on C of degree 0 form a subgroup denoted by Div 0 K (C) or Div 0 (C). Divisor of a rational function R(x, y) is Div(R) = P ord P(R)[P]. A principal divisor is the divisor of a rational function. Principal divisors satisfy: Div(R) + Div(S) = Div(RS) and Div(R) Div(S) = Div(R/S).

21 Divisor of a line: Example Q l R P t Q P v P Q (a) (b) (c) (a) Div(l) = [P] + [Q] + [R] 3[O]. (b) Div(t) = 2[P] + [Q] 3[O]. (c) Div(v) = [P] + [Q] 2[O].

22 Divisors and the Chord-and-Tangent Rule Let C be an elliptic curve over an algebraically closed field K. For every D Div 0 K (C), there exist a unique rational point P and a rational function R such that D = [P] [O] + Div(R). D is identified with [P] [O]. This bijection leads to the chord-and-tangent rule in the following sense: Let D = P m P[P] Div K (C). Then, D is a principal divisor if and only if P m P = 0 (integer sum), and p m PP = O (sum under the chord-and-tangent rule).

23 Illustrations of the Chord-and-Tangent Rule Q t v Q l R P P P Q (a) (b) (c) Identity: O is identified with [O] [O] = 0 = Div(1). Opposite: By Part (c), Div(v) = ([P] [O]) + ([Q] [O]) is 0. By the correspondence, P + Q = O, that is, Q = P. Sum: By Part (a), Div(l) = ([P] [O]) + ([Q] [O]) + ([R] [O]) is 0, that is, P + Q + R = O, that is, P + Q = R. Double: By Part (b), Div(t) = ([P] [O]) + ([P] [O]) + ([Q] [O]) is 0, that is, P + P + Q = O, that is, 2P = Q.

24 More on Divisors P Q R R Div(L P,Q ) = [P] + [Q] + [R] 3[O]. Div(L R, R ) = [R] + [ R] 2[O]. Div(L P,Q /L R, R ) = [P] + [Q] [ R] [O] = [P] + [Q] [P + Q] [O]. [P] [O] is equivalent to [P + Q] [Q]. ([P] [O]) + ([Q] [O]) is equivalent to [P + Q] [O]. For both these cases of equivalence, the pertinent rational function is L P,Q /L P+Q, (P+Q) which can be easily computed. We can force this rational function to have leading coefficient 1.

25 More on Divisors (contd) Let D = P n P[P] be divisor on E and f K(E) a rational function such that the supports of D and Div(f) are disjoint. Define f(d) = P E f(p) n P = P Supp(D) f(p) n P. Div(f) = Div(g) if and only if f = cg for some non-zero constant c K. If D has degree 0, then f(d) = g(d) P cn P = g(d)c P P n P = g(d)c 0 = g(d). Weil reciprocity theorem: If f and g are two non-zero rational functions on E such that Div(f) and Div(g) have disjoint supports, then f(div(g)) = g(div(f)).

26 Weil Pairing: Definition Let E be an elliptic curve defined over a finite field K = F q. Take a positive integer m coprime to p = char K. Let µ m denote the m-th roots of unity in K. We have µ m F q k, where k = ord m (q) is called the embedding degree. Let E[m] be those points in E = E K, whose orders divide m. Weil pairing is a function defined as follows. Take P 1, P 2 E[m]. e m : E[m] E[m] µ m Let D 1 be a divisor equivalent to [P 1 ] [O]. Since mp 1 = O, there exists a rational function f 1 such that Div(f 1 ) = md 1 = m[p 1 ] m[o]. Similarly, let D 2 be a divisor equivalent to [P 2 ] [O]. There exists a rational function f 2 such that Div(f 2 ) = md 2 = m[p 2 ] m[o]. D 1 and D 2 are chosen to have disjoint supports. Define e m (P 1, P 2 ) = f 1 (D 2 )/f 2 (D 1 ).

27 Properties of Weil Pairing Let P, Q, R be arbitrary points in E[m]. Bilinearity: e m (P + Q, R) = e m (P, R)e m (Q, R), e m (P, Q + R) = e m (P, Q)e m (P, R). Alternating: e m (P, P) = 1. Skew symmetry: e m (Q, P) = e m (P, Q) 1. Non-degeneracy: If P O, then e m (P, Q) 1 for some Q E[m]. Compatibility: If S E[mn] and Q E[n], then e mn (S, Q) = e n (ms, Q). If m is a prime and P O, then e m (P, Q) = 1 if and only if Q lies in the subgroup generated by P (that is, Q = ap for some integer a).

28 Computing Weil Pairing: The Functions f n,p Let P E. For n Z, define the rational functions f n,p as having the divisor Div(f n,p ) = n[p] [np] (n 1)[O]. f n,p are unique up to multiplication by elements of K. We may choose the unique monic polynomial for f n,p. f n,p satisfy the recurrence relation: f 0,P = f 1,P ( = 1, f n+1,p = L P,nP L (n+1)p, (n+1)p f n,p = 1 f n,p for n 1. ) f n,p for n 1, If P E[m], then Div(f m,p ) = m[p] [mp] (m 1)[O] = m[p] m[o]. Computing f m,p using the above recursive formula is too inefficient.

29 Computing Weil Pairing: More about f n,p The rational functions f n,p also satisfy ( f n+n,p = f n,p f n,p In particular, for n = n, we have f 2n,P = f 2 n,p L np,n P L (n+n )P, (n+n )P ( LnP,nP L 2nP, 2nP Here, L np,np is the line tangent to E at the point np. This and the recursive expression of f n+1,p in terms of f n,p yield a repeated double-and-add algorithm. ). The function f n,p is usually kept in the factored form. It is often not necessary to compute f n,p explicitly. The value of f n,p at some point Q is only needed. ).

30 Miller s Algorithm for Computing f n,p Input: A point P E and a positive integer n. Output: The rational function f n,p. Steps Let n = (n s n s 1... n 1 n 0 ) 2 be the binary representation of n with n s = 1. Initialize f = 1 and U = P. For i = s 1, s 2,...,1, 0, do the following: Return f. /* Doubling */ Update f = f 2 ( ) LU,U L 2U, 2U /* Conditional adding */ ( If (n i = 1), update f = f and U = 2U. ) L U,P L U+P, (U+P) and U = U + P. Note: One may supply a point Q E and wish to compute the value f n,p (Q) (instead of the function f n,p ). In that case, the functions L U,U /L 2U, 2U and L U,P /L U+P, (U+P) should be evaluated at Q before multiplication with f.

31 Weil Pairing and the Functions f n,p Let P 1, P 2 E[m], and we want to compute e m (P 1, P 2 ). Choose a point T not equal to ±P 1, P 2, P 2 P 1, O. We have e m (P 1, P 2 ) = f m,p 2 (T) f m,p1 (P 2 T) f m,p1 ( T) f m,p2 (P 1 + T). If P 1 P 2, then we also have e m (P 1, P 2 ) = ( 1) m f m,p 1 (P 2 ) f m,p2 (P 1 ). Miller s algorithm for computing f n,p (Q) can be used. All these invocations of Miller s algorithm have n = m. So a single double-and-add loop suffices. For efficiency, one may avoid the division operations in Miller s loop by separately maintaining polynomial expressions for the numerator and the denominator of f. After the loop terminates, a single division is made.

32 Some Intractable Number-theoretic Problems of Cryptographic Significance Integer factorization problem (IFP): Given a composite integer n with unknown prime divisors, factor n. Square root problem (SQRTP): Given a composite integer n with unknown factorization, and a modular square a Z n, compute x Z n such that x 2 a (mod n). Discrete logarithm problem (DLP): Let G be a finite cyclic group generated by g. Given a G, find x such that g = a x in G. Diffie-Hellman problem (DHP): Let G be a finite cyclic group generated by g. Given g x, g y G (but not x or y), compute g xy in G. DLP and DHP apply to many number-theoretic groups like F q and E(F q ). Bilinear Diffie-Hellman problem (BDHP): Let e : G G G be a pairing map. Given P, ap, bp, cp G only, compute e(p, P) abc G.

33 Cryptanalysis: Factoring Integers Exponential algorithms Trial division Pollard rho method Pollard p 1 method Williams p + 1 method Sub-exponential algorithms CFRAC method Dixon s method Quadratic sieve method Cubic sieve method L(n, ω, c) = exp [ (c + o(1))(ln n) ω (ln ln n) 1 ω] Elliptic curve method Number-field sieve method

34 The Number-field Sieve Method Based on Fermat s method of squares: Compute a, b with a 2 b 2 (mod n) and a ±b (mod n). In this case, gcd(a b, n) is a non-trivial factor of n. Choose an irreducible polynomial f(x) Q[x] and a positive integer H such that f(h) is a small multiple of n. Let d = deg f(x). Define the number field K = Q[x]/ f(x) = {g(x) Q[x] deg g(x) d 1}. Arithmetic in K is the polynomial arithmetic of Q[x] modulo f(x). Let O K be the ring of integers in K. Assume that O K supports element-wise unique factorization. Consider the map Φ : O K Z n taking x H. Relation: Let Φ(α 1 )Φ(α 2 ) Φ(α k ) t i=1 pe i i (mod n). Combine many relations to obtain a 2 b 2 (mod n).

35 Questions? In mathematics you don t understand things. You just get used to them. John von Neumann Some Recommended Textbooks Das, Computational Number Theory, CRC, 2012 (?). Das and Veni Madhavan, Public-key Cryptography: Theory and Practice, Pearson, Zuckerman, Montgomery, Niven and Niven, An Introduction to the Theory of Numbers, Wiley, Bressoud, Factorization and Primality Testing, Springer UTM, Cohen, A Course in Computational Algebraic Number Theory, Springer GTM, Crandall and Pomerance, Prime Numbers: A Computational Perspective, Springer, Enge, Elliptic Curves and Their Applications to Cryptography, Kluwer, Blake, Seroussi and Smart, Advances in Elliptic Curve Cryptography, Cambridge, Charlap and Robbins, An Elementary Introduction to Elliptic Curves, CRD Report, Martin, Introduction to Identity-Based Encryption, Artech House, Mollin, Fundamental Number Theory with Applications, CRC, Mollin, Algebraic Number Theory, CRC, 1999.