Definition of a finite group

Transcription

1 Elliptic curves

2 Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e * a = a. 4. For each a in G there is a b in G with a * b = b * a = e. 5. For all a, b and c in G, (a * b) * c = a * (b * c). The element e in 3 above is the identity element of the group (G, * ). 2

3 Order of a group The number of elements of a finite group (G, * ) is denoted by the symbol G, and is said to be the order of the group. For a finite group (G, * ) it can be computationally difficult to compute the order, G, of the group. 3

4 Subgroup Let (G, * ) be a group. If H is a subset of G and (H, * ) is also a group, then (H, * ) is said to be a subgroup of (G, * ). Theorem: If (H, * ) is a finite group and if H is a subset of G such that H is nonempty and for any a and b in H, also a * b is in H. Then (H, * ) is a subgroup of (G, * ). 4 Theorem(Lagrange): If (G, * ) is a finite group and if (H, * ) is a subgroup of (G, * ), then H is a factor of G.

5 Abelian group and cyclic group (G, * ) is an Abelian group if it is a group and for each a and b in G, a * b = b * a. If it exists, the least n such that a n = e is called the order of a in G. For an element a of order n of the finite group (G, * ), let <a> denote the set {a i :i=0,1,2,,n-1}. Then <a> is a subgroup of G, generated by the element a of G, and is said to be the cyclic subgroup of G generated by a. The element a is called a generator of <a>. 5

6 Finite fields (F,+, * ) is a field if: (F,+) is an abelian group with (additive) identity denoted by 0. (F\{0}, * ) is an abelian group with (muliplicative) identity denoted by 1. The distributive law holds Theorem. There exists a finite field F of order q iff q=p m where p is prime and m is positive integer. The prime p is called a characteristic of F. If m=1, F is called a prime field. If m>1, then F is called an extension field. 6

7 Mod and reduction mod Modulo operation: a mod p b if p (b-a). Z p ={0,1,2,,p-1}. Reduction modulo p: a mod p = r where r [0,p-1] is the remainder obtained upon dividing a by p. 7

8 Prime fields Addition: If a,b Z p, then a + p b = r in Z p where r [0,p-1] is the remainder when the integer a+b is divided by p. Multiplication: If a,b Z p, then a o p b = r in Z p where r [0,p-1] is the remainder when the integer a b is divided by p. Prime field: F p =(Z p,+ p,o p ) 8

9 The finite field F 2 m F 2 m ={a m 1 x m 1 +a m-2 x m 2 + +a 2 x 2 +a 1 x +a 0 : a i {0,1}} Addition in F 2 m: Usual addition of polynomials, with coefficients in F 2 m: Arithmetic performed modulo 2. Multiplication in F 2 m: Usual multiplication of polynomials and then division by a fixed irreducible polynomial f(x) of degree m. 9

10 Further readings Fast algorithms for performing the reduction modulo operation and modular multiplication: Barrett reduction algorithm [1] Montgomery multiplication algorithm [1] [1] D.Hankerson, A.Menezes and S.Vanstone, Guide to, (2004) 10

11 NIST primes The following primes are the NIST standards for EC over prime fields: p 192 = p 224 = p 256 = p 384 = p 521 =

12 Generalized Weierstrass equation An elliptic curve E over a field K is defined by an equation E: y 2 + Axy + By = x 3 + Cx 2 + Dx + F where A,B,C,D,F K. 12

13 Isomorphic Elliptic curves Two elliptic curves E 1 : y 2 + A 1 xy + B 1 y = x 3 + C 1 x 2 + D 1 x + F 1 E 2 : y 2 + A 2 xy + B 2 y = x 3 + C 2 x 2 + D 2 x + F 2 are isomorphic if there exist u,r,s,t K such that the change of the variables (x,y) (u 2 x + r,u 3 y + u 2 sx + t) transforms equation E 1 into equation E 2. 13

14 Isomorphic EC The following change of the variables (x,y) ( x-3a 2-12C, y-3ax A 3-4AC-12B ) transforms the elliptic curve E: y 2 + Axy + By = x 3 + Cx 2 + Dx + F into an elliptic curve y 2 = x 3 + ax + b where a,b K and K is a field with characteristic 2,3. 14

15 Further readings Isomorphic elliptic curves over fields with characteristic 2. Isomorphic elliptic curves over fields with characteristic 3. [1] D.Hankerson, A.Menezes and S.Vanstone, Guide to, (2004) 15

16 The elliptic curve y 2 =x 3 +Ax+B E(A,B)={(x,y): y 2 =x 3 +Ax+B} {Id} where A,B K such that 4A 3 +27B 2 0. and K is a finite field. Id point at infinity Geometric model of Elliptic curve y 2 =x 3 +Ax+B. 16

17 The group law in y 2 =x 3 +Ax+B Adding points P Q = R or just P + Q = R P R Q 17

18 The group law in y 2 =x 3 +Ax+B Adding points P Q= - P Problem: The vertical line through P and Q does not E(A,B) in a third point! Solution: P Q = Id or just P + Q = Id intersect 18

19 The group law in y 2 =x 3 +Ax+B Adding points to itself P 2P 19 P P or just 2P

20 The algebra of elliptic curves The addition law on E(A,B) has the following properties: P Id = Id P = P for all P in E(A,B). P (-P)=Id P (Q R)=(P Q) R P Q=Q P for all P in E(A,B). or all P, Q, R in E(A,B). for all P, Q in E(A,B). 20

21 The algebra of elliptic curves Theorem (E(A,B), )is an Abelian group. Note:For the generalized Weierstress equation this is no longer true. 21

22 Formulas for addition on E(A,B) Case 1: Let P(x 1,y 1 ) and Q(x 2,y 2 ) be two distinct points on E(A,B) with x 1 x 2 Let the line connecting P and Q be L: y = y 1 + m(x-x 1 ) Then the slope of L is given by m y x 2 2 y x P+Q = ( m 2 -x 1 -x 2, -y 1 +m(x 1 -x 3 ) )

23 Formulas for addition on E(A,B) Case 2: Let P(x 1,y 1 ) and Q(x 2,y 2 ) be two distinct points on E(A,B) with x 1 =x 2 Then P + Q = Q + P = Id. 23

24 Formulas for addition on E(A,B) Case 3: Let P(x 1,y 1 ) = Q(x 2,y 2 ) and y 1 0. The slope of the tangent line can be found by implicitly differentiating the equation y 2 = x 3 + Ax + B and substituting in the coordinates of P: 2 1 3x A m 2y 1 Then P + P = 2P = (m 2-2x 1,-y 1 +m(x 1 -m 2 +2x 1 )). 24

25 Formulas for addition in E(A,B) Case 4: Let P(x 1,y 1 )=Q(x 2,y 2 ) and y 1 =0. Then P+Q = 2P = Id. 25

26 Computing multiples of a point Double-and-Add method: Write k=k 0 +k 1 2+k k n 2 n with k 0,k 1,k 2,,k n in {0,1}. Then, kp = k 0 P+k 1 2P+k P+ +k n 2 n P where 2 n P= P requires only n doublings. 26

27 Order of E(F p ) It is clear that #E(F p ) [1,p 2 +1]. The following theorem gives better bounds for #E(F p ). Theorem(Hasse, 1922): For p 3 prime, p+1-2 p #E(F p ) p+1+2 p. Alternate formulation of Hasse s theorem: #E(F p )=p+1-t where t 2 p Remark: t is called the trace of E(F p ). 27

28 Order of E(F p n) Theorem(weil, 1949): Let E be defined over F p and #E(F p )=p+1-s and m is a positive integer. Decompose T 2 -st+p=(t-a)(t-b) over the complex numbers. Then #E(F p n)=p n +1-(a n -b n ). 28

29 Order of E(F q ) Theorem (Waterhouse, 1969). Let q=p n be a power of a prime p and N=q+1-t. There is an elliptic curve over F q with order N iff t 2 q and t satisfies one of the following: gcd(t,p)=1 n is even and t=2 q or t=-2 q n is even, p 1 mod 3 and t= q or t=- q n is odd, p=2 or 3 and t=p (n+1)/2 or t=-p (n+1)/2 n is even, p 1 mod 4 and t=0 n is odd and t=0. 29

30 Counting points on E(F q ) Baby Step Giant Step (Shanks,1971) Running time: O(q 1/4+ ) Schoof s algorithm (1985) Running time: O(log(q)) 30

31 Supersingular EC groups Def. An elliptic curve E defined over a field F q of characteristic p is called a supersingular if p t, where t is the trace. If p does not divide t, then E is called non-supersingular. Note: The DLP in supersingular elliptic curve can be reduced to the DLP in F p n. 31

32 Supersingular EC groups Theorem(Koblitz): The supersingular elliptic curve y 2 = x 3 y over F 2 n has order #E(F 2n ) = 2n + 1 if n is odd. 32

33 Supersingular EC groups Theorem: Let p>3 be a prime number. [1] If B=0 and p mod 4 = 3 then #E(A,B,p)=p+1 [2] If A=0 and p mod 3 = 2 then #E(A,B,p)=p+1 33 [1] B. Kaliski, A pseudo-random Bit Generator based on elliptic curves, CRYPTO 86. [2] V. Miller, Use of elliptic curves in cryptography, CRYPTO 85.

34 Anomalous curves Def. If the order #E(F q ) is equal to the characteristic p of F q, the elliptic curve is called an anomalous curve. Note: The anomalous curves are not secure for use in ECC. (Smart, 1999) 34

35 - advantages Computationally efficient public key cryptosystem Memory and power savings Highest security 35

36 NIST provides greater security and more efficient performance than the first generation public key Techniques (RSA and Diffie-Hellman) now in use. As vendors look to upgrade their systems they should seriously consider the elliptic curve alternative. For the computational and bandwidth advantages they offer at comparable security. The majority of public key systems in use today use 1024 bit parameters for RSA and Diffie-Hellman. The US National Institute for Standards and Technology has recommended that these 1024-bit systems are sufficient for use until After that, NIST recommends that they be upgraded to something providing more security. 36

37 NIST Recommended Key Sizes Symmetric Key Size (bits) RSA and Diffie-Hellman Key Size (bits) Elliptic Curve Key Size (bits)