Elliptic Curves and Cryptography
|
|
- Alvin Bradford
- 6 years ago
- Views:
Transcription
1 Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a rime greater than 3. Kee in mind, though, that ellitic curves can more generally be defined over any finite field. In articular, the "characteristic two finite fields" 2 m are of secial interest since they lead to the most efficient imlementation of the ellitic curve arithmetic. An ellitic curve E over Z is defined by an equation of the form (1) y 2 = x 3 + ax + b, where a,b Z, and 3 2 4a 27b 0 (mod ) +, together with a secial oint O, called the "oint at infinity". The set EZ ( ) consists of all oints (x, y), x Z, y Z, which satisfy the equation in equation (1), together with O. 1
2 For examle, let =23 and consider the ellitic curve E: y 2 =x 3 +x+1 defined over Z 23. (In the notation of equation (1), we have a =1 and b =1.) Note that 4a b 2 = 4+4 = 8 0, so E is indeed an ellitic curve. The oints in E( Z ) are O and those listed in Figure 1. Figure 1: Points on the ellitic curve y 2 = x 3 +x+1 over Z 23. There is a rule for adding two oints on an ellitic curve EZ ( ) to give a third ellitic curve oint. Together with this addition oeration, the set of oints EZ ( ) forms a grou with serving as its identity. It is this grou that is used in the construction of ellitic curve crytosystems. The addition rule, which can be exlained geometrically, is resented in Figure 2 as a sequence of algebraic formulae. 2
3 Figure 2: The addition rule. Examles of the addition rule are given in Figure 3. For historical reasons, the grou oeration for an ellitic curve EZ ( ) has been called "addition." By contrast, the grou * oeration in Z is "multilication." The differences in the resulting additive notation and multilicative notation can 3
4 sometimes be confusing. Table 1 shows the corresondence * between notation used for the two grous Z and ( ) E Z. Figure 3: Examles of ellitic curve addition on the curve y 2 =x 3 +x+1 over Z 23. 4
5 * Table 1: Corresondence between Z and E( Z ) notation 5
6 ECC Diffie-Hellman Illustrate here the ellitic curve analog of Diffie-Hellman key exchange, which is a close analogy given ellitic curve multilication equates to modulo exonentiation. can do key exchange analogous to D-H users select a suitable curve E q (a, b) select base oint G = (x 1, y 1 ) with large order n s.t. ng = O A & B select rivate keys n A <n, n B <n comute ublic keys: P A = n A G, P B = n B G comute shared key: K = n A P B, K = n B P A same since K =n A n B G Examle: = 211; E q (0,-4), y = x 4 ; and G = (2, 2), 240G = O. 2 3 A: Private key n A = 121, Public key P A = 121(2, 2) = (115, 48) B: Private key n B = 203, Public key P A = 203(2, 2) = (130, 203) Shared secret key: 121(130, 203) = 203(115, 48) = (161, 69). 6
7 Figure 4. ECC Diffie-Hellman 7
8 ECC Encrytion/Decrytion Several aroaches to encrytion/decrytion using ellitic curves have been analyzed in the literature. This one is an analog of the ElGamal ublic-key encrytion algorithm. The sender must first encode any message m as a oint on the ellitic curve P m (there are relatively straightforward techniques for this). Note that the cihertext is a air of oints on the ellitic curve. The sender masks the message using random k, but also sends along a clue allowing the receiver who know the rivate-key to recover k and hence the message. For an attacker to recover the message, the attacker would have to comute k given G and kg, which is assumed hard. 8
9 first encode any message m as a oint on the ellitic curve P m select suitable curve & oint G as in D-H A & B select rivate keys n A <n, n B <n comute ublic keys: P A = n A G, P B = n B G A encryts P m : C m ={kg, P m + kp B }, k: random ositive integer P B : B s ublic key B decryts C m comute: P m + kp B n B (kg) = P m + k(n B G) n B (kg) = P m Examle: = 751; E q (-1, 188) 2 3 y = x x+ 188; and G = (0, 376). A B: P m = (562, 201) A selects the random number k = 386. B s Public key: P B = (201, 5). A comutes: 386(0, 376) = (676, 558) and (562, 201) + 386(201, 5) = (385, 328). A sends the ciher text: {(676, 558), (385, 328)}. 9
10 The Digital Signature Algorithm The Digital Signature Algorithm (DSA) was roosed in August of 1991 by the U.S. National Institute of Standards and Technology (NIST) and became a U.S. Federal Information Processing Standard (FIPS 186) in It was the first digital signature scheme to be acceted as legally binding by a government. The algorithm is a variant of the ElGamal signature * scheme. It exloits small subgrous in Z { 1,2,..., 1} = in order to decrease the size of signatures. Figure 5 shows the key-generation, signature-generation, and signature-verification rocedures for DSA. Figure 5-1: DSA aroach 10
11 Figure 5-2: DSA Algorithm 11
12 Since r and s are each integers less than q, DSA signatures are 320 bits in length. The security of the DSA relies on two distinct (but related) discrete logarithm roblems. One is the discrete * logarithm roblem in Z where the number field sieve algorithm alies. Since is a 1024-bit rime, the DSA is currently not vulnerable to this attack. The second discrete logarithm roblem works to the base g: given, q, g, and y, find x x such that y g (mod ). For large (1024 bits, for examle), the best-known algorithm for this roblem is the Pollard rho-method, which takes about π q /2 stes. Since 160 q 2, the DSA is not vulnerable to this attack. 12
13 The Ellitic Curve Digital Signature Algorithm (ECDSA) ECDSA is the ellitic curve analogue of the DSA. That is, * instead of working in a subgrou of order q in Z, you work in an ellitic curve grou EZ ( ). The ECDSA is currently being standardized by the ANSI X9F1 and IEEE P1363 standards committees. Table 2 shows the corresondence between some math notation used in DSA and ECDSA. Tables 1 and 2 should make the analogies between the DSA and ECDSA more aarent (see Figure 6). Table 2: Corresondence between DSA and ECDSA notation. The key-generation, signature-generation, and signature-verification rocedures for ECDSA are given in Figure 6. The only significant difference between ECDSA and DSA is in the generation of r. The DSA does this by taking the random element (g k mod ) and reducing it modulo q, thus 13
14 obtaining an integer in the interval [1, q -1]. The ECDSA generates the integer r in the interval [1, n -1] by taking the x-coordinate of the random oint kp and reducing it modulo n. To obtain a security level similar to that of the DSA (with 160-bit q and 1024-bit ), the arameter n should have about 160 bits. If this is the case, then DSA and ECDSA signatures have the same bit length (320 bits). 14
15 Figure 6: (a) ECDSA key generation; (b) ECDSA signature generation; (c) ECDSA signature verification. 15
16 Instead of each entity generating its own ellitic curve, the entities may elect to use the same curve E and oint P of order n. In this case, an entity's ublic key consists only of the oint Q. This results in ublic keys of smaller sizes. Additionally, there are oint comression techniques whereby the oint Q = (x Q, y Q ) can be efficiently constructed from its x-coordinate x Q and a secific bit of the y-coordinate y Q. Thus, for examle, if (so elements in Z are 160-bit strings), then ublic keys can be reresented as 161-bit strings. Security Issues The basis for the security of ellitic curve crytosystems such as the ECDSA is the aarent intractability of this ellitic curve discrete logarithm roblem (ECDLP): given an ellitic curve E defined over, a oint P E( ) of order n, and a oint Q E( ), determine the integer l, 0 l n 1, such that Q = lp, rovided that such an integer exists. Over the ast 12 years, the ECDLP has received considerable attention from leading mathematicians, and no significant 16
17 weaknesses have been reorted. An algorithm by Pohlig and Hellman reduces the determination of l to the determination of l modulo each of the rime factors of n. Hence, to achieve the maximum ossible security level, n should be rime. The best-known algorithm to date for the ECDLP in general is the Pollard rho-method, which takes about π n /2 stes, where a ste is an ellitic curve addition. In 1993, Paul van Oorschot and Michael Wiener showed how the Pollard rho-method can be arallelized so that if r rocessors are used, the exected number of stes by each rocessor before a single discrete logarithm is obtained is n/2/ π r. In considering software attacks on ECDLP, we assume that a million instructions er second (MIPS) machine can erform ellitic curve additions er second. (This estimate is indeed conservative -- an alication-secific integrated circuit for erforming ellitic curve oerations over the field described in "An Imlementation of Ellitic Curve Crytosystems over 2 155," by G. Agnew, R. Mullin, and S. Vanstone [IEEE Journal on Selected Areas in Communications, 17
18 11, 1993] has a 40-MHz clock rate and can erform roughly 40,000 ellitic additions er second.) Then the number of ellitic curve additions that can be erformed by a 1 MIPS machine in one year is (4 10 ) i ( ) Table 3 shows, for various values of n, the comuting ower required to comute a single discrete logarithm using the Pollard rho-method. A MIPS year is equivalent ot the comutational ower of a comuter that is rated at 1 MIPS and utilized for one year. Table 3: Comuting ower to comute ellitic curve logarithms with the Pollard rho-method. For instance, if 10,000 comuters each rated at 1000 MIPS are available, and 150 n 2, then an ellitic curve discrete logarithm can be comuted in 3800 years. Andrew Odlyzko has 18
19 estimated that if 0.1 ercent of the world's comuting ower were available for one year to work on a collaborative effort to break some challenge ciher, then the comuting ower available would be 10 8 MIPS years in 2004 and MIPS years in To ut the numbers in Table 3 in some ersective, Table 4 (see A. Odlyzko's "The Future of Integer Factorization," CrytoBytes: The Technical Newsletter of RSA Laboratories, Summer 1995; also available at htt:// shows the estimated comuting ower required to factor integers with current versions of the general number field sieve. Table 4: Comuting ower required to factor integers using the general number field sieve. 19
20 A more romising attack (for well-funded attackers) on ellitic curve systems would be to build secial-urose hardware for a arallel search using the Pollard rho-method. In "Parallel Collision Search with Crytanalytic Alications" (to aear in Journal of Crytology), P. van Oorschot and M. Wiener rovide a detailed study of such a ossibility. They estimated that if n 10 2, then a machine with m = 325,000 rocessors that could be built for about $10 million would comute a single discrete logarithm in about 35 days. It should be ointed out that in the software and hardware attacks just described, comutation of a single ellitic curve discrete logarithm has the effect of revealing a single user's rivate key. The same effort must be reeated to determine another user's rivate key. In "Minimal Key Lengths for Symmetric Cihers to Provide Adequate Commercial Security" (January 1996, available from htt://theory.lcs.mit.edu/~rivest/ublications.html), M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thomson, and 20
21 M. Wiener reorted on the minimum key lengths required for secure symmetric-key encrytion schemes (such as DES and IDEA). Their reort comes to the following conclusion: To rovide adequate rotection against the most serious threats -- well-funded commercial enterrises or government intelligence agencies -- keys used to rotect data today should be at least 75 bits long. To rotect information adequately for the next 20 years in the face of exected advances in comuting ower, keys in newly-deloyed systems should be at least 90 bits long. Extraolating these conclusions to the case of ellitic curves, you see that n should be at least 150 bits for short-term security and 180 bits for medium-term security. This extraolation is justified by the following considerations: Exhaustive search through a k-bit symmetric-key ciher takes about the same time as the Pollard rho algorithm alied to an ellitic curve having a 2k-bit arameter n. 21
22 Exhaustive searches with a symmetric-key ciher and the Pollard rho algorithm can be arallelized with a linear seedu. A basic oeration with ellitic curves (addition of two oints) is comutationally more exensive than a basic oeration in a symmetric-key ciher (encrytion of one block). In both symmetric-key cihers and ellitic curve systems, a "break" has the same effect: It will recover a single rivate key. 22
23 ECC Security Comared to factoring, can use much smaller key sizes than with RSA etc. For equivalent key lengths comutations are roughly equivalent. Hence for similar security ECC offers significant comutational advantages Comarable Key Sizes for Equivalent Security Table 5: Comarable Key Sizes in Terms of Comutational Effort for Crytanalysis 23
Elliptic Curves and Cryptography
Elliptic Curves and Cryptography Aleksandar Jurišić Alfred J. Menezes March 23, 2005 Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is
More informationA Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem
A Modified Menezes-Vanstone Ellitic Curve Multi-Keys Crytosystem By K.H. Rahouma Electrical Technology Deartment Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationA Public-Key Cryptosystem Based on Lucas Sequences
Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010
More informationTanja Lange Technische Universiteit Eindhoven
Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.
More informationCryptography Assignment 3
Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some
More information1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings
Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based
More informationCDH/DDH-Based Encryption. K&L Sections , 11.4.
CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be
More informationCryptography. Lecture 8. Arpita Patra
Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous
More informationPublic Key Cryptosystems RSA
Public Key Crytosystems RSA 57 17 Receiver Sender 41 19 and rime 53 Attacker 47 Public Key Crytosystems RSA Comute numbers n = * 2337 323 57 17 Receiver Sender 41 19 and rime 53 Attacker 2491 47 Public
More informationLattice Attacks on the DGHV Homomorphic Encryption Scheme
Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr
More informationA secure approach for embedding message text on an elliptic curve defined over prime fields, and building 'EC-RSA-ELGamal' Cryptographic System
International Journal of Comuter Science an Information Security (IJCSIS), Vol. 5, No. 6, June 7 A secure aroach for embeing message tet on an ellitic curve efine over rime fiels, an builing 'EC-RSA-ELGamal'
More informationOutline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding
Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationAdvanced Cryptography Midterm Exam
Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will
More informationA New and Optimal Chosen-message Attack on RSA-type Cryptosystems
Published in Y. Han, T. Okamoto, and S. Qing, eds, Information and Communications Security (ICICS 97), vol. 1334 of Lecture Notes in Comer Science,. 30-313, Sringer-Verlag, 1997. A New and Otimal Chosen-message
More informationCryptanalysis of Pseudorandom Generators
CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we
More informationEfficient Hardware Architecture of SEED S-box for Smart Cards
JOURNL OF SEMICONDUCTOR TECHNOLOY ND SCIENCE VOL.4 NO.4 DECEMBER 4 37 Efficient Hardware rchitecture of SEED S-bo for Smart Cards Joon-Ho Hwang bstract This aer resents an efficient architecture that otimizes
More informationMultiplicative group law on the folium of Descartes
Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of
More informationBayesian System for Differential Cryptanalysis of DES
Available online at www.sciencedirect.com ScienceDirect IERI Procedia 7 (014 ) 15 0 013 International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationOutline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem
Outline Public-key cryptography A collection of hard problems Mathematical Background Trapdoor Knapsack Integer factorization Problem Discrete logarithm problem revisited Case of Study: The Sun NFS Cryptosystem
More informationBilinear Entropy Expansion from the Decisional Linear Assumption
Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo
More informationA Block Cipher Involving a Key and a Key Bunch Matrix, Supplemented with Key-Based Permutation and Substitution
(IJACSA) International Journal of Advanced Comuter Science and Alications, Vol. 4, No., 0 A Block Ciher Involving a Key and a Key Bunch Matrix, Sulemented with Key-Based Permutation and Substitution Dr.
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationAN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction
J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationA generalization of Amdahl's law and relative conditions of parallelism
A generalization of Amdahl's law and relative conditions of arallelism Author: Gianluca Argentini, New Technologies and Models, Riello Grou, Legnago (VR), Italy. E-mail: gianluca.argentini@riellogrou.com
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationConversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs
Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial
More informationAn Introduction to Elliptic Curve Cryptography
Harald Baier An Introduction to Elliptic Curve Cryptography / Summer term 2013 1/22 An Introduction to Elliptic Curve Cryptography Harald Baier Hochschule Darmstadt, CASED, da/sec Summer term 2013 Harald
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationGoldbach s Conjecture on ECDSA Protocols N Vijayarangan, S Kasilingam, Nitin Agarwal
Goldbach s Conjecture on ECDSA Protocols N Vijayarangan, S Kasilingam, Nitin Agarwal Abstract - In this paper, an algorithm on Goldbach s conjecture is newly defined for computing a large even number as
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More information#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS
#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt
More information(IV.D) PELL S EQUATION AND RELATED PROBLEMS
(IV.D) PELL S EQUATION AND RELATED PROBLEMS Let d Z be non-square, K = Q( d). As usual, we take S := Z[ [ ] d] (for any d) or Z 1+ d (only if d 1). We have roved that (4) S has a least ( fundamental )
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationRound-off Errors and Computer Arithmetic - (1.2)
Round-off Errors and Comuter Arithmetic - (.). Round-off Errors: Round-off errors is roduced when a calculator or comuter is used to erform real number calculations. That is because the arithmetic erformed
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationGalois Fields, Linear Feedback Shift Registers and their Applications
Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):
More informationRandomness Extraction in finite fields F p
Randomness Extraction in finite fields F n Abdoul Aziz Ciss École doctorale de Mathématiques et d Informatique, Université Cheikh Anta Dio de Dakar, Sénégal BP: 5005, Dakar Fann abdoul.ciss@ucad.edu.sn,
More informationElliptic Curves Spring 2015 Problem Set #1 Due: 02/13/2015
18.783 Ellitic Curves Sring 2015 Problem Set #1 Due: 02/13/2015 Descrition These roblems are related to the material covered in Lectures 1-2. Some of them require the use of Sage, and you will need to
More informationPretest (Optional) Use as an additional pacing tool to guide instruction. August 21
Trimester 1 Pretest (Otional) Use as an additional acing tool to guide instruction. August 21 Beyond the Basic Facts In Trimester 1, Grade 8 focus on multilication. Daily Unit 1: Rational vs. Irrational
More informationState Estimation with ARMarkov Models
Deartment of Mechanical and Aerosace Engineering Technical Reort No. 3046, October 1998. Princeton University, Princeton, NJ. State Estimation with ARMarkov Models Ryoung K. Lim 1 Columbia University,
More informationElliptic Curve Cryptography with Derive
Elliptic Curve Cryptography with Derive Johann Wiesenbauer Vienna University of Technology DES-TIME-2006, Dresden General remarks on Elliptic curves Elliptic curces can be described as nonsingular algebraic
More informationThe State of Elliptic Curve Cryptography
Designs, Codes and Cryptography, 19, 173 193 (2000) c 2000 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands. The State of Elliptic Curve Cryptography NEAL KOBLITZ koblitz@math.washington.edu
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS
#A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,
More informationEigenanalysis of Finite Element 3D Flow Models by Parallel Jacobi Davidson
Eigenanalysis of Finite Element 3D Flow Models by Parallel Jacobi Davidson Luca Bergamaschi 1, Angeles Martinez 1, Giorgio Pini 1, and Flavio Sartoretto 2 1 Diartimento di Metodi e Modelli Matematici er
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationPredicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationCHAPTER-II Control Charts for Fraction Nonconforming using m-of-m Runs Rules
CHAPTER-II Control Charts for Fraction Nonconforming using m-of-m Runs Rules. Introduction: The is widely used in industry to monitor the number of fraction nonconforming units. A nonconforming unit is
More informationON LINEAR COMPLEXITY OF GENERALIZED SHRINKING-MULTIPLEXING GENERATOR
Journal of Basic and Alied Research International 4(1): 8 17, 015 O LIEAR COMPLEXITY OF GEERALIZED SHRIKIG-MULTIPLEXIG GEERATOR ZHAETA. TASHEVA 1* 1 Faculty of Artillery, AAD and CIS, ational Military
More informationAnalysis of execution time for parallel algorithm to dertmine if it is worth the effort to code and debug in parallel
Performance Analysis Introduction Analysis of execution time for arallel algorithm to dertmine if it is worth the effort to code and debug in arallel Understanding barriers to high erformance and redict
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From 2 k -th Power Residue Symbols Marc Joye and Benoît Libert Technicolor 975 avenue des Chams Blancs, 35576 Cesson-Sévigné Cedex, France {marc.joye,benoit.libert}@technicolor.com
More informationA Distance-sensitive Attribute Based Cryptosystem for Privacy-Preserving Querying
MITSUBISHI ELECTRIC RESEARCH LABORATORIES htt://www.merl.com A Distance-sensitive Attribute Based Crytosystem for Privacy-Preserving Querying Sun, W.; Rane, S. TR2012-054 July 2012 Abstract We roose an
More informationAn Attack on a Fully Homomorphic Encryption Scheme
An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,
More information2 IEICE TRANS. FUNDAMENTALS, VOL.E82 A, NO.1 JANUARY 1999 exist another trace of ellitic curves which is reduced to at most 6, seriously low, degree e
IEICE TRANS. FUNDAMENTALS, VOL.E82 A, NO.1 JANUARY 1999 1 PAPER New exlicit conditions of ellitic curve traces for FR-reduction Atsuko MIYAJI y, Member, Masaki NAKABAYASHI y, and Shunzou TAKANO yy, Nonmembers
More information(Workshop on Harmonic Analysis on symmetric spaces I.S.I. Bangalore : 9th July 2004) B.Sury
Is e π 163 odd or even? (Worksho on Harmonic Analysis on symmetric saces I.S.I. Bangalore : 9th July 004) B.Sury e π 163 = 653741640768743.999999999999.... The object of this talk is to exlain this amazing
More informationAttacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)
Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP) Mrs.Santoshi Pote 1, Mrs. Jayashree Katti 2 ENC, Usha Mittal Institute of Technology, Mumbai, India 1 Information Technology,
More informationAn Analysis of Reliable Classifiers through ROC Isometrics
An Analysis of Reliable Classifiers through ROC Isometrics Stijn Vanderlooy s.vanderlooy@cs.unimaas.nl Ida G. Srinkhuizen-Kuyer kuyer@cs.unimaas.nl Evgueni N. Smirnov smirnov@cs.unimaas.nl MICC-IKAT, Universiteit
More informationComputer arithmetic. Intensive Computation. Annalisa Massini 2017/2018
Comuter arithmetic Intensive Comutation Annalisa Massini 7/8 Intensive Comutation - 7/8 References Comuter Architecture - A Quantitative Aroach Hennessy Patterson Aendix J Intensive Comutation - 7/8 3
More informationElementary Analysis in Q p
Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some
More informationA random zoo: sloth, un corn, and trx
i A random zoo: sloth, un corn, and trx Arjen K. Lenstra and Benjamin Wesolowski EPFL IC LACAL, Station 14, CH-1015 Lausanne, Switzerland Abstract. Many alications require trustworthy generation of ublic
More informationShadow Computing: An Energy-Aware Fault Tolerant Computing Model
Shadow Comuting: An Energy-Aware Fault Tolerant Comuting Model Bryan Mills, Taieb Znati, Rami Melhem Deartment of Comuter Science University of Pittsburgh (bmills, znati, melhem)@cs.itt.edu Index Terms
More informationOn Line Parameter Estimation of Electric Systems using the Bacterial Foraging Algorithm
On Line Parameter Estimation of Electric Systems using the Bacterial Foraging Algorithm Gabriel Noriega, José Restreo, Víctor Guzmán, Maribel Giménez and José Aller Universidad Simón Bolívar Valle de Sartenejas,
More informationQUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES
0 th March 0. Vol. No. 00-0 JATIT & LLS. All rights reserved. ISSN: -86 www.jatit.org E-ISSN: 87- QUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES XIAOYU LI, LIJU CHEN School of Information
More informationCubic Sieve Congruence of the Discrete Logarithm Problem, and Fractional Part Sequences
Cubic Sieve Congruence of the Discrete Logarithm Problem, and Fractional Part Sequences Srinivas Vivek University of Luxembourg, Luxembourg C. E. Veni Madhavan Deartment of Comuter Science and Automation,
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationElliptic Curve Computations
Elliptic Curve Computations New Mexico Supercomputing Challenge Final Report April 1st, 2009 Team 66 Manzano High School Team Members Kristin Cordwell Chen Zhao Teacher Stephen Schum Project Mentor William
More informationThe Elliptic Curve Digital Signature Algorithm (ECDSA) 1 2. Alfred Menezes. August 23, Updated: February 24, 2000
The Elliptic Curve Digital Signature Algorithm (ECDSA) 1 2 Don Johnson Certicom Research djohnson@certicom.com Alfred Menezes University of Waterloo ajmeneze@uwaterloo.ca August 23, 1999 Updated: February
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationMATH 361: NUMBER THEORY ELEVENTH LECTURE
MATH 361: NUMBER THEORY ELEVENTH LECTURE The subjects of this lecture are characters, Gauss sums, Jacobi sums, and counting formulas for olynomial equations over finite fields. 1. Definitions, Basic Proerties
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationThe Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule
The Grah Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule STEFAN D. BRUDA Deartment of Comuter Science Bisho s University Lennoxville, Quebec J1M 1Z7 CANADA bruda@cs.ubishos.ca
More informationPositive decomposition of transfer functions with multiple poles
Positive decomosition of transfer functions with multile oles Béla Nagy 1, Máté Matolcsi 2, and Márta Szilvási 1 Deartment of Analysis, Technical University of Budaest (BME), H-1111, Budaest, Egry J. u.
More informationWhen do the Fibonacci invertible classes modulo M form a subgroup?
Annales Mathematicae et Informaticae 41 (2013). 265 270 Proceedings of the 15 th International Conference on Fibonacci Numbers and Their Alications Institute of Mathematics and Informatics, Eszterházy
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationMATH 250: THE DISTRIBUTION OF PRIMES. ζ(s) = n s,
MATH 50: THE DISTRIBUTION OF PRIMES ROBERT J. LEMKE OLIVER For s R, define the function ζs) by. Euler s work on rimes ζs) = which converges if s > and diverges if s. In fact, though we will not exloit
More informationA Special Case Solution to the Perspective 3-Point Problem William J. Wolfe California State University Channel Islands
A Secial Case Solution to the Persective -Point Problem William J. Wolfe California State University Channel Islands william.wolfe@csuci.edu Abstract In this aer we address a secial case of the ersective
More informationImproved Hidden Vector Encryption with Short Ciphertexts and Tokens
Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic
More informationThe non-stochastic multi-armed bandit problem
Submitted for journal ublication. The non-stochastic multi-armed bandit roblem Peter Auer Institute for Theoretical Comuter Science Graz University of Technology A-8010 Graz (Austria) auer@igi.tu-graz.ac.at
More informationSolvability and Number of Roots of Bi-Quadratic Equations over p adic Fields
Malaysian Journal of Mathematical Sciences 10(S February: 15-35 (016 Secial Issue: The 3 rd International Conference on Mathematical Alications in Engineering 014 (ICMAE 14 MALAYSIAN JOURNAL OF MATHEMATICAL
More informationSession 5: Review of Classical Astrodynamics
Session 5: Review of Classical Astrodynamics In revious lectures we described in detail the rocess to find the otimal secific imulse for a articular situation. Among the mission requirements that serve
More informationElliptic Curve Cryptography
Technical Guideline BSI TR-03111 Elliptic Curve Cryptography Version 2.10 Date: 2018-06-01 History Version Date Comment 1.00 2007-02-14 Initial public version. 1.10 2009-02-03 Enhancements, corrections,
More informationCMSC 425: Lecture 4 Geometry and Geometric Programming
CMSC 425: Lecture 4 Geometry and Geometric Programming Geometry for Game Programming and Grahics: For the next few lectures, we will discuss some of the basic elements of geometry. There are many areas
More informationOn Nonlinear Polynomial Selection and Geometric Progression (mod N) for Number Field Sieve
On onlinear Polynomial Selection and Geometric Progression (mod ) for umber Field Sieve amhun Koo, Gooc Hwa Jo, and Soonhak Kwon Email: komaton@skku.edu, achimheasal@nate.com, shkwon@skku.edu Det. of Mathematics,
More informationBatch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco
Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, India. Outline Introduction
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More information