Finite Fields and Elliptic Curves in Cryptography
1 Finite Fields and Elliptic Curves in Cryptography
Frederik Vercauteren, Katholieke Universiteit Leuven, COSIC (COmputer Security and Industrial Cryptography)
2 Overview
- Public-key vs. symmetric cryptosystems
- Security of the RSA cryptosystem
- Elliptic curve discrete logarithm
- Pohlig-Hellman attack on the ECDLP
- Proofs of primality with elliptic curves
3 Public-key vs. symmetric cryptosystem
Symmetric cryptosystem:
- Alice and Bob share a common key K
- K is used both for encryption and decryption
- n users need n(n − 1)/2 keys
- Both Alice and Bob have to keep K secret
- High speeds are possible, e.g. AES: 8 MB/s on a Pentium 200 MHz (figure from the time of the lecture)
4 Public-key vs. symmetric cryptosystem
Public-key cryptosystem: Diffie-Hellman (1976), based on (trapdoor) one-way functions:
- given x, easy to compute f(x)
- given f(x), difficult to compute x
- given f(x) and the trapdoor, easy to compute x
Example: let g be a generator of $\mathbb{F}_p^*$, p a large prime; then $f_g(x) = g^x \bmod p$ is a one-way function. Discrete log problem: compute x given $f_g(x)$.
Key exchange: Alice sends Bob $P_A = g^{x_A} \bmod p$, Bob sends Alice $P_B = g^{x_B} \bmod p$. Common key $K_{AB} = P_B^{x_A} = P_A^{x_B} = g^{x_A x_B} \bmod p$. Note that this exchange authenticates nobody: an attacker who can replace $P_A$ and $P_B$ in transit ends up sharing a key with each party, so in practice the exchanged values must be signed or otherwise authenticated.
5 The RSA cryptosystem
Invented by Rivest, Shamir and Adleman (1977); it constructs a trapdoor one-way function.
- Let n = p · q with p and q large primes (at least 512 bits each at the time of the lecture; today a modulus of at least 2048 bits is the accepted minimum)
- Compute $\varphi(n) = (p - 1)(q - 1)$, the order of $(\mathbb{Z}/n\mathbb{Z})^*$
- Choose e with $\gcd(e, \varphi(n)) = 1$ and d with $e \cdot d \equiv 1 \pmod{\varphi(n)}$
- Public key: (e, n); private key: d (or p and q)
- Encryption: $C = M^e \bmod n$; decryption: $M = C^d \bmod n$
6 Security of the RSA cryptosystem
Three computationally equivalent problems:
1. Factor the modulus n
2. Compute $\varphi(n) = (p - 1)(q - 1)$
3. Given the public key (e, n), compute d with $e \cdot d \equiv 1 \pmod{\varphi(n)}$
Proof: (1) ⇒ (2) ⇒ (3) is trivial. (3) ⇒ (1): given (e, n) we obtain d with $ed \equiv 1 \pmod{\varphi(n)}$, so $ed - 1 = k \varphi(n)$ for some integer k. For every $a \in (\mathbb{Z}/n\mathbb{Z})^*$ we therefore have $a^{ed-1} \equiv 1 \pmod n$, hence $a^{ed-1} \equiv 1 \pmod p$ and $a^{ed-1} \equiv 1 \pmod q$.
7 Security of the RSA cryptosystem (cont.)
Now ed − 1 is even, so $r = a^{(ed-1)/2}$ is a square root of 1 modulo p and modulo q. Via the CRT this gives four possibilities for $r \bmod n$:
- $r \equiv 1 \pmod p$ and $r \equiv 1 \pmod q$: $r \equiv 1 \pmod n$
- $r \equiv -1 \pmod p$ and $r \equiv -1 \pmod q$: $r \equiv -1 \pmod n$
- $r \equiv 1 \pmod p$ and $r \equiv -1 \pmod q$: $r \equiv r_1 \pmod n$
- $r \equiv -1 \pmod p$ and $r \equiv 1 \pmod q$: $r \equiv r_2 \pmod n$
Note that $r_1, r_2 \not\equiv \pm 1 \pmod n$, since the CRT map is an isomorphism. So we expect $a^{(ed-1)/2} \not\equiv \pm 1 \pmod n$ for about half of $(\mathbb{Z}/n\mathbb{Z})^*$ (this can be shown rigorously; the complete algorithm writes $ed - 1 = 2^s t$ with t odd and examines the whole chain $a^t, a^{2t}, \dots, a^{2^{s-1}t}$ for the first square root of 1 it produces). Search for $a \in (\mathbb{Z}/n\mathbb{Z})^*$ with $a^{(ed-1)/2} \not\equiv \pm 1 \pmod n$; then clearly $1 < \gcd(a^{(ed-1)/2} - 1, n) < n$, since either p or q divides $a^{(ed-1)/2} - 1$, but not both.
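The (3) ⇒ (1) direction of slides 6 and 7 as a worked example. This is added code, not the lecture's: it generates a constructed textbook key from two 20-bit primes (key sizes, seed and the helper names are my choices) and recovers the factors from (n, e, d) by walking the chain $a^t, a^{2t}, \dots$ until a non-trivial square root of 1 appears.

```python
import math
import random


def is_prime_trial(n):
    """Deterministic trial division; fine for the 20-bit demo primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def next_prime(n):
    while not is_prime_trial(n):
        n += 1
    return n


def pick_prime(start, e):
    """First prime >= start with gcd(e, p - 1) = 1 (e is prime, so test divisibility)."""
    p = next_prime(start)
    while (p - 1) % e == 0:
        p = next_prime(p + 1)
    return p


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key from two primes (slide 5): returns (e, n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return e, n, pow(e, -1, phi)


def factor_from_private_exponent(n, e, d, rng=random.Random(2024), tries=100):
    """Recover (p, q) from a leaked d (slides 6-7).

    e*d - 1 is a multiple of phi(n), so a^(e*d-1) = 1 mod n for every unit a.
    Write e*d - 1 = 2^s * t with t odd and square a^t repeatedly: the first
    element whose square is 1 is a square root of 1 modulo n.  For about half
    of the bases that root r is neither 1 nor -1, and gcd(r - 1, n) is p or q.
    """
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(tries):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g > 1:                        # base shares a factor with n: done
            return min(g, n // g), max(g, n // g)
        x = pow(a, t, n)
        if x in (1, n - 1):              # chain starts at +-1: no information
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                   # x is a square root of 1 other than +-1
                p = math.gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            if y == n - 1:               # chain hit -1 first: try another base
                break
            x = y
        else:
            raise ValueError("a^(e*d-1) != 1 mod n: d is not the private exponent")
    raise ValueError("no factor found in %d tries" % tries)


def demo():
    """Constructed key: two 20-bit primes, e = 65537; returns (p, q, recovered pair)."""
    p, q = pick_prime(2 ** 20 + 7, 65537), pick_prime(2 ** 20 + 1000, 65537)
    e, n, d = rsa_keygen(p, q)
    return p, q, factor_from_private_exponent(n, e, d)


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one the equivalence proof hides: once a single private exponent for a modulus has leaked, the modulus itself is burnt, and handing out a fresh (e', d') pair for the same n is no fix at all.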
8 Factoring vs. discrete log
Define the function $L_n(a, b) = \exp\big((b + o(1)) (\ln n)^a (\ln \ln n)^{1-a}\big)$. If a = 1 then $L_n$ is exponential in ln n; for a = 0, $L_n$ is polynomial in ln n. If 0 < a < 1 then $L_n$ is called sub-exponential.
The best known method both for factoring and for computing discrete logarithms in $\mathbb{F}_p^*$ is the general number field sieve (GNFS), which has running time $L_n(1/3, 1.923)$.
- Factoring: August 1999, RSA-155 (512 bits), factored with GNFS in 8000 MIPS-years
- Discrete log: April 2001, DLP-120 (400 bits), computed with GNFS in 400 MIPS-years
These were the records at the time of the lecture; a 768-bit RSA modulus was factored in 2009 and an 829-bit one in 2020, which is why 512- and 1024-bit moduli are no longer acceptable.
9 Definition of elliptic curves
Let K be a field and $\bar K$ its algebraic closure. An elliptic curve E over K is the set of solutions in $\mathbb{P}^2(\bar K)$ of
$E: Y^2 Z + a_1 XYZ + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3$,
with $a_1, a_2, a_3, a_4, a_6 \in K$ and E non-singular.
Canonical forms over different fields K:
- $\mathrm{char}(K) \neq 2, 3$: $y^2 = x^3 + a_4 x + a_6$
- $\mathrm{char}(K) = 3$, $j(E) \neq 0$: $y^2 = x^3 + a_2 x^2 + a_6$
- $\mathrm{char}(K) = 3$, $j(E) = 0$: $y^2 = x^3 + a_4 x + a_6$
- $\mathrm{char}(K) = 2$, $j(E) \neq 0$: $y^2 + xy = x^3 + a_2 x^2 + a_6$
- $\mathrm{char}(K) = 2$, $j(E) = 0$: $y^2 + a_3 y = x^3 + a_4 x + a_6$
10 Group law on elliptic curves
[Figure: the elliptic curve $y^2 = x^3 - 7x + 6$ over $\mathbb{R}$ and the group law. Left panel, construction of P + Q: the line L through P and Q meets E in a third point R, and P + Q is the reflection of R in the x-axis. Right panel, construction of 2P: the same with the tangent line L at P.]
11 Elliptic curve over a finite field
[Figure: the points of the elliptic curve $y^2 = x^3 + x + 3 \bmod 23$ plotted on a 23 × 23 grid; only the axis ticks 0 to 22 survived the transcription.]
12 Elliptic curve discrete logarithm problem
Let $\mathbb{F}_q$ be the finite field with q elements and E an elliptic curve over $\mathbb{F}_q$. Take a point $P \in E(\mathbb{F}_q)$ and $k \in \mathbb{Z}$ and set Q = kP. The ECDLP is: given Q and P, compute k.
Attacks on the ECDLP, with $n = \#E(\mathbb{F}_q)$:
- General attacks: work in any group and have running time $O(\sqrt n)$. For an elliptic curve $n \approx q$, so $O(\sqrt q)$, i.e. exponential in log q.
- MOV attack: use the Weil pairing to reduce the ECDLP to the DLP in $\mathbb{F}_{q^l}^*$, with l the smallest integer such that $q^l \equiv 1 \pmod n$. For small l this leads to a sub-exponential attack (supersingular curves always have $l \le 6$).
- Anomalous curves: n = q. Apply the q-adic elliptic curve logarithm (Semaev, Smart, Satoh-Araki). Time complexity O(log q), so linear in log q.
Each of these is a check a curve must pass before use: large prime-order subgroup, large embedding degree l, and $n \neq q$.
13 Pohlig and Hellman attack
To solve the DLP in any finite abelian group G, it is sufficient to solve the DLP in all subgroups of prime-power order. The original DLP is then recovered using the CRT.
Suppose $\#G = n = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s}$ (with P of order n) and we wish to solve Q = mP. Set $p = p_1$ and $e = e_1$; we show how to compute $m \bmod p^e$.
Restrict the DLP to the subgroup of order p by multiplying with $n_1 = n/p$, i.e. $P_1 = n_1 P$ (of order p) and
$Q_1 = n_1 Q = m (n_1 P) = m P_1 = m_0 P_1$ with $m_0 = m \bmod p$.
Use a general attack (e.g. baby-step giant-step) in the subgroup of order p to compute $m_0$.
14 Pohlig and Hellman attack (cont.)
Suppose we know $m_i = m \bmod p^i$; then $m \equiv m_i + \lambda_i p^i \pmod{p^{i+1}}$ with $0 \le \lambda_i < p$. Set $n_{i+1} = n/p^{i+1}$ and $P_{i+1} = n_{i+1} P$ (of order $p^{i+1}$); then
$Q_{i+1} = n_{i+1} Q = m (n_{i+1} P) = (m_i + \lambda_i p^i) P_{i+1}$
and also
$Q_{i+1} - m_i P_{i+1} = \lambda_i (p^i P_{i+1}) = \lambda_i P_1$.
Again use a general attack in the subgroup of order p to compute $\lambda_i$. After e steps this gives $m \bmod p^e$; doing the same for every $p_j$ and combining with the CRT gives m.
Conclusion: a general attack on the ECDLP exists with running time $O(\sqrt p)$, where p is the largest prime factor of $\#E(\mathbb{F}_q)$. Before using an elliptic curve, check that $\#E(\mathbb{F}_q)$ is divisible by a large prime (at least 160 bits at the time of the lecture; 256-bit prime-order subgroups are the norm today). The same argument is why a protocol must reject received points that do not lie in the prime-order subgroup: otherwise the attacker learns the secret scalar modulo the small cofactor primes (small-subgroup attack).
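The group law of slide 10, the generic square-root attack of slide 12 (baby-step giant-step) and the Pohlig-Hellman reduction of slides 13 and 14, carried out in one added example. The code is mine, not the lecture's; it runs on the lecture's curve $y^2 = x^3 + x + 3 \bmod 23$ (slide 11) and on a second constructed curve over $\mathbb{F}_{1009}$, and counts points by brute force, which is only acceptable at these toy sizes.

```python
import math
# Added example (not the lecture's code): affine arithmetic on y^2 = x^3 + a*x + b
# over F_p (p > 3), a curve being the tuple (p, a, b); None is the point at infinity O.

def ec_add(P, Q, curve):
    p, a, _ = curve
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # Q = -P
    if P == Q:                                        # tangent: 2P (slide 10)
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)
    else:                                             # chord: P + Q (slide 10)
        lam = (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_neg(P, curve):
    return None if P is None else (P[0], (-P[1]) % curve[0])

def ec_mul(k, P, curve):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, curve)
        P, k = ec_add(P, P, curve), k >> 1
    return R

def curve_points(curve):
    """E(F_p) by brute force (toy sizes only); element 0 is O."""
    p, a, b = curve
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [None] + [(x, y) for x in range(p) for y in roots.get((x ** 3 + a * x + b) % p, [])]

def factor(n):
    """Trial-division factorisation {prime: exponent} of a small n."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d], n = f.get(d, 0) + 1, n // d
        d += 1
    return f if n == 1 else {**f, n: f.get(n, 0) + 1}

def point_order(P, n, curve):
    """Order of P, given the group order n = #E(F_p)."""
    d = n
    for q, e in factor(n).items():
        for _ in range(e):
            if ec_mul(d // q, P, curve) is None:
                d //= q
    return d

def bsgs(P, Q, l, curve):
    """Generic O(sqrt(l)) attack (slide 12): solve Q = k*P for P of prime order l."""
    m = math.isqrt(l) + 1
    baby, R = {}, None
    for j in range(m):                                # baby steps j*P, 0 <= j < m
        baby.setdefault(R, j)
        R = ec_add(R, P, curve)
    step, R = ec_neg(ec_mul(m, P, curve), curve), Q
    for i in range(m):                                # giant steps Q - i*m*P
        if R in baby:
            return (i * m + baby[R]) % l
        R = ec_add(R, step, curve)
    raise ValueError("Q is not a multiple of P")

def pohlig_hellman(P, Q, n, curve):
    """Solve Q = m*P for P of order n = prod q^e (slides 13-14): one base-q digit
    of m at a time inside each prime-power subgroup, then the CRT."""
    residues = []
    for q, e in factor(n).items():
        P1, m_i = ec_mul(n // q, P, curve), 0         # P1 has order q; m_i = m mod q^i
        for i in range(e):
            n_i = n // q ** (i + 1)
            P_i, Q_i = ec_mul(n_i, P, curve), ec_mul(n_i, Q, curve)   # order q^(i+1)
            rhs = ec_add(Q_i, ec_neg(ec_mul(m_i, P_i, curve), curve), curve)
            m_i += bsgs(P1, rhs, q, curve) * q ** i   # Q_i - m_i P_i = lambda_i * P1
        residues.append((m_i, q ** e))
    m, M = 0, 1
    for r, mod in residues:                           # Chinese remainder theorem
        m, M = m + M * ((r - m) * pow(M, -1, mod) % mod), M * mod
    return m % n

def recover_scalar(curve, P, k):
    """Build Q = k*P and recover k from (P, Q); returns (#E, ord(P), k mod ord(P))."""
    n = len(curve_points(curve))
    r = point_order(P, n, curve)
    return n, r, pohlig_hellman(P, ec_mul(k, P, curve), r, curve)

if __name__ == "__main__":
    # The lecture's curve y^2 = x^3 + x + 3 mod 23 (slide 11); (0, 7) lies on it.
    print(recover_scalar((23, 1, 3), (0, 7), 17))
    big = (1009, 2, 3)                                # constructed larger curve
    print(recover_scalar(big, curve_points(big)[1], 12345))
```

The only expensive call is `bsgs`, and it is always made in a subgroup of prime order q, which is the whole point of the slide's conclusion: the attacker pays $O(\sqrt{q_{\max}})$, not $O(\sqrt{\#E})$, so a curve order with only small prime factors offers no security whatever the field size.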
15 ECDLP vs. RSA & DLP
16 2B or not 2B, that's the question...
Fundamental Theorem of Arithmetic: given $n \in \mathbb{N}_0$, the factorisation of n into primes,
$n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$,
is unique up to order.
Different questions:
- What is the factorisation of n?
- Test if n is prime
- Test if n is composite
17 Tests of primality and of compositeness
- Test of primality: if a certain condition on n is fulfilled, then n is prime; otherwise n is composite.
- Test of compositeness: if a certain condition on n is fulfilled, then n is composite.

            | Primality test  | Compositeness test
  Success   | n is prime      | n is composite
  Fail      | n is composite  | ?
18 Tests of compositeness
Fermat's theorem: if p is prime and gcd(a, p) = 1, then $a^{p-1} \equiv 1 \pmod p$.
Fermat compositeness test: if gcd(a, n) = 1 and $a^{n-1} \not\equiv 1 \pmod n$, then n is composite.
Definition: an odd composite number n for which $a^{n-1} \equiv 1 \pmod n$ is called a Fermat pseudoprime for base a.
Example: n = 341 = 11 · 31 gives $2^{340} \equiv 1 \pmod{341}$, however $3^{340} \equiv 56 \pmod{341}$.
19 Tests of compositeness
Data (Pomerance, Selfridge and Wagstaff): counts, below a fixed bound, of the pseudoprimes to base 2; to bases 2 and 3; to bases 2, 3 and 5; to bases 2, 3, 5 and 7 (the bound and the four counts were lost in transcription; each extra base removes most of the survivors, but never all of them).
Definition: an odd composite number n for which $a^{n-1} \equiv 1 \pmod n$ for all a satisfying gcd(a, n) = 1 is called a Carmichael number.
Example: the smallest Carmichael number is n = 561 = 3 · 11 · 17.
Data: 2163 Carmichael numbers below [bound lost in transcription].
Structure of Carmichael numbers (Korselt's criterion): n is a Carmichael number iff n is composite and squarefree and $p - 1 \mid n - 1$ for every prime factor p of n.
20 Strong pseudoprime test
Definition: write $n - 1 = 2^s d$ with d odd. An odd composite number n is called a strong pseudoprime for base a if $a^d \equiv 1 \pmod n$ or $a^{2^r d} \equiv -1 \pmod n$ for some r with $0 \le r < s$.
Data (Jaeschke): below [bound lost in transcription] there are only 101 strong pseudoprimes to the bases 2, 3 and 5.
Data: [value lost in transcription] is the smallest strong pseudoprime to the bases 2, 3, 5, 7, 11, 13 and 17.
No strong Carmichael numbers: if n is odd and composite, then n fails the strong pseudoprime test for at least 3/4 of the bases less than n.
Miller-Rabin algorithm: apply the strong pseudoprime test for t randomly chosen bases $a_i$; if n is composite, this will be detected with
21 probability $> 1 - (1/4)^t$.
22 Simple tests of primality
- Trial division: if n is composite, then n has a prime factor $p \le \sqrt n$. If $p \nmid n$ for all primes $p \le \sqrt n$, then n is prime.
- Strong pseudoprime test: if n passes the strong pseudoprime test for more than 1/4 of the bases smaller than n, then n is prime.
- SPT with the Generalized Riemann Hypothesis: if n passes the strong pseudoprime test for all bases in $\{2, 3, \dots, \lfloor 2 (\log n)^2 \rfloor\}$, then n is prime. A proof of the Generalized Riemann Hypothesis therefore implies a deterministic polynomial-time primality test. (Since 2002 the AKS test gives an unconditional deterministic polynomial-time algorithm.)
23 Tests of primality
Pocklington's theorem: let n > 1 be an integer and q a prime divisor of n − 1 with $q^e \mid n - 1$ and $q^{e+1} \nmid n - 1$. Suppose there is an integer a such that $a^{n-1} \equiv 1 \pmod n$ and $\gcd(a^{(n-1)/q} - 1, n) = 1$. Then every prime divisor p of n satisfies $p \equiv 1 \pmod{q^e}$.
Proof: let b be the order of a in $\mathbb{F}_p^*$. Then $b \mid p - 1$, and since $a^{n-1} \equiv 1 \pmod p$ we have $b \mid n - 1$. However, $a^{(n-1)/q} \not\equiv 1 \pmod p$ (otherwise p would divide $\gcd(a^{(n-1)/q} - 1, n)$), so $b \nmid (n-1)/q$; thus $q^e \mid b$ and hence also $q^e \mid p - 1$.
24 Tests of primality
Corollary: write n − 1 = F · R with F and R coprime, the factorisation of F completely known and $F > \sqrt n$. Then n is prime if and only if for each prime factor q of F we can find an $a_q$ with $a_q^{n-1} \equiv 1 \pmod n$ and $\gcd(a_q^{(n-1)/q} - 1, n) = 1$.
Proof: by Pocklington, F divides p − 1 for every prime p dividing n, so every prime divisor of n exceeds $F > \sqrt n$ and n must be prime. Conversely, if n is prime, take for $a_q$ a primitive root modulo n.
Problem: half of the factorisation of n − 1 (by size) must be known, and it must be proven that all prime factors of F are prime: the DOWNRUN process (apply the same test recursively to each prime factor of F).
25 Tests of primality: example
Take n = [value lost in transcription]; then n − 1 = [factorisation lost]. Take F = [value lost]; then the bases $a_q = 2$ prove the primality of n provided p = [value lost] and q = [value lost] are prime.
Now p − 1 = [factorisation lost]; take F = [value lost] with $a_{29} = a_{101} = 2$; this proves the primality of p.
Also q − 1 = [factorisation lost]; take F = [value lost] with $a_3 = 5$ and $a_{[\,\cdot\,]} = 2$; this proves the primality of q iff [value lost] is prime.
26 Certificate of primality
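The Miller-Rabin filter of slide 20 followed by the Pocklington proof of slides 23 to 25, with the DOWNRUN recursion that turns it into the certificate of slide 26, as an added worked example. The code is mine, not the lecture's. Assumptions: trial division up to 1000 supplies the "known half" F of n − 1; numbers below $1000^2$ are settled by trial division alone; the demo inputs are the Mersenne prime $2^{31} - 1$ (whose n − 1 is fully smooth), the Carmichael number 561, and a constructed $n = 2^k \cdot 10000019 + 1$ in which the cofactor R = 10000019 has no factor below the bound and is deliberately left unfactored.

```python
import math
import random


def strong_pseudoprime_test(n, a):
    """One round of the strong test (slide 20) for odd n > 2.
    Returns True if n passes for base a, False if a witnesses compositeness."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds=20, rng=random.Random(3)):
    """Miller-Rabin: a composite n slips through with probability < 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(strong_pseudoprime_test(n, rng.randrange(2, n - 1)) for _ in range(rounds))


def trial_factor(m, bound):
    """Split m = F * R: F = {prime: exponent} found by trial division up to bound,
    R the unfactored cofactor (all of whose prime factors exceed bound)."""
    f, p = {}, 2
    while p <= bound and p * p <= m:
        while m % p == 0:
            f[p] = f.get(p, 0) + 1
            m //= p
        p += 1 if p == 2 else 2
    if m > 1 and p * p > m:          # the leftover is prime: trial division proved it
        f[m], m = f.get(m, 0) + 1, 1
    return f, m


def pocklington_certificate(n, bound=1000, max_base=200):
    """Primality proof via Pocklington (slides 23-25), recursing on the prime
    factors of F (the DOWNRUN process, slide 26).  Returns a nested certificate
    dict, or None if no proof was found (n composite, or too little of n - 1
    factored to reach F > sqrt(n))."""
    if n < 2:
        return None
    if n < bound * bound:            # small enough: trial division is itself a proof
        return {"n": n, "proof": "trial division"} if all(n % d for d in range(2, math.isqrt(n) + 1)) else None
    if not is_probable_prime(n):     # cheap filter before the expensive search
        return None
    F_fac, R = trial_factor(n - 1, bound)
    F = math.prod(q ** e for q, e in F_fac.items())
    if F * F <= n:                   # the corollary of slide 24 needs F > sqrt(n)
        return None
    witnesses = {}
    for q in F_fac:
        for a in range(2, max_base):
            if pow(a, n - 1, n) != 1:          # Fermat condition fails: n is composite
                return None
            if math.gcd(pow(a, (n - 1) // q, n) - 1, n) == 1:
                sub = pocklington_certificate(q, bound, max_base)
                if sub is None:
                    return None
                witnesses[q] = (a, sub)        # a_q and the proof that q is prime
                break
        else:
            return None                        # no base a_q found for this q
    return {"n": n, "F": F, "R": R, "witnesses": witnesses}


def proth_style_demo(p=10000019, k=24):
    """Constructed case where only half of n - 1 is known: n = 2^k * p + 1 with p
    above the trial-division bound, so F = 2^k and R = p stays unfactored."""
    while not is_probable_prime((1 << k) * p + 1):
        k += 1
    return pocklington_certificate((1 << k) * p + 1)


if __name__ == "__main__":
    print(pocklington_certificate(2 ** 31 - 1))   # n - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331
    print(pocklington_certificate(561))           # Carmichael number: None
    print(proth_style_demo()["F"])                # a power of two larger than sqrt(n)
```

The returned dict is the certificate: anyone can re-check it by verifying the two congruences for each listed $(q, a_q)$ and the inequality $F > \sqrt n$, without repeating the search, which is exactly what makes a certificate worth more than a "probable prime" verdict.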
27 General principle for tests of primality
Definition: G is a group modulo n if its elements are (vectors of) residues modulo n and the group operation is defined in terms of arithmetic operations modulo n.
Definition: let $d \mid n$; then $G_d$, the group derived from G by reducing modulo d, is called the restricted group modulo d.
Example: $(\mathbb{Z}/n\mathbb{Z})^*$ is a group modulo n and for each $d \mid n$, $(\mathbb{Z}/d\mathbb{Z})^*$ is the restricted group modulo d.
28 General principle for tests of primality
Primality proof: let n be a highly probable prime and G a group modulo n. If there exist $x \in G$ and integers m, s with $s \mid m$ satisfying the following conditions, then n is prime:
- s > the order of $G_q$ for each prime $q \mid n$ with $q \le \sqrt n$;
- $x^m = e$;
- for each prime $p \mid s$, at least one of the coordinates of $x^{m/p} - e$ is coprime to n.
(Reason: the last two conditions force the image of x in every $G_q$ to have order divisible by s, which is impossible when $s > \#G_q$; hence n has no prime factor $q \le \sqrt n$.)
Example: let $G = (\mathbb{Z}/n\mathbb{Z})^*$ and $q \mid n$ with $q \le \sqrt n$. Then $G_q = (\mathbb{Z}/q\mathbb{Z})^*$ and the order of $G_q$ is $q - 1 < \sqrt n$.
Problem: given n, this provides only one group $G = (\mathbb{Z}/n\mathbb{Z})^*$ modulo n.
29 Primality test based on elliptic curves
Definition: let n be a positive integer with gcd(n, 6) = 1. An elliptic curve E over $\mathbb{Z}/n\mathbb{Z}$ is a curve $y^2 = x^3 + ax + b$ with $\gcd(4a^3 + 27b^2, n) = 1$. If $p \mid n$ then the reduction of E modulo p is an elliptic curve over $\mathbb{F}_p$.
Group operation on $E(\mathbb{Z}/n\mathbb{Z})$: let $P_1$ and $P_2$ be two points in $E(\mathbb{Z}/n\mathbb{Z})$ with $P_1 \neq P_2$. Define $P_1 + P_2$ using the ordinary elliptic curve formulas. Then $P_1 + P_2$ has denominators prime to n if and only if for all primes $p \mid n$ we have $(P_1 \bmod p) + (P_2 \bmod p) \neq O$ in $E(\mathbb{F}_p)$. (When a denominator is not invertible, its gcd with n is a non-trivial factor of n; this is how the test below, and Lenstra's ECM factoring method, detect composites.)
30 Primality test based on elliptic curves
Apply the general principle to $G = E(\mathbb{Z}/n\mathbb{Z})$: let $q \mid n$ with $q \le \sqrt n$; then $G_q = E(\mathbb{F}_q)$ and by Hasse $\#G_q \le (\sqrt q + 1)^2$. Since $q \le \sqrt n$, $\#G_q \le (n^{1/4} + 1)^2$. Let m, s be integers with $s \mid m$ and $s > (n^{1/4} + 1)^2$, and $P \in E(\mathbb{Z}/n\mathbb{Z})$ with
1. mP = O,
2. $(m/p) P$ is defined and different from O for each prime $p \mid s$.
Then n is prime.
31 Primality test based on elliptic curves: algorithm
1. Select $a, b \in \mathbb{Z}/n\mathbb{Z}$ such that $E_{a,b}$ is an elliptic curve over $\mathbb{Z}/n\mathbb{Z}$.
2. Determine $m = \#E(\mathbb{Z}/n\mathbb{Z})$ as if n were prime.
3. Test if m = k · q with k > 1 and q a probable prime with $q > (n^{1/4} + 1)^2$.
4. If this test fails then return to 1, else proceed.
5. Select a point $P = (x, y) \in E(\mathbb{Z}/n\mathbb{Z})$.
6. Compute $(m/q) P = kP$. If this is undefined, then a divisor of n is found. If [the remainder of step 6 and step 7 did not survive the transcription]
8. Prove the primality of q recursively, using this algorithm.
33 Proof that n = [value lost in transcription] is prime
Consider the elliptic curve $E_{a,b}$ with a = [value lost] and b = [value lost]. m = [value lost] is the order of $E(\mathbb{Z}/n\mathbb{Z})$ and has an 81-bit cofactor $p_1$ = [value lost] which is probably prime. P = ([coordinates lost]) is a point on $E_{a,b}$ and satisfies mP = O and $(m/q) P \neq O$.
34 Proof that n = [value lost in transcription] is prime (continued; the slide body was lost)
35 Selecting E and m: Goldwasser & Kilian
- Select $a, b \in \mathbb{Z}/n\mathbb{Z}$ such that $\gcd(n, 4a^3 + 27b^2) = 1$.
- Compute $\#E(\mathbb{Z}/n\mathbb{Z})$ using Schoof's algorithm (running time $O(\log^8 n)$). If the algorithm fails, then n is not prime; else it produces m.
- If m is not of the form k · q (k > 1, q a probable prime $> (n^{1/4} + 1)^2$), then go back to the first step.
Under reasonable hypotheses on the distribution of primes in small intervals (of length $O(\sqrt x)$ around x) the expected running time is $O(\log^{12} n)$.
36 Selecting E and m: Atkin
Let $\#E(\mathbb{F}_p) = p + 1 - t$; then the complex multiplication field of E is $L = \mathbb{Q}(\sqrt{t^2 - 4p})$.
- If L is known for a certain E, then $m = \#E(\mathbb{F}_p)$ can be computed easily.
- If L and p are given, then a small list of possible m's can be computed for those elliptic curves which have L as their CM field.
- Given an imaginary quadratic field L and a prime p, a small list of elliptic curves over $\mathbb{F}_p$ having L as CM field can be constructed.
37 Selecting E and m: Atkin (cont.)
1. Select an imaginary quadratic field L which has not been used yet.
2. Compute the candidate m's for elliptic curves with L as CM field.
3. If none of these m is of the form k · q with k > 1 and q a probable prime $> (n^{1/4} + 1)^2$, then return to (1).
4. Let m have the right form. Compute the small list of curves E over $\mathbb{Z}/n\mathbb{Z}$ with L as CM field. Select the curve E with $\#E(\mathbb{Z}/n\mathbb{Z}) = m$, e.g. by testing whether mP = O.
Expected running time of the CM primality test (Atkin-Morain ECPP): $O(\log^{6+\varepsilon} n)$.
38 Counting Points on Elliptic Curves in Characteristic 2
Frederik Vercauteren, Katholieke Universiteit Leuven, COSIC (COmputer Security and Industrial Cryptography)
39 Overview
- Elliptic curves over finite fields of characteristic 2
- The Frobenius endomorphism
- Counting two by two
- Baby-step giant-step
- Weil's theorem and Koblitz curves
- Schoof's algorithm
- Improvements of Elkies and Atkin
- Satoh's algorithm
40 Elliptic curves over finite fields of characteristic 2
- Finite field of characteristic 2: $\mathbb{F}_q = \mathbb{F}_2[X]/(f(X))$ with f irreducible of degree n, $q = 2^n$
- Algebraic closure: $\bar{\mathbb{F}}_q = \bigcup_{m \ge 1} \mathbb{F}_{q^m}$
- Theorem: suppose $x \in \bar{\mathbb{F}}_q$; then $x \in \mathbb{F}_q \iff x^q = x$
- Elliptic curve E over $\mathbb{F}_q$ ($a, b \in \mathbb{F}_q$, $b \neq 0$): $y^2 + xy = x^3 + ax^2 + b$, with O = [0 : 1 : 0]
- Isomorphism classes: $a \in \{0, \gamma\}$ with $\mathrm{Tr}(\gamma) = 1$
- $\#E_{0,b}(\mathbb{F}_q) + \#E_{\gamma,b}(\mathbb{F}_q) = 2q + 2$ (the two curves are quadratic twists of each other)
41 Frobenius endomorphism
- Definition: Frobenius endomorphism $F: E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q): (x, y) \mapsto (x^q, y^q)$
- Definition: trace of Frobenius t: $\#E(\mathbb{F}_q) = q + 1 - t$
- Definition: $[m]: E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q): P \mapsto mP$
- Characteristic equation of F: $F^2 - [t] F + [q] = [0]$
- (Hasse, 1933): the trace of Frobenius satisfies $|t| \le 2\sqrt q$
42 Counting two by two
The number of solutions of $Ax^2 + Bx + C = 0$ with $A \neq 0$ and $B, C \in \mathbb{F}_q$ is: 1 solution if B = 0, and $2\big(1 - \mathrm{Tr}(AC/B^2)\big)$ solutions if $B \neq 0$.
Let E over $\mathbb{F}_q$ be given by $y^2 + xy = x^3 + ax^2 + b$; then $(0, \sqrt b) \in E(\mathbb{F}_q)$ (square roots are unique in characteristic 2). If $x \neq 0$ the points also satisfy
$(y/x)^2 + (y/x) = x + a + b/x^2$,
and therefore one can compute $\#E(\mathbb{F}_q)$ as
$\#E(\mathbb{F}_q) = 2 + \sum_{x \in \mathbb{F}_q^*} 2\big(1 - \mathrm{Tr}(x + a + b/x^2)\big)$.
43 This is a slow algorithm, with complexity $O(q \log^2 q)$ (one trace per field element), useful only for q < [bound lost in transcription].
44 Baby-step giant-step algorithm
- Hasse-Weil: $\#E(\mathbb{F}_q) \in H := [q + 1 - 2\sqrt q,\ q + 1 + 2\sqrt q]$
- Set $N = \lceil q^{1/4} \rceil$ and write x = jN − i with $i, j \in \mathbb{N}$ and $0 \le i < N$
- Generate a point P on the curve and suppose $x = jN - i \in H$ satisfies xP = O, i.e. (jN)P = iP
- Precompute a table with iP for $0 \le i < N$ (baby steps)
- Compute Q = NP and compare jQ with the table for the $O(q^{1/4})$ successive values of j for which jN − i can lie in H (giant steps)
- If there is a match, $\mathrm{Ord}(P) \mid j_m N - i_m$; from this derive $\#E(\mathbb{F}_q)$ (if H contains more than one multiple of Ord(P), repeat with further points until the order of the group is pinned down)
- Time $O(q^{1/4} \log^2 q)$, memory $O(q^{1/4})$
45 Weil's theorem & Koblitz curves
Weil: let E be defined over $\mathbb{F}_q$, $\#E(\mathbb{F}_q) = q + 1 - t$, and let $X^2 - tX + q = (X - \alpha)(X - \beta)$. Then for every $m \in \mathbb{N}$ we have
$\#E(\mathbb{F}_{q^m}) = q^m + 1 - (\alpha^m + \beta^m)$.
Recursion: set $t_0 = 2$ and $t_m = q^m + 1 - \#E(\mathbb{F}_{q^m})$; then the $t_m$ satisfy $t_{m+1} = t_1 t_m - q\, t_{m-1}$.
A curve defined over $\mathbb{F}_2$ (and used over $\mathbb{F}_{2^m}$) is called a Koblitz curve.
- If $l \mid m$ then $E(\mathbb{F}_{2^l})$ is a subgroup of $E(\mathbb{F}_{2^m})$, so $\#E(\mathbb{F}_{2^l}) \mid \#E(\mathbb{F}_{2^m})$.
- Very few Koblitz curves have #E divisible by a large prime: m must be prime, and even then $\#E(\mathbb{F}_2) \in \{2, 4\}$ divides the order, so the cofactor is at least 2.
- NIST: Koblitz curves over $\mathbb{F}_{2^m}$ with m = 163, 233, 283, 409 and 571.
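The trace-based count of slide 42 and Weil's recursion of slide 45, checked against each other in an added example (my code, not the lecture's). It builds $\mathbb{F}_{2^7} = \mathbb{F}_2[X]/(X^7 + X + 1)$ from 7-bit integers (the modulus is assumed irreducible, which the `gf_pow` check in the main block confirms: it has no root in $\mathbb{F}_2$ and $X^{127} = 1$ in the quotient), counts the points of the two Koblitz curves $y^2 + xy = x^3 + ax^2 + 1$, a ∈ {0, 1}, directly, and compares with the count predicted from $\#E(\mathbb{F}_2)$.

```python
# Added example (not from the lecture): point counting "two by two" (slide 42)
# on y^2 + xy = x^3 + a x^2 + b over F_{2^7}, checked against Weil's recursion
# from #E(F_2) (slide 45).  Field elements are 7-bit ints, F_{2^7} = F_2[X]/(X^7+X+1).

N = 7
Q = 1 << N
MODULUS = (1 << 7) | 0b11          # X^7 + X + 1, assumed irreducible (checked in main)


def gf_mul(u, v):
    """Carry-less product of two elements, reduced modulo MODULUS."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> N & 1:
            u ^= MODULUS
    return r


def gf_pow(u, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_mul(u, u)
        e >>= 1
    return r


def gf_inv(u):
    return gf_pow(u, Q - 2)            # u^(q-1) = 1 for u != 0


def trace(u):
    """Tr(u) = u + u^2 + u^4 + ... + u^(2^(N-1)), an element of F_2."""
    t, s = 0, u
    for _ in range(N):
        t ^= s
        s = gf_mul(s, s)
    return t


def count_points_f2n(a, b):
    """#E(F_q) = 2 + sum over x != 0 of 2(1 - Tr(x + a + b/x^2))  (slide 42)."""
    total = 2                          # O and the single point (0, sqrt(b))
    for x in range(1, Q):
        inv = gf_inv(x)
        c = x ^ a ^ gf_mul(b, gf_mul(inv, inv))
        total += 2 * (1 - trace(c))
    return total


def count_points_f2(a, b):
    """#E(F_2) by brute force; in F_2, x^3 = x^2 = x and y^2 = y."""
    return 1 + sum((y ^ (x & y)) == (x ^ (a & x) ^ b) for x in (0, 1) for y in (0, 1))


def weil_count(t1, m, q=2):
    """#E(F_{q^m}) from t_1 = q + 1 - #E(F_q) via t_{m+1} = t_1 t_m - q t_{m-1}."""
    t_prev, t = 2, t1
    for _ in range(m - 1):
        t_prev, t = t, t1 * t - q * t_prev
    return q ** m + 1 - t


def koblitz_check(a, b=1):
    """(direct count over F_{2^7}, count predicted by Weil's theorem from F_2)."""
    t1 = 2 + 1 - count_points_f2(a, b)
    return count_points_f2n(a, b), weil_count(t1, N)


if __name__ == "__main__":
    assert gf_pow(2, Q - 1) == 1       # X^127 = 1: the quotient ring is a field
    for a in (0, 1):                   # a = 1 has Tr(1) = 1 in F_{2^7}: the gamma of slide 40
        print(a, koblitz_check(a))     # direct and predicted counts agree
    print(koblitz_check(0)[0] + koblitz_check(1)[0] == 2 * Q + 2)   # twists: 2q + 2
    # NIST K-163 (a = 1): its order follows in 163 steps of the recursion
    print(weil_count(2 + 1 - count_points_f2(1, 1), 163))
```

Two things to read off the output: the direct count is $O(q)$ field operations, while the recursion from $\#E(\mathbb{F}_2)$ costs O(m) integer operations, which is why the order of a Koblitz curve over $\mathbb{F}_{2^{163}}$ is known exactly without any point-counting algorithm; and both counts are divisible by $\#E(\mathbb{F}_2)$, the subfield-subgroup divisibility that forces a cofactor of 2 or 4 on every Koblitz curve.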
46 Schoof's algorithm (1985)
Idea: compute the trace of Frobenius t modulo small primes $l_i$ with $\prod_i l_i > 4\sqrt q$ and use the CRT to compute the correct value of t (unique in the Hasse interval).
- Definition: l-torsion group $E[l] = \{P \in E \mid lP = O\} \cong \mathbb{Z}_l \times \mathbb{Z}_l$
- Idea: restrict the characteristic equation of F to E[l]: $F_l^2 - [t_l] F_l + [q_l] = [0]$, where $t_l = t \bmod l$ and $q_l = q \bmod l$
- For all l-torsion points P = (x, y): $(x^{q^2}, y^{q^2}) + [q_l](x, y) = [t_l](x^q, y^q)$
47 Algorithm: test for every $\tau \in \{0, 1, \dots, l - 1\}$ whether $(x^{q^2}, y^{q^2}) + [q_l](x, y) = [\tau](x^q, y^q)$; the τ for which it holds is $t \bmod l$.
48 Schoof's algorithm: details
How can we compute in E[l]? Solution: division polynomials $f_l$ of degree $(l^2 - 1)/2$ (here for the curve $y^2 + xy = x^3 + a_2 x^2 + a_6$ in characteristic 2):
$f_0 = 0$, $f_1 = 1$, $f_2 = x$, $f_3 = x^4 + x^3 + a_6$, $f_4 = x^6 + a_6 x^2$,
$f_{2m+1} = f_{m+2} f_m^3 + f_{m-1} f_{m+1}^3$ for $m \ge 2$,
$x f_{2m} = f_{m-1}^2 f_m f_{m+2} + f_{m-2} f_m f_{m+1}^2$ for $m \ge 3$.
Theorem: $P = (x, y) \in E[l] \iff f_l(x) = 0$.
Note $P \in E[l] \Rightarrow F(P) \in E[l]$, so with $S = \{x(P) : P \in E[l] \setminus \{O\}\}$ we have $f_l(x) = \prod_{\alpha \in S} (x - \alpha) \in \mathbb{F}_q[x]$.
49 Schoof's algorithm: details
Theorem: for $m \ge 2$ and $P = (x, y) \in E \setminus \{O\}$, $mP = (\tilde x, \tilde y)$ with
$\tilde x = x + \dfrac{f_{m-1} f_{m+1}}{f_m^2}$,
$\tilde y = x + y + \dfrac{f_{m-1} f_{m+1}}{f_m^2} + \dfrac{f_{m-2} f_{m+1}^2}{x f_m^3} + (x^2 + y)\,\dfrac{f_{m-1} f_{m+1}}{x f_m^2}$.
All computations in E[l] are transformed into computations in $\mathbb{F}_q[x]/(f_l(x))$.
Time complexity $O(\log^8 q)$, memory complexity $O(\log^3 q)$. Useful for fields with q < [bound lost in transcription].
50 Ideas of Elkies and Atkin
Idea: are the roots of $X^2 - t_l X + q_l$ in $\mathbb{F}_l$ or not? Criterion: is $\Delta = t^2 - 4q$ a square modulo l or not?
Definition: if Δ is a square modulo l then l is an Elkies prime, else l is an Atkin prime.
Note $E[l] \cong \mathbb{Z}_l \times \mathbb{Z}_l = \bigcup_{i=1}^{l+1} C_i$, the union of its l + 1 cyclic subgroups of order l: if $P_1, P_2$ generate E[l] then $C_1 = \langle P_1 \rangle$, $C_2 = \langle P_2 \rangle$ and $C_i = \langle P_1 + (i - 2) P_2 \rangle$ for $i = 3, \dots, l + 1$.
Study the action of $F_l$ on these l-groups: if $F_l(C_i) \subseteq C_i$ then $F_l(C_i) = C_i$ and $F_l$ has an eigenvalue $\lambda \in \mathbb{F}_l$ (a generator of $C_i$ is an eigenvector).
51 Ideas of Elkies and Atkin (cont.)
Suppose l is an Elkies prime; then $X^2 - t_l X + q_l = (X - \lambda)(X - \mu)$ with $\lambda, \mu \in \mathbb{F}_l$.
- At least one of the $C_i$ is invariant under the Frobenius map.
- Let $g_l(x) = \prod_{\pm P_i \in C_1 \setminus \{O\}} (x - x(P_i))$, one factor per pair ±P; then $g_l(x) \in \mathbb{F}_q[x]$.
- Note that $\deg(g_l) = (l - 1)/2$ and $g_l(x) \mid f_l(x)$, so computing modulo $g_l$ is much more efficient than modulo $f_l$.
- Equating coefficients of the characteristic polynomial of $F_l$ gives $t \equiv \lambda + q/\lambda \pmod l$.
52 Ideas of Elkies and Atkin (cont.)
Problem: how can one compute $g_l(x)$? Solution: compute the isogeny φ with kernel $C_1$,
$\varphi: E \to \tilde E: (x, y) \mapsto \left(\dfrac{G(x)}{g_l(x)^2},\ \dfrac{H(x) + y K(x)}{g_l(x)^3}\right)$,
whose denominators are powers of $g_l$.
Suppose l is an Atkin prime; then Δ is a quadratic non-residue modulo l. One generates a (small) number of possibilities for $t \bmod l$.
Final step: combine the information from both Elkies and Atkin primes. Complexity $O(\log^6 q)$.
53 Isogenies and modular polynomials
- A morphism from $E_1$ to $E_2$ is a rational map that is defined at every point P on $E_1$.
- An isogeny is a morphism I with $I(O_1) = O_2$.
- Theorem: every isogeny is a group homomorphism from $E_1$ to $E_2$.
- Suppose I is separable; then the degree of I equals $\#\ker(I)$.
- Theorem: let E be an elliptic curve over $\mathbb{F}_q$ and S a finite subgroup of E with F(S) = S. Then there exists an elliptic curve $\tilde E$ and an isogeny $\varphi: E \to \tilde E$ defined over $\mathbb{F}_q$ with $\ker(\varphi) = S$.
54 Isogenies and modular polynomials (cont.)
Let $j_a = 1/a$ be the j-invariant of the curve $E_a: y^2 + xy = x^3 + a$.
Theorem: for every prime l there exists a modular polynomial $\Phi_l(x, y)$, of degree l + 1 in each variable, with the following properties:
- there exists an isogeny of degree l from $E_a$ to $E_b$ iff $\Phi_l(j_a, j_b) = 0$;
- the polynomial $\Phi_l(x, j_a)$ has a root $j_b \in \mathbb{F}_{q^r}$ iff the kernel of the isogeny $I: E_a \to E_b$ is a one-dimensional eigenspace of $F^r$ in E[l];
- the polynomial $\Phi_l(x, j_a)$ splits completely in $\mathbb{F}_{q^r}[x]$ iff $F^r$ acts as a scalar matrix on E[l].
55 Isogenies and modular polynomials
Theorem: let the factorisation of $\Phi_l(x, j_a)$ over $\mathbb{F}_q$ be $h_1 h_2 \cdots h_s$. Then the possibilities for the degrees of $h_1, h_2, \dots, h_s$ are:
- (1 l) or (1 1 ... 1): then $t^2 - 4q \equiv 0 \pmod l$;
- (1 1 r ... r): then $t^2 - 4q$ is a square modulo l, $r \mid l - 1$, and F acts on E[l] as a diagonal matrix $\begin{pmatrix} \lambda & 0 \\ 0 & \mu \end{pmatrix}$;
- (r r ... r) with r > 1: then $r \mid l + 1$, $t^2 - 4q$ is not a square modulo l, and t satisfies $t^2 \equiv q\,(\zeta + \zeta^{-1} + 2) \pmod l$ for ζ a primitive r-th root of unity in $\mathbb{F}_{l^2}$ (the eigenvalues of F are λ and $\lambda^l$ with $\lambda^{l-1} = \zeta$, so $t = \lambda(1 + \zeta)$ and $q = \lambda^2 \zeta$).
56 SEA algorithm: outline
1. M := 1, l := 2, A := {}, E := {} (A collects the Atkin information, E the Elkies information)
2. While $M < 4\sqrt q$ do:
   (a) Compute the modular polynomial $\Phi_l(x, y)$.
   (b) Compute the splitting type S of $\Phi_l(x, j(E))$ over $\mathbb{F}_q$.
   (c) If S = (1 l) or S = (1 1 ... 1): E ← $(2\sqrt q, l)$, i.e. $t \equiv \pm 2\sqrt q \pmod l$ (the double-eigenvalue case $t^2 \equiv 4q$).
   (d) If S = (1 1 r ... r): compute the polynomial $g_l(x)$ via the isogeny, find the eigenvalue λ modulo l, set $t \equiv \lambda + q/\lambda \pmod l$ and E ← (t, l).
   (e) If S = (r r ... r): compute the set T with $t \bmod l \in T$ and A ← (T, l).
   (f) M := M · l and l := the next prime.
57 3. Compute t exactly using match and sort: combine the Elkies residues by the CRT and test the combinations of the Atkin candidate sets against each other until a single t in the Hasse interval remains.
58 Satoh's algorithm: main idea
Theorem of Deuring: for an ordinary elliptic curve E over $\mathbb{F}_q$ there exists an elliptic curve $\mathcal{E}$ over a p-adic field such that
- the reduction of $\mathcal{E}$ modulo p equals E, and
- $\mathrm{End}(\mathcal{E}) \cong \mathrm{End}(E)$.
The elliptic curve $\mathcal{E}$ is called the canonical lift of E. The Frobenius F of E lifts to an endomorphism $\mathcal{F}$ of $\mathcal{E}$, and with $\pi: \mathcal{E} \to E$ the reduction map the square
$\mathcal{E} \xrightarrow{\mathcal{F}} \mathcal{E}$ over $E \xrightarrow{F} E$
commutes, i.e. $\pi \circ \mathcal{F} = F \circ \pi$.
59 Since $\mathrm{Tr}\,\mathcal{F} = \mathrm{Tr}\,F = t$, it suffices to compute $\mathrm{Tr}\,\mathcal{F}$.
60 p-adic integers and extensions
- A p-adic integer is a sequence $x = (x_1, x_2, \dots, x_k, \dots)$ with $x_k \in \mathbb{Z}/p^k\mathbb{Z}$ and $x_{k+1} \equiv x_k \pmod{p^k}$ for $k \ge 1$.
- Projection $\pi_k: \mathbb{Z}_p \to \mathbb{Z}/p^k\mathbb{Z}: x \mapsto x_k$, and $\pi(\mathbb{Z}_p) = \mathbb{F}_p$ (π is $\pi_1$).
- Let $q = p^n$ and f(t) a monic polynomial in $\mathbb{Z}_p[t]$ of degree n with $\pi(f)$ irreducible in $\mathbb{F}_p[t]$. Then $\mathbb{Z}_q$ is defined as $\mathbb{Z}_p[t]/(f(t))$.
- If $a \in \mathbb{Z}_q$ then $a = a_{n-1} t^{n-1} + \cdots + a_1 t + a_0$ with $a_i \in \mathbb{Z}_p$.
- Note $\pi(\mathbb{Z}_q) = \mathbb{F}_q$ and $\pi_k(\mathbb{Z}_q) = (\mathbb{Z}/p^k\mathbb{Z})[t]/(f(t))$.
61 Newton iteration
Let $f(t) \in \mathbb{Z}_q[t]$ and suppose $x_0 \in \mathbb{Z}_q$ satisfies $f(x_0) \equiv 0 \pmod{p^m}$ and $f'(x_0) \not\equiv 0 \pmod p$. Then we can get a better approximate root $x_1$ of f as
$x_1 = x_0 - \dfrac{f(x_0)}{f'(x_0)}$,
which satisfies $f(x_1) \equiv 0 \pmod{p^{2m}}$ and $f'(x_1) \not\equiv 0 \pmod p$.
General case: let $k \in \mathbb{N}$ be the largest integer with $f'(x_0) \equiv 0 \pmod{p^k}$. If m > 2k, then we can compute a better approximate root $x_1$ (by the same formula) with $f(x_1) \equiv 0 \pmod{p^{2m-2k}}$.
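The Newton iteration of slide 61, including the general case $p^k \,\|\, f'(x_0)$, as an added example over $\mathbb{Z}_p$ rather than $\mathbb{Z}_q$ (my code, not the lecture's). A p-adic integer is represented by its residue modulo $p^{\text{prec}}$; the two inputs are constructed: $\sqrt 2 \in \mathbb{Z}_7$ from $x_0 = 3$ (k = 0, so the precision doubles each step) and $\sqrt{-7} \in \mathbb{Z}_2$ from $x_0 = 1$ (f(1) = 8, f'(1) = 2, so m = 3 and k = 1 and each step gains 2m − 2k).

```python
# Added example (not from the lecture): p-adic Newton iteration with a p-adic
# integer held as an int modulo p^prec; f and df are plain callables.


def valuation(x, p):
    """Largest k with p^k | x (x != 0)."""
    k = 0
    while x % p == 0:
        x //= p
        k += 1
    return k


def newton_lift(f, df, x0, p, prec):
    """Lift x0 with f(x0) = 0 mod p^m, p^k || f'(x0), m > 2k, to a root of f
    modulo p^prec.  Returns (root, [(m, k, new precision) per step])."""
    mod = p ** prec
    x = x0 % mod
    steps = []
    while True:
        fx = f(x) % mod
        if fx == 0:                        # root to the requested precision
            return x, steps
        m, k = valuation(fx, p), valuation(df(x), p)
        if m <= 2 * k:
            raise ValueError("x0 is not close enough: need m > 2k")
        # f(x)/f'(x) = (f(x)/p^k) * (f'(x)/p^k)^(-1); the second factor is a p-adic unit
        unit = (df(x) // p ** k) % mod
        x = (x - (fx // p ** k) * pow(unit, -1, mod)) % mod
        steps.append((m, k, min(2 * m - 2 * k, prec)))


def sqrt_2_in_Z7(prec=40):
    """sqrt(2) in Z_7 starting from 3 (3^2 = 9 = 2 mod 7); here k = 0."""
    return newton_lift(lambda x: x * x - 2, lambda x: 2 * x, 3, 7, prec)


def sqrt_minus7_in_Z2(prec=40):
    """sqrt(-7) in Z_2 from x0 = 1: f(1) = 8 gives m = 3, f'(1) = 2 gives k = 1."""
    return newton_lift(lambda x: x * x + 7, lambda x: 2 * x, 1, 2, prec)


if __name__ == "__main__":
    x, steps = sqrt_2_in_Z7()
    print(x, steps)                        # precision 1 -> 2 -> 4 -> 8 -> ... (doubling)
    y, steps = sqrt_minus7_in_Z2()
    print(y, steps)                        # precision 3 -> 4 -> 6 -> 10 -> 18 -> 34 -> 40
```

Satoh's algorithm applies exactly this step, with the Jacobian in place of $f'$, to the system $\Theta$ of slide 64; the precision bookkeeping above is what decides how many iterations are needed to reach $p^{(n+3)/2}$.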
62 Computing the canonical lift of an elliptic curve
- The little Frobenius endomorphism $\sigma: \mathbb{F}_q \to \mathbb{F}_q: x \mapsto x^p$.
- Applying σ to the coefficients of E gives the conjugate curve $E^\sigma$; extend the little Frobenius to elliptic curves as $\sigma: E \to E^\sigma: (x, y) \mapsto (x^p, y^p)$.
- If p = 2 then $E^\sigma$ is given by the equation $y^2 + xy = x^3 + a^2$ (for $E: y^2 + xy = x^3 + a$).
- Let $E_i = E^{\sigma^{(n-i)}}$ and $\sigma_i: E_{i+1} \to E_i: (x, y) \mapsto (x^p, y^p)$. This gives the cycle
$E = E_0 \xrightarrow{\sigma_{n-1}} E_{n-1} \xrightarrow{\sigma_{n-2}} \cdots \xrightarrow{\sigma_1} E_1 \xrightarrow{\sigma_0} E_0 = E$.
- The Frobenius endomorphism is $F = \sigma_0 \circ \cdots \circ \sigma_{n-1}$.
63 Computing the canonical lift of an elliptic curve
Theorem of Lubin-Serre-Tate: let E be an elliptic curve over $\mathbb{F}_q$ with j-invariant $j(E) \in \mathbb{F}_q \setminus \mathbb{F}_{p^2}$, and consider the diagram of canonical lifts $\mathcal{E}_i$ of the $E_i$, with lifted isogenies $\Sigma_i: \mathcal{E}_{i+1} \to \mathcal{E}_i$ reducing to $\sigma_i$ under π:
$\mathcal{E}_0 \xrightarrow{\Sigma_{n-1}} \mathcal{E}_{n-1} \xrightarrow{\Sigma_{n-2}} \cdots \xrightarrow{\Sigma_1} \mathcal{E}_1 \xrightarrow{\Sigma_0} \mathcal{E}_0$
lying, via π on every curve, over
$E_0 \xrightarrow{\sigma_{n-1}} E_{n-1} \xrightarrow{\sigma_{n-2}} \cdots \xrightarrow{\sigma_1} E_1 \xrightarrow{\sigma_0} E_0$.
Then the j-invariants $j(\mathcal{E}_i)$ satisfy $j(\mathcal{E}_i) \in \mathbb{Z}_q$, $\Phi_p(j(\mathcal{E}_i), j(\mathcal{E}_{i+1})) = 0$ and $j(\mathcal{E}_i) \equiv j(E_i) \pmod p$.
64 Computing the canonical lift of an elliptic curve
Let the vector function $\Theta: \mathbb{Z}_q^n \to \mathbb{Z}_q^n$ be
$\Theta(x_0, \dots, x_{n-1}) = \big(\Phi_p(x_0, x_1), \Phi_p(x_1, x_2), \dots, \Phi_p(x_{n-1}, x_0)\big)$,
and denote by $(D\Theta)(x_0, \dots, x_{n-1})$ its Jacobian matrix. It is cyclic bidiagonal: row i has $\frac{\partial \Phi_p}{\partial X}(x_i, x_{i+1})$ in column i and $\frac{\partial \Phi_p}{\partial Y}(x_i, x_{i+1})$ in column i + 1 (indices modulo n, so the last row has $\frac{\partial \Phi_p}{\partial Y}(x_{n-1}, x_0)$ in column 0 and $\frac{\partial \Phi_p}{\partial X}(x_{n-1}, x_0)$ in column n − 1), and all other entries are 0.
Then one can lift $(j(E_0), \dots, j(E_{n-1}))$ to $(j(\mathcal{E}_0), \dots, j(\mathcal{E}_{n-1}))$ by the multivariate Newton iteration
$(x_0, \dots, x_{n-1}) \leftarrow (x_0, \dots, x_{n-1}) - \big((D\Theta)^{-1} \Theta\big)(x_0, \dots, x_{n-1})$.
65 Computing the trace of Frobenius on the lifted curve
Theorem (Satoh): let $\widehat{\mathcal{E}}$ be the formal group associated with $\mathcal{E}$, $f \in \mathrm{End}(\mathcal{E})$ with $\pi(f)$ separable, and let the induced map on the formal group be $f(z) = cz + O(z^2)$. Then $\mathrm{Tr}(f) = c + q/c$.
$\mathcal{F}$ is inseparable, so take the dual isogeny $\hat{\mathcal{F}}$, which is separable. The duals $\hat\Sigma_i: \mathcal{E}_i \to \mathcal{E}_{i+1}$ reduce to $\hat\sigma_i: E_i \to E_{i+1}$, giving the cycle
$\mathcal{E}_0 \xrightarrow{\hat\Sigma_0} \mathcal{E}_1 \xrightarrow{\hat\Sigma_1} \cdots \xrightarrow{\hat\Sigma_{n-2}} \mathcal{E}_{n-1} \xrightarrow{\hat\Sigma_{n-1}} \mathcal{E}_0$
over
$E_0 \xrightarrow{\hat\sigma_0} E_1 \xrightarrow{\hat\sigma_1} \cdots \xrightarrow{\hat\sigma_{n-2}} E_{n-1} \xrightarrow{\hat\sigma_{n-1}} E_0$.
66 Let $\hat\Sigma_i(z) = c_i z + O(z^2)$ on the formal groups; then $c = \prod_{i=0}^{n-1} c_i$.
67 Computing the trace of Frobenius on the lifted curve (cont.)
Theorem: let $\mathcal{E}$ be an elliptic curve and G a finite subgroup of $\mathcal{E}$. Then there exists a unique elliptic curve $\mathcal{E}'$ and a separable isogeny $\varphi: \mathcal{E} \to \mathcal{E}'$ with $\ker\varphi = G$.
The dual $\hat\Sigma_i: \mathcal{E}_i \to \mathcal{E}_{i+1}$ factors as $\lambda \circ \nu$ with $\nu: \mathcal{E}_i \to \mathcal{E}_i/\ker\hat\Sigma_i$ and $\lambda: \mathcal{E}_i/\ker\hat\Sigma_i \to \mathcal{E}_{i+1}$ an isomorphism. Vélu's formulae give the equation of $\mathcal{E}_i/\ker\hat\Sigma_i$ and of the isogeny ν. This finally leads to a formula for $c_i^2$.
68 Outline of Satoh's algorithm
Input: an elliptic curve E over the finite field $\mathbb{F}_q$, $q = p^n$ (ordinary, with $j(E) \notin \mathbb{F}_{p^2}$)
Output: the trace of Frobenius $t = q + 1 - \#E(\mathbb{F}_q)$
1. Compute the conjugates of E, i.e. $E^{\sigma^i}$ for i = 0, ..., n − 1.
2. Lift the j-invariants $j(E_i)$ simultaneously to $j(\mathcal{E}_i)$ using a multivariate Newton iteration.
3. Compute the squares $c_i^2$ using $j(\mathcal{E}_i)$ and $j(\mathcal{E}_{i+1})$.
4. Set $c^2 = \prod_{i=0}^{n-1} c_i^2$ and compute c with the correct sign.
5. Return the t with $t \equiv c \pmod{p^{\lceil (n+3)/2 \rceil}}$ and $|t| \le 2\sqrt q$ (the Hasse bound singles out one residue).
Time $O(\log^{3+\varepsilon} q)$, memory $O(\log^3 q)$. Recently: a new algorithm with memory $O(\log^2 q)$.
More informationIntroduction to Elliptic Curves
IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationThe Application of the Mordell-Weil Group to Cryptographic Systems
The Application of the Mordell-Weil Group to Cryptographic Systems by André Weimerskirch A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements
More informationElliptic curves: Theory and Applications. Day 3: Counting points.
Elliptic curves: Theory and Applications. Day 3: Counting points. Elisa Lorenzo García Université de Rennes 1 13-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 3 13-09-2017 1 / 26 Counting points:
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationCongruent Number Problem and Elliptic curves
Congruent Number Problem and Elliptic curves December 12, 2010 Contents 1 Congruent Number problem 2 1.1 1 is not a congruent number.................................. 2 2 Certain Elliptic Curves 4 3 Using
More informationSEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY
SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY OFER M. SHIR, THE HEBREW UNIVERSITY OF JERUSALEM, ISRAEL FLORIAN HÖNIG, JOHANNES KEPLER UNIVERSITY LINZ, AUSTRIA ABSTRACT. The area of elliptic curves
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationHOMEWORK 11 MATH 4753
HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question
More informationDiscrete Logarithm Computation in Hyperelliptic Function Fields
Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University
More informationPart II. Number Theory. Year
Part II Year 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007 2006 2005 2017 Paper 3, Section I 1G 70 Explain what is meant by an Euler pseudoprime and a strong pseudoprime. Show that 65 is an Euler
More informationScalar multiplication in compressed coordinates in the trace-zero subgroup
Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationCryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1
Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationA Few Primality Testing Algorithms
A Few Primality Testing Algorithms Donald Brower April 2, 2006 0.1 Introduction These notes will cover a few primality testing algorithms. There are many such, some prove that a number is prime, others
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationEvaluating Large Degree Isogenies between Elliptic Curves
Evaluating Large Degree Isogenies between Elliptic Curves by Vladimir Soukharev A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationDiscrete mathematics I - Number theory
Discrete mathematics I - Number theory Emil Vatai (based on hungarian slides by László Mérai) 1 January 31, 2018 1 Financed from the financial support ELTE won from the Higher Education
More informationIntroduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key
Introduction will now introduce finite fields of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public Key concern operations on numbers where what constitutes a number and the type of
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationSuppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:
Elliptic Curve Cryptography Jim Royer CIS 428/628: Introduction to Cryptography November 6, 2018 Suppose F is a field and a 1,..., a 6 F. Definition 1. An elliptic curve E over a field F is a curve given
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013
18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and
More informationPostmodern Primality Proving
Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 1 / 29 Postmodern Primality Proving Preda Mihăilescu Mathematical Institute, University of Göttingen, Germany June
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationCounting points on hyperelliptic curves
University of New South Wales 9th November 202, CARMA, University of Newcastle Elliptic curves Let p be a prime. Let X be an elliptic curve over F p. Want to compute #X (F p ), the number of F p -rational
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationMappings of elliptic curves
Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves
More informationLecture 14: Hardness Assumptions
CSE 594 : Modern Cryptography 03/23/2017 Lecture 14: Hardness Assumptions Instructor: Omkant Pandey Scribe: Hyungjoon Koo, Parkavi Sundaresan 1 Modular Arithmetic Let N and R be set of natural and real
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationOWO Lecture: Modular Arithmetic with Algorithmic Applications
OWO Lecture: Modular Arithmetic with Algorithmic Applications Martin Otto Winter Term 2008/09 Contents 1 Basic ingredients 1 2 Modular arithmetic 2 2.1 Going in circles.......................... 2 2.2
More informationIdentifying supersingular elliptic curves
Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, 2012 http://arxiv.org/abs/1107.1140 Andrew V. Sutherland (MIT) Identifying supersingular
More informationCounting points on genus 2 curves over finite
Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPublic Key Encryption
Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationNumber Theory. Modular Arithmetic
Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationLinear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:
Linear Congruences The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: ax b (mod m), a, b Z, m N +. (1) If x 0 is a solution then so is x k :=
More informationCorollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1
4. Primality testing 4.1. Introduction. Factorisation is concerned with the problem of developing efficient algorithms to express a given positive integer n > 1 as a product of powers of distinct primes.
More informationNumber Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.
CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L06, Steve/Courses/2011/S2/CSS322/Lectures/number.tex,
More information= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2
8. p-adic numbers 8.1. Motivation: Solving x 2 a (mod p n ). Take an odd prime p, and ( an) integer a coprime to p. Then, as we know, x 2 a (mod p) has a solution x Z iff = 1. In this case we can suppose
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi #2 - Discrete Logs, Modular Square Roots, Polynomials, Hensel s Lemma & Chinese Remainder
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 Public Key Encryption page 2 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem:
More information