Curves, Cryptography, and Primes of the Form $x^2 + y^2 D$
Juliana V. Belding

Abstract

An ongoing challenge in cryptography is to find groups in which the discrete log problem is hard, or computationally infeasible. Such a group can be used as the setting for many cryptographic protocols, from Diffie-Hellman key exchange to El Gamal encryption. As the group of points of an elliptic curve over a finite field is one of the few known examples, it is important to be able to efficiently construct elliptic curves with large prime order. We show how constructing such a cryptographic elliptic curve over the field of $p$ elements relates to the classic number theory problem of determining which primes $p$ can be written as $x^2 + y^2 D$ for integers $x$, $y$ and $D$.

1 The Discrete Logarithm Problem

Consider a finite group $G$ of prime order $N$. The discrete logarithm problem, or DLP, is:

The Discrete Log Problem: Given $a, b \in G$, with $b = a^n$, find $n$.

This can be thought of as computing the log of $b$ with base $a$.

Consider $\mathbb{Z}/N\mathbb{Z}$, the set of equivalence classes of integers $\{[0], [1], [2], \ldots, [N-1]\}$, where two integers $a, b$ are equivalent modulo $N$ if $a - b$ is a multiple of $N$. The group operation is addition modulo $N$, so the DLP is written $b \equiv an \bmod N$. Solving this requires computing the inverse of $a \bmod N$, which can be done in polynomial time using Euclid's algorithm. Thus the DLP is not NP-hard in $\mathbb{Z}/N\mathbb{Z}$.

However, for the group of points of an elliptic curve $E$ over a finite field $\mathbb{F}_p$ with prime order $N$ (defined in the next section), the best ways to solve the DLP are all exponential in $\log(N)$. For $N \approx 10^{80}$, with current computing power, it is infeasible to determine $n$. Thus the exponent $n$ can be used to hide information in cryptographic protocols.

To construct a cryptographic elliptic curve, one for which the DLP will be hard, we want to solve the following problem:

Problem: Find large primes $p$ and $N$ and an elliptic curve $E$ such that the group of points of $E$ with coordinates in $\mathbb{F}_p$ has size $N$.
2 A Brief Introduction to Elliptic Curves

An elliptic curve $E$ over a field $F$ is given by a Weierstrass equation

$$y^2 = x^3 + Ax + B \qquad (1)$$

with $A, B \in F$ and $4A^3 + 27B^2 \neq 0$. (This last requirement says the curve has no singularities.) Let $\bar{F}$ be the algebraic closure of $F$, the set of all solutions of polynomials with coefficients in $F$. For example, if $F = \mathbb{R}$, $\bar{F} = \mathbb{C}$. The set of points of $E$, denoted $E(\bar{F})$, consists of all points $(x, y) \in \bar{F} \times \bar{F}$ that satisfy (1). The remarkable fact is that there is a natural way to add points on the curve, thus turning $E(\bar{F})$ into a commutative group. For the details, a good source is [?].

Since $\bar{F}$ is algebraically closed, for any $x_0 \in \bar{F}$, the points $(x_0, \pm\sqrt{x_0^3 + Ax_0 + B})$ are in $E(\bar{F})$. Thus, since $\bar{F}$ is infinite, $E(\bar{F})$ is an infinite group. But we are interested in a finite group for the DLP, so we consider $E(F)$, where $F = \mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$. Each $x_0 \in \mathbb{F}_p$ gives at most two points in $E(\mathbb{F}_p)$, depending on whether or not $x_0^3 + Ax_0 + B$ has a square root modulo $p$. Therefore $E(\mathbb{F}_p)$ is always a finite group. More importantly, we have a bound on its order by Hasse's Theorem. Let $N = \#E(\mathbb{F}_p)$. Then

$$p + 1 - 2\sqrt{p} < N < p + 1 + 2\sqrt{p} \qquad (2)$$

We call this the Hasse interval and denote it $H_p$.

Recall that we want to find an elliptic curve $E$ over $\mathbb{F}_p$ such that $\#E(\mathbb{F}_p) = N$. By this, we mean find an equation of the form (1) with coefficients in $\mathbb{F}_p$. It is possible, however, that two different Weierstrass equations describe essentially the same elliptic curve, in which case the two curves are said to be isomorphic. For $E$ defined over a field $F$, the j-invariant of $E$ is a rational function of $A$ and $B$, taking values in $F$, which classifies elliptic curves up to isomorphism. That is, $j(E) = j(E')$ if and only if $E$ and $E'$ are isomorphic. Given a value $j \in F$, it is straightforward to determine a Weierstrass equation for $E$ with $j(E) = j$.

We note that if $E$ and $E'$ are isomorphic, the groups $E(\mathbb{F}_p)$ and $E'(\mathbb{F}_p)$ may have different orders, in which case we say the curves are twists. If $E(\mathbb{F}_p)$ has $N = p + 1 - t$ points, its twist will have $p + 1 + t$ points. The value $t$ is known as the trace of $E$. If $t \neq 0$, $E$ is called ordinary, and we focus only on these curves, since trace zero curves are susceptible to sub-exponential attacks [?].

So to solve the problem, we could first find $p, N$ such that $N \in H_p$. (This is heuristically possible by the Prime Number Theorem.) Then we could choose j-invariants at random until we find $E$ such that it or its twist has $N$ points [?]. But how do we know we will succeed? The amazing fact is that given $N \in H_p$, there exists an elliptic curve over $\mathbb{F}_p$ such that $\#E(\mathbb{F}_p) = N$.
This relies on the intimate connection between the j-invariant of certain elliptic curves over $\mathbb{C}$ and primes of the form $x^2 + y^2 D$, where $-D = t^2 - 4p$. Understanding this connection will be the focus of the remainder of this essay.

3 The Endomorphism Ring of an Elliptic Curve

Let $F$ be any field. Recall that we can add two points on an elliptic curve, so in particular, we can add a point to itself. This allows us to define a multiplication on $E$ as

$$[n]P := \underbrace{P + P + \cdots + P}_{n}.$$

As the resulting sum is a point of $E$, we have a map $[n] : E \to E$, given by rational functions. Furthermore, since addition is associative and commutative, $[n](P + Q) = [n]P + [n]Q$. That is, $[n]$ is a homomorphism. A homomorphism of $E$ given by rational functions is called an endomorphism.

Let's consider the set $\operatorname{End}_F(E)$. We can define the sum of two endomorphisms as $(\varphi + \psi)(P) = \varphi(P) + \psi(P)$. This addition makes $\operatorname{End}_F(E)$ into a commutative group. Furthermore, we can compose two endomorphisms, $(\varphi \circ \psi)(P) = \varphi(\psi(P))$, and this composition law makes $\operatorname{End}_F(E)$ into a ring. A lot of key information about an elliptic curve is encoded in the structure of this ring, as we shall see.

We already know that $\operatorname{End}_F(E)$ contains $[n]$ for every positive integer $n$. Defining $[-n] : P \mapsto -[n]P$, we have that $\operatorname{End}_F(E)$ contains $[n]$ for all $n \in \mathbb{Z}$. Thus, for any $E$, $\operatorname{End}_F(E)$ contains $\mathbb{Z}$.

3.1 Endomorphisms over $\mathbb{F}_p$

Now let's consider an elliptic curve over $\mathbb{F}_p$. The Frobenius map

$$(x, y) \overset{\pi}{\mapsto} (x^p, y^p) \qquad (3)$$

is given by rational functions over $\mathbb{F}_p$ and can be shown to be a homomorphism ([?], 75). Thus $\pi$ is in $\operatorname{End}_{\mathbb{F}_p}(E)$. Write $N = p + 1 - t$. The Frobenius map satisfies the equation

$$\pi^2 - [t]\pi + [p] = [0] \qquad (4)$$

in $\operatorname{End}_{\mathbb{F}_p}(E)$.¹ Note that $t^2 - 4p$ is negative by Hasse's theorem (2). We can write this quantity as $-f^2 D$, for some $f, D \in \mathbb{Z}$ with $D > 0$ and squarefree. Solving the equation (4) for $\pi$, we see that $\pi$ corresponds to an element of the quadratic imaginary field $K = \mathbb{Q}(\sqrt{-D})$:

$$\pi = \frac{t \pm f\sqrt{-D}}{2}. \qquad (5)$$

We now see that if $E$ has $N = p + 1 - t$ points, $\operatorname{End}_{\mathbb{F}_p}(E)$ contains $\mathbb{Z}$ and $\pi$, and therefore the ring $\mathbb{Z}[\pi]$. Note that

$$\mathbb{Z}[\pi] \subseteq \mathbb{Z}\left[\tfrac{1+\sqrt{-D}}{2}\right] = \left\{a + b\,\tfrac{1+\sqrt{-D}}{2} \;\middle|\; a, b \in \mathbb{Z}\right\}.$$

Since $N$ is an odd prime number, $t$ and $f$ must be odd, and so $D \equiv 3 \bmod 4$. This means the ring $\mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$ is the ring of integers of $K$, where $K = \mathbb{Q}(\sqrt{-D})$. That is, every element is an algebraic integer $\alpha$, the root of a polynomial with integer coefficients and leading coefficient one which cannot be factored in $\mathbb{Z}$. This polynomial is known as the minimal polynomial of $\alpha$.

It turns out that $\operatorname{End}_{\mathbb{F}_p}(E)$ for $E$ with $N$ points will always be contained in or equal to $\mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$. So to solve the original problem, it is enough to solve the following problem:

Problem: Given $p, N$, construct an elliptic curve $E$ with $\operatorname{End}_{\mathbb{F}_p}(E) = \mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$.

But how can we construct an elliptic curve just by knowing its endomorphism ring? Fortunately, this turns out to be more tractable for elliptic curves over $\mathbb{C}$, and there is a way to relate elliptic curves over $\mathbb{C}$ to those over $\mathbb{F}_p$ via their j-invariants.

Note that a curve $\tilde{E}$ over $\mathbb{C}$ will have a complex-valued $j(\tilde{E})$, thus there is no reason a priori that it makes sense as an element of $\mathbb{F}_p$. For example, the complex number $i$ is not in $\mathbb{F}_7$ since $-1 = 6 \bmod 7$ and 6 doesn't have a square root in $\mathbb{F}_7$. If, however, $j(\tilde{E})$ does make sense as an element of $\mathbb{F}_p$, then the elliptic curve $E$ over $\mathbb{F}_p$ with j-invariant $j(\tilde{E}) \bmod p$ will have the same endomorphism ring as the curve over $\mathbb{C}$. (This is due to a deep theorem of Deuring [?].)
So we can tackle the problem by first finding an elliptic curve over $\mathbb{C}$ with $\operatorname{End}_{\mathbb{C}}(\tilde{E}) = \mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$, and then seeing if its j-invariant makes sense modulo $p$.

3.2 Endomorphisms over $\mathbb{C}$

Any elliptic curve over $\mathbb{C}$ can be identified uniquely with the group $\mathbb{C}/\Lambda$, where $\Lambda = \mathbb{Z} + \tau\mathbb{Z}$ is a lattice in $\mathbb{C}$. Here $\mathbb{C}/\Lambda$ is the group of equivalence classes of points in $\mathbb{C}$ where $z_1 \sim z_2$ if and only if $z_1 - z_2 \in \Lambda$.

It turns out that $\operatorname{End}_{\mathbb{C}}(E) = \mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$ if and only if $\lambda\Lambda \subseteq \Lambda$ for every $\lambda \in \mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$, in which case we say $\Lambda$ has complex multiplication. So we want to find a lattice with complex multiplication by $\mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$.

We can classify lattices up to isomorphism by the complex-valued function $j$, where $j(\Lambda) = \frac{1}{q} + \cdots$ and $q = e^{2\pi i\tau}$ [?]. This value agrees with the j-invariant of the elliptic curve $E$ over $\mathbb{C}$ corresponding to $\mathbb{C}/\Lambda$, but it is not an integer value and cannot be calculated exactly. However, if $\Lambda$ has complex multiplication by $\mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$, then $j(\Lambda)$ is an algebraic integer. The roots of its minimal polynomial, denoted $H_D(x)$, are precisely the j-invariants of all lattices with complex multiplication by $\mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$.

¹ The fact that $\pi$ is closely related to the order $N$ of $E(\mathbb{F}_p)$ shouldn't be a surprise. If $P = (x, y) \in E(\mathbb{F}_p)$, then $\pi(P) = P$ since $\mathbb{F}_p$ is the set of solutions to $x^p = x$. Furthermore, $\pi(P) = P$ implies that $P \in E(\mathbb{F}_p)$.

² The $\lambda$ correspond to symmetries of the lattice. For example, the lattice $\Lambda = \mathbb{Z} + i\mathbb{Z}$ has multiplication by $\lambda = i$ since $i(a + ib) = -b + ia \in \Lambda$. This is equivalent to a counterclockwise rotation of 90°.
Since $H_D(x)$ has coefficients in $\mathbb{Z}$, we can reduce the coefficients modulo $p$ and get a polynomial with coefficients in $\mathbb{F}_p$. If $H_D(x)$ has a root in $\mathbb{F}_p$, this means that the j-invariant of the elliptic curve over $\mathbb{C}$ makes sense modulo $p$. Thus any roots of this polynomial in $\mathbb{F}_p$ will be the j-invariants of elliptic curves over $\mathbb{F}_p$ with $\operatorname{End}_{\mathbb{F}_p} = \mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$.

So all that remains is to show that the polynomial $H_D$ has roots modulo $p$! This question relates precisely to the classic number theory problem of primes of the form $x^2 + y^2 D$, which we explore in the final section.

4 Primes of the Form $x^2 + y^2 D$

Consider the following classic problem from number theory: when is a prime $p = x^2 + y^2$ for $x, y$ integers?³ Though we are looking for integer solutions, it's best to tackle this problem in a larger set of numbers, namely the Gaussian integers $\mathbb{Z}[i] = \{a + bi : a, b \in \mathbb{Z},\ i^2 = -1\}$. For example, the prime 5 can be written as $1^2 + 2^2$, which is the same as $(1 + 2i)(1 - 2i)$ in $\mathbb{Z}[i]$. The problem therefore becomes: When do there exist $x, y \in \mathbb{Z}$ such that $p = (x - iy)(x + iy)$ in the ring $\mathbb{Z}[i]$?

$\mathbb{Z}[i]$ is a unique factorization domain, which means that, just like in the integers, every element of $\mathbb{Z}[i]$ has a unique decomposition into prime elements. (By prime, we simply mean a number that cannot be written as the product of two non-invertible elements.) The norm of an element is just the standard complex norm: $N(x + iy) = (x + iy)(x - iy)$. Since the norm is a multiplicative map, an element with prime norm must be prime. Thus $x \pm iy$ are both prime. So if $p = (x + iy)(x - iy)$, by unique factorization this means $p$ cannot be a prime element of $\mathbb{Z}[i]$! In this case, the prime $p$ is said to split in $\mathbb{Z}[i]$. Thus, answering the problem comes down to understanding when the prime $p$ of $\mathbb{Z}$ splits in $\mathbb{Z}[i]$.

We note also that if $p$ splits in $\mathbb{Z}[i]$, then the minimal polynomial of $i$, $x^2 + 1$, factors modulo $p$. For example, $x^2 + 1 = (x + 2)(x - 2)$ modulo 5.
This gives a very useful criterion for when a prime splits:⁴ a prime $p$ splits in a ring $\mathbb{Z}[\alpha]$ if and only if the minimal polynomial of $\alpha$ factors completely into linear terms modulo $p$.

Now consider the more general problem: For $D$ fixed, when can a prime $p$ be written as $x^2 + y^2 D$ for $x, y \in \mathbb{Z}$? Note how this relates to the problem of constructing $E$ with $N = p + 1 - t$. Recall that $\operatorname{End}_{\mathbb{F}_p}(E)$ will contain $\mathbb{Z}[\pi]$ where $\pi = \frac{t + f\sqrt{-D}}{2}$, for $t, f$ integers. Thus, if we can construct such an elliptic curve, we have that $4p$ can be written as $x^2 + y^2 D$ for $x, y \in \mathbb{Z}$.

As in the case of $D = 1$, both of these problems hinge on how the prime $p$ behaves in $\mathbb{Z}[\sqrt{-D}]$, respectively $\mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$. We can follow the above strategy, but we have to deal with ideals, introduced to circumvent the problem that these rings may not necessarily be unique factorization domains. (The classic example is $\mathbb{Z}[\sqrt{-5}]$, where $(1 + \sqrt{-5})(1 - \sqrt{-5}) = 2 \cdot 3$.)

In particular, it turns out that $4p = x^2 + y^2 D$ if and only if the ideal $(p)$ splits completely in $H$, the Hilbert class field of $K$. (For those familiar with algebraic number theory, $H$ is the maximal abelian unramified extension of $K$.) The minimal polynomial of this extension, known as the Hilbert class polynomial of $D$, is precisely $H_D(x)$, whose roots are the j-invariants of elliptic curves over $\mathbb{C}$ with endomorphism ring $\mathbb{Z}[\frac{1+\sqrt{-D}}{2}]$.

But we know that a number splits completely in an extension if and only if the minimal polynomial factors into linear terms modulo $p$. Thus, precisely because we can write $4p = t^2 + f^2 D$, we know that $H_D(x)$ has roots modulo $p$, which will be the j-invariants of elliptic curves over $\mathbb{F}_p$ with $N = p + 1 - t$ points. Thus, constructing a cryptographic curve comes down to factoring a polynomial in $\mathbb{F}_p$!

Of course, this requires computing the Hilbert class polynomial $H_D(x)$, which is not a trivial matter. For small $D$, it has been done [?].
However, as the size of $D$ grows, so do the coefficients of $H_D(x)$, and it becomes computationally infeasible to determine $H_D(x)$. Thus, techniques for determining $j$ without knowing the whole polynomial are an active area of research in number theory, which, as we have now seen, is highly relevant to building secure cryptosystems.

³ The answer, known as Fermat's Theorem on the Sum of Two Squares, is that for $p$ odd, there exist $x, y \in \mathbb{Z}$ such that $p = x^2 + y^2$ if and only if $p \equiv 1 \bmod 4$. The forward direction is straightforward to see. If $x, y$ are both even or both odd, then $x^2 + y^2 \equiv 0 \bmod 2$, which means $p \equiv 0 \bmod 2$. As $p$ is odd, this is clearly impossible. Thus $x, y$ must be of opposite parity, in which case $x^2 + y^2 \equiv 1 \bmod 4$. For the reverse direction, see for example [?] or [?].

⁴ There are actually a few exceptions to this, but these do not occur in the situation in which we are interested.

References

[1] Bröker, Reiner, Constructing elliptic curves of prescribed order, PhD Thesis, Thomas Stieltjes Institute for Mathematics, 2006.
[2] Cox, D., Primes of the Form $x^2 + ny^2$: Fermat, Class Field Theory and Complex Multiplication, John Wiley & Sons.
[3] Silverman, J., The Arithmetic of Elliptic Curves, Springer-Verlag.
[4] Wagon, S., Editor's corner: the Euclidean algorithm strikes again, Amer. Math. Monthly 97 (1990), no. 2.
[5] Washington, L., Elliptic Curves: Number Theory and Cryptography, Chapman & Hall/CRC, 2003.
[6] Zagier, D., A one-sentence proof that every prime $p \equiv 1 \pmod 4$ is a sum of two squares, Amer. Math. Monthly 97 (1990), no. 2.
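The construction of Section 4 carried out for $D = 11$ on toy primes, as an added worked example that is not part of the original essay. It assumes the standard value $H_{11}(x) = x + 32768$ (class number one, so the polynomial is linear and its root exists modulo every $p$; the check $4p = t^2 + f^2 D$ decides whether that root gives trace $\pm t$), counts points by brute force, and uses illustrative function names throughout.

```python
from math import isqrt

# Root of H_11(x) = x + 32768. Standard value, supplied here as an assumption;
# it does not appear in the essay.
J_D11 = -32768


def legendre(a, p):
    """Quadratic character of a modulo the odd prime p: 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(A, B, p):
    """#E(F_p) for y^2 = x^3 + Ax + B: each x gives 1 + chi(x^3+Ax+B) points,
    plus the point at infinity. Brute force, toy sizes only."""
    return p + 1 + sum(legendre(x * x * x + A * x + B, p) for x in range(p))


def cm_trace(p, D):
    """Return positive (t, f) with 4p = t^2 + f^2 * D, or None if none exists."""
    f = 1
    while f * f * D < 4 * p:
        t2 = 4 * p - f * f * D
        t = isqrt(t2)
        if t * t == t2:
            return t, f
        f += 1
    return None


def curve_from_j(j, p):
    """Weierstrass coefficients (A, B) over F_p with the given j-invariant.
    Uses A = 3k, B = 2k with k = j / (1728 - j); needs j != 0, 1728 mod p."""
    j %= p
    if j == 0 or j == 1728 % p:
        raise ValueError("j = 0 or 1728 needs a separate model")
    k = j * pow((1728 - j) % p, -1, p) % p
    return 3 * k % p, 2 * k % p


def j_invariant(A, B, p):
    """j = 1728 * 4A^3 / (4A^3 + 27B^2) in F_p."""
    a3 = 4 * pow(A, 3, p)
    return 1728 * a3 * pow((a3 + 27 * B * B) % p, -1, p) % p


def quadratic_twist(A, B, p):
    """Twist by the smallest non-residue d: (A, B) -> (d^2 A, d^3 B)."""
    d = next(d for d in range(2, p) if legendre(d, p) == -1)
    return A * d * d % p, B * pow(d, 3, p) % p


def is_prime(n):
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))


def cm_curves(p, D, j_D):
    """If 4p = t^2 + f^2 D, return (t, {order: (A, B)}) for the curve with
    j-invariant j_D mod p and its twist; otherwise return None."""
    tf = cm_trace(p, D)
    if tf is None:
        return None
    t, _ = tf
    E = curve_from_j(j_D, p)
    curves = {}
    for A, B in (E, quadratic_twist(*E, p)):
        N = count_points(A, B, p)
        if N not in (p + 1 - t, p + 1 + t):
            raise ArithmeticError("order does not match the predicted trace")
        curves[N] = (A, B)
    return t, curves


def prime_order_curve(p, D, j_D):
    """Return (A, B, N) with N prime, or None if neither twist has prime order."""
    found = cm_curves(p, D, j_D)
    if found is None:
        return None
    for N, (A, B) in sorted(found[1].items()):
        if is_prime(N):
            return A, B, N
    return None


if __name__ == "__main__":
    for p in (13, 23, 31, 37):  # constructed toy inputs
        print(p, cm_trace(p, 11), prime_order_curve(p, 11, J_D11))
```

For $p = 31$ the decomposition is $4 \cdot 31 = 5^2 + 3^2 \cdot 11$, so the two twists have $32 \mp 5$ points, and the one with 37 points is the prime-order curve.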
More informationClass Field Theory. Steven Charlton. 29th February 2012
Class Theory 29th February 2012 Introduction Motivating examples Definition of a binary quadratic form Fermat and the sum of two squares The Hilbert class field form x 2 + 23y 2 Motivating Examples p =
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationElliptic Curves Spring 2013 Lecture #8 03/05/2013
18.783 Elliptic Curves Spring 2013 Lecture #8 03/05/2013 8.1 Point counting We now consider the problem of determining the number of points on an elliptic curve E over a finite field F q. The most naïve
More informationComputing the image of Galois
Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25 Elliptic curves Let E be an elliptic
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationOn Orders of Elliptic Curves over Finite Fields
Rose-Hulman Undergraduate Mathematics Journal Volume 19 Issue 1 Article 2 On Orders of Elliptic Curves over Finite Fields Yujin H. Kim Columbia University, yujin.kim@columbia.edu Jackson Bahr Eric Neyman
More informationUsing semidirect product of (semi)groups in public key cryptography
Using semidirect product of (semi)groups in public key cryptography Delaram Kahrobaei 1 and Vladimir Shpilrain 2 1 CUNY Graduate Center and City Tech, City University of New York dkahrobaei@gc.cuny.edu
More informationIsogeny graphs, modular polynomials, and point counting for higher genus curves
Isogeny graphs, modular polynomials, and point counting for higher genus curves Chloe Martindale July 7, 2017 These notes are from a talk given in the Number Theory Seminar at INRIA, Nancy, France. The
More informationHyperelliptic curves
1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic
More informationCOMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162
COMPUTER ARITHMETIC 13/05/2010 cryptography - math background pp. 1 / 162 RECALL OF COMPUTER ARITHMETIC computers implement some types of arithmetic for instance, addition, subtratction, multiplication
More informationCLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES
CLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES FRANK GOUNELAS 1. Class Field Theory We ll begin by motivating some of the constructions of the CM (complex multiplication) theory for
More informationELLIPTIC CURVES OVER FINITE FIELDS
Further ELLIPTIC CURVES OVER FINITE FIELDS FRANCESCO PAPPALARDI #4 - THE GROUP STRUCTURE SEPTEMBER 7 TH 2015 SEAMS School 2015 Number Theory and Applications in Cryptography and Coding Theory University
More informationGalois Representations
9 Galois Representations This book has explained the idea that all elliptic curves over Q arise from modular forms. Chapters 1 and introduced elliptic curves and modular curves as Riemann surfaces, and
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationElliptic curve cryptography. Matthew England MSc Applied Mathematical Sciences Heriot-Watt University
Elliptic curve cryptography Matthew England MSc Applied Mathematical Sciences Heriot-Watt University Summer 2006 Abstract This project studies the mathematics of elliptic curves, starting with their derivation
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationOn elliptic curves in characteristic 2 with wild additive reduction
ACTA ARITHMETICA XCI.2 (1999) On elliptic curves in characteristic 2 with wild additive reduction by Andreas Schweizer (Montreal) Introduction. In [Ge1] Gekeler classified all elliptic curves over F 2
More informationORAL QUALIFYING EXAM QUESTIONS. 1. Algebra
ORAL QUALIFYING EXAM QUESTIONS JOHN VOIGHT Below are some questions that I have asked on oral qualifying exams (starting in fall 2015). 1.1. Core questions. 1. Algebra (1) Let R be a noetherian (commutative)
More informationEXAMPLES OF MORDELL S EQUATION
EXAMPLES OF MORDELL S EQUATION KEITH CONRAD 1. Introduction The equation y 2 = x 3 +k, for k Z, is called Mordell s equation 1 on account of Mordell s long interest in it throughout his life. A natural
More informationHONDA-TATE THEOREM FOR ELLIPTIC CURVES
HONDA-TATE THEOREM FOR ELLIPTIC CURVES MIHRAN PAPIKIAN 1. Introduction These are the notes from a reading seminar for graduate students that I organised at Penn State during the 2011-12 academic year.
More informationMathematical analysis of the computational complexity of integer sub-decomposition algorithm
Journal of Physics: Conference Series PAPER OPEN ACCESS Mathematical analysis of the computational complexity of integer sub-decomposition algorithm To cite this article: Ruma Kareem K Ajeena and Hailiza
More informationEXAMPLES OF MORDELL S EQUATION
EXAMPLES OF MORDELL S EQUATION KEITH CONRAD 1. Introduction The equation y 2 = x 3 +k, for k Z, is called Mordell s equation 1 on account of Mordell s long interest in it throughout his life. A natural
More informationThe group law on elliptic curves
Mathematisch Instituut Universiteit Leiden Elliptic curves The theory of elliptic curves is a showpiece of modern mathematics. Elliptic curves play a key role both in the proof of Fermat s Last Theorem
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationSchoof s Algorithm for Counting Points on E(F q )
Schoof s Algorithm for Counting Points on E(F q ) Gregg Musiker December 7, 005 1 Introduction In this write-up we discuss the problem of counting points on an elliptic curve over a finite field. Here,
More informationElliptic Curves Spring 2015 Lecture #7 02/26/2015
18.783 Elliptic Curves Spring 2015 Lecture #7 02/26/2015 7 Endomorphism rings 7.1 The n-torsion subgroup E[n] Now that we know the degree of the multiplication-by-n map, we can determine the structure
More information2-ADIC ARITHMETIC-GEOMETRIC MEAN AND ELLIPTIC CURVES
-ADIC ARITHMETIC-GEOMETRIC MEAN AND ELLIPTIC CURVES KENSAKU KINJO, YUKEN MIYASAKA AND TAKAO YAMAZAKI 1. The arithmetic-geometric mean over R and elliptic curves We begin with a review of a relation between
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationThe complexity of Diophantine equations
The complexity of Diophantine equations Colloquium McMaster University Hamilton, Ontario April 2005 The basic question A Diophantine equation is a polynomial equation f(x 1,..., x n ) = 0 with integer
More information