Number Theory in Cryptology


Number Theory in Cryptology. Abhijit Das, Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur. October 15, 2011.

What is Number Theory? Theory of the natural numbers $\mathbb{N} = \{1, 2, 3, \ldots\}$. Uses larger algebraic structures $\mathbb{Z}, \mathbb{Q}, \mathbb{R}, \mathbb{C}$. Modular arithmetic: $\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$. Finite fields: $\mathbb{F}_{p^n}$, $p \in \mathbb{P}$, $n \in \mathbb{N}$. Elliptic curves: arithmetic algebraic geometry. Algebraic number theory: study of number fields and number rings. Analytic number theory: use of complex analysis tools. All these are extensively used in cryptography and cryptanalysis.

Uses in Cryptology: Examples. Modular arithmetic: RSA, ElGamal, Rabin and many other cryptosystems. Finite fields: Diffie-Hellman key agreement, ElGamal, DSA. Elliptic curves: ECDSA. Pairing on elliptic curves: identity-based cryptosystems, multi-party key agreement, short signature schemes. Algebraic number theory: number-field sieve method. Analytic number theory: density estimates (like the prime number theorem, Riemann hypothesis).

Modular Arithmetic. Modulus $n \in \mathbb{N}$, $n \ge 2$. $\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$. Arithmetic in $\mathbb{Z}_n$: Addition: $a +_n b = a + b$ if $a + b < n$, and $a + b - n$ otherwise. Subtraction: $a -_n b = a - b$ if $a \ge b$, and $a - b + n$ otherwise. Multiplication: $a \cdot_n b = (ab) \;\mathrm{rem}\; n$, the remainder of $ab$ on division by $n$. Division: $a$ is invertible modulo $n$ if and only if $\gcd(a, n) = 1$. Extended gcd calculation: $ua + vn = \gcd(a, n)$ for some integers $u, v$. If $\gcd(a, n) = 1$, then $u$ (reduced modulo $n$) is the inverse of $a$ modulo $n$.

Modular Exponentiation. To compute $a^e \pmod n$: Binary expansion $e = (e_{s-1} e_{s-2} \ldots e_1 e_0)_2$. Initialize $t = 1$. For $i = s-1, s-2, \ldots, 1, 0$ do: set $t = t^2 \pmod n$; if $e_i = 1$, set $t = ta \pmod n$. Return $t$.

The Multiplicative Group of $\mathbb{Z}_n$. $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n \mid \gcd(a, n) = 1\}$. Euler phi function: $\varphi(n) = |\mathbb{Z}_n^*|$. If $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, then $\varphi(n) = p_1^{e_1 - 1}(p_1 - 1)\, p_2^{e_2 - 1}(p_2 - 1) \cdots p_k^{e_k - 1}(p_k - 1) = n \prod_{p \in \mathbb{P},\; p \mid n} \left(1 - \frac{1}{p}\right)$. $\mathbb{Z}_n^*$ is cyclic if and only if $n = 2, 4, p^e, 2p^e$ with $p \in \mathbb{P}$, $p \ne 2$, and $e \in \mathbb{N}$. Special case: $n = p \in \mathbb{P}$. $\mathbb{Z}_p$ is a field. $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\}$. $\varphi(p) = p - 1$. $\mathbb{Z}_p^*$ is cyclic.

Finite Fields. Every finite field is of size $p^n$ for $p \in \mathbb{P}$, $n \in \mathbb{N}$. For $q = p^n$, denote by $\mathbb{F}_q = \mathbb{F}_{p^n}$ the finite field of size $q$. If the extension degree $n$ is 1, $\mathbb{F}_p = \mathbb{Z}_p$. If $n > 1$, $\mathbb{F}_{p^n} \not\cong \mathbb{Z}_{p^n}$. Polynomial-basis representation: Choose an irreducible polynomial $f(x) \in \mathbb{F}_p[x]$ of degree $n$. Elements of $\mathbb{F}_{p^n}$ are represented as polynomials: $\mathbb{F}_{p^n} = \{a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1} \mid a_i \in \mathbb{F}_p\}$. Arithmetic operations in $\mathbb{F}_{p^n}$: polynomial operations modulo $f(x)$. Extensions of extensions: Let $q = p^n$ and $m \in \mathbb{N}$. $\mathbb{F}_{q^m} = \{\alpha_0 + \alpha_1 y + \alpha_2 y^2 + \cdots + \alpha_{m-1} y^{m-1} \mid \alpha_i \in \mathbb{F}_{p^n}\}$. Arithmetic in $\mathbb{F}_{q^m}$ is the polynomial arithmetic of $\mathbb{F}_q[y]$ modulo an irreducible polynomial $g(y) \in \mathbb{F}_q[y]$ of degree $m$.

Some Properties of Finite Fields. $\mathbb{F}_q^* = \mathbb{F}_q \setminus \{0\}$ is cyclic. There are $\varphi(q-1)$ generators of $\mathbb{F}_q^*$. Fermat's little theorem: $\alpha^{q-1} = 1$ for all $\alpha \in \mathbb{F}_q^*$; $\beta^q = \beta$ for all $\beta \in \mathbb{F}_q$. Multiplicative order: Let $\alpha \in \mathbb{F}_q^*$. The smallest positive integer $h$ satisfying $\alpha^h = 1$ is the order of $\alpha$, denoted $h = \operatorname{ord}(\alpha)$. $\operatorname{ord}(\alpha) \mid (q-1)$.
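As an added example (not part of the slides), the modular-arithmetic slides above in working Python: the extended gcd used for inversion, the left-to-right binary exponentiation exactly as stated, $\mathbb{Z}_n^*$, and the multiplicative order in $\mathbb{F}_p^*$ computed by testing only the divisors of $p-1$, which is where $\operatorname{ord}(\alpha) \mid (p-1)$ does the work. All function names are mine.

```python
# Added example: the slides' modular arithmetic, left-to-right binary
# exponentiation, Z_n^* and multiplicative order, written out in Python.

def ext_gcd(a, n):
    """Return (g, u, v) with u*a + v*n = g = gcd(a, n) (extended Euclid)."""
    old_r, r = a, n
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v

def inverse(a, n):
    """Inverse of a modulo n, or None when gcd(a, n) != 1 (a is not a unit)."""
    g, u, _ = ext_gcd(a % n, n)
    return u % n if g == 1 else None

def modexp(a, e, n):
    """a^e mod n by the slides' left-to-right binary method."""
    t = 1
    for bit in bin(e)[2:]:      # e = (e_{s-1} ... e_1 e_0)_2, most significant bit first
        t = t * t % n           # t = t^2 (mod n)
        if bit == '1':
            t = t * a % n       # t = t*a (mod n) when e_i = 1
    return t

def units(n):
    """Z_n^* = {a in Z_n : gcd(a, n) = 1}; its size is phi(n)."""
    return [a for a in range(1, n) if ext_gcd(a, n)[0] == 1]

def order(alpha, p):
    """Multiplicative order of alpha in F_p^* (p prime): the smallest h >= 1
    with alpha^h = 1.  Only divisors h of p - 1 are tried, since ord(alpha) | (p - 1)."""
    for h in range(1, p):
        if (p - 1) % h == 0 and modexp(alpha, h, p) == 1:
            return h
    return None                 # alpha = 0 (mod p) has no multiplicative order

def generators(p):
    """Elements of F_p^* of order p - 1; the slides say there are phi(p - 1) of them."""
    return [g for g in range(1, p) if order(g, p) == p - 1]
```

Comparing `len(generators(p))` with `len(units(p - 1))` checks the $\varphi(q-1)$ count of generators for a small prime.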

Elliptic Curves. Let $K$ be a field. An elliptic curve $E$ over $K$ is defined by the Weierstrass equation $E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, $a_i \in K$. The curve should be smooth (no singularities). Special forms: For $\operatorname{char} K \ne 2, 3$: $y^2 = x^3 + ax + b$, $a, b \in K$. For $\operatorname{char} K \ne 2$: $y^2 = x^3 + b_2 x^2 + b_4 x + b_6$, $b_i \in K$. For $\operatorname{char} K = 2$: non-supersingular curve $y^2 + xy = x^3 + ax^2 + b$, $a, b \in K$; supersingular curve $y^2 + ay = x^3 + bx + c$, $a, b, c \in K$.

Real Elliptic Curves: Example. [Figure: plots of (a) $y^2 = x^3 - x + 1$ and (b) $y^2 = x^3 - x$ over the reals.]

The Elliptic Curve Group. Any $(x, y) \in K^2$ satisfying the equation of an elliptic curve $E$ is called a $K$-rational point on $E$. Point at infinity: there is a single point at infinity on $E$, denoted by $O$. This point cannot be visualized in the two-dimensional $(x, y)$ plane; it exists in the projective plane. $E(K)$ is the set of all finite $K$-rational points on $E$ together with the point at infinity. An additive group structure can be defined on $E(K)$; $O$ acts as the identity of the group.

The Opposite of a Point. [Figure: a point $P$ and its opposite $Q = -P$, for (a) ordinary points and (b) special points.]

Addition of Two Points (chord-and-tangent rule). [Figure: cases (a) and (b) showing $P$, $Q$, the third intersection $R$ of the chord with the curve, and $P + Q$.]

Doubling of a Point (chord-and-tangent rule). [Figure: cases (a) and (b) showing $P$, the second intersection $R$ of the tangent at $P$ with the curve, and $2P$.]

Addition and Doubling Formulas. Let $P = (h_1, k_1)$ and $Q = (h_2, k_2)$ be finite points. Assume that $P + Q \ne O$ and $2P \ne O$. Let $P + Q = (h_3, k_3)$ (note that $P + Q = 2P$ if $P = Q$). For $E : y^2 = x^3 + ax + b$: $-P = (h_1, -k_1)$, $h_3 = \lambda^2 - h_1 - h_2$, $k_3 = \lambda(h_1 - h_3) - k_1$, where $\lambda = \frac{k_2 - k_1}{h_2 - h_1}$ if $P \ne Q$, and $\lambda = \frac{3h_1^2 + a}{2k_1}$ if $P = Q$.

Addition and Doubling in Non-supersingular Curves. $E : y^2 + xy = x^3 + ax^2 + b$ (with $\operatorname{char} K = 2$). $-P = (h_1, k_1 + h_1)$. If $P \ne Q$: $h_3 = \left(\frac{k_1 + k_2}{h_1 + h_2}\right)^2 + \frac{k_1 + k_2}{h_1 + h_2} + h_1 + h_2 + a$ and $k_3 = \left(\frac{k_1 + k_2}{h_1 + h_2}\right)(h_1 + h_3) + h_3 + k_1$. If $P = Q$: $h_3 = h_1^2 + \frac{b}{h_1^2}$ and $k_3 = h_1^2 + \left(h_1 + \frac{k_1}{h_1} + 1\right) h_3$.

Addition and Doubling in Supersingular Curves. $E : y^2 + ay = x^3 + bx + c$ (with $\operatorname{char} K = 2$). $-P = (h_1, k_1 + a)$. If $P \ne Q$: $h_3 = \left(\frac{k_1 + k_2}{h_1 + h_2}\right)^2 + h_1 + h_2$ and $k_3 = \left(\frac{k_1 + k_2}{h_1 + h_2}\right)(h_1 + h_3) + k_1 + a$. If $P = Q$: $h_3 = \frac{h_1^4 + b^2}{a^2}$ and $k_3 = \left(\frac{h_1^2 + b}{a}\right)(h_1 + h_3) + k_1 + a$.

Size of the Elliptic Curve Group. Let $E$ be an elliptic curve defined over $\mathbb{F}_q = \mathbb{F}_{p^n}$. Hasse's Theorem: $|E(\mathbb{F}_q)| = q + 1 - t$, where $-2\sqrt{q} \le t \le 2\sqrt{q}$. $t$ is called the trace of Frobenius at $q$. If $t = 1$, then $E$ is called anomalous. If $p \mid t$, then $E$ is called supersingular. If $p \nmid t$, then $E$ is called non-supersingular. Let $\alpha, \beta \in \mathbb{C}$ satisfy $1 - tx + qx^2 = (1 - \alpha x)(1 - \beta x)$. Then $|E(\mathbb{F}_{q^m})| = q^m + 1 - (\alpha^m + \beta^m)$. Note: $E(\mathbb{F}_q)$ is not necessarily cyclic.

Formal Sums and Free Abelian Groups. Let $a_i$, $i \in I$, be symbols indexed by $I$. A finite formal sum of $a_i$, $i \in I$, is an expression of the form $\sum_{i \in I} m_i a_i$ with $m_i \in \mathbb{Z}$ such that $m_i = 0$ except for only finitely many $i \in I$. The sum $\sum_{i \in I} m_i a_i$ is formal in the sense that the symbols $a_i$ are not meant to be evaluated; they act as placeholders. Define $\sum_{i \in I} m_i a_i + \sum_{i \in I} n_i a_i = \sum_{i \in I} (m_i + n_i) a_i$. Also define $-\sum_{i \in I} m_i a_i = \sum_{i \in I} (-m_i) a_i$. The set of all finite formal sums is an Abelian group called the free Abelian group generated by $a_i$, $i \in I$.

Divisors on Curves. Let $C$ be a projective curve defined over $K$. $K$ is assumed to be algebraically closed. A divisor is a formal sum of the $K$-rational points on $C$. Notation: $D = \sum_P m_P [P]$. The support of $D$ is the set of points $P$ for which $m_P \ne 0$. The degree of $D$ is the sum $\sum_P m_P$. All divisors on $C$ form a group denoted by $\operatorname{Div}_K(C)$ or $\operatorname{Div}(C)$. All divisors on $C$ of degree 0 form a subgroup denoted by $\operatorname{Div}^0_K(C)$ or $\operatorname{Div}^0(C)$. The divisor of a rational function $R(x, y)$ is $\operatorname{Div}(R) = \sum_P \operatorname{ord}_P(R)[P]$. A principal divisor is the divisor of a rational function. Principal divisors satisfy $\operatorname{Div}(R) + \operatorname{Div}(S) = \operatorname{Div}(RS)$ and $\operatorname{Div}(R) - \operatorname{Div}(S) = \operatorname{Div}(R/S)$.

Divisor of a Line: Example. [Figure: (a) a line $l$ through $P$, $Q$ and $R$; (b) a tangent $t$ at $P$ meeting the curve again at $Q$; (c) a vertical line $v$ through $P$ and $Q$.] (a) $\operatorname{Div}(l) = [P] + [Q] + [R] - 3[O]$. (b) $\operatorname{Div}(t) = 2[P] + [Q] - 3[O]$. (c) $\operatorname{Div}(v) = [P] + [Q] - 2[O]$.

Divisors and the Chord-and-Tangent Rule. Let $C$ be an elliptic curve over an algebraically closed field $K$. For every $D \in \operatorname{Div}^0_K(C)$, there exist a unique rational point $P$ and a rational function $R$ such that $D = [P] - [O] + \operatorname{Div}(R)$. $D$ is identified with $[P] - [O]$. This bijection leads to the chord-and-tangent rule in the following sense: Let $D = \sum_P m_P [P] \in \operatorname{Div}_K(C)$. Then $D$ is a principal divisor if and only if $\sum_P m_P = 0$ (integer sum) and $\sum_P m_P P = O$ (sum under the chord-and-tangent rule).

Illustrations of the Chord-and-Tangent Rule. [Figure: the three lines $l$, $t$ and $v$ of the previous slide, cases (a), (b) and (c).] Identity: $O$ is identified with $[O] - [O] = 0 = \operatorname{Div}(1)$. Opposite: By Part (c), $\operatorname{Div}(v) = ([P] - [O]) + ([Q] - [O])$ is 0. By the correspondence, $P + Q = O$, that is, $Q = -P$. Sum: By Part (a), $\operatorname{Div}(l) = ([P] - [O]) + ([Q] - [O]) + ([R] - [O])$ is 0, that is, $P + Q + R = O$, that is, $P + Q = -R$. Double: By Part (b), $\operatorname{Div}(t) = ([P] - [O]) + ([P] - [O]) + ([Q] - [O])$ is 0, that is, $P + P + Q = O$, that is, $2P = -Q$.

More on Divisors. [Figure: the line $L_{P,Q}$ through $P$, $Q$ and $R$, and the vertical line $L_{R,-R}$.] $\operatorname{Div}(L_{P,Q}) = [P] + [Q] + [R] - 3[O]$. $\operatorname{Div}(L_{R,-R}) = [R] + [-R] - 2[O]$. $\operatorname{Div}(L_{P,Q}/L_{R,-R}) = [P] + [Q] - [-R] - [O] = [P] + [Q] - [P + Q] - [O]$. $[P] - [O]$ is equivalent to $[P + Q] - [Q]$. $([P] - [O]) + ([Q] - [O])$ is equivalent to $[P + Q] - [O]$. For both these cases of equivalence, the pertinent rational function is $L_{P,Q}/L_{P+Q,-(P+Q)}$, which can be easily computed. We can force this rational function to have leading coefficient 1.

More on Divisors (contd). Let $D = \sum_P n_P [P]$ be a divisor on $E$ and $f \in K(E)$ a rational function such that the supports of $D$ and $\operatorname{Div}(f)$ are disjoint. Define $f(D) = \prod_{P \in E} f(P)^{n_P} = \prod_{P \in \operatorname{Supp}(D)} f(P)^{n_P}$. $\operatorname{Div}(f) = \operatorname{Div}(g)$ if and only if $f = cg$ for some non-zero constant $c \in K$. If $D$ has degree 0, then $f(D) = g(D) \prod_P c^{n_P} = g(D)\, c^{\sum_P n_P} = g(D)\, c^0 = g(D)$. Weil reciprocity theorem: If $f$ and $g$ are two non-zero rational functions on $E$ such that $\operatorname{Div}(f)$ and $\operatorname{Div}(g)$ have disjoint supports, then $f(\operatorname{Div}(g)) = g(\operatorname{Div}(f))$.

Weil Pairing: Definition. Let $E$ be an elliptic curve defined over a finite field $K = \mathbb{F}_q$. Take a positive integer $m$ coprime to $p = \operatorname{char} K$. Let $\mu_m$ denote the $m$-th roots of unity in $\bar{K}$. We have $\mu_m \subseteq \mathbb{F}_{q^k}$, where $k = \operatorname{ord}_m(q)$ is called the embedding degree. Let $E[m]$ be those points in $E = E(\bar{K})$ whose orders divide $m$. The Weil pairing is a function $e_m : E[m] \times E[m] \to \mu_m$ defined as follows. Take $P_1, P_2 \in E[m]$. Let $D_1$ be a divisor equivalent to $[P_1] - [O]$. Since $mP_1 = O$, there exists a rational function $f_1$ such that $\operatorname{Div}(f_1) = mD_1 = m[P_1] - m[O]$. Similarly, let $D_2$ be a divisor equivalent to $[P_2] - [O]$. There exists a rational function $f_2$ such that $\operatorname{Div}(f_2) = mD_2 = m[P_2] - m[O]$. $D_1$ and $D_2$ are chosen to have disjoint supports. Define $e_m(P_1, P_2) = f_1(D_2)/f_2(D_1)$.

Properties of Weil Pairing. Let $P, Q, R$ be arbitrary points in $E[m]$. Bilinearity: $e_m(P + Q, R) = e_m(P, R)\, e_m(Q, R)$ and $e_m(P, Q + R) = e_m(P, Q)\, e_m(P, R)$. Alternating: $e_m(P, P) = 1$. Skew symmetry: $e_m(Q, P) = e_m(P, Q)^{-1}$. Non-degeneracy: If $P \ne O$, then $e_m(P, Q) \ne 1$ for some $Q \in E[m]$. Compatibility: If $S \in E[mn]$ and $Q \in E[n]$, then $e_{mn}(S, Q) = e_n(mS, Q)$. If $m$ is a prime and $P \ne O$, then $e_m(P, Q) = 1$ if and only if $Q$ lies in the subgroup generated by $P$ (that is, $Q = aP$ for some integer $a$).

Computing Weil Pairing: The Functions $f_{n,P}$. Let $P \in E$. For $n \in \mathbb{Z}$, define the rational functions $f_{n,P}$ as having the divisor $\operatorname{Div}(f_{n,P}) = n[P] - [nP] - (n-1)[O]$. $f_{n,P}$ are unique up to multiplication by (non-zero) elements of $K$. We may choose the unique monic polynomial for $f_{n,P}$. $f_{n,P}$ satisfy the recurrence relation: $f_{0,P} = f_{1,P} = 1$; $f_{n+1,P} = \left(\frac{L_{P,nP}}{L_{(n+1)P,\,-(n+1)P}}\right) f_{n,P}$ for $n \ge 1$; $f_{-n,P} = 1/f_{n,P}$ for $n \ge 1$. If $P \in E[m]$, then $\operatorname{Div}(f_{m,P}) = m[P] - [mP] - (m-1)[O] = m[P] - m[O]$. Computing $f_{m,P}$ using the above recursive formula is too inefficient.

Computing Weil Pairing: More about $f_{n,P}$. The rational functions $f_{n,P}$ also satisfy $f_{n+n',P} = f_{n,P}\, f_{n',P} \left(\frac{L_{nP,n'P}}{L_{(n+n')P,\,-(n+n')P}}\right)$. In particular, for $n = n'$, we have $f_{2n,P} = f_{n,P}^2 \left(\frac{L_{nP,nP}}{L_{2nP,-2nP}}\right)$. Here, $L_{nP,nP}$ is the line tangent to $E$ at the point $nP$. This and the recursive expression of $f_{n+1,P}$ in terms of $f_{n,P}$ yield a repeated double-and-add algorithm. The function $f_{n,P}$ is usually kept in the factored form. It is often not necessary to compute $f_{n,P}$ explicitly; only the value of $f_{n,P}$ at some point $Q$ is needed.

Miller's Algorithm for Computing $f_{n,P}$. Input: a point $P \in E$ and a positive integer $n$. Output: the rational function $f_{n,P}$. Steps: Let $n = (n_s n_{s-1} \ldots n_1 n_0)_2$ be the binary representation of $n$ with $n_s = 1$. Initialize $f = 1$ and $U = P$. For $i = s-1, s-2, \ldots, 1, 0$, do the following: /* Doubling */ Update $f = f^2 \left(\frac{L_{U,U}}{L_{2U,-2U}}\right)$ and $U = 2U$. /* Conditional adding */ If $n_i = 1$, update $f = f \left(\frac{L_{U,P}}{L_{U+P,\,-(U+P)}}\right)$ and $U = U + P$. Return $f$. Note: One may supply a point $Q \in E$ and wish to compute the value $f_{n,P}(Q)$ (instead of the function $f_{n,P}$). In that case, the functions $L_{U,U}/L_{2U,-2U}$ and $L_{U,P}/L_{U+P,-(U+P)}$ should be evaluated at $Q$ before multiplication with $f$.

Weil Pairing and the Functions $f_{n,P}$. Let $P_1, P_2 \in E[m]$, and suppose we want to compute $e_m(P_1, P_2)$. Choose a point $T$ not equal to $\pm P_1$, $P_2$, $P_2 - P_1$, $O$. We have $e_m(P_1, P_2) = \frac{f_{m,P_2}(T)\, f_{m,P_1}(P_2 - T)}{f_{m,P_1}(-T)\, f_{m,P_2}(P_1 + T)}$. If $P_1 \ne P_2$, then we also have $e_m(P_1, P_2) = (-1)^m \frac{f_{m,P_1}(P_2)}{f_{m,P_2}(P_1)}$. Miller's algorithm for computing $f_{n,P}(Q)$ can be used. All these invocations of Miller's algorithm have $n = m$, so a single double-and-add loop suffices. For efficiency, one may avoid the division operations in Miller's loop by separately maintaining polynomial expressions for the numerator and the denominator of $f$. After the loop terminates, a single division is made.
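As an added example (my code, not from the slides), the pieces of the last few slides in working Python: the addition and doubling formulas over $\mathbb{F}_p$, Miller's double-and-add loop with every line evaluated at a point $Q$, and $e_m(P_1, P_2)$ computed by the auxiliary-point formula just above. The curve $y^2 = x^3 + 30x + 34$ over $\mathbb{F}_{631}$, the 5-torsion points $(36, 60)$ and $(121, 387)$ and the auxiliary point $T = (0, 36)$ are sample values chosen for illustration; since $5 \mid 630$, $\mu_5 \subseteq \mathbb{F}_{631}$ and the embedding degree is 1, so every value stays in the prime field.

```python
# Added example: chord-and-tangent arithmetic over F_p, Miller's loop for
# f_{n,P}(Q), and the Weil pairing via the auxiliary-point formula.
p, a, b = 631, 30, 34                      # sample curve y^2 = x^3 + 30x + 34 over F_631
O = None                                   # the point at infinity

def inv(x):
    # A zero here means the evaluation point lies on a line used in the loop,
    # i.e. the auxiliary point was badly chosen; fail loudly instead of silently.
    assert x % p, "evaluation point lies on a line used in Miller's loop"
    return pow(x, p - 2, p)                # Fermat inverse, valid since p is prime

def neg(P):
    return O if P is O else (P[0], -P[1] % p)

def add(P, Q):
    """P + Q using the addition and doubling formulas of the slides."""
    if P is O: return Q
    if Q is O: return P
    (h1, k1), (h2, k2) = P, Q
    if h1 == h2 and (k1 + k2) % p == 0:
        return O                           # Q = -P
    lam = (3 * h1 * h1 + a) * inv(2 * k1) % p if P == Q else (k2 - k1) * inv(h2 - h1) % p
    h3 = (lam * lam - h1 - h2) % p
    return (h3, (lam * (h1 - h3) - k1) % p)

def mul(n, P):
    """nP by left-to-right double-and-add."""
    R = O
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == '1': R = add(R, P)
    return R

def line(U, V, Q):
    """L_{U,V} evaluated at Q: the line through U and V (tangent when U = V),
    the vertical line when V = -U, and the constant 1 when either point is O."""
    if U is O or V is O:
        return 1
    (h1, k1), (h2, k2), (x, y) = U, V, Q
    if h1 == h2 and (k1 + k2) % p == 0:
        return (x - h1) % p
    lam = (3 * h1 * h1 + a) * inv(2 * k1) % p if U == V else (k2 - k1) * inv(h2 - h1) % p
    return (y - k1 - lam * (x - h1)) % p

def miller(n, P, Q):
    """f_{n,P}(Q): the double-and-add loop, each line evaluated at Q."""
    f, U = 1, P                            # the leading bit n_s = 1 gives U = P
    for bit in bin(n)[3:]:
        V = add(U, U)                      # doubling: f = f^2 L_{U,U} / L_{2U,-2U}
        f = f * f * line(U, U, Q) * inv(line(V, neg(V), Q)) % p
        U = V
        if bit == '1':                     # conditional add: f *= L_{U,P} / L_{U+P,-(U+P)}
            V = add(U, P)
            f = f * line(U, P, Q) * inv(line(V, neg(V), Q)) % p
            U = V
    return f

def weil(m, P1, P2, T):
    """e_m(P1, P2) = f_{m,P2}(T) f_{m,P1}(P2 - T) / (f_{m,P1}(-T) f_{m,P2}(P1 + T)),
    for an auxiliary point T not in {P1, -P1, P2, P2 - P1, O}."""
    num = miller(m, P2, T) * miller(m, P1, add(P2, neg(T))) % p
    den = miller(m, P1, neg(T)) * miller(m, P2, add(P1, T)) % p
    return num * inv(den) % p
```

Because the formula uses each $f_{m,P_i}$ in both numerator and denominator, the result does not depend on the scaling of the Miller functions; the properties slide (order dividing $m$, skew symmetry, bilinearity, non-degeneracy for $Q \notin \langle P \rangle$) is what the checks below exercise.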

Some Intractable Number-theoretic Problems of Cryptographic Significance. Integer factorization problem (IFP): Given a composite integer $n$ with unknown prime divisors, factor $n$. Square root problem (SQRTP): Given a composite integer $n$ with unknown factorization and a modular square $a \in \mathbb{Z}_n$, compute $x \in \mathbb{Z}_n$ such that $x^2 \equiv a \pmod n$. Discrete logarithm problem (DLP): Let $G$ be a finite cyclic group generated by $g$. Given $a \in G$, find $x$ such that $a = g^x$ in $G$. Diffie-Hellman problem (DHP): Let $G$ be a finite cyclic group generated by $g$. Given $g^x, g^y \in G$ (but not $x$ or $y$), compute $g^{xy}$ in $G$. DLP and DHP apply to many number-theoretic groups like $\mathbb{F}_q^*$ and $E(\mathbb{F}_q)$. Bilinear Diffie-Hellman problem (BDHP): Let $e$ be a pairing map on $G \times G$. Given $P, aP, bP, cP \in G$ only, compute $e(P, P)^{abc}$.

Cryptanalysis: Factoring Integers. Exponential algorithms: trial division; Pollard rho method; Pollard $p - 1$ method; Williams $p + 1$ method. Sub-exponential algorithms, with running times of the form $L(n, \omega, c) = \exp\left[(c + o(1))(\ln n)^{\omega}(\ln \ln n)^{1 - \omega}\right]$: CFRAC method; Dixon's method; quadratic sieve method; cubic sieve method; elliptic curve method; number-field sieve method.

The Number-field Sieve Method. Based on Fermat's method of squares: compute $a, b$ with $a^2 \equiv b^2 \pmod n$ and $a \not\equiv \pm b \pmod n$. In this case, $\gcd(a - b, n)$ is a non-trivial factor of $n$. Choose an irreducible polynomial $f(x) \in \mathbb{Q}[x]$ and a positive integer $H$ such that $f(H)$ is a small multiple of $n$. Let $d = \deg f(x)$. Define the number field $K = \mathbb{Q}[x]/\langle f(x) \rangle = \{g(x) \in \mathbb{Q}[x] \mid \deg g(x) \le d - 1\}$. Arithmetic in $K$ is the polynomial arithmetic of $\mathbb{Q}[x]$ modulo $f(x)$. Let $\mathcal{O}_K$ be the ring of integers in $K$. Assume that $\mathcal{O}_K$ supports element-wise unique factorization. Consider the map $\Phi : \mathcal{O}_K \to \mathbb{Z}_n$ taking $x \mapsto H$. Relation: Let $\Phi(\alpha_1)\Phi(\alpha_2)\cdots\Phi(\alpha_k) \equiv \prod_{i=1}^{t} p_i^{e_i} \pmod n$. Combine many relations to obtain $a^2 \equiv b^2 \pmod n$.

Questions? "In mathematics you don't understand things. You just get used to them." (John von Neumann)

Some Recommended Textbooks:
Das, Computational Number Theory, CRC, 2012 (?).
Das and Veni Madhavan, Public-key Cryptography: Theory and Practice, Pearson, 2009.
Zuckerman, Montgomery, Niven and Niven, An Introduction to the Theory of Numbers, Wiley, 1991.
Bressoud, Factorization and Primality Testing, Springer UTM, 1989.
Cohen, A Course in Computational Algebraic Number Theory, Springer GTM, 1993.
Crandall and Pomerance, Prime Numbers: A Computational Perspective, Springer, 2001.
Enge, Elliptic Curves and Their Applications to Cryptography, Kluwer, 1999.
Blake, Seroussi and Smart, Advances in Elliptic Curve Cryptography, Cambridge, 2005.
Charlap and Robbins, An Elementary Introduction to Elliptic Curves, CRD Report, 1988.
Martin, Introduction to Identity-Based Encryption, Artech House, 2008.
Mollin, Fundamental Number Theory with Applications, CRC, 1998.
Mollin, Algebraic Number Theory, CRC, 1999.