Definition of a finite group

Similar documents
Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Chapter 10 Elliptic Curves in Cryptography

Arithmétique et Cryptographie Asymétrique

CPSC 467: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Elliptic Curve Cryptography with Derive

Counting points on elliptic curves over F q

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

Non-generic attacks on elliptic curve DLPs

Elliptic Curve Cryptosystems

Elliptic curve cryptography. Matthew England MSc Applied Mathematical Sciences Heriot-Watt University

One can use elliptic curves to factor integers, although probably not RSA moduli.

Introduction to Elliptic Curve Cryptography

8 Elliptic Curve Cryptography

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Number Theory in Cryptology

Public-key Cryptography: Theory and Practice

Introduction to Elliptic Curve Cryptography. Anupam Datta

Public-key Cryptography and elliptic curves

APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW

Finite Fields and Elliptic Curves in Cryptography

Mathematics for Cryptography

SM9 identity-based cryptographic algorithms Part 1: General

Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)

Cryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC

Discrete logarithm and related schemes

Finite Fields. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Chapter 4 Finite Fields

Other Public-Key Cryptosystems

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Aspects of Pairing Inversion

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

Public-key Cryptography and elliptic curves

Math/Mthe 418/818. Review Questions

The Elliptic Curve in https

The Application of the Mordell-Weil Group to Cryptographic Systems

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

On the complexity of computing discrete logarithms in the field F

COUNTING POINTS ON ELLIPTIC CURVES OVER F q

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

An Introduction to Elliptic Curve Cryptography

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map

Mathematical Foundations of Cryptography

ABHELSINKI UNIVERSITY OF TECHNOLOGY

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Elliptic Curve Cryptography

Finite Fields. Mike Reiter

Elliptic curves: Theory and Applications. Day 3: Counting points.

Julio López and Ricardo Dahab. Institute of Computing (IC) UNICAMP. April,

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Fast Scalar Multiplication on Elliptic Curves fo Sensor Nodes

Elliptic Curve Cryptography

Cyclic Groups in Cryptography

Lecture 14: Hardness Assumptions

Elliptic Curves over Finite Fields

RSA Cryptosystem and Factorization

Hyperelliptic curves

CSC 774 Advanced Network Security

Elliptic Curves and Public Key Cryptography

CSC 774 Advanced Network Security

Constructing genus 2 curves over finite fields

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Public Key Algorithms

CDH/DDH-Based Encryption. K&L Sections , 11.4.

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Elliptic Curves: Theory and Application

Minal Wankhede Barsagade, Dr. Suchitra Meshram

Functions and Equations

The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem

Number Theory, Algebra and Analysis. William Yslas Vélez Department of Mathematics University of Arizona

Selecting Elliptic Curves for Cryptography Real World Issues

Scalar multiplication in compressed coordinates in the trace-zero subgroup

MATH 3030, Abstract Algebra FALL 2012 Toby Kenney Midyear Examination Friday 7th December: 7:00-10:00 PM

Modular Multiplication in GF (p k ) using Lagrange Representation

Elliptic Curves and an Application in Cryptography

Constructing Pairing-Friendly Elliptic Curves for Cryptography

ACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS

Chapter 4 Mathematics of Cryptography

CSC 5930/9010 Modern Cryptography: Number Theory

Cryptography IV: Asymmetric Ciphers

Katz, Lindell Introduction to Modern Cryptrography

Elliptic Curve Cryptography

Elliptic Curve Cryptography

Roots and Coefficients Polynomials Preliminary Maths Extension 1

Low-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves

Other Public-Key Cryptosystems

CIS 551 / TCOM 401 Computer and Network Security

Weak Curves In Elliptic Curve Cryptography

Elliptic Curves, Factorization, and Cryptography

An introduction to supersingular isogeny-based cryptography

Attacking the Elliptic Curve Discrete Logarithm Problem. Matthew Musson. Thesis submitted in partial fulfillment of the requirements of the degree

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Elliptic Curve Discrete Logarithm Problem

Fast Multiple Point Multiplication on Elliptic Curves over Prime and Binary Fields using the Double-Base Number System

Counting points on genus 2 curves over finite

Introduction to Elliptic Curves

Fast arithmetic and pairing evaluation on genus 2 curves

GRE Subject test preparation Spring 2016 Topic: Abstract Algebra, Linear Algebra, Number Theory.

Transcription:

Elliptic curves

Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e * a = a. 4. For each a in G there is a b in G with a * b = b * a = e. 5. For all a, b and c in G, (a * b) * c = a * (b * c). The element e in 3 above is the identity element of the group (G, * ). 2

Order of a group The number of elements of a finite group (G, * ) is denoted by the symbol G, and is said to be the order of the group. For a finite group (G, * ) it can be computationally difficult to compute the order, G, of the group. 3

Subgroup Let (G, * ) be a group. If H is a subset of G and (H, * ) is also a group, then (H, * ) is said to be a subgroup of (G, * ). Theorem: If (H, * ) is a finite group and if H is a subset of G such that H is nonempty and for any a and b in H, also a * b is in H. Then (H, * ) is a subgroup of (G, * ). 4 Theorem(Lagrange): If (G, * ) is a finite group and if (H, * ) is a subgroup of (G, * ), then H is a factor of G.

Abelian group and cyclic group (G, * ) is an Abelian group if it is a group and for each a and b in G, a * b = b * a. If it exists, the least n such that a n = e is called the order of a in G. For an element a of order n of the finite group (G, * ), let <a> denote the set {a i :i=0,1,2,,n-1}. Then <a> is a subgroup of G, generated by the element a of G, and is said to be the cyclic subgroup of G generated by a. The element a is called a generator of <a>. 5

Finite fields (F,+, * ) is a field if: (F,+) is an abelian group with (additive) identity denoted by 0. (F\{0}, * ) is an abelian group with (muliplicative) identity denoted by 1. The distributive law holds Theorem. There exists a finite field F of order q iff q=p m where p is prime and m is positive integer. The prime p is called a characteristic of F. If m=1, F is called a prime field. If m>1, then F is called an extension field. 6

Mod and reduction mod Modulo operation: a mod p b if p (b-a). Z p ={0,1,2,,p-1}. Reduction modulo p: a mod p = r where r [0,p-1] is the remainder obtained upon dividing a by p. 7

Prime fields Addition: If a,b Z p, then a + p b = r in Z p where r [0,p-1] is the remainder when the integer a+b is divided by p. Multiplication: If a,b Z p, then a o p b = r in Z p where r [0,p-1] is the remainder when the integer a b is divided by p. Prime field: F p =(Z p,+ p,o p ) 8

The finite field F 2 m F 2 m ={a m 1 x m 1 +a m-2 x m 2 + +a 2 x 2 +a 1 x +a 0 : a i {0,1}} Addition in F 2 m: Usual addition of polynomials, with coefficients in F 2 m: Arithmetic performed modulo 2. Multiplication in F 2 m: Usual multiplication of polynomials and then division by a fixed irreducible polynomial f(x) of degree m. 9

Further readings Fast algorithms for performing the reduction modulo operation and modular multiplication: Barrett reduction algorithm [1] Montgomery multiplication algorithm [1] [1] D.Hankerson, A.Menezes and S.Vanstone, Guide to, (2004) 10

NIST primes The following primes are the NIST standards for EC over prime fields: p 192 =2 192-2 64-1 p 224 =2 224-2 96 +1 p 256 =2 256-2 224 + 2 192 + 2 96-1 p 384 =2 384 + 2 128 + 2 96 + 2 32-1 p 521 =2 521-1 11

Generalized Weierstrass equation An elliptic curve E over a field K is defined by an equation E: y 2 + Axy + By = x 3 + Cx 2 + Dx + F where A,B,C,D,F K. 12

Isomorphic Elliptic curves Two elliptic curves E 1 : y 2 + A 1 xy + B 1 y = x 3 + C 1 x 2 + D 1 x + F 1 E 2 : y 2 + A 2 xy + B 2 y = x 3 + C 2 x 2 + D 2 x + F 2 are isomorphic if there exist u,r,s,t K such that the change of the variables (x,y) (u 2 x + r,u 3 y + u 2 sx + t) transforms equation E 1 into equation E 2. 13

Isomorphic EC The following change of the variables (x,y) ( x-3a 2-12C, y-3ax A 3-4AC-12B ) 36 216 24 transforms the elliptic curve E: y 2 + Axy + By = x 3 + Cx 2 + Dx + F into an elliptic curve y 2 = x 3 + ax + b where a,b K and K is a field with characteristic 2,3. 14

Further readings Isomorphic elliptic curves over fields with characteristic 2. Isomorphic elliptic curves over fields with characteristic 3. [1] D.Hankerson, A.Menezes and S.Vanstone, Guide to, (2004) 15

The elliptic curve y 2 =x 3 +Ax+B E(A,B)={(x,y): y 2 =x 3 +Ax+B} {Id} where A,B K such that 4A 3 +27B 2 0. and K is a finite field. Id point at infinity Geometric model of Elliptic curve y 2 =x 3 +Ax+B. 16

The group law in y 2 =x 3 +Ax+B Adding points P Q = R or just P + Q = R P R Q 17

The group law in y 2 =x 3 +Ax+B Adding points P Q= - P Problem: The vertical line through P and Q does not E(A,B) in a third point! Solution: P Q = Id or just P + Q = Id intersect 18

The group law in y 2 =x 3 +Ax+B Adding points to itself P 2P 19 P P or just 2P

The algebra of elliptic curves The addition law on E(A,B) has the following properties: P Id = Id P = P for all P in E(A,B). P (-P)=Id P (Q R)=(P Q) R P Q=Q P for all P in E(A,B). or all P, Q, R in E(A,B). for all P, Q in E(A,B). 20

The algebra of elliptic curves Theorem (E(A,B), )is an Abelian group. Note:For the generalized Weierstress equation this is no longer true. 21

Formulas for addition on E(A,B) Case 1: Let P(x 1,y 1 ) and Q(x 2,y 2 ) be two distinct points on E(A,B) with x 1 x 2 Let the line connecting P and Q be L: y = y 1 + m(x-x 1 ) Then the slope of L is given by m y x 2 2 y x P+Q = ( m 2 -x 1 -x 2, -y 1 +m(x 1 -x 3 ) ) 1 1 22

Formulas for addition on E(A,B) Case 2: Let P(x 1,y 1 ) and Q(x 2,y 2 ) be two distinct points on E(A,B) with x 1 =x 2 Then P + Q = Q + P = Id. 23

Formulas for addition on E(A,B) Case 3: Let P(x 1,y 1 ) = Q(x 2,y 2 ) and y 1 0. The slope of the tangent line can be found by implicitly differentiating the equation y 2 = x 3 + Ax + B and substituting in the coordinates of P: 2 1 3x A m 2y 1 Then P + P = 2P = (m 2-2x 1,-y 1 +m(x 1 -m 2 +2x 1 )). 24

Formulas for addition in E(A,B) Case 4: Let P(x 1,y 1 )=Q(x 2,y 2 ) and y 1 =0. Then P+Q = 2P = Id. 25

Computing multiples of a point Double-and-Add method: Write k=k 0 +k 1 2+k 2 2 2 + +k n 2 n with k 0,k 1,k 2,,k n in {0,1}. Then, kp = k 0 P+k 1 2P+k 2 2 2 P+ +k n 2 n P where 2 n P= 2 2 2 2P requires only n doublings. 26

Order of E(F p ) It is clear that #E(F p ) [1,p 2 +1]. The following theorem gives better bounds for #E(F p ). Theorem(Hasse, 1922): For p 3 prime, p+1-2 p #E(F p ) p+1+2 p. Alternate formulation of Hasse s theorem: #E(F p )=p+1-t where t 2 p Remark: t is called the trace of E(F p ). 27

Order of E(F p n) Theorem(weil, 1949): Let E be defined over F p and #E(F p )=p+1-s and m is a positive integer. Decompose T 2 -st+p=(t-a)(t-b) over the complex numbers. Then #E(F p n)=p n +1-(a n -b n ). 28

Order of E(F q ) Theorem (Waterhouse, 1969). Let q=p n be a power of a prime p and N=q+1-t. There is an elliptic curve over F q with order N iff t 2 q and t satisfies one of the following: gcd(t,p)=1 n is even and t=2 q or t=-2 q n is even, p 1 mod 3 and t= q or t=- q n is odd, p=2 or 3 and t=p (n+1)/2 or t=-p (n+1)/2 n is even, p 1 mod 4 and t=0 n is odd and t=0. 29

Counting points on E(F q ) Baby Step Giant Step (Shanks,1971) Running time: O(q 1/4+ ) Schoof s algorithm (1985) Running time: O(log(q)) 30

Supersingular EC groups Def. An elliptic curve E defined over a field F q of characteristic p is called a supersingular if p t, where t is the trace. If p does not divide t, then E is called non-supersingular. Note: The DLP in supersingular elliptic curve can be reduced to the DLP in F p n. 31

Supersingular EC groups Theorem(Koblitz): The supersingular elliptic curve y 2 = x 3 y over F 2 n has order #E(F 2n ) = 2n + 1 if n is odd. 32

Supersingular EC groups Theorem: Let p>3 be a prime number. [1] If B=0 and p mod 4 = 3 then #E(A,B,p)=p+1 [2] If A=0 and p mod 3 = 2 then #E(A,B,p)=p+1 33 [1] B. Kaliski, A pseudo-random Bit Generator based on elliptic curves, CRYPTO 86. [2] V. Miller, Use of elliptic curves in cryptography, CRYPTO 85.

Anomalous curves Def. If the order #E(F q ) is equal to the characteristic p of F q, the elliptic curve is called an anomalous curve. Note: The anomalous curves are not secure for use in ECC. (Smart, 1999) 34

- advantages Computationally efficient public key cryptosystem Memory and power savings Highest security 35

NIST provides greater security and more efficient performance than the first generation public key Techniques (RSA and Diffie-Hellman) now in use. As vendors look to upgrade their systems they should seriously consider the elliptic curve alternative. For the computational and bandwidth advantages they offer at comparable security. The majority of public key systems in use today use 1024 bit parameters for RSA and Diffie-Hellman. The US National Institute for Standards and Technology has recommended that these 1024-bit systems are sufficient for use until 2010. After that, NIST recommends that they be upgraded to something providing more security. http://www.nsa.gov 36

NIST Recommended Key Sizes Symmetric Key Size (bits) RSA and Diffie-Hellman Key Size (bits) Elliptic Curve Key Size (bits) 80 1024 160 112 2048 224 128 3072 256 192 7680 384 256 15360 521 37

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback