https://hal.inria.fr/hal-00767404/

Symmetric encryption: one secret key $sk$ shared by both parties, with $\mathrm{Encrypt}_{sk}(m) = c$ and $\mathrm{Decrypt}_{sk}(c) = m$.

Public-key encryption: a key pair $(pk, sk)$, with $\mathrm{Encrypt}_{pk}(m) = c$ and $\mathrm{Decrypt}_{sk}(c) = m$; only $sk$ has to stay secret.

Cyclic group of order $n$: $(G, \cdot)$ with a generator $g \in G$, so that $\langle g \rangle = \{g, g^2, g^3, \dots, g^n = 1\} = G$.

Examples of cyclic groups: $(\mathbb{Z}/p\mathbb{Z})^*$ for $p$ prime, of order $p - 1$, or a subgroup of it of order $n \mid p - 1$ generated by some $g \in (\mathbb{Z}/p\mathbb{Z})^*$; $\mathbb{F}_q^*$ with $q = p^d$, of order $q - 1$; an elliptic curve group $E(\mathbb{F}_q)$, of order $n$ with $|n - (q + 1)| \le 2\sqrt q$, written additively as $(G, +)$ with $G = \{P, 2P, 3P, \dots, nP = O\}$.

Discrete logarithm problem: given $g$ and $h = g^x$, find $x = \log_g(h)$; $x$ is only defined modulo $n$.

The map $\exp_g : (\mathbb{Z}/n\mathbb{Z}, +) \to (G, \cdot)$, $a \mapsto g^a$, is well defined ($a = b + kn \Rightarrow \exp_g(a) = g^a = g^b = \exp_g(b)$), a homomorphism ($\exp_g(a + b) = \exp_g(a)\exp_g(b)$) and injective ($\exp_g(a) = 1 \iff n \mid a \iff a = 0$ in $\mathbb{Z}/n\mathbb{Z}$), hence an isomorphism $(\mathbb{Z}/n\mathbb{Z}, +) \cong (G, \cdot)$.

Other generators: $g' = g^a$ generates $G$ iff $\gcd(a, n) = 1$; then $g = g'^b = g^{ab}$ with $ab \equiv 1 \pmod n$. If $h = g^a$ with $\gcd(a, n) = d > 1$, then $b = n/d \ne 0$ satisfies $h^b = g^{ab} = 1$ because $ab \equiv 0 \pmod n$, so $h$ does not generate $G$.

Change of base: if $g$ and $g'$ both generate $G$, write $h = g^a = g'^b$, i.e. $\log_g(h) = a$ and $\log_{g'}(h) = b$, and $g' = g^c$ with $c = \log_g(g')$. Then $h = g'^b = g^{bc} = g^a$, so $a \equiv bc$, i.e. $\log_g(h) = \log_{g'}(h) \cdot \log_g(g')$: solving logarithms in base $g'$ is as hard as in base $g$.

In the additive group $G = (\mathbb{Z}/n\mathbb{Z}, +)$ the problem is easy: $1$ is a generator, $G = \{1, 2, 3, \dots, n = 0\} = \{1, 2 \cdot 1, 3 \cdot 1, \dots, n \cdot 1 = 0\}$, and any $g$ with $\gcd(g, n) = 1$ generates, $G = \{g, 2g, 3g, \dots, ng = 0\}$. Given $h \in \mathbb{Z}/n\mathbb{Z}$ with $h = xg$, simply $x = h g^{-1} \bmod n$.

Generic algorithms for a group $G$ of order $n$: exhaustive search $g, g^2, g^3, \dots$ until $h$ is reached, $O(n)$ time; a precomputed sorted table of pairs $(g^i, i)$ for all $g^i \in G$, $O(n)$ memory and $O(n \log n)$ time to build, after which each $h = g^x$ is solved in $O(\log n)$; Pollard rho (below), $O(\sqrt n)$, or $O(\sqrt p)$ for $p$ the largest prime factor of $n$.

Baby-step giant-step. To find $x$ with $h = g^x$, let $m = \lceil \sqrt n \rceil$ and write $x = i + mj$ with $0 \le i, j < m$. Then $h = g^x = (g^m)^j g^i$, i.e. $h (g^{-1})^i = (g^m)^j$. Store the giant steps $((g^m)^j, j)$ for $j < m$ in a sorted table ($O(\sqrt n)$ memory, $O(\sqrt n \log n)$ time), then compute the baby steps $h, hg^{-1}, h(g^{-1})^2, \dots$ and look each one up: $O(\sqrt n)$ memory and $O(\sqrt n \log n)$ time in total.

Pollard rho. Look for a collision $g^i h^j = g^{i'} h^{j'}$ between elements of the form $g^i h^j$: then $g^{i - i'} = h^{j' - j}$, so $i - i' \equiv x(j' - j) \pmod n$, which gives $x$ whenever $j' - j$ is invertible modulo $n$. Only triples $(g^i h^j, i, j)$ need to be handled.

Birthday paradox. Drawing $k$ elements uniformly from a set of size $n$, the probability that they are pairwise distinct is
$$p(k) = \Big(1 - \frac{1}{n}\Big)\Big(1 - \frac{2}{n}\Big)\cdots\Big(1 - \frac{k-1}{n}\Big) = \prod_{i=1}^{k-1}\Big(1 - \frac{i}{n}\Big).$$
Using $1 - x \le e^{-x}$ for all $x \in \mathbb{R}$,
$$p(k) \le \prod_{i=1}^{k-1} e^{-i/n} = e^{-k(k-1)/2n} \le e^{-(k-1)^2/2n},$$
so the probability of a collision among $k$ draws is at least $f(k) = 1 - e^{-(k-1)^2/2n}$. Solving $f(k^*) = A$ gives $k^* = 1 + \sqrt{2n \log\frac{1}{1-A}}$, and $k \ge k^*$ gives collision probability $\ge A$. For $A = 1/2$: $k^* = 1 + \sqrt{2n \log 2} \approx 1.177\sqrt n$; for $A = 0.99$: $k^* \approx 3.03\sqrt n$. With $n = 365$ and $A = 1/2$: $1 + \sqrt{2 \cdot 365 \cdot \log 2} \approx 23.49$, i.e. 23 people. The expected number of draws before the first collision is $\sqrt{\pi n/2}$ plus a small constant, about $1.253\sqrt n$.

Pseudo-random walk for rho. One needs $f : G \to G$ such that, from $X = g^i h^j$ with known $(i, j)$, the exponents $(i', j')$ of $f(X) = g^{i'} h^{j'}$ are also known. Partition $G = S_1 \cup \dots \cup S_k$ into classes that are cheap to recognise (here $k = 3$; in practice 10 to 20 classes) and define
$$f(X) = X^2 \text{ if } X \in S_1, \qquad f(X) = hX \text{ if } X \in S_2, \qquad f(X) = gX \text{ if } X \in S_3,$$
so that for $X = g^i h^j \in S_1$, $f(X) = X^2 = g^{2i} h^{2j}$, and similarly $(i, j + 1)$ and $(i + 1, j)$ in the other two cases.

Cycle finding (Floyd). Start from $X_0 \in G$ and iterate $X_m = f(X_{m-1})$ for $m > 0$. Since $G$ is finite the sequence is eventually periodic (the shape of the Greek letter $\rho$): a tail $X_0, \dots, X_{l-1}$ of length $l$ followed by a cycle $X_l, \dots, X_{l+c-1}$ of length $c$, so $X_{m+c} = X_m$ for all $m \ge l$. Instead of storing the sequence, compute the pairs $(X_m, X_{2m}) = (f(X_{m-1}), f(f(X_{2m-2})))$ and stop at the first $u$ with $X_u = X_{2u}$. This needs $u \ge l$ and $c \mid u$: write $l = qc + r$ with $0 \le r < c$; if $r = 0$ then $u = qc = l$, otherwise $u = (q+1)c$ and $(q+1)c \le qc + r + c = l + c$. So $u \le c + l$, which by the birthday paradox is $O(\sqrt n)$ evaluations of $f$, with constant memory. (The $\lambda$ / distinguished-point variant instead stores a few selected triples $(X, i, j)$ and allows parallelisation.)

Solving the logarithm. Let $F(X, i, j) = (f(X), i', j')$ where $f(X) = g^{i'} h^{j'}$. Given $g$ and $h = g^x$, choose $i_x, j_x \in \mathbb{Z}/n\mathbb{Z}$ and $X = g^{i_x} h^{j_x}$; set $(Y, i_y, j_y) = (X, i_x, j_x)$; repeat $(X, i_x, j_x) = F(X, i_x, j_x)$ and $(Y, i_y, j_y) = F(F(Y, i_y, j_y))$ until $X = Y$. Then $g^{i_x} h^{j_x} = g^{i_y} h^{j_y}$, and if $j_y - j_x$ is invertible modulo $n$ (always the case for $n$ prime and $j_y \ne j_x$), $x \equiv (i_x - i_y)(j_y - j_x)^{-1} \pmod n$.

Pohlig–Hellman. Suppose the factorisation $n = p_1^{e_1} \cdots p_r^{e_r}$ is known. It suffices to find $x \bmod p^e$ for each prime-power factor $p^e$ of $n$ and to combine them by the Chinese remainder theorem. Write $x \bmod p^e = a_0 + a_1 p + \dots + a_{e-1} p^{e-1}$ with $0 \le a_i \le p - 1$. The element $g^{n/p}$ has order $p$, and $h^{n/p} = (g^{n/p})^{a_0}$, so $a_0$ is a discrete logarithm in a subgroup of order $p$. Next, $h^{n/p^2} = (g^{n/p^2})^{a_0 + a_1 p}$, hence $(h/g^{a_0})^{n/p^2} = (g^{n/p^2})^{a_1 p} = (g^{n/p})^{a_1}$, again a logarithm in the subgroup of order $p$, and so on: $x \bmod p^e$ costs $e$ logarithms in a group of order $p$. The whole computation for $n$ costs $\sum_i e_i$ such logarithms, so the hardness of the problem is governed by the largest prime factor of $n$.

Pohlig–Hellman as an algorithm. Input: $g$, $h = g^x$, $n = \prod_{i=1}^r p_i^{e_i}$.
For $i = 1, \dots, r$:
    $\tilde g = g^{n/p_i}$, $\tilde h = h^{n/p_i}$, $a_0 = \log_{\tilde g}(\tilde h)$, $f = 1$, $x_i = a_0$;
    for $j = 1, \dots, e_i - 1$: $f = f \cdot g^{a_{j-1} p_i^{j-1}}$, $\tilde h = (h f^{-1})^{n/p_i^{j+1}}$, $a_j = \log_{\tilde g}(\tilde h)$, $x_i = x_i + a_j p_i^j$.
Output $x \pmod n$ obtained by the Chinese remainder theorem from $x \equiv x_i \pmod{p_i^{e_i}}$, $i = 1, \dots, r$.

Index calculus in $(\mathbb{Z}/p\mathbb{Z})^*$. Choose a factor base $S = \{p_1, p_2, \dots, p_t\}$ of small primes and treat the $\log_g(p_i) \in \mathbb{Z}/n\mathbb{Z}$ as $t$ unknowns. Pick random $k \in \mathbb{Z}/n\mathbb{Z}$; when $g^k$ factors over $S$ as $\prod_i p_i^{e_i}$, this yields the linear relation $k \equiv \sum_i e_i \log_g(p_i) \pmod n$. After about $t$ independent relations, solve the linear system for the $\log_g(p_i)$. Finally, to get $x$ with $h = g^x$, pick $k$ until $h g^k$ factors over $S$ as $\prod_i p_i^{e_i}$; then $x + k \equiv \sum_i e_i \log_g(p_i)$. The size $t$ of $S$ balances the cost of finding relations against the cost of the linear algebra.

Sub-exponential complexity is measured with
$$L_n(\alpha, c) = O\big(\exp(c (\log n)^\alpha (\log\log n)^{1-\alpha})\big),$$
where $L_n(0, c) = (\log n)^c$ is polynomial in the size of $n$ and $L_n(1, c) = n^c$ is exponential. Index calculus in $\mathbb{Z}/p\mathbb{Z}$ with $S = \{\text{primes} < B\}$ costs $L_p(1/2, \sqrt 2)$; the sieve algorithms in $\mathbb{F}_q$ cost $L_q(1/3, c)$ for some $c > 0$. Records: for $\mathbb{F}_{p^n}$ with $n = 1$, i.e. $\mathbb{Z}/p\mathbb{Z}$, a 768-bit $p$; in small characteristic ($\mathbb{F}_{2^n}$, $\mathbb{F}_{3^n}$) first $L_q(1/4, c)$, $c > 0$, and then quasi-polynomial algorithms; for $q = p^n$ of medium characteristic, $L_q(1/3, c)$ with $c$ depending on the relative sizes of $p$ and $n$, with record computations in $\mathbb{F}_{p^n}$ for $n = 6$ and $n = 12$. See http://en.wikipedia.org/wiki/discrete_logarithm_records

Key sizes in $(\mathbb{Z}/p\mathbb{Z})^*$: for 128-bit security one works in a subgroup of prime order $q \mid p - 1$ with $p$ of 3072 bits (against index calculus) and $q$ of 256 bits (against Pollard rho, $\sqrt q \approx 2^{128}$). In general:

    security level (bits)   size of p (bits)
    80                      1024
    112                     2048
    128                     3072
    192                     7680
    256                     15360

On an elliptic curve $E(\mathbb{Z}/p\mathbb{Z})$ only the generic $O(\sqrt n)$ attacks apply, so $p$ of $2k$ bits gives $k$-bit security: a 256-bit $p$ for 128-bit security. The largest prime-field curve logarithm solved so far (by Pollard rho) is over a 112-bit $\mathbb{F}_p$.

Diffie–Hellman key exchange in $(G, \cdot)$, $G = \langle g \rangle$ of order $n$: Alice picks $a \in \mathbb{Z}/n\mathbb{Z}$ and sends $X = g^a$; Bob picks $b \in \mathbb{Z}/n\mathbb{Z}$ and sends $Y = g^b$; both compute $Z = g^{ab} = Y^a = X^b$. An eavesdropper sees only $X = g^a$ and $Y = g^b$.

Computational Diffie–Hellman (CDH): given $X = g^a$ and $Y = g^b$, compute $Z = g^{ab}$. Decisional Diffie–Hellman (DDH): given $(X = g^a, Y = g^b, Z)$, decide whether $Z = g^{ab}$ or $Z$ is a random element of $G$. Anyone who can compute $a$ from $X$ solves both, since $Z = Y^a$.

From key exchange to encryption: to send $m \in G$ to Bob, whose public key is $pk = Y = g^b$, Alice picks $a$ and sends $(X = g^a, mY^a) = (X, mZ)$; Bob computes $Z = X^b$ and divides.

ElGamal encryption. Keys: $pk = h = g^x$ with $x \in \mathbb{Z}/n\mathbb{Z}$, $sk = x$. Encrypt $m \in G$ under $h = pk$: pick a random $r \in \mathbb{Z}/n\mathbb{Z}$ and output $c = (c_1, c_2) = (g^r, m h^r)$. Decrypt $c = (c_1, c_2)$ with $x = sk$: $c_2 / c_1^x$. Correctness: for $(c_1, c_2) = (g^r, m h^r)$, $c_2 / c_1^x = m h^r / g^{rx} = m g^{rx} / g^{rx} = m$. Encryption is randomised: the ciphertext of $m \in G$ under $pk$ depends on $r$.

Security of ElGamal: recovering $m$ from $c$ and $pk$ is equivalent to CDH; distinguishing encryptions (indistinguishability) is equivalent to DDH.

Digital signatures: a key pair $(pk, sk)$; signing uses $sk$ to produce $\sigma$ from $m$; verification uses $pk$ to check $(m, \sigma)$.

Hash functions: $H : \{0,1\}^* \to A$ for a finite set $A$, e.g. $A = \{0,1\}^\ell$, $A = G$ or $A = (\mathbb{Z}/p\mathbb{Z})^*$. Below, $M = H(m) \in \mathbb{Z}/n\mathbb{Z}$.

A first attempt at an ElGamal-type signature. Keys $h = g^x$, $x \in \mathbb{Z}/n\mathbb{Z}$. To sign $m$, compute $M = H(m)$ and encrypt $g^M$ under $h$ with a random $r \in \mathbb{Z}/n\mathbb{Z}$: $(g^r, h^r g^M) = (g^r, g^{xr + M})$. Put $s = xr + M \in \mathbb{Z}/n\mathbb{Z}$ and $f = g^r$, so that the pair reads $(f, g^s)$, and output $\sigma = (f, s)$. Verification checks that $(h, f, g^s / g^M) = (g^x, g^r, g^{xr})$ is a Diffie–Hellman triple, which is a DDH instance. Worse, $s$ is linear in $x$: from $r$, $s$ and $m$ one gets $x = r^{-1}(s - M)$ in $\mathbb{Z}/n\mathbb{Z}$, so $r \ne 0$ must stay secret. Fix: bind $f$ into the equation through $H(f)$ and replace $g^s = g^{xr + M}$ by $f^s = g^{rs}$, i.e. require $rs = xH(f) + M$.

The scheme. Group $G$ of order $n$, hash $H : \{0,1\}^* \to \mathbb{Z}/n\mathbb{Z}$. Keys: $pk = h = g^x$, $sk = x$. Sign $m$ with $x$: pick a random invertible $r$ modulo $n$, $f = g^r$, $s = r^{-1}(xH(f) + H(m)) \pmod n$, output $\sigma = (f, s)$.

Verify $\sigma = (f, s)$ on $m$ with $pk = h$: compute $v_1 = f^s$ and $v_2 = h^{H(f)} g^{H(m)}$ and accept iff $v_1 = v_2$. Correctness: $v_1 = f^s = g^{rs} = g^{xH(f) + H(m)}$ and $v_2 = h^{H(f)} g^{H(m)} = g^{xH(f) + H(m)}$.

Parameters: a subgroup of prime order $q$ in $(\mathbb{Z}/p\mathbb{Z})^*$ with $p$ of 2048 or 3072 bits and $q$ of 200 or 256 bits (Pollard rho in the subgroup costs $\sqrt q$).

ECDSA. A point $P$ of prime order $n$; $H : \{0,1\}^* \to \{1, \dots, n-1\}$ derived from SHA-2 by keeping $l$ leftmost bits, $l$ the bit length of $n$. Keys: $pk = Q = xP$ with $0 < x < n$, $sk = x$.
Sign $m$ with $x$: pick a random $r$ with $0 < r < n$; $R = (x_R, y_R) = rP$; if $x_R \bmod n = 0$ pick a new $r$; $s = r^{-1}(x (x_R \bmod n) + H(m)) \pmod n$; if $s = 0$ pick a new $r$; output $\sigma = (\sigma_1, \sigma_2) = (x_R \bmod n, s)$.
Verify $(\sigma_1, \sigma_2)$ on $m$ with $Q$: check that $Q$ is a point of the curve with $nQ = O$ and that $1 \le \sigma_i \le n - 1$ for $i = 1, 2$; $u_1 = H(m)\sigma_2^{-1} \pmod n$, $u_2 = \sigma_1 \sigma_2^{-1} \pmod n$; $(x', y') = u_1 P + u_2 Q$; accept iff $\sigma_1 = x' \bmod n$.
Correctness: $u_1 P + u_2 Q = (u_1 + u_2 x)P = (H(m)s^{-1} + (x_R \bmod n)s^{-1}x)P = s^{-1}(H(m) + (x_R \bmod n)x)P = r\,(H(m) + x(x_R \bmod n))^{-1}(H(m) + (x_R \bmod n)x)P = rP$, whose $x$-coordinate is $x_R$.
The nonce $r$ must be fresh and secret: if the same $r$ signs two messages $m \ne m'$, the signatures share $\sigma_1$, and $\sigma_2 - \sigma_2' = r^{-1}(H(m) - H(m'))$ reveals $r$; then $\sigma_2 = r^{-1}(x\sigma_1 + H(m))$ gives the secret key $x$.

NIST curves (FIPS 186-4, http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf). Over $\mathbb{F}_p$, the group is $G = \langle P \rangle$ with $P = (x_P, y_P)$ of prime order $n$ and cofactor $h$, $\mathrm{Card}\,E = nh$; for small $h$, $n \approx p$. Prime curves P-192, P-224, P-256, P-384, P-521: $h = 1$, $y^2 = x^3 - 3x + b \bmod p$ (i.e. $a = -3$), with $p$ a prime of the stated bit length. Over $\mathbb{F}_{2^d}$: Koblitz curves K-163, K-233, K-283, K-409, K-571, $y^2 + xy = x^3 + ax^2 + 1$ with $a \in \{0, 1\}$, $h = 2$ if $a = 1$ and $h = 4$ if $a = 0$; random binary curves B-163, B-233, B-283, B-409, B-571, $y^2 + xy = x^3 + x^2 + b$ with $b \in \mathbb{F}_{2^d}$, $h = 2$.

Short Weierstrass form for $p > 3$: $y^2 = x^3 + ax + b$ with $\Delta = -16(4a^3 + 27b^2) \not\equiv 0 \pmod p$. The curves $(a, b)$ and $(a', b')$ are isomorphic iff $a' = u^4 a$ and $b' = u^6 b$ for some $u \in \mathbb{F}_p^*$; the quantity $c = a^3/b^2 = a'^3/b'^2$ is then invariant, and $\Delta \ne 0 \iff 4a^3 + 27b^2 \ne 0 \iff 4a^3/27b^2 \ne -1 \iff 4c \ne -27 \iff 4c + 27 \ne 0$. Conversely, from $c$ one recovers a curve in the class: any $a, b$ with $cb^2 \equiv a^3 \pmod p$ work, for instance $a = c$, $b = c$. Security criteria for curves over $\mathbb{F}_p$ are discussed at https://safecurves.cr.yp.to