Finite Fields and Elliptic Curves in Cryptography


Finite Fields and Elliptic Curves in Cryptography
Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography

Overview
- Public-key vs. symmetric cryptosystems
- Security of the RSA cryptosystem
- Elliptic curve discrete logarithm
- Pohlig-Hellman attack on the ECDLP
- Proofs of primality with elliptic curves

Public-key vs. symmetric cryptosystem
Symmetric cryptosystem:
- Alice and Bob share a common key K
- K is used both for encryption and decryption
- n users need n(n-1)/2 keys
- Both Alice and Bob have to keep K secret
- High speeds are possible, e.g. AES: 8 MB/s on a Pentium 200 MHz

Public-key vs. symmetric cryptosystem
Public-key cryptosystem: Diffie-Hellman (1976), based on (trapdoor) one-way functions:
- given x, it is easy to compute f(x)
- given f(x), it is difficult to compute x
- given f(x) and the trapdoor, it is easy to compute x
Example: let g be a generator of $\mathbb{F}_p^*$, p a large prime; then $f_g(x) = g^x \bmod p$ is a one-way function. Discrete log problem: compute x given $f_g(x)$.
Key exchange: Alice sends Bob $P_A = g^{x_A} \bmod p$, Bob sends Alice $P_B = g^{x_B} \bmod p$. Common key: $K_{AB} = g^{x_A x_B} \bmod p$.

The RSA cryptosystem
Invented by Rivest, Shamir and Adleman (1977): construct a trapdoor one-way function.
- Let $n = p \cdot q$, with p and q large primes (i.e. at least 512 bits).
- Compute $\varphi(n) = (p-1)(q-1)$, i.e. the order of $(\mathbb{Z}/n\mathbb{Z})^*$.
- Choose e and d such that $e \cdot d \equiv 1 \bmod \varphi(n)$, $\gcd(e, n) = \gcd(d, n) = 1$.
- Public key: (e, n). Private key: d, or p and q.
- Encryption: $C = M^e \bmod n$. Decryption: $M = C^d \bmod n$.

Security of the RSA cryptosystem
Three computationally equivalent problems:
1. Factor the modulus n.
2. Compute Euler's phi $\varphi(n) = (p-1)(q-1)$.
3. Given the public key $P = (e, n)$, compute d with $e \cdot d \equiv 1 \bmod \varphi(n)$.
Proof: (1) ⇒ (2) ⇒ (3): trivial. (3) ⇒ (1): given (e, n) we get d with $e d \equiv 1 \bmod \varphi(n)$, so $e d - 1 = k \varphi(n)$. For $a \in (\mathbb{Z}/n\mathbb{Z})^*$ we therefore have $a^{ed-1} \equiv 1 \bmod n$, hence $a^{ed-1} \equiv 1 \bmod p$ and $a^{ed-1} \equiv 1 \bmod q$.

Security of the RSA cryptosystem (cont.)
Now $ed - 1$ is even, so $a^{(ed-1)/2}$ is a square root of 1 modulo p and modulo q. Via CRT this gives 4 possibilities for $a^{(ed-1)/2} \bmod n$:

           mod q:   +1     -1
  mod p: +1         1      r_1
         -1         r_2    -1

Note that $r_i \not\equiv \pm 1 \bmod n$, since CRT gives an isomorphism. So we expect $a^{(ed-1)/2} \not\equiv \pm 1 \bmod n$ for about half of $(\mathbb{Z}/n\mathbb{Z})^*$ (this can be shown rigorously). Search for $a \in (\mathbb{Z}/n\mathbb{Z})^*$ with $a^{(ed-1)/2} \not\equiv \pm 1 \bmod n$; then clearly $1 < \gcd(a^{(ed-1)/2} - 1, n) < n$, since either p or q divides $a^{(ed-1)/2} - 1$, but not both.
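The argument above is constructive, which is why a leaked private exponent is equivalent to a leaked factorisation. The following is an added example (not code from the slides) that recovers p and q from (n, e, d). It uses the standard refinement of the slide's single halving: ed - 1 is written as 2^s·r and the exponent is halved repeatedly, so a base whose first root happens to be ±1 is not wasted. The toy key (n = 3233, e = 17, d = 2753) is constructed here for illustration.

```python
from math import gcd

def split_exponent(k):
    """Write k = 2**s * r with r odd and return (s, r)."""
    s = 0
    while k % 2 == 0:
        k //= 2
        s += 1
    return s, k

def factor_from_private_exponent(n, e, d, bases=range(2, 200)):
    """Recover the prime factors of an RSA modulus n from a key pair (e, d).

    Since e*d - 1 is a multiple of phi(n), a**(e*d-1) == 1 (mod n) for every a
    coprime to n.  Halving the exponent produces square roots of 1; a root x
    with x != +-1 (mod n) is 1 modulo one prime and -1 modulo the other, so
    gcd(x - 1, n) is a proper factor.  Returns the sorted pair (p, q), or
    None if every base in `bases` only produced trivial roots.
    """
    k = e * d - 1
    assert k % 2 == 0, "e*d - 1 must be even"   # phi(n) is even for odd p, q
    s, r = split_exponent(k)
    for a in bases:
        g = gcd(a, n)
        if 1 < g < n:                 # lucky: the base itself shares a factor
            return tuple(sorted((g, n // g)))
        if g == n:
            continue
        x = pow(a, r, n)
        if x in (1, n - 1):           # every further root is trivial for this base
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                # x is a non-trivial square root of 1 mod n
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:            # hit -1: all later roots are 1, try next base
                break
            x = y
    return None

# Constructed toy key (textbook size only): p = 61, q = 53, phi(n) = 3120.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

if __name__ == "__main__":
    print(factor_from_private_exponent(TOY_N, TOY_E, TOY_D))   # (53, 61)
```

For the toy key the base 2 yields -1 before a non-trivial root and is discarded; base 3 gives a root that is 1 mod 61 and -1 mod 53, and gcd(x - 1, n) = 61.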

Factoring vs. discrete log
Define the function $L_n(a, b) = \exp\big((b + O(1)) (\ln n)^a (\ln \ln n)^{1-a}\big)$. If a = 1 then $L_n$ is exponential in $\ln n$; for a = 0, $L_n$ is polynomial in $\ln n$. If 0 < a < 1 then $L_n$ is called sub-exponential.
The best known method for factoring and for computing discrete logarithms is the general number field sieve, which has running time $L_n(1/3, 1.923)$.
- Factoring: August 1999, RSA-155 (512 bits), factored with GNFS in 8000 MIPS-years.
- Discrete log: April 2001, DLP-120 (400 bits), computed with GNFS in 400 MIPS-years.

Definition of elliptic curves
Let K be a field and $\bar{K}$ its algebraic closure; then an elliptic curve E over K is the set of solutions in $\mathbb{P}^2(\bar{K})$ of
$E: Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3$,
with $a_1, a_2, a_3, a_4, a_6 \in K$ and E non-singular.
Canonical forms over different fields K:

  Condition on K               Equation
  Char(K) ≠ 2, 3               $y^2 = x^3 + a_4 x + a_6$
  Char(K) = 3, j(E) ≠ 0        $y^2 = x^3 + a_2 x^2 + a_6$
  Char(K) = 3, j(E) = 0        $y^2 = x^3 + a_4 x + a_6$
  Char(K) = 2, j(E) ≠ 0        $y^2 + xy = x^3 + a_2 x^2 + a_6$
  Char(K) = 2, j(E) = 0        $y^2 + a_3 y = x^3 + a_4 x + a_6$

Group law on elliptic curves
[Figure: the elliptic curve $y^2 = x^3 - 7x + 6$ over $\mathbb{R}$ and the group law; left panel: construction of P + Q, right panel: construction of 2P.]

Elliptic curve over a finite field
[Figure: the points of the elliptic curve $y^2 = x^3 + x + 3 \bmod 23$.]

Elliptic curve discrete logarithm problem
Let $\mathbb{F}_q$ be a finite field with q elements and E an elliptic curve over $\mathbb{F}_q$. Take a point $P \in E(\mathbb{F}_q)$ and $k \in \mathbb{Z}$ and set $Q = kP$; then the ECDLP is: given Q and P, compute k.
Attacks on the ECDLP: let $n = \#E(\mathbb{F}_q)$.
- General attacks: work in any group and have run time $O(\sqrt{n})$. For an elliptic curve $n \approx q$, so $O(\sqrt{q})$, i.e. exponential in $\log q$.
- MOV attack: use the Weil pairing to reduce the ECDLP to the DLP in $\mathbb{F}_{q^l}^*$, with l the smallest integer such that $q^l \equiv 1 \bmod n$. For small l this leads to a sub-exponential attack.
- Anomalous curves: n = q. Apply the q-adic elliptic curve logarithm. Time complexity $O(\log q)$, i.e. linear in $\log q$.

Pohlig and Hellman attack
To solve the DLP in any finite abelian group G, it is sufficient to solve the DLP in all subgroups of prime power order; the original DLP can be recovered using CRT.
Suppose $|G| = n = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s}$ and we wish to solve $Q = mP$. Set $p = p_1$ and $e = e_1$; we show how to compute $m \bmod p^e$.
Restrict the DLP to the subgroup of order p by multiplying with $n_1 = n/p$, i.e. $Q_1 = n_1 Q = m (n_1 P) = m P_1 = m_0 P_1$ with $m_0 = m \bmod p$. Use a general attack to compute $m_0$.

Pohlig and Hellman attack (cont.)
Suppose we know $m_i = m \bmod p^i$; then $m \equiv m_i + \lambda_i p^i \bmod p^{i+1}$, with $0 \le \lambda_i < p$. Set $n_{i+1} = n/p^{i+1}$; then
$Q_{i+1} = n_{i+1} Q = m (n_{i+1} P) = (m_i + \lambda_i p^i) P_{i+1}$
and also
$Q_{i+1} - m_i P_{i+1} = \lambda_i (p^i P_{i+1}) = \lambda_i P_1$.
Again use a general attack to compute $\lambda_i$.
Conclusion: a general attack on the ECDLP exists with run time $O(\sqrt{p})$ where p is the largest prime factor of $\#E(\mathbb{F}_q)$. Before using an elliptic curve, check that $\#E(\mathbb{F}_q)$ is divisible by a large prime (at least 160 bits).
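The reduction is easiest to see on a curve small enough to enumerate. The following is an added example, not code from the slides: it implements the group law of $y^2 = x^3 + x + 3$ over $\mathbb{F}_{23}$ (the curve of slide 11), counts the points by brute force, and then runs the Pohlig-Hellman reduction of slides 13-14 with baby-step giant-step as the "general attack" inside each prime-order subgroup. The group order, the choice of a point of maximal order and the hidden scalar are all constructed here; nothing is taken from the slides except the curve.

```python
from math import isqrt

# Constructed example on the slides' curve y^2 = x^3 + x + 3 over F_23.
P_MOD, A, B = 23, 1, 3
O = None          # the point at infinity

def ec_add(P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + A x + B over F_p."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                   # Q == -P
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_neg(P):
    return O if P is O else (P[0], (-P[1]) % P_MOD)

def ec_mul(k, P):
    """Double-and-add scalar multiplication for k >= 0."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def curve_points():
    """All of E(F_23) by brute force (fine for a 23-element field)."""
    pts = [O]
    for x in range(P_MOD):
        for y in range(P_MOD):
            if (y * y - (x ** 3 + A * x + B)) % P_MOD == 0:
                pts.append((x, y))
    return pts

def factorize(n):
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def point_order(P, group_order):
    """Exact order of P, starting from a known multiple (the group order)."""
    n = group_order
    for p in factorize(group_order):
        while n % p == 0 and ec_mul(n // p, P) is O:
            n //= p
    return n

def bsgs(P1, R, p):
    """Baby-step giant-step in <P1> of prime order p: the lam with lam*P1 == R."""
    s = isqrt(p) + 1
    baby, T = {}, O
    for j in range(s):                         # baby steps j*P1, 0 <= j < s
        baby.setdefault(T, j)
        T = ec_add(T, P1)
    giant, G = ec_mul(s, ec_neg(P1)), R        # giant step subtracts s*P1
    for i in range(s):
        if G in baby:
            return (i * s + baby[G]) % p
        G = ec_add(G, giant)
    raise ValueError("R is not in <P1>")

def pohlig_hellman(P, Q, n):
    """Solve Q = m*P with ord(P) = n: m mod p^e for each p^e || n, then CRT."""
    residues, moduli = [], []
    for p, e in factorize(n).items():
        P1 = ec_mul(n // p, P)                 # generator of the subgroup of order p
        m_i = 0                                # m mod p^i, built one digit at a time
        for i in range(e):
            P_next = ec_mul(n // p ** (i + 1), P)
            Q_next = ec_add(ec_mul(n // p ** (i + 1), Q), ec_neg(ec_mul(m_i, P_next)))
            lam = bsgs(P1, Q_next, p)          # Q_{i+1} - m_i P_{i+1} = lam_i * P_1
            m_i += lam * p ** i
        residues.append(m_i)
        moduli.append(p ** e)
    m, M = 0, 1                                # Chinese remaindering
    for r, mod in zip(residues, moduli):
        m += M * (((r - m) * pow(M, -1, mod)) % mod)
        M *= mod
    return m % M

def demo(k):
    """Hide k behind a point of maximal order and recover it.
    Returns (#E(F_23), ord(P), recovered k)."""
    pts = curve_points()
    N = len(pts)
    P = max(pts[1:], key=lambda T: point_order(T, N))
    n = point_order(P, N)
    return N, n, pohlig_hellman(P, ec_mul(k % n, P), n)

if __name__ == "__main__":
    print(demo(17))
```

Because the group order of this curve is a prime power with a very small prime, every subgroup the attack descends into has only a handful of elements, which is exactly the weakness the slide's final check (a large prime factor of $\#E(\mathbb{F}_q)$) is meant to rule out.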

ECDLP vs. RSA & DLP
[Figure only; its contents were not preserved in the transcription.]

2B or not 2B, that's the question...
Fundamental Theorem of Arithmetic: given $n \in \mathbb{N}_0$, the factorisation of n into primes
$n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$
is unique up to order.
Different questions:
- What is the factorisation of n?
- Test if n is prime.
- Test if n is composite.

Tests of primality and of compositeness
Test of primality: if a certain condition on n is fulfilled, then n is prime, otherwise n is composite.
Test of compositeness: if a certain condition on n is fulfilled, then n is composite.

             Primality test     Compositeness test
  Success    n is prime         n is composite
  Fail       n is composite     ?

Tests of compositeness
Fermat's theorem: if p is prime and $\gcd(a, p) = 1$, then $a^{p-1} \equiv 1 \bmod p$.
Fermat compositeness test: if $\gcd(a, n) = 1$ and $a^{n-1} \not\equiv 1 \bmod n$, then n is composite.
Definition: an odd composite number n for which $a^{n-1} \equiv 1 \bmod n$ is called a Fermat pseudoprime for base a.
Example: $n = 341 = 11 \cdot 31$ gives $2^{340} \equiv 1 \bmod 341$, however $3^{340} \equiv 56 \bmod 341$.

Tests of compositeness
Data (Pomerance, Selfridge and Wagstaff), below $25 \cdot 10^9$:
- 21853 pseudoprimes to base 2
- 4709 pseudoprimes to bases 2 and 3
- 2552 pseudoprimes to bases 2, 3 and 5
- 1770 pseudoprimes to bases 2, 3, 5 and 7
Definition: an odd composite number n for which $a^{n-1} \equiv 1 \bmod n$ for all a satisfying $\gcd(a, n) = 1$ is called a Carmichael number.
Example: the smallest Carmichael number is $n = 561 = 3 \cdot 11 \cdot 17$.
Data: 2163 Carmichael numbers below $25 \cdot 10^9$ and 105212 below $10^{15}$.
Structure of Carmichael numbers: n is a Carmichael number iff n is composite and squarefree and $p - 1 \mid n - 1$ for every prime factor p of n.

Strong pseudoprime test
Definition: an odd composite number $n = 2^s d + 1$ with d odd is called a strong pseudoprime for base a if $a^d \equiv 1 \bmod n$ or $a^{2^r d} \equiv -1 \bmod n$ for some $r < s$.
Data (Jaeschke): below $10^{12}$ there are only 101 strong pseudoprimes to the bases 2, 3, 5.
Data: 341550071728321 is the smallest strong pseudoprime to the bases 2, 3, 5, 7, 11, 13, 17.
No strong Carmichael numbers: if n is odd and composite then n fails the strong pseudoprime test for at least 3/4 of the bases less than n.
Miller-Rabin algorithm: apply the strong pseudoprime test for t different bases $a_i$; if n is composite then this will be proved with probability $> 1 - (1/4)^t$.

Simple tests of primality
Trial division: if n is composite, then n has a prime factor $p \le \sqrt{n}$. If $p \nmid n$ for all primes $p \le \sqrt{n}$, then n is prime.
Strong pseudoprime test: if n passes the strong pseudoprime test for more than 1/4 of the bases smaller than n, then n is prime.
SPT with the Generalized Riemann Hypothesis: if n passes the strong pseudoprime test for all bases in $\{2, 3, \ldots, 2 (\log n)^2\}$, then n is prime. A proof of the Generalized Riemann Hypothesis therefore implies a deterministic polynomial-time primality test.
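The Fermat test, the strong test and Korselt's structure criterion for Carmichael numbers from slides 18-22 are short enough to implement and compare on the slides' own examples. The code below is an added example, not the slides' code; the base lists and the Carmichael factorisation routine are constructed here.

```python
from math import gcd

def fermat_witness(n, a):
    """True if base a proves n composite by Fermat's test."""
    return gcd(a, n) == 1 and pow(a, n - 1, n) != 1

def strong_witness(n, a):
    """True if base a proves n composite by the strong pseudoprime test.

    Write n - 1 = 2**s * d with d odd.  n passes for base a if a**d == 1 or
    a**(2**r * d) == -1 (mod n) for some r < s; otherwise a is a witness.
    """
    if n < 3 or n % 2 == 0:
        return n != 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a % n, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True

def miller_rabin(n, bases):
    """Probable-prime verdict: n passes iff no listed base is a strong witness."""
    return not any(strong_witness(n, a) for a in bases)

def small_prime_factors(n, limit=10**6):
    """Trial-division factorisation (exponents included) up to `limit`."""
    out, p = {}, 2
    while p * p <= n and p <= limit:
        while n % p == 0:
            out[p] = out.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def is_carmichael(n):
    """Korselt's criterion: n composite, squarefree, and p-1 | n-1 for every p | n."""
    f = small_prime_factors(n)
    if len(f) < 2 or any(e > 1 for e in f.values()):
        return False
    return all((n - 1) % (p - 1) == 0 for p in f)

if __name__ == "__main__":
    print(fermat_witness(341, 2), fermat_witness(341, 3))   # False True
    print(fermat_witness(561, 2), strong_witness(561, 2))   # False True
    print(is_carmichael(561), is_carmichael(341))           # True False
```

The strong test rejects 341 with base 2 and 561 with base 2, both of which the Fermat test accepts; the seven-base strong pseudoprime quoted on slide 20 is still accepted by exactly those seven bases, which is the reason the bound on the number of bases (or GRH) matters for a deterministic verdict.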

Tests of primality
Pocklington's theorem: let n > 1 be an integer and q a prime divisor of n - 1, with $q^e \mid (n-1)$ and $q^{e+1} \nmid (n-1)$. Suppose there is an integer a such that $a^{n-1} \equiv 1 \bmod n$ and $\gcd(a^{(n-1)/q} - 1, n) = 1$. Then every prime divisor p of n satisfies $p \equiv 1 \bmod q^e$.
Proof: let b be the order of a in $\mathbb{F}_p^*$. Then $b \mid p - 1$ and, since $a^{n-1} \equiv 1 \bmod p$, we have $b \mid n - 1$. However, $a^{(n-1)/q} \not\equiv 1 \bmod p$, so $b \nmid (n-1)/q$ and thus $q^e \mid b$, and so also $q^e \mid p - 1$.

Tests of primality
Corollary: write $n - 1 = F \cdot R$, with F and R coprime, the factorisation of F completely known and $F > \sqrt{n}$. Then n is prime if and only if for each prime factor q of F we can find an $a_q$ such that $a_q^{n-1} \equiv 1 \bmod n$ and $\gcd(a_q^{(n-1)/q} - 1, n) = 1$.
Proof: F divides p - 1 for every prime p dividing n, and $F > \sqrt{n}$. If n is prime, take a primitive root.
Problem: half of the factorisation of n - 1 should be known, and it should be proven that all factors of F are prime: the DOWNRUN process.

Tests of primality
Example: take $n = 105554676553297$; then $n - 1 = 2^4 \cdot 3 \cdot 1048583 \cdot 2097169$. Take $F = 1048583 \cdot 2097169$; then $a_{1048583} = a_{2097169} = 2$ will prove the primality of n if $p = 1048583$ and $q = 2097169$ are prime.
Now $p - 1 = 2 \cdot 29 \cdot 101 \cdot 179$; take $F = 29 \cdot 101$ and $a_{29} = a_{101} = 2$, then this proves the primality of p.
Also $q - 1 = 2^4 \cdot 3 \cdot 43691$; take $F = 3 \cdot 43691$ and $a_3 = 5$, $a_{43691} = 2$, then this proves the primality of q iff 43691 is prime.

Certificate of primality

  n                  prime q | n-1    a_q
  105554676553297    1048583          2
                     2097169          2
  1048583            29               2
                     101              2
  2097169            3                5
                     43691            2
  43691              257              3
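A certificate of this form is only useful if a third party can check it mechanically. The following is an added example (not the slides' code) that verifies the DOWNRUN certificate of slides 23-26: for each entry it checks the two Pocklington conditions, accumulates F from the exact prime powers dividing n - 1, and requires $F > \sqrt{n}$; the primes at the bottom of the tree (3, 29, 101, 257) are confirmed by trial division, a cut-off chosen here and not on the slides.

```python
from math import gcd, isqrt

# Certificate transcribed from the slides: n -> list of (q, a_q) with q a prime
# factor of n - 1 and a_q the witness base chosen for q.
CERTIFICATE = {
    105554676553297: [(1048583, 2), (2097169, 2)],
    1048583:         [(29, 2), (101, 2)],
    2097169:         [(3, 5), (43691, 2)],
    43691:           [(257, 3)],
}

def is_prime_by_trial_division(n):
    if n < 2:
        return False
    return all(n % p for p in range(2, isqrt(n) + 1))

def verify_pocklington(n, cert=CERTIFICATE, trial_division_bound=1000):
    """Check a Pocklington/DOWNRUN certificate for n.

    For every listed (q, a): q is proven prime first (recursively, or by
    trial division below the bound), then a**(n-1) == 1 (mod n) and
    gcd(a**((n-1)/q) - 1, n) == 1.  Every prime divisor p of n is then
    1 mod q**e, with q**e the exact power of q in n - 1.  With F the
    product of those q**e and F > sqrt(n), every prime p | n exceeds
    sqrt(n), so n is prime.  Returns False on any failed check.
    """
    if n < trial_division_bound:
        return is_prime_by_trial_division(n)
    if n not in cert:
        return False                       # nothing vouches for this n
    F = 1
    for q, a in cert[n]:
        if not verify_pocklington(q, cert, trial_division_bound):
            return False
        if (n - 1) % q != 0 or pow(a, n - 1, n) != 1:
            return False
        if gcd(pow(a, (n - 1) // q, n) - 1, n) != 1:
            return False
        e, m = 0, n - 1
        while m % q == 0:                  # exact power q**e || n - 1
            m //= q
            e += 1
        F *= q ** e
    return F * F > n                       # F > sqrt(n)

if __name__ == "__main__":
    print(verify_pocklington(105554676553297))   # True
```

The recursion mirrors the DOWNRUN order of the slides: the proof of n depends on the proofs of 1048583 and 2097169, and the latter on the proof of 43691.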

General principle for tests of primality
Definition: G is a group modulo n if its elements are (vectors of) residues modulo n and the group operation is defined in terms of arithmetic operations modulo n.
Defin
ition: let $d \mid n$; then the group $G_d$ derived from G by reducing modulo d is called the restricted group modulo d.
Example: $(\mathbb{Z}/n\mathbb{Z})^*$ is a group modulo n and for each $d \mid n$, $(\mathbb{Z}/d\mathbb{Z})^*$ is the restricted group modulo d.

General principle for tests of primality
Primality proof: let n be a highly probable prime and G a group modulo n. If there exist $x \in G$ and integers m, $s \mid m$ satisfying the following conditions, then n is prime:
- $s >$ the order of $G_q$ for each prime $q \mid n$ with $q \le \sqrt{n}$;
- $x^m = e$;
- for each prime $p \mid s$, at least one of the coordinates of $x^{m/p} - e$ is coprime to n.
Example: let $G = (\mathbb{Z}/n\mathbb{Z})^*$ and $q \mid n$ with $q \le \sqrt{n}$. Then $G_q = (\mathbb{Z}/q\mathbb{Z})^*$ and the order of $G_q$ is $q - 1 < \sqrt{n}$.
Problem: given n, this provides only one group $G = (\mathbb{Z}/n\mathbb{Z})^*$ modulo n.

Primality test based on elliptic curves
Definition: let n be a positive integer with $\gcd(n, 6) = 1$. An elliptic curve E over $\mathbb{Z}/n\mathbb{Z}$ is a curve $y^2 = x^3 + ax + b$ with $\gcd(4a^3 + 27b^2, n) = 1$. If $p \mid n$ then the reduction of E modulo p is an elliptic curve over $\mathbb{F}_p$.
Group operation on $E(\mathbb{Z}/n\mathbb{Z})$: let $P_1$ and $P_2$ be two points in $E(\mathbb{Z}/n\mathbb{Z})$ with $P_1 \ne P_2$. Define $P_1 + P_2$ using the ordinary elliptic curve group operation. Then $P_1 + P_2$ has denominators prime to n if and only if for all primes $p \mid n$, $(P_1 \bmod p) + (P_2 \bmod p)$ is different from O in $E(\mathbb{F}_p)$.

Primality test based on elliptic curves
Apply the general principle to $G = E(\mathbb{Z}/n\mathbb{Z})$: let $q \mid n$ with $q \le \sqrt{n}$; then $G_q = E(\mathbb{F}_q)$ and so $\#G_q \le (\sqrt{q} + 1)^2$. Since $q \le \sqrt{n}$, $\#G_q < (n^{1/4} + 1)^2$.
Let m, $s \mid m$ be integers with $s > (n^{1/4} + 1)^2$ and $P \in E(\mathbb{Z}/n\mathbb{Z})$ with
1. $mP = O$,
2. $(m/p)P$ is defined and different from O for each prime $p \mid s$;
then n is prime.

Primality test based on elliptic curves: algorithm
1. Select $a, b \in \mathbb{Z}/n\mathbb{Z}$ such that $E_{a,b}$ is an elliptic curve over $\mathbb{Z}/n\mathbb{Z}$.
2. Determine $m = \#E(\mathbb{Z}/n\mathbb{Z})$ as if n were prime.
3. Test if $m = k \cdot q$ with $k > 1$ and q a probable prime $> (n^{1/4} + 1)^2$.
4. If this test fails then return to 1, else proceed.
5. Select a point $P = (x, y) \in E(\mathbb{Z}/n\mathbb{Z})$.
6. Compute $(m/q)P = kP$. If this is undefined, then a divisor of n is found. If
8. Prove the primality of q recursively, using this algorithm.

Proof that $n = 2^{100} + 277$ is prime
Consider the elliptic curve $E_{a,b}$ with
a = 169317673849406496638751929789,
b = 535428649309014131591402355077.
m = 1267650600228230776357544186344 is the order of $E(\mathbb{Z}/n\mathbb{Z})$ and has the 81-bit cofactor $p_1$ = 1764763222984205716119937, which is probably prime.
P = (1223116517107234371890879608558, 348818700976692547697219665601) is a point on $E_{a,b}$ and satisfies $mP = O$ and $(m/q)P \ne O$.

Proof that $n = 2^{100} + 277$ is prime
[Continuation of the proof; the slide's contents were not preserved in the transcription.]

Selecting E and m: Goldwasser & Kilian
- Select $a, b \in \mathbb{Z}/n\mathbb{Z}$ such that $\gcd(n, 4a^3 + 27b^2) = 1$.
- Compute $\#E(\mathbb{Z}/n\mathbb{Z})$ using Schoof's algorithm (run time $O(\log^8 n)$). If the algorithm fails, then n is not prime; else it produces m.
- If m is not of the form $k \cdot q$ then go back to the first step.
Under reasonable hypotheses on the distribution of primes in small intervals (i.e. of length $O(\sqrt{x})$), the expected run time is $O(\log^{12} n)$.

Selecting E and m: Atkin
Let $\#E(\mathbb{F}_p) = p + 1 - t$; then the complex multiplication field of E is $L = \mathbb{Q}(\sqrt{t^2 - 4p})$.
- If L is known for a certain E, then $m = \#E(\mathbb{F}_p)$ can easily be computed.
- If L and p are given, then a small list of m's can be computed for those elliptic curves which have L as their CM field.
- Given an imaginary quadratic field L and a prime p, a small list of elliptic curves over $\mathbb{F}_p$ having L as CM field can be constructed.

Selecting E and m: Atkin (cont.)
1. Select an imaginary quadratic field L which has not been used yet.
2. Compute the candidate m's for elliptic curves with L as CM field.
3. If none of these m is of the form $k \cdot q$ with $k > 1$ and q a probable prime $> (n^{1/4} + 1)^2$, then return to (1).
4. Let m have the right form. Compute the small list of curves E over $\mathbb{Z}/n\mathbb{Z}$ with L as CM field. Select the curve E with $\#E(\mathbb{Z}/n\mathbb{Z}) = m$, e.g. by testing if $mP = O$.
Expected run time of the CM primality test: $O(\log^{6+\varepsilon} n)$.

Counting Points on Elliptic Curves in Characteristic 2
Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography

Overview
- Elliptic curves over finite fields of characteristic 2
- The Frobenius endomorphism
- Counting two by two
- Baby-step giant-step
- Weil's theorem and Koblitz curves
- Schoof's algorithm
- Improvements of Elkies and Atkin
- Satoh's algorithm

Elliptic curves over finite fields of characteristic 2
- Finite field of characteristic 2: $\mathbb{F}_q = \mathbb{F}_2[X]/(f(X))$, $q = 2^n$.
- Algebraic closure: $\bar{\mathbb{F}}_q = \bigcup_{m \ge 1} \mathbb{F}_{q^m}$.
- Theorem: for $x \in \bar{\mathbb{F}}_q$, $x \in \mathbb{F}_q \iff x^q = x$.
- Elliptic curve E over $\mathbb{F}_q$ ($a, b \in \mathbb{F}_q$): $y^2 + xy = x^3 + ax^2 + b$, with $O = [0 : 1 : 0]$.
- Isomorphism classes: $a \in \{0, \gamma\}$ with $\mathrm{Tr}(\gamma) = 1$, and $\#E_{0,b}(\mathbb{F}_q) + \#E_{\gamma,b}(\mathbb{F}_q) = 2q + 2$.

Frobenius endomorphism
- Def: Frobenius endomorphism $F: E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q): (x, y) \mapsto (x^q, y^q)$.
- Def: trace of Frobenius t: $\#E(\mathbb{F}_q) = q + 1 - t$.
- Def: $[m]: E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q): P \mapsto mP$.
- Characteristic equation of F: $F^2 - [t]F + [q] = [0]$.
- Hasse (1933): the trace of Frobenius satisfies $|t| \le 2\sqrt{q}$.

Counting two by two
The number of solutions of $Ax^2 + Bx + C = 0$ with $A \ne 0$, $B, C \in \mathbb{F}_q$ is: 1 solution if $B = 0$, and $2\big(1 - \mathrm{Tr}(AC/B^2)\big)$ solutions if $B \ne 0$.
For E over $\mathbb{F}_q$ given by $y^2 + xy = x^3 + ax^2 + b$, the point $(0, \sqrt{b})$ lies in $E(\mathbb{F}_q)$. If $x \ne 0$ then the points also satisfy $(y/x)^2 + y/x = x + a + b/x^2$, and therefore one can compute $\#E(\mathbb{F}_q)$ as
$\#E(\mathbb{F}_q) = 2 + \sum_{x \in \mathbb{F}_q^*} 2\big(1 - \mathrm{Tr}(x + a + b/x^2)\big)$.
Slow algorithm, with complexity $O(q \log^2 q)$; useful for $q < 2^{30}$.

Baby-step giant-step algorithm
- Hasse-Weil: $\#E(\mathbb{F}_q) \in H := [q + 1 - 2\sqrt{q},\ q + 1 + 2\sqrt{q}]$.
- Set $N = \lceil \sqrt[4]{q} \rceil$ and write $x = jN - i$ with $i, j \in \mathbb{N}$ and $i < N$.
- Generate a point P on the curve and suppose $\bar{x} = \bar{j}N - \bar{i} \in H$ satisfies $\bar{x}P = O$, i.e. $(\bar{j}N)P = \bar{i}P$.
- Precompute a table with $iP$ for $0 \le i < N$.
- Compute $Q = NP$ and compare $jQ$ with the table for the j with $jN - i \in H$.
- If there is a match, compute $\mathrm{Ord}(P) \mid j_m N - i_m$ and derive $\#E(\mathbb{F}_q)$.
Time $O(\sqrt[4]{q} \log^2 q)$, memory $O(\sqrt[4]{q})$.

Weil's theorem & Koblitz curves
Weil: let E be defined over $\mathbb{F}_q$ with $\#E(\mathbb{F}_q) = q + 1 - t$ and let $X^2 - tX + q = (X - \alpha)(X - \beta)$; then for every $m \in \mathbb{N}$ we have
$\#E(\mathbb{F}_{q^m}) = q^m + 1 - (\alpha^m + \beta^m)$.
Recursion: set $t_0 = 2$ and $t_m = q^m + 1 - \#E(\mathbb{F}_{q^m})$; then the $t_m$ satisfy $t_{m+1} = t_1 t_m - q\, t_{m-1}$.
- A curve over $\mathbb{F}_2$ is called a Koblitz curve.
- If $l \mid m$ then $E(\mathbb{F}_{2^l})$ is a subgroup of $E(\mathbb{F}_{2^m})$, so $\#E(\mathbb{F}_{2^l}) \mid \#E(\mathbb{F}_{2^m})$.
- Very few Koblitz curves have #E divisible by a large prime.
- NIST: Koblitz curves over $\mathbb{F}_{2^m}$ with m = 163, 233, 283, 409, 571.
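The two-by-two count of slide 42 and the Weil recursion above can be checked against each other on a field small enough to enumerate. The following is an added example, not code from the slides: it builds $\mathbb{F}_{16} = \mathbb{F}_2[t]/(t^4 + t + 1)$ (the defining polynomial is chosen here), counts the points of the Koblitz curve $y^2 + xy = x^3 + x^2 + 1$ over $\mathbb{F}_{16}$ three ways (trace formula, brute force, and Weil's recursion from the count over $\mathbb{F}_2$), and verifies the twist identity $\#E_{0,b} + \#E_{\gamma,b} = 2q + 2$ from slide 40.

```python
# Constructed example: F_16 = F_2[t]/(t^4 + t + 1), elements as 4-bit integers.
N_BITS = 4
MODULUS = 0b10011            # t^4 + t + 1, irreducible over F_2
Q = 1 << N_BITS              # q = 16

def gf_mul(a, b):
    """Carry-less multiplication reduced modulo the defining polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    return gf_pow(a, Q - 2)   # a^(q-1) = 1, so a^(q-2) is the inverse

def gf_trace(x):
    """Absolute trace Tr(x) = x + x^2 + x^4 + ... + x^(2^(n-1)), an element of F_2."""
    t, y = 0, x
    for _ in range(N_BITS):
        t ^= y
        y = gf_mul(y, y)
    return t

def count_two_by_two(a, b):
    """#E(F_q) for y^2 + xy = x^3 + a x^2 + b: the substitution z = y/x turns each
    x != 0 into z^2 + z = x + a + b/x^2, which has 2 solutions iff the trace is 0."""
    total = 2                                  # O and the point (0, sqrt(b))
    for x in range(1, Q):
        b_over_x2 = gf_mul(b, gf_inv(gf_mul(x, x)))
        total += 2 * (1 - gf_trace(x ^ a ^ b_over_x2))
    return total

def count_brute_force(a, b):
    """Independent check: test every (x, y) in F_q x F_q against the curve equation."""
    affine = 0
    for x in range(Q):
        x2 = gf_mul(x, x)
        rhs = gf_mul(x2, x) ^ gf_mul(a, x2) ^ b
        for y in range(Q):
            if gf_mul(y, y) ^ gf_mul(x, y) == rhs:
                affine += 1
    return affine + 1

def trace_over_f2(a, b):
    """t_1 = 2 + 1 - #E(F_2) for a, b in {0, 1}, by checking the four affine candidates."""
    affine = sum(1 for x in (0, 1) for y in (0, 1)
                 if (y * y + x * y) % 2 == (x ** 3 + a * x * x + b) % 2)
    return 2 + 1 - (affine + 1)

def weil_count(t1, m, q=2):
    """#E(F_{q^m}) from t_1 via t_{m+1} = t_1 t_m - q t_{m-1}, t_0 = 2."""
    t_prev, t_cur = 2, t1
    for _ in range(m - 1):
        t_prev, t_cur = t_cur, t1 * t_cur - q * t_prev
    return q ** m + 1 - t_cur

if __name__ == "__main__":
    print(count_two_by_two(1, 1), count_brute_force(1, 1), weil_count(trace_over_f2(1, 1), 4))
```

For this curve $\#E(\mathbb{F}_2) = 2$, so $t_1 = 1$, and the recursion gives $t_4 = 1$ and $\#E(\mathbb{F}_{16}) = 16$; both direct counts agree, and since $\mathrm{Tr}(1) = 0$ in $\mathbb{F}_{16}$ the curve with a = 1 falls in the same isomorphism class as a = 0 there.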

Schoof's algorithm (1985)
- Idea: compute the trace of Frobenius $t \bmod l_i$ for primes $l_i$ with $\prod_i l_i > 4\sqrt{q}$ and use CRT to compute the correct value of t.
- Def: l-torsion group $E[l] = \{P \in E \mid lP = O\} \cong \mathbb{Z}_l \times \mathbb{Z}_l$.
- Idea: restrict the characteristic equation of F to E[l]: $F_l^2 - [t_l]F_l + [q_l] = [0]$, where $t_l = t \bmod l$ and $q_l = q \bmod l$.
- For all l-torsion points $P = (x, y)$: $(x^{q^2}, y^{q^2}) + [q_l](x, y) = [t_l](x^q, y^q)$.
Algorithm: test for every $\tau \in \{0, 1, \ldots, l-1\}$ whether $(x^{q^2}, y^{q^2}) + [q_l](x, y) = [\tau](x^q, y^q)$.

Schoof's algorithm: details
How can we compute in E[l]? Solution: division polynomials $f_l$ of degree $(l^2 - 1)/2$:
$f_0 = 0$, $f_1 = 1$, $f_2 = x$, $f_3 = x^4 + x^3 + a_6$, $f_4 = x^6 + a_6 x^2$,
$f_{2m+1} = f_m^3 f_{m+2} + f_{m-1} f_{m+1}^3$ for $m \ge 2$,
$x f_{2m} = f_{m-1}^2 f_m f_{m+2} + f_{m-2} f_m f_{m+1}^2$ for $m \ge 3$.
Theorem: $P = (x, y) \in E[l] \iff f_l(x) = 0$.
Note $P \in E[l] \Rightarrow F(P) \in E[l]$, so if $S = \{x(P) : P \in E[l] \setminus O\}$ then $f_l(x) = \prod_{\alpha \in S} (x - \alpha) \in \mathbb{F}_q[x]$.

Schoof's algorithm: details
Theorem: for $m \ge 2$ and $P = (x, y) \in E \setminus O$, $mP = (\tilde{x}, \tilde{y})$ with
$\tilde{x} = x + \dfrac{f_{m-1} f_{m+1}}{f_m^2}$,
$\tilde{y} = x + y + \dfrac{f_{m-1} f_{m+1}}{f_m^2} + \dfrac{f_{m-2} f_{m+1}^2}{x f_m^3} + (x^2 + y)\dfrac{f_{m-1} f_{m+1}}{x f_m^2}$.
All computations in E[l] are transformed to $\mathbb{F}_q[x]/(f_l(x))$.
Time complexity $O(\log^8 q)$, memory complexity $O(\log^3 q)$. Useful for fields with $q < 2^{130}$.

Ideas of Elkies and Atkin
- Idea: are the roots of $X^2 - t_l X + q_l$ in $\mathbb{F}_l$ or not?
- Criterion: is $\Delta = t^2 - 4q$ a square modulo l or not?
- Def: if Δ is a square modulo l then l is an Elkies prime, else l is an Atkin prime.
- Note $E[l] \cong \mathbb{Z}_l \times \mathbb{Z}_l = \bigcup_{i=1}^{l+1} C_i$; if $P_1, P_2$ generate E[l] then $C_1 = \langle P_1 \rangle$, $C_2 = \langle P_2 \rangle$, $C_i = \langle P_1 + (i-2)P_2 \rangle$ for $i = 3, \ldots, l+1$.
- Study the action of $F_l$ on these groups of order l: if $F_l(C_i) \subseteq C_i$ then $F_l(C_i) = C_i$ and $F_l$ has an eigenvalue $\lambda \in \mathbb{F}_l$.

Ideas of Elkies and Atkin (cont.)
Suppose l is an Elkies prime; then $X^2 - t_l X + q_l = (X - \lambda)(X - \mu)$ with $\lambda, \mu \in \mathbb{F}_l$.
- At least one of the $C_i$ is invariant under the Frobenius map.
- Let $g_l(x) = \pm\prod_{P_i \in C_1 \setminus O} (x - x(P_i))$; then $g_l(x) \in \mathbb{F}_q[x]$.
- Note that $\deg(g_l) = (l-1)/2$ and $g_l(x) \mid f_l(x)$, so this is more efficient.
- Equating coefficients of the characteristic polynomial of $F_l$ gives $t \equiv \lambda + q/\lambda \bmod l$.

Ideas of Elkies and Atkin (cont.)
Problem: how can one compute $g_l(x)$? Solution: compute the isogeny φ with kernel $C_1$,
$\varphi: E \to E': (x, y) \mapsto \left( \dfrac{G(x)}{g_l(x)^2},\ \dfrac{H(x) + y K(x)}{g_l(x)^3} \right)$.
Suppose l is an Atkin prime; then Δ is a quadratic non-residue modulo l. Generate a number of possibilities for $t \bmod l$.
Final step: combine the information from both Elkies and Atkin primes. Complexity $O(\log^6 q)$.

Isogenies and modular polynomials
- A morphism from $E_1$ to $E_2$ is a rational map that is defined at every point P on $E_1$.
- An isogeny is a morphism I with $I(O_1) = O_2$.
- Theorem: every isogeny is a group homomorphism from $E_1$ to $E_2$.
- Suppose I is separable; then the degree of I equals $\#\ker(I)$.
- Theorem: let E be an elliptic curve over $\mathbb{F}_q$ and S a subgroup of E with $F(S) = S$; then there exist an elliptic curve E' and an isogeny $\varphi: E \to E'$ defined over $\mathbb{F}_q$ with $\ker(\varphi) = S$.

Isogenies and modular polynomials (cont.)
Let $j_a = 1/a$ be the j-invariant of the curve $E_a: y^2 + xy = x^3 + a$.
Theorem: for every prime l there exists a modular polynomial $\Phi_l(x, y)$ of degree $l + 1$ with the following properties:
- there exists an isogeny of degree l from $E_a$ to $E_b$ iff $\Phi_l(j_a, j_b) = 0$;
- the polynomial $\Phi_l(x, j_a)$ has a root $j_b \in \mathbb{F}_{q^r}$ iff the kernel of the isogeny $I: E_a \to E_b$ is a one-dimensional eigenspace of $F^r$ in E[l];
- the polynomial $\Phi_l(x, j_a)$ splits completely in $\mathbb{F}_{q^r}[x]$ iff $F^r$ acts as a scalar matrix on E[l].

Isogenies and modular polynomials
Theorem: let the factorisation of $\Phi_l(x, j_a)$ be $h_1 h_2 \cdots h_s$; then the possibilities for the degrees of $h_1, h_2, \ldots, h_s$ are:
- $(1\ l)$ or $(1\ 1 \ldots 1)$, and $t^2 - 4q \equiv 0 \bmod l$;
- $(1\ 1\ r \ldots r)$ with $r \mid l - 1$, $t^2 - 4q$ a square modulo l, and F acting on E[l] as the matrix $\begin{pmatrix} \lambda & 0 \\ 0 & \mu \end{pmatrix}$;
- $(r\ r \ldots r)$ with $r > 1$, $r \mid l + 1$, $t^2 - 4q$ not a square modulo l, and t satisfying $t^2 \equiv q(\zeta + 2 + \zeta^{-1}) \bmod l$ for ζ a primitive r-th root of unity in $\mathbb{F}_{l^2}$.

SEA algorithm: outline
1. $M := 1$, $l := 2$, $A := \{\}$, $E := \{\}$.
2. While $M < 4\sqrt{q}$ do:
   (a) Compute the modular polynomial $\Phi_l(x, y)$.
   (b) Compute the splitting type S of $\Phi_l(x, j)$.
   (c) If $S = (1\ l)$ or $S = (1\ 1 \ldots 1)$: $E \leftarrow E \cup \{(2\sqrt{q}, l)\}$.
   (d) If $S = (1\ 1\ r \ldots r)$: compute the polynomial $F_l(x)$ via an isogeny; find the eigenvalue λ modulo l; $t \equiv \lambda + q/\lambda \bmod l$; $E \leftarrow E \cup \{(t, l)\}$.
   (e) If $S = (r\ r \ldots r)$: compute the set T such that $t \bmod l \in T$.
3. Compute t exactly using match and sort.

Satoh's algorithm: main idea
Theorem of Deuring: there exists an elliptic curve $\mathcal{E}$ over a p-adic field such that the reduction modulo p of $\mathcal{E}$ equals E and $\mathrm{End}(\mathcal{E}) \cong \mathrm{End}(E)$. The elliptic curve $\mathcal{E}$ is called the canonical lift of E.
[Diagram: $\mathcal{F}: \mathcal{E} \to \mathcal{E}$ lies over $F: E \to E$ via the reduction map π.]
Since $\mathrm{Tr}\,\mathcal{F} = \mathrm{Tr}\,F = t$, it suffices to compute $\mathrm{Tr}\,\mathcal{F}$.

p-adic integers and extensions
- A p-adic integer is a sequence $x = (x_1, x_2, \ldots, x_k, \ldots)$ with $x_k \in \mathbb{Z}/p^k\mathbb{Z}$ and $x_{k+1} \equiv x_k \bmod p^k$ for $k \ge 1$.
- Projection $\pi_k: \mathbb{Z}_p \to \mathbb{Z}/p^k\mathbb{Z}: x \mapsto x_k$, and $\pi(\mathbb{Z}_p) = \mathbb{F}_p$.
- Let $q = p^n$ and $f(t)$ a monic polynomial in $\mathbb{Z}_p[t]$ of degree n with $\pi(f)$ irreducible in $\mathbb{F}_p[t]$; then $\mathbb{Z}_q$ is defined as $\mathbb{Z}_p[t]/(f(t))$.
- If $a \in \mathbb{Z}_q$ then $a = a_{n-1} t^{n-1} + \cdots + a_1 t + a_0$ with $a_i \in \mathbb{Z}_p$.
- Note $\pi(\mathbb{Z}_q) = \mathbb{F}_q$ and $\pi_k(\mathbb{Z}_q) = (\mathbb{Z}/p^k\mathbb{Z})[t]/(f(t))$.

Newton iteration
Let $f(t) \in \mathbb{Z}_q[t]$ and suppose $x_0 \in \mathbb{Z}_q$ satisfies $f(x_0) \equiv 0 \bmod p^m$ and $f'(x_0) \not\equiv 0 \bmod p$; then we get a better approximate root $x_1$ of f as
$x_1 = x_0 - \dfrac{f(x_0)}{f'(x_0)}$,
which satisfies $f(x_1) \equiv 0 \bmod p^{2m}$ and $f'(x_1) \not\equiv 0 \bmod p$.
General case: let $k \in \mathbb{N}$ be the largest integer with $f'(x_0) \equiv 0 \bmod p^k$. If $m > 2k$, then we can compute a better approximate root $x_1$ with $f(x_1) \equiv 0 \bmod p^{2m-2k}$.
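In practice a p-adic element is held to finite precision as a residue modulo $p^k$ (the projection $\pi_k$ of the previous slide), and each Newton step doubles k. The following is an added example, not code from the slides, that applies the simple-root step above to $f(x) = x^2 - 2$ over $\mathbb{Z}_7$ starting from $x_0 = 3$ (a choice made here, since $3^2 \equiv 2 \bmod 7$) and refuses to run when the precondition $f'(x_0) \not\equiv 0 \bmod p$ fails.

```python
def newton_lift(f, df, x0, p, m, steps):
    """Lift an approximate root x0 of f in Z_p, working in Z/p^k Z.

    Preconditions (checked): f(x0) = 0 mod p^m and f'(x0) != 0 mod p.
    Each step x <- x - f(x)/f'(x), computed modulo p^(2m), doubles the
    precision m -> 2m.  Returns (root, final precision exponent).
    """
    if f(x0) % p ** m != 0:
        raise ValueError("x0 is not a root modulo p^m")
    if df(x0) % p == 0:
        raise ValueError("f'(x0) = 0 mod p: the simple Newton step does not apply")
    x, prec = x0 % p ** m, m
    for _ in range(steps):
        prec *= 2
        mod = p ** prec
        # f'(x) is a unit mod p, hence invertible mod p^prec; x stays = x0 mod p.
        x = (x - f(x) * pow(df(x), -1, mod)) % mod
    return x, prec

# Constructed example: the 7-adic square root of 2, starting from 3^2 = 9 = 2 mod 7.
def sqrt2_in_Z7(steps):
    return newton_lift(lambda x: x * x - 2, lambda x: 2 * x, 3, 7, 1, steps)

if __name__ == "__main__":
    root, prec = sqrt2_in_Z7(4)
    print(root, prec, (root * root - 2) % 7 ** prec)   # ..., 16, 0
```

After one step the root is 10 modulo 49 ($10^2 = 100 = 2 \cdot 49 + 2$), and four steps reach precision $7^{16}$; the same loop is what the multivariate lift of the j-invariants later in the deck performs with a Jacobian in place of $f'$.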

Computing the canonical lift of an elliptic curve
- The little Frobenius endomorphism $\sigma: \mathbb{F}_q \to \mathbb{F}_q: x \mapsto x^p$.
- Applying σ to the coefficients of E gives the conjugate $E^\sigma$; extend the little Frobenius to elliptic curves as $\sigma: E \to E^\sigma: (x, y) \mapsto (x^p, y^p)$.
- If $p = 2$ then $E^\sigma$ is given by the equation $y^2 + xy = x^3 + a^2$.
- Let $E_i = E^{\sigma^{n-i}}$ and $\sigma_i: E_{i+1} \to E_i: (x, y) \mapsto (x^p, y^p)$:
$E = E_n \xrightarrow{\sigma_{n-1}} E_{n-1} \xrightarrow{\sigma_{n-2}} \cdots \xrightarrow{\sigma_1} E_1 \xrightarrow{\sigma_0} E_0 = E$.
- Frobenius endomorphism $F = \sigma_0 \circ \cdots \circ \sigma_{n-1}$.

Computing the canonical lift of an elliptic curve
Theorem of Lubin-Serre-Tate: let E be an elliptic curve over $\mathbb{F}_q$ with j-invariant $j(E) \in \mathbb{F}_q \setminus \mathbb{F}_{p^2}$, and consider the diagram
[canonical lifts $\mathcal{E}_i$ with maps $\Sigma_i: \mathcal{E}_{i+1} \to \mathcal{E}_i$ for $i = n-1, \ldots, 0$, each lying over $\sigma_i: E_{i+1} \to E_i$ via the reduction π];
then the j-invariants $j(\mathcal{E}_i)$ satisfy $j(\mathcal{E}_i) \in \mathbb{Z}_q$, $\Phi_p(j(\mathcal{E}_i), j(\mathcal{E}_{i+1})) = 0$ and $j(\mathcal{E}_i) \equiv j(E_i) \bmod p$.

Computing the canonical lift of an elliptic curve
Let the vector function $\Theta: \mathbb{Z}_q^n \to \mathbb{Z}_q^n$ be
$\Theta(x_0, \ldots, x_{n-1}) = \big(\Phi_p(x_0, x_1), \Phi_p(x_1, x_2), \ldots, \Phi_p(x_{n-1}, x_0)\big)$
and denote by $(D\Theta)(x_0, \ldots, x_{n-1})$ its Jacobian matrix, i.e.
$$
\begin{pmatrix}
\frac{\partial \Phi_p}{\partial X}(x_0, x_1) & \frac{\partial \Phi_p}{\partial Y}(x_0, x_1) & 0 & \cdots & 0 \\
0 & \frac{\partial \Phi_p}{\partial X}(x_1, x_2) & \frac{\partial \Phi_p}{\partial Y}(x_1, x_2) & \cdots & 0 \\
\vdots & & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & \frac{\partial \Phi_p}{\partial X}(x_{n-2}, x_{n-1}) & \frac{\partial \Phi_p}{\partial Y}(x_{n-2}, x_{n-1}) \\
\frac{\partial \Phi_p}{\partial Y}(x_{n-1}, x_0) & 0 & \cdots & 0 & \frac{\partial \Phi_p}{\partial X}(x_{n-1}, x_0)
\end{pmatrix}
$$
Then one can lift $(j(E_0), \ldots, j(E_{n-1}))$ to $(j(\mathcal{E}_0), \ldots, j(\mathcal{E}_{n-1}))$ via the iteration
$(x_0, \ldots, x_{n-1}) \leftarrow (x_0, \ldots, x_{n-1}) - \big((D\Theta)^{-1}\Theta\big)(x_0, \ldots, x_{n-1})$.

Computing the trace of Frobenius on the lifted curve
Theorem (Satoh): let $\hat{\mathcal{E}}$ be the formal group associated with $\mathcal{E}$, $f \in \mathrm{End}(\mathcal{E})$ with induced $\hat{f} \in \mathrm{End}(\hat{\mathcal{E}})$, and $\pi(f)$ separable. If $\hat{f}(z) = cz + O(z^2)$ then $\mathrm{Tr}(f) = c + q/c$.
$\mathcal{F}$ is inseparable, so take the dual $\hat{\mathcal{F}}$, which is separable.
[Diagram: the duals $\hat{\Sigma}_i: \mathcal{E}_i \to \mathcal{E}_{i+1}$ for $i = 0, \ldots, n-1$, each lying over $\hat{\sigma}_i: E_i \to E_{i+1}$ via the reduction π.]
Let $\hat{\Sigma}_i(z) = c_i z + O(z^2)$; then $c = \prod_{i=0}^{n-1} c_i$.

Computing the trace of Frobenius on the lifted curve (cont.)
Theorem: let $\mathcal{E}$ be an elliptic curve and G a finite subgroup of $\mathcal{E}$; then there exist a unique elliptic curve $\mathcal{E}'$ and a separable isogeny $\varphi: \mathcal{E} \to \mathcal{E}'$ with $\ker \varphi = G$.
[Diagram: $\hat{\Sigma}_i: \mathcal{E}_i \to \mathcal{E}_{i+1}$ factors as $\nu: \mathcal{E}_i \to \mathcal{E}_i/\ker\hat{\Sigma}_i$ followed by $\lambda: \mathcal{E}_i/\ker\hat{\Sigma}_i \to \mathcal{E}_{i+1}$.]
Vélu's formulae give the equation of $\mathcal{E}_i/\ker\hat{\Sigma}_i$ and of the isogeny ν. This finally leads to a formula for $c_i^2$.

Outline of Satoh's algorithm
Input: an elliptic curve E over the finite field $\mathbb{F}_q$.
Output: the trace of Frobenius $t = q + 1 - \#E(\mathbb{F}_q)$.
1. Compute the conjugates of E, i.e. $E^{\sigma^i}$ for $i = 0, \ldots, n-1$.
2. Lift the j-invariants $j(E_i)$ simultaneously to $j(\mathcal{E}_i)$ using a multivariate Newton iteration.
3. Compute the squares $c_i^2$ using $j(\mathcal{E}_i)$ and $j(\mathcal{E}_{i+1})$.
4. Set $c^2 = \prod_{i=0}^{n-1} c_i^2$ and compute c with the correct sign.
5. Return t with $t \equiv c \bmod p^{\lfloor (n+3)/2 \rfloor}$ and $|t| \le 2\sqrt{q}$.
Time $O(\log^{3+\epsilon} q)$, memory $O(\log^3 q)$. Recently: a new algorithm with memory $O(\log^2 q)$.