Efficient Computation of Roots in Finite Fields

Similar documents
Generating more MNT elliptic curves

Some Efficient Algorithms for the Final Exponentiation of η T Pairing

Formulas for cube roots in F 3 m

Efficient Algorithms for Pairing-Based Cryptosystems

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Efficient Algorithms for Pairing-Based Cryptosystems

Modular Multiplication in GF (p k ) using Lagrange Representation

Multiplicative Order of Gauss Periods

Optimised versions of the Ate and Twisted Ate Pairings

A Remark on Implementing the Weil Pairing

Compressed Pairings. 1 School of Computing

Implementing Pairing-Based Cryptosystems

Efficient Tate Pairing Computation Using Double-Base Chains

Taking Roots over High Extensions of Finite Fields

Goldbach s Conjecture on ECDSA Protocols N Vijayarangan, S Kasilingam, Nitin Agarwal

The Final Exponentiation in Pairing-Based Cryptography

On the distribution of irreducible trinomials over F 3

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Constructing Abelian Varieties for Pairing-Based Cryptography

GENERATORS OF FINITE FIELDS WITH POWERS OF TRACE ZERO AND CYCLOTOMIC FUNCTION FIELDS. 1. Introduction

Lecture Notes, Week 6

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Optimal Use of Montgomery Multiplication on Smart Cards

Asymmetric Cryptography

A REDUCTION OF SEMIGROUP DLP TO CLASSIC DLP

Chapter 4 Asymmetric Cryptography

Fast hashing onto pairing-friendly elliptic curves over ternary fields

Introduction to Elliptic Curve Cryptography. Anupam Datta

A New Algorithm to Compute Terms in Special Types of Characteristic Sequences

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Public Key Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

José Felipe Voloch. Abstract: We discuss the problem of constructing elements of multiplicative high

Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields

No.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such

anomalous binary curves, also known as Koblitz curves. The application of our algorithm could lead to efficient implementations of elliptic curve cryp

Optimal Extension Field Inversion in the Frequency Domain

Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions

Lecture 1: Introduction to Public key cryptography

CPSC 467b: Cryptography and Computer Security

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Katherine Stange. Pairing, Tokyo, Japan, 2007

Number Theory A focused introduction

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Katherine Stange. ECC 2007, Dublin, Ireland

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

FURTHER REFINEMENT OF PAIRING COMPUTATION BASED ON MILLER S ALGORITHM

How to Hash into Elliptic Curves

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves

A message recovery signature scheme equivalent to DSA over elliptic curves

Number theory (Chapter 4)

CS483 Design and Analysis of Algorithms

Constructing Families of Pairing-Friendly Elliptic Curves

Theoretical Cryptography, Lecture 13

output H = 2*H+P H=2*(H-P)

ICS141: Discrete Mathematics for Computer Science I

On the Complexity of the Dual Bases of the Gaussian Normal Bases

CPSC 467b: Cryptography and Computer Security

CIS 551 / TCOM 401 Computer and Network Security

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

CS 6260 Some number theory

CPSC 467b: Cryptography and Computer Security

Pairings for Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2018

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

A New Attack on RSA with Two or Three Decryption Exponents

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

Hashing into Hessian Curves

CPSC 467: Cryptography and Computer Security

cse 311: foundations of computing Fall 2015 Lecture 11: Modular arithmetic and applications

Partial Key Exposure: Generalized Framework to Attack RSA

Breaking Plain ElGamal and Plain RSA Encryption

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Introduction to Cybersecurity Cryptography (Part 5)

Analyzing and Optimizing the Combined Primality test with GCD Operation on Smart Mobile Devices

RATIONAL POINTS ON SOME FERMAT CURVES AND SURFACES OVER FINITE FIELDS

Asymmetric Encryption

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

BREAKING THE AKIYAMA-GOTO CRYPTOSYSTEM. Petar Ivanov & José Felipe Voloch

Algorithms (II) Yu Yu. Shanghai Jiaotong University

COMP4109 : Applied Cryptography

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

Arithmetic operators for pairing-based cryptography

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS

Elliptic Curve Cryptosystems and Scalar Multiplication

Public Key Algorithms

Mathematical Foundations of Public-Key Cryptography

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Discrete Mathematics GCD, LCM, RSA Algorithm

Cryptography IV: Asymmetric Ciphers

dit-upm RSA Cybersecurity Cryptography

Transcription:

Efficient Computation of Roots in Finite Fields PAULO S. L. M. BARRETO (pbarreto@larc.usp.br) Laboratório de Arquitetura e Redes de Computadores (LARC), Escola Politécnica, Universidade de São Paulo, Brazil. JOSÉ FELIPE VOLOCH (voloch@math.utexas.edu) Department of Mathematics, University of Texas, Austin TX 78712, USA. Abstract. We present an algorithm to compute r-th roots in Fq m with complexity O((log m + r log q)m 2 log 2 q) for certain choices of m and q. This compares well to previously known algorithms, which need O(rm 3 log 3 q) steps. Keywords: finite fields, root computation, efficient algorithms 1. Introduction Calculation of roots in finite fields Fq m (where q = pd for some prime p and some d > 0) is a classical problem in computational algebra and number theory. Besides its intrinsic interest, it plays an essential role in cryptosystems based on elliptic curves and other Abelian varieties, where plain exponentiation (fundamental for more conventional cryptosystems) is not relevant. A typical application of root extraction is point compression in elliptic curves. In general, a point (x, y) on a curve E(Fqm) is compressed as (x, β) where β Z2 is a single bit from y; the full y value is recovered from (x, β) by solving for y the curve equation y 2 = P (x), which involves computing a square root P (x). Under certain circumstances it may be more convenient to compress (x, y) as (α, y) where α Z3 is a single trit from x; the full x value is recovered by solving the curve equation for x rather than y. This is the case when taking a cubic root is more efficient than taking a square root, for instance, when the curve equation is y 2 = x 3 + c over Fq m for some c (in this case, our new algorithm is most suitable for odd m and a Fermat prime q). A similar situation arises in the operation of hashing onto elliptic curves, as needed by a large number of cryptosystems, notably pairingbased schemes [4, 5, 10, 12]. The method usually consists of mapping messages onto (x, β) or (α, y) pairs as above by applying a conventional hash function, then solving the curve equation to get a complete point. Supported by Scopus Tecnologia S. A. Supported by NSA grant MDA904-03-1-0117 c 2004 Kluwer Academic Publishers. Printed in the Netherlands. roots.tex; 4/03/2004; 9:33; p.1

2 Higher order roots appear in analogous settings over hyperelliptic and superelliptic curves [6]. Taking r-th roots in a finite field Fq m is most commonly computed by means of the Adleman-Manders-Miller algorithm [1] (see also [2, section 7.3]), which extends Tonelli s square root algorithm. The complexity of the Adleman-Manders-Miller algorithm is O(rm 4 log 4 q) steps in general, but for certain special fields Fq this drops to O(rm 3 log 3 q) steps if r is fixed and small. Cipolla s square-root algorithm attains complexity O(m 3 log 3 q) for any finite field Fqm, but does not seem to admit of a simple generalization for higher order roots. Computing generic powers, on the other hand, is a problem for which many efficient algorithms are known. Particularly efficient algorithms are described in [7], with complexity O(m 2 log log m log q) if q is a small prime. Other specialized improved algorithms for exponentiation are given in [13]. It is natural to ask if similar methods could be used for root calculation since one can compute r x as x v with v r 1 (mod q m 1) when (r, q m 1) = 1, and what can be done when r is not invertible modulo (q m 1) as in this case not all field elements have r-th roots. Our contribution in this paper is to show, for a large family of prime powers q and extension degrees m, how to take advantage of the periodic structure of v written in base q to compute r-th roots in Fq m. The complexity of the resulting scheme is O((log m + r log q)m 2 log 2 q) due to a divide-and-conquer strategy; we conjecture that algorithms even more efficient are possible using more complex addition chains. Furthermore, we explore extensions of this strategy that work, under certain circumstances, when (r, q m 1) 1. The basic idea of the new algorithm stems from the Itoh-Tsujii [9] algorithm for computing multiplicative inverses and was already used in [3] to efficiently compute square roots. The Itoh-Tsujii algorithm is described in depth in [8], where the reader will also find a discussion of implementation aspects; that discussion applies equally well to our algorithm. 2. The New Algorithm Our new algorithm computes r-th roots in Fq m provided that q, m, r satisfy certain constraints. Our fundamental strategy is to seek a simple expression for v r 1 (mod q m 1) so as to reduce the complexity of computing r x as x v in Fq. Efficiently taking roots that are powers of the characteristic p in is straightforward. Notice that, since raising to a power of p is a Fq m roots.tex; 4/03/2004; 9:33; p.2

linear bijection in characteristic p, the complexity of such operation is no larger than that of multiplication, namely, O(m 2 log 2 q), and under certain circumstances can be much smaller [11, chapter 6]. For certain primes q > 2 and odd m, efficient computation of square roots has been described in a previous work [3], and generalizing that method to roots that are higher powers of 2 is immediate. It is possible to compute roots by using exponent periodicity for more general q, m, r. This is established by the results below. First we state as a separate lemma the divide-and-conquer strategy to using periodicity in the algorithm. 3 LEMMA 1. Let Fq m be a finite field of characteristic p and let s be a power of p. Define the map φ n : Fq m Fq m, y y1+s+ +sn for n N. We can compute φ n (y) with O(log n) multiplications and raisings to powers of p. Proof. If n = 2k + 1, then y 1+s+ +sn = y 1+s+ +sk (y 1+s+ +sk ) sk+1 and if n = 2k then y 1+s+ +sn = y 1+s+ +sk 1 (y(y 1+s+ +sk 1 ) s ) sk. The result follows by iterating this procedure, halving the value of n each time; this can be done at most max( lg n, 1) times, taking no more than 2 multiplications and 2 raisings to powers of s at each step. We will show that we can reduce root extraction to an operation of the form x x a φ n (x b ) for small a, b and apply the above lemma. 2.1. Taking roots by inverting the exponent We first tackle root extraction in the case (r, q 1) = 1. The periodic structure of r 1 (mod q m 1) leads to an efficient r-th root algorithm, as established by the following considerations. LEMMA 2. Given q and r with (q(q 1), r) = 1, let k > 1 be the order of q modulo r. For any m > 0, (m, k) = 1, let u, 1 u < r satisfy u(q m 1) 1 (mod r) and v = q m u/r. Then rv 1 (mod q m 1). In addition, v = a + b n 1 j=0 qjk, a, b < q 2k, n = m/k. Proof. Note that (q m 1, q k 1) = q 1 since m and k are coprime. As r divides q k 1 but is coprime to q 1 we conclude that q m 1 and r are coprime, and u therefore is well-defined. Thus u(q m 1) = vr 1 for some integer v and since q m u/r = v + (u 1)/r we have that v = q m u/r and from the equation u(q m 1) = vr 1 it follows that rv 1 (mod q m 1). roots.tex; 4/03/2004; 9:33; p.3

4 Finally, let z = u(q k 1)/r. Then z is an integer and z < q k 1. Now, q m u/r = q m z/(q k 1) = q m k z j=0 n 1 q jk = q m k z q jk + α, say. Thus v = zq m nk n 1 j=0 qjk + α and we take a = α, b = zq m nk, which completes the proof. Remark 1. To compute u one can replace m by its least residue modulo k since q k 1 (mod r). Also u/r has a periodic expansion in base q of period k and therefore v = q m u/r also has a periodic expansion in base q with the same period for all m in a fixed residue class modulo k. THEOREM 1. Let q be a prime power, let r > 1 be such that (q(q 1), r) = 1 and let k > 1 be the order of q modulo r. For any m > 0, (m, k) = 1, the complexity of taking r-th roots in Fqm is O((log m + r log q)m 2 log 2 q). Proof. By Lemma 2, r 1 a + b n 1 j=0 qjk (mod q m 1) for some a, b < q 2k depending only on m (mod k) and n = m/k. By Lemma 1, raising to the power n 1 j=0 qjk takes O(log n) multiplications and raisings to powers of p. The remaining work essentially consists of raising to the powers a and b, each operation taking O(k log q) multiplications due to the bound on the exponents. The total computation cost is therefore O(log m + r log q) operations of complexity O(m 2 log 2 q), from which the claimed overall complexity follows. Remark 2. The complexity simplifies to O(rm 2 log 3 q) if r log q > log m, and to O(m 2 log m log 2 q) if r log q < log m. In either case it compares well to the O(rm 3 log 3 q) complexity of the Adleman- Manders-Miller algorithm at its best. j=0 2.2. Taking r-th roots when r is not invertible We now deal with root extraction when r (q 1). The analogous result to Lemma 2 above is the following. Note that not every element of Fq m is a r-th power, so we need to work in the subgroup of order (q m 1)/r of F q m. LEMMA 3. Given q and r with r (q 1) and ((q 1)/r, r) = 1, for any m > 0, (m, r) = 1, let u, 1 u < r satisfy u(q m 1)/r 1 (mod r) and v = q m u/r 2. Then rv 1 (mod (q m 1)/r). In addition, v = a + b n 1 j=0 qjr, a, b < q 2r, n = m/r. roots.tex; 4/03/2004; 9:33; p.4

Proof. Note that, since (q m 1)/r m(q 1)/r (mod r), (q m 1)/r and r are coprime and u therefore is well-defined. Thus u(q m 1)/r = vr 1 for some integer v and since q m u/r 2 = v (r u)/r 2 we have that v = q m u/r 2. From the equation u(q m 1)/r = vr 1 it follows that rv 1 (mod (q m 1)/r). The rest of the proof is identical to that of Lemma 2. Remark 3. To compute u one can replace m by its least residue modulo r since (q m 1)/r m(q 1)/r (mod r). Also u/r 2 has a periodic expansion in base q of period r and therefore v = q m u/r 2 also has a periodic expansion in base q with the same period for all m in a fixed residue class modulo r. THEOREM 2. Let q be a prime power and let r > 1 be such that r (q 1) and ((q 1)/r, r) = 1. For any m > 0, (m, r) = 1, given x Fq m one can compute the r-th root of x in Fqm, or show it does not exist, in O(r(log m + log log q)m 2 log 2 q) steps. Proof. By Lemma 3, r 1 v = a + b n 1 j=0 qjr (mod (q m 1)/r) for some a, b < q 2r depending only on m (mod r) and n = m/r. By Lemma 1, raising to the power n 1 j=0 qjr takes O(log n) multiplications and raisings to powers of p. The remaining work essentially consists of raising to the powers a and b, each operation taking O(r log q) multiplications due to the bound on the exponents. The cost of raising to v is therefore O(log m + r log q) operations of complexity O(m 2 log 2 q). But given x Fq m we must still check that y = xv is a correct root, and to this end we compute y r with cost O(log rm 2 log 2 q). If x is an r-th power, then necessarily y r = x and we are done, otherwise y r is not equal to x and we are done too. The total computation cost is therefore O(r(log m + log log q)m 2 log 2 q) as claimed. 5 2.3. An example As an example consider cube roots in characteristic two. Let F2 m be a finite field. If m is odd then we are in the situation of Lemma 2 with q = 2 and 1/3 (m 1)/2 j=0 4 j (mod 2 m 1). If m is even and not divisible by 3, then we are in the situation of Lemma 3 with q = 4 and we need to distinguish two cases. For m 2 (mod 6) we have 1/3 1 + 56 (m 8)/6 j=0 64 j (mod (2 m 1)/3) and for m 4 (mod 6) we have 1/3 2 + 112 (m 10)/6 j=0 64 j (mod (2 m 1)/3). For 6 m we can apply Theorem 2 with q = 64 and r = 9 to obtain a method for extracting 9-th roots if m is not divisible by 9. To convert this to a method of extracting cube roots we need to roots.tex; 4/03/2004; 9:33; p.5

6 introduce randomization as in the Adleman-Manders-Miller algorithm. Given x choose a random z and try to extract the 9-th root y of xz 3. If successful output y 3 /z as a cube root of x, otherwise try a different z. If a number of these steps fail, declare x not to be a cube. 3. Conclusion This contribution described an efficient algorithm to compute r-roots in certain finite fields Fqm. Whenever applicable, our technique benefits from the periodic structure of either r 1 (mod q m 1) or r 1 (mod (q m 1)/r), which is handled by a divide-and-conquer technique. The computational complexity of new algorithm improves upon previously known methods like the Adleman-Manders-Miller algorithm. References 1. Adleman, L. M., K. Manders, and G. Miller: 1977, On taking roots in finite fields. In: 18th IEEE Symposium on Foundations of Computer Science. pp. 175 177. 2. Bach, E. and J. Shallit: 1996, Algorithmic Number Theory, Vol. 1. MIT Press. 3. Barreto, P. S. L. M., H. Y. Kim, B. Lynn, and M. Scott: 2002, Efficient Algorithms for Pairing-Based Cryptosystems. In: Advances in Cryptology Crypto 2002, Vol. 2442 of Lecture Notes in Computer Science. pp. 354 368. 4. Boneh, D. and M. Franklin: 2003, Identity-based encryption from the Weil pairing. SIAM Journal of Computing 32(3), 586 615. 5. Boneh, D., B. Lynn, and H. Shacham: 2002, Short signatures from the Weil pairing. In: Advances in Cryptology Asiacrypt 2001, Vol. 2248 of Lecture Notes in Computer Science. pp. 514 532. 6. Galbraith, S., S. Paulus, and N. Smart: 2002, Arithmetic on superelliptic curves. Mathematics of Computation 71, 393 405. 7. Gao, S., J. von zur Gathen, D. Panario, and V. Shoup: 2000, Algorithms for Exponentiation in Finite Fields. Journal of Symbolic Computation 29, 879 889. 8. Guajardo, J. and C. Paar: 2002, Itoh-Tsujii Inversion in Standard Basis and its Application in Cryptography and Codes. Designs, Codes and Cryptography 25, 207 216. 9. Itoh, T. and S. Tsujii: 1988, A fast algorithm for computing multiplicative inverses in GF(2 m ) using normal bases. Information and Computation 78, 171 177. 10. Libert, B. and J.-J. Quisquater: 2003, New identity based signcryption schemes based on pairings. In: 2003 IEEE Information Theory Workshop. Paris, France. 11. Menezes, A.: 1993, Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers. 12. Smart, N. P.: 2002, An Identity Based Authenticated Key Agreement Protocol Based on the Weil Pairing. Electronics Letters 38, 630 632. roots.tex; 4/03/2004; 9:33; p.6

13. von zur Gathen, J. and M. Noecker: 2003, Computing special powers in finite fields. Mathematics of Computation. Article electronically published on September 26, 2003; see http://www.ams.org/jourcgi/jour-getitem?pii= S0025-5718-03-01599-0. 7 roots.tex; 4/03/2004; 9:33; p.7

roots.tex; 4/03/2004; 9:33; p.8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback