Добавил:
Upload Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:

Prime Numbers

.pdf
Скачиваний:
49
Добавлен:
23.03.2015
Размер:
2.99 Mб
Скачать

382

Chapter 7 ELLIPTIC CURVE ARITHMETIC

algorithm whose complexity lies essentially between naive residue counting and the Shanks–Mestre algorithm. There is yet one more possible avenue of exploration: The DAGM of Exercise 2.42 might actually apply to truncated hypergeometric series (mod p) in some sense, which we say because the classical AGM—for real arguments—is a rapid means of evaluating such as the hypergeometric form above [Borwein and Borwein 1987].

Incidentally, a profound application of the AGM notion has recently been used in elliptic-curve point counting; see the end of Section 7.5.2.

7.27. Along the lines of Exercise 7.26, show that for a prime p ≡ 1 (mod 8), the elliptic curve E with governing cubic

 

y2

= x3

3

x2 + x

 

 

 

 

+

 

 

 

 

 

2

 

 

 

has order

 

 

 

p−1

 

 

 

 

#E = p + 1

mod

 

4

 

 

2(p−1)/4

2

 

±

p ,

 

 

 

 

 

 

 

p−1

 

 

 

where the mod± notation means that we take the signed residue nearest 0. Does this observation have any value for factoring of Fermat numbers? Here

are some observations. We do know that any prime factor of a composite F

n is 1 (mod 8), and that 3/ 2 can be written modulo any Fermat number

Fn > 5 as 3(23m/4 2m/4)1, with m = 2n; moreover, this algebra works modulo any prime factor of Fn. In this connection see [Atkin and Morain 1993a], who show how to construct advantageous curves when potential factors p are known to have certain congruence properties.

7.28. Implement the ECM variant of [Peralta and Okamoto 1996], in which composite numbers n = pq2 with p prime, q odd, are attacked e ciently. Their result depends on an interesting probabilistic way to check whether x1 ≡ x2 (mod p); namely, choose a random r and check whether the Jacobi symbol equality

x1 + r

=

x2 + r

n

n

 

holds, which check can be performed, remarkably, in ignorance of p.

7.29. Here is a fascinating line of research in connection with Schoof point counting, Algorithm 7.5.6. First, investigate the time and space (memory) tradeo s for the algorithm, as one decides upon one of the

following representation options:

(a) the rational

point representations

(N (x)/D(x), yM (x)/C(x)) as we

displayed; (b) a

projective description

(X(x, y), Y (x, y), Z(x, y)) along the lines of Algorithm 7.2.3; or (c) an a ne representation. Note that these options have the same basic asymptotic complexity, but we are talking here about implementation advantages, e.g., the implied big-O constants.

Such analyses have led to actual packages, not only for the “vanilla Schoof” Algorithm 7.5.6, but the sophisticated SEA variants. Some such packages are

7.8 Research problems

383

highly e cient, able to resolve the curve order for a 200-bit value of p in a matter of minutes. For example, there is the implementation in [Scott 1999], which uses projective coordinates and the Shoup method (see Exercise 9.70) for polynomial multiplication, and for the SEA extension, uses precomputed polynomials.

But there is another tantalizing option: Employ Montgomery representation, as in Algorithm 7.2.7, for which the Schoof relation

xp2 , yp2 + [k](x, y) = [t](xp, yp)

can be analyzed in x-coordinates alone. One computes xp2 (but no powers of y), uses division polynomials to find the x-coordinate of [k](x, y) (and perhaps the [t] multiple as well), and employs Algorithm 7.2.8 to find doublyambiguous values of t. This having been done, one has a “partial-CRT” scenario that is itself of research interest. In such a scenario, one knows not a specific t mod l for each small prime l, but a pair of t values for each l. At first it may seem that we need twice as many small primes, but not really so. If one has, say, n smaller primes l1, . . . , ln one can perform at most 2n elliptic multiplies to see which genuine curve order annihilates a random point. One might say that for large n this is too much work, but one could just use the x- coordinate arithmetic only on some of the larger l. So the research problem is this: Given that x-coordinate (Montgomery) arithmetic is less expensive than full (x, y) versions, how does one best handle the ambiguous t values that result? Besides the 2n continuation, is there a Shanks–Mestre continuation that starts from the partial-CRT decomposition? Note that in all of this analysis, one will sometimes get the advantage that t = 0, in which case there is no ambiguity of (p + 1 ± t) mod l.

7.30. In Exercise 7.21 was outlined “symbolic” means for carrying out Schoof calculations for an elliptic curve order. Investigate whether the same manipulations can be e ected, again (mod 3), for curves governed by

y2 = x3 + ax,

or for that matter, curves having both a, b nonzero—which cases you would expect to be di cult. Investigate whether any of these ideas can be e ected for small primes l > 3.

7.31. Describe how one may use Algorithm 7.5.10 to create a relatively simple primality-proving program, in which one would search only for discriminant-D curves with h(D) = 1, 2. The advantage of such a scheme is obvious: The elliptic curve generation is virtually immediate for such discriminants. The primary disadvantage, of course, is that for large probable primes under scrutiny, a great deal of e ort must go into factoring the severely limited set of curve orders (one might even contemplate an ECM factoring engine, to put extra weight on the factoring part of ECPP). Still, this could be a fine approach for primes of a few hundred binary bits or less. For one thing,

384

Chapter 7 ELLIPTIC CURVE ARITHMETIC

neither floating-point class-polynomial calculations nor massive polynomial storage nor sophisticated root-finding routines would be required.

7.32.There is a way to simplify somewhat the elliptic curve computations for ECPP. Argue that Montgomery parameterization (as in Algorithm 7.2.7) can certainly be used for primality proofs of some candidate n in the

ECPP Algorithms 7.6.2 or 7.5.9, provided that along with the conditions of nonvanishing for multiples (X , Z ) = [m/q](X, Z), we always check gcd(Z , n) for possible factors of n.

Describe, then, some enhancements to the ECPP algorithms that we enjoy when Montgomery parameterization is in force. For example, finding a point on a curve is simpler, because we only need a valid x-coordinate, and so on.

7.33.Here is a peculiar form of “rapid ECPP” that can—if one has su cient luck—work to e ect virtually instantaneous primality proofs. Recall, as in

Corollary 4.1.4, that if a probable prime n has n − 1 = F R where the factored

part F exceeds n (or in various refinements exceeds an even lesser bound), then a primality proof can be e ected quickly. Consider instead a scenario in which the same “FR” decomposition is obtained, but we are lucky to be able to write

R = αF + β,

with a representation 4α = β2 + |D|γ2 existing for fundamental discriminant −|D|. Show that, under these conditions, if n is prime, there then exists a CM curve E for discriminant −|D|, with curve order given by the attractive

relation

#E = αF 2.

Thus, we might be able to have F nearly as small as n1/4, and still e ect an ECPP result on n.

Next, show that a McIntosh–Wagsta probable prime of the form n = (2q +1)/3 always has a representation with discriminant D = 8, and give the corresponding curve order. Using these ideas, prove that (2313 + 1)/3 is prime, taking account of the fact that the curve order in question is #E = (2/3)h2, where h is

32 ·5·7·132 ·53·79·157·313·1259·1613·2731·3121·8191·21841·121369·22366891.

Then prove another interesting corollary: If

n = 22r+2m + 2r+m+1 + 22r + 1

is prime, then the curve E in question has

#E = 22r(22m + 1).

In this manner, and by analyzing the known algebraic factors of 22m + 1 when

m is odd, prove that

n = 2576 + 2289 + 22 + 1

7.8 Research problems

385

is prime.

For more information on “rapid” primality proofs, see [Pomerance 1987a] and the discussion in [Williams 1998, p. 366] in regard to numbers of certain ternary form.

7.34. An interesting problem one may address after having found a factor via an ECM scheme such as Algorithm 7.4.4 is this: What is the actual group order that allowed the factor discovery?

One approach, which has been used in [Brent et al. 2000], is simply to “backtrack” on the stage limits until the precise largestand second-largest primes are found, and so on until the group order is completely factored.

But another way is simply to obtain, via Algorithm 7.5.6, say, the actual order. To this end, work out the preparatory curve algebra as follows. First, show that if a curve is constructed according to Theorem 7.4.3, then the rational initial point x/z = u3/v3 satisfies

x3 + Cx2z + xz2 = σ2 5 3 125 105σ2 21σ4 + σ6 2

in the ring. Then deduce that the order of the curve is either the order of

y2 = x3 + ax + b,

or the order of the twist, depending respectively on whether ( σ35σ ) = 1 or

p

1, where a ne parameters a, b are computed from

γ = (v − u)3(3u + v) 2,

4u3v

a = 1 13 γ2,

b = 272 γ3 13 γ.

These machinations suggest a straightforward algorithm for finding the order of the curve that discovered a factor p. Namely, one uses the starting seed σ, calculates again if necessary the u, v field parameters, then applies the above formulae to get an a ne curve parameter pair (a, b), which in turn can be used directly in the Schoof algorithm.

Here is an explicit example of the workings of this method. The McIntosh– Tardif factor

p = 81274690703860512587777

of F18 was found with seed parameter σ = 16500076. One finds with the above formulae that

a = 26882295688729303004012,

b = 10541033639146374421403,

386

Chapter 7 ELLIPTIC CURVE ARITHMETIC

and Algorithm 7.5.6 determines the curve order as

#E = 81274690703989163570820

= 22 · 3 · 5 · 23 · 43 · 67 · 149 · 2011 · 2341 · 3571 · 8161.

Indeed, looking at the two largest prime factors here, we see that the factor could have been found with respective stage limits as low as B1 = 4000, B2 = 10000. R. McIntosh and C. Tardif actually used 100000, 4000000, respectively, but as always with ECM, what we might call post-factoring hindsight is a low-cost commodity. Note also the explicit verification that the Brent parameterization method indeed yields a curve whose order is divisible by twelve, as expected.

If you are in possession of su ciently high-precision software, here is another useful test of the above ideas. Take the known prime factor p = 4485296422913 of F21, and for the specific Brent parameter σ = 1536151048, find the elliptic-curve group order (mod p), and show that stage limits B1 = 60000, B2 = 3000000 (being the actual pair used originally in practice to drive this example of hindsight) su ce to discover the factor p.

Chapter 8

THE UBIQUITY OF PRIME NUMBERS

It is often remarked that prime numbers finally found a legitimate practical application in the domain of cryptography. The cryptographic relevance is not disputed, but there are many other applications of the majestic primes. Some applications are industrial—such as applications in numerical analysis, applied mathematics, and other applied sciences—while some are of the “conceptual feedback” variety, in which primes and their surrounding concepts are used in theoretical work outside of, say, pure number theory. In this lucrative research mode, primes are used within algorithms that might appear a priori independent of primes, and so on. It seems fair to regard the prime number concept as ubiquitous, since the primes appear in so very many disparate domains of thought.

8.1 Cryptography

On the face of it, the prime numbers apply to cryptography by virtue of the extreme di culty of certain computations. Two such problems are factoring and the discrete logarithm problem. We shall discuss practical instances of these problems in the field of cryptography, and also discuss elliptic curve generalizations.

8.1.1Di e–Hellman key exchange

In a monumental paper [Di e and Hellman 1976], those authors observed the following “one-way function” behavior of certain group operations. For a given integer x ≥ 0 and an element g of Fp, the computation of

h = gx

in the field (so, involving continual (mod p) reductions) is generally of complexity O(ln x) field operations. On the other hand, solving this equation for x, assuming g, h, p given, is evidently very much harder. As x is an exponent, and since we are taking something like a logarithm in this latter problem, the extraction of the unknown x is known as the discrete logarithm (DL) problem. Though the forward (exponentiation) direction is of polynomial-time complexity, no general method is known for obtaining the DL with anything like that e ciency. Some DL algorithms are discussed in Chapter 5 and in [Schirokauer et al. 1996].

388

Chapter 8 THE UBIQUITY OF PRIME NUMBERS

An immediate application of this “one-way” feature of exponentiation is a cryptographic algorithm so simple that we simply state it in English without formal exhibition. Say you want individuals to have their own passwords to allow entry onto a computer system or information channel. A universal prime p and primitive root g are chosen for the whole system of users. Now each individual user “thinks up” his or her secret password x, an integer, and computes h = gx mod p, finally storing his or her h value on the system itself. Thus for the array of users, there is a stored array of h values on the system. Now when it is time to gain entry to the system, a user need only type the “password” x, and the system exponentiates this, comparing the result to that user’s h. The scheme is all very simple, depending on the di culty of looking at an h and inferring what was the password x for that h.

Not quite so obvious, but equally elegant, is the Di e–Hellman key exchange scheme, which allows two individuals to create a common encryption key:

Algorithm 8.1.1 (Di e–Hellman key exchange).

Two individuals, Alice

and Bob, agree on a prime p and a generator g

 

p

 

F . This algorithm allows

Alice and Bob to establish a mutual key (mod p), with neither individual being able (under DL di culty) to infer each other’s secret key.

1.

[Alice generates public key]

 

 

[2, p

 

 

2];

 

 

Alice

chooses random a

 

// Alice’s secret key.

 

a

mod p;

 

 

 

 

 

x = g

 

 

 

 

 

 

 

 

// x is Alice’s public key.

2.

[Bob generates public key]

 

 

[2, p

 

 

2];

 

 

chooses random b

 

// Bob’s secret key.

 

Bob

b

mod p;

 

 

 

 

// y is Bob’s public key.

 

y = g

 

 

 

 

 

 

 

 

 

3.

[Each individual creates the same mutual key]

 

Bob computes k = xb mod p;

 

 

 

 

 

 

Alice computes k = ya mod p;

 

 

 

// The two k-values are identical.

This mutual key creation works, of course, because

(ga)b = (gb)a = gab,

and all of this goes through with the usual reductions (mod p). There are several important features of this basic Di e–Hellman key exchange notion. First, note that in principle Alice and Bob could have avoided random numbers; choosing instead a memorable phrase, slogan, whatever, and made those into respective secret values a, b. Second, note that the public keys ga, gb mod p can be made public in the sense that—under DL di culty—it is safe literally to publish such values to the world. Third, on the issue of what to do with the mutual key created in the algorithm, actual practical applications often involve the use of the mutual key to encrypt/decrypt long messages, say through the expedient of a standard block cipher such as DES [Schneier 1996]. Though it is easy to break the Di e–Hellman scheme given a fast DL method, it is unclear whether the two problems are equivalent. That

8.1 Cryptography

389

is, if an oracle could tell you gab on input of ga and gb, could you use this oracle to quickly solve for discrete logarithms?

8.1.2RSA cryptosystem

Soon after the Di e–Hellman ideas, the now prevalent RSA cryptosystem was invented by Rivest, Shamir, and Adleman [Rivest et al. 1978].

Algorithm 8.1.2 (RSA private/public key generation).

In this

algorithm

we generate an individual’s private and associated public

keys for

the RSA

cryptosystem.

 

 

1.

[Choose primes]

 

 

Choose two distinct primes p, q under prevailing safety criteria (see text);

2.

[Generate public key]

 

 

N = pq;

 

 

ϕ = (p − 1)(q − 1);

// Euler totient of N .

 

Choose random integer E [3, N − 2] coprime to ϕ;

 

Report public key as (N, E);

// User publishes this key.

3.

[Generate private key]

 

 

D = E1 mod ϕ;

 

 

Report private key as D;

// User keeps D secret.

The primary observation is that because of the di culty of factoring N = pq, the public integer N does not give an easy prescription for the private primes p, q. Furthermore, it is known that if one knows integers D, E in [1, n − 1] with DE ≡ 1 (mod ϕ), then one can factor N in (probabilistic) polynomial time [Long 1981] (cf. Exercise 5.27). In the above algorithm it is fashionable to choose approximately equal private primes p, q, but some cryptographers suggest further safety tests. In fact, one can locate in the literature a host of potential drawbacks for certain p, q choices. There is a brief but illuminating listing of possible security flaws that depend on the magnitudes and other number-theoretical properties of p, q in [Williams 1998, p. 391]. The reference [Bressoud and Wagon 2000, p. 249] also lists RSA pitfalls. See also Exercise

8.2for a variety of RSA security issues.

Having adopted the notion that the public key is the hard-to-break (i.e.,

di cult to factor) composite integer N = pq, we can proceed with actual encryption of messages, as follows:

Algorithm 8.1.3 (RSA encryption/decryption). We assume that Alice possesses a private key DA and public key (NA, EA) from Algorithm 8.1.2. Here we show how another individual (Bob) can encrypt a message x (thought of as an integer in [0, NA)) to Alice, and how Alice can decrypt said message.

1. [Bob encrypts]

y = xEA mod NA; // Bob is using Alice’s public key. Bob then sends y to Alice;

2. [Alice decrypts]

390

Chapter 8 THE UBIQUITY OF PRIME NUMBERS

Alice receives encrypted message y; x = yDA mod NA;

// Alice recovers the original x.

It is not hard to see that, as required for Algorithm 8.1.3 to work, we must have

xDE ≡ x (mod N ).

This, in turn, follows from the fact that DE = 1 + by construction of D itself, so that xDE = x(xϕ)k ≡ x · 1k = x (mod N ), when gcd(x, N ) = 1. In addition, it is easy to see that xDE ≡ x (mod N ) continues to hold even when gcd(x, N ) > 1.

Now with the RSA scheme we envision a scenario in which a great number of individuals all have their respective public keys (Ni, Ei) literally published—as one might publish individual numbers in a telephone book. Any individual may thereby send an encrypted message to individual j by casually referring to the public (Nj , Ej ) and doing a little arithmetic. But can the recipient j know from whom the message was encrypted and sent? It turns out, yes, to be quite possible, using a clever digital signature method:

Algorithm 8.1.4 (RSA signature: Simple version). We assume that Alice possesses a private key DA and public key (NA, EA) from Algorithm 8.1.2. Here we show how another individual (Bob) having private key DB and public key (NB, EB) can “sign” a message x (thought of as an integer in [0, min{NA, NB})).

1. [Bob encrypts with signature]

 

s = xDB mod NB;

// Bob creates signature from message.

y = sEA mod NA;

// Bob is using here Alice’s public key.

Bob then sends y to Alice;

 

2. [Alice decrypts]

Alice receives signed/encrypted message y;

s = yDA mod NA; // Alice uses her private key. x = sEB mod NB; // Alice recovers message using Bob’s public key.

Note that in the final stage, Alice uses Bob’s public key, the idea being that— up to the usual questions of di culty or breakability of the scheme—only Bob could have originated the message, because only he knows private key DB. But there are weaknesses in this admittedly elegant signature scheme. One such is this: If a forger somehow prepares a “factored message” x = x1x2, and somehow induces Bob to send Alice the signatures y1, y2 corresponding to the component messages x1, x2, then the forger can later pose as Bob by sending Alice y = y1y2, which is the signature for the composite message x. In a sense, then, Algorithm 8.1.4 has too much symmetry. Such issues can be resolved nicely by invoking a “message digest,” or hash function, at the signing stage [Schneier 1996], [Menezes et al. 1997]. Such standards as SHA-1 provide such a hash function H, where if x is plaintext, H(x) is an integer (often much smaller, i.e., having many fewer bits, than x). In this way certain methods for breaking signatures—or false signing—would be suppressed. A signature scheme involving a hash function goes as follows:

8.1 Cryptography

391

Algorithm 8.1.5 (RSA encrypt-with-signature: More practical version).

We assume that Bob possesses a private key DB and public key (NB, EB) from Algorithm 8.1.2. Here we show how Alice can recover Bob’s plaintext message x (thought of as an integer in some appropriate interval) and also verify Bob’s signature. We assume the existence of message digest function H, such as from the SHA-1 standard.

1.

[Bob encrypts with signature]

 

 

y = xEA mod NA;

// Bob encrypts, using Alice’s public key.

 

y1 = H(x);

// y1 is the “hash” of plaintext x.

 

s = y1DB mod NB;

// Bob creates signature s.

 

Bob sends (y, s) (i.e., combined message/signature) to Alice;

2.

[Alice decrypts]

 

 

Alice receives (y, s);

 

 

x = yDA mod NA;

// Alice decrypts to recover plaintext x.

3.

[Alice processes signature]

 

 

y2 = sEB mod NB;

 

if(y2 == H(x)) Alice accepts signature; else Alice rejects signature;

We note that there are practical variants of this algorithm that do not involve actual encryption; e.g., if plaintext security is not an issue while only authentication is, one can simply concatenate the plaintext and signature, as (x, s) for transmission to Alice. Note also there are alternative, yet practical signature schemes that depend instead on a so-called redundancy function, as laid out, for example, in [Menezes et al. 1997].

8.1.3Elliptic curve cryptosystems (ECCs)

The mid-1980s saw the emergence of yet another fascinating cryptographic idea, that of using elliptic curves in cryptosystems [Miller 1987], [Koblitz 1987]. Basically, elliptic curve cryptography (ECC) involves a public curve Ea,b(F ) where F is a finite field. Prevailing choices are F = Fp for prime p, and F = F2k for suitable integers k. We shall focus primarily on the former fields Fp, although much of what we describe works for finite fields in general. The central idea is that given points P, Q E such that the relation

Q = [k]P

holds for some integer k, it should be hard in general to extract the elliptic discrete logarithm (EDL), namely a value for the integer multiplier k. There is by now a considerable literature on the EDL problem, of which just one example work is [Lim and Lee 1997], in which it is explained why the group order’s character (prime or composite, and what kind of factorization) is important as a security matter.

The Di e–Hellman key exchange protocol (see Algorithm 8.1.1) can be used in a cyclic subgroup of any group. The following algorithm is Di e– Hellman for elliptic-curve groups.

Соседние файлы в предмете [НЕСОРТИРОВАННОЕ]