Prime Numbers


thales.doa.fmph.uniba.sk
10.12.2012

7.6 Elliptic curve primality proving (ECPP)    373

5. [Operate on point]
   Compute the multiple $U = [m/q]P$ (however, if any illegal inversions occur, return "n is composite");
   if($U == O$) goto [Choose point ...];
   Compute $V = [q]U$ (however, check the above rule on illegal inversions);
   if($V \neq O$) return "n is composite";
   return "If q is prime, then n is prime";

Note that if n is composite, then there is no guarantee that Algorithm 2.3.13 in Step [Choose discriminant] will successfully find u, v, even if they exist. In this event, we continue with the next D, until we are eventually successful, or we lose patience and give up.

Let us work through an explicit example. Recall the Mersenne prime $p = 2^{89} - 1$ analyzed after Algorithm 7.5.9. We found a discriminant $D = -3$ for complex multiplication curves, for which D there turn out to be six possible curve orders. The recursive primality proving works, in this case, by taking $p + 1 + u$ as the order; in fact, this choice happens to work at every level like so:

$p = 2^{89} - 1$, $D = -3$: $u = 34753815440788$, $v = 20559283311750$,
$\#E = p + 1 + u = 2^2 \cdot 3^2 \cdot 5^2 \cdot 7 \cdot 848173 \cdot p_2$,
$p_2 = 115836285129447871$, $D = -3$: $u = 557417116$, $v = 225559526$,
$\#E = p_2 + 1 + u = 2^2 \cdot 3 \cdot 7 \cdot 37 \cdot 65707 \cdot p_3$,

and we establish that $p_3 = 567220573$ is prime by trial division. What we have outlined is the essential "backbone" of a primality certificate for $p = 2^{89} - 1$. The full certificate requires, of course, the actual curve parameters (from Step [Obtain curve parameters]) and relevant starting points (from Step [Choose point ...]) in Algorithm 7.6.3. Compared to the Goldwasser–Kilian approach, the complexity of the Atkin–Morain method is a cloudy issue—although heuristic estimates are polynomial, e.g. $O(\ln^{4+\epsilon} N)$ operations to prove N prime (see Section 7.6.3). The added difficulty comes from the fact that the potential curve orders that one tries to factor have an unknown distribution.
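The step [Operate on point] and the certificate "backbone" above, as an added example that is not code from the book: a small Python model of affine curve arithmetic mod n with the illegal-inversion rule, followed by the U = [m/q]P, V = [q]U test. It goes slightly beyond the step as printed, since it also searches for a curve whose order m has a prime factor q large enough for the underlying theorem (q must exceed (n^(1/4) + 1)^2, a bound stated earlier in the chapter rather than on this page). Assumptions of this example: the order m is found by brute-force point counting, standing in for the complex-multiplication machinery of Steps [Choose discriminant] and [Obtain curve parameters]; n is taken congruent to 3 mod 4 so that square roots mod n are cheap; and the names ecpp_toy, operate_on_point, find_point and friends are this example's own, not the book's. operate_on_point is also exactly what a verifier recomputes when handed the certificate tuple (a, b, m, q, P).

```python
# Added example (not the book's code): ECPP step [Operate on point] on a toy scale.
# Affine arithmetic on y^2 = x^3 + a x + b over Z/nZ with the illegal-inversion rule,
# then U = [m/q]P, V = [q]U.  Assumptions: m comes from brute-force point counting
# (a stand-in for the CM machinery), n = 3 (mod 4) for cheap square roots, and q must
# exceed (n^(1/4) + 1)^2 as the underlying theorem requires.
from math import gcd

COMPOSITE = "n is composite"
CONDITIONAL = "If q is prime, then n is prime"
NO_POINT = "no suitable point found"
O = None  # the point at infinity


class IllegalInversion(Exception):
    """A needed inverse mod n does not exist (gcd > 1); only possible for composite n."""


def inv_mod(a, n):
    a %= n
    if gcd(a, n) != 1:
        raise IllegalInversion(a)
    return pow(a, -1, n)


def ec_add(P, Q, a, n):
    """P + Q on y^2 = x^3 + a x + b mod n (the formulas never need b)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % n == 0:
            return O                       # Q == -P
        if y1 != y2:
            raise IllegalInversion(0)      # impossible over a field, so n is composite
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n   # tangent slope
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, n) % n          # chord slope
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)


def ec_mul(k, P, a, n):
    """[k]P by double-and-add; IllegalInversion propagates to the caller."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return R


def curve_order_bruteforce(a, b, n):
    """#E(F_n) via Euler's criterion; only meaningful when n is prime (and small)."""
    count = 1                              # the point at infinity
    for x in range(n):
        t = (x ** 3 + a * x + b) % n
        if t == 0:
            count += 1
        elif pow(t, (n - 1) // 2, n) == 1:
            count += 2
    return count


def largest_prime_factor(m):
    """Trial division, as the book does for p3; returns the largest prime dividing m."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return m if m > 1 else largest


def find_point(a, b, n, start_x):
    """First affine point with x >= start_x; sqrt via t^((n+1)/4), valid for n = 3 (mod 4)."""
    for x in range(start_x, n):
        t = (x ** 3 + a * x + b) % n
        if t == 0:
            continue                       # 2-torsion point, useless for this test
        y = pow(t, (n + 1) // 4, n)
        if y * y % n == t:
            return (x, y)
    return None


def operate_on_point(n, a, b, m, q, max_points=50):
    """Step 5 of Algorithm 7.6.3; 'goto [Choose point ...]' is bounded by max_points."""
    x = 0
    for _ in range(max_points):
        P = find_point(a, b, n, x)
        if P is None:
            break
        x = P[0] + 1
        try:
            U = ec_mul(m // q, P, a, n)
            if U is O:
                continue                   # choose another point
            V = ec_mul(q, U, a, n)
        except IllegalInversion:
            return COMPOSITE
        return CONDITIONAL if V is O else COMPOSITE
    return NO_POINT


def ecpp_toy(n):
    """Search y^2 = x^3 + x + b for an order m with a prime factor q > (n^(1/4)+1)^2,
    then run the step.  Returns (verdict, a, b, m, q).  Requires n = 3 (mod 4)."""
    if n % 4 != 3:
        raise ValueError("toy square root needs n = 3 (mod 4)")
    bound = (n ** 0.25 + 1) ** 2
    a = 1
    for b in range(1, n):
        if gcd(4 * a ** 3 + 27 * b * b, n) != 1:
            continue                       # the discriminant must be a unit mod n
        m = curve_order_bruteforce(a, b, n)
        q = largest_prime_factor(m)
        if q > bound:
            return (operate_on_point(n, a, b, m, q), a, b, m, q)
    return (NO_POINT, a, None, None, None)


if __name__ == "__main__":
    print(ecpp_toy(1019))                  # prime: conditional verdict plus (a, b, m, q)
    print(ecpp_toy(1007))                  # 19 * 53: never the conditional verdict
```

For a composite n the conditional verdict cannot appear: with the discriminant a unit mod n and no illegal inversion, every addition reduces faithfully modulo the smallest prime factor p of n, where a point of prime order q > (n^(1/4)+1)^2 >= (sqrt(p)+1)^2 >= #E(F_p) cannot exist. That is why the gcd checks are not optional bookkeeping but the part of the step that makes the certificate sound.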
However, in practice, the method is excellent, and like the Goldwasser–Kilian method a complete and succinct certificate of primality is provided. Morain's implementation of variants of Algorithm 7.6.3 has achieved primality proofs for "random" primes of well over two thousand decimal digits, as we mentioned in Section 1.1.2. But even more enhancement has been possible, as we discuss next.

7.6.3 Fast primality-proving via elliptic curves (fastECPP)

A new development in primality proving has enabled primality proofs of some spectacularly large numbers. For example, in July 2004, the primality of the

374    Chapter 7 ELLIPTIC CURVE ARITHMETIC

Leyland number (with general form $x^y + y^x$)

$$N = 4405^{2638} + 2638^{4405}$$

was established, a number of 15071 decimal digits. This "fastECPP" method is based on an asymptotic improvement, due to J. Shallit, that yields a bit-complexity heuristic of $O(\ln^{4+\epsilon} N)$ to prove N prime.

The basic idea is to build a base of small square roots, and build discriminants from this basis. Let $L = \ln N$ where N is the possible prime under scrutiny. Now Algorithm 7.6.3 requires, we expect, $O(L^2)$ discriminants D tried before finding a good D. Instead, one may build discriminants of the form $-D = (-p)(q)$, where p, q are primes each taken from a pool of size only $O(L)$. In this way, Step [Choose discriminant] can be enhanced, and the overall operation complexity of Algorithm 7.6.3—which complexity started out as $O(\ln^{5+\epsilon} N)$—thus has the 5 turning into a 4.

The details and various primality-proof records are found in [Franke et al. 2004] and (especially for the fastECPP theory) [Morain 2004].

7.7 Exercises

7.1. Find a bilinear transformation of the form
$$(x, y) \mapsto (\alpha x + \beta y, \gamma x + \delta y)$$
that renders the curve
$$y^2 + axy + by = x^3 + cx^2 + dx + e \qquad (7.11)$$
into Weierstrass form (7.4). Indicate, then, where the fact of field characteristic not equal to 2 or 3 is required for the transformation to be legal.

7.2. Show that the curve with governing cubic
$$Y^2 = X^3 + CX^2 + AX + B$$
has affine representation
$$y^2 = x^3 + (A - C^2/3)x + (B - AC/3 + 2C^3/27).$$
This shows that a Montgomery curve (B = 0) always has an affine equivalent. But the converse is false. Describe exactly under what conditions on parameters a, b in
$$y^2 = x^3 + ax + b$$
such an affine curve does possess a Montgomery equivalent with B = 0. Describe applications of this result, for example in cryptography or point counting.

7.3. Show that the curve given by relation (7.4) is nonsingular over a field F with characteristic $\neq 2, 3$ if and only if $4a^3 + 27b^2 \neq 0$.
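Exercises 7.2 and 7.3 carried out numerically, as an added example that is not part of the book: the change of variables x = X + C/3, y = Y takes the cubic Y^2 = X^3 + CX^2 + AX + B to the affine form y^2 = x^3 + (A - C^2/3)x + (B - AC/3 + 2C^3/27), which is checked point by point over a small prime field, and the discriminant test 4a^3 + 27b^2 != 0 of Exercise 7.3 is applied to the result. The field F_101 and the parameters (A, B, C) = (2, 0, 5) are constructed for this example, and the function names are this example's own. The discriminant test is the check a practitioner runs on any curve parameters before trusting them: a singular "curve" does not carry a group, so arithmetic on it proves nothing.

```python
# Added example (not the book's code): Exercises 7.2 and 7.3 worked numerically over F_p.
# Maps Y^2 = X^3 + C X^2 + A X + B to y^2 = x^3 + a x + b via x = X + C/3, y = Y
# (needs 3 and 27 invertible, i.e. p != 2, 3), checks every affine point carries over,
# and tests nonsingularity with 4a^3 + 27b^2 != 0.  All parameters are constructed.


def to_short_weierstrass(A, B, C, p):
    """Coefficients (a, b) of the affine form from Exercise 7.2, reduced mod p."""
    inv3, inv27 = pow(3, -1, p), pow(27, -1, p)
    a = (A - C * C * inv3) % p
    b = (B - A * C * inv3 + 2 * C ** 3 * inv27) % p
    return a, b


def shift_point(X, Y, C, p):
    """The change of variables behind the exercise: x = X + C/3, y = Y."""
    return ((X + C * pow(3, -1, p)) % p, Y % p)


def on_cubic(X, Y, A, B, C, p):
    """Is (X, Y) on Y^2 = X^3 + C X^2 + A X + B over F_p?"""
    return (Y * Y - (X ** 3 + C * X * X + A * X + B)) % p == 0


def on_short(x, y, a, b, p):
    """Is (x, y) on y^2 = x^3 + a x + b over F_p?"""
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def is_nonsingular(a, b, p):
    """Exercise 7.3 criterion for y^2 = x^3 + a x + b over F_p, p != 2, 3."""
    return (4 * a ** 3 + 27 * b * b) % p != 0


def affine_points(pred, p):
    """All (u, v) in F_p x F_p satisfying pred; brute force, fine for small p."""
    return {(u, v) for u in range(p) for v in range(p) if pred(u, v)}


def verify_isomorphism(A, B, C, p):
    """True iff the shift maps the affine points of the cubic exactly onto those of the short form."""
    a, b = to_short_weierstrass(A, B, C, p)
    src = affine_points(lambda X, Y: on_cubic(X, Y, A, B, C, p), p)
    dst = affine_points(lambda x, y: on_short(x, y, a, b, p), p)
    return {shift_point(X, Y, C, p) for X, Y in src} == dst


if __name__ == "__main__":
    p, A, B, C = 101, 2, 0, 5              # constructed Montgomery-type cubic (B = 0)
    a, b = to_short_weierstrass(A, B, C, p)
    print("affine form: a =", a, "b =", b)
    print("nonsingular:", is_nonsingular(a, b, p))
    print("points carry over:", verify_isomorphism(A, B, C, p))
    print("(0, 0) maps to", shift_point(0, 0, C, p))   # the 2-torsion point survives the shift
```

With B = 0 the point (0, 0) lies on the cubic and its image (C/3, 0) is a root of x^3 + ax + b, which is the direction of Exercise 7.2 that always works; the converse question asked there is left to the exercise.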

