Prime Numbers
8.1 Cryptography 391

Algorithm 8.1.5 (RSA encrypt-with-signature: More practical version). We assume that Bob possesses a private key $D_B$ and public key $(N_B, E_B)$ from Algorithm 8.1.2. Here we show how Alice can recover Bob’s plaintext message $x$ (thought of as an integer in some appropriate interval) and also verify Bob’s signature. We assume the existence of a message digest function $H$, such as from the SHA-1 standard.

1. [Bob encrypts with signature]
   $y = x^{E_A} \bmod N_A$; // Bob encrypts, using Alice’s public key.
   $y_1 = H(x)$; // $y_1$ is the “hash” of plaintext $x$.
   $s = y_1^{D_B} \bmod N_B$; // Bob creates signature $s$.
   Bob sends $(y, s)$ (i.e., combined message/signature) to Alice;
2. [Alice decrypts]
   Alice receives $(y, s)$;
   $x = y^{D_A} \bmod N_A$; // Alice decrypts to recover plaintext $x$.
3. [Alice processes signature]
   $y_2 = s^{E_B} \bmod N_B$;
   if($y_2 == H(x)$) Alice accepts signature;
   else Alice rejects signature;

We note that there are practical variants of this algorithm that do not involve actual encryption; e.g., if plaintext security is not an issue while only authentication is, one can simply concatenate the plaintext and signature, as $(x, s)$, for transmission to Alice. Note also there are alternative, yet practical signature schemes that depend instead on a so-called redundancy function, as laid out, for example, in [Menezes et al. 1997].

8.1.3 Elliptic curve cryptosystems (ECCs)

The mid-1980s saw the emergence of yet another fascinating cryptographic idea, that of using elliptic curves in cryptosystems [Miller 1987], [Koblitz 1987]. Basically, elliptic curve cryptography (ECC) involves a public curve $E_{a,b}(F)$ where $F$ is a finite field. Prevailing choices are $F = \mathbb{F}_p$ for prime $p$, and $F = \mathbb{F}_{2^k}$ for suitable integers $k$. We shall focus primarily on the former fields $\mathbb{F}_p$, although much of what we describe works for finite fields in general.
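As an added example (not code from the book), the three steps of Algorithm 8.1.5 and the authentication-only $(x, s)$ variant in Python, with constructed toy keys. The names `make_key`, `H`, `bob_encrypt_and_sign`, `alice_decrypt_and_verify` and `verify_plain` are assumptions; the digest is reduced mod $N_B$ only because the toy moduli are smaller than a SHA-1 digest, and no padding is applied, exactly as in the algorithm as stated.

```python
import hashlib

# Constructed toy keys (far too small for real use). Following Algorithm 8.1.2:
# N = p*q, public exponent E, private exponent D with E*D = 1 (mod (p-1)(q-1)).
def make_key(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)  # ((N, E), D)

ALICE_PUB, ALICE_PRIV = make_key(61, 53, 17)  # (N_A, E_A), D_A
BOB_PUB, BOB_PRIV = make_key(97, 89, 5)       # (N_B, E_B), D_B

def H(x, n):
    """Digest of the integer x (SHA-1, as the text suggests; now deprecated for
    signatures), reduced mod n so that it fits the toy modulus. With real-sized
    keys the digest is already smaller than N_B and no reduction is needed."""
    xb = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return int.from_bytes(hashlib.sha1(xb).digest(), "big") % n

def bob_encrypt_and_sign(x, alice_pub, bob_pub, bob_priv):
    """Step 1: y = x^E_A mod N_A, y1 = H(x), s = y1^D_B mod N_B; Bob sends (y, s)."""
    n_a, e_a = alice_pub
    n_b, _ = bob_pub
    return pow(x, e_a, n_a), pow(H(x, n_b), bob_priv, n_b)

def alice_decrypt_and_verify(y, s, alice_pub, alice_priv, bob_pub):
    """Steps 2-3: x = y^D_A mod N_A; accept iff y2 = s^E_B mod N_B equals H(x).
    Returns (x, accepted); a modified y yields a different x and a rejection."""
    n_a, _ = alice_pub
    n_b, e_b = bob_pub
    x = pow(y, alice_priv, n_a)
    return x, pow(s, e_b, n_b) == H(x, n_b)

def verify_plain(x, s, bob_pub):
    """Authentication-only variant from the text: Bob sends (x, s) in the clear."""
    n_b, e_b = bob_pub
    return pow(s, e_b, n_b) == H(x, n_b)
```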
The central idea is that given points $P, Q \in E$ such that the relation $Q = [k]P$ holds for some integer $k$, it should be hard in general to extract the elliptic discrete logarithm (EDL), namely a value for the integer multiplier $k$. There is by now a considerable literature on the EDL problem, of which just one example work is [Lim and Lee 1997], in which it is explained why the group order’s character (prime or composite, and what kind of factorization) is important as a security matter. The Diffie–Hellman key exchange protocol (see Algorithm 8.1.1) can be used in a cyclic subgroup of any group. The following algorithm is Diffie–Hellman for elliptic-curve groups.
392 Chapter 8 THE UBIQUITY OF PRIME NUMBERS

Algorithm 8.1.6 (ECC key exchange). Two individuals, Alice and Bob, agree on a public elliptic curve $E$ and a public point $P \in E$ whose point order is $n$. (In many scenarios, $n$ is prime, or admits of a large prime factor.) This algorithm produces a mutual key.

1. [Alice generates public key]
   Alice chooses random $K_A \in [2, n-2]$; // Alice’s secret key.
   $Q = [K_A]P$; // Point $Q$ is Alice’s public key.
2. [Bob generates public key]
   Bob chooses random $K_B \in [2, n-2]$; // Bob’s secret key.
   $R = [K_B]P$; // Point $R$ is Bob’s public key.
3. [Each individual creates the unique mutual key]
   Bob computes point $K = [K_B]Q$;
   Alice computes point $K = [K_A]R$. // Results agree.

That the mutual key is unique follows directly from the group rules, as
$$[K_B]([K_A]P) = [K_B K_A]P = [K_A K_B]P = [K_A]([K_B]P).$$
Again the notion of the difficulty of Bob, say, discovering Alice’s private key $K_A$ is presumably the difficulty of EDL. That is, if EDL is easy, then the ECC key exchange is not secure; and, it is thought that the converse is true as well. Note that in ECC implementations, private keys are integers, usually roughly the size of $p$ (but could be larger than $p$—recall that the group order $\#E$ can itself slightly exceed $p$), while public keys and the exchanged mutual key are points. Typically, some bits of a mutual key would be used in, say, a block cipher; for example, one might take the bits of the $x$-coordinate.

A primary result in regard to the EDL problem is the so-called “MOV theorem,” which states essentially that the EDL problem over $\mathbb{F}_p$ is equivalent to the normal DL problem over $\mathbb{F}_{p^B}^*$, for some $B$ [Menezes et al. 1993]. There is a practical test for the estimated level of security in an ECC system—call this level the MOV threshold—see [Solinas 1998]. In practice, the MOV threshold $B$ is “about 10,” but depends, of course, on the prevailing complexity estimate for the DL problem in finite fields.
Note, however, that “supersingular” curves, having order $\#E = p+1$, are particularly susceptible, having EDL complexity known to be no worse than that of the DL problem in $\mathbb{F}_{p^k}$, some $k \le 6$ [Menezes et al. 1993]. Such curves can be ruled out a priori for the reason stated. There is also the so-called Semaev–Smart–Satoh–Araki attack, when the order is $\#E = p$, based on $p$-adic arithmetic. (The 1998 announcement in [Smart 1999] caused a noticeable ripple in the cryptography field, although the theoretical knowledge is older than the announcement; see [Semaev 1998], [Satoh and Araki 1998].) More modern attacks, some of which involve the real-timing of elliptic ladders, are discussed in many references; for example, see V. Müller’s site [Müller 2004]. Incidentally, the question of how one finds elliptic curves of prime order (and so having elements of prime order) is itself interesting. One approach is
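As an added example (not code from the book), Algorithm 8.1.6 over a constructed toy curve in Python, together with the three curve checks the two paragraphs above motivate: $\#E = p+1$ (supersingular), $\#E = p$ (anomalous), and the MOV test, implemented here as the smallest $B$ with $p^B \equiv 1 \pmod n$ compared against the threshold of about 10. The curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ and all function names are assumptions; point counting is by brute force, which is only feasible because $p$ is tiny.

```python
from collections import Counter

# Constructed toy curve (a standard textbook example, not from this page): E: y^2 =
# x^3 + 2x + 2 over F_17 has #E = 19, prime, and P = (5, 1) generates it.
P17, A17, B17, GEN, N17, INF = 17, 2, 2, (5, 1), 19, None  # INF is the point O

def ec_add(p, a, P, Q):
    """Affine chord-and-tangent addition on y^2 = x^3 + ax + b over F_p."""
    if P is INF: return Q
    if Q is INF: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(p, a, k, P):
    """[k]P by left-to-right double-and-add (not constant time; toy only)."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(p, a, R, R)
        if bit == "1":
            R = ec_add(p, a, R, P)
    return R

def ecdh(p, a, P, k_a, k_b):
    """Algorithm 8.1.6 with given secrets: returns (Q, R, K as Alice gets it, K as Bob gets it)."""
    Q, R = ec_mul(p, a, k_a, P), ec_mul(p, a, k_b, P)
    return Q, R, ec_mul(p, a, k_a, R), ec_mul(p, a, k_b, Q)

def count_points(p, a, b):
    """#E(F_p) by brute force (toy p only): O plus the number of y for each x."""
    sq = Counter(y * y % p for y in range(p))
    return 1 + sum(sq[(x**3 + a * x + b) % p] for x in range(p))

def embedding_degree(p, n, bound=10):
    """MOV check: least B <= bound with p^B = 1 (mod n), else None (degree exceeds bound)."""
    return next((B for B in range(1, bound + 1) if pow(p, B, n) == 1), None)

def curve_warnings(p, a, b, n, mov_threshold=10):
    """Flags from the text: #E = p+1 (supersingular), #E = p (anomalous), low MOV degree."""
    order, w = count_points(p, a, b), []
    if order == p + 1: w.append("supersingular")
    if order == p: w.append("anomalous")
    if embedding_degree(p, n, mov_threshold) is not None: w.append("low MOV degree")
    return w
```

Even this toy curve trips the MOV check (embedding degree 9, below the threshold of 10), and $y^2 = x^3 + x$ over $\mathbb{F}_{11}$ is flagged as supersingular with degree 2; the checks are cheap, which is why they are applied before a curve is adopted.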