Prime Numbers
Chapter 8 THE UBIQUITY OF PRIME NUMBERS

8.1 Cryptography

just to generate random curves and assess their orders via Algorithm 7.5.6. Another is to use Algorithm 7.5.9 or 7.5.10 to generate possible orders, and when a prime order is found, go ahead and specify a curve with that order. But there are clever variants of these basic approaches (see Exercise 8.27). It should be remarked that some cryptographers accept curves of order #E = fr, where f may consist of small prime factors while r is a large prime. For such curves, one still prefers to find points of the prime order r, and this can be done very simply:

Algorithm 8.1.7 (Find a point of prime order). Given an elliptic curve $E_{a,b}(F_p)$ of order #E = fr, where r is prime, this algorithm endeavors to find a point P ∈ E of order r.

1. [Find starting point]
    Choose a random point P ∈ E, via Algorithm 7.2.1;
2. [Check multiple]
    Q = [f]P;
    if(Q == O) goto [Find starting point];
    return Q;    // A point of prime order r.

The algorithm is admittedly almost trivial, but important in cryptography applications. One such application is elliptic signature. There is a standard elliptic-curve digital signature scheme that runs like so, with the prerequisite of a point of prime order evident right at the outset:

Algorithm 8.1.8 (Elliptic curve digital signature algorithm (ECDSA)). This algorithm provides functions for key generation, signing, and verification of messages. A message is generally denoted by M, an integer, and it is assumed that a suitable hash function h is in hand.

1. [Alice generates key]
    Alice chooses a curve E, whose order #E = fr with r a “large” prime;
    Alice finds point P ∈ E of order r, via Algorithm 8.1.7;
    Alice chooses random d ∈ [2, r − 2];
    Q = [d]P;
    Alice publishes public key (E, P, r, Q);    // Private key is d.
2. [Alice signs]
    Alice chooses random k ∈ [2, r − 2];
    $(x_1, y_1) = [k]P$;
    $R = x_1 \bmod r$;    // Note that R ≠ 0.
    $s = k^{-1}(h(M) + Rd) \bmod r$;
    if(s == 0) goto [Alice signs];
    Alice’s signature is the pair (R, s), transmitted with message M;
3. [Bob verifies]
    Bob obtains Alice’s public key (E, P, r, Q);
    $w = s^{-1} \bmod r$;
    $u_1 = h(M)w \bmod r$;
    $u_2 = Rw \bmod r$;
    $(x_0, y_0) = [u_1]P + [u_2]Q$;
    $v = x_0 \bmod r$;
    if(v == R) Bob accepts signature;
    else Bob rejects signature;

This algorithm is modeled on an older DSA standard, and amounts to the natural elliptic-curve variant of DSA. Modern details and issues are discussed in [Johnson et al. 2001]. The hash value h(M) is, technically speaking, supposed to be effected via another standard, the SHA-1 hash function [Jurišić and Menezes 1997]. Those authors also discuss the interesting issue of security. They conclude that a 1024-bit DSA system is about as secure as a 160-bit ECDSA system. If valid, such an observation shows once again that, on our current knowledge, the EDL problem is about as hard as a computational number-theoretical problem can be. The current record for an EDL computation pertains to the “Certicom Challenge,” for which an EDL was solved in 2002 by C. Monico et al. for an elliptic curve over $F_p$ with p being a 109-bit prime. The next challenge of this type on the list is a 131-bit prime, but under current knowledge of EDL difficulty, the 131-bit case is perhaps two thousand times harder than the 109-bit case.

Incidentally, there is a different way to effect a signature scheme with elliptic curves, which is the El Gamal scheme. We do not write out the algorithm—it is less standard than the above ECDSA scheme (but no less interesting)—but the essentials lie in Algorithm 8.1.10. Also, the theoretical ideas are found in [Koblitz 1987].

We have mentioned, in connection with RSA encryption, the practical expedient of using the sophisticated methods (RSA, ECC) for a key exchange, then using the mutually understood key in a rapid block cipher, such as DES, say. But there is another fascinating way to proceed with a kind of “direct” ECC scheme, based on the notion of embedding plaintext as points on elliptic curves. In this fashion, all encryption/decryption proceeds with nothing but elliptic algebra at all phases.
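Algorithms 8.1.7 and 8.1.8 traced end to end on a toy curve, as an added example that is not code from the book. The curve y^2 = x^3 + x over F_4051 is an assumption, chosen because p ≡ 3 (mod 4) makes it supersingular with #E = p + 1 = 4 · 1013, so f = 4 and r = 1013; the retry on R = 0 and the range check in verification follow standard ECDSA practice rather than the steps listed above.

```python
import hashlib, secrets

# Constructed toy curve (assumption): y^2 = x^3 + x over F_4051, #E = p + 1 = 4 * 1013.
p, a, b, f, r = 4051, 1, 0, 4, 1013
O = None  # point at infinity
def h(M): return int.from_bytes(hashlib.sha256(M).digest(), "big")

def add(P, Q):
    if P is O or Q is O: return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return O        # P + (-P)
    num, den = (3 * x1 * x1 + a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    m = num * pow(den, -1, p) % p                        # tangent or chord slope
    x3 = (m * m - x1 - x2) % p
    return x3, (m * (x1 - x3) - y1) % p

def mul(n, P):                                           # [n]P by double-and-add
    acc = O
    while n:
        if n & 1: acc = add(acc, P)
        P, n = add(P, P), n >> 1
    return acc

def point_of_order_r():                                  # Algorithm 8.1.7
    while True:
        x = secrets.randbelow(p)
        s = (x**3 + a * x + b) % p
        y = pow(s, (p + 1) // 4, p)                      # root candidate, p = 3 (mod 4)
        Q = mul(f, (x, y)) if y * y % p == s else O      # clear the cofactor f
        if Q is not O: return Q

def keygen():                                            # Algorithm 8.1.8, step 1
    P = point_of_order_r()
    d = 2 + secrets.randbelow(r - 3)                     # d in [2, r-2]
    return d, (P, mul(d, P))                             # private d, public (P, Q)

def sign(d, P, M):                                       # step 2
    while True:
        k = 2 + secrets.randbelow(r - 3)                 # fresh nonce per signature
        R = mul(k, P)[0] % r
        s = pow(k, -1, r) * (h(M) + R * d) % r
        if R and s: return R, s                          # standard ECDSA also retries on R == 0

def verify(pub, M, sig):                                 # step 3
    (P, Q), (R, s) = pub, sig
    if not (0 < R < r and 0 < s < r): return False       # range check (standard ECDSA)
    w = pow(s, -1, r)
    X = add(mul(h(M) * w % r, P), mul(R * w % r, Q))     # [u1]P + [u2]Q
    return X is not O and X[0] % r == R
```

With r = 1013 a tampered message is still accepted with probability on the order of 1/r, which is why step 1 of Algorithm 8.1.8 asks for a “large” prime r.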
Theorem 8.1.9 (Plaintext-embedding theorem). For prime p > 3 let E denote an elliptic curve over $F_p$, with governing cubic $y^2 = x^3 + ax + b$. Let X be any integer in [0, p − 1]. Then X is either an x-coordinate of some point on E, or on the twist curve E′ whose governing cubic is $gy^2 = x^3 + ax + b$, for some g with $\left(\frac{g}{p}\right) = -1$. Furthermore, if p ≡ 3 (mod 4), and we assign

$$s = X^3 + aX + b \bmod p, \qquad Y = s^{(p+1)/4} \bmod p,$$

then (X, Y) is a point on either E, E′, respectively, as $Y^2 \equiv s, -s \pmod p$,