Prime Numbers


thales.doa.fmph.uniba.sk
10.12.2012 Views

Chapter 8 THE UBIQUITY OF PRIME NUMBERS

8.1 Cryptography

just to generate random curves and assess their orders via Algorithm 7.5.6. Another is to use Algorithm 7.5.9 or 7.5.10 to generate possible orders, and when a prime order is found, go ahead and specify a curve with that order. But there are clever variants of these basic approaches (see Exercise 8.27). It should be remarked that some cryptographers accept curves of order #E = fr, where f may consist of small prime factors while r is a large prime. For such curves, one still prefers to find points of the prime order r, and this can be done very simply:

Algorithm 8.1.7 (Find a point of prime order). Given an elliptic curve $E_{a,b}(F_p)$ of order #E = fr, where r is prime, this algorithm endeavors to find a point P ∈ E of order r.

1. [Find starting point]
    Choose a random point P ∈ E, via Algorithm 7.2.1;
2. [Check multiple]
    Q = [f]P;
    if(Q == O) goto [Find starting point];
    return Q;    // A point of prime order r.

The algorithm is admittedly almost trivial, but important in cryptography applications. One such application is elliptic signature. There is a standard elliptic-curve digital signature scheme that runs like so, with the prerequisite of a point of prime order evident right at the outset:

Algorithm 8.1.8 (Elliptic curve digital signature algorithm (ECDSA)). This algorithm provides functions for key generation, signing, and verification of messages. A message is generally denoted by M, an integer, and it is assumed that a suitable hash function h is in hand.

1. [Alice generates key]
    Alice chooses a curve E, whose order #E = fr with r a “large” prime;
    Alice finds point P ∈ E of order r, via Algorithm 8.1.7;
    Alice chooses random d ∈ [2, r − 2];
    Q = [d]P;
    Alice publishes public key (E, P, r, Q);    // Private key is d.
2. [Alice signs]
    Alice chooses random k ∈ [2, r − 2];
    (x1, y1) = [k]P;
    R = x1 mod r;    // Note that R ≠ 0.
    s = k^{-1}(h(M) + Rd) mod r;
    if(s == 0) goto [Alice signs];
    Alice’s signature is the pair (R, s), transmitted with message M;
3. [Bob verifies]
    Bob obtains Alice’s public key (E, P, r, Q);
    w = s^{-1} mod r;
    u1 = h(M)w mod r;
    u2 = Rw mod r;
    (x0, y0) = [u1]P + [u2]Q;
    v = x0 mod r;
    if(v == R) Bob accepts signature;
    else Bob rejects signature;

This algorithm is modeled on an older DSA standard, and amounts to the natural elliptic-curve variant of DSA. Modern details and issues are discussed in [Johnson et al. 2001]. The hash value h(M) is, technically speaking, supposed to be effected via another standard, the SHA-1 hash function [Jurišić and Menezes 1997]. Those authors also discuss the interesting issue of security. They conclude that a 1024-bit DSA system is about as secure as a 160-bit ECDSA system. If valid, such an observation shows once again that, on our current knowledge, the EDL problem is about as hard as a computational number-theoretical problem can be.

The current record for an EDL computation pertains to the “Certicom Challenge,” for which an EDL was solved in 2002 by C. Monico et al. for an elliptic curve over $F_p$ with p being a 109-bit prime. The next challenge of this type on the list is a 131-bit prime, but under current knowledge of EDL difficulty, the 131-bit case is perhaps two thousand times harder than the 109-bit case.

Incidentally, there is a different way to effect a signature scheme with elliptic curves, which is the El Gamal scheme. We do not write out the algorithm—it is less standard than the above ECDSA scheme (but no less interesting)—but the essentials lie in Algorithm 8.1.10. Also, the theoretical ideas are found in [Koblitz 1987].

We have mentioned, in connection with RSA encryption, the practical expedient of using the sophisticated methods (RSA, ECC) for a key exchange, then using the mutually understood key in a rapid block cipher, such as DES, say. But there is another fascinating way to proceed with a kind of “direct” ECC scheme, based on the notion of embedding plaintext as points on elliptic curves. In this fashion, all encryption/decryption proceeds with nothing but elliptic algebra at all phases.
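Algorithms 8.1.7 and 8.1.8 above, carried through on a toy curve as an added example that is not from the book. The field p = 100003, the coefficient a = 2, the brute-force point count (standing in for Algorithm 7.5.6), the restriction of f to a power of 2, SHA-256 as h, and all function names are assumptions made here; the range check on (R, s) in `verify` is standard ECDSA practice rather than a printed step of Algorithm 8.1.8.

```python
import hashlib, math, secrets
p, a = 100003, 2   # constructed toy field, p ≡ 3 (mod 4); far too small for real use
def h(M, r): return int.from_bytes(hashlib.sha256(M).digest(), "big") % r  # assumed hash

def add(P, Q):     # affine group law on y^2 = x^3 + ax + b; None is the point at infinity O
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    num, den = (3*x1*x1 + a, 2*y1) if P == Q else (y2 - y1, x2 - x1)
    m = num * pow(den % p, -1, p) % p
    x3 = (m*m - x1 - x2) % p
    return x3, (m*(x1 - x3) - y1) % p
def mul(n, P):     # [n]P by double-and-add (toy code, not constant time)
    R = None
    while n:
        if n & 1: R = add(R, P)
        P, n = add(P, P), n >> 1
    return R

def find_curve():  # try b = 1, 2, ... until #E = f*r with f in {2, 4, 8} and r prime
    for b in range(1, p):
        if (4*a**3 + 27*b*b) % p == 0: continue                 # singular cubic, skip
        f, r = 1, 1 + sum((pow(x**3 + a*x + b, (p-1)//2, p) + 1) % p for x in range(p))
        while r % 2 == 0 and f < 8: f, r = 2*f, r // 2          # split #E into f * r
        if f > 1 and all(r % q for q in range(2, math.isqrt(r) + 1)): return b, f, r

def point_of_order_r(b, f):                                     # Algorithm 8.1.7
    while True:
        x = secrets.randbelow(p)
        s = (x**3 + a*x + b) % p
        y = pow(s, (p + 1)//4, p)                               # square root of s if one exists
        if y*y % p == s and (Q := mul(f, (x, y))): return Q     # retry when [f]P == O
def keygen(b, f, r):                                            # Algorithm 8.1.8, step 1
    P, d = point_of_order_r(b, f), 2 + secrets.randbelow(r - 3) # private d in [2, r-2]
    return d, (P, r, mul(d, P))                                 # public (P, r, Q) on curve b

def sign(M, P, r, d):                                           # step 2
    while True:
        k = 2 + secrets.randbelow(r - 3)                        # fresh secret nonce per signature
        R = mul(k, P)[0] % r
        s = pow(k, -1, r) * (h(M, r) + R*d) % r
        if R and s: return R, s

def verify(M, sig, P, r, Q):                                    # step 3
    R, s = sig
    if not (0 < R < r and 0 < s < r): return False              # added range check
    w = pow(s, -1, r)
    V = add(mul(h(M, r)*w % r, P), mul(R*w % r, Q))             # [u1]P + [u2]Q
    return V is not None and V[0] % r == R
```

`find_curve()` counts points on each candidate curve by brute force, so it takes on the order of a second before the key can be generated.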
Theorem 8.1.9 (Plaintext-embedding theorem). For prime $p > 3$ let $E$ denote an elliptic curve over $F_p$, with governing cubic $y^2 = x^3 + ax + b$. Let $X$ be any integer in $[0, p-1]$. Then $X$ is either an x-coordinate of some point on $E$, or on the twist curve $E'$ whose governing cubic is $gy^2 = x^3 + ax + b$, for some $g$ with $\left(\frac{g}{p}\right) = -1$. Furthermore, if $p \equiv 3 \pmod 4$, and we assign

$$s = X^3 + aX + b \bmod p, \qquad Y = s^{(p+1)/4} \bmod p,$$

then $(X, Y)$ is a point on either $E$, $E'$, respectively, as $Y^2 \equiv s, -s \pmod p$,
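Theorem 8.1.9 checked numerically and used to embed a short plaintext, as an added example that is not from the book. The parameters p, a, b, the two-bytes-per-point packing and the function names are assumptions made here; the twist is taken with g = −1, which is a non-residue because p ≡ 3 (mod 4).

```python
p, a, b = 100003, 2, 3   # constructed toy curve, p ≡ 3 (mod 4); not a secure size

def embed(X):
    """Map any X in [0, p-1] to (X, Y, g) with g*Y^2 ≡ X^3 + aX + b (mod p).

    g = 1 means the point lies on E, g = -1 means it lies on the twist E'.
    """
    s = (X**3 + a*X + b) % p
    Y = pow(s, (p + 1)//4, p)        # Y^2 = s * s^((p-1)/2), i.e. s times its Legendre symbol
    return X, Y, (1 if Y*Y % p == s else -1)

def on_curve(pt):
    """Check that a tagged point satisfies the governing cubic of its own curve."""
    X, Y, g = pt
    return (g*Y*Y - X**3 - a*X - b) % p == 0

def encode(msg):
    """Embed a byte string, two plaintext bytes per point, so every X < 65536 < p."""
    if len(msg) % 2:
        raise ValueError("pad the message to an even length first")
    return [embed(int.from_bytes(msg[i:i+2], "big")) for i in range(0, len(msg), 2)]

def decode(points):
    """The plaintext is carried by the x-coordinates alone."""
    return b"".join(X.to_bytes(2, "big") for X, _, _ in points)

def split():
    """Count how the integers in [0, p-1] divide between E and its twist."""
    gs = [embed(X)[2] for X in range(p)]
    return gs.count(1), gs.count(-1)

if __name__ == "__main__":
    for pt in encode(b"meet at noon"):       # constructed sample plaintext
        print(pt, "E" if pt[2] == 1 else "E'", on_curve(pt))
    print(split())
```

No retry or padding search is needed: every X embeds on the first attempt, and the tag g records which of the two curves received it.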

