Prime Numbers
8.1 Cryptography 395

where in the latter case we take the governing cubic for $E'$ to be $-y^2 = x^3 + ax + b$. This theorem is readily proved via the same twist algebra that we encountered in Theorem 7.5.2 and Exercise 7.16, and leads to the following algorithm for direct-embedding encryption:

Algorithm 8.1.10 (Direct-embedding ECC encryption). This algorithm allows encryption/decryption using exclusively elliptic algebra, i.e., with no intermediary cipher, via the direct embedding of plaintext onto curves. We assume that Alice and Bob have agreed upon a public curve $E_{a,b}(\mathbb{F}_p)$ with its twist curve $E'$, on which lie respectively public points $P, P'$. In addition, it is assumed that Bob has generated respective public keys $P_B = [K_B]P$, $P'_B = [K_B]P'$, as in Algorithm 8.1.6. We denote by $X$ a parcel of plaintext (an integer in $[0, \ldots, p-1]$) that Alice wishes to encrypt for Bob.

1. [Alice embeds plaintext $X$]
   Alice determines the curve $E$ or $E'$ on which $X$ is a valid x-coordinate (and, if y-coordinates are relevant, computes such number $Y$) via Theorem 8.1.9, taking the curve to be $E$ if $X$ is on both curves; // See Exercise 8.5.
   Depending respectively on which curve $E, E'$ is in force, Alice sets respectively:
   $d = 0$ or $1$; // Curve-selecting bit.
   $Q = P$ or $P'$;
   $Q_B = P_B$ or $P'_B$.
   Alice chooses random $r \in [2, p-2]$;
   $U = [r]Q_B + (X, Y)$; // Elliptic add, to obfuscate plaintext.
   $C = [r]Q$; // The “clue” for undoing the obfuscation.
   Alice transmits a parcel (encrypted message, clue, bit) as $(U, C, d)$;
2. [Bob decrypts to get plaintext $X$]
   Bob inspects $d$ to determine on which curve elliptic algebra will proceed;
   $(X, Y) = U - [K_B]C$; // Private key applied with elliptic subtract.
   Bob now recovers the plaintext as the x-coordinate $X$;

This method will be recognized as an El Gamal embedding scheme, where we have made some improvements over previous renditions [Koblitz 1987], [Kaliski 1988].
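As an added example (not the book's own code), the following Python carries Algorithm 8.1.10 through over a constructed toy prime $p = 10007 \equiv 3 \pmod 4$ and curve $y^2 = x^3 + 2x + 3$; it treats $E$ and its twist uniformly as $c\,y^2 = x^3 + ax + b$ with $c = \pm 1$, so one group law serves both curves, and uses the $p \equiv 3 \pmod 4$ square root $t^{(p+1)/4}$ for the embedding. The parameters, base points and helper names are assumptions; a real deployment would use a standardized curve of cryptographic size.

```python
import secrets

# Constructed toy parameters (not the book's): p ≡ 3 (mod 4), E: y^2 = x^3 + A x + B.
p, A, B = 10007, 2, 3

def inv(z):
    return pow(z % p, p - 2, p)
def add(P, Q, c):
    """Group law on c*y^2 = x^3 + A*x + B (c=1: E, c=-1: twist E'); None = infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None          # P = -Q
    lam = (3*x1*x1 + A) * inv(2*c*y1) if P == Q else (y2 - y1) * inv(x2 - x1)
    x3 = (c*lam*lam - x1 - x2) % p                          # roots of the cubic sum to c*lam^2
    return x3, (lam*(x1 - x3) - y1) % p
def mul(k, P, c):
    """Scalar multiple [k]P by double-and-add."""
    R = None
    while k:
        if k & 1: R = add(R, P, c)
        P, k = add(P, P, c), k >> 1
    return R
def embed(X):
    """Theorem 8.1.9: with p ≡ 3 (mod 4), f(X) or -f(X) is a square, so X is an
    x-coordinate on E or E' (E preferred); the square root of t is t^((p+1)/4)."""
    f = (X**3 + A*X + B) % p
    for c in (1, -1):
        y = pow(c*f % p, (p + 1)//4, p)
        if y*y % p == c*f % p: return c, (X, y)
def keygen():
    """Bob's keys (Algorithm 8.1.6): private K_B, public [K_B]P on E and [K_B]P' on E'."""
    pts, x = {}, 1
    while len(pts) < 2:                                     # first x landing on each curve
        c, Pt = embed(x); pts.setdefault(c, Pt); x += 1
    kB = 2 + secrets.randbelow(p - 3)
    return kB, {0: (pts[1], mul(kB, pts[1], 1)), 1: (pts[-1], mul(kB, pts[-1], -1))}
def encrypt(X, pub):
    """Step 1 of Algorithm 8.1.10: Alice's parcel (U, C, d)."""
    c, M = embed(X)
    d = 0 if c == 1 else 1                                  # curve-selecting bit
    Q, QB = pub[d]
    r = 2 + secrets.randbelow(p - 3)                        # r in [2, p-2]
    return add(mul(r, QB, c), M, c), mul(r, Q, c), d
def decrypt(U, C, d, kB):
    """Step 2: Bob recovers X as the x-coordinate of U - [K_B]C on the curve chosen by d."""
    c = 1 if d == 0 else -1
    S = mul(kB, C, c)
    return add(U, S and (S[0], -S[1] % p), c)[0]
```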
Note that the last part of Theorem 8.1.9 allows Algorithm 8.1.10 to proceed efficiently when the field characteristic has $p \equiv 3 \pmod 4$. In practical implementations of Algorithm 8.1.10, there are two further substantial improvements one may invoke. First, the y-coordinates are not needed if one uses Montgomery coordinates (Algorithm 7.2.7) throughout and carefully applies Algorithm 7.2.8 at the right junctures. Second, the “clue” point $C$ of the algorithm effectively doubles the transmitted data size. This, too, can be avoided by carefully setting up a random number exchange protocol, so that the random number $r$ itself is deterministically kept in synchrony by the two parties. (The authors are indebted to B. Garst for this observation, which in fact has led to a U. S. Patent [Crandall and Garst 2001].) See Exercise 8.3 for more detail on such enhancements. If properly done, one obtains a fairly efficient, elegant direct-embedding scheme with—asymptotically speaking—no data expansion.

396 Chapter 8 THE UBIQUITY OF PRIME NUMBERS

8.1.4 Coin-flip protocol

In cryptography, a protocol is essentially an algorithm specifying—in a certain order—the steps that involved parties must take. We have seen key-exchange and related protocols already. Here we investigate an intriguing cultural application of number-theoretical protocols. How can one toss a coin, fairly, over the telephone? Or play poker among $n$ individuals, playing “blind” on a network? We assume the worst: that no party trusts any other, yet a decision has to be reached, as one would so reach it via a coin toss, with one party calling heads or tails. It turns out that such a remote tossing is indeed possible, using properties of certain congruences.

Incidentally, the motivation for even having a coin-flip protocol is obvious, when one imagines a telephone conversation—say between two hostile parties involved in a lawsuit—in which some important result accrues on the basis of a coin flip, meaning a random bit whose statistics cannot be biased by either party. Having one party claim they just flipped a head, and therefore won the toss, is clearly not good enough. Everyone must be kept honest, and this can be done via adroit application of congruences involving primes or certain composites. Here is one way to proceed, where we have adapted some ideas from [Bressoud and Wagon 2000] on simple protocols:

Algorithm 8.1.11 (Coin-flip protocol). Alice and Bob wish to “flip a fair coin,” using only a communication channel. They have agreed that if Bob guesses correctly, below, then Bob wins, otherwise Alice wins.

1. [Alice selects primes]
   Alice chooses two large primes p