Textbook: Introduction to Cryptography 2nd ed.
By J.A. Buchmann
Chap 13 Other Systems
Department of Computer Science and Information Engineering,
Chaoyang University of Technology
朝陽科技大學資工系
Speaker: Fuw-Yi Yang 楊伏夷
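Fuw-Yi (伏夷) does not mean "subduing the barbarians".
Tao Te Ching, Chapter 58 (察政章): 伏 (Fuw) means to lie hidden.
Chapter 14 (道紀章): the Tao has no form or image; what is looked at but cannot be seen is called 夷 (Yi).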
Fuw-Yi Yang
1
Contents
Finite Fields
DL Problem
Elliptic Curves
13.1 Finite Fields
This chapter shows that the ElGamal algorithms can be
implemented in the unit group
(the invertible elements of a commutative ring with unit
element form a group)
of any finite field, not only of the prime field Z/pZ for a
prime p.
13.1.1 DL problem
Let p be a prime number and let n be a positive integer.
In Theorem 2.21.1, we have shown that the unit group of
the finite field $GF(p^n)$ is cyclic.
Its order is $p^n - 1$. If this order has only small prime
factors, then the Pohlig-Hellman DL algorithm will
efficiently compute discrete logarithms in this group (see
Section 10.5).
Otherwise, an index calculus algorithm can be applied
(Section 10.6).
For fixed n, the number field sieve can be applied.
For fixed p and growing n, the function field sieve is used.
Both algorithms have running time $L_q[1/3, c + o(1)]$.
See next page.
9.4 Analysis of the quadratic sieve
Let n, u, v be real numbers and let n be greater than the
Euler constant e = 2.718.
$L_n[u, v] = e^{v (\log n)^{u} (\log \log n)^{1-u}}$.
$L_n[0, v] = e^{v (\log n)^{0} (\log \log n)^{1}} = e^{v \log \log n} = (\log n)^{v}$ // polynomial time
$L_n[1, v] = e^{v (\log n)^{u} (\log \log n)^{1-u}} = e^{v \log n}$ // exponential time
0 < u < 1 : subexponential time
13.2 Elliptic Curves
13.2.1 Definition
Elliptic curves can be defined over any field. This
section only describes elliptic curves over prime fields.
Let p be a prime number, p > 3 and let $a, b \in GF(p)$ be
positive integers.
Consider the equation: $y^2 z = x^3 + a x z^2 + b z^3$ (13.1)
Discriminant: = $-16(4a^3 + 27b^2)$ (13.2)
In the following, assume that   0.
If $(x, y, z) \in GF(p)^3$ is a solution of equation 13.1, then
for any $c \in GF(p)$, c(x, y, z) is also a solution.
$y^2 z = x^3 + a x z^2 + b z^3$ (13.1)
Two solutions (x, y, z) and (x, y, z) are called
equivalent if there is a nonzero $c \in GF(p)$ with
(x, y, z) = c(x, y, z).
This defines an equivalence relation on the set of all
solutions of (13.1). The equivalence class of (x, y, z) is
denoted by (x : y : z).
The elliptic curve E(p; a, b) is the set of all equivalence
classes of solutions of (13.1). Each element of this set is
called a point on the curve.
$y^2 z = x^3 + a x z^2 + b z^3$ (13.1)
If $(x, y, z) \in GF(p)^3$ is a solution of equation 13.1, and
if $z \neq 0$, then the class (x : y : z) contains exactly one
element (x, y, 1).
Hence, (x, y) is also a solution of the equation
$y^2 = x^3 + ax + b$ (13.4)
(example: $y^2 = x^3 + x + 6 \bmod 11$)
Conversely, if $(x, y) \in GF(p)^2$ is a solution of (13.4),
then (x, y, 1) is a solution of (13.1).
Moreover, there is exactly one equivalence class of
solutions of (13.1) which are all of the form (x, y, 0).
$y^2 z = x^3 + a x z^2 + b z^3$ (13.1)
In fact, if z = 0, then x must also be 0, so the
equivalence class is (0 : 1 : 0). Note: (0 : 1 : 0) = c(0 : y : 0)
Hence, the elliptic curve can be written as
$E(p; a, b) = \{(x : y : 1) : y^2 = x^3 + ax + b\} \cup \{(0 : 1 : 0)\}$.
Also write (x, y) instead of (x : y : 1) and  instead of (0 :
1 : 0), so
$E(p; a, b) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{\ \}$.
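The construction above can be checked by brute force on the slide's example curve. The following is an added example, not part of the original slides: it enumerates the solutions of (13.1) over GF(11) for a = 1, b = 6, groups them into equivalence classes, and confirms that the classes are exactly the affine solutions of (13.4) plus the single class (0 : 1 : 0). The function names are illustrative, and excluding the all-zero triple is an assumption (the standard projective convention).

```python
from itertools import product

def discriminant(p, a, b):
    """-16(4a^3 + 27b^2) reduced mod p, as in (13.2)."""
    return (-16 * (4 * a**3 + 27 * b**2)) % p

def solves_13_1(p, a, b, x, y, z):
    """True if (x, y, z) satisfies y^2 z = x^3 + a x z^2 + b z^3 over GF(p)."""
    return (y * y * z - (x**3 + a * x * z * z + b * z**3)) % p == 0

def normalize(p, x, y, z):
    """Canonical representative of the class (x : y : z) of a solution."""
    if z % p:                      # z != 0: scale by 1/z to reach (x, y, 1)
        inv = pow(z, -1, p)
        return (x * inv % p, y * inv % p, 1)
    inv = pow(y, -1, p)            # z == 0 forces x == 0, so scale y to 1
    return (x * inv % p, 1, 0)

def projective_classes(p, a, b):
    """All equivalence classes of nonzero solutions of (13.1)."""
    classes = set()
    for x, y, z in product(range(p), repeat=3):
        # Assumption: the all-zero triple is excluded (projective convention).
        if (x, y, z) != (0, 0, 0) and solves_13_1(p, a, b, x, y, z):
            classes.add(normalize(p, x, y, z))
    return classes

def affine_points(p, a, b):
    """All (x, y) in GF(p)^2 with y^2 = x^3 + a x + b, equation (13.4)."""
    return {(x, y) for x, y in product(range(p), repeat=2)
            if (y * y - (x**3 + a * x + b)) % p == 0}

if __name__ == "__main__":
    p, a, b = 11, 1, 6             # the example curve from the slides
    assert discriminant(p, a, b) != 0
    affine = affine_points(p, a, b)
    classes = projective_classes(p, a, b)
    # Every class is either an affine point (x, y, 1) or the class (0 : 1 : 0).
    assert classes == {(x, y, 1) for x, y in affine} | {(0, 1, 0)}
    print(sorted(affine))
    print("points on E(11; 1, 6):", len(classes))
```

Requires Python 3.8 or later for the modular inverse `pow(z, -1, p)`.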