THE MATHEMATICAL PRINCIPLES OF MODERN CRYPTOGRAPHY
A THESIS SUBMITTED TO THE UNIVERSITY OF MANCHESTER FOR A MASTER’S DEGREE IN MATHEMATICS IN THE FACULTY OF SCIENCE AND ENGINEERING
May 2021
Sam Holmes, Department of Mathematics

Abstract
In this thesis we study the mathematics that underpins elliptic curve cryptography and the RSA cryptosystem. The security of most cryptographic protocols used across the internet is currently based on the difficulty of factorising large semiprimes (RSA) or solving the elliptic curve discrete logarithm problem (ECDLP). To study these problems in detail we first provide an extensive background in the theory of elliptic curves by proving that the set of points on an elliptic curve forms a finitely generated abelian group and computing the subgroup of points of finite order. After introducing bilinear pairings we then move on to studying some of the applications of this theory, which include secure encryption schemes, key exchange protocols and digital signature schemes. We also implement Pollard’s p − 1 factorisation algorithm and Lenstra’s elliptic curve factorisation algorithm in Python to compare their ability to factorise large semiprimes.

Contents
1 Introduction 5

2 The Theory of Elliptic Curves 9
  2.1 The Projective Plane 10
  2.2 Algebraic Representations of Elliptic Curves 11
    2.2.1 Weierstrass Normal Form 11
    2.2.2 Singular Cubic Curves 13
    2.2.3 Isomorphic Elliptic Curves 17
  2.3 The Group of Points on an Elliptic Curve 20
    2.3.1 Point Addition 21
    2.3.2 Proving the Associativity of Point Addition 26
    2.3.3 Explicit Formulas for Point Addition 28
  2.4 Mordell’s Theorem 30
    2.4.1 The Height Function 30
    2.4.2 Bounding the Height of P + P₀ 31
    2.4.3 Bounding the Height of [2]P 34
    2.4.4 The Subgroup of Points of Order 2 38
    2.4.5 The Descent Theorem 43
  2.5 Points of Finite Order 47
    2.5.1 The Nagell-Lutz Theorem 47
    2.5.2 Reduction Modulo p 50
  2.6 Bilinear Pairings 52
    2.6.1 Divisors 53
    2.6.2 The Weil Pairing 54

3 Cryptographic Applications 58
  3.1 Preliminaries 59
  3.2 Factorising Large Semiprimes 61
    3.2.1 The RSA Public Key Encryption Scheme 61
    3.2.2 Comparing Pollard’s p−1 and Lenstra Elliptic Curve Factorisation Algorithms 64
  3.3 The Discrete Logarithm Problem and Diffie-Hellman Protocol 68
    3.3.1 Choosing a Suitable Elliptic Curve for the ECDLP 69
    3.3.2 The Double-and-Add Algorithm 71
  3.4 Comparing Digital Signature Schemes 73
    3.4.1 The RSA Digital Signature Scheme 75
    3.4.2 The Elliptic Curve Digital Signature Algorithm 76
    3.4.3 BLS Signatures 77

4 Conclusion 79

A Appendix 81
  A.1 Curve.py 81
  A.2 Point.py 82
  A.3 Plotting the Performance of the ECM and Pollard’s p−1 84
  A.4 Plotting the Performance of the Double-and-Add Algorithm 85

Bibliography 87
List of Figures

2.1 Examples of smooth elliptic curves 13
2.2 Examples of singular elliptic curves 14
2.3 Elliptic curve point addition 23
2.4 The associativity of elliptic curve point addition 27
3.1 Comparing the time complexity of various algorithms used to factor semiprimes n = pq, where B = min(p, q) 64
3.2 Comparing the performance of Pollard’s p−1 and the ECM integer factorisation algorithms 67
3.3 The performance of the Double-and-Add algorithm to compute multiples of a point on an elliptic curve 73

List of Tables

3.1 The RSA encryption scheme 63
3.2 Comparing digital signature schemes 74
3.3 The RSA digital signature scheme 75
3.4 The elliptic curve digital signature algorithm (ECDSA) 76
3.5 The BLS digital signature scheme 77
List of Algorithms

1 Computing $E_{\text{tors}}(\mathbb{Q})$ using the Nagell-Lutz Theorem 49
2 Pollard’s p − 1 factorisation algorithm 65
3 Lenstra’s elliptic curve factorisation algorithm (ECM) 66
4 The binary point multiplication algorithm 72

Chapter 1
Introduction
Cryptography is a fascinating field which draws inspiration from many areas of Mathematics and Computer Science in order to design protocols that enable secure communications between users in the presence of a potentially malicious adversary. Such adversaries may intend to eavesdrop on, tamper with or forge messages between other users. The field is particularly relevant in today’s digital society because a large proportion of our online communications contain sensitive information, such as credit card details, which we would like to rigorously secure. Communication systems which use cryptographic protocols are often referred to as cryptographic systems or cryptosystems. Before we define the concept of security or explain the mathematics behind how cryptosystems operate in practice, we shall first state the four fundamental goals of cryptography which have remained at the heart of the subject since its inception [10].
(a) Confidentiality of the message: The primary goal of most cryptosystems is to allow messages to be sent in a disguised (or encrypted) form so that only the intended recipient(s) can obtain any information¹ from a transmitted message.
(b) Message integrity: The recipient of a message must be able to determine whether the message was altered during transmission. This is often achieved through the usage of cryptographic hash functions (Definition 22).
(c) Authentication of the sender: The recipient should be able to identify the sender and verify that no one else could have sent a given message. This is achieved through digital signatures. We study three examples in Section 3.4.
(d) Irrevocability of the sender: If a message originated from a given user of a cryptosystem then it should be impossible for the user to deny the authorship of the message.
¹ This means that obtaining any information about the contents of the message (such as the statistical distribution of characters), known as meta-data, should not be possible, as such systems can be easily broken by a technique known as frequency analysis.
Not all modern cryptosystems are designed to achieve all four of these goals, and several other attributes of information transmission can also be mathematically assured. For example, cryptocurrencies such as Bitcoin aim to solve the problem of double spending [4] to provide an efficient, secure and anonymous digital currency. A given cryptosystem which aims to provide confidentiality usually consists of the following three algorithms:
(a) A key generation algorithm defines two distinct but related pieces of information: a user’s public and private keys.
(b) An encryption algorithm or bijective function is used to convert the original message or plaintext into illegible ciphertext using a public key.
(c) A decryption algorithm, another bijective function, which carries out the reverse computation (from ciphertext back to plaintext) using the private key.
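The three algorithms above instantiated with textbook RSA, as an added example that is not part of the thesis; the primes 999983 and 1000003, the exponent 65537 and the messages are constructed toy values, and the last function shows why the scheme’s security rests on the difficulty of factorising n, the problem Section 3.2 studies.

```python
# Added example (not from the thesis): the key generation, encryption and
# decryption algorithms of a confidentiality cryptosystem, instantiated with
# textbook RSA. Toy parameters only: real keys use primes of hundreds of
# digits and a message is padded before it is exponentiated.
from math import gcd, isqrt


def key_generation(p, q, e=65537):
    """Return (public_key, private_key) = ((n, e), (n, d)) for primes p, q."""
    n = p * q                       # the public semiprime modulus
    phi = (p - 1) * (q - 1)         # Euler's totient phi(n); needs p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    d = pow(e, -1, phi)             # e*d = 1 (mod phi), so m^(e*d) = m (mod n)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Encryption is the bijection m -> m^e mod n on the residues mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Decryption is the inverse bijection c -> c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def trial_division(n):
    """Smallest-factor search: feasible only for tiny n, which is the point."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    return None


def private_key_from_factors(public_key, p, q):
    """Knowing the factors of n is equivalent to knowing the private key:
    phi(n), and hence d, follow immediately, so n must be hard to factor."""
    n, e = public_key
    if p * q != n:
        raise ValueError("p*q must equal the public modulus")
    return n, pow(e, -1, (p - 1) * (q - 1))


def round_trip(p, q, m):
    """Encrypt then decrypt m under keys built from p and q. Returns the
    recovered plaintext and whether (p, q) alone rebuilt the private key."""
    public_key, private_key = key_generation(p, q)
    c = encrypt(public_key, m)
    rebuilt = private_key_from_factors(public_key, p, q)
    return decrypt(private_key, c), rebuilt == private_key


if __name__ == "__main__":
    # Constructed sample values: the primes just below and above 10^6.
    print(round_trip(999983, 1000003, 123456789))   # (123456789, True)
    print(trial_division(61 * 53))                   # (53, 61): a toy modulus
```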
A cryptosystem is considered semantically secure (or simply secure for our purposes) if only negligible information about the plaintext can be extracted from the ciphertext using any probabilistic, polynomial time algorithm. In practice semantic security is considered an insufficient condition. One also needs to ensure that an adversary with access to a message and the message’s corresponding ciphertext is not able to decrypt any other messages². Cryptosystems with larger keys (or signatures) are usually more secure, but less efficient. Modern cryptography aims to optimise this trade-off to design efficient cryptosystems which use the smallest keys (or signatures) possible whilst providing sufficient security.

² This technique is referred to as a “known-plaintext attack” and was used by Alan Turing and others at Bletchley Park during World War 2 to allow the western Allies to defeat the Nazis in several crucial engagements. Many historians believe their efforts may have shortened the war by several years, saving millions of lives [29].

Cryptosystems can be divided into two main categories depending on whether the encryption and decryption keys for a given message are the same. A user of a private key (or symmetric) cryptosystem encrypts their message with the same key the recipient uses to decrypt the message. This was the only form of encryption used throughout history until 1976. The earliest use of private key cryptography arguably dates back to around 1900 BC, when hieroglyphics were systematically substituted with other unusual symbols in the tomb of the ancient Egyptian nobleman Khnumhotep II. There is substantial evidence that the ancient Greeks, particularly the Spartan military, later popularised the usage of private key cryptography with early protocols such as the Caesar Cipher [2].

Private key systems are usually faster but less secure than their public key counterparts because the decryption algorithm can be implemented in approximately the same order of magnitude of time as the encryption algorithm. One important disadvantage of private key cryptosystems is that each distinct pair of users requires a unique shared key. This leads to extensive key management, as the total number of keys required increases with the square of the number of users. Due to their speed, several private key cryptosystems are widely used today and can be split into the following two categories:
(a) Block ciphers use a private key to encrypt and decrypt fixed length segments of bits known as blocks. Examples of block ciphers include DES, the Data Encryption Standard³, developed at IBM in the early 1970s, and its successor Rijndael / AES, which is used today to secure protocols such as HTTPS on the web.

(b) Stream ciphers use a pseudorandom stream of digits known as a key stream as the private key to continuously encrypt streams of data. Such systems are only considered secure if the key stream is indistinguishable from random noise. The most widely used stream cipher is RC4 which was designed by Ron Rivest of RSA Security in 1987. RC4 has been used to ensure the confidentiality of wireless traffic, first using the deprecated WEP protocol and now with the WPA2 protocol.

³ DES is now deprecated due to its vulnerability to brute force attacks; this insecurity is attributed to the relatively short 56-bit key size.

Whitfield Diffie and Martin Hellman’s seminal 1976 paper [23] begins with the bold statement “We stand today on the brink of a revolution in cryptography.” This was no understatement. The introduction of public key (or asymmetric) cryptography instigated a new era of secure and efficient digital communications. In a public key cryptosystem (PKC) two different but mathematically related keys are used, each with a unique function: a public key⁴ used to encrypt messages and a corresponding private key used to decrypt messages. The security of a PKC relies on the assumption that computing a given private key using only encrypted data and the corresponding public key would be at least as hard as solving a computationally hard (Definition 19) problem. Of course this notion of difficulty is purely based on the efficiency of currently available algorithms; quoting [30], “The situation is somewhat analogous to theories in physics that gain credibility over time, as they fail to be disproved and continue to explain or generate interesting phenomena.”

⁴ Throughout this thesis we will assume that a user of a PKC can openly share their public key with other users without risk. In practice this is achieved through certification authorities, which act as trusted third parties.

The cryptographic protocols used in cryptosystems are usually built from multiple cryptographic primitives, such as the encryption algorithms, key exchange protocols and digital signature schemes we will study in Chapter 3. Whilst public key primitives are usually slower than their private key counterparts, it is possible to combine both types to benefit from the most useful properties of both. The TLS and SSH protocols used by modern web browsers make extensive use of this combination. In TLS an ephemeral (short lived) shared secret is first established using a variant of the Diffie-Hellman key exchange (Example 7) to provide perfect forward secrecy (Remark 37). Next, authentication is established through a digital signature scheme (Section 3.4). Finally an efficient, symmetric block cipher such as AES uses the shared key to provide confidentiality of the message.

Some public key primitives aim to provide confidentiality through establishing a shared secret key to be used in an encryption scheme. Others provide authentication through digital signatures. The RSA cryptosystem, patented in 1983, was the first standardised cryptographic protocol to provide both confidentiality and authentication. RSA is still widely used across the internet at the time of writing; its security is based on the hard problem of factorising large semiprimes. In Section 3.2 we will implement and compare two efficient integer factorisation algorithms which can be used to break a poorly implemented RSA cryptosystem. Even when implemented correctly, RSA requires large (usually 1024 bit) keys to provide sufficient security in the modern world. This led to a search for other hard problems to use as the basis for more efficient cryptosystems. One of the most famous and well researched hard problems throughout mathematics is the discrete logarithm problem (DLP) in a suitable group G:
Problem 1. The discrete logarithm problem (DLP) in a group G
Given: A generator g of G and an element h ∈ G.
Compute: An integer x such that $g^x = h$.
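Problem 1 in the multiplicative group of a prime field, the setting of the Diffie-Hellman exchange mentioned above, as an added example that is not part of the thesis: both parties’ messages are computed, and a baby-step giant-step solver (a generic square-root method, not the index-calculus algorithms the thesis cites) recovers the shared secret from the public transcript alone because the toy group is small. The prime 2³¹ − 1, the generator 7 and the secret exponents are constructed sample values.

```python
# Added example (not from the thesis): the DLP of Problem 1 in (Z/pZ)*,
# a Diffie-Hellman exchange in that group, and a baby-step giant-step
# solver. BSGS costs about sqrt(|G|) group operations, so a 31-bit prime
# falls in a fraction of a second; this is why real parameters are huge.
from math import isqrt

P = 2**31 - 1   # Mersenne prime (constructed toy size); 7 is a primitive root
G = 7           # so <7> is the whole group (Z/PZ)* of order P - 1


def dh_public(secret, p=P, g=G):
    """A party publishes g^secret mod p and keeps `secret` to itself."""
    return pow(g, secret, p)


def dh_shared(other_public, secret, p=P):
    """Both sides land on the same value: (g^a)^b = (g^b)^a = g^(ab)."""
    return pow(other_public, secret, p)


def baby_step_giant_step(g, h, p, order):
    """Return the least x with g^x = h (mod p), 0 <= x < order, or None.
    Baby steps tabulate g^j for j < m; giant steps walk h * g^(-m*i)."""
    m = isqrt(order) + 1
    table = {}
    power = 1
    for j in range(m):
        table.setdefault(power, j)       # keep the smallest j per value
        power = power * g % p
    g_inv_m = pow(g, -m, p)              # g^(-m) mod p (Python 3.8+)
    gamma = h % p
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * g_inv_m % p
    return None                          # h is not a power of g


def key_exchange(a, b, p=P, g=G):
    """Run the protocol with private exponents a and b. Returns the two
    public values an eavesdropper sees and the secret both parties derive."""
    A, B = dh_public(a, p, g), dh_public(b, p, g)
    shared_a, shared_b = dh_shared(B, a, p), dh_shared(A, b, p)
    assert shared_a == shared_b
    return A, B, shared_a


def eavesdropper_secret(A, B, p=P, g=G):
    """From the public transcript only: solve the DLP for a, then derive the
    shared secret. Feasible here solely because p - 1 is about 2^31."""
    a = baby_step_giant_step(g, A, p, p - 1)
    return dh_shared(B, a, p)


if __name__ == "__main__":
    A, B, secret = key_exchange(123456789, 987654321)   # constructed secrets
    print(eavesdropper_secret(A, B) == secret)           # True
```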
Diffie and Hellman’s paper [23] describes a key exchange protocol based on the difficulty of the DLP in the multiplicative group of a finite field. Unfortunately index-calculus [42] algorithms, amongst others, can solve the DLP in such groups within subexponential time, meaning relatively large keys are needed to provide sufficient security. This led to a search for other groups in which the DLP is more difficult. Possible candidates included extension fields, matrix groups and ideal class groups of number fields. In each of these cases either the group operation was too inefficient or a subexponential algorithm was found to solve the DLP. In 1985 Neal Koblitz [33] and Victor Miller [42] independently proposed key distribution algorithms based on the difficulty of the DLP in the group of points on an elliptic curve. Protocols based on the elliptic curve discrete logarithm problem (ECDLP) formed the foundation of a rapidly expanding field known as elliptic curve cryptography (ECC). It is widely believed that the ECDLP on a suitably chosen curve is much harder than both the DLP in the multiplicative group of a finite field and the integer factorisation problem. This means that one can use much shorter keys to gain the same level of security in a range of applications. It turns out that elliptic curves can be used for much more than just exchanging keys. Other applications of ECC studied throughout this thesis include the Lenstra elliptic curve integer factorisation method (Section 3) and the elliptic curve digital signature algorithm (Section 3.4.2).

Chapter 2
The Theory of Elliptic Curves
Elliptic curves have an extensive academic history stretching back to the second century A.D., when they were first used to study Diophantine equations [8]. The theory of elliptic curves was continually developed by many of the greatest mathematicians throughout history, including Fermat, Euler, Newton and many others. Studying elliptic curves as purely abstract mathematical objects has also led to several important breakthroughs in recent years. For example, in 1995 Andrew Wiles famously proved Fermat’s Last Theorem as a special case of the modularity theorem for elliptic curves [57]. Other unexpected applications of elliptic curves include finding the optimal way of packing n-dimensional spheres in Euclidean space and the Lenstra elliptic curve factorization algorithm. Our aim throughout this Chapter is to build up the necessary background required to implement modern ECC protocols. Quoting Serge Lang, “it is possible to write endlessly on elliptic curves” [36]; this sentiment will certainly become clear once the depth of the field is exposed throughout the Chapter.

The general structure of the Chapter is as follows. We shall first study elliptic curves as abstract geometric objects defined in projective space. We will then introduce the standard algebraic representation of a given elliptic curve, known as the short Weierstrass normal form. Next, we shall use discriminants of cubic curves to determine when they are singular and j-invariants of elliptic curves to determine when they are isomorphic. Using these results we will prove that the set of points on an elliptic curve together with a point addition operation forms an abelian group. We will also provide explicit formulas for the sum of two points.
With these fundamentals in place we give a reformulated proof of Mordell’s Theorem, one of the fundamental results in the theory of elliptic curves, which states that the group of points of a given elliptic curve defined over the rationals is finitely generated. Then, in Section 2.5 we state and apply the Nagell-Lutz and Reduction Theorems to determine the subgroup of points of finite order on a given curve. We conclude the Chapter with an introduction to bilinear pairings, a relatively recent development in the theory of elliptic curves which has many important applications.

We shall mainly follow the ideas presented in two of the standard texts on the subject, [53] and [31]. Independent contributions in the form of further examples, solutions to exercises, additional explanations and reformulations of proofs of well established results will be highlighted throughout the Chapter. The reader is not assumed to have any prior knowledge of algebraic number theory, Galois theory or algebraic geometry.
2.1 The Projective Plane
Many texts on elliptic curves begin with the standard algebraic definition of an elliptic curve given in Section 2.2. We will instead provide some background from the point of view of geometry to build up an understanding of the projective space in which elliptic curves are defined.
Definition 1. The projective plane defined over a field K, denoted $\mathbb{P}^2(K)$, is the set of equivalence classes of all homogeneous triples $[a : b : c]$ with $a, b, c \in K$, excluding $[0 : 0 : 0]$, such that

$[a : b : c] \sim [a' : b' : c']$ whenever $a = ta'$, $b = tb'$, $c = tc'$ for some nonzero $t$.
Remark 1. We refer to these equivalence classes as points in the projective plane. In order to visualize the projective plane it may help to start with the usual Cartesian plane but, instead of distinguishing a special point at (0,0), to define points at infinity, one lying on each set of parallel lines within the plane.¹ To describe curves in the projective plane we will sometimes use polynomials in three variables, since points in $\mathbb{P}^2$ are represented by homogeneous triples. Note that each point in $\mathbb{P}^2$ can be represented by infinitely many distinct homogeneous triples: if $F(a,b,c) = 0$, then we must also have $F(at,bt,ct) = 0$ for all $t \neq 0$.
Definition 2. A polynomial $F(X,Y,Z) \in K[X,Y,Z]$ is a homogeneous polynomial of degree d if it satisfies

$$F(tX, tY, tZ) = t^d F(X,Y,Z).$$
Furthermore, a projective (or algebraic) curve C in the projective plane is defined as the set of solutions to the equation

$$C : F(X,Y,Z) = 0,$$

where F is a non-constant homogeneous polynomial. Subsets defined by zeroes of polynomials are often referred to as varieties in algebraic geometry; however, we will use the term curve throughout this thesis to avoid confusion.

¹ We will later require a point at infinity to act as the neutral element in the group of points on an elliptic curve.
Definition 3. Points in $\mathbb{P}^2$ of the form $[x : y : 1]$ are called affine points. They form an affine plane $\mathbb{A}^2$ embedded in $\mathbb{P}^2$. We will usually refer to the equation of a projective curve simply by its affine part, denoted $f(x,y)$, where

$$f(x,y) = F(x,y,1).$$
Definition 4. An elliptic curve defined over a field K is a smooth², projective, algebraic curve of genus one with a specified K-rational point $O = [0 : 1 : 0]$. We will often refer to such objects using the notation E/K, or simply E when the underlying field is clear.
Remark 2. It may be of interest to the reader that elliptic curves are neither elliptic, nor curves in the usual sense. The word “elliptic” is used in this context due to the connection with elliptic integrals used to find the arc length of an ellipse. Furthermore, using the theory of elliptic functions, one can show that elliptic curves defined over the complex numbers are actually isomorphic to embeddings of a torus (or equivalently a Riemann surface of genus one) in the complex projective plane. However, this topological view of elliptic curves is outside the scope of this book.
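Definitions 1 to 3 worked over a small prime field, as an added example that is not part of the thesis: projective points as equivalence classes of nonzero triples, the homogeneity condition of Definition 2 checked by brute force, and the affine part of a curve. The cubic y² = x³ + x + 1 over F₇ and its homogenisation are constructed sample inputs; the only point with Z = 0 on it is O = [0 : 1 : 0], the point at infinity of Definition 4.

```python
# Added example (not from the thesis): P^2(F_p) as equivalence classes of
# homogeneous triples, the homogeneity test F(tX,tY,tZ) = t^d F(X,Y,Z), and
# the affine part f(x, y) = F(x, y, 1) of a projective cubic curve.
from itertools import product


def same_projective_point(P, Q, p):
    """[a:b:c] ~ [a':b':c'] iff (a,b,c) = t*(a',b',c') for a nonzero t in F_p."""
    if all(v % p == 0 for v in P) or all(v % p == 0 for v in Q):
        raise ValueError("[0:0:0] is excluded from P^2")
    return any(all((t * q - a) % p == 0 for a, q in zip(P, Q)) for t in range(1, p))


def normalise(P, p):
    """Canonical representative of P's class: last nonzero coordinate scaled to 1."""
    P = tuple(v % p for v in P)
    for k in (2, 1, 0):
        if P[k]:
            inv = pow(P[k], -1, p)
            return tuple(v * inv % p for v in P)
    raise ValueError("[0:0:0] is excluded from P^2")


def projective_points(p):
    """One representative for each of the p^2 + p + 1 points of P^2(F_p)."""
    return {normalise(P, p) for P in product(range(p), repeat=3) if any(P)}


def is_homogeneous(F, d, p):
    """Brute-force check of F(tX,tY,tZ) = t^d F(X,Y,Z) over all of F_p^3."""
    return all(
        F(t * X, t * Y, t * Z, p) == pow(t, d, p) * F(X, Y, Z, p) % p
        for X, Y, Z in product(range(p), repeat=3)
        for t in range(1, p)
    )


def weierstrass_F(a, b):
    """Homogenisation Y^2 Z - X^3 - a X Z^2 - b Z^3 of y^2 = x^3 + a x + b
    (a constructed sample curve; values are reduced mod p)."""
    def F(X, Y, Z, p):
        return (Y * Y * Z - X ** 3 - a * X * Z * Z - b * Z ** 3) % p
    return F


def affine_part(F):
    """f(x, y) = F(x, y, 1): the curve restricted to the affine plane A^2."""
    return lambda x, y, p: F(x, y, 1, p)


def curve_points(F, p):
    """All F_p-points of the projective curve F = 0, affine or at infinity."""
    return {P for P in projective_points(p) if F(*P, p) == 0}


def points_at_infinity(F, p):
    """Curve points with Z = 0; for the cubic above only O = [0:1:0] remains."""
    return {P for P in curve_points(F, p) if P[2] == 0}


if __name__ == "__main__":
    p, F = 7, weierstrass_F(1, 1)                            # y^2 = x^3 + x + 1 over F_7
    print(same_projective_point((2, 4, 6), (1, 2, 3), p))   # True: t = 2
    print(is_homogeneous(F, 3, p))                           # True
    print(sorted(curve_points(F, p)))                        # 4 affine points and (0, 1, 0)
    print(points_at_infinity(F, p))                          # {(0, 1, 0)}
```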
2.2 Algebraic Representations of Elliptic Curves
The main goal of this section is to introduce the standard algebraic representation of an elliptic curve, the Weierstrass normal form. Alternative algebraic representations of elliptic curves such as the Edwards form and Hessian form are often preferred in practical applications because computations on these curves are often more efficient [14] and require less memory [26]. We have chosen to work only with the Weierstrass normal form due to its concise notation and ease of calculations. Using the Weierstrass normal form we will be able to identify when a cubic curve is singular and when two elliptic curves are isomorphic. We will mainly be following well established results from [53] whilst reformulating certain proofs and providing additional examples.
2.2.1 Weierstrass Normal Form

We begin by introducing the long Weierstrass normal form of an elliptic curve. Then, working over fields of characteristic not equal to two or three, we shall derive the medium and short Weierstrass normal forms respectively. The Riemann-Roch theorem is a fundamental result in the study of algebraic geometry; see Section 3.3 of [31] for a proof. It can be used to show that every elliptic curve E/K can be described by an equation of the form
$$Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3, \qquad (2.1)$$

written in the homogeneous coordinates X, Y and Z, where $O = [0 : 1 : 0]$ is the base point at infinity and $a_1, \dots, a_6 \in K$. Rewriting equation (2.1) using the non-homogeneous coordinates $x = X/Z$ and $y = Y/Z$, we obtain the long Weierstrass normal form of E

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$$

² See Section 2.2.2 for an explanation of why we require an elliptic curve to be smooth.
Assuming the characteristic of K is not equal to 2, we then make the substitution $y \to \tfrac{1}{2}(y - a_1 x - a_3)$ and obtain the medium Weierstrass normal form of E,
$$E : y^2 = x^3 + Ax^2 + Bx + C, \qquad \text{where}$$

$$A = b_2 = a_1^2 + 4a_2, \qquad B = 2b_4 = 2(2a_4 + a_1 a_3), \qquad C = b_6 = a_3^2 + 4a_6.$$
Finally, assuming the characteristic of K is not equal to 3, we perform another change of variables, $(x, y) \to ((x - 3b_2)/36,\ y/108)$, to eliminate the $x^2$ term, giving us the short Weierstrass normal form of E/K
$$E : y^2 = x^3 + Bx + C, \qquad \text{where}$$