DOCSLIB.ORG

Constructive and Computational Aspects of Cryptographic Pairings

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Constructive and Computational Aspects of Cryptographic Pairings Constructive and Computational Aspects of Cryptographic Pairings Michael Naehrig Constructive and Computational Aspects of Cryptographic Pairings PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Technische Universiteit Eindhoven, op gezag van de Rector Magnificus, prof.dr.ir. C.J. van Duijn, voor een commissie aangewezen door het College voor Promoties in het openbaar te verdedigen op donderdag 7 mei 2009 om 16.00 uur door Michael Naehrig geboren te Stolberg (Rhld.), Duitsland Dit proefschrift is goedgekeurd door de promotor: prof.dr. T. Lange CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN Naehrig, Michael Constructive and Computational Aspects of Cryptographic Pairings / door Michael Naehrig. – Eindhoven: Technische Universiteit Eindhoven, 2009 Proefschrift. – ISBN 978-90-386-1731-2 NUR 919 Subject heading: Cryptology 2000 Mathematics Subject Classification: 94A60, 11G20, 14H45, 14H52, 14Q05 Printed by Printservice Technische Universiteit Eindhoven Cover design by Verspaget & Bruinink, Nuenen c Copyright 2009 by Michael Naehrig Fur¨ Lukas und Julius Promotor: prof.dr. T. Lange Commissie: prof.dr.dr.h.c. G. Frey (Universit¨at Duisburg-Essen) prof.dr. M. Scott (Dublin City University) prof.dr.ir. H.C.A. van Tilborg prof.dr. A. Blokhuis prof.dr. D.J. Bernstein (University of Illinois at Chicago) prof.dr. P.S.L.M. Barreto (Universidade de S˜ao Paulo) Alles, was man tun muss, ist, die richtige Taste zum richtigen Zeitpunkt zu treffen. Johann Sebastian Bach Thanks This dissertation would not exist without the help, encouragement, motivation, and company of many people. I owe much to my supervisor, Tanja Lange. I thank her for her support; for all the efforts she made, even in those years, when I was not her PhD student; for taking care of so many things; and for being a really good supervisor. Another important person, who deserves my sincere thanks is Paulo S.L.M. Barreto. Paulo was the one who initiated my interests in pairings. His encouragement and never-ending curiosity is a great source of motivation. It was a pleasure for me to work with him. My short visit to S˜ao Paulo was a pleasant and important experience. I highly appreciate Paulo’s friendship. I am also indebted to Gerhard Frey, who was always open to answer questions and comment on problems. I thank him for his patience, friendliness, help, and hospitality. I express my gratitude to Gerhard Frey, Michael Scott, Henk van Tilborg, Aart Blokhuis, Dan Bernstein, and Paulo Barreto for agreeing to join my PhD committee, and for reading the manuscript and giving valuable comments. Furthermore, I thank Laura Hitt O’Connor for scientific and general discussions. I have profited also from encouraging conversations with Steven Galbraith. I thank Paulo Barreto, Peter Schwabe, Laura Hitt O’Connor, Gary McGuire, Marco Streng, Christophe Ar`ene, Tanja Lange, and Christophe Ritzenthaler for their fruitful col- laboration. Many thanks go to the people in the coding and cryptology group at TU/e, espe- cially to Henk and Anita for providing a nice working atmosphere, and to the PhD students, with which I had the pleasure to share a really big office: Christiane, Jing, Jos´e, Peter, Peter, Peter, Reza, and Sebastiaan. I also appreciate the company of the PhD students from the fridge: Antonino, Bruno, Ga¨etan, Daniel, Mayla, and Relinde. I thank Peter Schwabe and Peter Birkner for proofreading and pointing out mistakes and inconsistencies in earlier versions of this dissertation. Peter Schwabe is always a great help in choosing the right band for our weekly motto. Let me also mention Matilde Getz, Detlef, Gernot, Tobias, Daniel, Georg, Alex, Wolfgang, and Melli, some of my former colleagues in Aachen. I am grateful for their company in the last years. I am very happy to have shared many great musical experiences with all the nice vii viii people from the choir of the Aachener Bachverein. I also apologize to many friends for not being very communicative in the last months and thank them for understanding my full schedule. Vielen Dank an Simone und Andi fur¨ sehr willkommene Teepausen, die mich kurzzeitig von der Arbeit ablenken konnten. Ein besonderer Dank gilt meiner Familie: meinen Eltern, meinen Schwiegereltern, Großeltern und meinem Bruder fur¨ ihre Unterstutzung¨ und ihre Zuversicht. I need to thank Lukas and Julius for reminding me so many times of the important values in life. Finally, I deeply thank my wife Natalie. There are no words to express my gratitude for her enormous support and her love. Contents Introduction 1 1 Preliminaries 5 1.1 Curves ................................... 5 1.1.1 Affine and projective curves ................... 5 1.1.2 Singular points and tangent lines ................ 9 1.1.3 Intersection numbers and B´ezout’s Theorem .......... 11 1.1.4 Functions, morphisms, and twists ................ 13 1.1.5 Divisors, the Picard group and the genus ............ 16 1.1.6 Elliptic curves ........................... 17 1.1.7 Edwards curves and twisted Edwards curves .......... 26 1.1.8 Hyperelliptic curves ........................ 28 1.2 Pairings .................................. 31 1.2.1 The Tate-Lichtenbaum pairing .................. 32 1.2.2 The Weil pairing ......................... 35 1.2.3 Pairing computation on elliptic curves ............. 35 1.3 Constructing pairing-friendly curves ................... 41 1.3.1 The CM method for elliptic curves ............... 43 1.3.2 Elliptic curves with small embedding degree .......... 45 2 BN curves 47 2.1 Construction ............................... 47 2.1.1 Distribution of BN prime pairs ................. 49 2.1.2 Choosing a generator point ................... 50 2.2 Properties ................................. 52 2.2.1 Automorphisms .......................... 53 2.2.2 Twists and point representation ................. 54 2.2.3 Field extensions .......................... 55 2.2.4 Efficient endomorphisms ..................... 56 2.2.5 Point compression ......................... 59 2.3 Pairing computation ........................... 61 2.3.1 Tate and twisted ate pairings .................. 63 2.3.2 ate and optimal pairings ..................... 64 ix x Contents 2.3.3 Pairing compression ....................... 65 2.4 Construction revisited .......................... 66 2.4.1 Prime pairs and primitive roots ................. 67 2.4.2 Curve, twist, and automorphisms ................ 68 2.4.3 Finite fields and twist isomorphism ............... 68 2.5 Examples ................................. 69 3 Compressed pairing computation 71 3.1 Preliminaries on tori ........................... 72 3.2 Even embedding degree .......................... 73 3.3 Curves with a sextic twist ........................ 76 3.4 Implementation .............................. 83 4 Pairings on Edwards curves 85 4.1 Lines and conics .............................. 86 4.2 Geometric interpretation of the group law ............... 90 4.3 Explicit formulas for Miller functions .................. 98 4.3.1 Addition .............................. 99 4.3.2 Doubling ..............................100 4.3.3 Miller loop .............................101 4.3.4 Comparison ............................101 5 Constructing curves of genus 2 with p-rank 1 103 5.1 Abelian varieties with complex multiplication .............103 5.2 A CM construction for genus-2 curves with p-rank 1 ..........107 5.2.1 Genus-2 curves with p-rank 1 ..................107 5.2.2 The CM method for genus 2 ...................109 5.2.3 Algorithms ............................112 5.2.4 Examples .............................114 5.3 Prescribed embedding degree in genus 2 ................115 5.4 Prescribed embedding degree for p-rank 1 ...............116 A Compressed torus arithmetic 119 A.1 Verification of formulas ..........................119 A.2 Pseudo code ................................122 Bibliography 125 Index 135 Summary 139 Curriculum vitae 141 Introduction In 1976, Diffie and Hellman published their groundbreaking paper New Directions in Cryptography [DH76], in which they introduced the concept of public-key crypto- graphy. By then, the conventional cryptosystems were built on symmetric tech- niques, where a common secret key is used to encrypt data sent from one party to another. In contrast to that, Diffie and Hellman proposed asymmetric methods: A user A provides a public key, with which other users encrypt messages destined for A. The user A holds a corresponding secret key, only known to A, with which A can decrypt those messages. This solves the problem of securely distributing keys over insecure channels that always occurs in symmetric, secret-key systems. While sym- metric methods are still the most efficient choice for encrypting data, asymmetric techniques provide key agreement, digital signatures, and authentication. The security of cryptosystems as proposed by Diffie and Hellman relies on the exis- tence of one-way functions. Evaluating such functions is easy, while inverting is in- feasible. Exponentiation of integers modulo a prime number q is the most important example in [DH76]. Cryptosystems based on this function rely on the intractability of the discrete logarithm problem in the multiplicative group of a finite field Fq for sufficiently large primes q. The discrete logarithm problem (DLP) is defined for any group G as follows: Given a, y G, find an integer x with y = ax if it exists. For an abelian group, this problem is∈ often formulated additively: Given P, Q G with Q = [x]P being the x-fold sum of P , find x. If the DLP is hard to solve in∈ a group G, then G can be used for realizing
Load more

Recommended publications
  • Classics Revisited: El´ Ements´ De Geom´ Etrie´ Algebrique´
    Noname manuscript No. (will be inserted by the editor) Classics Revisited: El´ ements´ de Geom´ etrie´ Algebrique´ Ulrich Gortz¨ Received: date / Accepted: date Abstract About 50 years ago, El´ ements´ de Geom´ etrie´ Algebrique´ (EGA) by A. Grothen- dieck and J. Dieudonne´ appeared, an encyclopedic work on the foundations of Grothen- dieck’s algebraic geometry. We sketch some of the most important concepts developed there, comparing it to the classical language, and mention a few results in algebraic and arithmetic geometry which have since been proved using the new framework. Keywords El´ ements´ de Geom´ etrie´ Algebrique´ · Algebraic Geometry · Schemes Contents 1 Introduction . .2 2 Classical algebraic geometry . .3 2.1 Algebraic sets in affine space . .3 2.2 Basic algebraic results . .4 2.3 Projective space . .6 2.4 Smoothness . .8 2.5 Elliptic curves . .9 2.6 The search for new foundations of algebraic geometry . 10 2.7 The Weil Conjectures . 11 3 The Language of Schemes . 12 3.1 Affine schemes . 13 3.2 Sheaves . 15 3.3 The notion of scheme . 20 3.4 The arithmetic situation . 22 4 The categorical point of view . 23 4.1 Morphisms . 23 4.2 Fiber products . 24 4.3 Properties of morphisms . 28 4.4 Parameter Spaces and Representable Functors . 30 4.5 The Yoneda Lemma . 33 4.6 Group schemes . 34 5 Moduli spaces . 36 5.1 Coming back to moduli spaces of curves . 36 U. Gortz¨ University of Duisburg-Essen, Fakultat¨ fur¨ Mathematik, 45117 Essen, Germany E-mail: [email protected] 2 Ulrich Gortz¨ 5.2 Deformation theory .
    [Show full text]
  • Lecture Notes in Galois Theory
    Lecture Notes in Galois Theory Lectures by Dr Sheng-Chi Liu Throughout these notes, signifies end proof, and N signifies end of example. Table of Contents Table of Contents i Lecture 1 Review of Group Theory 1 1.1 Groups . 1 1.2 Structure of cyclic groups . 2 1.3 Permutation groups . 2 1.4 Finitely generated abelian groups . 3 1.5 Group actions . 3 Lecture 2 Group Actions and Sylow Theorems 5 2.1 p-Groups . 5 2.2 Sylow theorems . 6 Lecture 3 Review of Ring Theory 7 3.1 Rings . 7 3.2 Solutions to algebraic equations . 10 Lecture 4 Field Extensions 12 4.1 Algebraic and transcendental numbers . 12 4.2 Algebraic extensions . 13 Lecture 5 Algebraic Field Extensions 14 5.1 Minimal polynomials . 14 5.2 Composites of fields . 16 5.3 Algebraic closure . 16 Lecture 6 Algebraic Closure 17 6.1 Existence of algebraic closure . 17 Lecture 7 Field Embeddings 19 7.1 Uniqueness of algebraic closure . 19 Lecture 8 Splitting Fields 22 8.1 Lifts are not unique . 22 Notes by Jakob Streipel. Last updated December 6, 2019. i TABLE OF CONTENTS ii Lecture 9 Normal Extensions 23 9.1 Splitting fields and normal extensions . 23 Lecture 10 Separable Extension 26 10.1 Separable degree . 26 Lecture 11 Simple Extensions 26 11.1 Separable extensions . 26 11.2 Simple extensions . 29 Lecture 12 Simple Extensions, continued 30 12.1 Primitive element theorem, continued . 30 Lecture 13 Normal and Separable Closures 30 13.1 Normal closure . 31 13.2 Separable closure . 31 13.3 Finite fields .
    [Show full text]
  • MRD Codes: Constructions and Connections
    MRD Codes: Constructions and Connections John Sheekey April 12, 2019 This preprint is of a chapter to appear in Combinatorics and finite fields: Difference sets, polynomials, pseudorandomness and applications. Radon Series on Computational and Applied Mathematics, K.-U. Schmidt and A. Winterhof (eds.). The tables on clas- sifications will be periodically updated (in blue) when further results arise. If you have any data that you would like to share, please contact the author. Abstract Rank-metric codes are codes consisting of matrices with entries in a finite field, with the distance between two matrices being the rank of their difference. Codes with maximum size for a fixed minimum distance are called Maximum Rank Distance (MRD) codes. Such codes were constructed and studied independently by Delsarte (1978), Gabidulin (1985), Roth (1991), and Cooperstein (1998). Rank-metric codes have seen renewed interest in recent years due to their applications in random linear network coding. MRD codes also have interesting connections to other topics such as semifields (finite nonassociative division algebras), finite geometry, linearized polynomials, and cryptography. In this chapter we will survey the known constructions and applications of MRD codes, and present some open problems. arXiv:1904.05813v1 [math.CO] 11 Apr 2019 1 Definitions and Preliminaries 1.1 Rank-metric codes Coding theory is the branch of mathematics concerned with the efficient and accurate transfer of information. Error-correcting codes are used when communication is over a channel in which errors may occur. This requires a set equipped with a distance function, and a subset of allowed codewords; if errors are assumed to be small, then a received message is decoded to the nearest valid codeword.
    [Show full text]
  • Counting and Effective Rigidity in Algebra and Geometry
    COUNTING AND EFFECTIVE RIGIDITY IN ALGEBRA AND GEOMETRY BENJAMIN LINOWITZ, D. B. MCREYNOLDS, PAUL POLLACK, AND LOLA THOMPSON ABSTRACT. The purpose of this article is to produce effective versions of some rigidity results in algebra and geometry. On the geometric side, we focus on the spectrum of primitive geodesic lengths (resp., complex lengths) for arithmetic hyperbolic 2–manifolds (resp., 3–manifolds). By work of Reid, this spectrum determines the commensurability class of the 2–manifold (resp., 3–manifold). We establish effective versions of these rigidity results by ensuring that, for two incommensurable arithmetic manifolds of bounded volume, the length sets (resp., the complex length sets) must disagree for a length that can be explicitly bounded as a function of volume. We also prove an effective version of a similar rigidity result established by the second author with Reid on a surface analog of the length spectrum for hyperbolic 3–manifolds. These effective results have corresponding algebraic analogs involving maximal subfields and quaternion subalgebras of quaternion algebras. To prove these effective rigidity results, we establish results on the asymptotic behavior of certain algebraic and geometric counting functions which are of independent interest. 1. INTRODUCTION 1.1. Inverse problems. 1.1.1. Algebraic problems. Given a degree d central division algebra D over a field k, the set of isomorphism classes of maximal subfields MF(D) of D is a basic and well studied invariant of D. Question 1. Do there exist non-isomorphic, central division algebras D1;D2=k with MF(D1) = MF(D2)? Restricting to the class of number fields k, by a well-known consequence of class field theory, when D=k is a quaternion algebra, MF(D) = MF(D0) if and only if D =∼ D0 as k–algebras.
    [Show full text]
  • P-Adic Class Invariants
    LMS J. Comput. Math. 14 (2011) 108{126 C 2011 Author doi:10.1112/S1461157009000175e p-adic class invariants Reinier Br¨oker Abstract We develop a new p-adic algorithm to compute the minimal polynomial of a class invariant. Our approach works for virtually any modular function yielding class invariants. The main algorithmic tool is modular polynomials, a concept which we generalize to functions of higher level. 1. Introduction Let K be an imaginary quadratic number field and let O be an order in K. The ring class field HO of the order O is an abelian extension of K, and the Artin map gives an isomorphism s Pic(O) −−! Gal(HO=K) of the Picard group of O with the Galois group of HO=K. In this paper we are interested in explicitly computing ring class fields. Complex multiplication theory provides us with a means of doing so. Letting ∆ denote the discriminant of O, it states that we have j HO = K[X]=(P∆); j where P∆ is the minimal polynomial over Q of the j-invariant of the complex elliptic curve j C=O. This polynomial is called the Hilbert class polynomial. It is a non-trivial fact that P∆ has integer coefficients. The fact that ring class fields are closely linked to j-invariants of elliptic curves has its ramifications outside the context of explicit class field theory. Indeed, if we let p denote a j prime that is not inert in O, then the observation that the roots in Fp of P∆ 2 Fp[X] are j j-invariants of elliptic curves over Fp with endomorphism ring O made computing P∆ a key ingredient in the elliptic curve primality proving algorithm [12].
    [Show full text]
  • Computing Isomorphisms and Embeddings of Finite
    Computing isomorphisms and embeddings of finite fields Ludovic Brieulle, Luca De Feo, Javad Doliskani, Jean-Pierre Flori and Eric´ Schost May 4, 2017 Abstract Let Fq be a finite field. Given two irreducible polynomials f; g over Fq, with deg f dividing deg g, the finite field embedding problem asks to compute an explicit descrip- tion of a field embedding of Fq[X]=f(X) into Fq[Y ]=g(Y ). When deg f = deg g, this is also known as the isomorphism problem. This problem, a special instance of polynomial factorization, plays a central role in computer algebra software. We review previous algorithms, due to Lenstra, Allombert, Rains, and Narayanan, and propose improvements and generalizations. Our detailed complexity analysis shows that our newly proposed variants are at least as efficient as previously known algorithms, and in many cases significantly better. We also implement most of the presented algorithms, compare them with the state of the art computer algebra software, and make the code available as open source. Our experiments show that our new variants consistently outperform available software. Contents 1 Introduction2 2 Preliminaries4 2.1 Fundamental algorithms and complexity . .4 2.2 The Embedding Description problem . 11 arXiv:1705.01221v1 [cs.SC] 3 May 2017 3 Kummer-type algorithms 12 3.1 Allombert's algorithm . 13 3.2 The Artin{Schreier case . 18 3.3 High-degree prime powers . 20 4 Rains' algorithm 21 4.1 Uniquely defined orbits from Gaussian periods . 22 4.2 Rains' cyclotomic algorithm . 23 5 Elliptic Rains' algorithm 24 5.1 Uniquely defined orbits from elliptic periods .
    [Show full text]
  • Mor04, Mor12], Provides a Foundational Tool for 1 Solving Problems in A1-Enumerative Geometry
    THE TRACE OF THE LOCAL A1-DEGREE THOMAS BRAZELTON, ROBERT BURKLUND, STEPHEN MCKEAN, MICHAEL MONTORO, AND MORGAN OPIE Abstract. We prove that the local A1-degree of a polynomial function at an isolated zero with finite separable residue field is given by the trace of the local A1-degree over the residue field. This fact was originally suggested by Morel's work on motivic transfers, and by Kass and Wickelgren's work on the Scheja{Storch bilinear form. As a corollary, we generalize a result of Kass and Wickelgren relating the Scheja{Storch form and the local A1-degree. 1. Introduction The A1-degree, first defined by Morel [Mor04, Mor12], provides a foundational tool for 1 solving problems in A1-enumerative geometry. In contrast to classical notions of degree, 1 n n the local A -degree is not integer valued: given a polynomial function f : Ak ! Ak with 1 1 A isolated zero p, the local A -degree of f at p, denoted by degp (f), is defined to be an element of the Grothendieck{Witt group of the ground field. Definition 1.1. Let k be a field. The Grothendieck{Witt group GW(k) is defined to be the group completion of the monoid of isomorphism classes of symmetric non-degenerate bilinear forms over k. The group operation is the direct sum of bilinear forms. We may also give GW(k) a ring structure by taking tensor products of bilinear forms for our multiplication. The local A1-degree, which will be defined in Definition 2.9, can be related to other important invariants at rational points.
    [Show full text]
  • Hidden Number Problems
    Hidden Number Problems Barak Shani A thesis submitted in fulfillment of the requirements for the degree of Doctor of Philosophy in Mathematics The University of Auckland 2017 Abstract The hidden number problem is the problem of recovering an unknown group element (the \hidden number") given evaluations of some function on products of the hidden number with known elements in the group. This problem enjoys a vast variety of applications, and provides cross-fertilisation among different areas of mathematics. Bit security is a research field in mathematical cryptology that studies leakage of in- formation in cryptographic systems. Of particular interest are public-key cryptosystems, where the study revolves around the information about the private keys that the public keys leak. Ideally no information is leaked, or more precisely extraction of partial in- formation about the secret keys is (polynomially) equivalent to extraction of the entire keys. Accordingly, studies in this field focus on reducing the problem of recovering the private key to the problem of recovering some information about it. This is done by designing algorithms that use the partial information to extract the keys. The hidden number problem was originated to study reductions of this kind. This thesis studies the hidden number problem in different groups, where the functions are taken to output partial information on the binary representation of the input. A spe- cial focus is directed towards the bit security of Diffie–Hellman key exchange. The study presented here provides new results on the hardness of extracting partial information about Diffie–Hellman keys. Contents 1 Introduction 1 1.1 Summary of Contributions .
    [Show full text]
  • Kummer Surfaces for Primality Testing
    Kummer surfaces for primality testing Eduardo Ru´ız Duarte & Marc Paul Noordman Universidad Nacional Aut´onoma de M´exico, University of Groningen [email protected], [email protected] Abstract We use the arithmetic of the Kummer surface associated to the Jacobian of a hyperelliptic curve to study the primality of integersof the form 4m25n 1. We providean algorithmcapable of proving the primality or compositeness of most of the− integers in these families and discuss in detail the necessary steps to implement this algorithm in a computer. Although an indetermination is possible, in which case another choice of initial parameters should be used, we prove that the probability of reaching this situation is exceedingly low and decreases exponentially with n. Keywords: Primality, Jacobians, Hyperelliptic Curves, Kummer Surface 2020 MSC: 11G25, 11Y11, 14H40, 14H45 Introduction Determining the primality of an arbitrary integer n is a fundamental problem in number theory. The first deterministic polynomial time primality test (AKS) was developed by Agrawal, Kayal and Saxena [3]. Lenstra and Pomerance in [25] proved that a variant of AKS has running time (log n)6(2+log log n)c where c isaneffectively computablereal number. The AKS algorithm has more theoretical relevance than practical. If rather than working with general integers, one fixes a sequence of integers, for example Fermat or Mersenne numbers, one can often find an algorithm to determine primality using more efficient methods; for these two examples P´epin’s and Lucas-Lehmer’s tests respectively provide fast primality tests. Using elliptic curves, in 1985, Wieb Bosma in his Master Thesis [5] found analogues of Lucas tests for elements in Z[i] or Z[ζ] (with ζ a third root of unity) by replacing the arithmetic of (Z/nZ)× with the arithmetic of elliptic curves modulo n with complex multiplication (CM).
    [Show full text]
  • ATKIN's ECPP (Elliptic Curve Primality Proving) ALGORITHM
    ATKIN’S ECPP (Elliptic Curve Primality Proving) ALGORITHM OSMANBEY UZUNKOL OCTOBER 2004 ATKIN’S ECPP (Elliptic Curve Primality Proving ) ALGORITHM A THESIS SUBMITTED TO DEPARTMENT OF MATHEMATICS OF TECHNICAL UNIVERSITY OF KAISERSLAUTERN BY OSMANBEY UZUNKOL IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN THE DEPARTMENT OF MATHEMATICS October 2004 abstract ATKIN’S ECPP ALGORITHM Uzunkol, Osmanbey M.Sc., Department of Mathematics Supervisor: Prof. Dr. Gerhard Pfister October 2004, cxxiii pages In contrast to using a strong generalization of Fermat’s theorem, as in Jacobi- sum Test, Goldwasser and Kilian used some results coming from Group Theory in order to prove the primality of a given integer N ∈ N. They developed an algorithm which uses the group of rational points of elliptic curves over finite fields. Atkin and Morain extended the idea of Goldwasser and Kilian and used the elliptic curves with CM (complex multiplication) to obtain a more efficient algorithm, namely Atkin’s ECPP (elliptic curve primality proving) Algorithm. Aim of this thesis is to introduce some primality tests and explain the Atkin’s ECPP Algorithm. Keywords: Cryptography, Algorithms, Algorithmic Number Theory. ii oz¨ Herg¨unbir yere konmak ne g¨uzel, Bulanmadan donmadan akmak ne ho¸s, D¨unleberaber gitti canca˘gızım! Ne kadar s¨ozvarsa d¨uneait, S¸imdi yeni ¸seylers¨oylemeklazım... ...............Mevlana Celaleddini’i Rumi............... iii I would like to thank first of all to my supervisor Prof. Dr . Gerhard Pfister for his help before and during this work. Secondly, I would like to thank also Hans Sch¨onemann and Ra¸sitS¸im¸sekfor their computer supports in computer algebra system SINGULAR and programming language C++, respectively.
    [Show full text]
  • Elliptic Curves: Number Theory and Cryptography
    Elliptic Curves Number Theory and Cryptography Second Edition © 2008 by Taylor & Francis Group, LLC DISCRETE MATHEMATICS ITS APPLICATIONS !-%!. %/*- !))!/$ *.!)$ -*!'#**-*)/-* 0/%*)/** %)#$!*-4 *'#'%'",*#'#*-%/$(%*(%)/*-%.*)-/%'*- . -'("(''!-+))%)#-!!.) +/%(%5/%*)-*'!(. "*%&(+"*%&#+ )0(!-/%1!*(%)/*-%. '*#("' *"* *1,% ) **&*" ''%+/%) 4+!-!''%+/%0-1!-4+/*#-+$4 "*%+(%(-*'' *1 #'#,2 ) **&*"*(%)/*-%' !.%#).!*) %/%*) *,#' *#$+(''',"('122')/-* 0/%*)/*0(!-$!*-4 ,.' -*#'(#'!#('#'0#'!#' -(!.) !.*'1'! !.%#)..!. *)./-0/%*).) 3%./!)! '1 (%*!''#$-/%' ) **&*"+!!$* !-. ( ((&''(+)"4(-*$ ) **&*" %.-!/!) *(+0//%*)' !*(!/-4 !*) %/%*) (',"' *(++*(%)/*-%'!/$* .2%/$*(+0/!-++'%/%*). (',"' *(++'1%%' -+$$!*-4) /.++'%/%*).!*) %/%*) (',"' *(++'1%%' ) **&*" -+$$!*-4 **% '$*+(' *! **#+',*("'+(')/-* 0/%*)/*)"*-(/%*) $!*-4) /*(+-!..%*)!*) %/%*) *1% *&+#*(+%.*,2%"*%+(%(-*''("'.#,,!/2*-&!'%%'%/4 3+!-%(!)/.2%/$4(*'%'#!- )1%-*)(!)/ +%# (!' ) **&*"%)!-'#!- *$ (%,/#,",,#' #$' &(''4*#' ) **&*"*(+0//%*)' -*0+$!*-4 .#$+(''**1 #+',#')/'.*"(''!-+.%)-%!)/'!) *)*-%!)/'!0-"!. #"* %#&#% #!&('' *'+,,#,2#'!*++'%/%*).*"./-/'#!- 2%/$+'!7) 6!*) %/%*) ,*#$'-))'&#2%*#!-%"%/%*)*"*(+0/!-* !.%)*(+0//%*)'%!)! ) )#%)!!-%)# © 2008 by Taylor & Francis Group, LLC Continued Titles #%%#&(1'('%*"* -+$.'#*-%/$(.) +/%(%5/%*) ('%*"*'(-!%+,#'+('*(%)/*-%''#*-%/$(. !)!-/%*) )0(!-/%*) ) !-$ "*%+#''*'"*#+,()"*(!*+ !.%#)$!*-4 '!-1%--4*" -+$'#*-%/$(.) +/%(%5/%*) % *'2+-%.'(*+"(,'(,,'+,(' ) **&*"++'%! -4+/*#-+$4 #"*(%%#''#!-%0(!-$!*-4 #"*(%%#'* !.$! 0% !/*!-!4"-*()%!)//** !-)%(!. #"*(%%#' 0) (!)/'0(!-$!*-42%/$++'%/%*).!*)
    [Show full text]
  • Arxiv:2010.09374V1 [Math.AG] 19 Oct 2020 Lsdfils N Eoescasclcut Over Counts Classical Recovers One fields
    Applications to A1-enumerative geometry of the A1-degree Sabrina Pauli Kirsten Wickelgren Abstract These are lecture notes from the conference Arithmetic Topology at the Pacific Institute of Mathemat- ical Sciences on applications of Morel’s A1-degree to questions in enumerative geometry. Additionally, we give a new dynamic interpretation of the A1-Milnor number inspired by the first named author’s enrichment of dynamic intersection numbers. 1 Introduction A1-homotopy theory provides a powerful framework to apply tools from algebraic topology to schemes. In these notes, we discuss Morel’s A1-degree, giving the analog of the Brouwer degree in classical topology, and applications to enumerative geometry. Instead of the integers, the A1-degree takes values in bilinear forms, or more precisely, in the Grothendieck-Witt ring GW(k) of a field k, defined to be the group completion of isomorphism classes of symmetric, non-degenerate bilinear k-forms. This can result in an enumeration of algebro-geometric objects valued in GW(k), giving an A1-enumerative geometry over non-algebraically closed fields. One recovers classical counts over C using the rank homomorphism GW(k) Z, but GW(k) can contain more information. This information can record arithmetic-geometric properties→ of the objects being enumerated over field extensions of k. In more detail, we start with the classical Brouwer degree. We introduce enough A1-homotopy theory to describe Morel’s degree and use the Eisenbud-Khimshiashvili-Levine signature formula to give context for the degree and a formula for the local A1-degree. The latter is from joint work of Jesse Kass and the second-named author.
    [Show full text]