On the Implementation of Pairing-Based Cryptosystems a Dissertation Submitted to the Department of Computer Science and the Comm

Total Page:16

File Type:pdf, Size:1020Kb

On the Implementation of Pairing-Based Cryptosystems a Dissertation Submitted to the Department of Computer Science and the Comm ON THE IMPLEMENTATION OF PAIRING-BASED CRYPTOSYSTEMS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY Ben Lynn June 2007 c Copyright by Ben Lynn 2007 All Rights Reserved ii I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Dan Boneh Principal Advisor I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. John Mitchell I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Xavier Boyen Approved for the University Committee on Graduate Studies. iii Abstract Pairing-based cryptography has become a highly active research area. We define bilinear maps, or pairings, and show how they give rise to cryptosystems with new functionality. There is only one known mathematical setting where desirable pairings exist: hyperellip- tic curves. We focus on elliptic curves, which are the simplest case, and also the only curves used in practice. All existing implementations of pairing-based cryptosystems are built with elliptic curves. Accordingly, we provide a brief overview of elliptic curves, and functions known as the Tate and Weil pairings from which cryptographic pairings are derived. We describe several methods for obtaining curves that yield Tate and Weil pairings that are efficiently computable yet are still cryptographically secure. We discuss many optimizations that greatly reduce the running time of a naive imple- mentation of any pairing-based cryptosystem. These techniques were used to reduce the cost of a pairing from several minutes to several milliseconds on a modern consumer-level machine. Applications of pairings are largely beyond our scope, but we do show how pairings allow the construction of a digital signature scheme with the shortest known signature lengths at typical security levels. iv ON THE IMPLEMENTATION OF PAIRING-BASED CRYPTOSYSTEMS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY Ben Lynn June 2007 c Copyright by Ben Lynn 2007 All Rights Reserved ii I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Dan Boneh Principal Advisor I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. John Mitchell I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Xavier Boyen Approved for the University Committee on Graduate Studies. iii Preface Pairing-based cryptography is a relatively young area of cryptography that revolves around a particular function with interesting propreties. It allows the construction of novel cryp- tosystems that are otherwise difficult or impossible to assemble using standard primitives. We first define a cryptographic pairing abstractly and show how it can be used to build a signature scheme that is simple yet has many desirable properties. Next we examine how a pairing can be implemented in practice. The only known mathematical setting where suitable pairings exist are groups on certain families of curves. We focus on the simplest and most well-understood case: elliptic curves. We discuss methods for finding curves that yield cryptographic pairings, and outline various optimizations that can be applied. We shall see that pairing-based cryptosystems are quite practical and compare well against traditional cryptosystems. It is hoped that this work will be a useful guide to implementing pairing-based cryptog- raphy to a programmer who has experience with conventional cryptosystems. While not comprehensive, the information contained herein should be enough to allow one to build practical pairing-based applications from scratch. Notably absent are in-depth discussion of the characteristic 3 case, pairings where the subgroup size is necessarily significantly smaller than the field size, and hyperelliptic curves, This text is intended to be self-contained. Aside from arithmetic at the lowest level, algorithms not likely to be found in a basic course in number theory or cryptography are quoted here, enabling the reader to implement pairings without referring to any other sources. Some background is required by the reader as we do not review basic abstract algebra. On the other hand, we introduce enough elliptic curve theory for cryptographic purposes. The following publications form the foundation of this thesis: iv D.Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. Journal • of Cryptology, 17(1):297–319, 2004. P. S. L. M. Barreto, H. Y. Kim, B. Lynn and M. Scott. Efficient algorithms for • pairing-based cryptosystems. In CRYPTO 2002, pages 354–368. P. S. L. M. Barreto, B. Lynn and M. Scott. Constructing elliptic curves with pre- • scribed embedding degree. In Third Conference on Security in Communication Net- works 2002. P. S. L. M. Barreto, B. Lynn and M. Scott. On the selection of pairing-friendly groups. • In Selected Areas of Cryptography 2003. More polished versions of the above works can be found in the Journal of Cryptology [18, 7]. Most of the described algorithms and optimizations feature in the PBC (Pairing-Based Cryptography) library, maintained by the author, and available under the GNU Public License at http://crypto.stanford.edu/pbc/. v Contents Abstract iv Preface iv 1 Bilinear Maps 1 1.1 CyclicGroups................................... 2 1.2 FormalSecurityDefinitions . ... 2 1.3 ConcreteCyclicGroups . .. .. .. .. .. .. .. .. 4 1.4 TheSymmetricPairing ............................. 5 1.5 TheBLSSignatureScheme . .. .. .. .. .. .. .. 6 1.6 NewHardnessAssumptions . 6 1.7 LooseningthePairingDefinition . .... 7 1.7.1 AProblemWithHashing ........................ 8 1.8 TheGeneralBilinearPairing . ... 8 1.9 Exponentiation as a Bilinear Pairing . ...... 10 1.10 ChoosingaDefinition . .. .. .. .. .. .. .. .. 10 1.11 ConcreteBilinearMaps . 11 2 Elliptic Curves 14 2.1 InformalOverviewofEllipticCurves . ...... 14 2.2 PointsonEllipticCurves . 15 2.3 FindingPoints .................................. 17 2.3.1 Tonelli-Shanks Algorithm . 18 2.3.2 HashingtoPoints ............................ 19 2.4 PointCompressionandReduction . 19 vi 2.5 The Chord-Tangent Law of Composition . 19 2.6 ExplicitFormulas................................ 20 2.7 EllipticCurveCryptography . 21 2.8 SingularEllipticCurves . 23 2.9 Security ...................................... 24 2.10 ShortSignatures ................................ 25 3 The Weil and Tate Pairings 26 3.1 TorsionPoints .................................. 26 3.2 RationalFunctions ............................... 27 3.3 CurveEndomorphisms.............................. 27 3.4 ZeroesandPoles ................................. 29 3.5 Divisors ...................................... 30 3.6 TheWeilPairing ................................. 31 3.6.1 WeilReciprocity ............................. 32 3.7 TheTatePairing ................................. 33 3.8 MergingTheorywithPractice. 34 3.9 Miller’sAlgorithm ............................... 35 3.9.1 TheWeilPairing ............................. 35 3.9.2 TheTatePairing............................. 36 3.9.3 Intermediate Poles and Zeroes . 38 3.10WorkedExamples ................................ 38 3.10.1 TheWeilPairing ............................. 39 3.10.2 TheTatePairing............................. 40 3.10.3 Remarks.................................. 42 3.11 RestrictingInputs .............................. 42 3.12 TheShipsey-StangeAlgorithm . 43 3.12.1 Example.................................. 45 3.12.2 Remarks.................................. 45 4 Curve Selection 47 4.1 TheEmbeddingDegree ............................. 48 4.2 Weil and Tate Pairing Comparison . 49 4.2.1 CompositeGroupOrders . 50 vii 4.3 PairingSecurity................................. 50 4.4 Lower Bounds on Field and Group Sizes . 51 4.5 ApproachestoFindingCurves . 52 4.6 SupersingularCurves. 53 4.7 TypeACurves .................................. 54 4.8 TypeBCurves .................................. 55 4.9 OtherEmbeddingDegree2Curves . 55 4.10TypeCCurves .................................. 56 4.11 Complex Multiplication . 57 4.12TypeDCurves .................................. 58 4.13TypeECurves .................................. 60 4.14TypeFCurves .................................. 61 4.15TypeGCurves .................................. 62 4.16 ComparingPairings .............................. 63 4.17PellEquations .................................. 64 4.18 Generalized Pell Equations . 65 4.19 HilbertPolynomials . .. .. .. .. .. .. .. .. 66 4.20 ArbitraryEmbeddingDegree . 68 5 Optimizing Cryptosystems 71 5.1 Multiprecision Arithmetic . 72 5.2 AllorNothing .................................. 73 5.3 MontgomeryReduction ............................. 73 5.4 CubeRoots.................................... 75 5.5 RandomPoints .................................. 75 5.6 DedicatedSquaring..............................
Recommended publications
  • Fast Tabulation of Challenge Pseudoprimes Andrew Shallue and Jonathan Webster
    THE OPEN BOOK SERIES 2 ANTS XIII Proceedings of the Thirteenth Algorithmic Number Theory Symposium Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster msp THE OPEN BOOK SERIES 2 (2019) Thirteenth Algorithmic Number Theory Symposium msp dx.doi.org/10.2140/obs.2019.2.411 Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster We provide a new algorithm for tabulating composite numbers which are pseudoprimes to both a Fermat test and a Lucas test. Our algorithm is optimized for parameter choices that minimize the occurrence of pseudoprimes, and for pseudoprimes with a fixed number of prime factors. Using this, we have confirmed that there are no PSW-challenge pseudoprimes with two or three prime factors up to 280. In the case where one is tabulating challenge pseudoprimes with a fixed number of prime factors, we prove our algorithm gives an unconditional asymptotic improvement over previous methods. 1. Introduction Pomerance, Selfridge, and Wagstaff famously offered $620 for a composite n that satisfies (1) 2n 1 1 .mod n/ so n is a base-2 Fermat pseudoprime, Á (2) .5 n/ 1 so n is not a square modulo 5, and j D (3) Fn 1 0 .mod n/ so n is a Fibonacci pseudoprime, C Á or to prove that no such n exists. We call composites that satisfy these conditions PSW-challenge pseudo- primes. In[PSW80] they credit R. Baillie with the discovery that combining a Fermat test with a Lucas test (with a certain specific parameter choice) makes for an especially effective primality test[BW80].
    [Show full text]
  • An Analysis of Primality Testing and Its Use in Cryptographic Applications
    An Analysis of Primality Testing and Its Use in Cryptographic Applications Jake Massimo Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Information Security Royal Holloway, University of London 2020 Declaration These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathe- matics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jake Massimo April, 2020 2 Abstract Due to their fundamental utility within cryptography, prime numbers must be easy to both recognise and generate. For this, we depend upon primality testing. Both used as a tool to validate prime parameters, or as part of the algorithm used to generate random prime numbers, primality tests are found near universally within a cryptographer's tool-kit. In this thesis, we study in depth primality tests and their use in cryptographic applications. We first provide a systematic analysis of the implementation landscape of primality testing within cryptographic libraries and mathematical software. We then demon- strate how these tests perform under adversarial conditions, where the numbers being tested are not generated randomly, but instead by a possibly malicious party. We show that many of the libraries studied provide primality tests that are not pre- pared for testing on adversarial input, and therefore can declare composite numbers as being prime with a high probability.
    [Show full text]
  • Public Auditing for Secure and Efficient Cloud Data Storage: a Comprehensive Survey
    Vol-7 Issue-4 2021 IJARIIE-ISSN(O)-2395-4396 Public Auditing for Secure and Efficient Cloud Data Storage: A Comprehensive Survey 1Ayesha Siddiqha Mukthar, 2Dr. Jitendra Sheetlani 1Research Scholar, Sri Satya Sai University of Technology and Medical Sciences, Sehore 2Associate Professor, Sri Satya Sai University of Technology and Medical Sciences, Sehore Abstract: Nowadays storage of data is big problem because the huge generation of multimedia data likes images, audio, video etc. whose size is very large. For storing of these data size of conventional storage is not sufficient so we need remote storage such as cloud which is resilient infrastructure, reliable and high quality performance for the cloud users. In the cloud there is no direct physical control over the records because the cloud uses its resource pool for storing. Consequently data reliability fortification and auditing is not a modest task. The user prerequisites to depend on a Third Party Auditor (TPA) who is working as a public auditor for authenticating the data integrity and privacy. This paper presents the various auditing techniques of cloud computing for improving security and then future research challenges which need to be adopt by researchers to make system obvious. Keywords: Auditing, Cloud Computing, Storage, TPA, Reliability, Integrity. Introduction: Cloud is offering the different services to its users. Data sharing between two organizations which common in many application areas. The current data sharing and integration among various organizations requires the central and trusted authority to collect data from all data sources and then integrate the collected data. In current trend, there is necessary condition which defines the data sharing while preserving privacy in cloud.
    [Show full text]
  • Triangular Numbers /, 3,6, 10, 15, ", Tn,'" »*"
    TRIANGULAR NUMBERS V.E. HOGGATT, JR., and IVIARJORIE BICKWELL San Jose State University, San Jose, California 9111112 1. INTRODUCTION To Fibonacci is attributed the arithmetic triangle of odd numbers, in which the nth row has n entries, the cen- ter element is n* for even /?, and the row sum is n3. (See Stanley Bezuszka [11].) FIBONACCI'S TRIANGLE SUMS / 1 =:1 3 3 5 8 = 2s 7 9 11 27 = 33 13 15 17 19 64 = 4$ 21 23 25 27 29 125 = 5s We wish to derive some results here concerning the triangular numbers /, 3,6, 10, 15, ", Tn,'" »*". If one o b - serves how they are defined geometrically, 1 3 6 10 • - one easily sees that (1.1) Tn - 1+2+3 + .- +n = n(n±M and (1.2) • Tn+1 = Tn+(n+1) . By noticing that two adjacent arrays form a square, such as 3 + 6 = 9 '.'.?. we are led to 2 (1.3) n = Tn + Tn„7 , which can be verified using (1.1). This also provides an identity for triangular numbers in terms of subscripts which are also triangular numbers, T =T + T (1-4) n Tn Tn-1 • Since every odd number is the difference of two consecutive squares, it is informative to rewrite Fibonacci's tri- angle of odd numbers: 221 222 TRIANGULAR NUMBERS [OCT. FIBONACCI'S TRIANGLE SUMS f^-O2) Tf-T* (2* -I2) (32-22) Ti-Tf (42-32) (52-42) (62-52) Ti-Tl•2 (72-62) (82-72) (9*-82) (Kp-92) Tl-Tl Upon comparing with the first array, it would appear that the difference of the squares of two consecutive tri- angular numbers is a perfect cube.
    [Show full text]
  • Easy Decision Diffie-Hellman Groups
    EASY DECISION-DIFFIE-HELLMAN GROUPS STEVEN D. GALBRAITH AND VICTOR ROTGER Abstract. The decision-Di±e-Hellman problem (DDH) is a central compu- tational problem in cryptography. It is already known that the Weil and Tate pairings can be used to solve many DDH problems on elliptic curves. A natural question is whether all DDH problems are easy on supersingular curves. To answer this question it is necessary to have suitable distortion maps. Verheul states that such maps exist, and this paper gives an algorithm to construct them. The paper therefore shows that all DDH problems on the supersingular elliptic curves used in practice are easy. We also discuss the issue of which DDH problems on ordinary curves are easy. 1. Introduction It is well-known that the Weil and Tate pairings make many decision-Di±e- Hellman (DDH) problems on elliptic curves easy. This observation is behind ex- citing new developments in pairing-based cryptography. This paper studies the question of which DDH problems are easy and which are not necessarily easy. First we recall some de¯nitions. Decision Di±e-Hellman problem (DDH): Let G be a cyclic group of prime order r written additively. The DDH problem is to distinguish the two distributions in G4 D1 = f(P; aP; bP; abP ): P 2 G; 0 · a; b < rg and D2 = f(P; aP; bP; cP ): P 2 G; 0 · a; b; c < rg: 4 Here D1 is the set of valid Di±e-Hellman-tuples and D2 = G . By `distinguish' we mean there is an algorithm which takes as input an element of G4 and outputs \valid" or \invalid", such that if the input is chosen with probability 1/2 from each of D1 and D2 ¡ D1 then the output is correct with probability signi¯cantly more than 1/2.
    [Show full text]
  • Primes and Primality Testing
    Primes and Primality Testing A Technological/Historical Perspective Jennifer Ellis Department of Mathematics and Computer Science What is a prime number? A number p greater than one is prime if and only if the only divisors of p are 1 and p. Examples: 2, 3, 5, and 7 A few larger examples: 71887 524287 65537 2127 1 Primality Testing: Origins Eratosthenes: Developed “sieve” method 276-194 B.C. Nicknamed Beta – “second place” in many different academic disciplines Also made contributions to www-history.mcs.st- geometry, approximation of andrews.ac.uk/PictDisplay/Eratosthenes.html the Earth’s circumference Sieve of Eratosthenes 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 Sieve of Eratosthenes We only need to “sieve” the multiples of numbers less than 10. Why? (10)(10)=100 (p)(q)<=100 Consider pq where p>10. Then for pq <=100, q must be less than 10. By sieving all the multiples of numbers less than 10 (here, multiples of q), we have removed all composite numbers less than 100.
    [Show full text]
  • On the Discriminator of Lucas Sequences
    Ann. Math. Québec (2019) 43:51–71 https://doi.org/10.1007/s40316-017-0097-7 On the discriminator of Lucas sequences Bernadette Faye1,2 · Florian Luca3,4,5 · Pieter Moree4 Received: 18 August 2017 / Accepted: 28 December 2017 / Published online: 12 February 2018 © The Author(s) 2018. This article is an open access publication Abstract We consider the family of Lucas sequences uniquely determined by Un+2(k) = (4k+2)Un+1(k)−Un(k), with initial values U0(k) = 0andU1(k) = 1andk ≥ 1anarbitrary integer. For any integer n ≥ 1 the discriminator function Dk(n) of Un(k) is defined as the smallest integer m such that U0(k), U1(k),...,Un−1(k) are pairwise incongruent modulo m. Numerical work of Shallit on Dk(n) suggests that it has a relatively simple characterization. In this paper we will prove that this is indeed the case by showing that for every k ≥ 1there is a constant nk such that Dk(n) has a simple characterization for every n ≥ nk. The case k = 1 turns out to be fundamentally different from the case k > 1. FRENCH ABSTRACT Pour un entier arbitraire k ≥ 1, on considère la famille de suites de Lucas déterminée de manière unique par la relation de récurrence Un+2(k) = (4k + 2)Un+1(k) − Un(k), et les valeurs initiales U0(k) = 0etU1(k) = 1. Pour tout entier n ≥ 1, la fonction discriminante Dk(n) de Un(k) est définie comme le plus petit m tel que U0(k), U1(k),...,Un−1(k) soient deux à deux non congruents modulo m.
    [Show full text]
  • And Its Properties on the Sequence Related to Lucas Numbers
    Mathematica Aeterna, Vol. 2, 2012, no. 1, 63 - 75 On the sequence related to Lucas numbers and its properties Cennet Bolat Department of Mathematics, Art and Science Faculty, Mustafa Kemal University, 31034, Hatay,Turkey Ahmet I˙pek Department of Mathematics, Art and Science Faculty, Mustafa Kemal University, 31034, Hatay,Turkey Hasan Köse Department of Mathematics, Science Faculty, Selcuk University 42031, Konya,Turkey Abstract The Fibonacci sequence has been generalized in many ways, some by preserving the initial conditions, and others by preserving the recur- rence relation. In this article, we study a new generalization {Lk,n}, with initial conditions Lk,0 = 2 and Lk,1 = 1, which is generated by the recurrence relation Lk,n = kLk,n−1 + Lk,n−2 for n ≥ 2, where k is integer number. Some well-known sequence are special case of this generalization. The Lucas sequence is a special case of {Lk,n} with k = 1. Modified Pell-Lucas sequence is {Lk,n} with k = 2. We produce an extended Binet’s formula for {Lk,n} and, thereby, identities such as Cassini’s, Catalan’s, d’Ocagne’s, etc. using matrix algebra. Moreover, we present sum formulas concerning this new generalization. Mathematics Subject Classi…cation: 11B39, 15A23. Keywords: Classic Fibonacci numbers; Classic Lucas numbers; k-Fibonacci numbers; k-Lucas numbers, Matrix algebra. 64 C. Bolat, A. Ipek and H. Kose 1 Introduction In recent years, many interesting properties of classic Fibonacci numbers, clas- sic Lucas numbers and their generalizations have been shown by researchers and applied to almost every …eld of science and art.
    [Show full text]
  • The Tate Pairing for Abelian Varieties Over Finite Fields
    Journal de Th´eoriedes Nombres de Bordeaux 00 (XXXX), 000{000 The Tate pairing for Abelian varieties over finite fields par Peter BRUIN Resum´ e.´ Nous d´ecrivons un accouplement arithm´etiqueassoci´e `aune isogenie entre vari´et´esab´eliennessur un corps fini. Nous montrons qu'il g´en´eralisel'accouplement de Frey et R¨uck, ainsi donnant une d´emonstrationbr`eve de la perfection de ce dernier. Abstract. In this expository note, we describe an arithmetic pairing associated to an isogeny between Abelian varieties over a finite field. We show that it generalises the Frey{R¨uck pairing, thereby giving a short proof of the perfectness of the latter. 1. Introduction Throughout this note, k denotes a finite field of q elements, and k¯ denotes an algebraic closure of k. If n is a positive integer, then µn denotes the group of n-th roots of unity in k¯×. Let C be a complete, smooth, geometrically connected curve over k, let J be the Jacobian variety of C, and let n be a divisor of q − 1. In [1], Frey and R¨uck defined a perfect pairing f ; gn : J[n](k) × J(k)=nJ(k) −! µn(k) as follows: if D and E are divisors on C with disjoint supports and f is a non-zero rational function with divisor nD, then (q−1)=n f[D]; [E] mod nJ(k)gn = f(E) ; where Y nx X f(E) = f(x) if E = nxx: x2C(k¯) x2C(k¯) Remark. We have composed the map as defined in [1] with the isomor- × × n phism k =(k ) ! µn(k) that raises elements to the power (q − 1)=n.
    [Show full text]
  • The Bivariate (Complex) Fibonacci and Lucas Polynomials: an Historical Investigation with the Maple's Help
    Volume 9, Number 4, 2016 THE BIVARIATE (COMPLEX) FIBONACCI AND LUCAS POLYNOMIALS: AN HISTORICAL INVESTIGATION WITH THE MAPLE´S HELP Francisco Regis Vieira Alves, Paula Maria Machado Cruz Catarino Abstract: The current research around the Fibonacci´s and Lucas´ sequence evidences the scientific vigor of both mathematical models that continue to inspire and provide numerous specializations and generalizations, especially from the sixthies. One of the current of research and investigations around the Generalized Sequence of Lucas, involves it´s polinomial representations. Therefore, with the introduction of one or two variables, we begin to discuss the family of the Bivariate Lucas Polynomias (BLP) and the Bivariate Fibonacci Polynomials (BFP). On the other hand, since it´s representation requires enormous employment of a large algebraic notational system, we explore some particular properties in order to convince the reader about an inductive reasoning that produces a meaning and produces an environment of scientific and historical investigation supported by the technology. Finally, throughout the work we bring several figures that represent some examples of commands and algebraic operations with the CAS Maple that allow to compare properties of the Lucas´polynomials, taking as a reference the classic of Fibonacci´s model that still serves as inspiration for several current studies in Mathematics. Key words: Lucas Sequence, Fibonacci´s polynomials, Historical investigation, CAS Maple. 1. Introduction Undoubtedly, the Fibonacci sequence preserves a character of interest and, at the same time, of mystery, around the numerical properties of a sequence that is originated from a problem related to the infinite reproduction of pairs of rabbits. On the other hand, in several books of History of Mathematics in Brazil and in the other countries (Eves, 1969; Gullberg, 1997; Herz, 1998; Huntley, 1970; Vajda, 1989), we appreciate a naive that usually emphasizes eminently basic and trivial properties related to this sequence.
    [Show full text]
  • The Generalized Weil Pairing and the Discrete Logarithm Problem on Elliptic Curves
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Elsevier - Publisher Connector Theoretical Computer Science 321 (2004) 59–72 www.elsevier.com/locate/tcs The generalized Weil pairing and the discrete logarithm problem on elliptic curves Theodoulos Garefalakis Department of Mathematics, University of Toronto, Ont., Canada M5S 3G3 Received 5 August 2002; received in revised form 2 May 2003; accepted 1 June 2003 Abstract We review the construction of a generalization of the Weil pairing, which is non-degenerate and bilinear, and use it to construct a reduction from the discrete logarithm problem on elliptic curves to the discrete logarithm problem in ÿnite ÿelds. We show that the new pairing can be computed e2ciently for curves with trace of Frobenius congruent to 2 modulo the order of the base point. This leads to an e2cient reduction for this class of curves. The reduction is as simple to construct as that of Menezes et al. (IEEE Trans. Inform. Theory, 39, 1993), and is provably equivalent to that of Frey and Ruck7 (Math. Comput. 62 (206) (1994) 865). c 2003 Elsevier B.V. All rights reserved. Keywords: Elliptic curves; Cryptography; Discrete Logarithm Problem 1. Introduction Since the seminal paper of Di2e and Hellman [11], the discrete logarithm prob- lem (DLP) has become a central problem in algorithmic number theory, with direct implications in cryptography. For arbitrary ÿnite groups the problem is deÿned as fol- lows: Given a ÿnite group G, a base point g ∈ G and a point y ∈g ÿnd the smallest non-negative integer ‘ such that y = g‘.
    [Show full text]
  • An Introduction to Pairing-Based Cryptography
    An Introduction to Pairing-Based Cryptography Alfred Menezes Abstract. Bilinear pairings have been used to design ingenious protocols for such tasks as one-round three-party key agreement, identity-based encryption, and aggregate signatures. Suitable bilinear pairings can be constructed from the Tate pairing for specially chosen elliptic curves. This article gives an introduction to the protocols, Tate pairing computation, and curve selection. 1. Introduction The discrete logarithm problem (DLP) has been extensively studied since the discovery of public-key cryptography in 1975. Recall that the DLP in an additively- written group G = P of order n is the problem, given P and Q, of finding the integer x [0,n 1]h suchi that Q = xP . The DLP is believed to be intractable for certain∈ (carefully− chosen) groups including the multiplicative group of a finite field, and the group of points on an elliptic curve defined over a finite field. The closely related Diffie-Hellman problem (DHP) is the problem, given P , aP and bP , of finding abP . It is easy to see that the DHP reduces in polynomial time to the DLP. It is generally assumed, and has been proven in some cases (e.g., see [10, 38]), that the DLP reduces in polynomial time to the DHP. The assumed intractability of the DHP is the basis for the security of the Diffie- Hellman key agreement protocol [20] illustrated in Figure 1. The objective of this protocol is to allow Alice and Bob to establish a shared secret by communicating over a channel that is being monitored by an eavesdropper Eve.
    [Show full text]