Elliptic curves and cryptography
Jan Willemson
September 2019

Intro: some ancient cryptography
Diffie-Hellman key exchange

Prime $p$, $g \in \mathbb{Z}_p^*$. One party picks $a \in \mathbb{Z}$ and sends $g^a$; the other picks $b \in \mathbb{Z}$ and sends $g^b$. Both can then compute $(g^b)^a = (g^a)^b$.
Security of DH key exchange

Computational DH problem (CDH): given a group $G$ and $g, g^a, g^b \in G$, find $g^{ab}$.
Discrete logarithm problem (DL): given a group $G$ and $g, g^a \in G$, find $a$.
Obviously, simplicity of DL implies simplicity of CDH. Thus, in order for DH key exchange to be secure, DL must be hard.
How hard is DL?

In discrete groups, approximation algorithms do not work.
In generic groups, the best known algorithms (baby-step giant-step, Pollard's $\rho$) require about $\sqrt{|G|}$ group operations.
Note that $\sqrt{|G|}$ is still exponential in the length of the group element representation.
In case of specific groups we may be able to do better.
DL in $\mathbb{Z}_p^*$

In case of $\mathbb{Z}_p^*$, sieving algorithms give a (heuristic) time for solving DL of $L_p\left[\tfrac{1}{3}, \left(\tfrac{64}{9}\right)^{1/3}\right]$, where
$$L_p[\alpha, c] = e^{c\,(\ln p)^{\alpha}\,(\ln \ln p)^{1-\alpha}}.$$
If $\alpha = 0$, $L_p[\alpha, c] = (\ln p)^c$, polynomial in $\ln p$.
If $\alpha = 1$, $L_p[\alpha, c] = e^{c \ln p}$, exponential in $\ln p$.
If $\alpha = \tfrac{1}{3}$, $L_p[\alpha, c]$ is between polynomial and exponential.
If $p \approx 2^{2048}$, $L_p\left[\tfrac{1}{3}, \left(\tfrac{64}{9}\right)^{1/3}\right] \approx 2^{116.9}$. Generic group methods would give $\sqrt{|\mathbb{Z}_p^*|} \approx 2^{1024}$.
Can we find groups that would act more like generic ones?
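As an added example (not from the slides), the generic $\sqrt{|G|}$ algorithm and the $L_p$ estimate side by side in Python: a baby-step giant-step discrete logarithm in $\mathbb{Z}_p^*$ with an operation counter, the "DL easy implies CDH easy" step applied to a toy exchange, and the $L_p[\tfrac{1}{3}, (\tfrac{64}{9})^{1/3}]$ cost for a 2048-bit prime against the generic $2^{1024}$ figure. The prime 10007 and the exponents used below are constructed toy values.

```python
import math

def bsgs_dlog(g, h, p, order):
    """Baby-step giant-step in Z_p^*: find a with g^a = h (mod p), g of the given order.
    Uses about 2*sqrt(order) multiplications and as many table entries; returns (a, ops)."""
    m = math.isqrt(order) + 1
    baby, cur, ops = {}, 1, 0
    for j in range(m):                        # baby steps: g^0, g^1, ..., g^(m-1)
        baby.setdefault(cur, j)
        cur, ops = cur * g % p, ops + 1
    giant = pow(g, -m, p)                     # g^(-m); 3-argument pow gives the modular inverse
    cur = h % p
    for i in range(m):                        # giant steps: h * g^(-i*m), look for a baby-step hit
        if cur in baby:
            return (i * m + baby[cur]) % order, ops
        cur, ops = cur * giant % p, ops + 1
    return None, ops

def cdh_via_dl(g, p, g_a, g_b):
    """CDH from DL: recover some a' with g^a' = g^a, then (g^b)^a' = g^(ab)."""
    a, _ = bsgs_dlog(g, g_a, p, p - 1)
    return pow(g_b, a, p)

def lp_log2(alpha, c, bits):
    """log2 of L_p[alpha, c] = exp(c (ln p)^alpha (ln ln p)^(1-alpha)) for p of the given bit length."""
    ln_p = bits * math.log(2)
    return c * ln_p ** alpha * math.log(ln_p) ** (1 - alpha) / math.log(2)

def dl_cost_bits(bits):
    """(sieving estimate L_p[1/3, (64/9)^(1/3)], generic sqrt(|Z_p^*|) estimate), both as log2."""
    return lp_log2(1 / 3, (64 / 9) ** (1 / 3), bits), bits / 2
```

For 2048-bit $p$ the first component comes out at about 116.9 bits and the second at 1024, the two numbers quoted above.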
Apollonius of Perga and conic sections
History of elliptic curves

In the late 3rd to early 2nd centuries BC, Apollonius of Perga studied conic sections and wrote an 8-part monograph on them. For many centuries, his works contained most of the human knowledge on the subject. However, there were some questions he was not able to answer, e.g. how to determine the exact length of an arc of a conic section. The apparatus to answer this question was developed only about 2000 years later. After a long detour, scholars reached the study of equations of the form $y^2 = p(x)$, with $p(x)$ a cubic polynomial. The set of points defined by such an equation is called an elliptic curve.
NB! An ellipse is not an elliptic curve!
Congruent number problem

Definition. A positive rational number $n$ is called a congruent number if there is a rational right triangle with area $n$: there are rational $a, b, c > 0$ such that $a^2 + b^2 = c^2$ and $\tfrac{1}{2}ab = n$.
The numbers 5, 6 and 7 are congruent; on the other hand, 1, 2 and 3 are not.
Finding congruent numbers

All primitive Pythagorean triples are of the form $(a, b, c) = (k^2 - \ell^2,\ 2k\ell,\ k^2 + \ell^2)$ for $k > \ell > 0$, $(k, \ell) = 1$, $k \not\equiv \ell \pmod 2$.

 k  ℓ  (a, b, c)      ab/2   Squarefree part
 2  1  (3, 4, 5)         6        6
 4  1  (15, 8, 17)      60       15
 3  2  (5, 12, 13)      30       30
 6  1  (35, 12, 37)    210      210
 5  2  (21, 20, 29)    210      210
 4  3  (7, 24, 25)      84       21
 8  1  (63, 16, 65)    504      126
 7  2  (45, 28, 53)    630       70
 5  4  (9, 40, 41)     180        5
Some observations

Any squarefree congruent integer will eventually occur in the table.
The numbers in the table do not seem to follow a clear pattern.
53 is a congruent number, but it shows up for the first time when $k = 1873180325$ and $\ell = 1158313156$. The corresponding right triangle has area $53 \cdot 297855654284978790^2$.
Some numbers occur several times. Hmm, how many times?
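The table above, generated in Python as an added example (not the author's code): enumerate primitive triples from $(k, \ell)$, take the squarefree part of the area, and scale the first matching triple down by the square root of the remaining square factor to get a rational right triangle of area $n$ (this is how the congruent-number triangles for 5, 6 and 7 arise). The search bound `k_max` is a constructed parameter; it is far too small to reach the $k = 1873180325$ occurrence of 53 mentioned above.

```python
from fractions import Fraction
from math import gcd, isqrt

def squarefree_part(m):
    """Divide out every square factor of m (180 -> 5, 630 -> 70, 504 -> 14)."""
    d = 2
    while d * d <= m:
        while m % (d * d) == 0:
            m //= d * d
        d += 1
    return m

def primitive_triples(k_max):
    """Primitive triples (k^2 - l^2, 2kl, k^2 + l^2) for 2 <= k <= k_max, l < k,
    gcd(k, l) = 1, k and l of opposite parity; yields (k, l, (a, b, c), area)."""
    for k in range(2, k_max + 1):
        for l in range(1, k):
            if gcd(k, l) == 1 and (k - l) % 2 == 1:
                a, b, c = k * k - l * l, 2 * k * l, k * k + l * l
                yield k, l, (a, b, c), a * b // 2

def table_rows(k_max):
    """Rows (k, l, (a, b, c), ab/2, squarefree part of ab/2), as in the slide's table."""
    return [(k, l, t, area, squarefree_part(area)) for k, l, t, area in primitive_triples(k_max)]

def rational_triangle_with_area(n, k_max):
    """First triple (in k, then l order) whose area is n times a square, scaled to area n.
    Returns (a, b, c) as Fractions, or None if no triple with k <= k_max works."""
    for k, l, (a, b, c), area in primitive_triples(k_max):
        if squarefree_part(area) == n:
            s = isqrt(area // n)           # area = n * s^2, so shrink every side by the factor s
            return tuple(Fraction(v, s) for v in (a, b, c))
    return None
```

Note that for $k = 8$, $\ell = 1$ the function returns 14, since $504 = 2^3 \cdot 3^2 \cdot 7$; the table prints 126 in that row.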
Search for congruent numbers

We have the system of equations $a^2 + b^2 = c^2$, $ab/2 = n$. Some rewriting:
$$\left(\frac{a+b}{2}\right)^2 = \frac{a^2 + 2ab + b^2}{4} = \frac{c^2 + 4n}{4} = \left(\frac{c}{2}\right)^2 + n,$$
$$\left(\frac{a-b}{2}\right)^2 = \frac{a^2 - 2ab + b^2}{4} = \frac{c^2 - 4n}{4} = \left(\frac{c}{2}\right)^2 - n.$$
The rational squares $\left(\frac{a-b}{2}\right)^2$, $\left(\frac{c}{2}\right)^2$ and $\left(\frac{a+b}{2}\right)^2$ form an arithmetic sequence with difference $n$.
Denoting $x = \left(\frac{c}{2}\right)^2$, we get that $x - n$, $x$ and $x + n$ are squares. Consequently, so is $(x - n)\,x\,(x + n) = x^3 - n^2 x$.
Thus, every congruent $n$ leads to rational solutions of the equation $y^2 = x^3 - n^2 x$.
The converse is also true

The equations of the system $a^2 + b^2 = c^2$, $ab/2 = n$ can be viewed as equations of two surfaces in a 3D space. Their intersection gives a line. With an appropriate change of variables, it can be converted to $y^2 = x^3 - n^2 x$.

Theorem. For $n \in \mathbb{Z}$, $n > 0$, there is a 1-1 correspondence between the sets $\{(a, b, c) : a^2 + b^2 = c^2,\ \tfrac{ab}{2} = n\}$ and $\{(x, y) : y^2 = x^3 - n^2 x,\ y \neq 0\}$. The correspondence can be implemented by
$$(a, b, c) \mapsto \left(\frac{nb}{c - a},\ \frac{2n^2}{c - a}\right), \qquad (x, y) \mapsto \left(\frac{x^2 - n^2}{y},\ \frac{2nx}{y},\ \frac{x^2 + n^2}{y}\right).$$
Applying the theorem to do magic

We saw that the Pythagorean triangles $(35, 12, 37)$ and $(21, 20, 29)$ both have area 210. Applying the Theorem, they give two points on the curve $y^2 = x^3 - 210^2 x$, namely $(1260, 44100)$ and $(525, 11025)$.
The line through these points is $y = 45x - 12600$. It also intersects the curve in a third point. Replacing $y$:
$$(45x - 12600)^2 = x^3 - 210^2 x, \qquad x^3 - 2025x^2 \pm \ldots = 0.$$
From Viète's formulae we get $x_1 + x_2 + x_3 = 2025$, hence $x_3 = 240$ and $y_3 = 45 \cdot 240 - 12600 = -1800$.
The point $(240, -1800)$ gives $a, b, c < 0$, but its reflection in the $x$-axis, $(240, 1800)$, is also on the curve and gives a new right triangle $(\tfrac{15}{2}, 56, \tfrac{113}{2})$ with area 210.
An operation on elliptic curve points
[figure: points $P$, $Q$ and $P \oplus Q$ on the curve]

The case $P = Q$
[figure: point $P$ and $P \oplus P$ on the curve]

Neutral and opposite elements
[figure: $O$, $P$ and $-P$]
The curve $y^2 = x^3 - 5x + 8$ over $\mathbb{R}$

The curve $y^2 = x^3 - 5x + 8$ over $GF(37)$
The elliptic curve point group

The operation $\oplus$ turns out to be commutative and associative; it also has a neutral element and opposite elements. All in all, we get a (commutative) group.
In case of an elliptic curve defined over a finite field, we define "tangents" using explicit formulae obtained via formal differentiation.
Hasse's theorem states that an elliptic curve group defined over a $q$-element finite field has $N$ elements where $|N - (q + 1)| \leq 2\sqrt{q}$.
Homework: We know that the $(3, 4, 5)$-triangle has area 6. Find another rational right triangle with area 6.
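The "magic" computation and the group law above, as an added Python example (not code from the slides): exact rational arithmetic on $y^2 = x^3 - n^2 x$, the two maps of the Theorem, and chord-and-tangent addition with $O$ represented as `None`. The chord case reproduces the 210-triangle derivation; the tangent slope $(3x^2 - n^2)/(2y)$ is the formal derivative of the curve equation, as used for the $P = Q$ case.

```python
from fractions import Fraction as F

# Points on y^2 = x^3 - n^2 x over Q are (x, y) pairs of Fractions; None stands for O.

def to_point(a, b, c, n):
    """Triangle (a, b, c) of area n  ->  (x, y) = (n b / (c - a), 2 n^2 / (c - a))."""
    a, b, c, n = map(F, (a, b, c, n))
    return (n * b / (c - a), 2 * n * n / (c - a))

def to_triangle(P, n):
    """(x, y) with y != 0  ->  (a, b, c) = ((x^2 - n^2) / y, 2 n x / y, (x^2 + n^2) / y)."""
    x, y = map(F, P)
    n = F(n)
    return ((x * x - n * n) / y, 2 * n * x / y, (x * x + n * n) / y)

def on_curve(P, n):
    x, y = map(F, P)
    return y * y == x ** 3 - F(n) ** 2 * x

def add(P, Q, n):
    """P (+) Q: the line through P and Q (the tangent when P == Q) meets the curve in a
    third point; the sum is that point reflected in the x-axis."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = map(F, P)
    x2, y2 = map(F, Q)
    n = F(n)
    if x1 == x2 and y1 == -y2:
        return None                                  # P (+) (-P) = O (vertical line)
    if x1 == x2:
        lam = (3 * x1 * x1 - n * n) / (2 * y1)       # tangent slope from the formal derivative
    else:
        lam = (y2 - y1) / (x2 - x1)                  # chord slope
    # Substituting y = lam*x + m into the curve gives x^3 - lam^2 x^2 + ... = 0,
    # so by Viete x1 + x2 + x3 = lam^2.
    x3 = lam * lam - x1 - x2
    y3 = lam * (x3 - x1) + y1                        # y of the third intersection point
    return (x3, -y3)

def triangle_from_sum(tri1, tri2, n):
    """Map two triangles of area n to the curve, add the points, map the sum back;
    reflect first if the sum has negative y, so that a, b, c come out positive."""
    R = add(to_point(*tri1, n), to_point(*tri2, n), n)
    if R is None:
        return None
    if R[1] < 0:
        R = (R[0], -R[1])
    return to_triangle(R, n)
```

Doubling a point works the same way and also yields a fresh triangle of the same area, which is how the point group keeps producing new rational right triangles from a single known one.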