finding ecm friendly curves a galois approach
play

Finding ECM friendly curves: A Galois approach Sudarshan SHINDE - PowerPoint PPT Presentation

Apr 30, 2023 •181 likes •547 views

Computer algebra Approach Modular curves approach Comparing different families Finding ECM friendly curves: A Galois approach Sudarshan SHINDE Sorbonne Universit es, Paris (UPMC, IMJ-PRG) 25/01/2018 1 / 24 Computer algebra Approach

  1. Computer algebra Approach Modular curves approach Comparing different families Finding ECM friendly curves: A Galois approach Sudarshan SHINDE Sorbonne Universit´ es, Paris (UPMC, IMJ-PRG) 25/01/2018 1 / 24

  2. Computer algebra Approach Modular curves approach Comparing different families Motivation : Cryptology Integer factorization is an important problem in cryptology. There are two types of algorithms to do so. 1 Algorithms which find all the factors < m with cost depending on m and polynomially on the integer to factor. Ex. Trial division, ECM - Elliptic Curve Method . 2 Algorithms whose cost depends on the size of integer to factor. Ex. QS (Quadratic Sieve), NFS (Number Field Sieve). 2 / 24

  3. Computer algebra Approach Modular curves approach Comparing different families Motivation : Cryptology Integer factorization is an important problem in cryptology. There are two types of algorithms to do so. 1 Algorithms which find all the factors < m with cost depending on m and polynomially on the integer to factor. Ex. Trial division, ECM - Elliptic Curve Method . 2 Algorithms whose cost depends on the size of integer to factor. Ex. QS (Quadratic Sieve), NFS (Number Field Sieve).The building block which takes a non-negligible proportion of time in NFS is ECM. 2 / 24

  4. Computer algebra Approach Modular curves approach Comparing different families Preliminaries - 1 1 K a field, E is a curve defined by y 2 = x 3 + ax + b where a , b ∈ K such that 4 a 3 + 27 b 2 � = 0. We call E an elliptic curve over K . 2 We note the set of points on E with coordinates in K by E ( K ). With a distinguished point O E , E ( K ) has a group law under which it forms an Abelian group. 3 An important quantity associated with an elliptic curve is its 4 a 3 j -invariant which is 1728 4 a 3 +27 b 2 . 3 / 24

  5. Computer algebra Approach Modular curves approach Comparing different families ECM algorithm Algorithm 1 Practical version of ECM (Lenstra + Montgomery) INPUT : Integers n and B OUTPUT : a non-trivial factor of n . 1: while No factor is found do E / Q ← an elliptic curve and P = ( x : y : z ) ∈ E ( Q ). 2: P B ← [ B !] P = ( x B : y B : z B ) mod n 3: g ← gcd( z B , n ) 4: if g �∈ { 1 , n } then return g 5: end if 6: 7: end while 4 / 24

  6. Computer algebra Approach Modular curves approach Comparing different families Correctness Idea Let p be an unknown prime factor of n . If ord( P ) in E ( F p ) divides B !, then [ B !]( x P : y P : z P ) ≡ (0 : 1 : 0) mod p . In this case p divides gcd( z P , n ). Sufficient condition # E ( F p ) is B − smooth i.e. all its prime factors are < B . Idea of Montgomery Question : What if # E ( F p ) is even for all primes p ? Theorem : If m divides torsion order of E ( Q ) then m divides # E ( F p ) for almost all p . 5 / 24

  7. Computer algebra Approach Modular curves approach Comparing different families Montgomery heuristic Definition Let E be an elliptic curve, ℓ be a prime and n be a sufficiently large integer. We define empirical average valuation, � p < n (val ℓ (# E ( F p )) v ℓ ( E ) = ¯ . # { p < n } Heuristic Curves with larger average valuation are ECM-friendly. 6 / 24

  8. Computer algebra Approach Modular curves approach Comparing different families How to improve average valuation ? Some ways 1 Montgomery (1985), Suyama (1985), Atkin et Morain (1993), Bernstein et al (2010) : Torsion points over Q 7 / 24

  9. Computer algebra Approach Modular curves approach Comparing different families How to improve average valuation ? Some ways 1 Montgomery (1985), Suyama (1985), Atkin et Morain (1993), Bernstein et al (2010) : Torsion points over Q 2 Brier and Clavier (2010) : Torsion points over Q ( i ) v 2 (# E ( F p )) = 1 2 v 2 (# E ( F p ) | p ≡ 1 mod 4) + 1 2 v 2 (# E ( F p ) | p ≡ 3 mod 4) 7 / 24

  10. Computer algebra Approach Modular curves approach Comparing different families How to improve average valuation ? Some ways 1 Montgomery (1985), Suyama (1985), Atkin et Morain (1993), Bernstein et al (2010) : Torsion points over Q 2 Brier and Clavier (2010) : Torsion points over Q ( i ) v 2 (# E ( F p )) = 1 2 v 2 (# E ( F p ) | p ≡ 1 mod 4) + 1 2 v 2 (# E ( F p ) | p ≡ 3 mod 4) 3 Barbulescu et al (2012) : Better average valuation without additional torsion points by reducing the size of a ”specific” Galois group. 7 / 24

  11. Computer algebra Approach Modular curves approach Comparing different families Preliminaries - 2 Definition - Theorem For an elliptic curve E and a an integer m , we define the m -division polynomial as � Ψ ( E , m ) ( X ) = ( X − x ) ∈ Q [ X ] . ( x : ± y :1) ∈ E (¯ Q )[ m ] Example Let E : y 2 = x 3 + ax + b then Ψ ( E , 3) = x 4 + 2 ax 2 + 4 bx − 1 3 a 2 8 / 24

  12. Computer algebra Approach Modular curves approach Comparing different families Preliminaries - 2 Definition - Theorem For an elliptic curve E and a an integer m , we define the m -division polynomial as � Ψ ( E , m ) ( X ) = ( X − x ) ∈ Q [ X ] . ( x : ± y :1) ∈ E (¯ Q )[ m ] Example Let E : y 2 = x 3 + ax + b then Ψ ( E , 3) = x 4 + 2 ax 2 + 4 bx − 1 3 a 2 Division polynomials can be computed recursively thus it is not necessary to know E (¯ Q )[ m ] and they are used to construct the torsion fields. 8 / 24

  13. Computer algebra Approach Modular curves approach Comparing different families Preliminaries - 3 Definition ( m -torsion field) Let E be an elliptic curve on Q , m a positive integer. The m -torsion field Q ( E [ m ]) is the extension of Q by the coordinates of m -torsion points in ¯ Q . As E (¯ Q )[ m ] ≃ Z / m Z × Z / m Z , G = Gal( Q ( E [ m ]) / Q ) is always a subgroup of Aut ( Z / m Z × Z / m Z ) = GL 2 ( Z / m Z ). 9 / 24

  14. Computer algebra Approach Modular curves approach Comparing different families Preliminaries - 3 Definition ( m -torsion field) Let E be an elliptic curve on Q , m a positive integer. The m -torsion field Q ( E [ m ]) is the extension of Q by the coordinates of m -torsion points in ¯ Q . As E (¯ Q )[ m ] ≃ Z / m Z × Z / m Z , G = Gal( Q ( E [ m ]) / Q ) is always a subgroup of Aut ( Z / m Z × Z / m Z ) = GL 2 ( Z / m Z ). Mod m Galois Image (Definition) ρ E , m : Gal ( Q ( E [ m ]) / Q ) ֒ → GL 2 ( Z / m Z ) . Weil pairing Q ( ζ m ) is contained in Q ( E [ m ]) and we have det( ρ E , m ( Gal ( Q ( E [ m ]) / Q ))) = ( Z / m Z ) ∗ . 9 / 24

  15. Computer algebra Approach Modular curves approach Comparing different families Galois images Theorem (Serre, 1972) Let E be an elliptic curve without complex multiplication. (Generic case) For all primes ℓ outside a finite set depending on E and for all k ≥ 1, Gal ( Q ( E [ ℓ k ]) / Q ) = GL 2 ( Z /ℓ k Z ). For all primes ℓ and k ≥ 1, the sequence ι k = [ GL 2 ( Z /ℓ k Z ) : ρ E ,ℓ k ( Gal ( Q ( E [ ℓ k ]) / Q ))] is non-decreasing and eventually stationary. A conjecture of Serre ”La condition ℓ ≥ 41 suffit-elle ` a assurer que ρ E est surjectif ?” 10 / 24

  16. Computer algebra Approach Modular curves approach Comparing different families How to improve average valuation ? Theorem (Barbulescu et al. 2012) Let ℓ be a prime and E 1 and E 2 be two elliptic curves. If ∀ n ∈ N , Gal ( Q ( E 1 [ ℓ n ]) / Q ) ≃ Gal ( Q ( E 2 [ ℓ n ]) / Q ) then ¯ v ℓ ( E 1 ) = ¯ v ℓ ( E 2 ) . Thus in order to change the average valuation, we must change Gal ( Q ( E [ ℓ n ]) / Q ) for at least one n . 11 / 24

  17. Computer algebra Approach Modular curves approach Comparing different families How to improve average valuation ? Theorem (Barbulescu et al. 2012) Let ℓ be a prime and E 1 and E 2 be two elliptic curves. If ∀ n ∈ N , Gal ( Q ( E 1 [ ℓ n ]) / Q ) ≃ Gal ( Q ( E 2 [ ℓ n ]) / Q ) then ¯ v ℓ ( E 1 ) = ¯ v ℓ ( E 2 ) . Thus in order to change the average valuation, we must change Gal ( Q ( E [ ℓ n ]) / Q ) for at least one n . Example Primes found Family Torsion ¯ v 2 between 2 15 , 2 22 Suyama Z / 6 Z 10 / 7529 3 Suyama - 11 Z / 6 Z 11 / 9041 (20% more) 3 11 / 24

  18. Computer algebra Approach Modular curves approach Comparing different families Computer algebra Approach 12 / 24

  19. Computer algebra Approach Modular curves approach Comparing different families Computer algebra approach : Subfields Question : Under which conditions on t 0 ∈ Q , Gal ( K ( t 0 ) / Q ) ⊆ H ? K ( t ) H Gal ( K ( t ) / Q ( t )) = G K ( t ) H P t ( x ) ∈ Q ( t )[ x ] Q ( t ) = K ( t ) G Answer : When P t 0 ( x ) has a root in Q . 13 / 24

  20. Computer algebra Approach Modular curves approach Comparing different families For particular subgroups H Let G = Gal ( K ( t ) / Q ( t )) and H ⊆ G . 1 G = H : It suffices to check that for any tower of extensions between Q ( t ) and K ( t ), every defining polynomial remains irreducible. The complexity is the complexity of multivariate polynomial factorization of degrees < [ K ( t ) : Q ( t )]. This case becomes easy when [ K ( t ) : Q ( t )] is small. 2 [ G : H ] = 2 : Factorize Disc ( K ( t )) ∈ Z [ t ]. 1 For each squarefree factor f ∈ Z [ t ] of Disc ( K ( t )), check using 2 specializations if K ( t ) H is defined by X 2 − f . This case becomes easy if the factors of Disc ( K ( t )) are known. 14 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Finding ECM-friendly curves through a study of Galois properties 10th Algorithmic Number Theory

Finding ECM-friendly curves through a study of Galois properties 10th Algorithmic Number Theory

Finding ECM-friendly curves through a study of Galois properties 10th Algorithmic Number Theory Symposium Razvan Barbulescu 1 Joppe W. Bos 3 Cyril Bouvier 1 Thorsten Kleinjung 2 Peter L. Montgomery 3 1. Universit de Lorraine, CNRS, INRIA,

231 views • 21 slides
F p 2 -maximal curves with many automorphisms are Galois-covered by the Hermitian curve Daniele

F p 2 -maximal curves with many automorphisms are Galois-covered by the Hermitian curve Daniele

F p 2 -maximal curves with many automorphisms are Galois-covered by the Hermitian curve Daniele Bartoli Universit` a degli Studi di Perugia (Italy) (Joint work with Maria Montanucci and Fernando Torres) Finite Geometries - Fifth Irsee

577 views • 47 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
Galois action on the homology of Fermat curves Rachel Pries Colorado State University

Galois action on the homology of Fermat curves Rachel Pries Colorado State University

Galois action on the homology of Fermat curves Rachel Pries Colorado State University pries@math.colostate.edu KR 2 V : joint work with R. Davis, V. Stojanoska, K.Wickelgren Thanks to Joe! Silvermania, Brown University August 12, 2015 Pries

377 views • 27 slides
Hopf-Galois Theory and Galois Module Structure University of Exeter. Induced Hopf Galois

Hopf-Galois Theory and Galois Module Structure University of Exeter. Induced Hopf Galois

Hopf-Galois Theory and Galois Module Structure University of Exeter. Induced Hopf Galois structures Teresa Crespo, Anna Rio and Montserrat Vela June 25th, 2015 Let K/k be a separable field extension of degree n , K its Galois closure, G =

270 views • 14 slides
A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria

A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria

A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria Nancy, Caramba team 17/04/2019 WRACH workshop, Roscoff Joint work with Shashank Singh, IISER Bhopal, India 1/43 Plan Introduction: Discrete

924 views • 64 slides
A New Family of Pairing-Friendly Elliptic Curves Michael Scott and Aurore Guillevic MIRACL.com

A New Family of Pairing-Friendly Elliptic Curves Michael Scott and Aurore Guillevic MIRACL.com

A New Family of Pairing-Friendly Elliptic Curves Michael Scott and Aurore Guillevic MIRACL.com Universit de Lorraine, CNRS, Inria, LORIA, Nancy, France WAIFI 2018, Bergen, Norway, June 1416 1 / 24 Pairings in cryptography ( G 1 , +) , ( G

473 views • 24 slides
:i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and

:i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and

Extension , Galois Galois Intermediate I : Extensions lame l Gal LEIF ) t.EE if ] ' tf Galois Elf is :i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and [ E : F) so let G - suppose

1.01k views • 15 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Finding Periodicities in Astronomical Light Curves using Information Theoretic Learning Pablo

Finding Periodicities in Astronomical Light Curves using Information Theoretic Learning Pablo

Finding Periodicities in Astronomical Light Curves using Information Theoretic Learning Pablo Huijse H. Department of Electrical Engineering Universidad de Chile Joint work with: Pavlos Protopapas, Harvard University Jose Pr ncipe,

454 views • 17 slides
Computing modular Galois representations - the modulo p approach (after Jinxiang Zeng) Maarten

Computing modular Galois representations - the modulo p approach (after Jinxiang Zeng) Maarten

Computing modular Galois representations - the modulo p approach (after Jinxiang Zeng) Maarten Derickx 1 Universiteit Leiden and Universit e Bordeaux 1 Sage Days 51 22-26 July 2013 1 Original slides by Jinxiang Zeng, modified by D.

492 views • 23 slides
Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of

Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of

Curves Over Q ( 5) Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of the NSF-funded AIM FRG project on Databases of L -functions) February 2011 Curves Over Q ( 5) Stein 1. Finding

536 views • 34 slides
Introduction to Galois Representations Applications Plan for today Serres Cyclicity NATO

Introduction to Galois Representations Applications Plan for today Serres Cyclicity NATO

Dipartim. Mat. &amp; Fis. Universit` a Roma Tre Introduction to Galois Representations Applications Plan for today Serres Cyclicity NATO ASI, Ohrid 2014 Conjecture Lang Trotter Conjecture Arithmetic of Hyperelliptic Curves for trace of

726 views • 31 slides
OVERCOMING FEAR, FINDING SUCCESS, AND BUILDING A MORE WOMEN-FRIENDLY STARTUP COMMUNITY Lynn

OVERCOMING FEAR, FINDING SUCCESS, AND BUILDING A MORE WOMEN-FRIENDLY STARTUP COMMUNITY Lynn

OVERCOMING FEAR, FINDING SUCCESS, AND BUILDING A MORE WOMEN-FRIENDLY STARTUP COMMUNITY Lynn Yanyo Chem E 81 ISBM De Novo Ground Practical Elegance First Question interested? Was it ever this? Todays Buzzwords Invention

473 views • 15 slides
A short-list of pairing-friendly curves resistant to Special TNFS at the 128-bit security level

A short-list of pairing-friendly curves resistant to Special TNFS at the 128-bit security level

A short-list of pairing-friendly curves resistant to Special TNFS at the 128-bit security level Aurore Guillevic Universit de Lorraine, CNRS, Inria, LORIA, Nancy, France aurore.guillevic@inria.fr PKC, June 4, 2020 1/18 Bilinear pairing in

407 views • 30 slides
A hierarchical graph-based approach to generating formally-proofed Galois-field multipliers

A hierarchical graph-based approach to generating formally-proofed Galois-field multipliers

PROOFS, August 24, 2013 A hierarchical graph-based approach to generating formally-proofed Galois-field multipliers Kotaro Okamoto, Naofumi Homma, and Takafumi Aoki Tohoku University, Japan GSIS, TOHOKU UNIVERSITY Arithmetic algorithms over

549 views • 31 slides
Number Theory (I) Cunsheng Ding HKUST, Hong Kong November 7, 2015 Cunsheng Ding (HKUST, Hong

Number Theory (I) Cunsheng Ding HKUST, Hong Kong November 7, 2015 Cunsheng Ding (HKUST, Hong

Number Theory (I) Cunsheng Ding HKUST, Hong Kong November 7, 2015 Cunsheng Ding (HKUST, Hong Kong) Number Theory (I) November 7, 2015 1 / 22 Contents Prime Factorization 1 Congruence Modulo n 2 Euler Totient Function 3 Primitive Roots

815 views • 22 slides
Questions about Prime Numbers Proving Existential Statements Is 1 prime? Prove existential

Questions about Prime Numbers Proving Existential Statements Is 1 prime? Prove existential

Even/Odd Numbers CSE 20 Discrete Math An integer n is even iff n equals twice some integer. An integer n is odd iff n equals twice some integer plus 1. Summer, 2006 July 12 (Day 3) Number Theory Methods of Proof Instructor: Neil Rhodes 2

270 views • 8 slides
Cryptography: Public Key Cryptography; Mathematical Preliminaries Greg Plaxton Theory in

Cryptography: Public Key Cryptography; Mathematical Preliminaries Greg Plaxton Theory in

Cryptography: Public Key Cryptography; Mathematical Preliminaries Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Secure Communication Earlier we discussed the problems

202 views • 18 slides
Hadron Masses and Factorization (in DIS) Ted Rogers Jefferson Lab/Old Dominion University

Hadron Masses and Factorization (in DIS) Ted Rogers Jefferson Lab/Old Dominion University

Hadron Masses and Factorization (in DIS) Ted Rogers Jefferson Lab/Old Dominion University Quark-Hadron Duality 2018, James Madison University, Sept 24 2018 1 Hadronic vs. Partonic Degrees of Freedom Q 1 GeV, large x. Approach

716 views • 36 slides
Mathematical Induction Examples Strong Induction Induction hypothesis: n k P(n) To prove

Mathematical Induction Examples Strong Induction Induction hypothesis: n k P(n) To prove

Euclid (300 BC) Mathematical Induction Examples Strong Induction Induction hypothesis: n k P(n) To prove n Z + P(n): we prove P(1) (as before) and that k Z + (P(1) P(2) ... P(k)) P(k+1) P(1) P(1) P(2)

339 views • 8 slides
TDDE25 Computational Complexity Theory F 9 Chap 5: Algorithms Chap 12: Theory of Computation

TDDE25 Computational Complexity Theory F 9 Chap 5: Algorithms Chap 12: Theory of Computation

https://liuonline.sharepoint.com/sites/Lisam_TDDE25_2020HT_FZ Algorithmics and Computability Part II TDDE25 Computational Complexity Theory F 9 Chap 5: Algorithms Chap 12: Theory of Computation Patrick Doherty Dept of Computer and

639 views • 11 slides
Loosely Dependent Parallel Processes Complementary Paradigms Massively Parallel Task

Loosely Dependent Parallel Processes Complementary Paradigms Massively Parallel Task

Loosely Dependent Parallel Processes Complementary Paradigms Massively Parallel Task Farm Massively Parallel Slaves Master MPI/shared memory Task Farm Workers Controller Occasional network access E.g. BOINC Integer

913 views • 17 slides
What if Gauss had had a computer? Paul Zimmermann, INRIA, Nancy, France Celebrating 75 Years of

What if Gauss had had a computer? Paul Zimmermann, INRIA, Nancy, France Celebrating 75 Years of

What if Gauss had had a computer? Paul Zimmermann, INRIA, Nancy, France Celebrating 75 Years of Mathematics of Computation, ICERM, Brown University, Providence, November 1st, 2018 What if Gauss had had a computer? 1/43 Carl Friedrich Gauss,

643 views • 43 slides

More recommend