c 2006 by CRC Press, LLC.

Transcription

1 This is the of the Handbook of Elliptic and Hyperelliptic Curve Cryptography, Henri Cohen, Christophe Doche, and Gerhard Frey, Editors, CRC Press CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve a copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. The standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying..

2 List of Algorithms xxiii Preface xxix 1 Introduction to Public-Key Cryptography Cryptography Complexity Public-key cryptography Factorization and primality Primality Complexity of factoring RSA Discrete logarithm systems Generic discrete logarithm systems Discrete logarithm systems with bilinear structure Protocols Diffie Hellman key exchange Asymmetric Diffie Hellman and ElGamal encryption Signature scheme of ElGamal-type Tripartite key exchange Other problems I Mathematical Background 2 Algebraic Background Elementary algebraic structures Groups Rings Fields Vector spaces Introduction to number theory Extension of fields Algebraic closure Galois theory Number fields Finite fields First properties Algebraic extensions of a finite field Finite field representations Finite field characters xi

3 xii 3 Background on p-adic Numbers Definition of Q p and first properties Complete discrete valuation rings and fields First properties Lifting a solution of a polynomial equation The field Q p and its extensions Unramified extensions Totally ramified extensions Multiplicative system of representatives Witt vectors Background on Curves and Jacobians Algebraic varieties Affine and projective varieties Function fields Morphisms of affine varieties Rational maps of affine varieties Regular functions Generalization to projective varieties Abelian varieties Algebraic groups Birational group laws Homomorphisms of abelian varieties Isomorphisms and isogenies Points of finite order and Tate modules Background on l-adic representations Complex multiplication Arithmetic of curves Local rings and smoothness Genus and Riemann Roch theorem Divisor class group The Jacobian variety of curves Jacobian variety of elliptic curves and group law Ideal class group Class groups of hyperelliptic curves Varieties over Special Fields Varieties over the field of complex numbers Analytic varieties Curves over C Complex tori and abelian varieties Isogenies of abelian varieties over C Elliptic curves over C Hyperelliptic curves over C Varieties over finite fields The Frobenius morphism The characteristic polynomial of the Frobenius endomorphism The theorem of Hasse Weil for Jacobians Tate s isogeny theorem

4 xiii 6 Background on Pairings General duality results The Tate pairing Pairings over local fields The local Tate pairing The Lichtenbaum pairing on Jacobian varieties An explicit pairing The Tate Lichtenbaum pairing Size of the embedding degree Background on Weil Descent Affine Weil descent The projective Weil descent Descent by Galois theory Zariski closed subsets inside of the Weil descent Hyperplane sections Trace zero varieties Covers of curves The GHS approach Cohomological Background on Point Counting General principle Zeta function and the Weil conjectures Cohomology and Lefschetz fixed point formula Overview of l-adic methods Overview of p-adic methods Serre Tate canonical lift Monsky Washnitzer cohomology II Elementary Arithmetic 9 Exponentiation Generic methods Binary methods Left-to-right 2 k -ary algorithm Sliding window method Signed-digit recoding Multi-exponentiation Fixed exponent Introduction to addition chains Short addition chains search Exponentiation using addition chains Fixed base point Yao s method Euclidean method Fixed-base comb method

5 xiv 10 Integer Arithmetic Multiprecision integers Introduction Internal representation Elementary operations Addition and subtraction Multiplication Schoolbook multiplication Karatsuba multiplication Squaring Modular reduction Barrett method Montgomery reduction Special moduli Reduction modulo several primes Division Schoolbook division Recursive division Exact division Greatest common divisor Euclid extended gcd Lehmer extended gcd Binary extended gcd Chinese remainder theorem Square root Integer square root Perfect square detection Finite Field Arithmetic Prime fields of odd characteristic Representations and reductions Multiplication Inversion and division Exponentiation Squares and square roots Finite fields of characteristic Representation Multiplication Squaring Inversion and division Exponentiation Square roots and quadratic equations Optimal extension fields Introduction Multiplication Exponentiation Inversion Squares and square roots Specific improvements for degrees 3 and

6 xv 12 Arithmetic of p-adic Numbers Representation Introduction Computing the Teichmüller modulus Modular arithmetic Modular multiplication Fast division with remainder Newton lifting Inverse Inverse square root Square root Hensel lifting Frobenius substitution Sparse modulus Teichmüller modulus Gaussian normal basis Artin Schreier equations Lercier Lubicz algorithm Harley s algorithm Generalized Newton lifting Applications Teichmüller lift Logarithm Exponential Trace Norm III Arithmetic of Curves 13 Arithmetic of Elliptic Curves Summary of background on elliptic curves First properties and group law Scalar multiplication Rational points Torsion points Isomorphisms Isogenies Endomorphisms Cardinality Arithmetic of elliptic curves defined over F p Choice of the coordinates Mixed coordinates Montgomery scalar multiplication Parallel implementations Compression of points Arithmetic of elliptic curves defined over F 2 d Choice of the coordinates Faster doublings in affine coordinates

7 xvi Mixed coordinates Montgomery scalar multiplication Point halving and applications Parallel implementation Compression of points Arithmetic of Hyperelliptic Curves Summary of background on hyperelliptic curves Group law for hyperelliptic curves Divisor class group and ideal class group Isomorphisms and isogenies Torsion elements Endomorphisms Cardinality Compression techniques Compression in odd characteristic Compression in even characteristic Arithmetic on genus 2 curves over arbitrary characteristic Different cases Addition and doubling in affine coordinates Arithmetic on genus 2 curves in odd characteristic Projective coordinates New coordinates in odd characteristic Different sets of coordinates in odd characteristic Montgomery arithmetic for genus 2 curves in odd characteristic Arithmetic on genus 2 curves in even characteristic Classification of genus 2 curves in even characteristic Explicit formulas in even characteristic in affine coordinates Inversion-free systems for even characteristic when h Projective coordinates Inversion-free systems for even characteristic when h 2 = Arithmetic on genus 3 curves Addition in most common case Doubling in most common case Doubling on genus 3 curves for even characteristic when h(x) = Other curves and comparison Arithmetic of Special Curves Koblitz curves Elliptic binary Koblitz curves Generalized Koblitz curves Alternative setup Scalar multiplication using endomorphisms GLV method Generalizations Combination of GLV and Koblitz curve strategies Curves with endomorphisms for identity-based parameters Trace zero varieties Background on trace zero varieties Arithmetic in G

8 xvii 16 Implementation of Pairings The basic algorithm The setting Preparation The pairing computation algorithm The case of nontrivial embedding degree k Comparison with the Weil pairing Elliptic curves The basic step The representation The pairing algorithm Example Hyperelliptic curves of genus The basic step Representation for k> Improving the pairing algorithm Elimination of divisions Choice of the representation Precomputations Specific improvements for elliptic curves Systems of coordinates Subfield computations Even embedding degree Example IV Point Counting 17 Point Counting on Elliptic and Hyperelliptic Curves Elementary methods Enumeration Subfield curves Square root algorithms Cartier Manin operator Overview of l-adic methods Schoof s algorithm Schoof Elkies Atkin s algorithm Modular polynomials Computing separable isogenies in finite fields of large characteristic Complete SEA algorithm Overview of p-adic methods Satoh s algorithm Arithmetic Geometric Mean algorithm Kedlaya s algorithm

9 xviii 18 Complex Multiplication CM for elliptic curves Summary of background Outline of the algorithm Computation of class polynomials Computation of norms The algorithm Experimental results CM for curves of genus Summary of background Outline of the algorithm CM-types and period matrices Computation of the class polynomials Finding a curve The algorithm CM for larger genera Strategy and difficulties in the general case Hyperelliptic curves with automorphisms The case of genus V Computation of Discrete Logarithms 19 Generic Algorithms for Computing Discrete Logarithms Introduction Brute force Chinese remaindering Baby-step giant-step Adaptive giant-step width Search in intervals and parallelization Congruence classes Pollard s rho method Cycle detection Application to DL More on random walks Parallelization Automorphisms of the group Pollard s kangaroo method The lambda method Parallelization Automorphisms of the group Index Calculus Introduction Arithmetical formations Examples of formations The algorithm On the relation search Parallelization of the relation search

10 xix On the linear algebra Filtering Automorphisms of the group An important example: finite fields Large primes One large prime Two large primes More large primes Index Calculus for Hyperelliptic Curves General algorithm Hyperelliptic involution Adleman DeMarrais Huang Enge Gaudry Curves of small genus Gaudry s algorithm Refined factor base Harvesting Large prime methods Single large prime Double large primes Transfer of Discrete Logarithms Transfer of discrete logarithms to F q -vector spaces Transfer of discrete logarithms by pairings Transfer of discrete logarithms by Weil descent Summary of background The GHS algorithm Odd characteristic Transfer via covers Index calculus method via hyperplane sections VI Applications 23 Algebraic Realizations of DL Systems Candidates for secure DL systems Groups with numeration and the DLP Ideal class groups and divisor class groups Examples: elliptic and hyperelliptic curves Conclusion Security of systems based on Pic 0 C Security under index calculus attacks Transfers by Galois theory Efficient systems Choice of the finite field Choice of genus and curve equation Special choices of curves and scalar multiplication Construction of systems

11 xx Heuristics of class group orders Finding groups of suitable size Protocols System parameters Protocols on Pic 0 C Summary Pairing-Based Cryptography Protocols Multiparty key exchange Identity-based cryptography Short signatures Realization Supersingular elliptic curves Supersingular hyperelliptic curves Ordinary curves with small embedding degree Performance Hash functions on the Jacobian Compositeness and Primality Testing Factoring Compositeness tests Trial division Fermat tests Rabin Miller test Lucas pseudoprime tests BPSW tests Primality tests Introduction Atkin Morain ECPP test APRCL Jacobi sum test Theoretical considerations and the AKS test Factoring Pollard s rho method Pollard s p 1 method Factoring with elliptic curves Fermat Morrison Brillhart approach VII Realization of Discrete Logarithm Systems 26 Fast Arithmetic in Hardware Design of cryptographic coprocessors Design criterions Complement representations of signed numbers The operation XY + Z Multiplication using left shifts Multiplication using right shifts Reducing the number of partial products Booth or signed digit encoding

12 xxi Advanced recoding techniques Accumulation of partial products Full adders Faster carry propagation Analysis of carry propagation Multi-operand operations Modular reduction in hardware Finite fields of characteristic Polynomial basis Normal basis Unified multipliers Modular inversion in hardware Smart Cards History Smart card properties Physical properties Electrical properties Memory Environment and software Smart card interfaces Transmission protocols Physical interfaces Types of smart cards Memory only cards (synchronous cards) Microprocessor cards (asynchronous cards) Practical Attacks on Smart Cards Introduction Invasive attacks Gaining access to the chip Reconstitution of the layers Reading the memories Probing FIB and test engineers scheme flaws Non-invasive attacks Timing attacks Power consumption analysis Electromagnetic radiation attacks Differential fault analysis (DFA) and fault injection attacks Mathematical Countermeasures against Side-Channel Attacks Countermeasures against simple SCA Dummy arithmetic instructions Unified addition formulas Montgomery arithmetic Countermeasures against differential SCA Implementation of DSCA Scalar randomization Randomization of group elements

13 xxii Randomization of the curve equation Countermeasures against Goubin type attacks Countermeasures against higher order differential SCA Countermeasures against timing attacks Countermeasures against fault attacks Countermeasures against simple fault analysis Countermeasures against differential fault analysis Conclusion on fault induction Countermeasures for special curves Countermeasures against SSCA on Koblitz curves Countermeasures against DSCA on Koblitz curves Countermeasures for GLV curves Random Numbers Generation and Testing Definition of a random sequence Random number generators History Properties of random number generators Types of random number generators Popular random number generators Testing of random number generators Testing a device Statistical (empirical) tests Some examples of statistical models on Σ n Hypothesis testings and random sequences Empirical test examples for binary sequences Random walk Runs Autocorrelation Pseudorandom number generators Relevant measures Pseudorandom number generators from curves Other applications References Notation Index General Index