here - Sites personnels de TELECOM ParisTech - TÃ©lÃ©com ParisTech

More documents

Recommendations

Info

154 Chapter 5. Complex multiplication and elliptic curvesThe main approaches to generate elliptic curves for cryptography are as follows [18, ChapterVI], [56, Section 23.4.2.a]:• Generate a random curve defined over a small base field, compute the roots of its Frobeniusendomorphism characteristic equation and deduce its number of points over any extensionfield — such curves are called subfield curves.• Generate a random curve defined over the target base field and compute its number ofpoints using generic methods, l-adic methods, or p-adic methods, as appropriate.• Choose an endomorphism ring, look for a suitable base field, compute the correspondingcurve using reduction of a class polynomial — these curves are called CM curves.We give a more precise description of the last method [56, Algorithm 18.5], [84, Algorithme 1.15],which is obviously of special interest in this chapter, in Algorithm 5.3. It is called the CM method.Algorithm 5.3: The CM methodInput: A discriminant ∆, the corresponding class polynomial H ∆ , and a desired bitsizeOutput: A prime power q and an elliptic curve satisfying the desired properties1 repeat2 repeat3 Choose a random q = p m of the desired bitsize4 until There exist integers t and u such that 4q = t 2 − u 2 ∆5 until n = q + 1 ± t verifies the desired properties6 Compute a root of the reduction modulo q of the class polynomial H ∆7 Build the corresponding curve E8 return (q, E)In Line 3, the finite field size q = p m is chosen such that:1. p splits completely as pO Q(√∆)= pp ′ in Q( √ ∆);2. p does not divide the conductor of O ∆ ;3. p is of order dividing m.The test in Line 4 is solved using Cornacchia’s algorithm [56, Algorithm 18.4], [18, AlgorithmVIII.1] which is described in Algorithm 5.4.In Line 6, it is often supposed that the class polynomial is precomputed, and so the complexityof its computation is not included in that of the CM method. Usually different class polynomialssuch as those using double η quotients [87], mentioned in Subsection 5.3.5, are used instead ofthe Hilbert class polynomial.In Line 7, the j-invariant of the curves should first be reconstructed from the root of thereduced class polynomial. This is typically done using modular polynomials which are supposed tobe precomputed as well and whose computation is at least as difficult as that of class polynomials.Afterwards, there exist at least two non-isomorphic curves over F q with the same j-invariant, sothe right one should be chosen.Finally, it should be noted that the curves which can be generated in practice using the CMmethod will have complex multiplication by an order of relatively small discriminant, whichmakes them somehow “special” and could lead to specific attacks against the discrete logarithmproblem.
5.4. Elliptic curves in cryptography 155Algorithm 5.4: Cornacchia’s algorithmInput: Co-prime positive integers d and nOutput: Positive integers x and y such that x 2 + y 2 d = n if they exist1 Compute a solution n/2 < r 0 < n to r0 2 ≡ −d (mod n)2 Write n = qr 0 + r 1 using the Euclidean algorithm3 Set k = 14 while r k ≥ √ n do5 Write r k = qr k+1 + r k+2 using the Euclidean algorithm6 k = k + 17 s =√n−r 2 kd8 if s ∈ Z then9 return (r k , s)10 return ∅5.4.2 The MOV/Frey–Rück attackPairings can be used to transport the discrete logarithm problem from the group of rationalpoints of an elliptic curve into the multiplicative subgroup of a finite field [18, Section V.2], [19,Section IX.9]. There exist subexponential algorithms to compute the discrete logarithm in finitefields. Hence, if the size of the base field does not grow too much, it is much more efficient tosolve the discrete logarithm in the target finite field rather than in the original group of pointsof the elliptic curve. This attack was first proposed by Menezes, Okamoto and Vanstone [192],using the Weil pairing, and by Frey and Rück [104], using the Tate pairing. It is described inAlgorithm 5.5. If E is an elliptic curve defined over F q of characteristic p and P ∈ E(F q ) is ofprime order l ≠ p, Q a multiple of P , we want to compute λ ∈ Z such that Q = [λ]P .Algorithm 5.5: The MOV/Frey–Rück AttackInput: P, Q ∈ E(F q ) such that P is of prime order l ≠ p and Q is a multiple of POutput: λ ∈ Z such that Q = [λ]P1 Compute k such that l|q k − 12 Compute S ∈ E(F q k) such that e(P, S) ≠ 13 ζ 1 ← e(P, S)4 ζ 2 ← e(Q, S)5 Compute λ such that ζ 2 = ζ λ 1 in F q k6 return λThe following proposition shows that the Tate pairing is already faster to compute than theWeil pairing.Proposition 5.4.1 ([10], [19, Theorem IX.12]). Suppose that l|#E(F q ) is prime, l ≠ p andl ̸ |q − 1. Then E[l] ⊂ E(F q k) if and only if l|q k − 1.To compute a Weil pairing, not only must two Tate pairings be computed, but the base fieldK(E[m]) is also larger than K(µ l ). In practice, more efficient pairing such as the eta or the atepairings [131] are used.It should be remarked that the discrete logarithm can be transported in a potentially strictsubfield F p ord l (p) of F q k [133]. The integer ord l (p) is the smallest integer such that F ∗ p ord l (p)
Page 1:
2012-ENST-003EDITE de ParisDoctorat
Page 4 and 5:
Jean-Pierre Flori: Boolean function
Page 7:
AbstractThe core of this thesis is
Page 11 and 12:
AcknowledgmentsVladimir. — Quand
Page 13 and 14:
ContentsList of symbols and notatio
Page 15 and 16:
Contentsxv4 Efficient characterizat
Page 17 and 18:
List of figures1.1 The filter model
Page 19 and 20:
List of symbols and notationGeneral
Page 21 and 22:
List of symbols and notationxxil(t)
Page 23 and 24:
List of symbols and notationxxiiidi
Page 25:
List of symbols and notationxxvu
Page 28 and 29:
2 Introduction1 Mathematics and cry
Page 30 and 31:
4 Introductiongiving more general b
Page 33 and 34:
Chapter 1Boolean functions incrypto
Page 35 and 36:
1.1. Cryptographic criteria for Boo
Page 37 and 38:
1.2. Families of Boolean functions
Page 39 and 40:
Page 41 and 42:
Page 43:
Page 46 and 47:
20 Chapter 2. On a conjecture about
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 119:
Part IIBent functions and pointcoun
Page 122 and 123:
96 Chapter 3. Bent functions and al
Page 124 and 125:
98 Chapter 3. Bent functions and al
Page 126 and 127:
100 Chapter 3. Bent functions and a
Page 128 and 129:
102 Chapter 3. Bent functions and a
Page 130 and 131: 104 Chapter 3. Bent functions and a
Page 136 and 137: 110 Chapter 4. Efficient characteri
Page 155: Part IIIComplex multiplication and
Page 158 and 159: 132 Chapter 5. Complex multiplicati
Page 185 and 186: Chapter 6Complex multiplication in
Page 187 and 188: 6.1. Abelian varieties 1616.1 Abeli
Page 189 and 190: 6.1. Abelian varieties 163Theorem 6
Page 191 and 192: 6.1. Abelian varieties 165A homomor
Page 193 and 194: 6.1. Abelian varieties 1676.1.5 Hom
Page 195 and 196: 6.2. Class groups and units 169The
Page 197 and 198: 6.2. Class groups and units 171in [
Page 199 and 200: 6.3. Complex multiplication 173If t
Page 201 and 202: 6.3. Complex multiplication 175•
Page 203 and 204: 6.3. Complex multiplication 177We h
Page 205 and 206: 6.3. Complex multiplication 179pola
Page 207 and 208: 6.4. Class polynomials for genus 2
Page 209 and 210: 6.4. Class polynomials for genus 2
Page 211: Appendices
Page 214 and 215: Table A.3: Coefficients for d = 3,
Page 216 and 217: Table A.8: Coefficients for d = 8,
Page 218 and 219: 192 Bibliography[13] Elwyn Ralph Be
Page 220 and 221: 194 Bibliography[42] Claude Carlet,
Page 222 and 223: 196 Bibliography[72] Cunsheng Ding,
Page 224 and 225: 198 Bibliography[102] David Freeman
Page 226 and 227: 200 Bibliography[132] Marc Hindry a
Page 228 and 229: 202 Bibliography[161] Philippe Lang
Page 230 and 231:
204 Bibliography[191] Willi Meier a
Page 232 and 233:
206 Bibliography[222] Oscar Seymour
Page 234 and 235:
208 Bibliography[254] Marco Streng.
Page 236 and 237:
210 Bibliography[286] Chia-Fu Yu. T
Page 238 and 239:
212 IndexForm class group . . . . .
Page 240 and 241:
214 IndexKKloosterman sum . . . . .
Page 243 and 244:
Résumé longFauĆ.Werd’ iĚ beru
Page 245 and 246:
1. Des fonctions booléennes et d
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
2. Fonctions courbes et comptage de
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261 and 262:
3. Multiplication complexe et polyn
Page 263 and 264:
Page 265 and 266:
Page 267:
show all

here - Sites personnels de TELECOM ParisTech - TÃ©lÃ©com ParisTech

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?