EllipticCurvesandbilinearpairings资源-CSDN文库

需积分: 10 74 浏览量 2012-08-26 18:57:11 上传评论 1 收藏 237KB PDF 举报

资源推荐

资源详情

资源评论

Chapter 3

ELLIPTIC CURVES AND

BILINEAR PAIRINGS

3.1 Introduction

The complexity-theoretic foundation for modern public-key cryptography is based

on a class of hard problems: NP problems. An encryption algorithm should, on

the one hand, provide a legitimate user who is in possession of correct encryp-

tion/decryption keys with eﬃcient algorithms, i.e., polynomial-time, for encryption

and/or decryption, and on the other hand, pose an intractable problem for any

illegitimate person (a non-user, an adversary, an attacker or a cryptanalyst) who

tries to extract plaintext from ciphertext, or to construct a valid ciphertext without

using correct keys. Thus, a cryptographic key plays the role of an auxiliary input

to an NP problem. If necessary, the reader may review §2.5, in particular §2.5.6 for

the meaning of an auxiliary input to an NP problem.

In §2.5.6 we have listed and discussed a number of NP computational and de-

cisional problems which are suitable for, and have been widely used in, the con-

struction of modern public-key cryptographic algorithms and protocols. Most of

the problems listed there, e.g., problems (2-4) in Example 2.14, relate their in-

tractabilities to that of the integer factorization problem or that of the discrete

logarithm problem. In these cases, which we shall call “conventional public-key

cryptographic primitives”, the diﬃculty of the intractability is a sub-exponential

expression sub

exp(k) given in (2.5.9), here k is the security parameter of the algo-

rithm in question, which is usually the size of the public key parameter.

Thus, for a conventional public-key cryptographic primitive, the computational-

complexity asymmetry between a user and a non-user is poly(k) against sub

exp(k).

In fact, the diﬀerence between these two quantities is not desirably large for small

k. In order to make the asymmetry suﬃciently signiﬁcant, conventional public-key

cryptographic primitives all use rather large key parameters, i.e., large k. Nowa-

days, k = 1024 is widely considered the least setting for conventional public-key

cryptographic primitives. Consequently, legitimate users suﬀers a high computa-

tional cost.

Miller [?] and Koblitz [?] suggest to construct public-key cryptographic primi-

111

112 Elliptic Curves and Bilinear Pairings Chapter 3

tives using some calculations on elliptic curves.. These calculations will privite us

with a more diﬀerent asymmetry between legitimate users and non-users because

these calculations run polynomial time for users and exponential time for non-users.

Recently, elliptic curve also ﬁnds new and exciting applications in cryptography,

in particular in cryptographic protocols. This is from so-called bilinear pairing

of points over certain elliptic curves. Applying bilinear pairings, Diﬃe-Hellman,

a well-known class of hard computational problems, have easy decisional version,

that is, it is eﬃcient to answer the question whether a quadruple (a, b, c, d) is a

Diﬃe-Hellman instance (this is a hard decisional problem in the general case, see

Example 2.14). The diﬀerence between the decisional version and the computational

version of a cryptographically useful NP problem enable revolutionarily new ways

to do many things which were thought impossible not too long ago.

In this chapter we introduce elliptic curves and bilinear pairings. The material

to be provided here has a focus on bilinear pairings and forms a self-contained

foundation for our future study (in this book) of interesting cryptographic protocols

which apply bilinear pairing techniques.

3.1.1 Chapter Outline

§3.2 introduces elliptic curves over ﬁnite ﬁelds. §3.3 introduces bilinear pairing

techniques.

3.2 Elliptic Curves

Elliptic curves for cryptography are deﬁned over ﬁnite algebraic structures such as

ﬁnite ﬁelds. For ease of exposition, let us conﬁne ourselves to the easy case of prime

ﬁelds F

of characteristic p > 3. An elliptic curve over F

is the set of geometric

solutions P = (x, y) to an equation of the following form

E : y

= x

+ ax + b (3.2.1)

where a and b are elements in F

(p > 3) satisfying 4a

+ 27b

6≡ 0 (mod p).

have the points on E to form a group, an extra point denoted by O is included.

This extra point is called the point at inﬁnity and can be formulated as

O = (∞, ∞).

We write the set of all such points on E as

E(F

) = {P = (x, y) | x, y ∈ F

solved from (3.2.1) } ∪ {O}. (3.2.2)

This set of points form a group under a group operation which is conventionally

written additively using the notation “+” . We will deﬁne this operation in a

moment. We will use E in place of E(F

) whenever the omission of the presentation

of the underlying ﬁeld will not cause confusion.

Reason to be given after Deﬁnition 3.1.

Section 3.2. Elliptic Curves 113

Denote by f (x) the cubic polynomial in the right-hand side of (3.2.1). If f(x)

is reducible over F

then (ξ, 0) ∈ E where ξ ∈ F

is a zero, also called root, of f(x)

(i.e. f (ξ) ≡ 0 (mod p) and this is why f (x) is reducible over F

). We will see in

a moment that these points have order 2 under the group operation “+” . Since

f(x) is a cubic polynomial, there are at most three such points. Depending how

the cubic polynomial f(x) is reducible over F

, there is either one order-2 point or

there are three such points. We will see in Fig 3.1 in a moment that these order-2

points are in where the curve cuts the real axis.

All other points apart form O and (ξ, 0) are of the form (η, ±

f(η)) where

η ∈ F

and f(η) 6≡ 0 (mod p) is a quadratic residue element in F

(i.e., a square

number modulo p, see §2.11). Indeed, each quadratic residue element in F

has

two distinct square roots modulo p (see Corollary 2.4) and hence if (η,

f(η)) is a

solution, so is (η, −

f(η)).

To this end we know that the points on the curve E(F

) are O, (ξ, 0), (η,

f(η))

and (η, −

f(η)) for all ξ, η in F

satisfying that f(ξ) ≡ 0 (mod p) and f(η) is a

quadratic residue element in F

3.2.1 The Group Operation

The set of points on E deﬁned in (3.2.2) forms an abelian group under the operation

“+” deﬁned as follows.

Deﬁnition 3.1: Elliptic Curve Group Operation (Chord-and-Tangent Oper-

ation) Let P, Q ∈ E, ` be the line containing P and Q (tangent line to E if P = Q),

and R, the third point of intersection of ` with E. Let `

be the line connecting R

and O. Then P “+” Q is the point such that `

intersects E at R, O and P “+” Q.

We can now explain why we have required the coeﬃcients of the cubic polynomial

in (3.2.1) to satisfy 4a

+ 27b

6≡ 0 (mod p). Notice that

∆ = −4a

− 27b

is the discriminant of the cubic polynomial f(x) = x

+ ax + b. If ∆ ≡ 0 (mod p)

then f(x) ≡ 0 (mod p) has at least a double zero X (value which makes f(X) ≡

0 (mod p)) and clearly (X, 0) is on E. For E(x, y) = y

−x

−ax −b = 0, this point

satisﬁes

∂E

∂y

= 2y



y=0

∂E

∂x



x=X

= 0.

That is, (X, 0) is a singular point at which there is no unique tangent value. For

example, (X, 0) “+” (X, 0) is not uniquely deﬁned and this means a vialation of

Closure Axiom. Therefore, when ∆ ≡ 0 (mod p), (E, “+” ) cannot form a group.

Fig 3.1 illustrates the Chord-and-Tangent Operation Note, the illustration only

makes sense for a curve deﬁned over R. The top two curves are the case for ∆ < 0;

in this case the cubic polynomial has one real zero and so the curve cuts the real

Section 3.2. Elliptic Curves 115

For this equation to hold, ∞

must a “greater inﬁnity” than ∞

. Thus viewed

from the ﬁnite space, the point O is at the inﬁnitely far distance “in the north

pole direction.” That’s why the line connecting any ﬁnite point F and O should be

virtical. In §?? we will see a formal evidence for this informal explanation.

Let us now show that (E, “+” ) does form a group.

3.2.1.1 Identity and Inverse

For any P = (X, Y ) ∈ E, let us apply Deﬁnition 3.1 to a special case of Q being O

(since we have included O in E). For this case, line ` intersecting P and O is

` : x = X.

Since P ∈ E, f(X) = X

+ aX + b must be a quadratic residue in F

and therefore

−Y is the other square root of y

= f (X). That is, ` also intersects point R =

(X, −Y ) ∈ E. It is now clear that `

= `, i.e., `

intersects the same three points P ,

R and O as ` does. By Deﬁnition 3.1 we obtain

P = P “+” O

for any P ∈ E.

Denoting (X, −Y ) = “ − ”(X, Y ) = “ − ”P , similar to the above reasoning we

know “ − ”P is on the curve and

P “+” “ − ”P = O.

Thus under the operation “+” , O functions exactly the identity element of a group

does. We have therefore shown that (E, Eplus) satisﬁes Identity Axiom and Inverse

Axiom.

A special case of this special case is y

= −y

= 0. This is the case of S = (X, 0);

clearly we have S = “ − ”S or equivalently S “+” S = O. Therefore, such S is an

order-2 element. We have mentioned this special element earlier: it is a solution

of y

= f(x) ≡ 0 (mod p). Such special points only exist when f(x) ≡ 0 (mod p)

has zeros in F

, i.e., when f(x) is reducible over F

. Illustrated in Fig 3.1, order-2

points are those which are tangented by virtical lines.

3.2.1.2 Closure

We have shown that points P = (X, Y ) and Q = (X, −Y ) which are connected by

the same vertical line satisfy Closure Axiom.

Now let us consider the general case of P = (X

, Y

) and Q = (X

, Y

) being

connected by ` which is a non-vertical line. The formula for ` is

` : y − Y

= λ(x − X

) (3.2.3)

剩余30页未读，继续阅读

评论收藏

内容反馈

song2407

粉丝: 2
资源: 7

Elliptic Curves and bilinear pairings

最新资源

Elliptic Curves and bilinear pairings

Bilinear Pairings in Crytography

Elliptic Curves and Cryptography

modular elliptic curves and Fermat's last theorem

Rational points on elliptic curves

Counting points on elliptic curves over finite fields

Elliptic Curves-- Number Theory and Cryptography(Second Edition)

An Introduction to Elliptic Curves

论文研究-Efficient Pairing Computation on Elliptic Curves in Hessian form.pdf

椭圆曲线 数论与密码（完整版）Elliptic Curves.. Number Theory and Cryptography

The Arithmetic of Elliptic Curves 第二版 Silverman.J.H

Advanced Topics in the Arithmetic of Elliptic Curves Silverman(268s)

模块化椭圆曲线算法，第二版Algorithms for Modular Elliptic Curves, Second Edition

bazier.rar_elliptic curves

Use of Elliptic Curves in Cryptograph

An Elementary Introduction to Elliptic Curves

椭圆曲线 Elliptic Curves 2nd ed. - D. Husemoeller

handbook of elliptic and hyperelliptic curve cryptography

Batch Blind Signatures on Elliptic Curves

Elliptic_curve.pdf

论文研究-椭圆曲线密码体制中快速标量乘方法研究.pdf

python大作业 含爬虫、数据可视化、地图、报告、及源码（整和为一个文件）（2014-2020全国各地区原油加工量）.rar

仿真电路以及操作方法

【纯干货啊】华为IPD流程管理(完整版).pptx

可编程语言标准IEC61131-3中文版.pdf

OFDM完整仿真过程与教程.zip

信号与系统——保研复习资料.pdf

Landsat_WRS2.zip

最全的Visio形状/图形库

AxureRP9项目原型50套、案例20个、元件库1套.zip

最新资源

椭圆曲线数论与密码（完整版）Elliptic Curves.. Number Theory and Cryptography

python大作业含爬虫、数据可视化、地图、报告、及源码（整和为一个文件）（2014-2020全国各地区原油加工量）.rar