Elliptic Curve Cryptosystems: A Survey · 2005-02-10 · Abstract Elliptic curves have been a...

Date post: 11-Jun-2020
Category:
Upload: others
View: 1 times
Download: 0 times
Share this document with a friend
90
Elliptic Curve Cryptosystems: A Survey Tallman Zacharia Nkgau School of Cornputer Science McGill University, Montreal August 1998 A Thesis Submitted to the Faculty of Graduate Studies and Research in partial hilfilment of the requirements of the degree of Master of Science in Cornputer Science Copyright @ 1998 Tallman Zacharia Nkgau
Transcript
Page 1: Elliptic Curve Cryptosystems: A Survey · 2005-02-10 · Abstract Elliptic curves have been a subject of much mathematical study since early in the past century. Recently, through

Elliptic Curve Cryptosystems: A Survey

Tallman Zacharia Nkgau
School of Computer Science

McGill University, Montreal

August 1998

A Thesis Submitted to the Faculty of Graduate Studies and

Research in partial fulfilment of the requirements of the degree of

Master of Science in Computer Science

Copyright © 1998 Tallman Zacharia Nkgau

National Library of Canada / Bibliothèque nationale du Canada

Acquisitions and Bibliographic Services, 395 Wellington Street, Ottawa ON K1A 0N4, Canada

The author has granted a non-exclusive licence allowing the National Library of Canada to reproduce, loan, distribute or sell copies of this thesis in microform, paper or electronic formats.

The author retains ownership of the copyright in this thesis. Neither the thesis nor substantial extracts from it may be printed or otherwise reproduced without the author's permission.

Abstract

Elliptic curves have been a subject of much mathematical study since early in the past century. Recently, through the work of Koblitz and Miller, they have found application in the area of public-key cryptography. The basic reason is that elliptic curves over finite fields provide an abundance of finite abelian groups which could be used as a basis for public-key cryptosystems. The objective of this thesis is to survey the field of elliptic curve public-key cryptography as it exists now, with an attempt to identify key ideas and contributions. We are particularly interested in elliptic curve cryptosystems defined over Z_p (p > 3 and prime) and the ring Z_n (n is a product of two large distinct primes).

Résumé

Much attention has already been paid to the mathematical study of elliptic curves during the past centuries. Recently, thanks to the work of Koblitz and Miller, applications in the field of public-key cryptography have been found. The main reason for these advances is the ability of elliptic curves over finite fields to provide finite abelian groups in quantity, which can serve as the basis of public-key encryption systems. The aim of this thesis is to review the current state of knowledge in the field of public-key cryptography based on elliptic curves and to bring out its major ideas and contributions. We will pay particular attention to encryption systems based on elliptic curves defined over Z_p (p > 3 and p a prime number) and the ring Z_n (n being a product of two large prime numbers that are not equal).

Acknowledgements

Many thanks go to my supervisor, David Avis, for his patience, guidance, and motivation throughout the writing of this thesis. Special thanks to Nigel Smart for sending me his paper on anomalous curves, Kenji Koyama for helpful suggestions, and Chris Caldwell for sending me a list of primes (proved prime) for my experiments, and to Chrislain Razafimahefa for translating the abstract to French and for being such a friend. I am also grateful to Steve Robbins, Kenji Imasaki, Ian Garton, Vijay Sundaresan, Mike Soss, and Prasad Kakulavarapu for finding time to hang out and make McGill and Montreal the place to be. Also, thanks to Xiaoming Zhong and Ling Yong for all those Sunday morning dim sums. Lastly, a salute to a young man, Arne Louis Tebogo-Nkgau, for all the inspiration, patience, and understanding all the years I have been away.

Contents

1 Introduction

2 Mathematical Preliminaries
  2.1 Number Theory
  2.2 Algorithms and their Complexity
  2.3 More Number Theory
  2.4 Group and Field Theory
  2.5 Core Number-Theoretic Algorithms
  2.6 Public-Key Cryptography
    2.6.1 RSA
    2.6.2 Attacks on RSA
    2.6.3 ElGamal
    2.6.4 Attacks on ElGamal
    2.6.5 The Diffie-Hellman Key Exchange Protocol
    2.6.6 Attacks on the Diffie-Hellman Key Exchange

3 Elliptic Curves
  3.1 Introduction to Elliptic Curves
  3.2 Addition Rule
  3.3 Computing the number of points on an elliptic curve, #E
  3.4 The Elliptic Curve Discrete Logarithm Problem (ECDLP)
  3.5 Elliptic Curves Over Z_n

4 Elliptic Curve Cryptosystems  51
  4.1 Elliptic Curve Cryptosystems Over Z_p  51
  4.2 Elliptic Curve Cryptosystems Over Z_n  58
  4.3 Attacks on Elliptic Curve Cryptosystems  61
  4.4 Speeding Up Elliptic Curve Computations  62
  4.5 Generating Computationally Secure Curves  69

5 Conclusion  72

List of Figures

2.1 Algorithm EUCLID  10
2.2 Algorithm EXTENDED-EUCLID  13
2.3 Algorithm MOD-EXP  18
2.4 Decision Problem QUADRATIC-RESIDUE  19
2.5 Decision Problem COMPOSITE  21
2.6 Algorithm MILLER-RABIN  23
2.7 Decision Problem PRIMITIVE  24
2.8 Problem: FACTORING  24
2.9 The Discrete Logarithm Problem (DLP)  25
2.10 Algorithm SQUARE-ROOT(p)  27
2.11 Computing Square Roots Modulo n  28
2.12 The RSA Public-Key Cryptosystem  31
2.13 The ElGamal Public-Key Cryptosystem  33
2.14 Diffie-Hellman Key Exchange Protocol  35
2.15 The Diffie-Hellman problem  35
3.1 Geometric description of adding two distinct elliptic curve points  40
3.2 Geometric description of doubling an elliptic curve point  41
3.3 Algorithm MULTIPLE-ADDITION  47
3.4 The Elliptic Curve Discrete Logarithm Problem (ECDLP)  48
4.1 The Analog of the ElGamal Public Key Cryptosystem  52
4.2 The Menezes-Vanstone Cryptosystem  54
4.3 Menezes-Vanstone encryption  55
4.4 Menezes-Vanstone decryption  56
4.5 The Elliptic Curve Analog of the Diffie-Hellman Key Exchange Protocol  57
4.6 The KMOV-scheme  59
4.7 The Meyer et al. Scheme  60
4.8 Three speed up levels for elliptic curve operations  63
4.9 The modified signed-digit (MSD) algorithm for computing kP  65
4.10 Jedwab and Mitchell minimum MSD algorithm  67
4.11 Laih and Kuo's algorithm for computing kP  68
4.12 Koblitz's random curve selection method, RANDOM-CURVE  70
4.13 Koblitz's algorithm for generating curves of prime order, RANDOM-CURVE-PRIME  70

List of Tables

2.1 Time complexities of primitive arithmetic operations  9
2.2 Factoring Algorithms  25
2.3 Algorithms for solving DISCRETE-LOG  26
3.1 Points on the curve E : y^2 = x^3 + ? + 19 over Z_23  43
3.2 Multiples of P = (4, 8)  44
3.3 Notational correspondence between Z_p^*, Z_n^* and E_p  47
3.4 Points on the curve E : y^2 = x^3 + x + 12 over Z_??  49

Chapter 1

Introduction

Cryptography is the art and science of communicating in the presence of adversaries. Two people, whom we will call Bob and Alice in keeping with tradition, wish to communicate privately, so that an adversary, Oscar, cannot know what was communicated. Bob and Alice have to send messages to each other over some communication channel, which could either be a telephone line, a computer network or any other feasible means of communication. Cryptography, for a long time, has always been within the realms of governments and the military. This changed in 1976 with the seminal paper of Diffie-Hellman [19], which introduced cryptography to the world of academia. One solution to this need for communicating privately is for Bob and Alice to exchange a secret key, e_K. Now, when Bob wishes to send a message m (called "plaintext") to Alice, he sends c = e_K(m). The effect of computing e_K(m) is to transform the original message into "ciphertext" (something unintelligible). Alice retrieves the message by computing m = e_K^{-1}(e_K(m)). As of necessity, the secret key could be thought of as a one-to-one function from the plaintext space to the ciphertext space. Computing e_K and e_K^{-1} is referred to as "encryption" and "decryption", respectively. This scheme of communication is usually referred to as a "private-key cryptosystem". Private-key cryptosystems, however, have two drawbacks:

1. The secret key e_K must be communicated over a secure channel, which might not always be available.

2. In a network of n users, n(n − 1)/2 secret keys could be required. Privacy of keys could easily be compromised.

To overcome these deficiencies, Diffie and Hellman [19] proposed the use of "public-key cryptosystems". In these schemes, each user's encryption key is put in a public directory of keys (like phone numbers). Anybody can send a message to Bob by using his public key, say e_B. Of course, this implies that e_B should be computationally infeasible to invert at any point of its domain, unless you have some special information (the "trap-door"), which makes it easy to invert e_B. The trap-door should only be known by Bob. Encryption functions satisfying these conditions are known as "trap-door one-way functions" (TOF), and it was Diffie and Hellman who first proposed their use in cryptography.

In their 1976 paper, Diffie and Hellman did not propose any public-key cryptosystem; this task was left to another seminal paper, this time of Rivest, Shamir, and Adleman [69]. They proposed a public-key cryptosystem, which now bears their names, RSA, based on factoring a large composite integer. This now famous cryptosystem goes by the name of RSA. Soon after, there was an explosion of research into public-key cryptography. A lot of cryptosystems were proposed and many were broken [84, 73]. Amongst all these cryptosystems, the one proposed by ElGamal [20], based on exponentiation in finite fields, stood out from the rest. Exponentiation in finite fields and factoring large composite numbers are now the basis of many public-key cryptosystems.

The use of elliptic curves (in particular, the theory of elliptic curves defined over finite fields) in public-key cryptography was discovered, independently, by Koblitz [29] and Miller [56] barely a decade ago. Elliptic curves, in contrast, have been a subject of much mathematical study since the dawn of the 19th century. Miller and Koblitz observed that elliptic curves defined over finite fields provide an abundance of finite abelian groups. Some cryptosystems, for example the ElGamal cryptosystem, are based on multiplicative groups of finite fields, and in many ways elliptic curves are natural analogs of these groups. However, elliptic curves offer several advantages over their finite field counterparts:

• More flexibility in choosing an elliptic curve than in choosing a finite field.

• Elliptic curve public-key cryptosystems (over Z_p (p > 3 and prime)) offer the highest strength-per-bit of any public-key cryptosystem.

• Only elementary arithmetic operations are required, leading to faster implementations in hardware and software, especially for elliptic curves over F_{2^m}.

The main disadvantage in implementing elliptic curve cryptosystems is usually the fact that a thorough knowledge of the theory of elliptic curves over finite fields is required. A daunting task indeed.

The objective of this thesis is to survey the field of elliptic curve cryptography as it exists now, with an attempt to identify key ideas and contributions. We are particularly interested in elliptic curve cryptosystems defined over Z_p (p > 3 and prime) and the ring Z_n (n is a product of two large distinct primes). For elliptic curve cryptosystems over F_{2^m}, the reader is referred to Menezes [52]. A survey like this can not hope to contain all the important results in the field, and some results will only be glossed over. However, we hope that what we have included is enough to please everybody. So far, we only know of two surveys that have been published, Menezes [52] and Saeki [71]. Menezes' survey was published in 1993 and, with the rate at which research is going now, it is being eclipsed by new results in the field. In fact, some of the curves that were proposed at that time for use in cryptosystems have now been found not to be that secure [83]. Also, the emphasis is on curves over F_{2^m} and it is more inclined to the theory of elliptic curves. Saeki's (1996) survey does not take into account many results that were published around that time. It also only discusses the analog of the ElGamal cryptosystem. It is our opinion that the two surveys fall short of making the field accessible (either because of a leaning towards theory or insufficient details) to senior undergraduates of computer science and do not, for example, adequately discuss the speeding up of elliptic curve operations, which is of paramount importance. It is our intention, with this survey, to address these inadequacies. As such, our survey plows a fine line between theory and practical implementation so as to make it accessible to the intended audience and at the same time provide sufficient details enabling it to be used in an undergraduate course in cryptography.

We begin by reviewing the mathematics underlying the cryptosystems discussed in this thesis. A level of advanced undergraduate in computer science is assumed of readers; however, a certain amount of mathematical maturity in handling mathematical concepts is desirable. We also give a brief introduction to the field of public-key cryptography. Chapter 2 introduces elliptic curves and their properties necessary for a full understanding of the elliptic curve cryptosystems discussed in Chapter 4 of this thesis. Chapter 4 also gives summaries of attacks on elliptic curve cryptosystems as well as how to generate elliptic curves suitable for use in cryptosystems and how to speed up elliptic curve arithmetic operations. We conclude by summarizing recent results and looking into the future of elliptic curve cryptosystems in the field of public-key cryptography.

Page 15: Elliptic Curve Cryptosystems: A Survey · 2005-02-10 · Abstract Elliptic curves have been a subject of much mathematical study since early in the past century. Recently, through

Chapter 2

Mathematical Preliminaries

Elliptic curve public key cryptography depends heavily on number-theoretic concepts. In this chapter we introduce the necessary mathematical concepts used in this thesis. Specifically, we give a brief overview of concepts from number, group and field theories and the arithmetic of elliptic curves. Burton [11], Cohen [14], and Koblitz [29] have a more extensive review of elementary number theory. For field and group theory, Roman [70] is an excellent source. We also give a brief review of public-key cryptography. The proofs of most of the results in this chapter are omitted since they are now considered folklore and can be found in the references cited.

2.1 Number Theory

The set of all integers will be denoted by Z. N_i will denote the set of integers greater than i, that is, {i + 1, i + 2, ...}; N_0, in this case, will then represent the positive integers. The cardinality of a set S will be denoted by |S|.

Definition An equivalence relation on a set S is a binary relation ~ on S such that for any x, y, z ∈ S, the following is true:

2. if x ~ y then y ~ x (symmetry)

3. if x ~ y and y ~ z then x ~ z (transitivity)

Let ~ be an equivalence relation on a set S. Then P = {[s] | s ∈ S}, where [s] = {u ∈ S | s ~ u}, forms a partition of S in the sense that

An element X ∈ P is called an equivalence class of the partition P. It is assumed that the reader is familiar with many elementary facts about integers, one of which is the Well-Ordering Principle, which states that every non-empty set S of nonnegative integers (N_{-1}) contains a least element; that is, there is some integer u ∈ S such that u ≤ s for all s ∈ S.

Theorem 2.1.1 (Division Algorithm)

Let a, b ∈ Z, b > 0, then there exist unique q, r ∈ Z such that

The integers q and r are called the quotient and the remainder in the division of a and b, respectively.

Corollary 2.1.2 If a, b ∈ Z, b ≠ 0, then there exist unique q, r ∈ Z such that a = qb + r, 0 ≤ r < |b|.

If r = 0, we say b divides a, and we denote this by b | a. Otherwise, we say b does not divide a, which we denote by b ∤ a.

Definition Let a, b ∈ Z, |a| + |b| ≠ 0. The greatest common divisor of a and b, denoted by GCD(a, b), is the positive integer d satisfying

2. if c | a and c | b, then c ≤ d.

We should point out at this point that the greatest common divisor of any collection of integers, not all zero, always exists.

Theorem 2.1.3 (Extended Division Algorithm)

Given a, b ∈ Z, |a| + |b| ≠ 0, there exist x, y ∈ Z such that GCD(a, b) = ax + by.

Definition An integer n > 1 is called a prime number if its only positive divisors are 1 and n; otherwise it is called composite.

Definition An integer n is said to be y-smooth if all its prime factors are less than or equal to y.

From this point onwards, we will follow the convention that all variables are integers unless otherwise specified.

Theorem 2.1.4 If a | bc and GCD(a, b) = 1, then a | c.

Corollary 2.1.5 If p is prime and p | ab, then p | a or p | b.

Definition Let a, b ∈ Z, |a| + |b| ≠ 0; then a and b are said to be relatively prime whenever GCD(a, b) = 1.

The following theorem finally gives us the ammunition we require to calculate the greatest common divisor of two integers, and it can easily be extended to a collection of integers, not all zero.

Theorem 2.1.6 Let a, b ∈ Z. If a = qb + r for some q ∈ Z, then GCD(a, b) = GCD(b, r).

Before giving any algorithms, we digress to give some definitions and notation we shall use in discussing algorithms. More detailed information on algorithms can be found in Cormen et al. [17], Rawlins [67], Aho et al. [3], and Wilf [91].

2.2 Algorithms and their Complexity

An algorithm, informally, is a list of steps for solving a problem. The following properties of an algorithm are usually of interest:

• Time Complexity, T(n)

• Space Complexity, S(n)

The argument n is the size of the input to the algorithm.

Definition (Big-Oh, O)

Let f and g be two functions f, g : N_0 → R^+. We say f(n) = O(g(n)) if there exist c, n_0 ∈ N_0 such that f(n) ≤ c·g(n) for all n ≥ n_0. When f(n) = O(g(n)) we say that g(n) is an (asymptotic) upper bound for f(n).

Definition (Small-oh, o)

Let f and g be two functions f, g : N_0 → R^+. We say f(n) = o(g(n)) if lim_{n→∞} f(n)/g(n) = 0.

Definition We say the running time of an algorithm is polynomial if its time complexity T(n) = O(n^c), for a constant c ≥ 1 (if c = 1 we usually say it is linear and if c = 2, we say it is quadratic); and we say it is exponential if T(n) = O(r^n), for a constant r > 1.

We are mostly interested in the asymptotic behavior of T(n), that is, its limiting behavior as the input size of the algorithm increases (n → ∞). The functions T(n) and S(n) depend heavily on the computation model used and on the input encoding scheme used. Fortunately, it turns out that all "reasonable" input encoding schemes differ at most polynomially from one another. The input to our algorithms will exclusively be integers, hence their binary equivalents will be used as input to the algorithms. The "size" of the input will then be the number of binary digits used to encode the input.

Since we will be working with rather "large" integers, the following bounds, given in Table 2.1, for the primitive arithmetic operations will be used, where the input is two k-bit integers. Certainly better algorithms, with better time complexity bounds, can be used, but these bounds suffice for us.

We will, on numerous occasions, discuss algorithms that depend only on the random choices they make. These kinds of algorithms are usually referred to as randomized algorithms. The randomness usually arises from the assumption that the algorithm has access to a random number generator. This of course is hardly ever the case. However, to simplify the analysis of the expected time complexity of the algorithm, it is usually assumed that the algorithm has access to a "true" random number generator. There are two different types of randomized algorithms:

| Operation         | Time Complexity, T(n) |
|-------------------|-----------------------|
| Multiplication, * | O(lg^2 n)             |

Table 2.1: Time complexities of primitive arithmetic operations.

1. Las Vegas algorithms: they always give the correct solution (if they terminate).

2. Monte Carlo algorithms: they sometimes give incorrect solutions; however, we are able to bound the probability of failure.

The one good property of Monte Carlo algorithms is that, by running them repeatedly, with independent random choices each time, the failure probability can be made arbitrarily small. Of course, this is usually at the expense of running time.

2.3 More Number Theory

We are now ready to present our first algorithm. The following algorithm, given in Figure 2.1, attributed to Euclid [28], is often used to compute the greatest common divisor of two integers. The notation ⌊x⌋ denotes the greatest integer less than or equal to x. Euclid's algorithm is ancient and much has been written about it. Its time complexity can be shown to be T(n) = O(lg^3 n), see for example Knuth [28] and Koblitz [29]. However, a more careful analysis of the operations involved can lower this to O(lg^2 n) [28]. We shall use lg x to denote log_2 x.

Definition We say m ∈ N_0 is the least common multiple of a, b ∈ N_0, denoted by LCM(a, b), if it satisfies

1. a | m and b | m

2. if a | c and b | c, with c ∈ N_0, then m ≤ c.

Theorem 2.3.1 For any a, b ∈ N, GCD(a, b) · LCM(a, b) = a · b.

Next we introduce the notion of congruence.

Definition Let a, b ∈ Z and n ∈ N_1. Then, we say a and b are congruent modulo n, denoted by a ≡ b (mod n), if n | (a − b). The integer n is called the modulus.

It is easily seen that a ≡ b (mod n) if and only if a and b leave the same nonnegative remainder when divided by n. Hence, every integer is congruent modulo n to exactly one of 0, 1, ..., n − 1. This set of residues modulo n is usually denoted by Z_n, and the set Z_n − {0} is denoted by Z_n^*.

The next theorems give some of the properties of modular arithmetic.

Theorem 2.3.2 Let n ∈ N_1 be fixed and a, b, c, d ∈ Z. Then the following properties are satisfied.

1. a ≡ a (mod n)

2. if a ≡ b (mod n) then b ≡ a (mod n)

3. if a ≡ b (mod n) and b ≡ c (mod n) then a ≡ c (mod n)

5. if a ≡ b (mod n) then a + c ≡ b + c (mod n) and a · c ≡ b · c (mod n)

6. if a ≡ b (mod n) then a^k ≡ b^k (mod n) for any k ∈ N_0

The first three properties imply that ≡ is an equivalence relation on Z, for a fixed n ∈ N_1.

Theorem 2.3.3 If c · a ≡ c · b (mod n), then a ≡ b (mod n/d), where d = GCD(c, n).

Corollary 2.3.4 If c · a ≡ c · b (mod n) and GCD(c, n) = 1, then a ≡ b (mod n).

Definition Let x ∈ Z_n. Then an element z ∈ Z_n such that xz ≡ 1 (mod n) is called the multiplicative inverse of x, and is denoted by x^{-1}.

The next theorem tells us when this multiplicative inverse exists.

Theorem 2.3.5 Let x ∈ Z_n. Then x has a multiplicative inverse if and only if GCD(n, x) = 1. Furthermore, this multiplicative inverse is unique.

Corollary 2.3.6 If n is prime, then every x ∈ Z_n^* has a multiplicative inverse.

Most important to us is computing the inverse of x (mod n) if it exists. Algorithm EXTENDED-EUCLID, from Stinson [84], given in Figure 2.2, is often used to compute the inverse. It is based on algorithm EUCLID.

The extended Euclidean algorithm, as its name suggests, is an extension of Euclid's algorithm to compute the greatest common divisor of two integers. As a result, its time complexity can be shown to be T(n) = O(lg^3 n), the same as Euclid's algorithm. Stinson [84] and Knuth [28] discuss it in detail.

Theorem 2.3.7 Let a, b ∈ Z_n, n > 1 and fixed. The linear congruence ax ≡ b (mod n) has a solution if and only if d | b, where d = GCD(a, n). If d | b, then there are d mutually incongruent solutions modulo n.

When b = 1, we have the special case of computing a^{-1}.

Corollary 2.3.8 If GCD(a, n) = 1, then the linear congruence ax ≡ b (mod n) has a unique solution modulo n.

The next theorem extends the result of Theorem 2.3.7 to a system of linear congruence equations.

Theorem 2.3.9 (Chinese Remainder Theorem)

Let n_1, n_2, ..., n_r ∈ N_0 such that GCD(n_i, n_j) = 1 for 1 ≤ i ≠ j ≤ r. Then the system of linear congruences

x ≡ a_1 (mod n_1)

x ≡ a_2 (mod n_2)

...

x ≡ a_r (mod n_r)

has a simultaneous solution, which is unique modulo n = n_1 · n_2 ··· n_r, namely x = a_1 N_1 x_1 + a_2 N_2 x_2 + ··· + a_r N_r x_r (mod n), where N_k = n/n_k and x_k is the solution to N_k · x_k ≡ 1 (mod n_k).


Input: a, n ∈ ℕ such that a ∈ ℤ_n* and GCD(a, n) = 1.

Output: u = a^{-1} (i.e. u · a ≡ 1 (mod n)).

1. n_0 ← n
2. a_0 ← a
3. t_0 ← 0
4. t ← 1
5. q ← ⌊n_0 / a_0⌋
6. r ← n_0 − q · a_0
7. While (r > 0) Do
   {
     temp ← t_0 − q · t
     If (temp ≥ 0) Then
       temp ← temp (mod n)
     Else
       temp ← n − ((−temp) (mod n))
     t_0 ← t
     t ← temp
     n_0 ← a_0
     a_0 ← r
     q ← ⌊n_0 / a_0⌋
     r ← n_0 − q · a_0
   }
8. Return (t (mod n))

Figure 2.2: Algorithm EXTENDED-EUCLID


We will, however, employ the following corollary on numerous occasions.

Corollary 2.3.10 The mapping π: ℤ_n → ℤ_{n_1} × ℤ_{n_2} × ··· × ℤ_{n_r}, where n and n_1, ..., n_r are as in the theorem and π(x) = (x (mod n_1), x (mod n_2), ..., x (mod n_r)), is a bijection.
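As an added example (not code from the thesis), the following Python implements Figure 2.2 step by step, builds the Chinese Remainder Theorem construction of Theorem 2.3.9 on top of it, and checks the bijection of Corollary 2.3.10; all sample values are constructed here.

```python
# Added example (not from the thesis): Figure 2.2's EXTENDED-EUCLID as
# working Python, a Chinese Remainder Theorem solver built on it
# (Theorem 2.3.9), and the bijection of Corollary 2.3.10.
from functools import reduce
from math import gcd


def extended_euclid(a: int, n: int) -> int:
    """Return u = a^{-1} (mod n), following the steps of Figure 2.2.

    The figure assumes GCD(a, n) = 1; here that is checked at the end
    (a0 holds GCD(a, n) when the loop stops) and a ValueError is raised
    when no inverse exists, instead of returning a meaningless value.
    """
    if n <= 1:
        raise ValueError("modulus must exceed 1")
    n0, a0 = n, a % n
    if a0 == 0:
        raise ValueError("a is 0 modulo n and has no inverse")
    t0, t = 0, 1
    q = n0 // a0
    r = n0 - q * a0
    while r > 0:
        temp = t0 - q * t
        # keep temp in the range 0..n-1, exactly as the figure does
        if temp >= 0:
            temp = temp % n
        else:
            temp = n - ((-temp) % n)
        t0, t = t, temp
        n0, a0 = a0, r
        q = n0 // a0
        r = n0 - q * a0
    if a0 != 1:
        raise ValueError(f"GCD(a, n) = {a0} != 1, no inverse modulo n")
    return t % n


def crt(residues, moduli):
    """Theorem 2.3.9: the unique x modulo n = n_1 * ... * n_r with
    x = a_k (mod n_k) for every k, computed as the sum of a_k N_k x_k
    where N_k = n / n_k and x_k is the inverse of N_k modulo n_k."""
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    n = reduce(lambda x, y: x * y, moduli, 1)
    x = 0
    for a_k, n_k in zip(residues, moduli):
        if n_k == 1:                      # a modulus of 1 constrains nothing
            continue
        N_k = n // n_k
        x_k = extended_euclid(N_k, n_k)   # N_k * x_k = 1 (mod n_k)
        x += a_k * N_k * x_k
    return x % n


def pi_map(x: int, moduli):
    """Corollary 2.3.10: the bijection pi(x) = (x mod n_1, ..., x mod n_r)."""
    return tuple(x % m for m in moduli)


if __name__ == "__main__":
    # constructed sample values, not from the thesis
    print(extended_euclid(3, 7))          # 5, since 3 * 5 = 15 = 1 (mod 7)
    x = crt([2, 3, 2], [3, 5, 7])         # 23
    print(x, pi_map(x, [3, 5, 7]))        # 23 (2, 3, 2)
```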

Next, we give some well known facts from group and field theory that will be useful for a full understanding of this thesis.

2.4 Group and Field Theory

Definition A binary operation on a set A is a map from A × A to A, ∗: A × A → A.

Definition A group is a nonempty set G, together with a binary operation, ∗, on elements of G satisfying the following properties:

1. (associativity) for all g, h, k ∈ G, (g ∗ k) ∗ h = g ∗ (k ∗ h)

2. (identity) there exists an element e ∈ G such that g ∗ e = e ∗ g = g for each g ∈ G

3. (inverses) for each g ∈ G, there exists an element g^{-1} ∈ G such that g ∗ g^{-1} = e = g^{-1} ∗ g

Definition A group G is abelian, or commutative, if g ∗ h = h ∗ g for all g, h ∈ G.

The identity element is often denoted by 1. When G is abelian, the group operation is often denoted by + and the identity by 0. A group G is said to be finite if it contains only a finite number of elements. The cardinality of a finite group G is called its order and is denoted by |G| or ord(G).

Definition A subgroup S of a group G is a subset of G that is also a group under the same operation defined on G. We denote the fact that S is a subgroup of G by writing S < G.

Interesting subgroups of a group G are those generated by an element g ∈ G, that is, the set ⟨g⟩ = {g^n | n ∈ ℤ}. The set ⟨g⟩ is usually referred to as the cyclic subgroup generated by g.

Definition Let G be a group.

1. If g ∈ G, and if g^k = e for some k ∈ ℤ, we say that k is an exponent of g.

2. An m ∈ ℤ for which g^m = e for all g ∈ G is called an exponent of G.

The smallest positive exponent for g ∈ G is called the order of g, denoted by ord(⟨g⟩).

Definition A finite group G is cyclic if and only if it has an element of order ord(G).

One way of looking at this is that G is cyclic if and only if G = ⟨g⟩ for some g ∈ G. In this case we say g generates G. The following theorem gives us more information about the exponents.

Theorem 2.4.1 Let G be a group and g ∈ G. Then k is an exponent of g if and only if k | ord(⟨g⟩). Similarly, the exponents of G are precisely the multiples of the smallest positive exponent of G.

In this review we will mainly be working with finite abelian groups, so the next two theorems characterize the smallest positive exponent for finite abelian groups.

Theorem 2.4.2 Let G be a finite abelian group.

1. If m is the maximum order of all elements in G, then g^m = e for all g ∈ G. Thus, the smallest positive exponent of G is equal to the maximum order of all elements of G.

2. The smallest positive exponent of G is equal to ord(G) if and only if G is cyclic.

3. If G is cyclic, then every subgroup of G is cyclic.

4. If G = ⟨g⟩ is a cyclic group of order n, then

   1. For 1 ≤ k ≤ n, ord(⟨g^k⟩) = n / GCD(n, k)

   2. If d | n, then ord(⟨g^k⟩) = d ⟺ k = r · (n/d), where GCD(r, d) = 1.

Theorem 2.4.3 Let G be a finite group.

1. (Lagrange) For any S < G, ord(S) | ord(G)

2. For any g ∈ G, ord(⟨g⟩) | ord(G)

3. If G is a finite abelian group and if k | ord(G), then G has a subgroup of order k

4. (Cauchy) If ord(G) is divisible by a prime p, then G contains an element of order p

5. If p is a prime and ord(G) is divisible by p^n, then G contains a subgroup of order p^n

Definition A ring is a nonempty set R, together with two binary operations on its elements, called addition (denoted by +) and multiplication (denoted by ·), satisfying the following properties.

1. R is an abelian group under +

3. (Distributivity) for all g, h, k ∈ R, (g + k) · h = g · h + k · h and h · (g + k) = h · g + h · k

The ring R is called a ring with identity if there exists an element 1 ∈ R for which r · 1 = 1 · r = r for all r ∈ R. From this point onwards we will denote the identity of the group by 1. That is, e = 1.

Definition Let R be a ring with identity. R is called a field if the nonzero elements of R form an abelian group under multiplication.

Definition A subring S of a ring R is a nonempty subset of R that is also a ring under the same operations defined on R.

Definition A subfield E of a field F is a nonempty subset of F that is also a field under the same operations defined on F. In this case, we say that F is an extension of E and we write E < F or F > E.

Definition Let F be a field. The characteristic, char(F), of F is the smallest positive integer k (if it exists) for which k · 1 = 1 + 1 + ··· + 1 (k times) = 0. If it doesn't exist we say F has characteristic 0. In the former case F contains a copy of ℤ_k, and in the latter, F contains a copy of ℚ, the rational numbers.

The notion of finiteness extends to fields as well. Finite fields play a very important role in cryptography, and below we give some of the properties of finite fields that will be useful to us.

Theorem 2.4.4 Let F be a finite field.

1. F has prime characteristic p (we denote this by F_p)

2. F*, the multiplicative group of all nonzero elements of F, is cyclic

3. F has size q = p^n, for some prime p and n ∈ ℕ_0. In this case we denote F by F_q or GF(q), where the symbol GF stands for Galois Field, in honor of Evariste Galois.

Definition An element α ∈ F_q that generates the cyclic group F_q* is called a primitive element of F_q.

It is not difficult to ascertain that ℤ_p is a field under addition and multiplication modulo p. Next, we present some number theoretic results whose understanding benefits from the results above.

Definition (Euler phi function, φ)

Let n ∈ ℕ_0; then the Euler phi function is defined to be

The next theorem gives some properties of the Euler phi function. In fact, the two properties completely determine φ.

Theorem 2.4.5

1. The Euler phi function is multiplicative, that is, φ(mn) = φ(m)φ(n) when GCD(m, n) = 1.

2. φ(p^n) = p^{n−1}(p − 1), p prime, n ∈ ℕ.

Connected to Euler's phi function is the following theorem, also due to Euler, and its corollary. Their proofs rely heavily on Theorem 2.3.5 and Corollary 2.3.6.

Theorem 2.4.6 (Euler's Theorem)

If a, n ∈ ℤ and GCD(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n).

Corollary 2.4.7 (Fermat's Theorem)

If p is a prime not dividing a ∈ ℕ then a^p ≡ a (mod p).


Input: x, k, n where k, n ∈ ℕ, x ∈ ℤ_n

Output: y = x^k (mod n). Let k_{l−1} ··· k_1 k_0 be the binary representation of k.

1. y ← 1
2. For i ← l − 1 downto 0 Do
   {
     y ← y^2 (mod n)
     If k_i = 1 Then
       y ← y · x (mod n)
   }

Figure 2.3: Algorithm MOD-EXP

So far, our results have been largely theoretical rather than practical. However, we wish to be able to compute y ≡ x^k (mod n), with x, k, n ∈ ℕ known. This is known as modular exponentiation. The algorithm given in Figure 2.3 can be used to compute y ≡ x^k (mod n) for k > 0 and x ∈ ℤ_n.

In many situations it is useful to have solutions of the equation x^n = 1 in F_q. These solutions (roots) are usually called the nth roots of unity. Of interest is the special case n = 2. First though, a few definitions to get us started.

Definition Let p be an odd prime, and a ≠ 0 ∈ ℤ such that GCD(a, p) = 1. Then we say a is a quadratic residue modulo p, denoted by a ∈ QR(p), where

QR(p) = {x | x ∈ ℤ_p and there exists y ∈ ℤ_p such that y^2 ≡ x (mod p)},

if the quadratic congruence x^2 ≡ a (mod p) has a solution in ℤ_p. Otherwise, a is called a quadratic nonresidue modulo p.

It is easy to see that if p ≡ 3 (mod 4) and a ∈ QR(p) then also p − a ∈ QR(p).


Problem Instance: Field ℤ_p and a ∈ ℤ_p

Question: Is a ∈ QR(p)?

Figure 2.4: Decision Problem QUADRATIC-RESIDUE

Definition Let p be an odd prime. For x ∈ ℤ we define the Legendre symbol L(x/p) as follows:

Often we want to answer the question: Is a ∈ ℤ_p a quadratic residue modulo p? To answer this question and others of interest, we first define the notion of a decision problem.

Definition A decision problem, Π, is a problem whose solution is either "yes" or "no".

The above question can now be cast as a decision problem, Figure 2.4.

At first glance, it seems that to solve the decision problem QUADRATIC-RESIDUE we will have to try all x ∈ ℤ_p, which could be time consuming for large p. But luckily, a result known as Euler's criterion reduces this to just a modular exponentiation problem, which we have already seen can be performed in O(lg^3 p) time.

Theorem 2.4.8 (Euler's criterion)

Let p be prime. Then a ∈ QR(p) if and only if

a^{(p−1)/2} ≡ 1 (mod p).

Euler's criterion also gives us a way to compute the Legendre symbol, since it can easily be shown that L(a/p) ≡ a^{(p−1)/2} (mod p); see, for example, Koblitz [29]. We also need to be able to generate quadratic residues. Unfortunately, there is no known deterministic polynomial time algorithm to do this. But if the so called Riemann Hypothesis holds, then generating a quadratic residue could be done in deterministic polynomial time. We have to resort to a randomized algorithm, in which we randomly and independently choose numbers in ℤ_p* and test them using Euler's criterion. There are precisely (p − 1)/2 quadratic residues in ℤ_p*. This means that the probability of a failure is 1/2. Next, we define the generalization of the Legendre symbol.

Definition Let n be an odd positive integer, and let the prime factorization of n be p_1^{e_1} ··· p_k^{e_k}. Let x ∈ ℕ_1. The Jacobi symbol J(x/n) is defined to be

The Jacobi symbol, although it looks imposing to compute, can in fact be computed in polynomial time using the generalization of the Law of Quadratic Reciprocity [29, 61] given below [84].

Properties of the Jacobi symbol

Let n be an odd positive number, a, b ∈ ℕ_0.

3. If a ≡ b (mod n), then J(a/n) = J(b/n)

4. J(2/n) = 1 if n ≡ ±1 (mod 8), and J(2/n) = −1 if n ≡ ±3 (mod 8)

5. (Law of Quadratic Reciprocity) If m is an odd positive integer, then J(m/n) = −J(n/m) if n ≡ m ≡ 3 (mod 4), and J(m/n) = J(n/m) otherwise

Using these properties, an O(lg^3 n) time algorithm can be devised to compute the Jacobi symbol. Note that only modular reductions and factoring out powers of two (using property 1) are required in the computation of the Jacobi symbol, as can be seen from the example below. It is easy to see that O(lg n) modular reductions are performed.


Problem Instance: n ∈ ℕ_2

Question: Is n composite?

Figure 2.5: Decision Problem COMPOSITE

283 = (-1)~5(=) by properties 3, 4
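As an added example (not code from the thesis), this Python puts Figure 2.3's MOD-EXP, Euler's criterion as a Legendre-symbol routine, the randomised nonresidue search described above, and a Jacobi-symbol routine built from properties 3 to 5 side by side; all sample values are constructed.

```python
# Added example (not from the thesis): Figure 2.3's MOD-EXP, the Legendre
# symbol via Euler's criterion (Theorem 2.4.8), the randomised residue test
# described in the text, and the Jacobi symbol computed from properties 3-5.
import random


def mod_exp(x: int, k: int, n: int) -> int:
    """Figure 2.3: scan the bits k_{l-1} ... k_0 of k from the most
    significant end, squaring at each step and multiplying by x on a 1 bit."""
    if k < 0 or n < 1:
        raise ValueError("need k >= 0 and n >= 1")
    y = 1 % n
    for bit in bin(k)[2:]:
        y = y * y % n
        if bit == "1":
            y = y * x % n
    return y


def legendre(a: int, p: int) -> int:
    """Euler's criterion: a^((p-1)/2) mod p is 1 for a quadratic residue
    and p-1 for a nonresidue (0 when p divides a); p must be an odd prime."""
    t = mod_exp(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def random_quadratic_nonresidue(p: int, rng=random):
    """The randomised search described in the text: draw elements of Z_p^*
    independently and test each with Euler's criterion. Half the elements
    are residues, so each draw fails with probability 1/2.
    Returns (nonresidue, number_of_draws)."""
    draws = 0
    while True:
        draws += 1
        b = rng.randrange(1, p)
        if legendre(b, p) == -1:
            return b, draws


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol J(a/n) for odd n > 0 using only the listed properties:
    reduce a modulo n (property 3), pull out factors of two with
    J(2/n) = +1 when n = +-1 (mod 8) and -1 when n = +-3 (mod 8)
    (property 4), and swap the arguments by quadratic reciprocity
    (property 5). Only O(lg n) modular reductions are performed."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                # each factor 2 contributes J(2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                      # reciprocity: J(a/n) -> J(n/a)
        if a % 4 == 3 and n % 4 == 3:    # sign flips only when both are 3 mod 4
            result = -result
        a %= n
    return result if n == 1 else 0       # J(a/n) = 0 when GCD(a, n) > 1


if __name__ == "__main__":
    # constructed sample values, not from the thesis
    print(mod_exp(4, 13, 497))                       # 445
    print(legendre(2, 41), legendre(3, 41))          # 1 -1
    print(jacobi(1001, 9907))                        # -1
    print(random_quadratic_nonresidue(41, random.Random(7)))
```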

Our next decision problem, COMPOSITE, presented in Figure 2.5, has been studied for quite a long time. As a result, good randomized algorithms now exist for it.


Just like QUADRATIC-RESIDUE, the decision problem COMPOSITE has no known deterministic polynomial time algorithm for its solution. As already mentioned, it has been widely studied over the centuries, though usually in the form of a primality testing decision problem. Several randomized algorithms exist for it, though here we only briefly describe the one by Miller and Rabin [84], Figure 2.6.

The MILLER-RABIN algorithm is perhaps the most widely used and fast in practice. It can be shown, Miller [S I], that it has a failure probability of at most 1/4, and usually it suffices to only repeat it 32 times.

Another decision problem of interest to us is knowing whether a ∈ ℤ_p* is a primitive element of ℤ_p. It is presented in Figure 2.7.

The decision problem PRIMITIVE also has no known deterministic polynomial time algorithm. However, the following result [28], which we record as a theorem, proves to be useful.

Theorem 2.4.9 Let p be prime and p − 1 = p_1^{e_1} ··· p_k^{e_k}. Then we have that a ∈ ℤ_p* is a primitive element of ℤ_p if and only if

It is fairly easy to show that there are φ(p − 1) primitive elements in ℤ_p*. This follows from the fact that every a ∈ ℤ_p* can be written as a = g^i, where g ∈ ℤ_p* is a generator of ℤ_p* and 0 ≤ i ≤ p − 2. Then, by Theorem 2.4.2, ord(a) = (p − 1)/GCD(p − 1, i), which implies that a is a primitive element if and only if GCD(p − 1, i) = 1. Thus, it follows that there are φ(p − 1) primitive elements in ℤ_p*. In order to use Theorem 2.4.9, we have to know the factorization of p − 1. As will be shown in the next section, this is no easy task for p large. Fortunately for us, in designing cryptosystems, we can choose these large primes. Therefore, we would choose p so that the factorization of p − 1 is known.

Example We would choose a prime p = 2p_1 + 1, where p_1 is prime. Then for a ∈ ℤ_p*, a ≢ ±1 (mod p), it can easily be verified that a is a primitive element if and only if a^{p_1} ≢ 1 (mod p).

Thus, if we know the factorization of p − 1, a Las Vegas algorithm can be employed to generate a primitive element with a probability of failure of 1 − φ(p − 1)/(p − 1). In our example above, this probability is approximately 1/2 when p is large. Moreover, each a ∈ ℤ_p* can be tested for primitivity in polynomial time since there are O(lg p) prime factors of p − 1.


Input: n ∈ ℕ_2

Output: 1 if n is composite and 0 if prime.

1. result ← 1
2. Decompose n − 1 as 2^k · m, with m odd
3. Choose a random a ∈ ℤ_n*
4. b ← a^m (mod n)
5. If (b ≡ 1 (mod n)) Then
     result ← 0
   Else
   {
     i ← 0
     While i ≤ k − 1 Do
       If (b ≡ −1 (mod n)) Then
       {
         result ← 0
         i ← k
       }
       Else
       {
         b ← b^2 (mod n)
         i ← i + 1
       }
   }
6. Return (result)

Figure 2.6: Algorithm MILLER-RABIN
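As an added example (not code from the thesis) serving both the MILLER-RABIN discussion and the primitive-element Example above, this Python implements one round of Figure 2.6, repeats it as the text suggests, generates a prime p = 2p_1 + 1 so that p − 1 has a known factorization, and applies the test of Theorem 2.4.9 in its general form (the Example's a^{p_1} ≢ 1 test is the safe-prime instance); sample values and the seeded random generator are constructed here.

```python
# Added example (not from the thesis): one round of Figure 2.6's
# MILLER-RABIN, its repetition to bound the failure probability, a
# generator for primes p = 2 p1 + 1 with known factorisation of p - 1, and
# the primitivity test of Theorem 2.4.9 as used in the Example above.
import random


def miller_rabin_round(n: int, a: int) -> int:
    """Figure 2.6 with the random a supplied by the caller: returns 1 when
    a proves n composite and 0 when n survives this round."""
    result = 1
    k, m = 0, n - 1
    while m % 2 == 0:              # step 2: n - 1 = 2^k * m, m odd
        k += 1
        m //= 2
    b = pow(a, m, n)               # step 4
    if b == 1:                     # step 5
        result = 0
    else:
        i = 0
        while i <= k - 1:
            if b == n - 1:         # b = -1 (mod n)
                result = 0
                i = k
            else:
                b = b * b % n
                i += 1
    return result                  # step 6


def is_probable_prime(n: int, rounds: int = 32, rng=random) -> bool:
    """Repeat the round with independent a. A composite survives one round
    with probability at most 1/4, so 32 rounds leave an error of at most
    4^-32; a prime is never rejected."""
    if n < 2:
        return False
    if n < 4:
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_round(n, a) == 1:
            return False
    return True


def safe_prime(bits: int, rng=random):
    """Search for p = 2 p1 + 1 with p1 prime (p1 of the given bit length),
    so that p - 1 = 2 * p1 is known to factor and Theorem 2.4.9 is cheap."""
    while True:
        p1 = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * p1 + 1
        if is_probable_prime(p1, rng=rng) and is_probable_prime(p, rng=rng):
            return p, p1


def is_primitive(a: int, p: int, prime_factors) -> bool:
    """Theorem 2.4.9: a generates Z_p^* iff a^((p-1)/q) != 1 (mod p) for
    every prime q dividing p - 1. For p = 2 p1 + 1 this is exactly the
    Example's test a != +-1 and a^p1 != 1 (mod p)."""
    a %= p
    if a == 0:
        return False
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors)


def random_primitive_element(p: int, prime_factors, rng=random):
    """Las Vegas search: each draw succeeds with probability
    phi(p-1)/(p-1), about 1/2 for a safe prime. Returns (a, draws)."""
    draws = 0
    while True:
        draws += 1
        a = rng.randrange(2, p - 1)
        if is_primitive(a, p, prime_factors):
            return a, draws


if __name__ == "__main__":
    # constructed sample run, not from the thesis
    rng = random.Random(1998)
    p, p1 = safe_prime(20, rng)
    alpha, draws = random_primitive_element(p, [2, p1], rng)
    print(p, p1, alpha, draws)
```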


Problem Instance: Field ℤ_p and a ∈ ℤ_p*

Question: Is a a primitive element of ℤ_p?

Figure 2.7: Decision Problem PRIMITIVE

Problem Instance: n ∈ ℕ_2 and odd.

Task: Find all the prime factors of n.

Figure 2.8: Problem: FACTORING

2.5 Core Number-Theoretic Algorithms

In this section we discuss three number-theoretic algorithms that are central to most of the cryptosystems discussed in this survey. We do not give details about these algorithms since a lot has been written about them, and refer the reader to the references cited. The complexity of each algorithm is expressed with the following function:

where x is the input size, c is a constant and 0 < α < 1. Any algorithm having this time complexity is said to be subexponential. Note that if α = 0 then the time complexity is polynomial in lg x, and if α = 1 the time complexity is polynomial in x, thus fully exponential in lg x. The notation o(1) stands for a function f(n) such that f(n) → 0 as n → ∞. The first problem we discuss, given in Figure 2.8, is as old as the branch of number theory itself.

The problem, FACTORING, has been studied intensively for a long time, but so far it has managed to remain elusive, even in the face of modern technology. However, several important and most practical algorithms, given in Table 2.2, have been designed for the problem.

The quadratic sieve algorithm, developed by Pomerance [Ml], is suitable for factoring general integers consisting of two large primes of about the same size. It has a heuristic running time of


Algorithm | Time Complexity

Table 2.2: Factoring Algorithms

Problem Instance: Finite group ℤ_p* where p is prime, α ∈ ℤ_p* a primitive element, and β ∈ ℤ_p*.

Task: Find the unique integer a ∈ ℤ_{p−1} such that α^a ≡ β (mod p).

The integer a is called the discrete log of β, and is denoted by lg_α β.

Figure 2.9: The Discrete Logarithm Problem (DLP)

L[n, 1, 1/2]. The elliptic curve method of factorization, invented by Lenstra Jr. [21], is an analogue of Pollard's (p − 1)-method [43, 84], which is effective when n has a prime factor p such that p − 1 is y-smooth for small y. It has a heuristic time complexity of L[p, √2, 1/2], where p is the smallest prime factor of n. It is effective when there is an integer "close to" p that is y-smooth for small y. Hence, it is more useful when the prime factors of n are of differing size. In fact, the largest factor ever found with the elliptic curve method has 47 digits [82]. The number field sieve [44] is the most recent of the three algorithms and has a better asymptotic time complexity of L[n, 1.92, 1/3]. It is particularly suited for factoring integers having around 150 digits or more and is fastest for numbers of the form r^e ± s (Cunningham numbers), with r and s small. All these algorithms can be parallelized, making them well suited for distributed computing. In fact, RSA-130, a composite integer with 130 digits, was factored in 1996 by a distributed implementation of the number field sieve [42]. This is the current record for factoring algorithms.

The second problem, DISCRETE-LOG, given in Figure 2.9, has also been intensely studied, and it is now believed to be equally as difficult to compute discrete logarithms modulo p as it is to factor an integer n of the same size [50]. This is only from comparing the running times of the best algorithms for both problems.


Algorithm | Time Complexity
Shank's Time-Memory Trade-Off | O(√p)
Pohlig-Hellman |
Index Calculus Method |

Table 2.3: Algorithms for solving DISCRETE-LOG

Several algorithms now exist for the DLP. We list some of them in Table 2.3. Shank's time-memory trade-off algorithm [78] computes a database of O(√p) logarithms, requiring a storage space of that amount. It quickly becomes impractical for large p. The Pohlig-Hellman algorithm [64] also has a time complexity in the order of √p, but it is more effective when p − 1 = p_1^{e_1} ··· p_k^{e_k} is y-smooth for small y. The index calculus method [43, 84, 29] bears a lot of resemblance to many of the best factoring algorithms and even has the same heuristic time complexity of L[p, 2, 1/2]. Recently, some variants of the index calculus method have been developed to solve the DLP. These include the linear sieve [16, 43] and Coppersmith's variant for the DLP over fields of characteristic 2 [Hl]. In fact, Coppersmith's algorithm is asymptotically the best in fields of characteristic 2. It has a heuristic time complexity of L[2^n, c, 1/3], where 1.3507 ≤ c ≤ 1.4047. To date, the number field sieve is the fastest (asymptotically) algorithm known. It has a time complexity similar to its factoring counterpart. Another important algorithm is the Gaussian integer scheme [Ml], which is similar to the number field sieve but works only with quadratic number fields. A variant of the quadratic sieve algorithm was recently used by Lercier and Joux [46] to compute discrete logarithms modulo a 90 digit prime. They used a distributed implementation of the algorithm.

The third problem we discuss, SQUARE-ROOT(p), is related to the decision problem QUADRATIC-RESIDUE. We have already seen that the decision problem can be solved in polynomial time for p prime. However, this only tells us whether a ∈ ℤ_p* is a quadratic residue or not, and not how to find a solution to the congruence x^2 ≡ a (mod p). There are several algorithms to solve this congruence for p prime, but we shall be content with describing the algorithm from Koblitz [29], presented in Figure 2.10.


Input: p prime and a, b ∈ ℤ_p* such that a ∈ QR(p) and b ∉ QR(p).

Output: x ∈ ℤ_p* such that x^2 ≡ a (mod p).

1. Compute α and s such that p − 1 = 2^α s, where s is odd.
2. b ← b^s (mod p)
3. r ← a^{(s+1)/2} (mod p)
   Compute j = j_0 + 2 j_1 + 2^2 j_2 + ··· + 2^{α−2} j_{α−2} such that
   x = b^j r is the desired square root of a (mod p), and each j_i = 0 or 1.
4. bit ← (a^{−1} r^2)^{2^{α−2}} (mod p)
5. If (bit = 1) Then
     j_0 ← 0
   Else
     j_0 ← 1
6. For i ← 1 to α − 2 Do
   {
     bit ← (a^{−1} r^2 b^{2(j_0 + 2 j_1 + ··· + 2^{i−1} j_{i−1})})^{2^{α−2−i}} (mod p)
     If (bit = 1) Then
       j_i ← 0
     Else
       j_i ← 1
   }
7. Return (x = b^j · r (mod p))

Figure 2.10: Algorithm SQUARE-ROOT(p)


1. Compute the square root, r_i, of a modulo p_i, 1 ≤ i ≤ k.

2. "Lift" r_i to a square root, r̃_i, of a modulo p_i^{e_i}.

3. Use Theorem 2.3.9 and the r̃_i's to compute a square root of a modulo n.

Figure 2.11: Computing Square Roots Modulo n

The algorithm SQUARE-ROOT(p) can be shown to have O(lg^4 n) time complexity [29]. The only downside to the algorithm is that it requires a quadratic nonresidue, and we have already seen that there is no known deterministic polynomial time algorithm for generating one, unless the Riemann Hypothesis holds. For more details on the algorithm, including its correctness, the reader is referred to Koblitz [29]. However, at the same time, Bach [6] has shown that the probability of a failure is O(%) when the random numbers are chosen using a linear congruential function. He also showed that the expected number of trials is about O(&). In experiments we performed, we were able to find quadratic nonresidues in about 2 trials on average. We note that if p ≡ 3 (mod 4), then the square roots of a (mod p) are easily given by x = ±a^{(p+1)/4} (mod p). The general case of computing square roots (mod n) is more complicated. In fact, it can be shown, Motwani et al. [61], that computing square roots modulo any n is as hard as factoring n. But, if the prime factors of n are known, say n = p_1^{e_1} ··· p_k^{e_k}, then a square root of a (mod n) could be computed by the procedure in Figure 2.11.

Step 2 can be done in randomized polynomial time; the reader is referred to Koblitz [29] and Motwani et al. [61] for more details.
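As an added example (not code from the thesis), the following Python carries out Figure 2.10 with the document's α, s, b, r and j, includes the p ≡ 3 (mod 4) shortcut and the randomised nonresidue search noted above, and combines roots modulo distinct odd primes with the Chinese Remainder Theorem as in Figure 2.11 (all e_i = 1, so the lifting step is not needed); sample primes and residues are constructed.

```python
# Added example (not from the thesis): Figure 2.10's SQUARE-ROOT(p) from
# Koblitz [29], the p = 3 (mod 4) shortcut x = +-a^((p+1)/4), the randomised
# search for the quadratic nonresidue it needs, and the CRT combination of
# Figure 2.11 for a modulus n that is a product of distinct odd primes.
import random
from itertools import product


def euler_criterion(a: int, p: int) -> int:
    """a^((p-1)/2) mod p reported as 1 (residue), -1 (nonresidue) or 0."""
    t = pow(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def random_nonresidue(p: int, rng=random):
    """Draw until b is a nonresidue; each draw fails with probability 1/2."""
    draws = 0
    while True:
        draws += 1
        b = rng.randrange(2, p)
        if euler_criterion(b, p) == -1:
            return b, draws


def sqrt_mod_p(a: int, p: int, b: int) -> int:
    """Return x with x^2 = a (mod p) for an odd prime p, a in QR(p) and a
    quadratic nonresidue b, following the steps of Figure 2.10."""
    a %= p
    if a == 0:
        return 0
    if euler_criterion(a, p) != 1:
        raise ValueError("a is not a quadratic residue modulo p")
    if p % 4 == 3:                       # the remark in the text above
        return pow(a, (p + 1) // 4, p)
    if euler_criterion(b, p) != -1:
        raise ValueError("b must be a quadratic nonresidue modulo p")
    alpha, s = 0, p - 1                  # step 1: p - 1 = 2^alpha * s, s odd
    while s % 2 == 0:
        alpha += 1
        s //= 2
    b = pow(b, s, p)                     # step 2: b now has order 2^alpha
    r = pow(a, (s + 1) // 2, p)          # step 3
    a_inv = pow(a, p - 2, p)             # Fermat: a^(p-2) = a^-1 (mod p)
    j = 0                                # j = j_0 + 2 j_1 + ... + 2^(alpha-2) j_(alpha-2)
    for i in range(alpha - 1):           # steps 4-6: decide bit i of j
        base = a_inv * r % p * r % p * pow(b, 2 * j, p) % p
        bit = pow(base, 1 << (alpha - 2 - i), p)
        if bit != 1:                     # bit is p - 1 here, so j_i = 1
            j += 1 << i
    return pow(b, j, p) * r % p          # step 7


def sqrt_mod_n(a: int, primes, rng=random):
    """Figure 2.11 for n = p_1 * ... * p_k with distinct odd primes: take
    both roots modulo each p_i and combine every choice of signs with the
    Chinese Remainder Theorem. Returns all 2^k roots of a modulo n, sorted."""
    n = 1
    for p in primes:
        n *= p
    pairs = []
    for p in primes:
        b, _ = random_nonresidue(p, rng)
        r = sqrt_mod_p(a, p, b)
        pairs.append((r, (p - r) % p))
    roots = set()
    for choice in product(*pairs):
        x = 0
        for r_i, p_i in zip(choice, primes):
            N_i = n // p_i
            x += r_i * N_i * pow(N_i, -1, p_i)   # Theorem 2.3.9
        roots.add(x % n)
    return sorted(roots)


if __name__ == "__main__":
    # constructed sample values, not from the thesis
    print(sqrt_mod_p(2, 41, 3))                        # 17, since 17^2 = 289 = 2 (mod 41)
    print(sqrt_mod_n(4, [41, 17], random.Random(2)))   # four roots of 4 modulo 697
```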

2.6 Public-Key Cryptography

In this section we give a brief review of public-key cryptography. A more thorough exposition can be found in Stinson [84], Schneier [73], Rivest [68], and Salomaa [72]. Cryptography, informally, is the art and science of communicating in the presence of adversaries. Two people, usually referred to as Bob and Alice, wish to communicate over an insecure channel in such a way that the adversary, Oscar, cannot understand what is being said. The information that Bob wants to send to Alice is called "plaintext". Bob would then encrypt the plaintext, using a predetermined key, and send the resulting "ciphertext" to Alice. Since the ciphertext is sent over an insecure communication channel, Oscar can easily acquire a copy by eavesdropping, but cannot determine what the plaintext was; only Alice, who knows the encryption key, can decrypt the ciphertext and reconstruct the plaintext. We begin, first, with some definitions and notation.

Definition A function f(n) is said to be one-way if, given f(i) = z, it is computationally infeasible to find any j (including i) such that f(j) = z. That is, it is difficult to compute f^{−1}(z).

A publicly available one-way function has a number of useful applications, including storing of passwords on a time-shared system and in cryptography, as we shall soon demonstrate.

Definition A trapdoor one-way function (TOF), f(n), is like a one-way function except that there also exists secret information (the trapdoor) that makes it easy to invert f at any point.

Factoring and exponentiation modulo p are examples of TOF's. As a result they form the basis of many cryptosystems.

Definition A cryptosystem is a five-tuple (P, C, K, E, D) where

1. P is a finite set of possible plaintexts

2. C is a finite set of possible ciphertexts

3. K is a finite set of possible keys, also called the keyspace

4. E is a set of encryption rules: for each K ∈ K there is an encryption rule, e_K ∈ E, and a decryption rule, d_K ∈ D. Each e_K: P → C and d_K: C → P are 1-1 functions such that d_K(e_K(x)) = x for all x ∈ P

A public-key cryptosystem is a cryptosystem where the encryption rule, e_K, is made public, and the decryption rule, d_K, is kept private. To use the system, Bob publishes his encryption key in the "directory of public keys" (as in a telephone directory) but keeps his decryption key private. Now, if Alice wants to send a message, m, to Bob, she first looks up Bob's encryption key from the "directory of public keys", computes the ciphertext, c = e_K(m), and sends it to Bob. Only Bob can decrypt the message since he is the only one who knows the decryption key, d_K. For the cryptosystem to be secure, no one should be able to derive Bob's decryption key in any feasible amount of time. Hence, the encryption function should necessarily be a TOF, with the trapdoor information built into the decryption key. Anderson and Needham [4] discuss robustness principles for public-key cryptosystems.

Next we present three public-key cryptosystems which form the basis of the elliptic curve cryptosystems to be discussed in the following chapters.

In 1977, Rivest, Shamir, and Adleman proposed a public-key cryptosystem (RSA) based on the factoring problem [69]. This came after the seminal paper of Diffie and Hellman in 1976 [19], who were the first to come up with the notion of a public-key cryptosystem. The RSA cryptosystem is presented in Figure 2.12.

To show the correctness of the cryptosystem, we need to show that encryption and decryption are inverse operations. Since ed ≡ 1 (mod φ(n)), we have ed = kφ(n) + 1 for some k ≥ 1. Now suppose x ∈ ℤ_p − {0}; then, since x^{p−1} ≡ 1 (mod p) by Fermat's Theorem,

x^{ed} = x^{kφ(n)+1} = x · (x^{p−1})^{k(q−1)} ≡ x (mod p).

If x = 0, then clearly x^{ed} ≡ x (mod p). Similarly, x^{ed} ≡ x (mod q). Thus by Theorem 2.3.9, x^{ed} ≡ x (mod n).

Encryption and decryption are just instances of modular exponentiation, and can be done in O(lg^3 n) time. The set-up step can be done in probabilistic polynomial time, by using a Monte Carlo prime


Set-up

1. Generate two "large" primes p, q such that p ≠ q.

2. Compute n = pq and φ(n) = (p − 1)(q − 1).

3. Find e such that GCD(e, φ(n)) = 1.

P = C = ℤ_n, K = {(n, p, q, e, d): n = pq, p, q prime, ed ≡ 1 (mod φ(n))}

Public Key: (e, n)

Private Key: (d, p, q) where d = e^{−1} (mod φ(n))

Encryption

Given key K = (n, p, q, e, d) and message m ∈ P, define

e_K(m) = m^e (mod n)

Decryption

Given ciphertext c ∈ C, define

d_K(c) = c^d (mod n)

Figure 2.12: The RSA Public-Key Cryptosystem


testing algorithm and the application of the Prime Number Theorem, which states that the number of primes not exceeding N is approximately N/ln N. Thus, we need only randomly sample lg N odd numbers to find one that is a probable prime. Silverman [82] discusses the generation of random, strong RSA primes. The method discussed only uses probabilistic primality testing algorithms. Hence, it is feasible to generate "primes" for RSA and other public-key cryptosystems.

The obvious attack on the RSA cryptosystem is to factor the modulus n. By carefully selecting the two primes p and q used in RSA, factoring algorithms can be rendered ineffective. In particular, p and q should be roughly of the same size (about 100 decimal digits) and neither p - 1 nor q - 1 should be y-smooth for small y (each should have at least one large prime factor). This guards against the Pollard rho-method and the elliptic curve method of factoring. Since n has almost 200 decimal digits, this also guards against the quadratic sieve algorithm. It is still not known whether breaking RSA is equivalent to factoring the modulus n. Another avenue for attacking RSA would be to compute φ(n) efficiently. But computing φ(n) is polynomial-time equivalent to factoring n, since if we knew φ(n) we could solve for p and q from the equations

φ(n) = (p - 1)(q - 1) and n = pq.

In fact, p and q are the roots of x² - (n - φ(n) + 1)x + n = 0. Hence we cannot hope to make any headway by trying to compute φ(n). Yet another avenue is through computing the decryption exponent d. However, it has been shown that any algorithm which computes the decryption exponent d can be used as a subroutine (oracle) in a probabilistic algorithm to factor the modulus n [84, 72]. Huber [24], by considering the cycle length of a recursion modulo n (for suitable c), gives two conditions which a "safe" RSA modulus n must fulfil, by way of Fibonacci numbers (F_0 = 0, F_1 = 1, and F_{j+1} = F_j + F_{j-1}, j = 1, 2, ...). Lastly, we mention another possible attack if RSA with a small encryption exponent e is used to send the same message to several recipients. Hastad [23] proved that if the encryption exponent is e = 3 and the same message m is sent to k ≥ 7 recipients, then it is possible to recover m. Currently, as already mentioned, the best attempt at factoring comes from using networked computers, where the computation load is distributed over a number of computers. Odlyzko's [63] article on the future of integer factorization is worth reading.
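The two equivalences stated above (knowing φ(n), or knowing d, is as good as knowing p and q) can be checked on small numbers. The following Python is an added example and not part of the thesis: factor_from_phi solves the quadratic x² - (n - φ(n) + 1)x + n = 0, and factor_from_d is the probabilistic factoring routine that treats a known decryption exponent as an oracle, in the sense of [84, 72]. The primes 1009 and 1013 and the exponent e = 17 are constructed toy values, far too small for real use. The lesson for a key holder is that φ(n) and d must be protected exactly like p and q: a leaked d compromises the whole modulus, not just one exponent.

```python
# Added example (not from the thesis): why phi(n) and d are as sensitive as the factors p, q.
# All numbers below are constructed toy values.
from math import gcd, isqrt


def factor_from_phi(n, phi):
    """p and q are the roots of x^2 - (n - phi(n) + 1) x + n = 0, since p + q = n - phi(n) + 1."""
    s = n - phi + 1                        # p + q
    disc = s * s - 4 * n                   # (p - q)^2
    if disc < 0:
        raise ValueError("phi is not consistent with n = pq")
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi is not consistent with n = pq")
    return (s + r) // 2, (s - r) // 2      # (larger prime, smaller prime)


def factor_from_d(n, e, d):
    """Probabilistic factoring from a known decryption exponent (the idea behind [84, 72]).

    e*d - 1 is a multiple of phi(n), so g^(e*d - 1) = 1 (mod n) for every g coprime to n.
    Writing e*d - 1 = 2^s * t and squaring g^t repeatedly exposes, for at least half of all g,
    a square root of 1 other than +-1; its gcd with n is a non-trivial factor.
    The sweep over g is deterministic here so the run is reproducible; the textbook version
    picks g at random."""
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for g in range(2, n):
        f = gcd(g, n)
        if f != 1:                         # a lucky hit already factors n
            return max(f, n // f), min(f, n // f)
        x = pow(g, t, n)
        for _ in range(s):
            y = x * x % n
            if y == 1 and x not in (1, n - 1):
                f = gcd(x - 1, n)          # x^2 = 1 with x != +-1, so (x-1)(x+1) = 0 (mod n)
                return max(f, n // f), min(f, n // f)
            x = y
    raise ValueError("no factor found")    # cannot happen when e*d = 1 (mod phi(n))


if __name__ == "__main__":
    p, q, e = 1013, 1009, 17                       # constructed toy key
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    print(factor_from_phi(n, phi))                 # (1013, 1009)
    print(factor_from_d(n, e, d))                  # (1013, 1009)
```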

Set-up

1. Generate a "large" prime p such that the DLP in Z_p^* is intractable

2. Choose a primitive element α ∈ Z_p^*

P = Z_p^*, C = Z_p^* × Z_p^*, K = {(p, α, a, β) : β ≡ α^a (mod p), a ∈ Z_p^* randomly chosen}

Public Key: (p, α, β)

Private Key: (a)

Encryption

Given key K = (p, α, a, β) and message m ∈ P, define

e_K(m, k) = (y1, y2) = (α^k, mβ^k) (mod p), where k ∈ Z_{p-1} is a secret random number

Decryption

Given ciphertext c = (y1, y2) ∈ C, define

d_K(y1, y2) = y2 (y1^a)^{-1} (mod p)

Figure 2.13: The ElGamal Public-Key Cryptosystem

In 1985, ElGamal proposed a public-key cryptosystem based on the discrete logarithm problem [20]. This cryptosystem is presented in Figure 2.13.

The correctness of the ElGamal cryptosystem easily follows from the following: y2 (y1^a)^{-1} = mβ^k (α^{ka})^{-1} = m α^{ak} α^{-ak} = m (mod p).

We should note here that ElGamal encryption is not deterministic, as it uses a randomly selected integer k in the encryption process, so it is possible for one message unit to encrypt to different ciphertext units. Clearly, encryption and decryption can be performed in O(lg³ p), since they only involve multiplication, modular exponentiation, and computing inverses modulo p. The set-up step requires generating a prime p such that the DLP in Z_p^* is intractable. We already know, from setting up RSA, that generating "probable" primes of a specified size is feasible; hence all that we need do is to verify that the DLP is indeed intractable in the underlying field. This will be covered when we discuss attacks on the ElGamal cryptosystem.

2.6.4 Attacks on ElGamal

Attacks on the ElGamal cryptosystem mainly come from attempts to solve the DLP in finite groups. In our case, the group is the multiplicative group Z_p^*. Shanks' algorithm and the Pollard rho-method are exponential and therefore not practical for large p. The Pohlig-Hellman algorithm requires p - 1 to be y-smooth for small y and also the prime factorization of p - 1; otherwise, it too becomes exponential. The index-calculus method, though subexponential, becomes impractical for large p. Therefore, to thwart these attacks, p should be large and p - 1 should not be y-smooth for small y. In 1984, Coppersmith [15] designed an efficient variant of the index calculus method for the fields F_{2^m}. But it too becomes impractical for m ≥ 512. A more general algorithm for the DLP over all finite fields was designed by Adleman and DeMarrais [1]. It is subexponential, but for F_{2^m}, Coppersmith's algorithm is more "efficient".

2.6.5 The Diffie-Hellman Key Exchange Protocol

The Diffie-Hellman key exchange protocol [19], as its name suggests, is used by two users of a private-key cryptosystem (encryption and decryption rules are only known to the two users) to exchange the private encryption key they are going to use. It is presented in Figure 2.14.

At the end of the protocol, both Bob and Alice have computed the same key. The protocol is based on the Diffie-Hellman problem, Figure 2.15.

Set-up

1. Choose a "large" prime p such that the DLP in Z_p^* is intractable

2. Choose a primitive element α ∈ Z_p^*

Public Key: (p, α)

Key Exchange:

1. Bob chooses b ∈ Z_{p-1} at random

2. Bob computes α^b (mod p) and sends it to Alice

3. Alice chooses a ∈ Z_{p-1} at random

4. Alice computes α^a (mod p) and sends it to Bob

5. Bob computes K = (α^a)^b (mod p) and Alice computes K = (α^b)^a (mod p)

Figure 2.14: Diffie-Hellman Key Exchange Protocol

Problem Instance: Finite group Z_p^*, where p is prime, α ∈ Z_p^* a primitive element, α^a, and α^b

Figure 2.15: The Diffie-Hellman problem

The Diffie-Hellman key exchange protocol only requires generating a large prime such that the DLP in the underlying field is intractable; as a result, the same precautions as for the ElGamal cryptosystem apply. The following theorem relates the security of the ElGamal cryptosystem to that of the Diffie-Hellman problem.

Theorem 2.6.1 Breaking the ElGamal cryptosystem is equivalent to solving the Diffie-Hellman problem.

Proof First, let us recall the ElGamal encryption and decryption. The key is given by

K = (p, α, a, β),

where β ≡ α^a (mod p), a ∈ Z_p^* (a is secret and (p, α, β) form the public key), and the encryption is

e_K(m, k) = (y1, y2) = (y1 ≡ α^k (mod p), y2 ≡ mβ^k (mod p)),

and the decryption is

d_K(y1, y2) = y2 (y1^a)^{-1} (mod p).

Now, suppose we have an algorithm A_DH to solve the Diffie-Hellman problem and we are given an ElGamal encryption (y1, y2). We will compute

β^k = α^{ak} = A_DH(p, α, β, y1).

Then the decryption of (y1, y2) can easily be computed as

x = y2 (β^k)^{-1} (mod p).

Suppose we now have an algorithm A_E that performs ElGamal decryption. That is, given p, α, β, y1, y2, it computes

x = y2 (y1^a)^{-1} (mod p).

Now, given inputs p, α, β, and γ we compute

A_E(p, α, β, γ, 1) = (γ^a)^{-1} (mod p).

Computing the inverse, A_E(p, α, β, γ, 1)^{-1}, we get γ^a, which is what we want. Note that γ^a = α^{ab} when γ = α^b. ∎
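The following Python is an added example, not from the thesis, covering ElGamal encryption and decryption (Figure 2.13), the Diffie-Hellman exchange (Figure 2.14) and both directions of the proof of Theorem 2.6.1. The prime 467 and primitive element 2 are constructed toy parameters. The Diffie-Hellman solver A_DH is simulated by a brute-force discrete logarithm, which is only possible because p is tiny, and the ElGamal decryption oracle A_E is simulated by a box that holds the private key; the arithmetic wrapped around these two stand-ins is exactly that of the proof.

```python
# Added example (not from the thesis): ElGamal over Z_p^*, Diffie-Hellman, and the two
# reductions of Theorem 2.6.1, on a constructed toy prime.
from random import randrange

P_TOY, ALPHA_TOY = 467, 2   # constructed: 467 is prime and 2 is a primitive element mod 467


def is_primitive(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/r) != 1 for every prime r dividing p - 1."""
    m, r, primes = p - 1, 2, set()
    while r * r <= m:
        while m % r == 0:
            primes.add(r)
            m //= r
        r += 1
    if m > 1:
        primes.add(m)
    return all(pow(alpha, (p - 1) // r, p) != 1 for r in primes)


def elgamal_keygen(p, alpha):
    a = randrange(1, p - 1)                  # private exponent a
    return a, pow(alpha, a, p)               # public value beta = alpha^a


def elgamal_encrypt(p, alpha, beta, m, k=None):
    """e_K(m, k) = (alpha^k, m * beta^k) (mod p); a fresh k makes encryption non-deterministic."""
    if k is None:
        k = randrange(1, p - 1)
    return pow(alpha, k, p), m * pow(beta, k, p) % p


def elgamal_decrypt(p, a, y1, y2):
    """d_K(y1, y2) = y2 * (y1^a)^(-1) (mod p)."""
    return y2 * pow(pow(y1, a, p), -1, p) % p


def diffie_hellman(p, alpha, a, b):
    """Figure 2.14: Alice holds a, Bob holds b; only alpha^a and alpha^b cross the wire."""
    alice_sends, bob_sends = pow(alpha, a, p), pow(alpha, b, p)
    return pow(bob_sends, a, p), pow(alice_sends, b, p)    # (Alice's K, Bob's K)


# Direction 1 of Theorem 2.6.1: a Diffie-Hellman solver A_DH decrypts ElGamal.
def a_dh_bruteforce(p, alpha, beta, gamma):
    """Toy A_DH: find a = log_alpha(beta) by exhaustive search (feasible only for tiny p),
    then return gamma^a = alpha^(ab)."""
    a = next(x for x in range(p - 1) if pow(alpha, x, p) == beta)
    return pow(gamma, a, p)


def decrypt_with_dh_solver(a_dh, p, alpha, beta, y1, y2):
    """beta^k = alpha^(ak) = A_DH(p, alpha, beta, y1); then x = y2 * (beta^k)^(-1) (mod p)."""
    beta_k = a_dh(p, alpha, beta, y1)
    return y2 * pow(beta_k, -1, p) % p


# Direction 2: an ElGamal decryption oracle A_E solves Diffie-Hellman.
def make_decryption_oracle(a):
    """Stand-in for A_E: a box that decrypts (y1, y2) under the private key a it holds."""
    return lambda p, alpha, beta, y1, y2: elgamal_decrypt(p, a, y1, y2)


def solve_dh_with_decryptor(a_e, p, alpha, beta, gamma):
    """A_E(p, alpha, beta, gamma, 1) = (gamma^a)^(-1); invert it to get gamma^a = alpha^(ab)."""
    return pow(a_e(p, alpha, beta, gamma, 1), -1, p)


if __name__ == "__main__":
    a, beta = 10, pow(ALPHA_TOY, 10, P_TOY)                       # constructed key
    c1 = elgamal_encrypt(P_TOY, ALPHA_TOY, beta, 123, 5)
    c2 = elgamal_encrypt(P_TOY, ALPHA_TOY, beta, 123, 6)          # same m, different ciphertext
    print(c1 != c2, elgamal_decrypt(P_TOY, a, *c1), elgamal_decrypt(P_TOY, a, *c2))
    print(decrypt_with_dh_solver(a_dh_bruteforce, P_TOY, ALPHA_TOY, beta, *c1))
    gamma = pow(ALPHA_TOY, 20, P_TOY)                              # Bob's alpha^b with b = 20
    print(solve_dh_with_decryptor(make_decryption_oracle(a), P_TOY, ALPHA_TOY, beta, gamma)
          == pow(ALPHA_TOY, 200, P_TOY))
```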

2.6.6 Attacks on the Diffie-Hellman Key Exchange

It is easy to see that if we could compute discrete logarithms efficiently, then we could break the Diffie-Hellman key exchange protocol by solving two instances of the DLP. Therefore, attacks on ElGamal can also be used against the Diffie-Hellman key exchange protocol. However, it is unknown whether breaking the Diffie-Hellman key exchange protocol is equivalent to computing discrete logarithms in the underlying field. In this direction, Maurer [49] has shown that under certain conditions this is possible.

Chapter 3

Elliptic Curves

Elliptic curves have been a subject of much mathematical study for the last century and there is a vast amount of literature accumulated on them. Silverman [80] and Tate and Silverman [81] are excellent sources for the theory of elliptic curves. Recently, they have found application in the areas of primality proving [5, 14, 29], integer factorization, cryptography [30, 56], pseudorandom bit generation [27], and also played a role in proving Fermat's Last Theorem [89, 90]. In this chapter, we give a brief introduction to elliptic curves and some of their properties necessary for understanding the rest of this thesis.

3.1 Introduction to Elliptic Curves

Definition (Non-Homogeneous Coordinates)

An elliptic curve, E, over a field F is the set defined by equation (3.1), where a1, ..., a6 ∈ F, together with the point at infinity, O.

If the field F = Z_p, for p ≠ 2 or 3 prime, the curve defined in (3.1) can be reduced to y² = x³ + ax + b, a, b ∈ Z_p, by a linear change of variables. There exist corresponding equations for the cases p = 2 or 3. In particular, the case p = 2^m is of special interest, since elliptic curve operations over F_{2^m} can be efficiently implemented [55]. For the rest of the thesis we only consider

the case p > 3, prime. The point at infinity, O, is best explained through homogeneous coordinates. In homogeneous coordinates the equation of the curve becomes homogeneous in X, Y and Z. Points on this curve are defined as equivalence classes of triples (X, Y, Z) satisfying the equation, where the equivalence relation ~ is defined as (X, Y, Z) ~ (U, V, W) if and only if there exists λ ∈ F such that X = λU, Y = λV and Z = λW. Then the point at infinity is represented by (0, 1, 0), because this represents the only solution of the homogeneous equation for Z = 0. To go back to non-homogeneous coordinates, we use the transformation x = X/Z and y = Y/Z. We also define two properties of E pertaining to our case. The discriminant Δ of E is Δ = -16(4a³ + 27b²) and the j-invariant is j = 1728 · 4a³/(4a³ + 27b²). The number of points on E, including O, is denoted by #E. Two elliptic curves over the algebraic closure of F_p are said to be isomorphic if and only if they have the same j-invariant.

Definition An elliptic curve, E, is said to be singular if Δ = 0; otherwise it is said to be non-singular.

Definition An elliptic curve E_q over the field F_q of q elements is said to be anomalous if #E_q = q.

We are interested only in non-singular curves, so we will assume that 4a³ + 27b² ≠ 0 (which corresponds to the condition 4a³ + 27b² ≢ 0 (mod p)). We will also use the notation E, E_p or E_p(a, b) to represent an elliptic curve over Z_p (p > 3). There is a rule for adding two points on an elliptic curve E to give a third elliptic curve point. Historically, it has been called addition, and denoted by +. Together with this addition rule, the set of points on E forms an abelian group, with O serving as its identity. Elliptic curve cryptosystems are constructed based on this group.

3.2 Addition Rule

The addition rule is best explained geometrically. Let P = (x1, y1) and Q = (x2, y2) be two distinct points on an elliptic curve E. Then R = (x3, y3) = P + Q is defined as follows. Let l be the line through P and Q; this line intersects the curve in a third point we call I. Then R is just the reflection of I in the x-axis, as depicted in Figure 3.1.

Figure 3.1: Geometric description of adding two distinct elliptic curve points

If P = Q, then the double of P, R = (x3, y3) = 2P, is defined as follows. Here, kP = P + ··· + P denotes the addition of a point P to itself k times. Let l be the tangent line to the elliptic curve at P. This line intercepts the elliptic curve in a second point we call I. Then R is just the reflection of I in the x-axis, as depicted in Figure 3.2. The following algebraic formulae for adding points on an elliptic curve, E, can now be easily derived from the geometric description. For example, see Koblitz [29]. Let P = (x1, y1), Q = (x2, y2) ∈ E.

1. -P = -(x1, y1) = (x1, -y1) (negative of P) and P + (-P) = O

2. If Q = -P then P + Q = O; otherwise

3. P + Q = (x3, y3), where

x3 = λ² - x1 - x2, y3 = λ(x1 - x3) - y1,

and λ = (y2 - y1)/(x2 - x1) if P ≠ Q, λ = (3x1² + a)/(2y1) if P = Q.

It can be proven that the above addition rule indeed makes the points on an elliptic curve an abelian group, but proving associativity is not easy. We refer the reader to Tate and Silverman [81] for the proofs. The following example demonstrates the addition rule on an elliptic curve.

Example Let E be the elliptic curve y² = x³ + x + 19 over Z_23. The number of points, #E, on E can easily be determined by simply looking at each possible x ∈ Z_23, computing y² = x³ + x + 19 (mod 23) and solving for y. Theorem 2.4.8 is used to test whether x³ + x + 19 (mod 23) is a quadratic residue modulo p (= 23), that is, whether x³ + x + 19 (mod 23) ∈ QR(23). The results of the computations are given in Table 3.1.

Table 3.1: Points on the curve E: y² = x³ + x + 19 over Z_23

We see that #E = 19 (actually 18 plus the point at infinity, O), and since #E is prime, the group of points on E is cyclic and any point on E except for O is a generator. For example, P = (4, 8) is a generator, as shown in Table 3.2.

Table 3.2: Multiples of P = (4, 8)

For addition, let P = (3, 16) and Q = (11, 2); then R = (x3, y3) = P + Q is computed as

λ = (2 - 16)/(11 - 3) = -14/8 = 9 · 8^{-1} = 9 · 3 = 4 (mod 23),

x3 = 4² - 3 - 11 = 2 (mod 23)

and

y3 = 4(3 - 2) - 16 = -12 = 11 (mod 23).

3.3 Computing the number of points on an elliptic curve, #E

Knowing the number of points on an elliptic curve is central to the design of elliptic curve cryptosystems, as it can often give useful information on the structure of the group, useful to cryptanalysts. If the prime p is small enough, brute force methods could be used to compute #E. But this becomes impractical for p with around 35 digits. There is a deterministic algorithm due to Schoof [75] that computes #E in O(lg⁹ p) operations. Even with recent improvements to the algorithm [48, 46], the algorithm becomes impractical for p with around 150 digits. The following theorem, due to Hasse, gives bounds on #E.

Theorem 3.3.1 (Hasse's)

Let #E be the number of points on an elliptic curve defined over Z_p, p > 3 prime. Then #E = p + 1 - t with |t| ≤ 2√p.

In fact, we can still say more about the number of points on an elliptic curve. Let E_{p^r} be an elliptic curve over F_{p^r}, p > 3 prime and r ≥ 1, and N_r = #E_{p^r}. Then, from Hasse's theorem, we know that the number of points on E_p over F_p (= Z_p) is N_1 = p + 1 - t. It can be shown, Silverman [80], that

N_r = p^r + 1 - α^r - β^r,

where α and β satisfy 1 - tx + px² = (1 - αx)(1 - βx). In other words, it is easy to compute N_r once N_1 is known.

Definition Let #E_q = q + 1 - t denote the order of an elliptic curve E_q over F_q (q = p^k, k ≥ 1), where t is as in Hasse's theorem. Then E_q is said to be supersingular if p | t.

It is often of interest to cryptanalysts not only to know the number of points on an elliptic curve, but also the structure of the group. The following theorem, Cassels [12], gives considerable information on the group structure of E.

Theorem 3.3.2 Let E be an elliptic curve over Z_p, p prime. Then there exist n1 and n2 such that E is isomorphic to Z_{n1} × Z_{n2}, where n1 n2 = #E, n2 | n1, and n2 | (p - 1).

The above theorem says that E is either cyclic or a product of two cyclic groups. Unfortunately, computing the structure of E is not always easy. However, for some elliptic curves over Z_p, we can say more about their structure. The next two lemmas from Koyama et al. [35] illustrate this point. These lemmas are used in proving the correctness of elliptic curve cryptosystems proposed by Koyama et al. [35].

Lemma 3.3.3 Let p (> 3) be a prime, p ≡ 2 (mod 3). Then for b ∈ Z_p^*, the elliptic curve E: y² = x³ + b over Z_p is cyclic and #E = p + 1.

Proof First we show that #E = p + 1. Now, for p ≡ 2 (mod 3), the mapping x ↦ x³ is a permutation on Z_p. Hence, for every b there are exactly (p - 1)/2 numbers x ∈ Z_p for which x³ + b ∈ QR(p). Also, for each such x there are two points on E. These points, together with O and (∛(-b), 0), give #E = p + 1. To prove that E is cyclic, we assume the contrary. Then, by Theorem 3.3.2, we have that E is isomorphic to Z_{n1} × Z_{n2}, where n1 n2 = #E = p + 1 and n2 | (p - 1). A bit of algebra and Corollary 2.1.5 reveals that n2 = 2 and n1 is even. Thus, the group Z_{n1} × Z_2 must have four elements P for which -P = P. But only the points P = O and P = (∛(-b), 0) have -P = P, since the only points on E for which -P = P are those points (x, y) with y = 0 (note that -1 ≡ 1 (mod 2)). This contradicts the fact that E is isomorphic to a product of two cyclic groups; hence E must be cyclic. ∎

Lemma 3.3.4 Let p (> 3) be a prime such that p ≡ 3 (mod 4). Then, for a ∈ Z_p^*, the elliptic curve E: y² = x³ + ax over Z_p has #E = p + 1. Furthermore, E is cyclic if a ∈ QR(p); otherwise, E is isomorphic to Z_{(p+1)/2} × Z_2.

Proof Let f(x) = x³ + ax. Since f(-x) = -f(x), f(x) is an odd function. Following our discussion of algorithm SQUARE-ROOT(p), p ≡ 3 (mod 4) implies that for every x ∈ Z_p^*, exactly one of x or -x ∈ QR(p). Note that -1 ∉ QR(p). Consider the pairs [x, -x] for 0 < x ≤ (p - 1)/2. For every such pair, either f(x) = f(-x) = 0 or f(x) ∈ QR(p) or f(-x) ∈ QR(p). In each case, there are two points on E associated with the pair [x, -x], namely (±x, 0), (x, ±√f(x)) or (-x, ±√f(-x)), respectively. This makes p - 1 points on E. Adding the points O and (0, 0) gives #E = p + 1. The proof of the last claim is similar to the proof given for Lemma 3.3.3. ∎

There are many analogies between the group of points on an elliptic curve, E, over Z_p and the multiplicative group Z_p^*. We list some of these in Table 3.3.

The elliptic curve analog of exponentiating by k in Z_p^* is repeated addition of a point to itself k times, as seen in Table 3.3. We have seen how to compute g^k (mod p) efficiently by using algorithm MOD-EXP. The same algorithm can be adapted to compute kP, where P ∈ E_p, in O(lg k lg³ p). This algorithm, MULTIPLE-ADDITION, is presented in Figure 3.3.

3.4 The Elliptic Curve Discrete Logarithm Problem (ECDLP)

The DLP, originally posed over Z_p^*, can in fact be posed over any group. Since the points on an elliptic curve, E_p, form a group (an abelian group, to be more specific), they provide a perfect setting for posing the DLP. This version of the DLP, called the elliptic curve discrete logarithm problem (ECDLP), is presented in Figure 3.4.

                            Multiplicative Group            Elliptic Curve Group
Group                       Z_p^*                           E or E_p
Elements                    {1, 2, ..., p - 1}              Points (x, y) ∈ E plus O
Operation                   Multiplication modulo p         Addition modulo p
Arithmetic notation         Elements: g, h                  Elements: P, Q
                            Multiplication: gh              Addition: P + Q
                            Inverse: h^{-1}                 Negative: -P
                            Division: g/h or g(h)^{-1}      Subtraction: P - Q
                            Exponentiation: g^a             Multiple: aP
Discrete logarithm problem  Given g and h = g^a, find a     Given P and Q = aP, find a

Table 3.3: Notational correspondence between Z_p^* and E_p

Input: k, P where k ∈ Z_p, P ∈ E_p

Output: kP

Let k_{l-1} ... k_1 k_0 be the binary representation of k.

1. Q ← O

2. For i ← l - 1 down to 0 do
   Q ← Q + Q
   If k_i = 1 then Q ← Q + P

3. Return (Q)

Figure 3.3: Algorithm MULTIPLE-ADDITION

Problem Instance: An elliptic curve E_p, a point P ∈ E_p of order N and a point Q ∈ E_p.

Task: Find a ∈ Z_N (if it exists) such that Q = aP.

Figure 3.4: The Elliptic Curve Discrete Logarithm Problem (ECDLP)

The ECDLP has received much attention over the past decade from leading scholars around the world, and no significant weaknesses have been reported. In fact, it is also conjectured to be harder than the DLP and the factoring problem [88].

3.5 Elliptic Curves Over Z_n

We now consider elliptic curves over the ring Z_n, where n = pq is an odd squarefree integer, for two distinct primes p and q (both > 3). An elliptic curve, E_n(a, b), over Z_n is defined to be the set of points (x, y) ∈ Z_n × Z_n such that y² ≡ x³ + ax + b (mod n), together with the point at infinity, O. An addition operation can be defined on the points of E_n(a, b) in the same way as addition on E_p(a, b), by simply replacing operations in Z_p with operations in Z_n. But, since division is not always defined in Z_n, the points on E_n(a, b) do not form a group. However, these problems can be overcome so as to allow us to construct elliptic curve cryptosystems on E_n(a, b). By Theorem 2.3.9 (more specifically, Corollary 2.3.10), any c ∈ Z_n can be uniquely represented by a pair of integers [c_p, c_q] where c_p ∈ Z_p and c_q ∈ Z_q. Thus, every point P = (x, y) ∈ E_n(a, b) can be uniquely represented by a pair of points [P_p, P_q] such that P_p ∈ E_p(a, b) and P_q ∈ E_q(a, b), with the convention that O is represented by [O_p, O_q], where O_p and O_q are the points at infinity on E_p(a, b) and E_q(a, b), respectively. It is now easy to see that, when it is defined, the addition operation on E_n(a, b) is equivalent to the componentwise addition operation on E_p(a, b) × E_q(a, b).

Example Let p = 7, q = 5 (we use small primes just for illustration), and n = pq = 35. Let E be

the elliptic curve y² = x³ + 3x + 12 over Z_n. Note that GCD(4a³ + 27b², n) = GCD(3996, 35) = 1. Table 3.4 gives the points on E.

Consider the addition of points P = (6, 34) and Q = (11, 16). Since P ≠ Q, we have to compute the inverse of 11 - 6 in Z_35. But GCD(5, 35) = 5 > 1. Hence, the inverse does not exist, and in fact we have found one of the factors of n. A simple calculation can show that the only points on the curve (considered over Z_5) are those with x = 1 and x = 2. Similarly, when considered over Z_7, the only points on the curve are those with x = 1, x = 4, and x = 6. Of course, the point at infinity is, by definition, always included. A cross-product of these points (and using the Chinese Remainder Theorem) gives precisely the points in Table 3.4.

x     QR(7)?   QR(5)?   y
1     Yes      yes      4, 11, 24, 31
6     Yes      yes      1, 6, 29, 34
11    Yes      yes      9, 16, 19, 26
22    Yes      yes      4, 11, 24, 31
27    Yes      yes      1, 6, 29, 34
32    Yes      yes      9, 16, 19, 26

Table 3.4: Points on the curve E: y² = x³ + 3x + 12 over Z_35 (the x column is recovered by the Chinese Remainder Theorem from the residues x ≡ 1, 2 (mod 5) and x ≡ 1, 4, 6 (mod 7) given in the text)

Note that the addition operation on E_n(a, b) is undefined precisely when one of P_p and P_q is O. For large p and q, it is highly unlikely (the probability of it is very small) that the addition of two points on E_n(a, b) is undefined. Note that if it were not negligible, trying to perform the undefined operation (an inversion) would give a nontrivial factor of n, and this would be an effective factoring algorithm, which is assumed not to exist. Although we do not use the properties of a finite group directly, the following lemma (from Koyama et al. [35], but with our proof) gives us a property of E_n(a, b) which is similar to that of a finite group.

Lemma 3.5.1 Let E_n(a, b) be an elliptic curve over Z_n such that GCD(4a³ + 27b², n) = 1 and n = pq (p, q (> 3) prime). Let

N_n = LCM(#E_p(a, b), #E_q(a, b)).

Then, for any P ∈ E_n(a, b) and any k ∈ Z_n,

(k N_n + 1)P = P over E_n(a, b).

Proof Since N_n = LCM(#E_p(a, b), #E_q(a, b)), we have, by the division algorithm,

N_n = u · #E_p(a, b) = v · #E_q(a, b),

where u, v ∈ N_0. Therefore, N_n P = u · #E_p(a, b) P = u(#E_p(a, b) P) = O_p. Similarly, N_n P = v · #E_q(a, b) P = O_q. Hence it follows, by convention, that for any k ∈ Z_n,

(k N_n + 1)P = k N_n P + P = P. ∎

It is on these curves that RSA-type elliptic curve cryptosystems are constructed, deriving their security, like RSA, from the factoring problem.
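An added example (Python, not the thesis's code) for the curve y² = x³ + 3x + 12 over Z_35 of the Example above and for N_n of Lemma 3.5.1. It rebuilds the points of Table 3.4 as the Chinese Remainder Theorem cross-product of E_5 and E_7, shows why P = (6, 34) + Q = (11, 16) is undefined (the Z_5 components of P and Q are negatives of each other, so the needed inverse does not exist and the gcd exposes the factor 5), and computes N_n = LCM(#E_5, #E_7). The function names are my own; the curve and points are the thesis's.

```python
# Added example for Section 3.5 (not from the thesis): E: y^2 = x^3 + 3x + 12 over Z_35,
# n = 5 * 7, seen through the Chinese Remainder Theorem.
from math import gcd, lcm


def affine_points(a, b, m):
    """Brute-force list of (x, y) in Z_m x Z_m with y^2 = x^3 + a x + b (mod m); O is not listed."""
    return [(x, y) for x in range(m) for y in range(m)
            if (y * y - (x ** 3 + a * x + b)) % m == 0]


def crt_components(P, p, q):
    """[P_p, P_q] representation (Corollary 2.3.10) of an affine point P = (x, y) of E_n."""
    x, y = P
    return (x % p, y % p), (x % q, y % q)


def crt_combine(Pp, Pq, p, q):
    """Inverse map: glue (x_p, y_p) in E_p and (x_q, y_q) in E_q into the unique point of E_n."""
    def crt(rp, rq):
        # r = rp (mod p) and r = rq (mod q); p^-1 mod q exists since p, q are distinct primes
        return (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % (p * q)
    return crt(Pp[0], Pq[0]), crt(Pp[1], Pq[1])


def points_via_crt(a, b, p, q):
    """Section 3.5: the affine points of E_n are exactly the cross-product of E_p and E_q."""
    return sorted(crt_combine(Pp, Pq, p, q)
                  for Pp in affine_points(a, b, p) for Pq in affine_points(a, b, q))


def addition_status(P, Q, a, n):
    """Can the slope for P + Q be formed over Z_n?

    The denominator is x2 - x1 for P != Q and 2*y1 for P == Q.  If it is a unit the sum is
    defined; if it is 0 mod n the sum is O; otherwise the sum is undefined and
    gcd(denominator, n) is a non-trivial factor of n, returned as the second element."""
    x1, y1 = P
    x2, y2 = Q
    denom = (2 * y1) if P == Q else (x2 - x1)
    g = gcd(denom % n, n)
    if g == 1:
        return "defined", None
    if g == n:
        return "undefined", None        # Q = -P (or doubling a point with y1 = 0): sum is O
    return "undefined", g


def n_n(a, b, p, q):
    """N_n of Lemma 3.5.1: LCM of #E_p and #E_q (affine counts plus the point at infinity)."""
    return lcm(len(affine_points(a, b, p)) + 1, len(affine_points(a, b, q)) + 1)


if __name__ == "__main__":
    print(len(affine_points(3, 12, 35)))                        # 24 affine points, as in Table 3.4
    print(addition_status((6, 34), (11, 16), 3, 35))            # ('undefined', 5)
    print(crt_components((6, 34), 5, 7), crt_components((11, 16), 5, 7))
    print(n_n(3, 12, 5, 7))                                     # 35 = LCM(5, 7)
```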

Chapter 4

Elliptic Curve Cryptosystems

The use of elliptic curves over finite fields for public key cryptography was first suggested by Koblitz [30] and Miller [56]. They did not, at that time, invent new public key cryptosystems, but rather presented analogs of the ElGamal cryptosystem and the Diffie-Hellman key exchange over elliptic curves, respectively. The security of these systems is derived from the difficulty of solving the elliptic curve versions of the discrete logarithm problem and the Diffie-Hellman problem. In 1991, Menezes et al. [35] proposed the use of elliptic curves over the ring Z_n, where n is a product of two "large" and distinct primes. The security of the public key cryptosystems they proposed is derived from the difficulty of factoring the modulus n. In this chapter, we discuss elliptic curve public key cryptosystems over the field Z_p and the ring Z_n. However, since there are many cryptosystems proposed, we shall only discuss a few we hope will be representative of the field. We first discuss elliptic curve cryptosystems over Z_p.

4.1 Elliptic Curve Cryptosystems Over Z_p

In this section, we present analogs of the ElGamal cryptosystem and the Diffie-Hellman key exchange. The ElGamal cryptosystem can be implemented in any group where the discrete logarithm problem is intractable. In fact, the group need not be abelian (of course the subgroup used is cyclic). The analog of the ElGamal cryptosystem is presented in Figure 4.1.

Set-up

1. Choose a "large" prime p and an elliptic curve E_p such that the ECDLP in E_p is intractable

2. Choose a point P ∈ E_p (called the base point)

3. Choose a ∈ Z_p^* and compute Q = aP

4. Choose an invertible function f such that, given m ∈ Z_p^*, f(m) ∈ E_p. That is, given m ∈ Z_p^*, the function f embeds m on E_p deterministically.

P = Z_p^*, C = E_p × E_p, K = {(p, E_p, a, P, Q, f) : Q = aP}

Public Key: (p, E_p, P, Q, f)

Private Key: (a)

Encryption

Given key K = (p, E_p, a, P, Q, f) and message m ∈ P, define

e_K(m, k) = (c1, c2) = (kP, P_m + kQ), where k ∈ Z_p^* is a secret random number and P_m = f(m)

Decryption

Given ciphertext c = (c1, c2) ∈ C, define

d_K(c1, c2) = f^{-1}(c2 - a c1)

Figure 4.1: The Analog of the ElGamal Public Key Cryptosystem

The correctness is easy to verify, since

c2 - a c1 = P_m + kQ - a(kP) = P_m + k(aP) - a(kP) = P_m.

Now, since the function f is invertible, we can derive the original message m by computing m = f^{-1}(P_m).

Encryption and decryption can be performed in O(lg(max(a, k)) lg³ p). If we knew the size of the subgroup generated by P, then this bound could be replaced by O(lg⁴ p). The difficulty lies in finding a curve E_p in which the ECDLP is intractable. However, by using some byproducts of the elliptic curve primality proving algorithm of Atkin and Morain [5], Morain [59] showed that such curves could be constructed in polynomial time (from heuristic analysis). The following papers also discuss the construction of elliptic curves suitable for cryptosystems [31, 32, 57, 58, 13, 41].

There are some practical difficulties in implementing this cryptosystem. Firstly, it has a message expansion factor of 4 (4 elements of Z_p^* are generated from 1 plaintext element). When the cryptosystem is implemented in Z_p^*, it only has a message expansion factor of 2. The second problem is that we require a function (algorithm) to embed plaintext on E_p before encrypting it. Unfortunately, there is no known convenient method for deterministically generating points on E_p. In order to overcome these shortcomings, Menezes and Vanstone [53] invented a more efficient variation, presented in Figure 4.2.

The Menezes-Vanstone cryptosystem only uses the elliptic curve to "mask" the plaintext, as opposed to embedding it on the curve. Plaintext can be any element of Z_p^* × Z_p^*, thus vastly increasing the plaintext space. It has a message expansion factor of 2, the same as in the original ElGamal cryptosystem over Z_p^*. Its correctness can easily be verified, and it has the same time complexity as the first variation. Figure 4.3 and Figure 4.4 show the results of encrypting the message "public" using Arne Louis's public key p = 33333331, E_p: y² = x³ + 5202x + 5379352, P = (33331773, 8538162), a = 16839, Q = (27518663, 635646).¹ That is, the message is intended for Arne Louis. Notice how quickly the ciphertext becomes cumbersome.

Next, we discuss the Diffie-Hellman analog, presented in Figure 4.5.

¹ See an implementation of the Menezes-Vanstone scheme at http:\\ www.cs.mcgiIl.criTnkgautzlcrypt.h~

Set-up

1. Choose a "large" prime p and an elliptic curve E_p such that E_p contains a cyclic subgroup H in which the ECDLP is intractable

2. Choose a point P ∈ E_p (called the base point)

P = Z_p^* × Z_p^*, C = E_p × Z_p^* × Z_p^*, K = {(p, E_p, a, P, Q) : Q = aP, a ∈ Z_p^*}, H = <P> (cyclic subgroup generated by P)

Public Key: (p, E_p, P, Q)

Private Key: (a)

Encryption

Given key K = (p, E_p, a, P, Q) and message m = (m1, m2) ∈ P, define e_K(m, k), where k ∈ Z_p^* is a secret random number.

Figure 4.2: The Menezes-Vanstone Cryptosystem

[Figure 4.3 is a screenshot of the encryption form: fields "Message" (public), "CipherText" and "Send To" (Tlotlo Neo), with buttons Clear, Send and Decode]

Figure 4.3: Menezes-Vanstone encryption

[Figure 4.4 is a screenshot of the decryption form: field "Send To" (Tlotlo Neo)]

Figure 4.4: Menezes-Vanstone decryption

Set-up

1. Choose a finite field F_q and an elliptic curve E_q defined over it

2. Choose a point P ∈ E_q (of large order)

Public Key: (q, E_q, P)

Key Exchange:

1. Bob chooses b ∈ Z_q^* at random

2. Bob computes bP and sends it to Alice

3. Alice chooses a ∈ Z_q^* at random

4. Alice computes aP and sends it to Bob

5. Bob computes K = b(aP) and Alice computes K = a(bP)

Figure 4.5: The Elliptic Curve Analog of the Diffie-Hellman Key Exchange Protocol

After executing the protocol, both Bob and Alice have computed the same key, K = (ab)P. Notice that, as in the original protocol, we do not need to know the order of the base point P, nor do we need to know that it is a generator. The security of this system is derived from the analog of the Diffie-Hellman problem. That is, given U = bP and V = aP, compute Q = (ab)P, where P is a point on an elliptic curve E_q. At present, there is no known algorithm for solving this problem other than solving two instances of the ECDLP.
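The following Python is an added example, not code from the thesis. It implements the affine addition rule of Section 3.2, MULTIPLE-ADDITION of Figure 3.3, brute-force point counting with the Hasse check of Section 3.3, the Menezes-Vanstone cryptosystem of Figure 4.2 and the Diffie-Hellman analog of Figure 4.5, all on the thesis's Example curve y² = x³ + x + 19 over Z_23 with base point P = (4, 8), so that the values computed in Section 3.2 ((3, 16) + (11, 2) = (2, 11), #E = 19, P a generator) can be checked directly. Because the Menezes-Vanstone formulas in Figure 4.2 did not survive extraction, the masking follows the standard description of the scheme (c0 = kP, and the two coordinates of kQ multiply m1 and m2); the private multipliers and the plaintext pair in the usage code are constructed. A curve this small is only for checking the formulas.

```python
# Added example (not the thesis's code): affine arithmetic on E_p: y^2 = x^3 + a x + b,
# point counting, MULTIPLE-ADDITION, Menezes-Vanstone (standard formulation) and ECDH.
from random import randrange

O = None  # the point at infinity


def ec_add(P, Q, a, p):
    """Addition rule of Section 3.2: chord through P and Q, or tangent at P when P == Q."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                       # Q = -P, so P + Q = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)   # slope of the tangent at P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)          # slope of the chord through P and Q
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(k, P, a, p):
    """MULTIPLE-ADDITION (Figure 3.3): scan the bits of k from the most significant one down."""
    Q = O
    for bit in bin(k)[2:]:
        Q = ec_add(Q, Q, a, p)
        if bit == "1":
            Q = ec_add(Q, P, a, p)
    return Q


def ec_points(a, b, p):
    """#E by brute force (Section 3.3): O plus every (x, y) with y^2 = x^3 + a x + b (mod p)."""
    return [O] + [(x, y) for x in range(p) for y in range(p)
                  if (y * y - x ** 3 - a * x - b) % p == 0]


def hasse_bound_holds(count, p):
    """Theorem 3.3.1: |#E - (p + 1)| <= 2 sqrt(p), checked without floating point."""
    return (count - p - 1) ** 2 <= 4 * p


def is_generator(P, a, b, p):
    """True if P, 2P, ..., (#E)P run through the whole group, i.e. E is cyclic and P generates it."""
    pts = ec_points(a, b, p)
    return {ec_mul(k, P, a, p) for k in range(1, len(pts) + 1)} == set(pts)


def mv_keygen(P, a, p, order):
    """Menezes-Vanstone set-up: private multiplier priv and public point Q = priv * P."""
    priv = randrange(1, order)
    return priv, ec_mul(priv, P, a, p)


def mv_encrypt(m, P, Q, a, p, order):
    """Mask (m1, m2) in Z_p^* x Z_p^* with the coordinates of kQ and send kP alongside.
    kQ must have two non-zero coordinates or the mask would wipe out a plaintext component,
    so such k are rejected and redrawn."""
    m1, m2 = m
    while True:
        k = randrange(1, order)
        mask = ec_mul(k, Q, a, p)
        if mask is not O and mask[0] and mask[1]:
            break
    x0, y0 = mask
    return ec_mul(k, P, a, p), m1 * x0 % p, m2 * y0 % p


def mv_decrypt(c, priv, a, p):
    """priv * (kP) = kQ recovers the mask; divide it out of both components."""
    c0, c1, c2 = c
    x0, y0 = ec_mul(priv, c0, a, p)
    return c1 * pow(x0, -1, p) % p, c2 * pow(y0, -1, p) % p


def ecdh(P, a, p, order, alice_secret=None, bob_secret=None):
    """Figure 4.5: both parties end with (alice_secret * bob_secret) * P."""
    sa = alice_secret or randrange(1, order)
    sb = bob_secret or randrange(1, order)
    U, V = ec_mul(sb, P, a, p), ec_mul(sa, P, a, p)     # U goes Bob -> Alice, V goes Alice -> Bob
    return ec_mul(sa, U, a, p), ec_mul(sb, V, a, p)      # (Alice's K, Bob's K)


if __name__ == "__main__":
    A, B, PRIME, BASE = 1, 19, 23, (4, 8)                # the thesis's Example curve and point
    print(ec_add((3, 16), (11, 2), A, PRIME))            # (2, 11), as in the Example
    print(len(ec_points(A, B, PRIME)), is_generator(BASE, A, B, PRIME))   # 19 True
    priv, Q = 7, ec_mul(7, BASE, A, PRIME)               # constructed Menezes-Vanstone key
    c = mv_encrypt((5, 9), BASE, Q, A, PRIME, 19)
    print(c, mv_decrypt(c, priv, A, PRIME))              # ..., (5, 9)
    print(ecdh(BASE, A, PRIME, 19, 3, 5))                # both keys equal 15P
```

Note the redraw of k in mv_encrypt: if kQ were O or had a zero coordinate, the mask would destroy a plaintext component and decryption would need an inverse that does not exist, so an implementation must reject such k rather than assume they never occur.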

4.2 Elliptic Curve Cryptosystems Over Z_n

In this section we describe cryptosystems proposed by Koyama et al. [35] and Meyer et al. [54] over the ring Z_n. First we discuss the KMOV scheme of Koyama et al. This scheme is presented in Figure 4.6. The KMOV scheme utilizes Lemma 3.3.3. We note here that the curves used are supersingular and care should be exercised if the KMOV scheme is to be used. See comments on algorithm RANDOM-CURVE-PRIME in Section 4.5.

The correctness of the algorithm easily follows from the facts that ed ≡ 1 (mod N_n) and that the addition formula is independent of both a and b while the doubling formula is independent of b. Encryption and decryption can clearly be performed in polynomial time since only elliptic curve arithmetic is performed. Note that the minimum possible value for e is 5, because 2 | N_n and 3 | N_n (from Lemma 3.3.3). Also, note that the KMOV scheme is not based on a single group but on a large class of groups (with the same order), and each curve is determined by the plaintext. The security of the system is derived from the factoring problem; however, like in the RSA system, it is not known whether breaking the system is equivalent to factoring. Demytko [18] proposed a scheme which has very little restriction on the types of elliptic curves and types of primes used, and has a message expansion factor of 1. However, this flexibility comes at the cost of having to use Schoof's algorithm to compute the order of the curve.

Let P be a point on an elliptic curve E; then x(P) and y(P) represent the x-coordinate and y-coordinate of the point P, respectively. Also, type(x) = 1 if J(x) = +1 and type(x) = 0 if J(x) = -1, where J(·) is the Jacobi symbol. We also denote the least significant bit of x by lsb(x). We are now ready to discuss the Meyer et al. scheme. It is presented in Figure 4.7.

Set-up

1. Choose large primes p and q such that p ≡ q ≡ 2 (mod 3).
2. Compute n = pq and N_n = LCM(#E_p(0, b), #E_q(0, b)), where b is to be determined by the plaintext to be transmitted (by Lemma 3.3.3 the two orders are p + 1 and q + 1, whatever b is).
3. Choose e such that GCD(e, N_n) = 1.

P = Z_n × Z_n, C = E_n(0, b), K = {(p, q, N_n, d) : d ≡ e^(−1) (mod N_n)}

Public Key: (n, e)

Private Key: (d, p, q, N_n)

Encryption

Given the public key (n, e) and message m = (m_x, m_y) ∈ P, define

e_K(m) = e · m over E_n(0, b), where m ∈ E_n(0, b) and b ≡ m_y^2 − m_x^3 (mod n).

Decryption

Given ciphertext c ∈ C, define

d_K(c) = d · c over E_n(0, b).

Figure 4.6: The KMOV scheme
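The Diffie-Hellman exchange of Figure 4.5 and the KMOV scheme of Figure 4.6 need the same point arithmetic, so the following Python program, an added example and not code from the thesis, runs both on constructed toy parameters: Stinson's curve y^2 = x^3 + x + 6 over F_11 with base point (2, 7) for the exchange, and the primes p = 1019 and q = 1103 (both ≡ 2 mod 3) with e = 7 for KMOV. The chord-and-tangent addition is written over Z_n: when n is prime it is ordinary curve arithmetic; when n = pq a denominator that is not invertible raises FactorFound, the event in which the "curve" arithmetic breaks down and exposes a factor of n. The check that a received Diffie-Hellman point actually lies on the curve is this example's addition and is not part of Figure 4.5; it is what stops a peer from sending a point of a different, weaker curve.

```python
import math
import secrets

INF = None  # the point at infinity O


class FactorFound(Exception):
    """A denominator was not invertible mod n. For n = pq this means the point
    is O modulo exactly one of p, q, and the gcd exposes that prime."""


def ec_add(n, a, P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + ax + b over Z_n (Z_p if n is
    prime). Neither formula needs b and only doubling needs a, which is what
    lets KMOV compute on a curve that the plaintext fixes implicitly."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return INF                                   # P + (-P) = O
    if P == Q:
        num, den = 3 * x1 * x1 + a, 2 * y1           # tangent slope
    else:
        num, den = y2 - y1, x2 - x1                  # chord slope
    g = math.gcd(den % n, n)
    if g != 1:
        raise FactorFound(g)                         # cannot happen for prime n
    lam = num * pow(den, -1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)


def ec_mul(n, a, k, P):
    """kP by left-to-right double-and-add (algorithm MULTIPLE-ADDITION)."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(n, a, R, R)
        if bit == "1":
            R = ec_add(n, a, R, P)
    return R


def on_curve(n, a, b, P):
    x, y = P
    return (y * y - x * x * x - a * x - b) % n == 0


# Figure 4.5 on a constructed toy curve: y^2 = x^3 + x + 6 over F_11 has 13
# points, so the base point (2, 7) generates the whole group. Not secure.
DH_P, DH_A, DH_B, DH_BASE = 11, 1, 6, (2, 7)


def ecdh_exchange(a=None, b=None):
    """Both sides of the protocol; returns (aP, bP, K_Alice, K_Bob). Validating
    the received point is this example's addition, not part of Figure 4.5."""
    if a is None:
        a = secrets.randbelow(DH_P - 1) + 1
    if b is None:
        b = secrets.randbelow(DH_P - 1) + 1
    aP = ec_mul(DH_P, DH_A, a, DH_BASE)              # Alice -> Bob
    bP = ec_mul(DH_P, DH_A, b, DH_BASE)              # Bob -> Alice
    for received in (aP, bP):
        if received is INF or not on_curve(DH_P, DH_A, DH_B, received):
            raise ValueError("received point is not on the curve")
    return aP, bP, ec_mul(DH_P, DH_A, a, bP), ec_mul(DH_P, DH_A, b, aP)


# Figure 4.6 with constructed toy primes p, q = 2 (mod 3).
def kmov_keygen(p, q, e):
    """#E_p(0, b) = p + 1 for every b when p = 2 (mod 3) (Lemma 3.3.3), so
    N_n = lcm(p + 1, q + 1) is known without counting points on any curve."""
    assert p % 3 == 2 and q % 3 == 2
    N = (p + 1) * (q + 1) // math.gcd(p + 1, q + 1)
    assert math.gcd(e, N) == 1
    return (p * q, e), (pow(e, -1, N), p, q, N)


def kmov_encrypt(pub, m):
    """c = e*m on E_n(0, b), b = m_y^2 - m_x^3 (mod n); b is never used."""
    n, e = pub
    g = math.gcd((m[1] ** 2 - m[0] ** 3) % n, n)
    if g != 1:
        raise FactorFound(g)                         # b = 0 mod p: singular curve
    return ec_mul(n, 0, e, m)


def kmov_decrypt(priv, n, c):
    return ec_mul(n, 0, priv[0], c)


def kmov_roundtrip(messages, p=1019, q=1103, e=7):
    """Per message: True if decrypt(encrypt(m)) == m, None if the factor-found
    event occurred. With 10-bit primes that event is not negligible."""
    pub, priv = kmov_keygen(p, q, e)
    out = []
    for m in messages:
        try:
            out.append(kmov_decrypt(priv, pub[0], kmov_encrypt(pub, m)) == m)
        except FactorFound:
            out.append(None)
    return out
```

With 10-bit toy primes the factor-found breakdown is visible (a few percent of messages), which is why kmov_roundtrip reports it per message instead of assuming success; with primes of the size the scheme intends it is negligible, as the text says. Note also that kmov_encrypt never evaluates b beyond the singularity check: the curve the ciphertext lives on is implied by the plaintext, exactly as the correctness argument above relies on.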

Set-up

1. Choose large primes p and q such that p ≡ q ≡ 11 (mod 12).
2. Compute n = pq.

Public Key: (n)

Private Key: (p, q)

Encryption

Given the public key n and message m ∈ P, define: λ ∈ Z_n^* is chosen at random, P = (m^2, λm^3), a = λ^3 and b = (λ^2 − 1)m^6 − am^2, so that P ∈ E_n(a, b); Q = 2·P; and the ciphertext is c = (E_n(a, b), x(Q), type(y(Q)), lsb(y(Q))).

Decryption

Given ciphertext c = (E_n(a, b), x_Q, t, l): let y_Q be the square root of x_Q^3 + a x_Q + b such that type(y_Q) = t and lsb(y_Q) = l, giving Q = (x_Q, y_Q); let P_i ∈ E_n(a, b), 1 ≤ i ≤ s, be the points such that 2·P_i = Q; and let I = {i : 1 ≤ i ≤ s, a^2 = (y(P_i))^6 (x(P_i))^(−9)}.

Figure 4.7: The Meyer et al. scheme

In this scheme the Jacobi symbol and the least significant bit are used to identify the proper square root of x ∈ Z_n^*, since by the Chinese Remainder Theorem each square has exactly four square roots. Some remarks are in order for this scheme.

Remark

1. The encryption step may fail if GCD(4a^3 + 27b^2, n) > 1, in which case 4a^3 + 27b^2 ≡ 0 (mod n) or a factor of n has been found. However, as already indicated, the probability of this event is negligible.

2. The decryption step requires computing all points P_i such that 2·P_i = Q. This involves finding roots of a degree 4 polynomial in Z_p and in Z_q.

3. The set I must have only one element, and as such P_I denotes the point with the index in I. In fact, Meyer et al. [54] showed that the probability that |I| > 1 and n cannot be factored is at most a bound which, since n is large, is negligible.

The correctness of the cryptosystem follows directly from the facts that 2·P = Q and a^2 = (y(P_I))^6 (x(P_I))^(−9) (from the encryption step). The encryption step is clearly polynomial, and the decryption step can be done in O(lg^3 n) probabilistic time. This is probabilistic because a randomized root finding algorithm has to be employed; see, for example, Shoup [79]. The decryption step, compared to the KMOV scheme decryption, is somewhat more involved.

Other RSA-like cryptosystems have been proposed based on singular cubic curves y^2 + axy ≡ x^3 (mod n), Koyama [34], and on curves of smooth order, Vanstone and Zuccherato [86]. Koyama's analysis of his cryptosystems indicates that they are twice as fast as RSA, whereas the other systems are slower than RSA.

First, we discuss attacks on elliptic curve cryptosystems whose basis for security is the ECDLP. The best algorithms that are known for solving the ECDLP are the square-root methods that apply to any finite group G and have a running time proportional to √p, where p is the largest prime factor of |G|. These are just the analogs of the algorithms for the DLP. Hence, to guard against these attacks, the group order |G| should be prime, or at least should not be y-smooth for small y. Miller [56] argues that it is unlikely that the index calculus methods could be extended to the ECDLP, leaving only exponential algorithms for attacking the ECDLP. However, in 1993, Menezes et al. [51] invented an algorithm, the MOV reduction, that uses the Weil pairing [80] to reduce the ECDLP in a curve E_q over the field F_q to the DLP in a suitable extension field F_{q^k} of F_q. The DLP can then be solved by using the subexponential index calculus method. But the reduction is only useful when the extension degree k is small, as it is for supersingular curves (for which k ≤ 6). Hence, supersingular curves should not be used.

Another class of curves to avoid are the anomalous curves. In 1997, Smart [83] showed that anomalous curves are not safe for use in cryptosystems by describing a linear time algorithm that solves the ECDLP on them, using the fact that the order of the group is known: by definition it is equal to the order p of the underlying field.

Currently, the most effective general algorithm against the ECDLP seems to be the Pollard rho method, which takes about √(πn/2) elliptic curve addition steps [65], where n is the order of the group generated by the base point. In 1993, van Oorschot and Wiener [85] showed how to parallelize the Pollard rho method so that if r processors are used, then the expected number of steps taken by each processor before a single discrete logarithm is obtained is √(πn/2)/r. Recently, a distributed implementation of the Schoof-Elkies-Atkin algorithm [48] was used by Lercier and Joux [47] to compute the number of points on an elliptic curve over F_{2^1663}. This shows the power of distributed computing in solving this seemingly intractable problem.

In the case of RSA-type elliptic curve cryptosystems, the attacks on the original RSA cryptosystem are applicable, since they too derive their security from the factoring problem. Against the Håstad attack, Kurosawa et al. [37] and Koyama [38] have shown that RSA-type elliptic curve cryptosystems are more secure.

4.4 Speeding Up Elliptic Curve Computations

Elliptic curve cryptosystems, being public-key cryptosystems, suffer from the same deficiencies affecting all other public-key cryptosystems. Specifically, they have relatively low bandwidth (slow speed and high message expansion factors) compared to conventional (private-key) cryptosystems. In fact, this is the reason why, up to now, conventional cryptosystems are still preferred over public-key cryptosystems for bulk data encryption. Public-key cryptosystems are relegated to use in digital signatures [69, 84] (as opposed to handwritten signatures) and in the distribution of secret keys for use in conventional cryptosystems [68, 84]. However, it has not been proven that low bandwidth is a necessary characteristic of public-key cryptosystems. But for now it seems that this is true, since no public-key cryptosystem has achieved the speed of conventional cryptosystems like the Data Encryption Standard (DES) (see Stinson [84] for more information on DES). A lot of research has been done and a lot written on improving public-key cryptosystems. In this section we give a summary of methods used to improve the speed of elliptic curve cryptosystems.

Speeding up elliptic curve operations can be divided into three levels (or categories), as can be seen in Figure 4.8.

Figure 4.8: Three speed-up levels for elliptic curve operations (Level 0: the primitive operations +, −, * and inverse/GCD mod p; Level 1: point addition and doubling; Level 2: computing kP)

At level 0, we are mainly concerned with speeding up primitive operations: addition, subtraction, multiplication, and computing greatest common divisors and inverses modulo p. This requires the use of fast algorithms to perform the primitive operations modulo p. For example, Jebelean's

algorithm can be employed to perform long integer division in a field, to speed up computing GCDs and computing inverses [25]. Jebelean's algorithm is about two times slower than Karatsuba multiplication (a practical algorithm to perform long integer multiplication, and asymptotically fast). However, it is still quadratic in the worst case. Weber [87] describes an accelerated integer GCD algorithm. Level 1 is composed mainly of computing point addition and doubling on the curve efficiently. In particular, the goal is to minimize the number of inversions performed, as they are costly. One way of doing this on elliptic curves was shown by Menezes [53], Beth and Schaefer [7], and Schroeppel et al. [77] in the fields F_{2^n}, using homogeneous coordinates. Recall that in homogeneous coordinates the equation of the curve becomes

Y^2 Z ≡ X^3 + aXZ^2 + bZ^3 (mod p).

Let P_1 = (X_1, Y_1, Z_1) and P_2 = (X_2, Y_2, Z_2) be on an elliptic curve E over F_p (p > 3). The addition formulae [36] for computing P_3 = (X_3, Y_3, Z_3) = P_1 + P_2, P_1 ≠ ±P_2, are expressed in terms of

U = Y_2 Z_1 − Y_1 Z_2, V = X_2 Z_1 − X_1 Z_2, T = X_2 Z_1 + X_1 Z_2, and A = U^2 Z_1 Z_2 − V^2 T,

and the doubling formulae in terms of

S = Y_1 Z_1, W = 3X_1^2 + aZ_1^2, E = Y_1 S, F = X_1 E, and H = W^2 − 8F.

By a careful counting of the multiplications performed (ignoring the multiplication of a field element by a small constant), one can show that we require 15 multiplications when P_1 ≠ P_2 and 12 multiplications otherwise. This scheme uses only addition and multiplication to add two points on a curve. Only one inversion is required, at the end, to get a unique representation of the point (non-homogeneous

Input: k, P where k ∈ Z_p, P ∈ E_p

Output: kP

Let k = k_l 2^l + k_{l−1} 2^{l−1} + ... + k_1 2 + k_0 be the modified signed-digit representation of k, where k_i ∈ {−1, 0, 1}, 0 ≤ i ≤ l.

1. Q ← k_l P
2. For i ← l − 1 downto 0 Do
   {
     Q ← 2Q
     Q ← Q + k_i P
   }
3. Return (Q)

Figure 4.9: The modified signed-digit (MSD) algorithm for computing kP

coordinates). Of course, there is a memory trade-off in this scheme, as storage space is required for intermediate results. Note that addition and subtraction of points on an elliptic curve cost the same. Another speed-up option is to speed up inverse computations. Schroeppel et al. [77] give a fast algorithm to compute inverses in F_{2^n}. How this impacts inverse computations in other fields remains to be seen.
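As an added example, not code from the thesis or from [36], the following Python program carries the homogeneous-coordinate addition and doubling through on a constructed toy curve y^2 = x^3 + 2x + 3 over F_97 and counts the field multiplications. The intermediate quantities are the U, V, T, A and S, W, E, F, H named above; the way they are assembled into (X_3, Y_3, Z_3) is the standard homogeneous-coordinate formula, assumed here to be the one in [36] (the page does not reproduce it). Multiplication by the small constants 2, 3, 4 and 8 is not counted, as in the text, and the single inversion is spent only in to_affine.

```python
# Toy curve constructed for this example: y^2 = x^3 + 2x + 3 over F_97, P = (3, 6).
P_MOD, A_COEF, B_COEF = 97, 2, 3
BASE = (3, 6, 1)          # homogeneous (X : Y : Z); Z = 1 for an affine input point


class CountingField:
    """F_p arithmetic that counts general multiplications (squarings included) but
    not multiplication by small constants, matching the thesis's operation count."""

    def __init__(self, p):
        self.p, self.muls = p, 0

    def mul(self, x, y):
        self.muls += 1
        return x * y % self.p

    def smul(self, c, x):      # small-constant multiple: not counted
        return c * x % self.p

    def add(self, x, y):
        return (x + y) % self.p

    def sub(self, x, y):
        return (x - y) % self.p

    def inv(self, x):
        return pow(x, -1, self.p)


def proj_add(fp, P1, P2):
    """P1 + P2 for P1 != +-P2, in terms of the thesis's U, V, T and A. The assembly
    into (X3, Y3, Z3) is the standard homogeneous-coordinate formula (assumed)."""
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    Y2Z1, Y1Z2 = fp.mul(Y2, Z1), fp.mul(Y1, Z2)
    X2Z1, X1Z2 = fp.mul(X2, Z1), fp.mul(X1, Z2)
    U = fp.sub(Y2Z1, Y1Z2)                   # slope numerator
    V = fp.sub(X2Z1, X1Z2)                   # slope denominator
    T = fp.add(X2Z1, X1Z2)
    if V == 0:
        raise ValueError("P1 = +-P2: use proj_double or return O")
    Z1Z2 = fp.mul(Z1, Z2)
    U2, V2 = fp.mul(U, U), fp.mul(V, V)
    V3 = fp.mul(V2, V)
    A = fp.sub(fp.mul(U2, Z1Z2), fp.mul(V2, T))
    X3 = fp.mul(V, A)
    Y3 = fp.sub(fp.mul(U, fp.sub(fp.mul(X1Z2, V2), A)), fp.mul(Y1Z2, V3))
    Z3 = fp.mul(V3, Z1Z2)
    return (X3, Y3, Z3)


def proj_double(fp, P1, a=A_COEF):
    """2*P1 in terms of the thesis's S, W, E, F and H (same remark on assembly)."""
    X1, Y1, Z1 = P1
    S = fp.mul(Y1, Z1)
    W = fp.add(fp.smul(3, fp.mul(X1, X1)), fp.mul(a, fp.mul(Z1, Z1)))
    E = fp.mul(Y1, S)
    F = fp.mul(X1, E)
    H = fp.sub(fp.mul(W, W), fp.smul(8, F))
    X3 = fp.smul(2, fp.mul(H, S))
    Y3 = fp.sub(fp.mul(W, fp.sub(fp.smul(4, F), H)), fp.smul(8, fp.mul(E, E)))
    Z3 = fp.smul(8, fp.mul(fp.mul(S, S), S))
    return (X3, Y3, Z3)


def on_curve(fp, pt, a=A_COEF, b=B_COEF):
    """Projective curve equation Y^2 Z = X^3 + a X Z^2 + b Z^3."""
    X, Y, Z = pt
    Z2 = fp.mul(Z, Z)
    lhs = fp.mul(fp.mul(Y, Y), Z)
    rhs = fp.add(fp.mul(fp.mul(X, X), X),
                 fp.add(fp.mul(fp.mul(a, X), Z2), fp.mul(b, fp.mul(Z2, Z))))
    return lhs == rhs


def to_affine(fp, pt):
    """The one inversion, spent only when a canonical (x, y) is finally needed."""
    X, Y, Z = pt
    zinv = fp.inv(Z)
    return (fp.mul(X, zinv), fp.mul(Y, zinv))


def demo():
    """Count multiplications for one addition and one doubling, and cross-check
    4P computed as P + 3P against 4P computed as 2(2P)."""
    fp = CountingField(P_MOD)
    P2 = proj_double(fp, BASE)
    muls_double = fp.muls
    fp.muls = 0
    P3 = proj_add(fp, BASE, P2)
    muls_add = fp.muls
    P4a, P4b = proj_add(fp, BASE, P3), proj_double(fp, P2)
    return {
        "muls_add": muls_add, "muls_double": muls_double,
        "all_on_curve": all(on_curve(fp, Q) for Q in (P2, P3, P4a, P4b)),
        "2P": to_affine(fp, P2), "3P": to_affine(fp, P3),
        "4P_via_add": to_affine(fp, P4a), "4P_via_double": to_affine(fp, P4b),
    }
```

demo() returns 15 and 12 for the two counts, the numbers quoted in the text, and the two routes to 4P agree after normalization; the non-canonical intermediate representatives are never inverted.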

At level 2, our goal is to minimize the number of point additions and doublings used to compute kP. Recall from our addition formulae for curves over F_p (p > 3) that, when P ≠ Q, we perform 2 multiplications and 1 inversion, and when P = Q, we perform 3 multiplications and 1 inversion. Now, computing kP using algorithm MULTIPLE-ADDITION, we use ⌊lg k⌋ doublings and w(k) − 1 additions, where w(x) is the number of nonzero bits in the binary representation of x. The following algorithm, from Laih and Kuo [39], presented in Figure 4.9, improves on this by using the fact already mentioned, that subtraction of points on an elliptic curve is as easy as addition, to reduce the number of additions performed in computing kP.

It is easy to see that the algorithm uses l doublings and w(k) − 1 additions on E_p, where w(k) = Σ_{i=0}^{l} |k_i|. The goal now is to minimize w(k) so as to decrease the number of additions performed. This stems from the fact that the modified signed-digit representation (addition-subtraction chain) of an integer is not unique. Finding the minimum weight representation of an integer has been studied by several researchers. Jedwab and Mitchell [26] designed an algorithm to find a minimum weight representation of any integer k. It is presented in Figure 4.10.

Notice that the Jedwab and Mitchell algorithm returns a sparse representation. That is, no two adjacent elements are nonzero.

Example. For k = 15 (01111 in binary), the algorithm returns 1000(−1) as the minimum MSD representation of 15 after just one iteration of the while loop. This corresponds to computing 15P = 2(2(2(2P))) − P, four doublings and one subtraction. The binary method would compute 15P = P + 2(P + 2(P + 2P)), three doublings and three additions.
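The following Python program is an added example (not the thesis's code) of Figure 4.9 run over an abstract group: the group is supplied as its doubling, addition and negation maps so that the number of doublings and additions can be read off, and the additive group of integers is used to check the result, since there kP is just k·P. The sparse minimum-weight representation is produced by the standard right-to-left NAF recurrence rather than by the loop of Figure 4.10; that substitution is an assumption of the example, justified because the sparse signed-binary representation of an integer is unique and of minimum weight, so both procedures return the same digits.

```python
def naf(k):
    """Minimum-weight sparse signed-digit representation of k > 0, least
    significant digit first. Standard right-to-left NAF recurrence, used here
    (an assumption of this example) in place of the Jedwab-Mitchell loop of
    Figure 4.10; both yield the unique sparse representation."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k & 3)          # +1 if k = 1 (mod 4), -1 if k = 3 (mod 4)
            k -= d                   # k is now divisible by 4: next digit is 0
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits


def weight(digits):
    """w(k): the number of nonzero digits (additions performed + 1)."""
    return sum(1 for d in digits if d)


class OpCounter:
    """A group given by its doubling, addition and negation maps, counting the
    two operations that cost something. Negating a curve point is free, which
    is why subtraction is as cheap as addition."""

    def __init__(self, dbl, add, neg):
        self._dbl, self._add, self._neg = dbl, add, neg
        self.doublings = self.additions = 0

    def dbl(self, Q):
        self.doublings += 1
        return self._dbl(Q)

    def add(self, Q, R):
        self.additions += 1
        return self._add(Q, R)

    def neg(self, Q):
        return self._neg(Q)


def msd_multiply(G, k, P):
    """kP by the MSD algorithm of Figure 4.9: Q <- k_l P, then for each lower
    digit Q <- 2Q followed by Q <- Q + k_i P (skipped when k_i = 0)."""
    digits = naf(k)
    Q = P                                 # the leading NAF digit k_l is always +1
    for d in reversed(digits[:-1]):       # i = l - 1 down to 0
        Q = G.dbl(Q)
        if d == 1:
            Q = G.add(Q, P)
        elif d == -1:
            Q = G.add(Q, G.neg(P))        # subtraction = addition of -P
    return Q


def binary_multiply(G, k, P):
    """kP by the ordinary binary method: floor(lg k) doublings, w(k) - 1 additions."""
    Q = P
    for bit in bin(k)[3:]:                # skip the leading 1
        Q = G.dbl(Q)
        if bit == "1":
            Q = G.add(Q, P)
    return Q


def compare(k, P=1):
    """Run both methods in the additive group of integers, where kP = k * P can
    be checked directly, and return {method: (doublings, additions)}."""
    counts = {}
    for name, method in (("binary", binary_multiply), ("msd", msd_multiply)):
        G = OpCounter(lambda x: 2 * x, lambda x, y: x + y, lambda x: -x)
        if method(G, k, P) != k * P:
            raise AssertionError(f"{name} method computed kP incorrectly")
        counts[name] = (G.doublings, G.additions)
    return counts
```

For k = 15 the program reproduces the example above: naf(15) is the digit string 1000(−1), the MSD method spends 4 doublings and 1 addition, and the binary method 3 doublings and 3 additions. Because the NAF has minimum weight among all signed-binary representations, the MSD method never performs more additions than the binary method for any k, at the price of at most one extra doubling.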

Morain and Olivos [60] used the MSD representation of k to compute kP using addition and subtraction operations. They construct two integers k_− and k_+ such that k = k_+ − k_−, and computing k_+ P and k_− P requires fewer operations than computing kP directly. They found their first algorithm to be about 8.33% faster than the ordinary binary algorithm. Laih and Kuo [39] combined Jedwab and Mitchell's algorithm with the M-ary algorithm of Koyama and Tsuruoka [36] to speed up computations of kP. The M-ary algorithm [36] consists of four phases:

1. Finding a minimum weight MSD representation of k.
2. Splitting the representation into segments (windows).
3. Computing all the segments.
4. Concatenating all the segments.

Of course, Laih and Kuo's algorithm sacrifices storage space to achieve significant speed-up, since precomputations of dP for small values of d are performed and stored. Their algorithm is presented in Figure 4.11.

They found their algorithm to be 12% faster on average than ordinary addition-subtraction chains. Bos and Coster [9] and Koblitz [32] also discuss these methods. All of these algorithms

Input: k ∈ Z

Output: MSD(k) (minimum weight MSD representation of k)

1. k ← m_r 2^r + m_{r−1} 2^{r−1} + ... + m_1 2 + m_0 (ordinary binary representation of k)
2. While (consecutive pairs of nonzero elements remain) Do
   {
     s ← least integer for which m_s and m_{s+1} are nonzero
     if (m_s ≠ m_{s+1}) then
       {
         m_s ← −m_s
         m_{s+1} ← 0
       }
     else
       {
         t ← least integer for which m_t ≠ m_s and m_{t−1} = m_{t−2} = ... = m_s
         if (m_t = 0) then
           m_t ← m_s
         else
           m_t ← 0
         m_s ← −m_s
         For i ← s + 1 to t − 1 Do
           m_i ← 0
       }
   }
3. Return MSD(k)

Figure 4.10: Jedwab and Mitchell minimum MSD algorithm

Input: k, P where k ∈ Z_p, P ∈ E_p

Output: kP

Let k = m_r 2^r + m_{r−1} 2^{r−1} + ... + m_1 2 + m_0 be the minimum MSD representation of k, where m_i ∈ {−1, 0, 1}, 0 ≤ i ≤ r.

1. Choose an appropriate window size w ≤ r + 1 and precompute all elements of the form dP such that −2^w ≤ d ≤ 2^w, where d has a sparse MSD representation.
2. Let t = r − w + 1 and let k_t = Σ_{j=0}^{w−1} m_{t+j} 2^j be a span of w digits from k. Find s and d such that k_t = 2^s d where d is odd. Set Y = 2^s (dP) using one table look-up followed by s doublings.
3. Stop if t = 0. Otherwise, if the next digit m_{t−1} = 0 then set t ← t − 1, Y ← 2Y and repeat step 3.
4. If t ≥ w, then set t ← t − w; otherwise set w ← t and t ← 0.
5. Compute k_t, s, and d as in step 2, set Y ← 2^s (2^{w−s} Y + dP), and go to step 3.
6. Return (Y)

Figure 4.11: Laih and Kuo's algorithm for computing kP

can benefit from specially built processors to speed up the computations. Menezes and Vanstone [53] have noted that using optimal normal bases, Mullin et al. [62], arithmetic in the field F_{2^n} can be significantly sped up.

The usually relatively high message expansion factor of elliptic curve cryptosystems can be lowered if, instead of transmitting the x and y coordinates of a point, one transmits only the x coordinate and a single bit of the y coordinate, since, as explained in Menezes and Vanstone [53], the y coordinate can be recovered from that information. This would, for example, lower the message expansion factor of the Menezes-Vanstone cryptosystem from 2 to about 3/2.
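Point compression as just described, as an added example that is not from the thesis or from [53]: x and the least significant bit of y are transmitted, and the receiver recovers y as a square root of x^3 + ax + b, choosing between the two roots by that bit. The code assumes p ≡ 3 (mod 4), for which a square root of a residue r is r^((p+1)/4); other primes need a general root finder such as Tonelli-Shanks. The toy curve y^2 = x^3 + x + 6 over F_11 is a constructed example, and the choice of the least significant bit as the transmitted bit is this example's (the text says only "a single bit").

```python
# Toy curve constructed for this example: y^2 = x^3 + x + 6 over F_11 (p = 3 mod 4).
P_MOD, A_COEF, B_COEF = 11, 1, 6


def compress(point):
    """Transmit x and the least significant bit of y instead of the full point."""
    x, y = point
    return (x, y & 1)


def decompress(x, ybit, p=P_MOD, a=A_COEF, b=B_COEF):
    """Recover y from x and one bit. Assumes p = 3 (mod 4), so that a square root
    of a residue r is r^((p+1)/4); the result is validated, so a compressed value
    whose x is not the x-coordinate of any point is rejected rather than decoded."""
    if p % 4 != 3:
        raise ValueError("this root formula needs p = 3 (mod 4)")
    rhs = (x ** 3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)
    if y * y % p != rhs:
        raise ValueError("invalid compressed point: no point of E has this x")
    if y & 1 != ybit:
        if y == 0:                       # the two roots coincide; the bit must be 0
            raise ValueError("invalid compressed point: y = 0 has no odd root")
        y = p - y                        # p is odd, so p - y has the other parity
    return (x, y)


def roundtrip(point):
    """Compress and decompress; returns True if the original point comes back."""
    return decompress(*compress(point)) == point
```

The validation step matters: without the check y·y ≡ rhs, a non-residue x would silently decode to a pair that is not on the curve, and later arithmetic would be performed on a different curve than the one agreed.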

4.5 Generating Computationally Secure Curves

In this section we consider the construction of elliptic curves suitable for use in elliptic curve cryptosystems. We only consider curves over Z_p (p > 3), and refer the reader to Lercier [45] and Beth and Schaefer [7] for curves over F_{2^n}. To avoid attacks from Shanks's algorithm, the Pollard rho method, and the Pohlig-Hellman algorithm, the order of the subgroup generated by the base point P (cryptosystems are implemented over the cyclic subgroup generated by the base point) should be large and should not be y-smooth for small y. Of course, supersingular and anomalous curves should be avoided. The first algorithm we consider, RANDOM-CURVE, is due to Koblitz [29]. It is presented in Figure 4.12.

Koblitz's random curve selection method only makes sure that the curve is not singular; otherwise, everything is left to chance. This is clearly not adequate if we want to have confidence in the security of our cryptosystem. But, despite this fact, it can still be used for generating curves for the Diffie-Hellman and ElGamal schemes, as we do not need to know the number of points on the curve or the order of the subgroup generated by the base point. Such schemes, however, should not be used for encrypting sensitive data, since nothing rules out a smooth group order. To address these shortcomings, Koblitz [33] designed a procedure to generate curves immune against the exponential algorithms (Shanks's, the Pollard rho method, Pohlig-Hellman) and the MOV reduction. This algorithm, RANDOM-CURVE-PRIME, is presented in Figure 4.13.

Input: A large prime p

Output: (a, b) such that E_p(a, b) is an elliptic curve over Z_p, and P ∈ E_p(a, b)

1. Repeat
     Randomly choose a, x, y ∈ Z_p
     b ← y^2 − (x^3 + ax) (mod p)
   Until 4a^3 + 27b^2 ≢ 0 (mod p)
2. Set base point P ← (x, y) and E_p(a, b) to y^2 = x^3 + ax + b
3. Return ((a, b), P)

Figure 4.12: Koblitz's random curve selection method, RANDOM-CURVE

Input: A large prime p

Output: (a, b) such that E_p(a, b) is an elliptic curve over Z_p, and P ∈ E_p(a, b)

1. Repeat
     ((a, b), P) ← RANDOM-CURVE(p)
     Calculate N = #E_p(a, b) by Schoof's algorithm
   Until N is prime and p^j ≢ 1 (mod N) for 1 ≤ j ≤ lg^2 p
2. Return ((a, b), P)

Figure 4.13: Koblitz's algorithm for generating curves of prime order, RANDOM-CURVE-PRIME

Algorithm RANDOM-CURVE-PRIME's advantages are that:

- It produces curves E_p of prime order. Hence, every point (except O) is a generator, making the subgroup generated by the base point immune to the exponential algorithms when p is large.

- The index-calculus method requires exponential time, since it can be shown that the index-calculus method in F_{p^k}^* becomes fully exponential if k ≥ lg^2 p, where k is the extension degree required by the MOV reduction [2]. Hence, the generated curve is immune against the reduction attack.

However, the algorithm uses Schoof's algorithm to compute the number of points on the curve. As we have already mentioned, Schoof's algorithm is O(lg^8 p), and even after several improvements by Morain, Atkin, and others, it is still awkward to use when p is large. Note also that the test as stated does not exclude N = p, the anomalous case of Smart's attack discussed earlier, so that check must be added before the curve is used. Therefore, it seems prudent to avoid Schoof's algorithm. In particular, generating curves of known order (without using Schoof's algorithm) seems more attractive. In fact, algorithms have been designed specifically to build curves of known order, although there is a price to be paid. It turns out that the algorithms require advanced technical details that are beyond the scope of this thesis, and most have exponential running time. Interested readers should see [59, 41, 13, 7, 57, 40].

Chapter 5

Conclusion

As already stated, elliptic curve public-key cryptosystems suffer from the same deficiency affecting all other public-key cryptosystems, namely, that of low bandwidth. As such, they are slower than private-key cryptosystems and, as a result, are currently used only in digital signatures and key exchange schemes. However, they offer several advantages over their counterparts:

- They offer the highest strength-per-bit of any known public-key cryptosystem.

- The ECDLP seems, at the present time, to be harder than both the DLP and factoring. The result of this is that elliptic curve cryptosystems can offer the same level of cryptographic security as, for example, RSA, with smaller key sizes.

- There is more flexibility in choosing an elliptic curve than in choosing a finite field.

- Elliptic curves, especially those defined over F_{2^n}, lend themselves to efficient implementation both in software and in hardware [77, 31, 2, 57].

The smaller key sizes in elliptic curve cryptosystems result in smaller system parameters, smaller public-key certificates, bandwidth savings, and, most importantly, low-cost implementations that are feasible in restricted computing environments such as smart cards and wireless devices. For a performance comparison of public-key cryptosystems, see Wiener.

More recently, in 1988, Newbridge Microsystems Inc., in conjunction with Cryptech Systems Inc., Canada, manufactured a single-chip device that implements various public-key cryptosystems

based on arithmetic in the field F_{2^593}. Also, a VLSI device requiring 11,000 gates was built for performing arithmetic operations in the field F_{2^155} [2]. Harper et al. [22] describe a software implementation of the ElGamal cryptosystem over the finite field F_{2^104}. They reported encryption rates of 2 Kbits/sec on a SUN-2 SPARC-station with public keys of 105 bits. Miyaji [57] presents methods for selecting elliptic curves over prime fields suitable for implementing Schnorr's [74] signature scheme on smart cards.

As a result of this success, standards for elliptic curve systems are currently being drafted by various accredited standards bodies around the world; some of this work is summarized below.

1. Elliptic curves over Z_p and F_{2^n} are included in the draft IEEE P1363 standard (Standard Specifications for Public-Key Cryptography), which includes encryption, signature, and key agreement schemes.

2. Two work items of the American National Standards Institute (ANSI) ASC X9 (Financial Services) are drafting elliptic curve systems: ANSI X9.62, The Elliptic Curve Digital Signature Algorithm (ECDSA); and ANSI X9.63, Elliptic Curve Key Agreement and Transport Protocols.

3. The ATM (Asynchronous Transfer Mode) Forum Technical Committee's Phase 1 ATM Security Specification draft document aims at providing security mechanisms for ATM networks. Security services provided include confidentiality, authentication, data integrity, and access control. Elliptic curve systems are included in the variety of systems to be supported.

Certainly the use of elliptic curve systems by providers of information security is going to increase as these drafts become officially adopted.

Advances in factoring and in solving the ECDLP will always cast a dark shadow over these schemes. The computational complexity of these two problems is as yet unresolved. Advances in computational complexity would either result in the resolution of these problems or provide convincing evidence of the strength of either, perhaps establishing in the process a new paradigm for judging cryptographic schemes. Recently, though, our ability to carry out large arithmetic computations has grown steadily, using parallel machines and the novel idea of distributed computing, and now permits us to factor numbers with around 100 decimal digits and to compute discrete logarithms in Z_p with p having around 97 digits. At the same time, this implies that our current schemes are vulnerable only to a dramatic breakthrough in factoring and in solving the ECDLP. On the other hand, Schroeppel et al. [77] observed that, "As computing power increases, and the search capabilities of opponents improve accordingly, it is cheaper to improve the security of elliptic curve methods than to improve the security of mod p methods."

We have seen that the selection of elliptic curves for use in these cryptosystems must be performed prudently, as some curves are vulnerable to attacks.

The exact nature of the relationship between the DLP and the ECDLP is still unresolved. So far, only the MOV reduction has shed light on this problem, and only for supersingular curves. It is imperative that more research be done to resolve the nature of this relationship. At the same time, the search for other groups in which the DLP is intractable should continue. New methods for speeding up arithmetic on elliptic curves should be investigated, particularly for computing inverses in finite fields. A careful study of elliptic curves being proposed for use in cryptosystems should be performed so as to avoid pitfalls in the future; anomalous and supersingular curves come to mind.

It is also possible that new cryptosystems will be discovered that supersede elliptic curve systems, or that a new method of computation will be developed that renders factoring and the ECDLP obsolete as hard problems. In fact, Boneh and Lipton [8] extended a result of Shor's [76] to show that the ECDLP can be solved in quantum polynomial time on a quantum computer. Shor [76] had previously shown that factoring and the DLP are solvable in random quantum polynomial time on a quantum computer. A "quantum computer" is a computing device based on principles of quantum mechanics; for more information see Brassard [10].

But, at the present moment, elliptic curve cryptosystems are a good step towards achieving the ultimate goal of information technology: a paperless office.

Bibliography

[1] L. M. Adleman and J. DeMarrais. A Subexponential Algorithm for Discrete Logarithms over all Finite Fields. Mathematics of Computation, 61(203):1-15, 1993.

[2] G. B. Agnew, R. C. Mullin, and S. A. Vanstone. An Implementation of Elliptic Curve Cryptosystems Over F_{2^155}. IEEE Journal on Selected Areas in Communications, 11(5):804-813, 1993.

[3] A. V. Aho, J. E. Hopcroft, and J. D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley Pub. Co., 1974.

[4] R. Anderson and R. Needham. Robustness Principles for Public Key Protocols. In Advances in Cryptology-CRYPTO '95, volume LNCS 963, pages 236-247. Springer-Verlag New York Inc., 1995.

[5] A. O. L. Atkin and F. Morain. Elliptic Curves and Primality Proving. Mathematics of Computation, 61:29-68, 1993.

[6] E. Bach. Realistic Analysis of Some Randomized Algorithms. In Proceedings of the 19th Annual ACM Symposium on the Theory of Computing, pages 453-461, 1987.

[7] T. Beth and F. Schaefer. Non Supersingular Elliptic Curves for Public Key Cryptosystems. In Advances in Cryptology-EUROCRYPT '91, volume LNCS 547, pages 317-327. Springer-Verlag New York Inc., 1991.

[8] D. Boneh and R. Lipton. Quantum Cryptanalysis of Hidden Linear Functions. In Advances in Cryptology-CRYPTO '95, volume LNCS 963, pages 424-437. Springer-Verlag New York Inc., 1995.

[9] J. Bos and M. Coster. Addition Chain Heuristics. In Advances in Cryptology-CRYPTO '89, volume LNCS 435, pages 400-407. Springer-Verlag New York Inc., 1989.

[10] G. Brassard. A Quantum Jump in Computer Science. In J. van Leeuwen, editor, Computer Science Today, volume LNCS 1000, pages 1-14. Elsevier Science Publishers, 1995.

[11] D. M. Burton. Elementary Number Theory, 3rd Ed. Wm. C. Brown Publishers, 1994.

[12] J. W. S. Cassels. Diophantine Equations With Special Reference to Elliptic Curves. Journal of The London Mathematical Society, 41:193-291, 1966.

[13] J. Chao, K. Tanada, and S. Tsujii. Design of Elliptic Curves with Controllable Lower Boundary of Extension Degree for Reduction Attacks. In Advances in Cryptology-CRYPTO '94, volume LNCS 839, pages 50-55. Springer-Verlag New York Inc., 1994.

[14] H. Cohen. A Course in Computational Algebraic Number Theory. Springer-Verlag, 1993.

[15] D. Coppersmith. Fast Evaluation of Logarithms in Fields of Characteristic Two. IEEE Transactions on Information Theory, IT-30(4):587-594, 1984.

[16] D. Coppersmith, A. M. Odlyzko, and R. Schroeppel. Discrete Logarithms in GF(p). Algorithmica, 1:1-15, 1986.

[17] T. H. Cormen, C. E. Leiserson, and R. L. Rivest. Introduction to Algorithms. MIT Press, 1990.

[18] N. Demytko. A New Elliptic Curve Based Analogue of RSA. In Advances in Cryptology-EUROCRYPT '93, volume LNCS 765, pages 40-49. Springer-Verlag New York Inc., 1994.

[19] W. Diffie and M. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6):644-654, 1976.

[20] T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, IT-31(4):469-472, 1985.

[21] H. W. Lenstra, Jr. Factoring Integers With Elliptic Curves. Annals of Mathematics, 126:649-673, 1987.

[22] G. Harper, A. Menezes, and S. Vanstone. Public-Key Cryptosystems With Very Small Key Lengths. In Advances in Cryptology-EUROCRYPT '92, volume LNCS 658, pages 163-173. Springer-Verlag New York Inc., 1993.

[23] J. Hastad. On Using RSA With Low Exponent in a Public Key Network. In Advances in Cryptology-CRYPTO '85, volume LNCS 218, pages 403-408, 1985.

[24] K. Huber. Some Considerations Concerning The Selection of RSA Moduli. In Advances in Cryptology-EUROCRYPT '91, volume LNCS 547, pages 294-301. Springer-Verlag New York Inc., 1991.

[25] T. Jebelean. Practical Integer Division With Karatsuba Complexity. In International Symposium on Symbolic and Algebraic Computation-ISSAC '97, pages 339-341. ACM Press, 1997.

[26] J. Jedwab and C. J. Mitchell. Minimum Weight Modified Signed-Digit Representations and Fast Exponentiation. Electronics Letters, 25(17):1171-1173, 1989.

[27] B. Kaliski. A Pseudorandom Bit Generator Based on Elliptic Logarithms. In Advances in Cryptology-CRYPTO '86, volume LNCS 263, pages 84-103. Springer-Verlag New York Inc., 1987.

[28] D. E. Knuth. The Art of Computer Programming, Volume 2: Seminumerical Algorithms. Addison-Wesley Pub. Co., 1969.

[29] N. Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag New York Inc., 1987.

[30] N. Koblitz. Elliptic Curve Cryptosystems. Mathematics of Computation, 48(177):203-209, 1987.

[31] N. Koblitz. Constructing Elliptic Curve Cryptosystems in Characteristic 2. In Advances in Cryptology-CRYPTO '90, volume LNCS 537, pages 156-167. Springer-Verlag New York Inc., 1990.

[32] N. Koblitz. CM-Cumes Wtth Good Cryptognphic Properties. In Advances in Clptology-CRYPTO

'91, volume LNCS 576, pages 279-287. Springer-Verlag New York Inc., 199 1.

[33] N. Koblitz. Elliptic Curve Implementation of Zero-Knowledge BIobs, Journal of Cryptology, 4(3):207-

213, 1991.

1341 K. Koyama. Fast RSA-type Schemes Based on Singular Cubic Curves u' + a+g = z3(modn). In

Advances iri Cryptology-EUROCRYPT '95, voIume LNCS 92 1, pages 329-339. Springer-Verlag New

York Inc., 1995,

[35] K. Koyama, U. Maurer, T. Okamoto, and S. Vanstone. New Public Key Schemes Based on Elliptic

Cumes over the ring Z ,. In Advances in Cryptology-CR YPTO '91, volume LNCS 576, pages 252-266,

1991.

[36] K. Koyama and Y, Tsuruoka. Speeding Up Elliptic Cryptosystems Using a Signed Binary Window

Method. In Advarices iri Cryptology-CRYPTO '92, volume LNCS 740, pages 345-357. Springer-Verlag

New York Inc., 1992.

[37) K. Kurosawa, K. Okada, and S. Tsujii. Low Exponent Attack Against Elliptic Curve RSA. In Advances

in Ctyprology-ASIACRYPT '94, volume LNCS 9 17, pages 376-383. Springer-Verlag New York Inc.,

1995.

[38] H. Kuwakado and K. Koyama. Security of RSA-type Cryptosystems Over Elliptic Curves Against

Hastad Attack. Electmnics Leuers, 30(22): 1843- 1 844,1994.

[39] C. Laih and W. Kuo. Speeding Up The Computations of Elliptic Curve Cryptoschemes. Cornputers,

Mathematics and Applications, 33(5):29-36, 1997.

[40J K. Lam, S. Ling, and L. Hui. Efficient Generation of Elliptic Curve Cryptosystems . In Lecture Notes

in Computer Science, volume LNCS 1090, pages 4 1 1 4 16,1996.

[41] G. Lay and H. G. Zimmer. Constmcting Elliptic Curves With Given Group Order Ovet Large Finite

Fields. In Algorithmic Number Theory-AMS-I '94, volume LNCS 877, pages 25&263. Springcr-

Verlag New York Inc., 1994.

[42] A. K. Lensua. Factoring RSA-130, Email on the Number Theory Mailing List, Universitaet des

Saarlandes, 1996.

[43] A. K. Lenstra and I. H. W. Lensira. Algorithms in Number Theory. In J. V. Leeuwen, editor, Handbook

of Theoretical Computer Science, volume A: Algorithms and Complexity, pages 673-7 15. Elsevier

Science Publishers, 1990.

[44] A. K. Lenstra and J. H. W. Lenstra. The Development of the Number field Sieve, volume LNCS 1554.

Springer-Verlag New York Inc,, 1993.

Page 88: Elliptic Curve Cryptosystems: A Survey · 2005-02-10 · Abstract Elliptic curves have been a subject of much mathematical study since early in the past century. Recently, through

(451 R. Lercier. Finding Good Random Elliptic Curves For Cryptosysterns Defined Over iF2n . In Lecture

Notes in Computer Science, volume LNCS 1233, pages 379-392,1997.

[46] R. Lercier and A. Joux. Counting Points on an Elliptic Over & l d 6 3 . Email an the Number Theory

Mailing List, Universitaet des Saarlandes, June, 1998.

[471 R. Lercier and A. Joux. Discrete Logarithms modp. Ernriil on the Numbcr Theory Mailing List,

Universitaet des Saarlandes, May, 1998.

[481 R. Lercier and E Morain. Counting The Number of Points on Elliptic Curves Over Finite Fields:

stmtegies and performances. In Advances iri Cryptofogy- EUROCRYPT '95, volume LNCS 92 1, pages

78-92. Springer-Verlag New York Inc,, 1995.

1491 U. M. Matirer, Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing

Discrete Logarithms . In Advances in Cqptology-CRYPTO '94, volume LNCS 839, pages 27 1-28 1.

Springer-Veriag New York Inc., 1994.

[SOI A. Menezes. Elliptic Curve Cryptosystems. In CqproBytes. Summer lY95, volume 1, pages 1-4. RSA

Laboriitories, 1995.

[5 11 A. Menezes, T. Okamoto, and S. Vanstone. Reducing Elliptic Curve Logarithms to Logarithms in a

Finite Field. In Pmceedings of the 2Yd Annual ACM Symposium on the Theow of Computing, pages

80-89, 1991.

[52] A. J. Menezes. Efliptic Cunw Public Key Crypiosystems. Kluwer Academic Publishers. 1993.

[53] A. J. Menezes and S. A. Vanstone. Eljiptic Curve Cryptosystems and Their Irnplemcntation. Joirrnal

of Cryptology, 6:209-224, 1993.

[54] B. Meyer and V. Muller. A Public Key Cryptosystem Based on Elliptic Curves over 2 /nZ Equivalent

to Factoring . In Advances in Cryptology-EUROCRYPT '96, pages 49-59, 1996.

[SS] G. L. Miller. Riemann's Hypothesis and Tests for Primality. Journal of Computer and System Science,

13:3W317, 1976.

[S6] V. S. Miller. Use of Elliptic Curves in Cryptography. In Advances in Cryptology-CRYPTO '85, volume

LNCS 2 18, pages 4 17426. Springer-Verlag New York Inc., 1986.

[57] A. Miyaji. Elliptic Curves Over iFp Suitable for Cryptosystems. In Advances in Cvptology-AUSCRYPT

'92. volume WCS 7 18, pages 479-49 1. Springer-Verlag New York Inc.. 1993.

[5 81 A. Mi y aji. On Secure and Fast Elliptic Curve Cryptosy stems Over F, . IElCE Transactions Fundamen-

tals, E77-A(4):630-635,1994.

[59] F. Morain. Building Cyclic Elliptic Curves Modulo Large Rimes. In Advances in Cryptology-

EUROCRYPT '91, volume LNCS 547, pages 328-336. Springer-Verlag New York Inc., 199 1.

Page 89: Elliptic Curve Cryptosystems: A Survey · 2005-02-10 · Abstract Elliptic curves have been a subject of much mathematical study since early in the past century. Recently, through

[60] F. Morain and J. Olivos. Speeding Up The Computations on Elliptic Curves Using Addition-Subtraction

Chahs. Informatique ThPorique et Application/Theoretical Informatics and Applications. 24(6):53 1-

644, 1990.

[6 11 R. Motwani and P. Rhaghavan. Randomized Algorirhrns. Cambridge University Press, 1995.

[62) R. Mullin, 1. Onyszchuk, S. Vanstone, and R. Wilson. Optimal Normal Bases in GF(pn). Discrete

Applied Mathematics, 22: 149- 16 1, 1989.

[63] A. M. Odlyzko. The Future of lnteger Factorization. In Cryptdytes, Suninier 1995, volume 1. pages

5-9. RSA Lriboratories, 1995.

[641 S. C. Pohlig and M. Hellman. An Improved Algorithm for Computing Logarithms Over GF(p) and its

Cryptographie Significance. IEEE Transucrions on Informatiori Theory. IT-24: 1 0 6 - 1 10, 1978.

[65] S. Pollard. Monte Carlo Methods for Index Computation modp. Mathenurrics of Cornputation.

32:9 18-924, 1978.

[661 C. Pomerance. The Quadratic Sieve Factoring Algorithm. In T. Beth and 1. Ingemmson, editors,

Advances iri Cryptology, volume WCS 209, pages 169-182. Elsevier Science Publishers, 1985.

[67] G. J. E. Rawlins. Compared tu What? an introduction to the analysis of algorithnis. Computer Science

Press, 1992.

[68] R. L. Rivest. Cryptography. In J. V. Leeuwen, editor, Handbook of Thtorericul Computer Science,

volume A: Algorithms and Complexity, pages 7 17-767. Elsevier Science Publishers, 1990.

[691 R. L. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key

Cryptosystems. Communication of the ACM, 2 l(2): 12& 126, 1978.

(701 S. Roman. Field Theory. Springer-Verlag New York Inc., 1995.

[7 11 M. Saeki. Elliptic Curve Cryptosystems. Master's thesis, McGill University, 1997.

[72] A. SaIomaa. Public-Key Cryptogmphy. 2nd Ed. Springer-Verlag New York Inc.. 1996.

[73] B. Schneier. Applied Cryptograpliy, 2nd Ed John Wiley & Sons Inc., 1996.

[74] C. Schnorr. Efficient Signature Genemtion By Smm Crirds. Journal of Cryptology, 4: 16 1- 174, 199 1.

[75] R. Schoof. Elliptic Curves Over Finite FieIds and the Computation of Square Rmts modp. Marhemat-

ics of Computation, 44( 1 70):483494,1985.

[76] P. W. Schor. Algorithms For Quantum Computation: Discrete Logarithms and Factoring. In Pm-

ceedings of the 35th Annual IEEE Symposium on Foundàtions of Computer Science, pages 124- 134,

1 994.

[77 R. Schroeppel, H. Ormm, S. O'Malley, and 0. Spatscheck. Fat Key Exchange With Elliptic Cwve

Systems. In Advances in Cryptology-CRYPTO '95, volume LNCS 963, pages 43-56. Springer-Verlag

New York Inc., 1995.

Page 90: Elliptic Curve Cryptosystems: A Survey · 2005-02-10 · Abstract Elliptic curves have been a subject of much mathematical study since early in the past century. Recently, through

1781 D. Shanks. Class Number. A Theory of Factorization and Genen. In Pmceedings of the AMS Sympo-

sium on Pure Math, volume 20, pages 4 1 5 4 0 , 197 1.

[79) V. Shoup. A New Polynomial Factorization Algorithm and its Irnplementation. Journal of Symbolic

Cornpurarion, 20:363-397, 1995.

[80] J. H. Silverman. The Arirhmetic of Elliptic Curves. Springer-Verlag New York Inc., 1986.

[8 1 ] J. H. Silverman and J. Tate. Rational Points on Elliptic Curves. Springer-Veriag New York Inc., 1992.

[82] R. D. Silverman. Genemtion of Random, Strong RSA Primes. In CryptoBytes, Spring 1997, volume 3.

pages 9- 1 3. RSA Laboratories, 1997.

[83] N. P. Smart. The Discrete Logsuithm Problem on Elliptic Curves of Trace One. Email Correspondence,

1997.

[84] D. Stinson. Cryptography: rheory and practice. CRC Press Inc., 1995.

[85] P. van Oorschot rind M. Wiener. ParaIlel Collision Search With Application to Hash Functions and

Dismie Logarithrns. In 2nd ACM Conference on Computcr and Communications Security, 1994.

[861 S . A. Vanstone and R. J. Zucchento. Elliptic Curve Cryptosystem Using Curves of Smooth Order over

the ring Z ,,. IEEE Transactions on Information Theory, IT-43(4): 123 1- 1 237. 1997.

[87] K. Weber. The Accelerated Intcger GCD Algorithm. ACM Transacrions on Marhematical Sufiware,

21(1):111-122,1995.

[88] M. J. Wiener. Performance Camparison of Public-Key Cryptosystems. In CryptoBytes, Summer 1998,

volume 4, pages 1-5. RSA Laboratories, 1998.

[891 A. Wiles. Modulrv Elliptic Curves rind Fermat's L a t Theorem. Annals of Mathematics, 14 1 :443-55 1,

1995.

[go] A. Wilcs and R. Taylor. Ring-Theoretic Properties of Certain Hecke Algebras. Annals of Matheniatics,

14 1553-572.1995.

[QI] H. S. Wilf. Algorithm and Complerity. Rentice-Hall Inc., 1986.

