Accelerating the CM method
Given a prime q and a negative discriminant D, the CM method constructs an
elliptic curve E/\Fq by obtaining a root of the Hilbert class polynomial H_D(X)
modulo q. We consider an approach based on a decomposition of the ring class
field defined by H_D, which we adapt to a CRT setting. This yields two
algorithms, each of which obtains a root of H_D mod q without necessarily
computing any of its coefficients. Heuristically, our approach uses
asymptotically less time and space than the standard CM method for almost all
D. Under the GRH, and reasonable assumptions about the size of log q relative
to |D|, we achieve a space complexity of O((m+n)log q) bits, where mn=h(D),
which may be as small as O(|D|^(1/4)log q). The practical efficiency of the
algorithms is demonstrated using |D| > 10^16 and q ~ 2^256, and also |D| >
10^15 and q ~ 2^33220. These examples are both an order of magnitude larger
than the best previous results obtained with the CM method.
Comment: 36 pages, minor edits, to appear in the LMS Journal of Computation
and Mathematic
Computing Hilbert class polynomials with the Chinese Remainder Theorem
We present a space-efficient algorithm to compute the Hilbert class
polynomial H_D(X) modulo a positive integer P, based on an explicit form of the
Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the
algorithm uses O(|D|^(1/2+o(1))log P) space and has an expected running time of
O(|D|^(1+o(1))). We describe practical optimizations that allow us to handle
larger discriminants than other methods, with |D| as large as 10^13 and h(D) up
to 10^6. We apply these results to construct pairing-friendly elliptic curves
of prime order, using the CM method.
Comment: 37 pages, corrected a typo that misstated the heuristic complexit
Grained integers and applications to cryptography
To meet the requirements of the modern communication society, cryptographic techniques are of central importance. In modern cryptography, we try to build cryptographic primitives whose security can be reduced to solving a particular number theoretic problem for which no fast algorithmic method is known by now. Thus, any advance in the understanding of the nature of such problems indirectly gives insight into the analysis of some of the most practical cryptographic techniques. In this work we analyze exactly this aspect much more deeply: How can we use some of the purely theoretical results in number theory to answer very practical questions on the security of widely used cryptographic algorithms, and how can we use such results in concrete implementations? While trying to answer these kinds of security-related questions, we always think two-fold: from a cryptographic, security-ensuring perspective and from a cryptanalytic one. After outlining -- with a special focus on the historical development of these results -- the necessary analytic and algorithmic foundations of number theory, we first delve into the question of how point addition on certain elliptic curves can be done efficiently. The resulting formulas have their application in the cryptanalysis of cryptosystems that are insecure if factoring integers can be done efficiently. The rest of the thesis is devoted to the study of integers all of whose prime factors are neither too small nor too large. We show with the help of two applications how one can use the properties of such kinds of integers to answer very practical questions in the design and the analysis of cryptographic primitives: the optimization of a hardware realization of the cofactorization step of the General Number Field Sieve and the analysis of different standardized key-generation algorithms.
Primality Tests on Commutator Curves
This thesis is about efficient primality tests.
First, the commutator curve which is described by one scalar parameter in
the two-dimensional special linear group will be introduced. After
fundamental research of this curve, it will be included into different
compositeness tests (e.g. Fermat's test, Solovay-Strassen test). The most
important commutator test is the Commutator Curve Test. Besides, it will be
proved that this test after a fixed number of trial divisions (all prime
numbers up to 80) returns the result 'true' for a composite number with a
probability less than 1/16.
Moreover, it will be shown that Miller's test to check a number n only has
to be carried out for all prime bases less than 3/2*ln(n)^2. This happens
under the assumption that the Extended Riemann Hypothesis is true. The
necessity of the Extended Riemann Hypothesis to prove the primality test of
G. L. Miller can be reduced to a single key lemma.