Presentation is loading. Please wait.

Presentation is loading. Please wait.

Selecting Class Polynomials for the Generation of Elliptic Curves Elisavet Konstantinou joint work with Aristides Kontogeorgis Department of Information.

Published byMegan Scott Modified over 8 years ago

Similar presentations

Presentation on theme: "Selecting Class Polynomials for the Generation of Elliptic Curves Elisavet Konstantinou joint work with Aristides Kontogeorgis Department of Information."— Presentation transcript:

1 Selecting Class Polynomials for the Generation of Elliptic Curves Elisavet Konstantinou joint work with Aristides Kontogeorgis Department of Information and Communication Systems Engineering University of the Aegean

2 2 Why Elliptic Curves? More Efficient (smaller parameters) More Efficient (smaller parameters)Faster Less Power and Computational Consumption Cheaper Hardware (Less Silicon Area, Less Storage Memory)

3 3 Frequent Generation of ECs Requests different EC parameters (due to security requirements, vendor preferences/policy etc.) Frequent change of parameters calls for strict timing response constraints

4 4 Generation of ECs The goal is to determine the following parameters of an EC y 2 = x 3 + ax + b The order p of the finite field F p. The order m of the elliptic curve. The coefficients a and b.

5 5 Generation of secure ECs Cryptographic Strength suitable order m Suitable order m = nq where q a prime > 2 160 m  p p k ≢ 1 (mod m) for all 1  k  20 The above conditions guarantee resistance to all known attacks Sometimes, a prime m may be additionally required

6 6 Generation of ECs Point Counting methods: Rather slow (with ) ECs have to be tried before a prime order EC is found in F p Complex Multiplication (CM) method: Rather involved implementation, but more efficient first the order is selected and then the EC is constructed

7 7 Complex Multiplication method Input:a prime p Class polynomial Hilbert polynomial Transform the roots Construct the EC Determine D s.t. 4p=x 2 +Dy 2 for x,y integers EC order m=p+1  x Is the order m suitable? NO YES

8 8 Class field polynomials   Class field polynomials: polynomials with integer coefficients whose roots (class invariants) generate the Hilbert class field of the imaginary quadratic field K = Q( ).  Drawback  Drawback of Hilbert polynomials: large coefficients; time consuming construction; difficult to implement in devices of limited resources. much smaller  other class field polynomials: much smaller coefficients.

9 9 Class field polynomials Alternative class field polynomials: 1)Weber polynomials 2)M D,l (x) polynomials 3)M D,p1,p2 (x) polynomials or Double eta polynomials 4)Ramanujan polynomials T D (x) All are associated with a modular polynomial Φ(x, j) that transforms a root x of these polynomials to a root j of the Hilbert polynomial.

10 10 An example (D = 292) W 292 (x) = x 4 - 5x 3 - 10x 2 - 5x + 1 H 292 (x) = x 4 - 2062877098042830460800 x 3 - 93693622511929038759497066112000000x 2 + 45521551386379385369629968384000000000x 380259461042512404779990642688000000000000

11 11 Congruences for D D ≢ 0 mod 3 D  0 mod 3 d = D/4 if D  0 mod 4 d = D if D  3 mod 4 M D,l polynomials Ramanujan polynomials Double eta polynomials D  0 mod l Weber polynomials 1 2 or 6 3 5 7 d mod 8 1 2 or 6 3 5 7 d mod 8 D  11 mod 24

12 12 Hilbert polynomials satisfies the equation (primitive, reduced quadratic forms) D [ a, b, c] h THEOREM: A Hilbert polynomial with degree h, has exactly h roots modulo p if and only if the equation 4p=x 2 +Dy 2 has integer solutions.

13 13 Weber polynomials g is defined by the Weber functions f, f 1 and f 2 satisfies the equation [ a, b, c ] Dh or 3h (quadratic forms) The degree of Weber polynomials is 3 times larger than the degree of the corresponding Hilbert polynomials when D ≡ 3 mod 8.

14 14 M D,l (x) polynomials whereand e depends on l satisfies the equation (primitive, reduced quadratic forms) D [a, b, c] h [A, B, C] 2 transf. divisible by l each root R M is transformed to a Hilbert root R H with a modular equation:

15 15 M D,p1,p2 (x) polynomials where primes and satisfies the equation (primitive, reduced quadratic forms) D [a, b, c] h [A, B, C] 2 transf. each root R Md is transformed to a Hilbert root R H with a modular equation (which has large coefficients and degree at least 2 in R H ):

16 16 Ramanujan polynomials T D (x) THEOREM: The Ramanujan value t n is a class invariant for n  11 mod 24. Its minimal polynomial is equal to: satisfies the equation and the construction of the function t() is based on modular functions of level 72.

17 Precision Requirements Bit precision for the construction of polynomials EQUAL to logarithmic height of the polynomials 17 Bit precision for the Hilbert polynomials:

18 Precision Requirements “Efficiency” of a class invariant is measured by the asymptotic ratio of the logarithmic height of a root of the Hilbert polynomial to a root of the class invariant. Asymptotically, one can estimate the ratio of the logarithmic height h(j(τ)) of the algebraic integer j(τ) to the logarithmic height h(f(τ)) of the algebraic integer f(τ). Namely, 18

19 Precision Requirements Let H(P f ) be the logarithmic height of the minimal polynomial of the algebraic integer f(τ) and H(P j ) the logarithmic height of the corresponding Hilbert polynomial. Then, where m = 1 if f(τ) generates the Hilbert class field and m = extension degree when f(τ) generates an algebraic extension of the Hilbert class field. 19

20 Precision Requirements We can derive the precision requirements for the construction of every class polynomial by the equation In all cases m = 1, except when D ≡ 3 mod 8 for Weber polynomials. 20

21 Ramanujan polynomials The modular equation for Ramanujan polynomials is: Therefore, the value r(f) = 36. Also, since the degree of Ramanujan polynomials is equal to the degree of Hilbert polynomials, the value m = 1. Theoretically, there is a limit for r(f) ≤ 96. The best known value is r(f) = 72 for Weber polynomials with D ≡ 7 mod 8. 21

22 Precision Estimates 22

23 Precision Estimates 23

24 Precision Estimates 24

25 Experiments

26 26 Construction of polynomials (bit prec.)

27 27 Construction of polynomials (bit prec.)

28 28 Experimental observations The precision requirements for the construction of Ramanujan polynomials are on average 66%, 42%, 32% and 22% less than the precision requirements of M D,13 (x), Weber, M D,5,7 (x) and M D,3,13 (x) respectively. The percentages are much larger when other M D,l (x) and M D,p1,p2 (x) polynomials are used. The same ordering is true for the storage requirements of the polynomials with one exception: Weber polynomials.

29 29 Conclusions Ramanujan polynomials clearly outweigh all previously used polynomials when D ≡ 3 mod 8 and they are by far the best choice in the generation of prime order ECs. The congruence modulo 8 of the discriminant is crucial for the size of polynomials and this affects the efficiency of their construction.

30 Thank you for your attention!

Download ppt "Selecting Class Polynomials for the Generation of Elliptic Curves Elisavet Konstantinou joint work with Aristides Kontogeorgis Department of Information."

Similar presentations

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
Notes 6.6 Fundamental Theorem of Algebra

Notes 6.6 Fundamental Theorem of Algebra
The Complex Number System

The Complex Number System
Cryptography and Network Security

Cryptography and Network Security
Rational Root Theorem.

Rational Root Theorem.
SECTION 3.6 COMPLEX ZEROS; COMPLEX ZEROS; FUNDAMENTAL THEOREM OF ALGEBRA FUNDAMENTAL THEOREM OF ALGEBRA.

SECTION 3.6 COMPLEX ZEROS; COMPLEX ZEROS; FUNDAMENTAL THEOREM OF ALGEBRA FUNDAMENTAL THEOREM OF ALGEBRA.
Efficient generation of cryptographically strong elliptic curves Shahar Papini Michael Krel Instructor : Barukh Ziv 1.

Efficient generation of cryptographically strong elliptic curves Shahar Papini Michael Krel Instructor : Barukh Ziv 1.
1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel:03- 5742968, Fax : 886-3-572-3694.

1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Zeros of Polynomial Functions Section 2.5. Objectives Use the Factor Theorem to show that x-c is a factor a polynomial. Find all real zeros of a polynomial.

Zeros of Polynomial Functions Section 2.5. Objectives Use the Factor Theorem to show that x-c is a factor a polynomial. Find all real zeros of a polynomial.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.
Forward Error Correction Steven Marx CSC45712/04/2001.

Forward Error Correction Steven Marx CSC45712/04/2001.
Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.

Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.
6.5 & 6.6 Theorems About Roots and the Fundamental Theorem of Algebra

6.5 & 6.6 Theorems About Roots and the Fundamental Theorem of Algebra
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.

1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
Zeros of Polynomial Functions

Zeros of Polynomial Functions
Solving Polynomial Equations. Fundamental Theorem of Algebra Every polynomial equation of degree n has n roots!

Solving Polynomial Equations. Fundamental Theorem of Algebra Every polynomial equation of degree n has n roots!
Section 5.6 – Complex Zeros; Fundamental Theorem of Algebra Complex Numbers Standard form of a complex number is: a + bi. Every complex polynomial function.

Section 5.6 – Complex Zeros; Fundamental Theorem of Algebra Complex Numbers Standard form of a complex number is: a + bi. Every complex polynomial function.
General Results for Polynomial Equations

General Results for Polynomial Equations

Similar presentations

Ads by Google