
Example 5.19 Field

We have seen that [x]_{x^8 + x^4 + x^3 + x + 1} (in Example 5.18) is the set of all polynomials modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1 over and has 2^8 elements. Now we know that is also a field of 2^8 elements and can be represented by the following space

where q is a root of (e.g.) the equation x^8 + x^4 + x^3 + x + 1 = 0, and the scalars

. Clearly, these two fields are isomorphic; in particular, we can also use a byte to represent an element in the latter representation of .

In Example 5.18 we mentioned that multiplication in is a bit complicated: it needs reduction modulo a polynomial, which requires the Euclidean algorithm for polynomial division. Multiplication in spanned from a polynomial basis can be easier: straightforwardly multiply the two elements and rewrite any resultant terms q^i with i > 7 as a linear combination of the basis 1, q, …, q^7.

For example, let us compute '57' · '83', or

Since

we have the following linear combinations (notice –1 = 1 in ):


Modern Cryptography: Theory and Practice, by Wenbo Mao, Hewlett-Packard Company

Publisher: Prentice Hall PTR. Pub Date: July 25, 2003

ISBN: 0-13-066943-1. Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

That is, we have '57' · '83' = 'C1'.
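The basis-reduction multiplication described above, as an added Python example that is not part of the book: a byte holds the coefficients of 1, q, …, q^7, the two elements are multiplied as polynomials over F_2, and every term q^i with i > 7 is rewritten through q^8 = q^4 + q^3 + q + 1 (the reduction byte 0x1B and the function names are this example's own choices; 0x11B is simply the modulus x^8 + x^4 + x^3 + x + 1 written as a bit string). The example also derives inverses by exponentiation, which the passage does not show.

```python
MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1 as bits 8,4,3,1,0


def gf_mul(a, b):
    """Multiply two bytes in the field spanned by 1, q, ..., q^7, where q is a
    root of x^8 + x^4 + x^3 + x + 1 (the field used in Example 5.19)."""
    # Step 1: carry-less product over F_2; the result may reach degree 14.
    prod = 0
    for i in range(8):
        if (b >> i) & 1:
            prod ^= a << i
    # Step 2: replace each q^i with i > 7 by its linear combination of the basis.
    # q^i = q^(i-8) * q^8 = q^(i-8) * (q^4 + q^3 + q + 1), so XOR-ing in
    # MODULUS << (i-8) clears bit i and adds exactly those lower-degree terms.
    for i in range(14, 7, -1):
        if (prod >> i) & 1:
            prod ^= MODULUS << (i - 8)
    return prod


def basis_form(i):
    """The byte representing q^i in the basis 1, q, ..., q^7 (q itself is 0x02)."""
    return gf_pow(0x02, i)


def gf_pow(a, e):
    """Square-and-multiply exponentiation in the field."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse: the group of nonzero elements has 255 members,
    so a^255 = 1 and a^254 is the inverse of a."""
    if a == 0:
        raise ValueError("0 has no inverse")
    return gf_pow(a, 254)


if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)))   # the product computed in the text
    print(hex(basis_form(8)))        # q^8 expressed in the basis
    print(hex(gf_inv(0x53)))
```

Running the module prints 0xc1 for '57' · '83', matching the text; basis_form(8) gives 0x1B, which is the bit pattern of q^4 + q^3 + q + 1.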

We now provide a remark as a summary on our study of finite fields.

Remark 5.2

We have studied two methods for constructing finite fields: field modulo an irreducible polynomial (§5.4.2) and field spanned from a polynomial basis (§5.4.3). In our study of finite fields we have used to denote a field of the latter construction. However, under isomorphism, two fields of the same number of elements can be viewed without difference. Therefore from now on, we will denote by any finite field of q elements where q is a prime power.

5.4.4 Primitive Roots

We asserted in §4.5 that the complete factorization of n – 1 provides a piece of "internal information" (i.e., auxiliary input for verifying a problem in ) for answering whether n is prime with an efficient deterministic algorithm. Now with the knowledge of finite fields, that assertion can be easily proved.

Theorem 5.11

The multiplicative group of field is cyclic.

Proof By Theorem 5.9(iii), the entire roots of polynomial x^{p^n – 1} – 1 = 0 form . However, the entire roots of this polynomial are the p^n – 1 distinct (nontrivial) roots of 1, spread over the unity circle. So there exists a (p^n – 1)-th root of 1, which generates the group . Hence is cyclic.

Definition 5.24: Primitive Root A multiplicative generator of the group is called a primitive root of field .

Theorem 5.12

Let n be a positive integer with n – 1 = r_1 r_2 … r_k as the complete prime factorization of n – 1 (some of the prime factors may repeat). Then n is prime if and only if there exists a positive integer a < n such that a^{n–1} ≡ 1 (mod n) and a^{(n–1)/r_i} ≢ 1 (mod n) for i = 1, 2, …, k.

Proof (⇒) If n is prime, then by Theorem 5.11, the group ( )* is cyclic and has a generator which is an (n – 1)-th root of 1. Denoting this root by a, a satisfies the conditions in the theorem statement.

(⇐) Let integer a < n satisfy the conditions in the theorem statement. Then a, a^2, …, a^{n–1} are


Suppose otherwise a^{j–i} ≡ 1 (mod n) for some i, j with 0 < j – i < n – 1; then by Definition 5.9 ord(a) | (j – i) | (n – 1), contradicting the conditions in the theorem statement. Now we know that {a, a^2, …, a^{n–1}} is a multiplicative group of n – 1 elements (multiplication modulo n). This group can contain at most φ(n) elements. So φ(n) = n – 1. Hence n is prime by definition of Euler's function (Definition 5.11).

Theorem 5.12 suggests an efficient algorithm for finding a primitive root modulo a prime p, i.e., a generator of the group . The algorithm is specified in Alg 5.1.

By Theorem 5.2(4), we know that in the group there are exactly φ(p – 1) elements of order p – 1, and these elements are generators of the group. Therefore Alg 5.1 is expected to terminate in

(see e.g., page 65 of [198]) steps of recursive calls. Since the number of prime factors of p – 1 is bounded by log p, the time complexity of the algorithm is bounded by O_B((log p)^4 log log p).

Algorithm 5.1: Random Primitive Root Modulo Prime

INPUT p: a prime; q_1, q_2, …, q_k: all prime factors of p – 1;

OUTPUT g: a random primitive root modulo p.

PrimitiveRoot(p, q_1, q_2, …, q_k)

1. pick g ∈_U [2, p – 1);

2. for ( i = 1, i++, k ) do
       if ( g^{(p–1)/q_i} ≡ 1 (mod p) ) return( PrimitiveRoot(p, q_1, q_2, …, q_k) );

3. return( g ).
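Theorem 5.12 and Alg 5.1 share one ingredient, the prime factors of n – 1 (respectively p – 1), so the following added Python example (not from the book) implements both on top of a small trial-division factoring helper: lucas_certificate_ok checks one base a against the conditions of Theorem 5.12, find_lucas_witness searches for such a base, and primitive_root is Alg 5.1 written as a retry loop rather than a recursive call. The function names, the trial-division factoring and the brute-force order computation are this example's own; the sample moduli 23, 15 and 91 are constructed for the demo.

```python
import random


def prime_factors(n):
    """Distinct prime factors of n by trial division. Adequate for the toy moduli
    here; Theorem 5.12 and Alg 5.1 take the factorization as given input."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def lucas_certificate_ok(n, a, factors):
    """Theorem 5.12 for one candidate a: a^(n-1) == 1 (mod n) and
    a^((n-1)/r_i) != 1 (mod n) for every prime r_i dividing n-1."""
    if not 1 <= a < n:
        return False
    if pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, (n - 1) // r, n) != 1 for r in factors)


def find_lucas_witness(n):
    """Smallest a < n certifying n prime, or None when no such a exists
    (which, by Theorem 5.12, happens exactly when n is composite)."""
    factors = prime_factors(n - 1)
    for a in range(1, n):
        if lucas_certificate_ok(n, a, factors):
            return a
    return None


def primitive_root(p, factors, rng=random):
    """Alg 5.1 as a loop: draw g uniformly from [2, p-1) and accept it unless
    g^((p-1)/q_i) == 1 (mod p) for some prime factor q_i of p-1."""
    if p < 5:               # [2, p-1) is empty for p = 2, 3; there p-1 generates
        return p - 1
    while True:
        g = rng.randrange(2, p - 1)
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g


def multiplicative_order(g, p):
    """Order of g modulo p by repeated multiplication (toy sizes only)."""
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k


if __name__ == "__main__":
    p = 23
    qs = prime_factors(p - 1)         # [2, 11]
    print("Lucas witness for 23:", find_lucas_witness(p))
    print("Lucas witness for 15:", find_lucas_witness(15))
    g = primitive_root(p, qs)
    print("primitive root", g, "has order", multiplicative_order(g, p))
```

For p = 23 the bases 2, 3 and 4 all fail the second condition because their order divides 11, and 5 is the first base that passes; every g returned by primitive_root has order exactly 22, which is the property Theorem 5.2(4) counts φ(22) = 10 elements for.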


5.5 Group Constructed Using Points on an Elliptic Curve

A class of groups which are very important to modern cryptography is those constructed by points on elliptic curves. Miller [203] and Koblitz [166] originally suggested using elliptic curve groups for realizing public-key cryptography.

Elliptic curves for cryptography are defined over finite algebraic structures such as finite fields. For ease of exposition, let us confine ourselves to the easy case of prime fields of characteristic greater than 3. Such a curve is the set of geometric solutions P = (x, y) to an equation of the following form

Equation 5.5.1

where a and b are constants in (p > 3) satisfying 4a^3 + 27b^2 ≢ 0 (mod p)[a]. To have the points on E form a group, an extra point denoted by O is included. This extra point is called the point at infinity and can be formulated as

[a] Reason to be given after Definition 5.25.

So for the group format, we write

Equation 5.5.2

This set of points forms a group under a group operation which is conventionally written additively using the notation "+". We will define the operation in a moment.

Denote by f(x) the cubic polynomial on the right-hand side of (5.5.1). If f(x) is reducible over then for ξ being a zero of f(x) (i.e., f(ξ) ≡ 0 (mod p)), point (ξ, 0) ∈ E. We will see in a moment that these points have order 2 under the group operation "+". Since f(x) is a cubic polynomial, there are at most three such points (either 1 or 3 depending on the reducibility of f(x) over ; answer why by doing Exercise 5.13).


residue element in (i.e., a square number modulo p, see §6.5). In such cases, for each such h, there are two distinct solutions for y (every quadratic residue element in has two square roots modulo p, see Corollary 6.2). Since f(h) is a constant, the two square roots will be √f(h) and –√f(h). Thus, we can denote the two solution points by (h, √f(h)) and (h, –√f(h)).

To this end we know that the points on the curve are O, (ξ, 0), (h, √f(h)) and (h, –√f(h)) for all ξ, h in satisfying f(ξ) ≡ 0 (mod p) and f(h) being a quadratic residue in .

5.5.1 The Group Operation

The set E defined in (5.5.2) forms an abelian group under the operation "+" defined as follows.

Definition 5.25: Elliptic Curve Group Operation ("tangent and chord method") Let P, Q ∈ E, l be the line containing P and Q (the tangent line to E if P = Q), and R the third point of intersection of l with E. Let l' be the line connecting R and O. Then P "+" Q is the point such that l' intersects E at R, O and P "+" Q.

For the moment let us suppose that under Definition 5.25, (E, "+") does form a group. We should first explain why we have required the coefficients of the cubic polynomial in (5.5.1) to satisfy 4a^3 + 27b^2 ≢ 0 (mod p). Notice that

is the discriminant of the cubic polynomial f(x) = x^3 + ax + b. If D = 0 then f(x) = 0 has at least a double zero X (a root which makes f(X) = 0) and clearly (X, 0) is on E. For F(x, y) = y^2 – x^3 – ax – b = 0, this point satisfies

That is, (X, 0) is a singular point at which there is no definition for a real tangent value. With the tangent-and-chord operation failing at the singular point (X, 0), E cannot be a group.

Fig 5.1 illustrates the tangent-and-chord operation. The top curve is the case of D < 0 (the cubic polynomial has only one real root) and the lower, D > 0. We have intentionally plotted the curves as dotted lines to indicate that the set of points is discrete. The discrete points are called rational points. Their number is finite (see (5.5.6) to be given in a moment).
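The following Python is an added example, not the book's own code. It enumerates the rational points of a curve of the form (5.5.1) over a small prime field in exactly the three kinds the text describes (O, the points (ξ, 0) with f(ξ) ≡ 0, and the pairs (h, ±√f(h)) with f(h) a quadratic residue), refuses singular curves with 4a^3 + 27b^2 ≡ 0 (mod p), and checks that the (ξ, 0) points have order 2 under "+". The affine addition formulas in ec_add are the standard algebraic form of the tangent-and-chord rule, which the book defines only geometrically at this point, so those formulas, the function names and the two sample curves (y^2 = x^3 – x over F_5 and y^2 = x^3 + x + 6 over F_11) are this example's own constructions.

```python
def is_singular(p, a, b):
    """y^2 = x^3 + ax + b over F_p is singular iff 4a^3 + 27b^2 == 0 (mod p)."""
    return (4 * a**3 + 27 * b**2) % p == 0


def curve_points(p, a, b):
    """All rational points of E: O (represented as None), the points (xi, 0)
    where f(xi) == 0, and the pairs (h, y), (h, p - y) where f(h) is a square."""
    if is_singular(p, a, b):
        raise ValueError("4a^3 + 27b^2 == 0 (mod p): singular curve, not a group")
    points = [None]
    for x in range(p):
        rhs = (x**3 + a * x + b) % p          # f(x)
        for y in range(p):
            if y * y % p == rhs:              # y is a square root of f(x)
                points.append((x, y))
    return points


def order_two_points(p, a, b):
    """The points (xi, 0): at most three of them, one per zero of the cubic f(x)."""
    return [P for P in curve_points(p, a, b) if P is not None and P[1] == 0]


def ec_add(P, Q, p, a):
    """Tangent-and-chord addition in affine coordinates (standard formulas,
    assumed here rather than taken from the page). None stands for O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        # Q = -P: the chord (the tangent when y1 == 0) is vertical, so P + Q = O.
        # This is why every (xi, 0) has order 2.
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # slope of the tangent
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # slope of the chord
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p                        # reflect the third point
    return (x3, y3)


def point_order(P, p, a):
    """Smallest k >= 1 with kP = O, by repeated addition (toy curves only)."""
    k, R = 1, P
    while R is not None:
        R = ec_add(R, P, p, a)
        k += 1
    return k


if __name__ == "__main__":
    p, a, b = 5, 4, 0                      # y^2 = x^3 - x over F_5 (a = -1 mod 5)
    pts = curve_points(p, a, b)
    print(len(pts), "points:", pts)
    for P in order_two_points(p, a, b):
        print(P, "has order", point_order(P, p, a))
    print("order of (2, 1):", point_order((2, 1), p, a))
```

On y^2 = x^3 – x over F_5 the cubic splits completely, so all three points (0, 0), (1, 0), (4, 0) appear and each has order 2, while (2, 1) has order 4 with 2·(2, 1) = (0, 0); the curve y^2 = x^3 + x + 6 over F_11 has 13 points and no point of order 2, which is consistent with a group of prime order.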
