1. No category

Finite fields, Permutation Polynomials. Computational aspects with

Public Key Cryptography
Dhahran, March 1, 2004
Finite fields, Permutation Polynomials.
Computational aspects with applications to
public key cryptography
King Fahd University of Petroleum and Minerals
Dhahran, Saudi Arabia
Workshop on Industrial Mathematics
March 1, 2004
Università Roma Tre
0
Public Key Cryptography
Dhahran, March 1, 2004
Private key versus Public Key
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Private key versus Public Key
Università Roma Tre
0
Public Key Cryptography
Dhahran, March 1, 2004
Private key versus Public Key
Università Roma Tre
0
Public Key Cryptography
Dhahran, March 1, 2004
Classical General Examples of PKC
¶
·
¸
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Classical General Examples of PKC
¶ (1976) Diffie Hellmann Key exchange protocol
·
¸
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Classical General Examples of PKC
¶ (1976) Diffie Hellmann Key exchange protocol
IEEE Trans. Information Theory IT-22 (1976)
·
¸
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Classical General Examples of PKC
¶ (1976) Diffie Hellmann Key exchange protocol
IEEE Trans. Information Theory IT-22 (1976)
· (1983) Massey Omura Cryptosystem
¸
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Classical General Examples of PKC
¶ (1976) Diffie Hellmann Key exchange protocol
IEEE Trans. Information Theory IT-22 (1976)
· (1983) Massey Omura Cryptosystem
Proc. 4th Benelux Symposium on Information Theory (1983)
¸
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Classical General Examples of PKC
¶ (1976) Diffie Hellmann Key exchange protocol
IEEE Trans. Information Theory IT-22 (1976)
· (1983) Massey Omura Cryptosystem
Proc. 4th Benelux Symposium on Information Theory (1983)
¸ (1984) ElGamal Cryptosystem
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Classical General Examples of PKC
¶ (1976) Diffie Hellmann Key exchange protocol
IEEE Trans. Information Theory IT-22 (1976)
· (1983) Massey Omura Cryptosystem
Proc. 4th Benelux Symposium on Information Theory (1983)
¸ (1984) ElGamal Cryptosystem
IEEE Trans. Information Theory IT-31 (1985)
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Classical General Examples of PKC
¶ (1976) Diffie Hellmann Key exchange protocol
IEEE Trans. Information Theory IT-22 (1976)
· (1983) Massey Omura Cryptosystem
Proc. 4th Benelux Symposium on Information Theory (1983)
¸ (1984) ElGamal Cryptosystem
IEEE Trans. Information Theory IT-31 (1985)
Università Roma Tre
0
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 1/5
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
Università Roma Tre
2
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶
·
¸
¹
º
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
·
¸
¹
º
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Alice picks a secret a,
¸
¹
º
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Alice picks a secret a, 0 ≤ a ≤ p − 1
¸
¹
º
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Alice picks a secret a, 0 ≤ a ≤ p − 1
¸ Bob picks a secret b, 0 ≤ b ≤ p − 1
¹
º
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Alice picks a secret a, 0 ≤ a ≤ p − 1
¸ Bob picks a secret b, 0 ≤ b ≤ p − 1
¹ They compute and publish g a mod p (Alice) and g b mod p (Bob)
º
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Alice picks a secret a, 0 ≤ a ≤ p − 1
¸ Bob picks a secret b, 0 ≤ b ≤ p − 1
¹ They compute and publish g a mod p (Alice) and g b mod p (Bob)
º The common secret key is g ab mod p
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Alice picks a secret a, 0 ≤ a ≤ p − 1
¸ Bob picks a secret b, 0 ≤ b ≤ p − 1
¹ They compute and publish g a mod p (Alice) and g b mod p (Bob)
º The common secret key is g ab mod p
Università Roma Tre
0
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 2/5
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Alice picks a secret a, 0 ≤ a ≤ p − 1
¸ Bob picks a secret b, 0 ≤ b ≤ p − 1
¹ They compute and publish g a mod p (Alice) and g b mod p (Bob)
º The common secret key is g ab mod p
what is a generator of Z/pZ?
Università Roma Tre
0
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+
+
+
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
+
+
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
whose powers mod p, generate 1, . . . , p − 1
+
+
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
whose powers mod p, generate 1, . . . , p − 1
+ So g mod p, g 2 mod p, . . . , g p−1 mod p are all distinct,
+
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
whose powers mod p, generate 1, . . . , p − 1
+ So g mod p, g 2 mod p, . . . , g p−1 mod p are all distinct,
i.e., a permutation of 1 through p − 1
+
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
whose powers mod p, generate 1, . . . , p − 1
+ So g mod p, g 2 mod p, . . . , g p−1 mod p are all distinct,
i.e., a permutation of 1 through p − 1
+ In other words: for all b ∈ Z/pZ, b 6= 0,
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
whose powers mod p, generate 1, . . . , p − 1
+ So g mod p, g 2 mod p, . . . , g p−1 mod p are all distinct,
i.e., a permutation of 1 through p − 1
+ In other words: for all b ∈ Z/pZ, b 6= 0,
there exists an exponent i ∈ {0, 1, . . . , p − 1} such that b = g i mod p
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
whose powers mod p, generate 1, . . . , p − 1
+ So g mod p, g 2 mod p, . . . , g p−1 mod p are all distinct,
i.e., a permutation of 1 through p − 1
+ In other words: for all b ∈ Z/pZ, b 6= 0,
there exists an exponent i ∈ {0, 1, . . . , p − 1} such that b = g i mod p
+ Given b ∈ Z, exponent i above is
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
whose powers mod p, generate 1, . . . , p − 1
+ So g mod p, g 2 mod p, . . . , g p−1 mod p are all distinct,
i.e., a permutation of 1 through p − 1
+ In other words: for all b ∈ Z/pZ, b 6= 0,
there exists an exponent i ∈ {0, 1, . . . , p − 1} such that b = g i mod p
+ Given b ∈ Z, exponent i above is
the discrete logarithm of b for base g modp
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 3/5
+ A generator (or primitive root) g of a prime number p is a number
whose powers mod p, generate 1, . . . , p − 1
+ So g mod p, g 2 mod p, . . . , g p−1 mod p are all distinct,
i.e., a permutation of 1 through p − 1
+ In other words: for all b ∈ Z/pZ, b 6= 0,
there exists an exponent i ∈ {0, 1, . . . , p − 1} such that b = g i mod p
+ Given b ∈ Z, exponent i above is
the discrete logarithm of b for base g modp
+ Computing discrete logs appears infeasible in general
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 4/5
Università Roma Tre
2
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 4/5
+
;
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 4/5
+ Eve knows g a , g b but would like to compute g ab ;
+
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 4/5
+ Eve knows g a , g b but would like to compute g ab ;
+ Eve could compute a discrete logarithm to find a and then (g b )a
+
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 4/5
+ Eve knows g a , g b but would like to compute g ab ;
+ Eve could compute a discrete logarithm to find a and then (g b )a
+ for given α, g, p, Eve should solve:
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 4/5
+ Eve knows g a , g b but would like to compute g ab ;
+ Eve could compute a discrete logarithm to find a and then (g b )a
+ for given α, g, p, Eve should solve:
g X ≡ α mod p
Università Roma Tre
0
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
Università Roma Tre
1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
A “criptographically meaningful size” example:
Università Roma Tre
0
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
A “criptographically meaningful size” example:
p = 370273307460967425842481081357528298315386585184169353328410050632472746552261503118421027658
721711241508544733578984012456938357678209461867245573821426204444288523552318347549870943602
1902398769259658537444365842890327
Università Roma Tre
-1
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
A “criptographically meaningful size” example:
p = 370273307460967425842481081357528298315386585184169353328410050632472746552261503118421027658
721711241508544733578984012456938357678209461867245573821426204444288523552318347549870943602
1902398769259658537444365842890327
g = 5
Università Roma Tre
-2
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
A “criptographically meaningful size” example:
p = 370273307460967425842481081357528298315386585184169353328410050632472746552261503118421027658
721711241508544733578984012456938357678209461867245573821426204444288523552318347549870943602
1902398769259658537444365842890327
g = 5
a = 230884090203989538822791747965302672267956566803890984719811170401834881423535241039556153839
50300790706016512170324186640960442741350790022942149093292104570603304669117473786798985
00024210343154844771162635809902530822
Università Roma Tre
-3
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
A “criptographically meaningful size” example:
p = 370273307460967425842481081357528298315386585184169353328410050632472746552261503118421027658
721711241508544733578984012456938357678209461867245573821426204444288523552318347549870943602
1902398769259658537444365842890327
g = 5
a = 230884090203989538822791747965302672267956566803890984719811170401834881423535241039556153839
50300790706016512170324186640960442741350790022942149093292104570603304669117473786798985
00024210343154844771162635809902530822
b = 202628627712040976052737350793757540205242681192017941068774728007392912193775762330719406560
04093331116419046740605076855604279856790686813698840332610088778267557488150882421959663
70518057438047030854128879946541952289
Università Roma Tre
-4
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
A “criptographically meaningful size” example:
p = 370273307460967425842481081357528298315386585184169353328410050632472746552261503118421027658
721711241508544733578984012456938357678209461867245573821426204444288523552318347549870943602
1902398769259658537444365842890327
g = 5
a = 230884090203989538822791747965302672267956566803890984719811170401834881423535241039556153839
50300790706016512170324186640960442741350790022942149093292104570603304669117473786798985
00024210343154844771162635809902530822
b = 202628627712040976052737350793757540205242681192017941068774728007392912193775762330719406560
04093331116419046740605076855604279856790686813698840332610088778267557488150882421959663
70518057438047030854128879946541952289
5a = 249451424107893262892484442575689156622349940771024747733612460962310329209496530481469732410
95957576012477323952872295620523253758143768040422343030840568653423985771858393578141665
18479146351026737882783508710913577680
Università Roma Tre
-5
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
A “criptographically meaningful size” example:
p = 370273307460967425842481081357528298315386585184169353328410050632472746552261503118421027658
721711241508544733578984012456938357678209461867245573821426204444288523552318347549870943602
1902398769259658537444365842890327
g = 5
a = 230884090203989538822791747965302672267956566803890984719811170401834881423535241039556153839
50300790706016512170324186640960442741350790022942149093292104570603304669117473786798985
00024210343154844771162635809902530822
b = 202628627712040976052737350793757540205242681192017941068774728007392912193775762330719406560
04093331116419046740605076855604279856790686813698840332610088778267557488150882421959663
70518057438047030854128879946541952289
5a = 249451424107893262892484442575689156622349940771024747733612460962310329209496530481469732410
95957576012477323952872295620523253758143768040422343030840568653423985771858393578141665
18479146351026737882783508710913577680
5b = 287293760357523957032946092556813694596882586743260552838382768832192594422702357607546631218
64001485395789301444617793223201594706097398360331195161213836214741498824201098331045762
16804562648795943563091024975401008295
Università Roma Tre
-6
Public Key Cryptography
Dhahran, March 1, 2004
Diffie–Hellmann key exchange 5/5
A “criptographically meaningful size” example:
p = 370273307460967425842481081357528298315386585184169353328410050632472746552261503118421027658
721711241508544733578984012456938357678209461867245573821426204444288523552318347549870943602
1902398769259658537444365842890327
g = 5
a = 230884090203989538822791747965302672267956566803890984719811170401834881423535241039556153839
50300790706016512170324186640960442741350790022942149093292104570603304669117473786798985
00024210343154844771162635809902530822
b = 202628627712040976052737350793757540205242681192017941068774728007392912193775762330719406560
04093331116419046740605076855604279856790686813698840332610088778267557488150882421959663
70518057438047030854128879946541952289
5a = 249451424107893262892484442575689156622349940771024747733612460962310329209496530481469732410
95957576012477323952872295620523253758143768040422343030840568653423985771858393578141665
18479146351026737882783508710913577680
5b = 287293760357523957032946092556813694596882586743260552838382768832192594422702357607546631218
64001485395789301444617793223201594706097398360331195161213836214741498824201098331045762
16804562648795943563091024975401008295
5ab = 36674172125349300306071275329964633749875664216293811088694156172838197865927916343627669411
4396823489217444401038685650925971812733853762885262933444987558589066268362684366645128712
2395082920958736911545732951584464496
Università Roma Tre
-7
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Università Roma Tre
-6
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
Università Roma Tre
-7
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
,
,
,
,
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
, Shanks baby-step, giant step
,
,
,
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
, Shanks baby-step, giant step
Proc. 2nd Manitoba Conf. Numerical Mathematics (Winnipeg, 1972).
,
,
,
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
, Shanks baby-step, giant step
Proc. 2nd Manitoba Conf. Numerical Mathematics (Winnipeg, 1972).
, Pohlig–Hellmann Algorithm
,
,
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
, Shanks baby-step, giant step
Proc. 2nd Manitoba Conf. Numerical Mathematics (Winnipeg, 1972).
, Pohlig–Hellmann Algorithm
IEEE Trans. Information Theory IT-24 (1978).
,
,
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
, Shanks baby-step, giant step
Proc. 2nd Manitoba Conf. Numerical Mathematics (Winnipeg, 1972).
, Pohlig–Hellmann Algorithm
IEEE Trans. Information Theory IT-24 (1978).
, Index computation algorithm
,
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
, Shanks baby-step, giant step
Proc. 2nd Manitoba Conf. Numerical Mathematics (Winnipeg, 1972).
, Pohlig–Hellmann Algorithm
IEEE Trans. Information Theory IT-24 (1978).
, Index computation algorithm
, Sieving algorithms
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
, Shanks baby-step, giant step
Proc. 2nd Manitoba Conf. Numerical Mathematics (Winnipeg, 1972).
, Pohlig–Hellmann Algorithm
IEEE Trans. Information Theory IT-24 (1978).
, Index computation algorithm
, Sieving algorithms
La Macchia & Odlyzko, Designs Codes and Cryptography 1 (1991)
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms Computation
Some classical algorithms:
, Shanks baby-step, giant step
Proc. 2nd Manitoba Conf. Numerical Mathematics (Winnipeg, 1972).
, Pohlig–Hellmann Algorithm
IEEE Trans. Information Theory IT-24 (1978).
, Index computation algorithm
, Sieving algorithms
La Macchia & Odlyzko, Designs Codes and Cryptography 1 (1991)
NOTE: The last two are ”very special” for Z/pZ
Università Roma Tre
-9
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
Università Roma Tre
-8
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
Università Roma Tre
-9
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
y
=
b1089 ec
=
271828182845904523536028747135266249775724709369995957496696762772407663035354759457138217
Università Roma Tre
-10
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
y
=
b1089 ec
=
271828182845904523536028747135266249775724709369995957496696762772407663035354759457138217
X
2
≡ y mod p
Università Roma Tre
-11
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
y
=
b1089 ec
=
271828182845904523536028747135266249775724709369995957496696762772407663035354759457138217
X
2
≡ y mod p
y = g 1767138072114216962732048234071620272302057952449914157493844716677918658538374188101093 ,
Università Roma Tre
-12
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
y
=
b1089 ec
=
271828182845904523536028747135266249775724709369995957496696762772407663035354759457138217
X
2
≡ y mod p
y = g 1767138072114216962732048234071620272302057952449914157493844716677918658538374188101093 ,
y + 1 = g 31160419870582697488207880919786823820449120001421617617058468654271221802926927230033421 ,
Università Roma Tre
-13
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
y
=
b1089 ec
=
271828182845904523536028747135266249775724709369995957496696762772407663035354759457138217
X
2
≡ y mod p
y = g 1767138072114216962732048234071620272302057952449914157493844716677918658538374188101093 ,
y + 1 = g 31160419870582697488207880919786823820449120001421617617058468654271221802926927230033421 ,
y + 2 = g 308988329335044525333827764914501407237168034577534227927033783999866774252739278678837301 ,
Università Roma Tre
-14
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
y
=
b1089 ec
=
271828182845904523536028747135266249775724709369995957496696762772407663035354759457138217
X
2
≡ y mod p
y = g 1767138072114216962732048234071620272302057952449914157493844716677918658538374188101093 ,
y + 1 = g 31160419870582697488207880919786823820449120001421617617058468654271221802926927230033421 ,
y + 2 = g 308988329335044525333827764914501407237168034577534227927033783999866774252739278678837301 ,
y + 3 = g 65806888002788380103712986883663253187183505405451188935055113209887949364255134815297846 ,
Università Roma Tre
-15
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
y
=
b1089 ec
=
271828182845904523536028747135266249775724709369995957496696762772407663035354759457138217
X
2
≡ y mod p
y = g 1767138072114216962732048234071620272302057952449914157493844716677918658538374188101093 ,
y + 1 = g 31160419870582697488207880919786823820449120001421617617058468654271221802926927230033421 ,
y + 2 = g 308988329335044525333827764914501407237168034577534227927033783999866774252739278678837301 ,
y + 3 = g 65806888002788380103712986883663253187183505405451188935055113209887949364255134815297846 ,
y + 4 = g 40696010882128699199753165934604918894868490454360617887844587935353795462185105078977093
Università Roma Tre
-16
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 1/2
A. Joux et R. Lercier, 1998.
p
=
b1089 πc + 156137
=
314159265358979323846264338327950288419716939937510582097494459230781640628620899862959619,
g = 2,
y
=
b1089 ec
=
271828182845904523536028747135266249775724709369995957496696762772407663035354759457138217
X
2
≡ y mod p
y = g 1767138072114216962732048234071620272302057952449914157493844716677918658538374188101093 ,
y + 1 = g 31160419870582697488207880919786823820449120001421617617058468654271221802926927230033421 ,
y + 2 = g 308988329335044525333827764914501407237168034577534227927033783999866774252739278678837301 ,
y + 3 = g 65806888002788380103712986883663253187183505405451188935055113209887949364255134815297846 ,
y + 4 = g 40696010882128699199753165934604918894868490454360617887844587935353795462185105078977093
It took 4.5 months... on a Pentium PRO 180 MHz
Università Roma Tre
-17
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
Università Roma Tre
-16
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
Università Roma Tre
-17
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬
­
®
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
­
®
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server
­
®
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­
®
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
®
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
525MHz quadri-processors Digital Alpha Server 8400
®
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
525MHz quadri-processors Digital Alpha Server 8400 – 20 days;
®
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
525MHz quadri-processors Digital Alpha Server 8400 – 20 days;
® 2001 p ∼
= 10120 ;
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
525MHz quadri-processors Digital Alpha Server 8400 – 20 days;
® 2001 p ∼
= 10120 ; (Current Record!)
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
525MHz quadri-processors Digital Alpha Server 8400 – 20 days;
® 2001 p ∼
= 10120 ; (Current Record!) 2.5 months
Università Roma Tre
-18
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
525MHz quadri-processors Digital Alpha Server 8400 – 20 days;
® 2001 p ∼
= 10120 ; (Current Record!) 2.5 months
p = b10119 πc + 207819, g = 2
Università Roma Tre
-19
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
525MHz quadri-processors Digital Alpha Server 8400 – 20 days;
® 2001 p ∼
= 10120 ; (Current Record!) 2.5 months
p = b10119 πc + 207819, g = 2
y = b10119 c
Università Roma Tre
-20
Public Key Cryptography
Dhahran, March 1, 2004
Discrete Logarithms computation Records 2/2
A. Joux et R. Lercier (CNRS / Ecole Polytechnique)
¬ 1999 p ∼
= 10100
500MHz quadri-processors Dec Alpha Server – 8.5 months;
­ 2001 p ∼
= 10110
525MHz quadri-processors Digital Alpha Server 8400 – 20 days;
® 2001 p ∼
= 10120 ; (Current Record!) 2.5 months
p = b10119 πc + 207819, g = 2
y = b10119 c
262112280685811387636008622038191827370390768520656974243035
y = g 380382193478767436018681449804940840373741641452864730765082 ,
Università Roma Tre
-21
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
Università Roma Tre
-20
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
Università Roma Tre
-21
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶
·
Università Roma Tre
-22
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
·
Università Roma Tre
-22
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
Università Roma Tre
-22
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
he computes β = g b mod p and publishes β
Università Roma Tre
-22
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
he computes β = g b mod p and publishes β
ENCRYPTION: (Alice)
Università Roma Tre
-23
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
he computes β = g b mod p and publishes β
ENCRYPTION: (Alice)
¬
­
®
Università Roma Tre
-24
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
he computes β = g b mod p and publishes β
ENCRYPTION: (Alice)
¬ Alice picks a secret k,
­
®
Università Roma Tre
-24
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
he computes β = g b mod p and publishes β
ENCRYPTION: (Alice)
¬ Alice picks a secret k, 0 < k ≤ p − 1
­
®
Università Roma Tre
-24
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
he computes β = g b mod p and publishes β
ENCRYPTION: (Alice)
¬ Alice picks a secret k, 0 < k ≤ p − 1
­ She computes α = g k mod p and γ = x · β a mod p
®
Università Roma Tre
-24
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
he computes β = g b mod p and publishes β
ENCRYPTION: (Alice)
¬ Alice picks a secret k, 0 < k ≤ p − 1
­ She computes α = g k mod p and γ = x · β a mod p
® The encrypted message is
Università Roma Tre
-24
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 1/2
Alice wants to sent a message x ∈ Z/pZ to Bob
SETUP:
¶ Alice and Bob agree on a prime p and a generator g in Z/pZ
· Bob picks a secret b, 0 < b ≤ p − 1,
he computes β = g b mod p and publishes β
ENCRYPTION: (Alice)
¬ Alice picks a secret k, 0 < k ≤ p − 1
­ She computes α = g k mod p and γ = x · β a mod p
® The encrypted message is
E(x) = (α, γ) ∈ Z/pZ × Z/pZ
Università Roma Tre
-24
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
Università Roma Tre
-23
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
Università Roma Tre
-24
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬
­
Università Roma Tre
-25
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬ Bob computes
­
Università Roma Tre
-25
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬ Bob computes
D(α, γ) = γ · αp−1−b mod p
­
Università Roma Tre
-25
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬ Bob computes
D(α, γ) = γ · αp−1−b mod p
­ It works because
Università Roma Tre
-25
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬ Bob computes
D(α, γ) = γ · αp−1−b mod p
­ It works because
D(E(x)) = D(α, γ) = x · g bk · g k(p−1−b) = x
Università Roma Tre
-25
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬ Bob computes
D(α, γ) = γ · αp−1−b mod p
­ It works because
since g k(p−1)
D(E(x)) = D(α, γ) = x · g bk · g k(p−1−b) = x
mod p = 1 by
Università Roma Tre
-25
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬ Bob computes
D(α, γ) = γ · αp−1−b mod p
­ It works because
since g k(p−1)
D(E(x)) = D(α, γ) = x · g bk · g k(p−1−b) = x
mod p = 1 by
Fermat Little Theorem If p is prime, p - a ∈ N
ap−1 ≡ 1 mod p
Università Roma Tre
-26
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬ Bob computes
D(α, γ) = γ · αp−1−b mod p
­ It works because
since g k(p−1)
D(E(x)) = D(α, γ) = x · g bk · g k(p−1−b) = x
mod p = 1 by
Fermat Little Theorem If p is prime, p - a ∈ N
ap−1 ≡ 1 mod p
Eve can decrypt the message if he can compute the discrete logarithm X,
Università Roma Tre
-27
Public Key Cryptography
Dhahran, March 1, 2004
ElGamal Cryptosystem 2/2
DECRYPTION: (Bob)
¬ Bob computes
D(α, γ) = γ · αp−1−b mod p
­ It works because
since g k(p−1)
D(E(x)) = D(α, γ) = x · g bk · g k(p−1−b) = x
mod p = 1 by
Fermat Little Theorem If p is prime, p - a ∈ N
ap−1 ≡ 1 mod p
Eve can decrypt the message if he can compute the discrete logarithm X,
β = g X mod p
Università Roma Tre
-28
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 1/2
Università Roma Tre
-27
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 1/2
Alice
Bob
Università Roma Tre
-28
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 1/2
Alice
Bob
¬
­
®
¯
°
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 1/2
Alice
Bob
¬ Alice and Bob each picks a secret key kA , kB ∈ {1, . . . , p − 1}
­
®
¯
°
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 1/2
Alice
Bob
¬ Alice and Bob each picks a secret key kA , kB ∈ {1, . . . , p − 1}
­ They compute lA , lB ∈ {1, . . . , p − 1} such that
®
¯
°
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 1/2
Alice
Bob
¬ Alice and Bob each picks a secret key kA , kB ∈ {1, . . . , p − 1}
­ They compute lA , lB ∈ {1, . . . , p − 1} such that
® kA lA = 1(modp − 1) and kB lB = 1(modp − 1)
¯
°
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 1/2
Alice
Bob
¬ Alice and Bob each picks a secret key kA , kB ∈ {1, . . . , p − 1}
­ They compute lA , lB ∈ {1, . . . , p − 1} such that
® kA lA = 1(modp − 1) and kB lB = 1(modp − 1)
¯ Alice key is (kA , lA ) (kA to lock and lA to unlock)
°
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 1/2
Alice
Bob
¬ Alice and Bob each picks a secret key kA , kB ∈ {1, . . . , p − 1}
­ They compute lA , lB ∈ {1, . . . , p − 1} such that
® kA lA = 1(modp − 1) and kB lB = 1(modp − 1)
¯ Alice key is (kA , lA ) (kA to lock and lA to unlock)
° Bob key is (kB , lB ) (kB to lock and lB to unlock)
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 2/2
Alice (kA , lA )
Bob (kB , lB )
Università Roma Tre
-28
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 2/2
Alice (kA , lA )
Bob (kB , lB )
¬
­
®
¯
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 2/2
Alice (kA , lA )
Bob (kB , lB )
¬ To send the message P , Alice computes and sends M = P kA mod p
­
®
¯
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 2/2
Alice (kA , lA )
Bob (kB , lB )
¬ To send the message P , Alice computes and sends M = P kA mod p
­ Bob computes and sends back N = M kB mod p
®
¯
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 2/2
Alice (kA , lA )
Bob (kB , lB )
¬ To send the message P , Alice computes and sends M = P kA mod p
­ Bob computes and sends back N = M kB mod p
® Alice computes L = N lA (mod p) and sends it back to Bob
¯
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 2/2
Alice (kA , lA )
Bob (kB , lB )
¬ To send the message P , Alice computes and sends M = P kA mod p
­ Bob computes and sends back N = M kB mod p
® Alice computes L = N lA (mod p) and sends it back to Bob
¯ Bob decrypt the message computing P = LlB (mod p)
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
Massey Omura 2/2
Alice (kA , lA )
Bob (kB , lB )
¬ To send the message P , Alice computes and sends M = P kA mod p
­ Bob computes and sends back N = M kB mod p
® Alice computes L = N lA (mod p) and sends it back to Bob
¯ Bob decrypt the message computing P = LlB (mod p)
It works: P = LlB = N lA lB = M kB lA lB = P kA kB lA lB by Fermat Little
Theorem
Università Roma Tre
-30
Public Key Cryptography
Dhahran, March 1, 2004
From Z/pZ to cyclic groups
Università Roma Tre
-29
Public Key Cryptography
Dhahran, March 1, 2004
From Z/pZ to cyclic groups
We can substitute Z/pZ with a set G where it is possible to compute powers
P a and there is a generator (there is g ∈ G such that for each α ∈ G, α = g i
for a suitable i); cyclic groups
Università Roma Tre
-30
Public Key Cryptography
Dhahran, March 1, 2004
From Z/pZ to cyclic groups
We can substitute Z/pZ with a set G where it is possible to compute powers
P a and there is a generator (there is g ∈ G such that for each α ∈ G, α = g i
for a suitable i); cyclic groups
Examples of cyclic groups
Università Roma Tre
-31
Public Key Cryptography
Dhahran, March 1, 2004
From Z/pZ to cyclic groups
We can substitute Z/pZ with a set G where it is possible to compute powers
P a and there is a generator (there is g ∈ G such that for each α ∈ G, α = g i
for a suitable i); cyclic groups
Examples of cyclic groups
¬
­
®
Università Roma Tre
-32
Public Key Cryptography
Dhahran, March 1, 2004
From Z/pZ to cyclic groups
We can substitute Z/pZ with a set G where it is possible to compute powers
P a and there is a generator (there is g ∈ G such that for each α ∈ G, α = g i
for a suitable i); cyclic groups
Examples of cyclic groups
¬ Elliptic curves modulo p
­
®
Università Roma Tre
-32
Public Key Cryptography
Dhahran, March 1, 2004
From Z/pZ to cyclic groups
We can substitute Z/pZ with a set G where it is possible to compute powers
P a and there is a generator (there is g ∈ G such that for each α ∈ G, α = g i
for a suitable i); cyclic groups
Examples of cyclic groups
¬ Elliptic curves modulo p
­ Multiplicative groups of Finite Fields
®
Università Roma Tre
-32
Public Key Cryptography
Dhahran, March 1, 2004
From Z/pZ to cyclic groups
We can substitute Z/pZ with a set G where it is possible to compute powers
P a and there is a generator (there is g ∈ G such that for each α ∈ G, α = g i
for a suitable i); cyclic groups
Examples of cyclic groups
¬ Elliptic curves modulo p
­ Multiplicative groups of Finite Fields
® Dickson Polynomials over finite fields
Università Roma Tre
-32
Public Key Cryptography
Dhahran, March 1, 2004
From Z/pZ to cyclic groups
We can substitute Z/pZ with a set G where it is possible to compute powers
P a and there is a generator (there is g ∈ G such that for each α ∈ G, α = g i
for a suitable i); cyclic groups
Examples of cyclic groups
¬ Elliptic curves modulo p
­ Multiplicative groups of Finite Fields
® Dickson Polynomials over finite fields
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields Università Roma Tre
-32
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields +
+
+
+
+
+
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
+
+
+
+
+
+
Università Roma Tre
(field if p prime)
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
+
+
+
+
+
Università Roma Tre
(field if p prime)
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+
+
+
+
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+ Fp [x]/(f ) is a field
+
+
+
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+ Fp [x]/(f ) is a field
(g1 ? g2 ∈ Fp [x]/(f ) is g1 g2 mod f )
+
+
+
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+ Fp [x]/(f ) is a field
(g1 ? g2 ∈ Fp [x]/(f ) is g1 g2 mod f )
+ Fp [x]/(f ) does not depend on f
+
+
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+ Fp [x]/(f ) is a field
(g1 ? g2 ∈ Fp [x]/(f ) is g1 g2 mod f )
+ Fp [x]/(f ) does not depend on f
(i.e. if h ∈ Fp [x] irreducible, ∂f = ∂h =
=
> Fp [x]/(f ) ∼
= Fp [x]/(h) )
+
+
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+ Fp [x]/(f ) is a field
(g1 ? g2 ∈ Fp [x]/(f ) is g1 g2 mod f )
+ Fp [x]/(f ) does not depend on f
(i.e. if h ∈ Fp [x] irreducible, ∂f = ∂h =
=
> Fp [x]/(f ) ∼
= Fp [x]/(h) )
+
Fpm = Fp [x]/(f )
+
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+ Fp [x]/(f ) is a field
(g1 ? g2 ∈ Fp [x]/(f ) is g1 g2 mod f )
+ Fp [x]/(f ) does not depend on f
(i.e. if h ∈ Fp [x] irreducible, ∂f = ∂h =
=
> Fp [x]/(f ) ∼
= Fp [x]/(h) )
+
Fpm = Fp [x]/(f )
any choice of f with m = ∂f is the same
+
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+ Fp [x]/(f ) is a field
(g1 ? g2 ∈ Fp [x]/(f ) is g1 g2 mod f )
+ Fp [x]/(f ) does not depend on f
(i.e. if h ∈ Fp [x] irreducible, ∂f = ∂h =
=
> Fp [x]/(f ) ∼
= Fp [x]/(h) )
+
Fpm = Fp [x]/(f )
any choice of f with m = ∂f is the same
+ |Fpm | = pm
+
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Finite Fields + Let Fp = Z/pZ = {0, 1, . . . , p − 1}
(field if p prime)
+ Given f ∈ Fp [x] irreducible (m = ∂(f ))
Fp [x]/(f ) = {a0 + a1 t + · · · + am−1 tm−1 | ai ∈ Fp }
+ Fp [x]/(f ) is a field
(g1 ? g2 ∈ Fp [x]/(f ) is g1 g2 mod f )
+ Fp [x]/(f ) does not depend on f
(i.e. if h ∈ Fp [x] irreducible, ∂f = ∂h =
=
> Fp [x]/(f ) ∼
= Fp [x]/(h) )
+
Fpm = Fp [x]/(f )
any choice of f with m = ∂f is the same
+ |Fpm | = pm
+ F∗pm = Fpm \ {0} is a cyclic group under multiplication
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Università Roma Tre
-32
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+
+
+
+
+
Università Roma Tre
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
+
+
+
+
Università Roma Tre
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
(Im (q) = {f ∈ Fp [x], f irreducible, ∂f = m})
+
+
+
+
Università Roma Tre
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
(Im (q) = {f ∈ Fp [x], f irreducible, ∂f = m})
X
d|Id (q)| = q m
+
d|m
+
+
+
Università Roma Tre
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
(Im (q) = {f ∈ Fp [x], f irreducible, ∂f = m})
X
d|Id (q)| = q m
+
d|m
+ |Im (q)| =
q m −q
m
(if m is prime)
+
+
Università Roma Tre
|Im (q)| ∼
qm
m
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
(Im (q) = {f ∈ Fp [x], f irreducible, ∂f = m})
X
d|Id (q)| = q m
+
d|m
+ |Im (q)| =
q m −q
m
(if m is prime)
+ Some fields of cryptographic size:
+
Università Roma Tre
|Im (q)| ∼
qm
m
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
(Im (q) = {f ∈ Fp [x], f irreducible, ∂f = m})
X
d|Id (q)| = q m
+
d|m
+ |Im (q)| =
q m −q
m
(if m is prime)
|Im (q)| ∼
+ Some fields of cryptographic size:
F2503 = F2 [x]/(x503 + x3 + 1), F532320 = F5323 [x]/(f )
+
Università Roma Tre
qm
m
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
(Im (q) = {f ∈ Fp [x], f irreducible, ∂f = m})
X
d|Id (q)| = q m
+
d|m
+ |Im (q)| =
q m −q
m
(if m is prime)
|Im (q)| ∼
qm
m
+ Some fields of cryptographic size:
F2503 = F2 [x]/(x503 + x3 + 1), F532320 = F5323 [x]/(f )
f = x20 + 1451x18 + 5202x17 + 752x16 + 3778x15 + 4598x14 + 2563x13 + 5275x12 + 4260x11 +
+
Università Roma Tre
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
(Im (q) = {f ∈ Fp [x], f irreducible, ∂f = m})
X
d|Id (q)| = q m
+
d|m
+ |Im (q)| =
q m −q
m
(if m is prime)
|Im (q)| ∼
qm
m
+ Some fields of cryptographic size:
F2503 = F2 [x]/(x503 + x3 + 1), F532320 = F5323 [x]/(f )
f = x20 + 1451x18 + 5202x17 + 752x16 + 3778x15 + 4598x14 + 2563x13 + 5275x12 + 4260x11 +
862x10 + 4659x9 + 3484x8 + 1510x7 + 4556x6 + 2317x5 + 2171x4 + 3100x3 + 4100x2 + 682x + 5110
+
Università Roma Tre
-34
Public Key Cryptography
Dhahran, March 1, 2004
Producing Fq
Set q = pm
+ Produce Fq <
=
=
> find f ∈ Im (q)
(Im (q) = {f ∈ Fp [x], f irreducible, ∂f = m})
X
d|Id (q)| = q m
+
d|m
+ |Im (q)| =
q m −q
m
(if m is prime)
|Im (q)| ∼
qm
m
+ Some fields of cryptographic size:
F2503 = F2 [x]/(x503 + x3 + 1), F532320 = F5323 [x]/(f )
f = x20 + 1451x18 + 5202x17 + 752x16 + 3778x15 + 4598x14 + 2563x13 + 5275x12 + 4260x11 +
862x10 + 4659x9 + 3484x8 + 1510x7 + 4556x6 + 2317x5 + 2171x4 + 3100x3 + 4100x2 + 682x + 5110
+ Good to find f sparse
Università Roma Tre
-34
Public Key Cryptography
Dhahran, March 1, 2004
Interpolation on Fq
Università Roma Tre
-33
Public Key Cryptography
Dhahran, March 1, 2004
Interpolation on Fq
Given h : Fq → Fq a function.
Università Roma Tre
-34
Public Key Cryptography
Dhahran, March 1, 2004
Interpolation on Fq
Given h : Fq → Fq a function.
h can always be interpolated with a polynomial in Fq [x] !
Università Roma Tre
-35
Public Key Cryptography
Dhahran, March 1, 2004
Interpolation on Fq
Given h : Fq → Fq a function.
h can always be interpolated with a polynomial in Fq [x] !
+ Lagrange interpolation
Università Roma Tre
-36
Public Key Cryptography
Dhahran, March 1, 2004
Interpolation on Fq
Given h : Fq → Fq a function.
h can always be interpolated with a polynomial in Fq [x] !
+ Lagrange interpolation
fh (x) =
X
c∈Fq
Y x−d
h(c)
∈ Fq [x]
c−d
d∈Fq
d6=c
Università Roma Tre
-37
Public Key Cryptography
Dhahran, March 1, 2004
Interpolation on Fq
Given h : Fq → Fq a function.
h can always be interpolated with a polynomial in Fq [x] !
+ Lagrange interpolation
fh (x) =
X
c∈Fq
Y x−d
h(c)
∈ Fq [x]
c−d
d∈Fq
d6=c
+ Finite fields interpolation
Università Roma Tre
-38
Public Key Cryptography
Dhahran, March 1, 2004
Interpolation on Fq
Given h : Fq → Fq a function.
h can always be interpolated with a polynomial in Fq [x] !
+ Lagrange interpolation
fh (x) =
X
c∈Fq
Y x−d
h(c)
∈ Fq [x]
c−d
d∈Fq
d6=c
+ Finite fields interpolation
fh (x) =
X
q−1
h(c) 1 − (x − c)
c∈Fq
Università Roma Tre
∈ Fq [x]
-39
Public Key Cryptography
Dhahran, March 1, 2004
Interpolation on Fq
Given h : Fq → Fq a function.
h can always be interpolated with a polynomial in Fq [x] !
+ Lagrange interpolation
fh (x) =
X
c∈Fq
Y x−d
h(c)
∈ Fq [x]
c−d
d∈Fq
d6=c
+ Finite fields interpolation
fh (x) =
X
q−1
h(c) 1 − (x − c)
∈ Fq [x]
c∈Fq

1 d 6= 0
dq−1 =
0 d = 0
Università Roma Tre
-40
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
Università Roma Tre
-39
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
+ If f1 , f2 ∈ Fq [x] with f1 (c) = f2 (c)∀c ∈ Fq ,
Università Roma Tre
-40
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
+ If f1 , f2 ∈ Fq [x] with f1 (c) = f2 (c)∀c ∈ Fq ,
=
=
> xq − x | f1 (x) − f2 (x)
Università Roma Tre
-41
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
+ If f1 , f2 ∈ Fq [x] with f1 (c) = f2 (c)∀c ∈ Fq ,
=
=
> xq − x | f1 (x) − f2 (x)
+ The interpolant polynomial is unique mod xq − x
Università Roma Tre
-42
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
+ If f1 , f2 ∈ Fq [x] with f1 (c) = f2 (c)∀c ∈ Fq ,
=
=
> xq − x | f1 (x) − f2 (x)
+ The interpolant polynomial is unique mod xq − x
==
> unique with degree ≤ q − 1
Università Roma Tre
-43
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
+ If f1 , f2 ∈ Fq [x] with f1 (c) = f2 (c)∀c ∈ Fq ,
=
=
> xq − x | f1 (x) − f2 (x)
+ The interpolant polynomial is unique mod xq − x
==
> unique with degree ≤ q − 1
+ If ch = #{c ∈ Fq | h(c) 6= c},
Università Roma Tre
-44
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
+ If f1 , f2 ∈ Fq [x] with f1 (c) = f2 (c)∀c ∈ Fq ,
=
=
> xq − x | f1 (x) − f2 (x)
+ The interpolant polynomial is unique mod xq − x
==
> unique with degree ≤ q − 1
+ If ch = #{c ∈ Fq | h(c) 6= c},
q − ch ≤ ∂fh ≤ q − 2
Università Roma Tre
-45
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
+ If f1 , f2 ∈ Fq [x] with f1 (c) = f2 (c)∀c ∈ Fq ,
=
=
> xq − x | f1 (x) − f2 (x)
+ The interpolant polynomial is unique mod xq − x
==
> unique with degree ≤ q − 1
+ If ch = #{c ∈ Fq | h(c) 6= c},
q − ch ≤ ∂fh ≤ q − 2
+ Problem. Find functions with sparse interpolation polynomial
Università Roma Tre
-46
Public Key Cryptography
Dhahran, March 1, 2004
More on interpolation in Fq
+ If f1 , f2 ∈ Fq [x] with f1 (c) = f2 (c)∀c ∈ Fq ,
=
=
> xq − x | f1 (x) − f2 (x)
+ The interpolant polynomial is unique mod xq − x
==
> unique with degree ≤ q − 1
+ If ch = #{c ∈ Fq | h(c) 6= c},
q − ch ≤ ∂fh ≤ q − 2
+ Problem. Find functions with sparse interpolation polynomial
Better if they are
Permutation polynomials
Università Roma Tre
-47
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
Università Roma Tre
-46
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
Università Roma Tre
-47
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
Università Roma Tre
-48
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
Università Roma Tre
-49
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
“f (as a funtion) is a permutation”
Università Roma Tre
-50
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
“f (as a funtion) is a permutation”
(i.e. ∃σ ∈ S(Fq ), σ(c) = f (c) ∀c ∈ Fq )
Università Roma Tre
-51
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
“f (as a funtion) is a permutation”
(i.e. ∃σ ∈ S(Fq ), σ(c) = f (c) ∀c ∈ Fq )
P
q−1
+ If fσ (x) = c∈Fq σ(c) 1 − (x − c)
∈ Fq [x] =
=
>
Università Roma Tre
-52
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
“f (as a funtion) is a permutation”
(i.e. ∃σ ∈ S(Fq ), σ(c) = f (c) ∀c ∈ Fq )
P
q−1
+ If fσ (x) = c∈Fq σ(c) 1 − (x − c)
∈ Fq [x] =
=
>
f ∈ Fq [x] is PP <
=
=
> ∃σ ∈ S(Fq ), f ≡ fσ mod xq − x
Università Roma Tre
-53
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
“f (as a funtion) is a permutation”
(i.e. ∃σ ∈ S(Fq ), σ(c) = f (c) ∀c ∈ Fq )
P
q−1
+ If fσ (x) = c∈Fq σ(c) 1 − (x − c)
∈ Fq [x] =
=
>
f ∈ Fq [x] is PP <
=
=
> ∃σ ∈ S(Fq ), f ≡ fσ mod xq − x
+ Examples:
Università Roma Tre
-54
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
“f (as a funtion) is a permutation”
(i.e. ∃σ ∈ S(Fq ), σ(c) = f (c) ∀c ∈ Fq )
P
q−1
+ If fσ (x) = c∈Fq σ(c) 1 − (x − c)
∈ Fq [x] =
=
>
f ∈ Fq [x] is PP <
=
=
> ∃σ ∈ S(Fq ), f ≡ fσ mod xq − x
+ Examples:
.
.
Università Roma Tre
-55
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
“f (as a funtion) is a permutation”
(i.e. ∃σ ∈ S(Fq ), σ(c) = f (c) ∀c ∈ Fq )
P
q−1
+ If fσ (x) = c∈Fq σ(c) 1 − (x − c)
∈ Fq [x] =
=
>
f ∈ Fq [x] is PP <
=
=
> ∃σ ∈ S(Fq ), f ≡ fσ mod xq − x
+ Examples:
. ax + b,
a, b ∈ Fq , a 6= 0
.
Università Roma Tre
-55
Public Key Cryptography
Dhahran, March 1, 2004
Permutation polynomials
S(Fq ) = {σ : Fq → Fq | σ(1 : 1)}
permutations of Fq
+ f ∈ Fq [x] is called permutation polynomial (PP) if
“f (as a funtion) is a permutation”
(i.e. ∃σ ∈ S(Fq ), σ(c) = f (c) ∀c ∈ Fq )
P
q−1
+ If fσ (x) = c∈Fq σ(c) 1 − (x − c)
∈ Fq [x] =
=
>
f ∈ Fq [x] is PP <
=
=
> ∃σ ∈ S(Fq ), f ≡ fσ mod xq − x
+ Examples:
. ax + b,
. xk ,
a, b ∈ Fq , a 6= 0
(k, q − 1) = 1
Università Roma Tre
-55
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
Università Roma Tre
-54
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
. Composition. f ◦ g is PP
if f, g are PP
Università Roma Tre
-55
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
. Composition. f ◦ g is PP
if f, g are PP
. x(q+m−1)/m + ax is a PP
if m|q − 1
Università Roma Tre
-56
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
. Composition. f ◦ g is PP
if f, g are PP
. x(q+m−1)/m + ax is a PP
if m|q − 1
. Linearized Polynomials Let q = pm ,
Università Roma Tre
-57
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
. Composition. f ◦ g is PP
if f, g are PP
. x(q+m−1)/m + ax is a PP
if m|q − 1
m
. Linearized Polynomials
Let
q
=
p
,
r−1
X
qs
L(x) =
αs x
(αs ∈ Fpm )
s=0
Università Roma Tre
-58
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
. Composition. f ◦ g is PP
if f, g are PP
. x(q+m−1)/m + ax is a PP
if m|q − 1
m
. Linearized Polynomials
Let
q
=
p
,
r−1
X
qs
L(x) =
αs x
(αs ∈ Fpm )
s=0
ó
ó
Università Roma Tre
-59
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
. Composition. f ◦ g is PP
if f, g are PP
. x(q+m−1)/m + ax is a PP
if m|q − 1
m
. Linearized Polynomials
Let
q
=
p
,
r−1
X
qs
L(x) =
αs x
(αs ∈ Fpm )
s=0
ó L(c1 + c2 ) = L(c1 ) + L(c2 )
ó
Università Roma Tre
-59
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
. Composition. f ◦ g is PP
if f, g are PP
. x(q+m−1)/m + ax is a PP
if m|q − 1
m
. Linearized Polynomials
Let
q
=
p
,
r−1
X
qs
L(x) =
αs x
(αs ∈ Fpm )
s=0
ó L(c1 + c2 ) = L(c1 ) + L(c2 )
ó L ∈ GLm (Fp ) ⊂ S(Fpm ) <
=
=
>
qj
det(αi−j )
6= 0
Università Roma Tre
-59
Public Key Cryptography
Dhahran, March 1, 2004
More examples of PP
. Composition. f ◦ g is PP
if f, g are PP
. x(q+m−1)/m + ax is a PP
if m|q − 1
m
. Linearized Polynomials
Let
q
=
p
,
r−1
X
qs
L(x) =
αs x
(αs ∈ Fpm )
s=0
ó L(c1 + c2 ) = L(c1 ) + L(c2 )
qj
det(αi−j )
ó L ∈ GLm (Fp ) ⊂ S(Fpm ) <
=
=
>
6= 0
<
=
=
> L(x) = 0 has 1 solution
Università Roma Tre
-59
Public Key Cryptography
Dhahran, March 1, 2004
One more example of PP
Università Roma Tre
-58
Public Key Cryptography
Dhahran, March 1, 2004
One more example of PP
. Dickson Polynomials. If a ∈ Fq , k ∈ N
Università Roma Tre
-59
Public Key Cryptography
Dhahran, March 1, 2004
One more example of PP
. Dickson Polynomials. If a ∈ Fq , k ∈ N
[k/2]
X k k − j Dk (x, a) =
(−a)j xk−2j
k−j
j
j=0
Università Roma Tre
-60
Public Key Cryptography
Dhahran, March 1, 2004
One more example of PP
. Dickson Polynomials. If a ∈ Fq , k ∈ N
[k/2]
X k k − j Dk (x, a) =
(−a)j xk−2j
k−j
j
j=0
ó
ó
ó
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
One more example of PP
. Dickson Polynomials. If a ∈ Fq , k ∈ N
[k/2]
X k k − j Dk (x, a) =
(−a)j xk−2j
k−j
j
j=0
ó if a 6= 0, Dk (x, a) is a PP <
=
=
> (k, q 2 − 1) = 1
ó
ó
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
One more example of PP
. Dickson Polynomials. If a ∈ Fq , k ∈ N
[k/2]
X k k − j Dk (x, a) =
(−a)j xk−2j
k−j
j
j=0
ó if a 6= 0, Dk (x, a) is a PP <
=
=
> (k, q 2 − 1) = 1
ó Dk (x, 0) = xk is a PP <
=
=
> (k, q − 1) = 1
ó
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
One more example of PP
. Dickson Polynomials. If a ∈ Fq , k ∈ N
[k/2]
X k k − j Dk (x, a) =
(−a)j xk−2j
k−j
j
j=0
ó if a 6= 0, Dk (x, a) is a PP <
=
=
> (k, q 2 − 1) = 1
ó Dk (x, 0) = xk is a PP <
=
=
> (k, q − 1) = 1
ó Note: if (mn, q 2 − 1) = 1,
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
One more example of PP
. Dickson Polynomials. If a ∈ Fq , k ∈ N
[k/2]
X k k − j Dk (x, a) =
(−a)j xk−2j
k−j
j
j=0
ó if a 6= 0, Dk (x, a) is a PP <
=
=
> (k, q 2 − 1) = 1
ó Dk (x, 0) = xk is a PP <
=
=
> (k, q − 1) = 1
ó Note: if (mn, q 2 − 1) = 1,
Dm (Dn (x, ±1), ±1) = Dmn (x, ±1)
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
Università Roma Tre
-60
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
¬
­
®
¯
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
¬ Alice and Bob agree on a finite field Fq , and a generator γ ∈ Fq
­
®
¯
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
¬ Alice and Bob agree on a finite field Fq , and a generator γ ∈ Fq
­ Alice picks a secret a ∈ [0, q 2 − 1], Bob picks a secret b ∈ [0, q 2 − 1]
®
¯
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
¬ Alice and Bob agree on a finite field Fq , and a generator γ ∈ Fq
­ Alice picks a secret a ∈ [0, q 2 − 1], Bob picks a secret b ∈ [0, q 2 − 1]
® They compute and publish Da (γ, 1) (Alice) and Db (γ, 1) (Bob)
¯
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
¬ Alice and Bob agree on a finite field Fq , and a generator γ ∈ Fq
­ Alice picks a secret a ∈ [0, q 2 − 1], Bob picks a secret b ∈ [0, q 2 − 1]
® They compute and publish Da (γ, 1) (Alice) and Db (γ, 1) (Bob)
¯ The common secret key is
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
¬ Alice and Bob agree on a finite field Fq , and a generator γ ∈ Fq
­ Alice picks a secret a ∈ [0, q 2 − 1], Bob picks a secret b ∈ [0, q 2 − 1]
® They compute and publish Da (γ, 1) (Alice) and Db (γ, 1) (Bob)
¯ The common secret key is
D (γ, 1) = Da (Db (γ, 1, 1)) = Db (Da (γ, 1, 1))
ab
Università Roma Tre
-62
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
¬ Alice and Bob agree on a finite field Fq , and a generator γ ∈ Fq
­ Alice picks a secret a ∈ [0, q 2 − 1], Bob picks a secret b ∈ [0, q 2 − 1]
® They compute and publish Da (γ, 1) (Alice) and Db (γ, 1) (Bob)
¯ The common secret key is
D (γ, 1) = Da (Db (γ, 1, 1)) = Db (Da (γ, 1, 1))
ab
NOTE. There is a fast algorithm to compute the value of a Dickson polynomial at
an element of Fq
Università Roma Tre
-63
Public Key Cryptography
Dhahran, March 1, 2004
Dickson analogue of DH Key–exchange
¬ Alice and Bob agree on a finite field Fq , and a generator γ ∈ Fq
­ Alice picks a secret a ∈ [0, q 2 − 1], Bob picks a secret b ∈ [0, q 2 − 1]
® They compute and publish Da (γ, 1) (Alice) and Db (γ, 1) (Bob)
¯ The common secret key is
D (γ, 1) = Da (Db (γ, 1, 1)) = Db (Da (γ, 1, 1))
ab
NOTE. There is a fast algorithm to compute the value of a Dickson polynomial at
an element of Fq
Problem. Find new classes of PP
Università Roma Tre
-64
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Università Roma Tre
-63
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Università Roma Tre
-64
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Problem. Compute Nd (q)
Università Roma Tre
-65
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Problem. Compute Nd (q)
+
+
+
+
+
Università Roma Tre
-66
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Problem. Compute Nd (q)
X
+
Nd (q) = q!
(∂fσ ≤ q − 2)
d≤q−2
+
+
+
+
Università Roma Tre
-66
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Problem. Compute Nd (q)
X
+
Nd (q) = q!
(∂fσ ≤ q − 2)
d≤q−2
+ N1 (q) = q(q − 1)
+
+
+
Università Roma Tre
-66
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Problem. Compute Nd (q)
X
+
Nd (q) = q!
(∂fσ ≤ q − 2)
d≤q−2
+ N1 (q) = q(q − 1)
+ Nd (q) = 0 if d|q − 1
(Hermite criterion)
+
+
Università Roma Tre
-66
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Problem. Compute Nd (q)
X
+
Nd (q) = q!
(∂fσ ≤ q − 2)
d≤q−2
+ N1 (q) = q(q − 1)
+ Nd (q) = 0 if d|q − 1
(Hermite criterion)
+ Nd (q) is known for d < 6
+
Università Roma Tre
-66
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Problem. Compute Nd (q)
X
+
Nd (q) = q!
(∂fσ ≤ q − 2)
d≤q−2
+ N1 (q) = q(q − 1)
+ Nd (q) = 0 if d|q − 1
(Hermite criterion)
+ Nd (q) is known for d < 6
+ Almost all permutation polynomials have degree q − 2
Università Roma Tre
-66
Public Key Cryptography
Dhahran, March 1, 2004
Enumeration of PP by degree
Nd (q) = {σ ∈ S(Fq ) | ∂(fσ ) = d}
Problem. Compute Nd (q)
X
+
Nd (q) = q!
(∂fσ ≤ q − 2)
d≤q−2
+ N1 (q) = q(q − 1)
+ Nd (q) = 0 if d|q − 1
(Hermite criterion)
+ Nd (q) is known for d < 6
+ Almost all permutation polynomials have degree q − 2
(S. Konyagin, FP – 2002) Mq = {σ ∈ S(Fq ) | ∂fσ < q − 2}
p
|#Mq − (q − 1)!| ≤ 2e/πq q/2
Università Roma Tre
-67
Public Key Cryptography
Dhahran, March 1, 2004
A recent result Università Roma Tre
-66
Public Key Cryptography
Dhahran, March 1, 2004
A recent result Nd = # {σ ∈ S(Fq ) | ∂(fσ ) < q − d − 1}
Università Roma Tre
-67
Public Key Cryptography
Dhahran, March 1, 2004
A recent result Nd = # {σ ∈ S(Fq ) | ∂(fσ ) < q − d − 1}
Theorem S. Konyagin, FP – 2003
Let α = (e − 2)/3e = 0.08808 · · · and d < αq. Then
(q−d)/2
q!
q
2d
Nd − ≤ 2d dq 2+q−d
.
qd q−d
d
It follows that
q!
Nd ∼ d
q
if d ≤ αq and α < 0.03983
Università Roma Tre
-68
Public Key Cryptography
Dhahran, March 1, 2004
Other ways of counting
If σ ∈ S(Fq ),
cσ = #{a ∈ Fq | σ(a) 6= a}
σ 6= id =
=
> q − cσ ≤ ∂fσ ≤ q − 2
(since fσ (x) − x has at least q − cσ roots)
Consequences.
+ 2–cycles have degree q − 2
+ 3–cycles have degree q − 2 or q − 3
+ k–cycles have degree in [q − k, q − 2]

2


 3 q(q − 1) q ≡ 1 mod 3
(Wells) #{σ ∈ 3–cyle, ∂(fσ ) = q − 3} = 0
q ≡ 0 mod 3


1
3 q(q − 1) q ≡ 0 mod 3
Università Roma Tre
-67
Public Key Cryptography
Dhahran, March 1, 2004
More enumeration functions + σ1 , σ2 conjugated ==
>
cσ1 = cσ2
+ C conjugation class of permutations
+ cC = #{ elements ∈ Fq moved by any σ ∈ C}
(i.e. cC = cσ for any σ ∈ C
+ C = [k]=k–cycles
==
>
q − cC ≤ fσ )
c[k] = k
+ Natural enumeration functions:
7 mC (q) = #{σ ∈ C, ∂fσ = q − cC }
7 MC (q) = #{σ ∈ C, ∂fσ < q − 2}
Università Roma Tre
(minimal degree)
(non-maximal degree)
-66
Public Key Cryptography
Dhahran, March 1, 2004
Permutation Classes with non maximal degree
Let C = (m1 , . . . , mt ) be the class of permutations with m1 1-cycles, . . ., mt
t-cycles. The number cC of elements in Fq moved by any element of C is
cC = 2m2 + 3m3 + · · · + tmt
MC (q) = #{σ ∈ C, ∂fσ < q − 2}
Theorem 1 (C. Malvenuto, FP - 2002). ∃N = NC ∈ N, f1 , · · · , fN ∈ Z[x],
fi monic, ∂fi = cC − 3 such that if q ≡ a mod N , then
q(q − 1)
MC (q) =
fa (q)
m2 !2m2 · · · mt !tmt
Università Roma Tre
-65
Public Key Cryptography
Dhahran, March 1, 2004
k–cycles with minimal degree
m[k] (q) = #{σ k–cycle, ∂fσ = q − k}
Theorem 2 (C. Malvenuto, FP - 2003).
* If q ≡ 1 mod k
==
>
ϕ(k)
m[k] (q) ≥
q(q − 1).
k
* If q = pf , p ≥ 2 · 3[k/3]−1
=
=
>
m[k] (q) ≤
(k − 1)!
q(q − 1).
k
Università Roma Tre
-64
Public Key Cryptography
Dhahran, March 1, 2004
Consequences of Theorem 1
MC (q)
1
1
)
= +O
#C
q
q2
) If C is fixed,
1
Prob(∂fσ < q − 2 | σ ∈ C) ∼
q
) If q = 2r , Cr is the conjugation class of r transposition,
MCr (q) =
q − 2(r − 1)(2r − 1)
q!
−
MCr−1 (q)
r
r!2 (q − 2r + 1)!
2r
) One can compute MC (q) for cC ≤ 6
Università Roma Tre
-63
Public Key Cryptography
Dhahran, March 1, 2004
Table 1. #cC ≤ 6, (q odd)
"
1
4 q(q
− 1) (q − 5 − 2η(−1) − 4η(−3))
=
1
8 q(q
− 1)(q − 4) {1 + η(−1)}
M[5] (q) =
1
5 q(q
− 1) q 2 − (9 − η(5) − 5η(−1) + 5η(−9)) q+
M[4] (q) =
" M[2
"
2] (q)
+26 + 5η(−7) + 15η(−3) + 15η(−1))
" M[2
3] (q)
=
1
6 q(q
− 1) q 2 − (9 + η(−3) + 3η(−1))q+
+(24 + 6η(−3) + 18η(−1) + 6η(−7))) +
η(−1)(1 − η(9))q(q − 5).
Università Roma Tre
-62
Public Key Cryptography
Dhahran, March 1, 2004
Table 2. #cC ≤ 6, (q even)
"
M[4] (2n ) =
1 n n
4 2 (2
− 1)(2n − 4)(1 + (−1)n )
n
2] (2 )
=
1 n n
8 2 (2
− 1)(2n − 2)
M[5] (2n ) =
1 n n
5 2 (2
− 1)(2n − 3 − (−1)n )(2n − 6 − 3(−1)n )
n
3] (2 )
1 n n
6 2 (2
− 1)(2n − 3 − (−1)n )(2n − 6).
" M[2
"
" M[2
=
Università Roma Tre
-61
Public Key Cryptography
Dhahran, March 1, 2004
Table 3. #cC = 6, (q odd, 3 - q)
M[6] (q)
=
q(q−1)
{q 3
6
− 14 q 2 + [68 − 6 η(5) − 6 η(50)]q−
[154 + 66 η(−3) + 93 η(−1) + 12 η(−2) + 54 η(−7)]}
M[4
2] (q)
=
q(q−1)
(q 3
8
− [14 − η(2)]q 2 +
[71 + 12 η(−1) + η(−2) + 4 η(−3) − 8 η(50)]q
−[148 + 100 η(−1) + 24 η(−2) + 44 η(−3) + 40 η(−7)])
M[3
3] (q)
=
q(q−1)
(q 3
18
− 13 q 2 + [62 + 9 η(−1) + 4 η(−3)]q
−[150 + 99 η(−1) + 42 η(−3) + 72 η(−7)])
M[2
2 2] (q)
=
q(q−1)
(q 3
48
− [14 + 3 η(−1)]q 2 + [70 + 36 η(−1) + 6 η(−2)]q
−[136 + 120 η(−1) + 48 η(−2) + 8 η(−3)])
Università Roma Tre
-60
Public Key Cryptography
Dhahran, March 1, 2004
Table 4. #cC = 6
n
M[6] (3 )
=
3n (3n −1)
{33n
6
− [14 + 2(−1)n ]32n + [71 + 39(−1)n ]3n −
[162 + 147(−1)n ]}
M[4
n
2] (3
)
=
3n (3n −1)
3n
{3
8
− [14 + 3 (−1)n ]32n + [72 + 40 (−1)n ]3n −
[164 + 140 (−1)n ]}
M[3
n
3] (3 )
=
3n (3n −1)
{(1
18
+ (−1)n ) 33 n − [14 + 15 (−1)n ]32 n +
[71 + 81 (−1)n ]3n − [150 + 171 (−1)n ]}
M[2
2
n
2] (3 )
=
3n (3n −1)
3n
{3
48
− [14 + 3(−1)n ]32n + [76 + 36(−1)n ]3n −
+[168 + 120(−1)n ]}
Università Roma Tre
-59
Public Key Cryptography
Dhahran, March 1, 2004
Table 5. #cC = 6
n
M[6] (2 )
=
2n (2n −1)
6
{(2n − 3 − (−1)n )(22n − (11 − (−1)n )2n +
(41 + 7(−1)n ))}
M[4
n
2] (2 )
=
2n (2n −1)
8
{(2n − 3 − (−1)n )(22n − 11 · 2n + 37 + (−1)n )}
M[3
n
3] (2 )
=
2n (2n −1)
18
{(2n − 3 − (−1)n )(22n −
(10 − (−1)n )2n + 45 − 3(−1)n ))}
M[2
2
n
2] (2 )
=
2n (2n −1)
48
{(2n − 2)(2n − 4)(2n − 8)}
Università Roma Tre
-58
Public Key Cryptography
Dhahran, March 1, 2004
Sketch of the Proof of Theorem 2. (1/3)
Step 1. Translate the problem into one on counting points of an algebraic
varieties
q(q − 1)
mk (q) =
nk (q)
k
where nk (q) = {σ ∈ [k] | ∂fσ = q − k, σ(0) = 1}.
Need to show |nk (q)| ≤ (k − 1)!. Now
X
q−1
fσ (x) =
σ(c) 1 − (x − c)
= A1 xq−2 + A2 xq−3 + · · · + Aq−1 .
c∈Fq
with Aj =
X
c∈Fq
j
σ(c)c =
X
c∈Fq
j
j−1
σ(c) c − c
X
=
(σ(c) − c)cj .
c∈Fq
σ(c)6=c
Università Roma Tre
-57
Public Key Cryptography
Dhahran, March 1, 2004
Sketch of the Proof of Theorem 2. (2/3)
If σ = (0, 1, x1 , x2 , . . . , xk−2 ) ∈ S(Fq ),
Aj (σ) = (1 − x1 ) + (x1 − x2 )xj1 + · · · (xk−2 − xk−2 )xjk−3 + xj+1
k−2 .
8>
>>
<
:
>>
>:
Def. (Affine k–th Silvia set)
Ak
(1 − x1 ) + x1 (x1 − x2 ) + · · · + xk−3 (xk−3 − xk−2 ) + x2k−2
=
0
(1 − x1 ) + x21 (x1 − x2 ) + · · · + x2k−3 (xk−3 − xk−2 ) + x3k−2
=
.
.
.
0
k−1
(1 − x1 ) + xk−2
(x1 − x2 ) + · · · + xk−2
1
k−3 (xk−3 − xk−2 ) + xk−2
=
0
nk (q) = #{x = (x1 , . . . , xk−2 ) ∈ Fk−2
| x ∈ Ak (Fq ), xi 6= xj } ≤ #Ak (Fq )
q
dimFq Ak = 0
Bezout Thm.
=
=
>
#A(Fq ) ≤ (k − 1)!
Università Roma Tre
-56
Public Key Cryptography
Dhahran, March 1, 2004
Sketch of the Proof of Theorem 2. (3/3)
Step 2.
Theorem. If K is an algebrically closed field,

0
or
char(K) =
> 2 · 3[k/3]−1 .
Then
dimK Ak = 0.
NOTE.
- Proof is based on finding projective hyperplanes disjoint from Ak
- There are examples of small values of q with dimK Ak > 0
Università Roma Tre
-55

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz