Generalizations of the Advanced Encryption Standard
Kevin Bombardier, Matthew Cole, Thomas Morrell, Cory Scott
Mentor: Dr. Liljana Babinkostova
2012 REU Symposium in Mathematics

Outline
1 Introduction: Cryptosystems; AES
2 The Round Functions: Descriptions; Parity
3 Results: Multiple Rounds; When is $\tau$ and $\tau_s$ not a group?; Group generated by $\tau_s$; Our Generalization; Future Work

Cryptosystems
A cryptosystem is an ordered 4-tuple $(\mathcal{M}, \mathcal{C}, \mathcal{K}, \mathcal{P})$ where
$\mathcal{M}$ is the message (state) space,
$\mathcal{C}$ is the ciphertext space,
$\mathcal{K}$ is the key space, and
for each $K \in \mathcal{K}$, the mapping $P_K : \mathcal{M} \to \mathcal{C}$ is invertible.
There are two types of cryptosystems: public-key and symmetric-key.

The Advanced Encryption Standard
After a lengthy contest [1], the cipher Rijndael was chosen as the Advanced Encryption Standard of the US government in 2001.
Rijndael replaced DES, the Data Encryption Standard, which had become vulnerable to attack.
There are attacks on AES, though none are yet practical [2]. For example [3], key recovery in AES-256 (256 is one of three key sizes) currently has time complexity $2^{119}$.
The security of DES can be augmented by multiple encryptions (Triple-DES). Would the same technique augment the security of AES?

[1] J. Daemen and V. Rijmen, AES Proposal: Rijndael, 1998.
[2] Bogdanov, Khovratovich, and Rechberger, Biclique Cryptanalysis of the Full AES, 2011.
[3] Bogdanov and Khovratovich, Related-Key Cryptanalysis of the Full AES-192 and AES-256, 2009.

Messages
Classical AES is a set of permutations of the finite field $M = \mathrm{GF}(2^{128}) \cong \mathrm{GF}(2^8)^{4 \times 4}$.
It is often helpful to visualize elements of this field as $4 \times 4$ matrices whose entries are strings of 8 binary digits.
We generalize AES to a set of permutations of the field $M = \mathrm{GF}(p^r)^{mn}$.

How Does AES Work? [4]
AES consists of several successive rounds ("round functions"), each built from four permutations: SubBytes ($\lambda$), ShiftRows ($\pi$), MixColumns ($\rho$), and AddRoundKey ($\sigma[k]$).
One round is $T[k] := \sigma[k] \circ \rho \circ \pi \circ \lambda$.
Write $\tau := \{T[k] : k \in \mathcal{K}\}$.

[4] J. Daemen and V. Rijmen, AES submission document on Rijndael, Version 2, 1999.

SubBytes
[Figure: the state cells $a_0, \ldots, a_{15}$ are mapped cell by cell through the S-box to $a'_0, \ldots, a'_{15}$.]
SubBytes ($\lambda$) is the parallel application of $mn$ 'S-box' permutations, each of which permutes one cell of the state matrix.
Each S-box maps one element $x \in \mathrm{GF}(p^r)$ to $a x^{-1} + b$, where $a, b \in \mathrm{GF}(p^r)$ are fixed.
The S-boxes remove linearity from AES.

ShiftRows
[Figure: the state cells $a_0, \ldots, a_{15}$ are rotated within their rows to give $a'_0, \ldots, a'_{15}$.]
In the ShiftRows permutation ($\pi$), each cell is moved some number of spots to the left depending on which row it is in. The length of shift $c_i$ for each row $i$ can vary.

MixColumns
[Figure: each column of the state $a_0, \ldots, a_{15}$ is multiplied by $C$ ($\otimes C$) to give $a'_0, \ldots, a'_{15}$.]
MixColumns ($\rho$) multiplies each column by a fixed element $C \in \mathrm{GF}(p^{rm})$. This is equivalent to multiplying each column by a matrix.
ShiftRows and MixColumns diffuse the state.

AddRoundKey
[Figure: the state $a_0, \ldots, a_{15}$ is added ($\oplus$) to the round key $k_0, \ldots, k_{15}$ to give $a'_0, \ldots, a'_{15}$.]
The AddRoundKey permutation ($\sigma[k]$) is an addition between the current state and the round key. Each round uses a distinct key.
Parity: Why Does It Matter?
Recall that the security of DES can be augmented by multiple encryptions (Triple-DES). Would the same technique augment the security of AES?
It definitely would not if the AES encryption functions formed a group.
Permutation groups contain either all even permutations, or half even and half odd permutations.
First consider the set of round functions $\tau$. If there are conditions under which $\tau$ contains only odd permutations, then $\tau$ is not a group under those conditions! The parity test is inconclusive otherwise.

Approach
We sought the parity of the permutations $\sigma[k]$, $\rho$, $\pi$, and $\lambda$. Our tool was the following:
Classical Theorem. A permutation is odd if and only if it contains an odd number of even-length cycles.

Parity Results
We obtained the following results:
Theorem. The ShiftRows function $\pi$ is always an even permutation.
Theorem. The AddRoundKey function $\sigma[k]$ is an even permutation for all $k \in \mathcal{K}$, except in the trivial case $r = m = n = 1$, $p = 2$, $k = 1$.
Theorem. The MixColumns function $\rho$ is an odd permutation if and only if $p$, $n$, and $(p^{rm} - 1)/|\langle C \rangle|$ are odd.
Theorem. The SubBytes function $\lambda$ is an odd permutation if and only if $p$, $m$, and $n$ are odd, and either:
$p \equiv 3 \pmod 4$, $r$ is odd, and $(p^r - 1)/|\langle a \rangle|$ is odd, OR
either $p \equiv 1 \pmod 4$ or $r$ is even, and $(p^r - 1)/|\langle a \rangle|$ is even.
So $T[k] = \sigma[k] \circ \rho \circ \pi \circ \lambda$ is an odd permutation if and only if $\lambda$ or $\rho$ is odd, but not both.
Since the parity of $T[k]$ does not depend on $k$:
Theorem. All permutations in $\tau = \{T[k] : k \in \mathcal{K}\}$ have the same parity.

Notation
We denote the set of 1-round AES permutations as $\tau := \{T[k] \mid k \in \mathcal{K}\}$.
We denote the group generated by $\tau$ as $G_\tau := \langle \tau \rangle$.
For any $k \in \mathcal{K}$, we denote the generalized $s$-round AES permutation $T_s[k] : \mathrm{GF}(p^r)^{mn} \to \mathrm{GF}(p^r)^{mn}$ by
$T_s[k] := \sigma[k_{s+1}] \circ \pi \circ \lambda \circ (\sigma[k_i] \circ \rho \circ \pi \circ \lambda)^{s-1} \circ \sigma[k_1]$ for $2 \le i \le s$.
We write the set of $s$-round AES permutations as $\tau_s := \{T_s[k] \mid k \in \mathcal{K}\}$.
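To make the parity theorems concrete, here is an added example (not code from the slides or the authors) that builds the four round functions over $\mathrm{GF}(p)^n$ in the special case $r = 1$ and $m = 1$ (one row, so MixColumns is multiplication by $C \in \mathrm{GF}(p)$), computes each one's parity by counting even-length cycles as in the classical theorem, and compares the result with what the theorems above predict. The parameter values $p = 7$, $n = 3$, $a = 3$, $b = 1$, $C = 2$, $c_1 = 1$, $k = (1, 2, 3)$ are constructed for illustration.

```python
# Added example (not from the slides): brute-force parity check of the four
# generalized AES round functions over GF(p)^n, i.e. the case r = 1 (prime
# field) and m = 1 (one row, so MixColumns multiplies each cell by C in GF(p)).
# Names p, n, a, b, C, c1, k follow the slides; the values are constructed.
from itertools import product

def parity(perm):
    """Classical theorem: odd iff an odd number of even-length cycles.
    perm is a dict mapping every element of a finite set to its image."""
    seen, even_cycles = set(), 0
    for start in perm:
        if start in seen:
            continue
        length, x = 0, start
        while x not in seen:
            seen.add(x)
            x = perm[x]
            length += 1
        even_cycles += (length % 2 == 0)
    return "odd" if even_cycles % 2 else "even"

def mult_order(g, p):
    """Order |<g>| of g in the multiplicative group GF(p)^* (g != 0 mod p)."""
    k, x = 1, g % p
    while x != 1:
        x, k = x * g % p, k + 1
    return k

def round_functions(p, n, a, b, C, c1, k):
    """The four permutations of GF(p)^n (m = 1 row of n cells)."""
    assert a % p and C % p, "a and C must be nonzero for permutations"
    def sbox(x):                         # x -> a*x^-1 + b, with 0^-1 := 0
        inv = pow(x, p - 2, p) if x else 0
        return (a * inv + b) % p
    lam = lambda s: tuple(sbox(x) for x in s)                    # SubBytes
    pi = lambda s: tuple(s[(j + c1) % n] for j in range(n))      # ShiftRows
    rho = lambda s: tuple(C * x % p for x in s)                  # MixColumns
    sigma = lambda s: tuple((x + y) % p for x, y in zip(s, k))   # AddRoundKey
    T = lambda s: sigma(rho(pi(lam(s))))                         # one round
    return {"lambda": lam, "pi": pi, "rho": rho, "sigma": sigma, "T": T}

def observed_parities(p, n, a, b, C, c1, k):
    """Enumerate all p^n states and compute the parity of each permutation."""
    states = list(product(range(p), repeat=n))
    return {name: parity({s: f(s) for s in states})
            for name, f in round_functions(p, n, a, b, C, c1, k).items()}

def predicted_parities(p, n, a, C):
    """The slides' parity theorems specialised to r = 1, m = 1."""
    qC = (p - 1) // mult_order(C, p)     # (p^{rm} - 1) / |<C>|
    qa = (p - 1) // mult_order(a, p)     # (p^r - 1) / |<a>|
    rho_odd = p % 2 == 1 and n % 2 == 1 and qC % 2 == 1
    # r = 1 is odd: the p = 3 (mod 4) branch needs qa odd,
    # the p = 1 (mod 4) branch needs qa even; m = 1 is odd.
    lam_odd = (p % 2 == 1 and n % 2 == 1 and
               ((p % 4 == 3 and qa % 2 == 1) or (p % 4 == 1 and qa % 2 == 0)))
    return {"lambda": "odd" if lam_odd else "even",
            "pi": "even",                # always even
            "rho": "odd" if rho_odd else "even",
            "sigma": "even",             # even outside the trivial case
            "T": "odd" if lam_odd != rho_odd else "even"}

def check(p=7, n=3, a=3, b=1, C=2, c1=1, k=(1, 2, 3)):
    """Return (observed, predicted); the two dicts agree."""
    return observed_parities(p, n, a, b, C, c1, k), predicted_parities(p, n, a, C)

if __name__ == "__main__":
    obs, pred = check()
    for name in obs:
        print(f"{name:7s} observed {obs[name]:5s} predicted {pred[name]}")
```

With these values $\lambda$ is odd and $\rho$ is even, so every $T[k]$ is odd and $\tau$ cannot be a group; changing to $C = 3$ makes $\rho$ odd as well, $T[k]$ becomes even, and the parity test says nothing.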
We write the group generated by $\tau_s$ as $G_{\tau_s} := \langle \tau_s \rangle$.

Multiple Rounds
By our parity theorem, for $T_s[k]$ to be an odd permutation, one round function must be both odd and applied an odd number of times.
So for $\lambda$, which is applied $s$ times, the number of rounds $s$ must be odd.
For $\rho$, which is applied $s - 1$ times, the number of rounds $s$ must be even.

When is s-round AES odd?
Theorem. For $p = 2$ and $rmn > 1$, $T_s[k]$ is always even. [a]
Theorem. When $p$ is odd, $T_s[k]$ has odd parity if and only if:
$s$ is even, and $n$ and $(p^{rm} - 1)/|\langle C \rangle|$ are odd, where $\rho(x) = Cx$, OR
$s$, $m$, and $n$ are odd, and either:
$p \equiv 3 \pmod 4$, $r$ is odd, and $(p^r - 1)/|\langle a \rangle|$ is odd, OR
either $p \equiv 1 \pmod 4$ or $r$ is even, and $(p^r - 1)/|\langle a \rangle|$ is even,
where $\lambda(x) = a x^{-1} + b$.

[a] In agreement with previous work: R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics, 156 (2008), pp. 3139-3149.

When is τ not a group?
Classical Theorem. Permutation groups contain either all even permutations, or half even and half odd permutations.
Recall that $\tau := \{T[k] \mid k \in \mathcal{K}\}$ and $\tau_s := \{T_s[k] \mid k \in \mathcal{K}\}$.
It follows from the above classical theorem that when $\tau$ and $\tau_s$ contain only odd permutations, they cannot form groups.

Motivation
What are the groups generated by $\tau$ and $\tau_s$ respectively?
Generating a larger group can improve the security of the system, but it does not guarantee it.
The largest group that can be generated by $\tau$ and $\tau_s$ is $S_{p^{rmn}}$.
So when does $G_\tau = S_{p^{rmn}}$ and $G_{\tau_s} = S_{p^{rmn}}$?

Transitivity
Let $G$ be a permutation group over a set $X$.
Definition. $G$ is transitive if for all $a, b \in X$, there exists a $\sigma \in G$ such that $\sigma(a) = b$.
Lemma. The group generated by 1-round AES functions over $\mathrm{GF}(p^r)^{mn}$ is transitive for all $p, m, n, r$.

Primitivity
Let $G$ be a permutation group over a set $X$.
Definition. A block under $G$ is a subset $B = \{b_1, \ldots, b_k\} \subset X$ such that for all $\sigma \in G$, either $\sigma(B) = B$ or $\sigma(B) \cap B = \emptyset$.
For any set $X$, the subsets $\emptyset$, $X$, and every one-element subset of $X$ are called trivial blocks.
Definition. $G$ is primitive if $G$ is transitive and there does not exist any nontrivial block of $X$ under $G$.
Theorem. If $G$ is a primitive group of degree $N$ containing an $M$-cycle where $2 \le M \le (N - M)!$, then $G$ is the alternating or symmetric group. [b]

[b] D. M. Rodgers, Generating and covering the alternating or symmetric group, Communications in Algebra, 30(1), 2002, pp. 425-435.

Our Generalization
Theorem. When $r \ge 5$, $mn \ge 2$, and $\gcd(c_1, \ldots, c_m, n) = 1$, $G_\tau$ is primitive.
The proof of this theorem is very technical. We omit the details.
Theorem. Let $\tau$ be a set of AES round functions over $\mathrm{GF}(p^r)^{mn}$. If $r \ge 5$, $mn \ge 2$, and $\gcd(c_1, \ldots, c_m, n) = 1$, then $G_\tau$ is $A_{p^{rmn}}$ when $\tau$ is a set of even permutations, and $S_{p^{rmn}}$ when $\tau$ is a set of odd permutations.

Multiple Rounds
Classical Theorem. For $n \ge 5$, the only normal subgroups of $S_n$ are $S_n$ and $A_n$.
Lemma. $G_{\tau_s}$ is a normal subgroup of $G_\tau$.
Theorem. If the group $G_\tau = A_{p^{rmn}}$, then $G_{\tau_s} = A_{p^{rmn}}$. If $G_\tau = S_{p^{rmn}}$, then $G_{\tau_s} = A_{p^{rmn}}$ if $s$ is even and $G_{\tau_s} = S_{p^{rmn}}$ if $s$ is odd.

Future Work
The group generated by the set of $s$-round permutations which take the key schedule into account is a subgroup of $G_{\tau_s}$.
What subgroup of $S_{p^{rmn}}$ is this group?
This sort of question is unknown even for classical AES.
Elliptic Reciprocity
Kevin Bombardier, Matthew Cole, Thomas Morrell, Cory Scott
Mentor: Dr. Liljana Babinkostova
2012 REU Symposium in Mathematics

Outline
1 Elliptic Curves: Isomorphism
2 Public Key Cryptography: Known attacks on ECDLP
3 Elliptic Primes
4 Elliptic Reciprocity
5 Lists and Cycles: Elliptic Cycles; Elliptic Lists
6 Future Work

Elliptic Curve Basics
An elliptic or cubic curve is a smooth curve of the form $E : y^2 = x^3 + Ax + B$ over some field of characteristic $\ne 2$ or $3$.
We specifically consider curves over finite fields, written $E(\mathbb{F}_p)$.
Example of a curve over the reals: [figure not recovered]

Hasse Interval
When $E$ is considered over a finite field, it has a finite number of points.
The number of points, $\#E(\mathbb{F}_p)$, always falls within the Hasse interval
$H_p = [\,p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p}\,]$.
A basic reciprocity law holds: if $q \in H_p$, then $p \in H_q$.

Elliptic Curve Group Law
[The statement of the group law on this slide (a figure) was not recovered.]
Theorem. Under the above law, the points on an elliptic curve form an additive group.

Elliptic Curve Field Law?
Question: Can we define a multiplication operation over the points on an elliptic curve?
Theorem. Let $E(\mathbb{F}_p)$ be an elliptic curve of prime order $q$. Then there exists a multiplication operation $*$ such that $(E(\mathbb{F}_p), *) \cong (\mathbb{Z}_q^{\times})$ and $(E(\mathbb{F}_p), +, *) \cong (\mathbb{Z}_q, +, \times)$.

Cayley Table
Example: $y^2 = x^3 + x + 6 \pmod{11}$ with generator $\alpha = (2, 7)$. The first row and the first column list $\alpha, 2\alpha, \ldots, 12\alpha$; the entry in row $i\alpha$ and column $j\alpha$ is $(i\alpha) * (j\alpha)$.

(2,7)   (5,2)   (8,3)   (10,2)  (3,6)   (7,9)   (7,2)   (3,5)   (10,9)  (8,8)   (5,9)   (2,4)
(5,2)   (10,2)  (7,9)   (3,5)   (8,8)   (2,4)   (2,7)   (8,3)   (3,6)   (7,2)   (10,9)  (5,9)
(8,3)   (7,9)   (10,9)  (2,4)   (5,2)   (3,6)   (3,5)   (5,9)   (2,7)   (10,2)  (7,2)   (8,8)
(10,2)  (3,5)   (2,4)   (8,3)   (7,2)   (5,9)   (5,2)   (7,9)   (8,8)   (2,7)   (3,6)   (10,9)
(3,6)   (8,8)   (5,2)   (7,2)   (2,4)   (10,2)  (10,9)  (2,7)   (7,9)   (5,9)   (8,3)   (3,5)
(7,9)   (2,4)   (3,6)   (5,9)   (10,2)  (8,8)   (8,3)   (10,9)  (5,2)   (3,5)   (2,7)   (7,2)
(7,2)   (2,7)   (3,5)   (5,2)   (10,9)  (8,3)   (8,8)   (10,2)  (5,9)   (3,6)   (2,4)   (7,9)
(3,5)   (8,3)   (5,9)   (7,9)   (2,7)   (10,9)  (10,2)  (2,4)   (7,2)   (5,2)   (8,8)   (3,6)
(10,9)  (3,6)   (2,7)   (8,8)   (7,9)   (5,2)   (5,9)   (7,2)   (8,3)   (2,4)   (3,5)   (10,2)
(8,8)   (7,2)   (10,2)  (2,7)   (5,9)   (3,5)   (3,6)   (5,2)   (2,4)   (10,9)  (7,9)   (8,3)
(5,9)   (10,9)  (7,2)   (3,6)   (8,3)   (2,7)   (2,4)   (8,8)   (3,5)   (7,9)   (10,2)  (5,2)
(2,4)   (5,9)   (8,8)   (10,9)  (3,5)   (7,2)   (7,9)   (3,6)   (10,2)  (8,3)   (5,2)   (2,7)

Example: $y^2 = x^3 + 21x + 11 \pmod{41}$ [table not recovered]
Example: $y^2 = x^3 + 35x + 9 \pmod{61}$ [table not recovered]

Public Key Cryptography
Elliptic curves are widely used in public-key cryptography.
Given an elliptic curve $E$ and a point $\alpha$ on that curve, it is easy to calculate $k\alpha$ for any integer $k$.
Given an elliptic curve $E$ and points $\alpha$ and $\beta$ on that curve, it is difficult to find some $k$ such that $\beta = k\alpha$.
This problem is called the Elliptic Curve Discrete Logarithm Problem (ECDLP), and its one-way computational difficulty gives rise to a method of Diffie-Hellman key exchange.
Diffie-Hellman [1]

Alice and Bob want to communicate in secret from an observer, Eve, over a channel that Eve can read.
They agree on an elliptic curve and a point, $\alpha$.
Each of them picks a secret integer, $k$ and $l$, respectively.
Alice sends $k\alpha$ to Bob, and Bob sends $l\alpha$ to Alice.
Now they each calculate $k \cdot l\alpha = l \cdot k\alpha$.
With access only to $k\alpha$, $l\alpha$, and $\alpha$, Eve cannot recreate $k \cdot l\alpha$ without solving the ECDLP. So Alice and Bob have a reliable shared secret.

[1] W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp. 644–654.
Attacks on ECDLP

Any attack that is useful against the integer DLP is also useful against the ECDLP.
The Silver-Pohlig-Hellman algorithm is a fast factoring algorithm when the order of the group is a smooth integer. [2]
Some ways of improving security:
Using curves of prime order
Large key sizes
Attacks also exist for so-called anomalous primes.

[2] S. Pohlig and M. Hellman (1978). "An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance". IEEE Transactions on Information Theory (24): 106–110.
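The exchange of the Diffie-Hellman slide, run end to end on a toy curve, together with the two sanity checks suggested by the attacks slide (prime group order, non-anomalous curve). This is an added example and not code from the deck: the group law and double-and-add scalar multiplication are written here in affine coordinates, the curve equation $y^2 = x^3 + 15$ is the one named later in the deck, used over the first prime 274723 of its 6-cycle as a constructed toy parameter set, the base point is found by search (its order is not computed here), and all function names are my own.

```python
"""ECDH on a short Weierstrass curve y^2 = x^3 + a*x + b over F_p (affine coordinates)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    p: int  # prime field modulus
    a: int  # coefficient of x
    b: int  # constant term


INF = None  # the point at infinity: identity of the group

# Constructed toy parameters: the equation y^2 = x^3 + 15 named in the deck, over
# F_274723, the first prime of the deck's proper 6-cycle. Illustration only; a real
# deployment uses a standardised curve of roughly 256 bits, never a 19-bit one.
E = Curve(p=274723, a=0, b=15)


def is_on_curve(c, pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + c.a * x + c.b)) % c.p == 0


def add(c, p1, p2):
    """Chord-and-tangent addition in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return INF  # p2 = -p1 (also the vertical tangent when y1 == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def mul(c, k, pt):
    """k*pt by left-to-right double-and-add. Not constant time: branching on
    secret bits leaks timing, so production code uses a Montgomery ladder."""
    if k < 0:
        raise ValueError("scalar must be non-negative")
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(c, acc, acc)
        if bit == "1":
            acc = add(c, acc, pt)
    return acc


def find_base_point(c):
    """Affine point with the smallest x and y != 0. Assumes p = 3 (mod 4), so a
    square root of a quadratic residue n is n^((p+1)/4)."""
    assert c.p % 4 == 3
    for x in range(c.p):
        n = (x ** 3 + c.a * x + c.b) % c.p
        if n == 0 or pow(n, (c.p - 1) // 2, c.p) != 1:
            continue  # skip y == 0 (an order-2 point) and non-residues
        return (x, pow(n, (c.p + 1) // 4, c.p))
    raise ValueError("no suitable point found")


def ecdh(c, alpha, k=None, l=None):
    """The exchange from the deck. Secrets default to CSPRNG values; fixed k, l
    may be passed for a reproducible run (never in production). The proper
    upper bound for the secrets is the order of alpha; p is used here because
    this snippet does not compute the group order."""
    if k is None:
        k = secrets.randbelow(c.p - 1) + 1
    if l is None:
        l = secrets.randbelow(c.p - 1) + 1
    k_alpha = mul(c, k, alpha)          # Alice -> Bob, over the public channel
    l_alpha = mul(c, l, alpha)          # Bob -> Alice, over the public channel
    alice_secret = mul(c, k, l_alpha)   # k * (l*alpha)
    bob_secret = mul(c, l, k_alpha)     # l * (k*alpha)
    return k_alpha, l_alpha, alice_secret, bob_secret


def largest_prime_factor(n):
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return max(f, n) if n > 1 else f


def order_warnings(p, n):
    """The two checks from the attacks slide for a curve over F_p with #E = n."""
    w = []
    q = largest_prime_factor(n)
    if q != n:
        w.append("composite order, largest prime factor %d" % q)  # Pohlig-Hellman
    if n == p:
        w.append("anomalous curve, #E == p")
    return w
```

The two warnings are parameter-validation checks a library should run when a caller supplies its own curve: Pohlig-Hellman makes the ECDLP only as hard as the largest prime factor of the order, and an anomalous curve is rejected outright.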
Elliptic Primes

Definition. An elliptic pair is an ordered pair of primes $(p, q)_d$ such that there exists an elliptic curve $E/\mathbb{F}_p$ with order $q$ that has complex multiplication (CM) in $\mathbb{Q}(\sqrt{-d})$, where $d \equiv 3 \pmod 8$ is a square-free positive integer.

Definition. An elliptic prime is a prime which is a member of at least one elliptic pair.

Elliptic Reciprocity

The Law of Elliptic Reciprocity. If $(p, q)_d$ is an elliptic pair, then so too is $(q, p)_d$.

Elliptic Lists

Definition. An elliptic list (of length $n$) is an ordered $n$-tuple of primes $[p_1, p_2, \ldots, p_n]_d$ such that $(p_1, p_2)_d, (p_2, p_3)_d, \ldots, (p_{n-1}, p_n)_d$ are all elliptic pairs. An elliptic list is proper if $p_1, p_2, \ldots, p_n$ are all distinct.

Example. $(73, 67)_3$, $(67, 79)_3$, $(79, 97)_3$, $(97, 103)_3$ are all elliptic pairs, so $[73, 67, 79, 97, 103]_3$ is a proper elliptic list.
$[7, 13, 7]_3$ is an elliptic list which is not proper.

Elliptic Cycles

Definition. An elliptic cycle (of length $n$) is an ordered $n$-tuple of primes $(p_1, p_2, \ldots, p_n)_d$ such that $[p_1, p_2, \ldots, p_n]_d$ is an elliptic list and $(p_n, p_1)_d$ is an elliptic pair. An elliptic cycle is proper if $p_1, p_2, \ldots, p_n$ are all distinct.

Theorem. The proper elliptic cycle of length $n > 2$ with the smallest primes is $(274723, 275269, 276319, 276823, 276277, 275227)_3$. It is generated by the curve $E : y^2 = x^3 + 15$.

Theorem. Let $n \geq 3$. No proper elliptic cycle of length $n$ exists, except for $n = 6$ over $d = 3$.

Conjecture. An infinite number of proper elliptic cycles of length 6 exist.
We have the restriction that if $(p_1, p_2, p_3, p_4, p_5, p_6)_3$ is a proper elliptic cycle with $p_i = a_i^2 + 3b_i^2$ and $a_i \equiv -1 \pmod 3$, then $a_i \equiv -1 \pmod 7$ and $7 \mid b_i$ for all $1 \leq i \leq 6$.

Two Results for Elliptic Lists over $d = 3$

Theorem. Let $[p_1, p_2, p_3, p_4, p_5]_3$ be a proper elliptic list. Then $p_1 - p_2 = p_5 - p_4$.

Theorem. Let $[p_1, p_2, p_3, p_4]_3$ be a proper elliptic list. If $p_1 = a^2 + 3b^2$ with $a \equiv -1 \pmod 3$, then $p_4 = (-a - 2)^2 + 3b^2$.

Corollary. The longest proper elliptic list over $d = 3$ is of length $n = 6$. All proper elliptic lists over $d = 3$ of length 6 are in fact proper elliptic cycles.

Results for Elliptic Lists over $d \neq 3$

Definition. Define $L(d) = \max\{\, n \mid [p_1, p_2, \ldots, p_n]_d \text{ is a proper elliptic list} \,\}$.

Theorem. If $d = 3$, then $L(d) = 6$. Otherwise, let $m$ be the smallest prime such that $\left(\frac{-d}{m}\right) \neq -1$. Then $L(d) \leq m - 1$.
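The definitions of elliptic pair, list and cycle, the reciprocity law, and the two $d = 3$ theorems above, checked by direct computation on the deck's own examples. This is an added example, not code from the deck: for $d = 3$ the curves with CM by $\mathbb{Q}(\sqrt{-3})$ are the curves $y^2 = x^3 + b$ (j-invariant 0), so $(p, q)_3$ is an elliptic pair exactly when some $b \in \mathbb{F}_p^*$ gives a curve of order $q$. The block counts points naively from the Legendre symbol of $x^3 + b$, which is fine for the two-digit and three-digit primes of the examples but far too slow for the 6-cycle above; all function names are my own.

```python
"""Elliptic pairs, lists and cycles over d = 3 by brute-force point counting."""
from functools import lru_cache
from math import isqrt


def curve_order_j0(p, b):
    """#E(F_p) for E: y^2 = x^3 + b, counted from the Legendre symbol of x^3 + b.
    For d = 3 the CM curves are exactly these j-invariant-0 curves."""
    count = 1  # the point at infinity
    for x in range(p):
        n = (x * x * x + b) % p
        if n == 0:
            count += 1  # the single point with y = 0
        elif pow(n, (p - 1) // 2, p) == 1:
            count += 2  # two square roots
    return count


@lru_cache(maxsize=None)
def orders_over_d3(p):
    """Sorted distinct group orders of y^2 = x^3 + b over F_p, b running over F_p^*."""
    return tuple(sorted({curve_order_j0(p, b) for b in range(1, p)}))


def is_elliptic_pair_d3(p, q):
    """(p, q)_3 is an elliptic pair iff some twist over F_p has order q."""
    return q in orders_over_d3(p)


def is_elliptic_list_d3(primes):
    return all(is_elliptic_pair_d3(a, b) for a, b in zip(primes, primes[1:]))


def is_proper(primes):
    return len(set(primes)) == len(primes)


def is_elliptic_cycle_d3(primes):
    return is_elliptic_list_d3(primes) and is_elliptic_pair_d3(primes[-1], primes[0])


def rep_a2_3b2(p):
    """(a, b) with p = a^2 + 3b^2, b > 0 and a = -1 (mod 3); exists for p = 1 (mod 3)."""
    for b in range(1, isqrt(p // 3) + 1):
        r = p - 3 * b * b
        a = isqrt(r)
        if a * a == r:
            return (a if a % 3 == 2 else -a, b)
    raise ValueError("%d is not of the form a^2 + 3b^2" % p)


def predicted_p4(p1):
    """Fourth entry of a proper list [p1, p2, p3, p4]_3 per the deck's theorem."""
    a, b = rep_a2_3b2(p1)
    return (-a - 2) ** 2 + 3 * b * b


if __name__ == "__main__":
    example = [73, 67, 79, 97, 103]
    print("proper elliptic list:", is_elliptic_list_d3(example) and is_proper(example))
    print("p1 - p2 == p5 - p4:", example[0] - example[1] == example[4] - example[3])
    print("predicted p4:", predicted_p4(example[0]), "actual:", example[3])
```

Over $\mathbb{F}_{73}$ the six twists have orders 57, 64, 67, 81, 84 and 91; 67 is the prime among them, which is the pair $(73, 67)_3$, and the same search over $\mathbb{F}_{67}$ finds 73, which is the reciprocity law in action.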
Future Work

We have seen that we can extend the group law into a ring law by defining multiplication on an elliptic curve. Is there an efficient way to compute this?
For any given $d$, are there infinitely many elliptic primes? If so, what is their distribution?
Can we use the properties of elliptic pairs to generate elliptic curves of prime order more efficiently?
How is the function $L(d)$ related to the class number $h(-d)$?
Is $L(d)$ unbounded as $d \to \infty$?
Are there infinitely many proper elliptic 6-cycles over $d = 3$?
An Infinitude of Elliptic Primes?

The Bouniakowsky Conjecture for quadratic polynomials would imply that for all positive integers $d \equiv 3 \pmod 8$, there exist an infinite number of anomalous primes (primes $p$ such that $(p, p)_d$ is an elliptic pair), and thus elliptic primes.
These primes aren't especially useful for cryptographic applications, however.
Do there exist other sequences which generate an infinite number of elliptic primes?

$$a_1 = 7, \qquad a_n = \prod_{k < n} a_k + 6$$

So far, every term in this (pairwise coprime) sequence seems to have a factor which is an elliptic prime over $d = 3$.
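The sequence $a_n$ above, generated, checked for pairwise coprimality, factored, and tested term by term for a prime factor that is an elliptic prime over $d = 3$. This is an added example (my code, not the deck's). Rather than counting points, it decides elliptic-primality from the CM structure: for a prime $p \equiv 1 \pmod 3$ the six twists $y^2 = x^3 + b$ over $\mathbb{F}_p$ have orders $p + 1 - \mathrm{Tr}(u\pi)$ for the six units $u$ of $\mathbb{Z}[\omega]$, where $4p = t^2 + 3v^2$ gives the traces $\pm t, \pm(t+3v)/2, \pm(t-3v)/2$, and for $p \equiv 2 \pmod 3$ every such curve is supersingular with order $p + 1$. That is a standard fact assumed here, not a claim the deck makes; trial-division factoring keeps the run to the first five terms.

```python
"""a_1 = 7, a_n = prod_{k<n} a_k + 6, and its elliptic-prime factors over d = 3."""
from math import gcd, isqrt


def sequence(n_terms):
    seq, prod = [7], 7
    for _ in range(1, n_terms):
        seq.append(prod + 6)
        prod *= seq[-1]
    return seq


def pairwise_coprime(seq):
    return all(gcd(a, b) == 1 for i, a in enumerate(seq) for b in seq[i + 1:])


def factor(n):
    """Prime factors with multiplicity by trial division (fine up to about 1e12)."""
    out, d = [], 2
    while d * d <= n:
        while n % d == 0:
            out.append(d)
            n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def is_prime(n):
    return n > 1 and factor(n) == [n]


def cm_orders_d3(p):
    """Group orders of the twists y^2 = x^3 + b over F_p (p >= 5 prime), from the
    CM trace set (assumed standard fact, see lead-in): with 4p = t^2 + 3v^2 the
    traces are +-t, +-(t+3v)/2, +-(t-3v)/2; for p = 2 (mod 3) the order is p + 1."""
    assert p >= 5 and is_prime(p)
    if p % 3 == 2:
        return {p + 1}
    for v in range(1, isqrt(4 * p // 3) + 1):
        r = 4 * p - 3 * v * v
        t = isqrt(r)
        if t * t == r:
            break
    else:
        raise ArithmeticError("no representation 4p = t^2 + 3v^2")
    s1, s2 = (t + 3 * v) // 2, (t - 3 * v) // 2  # t and v share parity, so exact
    traces = {t, -t, s1, -s1, s2, -s2}
    return {p + 1 - tr for tr in traces}


def is_elliptic_prime_d3(p):
    """p is an elliptic prime over d = 3 iff one of its twists has prime order."""
    return any(is_prime(q) for q in cm_orders_d3(p))


def elliptic_prime_factors(n):
    """Distinct prime factors of n (>= 5) that are elliptic primes over d = 3."""
    return sorted(q for q in set(factor(n)) if q >= 5 and is_elliptic_prime_d3(q))


if __name__ == "__main__":
    seq = sequence(5)
    print("terms:", seq, "pairwise coprime:", pairwise_coprime(seq))
    for a in seq:
        print(a, "=", factor(a), "elliptic prime factors:", elliptic_prime_factors(a))
```

For $a_4 = 8833 = 11^2 \cdot 73$ the factor 11 is $\equiv 2 \pmod 3$ and contributes only the composite order 12, so the elliptic-prime factor is 73, the first prime of the deck's list example.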
The class number and $L(d)$

Dirichlet (1839) proved that the class number is
$$h(-d) = \sum_{m=1}^{d} \frac{m}{-d}\left(\frac{-d}{m}\right)$$
for $d > 0$, $d \neq 1, 3$.
Because we only care about $d \equiv 3 \pmod 8$, we can rewrite this as
$$-d\,h(-d) = \sum_{m=1}^{d} m\left(\frac{m}{d}\right) = \sum_{m=1}^{d} m\,\chi(m).$$
If $M(d)$ is the smallest prime $m$ such that $\chi(m) \neq -1$, then $L(d) = M(d) - f(d)$, $f(d) > 0$.
When $h(-d) = 1$, $f(d) = 1$.
Is there a relationship between $f$ and $h$?

Reasons to Believe the Answer is Yes

The class number is also directly related to the number of primitive binary quadratic forms of a given fundamental discriminant $-d$.
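The rewritten class number formula and the prime $M(d)$ above, evaluated in code, as an added worked example that is not part of the deck: $\chi(m)$ is computed as the Jacobi symbol $(m/d)$, $h(-d)$ from $-d\,h(-d) = \sum m\,\chi(m)$, and $M(d)$ by scanning primes. The last two functions give the bound $L(d) \leq M(d) - 1$ from the earlier theorem (with equality when $h(-d) = 1$, as the slide states) and test the le Lionnais criterion quoted on the next slide, that the first $M(d) - 1$ terms of $(d + n^2)/4$ are prime exactly when $h(-d) = 1$. Function names are my own.

```python
"""Dirichlet's class number formula for d = 3 (mod 8), M(d), and the le Lionnais sequence."""


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0. For square-free d = 3 (mod 8) the map
    m -> (m/d) is the Kronecker character chi(m) = (-d/m) used on the slide."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def class_number(d):
    """h(-d) from -d*h(-d) = sum_{m=1}^{d} m*chi(m); d square-free, d = 3 (mod 8), d > 3."""
    assert d % 8 == 3 and d > 3
    s = sum(m * jacobi(m, d) for m in range(1, d + 1))
    assert s % d == 0  # the sum is always a multiple of -d
    return -s // d


def M(d):
    """Smallest prime m with chi(m) != -1 (never 2, since (2/d) = -1 for d = 3 mod 8)."""
    m = 2
    while jacobi(m, d) == -1:
        m += 1
        while not is_prime(m):
            m += 1
    return m


def L_upper_bound(d):
    """The theorem's bound L(d) <= M(d) - 1; the slide states equality when h(-d) = 1."""
    return M(d) - 1


def le_lionnais_terms(d):
    """The first M(d) - 1 terms (d+1)/4, (d+9)/4, ..., i.e. (d + n^2)/4 for odd n."""
    return [(d + n * n) // 4 for n in range(1, 2 * (M(d) - 1), 2)]


def le_lionnais_holds(d):
    """True when 'all of the first M(d)-1 terms are prime' agrees with 'h(-d) = 1'."""
    return all(is_prime(t) for t in le_lionnais_terms(d)) == (class_number(d) == 1)
```

For $d = 163$ the scan gives $M(163) = 41$ and the forty terms $(163 + n^2)/4$, $n$ odd, are Euler's primes $n^2 + n + 41$, matching $h(-163) = 1$; for $d = 35$, where $h(-35) = 2$, the very first term $(35+1)/4 = 9$ is already composite.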
Any prime which can be represented as $\frac{1}{4}(a^2 + db^2)$ for odd natural numbers $a, b$ can be so represented uniquely.
It seems likely that increasing the class number $h(-d)$ should decrease the probability that a number of the form $\frac{1}{4}(a^2 + db^2)$ is prime, let alone an elliptic prime over $d$.

Theorem (le Lionnais 1983). In the case of the sequence
$$\frac{d+1}{4},\ \frac{d+9}{4},\ \frac{d+25}{4},\ \cdots,\ \frac{d+n^2}{4},$$
the first $M(d) - 1$ terms are prime if and only if $h(-d) = 1$.
As this corresponds to a particular elliptic list, it seems likely that the class number should have some relation to the difference $M(d) - L(d)$.

References

Berndt, Evans, and Williams, Gauss and Jacobi Sums, vol. 21 of Canadian Mathematical Society Series of Monographs and Advanced Texts. Wiley-Interscience, 1998.
Bröker and Stevenhagen, "Constructing elliptic curves of prime order," Contemporary Mathematics, 2007.
Le Lionnais, F. Les nombres remarquables. Paris: Hermann, pp. 88 and 144, 1983.
Silverberg, "Group order formulas for reductions of CM elliptic curves," Contemporary Mathematics, 521 (2010), pp. 107–120.
Silverman and Stange, "Amicable Pairs and Aliquot Cycles for Elliptic Curves," Experimental Mathematics, 20:3 (2011), pp. 329–357.
Washington, Number Theory: Elliptic Curves and Cryptography, vol. 50 of Discrete Mathematics and Its Applications. Chapman & Hall/CRC, 2nd ed., 2008.

Acknowledgments

Funding for this project is provided by the National Science Foundation (DMS 1062857) and by Boise State University.