Generalizations of the Advanced Encryption Standard

Kevin Bombardier, Matthew Cole, Thomas Morrell, Cory Scott
Mentor: Dr. Liljana Babinkostova
2012 REU Symposium in Mathematics

Outline
1 Introduction: Cryptosystems; AES
2 The Round Functions: Descriptions; Parity
3 Results: Multiple Rounds; When are τ and τ_s not a group?; Group generated by τ_s; Our Generalization; Future Work

Cryptosystems
A cryptosystem is an ordered 4-tuple (M, C, K, P) where
M is the message (state) space,
C is the ciphertext space,
K is the key space, and
for each K ∈ K, the mapping P_K : M → C is invertible.
Two types of cryptosystems: public-key and symmetric-key.

The Advanced Encryption Standard
After a lengthy contest [1], the cipher Rijndael was chosen as the Advanced Encryption Standard of the US government in 2001.
Rijndael replaced DES, the Data Encryption Standard, which had become vulnerable to attack.
There are attacks on AES, though none are yet practical [2].
For example [3], key recovery in AES-256 (256 is one of three key sizes) currently has time complexity 2^119.
The security of DES can be augmented by multiple encryptions (Triple-DES).
Would the same technique augment the security of AES?
[1] J. Daemen and V. Rijmen, AES Proposal: Rijndael, 1998.
[2] Bogdanov, Khovratovich, and Rechberger, Biclique Cryptanalysis of the Full AES, 2011.
[3] Bogdanov and Khovratovich, Related-Key Cryptanalysis of the Full AES-192 and AES-256, 2009.

Advanced Encryption Standard Messages
Classical AES is a set of permutations of the finite field $M = GF(2^{128}) \cong GF(2^8)^{4 \times 4}$.
It is often helpful to visualize elements of this field as 4 × 4 matrices with entries consisting of 8 digits in base 2.
We generalize AES to a set of permutations of the field $M = GF(p^r)^{mn}$.

How Does AES Work? [4]
AES consists of several concurrent rounds (“round functions”) of each of four permutations: SubBytes (λ), ShiftRows (π), MixColumns (ρ), and AddRoundKey (σ[k]).
One round is T[k] := σ[k] ◦ ρ ◦ π ◦ λ. Write τ := {T[k] : k ∈ K}.
[4] J. Daemen and V. Rijmen, AES submission document on Rijndael, Version 2, (1999)

SubBytes
[Figure: the S-box maps each cell a_0, …, a_15 of the state to a'_0, …, a'_15.]
SubBytes (λ) is the parallel application of mn ‘S-box’ permutations, each of which permutes one cell of the state matrix.
Each S-box permutes one element x ∈ GF(p^r) into a x^{-1} + b, where a, b ∈ GF(p^r) are fixed.
The S-boxes remove linearity from AES.

ShiftRows
[Figure: the rows of the state a_0, …, a_15 are rotated to give a'_0, …, a'_15.]
In the ShiftRows permutation (π), each cell is moved some number of spots to the left depending on which row it’s in. The length of shift c_i for each row i can vary.

MixColumns
[Figure: each column of the state a_0, …, a_15 is multiplied by C (⊗C) to give a'_0, …, a'_15.]
MixColumns (ρ) multiplies each column by a fixed element C ∈ GF(p^{rm}). This is equivalent to multiplying each column by a matrix.
ShiftRows and MixColumns diffuse the state.

AddRoundKey
[Figure: the state a_0, …, a_15 is added (⊕) cellwise to the round key k_0, …, k_15 to give a'_0, …, a'_15.]
The AddRoundKey permutation (σ[k]) is an addition between the current state and the round key. Each round uses a distinct key.

Parity: Why Does It Matter?
Recall that the security of DES can be augmented by multiple encryptions (Triple-DES).
Would the same technique augment the security of AES?
It definitely would not if AES encryption functions formed a group.
Permutation groups contain either all even permutations, or half even and half odd permutations.
First consider the set of round functions τ. If there are conditions under which τ contains only odd permutations, then τ is not a group under those conditions!
The parity test is inconclusive otherwise.

Approach
We sought the parity of the permutations σ[k], ρ, π, and λ.
Our tool was the following:
Classical Theorem
A permutation is odd if and only if it contains an odd number of even-length cycles.

Parity Results
We obtained the following results:
Theorem
The ShiftRows function π is always an even permutation.
Theorem
The AddRoundKey function σ[k] is an even permutation for all k ∈ K, except in the trivial case r = m = n = 1, p = 2, k = 1.
Theorem
The MixColumns function ρ is an odd permutation if and only if p, n, and (p^{rm} − 1)/|⟨C⟩| are odd.

Parity Results Cont’d
We obtained the following results:
Theorem
The SubBytes function λ is an odd permutation if and only if p, m, and n are odd, and either:
p ≡ 3 (mod 4), r is odd, and (p^r − 1)/|⟨a⟩| is odd, OR
either p ≡ 1 (mod 4) or r is even, and (p^r − 1)/|⟨a⟩| is even.
So T[k] = σ[k] ◦ ρ ◦ π ◦ λ is an odd permutation if and only if λ or ρ is odd, but not both.
Since the parity of T[k] does not depend on k,
Theorem
All permutations in τ = {T[k] : k ∈ K} have the same parity.

Notation
We denote the set of 1-round AES permutations as τ := {T[k] | k ∈ K}.
We denote the group generated by τ as G_τ := ⟨τ⟩.
For any k ∈ K, we denote the generalized s-round AES permutation T_s[k] : GF(p^r)^{mn} → GF(p^r)^{mn} by
T_s[k] := σ[k_{s+1}] ◦ π ◦ λ ◦ (σ[k_i] ◦ ρ ◦ π ◦ λ)^{s−1} ◦ σ[k_1] for 2 ≤ i ≤ s.
We write the set of s-round AES permutations as τ_s := {T_s[k] | k ∈ K}.
We write the group generated by τ_s as G_{τ_s} := ⟨τ_s⟩.

Multiple Rounds
By our parity theorem, for T_s[k] to be an odd permutation, one round function must be both odd and applied an odd number of times.
So for λ, the number of rounds s must be odd.
For ρ, the number of rounds s must be even.

When is s-round AES odd?
Theorem
For p = 2 and rmn > 1, T_s[k] is always even. [a]
[a] In agreement with previous work: R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics, 156 (2008), pp. 3139-3149.
Theorem
When p is odd, T_s[k] has odd parity if and only if:
s is even, and n and (p^{rm} − 1)/|⟨C⟩| are odd, where ρ(x) = Cx, OR
s, m, and n are odd, and either:
p ≡ 3 (mod 4), r is odd, and (p^r − 1)/|⟨a⟩| is odd, OR
either p ≡ 1 (mod 4) or r is even, and (p^r − 1)/|⟨a⟩| is even,
where λ(x) = a x^{-1} + b.

When is τ not a group?
Classical Theorem
Permutation groups contain either all even permutations, or half even and half odd permutations.
Recall that:
τ := {T[k] | k ∈ K}.
τ_s := {T_s[k] | k ∈ K}.
It follows from the above classical theorem that when τ and τ_s contain only odd permutations, then they cannot form groups.
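A worked instance of the parity argument above, added here as an example (it is not code from the presentation). It builds the four round functions of the generalization for a constructed toy instance, p = 3, r = 1, m = 2, n = 3, with MixColumns multiplying each column in GF(9) = GF(3)[x]/(x^2 + 1), the S-box x ↦ 2x^{-1}, shifts (0, 1) and a handful of constructed round keys (all of these are our choices), computes each parity with the cycle test from the Approach slide, and checks the result against the ShiftRows, AddRoundKey, MixColumns and SubBytes theorems and the s-round rule. In this instance ρ is odd and the other three are even, so every T[k] is odd and τ cannot be a group.

```python
"""Parity of the round functions of a toy generalized AES over GF(p)^{m x n}.
Added worked example, not code from the presentation: builds the slides' lambda,
pi, rho, sigma[k] for a small instance, finds each parity with the cycle test and
compares with the slides' theorems.  Our assumptions: r = 1 (cells in GF(p));
MixColumns reads a column as an element of GF(p^m) = GF(p)[x]/(f); S-box(0) = 0."""
from itertools import product

P, M, N = 3, 2, 3   # constructed toy instance: p = 3, m = 2 rows, n = 3 columns
F = [1, 0, 1]       # f(x) = 1 + x^2, irreducible over GF(3), so GF(p^m) = GF(9)
A, B = 2, 0         # S-box x -> A * x^-1 + B
C = [1, 1]          # MixColumns constant 1 + x in GF(9), coefficients low -> high
SHIFTS = [0, 1]     # ShiftRows offsets c_i, one per row
KEYS = [(1, 2, 0, 1, 1, 2), (0, 0, 1, 2, 2, 1), (2, 1, 2, 0, 1, 0), (1, 1, 1, 0, 0, 2)]
STATES = list(product(range(P), repeat=M * N))   # all p^(mn) states, row-major
INDEX = {st: i for i, st in enumerate(STATES)}

def gf_mul(u, v):
    """Multiply two elements of GF(P^M) (coefficient lists) modulo the monic F."""
    prod = [0] * (2 * M - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % P
    for d in range(2 * M - 2, M - 1, -1):        # eliminate the degree-d term via F
        coef = prod[d]
        for k in range(M + 1):
            prod[d - M + k] = (prod[d - M + k] - coef * F[k]) % P
    return prod[:M]

def sbox(x): return (A * (pow(x, P - 2, P) if x else 0) + B) % P   # x^-1 by Fermat; 0 -> 0

def sub_bytes(s):                                # lambda
    return tuple(sbox(x) for x in s)

def shift_rows(s):                               # pi: row i moves left by SHIFTS[i]
    return tuple(s[i * N + (j + SHIFTS[i]) % N] for i in range(M) for j in range(N))

def mix_columns(s):                              # rho: each column times C in GF(p^m)
    out = list(s)
    for j in range(N):
        new = gf_mul([s[i * N + j] for i in range(M)], C)
        for i in range(M):
            out[i * N + j] = new[i]
    return tuple(out)

def add_round_key(s, k):                         # sigma[k]
    return tuple((x + y) % P for x, y in zip(s, k))

def one_round(s, k):                             # T[k] = sigma[k] o rho o pi o lambda
    return add_round_key(mix_columns(shift_rows(sub_bytes(s))), k)

def s_rounds(s, state, keys):
    """T_s[k] as on the slides: key add, s-1 full rounds, then a last round without rho."""
    x = add_round_key(state, keys[0])
    for i in range(1, s):
        x = one_round(x, keys[i])
    return add_round_key(shift_rows(sub_bytes(x)), keys[s])

def is_odd(f):
    """Parity of the permutation f of STATES: odd iff it has an odd number of even-length cycles."""
    image = [INDEX[f(st)] for st in STATES]
    assert len(set(image)) == len(STATES), "f is not a permutation"
    seen, even_cycles = [False] * len(STATES), 0
    for start in range(len(STATES)):
        length, cur = 0, start
        while not seen[cur]:                     # walk the cycle through start
            seen[cur] = True
            cur, length = image[cur], length + 1
        even_cycles += length > 0 and length % 2 == 0
    return even_cycles % 2 == 1

def mult_order(elem, mul, one):                  # order of elem, given product and identity
    cur, k = elem, 1
    while cur != one:
        cur, k = mul(cur, elem), k + 1
    return k

def theorem_rho_odd():
    """Slides: rho is odd iff p, n and (p^{rm} - 1)/|<C>| are odd (r = 1 here)."""
    ord_c = mult_order(C, gf_mul, [1] + [0] * (M - 1))
    return P % 2 == 1 and N % 2 == 1 and ((P ** M - 1) // ord_c) % 2 == 1

def theorem_lambda_odd():
    """Slides' SubBytes theorem with r = 1, so 'r is odd' holds and 'r is even' fails."""
    q = (P - 1) // mult_order(A, lambda u, v: u * v % P, 1)
    return (P % 2 == 1 and M % 2 == 1 and N % 2 == 1
            and ((P % 4 == 3 and q % 2 == 1) or (P % 4 == 1 and q % 2 == 0)))

def round_function_parities(k=KEYS[0]):
    """True = odd, for each round function and for the one-round T[k]."""
    return {"lambda": is_odd(sub_bytes), "pi": is_odd(shift_rows),
            "rho": is_odd(mix_columns), "sigma": is_odd(lambda st: add_round_key(st, k)),
            "T": is_odd(lambda st: one_round(st, k))}

def t_parity_is_key_independent(sample=STATES[::61]):
    """Slides: the parity of T[k] does not depend on k (checked on 12 sample keys)."""
    return len({is_odd(lambda st, k=k: one_round(st, k)) for k in sample}) == 1

def s_round_is_odd(s):
    """T_s[k] applies rho s-1 times, so here (rho odd, the rest even) it is odd iff s is even."""
    return is_odd(lambda st: s_rounds(s, st, KEYS))
```

Since every T[k] in this instance is odd, the composition of any two of them is even and so lies outside τ, which is exactly the non-group conclusion of the slide; for T_s[k] the parity flips with s because only ρ, applied s − 1 times, is odd.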

Motivation
What are the groups generated by τ and τ_s respectively?
Generating a larger group can improve the security of the system, but it does not guarantee it.
The largest group that can be generated by τ and τ_s is S_{p^{rmn}}.
So when does G_τ = S_{p^{rmn}} and G_{τ_s} = S_{p^{rmn}}?

Transitivity
Let G be a permutation group over a set X.
Definition
G is transitive if for all a, b ∈ X, there exists a σ ∈ G such that σ(a) = b.
Lemma
The group generated by 1-round AES functions over GF(p^r)^{mn} is transitive for all p, m, n, r.

Primitivity
Let G be a permutation group over a set X.
Definition
A block under G is a subset B = {b_1, …, b_k} ⊂ X such that for all σ ∈ G, either σ(B) = B or σ(B) ∩ B = ∅.
For any set X, the subsets ∅, X, and every element of X are called trivial blocks.
Definition
G is primitive if G is transitive and there does not exist any nontrivial block of X under G.

Primitivity
Let G be a permutation group over a set X.
Theorem
If G is a primitive group of degree N containing an M-cycle where 2 ≤ M ≤ (N − M)!, then G is the alternating or symmetric group. [a]
[a] D. M. Rodgers, Generating and covering the alternating or symmetric group, Communications in Algebra, 30(1), (2002) pp. 425-435.

Our Generalization
Theorem
When r ≥ 5, mn ≥ 2, and gcd(c_1, …, c_m, n) = 1, G_τ is primitive.
The proof of this theorem is very technical. We omit the details.

Our Generalization
Theorem
Let τ be a set of AES round functions over GF(p^r)^{mn}. If r ≥ 5, mn ≥ 2, and gcd(c_1, …, c_m, n) = 1, then G_τ is A_{p^{rmn}} when τ is a set of even permutations, and S_{p^{rmn}} when τ is a set of odd permutations.

Multiple Rounds
Classical Theorem
For n ≥ 5, the only normal subgroups of S_n are S_n and A_n.
Lemma
G_{τ_s} is a normal subgroup of G_τ.
Theorem
If the group G_τ = A_{p^{rmn}}, then G_{τ_s} = A_{p^{rmn}}. If G_τ = S_{p^{rmn}}, then G_{τ_s} = A_{p^{rmn}} if s is even and G_{τ_s} = S_{p^{rmn}} if s is odd.

Future Work
The group generated by the set of s-round permutations which consider the key-schedule is a subgroup of G_{τ_s}.
What subgroup of S_{p^{rmn}} is this group?
This sort of question is unknown even for classical AES.

Elliptic Reciprocity
Kevin Bombardier, Matthew Cole, Thomas Morrell, Cory Scott
Mentor: Dr. Liljana Babinkostova
2012 REU Symposium in Mathematics

Outline
1 Elliptic Curves: Isomorphism
2 Public Key Cryptography: Known attacks on ECDLP
3 Elliptic Primes
4 Elliptic Reciprocity
5 Lists and Cycles: Elliptic Cycles; Elliptic Lists
6 Future Work
Public Key Cryptography
Elliptic Primes
Elliptic Reciprocity
Lists and Cycles
Future Work
Elliptic Curve Basics
An elliptic or cubic curve is a smooth curve of the form
E : y 2 = x 3 + Ax + B
over some field of characteristic 6= 2 or 3. We specifically consider
curves over finite fields, written E (Fp )
Example of a curve over the reals:

Hasse Interval
When E is considered over a finite field, it has a finite number of points.
The number of points, #E(F_p), always falls within the Hasse interval,
$H_p = [\,p + 1 - 2\sqrt{p},\; p + 1 + 2\sqrt{p}\,]$.
A basic reciprocity law holds: if q ∈ H_p, then p ∈ H_q.

Elliptic Curve Group Law
[Figure: the addition law on an elliptic curve, shown on the slide.]
Theorem
Under the above law, the points on an elliptic curve form an additive group.

Elliptic Curve Field Law?
Question: Can we define a multiplication operation over the points on an elliptic curve?
Theorem
Let E(F_p) be an elliptic curve of prime order q. Then there exists a multiplication operation ∗ such that $(E(F_p), *) \cong (\mathbb{Z}_q^{\times})$ and $(E(F_p), +, *) \cong (\mathbb{Z}_q, +, \times)$.

Cayley Table
Example: y^2 = x^3 + x + 6 (mod 11), α = (2, 7)
(2, 7) (5, 2) (8, 3) (10, 2) (3, 6) (7, 9) (7, 2) (3, 5) (10, 9) (8, 8) (5, 9) (2, 4)
(5, 2) (10, 2) (7, 9) (3, 5) (8, 8) (2, 4) (2, 7) (8, 3) (3, 6) (7, 2) (10, 9) (5, 9)
(8, 3) (7, 9) (10, 9) (2, 4) (5, 2) (3, 6) (3, 5) (5, 9) (2, 7) (10, 2) (7, 2) (8, 8)
(10, 2) (3, 5) (2, 4) (8, 3) (7, 2) (5, 9) (5, 2) (7, 9) (8, 8) (2, 7) (3, 6) (10, 9)
(3, 6) (8, 8) (5, 2) (7, 2) (2, 4) (10, 2) (10, 9) (2, 7) (7, 9) (5, 9) (8, 3) (3, 5)
(7, 9) (2, 4) (3, 6) (5, 9) (10, 2) (8, 8) (8, 3) (10, 9) (5, 2) (3, 5) (2, 7) (7, 2)
(7, 2) (2, 7) (3, 5) (5, 2) (10, 9) (8, 3) (8, 8) (10, 2) (5, 9) (3, 6) (2, 4) (7, 9)
(3, 5) (8, 3) (5, 9) (7, 9) (2, 7) (10, 9) (10, 2) (2, 4) (7, 2) (5, 2) (8, 8) (3, 6)
(10, 9) (3, 6) (2, 7) (8, 8) (7, 9) (5, 2) (5, 9) (7, 2) (8, 3) (2, 4) (3, 5) (10, 2)
(8, 8) (7, 2) (10, 2) (2, 7) (5, 9) (3, 5) (3, 6) (5, 2) (2, 4) (10, 9) (7, 9) (8, 3)
(5, 9) (10, 9) (7, 2) (3, 6) (8, 3) (2, 7) (2, 4) (8, 8) (3, 5) (7, 9) (10, 2) (5, 2)
(2, 4) (5, 9) (8, 8) (10, 9) (3, 5) (7, 2) (7, 9) (3, 6) (10, 2) (8, 3) (5, 2) (2, 7)

Example: y^2 = x^3 + 21x + 11 (mod 41)
[Figure on slide.]

Example: y^2 = x^3 + 35x + 9 (mod 61)
[Figure on slide.]

Public Key Cryptography
Elliptic curves are widely used in public-key cryptography.
Given an elliptic curve E and a point α on that curve, it is easy to calculate kα for any integer k.
Given an elliptic curve E and points α and β on that curve, it is difficult to find some k such that β = kα.
This problem is called the Elliptic Curve Discrete Logarithm Problem (ECDLP), and its one-way computational difficulty gives rise to a method of Diffie-Hellman key exchange.
Elliptic Curves
Public Key Cryptography
Elliptic Primes
Elliptic Reciprocity
Lists and Cycles
Diffie-Hellman1
Alice and Bob want to communicate in secret from an
observer, Eve, over a channel that Eve can read.
They agree on an elliptic curve and a point, α.
Each of them picks a secret integer, k and l, respectively.
Alice sends kα to Bob, and Bob sends lα to Alice.
1
New Directions in Cryptography W. Diffie and M. E. Hellman, IEEE
Transactions on Information Theory, vol. IT-22, Nov. 1976, pp: 644654.
Future Work
Elliptic Curves
Public Key Cryptography
Elliptic Primes
Elliptic Reciprocity
Lists and Cycles
Diffie-Hellman1
Alice and Bob want to communicate in secret from an
observer, Eve, over a channel that Eve can read.
They agree on an elliptic curve and a point, α.
Each of them picks a secret integer, k and l, respectively.
Alice sends kα to Bob, and Bob sends lα to Alice.
Now they each calculate k · lα = l · kα.
1
New Directions in Cryptography W. Diffie and M. E. Hellman, IEEE
Transactions on Information Theory, vol. IT-22, Nov. 1976, pp: 644654.
Future Work
Elliptic Curves
Public Key Cryptography
Elliptic Primes
Elliptic Reciprocity
Lists and Cycles
Future Work
Diffie-Hellman1
Alice and Bob want to communicate in secret from an
observer, Eve, over a channel that Eve can read.
They agree on an elliptic curve and a point, α.
Each of them picks a secret integer, k and l, respectively.
Alice sends kα to Bob, and Bob sends lα to Alice.
Now they each calculate k · lα = l · kα.
With only access to kα, lα, and α, Eve cannot recreate k · lα
without solving the ECDLP. So Alice and Bob have a reliable
shared secret.
1
New Directions in Cryptography W. Diffie and M. E. Hellman, IEEE
Transactions on Information Theory, vol. IT-22, Nov. 1976, pp: 644654.
Attacks on ECDLP
Any generic attack on the integer DLP (one that uses only the group
operation, such as baby-step giant-step, Pollard's rho, or
Pohlig-Hellman) is also useful against the ECDLP. Index-calculus
methods, which exploit the arithmetic of integers rather than the
group law, do not carry over, which is why elliptic-curve groups can
be much smaller than multiplicative groups for the same security.
The Silver-Pohlig-Hellman algorithm² solves the discrete logarithm
quickly when the order of the group is a smooth integer: it reduces
the problem to discrete logarithms in the small prime-order
subgroups and recombines the answers with the Chinese Remainder
Theorem.
Some ways of improving security:
Using curves of prime order
Large key sizes (a large prime group order n, so that the √n
group operations needed by the generic attacks are out of reach)
Attacks also exist for so-called anomalous primes (primes p for
which the curve over F_p has exactly p points; see the definition
below).

² S. Pohlig and M. Hellman, "An Improved Algorithm for Computing
Logarithms over GF(p) and its Cryptographic Significance," IEEE
Transactions on Information Theory, vol. 24 (1978), pp. 106-110.
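The key exchange of the Diffie-Hellman slide and the Pohlig-Hellman reduction of this slide, worked through in one added example that is not code from the talk. The curve is the textbook y² = x³ + x + 1 over F_23, and the base point G = (0, 1) generates a cyclic group of order 28 = 2² · 7 (constructed parameters, chosen smooth on purpose); the secret scalars are likewise made up for illustration. Alice and Bob derive the same point, and Eve, seeing only G, kG and lG, recovers k with a handful of operations in the order-2 and order-7 subgroups instead of a search over all 28 multiples.

```python
"""Toy ECDH plus a Silver-Pohlig-Hellman attack on the toy ECDLP (added
example; parameters constructed for illustration, not the slides' data).
Needs Python 3.8+ for pow(x, -1, m)."""

# Curve y^2 = x^3 + A*x + B over F_P: the textbook curve y^2 = x^3 + x + 1
# over F_23.  G = (0, 1) generates a cyclic group of order 28 = 2^2 * 7,
# chosen smooth on purpose so that Pohlig-Hellman has something to exploit.
P, A, B = 23, 1, 1
G = (0, 1)
INF = None  # point at infinity (group identity)

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def add(p1, p2):
    """Affine chord-and-tangent addition on E(F_P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 == -p1, including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add: k*pt for k >= 0, the 'easy direction' of the ECDLP."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def point_order(pt):
    """Smallest n >= 1 with n*pt = INF, by repeated addition (toy sizes only)."""
    n, cur = 1, pt
    while cur is not INF:
        cur, n = add(cur, pt), n + 1
    return n

def ecdh(k, l):
    """Alice sends kG, Bob sends lG; both derive k*(lG) = l*(kG)."""
    alice_to_bob, bob_to_alice = mul(k, G), mul(l, G)
    return mul(k, bob_to_alice), mul(l, alice_to_bob)

def factor(n):
    """Trial division, {prime: exponent}; n is a toy group order here."""
    f, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            f[q] = f.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def crt(residues, moduli):
    """x = r_i (mod m_i) for pairwise coprime m_i (Garner's incremental form)."""
    x, m_all = 0, 1
    for r, m in zip(residues, moduli):
        x += m_all * (((r - x) * pow(m_all, -1, m)) % m)
        m_all *= m
    return x

def pohlig_hellman(base, target, n):
    """Eve's attack: k with k*base == target, given that base has order n.

    Each prime power p^e dividing n costs only about e*p group operations,
    so a smooth n makes the ECDLP cheap no matter how large n is.
    """
    residues, moduli = [], []
    for p, e in factor(n).items():
        base_p = mul(n // p, base)  # a point of exact order p
        k_q = 0                     # k mod p^j, built one base-p digit at a time
        for j in range(e):
            rem = add(target, neg(mul(k_q, base)))   # target - k_q*base
            rem = mul(n // p ** (j + 1), rem)        # project into <base_p>
            digit = next(d for d in range(p) if mul(d, base_p) == rem)
            k_q += digit * p ** j
        residues.append(k_q)
        moduli.append(p ** e)
    return crt(residues, moduli)

if __name__ == "__main__":
    n = point_order(G)
    k, l = 17, 23  # constructed secret scalars
    s_alice, s_bob = ecdh(k, l)
    print("order of G =", n, "=", factor(n))
    print("shared secret agrees:", s_alice == s_bob, s_alice)
    print("Eve recovers k =", pohlig_hellman(G, mul(k, G), n))
```

The two security measures on the slide map directly onto this code: a prime group order leaves `factor(n)` with a single entry, so the inner search runs over all n multiples and nothing is gained, and a large n then makes that search (or its √n baby-step giant-step / Pollard rho refinement) infeasible.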
Elliptic Primes
Definition
An elliptic pair is an ordered pair of primes (p, q)_d such that there
exists an elliptic curve E/F_p of order q with complex multiplication
(CM) by an order in Q(√−d), where d ≡ 3 (mod 8) is a square-free
positive integer.
Definition
An elliptic prime is a prime which is a member of at least one
elliptic pair.
The Law of Elliptic Reciprocity
If (p, q)_d is an elliptic pair, then so too is (q, p)_d.
Elliptic Lists
Definition
An elliptic list (of length n) is an ordered n-tuple of primes
[p_1, p_2, ..., p_n]_d such that (p_1, p_2)_d, (p_2, p_3)_d, ..., (p_{n−1}, p_n)_d
are all elliptic pairs. An elliptic list is proper if p_1, p_2, ..., p_n are
all distinct.
Example
(73, 67)_3, (67, 79)_3, (79, 97)_3, (97, 103)_3 are all elliptic pairs,
so [73, 67, 79, 97, 103]_3 is a proper elliptic list.
[7, 13, 7]_3 is an elliptic list which is not proper.
Elliptic Cycles
Definition
An elliptic cycle (of length n) is an ordered n-tuple of primes
(p_1, p_2, ..., p_n)_d such that [p_1, p_2, ..., p_n]_d is an elliptic list and
(p_n, p_1)_d is an elliptic pair. An elliptic cycle is proper if
p_1, p_2, ..., p_n are all distinct.
Theorem
The proper elliptic cycle of length n > 2 with the smallest primes is
(274723, 275269, 276319, 276823, 276277, 275227)_3. It is
generated by the curve E : y² = x³ + 15.
Theorem
Let n ≥ 3. No proper elliptic cycle of length n exists, except for
n = 6 over d = 3.
Conjecture
An infinite number of proper elliptic cycles of length 6 exist.
We have the restriction that if (p_1, p_2, p_3, p_4, p_5, p_6)_3 is a proper
elliptic cycle with p_i = a_i² + 3b_i² and a_i ≡ −1 (mod 3), then
a_i ≡ −1 (mod 7) and 7 | b_i for all 1 ≤ i ≤ 6.
Two Results for Elliptic Lists over d = 3
Theorem
Let [p_1, p_2, p_3, p_4, p_5]_3 be a proper elliptic list. Then
p_1 − p_2 = p_5 − p_4.
(For the list [73, 67, 79, 97, 103]_3 above: 73 − 67 = 6 = 103 − 97.)
Theorem
Let [p_1, p_2, p_3, p_4]_3 be a proper elliptic list. If p_1 = a² + 3b² with
a ≡ −1 (mod 3), then p_4 = (−a − 2)² + 3b².
(For [73, 67, 79, 97]_3: 73 = 5² + 3 · 4² with 5 ≡ −1 (mod 3), and
(−5 − 2)² + 3 · 4² = 49 + 48 = 97.)
Corollary
The longest proper elliptic list over d = 3 is of length n = 6. All
proper elliptic lists over d = 3 of length 6 are in fact proper elliptic
cycles.
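As an added example, not code from the talk, the definitions of elliptic pair, list and cycle over d = 3 made checkable, together with the reciprocity law, the anomalous prime 7, the 6-cycle restriction and the two theorems just stated. It assumes, as is standard for j = 0 curves, that the curves over F_p with CM by Q(√−3) are y² = x³ + b and that for a prime p = a² + 3b² (p ≡ 1 mod 3) their six possible group orders are p + 1 − t with t ∈ {±2a, ±(a + 3b), ±(a − 3b)}; for small p that assumption is cross-checked against brute-force point counting. The two lists and the 6-cycle are the slides' own data; the helper names are this example's.

```python
"""Elliptic pairs, lists and cycles over d = 3 (added example, not the
slides' code).  Assumption: the curves over F_p with CM by Q(sqrt(-3)) are
y^2 = x^3 + b, and for a prime p = a^2 + 3b^2 (p = 1 mod 3) their six
possible orders are p + 1 - t, t in {+-2a, +-(a+3b), +-(a-3b)}.  For small p
this is cross-checked below against brute-force point counting."""

from math import isqrt

def is_prime(n):
    return n >= 2 and all(n % q for q in range(2, isqrt(n) + 1))

def represent(p):
    """The (a, b) with a, b > 0 and p = a^2 + 3 b^2 (unique for a prime p = 1 mod 3)."""
    for b in range(1, isqrt(p // 3) + 1):
        a = isqrt(p - 3 * b * b)
        if a * a == p - 3 * b * b:
            return a, b
    raise ValueError(f"{p} is not of the form a^2 + 3b^2")

def candidate_orders(p):
    """Possible #E(F_p) for y^2 = x^3 + b, b != 0, over F_p with p > 3 prime."""
    if p % 3 == 2:            # supersingular: every such curve has p + 1 points
        return {p + 1}
    a, b = represent(p)
    traces = {2 * a, a + 3 * b, a - 3 * b}
    return {p + 1 - t for t in traces} | {p + 1 + t for t in traces}

def count_points(p, b):
    """Brute-force #E(F_p) for y^2 = x^3 + b via the Legendre symbol (small p only)."""
    total = 1                 # the point at infinity
    for x in range(p):
        v = (x * x * x + b) % p
        if v == 0:
            total += 1
        elif pow(v, (p - 1) // 2, p) == 1:
            total += 2
    return total

def is_elliptic_pair(p, q):
    """(p, q)_3: p, q prime and some CM curve over F_p has exactly q points."""
    return p > 3 and is_prime(p) and is_prime(q) and q in candidate_orders(p)

def is_elliptic_list(primes):
    return all(is_elliptic_pair(p, q) for p, q in zip(primes, primes[1:]))

def is_elliptic_cycle(primes):
    return is_elliptic_list(primes) and is_elliptic_pair(primes[-1], primes[0])

def is_proper(primes):
    return len(set(primes)) == len(primes)

def normalized_rep(p):
    """(a, b) with p = a^2 + 3b^2, b > 0, and the sign of a chosen so a = -1 (mod 3)."""
    a, b = represent(p)
    return (a if a % 3 == 2 else -a), b

def predicted_p4(p1):
    """Slide theorem for a proper list [p1, p2, p3, p4]_3: p4 = (-a - 2)^2 + 3 b^2."""
    a, b = normalized_rep(p1)
    return (-a - 2) ** 2 + 3 * b * b

def cycle_restriction_holds(primes):
    """Slide restriction on proper 6-cycles over d = 3: a_i = -1 (mod 7) and 7 | b_i."""
    return all(a % 7 == 6 and b % 7 == 0 for a, b in map(normalized_rep, primes))

# Data quoted from the slides.
LIST_5 = [73, 67, 79, 97, 103]
LIST_NOT_PROPER = [7, 13, 7]
CYCLE_6 = [274723, 275269, 276319, 276823, 276277, 275227]

if __name__ == "__main__":
    print("proper 5-list:", is_elliptic_list(LIST_5) and is_proper(LIST_5))
    print("proper 6-cycle:", is_elliptic_cycle(CYCLE_6) and is_proper(CYCLE_6))
    print("7 anomalous over d = 3:", is_elliptic_pair(7, 7))
    for p in (7, 73, 103):
        print(p, candidate_orders(p) == {count_points(p, b) for b in range(1, p)})
```

Because `candidate_orders` needs only the representation p = a² + 3b², it scales to the six-digit primes of the cycle, where enumerating points would not; the brute-force `count_points` is kept only to confirm, for p = 7, 73 and 103, that the six trace values really are the orders realised by the curves y² = x³ + b.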
Results for Elliptic Lists over d ≠ 3
Definition
Define L(d) = max{ n : [p_1, p_2, ..., p_n]_d is a proper elliptic list }.
Theorem
If d = 3, then L(d) = 6. Otherwise, let m be the smallest prime
such that
$$\left(\frac{-d}{m}\right) \neq -1.$$
Then L(d) ≤ m − 1.
Future Work
We have seen that we can extend the group law into a ring
law by defining multiplication on an elliptic curve. Is there an
efficient way to compute this?
For any given d, are there infinitely many elliptic primes? If
so, what is their distribution?
Can we use the properties of elliptic pairs to generate elliptic
curves of prime order more efficiently?
How is the function L(d) related to the class number h(−d)?
Is L(d) unbounded as d → ∞?
Are there infinitely many proper elliptic 6-cycles over d = 3?
An Infinitude of Elliptic Primes?
The Bouniakowsky Conjecture for quadratic polynomials would
imply that for all positive integers d ≡ 3 (mod 8), there exist an
infinite number of anomalous primes (primes p such that (p, p)_d is
an elliptic pair, i.e. the curve over F_p has exactly p points), and
thus elliptic primes. These primes aren't especially useful for
cryptographic applications, however: the ECDLP on an anomalous
curve can be solved in polynomial time.
Do there exist other sequences which generate an infinite
number of elliptic primes?
$$a_1 = 7, \qquad a_n = \prod_{k<n} a_k + 6,$$
so a_1, a_2, a_3, a_4, ... = 7, 13, 97, 8833 = 11² · 73, ...
So far, every term in this (pairwise coprime) sequence seems to
have a factor which is an elliptic prime over d = 3.
The class number and L(d)
Dirichlet (1839) proved that the class number is
$$h(-d) = \frac{1}{-d}\sum_{m=1}^{d} m\left(\frac{-d}{m}\right)$$
for d > 0, d ≠ 1, 3 (with −d a fundamental discriminant, as it is
for square-free d ≡ 3 (mod 4)). Because we only care about d ≡ 3 (mod 8),
for which quadratic reciprocity gives (−d/m) = (m/d) for every m ≥ 1,
we can rewrite this as
$$-d\,h(-d) = \sum_{m=1}^{d} m\left(\frac{m}{d}\right) = \sum_{m=1}^{d} m\,\chi(m).$$
If M(d) is the smallest prime m such that χ(m) ≠ −1, then
L(d) = M(d) − f(d), f(d) > 0. When h(−d) = 1, f(d) = 1.
Is there a relationship between f and h?
Reasons to Believe the Answer is Yes
The class number h(−d) is also the number of equivalence classes of
primitive positive-definite binary quadratic forms of fundamental
discriminant −d.
Any prime which can be represented as ¼(a² + d b²) for odd
natural numbers a, b can be so represented uniquely.
It seems likely that increasing the class number h(−d)
should decrease the probability that a number of the
form ¼(a² + d b²) is prime, let alone an elliptic prime over
d.
Theorem
(le Lionnais 1983) In the case of the sequence
$$\frac{d+1}{4},\ \frac{d+9}{4},\ \frac{d+25}{4},\ \cdots,\ \frac{d+n^2}{4},\ \cdots \qquad (n \text{ odd}),$$
the first M(d) − 1 terms are prime if and only if h(−d) = 1.
As this corresponds to a particular elliptic list, it seems likely that
class number should have some relation to the difference
M(d) − L(d).
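As an added example, not code from the talk: Dirichlet's sum, M(d) and the le Lionnais criterion computed directly, so the claim that h(−d) = 1 exactly when the first M(d) − 1 terms are prime can be checked for the values d = 11, 19, 43, 67, 163 with class number one and for some d with h(−d) > 1. It assumes d > 3 is square-free with d ≡ 3 (mod 4), so that −d is a fundamental discriminant and the sum really equals h(−d); the Kronecker-symbol routine and the other helper names are this example's own.

```python
"""Dirichlet's class-number sum, M(d) and the le Lionnais prime-sequence
test from the slides, made computable.  Added example, not the slides' code;
assumes d > 3 square-free with d = 3 (mod 4), so -d is a fundamental
discriminant and the formula below (with w = 2 roots of unity) applies."""

from math import isqrt

def kronecker(a, n):
    """Kronecker symbol (a/n) for n >= 1: Jacobi symbol plus the rule for n = 2."""
    result = 1
    while n % 2 == 0:   # (a/2) = 0 for even a, +1 for a = +-1 (mod 8), -1 for a = +-3 (mod 8)
        n //= 2
        if a % 2 == 0:
            return 0
        if a % 8 in (3, 5):
            result = -result
    a %= n
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a     # quadratic reciprocity for odd coprime arguments
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_prime(n):
    return n >= 2 and all(n % q for q in range(2, isqrt(n) + 1))

def is_squarefree(n):
    return all(n % (q * q) for q in range(2, isqrt(n) + 1))

def class_number(d):
    """h(-d) = -(1/d) * sum_{m=1}^{d} m * (-d/m)   (Dirichlet, 1839)."""
    if d <= 3 or d % 4 != 3 or not is_squarefree(d):
        raise ValueError("need square-free d > 3 with d = 3 (mod 4)")
    total = sum(m * kronecker(-d, m) for m in range(1, d + 1))
    assert total % d == 0, "the sum is always a multiple of d for such d"
    return -total // d

def M(d):
    """Smallest prime m with (-d/m) != -1, i.e. the first prime not inert in Q(sqrt(-d))."""
    m = 2
    while kronecker(-d, m) == -1:
        m += 1
        while not is_prime(m):
            m += 1
    return m

def le_lionnais_terms(d):
    """(d + n^2)/4 for odd n = 1, 3, ...: the first M(d) - 1 terms of the slide's sequence."""
    return [(d + n * n) // 4 for n in range(1, 2 * M(d) - 2, 2)]

def first_terms_prime(d):
    """The slide's criterion: these terms are all prime iff h(-d) = 1."""
    return all(is_prime(t) for t in le_lionnais_terms(d))

if __name__ == "__main__":
    for d in (11, 19, 35, 43, 59, 67, 163):
        print(d, "h =", class_number(d), "M =", M(d), "terms prime:", first_terms_prime(d))
```

For d = 163 the terms are k² + k + 41 for k = 0, ..., 39, Euler's prime-generating polynomial, and M(163) = 41 is the first prime that splits in Q(√−163); for d = 35 or 59 the very first or second term is composite and the class number is indeed larger than one.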
References
Berndt, Evans, and Williams, Gauss and Jacobi Sums, vol. 21
of Canadian Mathematical Society Series of Monographs and
Advanced Texts. Wiley-Interscience, 1998.
Bröker and Stevenhagen, "Constructing elliptic curves of
prime order," Contemporary Mathematics, 2007.
Le Lionnais, F., Les nombres remarquables. Paris: Hermann,
pp. 88 and 144, 1983.
Silverberg, "Group order formulas for reductions of CM elliptic
curves," Contemporary Mathematics, 521 (2010), pp. 107-120.
Silverman and Stange, "Amicable Pairs and Aliquot Cycles for
Elliptic Curves," Experimental Mathematics, 20:3 (2011), pp. 329-357.
Washington, Number Theory: Elliptic Curves and
Cryptography, vol. 50 of Discrete Mathematics and Its
Applications. Chapman & Hall/CRC, 2nd ed., 2008.
Acknowledgments
Funding for this project is provided by the National Science
Foundation (DMS 1062857) and by Boise State University.