public-key cryptography theory and practice · 2010-11-22 · integer arithmetic arithmetic in...
TRANSCRIPT
![Page 1: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/1.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Public-key CryptographyTheory and Practice
Abhijit Das
Department of Computer Science and EngineeringIndian Institute of Technology Kharagpur
Chapter 3: Algebraic and Number-theoreticComputations
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 2: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/2.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Integer Arithmetic
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 3: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/3.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Integer Arithmetic
In cryptography, we deal with very large integers with fullprecision.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 4: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/4.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Integer Arithmetic
In cryptography, we deal with very large integers with fullprecision.
Standard data types in programming languages cannothandle big integers.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 5: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/5.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Integer Arithmetic
In cryptography, we deal with very large integers with fullprecision.
Standard data types in programming languages cannothandle big integers.
Special data types (like arrays of integers) are needed.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 6: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/6.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Integer Arithmetic
In cryptography, we deal with very large integers with fullprecision.
Standard data types in programming languages cannothandle big integers.
Special data types (like arrays of integers) are needed.
The arithmetic routines on these specific data types haveto be implemented.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 7: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/7.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Integer Arithmetic
In cryptography, we deal with very large integers with fullprecision.
Standard data types in programming languages cannothandle big integers.
Special data types (like arrays of integers) are needed.
The arithmetic routines on these specific data types haveto be implemented.
One may use an available library (like GMP).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 8: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/8.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Integer Arithmetic
In cryptography, we deal with very large integers with fullprecision.
Standard data types in programming languages cannothandle big integers.
Special data types (like arrays of integers) are needed.
The arithmetic routines on these specific data types haveto be implemented.
One may use an available library (like GMP).
Size of an integer n is O(log |n|).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 9: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/9.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Basic Integer Operations
Let a, b be two integer operands.
High-school algorithms
Operation Running timea + b O(max(log a, log b))a − b O(max(log a, log b))
ab O((log a)(log b))
a2 O(log2 a)(a quotb) and/or (a remb) O((log a)(log b))
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 10: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/10.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Basic Integer Operations
Let a, b be two integer operands.
High-school algorithms
Operation Running timea + b O(max(log a, log b))a − b O(max(log a, log b))
ab O((log a)(log b))
a2 O(log2 a)(a quotb) and/or (a remb) O((log a)(log b))
Fast multiplication: Assume a, b are of the same size s.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 11: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/11.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Basic Integer Operations
Let a, b be two integer operands.
High-school algorithms
Operation Running timea + b O(max(log a, log b))a − b O(max(log a, log b))
ab O((log a)(log b))
a2 O(log2 a)(a quotb) and/or (a remb) O((log a)(log b))
Fast multiplication: Assume a, b are of the same size s.
Karatsuba multiplication: O(s1.585)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 12: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/12.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Basic Integer Operations
Let a, b be two integer operands.
High-school algorithms
Operation Running timea + b O(max(log a, log b))a − b O(max(log a, log b))
ab O((log a)(log b))
a2 O(log2 a)(a quotb) and/or (a remb) O((log a)(log b))
Fast multiplication: Assume a, b are of the same size s.
Karatsuba multiplication: O(s1.585)
FFT multiplication: O(s log s)[not frequently used in cryptography]
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 13: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/13.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 14: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/14.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 15: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/15.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
gcd(a, b) = 2min(α,β) gcd(a′, b′).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 16: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/16.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
gcd(a, b) = 2min(α,β) gcd(a′, b′).
Assume that both a, b are odd and a > b.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 17: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/17.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
gcd(a, b) = 2min(α,β) gcd(a′, b′).
Assume that both a, b are odd and a > b.
gcd(a, b) = gcd(a − b, b).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 18: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/18.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
gcd(a, b) = 2min(α,β) gcd(a′, b′).
Assume that both a, b are odd and a > b.
gcd(a, b) = gcd(a − b, b).
Write a − b = 2γc with γ > 1 and c odd.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 19: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/19.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
gcd(a, b) = 2min(α,β) gcd(a′, b′).
Assume that both a, b are odd and a > b.
gcd(a, b) = gcd(a − b, b).
Write a − b = 2γc with γ > 1 and c odd.
Then, gcd(a, b) = gcd(c, b).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 20: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/20.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
gcd(a, b) = 2min(α,β) gcd(a′, b′).
Assume that both a, b are odd and a > b.
gcd(a, b) = gcd(a − b, b).
Write a − b = 2γc with γ > 1 and c odd.
Then, gcd(a, b) = gcd(c, b).
Repeat until one operand reduces to 0.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 21: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/21.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
gcd(a, b) = 2min(α,β) gcd(a′, b′).
Assume that both a, b are odd and a > b.
gcd(a, b) = gcd(a − b, b).
Write a − b = 2γc with γ > 1 and c odd.
Then, gcd(a, b) = gcd(c, b).
Repeat until one operand reduces to 0.
Running time of Euclidean gcd: O(max(log a, log b)3).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 22: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/22.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Binary GCD
To compute the GCD of two positive integers a and b.
Write a = 2αa′ and b = 2βb′ with a′, b′ odd.
gcd(a, b) = 2min(α,β) gcd(a′, b′).
Assume that both a, b are odd and a > b.
gcd(a, b) = gcd(a − b, b).
Write a − b = 2γc with γ > 1 and c odd.
Then, gcd(a, b) = gcd(c, b).
Repeat until one operand reduces to 0.
Running time of Euclidean gcd: O(max(log a, log b)3).
Running time of binary gcd: O(max(log a, log b)2).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 23: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/23.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 24: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/24.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Define three sequences ri , ui , vi .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 25: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/25.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Define three sequences ri , ui , vi .
Initialize:[
r0 = a, u0 = 1, v0 = 0,r1 = b, u1 = 0, v1 = 1.
]
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 26: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/26.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Define three sequences ri , ui , vi .
Initialize:[
r0 = a, u0 = 1, v0 = 0,r1 = b, u1 = 0, v1 = 1.
]
Iteration: For i = 2, 3, 4, . . ., do the following:
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 27: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/27.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Define three sequences ri , ui , vi .
Initialize:[
r0 = a, u0 = 1, v0 = 0,r1 = b, u1 = 0, v1 = 1.
]
Iteration: For i = 2, 3, 4, . . ., do the following:
Compute the quotient qi = ri−2 quotri−1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 28: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/28.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Define three sequences ri , ui , vi .
Initialize:[
r0 = a, u0 = 1, v0 = 0,r1 = b, u1 = 0, v1 = 1.
]
Iteration: For i = 2, 3, 4, . . ., do the following:
Compute the quotient qi = ri−2 quotri−1.
Compute ri = ri−2 − qi ri−1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 29: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/29.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Define three sequences ri , ui , vi .
Initialize:[
r0 = a, u0 = 1, v0 = 0,r1 = b, u1 = 0, v1 = 1.
]
Iteration: For i = 2, 3, 4, . . ., do the following:
Compute the quotient qi = ri−2 quotri−1.
Compute ri = ri−2 − qi ri−1.
Compute ui = ui−2 − qiui−1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 30: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/30.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Define three sequences ri , ui , vi .
Initialize:[
r0 = a, u0 = 1, v0 = 0,r1 = b, u1 = 0, v1 = 1.
]
Iteration: For i = 2, 3, 4, . . ., do the following:
Compute the quotient qi = ri−2 quotri−1.
Compute ri = ri−2 − qi ri−1.
Compute ui = ui−2 − qiui−1.
Compute vi = vi−2 − qivi−1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 31: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/31.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD
To compute the GCD of two positive integers a and b.
Define three sequences ri , ui , vi .
Initialize:[
r0 = a, u0 = 1, v0 = 0,r1 = b, u1 = 0, v1 = 1.
]
Iteration: For i = 2, 3, 4, . . ., do the following:
Compute the quotient qi = ri−2 quotri−1.
Compute ri = ri−2 − qi ri−1.
Compute ui = ui−2 − qiui−1.
Compute vi = vi−2 − qivi−1.
Break if ri = 0.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 32: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/32.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (contd.)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 33: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/33.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (contd.)
We maintain the invariance uia + vib = ri for all i .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 34: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/34.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (contd.)
We maintain the invariance uia + vib = ri for all i .
Suppose the loop terminates for i = j (that is, rj = 0).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 35: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/35.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (contd.)
We maintain the invariance uia + vib = ri for all i .
Suppose the loop terminates for i = j (that is, rj = 0).
gcd(a, b) = rj−1 = uj−1a + vj−1b.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 36: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/36.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (contd.)
We maintain the invariance uia + vib = ri for all i .
Suppose the loop terminates for i = j (that is, rj = 0).
gcd(a, b) = rj−1 = uj−1a + vj−1b.
One needs to remember the r , u, v values only from thetwo previous iterations.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 37: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/37.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (contd.)
We maintain the invariance uia + vib = ri for all i .
Suppose the loop terminates for i = j (that is, rj = 0).
gcd(a, b) = rj−1 = uj−1a + vj−1b.
One needs to remember the r , u, v values only from thetwo previous iterations.
One can compute only the r and u sequences in the loop.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 38: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/38.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (contd.)
We maintain the invariance uia + vib = ri for all i .
Suppose the loop terminates for i = j (that is, rj = 0).
gcd(a, b) = rj−1 = uj−1a + vj−1b.
One needs to remember the r , u, v values only from thetwo previous iterations.
One can compute only the r and u sequences in the loop.
One gets vj−1 = (rj−1 − uj−1a)/b.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 39: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/39.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (contd.)
We maintain the invariance uia + vib = ri for all i .
Suppose the loop terminates for i = j (that is, rj = 0).
gcd(a, b) = rj−1 = uj−1a + vj−1b.
One needs to remember the r , u, v values only from thetwo previous iterations.
One can compute only the r and u sequences in the loop.
One gets vj−1 = (rj−1 − uj−1a)/b.
The binary gcd algorithm can be similarly modified so as tocompute the u and v sequences maintaining the invariantuia + vib = ri for all i .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 40: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/40.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (Example)
To compute gcd(78, 21) = 78u + 21v .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 41: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/41.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (Example)
To compute gcd(78, 21) = 78u + 21v .
i qi ri ui vi uia + vib0 − 78 1 0 781 − 21 0 1 21
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 42: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/42.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (Example)
To compute gcd(78, 21) = 78u + 21v .
i qi ri ui vi uia + vib0 − 78 1 0 781 − 21 0 1 212 3 15 1 −3 15
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 43: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/43.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (Example)
To compute gcd(78, 21) = 78u + 21v .
i qi ri ui vi uia + vib0 − 78 1 0 781 − 21 0 1 212 3 15 1 −3 153 1 6 −1 4 6
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 44: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/44.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (Example)
To compute gcd(78, 21) = 78u + 21v .
i qi ri ui vi uia + vib0 − 78 1 0 781 − 21 0 1 212 3 15 1 −3 153 1 6 −1 4 64 2 3 3 −11 3
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 45: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/45.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (Example)
To compute gcd(78, 21) = 78u + 21v .
i qi ri ui vi uia + vib0 − 78 1 0 781 − 21 0 1 212 3 15 1 −3 153 1 6 −1 4 64 2 3 3 −11 35 2 0 −7 26 0
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 46: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/46.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Extended Euclidean GCD (Example)
To compute gcd(78, 21) = 78u + 21v .
i qi ri ui vi uia + vib0 − 78 1 0 781 − 21 0 1 212 3 15 1 −3 153 1 6 −1 4 64 2 3 3 −11 35 2 0 −7 26 0
Thus, gcd(78, 21) = 3 = 3 × 78 + (−11) × 21.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 47: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/47.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Integer Arithmetic
Let n ∈ N. Define Zn = {0, 1, 2, . . . , n − 1}.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 48: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/48.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Integer Arithmetic
Let n ∈ N. Define Zn = {0, 1, 2, . . . , n − 1}.
Addition: a + b (modn) =
{
a + b if a + b < n
a + b − n if a + b > n
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 49: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/49.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Integer Arithmetic
Let n ∈ N. Define Zn = {0, 1, 2, . . . , n − 1}.
Addition: a + b (modn) =
{
a + b if a + b < n
a + b − n if a + b > n
Subtraction: a − b (modn) =
{
a − b if a > b
a − b + n if a < b
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 50: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/50.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Integer Arithmetic
Let n ∈ N. Define Zn = {0, 1, 2, . . . , n − 1}.
Addition: a + b (modn) =
{
a + b if a + b < n
a + b − n if a + b > n
Subtraction: a − b (modn) =
{
a − b if a > b
a − b + n if a < b
Multiplication: ab (modn) = (ab) remn.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 51: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/51.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Integer Arithmetic
Let n ∈ N. Define Zn = {0, 1, 2, . . . , n − 1}.
Addition: a + b (modn) =
{
a + b if a + b < n
a + b − n if a + b > n
Subtraction: a − b (modn) =
{
a − b if a > b
a − b + n if a < b
Multiplication: ab (modn) = (ab) remn.
Inverse: a ∈ Z∗
n is invertible if and only if gcd(a, n) = 1.But then 1 = ua + vn for some integers u, v .Take a−1 ≡ u (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 52: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/52.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Example of Modular Arithmetic
Take n = 257, a = 127, b = 217.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 53: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/53.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Example of Modular Arithmetic
Take n = 257, a = 127, b = 217.
Addition: a + b = 344 > 257, soa + b ≡ 344 − 257 ≡ 87 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 54: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/54.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Example of Modular Arithmetic
Take n = 257, a = 127, b = 217.
Addition: a + b = 344 > 257, soa + b ≡ 344 − 257 ≡ 87 (modn).
Subtraction: a − b = −90 < 0, soa − b ≡ −90 + 257 ≡ 167 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 55: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/55.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Example of Modular Arithmetic
Take n = 257, a = 127, b = 217.
Addition: a + b = 344 > 257, soa + b ≡ 344 − 257 ≡ 87 (modn).
Subtraction: a − b = −90 < 0, soa − b ≡ −90 + 257 ≡ 167 (modn).
Multiplication:ab ≡ (127 × 217) rem257 ≡ 27559 rem257 ≡ 60 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 56: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/56.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Example of Modular Arithmetic
Take n = 257, a = 127, b = 217.
Addition: a + b = 344 > 257, soa + b ≡ 344 − 257 ≡ 87 (modn).
Subtraction: a − b = −90 < 0, soa − b ≡ −90 + 257 ≡ 167 (modn).
Multiplication:ab ≡ (127 × 217) rem257 ≡ 27559 rem257 ≡ 60 (modn).
Inverse: gcd(b, n) = 1 = (−45)b + 38n, sob−1 ≡ −45 + 257 ≡ 212 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 57: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/57.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Example of Modular Arithmetic
Take n = 257, a = 127, b = 217.
Addition: a + b = 344 > 257, soa + b ≡ 344 − 257 ≡ 87 (modn).
Subtraction: a − b = −90 < 0, soa − b ≡ −90 + 257 ≡ 167 (modn).
Multiplication:ab ≡ (127 × 217) rem257 ≡ 27559 rem257 ≡ 60 (modn).
Inverse: gcd(b, n) = 1 = (−45)b + 38n, sob−1 ≡ −45 + 257 ≡ 212 (modn).
Division:a/b ≡ ab−1 ≡ (127 × 212) rem257 ≡ 196 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 58: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/58.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 59: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/59.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 60: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/60.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Compute a, a2, a3, . . . , ae successively by multiplying with amodulo n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 61: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/61.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Compute a, a2, a3, . . . , ae successively by multiplying with amodulo n.
Example: n = 257, a = 127, e = 217.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 62: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/62.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Compute a, a2, a3, . . . , ae successively by multiplying with amodulo n.
Example: n = 257, a = 127, e = 217.
a2 ≡ a × a ≡ 195 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 63: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/63.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Compute a, a2, a3, . . . , ae successively by multiplying with amodulo n.
Example: n = 257, a = 127, e = 217.
a2 ≡ a × a ≡ 195 (modn),
a3 ≡ a2 × a ≡ 195 × 127 ≡ 93 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 64: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/64.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Compute a, a2, a3, . . . , ae successively by multiplying with amodulo n.
Example: n = 257, a = 127, e = 217.
a2 ≡ a × a ≡ 195 (modn),
a3 ≡ a2 × a ≡ 195 × 127 ≡ 93 (modn),
a4 ≡ a3 × a ≡ 93 × 127 ≡ 246 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 65: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/65.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Compute a, a2, a3, . . . , ae successively by multiplying with amodulo n.
Example: n = 257, a = 127, e = 217.
a2 ≡ a × a ≡ 195 (modn),
a3 ≡ a2 × a ≡ 195 × 127 ≡ 93 (modn),
a4 ≡ a3 × a ≡ 93 × 127 ≡ 246 (modn),
· · ·
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 66: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/66.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Compute a, a2, a3, . . . , ae successively by multiplying with amodulo n.
Example: n = 257, a = 127, e = 217.
a2 ≡ a × a ≡ 195 (modn),
a3 ≡ a2 × a ≡ 195 × 127 ≡ 93 (modn),
a4 ≡ a3 × a ≡ 93 × 127 ≡ 246 (modn),
· · ·a216 ≡ a215 × a ≡ 131 × 127 ≡ 189 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 67: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/67.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Modular Exponentiation: Slow Algorithm
Let n ∈ N, a ∈ Zn and e ∈ N0. To compute ae (modn).
Compute a, a2, a3, . . . , ae successively by multiplying with amodulo n.
Example: n = 257, a = 127, e = 217.
a2 ≡ a × a ≡ 195 (modn),
a3 ≡ a2 × a ≡ 195 × 127 ≡ 93 (modn),
a4 ≡ a3 × a ≡ 93 × 127 ≡ 246 (modn),
· · ·a216 ≡ a215 × a ≡ 131 × 127 ≡ 189 (modn),
a217 ≡ a216 × a ≡ 189 × 127 ≡ 102 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 68: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/68.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation
To compute ae (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 69: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/69.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 70: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/70.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
ae ≡(
a2l−1)el−1
(
a2l−2)el−2 · · ·
(
a21)e1
(
a20)e0
(modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 71: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/71.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
ae ≡(
a2l−1)el−1
(
a2l−2)el−2 · · ·
(
a21)e1
(
a20)e0
(modn).
Compute a, a2, a22, a23
, . . . , a2l−1and multiply those a2i
modulo n for which ei = 1. Also for i > 1, we have
a2i ≡(
a2i−1)2
(modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 72: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/72.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 73: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/73.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 74: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/74.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
a2 ≡ 195 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 75: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/75.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
a2 ≡ 195 (modn), a22 ≡ (195)2 ≡ 246 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 76: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/76.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
a2 ≡ 195 (modn), a22 ≡ (195)2 ≡ 246 (modn),a23 ≡ (246)2 ≡ 121 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 77: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/77.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
a2 ≡ 195 (modn), a22 ≡ (195)2 ≡ 246 (modn),a23 ≡ (246)2 ≡ 121 (modn), a24 ≡ (121)2 ≡ 249 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 78: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/78.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
a2 ≡ 195 (modn), a22 ≡ (195)2 ≡ 246 (modn),a23 ≡ (246)2 ≡ 121 (modn), a24 ≡ (121)2 ≡ 249 (modn),a25 ≡ (249)2 ≡ 64 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 79: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/79.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
a2 ≡ 195 (modn), a22 ≡ (195)2 ≡ 246 (modn),a23 ≡ (246)2 ≡ 121 (modn), a24 ≡ (121)2 ≡ 249 (modn),a25 ≡ (249)2 ≡ 64 (modn), a26 ≡ (64)2 ≡ 241 (modn) and
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 80: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/80.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
a2 ≡ 195 (modn), a22 ≡ (195)2 ≡ 246 (modn),a23 ≡ (246)2 ≡ 121 (modn), a24 ≡ (121)2 ≡ 249 (modn),a25 ≡ (249)2 ≡ 64 (modn), a26 ≡ (64)2 ≡ 241 (modn) anda27 ≡ (241)2 ≡ 256 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 81: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/81.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Right-to-left Modular Exponentiation (Example)
Take n = 257, a = 127, e = 217.
e = (11011001)2 = 27 + 26 + 24 + 23 + 20. Soae ≡ a27
a26a24
a23a20
(modn).
a2 ≡ 195 (modn), a22 ≡ (195)2 ≡ 246 (modn),a23 ≡ (246)2 ≡ 121 (modn), a24 ≡ (121)2 ≡ 249 (modn),a25 ≡ (249)2 ≡ 64 (modn), a26 ≡ (64)2 ≡ 241 (modn) anda27 ≡ (241)2 ≡ 256 (modn).
ae ≡ 256 × 241 × 249 × 121 × 127 ≡ 102 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 82: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/82.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 83: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/83.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 84: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/84.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Define ǫi = (el−1el−2 . . . ei)2 for i = l , l − 1, l − 2, . . . , 0.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 85: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/85.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Define ǫi = (el−1el−2 . . . ei)2 for i = l , l − 1, l − 2, . . . , 0.
ǫl = 0, and ǫi = 2ǫi+1 + ei for i < l .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 86: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/86.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Define ǫi = (el−1el−2 . . . ei)2 for i = l , l − 1, l − 2, . . . , 0.
ǫl = 0, and ǫi = 2ǫi+1 + ei for i < l .
aǫl ≡ 1 (modn) and aǫi ≡ (aǫi+1)2 × aei (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 87: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/87.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Define ǫi = (el−1el−2 . . . ei)2 for i = l , l − 1, l − 2, . . . , 0.
ǫl = 0, and ǫi = 2ǫi+1 + ei for i < l .
aǫl ≡ 1 (modn) and aǫi ≡ (aǫi+1)2 × aei (modn).
Finally, ǫ0 = e, so output aǫ0 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 88: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/88.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Define ǫi = (el−1el−2 . . . ei)2 for i = l , l − 1, l − 2, . . . , 0.
ǫl = 0, and ǫi = 2ǫi+1 + ei for i < l .
aǫl ≡ 1 (modn) and aǫi ≡ (aǫi+1)2 × aei (modn).
Finally, ǫ0 = e, so output aǫ0 (modn).
Initialize product to 1 (corresponds to i = l).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 89: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/89.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Define ǫi = (el−1el−2 . . . ei)2 for i = l , l − 1, l − 2, . . . , 0.
ǫl = 0, and ǫi = 2ǫi+1 + ei for i < l .
aǫl ≡ 1 (modn) and aǫi ≡ (aǫi+1)2 × aei (modn).
Finally, ǫ0 = e, so output aǫ0 (modn).
Initialize product to 1 (corresponds to i = l).
For i = l − 1, l − 2, . . . , 1, 0, square product .If ei = 1, then multiply product by a.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 90: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/90.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation
To compute ae (modn).
Binary representation: e = (el−1el−2 . . . e1e0)2 =el−12l−1 + el−22l−2 + · · · + e121 + e020.
Define ǫi = (el−1el−2 . . . ei)2 for i = l , l − 1, l − 2, . . . , 0.
ǫl = 0, and ǫi = 2ǫi+1 + ei for i < l .
aǫl ≡ 1 (modn) and aǫi ≡ (aǫi+1)2 × aei (modn).
Finally, ǫ0 = e, so output aǫ0 (modn).
Initialize product to 1 (corresponds to i = l).
For i = l − 1, l − 2, . . . , 1, 0, square product .If ei = 1, then multiply product by a.
Square-and-(conditionally)-multiply algorithm
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 91: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/91.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 92: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/92.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 1
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 93: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/93.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 17 1 (1)2 = 1 12 × 127 ≡ 127 (modn)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 94: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/94.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 17 1 (1)2 = 1 12 × 127 ≡ 127 (modn)
6 1 (11)2 = 3 1272 × 127 ≡ 93 (modn)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 95: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/95.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 17 1 (1)2 = 1 12 × 127 ≡ 127 (modn)
6 1 (11)2 = 3 1272 × 127 ≡ 93 (modn)
5 0 (110)2 = 6 932 ≡ 168 (modn)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 96: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/96.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 17 1 (1)2 = 1 12 × 127 ≡ 127 (modn)
6 1 (11)2 = 3 1272 × 127 ≡ 93 (modn)
5 0 (110)2 = 6 932 ≡ 168 (modn)4 1 (1101)2 = 13 1682 × 127 ≡ 69 (modn)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 97: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/97.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 17 1 (1)2 = 1 12 × 127 ≡ 127 (modn)
6 1 (11)2 = 3 1272 × 127 ≡ 93 (modn)
5 0 (110)2 = 6 932 ≡ 168 (modn)4 1 (1101)2 = 13 1682 × 127 ≡ 69 (modn)
3 1 (11011)2 = 27 692 × 127 ≡ 183 (modn)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 98: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/98.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 17 1 (1)2 = 1 12 × 127 ≡ 127 (modn)
6 1 (11)2 = 3 1272 × 127 ≡ 93 (modn)
5 0 (110)2 = 6 932 ≡ 168 (modn)4 1 (1101)2 = 13 1682 × 127 ≡ 69 (modn)
3 1 (11011)2 = 27 692 × 127 ≡ 183 (modn)2 0 (110110)2 = 54 1832 ≡ 79 (modn)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 99: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/99.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 17 1 (1)2 = 1 12 × 127 ≡ 127 (modn)
6 1 (11)2 = 3 1272 × 127 ≡ 93 (modn)
5 0 (110)2 = 6 932 ≡ 168 (modn)4 1 (1101)2 = 13 1682 × 127 ≡ 69 (modn)
3 1 (11011)2 = 27 692 × 127 ≡ 183 (modn)2 0 (110110)2 = 54 1832 ≡ 79 (modn)
1 0 (1101100)2 = 108 792 ≡ 73 (modn)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 100: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/100.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Left-to-right Modular Exponentiation (Example)
Take n = 257, a = 127 and e = 217.We have the binary representation: e = (11011001)2.
i ei ǫi aǫi (modn)
8 − 0 17 1 (1)2 = 1 12 × 127 ≡ 127 (modn)
6 1 (11)2 = 3 1272 × 127 ≡ 93 (modn)
5 0 (110)2 = 6 932 ≡ 168 (modn)4 1 (1101)2 = 13 1682 × 127 ≡ 69 (modn)
3 1 (11011)2 = 27 692 × 127 ≡ 183 (modn)2 0 (110110)2 = 54 1832 ≡ 79 (modn)
1 0 (1101100)2 = 108 792 ≡ 73 (modn)
0 1 (11011001)2 = 217 732 × 127 ≡ 102 (modn)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 101: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/101.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Primality Testing
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 102: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/102.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Primality Testing
A fundamental problem in computational number theory.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 103: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/103.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Primality Testing
A fundamental problem in computational number theory.
Probabilistic (that is, randomized) algorithms solve theproblem reasonably efficiently with arbitrarily smallprobability of error.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 104: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/104.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Primality Testing
A fundamental problem in computational number theory.
Probabilistic (that is, randomized) algorithms solve theproblem reasonably efficiently with arbitrarily smallprobability of error.
Some of these probabilistic algorithms can be converted todeterministic polynomial-time algorithms under certainunproven assumptions (Extended Riemann Hypothesis).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 105: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/105.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Primality Testing
A fundamental problem in computational number theory.
Probabilistic (that is, randomized) algorithms solve theproblem reasonably efficiently with arbitrarily smallprobability of error.
Some of these probabilistic algorithms can be converted todeterministic polynomial-time algorithms under certainunproven assumptions (Extended Riemann Hypothesis).
The first known deterministic polynomial-time algorithmwith proofs not dependent on any conjectures is fromAgarwal, Kayal and Saxena (2002).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 106: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/106.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Primality Testing
A fundamental problem in computational number theory.
Probabilistic (that is, randomized) algorithms solve theproblem reasonably efficiently with arbitrarily smallprobability of error.
Some of these probabilistic algorithms can be converted todeterministic polynomial-time algorithms under certainunproven assumptions (Extended Riemann Hypothesis).
The first known deterministic polynomial-time algorithmwith proofs not dependent on any conjectures is fromAgarwal, Kayal and Saxena (2002).
The AKS algorithm is not yet practical.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 107: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/107.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 108: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/108.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Fermat’s little theorem: If n is prime, then an−1 ≡ 1 (modn)for all a coprime to n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 109: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/109.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Fermat’s little theorem: If n is prime, then an−1 ≡ 1 (modn)for all a coprime to n.The converse is not true: 635−1 ≡ (62)17 ≡ 1 (mod35).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 110: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/110.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Fermat’s little theorem: If n is prime, then an−1 ≡ 1 (modn)for all a coprime to n.The converse is not true: 635−1 ≡ (62)17 ≡ 1 (mod35).However, 835−1 ≡ 29 6≡ 1 (mod35). So, 6 fails to prove thecompositeness of 35, but 8 proves it.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 111: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/111.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Fermat’s little theorem: If n is prime, then an−1 ≡ 1 (modn)for all a coprime to n.The converse is not true: 635−1 ≡ (62)17 ≡ 1 (mod35).However, 835−1 ≡ 29 6≡ 1 (mod35). So, 6 fails to prove thecompositeness of 35, but 8 proves it.An integer n is called a pseudoprime to a base a withgcd(a, n) = 1, if an−1 ≡ 1 (modn).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 112: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/112.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Fermat’s little theorem: If n is prime, then an−1 ≡ 1 (modn)for all a coprime to n.The converse is not true: 635−1 ≡ (62)17 ≡ 1 (mod35).However, 835−1 ≡ 29 6≡ 1 (mod35). So, 6 fails to prove thecompositeness of 35, but 8 proves it.An integer n is called a pseudoprime to a base a withgcd(a, n) = 1, if an−1 ≡ 1 (modn).A prime is a pseudoprime to every coprime base.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 113: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/113.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Fermat’s little theorem: If n is prime, then an−1 ≡ 1 (modn)for all a coprime to n.The converse is not true: 635−1 ≡ (62)17 ≡ 1 (mod35).However, 835−1 ≡ 29 6≡ 1 (mod35). So, 6 fails to prove thecompositeness of 35, but 8 proves it.An integer n is called a pseudoprime to a base a withgcd(a, n) = 1, if an−1 ≡ 1 (modn).A prime is a pseudoprime to every coprime base.A prime has no witnesses to its compositeness.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 114: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/114.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Fermat’s little theorem: If n is prime, then an−1 ≡ 1 (modn)for all a coprime to n.The converse is not true: 635−1 ≡ (62)17 ≡ 1 (mod35).However, 835−1 ≡ 29 6≡ 1 (mod35). So, 6 fails to prove thecompositeness of 35, but 8 proves it.An integer n is called a pseudoprime to a base a withgcd(a, n) = 1, if an−1 ≡ 1 (modn).A prime is a pseudoprime to every coprime base.A prime has no witnesses to its compositeness.If a composite integer n is not a pseudoprime to somebase, then n is not a pseudoprime to at least half of thebases in Z
∗
n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 115: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/115.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test
Fermat’s little theorem: If n is prime, then an−1 ≡ 1 (modn)for all a coprime to n.The converse is not true: 635−1 ≡ (62)17 ≡ 1 (mod35).However, 835−1 ≡ 29 6≡ 1 (mod35). So, 6 fails to prove thecompositeness of 35, but 8 proves it.An integer n is called a pseudoprime to a base a withgcd(a, n) = 1, if an−1 ≡ 1 (modn).A prime is a pseudoprime to every coprime base.A prime has no witnesses to its compositeness.If a composite integer n is not a pseudoprime to somebase, then n is not a pseudoprime to at least half of thebases in Z
∗
n.In that case, the density of witnesses for thecompositeness of n is at least 1/2.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 116: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/116.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test (contd.)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 117: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/117.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test (contd.)
Choose t random bases a1, a2, . . . , at ∈ Z∗
n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 118: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/118.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test (contd.)
Choose t random bases a1, a2, . . . , at ∈ Z∗
n.
If an−1i ≡ 1 (modn) for all i , declare n as prime.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 119: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/119.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test (contd.)
Choose t random bases a1, a2, . . . , at ∈ Z∗
n.
If an−1i ≡ 1 (modn) for all i , declare n as prime.
If an−1i 6≡ 1 (modn) for some i , declare n as composite.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 120: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/120.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test (contd.)
Choose t random bases a1, a2, . . . , at ∈ Z∗
n.
If an−1i ≡ 1 (modn) for all i , declare n as prime.
If an−1i 6≡ 1 (modn) for some i , declare n as composite.
If this test declares n as composite, there is no error.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 121: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/121.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test (contd.)
Choose t random bases a1, a2, . . . , at ∈ Z∗
n.
If an−1i ≡ 1 (modn) for all i , declare n as prime.
If an−1i 6≡ 1 (modn) for some i , declare n as composite.
If this test declares n as composite, there is no error.
If this test declares n as prime, there may be an error.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 122: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/122.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test (contd.)
Choose t random bases a1, a2, . . . , at ∈ Z∗
n.
If an−1i ≡ 1 (modn) for all i , declare n as prime.
If an−1i 6≡ 1 (modn) for some i , declare n as composite.
If this test declares n as composite, there is no error.
If this test declares n as prime, there may be an error.
If n has (at least) one witness for its compositeness, thenthe probability of error is 6 1/2t .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 123: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/123.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Fermat Test (contd.)
Choose t random bases a1, a2, . . . , at ∈ Z∗
n.
If an−1i ≡ 1 (modn) for all i , declare n as prime.
If an−1i 6≡ 1 (modn) for some i , declare n as composite.
If this test declares n as composite, there is no error.
If this test declares n as prime, there may be an error.
If n has (at least) one witness for its compositeness, thenthe probability of error is 6 1/2t .
By choosing t suitably, this probability can be made verylow.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 124: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/124.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Carmichael Numbers
There exist composite integers which have no (coprime)witnesses of compositeness.
These are called Carmichael numbers.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 125: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/125.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Carmichael Numbers
There exist composite integers which have no (coprime)witnesses of compositeness.
These are called Carmichael numbers.
Although not common, Carmichael numbers are infinite innumber.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 126: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/126.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Carmichael Numbers
There exist composite integers which have no (coprime)witnesses of compositeness.
These are called Carmichael numbers.
Although not common, Carmichael numbers are infinite innumber.
The smallest Carmichael number is 561 = 3 × 11 × 17.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 127: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/127.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Carmichael Numbers
There exist composite integers which have no (coprime)witnesses of compositeness.
These are called Carmichael numbers.
Although not common, Carmichael numbers are infinite innumber.
The smallest Carmichael number is 561 = 3 × 11 × 17.
A Carmichael number must be odd, square-free, and theproduct of at least three (distinct) primes.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 128: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/128.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Carmichael Numbers
There exist composite integers which have no (coprime)witnesses of compositeness.
These are called Carmichael numbers.
Although not common, Carmichael numbers are infinite innumber.
The smallest Carmichael number is 561 = 3 × 11 × 17.
A Carmichael number must be odd, square-free, and theproduct of at least three (distinct) primes.
For every prime divisor p of a Carmichael number n, wemust have (p − 1) | (n − 1).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 129: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/129.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Euler (or Solovay-Strassen) Test
An integer n ∈ N is called an Euler pseudoprime or aSolovay-Strassen pseudoprime to base a (with gcd(a, n) = 1)
if a(n−1)/2 ≡(a
n
)
(modn), where(a
n
)
is the Jacobi symbol.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 130: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/130.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Euler (or Solovay-Strassen) Test
An integer n ∈ N is called an Euler pseudoprime or aSolovay-Strassen pseudoprime to base a (with gcd(a, n) = 1)
if a(n−1)/2 ≡(a
n
)
(modn), where(a
n
)
is the Jacobi symbol.
If n is an Euler pseudoprime to base a, then n is also a(Fermat) pseudoprime to base a. The converse is not true.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 131: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/131.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Euler (or Solovay-Strassen) Test
An integer n ∈ N is called an Euler pseudoprime or aSolovay-Strassen pseudoprime to base a (with gcd(a, n) = 1)
if a(n−1)/2 ≡(a
n
)
(modn), where(a
n
)
is the Jacobi symbol.
If n is an Euler pseudoprime to base a, then n is also a(Fermat) pseudoprime to base a. The converse is not true.
By Euler’s criterion, a prime is Euler pseudoprime to allcoprime bases.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 132: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/132.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Euler (or Solovay-Strassen) Test
An integer n ∈ N is called an Euler pseudoprime or aSolovay-Strassen pseudoprime to base a (with gcd(a, n) = 1)
if a(n−1)/2 ≡(a
n
)
(modn), where(a
n
)
is the Jacobi symbol.
If n is an Euler pseudoprime to base a, then n is also a(Fermat) pseudoprime to base a. The converse is not true.
By Euler’s criterion, a prime is Euler pseudoprime to allcoprime bases.
A composite integer n is Euler pseudoprime to at most halfthe bases in Z
∗
n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 133: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/133.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Euler (or Solovay-Strassen) Test
An integer n ∈ N is called an Euler pseudoprime or aSolovay-Strassen pseudoprime to base a (with gcd(a, n) = 1)
if a(n−1)/2 ≡(a
n
)
(modn), where(a
n
)
is the Jacobi symbol.
If n is an Euler pseudoprime to base a, then n is also a(Fermat) pseudoprime to base a. The converse is not true.
By Euler’s criterion, a prime is Euler pseudoprime to allcoprime bases.
A composite integer n is Euler pseudoprime to at most halfthe bases in Z
∗
n.
Even Carmichael numbers possess compositenesswitnesses under the revised criterion.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 134: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/134.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Euler (or Solovay-Strassen) Test
An integer n ∈ N is called an Euler pseudoprime or aSolovay-Strassen pseudoprime to base a (with gcd(a, n) = 1)
if a(n−1)/2 ≡(a
n
)
(modn), where(a
n
)
is the Jacobi symbol.
If n is an Euler pseudoprime to base a, then n is also a(Fermat) pseudoprime to base a. The converse is not true.
By Euler’s criterion, a prime is Euler pseudoprime to allcoprime bases.
A composite integer n is Euler pseudoprime to at most halfthe bases in Z
∗
n.
Even Carmichael numbers possess compositenesswitnesses under the revised criterion.
Example: 5(561−1)/2 ≡ 67 (mod561), whereas( 5
561
)
= 1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 135: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/135.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 136: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/136.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test
An odd prime has exactly two modular square roots of 1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 137: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/137.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test
An odd prime has exactly two modular square roots of 1.
An odd composite integer which is not a prime power hasat least four modular square roots of 1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 138: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/138.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test
An odd prime has exactly two modular square roots of 1.
An odd composite integer which is not a prime power hasat least four modular square roots of 1.
Suppose an−1 ≡ 1 (modn) (with gcd(a, n) = 1).Write n − 1 = 2rn′ with n′ odd and r ∈ N.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 139: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/139.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test
An odd prime has exactly two modular square roots of 1.
An odd composite integer which is not a prime power hasat least four modular square roots of 1.
Suppose an−1 ≡ 1 (modn) (with gcd(a, n) = 1).Write n − 1 = 2rn′ with n′ odd and r ∈ N.
Consider the sequence bi ≡ (an′
)2i(modn) for
i = 0, 1, 2, . . . , r .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 140: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/140.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test
An odd prime has exactly two modular square roots of 1.
An odd composite integer which is not a prime power hasat least four modular square roots of 1.
Suppose an−1 ≡ 1 (modn) (with gcd(a, n) = 1).Write n − 1 = 2rn′ with n′ odd and r ∈ N.
Consider the sequence bi ≡ (an′
)2i(modn) for
i = 0, 1, 2, . . . , r .
We have br ≡ 1 (modn).Let j be the smallest index with bj ≡ 1 (modn).Suppose j > 0. Then bj−1 is a modular square root of 1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 141: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/141.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test
An odd prime has exactly two modular square roots of 1.
An odd composite integer which is not a prime power hasat least four modular square roots of 1.
Suppose an−1 ≡ 1 (modn) (with gcd(a, n) = 1).Write n − 1 = 2rn′ with n′ odd and r ∈ N.
Consider the sequence bi ≡ (an′
)2i(modn) for
i = 0, 1, 2, . . . , r .
We have br ≡ 1 (modn).Let j be the smallest index with bj ≡ 1 (modn).Suppose j > 0. Then bj−1 is a modular square root of 1.
If bj−1 6≡ −1 (modn), then n is composite.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 142: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/142.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test
An odd prime has exactly two modular square roots of 1.
An odd composite integer which is not a prime power hasat least four modular square roots of 1.
Suppose an−1 ≡ 1 (modn) (with gcd(a, n) = 1).Write n − 1 = 2rn′ with n′ odd and r ∈ N.
Consider the sequence bi ≡ (an′
)2i(modn) for
i = 0, 1, 2, . . . , r .
We have br ≡ 1 (modn).Let j be the smallest index with bj ≡ 1 (modn).Suppose j > 0. Then bj−1 is a modular square root of 1.
If bj−1 6≡ −1 (modn), then n is composite.
Compute b0 by modular exponentiation, and then computebi ≡ b2
i−1 (modn) for i = 1, 2, . . . .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 143: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/143.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 144: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/144.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 145: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/145.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.A strong pseudoprime is also an Euler pseudoprime (butnot conversely) and so a Fermat pseudoprime.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 146: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/146.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.A strong pseudoprime is also an Euler pseudoprime (butnot conversely) and so a Fermat pseudoprime.If n is an odd composite integer (but not a prime power),then n is a strong pseudoprime to at most 1/4-th of thebases in Z
∗
n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 147: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/147.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.A strong pseudoprime is also an Euler pseudoprime (butnot conversely) and so a Fermat pseudoprime.If n is an odd composite integer (but not a prime power),then n is a strong pseudoprime to at most 1/4-th of thebases in Z
∗
n.This is true even for Carmichael numbers.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 148: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/148.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.A strong pseudoprime is also an Euler pseudoprime (butnot conversely) and so a Fermat pseudoprime.If n is an odd composite integer (but not a prime power),then n is a strong pseudoprime to at most 1/4-th of thebases in Z
∗
n.This is true even for Carmichael numbers.
Example: n = 561 = 24 × 35 + 1, so r = 4 and n′ = 35.For the base a = 2, we have:
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 149: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/149.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.A strong pseudoprime is also an Euler pseudoprime (butnot conversely) and so a Fermat pseudoprime.If n is an odd composite integer (but not a prime power),then n is a strong pseudoprime to at most 1/4-th of thebases in Z
∗
n.This is true even for Carmichael numbers.
Example: n = 561 = 24 × 35 + 1, so r = 4 and n′ = 35.For the base a = 2, we have:b0 ≡ an′ ≡ 263 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 150: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/150.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.A strong pseudoprime is also an Euler pseudoprime (butnot conversely) and so a Fermat pseudoprime.If n is an odd composite integer (but not a prime power),then n is a strong pseudoprime to at most 1/4-th of thebases in Z
∗
n.This is true even for Carmichael numbers.
Example: n = 561 = 24 × 35 + 1, so r = 4 and n′ = 35.For the base a = 2, we have:b0 ≡ an′ ≡ 263 (modn), b1 ≡ a2n′ ≡ 166 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 151: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/151.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.A strong pseudoprime is also an Euler pseudoprime (butnot conversely) and so a Fermat pseudoprime.If n is an odd composite integer (but not a prime power),then n is a strong pseudoprime to at most 1/4-th of thebases in Z
∗
n.This is true even for Carmichael numbers.
Example: n = 561 = 24 × 35 + 1, so r = 4 and n′ = 35.For the base a = 2, we have:b0 ≡ an′ ≡ 263 (modn), b1 ≡ a2n′ ≡ 166 (modn),b2 ≡ a22n′ ≡ 67 (modn),
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 152: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/152.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
Miller-Rabin Test (contd.)
n is called a Miller-Rabin pseudoprime or a strongpseudoprime to the base a, if b0 ≡ 1 (modn) orbj−1 ≡ −1 (modn) for some j ∈ {1, 2, . . . , r}.A strong pseudoprime is also an Euler pseudoprime (butnot conversely) and so a Fermat pseudoprime.If n is an odd composite integer (but not a prime power),then n is a strong pseudoprime to at most 1/4-th of thebases in Z
∗
n.This is true even for Carmichael numbers.
Example: n = 561 = 24 × 35 + 1, so r = 4 and n′ = 35.For the base a = 2, we have:b0 ≡ an′ ≡ 263 (modn), b1 ≡ a2n′ ≡ 166 (modn),b2 ≡ a22n′ ≡ 67 (modn), b3 ≡ a23n′ ≡ 1 (modn).Thus, 67 is a non-trivial square root of 1 modulo 561.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 153: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/153.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
The Agarwal-Kayal-Saxena (AKS) Test
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 154: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/154.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
The Agarwal-Kayal-Saxena (AKS) Test
Deterministic test, unconditionally polynomial-time.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 155: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/155.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
The Agarwal-Kayal-Saxena (AKS) Test
Deterministic test, unconditionally polynomial-time.
(x + a)n ≡ xn + a (modn) (for every a) if and only if n isprime.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 156: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/156.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
The Agarwal-Kayal-Saxena (AKS) Test
Deterministic test, unconditionally polynomial-time.
(x + a)n ≡ xn + a (modn) (for every a) if and only if n isprime.
Compute (x + a)n and xn + a modulo n and some suitablychosen polynomials x r − 1 with small r .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 157: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/157.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
The Agarwal-Kayal-Saxena (AKS) Test
Deterministic test, unconditionally polynomial-time.
(x + a)n ≡ xn + a (modn) (for every a) if and only if n isprime.
Compute (x + a)n and xn + a modulo n and some suitablychosen polynomials x r − 1 with small r .
A suitable r = O(ln6 n) can be found. For this r , at most2√
r ln n values of a need to be tried.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 158: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/158.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
The Agarwal-Kayal-Saxena (AKS) Test
Deterministic test, unconditionally polynomial-time.
(x + a)n ≡ xn + a (modn) (for every a) if and only if n isprime.
Compute (x + a)n and xn + a modulo n and some suitablychosen polynomials x r − 1 with small r .
A suitable r = O(ln6 n) can be found. For this r , at most2√
r ln n values of a need to be tried.
The original AKS algorithm runs in O (̃ln12 n) time.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 159: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/159.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
The Agarwal-Kayal-Saxena (AKS) Test
Deterministic test, unconditionally polynomial-time.
(x + a)n ≡ xn + a (modn) (for every a) if and only if n isprime.
Compute (x + a)n and xn + a modulo n and some suitablychosen polynomials x r − 1 with small r .
A suitable r = O(ln6 n) can be found. For this r , at most2√
r ln n values of a need to be tried.
The original AKS algorithm runs in O (̃ln12 n) time.
Lenstra and Pomerance’s improvement reduces therunning time to O (̃ln6 n).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 160: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/160.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
How to Choose Cryptographic Primes?
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 161: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/161.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
How to Choose Cryptographic Primes?
Primes are abundant in nature (N).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 162: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/162.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
How to Choose Cryptographic Primes?
Primes are abundant in nature (N).A random search quickly gives t-bit primes. O(t) randomvalues need to be tried. Performance increases severaltimes by using sieving techniques.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 163: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/163.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
How to Choose Cryptographic Primes?
Primes are abundant in nature (N).A random search quickly gives t-bit primes. O(t) randomvalues need to be tried. Performance increases severaltimes by using sieving techniques.Random primes are not necessarily secure forcryptographic use.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 164: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/164.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
How to Choose Cryptographic Primes?
Primes are abundant in nature (N).A random search quickly gives t-bit primes. O(t) randomvalues need to be tried. Performance increases severaltimes by using sieving techniques.Random primes are not necessarily secure forcryptographic use.A safe prime p is an odd prime with (p − 1)/2 prime.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 165: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/165.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
How to Choose Cryptographic Primes?
Primes are abundant in nature (N).A random search quickly gives t-bit primes. O(t) randomvalues need to be tried. Performance increases severaltimes by using sieving techniques.Random primes are not necessarily secure forcryptographic use.A safe prime p is an odd prime with (p − 1)/2 prime.A strong prime p is an odd prime, such that
p − 1 has a large prime divisor (call it q),p + 1 has a large prime divisor, andq − 1 has a large prime divisor.
Here, “large” means “of bit length > 160”.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 166: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/166.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
GCDModular ExponentiationPrimality Testing
How to Choose Cryptographic Primes?
Primes are abundant in nature (N).A random search quickly gives t-bit primes. O(t) randomvalues need to be tried. Performance increases severaltimes by using sieving techniques.Random primes are not necessarily secure forcryptographic use.A safe prime p is an odd prime with (p − 1)/2 prime.A strong prime p is an odd prime, such that
p − 1 has a large prime divisor (call it q),p + 1 has a large prime divisor, andq − 1 has a large prime divisor.
Here, “large” means “of bit length > 160”.The search for random primes can be modified to generatesafe and strong primes.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 167: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/167.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Arithmetic in Finite Fields
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 168: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/168.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Arithmetic in Finite Fields
The most practical finite fields are the prime fields Fp andthe fields F2n of characteristic 2.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 169: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/169.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Arithmetic in Finite Fields
The most practical finite fields are the prime fields Fp andthe fields F2n of characteristic 2.
The arithmetic of Fp is integer arithmetic modulo p.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 170: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/170.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Arithmetic in Finite Fields
The most practical finite fields are the prime fields Fp andthe fields F2n of characteristic 2.
The arithmetic of Fp is integer arithmetic modulo p.
The arithmetic of F2n = F2(θ) (with f (θ) = 0) is polynomialarithmetic modulo 2 and the defining polynomial f (x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 171: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/171.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Arithmetic in Finite Fields
The most practical finite fields are the prime fields Fp andthe fields F2n of characteristic 2.
The arithmetic of Fp is integer arithmetic modulo p.
The arithmetic of F2n = F2(θ) (with f (θ) = 0) is polynomialarithmetic modulo 2 and the defining polynomial f (x).
In cryptographic protocols, the extension degrees n maybe several thousands.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 172: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/172.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Arithmetic in Finite Fields
The most practical finite fields are the prime fields Fp andthe fields F2n of characteristic 2.
The arithmetic of Fp is integer arithmetic modulo p.
The arithmetic of F2n = F2(θ) (with f (θ) = 0) is polynomialarithmetic modulo 2 and the defining polynomial f (x).
In cryptographic protocols, the extension degrees n maybe several thousands.
It is necessary to study the arithmetic of such bigpolynomials.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 173: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/173.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 174: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/174.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
The coefficients of polynomials over F2 are bits.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 175: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/175.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
The coefficients of polynomials over F2 are bits.Multiple coefficients are packed in a single machine word.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 176: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/176.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
The coefficients of polynomials over F2 are bits.Multiple coefficients are packed in a single machine word.Addition is the word-by-word XOR operation.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 177: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/177.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
The coefficients of polynomials over F2 are bits.Multiple coefficients are packed in a single machine word.Addition is the word-by-word XOR operation.For multiplication, shift and XOR.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 178: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/178.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
The coefficients of polynomials over F2 are bits.Multiple coefficients are packed in a single machine word.Addition is the word-by-word XOR operation.For multiplication, shift and XOR.Euclidean division is again a shift-and-subtract algorithm.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 179: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/179.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
The coefficients of polynomials over F2 are bits.Multiple coefficients are packed in a single machine word.Addition is the word-by-word XOR operation.For multiplication, shift and XOR.Euclidean division is again a shift-and-subtract algorithm.GCD can be computed by repeated Euclidean division.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 180: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/180.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
The coefficients of polynomials over F2 are bits.Multiple coefficients are packed in a single machine word.Addition is the word-by-word XOR operation.For multiplication, shift and XOR.Euclidean division is again a shift-and-subtract algorithm.GCD can be computed by repeated Euclidean division.Modular inverse is available from extended gcdcomputation.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 181: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/181.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Polynomial Arithmetic
The coefficients of polynomials over F2 are bits.Multiple coefficients are packed in a single machine word.Addition is the word-by-word XOR operation.For multiplication, shift and XOR.Euclidean division is again a shift-and-subtract algorithm.GCD can be computed by repeated Euclidean division.Modular inverse is available from extended gcdcomputation.
Running times: Let the operands be f (x), g(x) ∈ F2[x ].f (x) + g(x) O(max(deg f (x), deg g(x))
f (x)g(x) O(deg f (x) × deg g(x))f (x) quotg(x) and/or f (x) remg(x) O(deg f (x) × deg g(x))
gcd(f (x), g(x)) O(max(deg f (x), deg g(x))3)
g(x)−1 (mod f (x)) O(max(deg f (x), deg g(x))3)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 182: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/182.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Irreducible Polynomials
Representation of F2n requires an irreducible polynomial.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 183: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/183.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Irreducible Polynomials
Representation of F2n requires an irreducible polynomial.
Testing irreducibility of f (x) ∈ F2[x ] with deg f (x) = n:
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 184: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/184.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Irreducible Polynomials
Representation of F2n requires an irreducible polynomial.
Testing irreducibility of f (x) ∈ F2[x ] with deg f (x) = n:
For i = 1, 2, 3, . . . , ⌊n/2⌋, compute di(x) = gcd(x2i−x , f (x)).If all di(x) = 1, declare f (x) as irreducible.If some di(x) 6= 1, declare f (x) as reducible.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 185: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/185.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Irreducible Polynomials
Representation of F2n requires an irreducible polynomial.
Testing irreducibility of f (x) ∈ F2[x ] with deg f (x) = n:
For i = 1, 2, 3, . . . , ⌊n/2⌋, compute di(x) = gcd(x2i−x , f (x)).If all di(x) = 1, declare f (x) as irreducible.If some di(x) 6= 1, declare f (x) as reducible.
x2iare computed iteratively modulo f (x) in order to keep their
degree low (that is, less than deg f (x)).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 186: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/186.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Irreducible Polynomials
Representation of F2n requires an irreducible polynomial.
Testing irreducibility of f (x) ∈ F2[x ] with deg f (x) = n:
For i = 1, 2, 3, . . . , ⌊n/2⌋, compute di(x) = gcd(x2i−x , f (x)).If all di(x) = 1, declare f (x) as irreducible.If some di(x) 6= 1, declare f (x) as reducible.
x2iare computed iteratively modulo f (x) in order to keep their
degree low (that is, less than deg f (x)).
Locating random irreducible polynomial of degree n:
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 187: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/187.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Irreducible Polynomials
Representation of F2n requires an irreducible polynomial.
Testing irreducibility of f (x) ∈ F2[x ] with deg f (x) = n:
For i = 1, 2, 3, . . . , ⌊n/2⌋, compute di(x) = gcd(x2i−x , f (x)).If all di(x) = 1, declare f (x) as irreducible.If some di(x) 6= 1, declare f (x) as reducible.
x2iare computed iteratively modulo f (x) in order to keep their
degree low (that is, less than deg f (x)).
Locating random irreducible polynomial of degree n:
Generate random polynomials of degree n,until an irreducible polynomial is generated.
The density of irreducible polynomials is about 1/n in the set ofall monic polynomials in F2[x ] of degree n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 188: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/188.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Primitive elements
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 189: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/189.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Primitive elements
F∗
q is cyclic.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 190: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/190.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Primitive elements
F∗
q is cyclic.
The density of primitive elements in F∗
q isφ(q − 1)/(q − 1) > 1/(6 ln ln(q − 1)) for q > 7.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 191: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/191.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Primitive elements
F∗
q is cyclic.
The density of primitive elements in F∗
q isφ(q − 1)/(q − 1) > 1/(6 ln ln(q − 1)) for q > 7.
Checking for primitive elements requires the factorizationof q − 1. Let q − 1 = pe1
1 pe22 · · · pet
t .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 192: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/192.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Primitive elements
F∗
q is cyclic.
The density of primitive elements in F∗
q isφ(q − 1)/(q − 1) > 1/(6 ln ln(q − 1)) for q > 7.
Checking for primitive elements requires the factorizationof q − 1. Let q − 1 = pe1
1 pe22 · · · pet
t .
An element a ∈ F∗
q is primitive if and only if a(q−1)/pi 6= 1 forall i = 1, 2, . . . , t .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 193: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/193.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Good Finite Fields for Cryptography
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 194: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/194.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Good Finite Fields for Cryptography
Cryptosystems based on the finite field discrete logarithmproblem use Fq with |q| > 1024.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 195: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/195.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Good Finite Fields for Cryptography
Cryptosystems based on the finite field discrete logarithmproblem use Fq with |q| > 1024.
For fast implementation, one takes q = p ∈ P or q = 2n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 196: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/196.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Good Finite Fields for Cryptography
Cryptosystems based on the finite field discrete logarithmproblem use Fq with |q| > 1024.
For fast implementation, one takes q = p ∈ P or q = 2n.
One needs generators of F∗
q. This requires thefactorization of q − 1. This is an impractical requirement.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 197: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/197.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Good Finite Fields for Cryptography
Cryptosystems based on the finite field discrete logarithmproblem use Fq with |q| > 1024.
For fast implementation, one takes q = p ∈ P or q = 2n.
One needs generators of F∗
q. This requires thefactorization of q − 1. This is an impractical requirement.
Elements of F∗
q with prime orders r > 2160 often suffice.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 198: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/198.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Good Finite Fields for Cryptography
Cryptosystems based on the finite field discrete logarithmproblem use Fq with |q| > 1024.
For fast implementation, one takes q = p ∈ P or q = 2n.
One needs generators of F∗
q. This requires thefactorization of q − 1. This is an impractical requirement.
Elements of F∗
q with prime orders r > 2160 often suffice.
For the field Fp, the prime p can be so chosen that p − 1has a large prime divisor r . Safe and strong primes may beused.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 199: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/199.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Good Finite Fields for Cryptography
Cryptosystems based on the finite field discrete logarithmproblem use Fq with |q| > 1024.
For fast implementation, one takes q = p ∈ P or q = 2n.
One needs generators of F∗
q. This requires thefactorization of q − 1. This is an impractical requirement.
Elements of F∗
q with prime orders r > 2160 often suffice.
For the field Fp, the prime p can be so chosen that p − 1has a large prime divisor r . Safe and strong primes may beused.
For F2n , we have no choice but to factor 2n − 1. For somevalues of n, a complete or partial knowledge of thefactorization of 2n − 1 may aid the choice of a suitable r .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 200: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/200.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Suitably Large Prime Factors of 2n − 1
Examples
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 201: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/201.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Suitably Large Prime Factors of 2n − 1
Examples
21279 − 1 = r is a 1279-bit prime.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 202: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/202.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Suitably Large Prime Factors of 2n − 1
Examples
21279 − 1 = r is a 1279-bit prime.
21223 − 1 = 2447 × 31799 × 439191833149903 × r , where r isan 1149-bit prime.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 203: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/203.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Suitably Large Prime Factors of 2n − 1
Examples
21279 − 1 = r is a 1279-bit prime.
21223 − 1 = 2447 × 31799 × 439191833149903 × r , where r isan 1149-bit prime.
21489 − 1 = 71473 × 27201739919 × 51028917464688167 ×13822844053570368983 × r × m, where r =122163266112900081138309323835006063277267764895871is a 167-bit prime, and m is an 1153-bit composite integer withunknown factorization.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 204: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/204.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 205: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/205.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Mathematical facts
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 206: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/206.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Mathematical facts
F∗
q is cyclic and contains a unique subgroup H of order r .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 207: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/207.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Mathematical facts
F∗
q is cyclic and contains a unique subgroup H of order r .
An element α of F∗
q is in H if and only if αr = 1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 208: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/208.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Mathematical facts
F∗
q is cyclic and contains a unique subgroup H of order r .
An element α of F∗
q is in H if and only if αr = 1.
Since r is prime, every non-identity element of H is agenerator of H.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 209: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/209.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Mathematical facts
F∗
q is cyclic and contains a unique subgroup H of order r .
An element α of F∗
q is in H if and only if αr = 1.
Since r is prime, every non-identity element of H is agenerator of H.
Search for α
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 210: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/210.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Mathematical facts
F∗
q is cyclic and contains a unique subgroup H of order r .
An element α of F∗
q is in H if and only if αr = 1.
Since r is prime, every non-identity element of H is agenerator of H.
Search for α
Choose β randomly from F∗
q.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 211: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/211.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Mathematical facts
F∗
q is cyclic and contains a unique subgroup H of order r .
An element α of F∗
q is in H if and only if αr = 1.
Since r is prime, every non-identity element of H is agenerator of H.
Search for α
Choose β randomly from F∗
q.
Set α = β(q−1)/r .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 212: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/212.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Elements of Large Orders in F∗q
Let r be a prime divisor of q − 1 with |r | > 160.Goal: To obtain an element α ∈ F
∗
q with ordα = r .
Mathematical facts
F∗
q is cyclic and contains a unique subgroup H of order r .
An element α of F∗
q is in H if and only if αr = 1.
Since r is prime, every non-identity element of H is agenerator of H.
Search for α
Choose β randomly from F∗
q.
Set α = β(q−1)/r .
If α 6= 1, return α, else choose another β and repeat.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 213: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/213.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Factoring Polynomials Over Finite Fields
To factor f (x) ∈ Fq[x ] with deg f (x) = d . Let q = pn.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 214: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/214.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Factoring Polynomials Over Finite Fields
To factor f (x) ∈ Fq[x ] with deg f (x) = d . Let q = pn.
No deterministic polynomial-time algorithm is known.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 215: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/215.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Factoring Polynomials Over Finite Fields
To factor f (x) ∈ Fq[x ] with deg f (x) = d . Let q = pn.
No deterministic polynomial-time algorithm is known.
Polynomial-time randomized algorithms are known.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 216: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/216.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Factoring Polynomials Over Finite Fields
To factor f (x) ∈ Fq[x ] with deg f (x) = d . Let q = pn.
No deterministic polynomial-time algorithm is known.
Polynomial-time randomized algorithms are known.A common approach is to use the following three steps.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 217: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/217.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Factoring Polynomials Over Finite Fields
To factor f (x) ∈ Fq[x ] with deg f (x) = d . Let q = pn.
No deterministic polynomial-time algorithm is known.
Polynomial-time randomized algorithms are known.A common approach is to use the following three steps.
Square-free factorization (SFF): Express f (x) as aproduct of square-free polynomials.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 218: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/218.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Factoring Polynomials Over Finite Fields
To factor f (x) ∈ Fq[x ] with deg f (x) = d . Let q = pn.
No deterministic polynomial-time algorithm is known.
Polynomial-time randomized algorithms are known.A common approach is to use the following three steps.
Square-free factorization (SFF): Express f (x) as aproduct of square-free polynomials.Distinct-degree factorization (DDF): Let f (x) besquare-free. Express f (x) = f1(x)f2(x) · · · fd (x), where fi(x)is the product of irreducible factors of f (x) of degree i.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 219: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/219.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Factoring Polynomials Over Finite Fields
To factor f (x) ∈ Fq[x ] with deg f (x) = d . Let q = pn.
No deterministic polynomial-time algorithm is known.
Polynomial-time randomized algorithms are known.A common approach is to use the following three steps.
Square-free factorization (SFF): Express f (x) as aproduct of square-free polynomials.Distinct-degree factorization (DDF): Let f (x) besquare-free. Express f (x) = f1(x)f2(x) · · · fd (x), where fi(x)is the product of irreducible factors of f (x) of degree i.Equal-degree factorization (EDF): Let f (x) be asquare-free product of irreducible polynomials of the sameknown degree. Determine all these irreducible factors.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 220: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/220.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Factoring Polynomials Over Finite Fields
To factor f (x) ∈ Fq[x ] with deg f (x) = d . Let q = pn.
No deterministic polynomial-time algorithm is known.
Polynomial-time randomized algorithms are known.A common approach is to use the following three steps.
Square-free factorization (SFF): Express f (x) as aproduct of square-free polynomials.Distinct-degree factorization (DDF): Let f (x) besquare-free. Express f (x) = f1(x)f2(x) · · · fd (x), where fi(x)is the product of irreducible factors of f (x) of degree i.Equal-degree factorization (EDF): Let f (x) be asquare-free product of irreducible polynomials of the sameknown degree. Determine all these irreducible factors.
The only probabilistic part is EDF.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 221: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/221.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Square-free Factorization (SFF)
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 222: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/222.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Square-free Factorization (SFF)
Compute the formal derivative f ′(x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 223: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/223.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Square-free Factorization (SFF)
Compute the formal derivative f ′(x).
If f ′(x) = 0, then f (x) must be of the form
a1xpe1 + a2xpe2 + · · · + akxpek .
Write f (x) = g(x)p, where
g(x) = apn−1
1 xe1 + apn−1
2 xe2 + · · · + apn−1
k xek .
Recursively compute the SFF of g(x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 224: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/224.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Square-free Factorization (SFF)
Compute the formal derivative f ′(x).
If f ′(x) = 0, then f (x) must be of the form
a1xpe1 + a2xpe2 + · · · + akxpek .
Write f (x) = g(x)p, where
g(x) = apn−1
1 xe1 + apn−1
2 xe2 + · · · + apn−1
k xek .
Recursively compute the SFF of g(x).
If f ′(x) 6= 0, then f (x)/ gcd(f (x), f ′(x)) is square-free.
Recursively compute the SFF of gcd(f (x), f ′(x)).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 225: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/225.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 226: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/226.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
xqi − x is the product of all monic irreducible polynomialsof Fq[x ] with degrees dividing i .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 227: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/227.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
xqi − x is the product of all monic irreducible polynomialsof Fq[x ] with degrees dividing i .
gcd(f (x), xqi − x) is the product of all irreducible factors off (x) with degrees dividing i .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 228: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/228.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
xqi − x is the product of all monic irreducible polynomialsof Fq[x ] with degrees dividing i .
gcd(f (x), xqi − x) is the product of all irreducible factors off (x) with degrees dividing i .
gcd(f (x)/(f1(x)f2(x) · · · fi−1(x)), xqi − x) is the product of allirreducible factors of f (x) of degree equal to i .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 229: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/229.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
xqi − x is the product of all monic irreducible polynomialsof Fq[x ] with degrees dividing i .
gcd(f (x), xqi − x) is the product of all irreducible factors off (x) with degrees dividing i .
gcd(f (x)/(f1(x)f2(x) · · · fi−1(x)), xqi − x) is the product of allirreducible factors of f (x) of degree equal to i .For i = 1, 2, 3, . . ., do the following:
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 230: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/230.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
xqi − x is the product of all monic irreducible polynomialsof Fq[x ] with degrees dividing i .
gcd(f (x), xqi − x) is the product of all irreducible factors off (x) with degrees dividing i .
gcd(f (x)/(f1(x)f2(x) · · · fi−1(x)), xqi − x) is the product of allirreducible factors of f (x) of degree equal to i .For i = 1, 2, 3, . . ., do the following:
Compute gi(x) ≡ xqi − x (mod f (x)).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 231: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/231.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
xqi − x is the product of all monic irreducible polynomialsof Fq[x ] with degrees dividing i .
gcd(f (x), xqi − x) is the product of all irreducible factors off (x) with degrees dividing i .
gcd(f (x)/(f1(x)f2(x) · · · fi−1(x)), xqi − x) is the product of allirreducible factors of f (x) of degree equal to i .For i = 1, 2, 3, . . ., do the following:
Compute gi(x) ≡ xqi − x (mod f (x)).Compute fi(x) = gcd(f (x), gi (x)).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 232: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/232.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
xqi − x is the product of all monic irreducible polynomialsof Fq[x ] with degrees dividing i .
gcd(f (x), xqi − x) is the product of all irreducible factors off (x) with degrees dividing i .
gcd(f (x)/(f1(x)f2(x) · · · fi−1(x)), xqi − x) is the product of allirreducible factors of f (x) of degree equal to i .For i = 1, 2, 3, . . ., do the following:
Compute gi(x) ≡ xqi − x (mod f (x)).Compute fi(x) = gcd(f (x), gi (x)).Replace f (x) by f (x)/fi(x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 233: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/233.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Distinct-degree Factorization (DDF)
Let f (x) ∈ Fq = Fpn be a square-free polynomial of degree d .Goal: To write f (x) = f1(x)f2(x) · · · fd (x), where fi(x) is theproduct of irreducible factors of f (x) of degree i .
xqi − x is the product of all monic irreducible polynomialsof Fq[x ] with degrees dividing i .
gcd(f (x), xqi − x) is the product of all irreducible factors off (x) with degrees dividing i .
gcd(f (x)/(f1(x)f2(x) · · · fi−1(x)), xqi − x) is the product of allirreducible factors of f (x) of degree equal to i .For i = 1, 2, 3, . . ., do the following:
Compute gi(x) ≡ xqi − x (mod f (x)).Compute fi(x) = gcd(f (x), gi (x)).Replace f (x) by f (x)/fi(x).If f (x) = 1, break.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 234: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/234.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 235: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/235.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Case 1: q is odd.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 236: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/236.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Case 1: q is odd.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 237: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/237.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Case 1: q is odd.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ − x | g(x)qδ − g(x), so f (x) | g(x)qδ − g(x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 238: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/238.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Case 1: q is odd.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ − x | g(x)qδ − g(x), so f (x) | g(x)qδ − g(x).
g(x)qδ − g(x) = g(x)(g(x)(qδ−1)/2 − 1)(g(x)(q
δ−1)/2 + 1).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 239: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/239.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Case 1: q is odd.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ − x | g(x)qδ − g(x), so f (x) | g(x)qδ − g(x).
g(x)qδ − g(x) = g(x)(g(x)(qδ−1)/2 − 1)(g(x)(q
δ−1)/2 + 1).
Compute h(x) = gcd(f (x), g(x)(qδ−1)/2 − 1).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 240: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/240.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Case 1: q is odd.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ − x | g(x)qδ − g(x), so f (x) | g(x)qδ − g(x).
g(x)qδ − g(x) = g(x)(g(x)(qδ−1)/2 − 1)(g(x)(q
δ−1)/2 + 1).
Compute h(x) = gcd(f (x), g(x)(qδ−1)/2 − 1).
h(x) is a non-trivial factor of f (x) with probability 1/2.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 241: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/241.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Case 1: q is odd.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ − x | g(x)qδ − g(x), so f (x) | g(x)qδ − g(x).
g(x)qδ − g(x) = g(x)(g(x)(qδ−1)/2 − 1)(g(x)(q
δ−1)/2 + 1).
Compute h(x) = gcd(f (x), g(x)(qδ−1)/2 − 1).
h(x) is a non-trivial factor of f (x) with probability 1/2.
If a non-trivial split is obtained, recursively compute theEDF of h(x) and f (x)/h(x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 242: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/242.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (EDF)
Let f (x) ∈ Fq [x ] be a square-free polynomial of degree d witheach irreducible factor of degree δ.
Case 1: q is odd.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ − x | g(x)qδ − g(x), so f (x) | g(x)qδ − g(x).
g(x)qδ − g(x) = g(x)(g(x)(qδ−1)/2 − 1)(g(x)(q
δ−1)/2 + 1).
Compute h(x) = gcd(f (x), g(x)(qδ−1)/2 − 1).
h(x) is a non-trivial factor of f (x) with probability 1/2.
If a non-trivial split is obtained, recursively compute theEDF of h(x) and f (x)/h(x).
Otherwise, choose a different g(x) and repeat the abovesteps.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 243: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/243.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (contd.)
Case 2: q = 2n.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 244: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/244.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (contd.)
Case 2: q = 2n.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 245: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/245.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (contd.)
Case 2: q = 2n.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ
+ x | g(x)qδ
+ g(x), so f (x) | g(x)qδ
+ g(x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 246: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/246.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (contd.)
Case 2: q = 2n.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ
+ x | g(x)qδ
+ g(x), so f (x) | g(x)qδ
+ g(x).
g(x)qδ
+ g(x) = g1(x)(g1(x) + 1), where
g1(x) = g(x)2nδ−1+ g(x)2nδ−2
+ · · · + g(x)2 + g(x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 247: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/247.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (contd.)
Case 2: q = 2n.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ
+ x | g(x)qδ
+ g(x), so f (x) | g(x)qδ
+ g(x).
g(x)qδ
+ g(x) = g1(x)(g1(x) + 1), where
g1(x) = g(x)2nδ−1+ g(x)2nδ−2
+ · · · + g(x)2 + g(x).
Compute h(x) = gcd(f (x), g1(x)).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 248: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/248.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (contd.)
Case 2: q = 2n.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ
+ x | g(x)qδ
+ g(x), so f (x) | g(x)qδ
+ g(x).
g(x)qδ
+ g(x) = g1(x)(g1(x) + 1), where
g1(x) = g(x)2nδ−1+ g(x)2nδ−2
+ · · · + g(x)2 + g(x).
Compute h(x) = gcd(f (x), g1(x)).
h(x) is a non-trivial factor of f (x) with probability 1/2.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 249: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/249.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (contd.)
Case 2: q = 2n.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ
+ x | g(x)qδ
+ g(x), so f (x) | g(x)qδ
+ g(x).
g(x)qδ
+ g(x) = g1(x)(g1(x) + 1), where
g1(x) = g(x)2nδ−1+ g(x)2nδ−2
+ · · · + g(x)2 + g(x).
Compute h(x) = gcd(f (x), g1(x)).
h(x) is a non-trivial factor of f (x) with probability 1/2.
If a non-trivial split is obtained, recursively compute theEDF of h(x) and f (x)/h(x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 250: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/250.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Equal-degree Factorization (contd.)
Case 2: q = 2n.
Take a random polynomial g(x) ∈ Fq[x ] of small degree.
xqδ
+ x | g(x)qδ
+ g(x), so f (x) | g(x)qδ
+ g(x).
g(x)qδ
+ g(x) = g1(x)(g1(x) + 1), where
g1(x) = g(x)2nδ−1+ g(x)2nδ−2
+ · · · + g(x)2 + g(x).
Compute h(x) = gcd(f (x), g1(x)).
h(x) is a non-trivial factor of f (x) with probability 1/2.
If a non-trivial split is obtained, recursively compute theEDF of h(x) and f (x)/h(x).
Otherwise, choose a different g(x) and repeat the abovesteps.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 251: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/251.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Finding Roots of Polynomials Over Finite Fields
Let f (x) ∈ Fq [x ] be a non-constant polynomial.Goal: To compute all the roots of f (x) in Fq.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 252: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/252.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Finding Roots of Polynomials Over Finite Fields
Let f (x) ∈ Fq [x ] be a non-constant polynomial.Goal: To compute all the roots of f (x) in Fq.
Use a special case of the polynomial factoring algorithm.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 253: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/253.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Finding Roots of Polynomials Over Finite Fields
Let f (x) ∈ Fq [x ] be a non-constant polynomial.Goal: To compute all the roots of f (x) in Fq.
Use a special case of the polynomial factoring algorithm.
Compute f1(x) = gcd(f (x), xq − x), where xq − x iscomputed modulo f (x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 254: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/254.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Finding Roots of Polynomials Over Finite Fields
Let f (x) ∈ Fq [x ] be a non-constant polynomial.Goal: To compute all the roots of f (x) in Fq.
Use a special case of the polynomial factoring algorithm.
Compute f1(x) = gcd(f (x), xq − x), where xq − x iscomputed modulo f (x).
f1(x) is the product of all (pairwise distinct) linear factors off (x), that is, f1(x) has exactly the same roots as f (x).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 255: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/255.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Finding Roots of Polynomials Over Finite Fields
Let f (x) ∈ Fq [x ] be a non-constant polynomial.Goal: To compute all the roots of f (x) in Fq.
Use a special case of the polynomial factoring algorithm.
Compute f1(x) = gcd(f (x), xq − x), where xq − x iscomputed modulo f (x).
f1(x) is the product of all (pairwise distinct) linear factors off (x), that is, f1(x) has exactly the same roots as f (x).
Call EDF on f1(x) with δ = 1.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 256: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/256.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Polynomial ArithmeticGood Finite Fields for CryptographyPolynomial Factoring and Root Finding
Finding Roots of Polynomials Over Finite Fields
Let f (x) ∈ Fq [x ] be a non-constant polynomial.Goal: To compute all the roots of f (x) in Fq.
Use a special case of the polynomial factoring algorithm.
Compute f1(x) = gcd(f (x), xq − x), where xq − x iscomputed modulo f (x).
f1(x) is the product of all (pairwise distinct) linear factors off (x), that is, f1(x) has exactly the same roots as f (x).
Call EDF on f1(x) with δ = 1.
In the EDF, one typically chooses g(x) = x + b for randomb ∈ Fq.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 257: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/257.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Arithmetic of Elliptic Curves
Let E be an elliptic curve defined over Fq.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 258: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/258.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Arithmetic of Elliptic Curves
Let E be an elliptic curve defined over Fq.
Each finite point in E(Fq) is represented by a pair of fieldelements and takes O(log q) space.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 259: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/259.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Arithmetic of Elliptic Curves
Let E be an elliptic curve defined over Fq.
Each finite point in E(Fq) is represented by a pair of fieldelements and takes O(log q) space.
Point addition and doubling require a few operations in thefield Fq.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 260: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/260.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Arithmetic of Elliptic Curves
Let E be an elliptic curve defined over Fq.
Each finite point in E(Fq) is represented by a pair of fieldelements and takes O(log q) space.
Point addition and doubling require a few operations in thefield Fq.
Computation of mP for m ∈ N and P ∈ E(Fq) is theadditive analog of modular exponentiation and can beperformed by a repeated double-and-add algorithm.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 261: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/261.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Arithmetic of Elliptic Curves
Let E be an elliptic curve defined over Fq.
Each finite point in E(Fq) is represented by a pair of fieldelements and takes O(log q) space.
Point addition and doubling require a few operations in thefield Fq.
Computation of mP for m ∈ N and P ∈ E(Fq) is theadditive analog of modular exponentiation and can beperformed by a repeated double-and-add algorithm.
A random finite point (h, k) ∈ E(Fq) can be computed byfirst choosing h and then solving a quadratic equation in k .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 262: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/262.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Point Counting
For selecting cryptographically good elliptic curves E over Fq,we need to count the size of E(Fq).
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 263: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/263.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Point Counting
For selecting cryptographically good elliptic curves E over Fq,we need to count the size of E(Fq).
The SEA (Schoof-Elkies-Atkins) algorithm is used.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 264: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/264.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Point Counting
For selecting cryptographically good elliptic curves E over Fq,we need to count the size of E(Fq).
The SEA (Schoof-Elkies-Atkins) algorithm is used.
The algorithm is reasonably efficient for prime fields.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 265: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/265.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Point Counting
For selecting cryptographically good elliptic curves E over Fq,we need to count the size of E(Fq).
The SEA (Schoof-Elkies-Atkins) algorithm is used.
The algorithm is reasonably efficient for prime fields.
|E(Fq)| = q + 1 − t with −2√
q 6 t 6 2√
q.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 266: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/266.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Point Counting
For selecting cryptographically good elliptic curves E over Fq,we need to count the size of E(Fq).
The SEA (Schoof-Elkies-Atkins) algorithm is used.
The algorithm is reasonably efficient for prime fields.
|E(Fq)| = q + 1 − t with −2√
q 6 t 6 2√
q.
Choose small primes p1, p2, . . . , pr with p1p2 · · · pr > 4√
q.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 267: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/267.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Point Counting
For selecting cryptographically good elliptic curves E over Fq,we need to count the size of E(Fq).
The SEA (Schoof-Elkies-Atkins) algorithm is used.
The algorithm is reasonably efficient for prime fields.
|E(Fq)| = q + 1 − t with −2√
q 6 t 6 2√
q.
Choose small primes p1, p2, . . . , pr with p1p2 · · · pr > 4√
q.
Determine t modulo each pi .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 268: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/268.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Point Counting
For selecting cryptographically good elliptic curves E over Fq,we need to count the size of E(Fq).
The SEA (Schoof-Elkies-Atkins) algorithm is used.
The algorithm is reasonably efficient for prime fields.
|E(Fq)| = q + 1 − t with −2√
q 6 t 6 2√
q.
Choose small primes p1, p2, . . . , pr with p1p2 · · · pr > 4√
q.
Determine t modulo each pi .
Combine these values by CRT.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 269: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/269.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Point Counting
For selecting cryptographically good elliptic curves E over Fq,we need to count the size of E(Fq).
The SEA (Schoof-Elkies-Atkins) algorithm is used.
The algorithm is reasonably efficient for prime fields.
|E(Fq)| = q + 1 − t with −2√
q 6 t 6 2√
q.
Choose small primes p1, p2, . . . , pr with p1p2 · · · pr > 4√
q.
Determine t modulo each pi .
Combine these values by CRT.
This gives a unique value of t in the range−2
√q 6 t 6 2
√q.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 270: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/270.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Good Elliptic Curves for Cryptography
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 271: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/271.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Good Elliptic Curves for Cryptography
First, choose a ground field Fq. Security requirementsdemand |q| in the range 160–300 bits.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 272: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/272.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Good Elliptic Curves for Cryptography
First, choose a ground field Fq. Security requirementsdemand |q| in the range 160–300 bits.
Randomly select an elliptic curve E over Fq.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 273: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/273.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Good Elliptic Curves for Cryptography
First, choose a ground field Fq. Security requirementsdemand |q| in the range 160–300 bits.
Randomly select an elliptic curve E over Fq.
Determine |E(Fq)|.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 274: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/274.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Good Elliptic Curves for Cryptography
First, choose a ground field Fq. Security requirementsdemand |q| in the range 160–300 bits.
Randomly select an elliptic curve E over Fq.
Determine |E(Fq)|.If E is anomalous or supersingular, choose another E andrepeat.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 275: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/275.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Good Elliptic Curves for Cryptography
First, choose a ground field Fq. Security requirementsdemand |q| in the range 160–300 bits.
Randomly select an elliptic curve E over Fq.
Determine |E(Fq)|.If E is anomalous or supersingular, choose another E andrepeat.
Factor |E(Fq)|, and check whether E has a point of primeorder r > 2160.
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 276: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/276.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Good Elliptic Curves for Cryptography
First, choose a ground field Fq. Security requirementsdemand |q| in the range 160–300 bits.
Randomly select an elliptic curve E over Fq.
Determine |E(Fq)|.If E is anomalous or supersingular, choose another E andrepeat.
Factor |E(Fq)|, and check whether E has a point of primeorder r > 2160.
If so, return E .
Public-key Cryptography: Theory and Practice Abhijit Das
![Page 277: Public-key Cryptography Theory and Practice · 2010-11-22 · Integer Arithmetic Arithmetic in Finite Fields Arithmetic of Elliptic Curves GCD Modular Exponentiation Primality Testing](https://reader033.vdocuments.site/reader033/viewer/2022050409/5f8697605ac95c54fa7bd4b4/html5/thumbnails/277.jpg)
Integer ArithmeticArithmetic in Finite Fields
Arithmetic of Elliptic Curves
Point CountingGood Elliptic Curves for Cryptography
Good Elliptic Curves for Cryptography
First, choose a ground field Fq. Security requirementsdemand |q| in the range 160–300 bits.
Randomly select an elliptic curve E over Fq.
Determine |E(Fq)|.If E is anomalous or supersingular, choose another E andrepeat.
Factor |E(Fq)|, and check whether E has a point of primeorder r > 2160.
If so, return E .
Otherwise, choose another E and repeat.
Public-key Cryptography: Theory and Practice Abhijit Das