Selecting Class Polynomials for the Generation of Elliptic Curves
Elisavet Konstantinou
joint work with Aristides Kontogeorgis
Department of Information and Communication Systems Engineering
University of the Aegean
Why Elliptic Curves?
More Efficient (smaller parameters)
Faster
Less Power and Computational Consumption
Cheaper Hardware (Less Silicon Area, Less Storage Memory)
Frequent Generation of ECs
Requests different EC parameters
(due to security requirements, vendor preferences/policy etc.)
Frequent change of parameters calls for strict timing response constraints
Generation of ECs
The goal is to determine the following parameters of an EC
$y^2 = x^3 + ax + b$
The order p of the finite field $F_p$.
The order m of the elliptic curve.
The coefficients a and b.
Generation of secure ECs
Cryptographic Strength suitable order m
Suitable order m = nq, where q is a prime > $2^{160}$
$m \neq p$, $p^k \not\equiv 1 \pmod{m}$ for all $1 \le k \le 20$
The above conditions guarantee resistance to all known attacks
Sometimes, a prime m may be additionally required
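The conditions on the order m listed above can be checked mechanically. The following is an added example, not code from the slides: it tests m = nq with a prime q > 2^160, m ≠ p, and p^k ≢ 1 (mod m) for 1 ≤ k ≤ 20. The function names, the 2^16 bound on the factors of the cofactor n, and the use of the standardized curve secp256k1 as sample input are assumptions of the example.

```python
# Added example (not from the slides): check the three conditions on an EC order m.
SECP256K1_P = 2**256 - 2**32 - 977      # field prime of the standardized curve secp256k1
SECP256K1_M = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # its order

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; a true prime is never rejected."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def order_failures(p, m, q_bits=160, max_k=20, cofactor_bound=1 << 16):
    """Return the violated conditions for a curve of order m over F_p ([] = suitable)."""
    failed = []
    q = m                                   # m = n*q: divide out the small cofactor n
    for f in range(2, cofactor_bound):      # assumption: n has only factors < 2^16
        while q % f == 0 and q != f:
            q //= f
    if q <= 1 << q_bits or not is_probable_prime(q):
        failed.append("q")                  # no prime factor q > 2^160
    if m == p:
        failed.append("m=p")                # anomalous curve
    if any(pow(p, k, m) == 1 for k in range(1, max_k + 1)):
        failed.append("p^k=1")              # small embedding degree (k <= 20)
    return failed

if __name__ == "__main__":
    print(order_failures(SECP256K1_P, SECP256K1_M))        # suitable order
    print(order_failures(SECP256K1_P, SECP256K1_P))        # constructed: m = p
    print(order_failures(SECP256K1_P, SECP256K1_P + 1))    # constructed: p^2 = 1 mod m
```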
Generation of ECs
Point Counting methods: Rather slow
$\frac{\log p}{c_p}$ ECs (with $0.44 \le c_p \le 0.62$) have to be tried before a prime order EC is found in $F_p$
Complex Multiplication (CM) method: Rather involved implementation, but more efficient
first the order is selected and then the EC is constructed
Complex Multiplication method
Input: a prime p
Determine D s.t. $4p = x^2 + Dy^2$ for x, y integers
EC order $m = p + 1 \pm x$
Is the order m suitable? (NO / YES)
Class polynomial / Hilbert polynomial
Transform the roots
Construct the EC
Class field polynomials
Class field polynomials: polynomials with integer coefficients whose roots (class invariants) generate the Hilbert class field of the imaginary quadratic field $K = \mathbb{Q}(\sqrt{-D})$.
Drawback of Hilbert polynomials: large coefficients; time-consuming construction; difficult to implement in devices of limited resources.
Other class field polynomials: much smaller coefficients.
Class field polynomials
Alternative class field polynomials:
1) Weber polynomials
2) $M_{D,l}(x)$ polynomials
3) $M_{D,p_1,p_2}(x)$ polynomials or Double eta polynomials
4) Ramanujan polynomials $T_D(x)$
All are associated with a modular polynomial Φ(x, j) that transforms a root x of these polynomials to a root j of the Hilbert polynomial.
An example (D = 292)
$W_{292}(x) = x^4 - 5x^3 - 10x^2 - 5x + 1$
$H_{292}(x) = x^4 - 2062877098042830460800x^3 - 93693622511929038759497066112000000x^2 + 45521551386379385369629968384000000000x - 380259461042512404779990642688000000000000$
Congruences for D
Weber polynomials: D ≢ 0 mod 3 or D ≡ 0 mod 3; in each case d mod 8 = 1, 2 or 6, 3, 5, 7, where d = D/4 if D ≡ 0 mod 4 and d = D if D ≡ 3 mod 4
$M_{D,l}$ polynomials: D ≡ 0 mod l
Ramanujan polynomials: D ≡ 11 mod 24
Double eta polynomials: $\left(\frac{D}{p_1}\right) \neq -1$, $\left(\frac{D}{p_2}\right) \neq -1$
Hilbert polynomials
$H_D(x) = \prod_{\tau} (x - j(\tau))$
$\tau = \frac{-b + \sqrt{-D}}{2a}$ satisfies the equation $ax^2 + bx + c = 0$
D → [a, b, c] (primitive, reduced quadratic forms) → h
THEOREM:
A Hilbert polynomial with degree h has exactly h roots modulo p if and only if the equation $4p = x^2 + Dy^2$ has integer solutions.
Weber polynomials
$W_D(x) = \prod_{l} (x - g(\tau_l))$
g is defined by the Weber functions $f$, $f_1$ and $f_2$
$\tau_l = \frac{-b + \sqrt{-D}}{a}$ satisfies the equation $ax^2 + 2bx + c = 0$
D → [a, b, c] (quadratic forms) → h or 3h
The degree of Weber polynomials is 3 times larger than the degree of the corresponding Hilbert polynomials when D ≡ 3 mod 8.
$M_{D,l}(x)$ polynomials
$M_{D,l}(x) = \prod_{Q} (x - m_l^e(\tau_Q))$
where $l \in \{3, 5, 7, 13\}$ and e depends on l
$\tau_Q = \frac{-B + \sqrt{-D}}{2A}$ satisfies the equation $Ax^2 + Bx + C = 0$
D → [a, b, c] (primitive, reduced quadratic forms) → h → 2 transf. → [A, B, C] (divisible by l)
each root $R_M$ is transformed to a Hilbert root $R_H$ with a modular equation:
$\Phi_l(R_M, R_H) = 0$
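$M_{D,p_1,p_2}(x)$ polynomials
$M_{D,p_1,p_2}(x) = \prod_{Q} (x - m_{p_1,p_2}(\tau_Q))$
where $p_1, p_2$ are primes and $\left(\frac{D}{p_1}\right) \neq -1$, $\left(\frac{D}{p_2}\right) \neq -1$, $24 \mid (p_1 - 1)(p_2 - 1)$
$\tau_Q = \frac{-B + \sqrt{-D}}{2A}$ satisfies the equation $Ax^2 + Bx + C = 0$
D → [a, b, c] (primitive, reduced quadratic forms) → h → 2 transf. → [A, B, C]
each root $R_{Md}$ is transformed to a Hilbert root $R_H$ with a modular equation (which has large coefficients and degree at least 2 in $R_H$):
$\Phi_{p_1,p_2}(R_{Md}, R_H) = 0$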
Ramanujan polynomials $T_D(x)$
THEOREM:
The Ramanujan value $t_n$ is a class invariant for n ≡ 11 mod 24.
Its minimal polynomial is equal to:
$T_D(x) = \prod_{\tau} (x - t(\tau))$
$\tau = \frac{-b + \sqrt{-D}}{2a}$ satisfies the equation $ax^2 + bx + c = 0$ and the construction of the function $t(\tau)$ is based on modular functions of level 72.
Precision Requirements
Bit precision for the construction of polynomials EQUAL to logarithmic height of the polynomials
$g(x) = a_h x^h + a_{h-1} x^{h-1} + \dots + a_1 x + a_0$
$\max_{i=0,\dots,h} \log_2 |a_i|$
Bit precision for the Hilbert polynomials:
$\mathrm{Prec}_H(D) \approx \frac{\pi\sqrt{D}}{\ln 2} \sum_{[A,B,C]} \frac{1}{A} + 33$
Precision Requirements
“Efficiency” of a class invariant is measured by the asymptotic ratio of the logarithmic height of a root of the Hilbert polynomial to a root of the class invariant.
Asymptotically, one can estimate the ratio of the logarithmic height h(j(τ)) of the algebraic integer j(τ) to the logarithmic height h(f(τ)) of the algebraic integer f(τ). Namely,
Precision Requirements
Let $H(P_f)$ be the logarithmic height of the minimal polynomial of the algebraic integer f(τ) and $H(P_j)$ the logarithmic height of the corresponding Hilbert polynomial. Then,
$\frac{H(P_j)}{H(P_f)} = \frac{r(f)}{m}$, with $r(f) = \frac{\deg_f \Phi(f,j)}{\deg_j \Phi(f,j)}$
where m = 1 if f(τ) generates the Hilbert class field and m = extension degree when f(τ) generates an algebraic extension of the Hilbert class field.
Precision Requirements
We can derive the precision requirements for the construction of every class polynomial by the equation
$\frac{m}{r(f)} \cdot \frac{\pi\sqrt{D}}{\ln 2} \sum_{[A,B,C]} \frac{1}{A}$
In all cases m = 1, except when D ≡ 3 mod 8 for Weber polynomials.
Ramanujan polynomials
The modular equation for Ramanujan polynomials is:
$\Phi_T(R_T, R_H) = (R_T^{12} - 6R_T^{6} - 27)^3 - R_H R_T^{18} = 0$
Therefore, the value r(f) = 36. Also, since the degree of Ramanujan polynomials is equal to the degree of Hilbert polynomials, the value m = 1.
Theoretically, there is a limit for r(f) ≤ 96. The best known value is r(f) = 72 for Weber polynomials with D ≡ 7 mod 8.
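The precision estimates above can be reproduced directly from the reduced quadratic forms. The following is an added example, not code from the slides: it enumerates the primitive reduced forms [A, B, C] of discriminant −D, evaluates the estimate scaled by m / r(f), and compares the Hilbert case with the logarithmic height of $H_{292}(x)$ as printed on the D = 292 slide. The function names and the choice D = 35 (≡ 11 mod 24) for the Ramanujan case are assumptions of the example.

```python
import math

# Coefficient magnitudes of H_292(x) as printed on the slide (x^3 ... x^0).
H292 = [2062877098042830460800,
        93693622511929038759497066112000000,
        45521551386379385369629968384000000000,
        380259461042512404779990642688000000000000]

def reduced_forms(D):
    """Primitive reduced forms [A, B, C] of discriminant B^2 - 4AC = -D, D > 0."""
    forms = []
    for A in range(1, math.isqrt(D // 3) + 1):      # reduced forms have A <= sqrt(D/3)
        for B in range(-A + 1, A + 1):              # -A < B <= A
            if (B * B + D) % (4 * A):
                continue
            C = (B * B + D) // (4 * A)
            if C < A or (C == A and B < 0):         # need A <= C, and B >= 0 when A == C
                continue
            if math.gcd(math.gcd(A, B), C) == 1:    # primitive forms only
                forms.append((A, B, C))
    return forms

def height_estimate(D, r=1, m=1):
    """(m / r(f)) * pi*sqrt(D)/ln 2 * sum(1/A); r = m = 1 is the Hilbert case."""
    s = sum(1 / A for A, _, _ in reduced_forms(D))
    return m / r * math.pi * math.sqrt(D) / math.log(2) * s

def hilbert_precision(D):
    """Hilbert estimate including the additive constant 33."""
    return height_estimate(D) + 33

def log_height(coeffs):
    """Logarithmic height: max log2 |a_i| over the nonzero coefficients."""
    return max(math.log2(abs(a)) for a in coeffs if a)

if __name__ == "__main__":
    print(reduced_forms(292))                  # h = 4 forms, matching deg H_292 = 4
    print(height_estimate(292), log_height(H292))
    print(height_estimate(35, r=36))           # Ramanujan case, D = 35, m = 1
```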
Precision Estimates
Experiments
Construction of polynomials (bit prec.)
Experimental observations
The precision requirements for the construction of Ramanujan polynomials are on average 66%, 42%, 32% and 22% less than the precision requirements of $M_{D,13}(x)$, Weber, $M_{D,5,7}(x)$ and $M_{D,3,13}(x)$ respectively. The percentages are much larger when other $M_{D,l}(x)$ and $M_{D,p_1,p_2}(x)$ polynomials are used.
Ramanujan < $M_{D,3,13}$ < $M_{D,5,7}$ < Weber < $M_{D,13}$
The same ordering is true for the storage requirements of the polynomials with one exception: Weber polynomials.
Conclusions
Ramanujan polynomials clearly outweigh all previously used polynomials when D ≡ 3 mod 8 and they are by far the best choice in the generation of prime order ECs.
The congruence modulo 8 of the discriminant is crucial for the size of polynomials and this affects the efficiency of their construction.
Thank you for your attention!