Gerhard Frey holds a chair for number theory at the Institute for Experimental Mathematics at the University of Duisburg-Essen, Germany. His research interests are number theory and arithmetic geometry as well as applications in coding theory and cryptography.

List of Algorithms

Preface

On the other hand, for elliptic curves, no subexponential algorithm is known for the DLP, and this is also the case for Jacobians of small-kind curves. In other words, the only attacks that the DLP is known to work on all elliptic curves are generic (see Chapter 19).

Aim of the book

In the case where G= (Z/nZ)∗ it can be shown that subexponential methods used for factorization can be adapted to give subexponential methods for DLP inG, so that the security of such methods is analogous to the security of RSA, and in a special needs very large keys. This is bad from an algorithmic point of view, but it is certainly very good news for cryptography, as it means that it can use much smaller keys than in cryptosystems like RSA for which subexponential attacks exist.

Mathematical background

The reader may be primarily interested in the mathematical parts, and how some fairly abstract mathematical concepts are transformed into very practical algorithms. On the other hand, the reader may be primarily interested in having the algorithms implemented as quickly as possible.

Algorithms and their implementation

In Part IV of the book, it is more difficult to separate background from implementation. In Chapter 21 it is implemented in the most efficient way known today for hyperelliptic curves.

Applications

Realization of Discrete Logarithm systems

Acknowledgments

Introduction to Public-Key Cryptography

• Cryptography
• Complexity
• Public-key cryptography
• Factorization and primality
• Primality
• Complexity of factoring
• Discrete logarithm systems
• Generic discrete logarithm systems
• Discrete logarithm systems with bilinear structure
• Protocols
• Diffie–Hellman key exchange
• Asymmetric Diffie–Hellman and ElGamal encryption
• Signature scheme of ElGamal-type
• Tripartite key exchange
• Other problems

Example 1.2 The problem of finding the square root of 16 is a computational problem, while the question of whether 4 is a square root of 16 is a decision problem. If the resource considered is the execution time (respectively the memory consumption) of the algorithm, then f measures the time complexity (respectively space complexity).

Mathematical Background

Algebraic Background

Elementary algebraic structures

• Groups
• Rings
• Fields
• Vector spaces

Creates a commutative group with respect to +. is associative and has a unit element1, which is different from 0, the unit e+. i) The ring is said to be commutative, if the law×is commutative. ii) A commutative ringR such that for allx, y∈R, equalityaxy= 0 implies thatx= 0 ory= 0 is called an integral domain. Domain idealIisprincipalI = aRandRis principal domain ideal ideal (PID) if it is an integral domain and if every ideal of the principal Ris.

Introduction to number theory

• Extension of fields
• Algebraic closure
• Galois theory
• Number fields

If it is not an algebraic extension over K(x), then setting x1=xwe can find x2, a transcendental element of L/K(x1) which is not in K(x1), and similarly construct an inclusion of K(X1 , X2) in L. An algebraic number is called an integral superZor, an algebraic integer is a zero of a monic polynomial with coefficients in Z. The set of all algebraic integers of Against the addition and multiplication of Kis a ring, called the ring of the integer of Cand is marked with OK. i) If K =Q(θ) is of degree, then the ring OK is aZ-module with an integral basis, which is a set of integral elements{α1,.

Finite fields

• First properties
• Algebraic extensions of a finite field
• Finite field representations
• a Polynomial representation
• b Normal basis representation
• c Dual basis representation
• Finite field characters
• a The Legendre symbol
• b The Legendre–Kronecker–Jacobi symbol

This result can be proved using the uniqueness of the splitting field Xpd−X in the algebraic closure Z/pZ. With these settings, the reciprocity law (2.6) can be extended to any odd integer spandq and leads to an efficient method for computing the Legendre symbol, cf. The Legendre symbol can be extended to the Kronecker–Jacobi symbol if m(X) is not irreducible.

Background on p -adic Numbers

Zaij ∈I, let pij :Z/piZ→Z/pjZ be natural projections given by the reduction modulomopj, then (Z/piZ,{pij}j∈I) is a directed family. Proposition 3.6 An elementz ∈ Zp is invertible if and only if z is not in the core of p1.

Complete discrete valuation rings and fields

• First properties
• Lifting a solution of a polynomial equation

From now on, we restrict ourselves to completing the discrete valuation ring of characteristic0 with a bounded residual field. By Theorem 3.15, any such ring can be viewed as the valuation ring of an algebraic extension of Qp. By repeating this lemma, we obtain an algorithm to calculate a factor of a polynomial given R by a factor moduloM.

• Unramified extensions
• Totally ramified extensions
• Multiplicative system of representatives
• Witt vectors

Proposition 3.26 There exists a unique system of representatives ω that commutes to the pth power, i.e. for all x∈ K, ω(xp) = ω(x)p. The representative system defined in this way is exactly a unique system that commutes with the p-th power. Let π be a uniform element of R and let ω be a multiplicative system of KinR representatives commuting to the pth power.

Background on Curves and Jacobians

Algebraic varieties

• Affine and projective varieties
• a Projective space
• b Affine space
• c Varieties and dimension
• d Relations between affine and projective space

So a subset S⊂Pn(K) is closed with respect to the Zariski topology associated with the projective space overKif it is the set of simultaneous zeros of homogeneous polynomials lying inK[X0,. Example 4.3 The point set of the projective spacePn and the empty set ∅ are closed sets, since they are the roots of the constant polynomials 0 and 1. Example 4.13 Let V be an affine variety, i.e. a closed set in some An, where the defining idealI is prime inK[x].

Function fields

• Morphisms of affine varieties
• Rational maps of affine varieties
• Regular functions
• Generalization to projective varieties

We want to define maps between affine varieties that are continuous with respect to Zariski topologies. In fact, we can construct a set of morphisms in an aK-algebra in the usual way by adding and multiplying values. Again, we easily check whether the morphisms are continuous with respect to the Zariski topology and map varieties to varieties.

Abelian varieties

• Algebraic groups
• Birational group laws
• Homomorphisms of abelian varieties
• Isomorphisms and isogenies
• Points of finite order and Tate modules
• Background on -adic representations
• Complex multiplication

We can use a classification theorem which yields that G is an extension of an abelian variety with an affine (i.e. the underlying variety is affine) algebraic group. Due to the following results, we can think of abelian varieties behaving like abelian groups. i) The image Im(ϕ)ofϕis a subvariant of B, which becomes an abelian variety by restricting the addition law of B, i.e. it is an abelian subvariant of B. ii) The kernelker(ϕ)ofϕis by definition the inverse image of 0B . We assume that A, Bare abelian varieties over K. i) The mapϕ∈HomK(A,B) is anisogenic if and only if Im(ϕ) = Bandker(ϕ) is finite. ii) The morphism ϕ is anisomorphism if and only if there is a ψ ∈ HomK(B,A) with ϕ◦ψ= IdBandψ◦ϕ= IdA. iii).

Arithmetic of curves

• Local rings and smoothness
• a Elliptic curves
• b Hyperelliptic curves
• c Differentials
• Divisor class group
• The Jacobian variety of curves
• Jacobian variety of elliptic curves and group law
• a Division polynomials
• Ideal class group
• a Relation between divisor and ideal class groups
• Class groups of hyperelliptic curves

It is equal to the order of GK Pi of one of the corresponding points on C. Define φ: JC(K)→Cl(O) according to the following rule: take in the divisor class c a representative D of the form D = D − g P ∞,Deffective. Due to the considerations of the previous section, these curves satisfy that the ideal class group and the divisor class group are isomorphic.

Mumford representation)

In fact, Artin generalized the theory of ideal classes of imaginary quadratic number fields, due to Gauß, to hyperelliptic function fields that connect ideal classes of Omet reduced quadratic forms of discriminantf(x) and the addition⊕ to the composition of such forms. We are now in a position to use the results obtained in the previous section and describe the divisor class group of Using the ideal class group of the affine part. This ideal lies in the class of the product of the ideal classes but is usually not yet reduced.

Varieties over Special Fields

Varieties over the field of complex numbers

• Analytic varieties

In particular, it follows that the set of zeros and poles of the meromorphic functions onU does not have a limit point in U. There exists an algebraic projective variety V ⊂ Pn such that the induced analytic variety is equal toVan, and the field of meromorphic functions in degree Vanha's transcendence, so it is equal to K(V). Then Cg/Λ is compact and locally isomorphic (as a topological space) to the unit ball on Cg.

Abel–Jacobi)

• Complex tori and abelian varieties
• a The complex theory of elliptic curves
• b Elliptic curves with complex multiplication The ring
• a Periods and invariants
• Varieties over finite fields
• The Frobenius morphism
• The characteristic polynomial of the Frobenius endomorphism
• The theorem of Hasse–Weil for Jacobians
• Tate’s isogeny theorem

The invariants must therefore be algebraic expressions in the coefficients of the equation defining C. If so, we want to find the equation of the corresponding curve given in the form. The setKΦ is a set of representatives of the isomorphism classes of primarily polarized abelian varieties of CM type (K,Φ).

Background on Pairings

• General duality results
• The Tate pairing
• Pairings over local fields
• The local Tate pairing
• The Lichtenbaum pairing on Jacobian varieties
• An explicit pairing
• The Tate–Lichtenbaum pairing
• Size of the embedding degree

We will begin by providing the general background to the construction of the Tate pairing. The value of the Tate pairing is then inH2(G(Kn/K), Kn∗)[n], and elementary calculations with cohomology groups give that this group is isomorphic (canonically by the choice ofτ) toF∗qk/. The corresponding discrete logarithm inE(Fq)[] can be reduced to the discrete logarithm inF∗qk[] using Tate–.

Background on Weil Descent

• Affine Weil descent
• The projective Weil descent
• Descent by Galois theory
• Zariski closed subsets inside of the Weil descent
• Hyperplane sections
• Trace zero varieties
• Covers of curves
• The GHS approach

Using the functorality property of the Weil descent (or by direct computation in the appropriate coordinates, as in the examples), we conclude that we can glue the affine varieties Wi together in the projective space (which is the Weil descent PnL). The advantage of this approach is the explicit definition of the Weil descent with Eqs. It is the intersection of the Weil restriction V with the affine hyperplanes defined by yi,j= 0; (i, j)∈J.

Cohomological Background on Point Counting

General principle

• Zeta function and the Weil conjectures
• Cohomology and Lefschetz fixed point formula

Weil's dream was to imitate this situation for varieties in finite fields, i.e., to construct a good theory of cohomology (necessarily over a zero characteristic field) such that the number of fixed points of the Frobenius morphism is given by a Lefschetz fixed point formula. The rationality of the zeta function of any algebraic variety was established in 1960 by Dwork [DWO1960] using p-adic methods. Grothendieck introduced -adic cohomology groups Hi(X,Q) (see [SGA 4]), which he used to prove rationality and the functional equation of the zeta function.

Overview of -adic methods

However, for elliptic curves, the above algorithm can be significantly improved by restricting to the subgroup JC[ ], which is the degree isogeny kernel.

Overview of pppppppp -adic methods

• Serre–Tate canonical lift
• Monsky–Washnitzer cohomology

Thus, the point counting algorithms based on the canonical lift proceed in two phases: in the first phase, a sufficiently accurate approximation of the canonical lift of JC (or its invariants) is calculated, and in the second phase, the action of the lifted Frobenius endomorphism Fis computed on D0(Ac,Qq). In this section we will specialize in the Monsky-Washnitzer cohomology formalism, as described in the seminal papers of Monsky and Washnitzer [MOWA1968, MON1968, MON1971], to smooth out curves in the affine plane. Further details can be found in the lectures of Monsky [MON1970] and in the overview of van der Put [PUT1986].

Elementary Arithmetic

Exponentiation

• Generic methods
• Binary methods
• Sliding window method
• Signed-digit recoding
• Multi-exponentiation
• Fixed exponent
• Introduction to addition chains
• Short addition chains search
• Exponentiation using addition chains
• Fixed base point
• Yao’s method
• i) The term

OUTPUT: The signed-binary representation of nin nonadjacent form(n−1. . n0)NAF. i) Algorithm 9.14 subtracts n from 3n with the rule0−1 = 1 and discards the least significant digit of the result. Instead of calculating xn00enxn11 separately and then multiplying these terms, it is proposed in [ELG1985] to adapt Algorithm 9.1 in the following way to get xn00xn11 in one round. A careful search reveals a chain of length 10 as can be seen in the following table, which shows the execution of Algorithm 9.43 while computing x450 x361 x72 with it.