Popular books on modern cryptography include those of Schneier [409], Menezes, van Oorschot and Vanstone [319], Stinson [454], and Ferguson and Schneier [136]. These books describe the basic symmetric-key and public-key mechanisms outlined in §1.1 including symmetric-key encryption schemes, MAC algorithms, public-key encryption schemes, and digital signature schemes. Practical considerations with deploying public-key cryptography on a large scale are discussed in the books of Ford and Baum [145], Adams and Lloyd [2], and Housley and Polk [200].
§1.2
The notion of public-key cryptography was introduced by Diffie and Hellman [121] and independently by Merkle [321]. A lucid account of its early history and development is given by Diffie [120]; for a popular narrative, see Levy's book [290]. Diffie and Hellman presented their key agreement algorithm using exponentiation in the multiplicative group of the integers modulo a prime, and described public-key encryption and digital signature schemes using generic trapdoor one-way functions. The first concrete realization of a public-key encryption scheme was the knapsack scheme of Merkle and Hellman [322]. This scheme, and its many variants that have been proposed, have been shown to be insecure.
The RSA public-key encryption and signature schemes are due to Rivest, Shamir and Adleman [391].
ElGamal [131] was the first to propose public-key encryption and signature schemes based on the hardness of the discrete logarithm problem. The Digital Signature Algorithm, specified in FIPS 186 [139], was invented by Kravitz [268]. Smith and Skinner [443], Gong and Harn [176], and Lenstra and Verheul [283] showed, respectively, how the elements of the subgroup of order $p+1$ of $\mathbb{F}_{p^2}^*$, the subgroup of order $p^2+p+1$ of $\mathbb{F}_{p^3}^*$, and the subgroup of order $p^2-p+1$ of $\mathbb{F}_{p^6}^*$, can be compactly represented. In their systems, more commonly known as LUC, GH, and XTR, respectively, subgroup elements have representations that are smaller than the representations of field elements by factors of 2, 1.5 and 3, respectively.
Koblitz [250] and Miller [325] in 1985 independently proposed using the group of points on an elliptic curve defined over a finite field to devise discrete logarithm cryptographic schemes. Two books devoted to the study of elliptic curve cryptography are those of Menezes [313] and Blake, Seroussi and Smart [49] published in 1993 and 1999, respectively. The books by Enge [132] and Washington [474] focus on the mathematics relevant to elliptic curve cryptography.
Other applications of elliptic curves include the integer factorization algorithm of Lenstra [285] which is notable for its ability to quickly find any small prime factors of an integer, the primality proving algorithm of Goldwasser and Kilian [173], and the pseudorandom bit generators proposed by Kaliski [233]. Koyama, Maurer, Okamoto and Vanstone [267] showed how elliptic curves defined over the integers modulo a composite integer $n$ could be used to design RSA-like cryptographic schemes where the order of the elliptic curve group is the trapdoor. The hardness of factoring $n$ is necessary for these schemes to be secure, and hence $n$ should be the same bitlength as the modulus used in RSA systems. The work of several people including Kurosawa, Okada and Tsujii [273], Pinch [374], Kaliski [236] and Bleichenbacher [52] has shown that these elliptic curve analogues offer no significant advantages over their RSA counterparts.
There have been many other proposals for using finite groups in discrete logarithm cryptographic schemes. These include the group of units of the integers modulo a composite integer by McCurley [310], the jacobian of a hyperelliptic curve over a finite field by Koblitz [251], the jacobian of a superelliptic curve over a finite field by Galbraith, Paulus and Smart [157], and the class group of an imaginary quadratic number field by Buchmann and Williams [80]. Buchmann and Williams [81] (see also Scheidler, Buchmann and Williams [405]) showed how a real quadratic number field which yields a structure that is 'almost' a group can be used to design discrete logarithm schemes. Analogous structures for real quadratic congruence function fields were studied by Scheidler, Stein and Williams [406], and Müller, Vanstone and Zuccherato [336].
§1.3
The number field sieve (NFS) for factoring integers was first proposed by Pollard [380], and is described in the book edited by Lenstra and Lenstra [280]. Cavallar et al. [87] report on their factorization using the NFS of a 512-bit RSA modulus.
Pollard's rho algorithm is due to Pollard [379]. The number field sieve (NFS) for computing discrete logarithms in prime fields was proposed by Gordon [178] and improved by Schirokauer [408]. Joux and Lercier [228] discuss further improvements that were used in their computation in 2001 of discrete logarithms in a 397-bit (120-decimal digit) prime field. The fastest algorithm for computing discrete logarithms in binary fields is due to Coppersmith [102]. The algorithm was implemented by Thomé [460] who succeeded in 2001 in computing logarithms in the 607-bit field $\mathbb{F}_{2^{607}}$.
The Certicom ECCp-109 challenge [88] was solved in 2002 by a team of contributors led by Chris Monico. The method used was the parallelized version of Pollard's rho algorithm as proposed by van Oorschot and Wiener [463]. The ECCp-109 challenge asked for the solution of an ECDLP instance in an elliptic curve defined over a 109-bit prime field. The effort took 549 days and had contributions from over 10,000 workstations on the Internet.
The equivalent key sizes for ECC and DSA parameters in Table 1.1 are from FIPS 186-2 [140] and NIST Special Publication 800-56 [342]. These comparisons are generally in agreement with those of Lenstra and Verheul [284] and Lenstra [279], who also consider cost-equivalent key sizes. Customized hardware designs for lowering the full cost of the matrix stage were proposed and analyzed by Bernstein [41], Wiener [481], and Lenstra, Shamir, Tomlinson and Tromer [282]. Customized hardware designs for lowering the full cost of sieving were proposed by Shamir [421] (see also Lenstra and Shamir [281]), Geiselmann and Steinwandt [169], and Shamir and Tromer [423]. Shamir and Tromer [423] estimate that the sieving stage for a 1024-bit RSA modulus can be completed in less than a year by a machine that would cost about US $10 million to build, and that the matrix stage is easier.
§1.4
Readers can stay abreast of the latest developments in elliptic curve cryptography and related areas by studying the proceedings of the annual cryptography conferences including ASIACRYPT, CRYPTO, EUROCRYPT, INDOCRYPT, the Workshop on Cryptographic Hardware and Embedded Systems (CHES), the International Workshop on Practice and Theory in Public Key Cryptography (PKC), and the biennial Algorithmic Number Theory Symposium (ANTS). The proceedings of all these conferences are published by Springer-Verlag in their Lecture Notes in Computer Science series, and are conveniently available online at http://link.springer.de/link/service/series/0558/. Another important repository for the latest research articles in cryptography is the Cryptology ePrint Archive website at http://eprint.iacr.org/.
CHAPTER 2
Finite Field Arithmetic
The efficient implementation of finite field arithmetic is an important prerequisite in elliptic curve systems because curve operations are performed using arithmetic operations in the underlying field. §2.1 provides an informal introduction to the theory of finite fields. Three kinds of fields that are especially amenable for the efficient implementation of elliptic curve systems are prime fields, binary fields, and optimal extension fields. Efficient algorithms for software implementation of addition, subtraction, multiplication and inversion in these fields are discussed at length in §2.2, §2.3, and §2.4, respectively. Hardware implementation is considered in §5.2 and chapter notes and references are provided in §2.5.
2.1 Introduction to finite fields
Fields are abstractions of familiar number systems (such as the rational numbers $\mathbb{Q}$, the real numbers $\mathbb{R}$, and the complex numbers $\mathbb{C}$) and their essential properties. They consist of a set $F$ together with two operations, addition (denoted by $+$) and multiplication (denoted by $\cdot$), that satisfy the usual arithmetic properties:
(i) $(F,+)$ is an abelian group with (additive) identity denoted by 0.
(ii) $(F \setminus \{0\},\cdot)$ is an abelian group with (multiplicative) identity denoted by 1.
(iii) The distributive law holds: $(a+b)\cdot c = a\cdot c + b\cdot c$ for all $a,b,c \in F$.
If the set $F$ is finite, then the field is said to be finite.
This section presents basic facts about finite fields. Other properties will be presented throughout the book as needed.
Field operations
A field $F$ is equipped with two operations, addition and multiplication. Subtraction of field elements is defined in terms of addition: for $a,b \in F$, $a-b = a+(-b)$ where $-b$ is the unique element in $F$ such that $b+(-b)=0$ ($-b$ is called the negative of $b$). Similarly, division of field elements is defined in terms of multiplication: for $a,b \in F$ with $b \neq 0$, $a/b = a \cdot b^{-1}$ where $b^{-1}$ is the unique element in $F$ such that $b \cdot b^{-1} = 1$. ($b^{-1}$ is called the inverse of $b$.)
Existence and uniqueness
The order of a finite field is the number of elements in the field. There exists a finite field $F$ of order $q$ if and only if $q$ is a prime power, i.e., $q = p^m$ where $p$ is a prime number called the characteristic of $F$, and $m$ is a positive integer. If $m=1$, then $F$ is called a prime field. If $m \geq 2$, then $F$ is called an extension field. For any prime power $q$, there is essentially only one finite field of order $q$; informally, this means that any two finite fields of order $q$ are structurally the same except that the labeling used to represent the field elements may be different (cf. Example 2.3). We say that any two finite fields of order $q$ are isomorphic and denote such a field by $\mathbb{F}_q$.
Prime fields
Let $p$ be a prime number. The integers modulo $p$, consisting of the integers $\{0,1,2,\ldots,p-1\}$ with addition and multiplication performed modulo $p$, is a finite field of order $p$. We shall denote this field by $\mathbb{F}_p$ and call $p$ the modulus of $\mathbb{F}_p$. For any integer $a$, $a \bmod p$ shall denote the unique integer remainder $r$, $0 \leq r \leq p-1$, obtained upon dividing $a$ by $p$; this operation is called reduction modulo $p$.
Example 2.1 (prime field $\mathbb{F}_{29}$) The elements of $\mathbb{F}_{29}$ are $\{0,1,2,\ldots,28\}$. The following are some examples of arithmetic operations in $\mathbb{F}_{29}$.
(i) Addition: $17+20=8$ since $37 \bmod 29 = 8$.
(ii) Subtraction: $17-20=26$ since $-3 \bmod 29 = 26$.
(iii) Multiplication: $17 \cdot 20 = 21$ since $340 \bmod 29 = 21$.
(iv) Inversion: $17^{-1} = 12$ since $17 \cdot 12 \bmod 29 = 1$.
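As an added illustration (this is not code from the book), the four operations of Example 2.1 carried out over Python integers, with the inverse computed by the extended Euclidean algorithm rather than by trial. The function names fp_add, fp_sub, fp_mul, fp_inv and fp_div are this example's own:

```python
# Added example (not from the book): arithmetic in the prime field F_p
# using Python integers, with the inverse computed by the extended
# Euclidean algorithm. Checked against Example 2.1 (p = 29).

def fp_add(a, b, p):
    return (a + b) % p

def fp_sub(a, b, p):
    # Python's % returns a remainder in [0, p-1] even for negative values,
    # so -3 % 29 == 26 exactly as in Example 2.1 (ii)
    return (a - b) % p

def fp_mul(a, b, p):
    return (a * b) % p

def fp_inv(a, p):
    """Return a^{-1} mod p via the extended Euclidean algorithm.
    Raises ValueError for a = 0, which has no inverse in F_p."""
    a %= p
    if a == 0:
        raise ValueError("0 has no multiplicative inverse")
    # Invariant: old_r == old_s * a (mod p) and r == s * a (mod p)
    old_r, r = a, p
    old_s, s = 1, 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    # old_r is gcd(a, p) = 1 because p is prime, hence old_s * a == 1 (mod p)
    return old_s % p

def fp_div(a, b, p):
    # Division is defined as a * b^{-1}, exactly as in the text
    return fp_mul(a, fp_inv(b, p), p)

def example_2_1():
    """Reproduce the four results of Example 2.1 in F_29."""
    p = 29
    return {
        "add": fp_add(17, 20, p),
        "sub": fp_sub(17, 20, p),
        "mul": fp_mul(17, 20, p),
        "inv": fp_inv(17, p),
    }
```

Because inversion is the only operation that is not a single machine instruction plus a reduction, it is the one worth checking exhaustively: for every nonzero a in F_29 the product a · fp_inv(a) must reduce to 1.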
Binary fields
Finite fields of order $2^m$ are called binary fields or characteristic-two finite fields. One way to construct $\mathbb{F}_{2^m}$ is to use a polynomial basis representation. Here, the elements of $\mathbb{F}_{2^m}$ are the binary polynomials (polynomials whose coefficients are in the field $\mathbb{F}_2 = \{0,1\}$) of degree at most $m-1$:
$\mathbb{F}_{2^m} = \{a_{m-1}z^{m-1} + a_{m-2}z^{m-2} + \cdots + a_2z^2 + a_1z + a_0 : a_i \in \{0,1\}\}$.
An irreducible binary polynomial $f(z)$ of degree $m$ is chosen (such a polynomial exists for any $m$ and can be efficiently found; see §A.1). Irreducibility of $f(z)$ means that $f(z)$ cannot be factored as a product of binary polynomials each of degree less than $m$. Addition of field elements is the usual addition of polynomials, with coefficient arithmetic performed modulo 2. Multiplication of field elements is performed modulo the reduction polynomial $f(z)$. For any binary polynomial $a(z)$, $a(z) \bmod f(z)$ shall denote the unique remainder polynomial $r(z)$ of degree less than $m$ obtained upon long division of $a(z)$ by $f(z)$; this operation is called reduction modulo $f(z)$.
Example 2.2 (binary field $\mathbb{F}_{2^4}$) The elements of $\mathbb{F}_{2^4}$ are the 16 binary polynomials of degree at most 3:
$0$, $1$, $z$, $z+1$,
$z^2$, $z^2+1$, $z^2+z$, $z^2+z+1$,
$z^3$, $z^3+1$, $z^3+z$, $z^3+z+1$,
$z^3+z^2$, $z^3+z^2+1$, $z^3+z^2+z$, $z^3+z^2+z+1$.
The following are some examples of arithmetic operations in $\mathbb{F}_{2^4}$ with reduction polynomial $f(z) = z^4+z+1$.
(i) Addition: $(z^3+z^2+1)+(z^2+z+1) = z^3+z$.
(ii) Subtraction: $(z^3+z^2+1)-(z^2+z+1) = z^3+z$. (Note that since $-1=1$ in $\mathbb{F}_2$, we have $-a=a$ for all $a \in \mathbb{F}_{2^m}$.)
(iii) Multiplication: $(z^3+z^2+1)\cdot(z^2+z+1) = z^2+1$ since $(z^3+z^2+1)\cdot(z^2+z+1) = z^5+z+1$ and $(z^5+z+1) \bmod (z^4+z+1) = z^2+1$.
(iv) Inversion: $(z^3+z^2+1)^{-1} = z^2$ since $(z^3+z^2+1)\cdot z^2 \bmod (z^4+z+1) = 1$.
Example 2.3 (isomorphic fields) There are three irreducible binary polynomials of degree 4, namely $f_1(z)=z^4+z+1$, $f_2(z)=z^4+z^3+1$ and $f_3(z)=z^4+z^3+z^2+z+1$. Each of these reduction polynomials can be used to construct the field $\mathbb{F}_{2^4}$; let's call the resulting fields $K_1$, $K_2$ and $K_3$. The field elements of $K_1$, $K_2$ and $K_3$ are the same 16 binary polynomials of degree at most 3. Superficially, these fields appear to be different, e.g., $z^3 \cdot z = z+1$ in $K_1$, $z^3 \cdot z = z^3+1$ in $K_2$, and $z^3 \cdot z = z^3+z^2+z+1$ in $K_3$. However, all fields of a given order are isomorphic, that is, the differences are only in the labeling of the elements. An isomorphism between $K_1$ and $K_2$ may be constructed by finding $c \in K_2$ such that $f_1(c) \equiv 0 \pmod{f_2}$ and then extending $z \mapsto c$ to an isomorphism $\phi: K_1 \to K_2$; the choices for $c$ are $z^2+z$, $z^2+z+1$, $z^3+z^2$, and $z^3+z^2+1$.
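The following Python is added here and is not taken from the book. It carries out Example 2.2 with binary polynomials packed into integers (bit i holds the coefficient of z^i, so z^4+z+1 is 0b10011), using shift-and-add multiplication and an extended Euclidean inverse, and then reproduces Example 2.3 by testing every element c of K2 for f1(c) = c^4+c+1 = 0. All names (gf2m_add, gf2m_mul, gf2m_inv, poly_str, example_2_2, roots_of_f1_in_k2) are this example's own:

```python
# Added example (not from the book): arithmetic in F_{2^m} with elements
# stored as Python ints whose bit i is the coefficient of z^i, and the
# reduction polynomial f(z) stored the same way (bit m set).
# Checked against Example 2.2 (f = z^4+z+1) and Example 2.3.

def gf2m_add(a, b):
    # Coefficient-wise addition mod 2 is XOR; subtraction is the same map
    return a ^ b

def gf2m_mul(a, b, f):
    """Multiply a(z)*b(z) and reduce modulo f(z) (shift-and-add).
    Both a and b must already have degree < m."""
    m = f.bit_length() - 1          # degree of f
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> m & 1:               # degree reached m: subtract f(z)
            a ^= f
    return result

def gf2m_inv(a, f):
    """Inverse by the extended Euclidean algorithm on binary polynomials.
    Invariants: u == g1 * a (mod f) and v == g2 * a (mod f)."""
    if a == 0:
        raise ValueError("0 has no inverse")
    u, v = a, f
    g1, g2 = 1, 0
    while u != 1 and v != 1:
        # one long-division pass: reduce u by v until deg u < deg v
        while u.bit_length() >= v.bit_length():
            j = u.bit_length() - v.bit_length()
            u ^= v << j
            g1 ^= g2 << j
        u, v = v, u
        g1, g2 = g2, g1
    return g1 if u == 1 else g2

def poly_str(a):
    """Render an int-coded binary polynomial as in the text, e.g. z^3+z+1."""
    if a == 0:
        return "0"
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if a >> i & 1:
            terms.append("1" if i == 0 else "z" if i == 1 else f"z^{i}")
    return "+".join(terms)

def example_2_2():
    f = 0b10011               # z^4 + z + 1
    a = 0b1101                # z^3 + z^2 + 1
    b = 0b0111                # z^2 + z + 1
    return {
        "add": poly_str(gf2m_add(a, b)),
        "mul": poly_str(gf2m_mul(a, b, f)),
        "inv": poly_str(gf2m_inv(a, f)),
    }

def roots_of_f1_in_k2():
    """Example 2.3: the c in K2 = F_2[z]/(z^4+z^3+1) with f1(c) = c^4+c+1 = 0.
    Each such c extends z -> c to an isomorphism K1 -> K2."""
    f2 = 0b11001              # z^4 + z^3 + 1
    roots = []
    for c in range(16):
        c2 = gf2m_mul(c, c, f2)
        c4 = gf2m_mul(c2, c2, f2)
        if c4 ^ c ^ 1 == 0:   # evaluate f1 at c inside K2
            roots.append(poly_str(c))
    return roots
```

The four roots come out as a single Frobenius orbit (each is the square of the previous one in K2), which is why a degree-4 irreducible has exactly four choices of c.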
Extension fields
The polynomial basis representation for binary fields can be generalized to all extension fields as follows. Let $p$ be a prime and $m \geq 2$. Let $\mathbb{F}_p[z]$ denote the set of all polynomials in the variable $z$ with coefficients from $\mathbb{F}_p$. Let $f(z)$, the reduction polynomial, be an irreducible polynomial of degree $m$ in $\mathbb{F}_p[z]$; such a polynomial exists for any $p$ and $m$ and can be efficiently found (see §A.1). Irreducibility of $f(z)$ means that $f(z)$ cannot be factored as a product of polynomials in $\mathbb{F}_p[z]$ each of degree less than $m$. The elements of $\mathbb{F}_{p^m}$ are the polynomials in $\mathbb{F}_p[z]$ of degree at most $m-1$:
$\mathbb{F}_{p^m} = \{a_{m-1}z^{m-1} + a_{m-2}z^{m-2} + \cdots + a_2z^2 + a_1z + a_0 : a_i \in \mathbb{F}_p\}$.
Addition of field elements is the usual addition of polynomials, with coefficient arithmetic performed in $\mathbb{F}_p$. Multiplication of field elements is performed modulo the polynomial $f(z)$.
Example 2.4 (an extension field) Let $p=251$ and $m=5$. The polynomial $f(z) = z^5+z^4+12z^3+9z^2+7$ is irreducible in $\mathbb{F}_{251}[z]$ and thus can serve as reduction polynomial for the construction of $\mathbb{F}_{251^5}$, the finite field of order $251^5$. The elements of $\mathbb{F}_{251^5}$ are the polynomials in $\mathbb{F}_{251}[z]$ of degree at most 4.
The following are some examples of arithmetic operations in $\mathbb{F}_{251^5}$. Let $a = 123z^4+76z^2+7z+4$ and $b = 196z^4+12z^3+225z^2+76$.
(i) Addition: $a+b = 68z^4+12z^3+50z^2+7z+80$.
(ii) Subtraction: $a-b = 178z^4+239z^3+102z^2+7z+179$.
(iii) Multiplication: $a \cdot b = 117z^4+151z^3+117z^2+182z+217$.
(iv) Inversion: $a^{-1} = 109z^4+111z^3+250z^2+98z+85$.
Subfields of a finite field
A subset $k$ of a field $K$ is a subfield of $K$ if $k$ is itself a field with respect to the operations of $K$. In this instance, $K$ is said to be an extension field of $k$. The subfields of a finite field can be easily characterized. A finite field $\mathbb{F}_{p^m}$ has precisely one subfield of order $p^l$ for each positive divisor $l$ of $m$; the elements of this subfield are the elements $a \in \mathbb{F}_{p^m}$ satisfying $a^{p^l} = a$. Conversely, every subfield of $\mathbb{F}_{p^m}$ has order $p^l$ for some positive divisor $l$ of $m$.
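An added example (not the book's code) serving both Example 2.4 and the subfield characterization just stated. Elements of $\mathbb{F}_{p^m}$ are coefficient lists $[a_0, \ldots, a_{m-1}]$, multiplication is schoolbook followed by reduction with the monic $f(z)$, and inversion is done by raising to the power $p^m-2$ (a consequence of Lagrange's theorem on the group $\mathbb{F}_{p^m}^*$) rather than by an extended Euclidean algorithm; in_subfield applies the test $a^{p^l} = a$. All function and constant names here are this example's own:

```python
# Added example (not from the book): arithmetic in F_{p^m} = F_p[z]/(f(z))
# with elements as lists of coefficients [a_0, a_1, ..., a_{m-1}] and the
# monic reduction polynomial f as [f_0, ..., f_{m-1}, 1]. Checked against
# Example 2.4 (p = 251, m = 5) and used to apply the subfield test a^(p^l) = a.

def ext_add(a, b, p):
    return [(x + y) % p for x, y in zip(a, b)]

def ext_sub(a, b, p):
    return [(x - y) % p for x, y in zip(a, b)]

def ext_mul(a, b, p, f):
    """Schoolbook multiply, then reduce the degree-(2m-2) product modulo f."""
    m = len(f) - 1
    prod = [0] * (2 * m - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    # z^m = -(f_0 + f_1 z + ... + f_{m-1} z^{m-1}); eliminate z^k from the top down
    for k in range(2 * m - 2, m - 1, -1):
        c = prod[k]
        if c:
            prod[k] = 0
            for i in range(m):
                prod[k - m + i] = (prod[k - m + i] - c * f[i]) % p
    return prod[:m]

def ext_pow(a, e, p, f):
    """Square-and-multiply exponentiation in F_{p^m}."""
    m = len(f) - 1
    result = [1] + [0] * (m - 1)
    base = list(a)
    while e:
        if e & 1:
            result = ext_mul(result, base, p, f)
        base = ext_mul(base, base, p, f)
        e >>= 1
    return result

def ext_inv(a, p, f):
    """Inverse via exponentiation: F_{p^m}^* has order p^m - 1, so
    a^(p^m - 2) = a^{-1} for every nonzero a."""
    m = len(f) - 1
    if all(x == 0 for x in a):
        raise ValueError("0 has no inverse")
    return ext_pow(a, p ** m - 2, p, f)

# Parameters and operands of Example 2.4
P = 251
F = [7, 0, 9, 12, 1, 1]           # z^5 + z^4 + 12z^3 + 9z^2 + 7
A = [4, 7, 76, 0, 123]            # 123z^4 + 76z^2 + 7z + 4
B = [76, 0, 225, 12, 196]         # 196z^4 + 12z^3 + 225z^2 + 76

def example_2_4():
    return {
        "add": ext_add(A, B, P),
        "sub": ext_sub(A, B, P),
        "mul": ext_mul(A, B, P, F),
        "inv": ext_inv(A, P, F),
    }

def in_subfield(a, l, p, f):
    """True iff a lies in the subfield of order p^l, i.e. a^(p^l) == a.
    For m = 5 the only proper subfield is F_251 itself (l = 1): the
    constants pass the test, a nonconstant element such as A does not."""
    return ext_pow(a, p ** l, p, f) == list(a)
```

Since m = 5 is prime, the divisors of m are 1 and 5, so the test a^(251^l) = a singles out the constant polynomials for l = 1 and accepts every element for l = 5.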
Bases of a finite field
The finite field $\mathbb{F}_{q^n}$ can be viewed as a vector space over its subfield $\mathbb{F}_q$. Here, vectors are elements of $\mathbb{F}_{q^n}$, scalars are elements of $\mathbb{F}_q$, vector addition is the addition operation in $\mathbb{F}_{q^n}$, and scalar multiplication is the multiplication in $\mathbb{F}_{q^n}$ of $\mathbb{F}_q$-elements with $\mathbb{F}_{q^n}$-elements. If $B = \{b_1, b_2, \ldots, b_n\}$ is a basis, then $a \in \mathbb{F}_{q^n}$ can be uniquely represented by an $n$-tuple $(a_1, a_2, \ldots, a_n)$ of $\mathbb{F}_q$-elements where $a = a_1b_1 + a_2b_2 + \cdots + a_nb_n$. For example, in the polynomial basis representation of the field $\mathbb{F}_{p^m}$ described above, $\mathbb{F}_{p^m}$ is an $m$-dimensional vector space over $\mathbb{F}_p$ and $\{z^{m-1}, z^{m-2}, \ldots, z^2, z, 1\}$ is a basis for $\mathbb{F}_{p^m}$ over $\mathbb{F}_p$.
Multiplicative group of a finite field
The nonzero elements of a finite field $\mathbb{F}_q$, denoted $\mathbb{F}_q^*$, form a cyclic group under multiplication. Hence there exist elements $b \in \mathbb{F}_q^*$ called generators such that
$\mathbb{F}_q^* = \{b^i : 0 \leq i \leq q-2\}$.
The order of $a \in \mathbb{F}_q^*$ is the smallest positive integer $t$ such that $a^t = 1$. Since $\mathbb{F}_q^*$ is a cyclic group, it follows that $t$ is a divisor of $q-1$.
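Added example (not code from the book): computing element orders and generators in $\mathbb{F}_{29}^*$, the multiplicative group of the prime field of Example 2.1, and checking that every order divides $q-1 = 28$ and that the powers of a generator exhaust the group. The function names are this example's own:

```python
# Added example (not from the book): orders and generators in the
# multiplicative group F_p^* of a prime field, exercised for p = 29.
# Every element order divides p - 1 = 28, and the generators are exactly
# the elements of order 28.

def element_order(a, p):
    """Smallest positive t with a^t = 1 (mod p); a must be nonzero mod p."""
    if a % p == 0:
        raise ValueError("0 is not in F_p^*")
    t, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        t += 1
    return t

def is_generator(b, p):
    # b generates F_p^* iff its order is the full group order p - 1
    return element_order(b, p) == p - 1

def generators(p):
    return [b for b in range(1, p) if is_generator(b, p)]

def orders_divide_group_order(p):
    # Lagrange's theorem in action: every element order divides p - 1
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))

def powers_of(b, p):
    """The set {b^i : 0 <= i <= p-2}; equals all of F_p^* exactly when b generates."""
    return {pow(b, i, p) for i in range(p - 1)}
```

For p = 29 the group order 28 = 4 · 7 admits element orders 1, 2, 4, 7, 14 and 28 only; a non-generator such as 4 = 2^2 has order 14, so its powers cover just half of the group.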