Results 1 - 3 of 3
A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
Communications of the ACM, 1978
Abstract
Cited by 2895 (30 self)
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: 1. Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. 2. A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two lar...
18.783 Elliptic Curves, Spring 2013, Lecture #12, 03/19/2013
Abstract
We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring integers, we first present an older algorithm of Pollard that motivates the ECM approach.

12.1 Pollard p − 1 method

In 1974, Pollard introduced a randomized (Monte Carlo) algorithm for factoring integers [6]. It makes use of a smoothness parameter B.

Algorithm 12.1 (Pollard p − 1 factorization).
Input: An integer N to be factored and a smoothness bound B.
Output: A proper divisor of N or failure.
1. Pick a random integer a ∈ [1, N − 1].
2. If d = gcd(a, N) is not 1 then return d.
3. Set b = a and for each prime ℓ ≤ B:
   a. Set b = b^(ℓ^e) mod N, where ℓ^(e−1) < N ≤ ℓ^e.
   b. If d = gcd(b − 1, N) is not 1 then return d if d < N or failure if d = N.
4. Return failure.

Rather than using a fixed bound B, we could simply let the algorithm keep running through primes ℓ until it either succeeds or fails in step 3b. But in practice one typically uses a very small smoothness bound B and switches to a different algorithm if the p − 1 method fails. In any case, it is convenient to have B fixed for the purposes of analysis.

Theorem 12.2. Let p and q be prime divisors of N, and let ℓp and ℓq be the largest prime divisors of p − 1 and q − 1, respectively. If ℓp ≤ B and ℓp < ℓq then Algorithm 12.1 succeeds with probability at least 1 − 1/ℓq.

Proof. If a ≡ 0 mod p then the algorithm succeeds in step 2, so we may assume a ⊥ p. When the algorithm reaches ℓ = ℓp in step 3 we have b = a^m, where m = ∏_{ℓ ≤ ℓp} ℓ^e is a multiple of p − 1. By Fermat's little theorem b = a^m ≡ 1 mod p and therefore p divides b − 1. But ℓq does not divide m, so with probability at least 1 − 1/ℓq we have b ≢ 1 mod q, in which case 1 < gcd(b − 1, N) < N in step 3b and the algorithm succeeds.

For most values of N, Algorithm 12.1 is guaranteed to succeed if it uses the smoothness bound B = √N. But it will still fail if N is a prime power, or if the largest prime dividing p − 1 is the same for every prime factor p of N. In the best case, the algorithm can succeed very quickly. As demonstrated in the Sage worksheet
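The following Python program is an added worked example, not code from the lecture notes or their Sage worksheet. It implements Algorithm 12.1 exactly as stated (steps 1 to 4, with the exponent e chosen so that ℓ^(e−1) < N ≤ ℓ^e) and exercises it on constructed moduli: one where Theorem 12.2 applies because p − 1 is B-smooth while q − 1 has a large prime factor, and one where the largest prime dividing p − 1 is the same for both factors, the failure mode the notes describe. The optional `a` argument is an addition for reproducibility; the lecture's algorithm always draws a at random. This is also the textbook reason RSA key generation (the first result in this listing) wants p − 1 and q − 1 to have a large prime factor.

```python
import math
import random


def primes_up_to(B):
    """Sieve of Eratosthenes: the primes ℓ ≤ B in increasing order."""
    if B < 2:
        return []
    sieve = bytearray([1]) * (B + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(B) + 1):
        if sieve[i]:
            # Cross out every multiple of i from i*i upward.
            sieve[i * i :: i] = bytes(len(range(i * i, B + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def prime_power_exponent(l, N):
    """Smallest e with ℓ^(e-1) < N ≤ ℓ^e, the exponent used in step 3a."""
    e = 1
    while l ** e < N:
        e += 1
    return e


def pollard_p_minus_1(N, B, a=None, rng=None):
    """Algorithm 12.1 (Pollard p - 1).

    Returns a proper divisor of N, or None for failure.  `a` may be fixed
    for reproducibility (an addition to the algorithm as stated); otherwise
    it is drawn from `rng`, defaulting to the random module.
    """
    if N < 4:
        raise ValueError("N must be a composite integer >= 4")
    if a is None:
        a = (rng or random).randrange(1, N)        # step 1: a in [1, N-1]
    d = math.gcd(a, N)                              # step 2
    if d != 1:
        return d
    b = a                                           # step 3
    for l in primes_up_to(B):
        b = pow(b, l ** prime_power_exponent(l, N), N)   # step 3a
        d = math.gcd(b - 1, N)                           # step 3b
        if d != 1:
            return d if d < N else None             # d == N is failure
    return None                                     # step 4


if __name__ == "__main__":
    # Constructed example: p = 1021 (p-1 = 2^2*3*5*17 is 17-smooth) and
    # q = 2027 (q-1 = 2*1013 has a large prime factor), so Theorem 12.2
    # applies with B = 17 and the method returns p.
    print(pollard_p_minus_1(1021 * 2027, 17, a=2))   # 1021
    # Failure case from the notes: N = 13*37 with p-1 = 2^2*3 and
    # q-1 = 2^2*3^2; both share the largest prime 3, so at ℓ = 3 we get
    # b ≡ 1 mod both primes at once, gcd(b-1, N) = N, and step 3b fails.
    print(pollard_p_minus_1(13 * 37, 3, a=2))        # None
```

Each step of the `for` loop multiplies the running exponent m by a full prime power ℓ^e, so by the time ℓ reaches ℓp the exponent is a multiple of p − 1 and b ≡ 1 (mod p), which is precisely the proof of Theorem 12.2; the second run shows that the same property holding for q as well turns success into the d = N failure.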