## Computational Methods in Public Key Cryptology (2002)

Citations: 1 (1 self)

### BibTeX

```bibtex
@MISC{Lenstra02computationalmethods,
  author = {Arjen K. Lenstra},
  title = {Computational Methods in Public Key Cryptology},
  year = {2002}
}
```

### Abstract

These notes informally review the most common methods from computational number theory that have applications in public key cryptology.

### Citations

2902 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1978
Citation context: ...done in polynomial time [103]. Believing that factoring and computing discrete logarithms are hard problems implies belief in the impossibility of quantum computing [38]. 2.2 RSA. The RSA cryptosystem [98] is named after its inventors Rivest, Shamir, and Adleman. It relies for its security on the difficulty of the integer factoring problem. Each user generates two distinct large primes p and q (Section 3...

2701 | New Directions in Cryptography - Diffie, Hellman - 1976

2464 | Handbook of Applied Cryptography - Menezes, van Oorschot, et al. - 1997
Citation context: ...d to use a single key both for encryption and signature purposes. In practical applications many other peculiarities must be dealt with. They are not taken into account in the descriptions below, see [76]. 2.1 Problems that are widely believed to be hard. So far only two supposedly hard problems have found widespread applications in public key cryptography: 1. Integer factorization: given a positive co...

1110 | A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms - ElGamal - 1985
Citation context: ...y of protocols. Let g be a publicly known generator of an appropriately chosen group of known order. Let $h = g^t$ for a publicly known h and secret integer t. ElGamal encryption and signature protocols [39] based on a public key consisting of (g, h) come in many different variations. Basic variants are as follows. Encryption. A message $m \in \langle g \rangle$ intended for the owner of public key (g, h) is encrypted as (...

843 | An Introduction to the Theory of Numbers - Hardy, Wright - 2005
Citation context: ...mial-time in n and p) plus the actual sieving time. The latter can be expressed as $\sum_{(p,r):\, p \in P} L/p \le 2L \sum_{p \in P} 1/p = L_n[1/2; 1]$, because $\sum_{p \in P} 1/p$ is proportional to $\log\log(L_n[1/2; 1/2])$ (see [46]) and disappears in the o(1). The matrix is sparse again. It can be processed in time $L_n[1/2; 1/2]^2 = L_n[1/2; 1]$. The total (heuristic) expected runtime of Pomerance's quadratic sieve factoring me...

818 | The arithmetic of elliptic curves - Silverman - 1986
Citation context: ...ic curves are becoming increasingly common in cryptography. These notes focus on the very basics of elliptic curves over fields of characteristic > 3. For a more general and complete treatment refer to [9, 106]. 3.7.1 Elliptic curves and elliptic curve groups. Let p > 3 be prime. Any pair $a, b \in \mathbf{F}_{p^\ell}$ such that $4a^3 + 27b^2 \ne 0$ defines an elliptic curve $E_{a,b}$ over $\mathbf{F}_{p^\ell}$. Let $E = E_{a,b}$ be an elliptic curve ...

806 | Algorithms for quantum computation: Discrete logarithms and factoring - Shor - 1994
Citation context: ...Thus, also the alleged difficulty of the discrete logarithm problems referred to above is just a belief. On a quantum computer, factoring and computing discrete logarithms can be done in polynomial time [103]. Believing that factoring and computing discrete logarithms are hard problems implies belief in the impossibility of quantum computing [38]. 2.2 RSA. The RSA cryptosystem [98] is named after its inven...

691 | Elliptic curve cryptosystems - Koblitz - 1997
Citation context: ... used to represent the subgroup elements. Another popular group where the discrete logarithm problem may be sufficiently hard is the group of points of a properly chosen elliptic curve over a finite field [56, 77]. This has the advantage that the methods from Section 4.2 do not seem to apply. Therefore it is generally believed that the finite field can be chosen much smaller than in the earlier example where $g \in \mathbf{F}$...

675 | The Art of Computer Programming, volume 2: Seminumerical Algorithms - Knuth - 1988
Citation context: ...e of the computational tools for arithmetic on integers that are required to implement the methods from Sections 2.2, 2.3, and 2.4. For a more complete treatment, including runtime analyses, refer to [8, 53, 72, 76]. 3.1 Integer arithmetic. The primes used in realistic implementations of number theoretic cryptographic protocols (Section 2) may be many hundreds, and even thousands, of bits long. Thus, the elements...

581 | Efficient signature generation by smart cards - Schnorr - 1991
Citation context: ...n the size of the largest prime factor of $p^\ell - 1$ (Section 4.1), the size of $p^\ell$ itself, and the characteristic p of $\mathbf{F}_{p^\ell}$ (Section 4.2). Alternatively, g may just generate a subgroup of $\mathbf{F}_{p^\ell}^*$ (see [101]). In that case the security depends on the size of the largest prime factor of the order of g (which divides $p^\ell - 1$), the characteristic p, and the size of $p^d$ for the smallest $d \le \ell$ (and dividing ℓ...

528 | Uses of elliptic curves in cryptography - Miller - 2011
Citation context: ... used to represent the subgroup elements. Another popular group where the discrete logarithm problem may be sufficiently hard is the group of points of a properly chosen elliptic curve over a finite field [56, 77]. This has the advantage that the methods from Section 4.2 do not seem to apply. Therefore it is generally believed that the finite field can be chosen much smaller than in the earlier example where $g \in \mathbf{F}$...

413 | Modular Multiplication Without Trial Division - Montgomery - 1985
Citation context: ...ften costly (and cumbersome to implement in hardware), various faster methods have been developed to perform calculations in $\mathbf{Z}/m\mathbf{Z}$. The most popular of these methods is so-called Montgomery arithmetic [78], as described in Section 3.2 below. 3.1.1 Remark on moduli of a special form. Computing the remainder modulo m of the intermediate result uv can be done quickly (and faster than using Montgomery arit...

406 | Introduction to finite fields and their applications - Lidl, Niederreiter - 1994

300 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance - Pohlig, Hellman - 1978
Citation context: ...r each cyclotomic polynomial [7]. However, in view of the elliptic curve factoring method (4.2.3) and as argued in [99] all these precautions do not make sense. 4.1.3 The Silver-Pohlig-Hellman method [87]. Just as p dividing n can be found easily if p − 1 is the product of small primes, discrete logarithms in $\langle g \rangle$ can be computed easily if order(g) has just small factors. Assume that order(g) is compos...

289 | On the importance of checking cryptographic protocols for faults - Boneh, DeMillo, et al. - 1997
Citation context: ...private exponents have been shown to make RSA susceptible to attacks [11, 113]. A computational error made in the RSA private operation (decryption and signature generation) may reveal the secret key [10]. These operations should therefore always be checked for correctness. This can be done by applying the corresponding public operation to the result and checking that the outcome is as expected. So-ca...

248 | New directions in cryptography - Diffie, Hellman - 1976
Citation context: ...ied out by two communicating parties to create a shared key. This must be done in such a way that an eavesdropper does not gain any information about the key being generated. The Diffie-Hellman protocol [36] is a key agreement protocol. It is not an encryption or signature scheme. Let g be a publicly known generator of an appropriately chosen group of known order. To create a shared key, parties A and B ...

233 | Factoring Integers with Elliptic Curves - Lenstra - 1987
Citation context: ...ws: X ` - 1 = Y 1#d#`;d dividing ` d (X). 3.7 Elliptic curve arithmetic. Elliptic curves were introduced in cryptanalysis with the invention of the elliptic curve factoring method (4.2.3) in 1984 [71]. This triggered applications of elliptic curves in cryptography and primality testing. Early cryptographic applications concentrated on elliptic curves over fields of characteristic 2. This restriction...

230 | Monte Carlo methods for index computation (mod p) - Pollard - 1978
Citation context: ... that it requires storage for $\sqrt{\mathrm{order}(g)}$ elements of G. Pollard's rho method, described in 4.1.5 below, requires hardly any storage and achieves essentially the same speed. 4.1.5 Pollard's rho method [89]. The probability that among a group of 23 randomly selected people at least two people have the same birthday is more than 50%. This probability is much higher than most people would expect. It is th...

220 | Lower bounds for discrete logarithms and related problems - Shoup - 1997
Citation context: ...oment at least, nothing more than that. Computing discrete logarithms, on the other hand, can be proved to be hard. The proof, however, applies only to an abstract setting without practical relevance [84, 104]. Thus, also the alleged difficulty of the discrete logarithm problems referred to above is just a belief. On a quantum computer, factoring and computing discrete logarithms can be done in polynomial tim...

201 | A subexponential algorithm for discrete logarithms over all finite fields - Adleman, DeMarrais - 1993
Citation context: ...me p dividing n, and $\#E_p(\mathbf{F}_p)$ behaves as a random integer close to p + 1 (see 3.7.6). Based on 4.2.2 with r = 1, = 1, s = 1/2, and $= \sqrt{1/2}$ it is not unreasonable to assume that $\#E_p(\mathbf{F}_p) = L_p[1; 1]$ is $L_p[1/2; \sqrt{1/2}]$-smooth with probability $L_p[1/2; -\sqrt{1/2}]$. Thus, for a fixed p, once every $L_p[1/2; \sqrt{1/2}]$ random elliptic curves over $\mathbf{Z}/n\mathbf{Z}$ one expects to find a curve for which the group order #E...

186 | Speeding the Pollard and elliptic curve methods of factorization - Montgomery - 1987
Citation context: ...le whenever the sum P + Q of P and Q must be computed. This condition makes it impossible to use the ordinary square and multiply exponentiation (Remark 3.7.2) to compute scalar products. Refer to [13, 79] for detailed descriptions of the Montgomery model and a suitable algorithm to compute a scalar multiplication in this case. Refer to [25] for a comparison of various elliptic curve point representati...

179 | Solving sparse linear equations over finite fields - Wiedemann - 1986

178 | Small solutions to polynomial equations, and low exponent RSA vulnerabilities - Coppersmith - 1997
Citation context: ...onent e is usually chosen to be small. This is done to make the public operations (encryption and signature verification) fast. Care should be taken with the use of small public exponents, as shown in [29, 30, 28, 47]. The secret exponent d corresponding to a small e is in general of the same order of magnitude as n. There are applications for which a small d (and thus large e) would be attractive. However, small ...

170 | Elliptic curves over finite fields and the computation of square roots mod p - Schoof - 1985

159 | Elliptic curves in cryptography - Blake, Seroussi, et al. - 1999
Citation context: ...ic curves are becoming increasingly common in cryptography. These notes focus on the very basics of elliptic curves over fields of characteristic > 3. For a more general and complete treatment refer to [9, 106]. 3.7.1 Elliptic curves and elliptic curve groups. Let p > 3 be prime. Any pair $a, b \in \mathbf{F}_{p^\ell}$ such that $4a^3 + 27b^2 \ne 0$ defines an elliptic curve $E_{a,b}$ over $\mathbf{F}_{p^\ell}$. Let $E = E_{a,b}$ be an elliptic curve ...

154 | A survey of fast exponentiation methods - Gordon - 1998
Citation context: ...ion. 3.4 Exponentiation. As shown in Section 2 exponentiation is of central importance for many public key cryptosystems. In this subsection the most important exponentiation methods are sketched. See [44] for a complete treatment. Let g be an element of some group G that is written multiplicatively (with the notation as in Section 2.1). Suppose that $g^e \in G$ must be computed, for some positive integer ...

146 | Parallel Collision Search with Cryptanalytic Applications - van Oorschot, Wiener - 1999
Citation context: ... starting at its own point $w_1 = g^e h^d$ for random e, d, a speed-up of a factor $\sqrt{m}$ can be expected. A parallelization that achieves a speed-up of a factor m when run on m processors is described in [112]. Define distinguished points as elements of $\langle g \rangle$ that occur with relatively low probability and that have easily recognizable characteristics. Let each processor start at its own randomly selected po...

143 | Efficient elliptic curve exponentiation using mixed coordinates - Cohen, Miyaji, et al. - 1998
Citation context: ...e same time as in the general case. As a result it is reasonable to assume that the time required for a Montgomery squaring is 80% of the time required for a Montgomery product, with the same modulus [25]. 3.2.5 Conversion to Montgomery representation. Given $u \in \mathbf{Z}/m\mathbf{Z}$, its Montgomery representation $\tilde{u}$ can be computed as the Montgomery product of u and $R^2 \bmod m$. This follows from the fact that the Mon...

141 | Cryptanalysis of short RSA secret exponents - Wiener - 1990
Citation context: ...he same order of magnitude as n. There are applications for which a small d (and thus large e) would be attractive. However, small private exponents have been shown to make RSA susceptible to attacks [11, 113]. A computational error made in the RSA private operation (decryption and signature generation) may reveal the secret key [10]. These operations should therefore always be checked for correctness. Thi...

126 | The Development of the Number Field Sieve - Lenstra, Lenstra - 1993

120 | NTRU: A ring-based public key cryptosystem - Hoffstein, Pipher, et al.
Citation context: ...f and g have d coefficients equal to 1, another d coefficients equal to (−1 mod q), and N − 2d zero coefficients. Due to the way h is constructed, it is known that such f and g exist. The encryption scheme NTRU [48] and the signature scheme NSS [49] are meant to rely on this problem of recovering f and g from h. This problem can be seen as a lattice shortest vector problem [32]. It was not designed as such. NSS ...

115 | An algebraic method for public-key cryptography - Anshel, Anshel, et al. - 1999
Citation context: ...at rely for their security on the difficulty of the following conjugacy problem in $B_n$: given $x, y \in B_n$ such that $y = bxb^{-1}$ for some unknown $b \in B_m$ with $m \le n$, find $a \in B_m$ such that $y = axa^{-1}$. See also [5]. 3 Basic Computational Methods. This section reviews some of the computational tools for arithmetic on integers that are required to implement the methods from Sections 2.2, 2.3, and 2.4. For a more...

114 | Cryptanalysis of RSA with private key d less than - Boneh, Durfee
Citation context: ...he same order of magnitude as n. There are applications for which a small d (and thus large e) would be attractive. However, small private exponents have been shown to make RSA susceptible to attacks [11, 113]. A computational error made in the RSA private operation (decryption and signature generation) may reveal the secret key [10]. These operations should therefore always be checked for correctness. Thi...

95 | New public-key cryptosystem using braid groups - Ko, Lee, et al. - 2000

92 | A fast algorithm for computing multiplicative inverses in GF(2^m) using normal bases - Itoh, Tsujii - 1988
Citation context: ...mal bases for odd characteristics. For a definition of an optimal basis and characteristic 2 existence results and constructions, see for instance [75]. 3.6.4 Inversion using normal bases. As shown in [50], normal bases can be used for the computation of inverses in $\mathbf{F}_{p^\ell}^*$. Let p be odd and $x \in \mathbf{F}_{p^\ell}^*$; then $x^{-1} = (x^r)^{-1} x^{r-1}$ for any integer r. The choice $r = (p^\ell - 1)/(p - 1)$ makes the computation of x...

89 | Fast evaluation of logarithms in fields of characteristic two - Coppersmith - 1984

87 | Finding a small root of a univariate modular equation - Coppersmith - 1996
Citation context: ...onent e is usually chosen to be small. This is done to make the public operations (encryption and signature verification) fast. Care should be taken with the use of small public exponents, as shown in [29, 30, 28, 47]. The secret exponent d corresponding to a small e is in general of the same order of magnitude as n. There are applications for which a small d (and thus large e) would be attractive. However, small ...

80 | The XTR public key system - Lenstra, Verheul - 2000
Citation context: ...e groups (or subgroups thereof) in which the discrete logarithm problem is believed to be intractable. For appropriately chosen subgroups compression methods based on traces such as LUC [109] and XTR [70] can be used to represent the subgroup elements. Another popular group where the discrete logarithm problem may be sufficiently hard is the group of points of a properly chosen elliptic curve over a fini...

78 | Low-Exponent RSA with Related Messages - Coppersmith, Franklin, et al. - 1996
Citation context: ...onent e is usually chosen to be small. This is done to make the public operations (encryption and signature verification) fast. Care should be taken with the use of small public exponents, as shown in [29, 30, 28, 47]. The secret exponent d corresponding to a small e is in general of the same order of magnitude as n. There are applications for which a small d (and thus large e) would be attractive. However, small ...

76 | Solving Simultaneous Modular Equations of Low Degree - Hastad - 1988

75 | The multiple polynomial quadratic sieve - Silverman - 1987
Citation context: ...the smaller the 'yield' becomes. Davis and Holdridge were the first to propose the use of more polynomials [34]. A somewhat more practical but similar solution was independently suggested by Montgomery [92, 107]. As a result a virtually unlimited amount of equally useful polynomials can be generated, each playing the role of f(X) in the description above. As soon as one would be sieving too far away from the...

74 | On a problem of Oppenheim concerning Factorisatio Numerorum - Canfield, Erdős, et al. - 1983
Citation context: ... $\in \mathbf{F}_{p^\ell}^*$. 4.2.2 Smoothness. Integers. A positive integer is B-smooth (or simply smooth if B is clear from the context) if all its prime factors are ≤ B. Let ;s; r; s ∈ R>0 with ss# 1. It follows from [19, 35] that a random positive integer ≤ L x [r; ] is L x [s;s]-smooth with probability L x [r - s; -(r - s)=], for x → ∞. Polynomials over $\mathbf{F}_p$. Assume that, as in 3.6.1, elements of $\mathbf{F}_{p^\ell}^*$ with p prime ...

74 | Algorithms for black-box fields and their application to cryptography (extended abstract) - Boneh, Lipton - 1996

72 | Theorems on factorization and primality testing - Pollard
Citation context: ...ccession, until $g^t = h$. This takes at most order(g) multiplications in G. There are no realistic practical applications of this method, unless order(g) is very small. 4.1.2 Pollard's p − 1 method [88]. According to Fermat's little theorem (see 3.5.2), $a^{p-1} \equiv 1 \bmod p$ for prime p and any integer a not divisible by p. It follows that $a^k \equiv 1 \bmod p$ if k is an integer multiple of p − 1. Furthermore, i...

72 | Solving large sparse linear systems over finite fields - LaMacchia, Odlyzko - 1991

71 | There are infinitely many Carmichael numbers - Alford, Granville, et al. - 1994

66 | Fast exponentiation with precomputation - Brickell, Gordon, et al. - 1992
Citation context: ...y square and multiply exponentiation in general (i.e., not for fixed g): it is reduced from L squarings and about L/2 multiplications to L/2 + L/2 = L squarings and about 3L/8 multiplications in G. See [18] for more involved and efficient precomputation methods. Exponentiation with signed exponent representation. Let $e = \sum_{i=0}^{L-1} e_i 2^i$ be the binary representation of an L-bit exponent. Any block of k+1 ...

66 | Complexity of a determinate algorithm for the discrete logarithm - Nechaev - 1994
Citation context: ...oment at least, nothing more than that. Computing discrete logarithms, on the other hand, can be proved to be hard. The proof, however, applies only to an abstract setting without practical relevance [84, 104]. Thus, also the alleged difficulty of the discrete logarithm problems referred to above is just a belief. On a quantum computer, factoring and computing discrete logarithms can be done in polynomial tim...

65 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups - Joux, Nguyen

63 | Discrete Logarithms in GF(p) Using the Number Field Sieve - Gordon - 1993