## Primality Proving with Elliptic Curves

Citations: 6 - 0 self

### BibTeX

@MISC{Théry_primalityproving,
    author = {Laurent Théry and Guillaume Hanrot},
    title = {Primality Proving with Elliptic Curves},
    year = {}
}

### Abstract

de recherche ISSN 0249-6399 ISRN INRIA/RR--6155--FR+ENG

### Citations

820 |
The Arithmetic of Elliptic Curves
- Silverman
Citation Context ... C and P a point of C(K). This definition is not very tractable in practice, and the following characterization, which follows easily from the Riemann-Roch Theorem [21], is rather used as a definition. Proposition. Every elliptic curve over K admits an affine plane model of the form $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$, (1) where the distinguished point of the ...

106 |
Handbook of elliptic and hyperelliptic curve cryptography”, Chapman
- Cohen, Frey
- 2007
Citation Context ... They are also commonly used in algorithmic number theory since the mid 80’s for factoring integers [15] or proving primality [8], but have also made their way more recently in cryptography, see e.g. [5]. It is then natural to try formalising them inside a proof system. In this work, the main property we are interested in is their group structure. The difficult part of the formalisation is in proving...

69 | Almost All Primes Can Be Quickly Certified
- Goldwasser, Kilian
- 1986
Citation Context ...ous application is, without any doubt, the proof of Fermat’s last theorem. They are also commonly used in algorithmic number theory since the mid 80’s for factoring integers [15] or proving primality [8], but have also made their way more recently in cryptography, see e.g. [5]. It is then natural to try formalising them inside a proof system. In this work, the main property we are interested in is th...

68 | HOL Light: A tutorial introduction
- Harrison
- 1996
Citation Context ...r unsuccessful attempts, John Harrison revitalised our interest showing us that he could automatically solve the equation of the x component of the generic case in less than 3 minutes inside HOLLIGHT [12] with his integrated version of Buchberger algorithm. Bruno Barras and Benjamin Grégoire helped us with their expertise in integrating the field tactic into COQ. Fi...

45 | Using reflection to build efficient and certified decision procedures
- Boutin
- 1997
Citation Context ...ression, calling the tactic field[H1 H2] attempts to solve the goal F = 0 using the rewriting rules H1 and H2. The three procedures have been defined inside the COQ logic using the two-level approach [1]. Their correctness can then be stated inside the proof system and formally proved. This ensures once and for all applications that the field tactic only performs valid simplifications. A key aspect of...

27 |
Introduction to Gröbner bases
- Buchberger
- 1998
Citation Context ... 1 and unfold the definition of addition, we get the conditional equation to be satisfied given in Figure 1. We can now transform this equation into a polynomial one and then use Buchberger algorithm [3] to check that the equation is satisfied. This is where the computer algebra system comes into play. Integrating Buchberger algorithm in a safe way insid...

14 | B.: A computational approach to pocklington certificates in type theory
- Grégoire, Théry, et al.
- 2006
Citation Context ...the property that it can be easily checked, whereas generating it is usually cpu-intensive. We have already played with the idea of prime certificates and in particular of Pocklington certificates in [9, 10]. This allows us to prove the primality of some large numbers like the millennium prime (a prime number with exactly 2000 digits discovered by John Cosgrave) or the 27th Mersenne prime $2^{44497} - 1$. T...

10 |
A Purely Functional Library for Modular Arithmetic and Its Application to Certifying Large Prime Numbers
- Grégoire, Théry
- 2006
Citation Context ...the property that it can be easily checked, whereas generating it is usually cpu-intensive. We have already played with the idea of prime certificates and in particular of Pocklington certificates in [9, 10]. This allows us to prove the primality of some large numbers like the millennium prime (a prime number with exactly 2000 digits discovered by John Cosgrave) or the 27th Mersenne prime $2^{44497} - 1$. T...

8 | Complex quantifier elimination in HOL
- Harrison
Citation Context ... where the computer algebra system comes into play. Integrating Buchberger algorithm in a safe way inside a prover is possible and has already been done [6, 13], but cases 1 ÷ 3 can be decided by a much simpler strategy. To illustrate this strategy, let us consider a more elementary example, i.e. the proof that the addition is internal in the tangent case. I...

6 |
Lenstra Jr. Factoring integers with elliptic curves
- Hendrik
- 1987
Citation Context ...alisations. Their most famous application is, without any doubt, the proof of Fermat’s last theorem. They are also commonly used in algorithmic number theory since the mid 80’s for factoring integers [15] or proving primality [8], but have also made their way more recently in cryptography, see e.g. [5]. It is then natural to try formalising them inside a proof system. In this work, the main property w...

4 |
The CAML Numbers Reference Manual
- Ménissier-Morain
- 1992
Citation Context ...le, in our case, to verify a 250-digit number in less than a minute. We have also experienced with extracting our code to OCAML [16] and linking it with the arbitrary-precision integer library BIGNUM [20]. We got in this case an even bigger speed-up since checking one of our 250-digit numbers only takes 0.2 second and we were capable to check in 36 seconds the millennium prime, a prime with 2000 decim...

2 |
Grégoire and Assia Mahboubi. Proving ring equalities done right in Coq
- Benjamin
Citation Context ...e polynomial expressions (second step) and a procedure to normalise rational expressions (first step). The procedure to normalise polynomial expressions was already present in COQ and is described in [11]. Its main characteristic is to use an internal representation of polynomials in Horner form. This representation is unique up to variable ordering. Given a polynomial P and a variable x, we write P a...

1 |
Cocoa: Computations in commutative algebra. Available at http://cocoa.dima.unige.it
- Capani, Niesi, et al.
Citation Context ... point is that some of these equalities (exactly 3) are so huge that they cannot be reasonably handled by a human being. In his paper, Stefan Friedl advocates the use of a computer algebra like COCOA [4] to check these equalities. Reflecting these computations inside the proof system is the main difficulty of the formal proof. In this paper, we explain how this has been done inside the proof system C...

1 |
Gb: une procédure de décision pour le système Coq
- Créci, Pottier
- 2004
Citation Context ... where the computer algebra system comes into play. Integrating Buchberger algorithm in a safe way inside a prover is possible and has already been done [6, 13], but cases 1 ÷ 3 can be decided by a much simpler strategy. To illustrate this strategy, let us consider a more elementary example, i.e. the proof that the addition is internal in the tangent case. I...

1 |
An elementary proof of the group law for elliptic curves. Excerpt from undergraduate thesis
- Friedl
- 1998
Citation Context ...ssociativity. In our formal proof, we follow an elementary algebraic approach that is particularly suited to proof systems. Our main source of inspiration has been the proof proposed by Stefan Friedl [7]. The proof is very technical and consists in massaging equalities over an abstract field under various conditions. The only sour point is that some of these equalities (exactly 3) are so huge that th...

1 |
Formalized elliptic curve cryptography. Available at http://www.cl.cam.ac.uk/~jeh1004/research/talks/elliptic-talk.pdf
- Hurd
Citation Context ...as proposed for ACL2 in [2] with a monadic approach. 5 Acknowledgments Many people made this work possible. Joe Hurd was the first to draw our attention to formalising elliptic curves inside a prover [14]. After unsuccessful attempts, John Harrison revitalised our interest showing us that he could automatically solve the equation of the x component of the generic case in less than 3 minutes inside HOL...

1 |
Objective Caml. Available at http://pauillac.inria.fr/ocaml
- Leroy
- 1997
Citation Context ... arithmetic exhibit a speed-up of 80. Such speed-up would make it possible, in our case, to verify a 250-digit number in less than a minute. We have also experienced with extracting our code to OCAML [16] and linking it with the arbitrary-precision integer library BIGNUM [20]. We got in this case an even bigger speed-up since checking one of our 250-digit numbers only takes 0.2 second and we were capa...

1 |
primality proving. Available at http://www.ellipsa.net
- PRIMO
Citation Context ...our library there are predefined theorems for the first 5000 prime numbers. Our elliptic certificates slightly differ from the standard ones to accommodate the certificates produced by the tool PRIMO [17]. An elliptic certificate is composed of seven elements: $\{N, A, B, x_1, y_1, n_0, [(q_1, \alpha_1), \ldots, (q_n, \alpha_n)]\}$: - N is the number to be proved prime; - A and B are the parameters of the elliptic curve $y^2$...

1 |
Certificate for (((((((((2 3
- Morain
Citation Context ...rime and can be found in polynomial time. At the moment, the largest prime for which an elliptic certificate has been generated has 20562 decimal digits. Ten days are needed to verify its certificate [18]. The paper is organised as follows. In Section 2, we recall what elliptic curves are and explain how their group structure has been formally established. In Section 3, we focus on prime certificate a...

1 |
La primalité en temps polynomial, d’après
- Morain
Citation Context ...icient way is to use the theory of complex multiplication, after Atkin and Morain. For a more extensive bibliography, the interested reader can refer to the nice survey of primality proving by Morain [19]. The idea behind the formal proof of Proposition 2 is to relate computations with projective coordinates done in Z/NZ with the same computations with standard coordinates done in Z/qZ when q is a pri...

1 |
Proving the group law for elliptic curves formally
- Théry
- 2007
Citation Context ...uter element, −p is the opposite of p, and the addition is commutative directly from the definitions. Proving associativity is rather technical. A detailed description of the formal proof is given in [23]. Here, we only sketch the proof and discuss the most interesting issues. As the definition of addition contains five cases, the proof heavily relies on case analysis. The addition $p_1 + p_2$ is trivial ...