#2 (IISEC)

Similar documents
:00-16:10


index calculus

日本内科学会雑誌第98巻第3号

2 2 ( M2) ( )


日本内科学会雑誌第102巻第10号

プリント

Łñ“’‘‚2004


K 2 X = 4 MWG(f), X P 2 F, υ 0 : X P 2 2,, {f λ : X λ P 1 } λ Λ NS(X λ ), (υ 0 ) λ : X λ P 2 ( 1) X 6, f λ K X + F, f ( 1), n, n 1 (cf [10]) X, f : X


第101回 日本美容外科学会誌/nbgkp‐01(大扉)

tnbp59-20_Web:P1/ky108679509610002943

27巻3号/FUJSYU03‐107(プログラム)

パーキンソン病治療ガイドライン2002

本文27/A(CD-ROM

y = x 4 y = x 8 3 y = x 4 y = x 3. 4 f(x) = x y = f(x) 4 x =,, 3, 4, 5 5 f(x) f() = f() = 3 f(3) = 3 4 f(4) = 4 *3 S S = f() + f() + f(3) + f(4) () *4

ネットワークユーティリティ説明書

<91818C E90B690EA97708CF696B188F58D758DC0838A815B83742E706466>

I. (CREMONA ) : Cremona [C],., modular form f E f. 1., modular X H 1 (X, Q). modular symbol M-symbol, ( ) modular symbol., notation. H = { z = x

スケーリング理論とはなにか? - --尺度を変えて見えること--

プログラム

SAMA- SUKU-RU Contents p-adic families of Eisenstein series (modular form) Hecke Eisenstein Eisenstein p T

Block cipher

< C D928696CA5F E706466>


Ł\”ƒ-2005

日本内科学会雑誌第101巻第12号

07N


p...{..P01-48(TF)

研修コーナー

tnbp59-21_Web:P2/ky132379509610002944

211 ‚æ2fiúŒÚ

Skew-Frobenius IISEC, JANT18 1

パーキンソン病治療ガイドライン2002

日本内科学会雑誌第97巻第7号

dプログラム_1

SQUFOF NTT Shanks SQUFOF SQUFOF Pentium III Pentium 4 SQUFOF 2.03 (Pentium 4 2.0GHz Willamette) N UBASIC 50 / 200 [


seminar0220a.dvi

日本内科学会雑誌第98巻第4号

_0212_68<5A66><4EBA><79D1>_<6821><4E86><FF08><30C8><30F3><30DC><306A><3057><FF09>.pdf

放射線専門医認定試験(2009・20回)/HOHS‐01(基礎一次)

2 H23 BioS (i) data d1; input group patno t sex censor; cards;

waseda2010a-jukaiki1-main.dvi

08_眞鍋.indd

analog-control-mod : 2007/2/4(8:44) 2 E8 P M () r e K P ( ) T I u K M T M K D E8.: DC PID K D E8. (E8.) P M () E8.2 K P D () ( T ) (E8.2) K M T M K, T

30


M M M M

01.ai

., White-Box, White-Box. White-Box.,, White-Box., Maple [11], 2. 1, QE, QE, 1 Redlog [7], QEPCAD [9], SyNRAC [8] 3 QE., 2 Brown White-Box. 3 White-Box

楕円曲線暗号と RSA 暗号の安全性比較

12/1 ( ) GLM, R MCMC, WinBUGS 12/2 ( ) WinBUGS WinBUGS 12/2 ( ) : 12/3 ( ) :? ( :51 ) 2/ 71

sakigake1.dvi

Kullback-Leibler

snkp-14-2/ky347084220200019175

icml10yomikai.key

43-03‘o’ì’¹‘®”q37†`51†i„¤‰ƒ…m†[…g†j.pwd

φ 4 Minimal subtraction scheme 2-loop ε 2008 (University of Tokyo) (Atsuo Kuniba) version 21/Apr/ Formulas Γ( n + ɛ) = ( 1)n (1 n! ɛ + ψ(n + 1)

(I) GotoBALS, kkimur/charpoly.html 2

ISO/IEC 9798プロトコルの安全性評価

コンピュータ概論

Gauss Fuchs rigid rigid rigid Nicholas Katz Rigid local systems [6] Fuchs Katz Crawley- Boevey[1] [7] Katz rigid rigid Katz middle convolu

第85 回日本感染症学会総会学術集会後抄録(III)

PDF


2011 Future University Hakodate 2011 System Information Science Practice Group Report Project Name Visualization of Code-Breaking RSA Group Name RSA C


Contents P. P. 1

1980年代半ば,米国中西部のモデル 理論,そして未来-モデル理論賛歌

/22 R MCMC R R MCMC? 3. Gibbs sampler : kubo/

( )

資料5:聖ウルスラ学院英智小・中学校 提出資料(1)

output2010本文.indd

a m 1 mod p a km 1 mod p k<s 1.6. n > 1 n 1= s m, (m, = 1 a n n a m 1 mod n a km 1 mod n k<sn a 1.7. n > 1 n 1= s m, (m, = 1 r n ν = min ord (p 1 (1 B

V(x) m e V 0 cos x π x π V(x) = x < π, x > π V 0 (i) x = 0 (V(x) V 0 (1 x 2 /2)) n n d 2 f dξ 2ξ d f 2 dξ + 2n f = 0 H n (ξ) (ii) H

卓球の試合への興味度に関する確率論的分析


スポーツ科学 20年度/01 目次


一般演題(ポスター)

Kumagai09-hi-2.indd


kokyuroku.dvi

D-brane K 1, 2 ( ) 1 K D-brane K K D-brane Witten [1] D-brane K K K K D-brane D-brane K RR BPS D-brane

JSP58-program


LCR e ix LC AM m k x m x x > 0 x < 0 F x > 0 x < 0 F = k x (k > 0) k x = x(t)

untitled

基礎から学ぶトラヒック理論 サンプルページ この本の定価 判型などは, 以下の URL からご覧いただけます. このサンプルページの内容は, 初版 1 刷発行時のものです.


I A A441 : April 15, 2013 Version : 1.1 I Kawahira, Tomoki TA (Shigehiro, Yoshida )

2/ ERATO

自動残差修正機能付き GBiCGSTAB$(s,L)$法 (科学技術計算アルゴリズムの数理的基盤と展開)

2 G(k) e ikx = (ik) n x n n! n=0 (k ) ( ) X n = ( i) n n k n G(k) k=0 F (k) ln G(k) = ln e ikx n κ n F (k) = F (k) (ik) n n= n! κ n κ n = ( i) n n k n

A B C D E F G H J K L M 1A : 45 1A : 00 1A : 15 1A : 30 1A : 45 1A : 00 1B1030 1B1045 1C1030

Twist knot orbifold Chern-Simons

Transcription:

#2 (IISEC) 2007 10 6

E Y 2 = F (X) E(F p ) E : Y 2 = F (X) = X 3 + AX + B, A, B F p E(F p ) = {(x, y) F 2 p y2 = F (x)} {P } P : E(F p ) E F p - Given: E/F p : EC, P E(F p ), Q P Find: x Z/NZ s.t. Q = [x]p n := #E(F p ) E(F p ) n p + 1 2 p n p + 1 + 2 p (x, P ) Q x = (x k 1 x k 2... x 1 x 0 ) 2, Q = 0 i<k[2 x i]p, k = O(log p) A, B n n p (P, Q) x P E(F p ) N := # P N n 2

4 Square-root Generic Algo. N = O(p) Square-root N Pohlig-Hellman + {baby-step giant-step, Pollard s rho, lambda} Pohlig-Hellman Silver 1978 Pohlig Hellman Non-Generic Algo. 1. 2. rho 3. 4. Menezes-Okamoto-Vanstone SSSA Index calculus

6 1 m 1, m 2 Z, gcd(m 1, m 2 ) = 1, x 1, x 2 Z, 0 x i < m i x x i mod m i x Z s.t. x 0 x < m 1 m 2 x = ((m 1 1 mod m 2)(x 2 x 1 ) mod m 2 )m 1 + x 1 O((log(m 1 m 2 )) 2 ) bit-operations N N = 1 i r l e i i [N/l e i i ]Q = [N/le i i x]p, i = 1,..., r # [N/l e i i ]P = le i i

8 Q i := [N/l e i i ]Q, P i := [N/l e i i ]P x i [0, l e i i for i [1, r] 1] s.t. Q i = P x i i x i, l e i i x x i mod l e i i for i [1, r] gcd(l e i i, le j j ) = 1 for i j 2 Given: E/F p : EC, l: prime, e N s.t. l e N, P E(F p ) s.t. # P = l e, Q P Find: x [0, l e 1] s.t. Q = [x]p P i, Q i, x i, l i, e i P, Q, x, l, e x O ( (log p) 2) bit-operations

e > 1 f Z 0 < f < e Q = [l f v + u]p Q = [x]p, 0 x < l e Q [u]p = [l f v]p = [v][l f ]P u, v Z s.t. x = l f v + u, 0 u < l f, 0 v < l e f [l e f ]Q = [(l e f )x]p = [(l e f )(l f v + u)]p = [(l e f l f v + l e f u)]p = [(l e v + l e f u)]p = [l e f u]p = [u][l e f ]P # b lf = l e f < l e 1: [l e f ]Q = [u][l e f ]P u 2: Q [u]p = [v][l f ]P v 3: x = l f v + u # [l e f ]P = l f < l e e = 1 f f e/2 10

1 step [l e f ]Q, [l e f ]P, [u]p, [l f ]P 4 [l e ]P : O(log l e ) = O(e log l)e(f p )-ops. Q = [x]p, # P = l Given: E/F p : EC, l: prime, P E(F p ) s.t. # P = l, Q P Find: x [0, l e 1] s.t. Q = [x]p + 2 O(l) T (l, e) = O(e log l) + 2T (l, e/2) = O(e log e log l + et (l, 1)) Square-root Baby-step giant-step Deterministic algo. e = 1 Pollard rho / lambda Monte Carlo algo. : O(1) 12

Rho/lambda Birthday Paradox S : set, n 0 = #S 23 r 1 : ( r n 0 i + 1 r = 1 i 1 ) i=1 n 0 i=1 n 0 1/2 ( r 1 1 364 365 363 365 343 365 = 0.507... < exp i 1 ) i=1 n 0 1 + x e x 365 = 19.104... r = exp i 1 = exp i=1 ( ( n 0 r(r 1) 2n 0 exp 2n 0 ( ) r = 2(log 2)n 0 exp r2 = 0.5 2n 0 r2 O( n 0 ) 14 ) )

16 Rho Algorithm 1 Pollard s rho.alpha Input: E/F p : EC, l: prime, P E(F p ) s.t. # P = l, Q P Output: x [0, l 1] s.t. Q = [x]p 1: i := 0 2: repeat 3: i := i + 1 4: Choose α i, β i [0, l 1] randomly 5: R i = [α i ]P + [β i ]Q 6: until j s.t. 1 j < i, R j = R i 7: x = (α i α j )(β j β i ) 1 mod l /*α i + β i x α j + β j x mod l*/ 8: Output x and terminate : O( l) : O( l) Beta 4: Choose α i, β i [0, l 1] randomly 5: R i = [α i ]Q + [β i ]P W S 1, S 2, S 3 #S 1 #S 2 #S 3, P = S 1 S 2 S 3, S 1 S 2 = S 2 S 3 = S 3 S 1 = R i = W (R i 1 ) = R i 1 + P, if R i 1 S 1 [2]R i 1, if R i 1 S 2 R i 1 + Q, if R i 1 S 3

18 R i = W (R i 1 ) = α i = W α (α i 1 ) = β i = W β (β i 1 ) = R i 1 + P, if R i 1 S 1 [2]R i 1, if R i 1 S 2 R i 1 + Q, if R i 1 S 3 α i 1 + 1, if R i 1 S 1 2α i 1, if R i 1 S 2 α i 1, if R i 1 S 3 β i 1, if R i 1 S 1 2β i 1, if R i 1 S 2 β i 1 + 1, if R i 1 S 3 Algorithm 2 Pollard s rho.beta Input: E/F p : EC, l: prime, P E(F p ) s.t. # P = l, Q P Output: x [0, l 1] s.t. Q = [x]p 1: i := 1 2: Choose α 1, β 1 [0, l 1] randomly 3: R 1 = [α 1 ]P + [β 1 ]Q 4: repeat 5: i := i + 1 6: R i = W (R i 1 ) 7: α i = W α (α i 1 ), β i = W β (β i 1 ) 8: until j s.t. 1 j < i, c j = c i 9: x = (α i α j )(β j β i ) 1 mod l 10: Output x and terminate : O( l) : O( l)

20 Beta alpha Algorithm 3 Pollard s rho method Input: E/F p : EC, l: prime, P E(F p ) s.t. # P = l, Q P Output: x [0, l 1] s.t. Q = [x]p j = 2i i 3 4 5 6 7 8 9 j 12 13 14 15 16 17 18 i 10 11 12 13 14 15 16 17 j 18 19 20 21 22 23 24 25 10 11 12 13 14 15 16 26 27 28 29 30 31 32 1: Choose α 1, β 1 [0, l 1] randomly 2: R 1 = [α 1 ]P + [β 1 ]Q 3: R 2 = W (R 1 ) 4: α 2 = W α (α 1 ), β 2 = W β (β 1 ) 5: while R 1 R 2 do 6: R 1 = W (R 1 ) 7: α 1 = W α (α 1 ), β 1 = W β (β 1 ) 8: R 2 = W (W (c 2 )) 9: α 2 = W α (W α (α 2 )), β 2 = W β (W β (β 2 )) 10: x = (α 2 α 1 )(β 1 β 2 ) 1 mod l 11: Output x and terminate : O( l) : O(1)

P E(F p ) P S 3 S 1 ; 0 X(P ) < p/3 S 2 ; p/3 X(P ) < 2p/3 ; 2p/3 X(P ) < p p = 31 S 1 : [0, 10], S 2 : [11, 20], S 3 : [21, 30] E/F p : Y 2 = X 3 + 10X + 22 #E(F p ) = 37: P = (10, 3), Q = (9, 10) α 1 = 35, β 1 = 36 R 1 = [α]p + [β]q i R i α i β i 1 (30, 13) S 3 35 36 2 (11, 3) S 2 35 0 3 (3, 19) S 1 33 0 4 (15, 4) S 2 34 0 5 (21, 17) S 3 31 0 6 (5, 13) S 1 31 1 7 (20, 17) S 2 32 1 8 (29, 11) S 3 27 2 9 (3, 12) S 1 27 3 10 (7, 2) S 1 28 3 11 (21, 14) S 3 29 3 12 (8, 11) S 1 29 4 13 (29, 11) S 3 30 4 14 (3, 12) S 1 30 5 15 (7, 2) S 1 31 5 16 (21, 14) S 3 32 5 17 (8, 11) S 1 32 6 18 (29, 11) S 3 33 6 19 (3, 12) S 1 33 7 20 (7, 2) S 1 34 7 21 (21, 14) S 3 35 7 22

24 l e α 14 α 9 β 9 α 14 α 15 α 10 β 10 α 15 α 15 α 11 β 11 α 15 α 20 α 10 β 10 α 20 mod 37 [17]P = Q 30 27 3 5 31 28 3 5 32 29 3 5 34 28 3 7 17 mod 37 T (l, e) = O(e log l) + T (l, e/2) = O(e log e log l + et (l, 1)) = O ( e ( log e log l + l )) = e l fore = O(2 l/ log l ) e log e log l fore = Ω(2 l/ log l ) # P T # P = l e O(e l) ; # b O(e log e log l) ; # b

Square-root T (N) = N = 1 i r 1 i r l e i i ) O (e i l i E(F p )-ops. i e i = 1 128 bit l 2 256 T (N) = ) O ( l i 1 i r = O( l)e(f p )-ops., l := max(l i ) l #E(F p ) Square-root l #E(F p ) G O( l) E(F p )-ops. 80 bit l 2 160 l #E(F p ) 80 bit l 160 bit 128 bit l 256 bit #E(F p ) #E(F p ) = cl, # P = l P c: small constant. 26

28 p = 2 160 47 E/F p : Y 2 = X 3 + AX + B A = 1419587478389183342895449 556703480177911999181832 B = 1370276796320878164248991 66044478248449528373717 E(F p ) = {P, (3, 55907912945587879110990166 1839949961707046542132), (3, 55907912945587879110990166 1839949961707046542132),... } #E(F p ) = 146150163733090291820 3687023423038479648987 002960 (161bit) = 2 4 5 23 1277 711713 1801867 2045011 4738031 38408653 1303287809 i l i e i log 2 l i 1 2 4 1 2 5 1 3 3 23 1 5 4 1277 1 11 5 711713 1 20 6 1801867 1 21 7 2045011 1 21 8 4738031 1 23 9 38408653 1 26 10 1303287809 1 31

30 For l 1 = 2, e 1 = 4 P = (68877725316734917430550420 3634807500170063433889, 10818195495524631221456171 53762479400729821670608) N := # P = #E(F p ) [N/l i ]P P for i = 1,..., 10 Q = (3, 559079129455878791109901 661839949961707046542132) Find x s.t. Q = [x]p P 1 = [N/l e 1 1 ]P = (12180858054680521922633 89671268297866637785070783, 137024357844751571954304 6637992697157748583844582) Q 1 = [N/l e 1 1 ]Q = (13053574756422264436371 50075874346449066599286139, 918498003406678847422986 552214801965456185529002) Find x 1 [0, 2 4 1] s.t. Q 1 = [x 1 ]P 1

Q 11 = [u]p 11 1: [l e f ]Q = [u][l e f ]P # P 11 = l f 1 = 4 u 2: Q [u]p = [v][l f ˆf = f/2 = 1 ]P v 3: x = l f v + u f = e 1 /2 = 2 P 11 = [l e 1 f 1 ]P 1 = [4]P 1 = (101370728297058356849061 2136378940057879000334514, 1063366667305951199949601 774367450923795168631284) P 12 = [l f ˆf 1 ]P 11 = [2]P 11 = (4226055817864884638391297 86239210404525029853209, 0) Q 12 = [l f ˆf 1 ]Q 11 = [2]Q 11 = (4226055817864884638391297 86239210404525029853209, 0) Q 12 = [û]p 12 û = 1 Q 11 = [l e 1 f 1 ]Q 1 = [4]Q 1 = (101370728297058356849061 2136378940057879000334514, 1063366667305951199949601 774367450923795168631284) P 13 = [l ˆf 1 ]P 11 = [2]P 11 = P 12 Q 13 = Q 12 [û]p 12 = P Q 13 = [ˆv]P 13 ˆv = 0 u = l ˆf 1ˆv + û = 1 32

1: [l e f ]Q = [u][l e f ]P u 2: Q [u]p = [v][l f ]P v 3: x = l f v + u P 14 = [l f 1 ]P 1 = [4]P 1 = (101370728297058356849061 2136378940057879000334514, 1063366667305951199949601 774367450923795168631284) Q 14 = Q 1 [u]p 1 = Q 1 P 1 = (101370728297058356849061 2136378940057879000334514, 1063366667305951199949601 774367450923795168631284) Q 14 = [v]p 14 v = 1 x 1 = l f 1 v + u = 22 + 1 = 5 Rho part i l e 1 i / log 2 l i x i sec./stps. 1 2 4 5 1 2 5 3.07 3 3 3 23 20.10 5 7 4 1277 293.11 11 55 5 711713 532349.20 20 387 6 1801867 1686283.44 21 1457 7 2045011 531538.34 21 1105 8 4738031 1517838.62 23 2350 9 38408653 22671833 3.2 26 14945 10 1303287809 1094987215 8.9 31 42617.07 +.10 +.11 +.20 +.44 +.34 +.62 + 3.2 + 8.9 14sec. on Magma/efficēon 1G 34

36 CRT part x 5 mod 16 3 mod 5 20 mod 23 293 mod 1277 532349 mod 711713 1686283 mod 1801867 531538 mod 2045011 1517838 mod 4738031 22671833 mod 38408653 1094987215 mod 1303287809 I. Blake, G. Seroussi, and N. Smart. Elliptic Curves in Cryptography. Number 265 in London Mathematical Society Lecture Note Series. Cambridge U. P., 1999. H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren. Handbook of elliptic and hyperelliptic curve cryptography. Chapman & Hall/CRC, 2005. A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of applied cryptography. CRC Press, 1997. V. Shoup. A computational introduction to number theory and algebra. Cambridge University Press, 2005. x 743799732436366136546362638 012460649291492098213 mod N

2024 © docsplayer.net プライバシー | 利用規約 | フィードバック