Algorithms for the Elliptic Curve Discrete Logarithm and the Approximate Common Divisor Problem ... PDF

101 Pages·2016·0.69 MB·English

Algorithms for the Elliptic Curve Discrete Logarithm and the Approximate Common Divisor Problem

Shishay Welay Gebregiyorgis

A Thesis Submitted in Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Mathematics
The University of Auckland
January 2016

Abstract

Public key cryptosystems such as Diffie-Hellman key exchange and homomorphic encryption over the integers are based on the assumption that the Discrete Logarithm Problem (DLP) and the Approximate Common Divisor (ACD) problem are hard respectively. These computational assumptions can be tested by developing improved algorithms to solve them.

The DLP for elliptic curves defined over certain finite fields is believed to be hard. The best current algorithm for this problem is Pollard rho. The most promising new idea for attacking the DLP over these curves is the index calculus algorithm, since it solves the DLP for finite fields in subexponential time. It is important to understand this class of algorithms. We study the index calculus algorithm based on summation polynomials. This reduces the DLP to solving systems of multivariate polynomial equations. We explain recent research on exploiting symmetries arising from points of small order. Such symmetries can be used to speed up solving the system of polynomial equations, and hence speed up the algorithm.

We give an improved index calculus algorithm for solving the DLP for binary elliptic curves. Despite our improved ideas, our experiments suggest that Pollard rho is still the best algorithm for the DLP in practice. We discuss and analyse a new idea called the "splitting technique", which does not make use of symmetries. We finally suggest a new definition of the factor base to bring the probability of finding a relation close to 1.

To extend the notion of symmetries we investigate the use of an automorphism of elliptic curves defined over a field of characteristic 3 to speed up the index calculus algorithm. Our finding is that an automorphism speeds up the algorithm, but not to the extent that we would wish.

Finally we review, compare and precisely analyse some existing algorithms to solve the ACD problem. Our experiments show that the Cohn-Heninger algorithm is slower than the orthogonal lattice based approach. We propose a preprocessing of the ACD instances to speed up these algorithms. We explain that the preprocessing does not seem to threaten the ACD problem in practice.

Acknowledgements

I would like to thank my PhD supervisor Steven Galbraith for supporting me during my three years' stay at the University of Auckland. He not only supervised me but also taught me how to be an independent, self-confident researcher. Above all, special appreciation goes to him for our collaborative work in my first published paper on the results in Chapter 3.

I would also like to thank Arkadii Slinko, Ben Martin and Igor Klep for their comments and suggestions.

My work has been supported by the University of Auckland. The University of Auckland not only provided me with the materials needed for my PhD program but also awarded me a University of Auckland Doctoral Scholarship. So I would really like to thank all staff in this great University.

Finally, huge thanks go to my family for supporting me in all ways. All the work is dedicated to my amazing family.

Contents

1 Cryptography and Computational Assumptions
  1.1 Cryptography
  1.2 The integer factorization problem and RSA cryptosystem
  1.3 Integer factorization algorithms
    1.3.1 Pollard p−1 algorithm
    1.3.2 The elliptic curve factorization method
    1.3.3 The quadratic sieve factorization method
  1.4 The discrete logarithm problem and Elgamal cryptosystem
  1.5 Algorithms for solving the discrete logarithm problem
    1.5.1 The baby-step-giant-step algorithm
    1.5.2 The Pohlig-Hellman algorithm
    1.5.3 The Pollard rho algorithm
    1.5.4 The index calculus method
2 Elliptic Curves and Summation Polynomials
  2.1 Computational algebraic geometry
    2.1.1 Ideals and affine varieties
    2.1.2 Gröbner basis
    2.1.3 Invariant theory
    2.1.4 Solving polynomial systems with symmetries using Gröbner basis
  2.2 Elliptic curves
    2.2.1 Elliptic curve definition
    2.2.2 Elliptic curve representation
    2.2.3 The elliptic curve discrete logarithm problem (ECDLP)
  2.3 Summation polynomials
    2.3.1 Summation polynomials definition
    2.3.2 Weil descent of an elliptic curve
    2.3.3 The index calculus algorithm
    2.3.4 Resolution of polynomial systems using symmetries
3 Index Calculus Algorithm to Solve the DLP for Binary Edwards Curve
  3.1 Summation polynomials of binary Edwards curve
    3.1.1 Factor base definition
    3.1.2 Weil descent of binary Edwards curve
  3.2 Symmetries to speed up resolution of polynomial systems
    3.2.1 The action of symmetric group
    3.2.2 The action of a point of order 2
    3.2.3 The action of points of order 4
  3.3 Index calculus algorithm
  3.4 Breaking symmetry in the factor base
  3.5 Gröbner basis versus SAT solvers comparison
  3.6 Experimental results
  3.7 Splitting method to solve DLP for binary curves
4 The DLP for Supersingular Ternary Curves
  4.1 Elliptic curve over a field of characteristic three
  4.2 Automorphisms and resolution of point decomposition problem
  4.3 Invariant rings under the automorphism and symmetric groups
5 The Approximate Common Divisor Problem and Lattices
  5.1 Lattices and computational assumptions
    5.1.1 Algorithms to solve CVP and SVP
    5.1.2 Solving Knapsack problem
  5.2 Algorithms to solve the approximate common divisor problem
    5.2.1 Exhaustive search
    5.2.2 Simultaneous Diophantine approximation
    5.2.3 Orthogonal vectors to common divisors (NS-Approach)
    5.2.4 Orthogonal vectors to error terms (NS*-Approach)
    5.2.5 Multivariate polynomial equations method (CH-Approach)
  5.3 Comparison of algorithms for the ACD problem
    5.3.1 Experimental observation
  5.4 Pre-processing of the ACD samples

Chapter 1

Cryptography and Computational Assumptions

Secure cryptosystems are built using computational problems that are believed to be hard. The RSA and Diffie-Hellman key exchange are based on the assumption that the integer factorization and discrete logarithm problems are hard respectively. If we can break the underlying assumption, then the cryptosystem is not secure anymore. In this regard, we are interested in trying to solve the underlying hard computational problems of cryptosystems.
If the computational problem is intrinsically easy, we can provide an algorithm to solve the problem in polynomial time. If however the computational problem is intrinsically difficult, we would wish to show that there is no algorithm that solves the problem. The lack of proof showing that there is no efficient algorithm to solve the underlying hard computational problems in many cryptosystems is the motivation for our research. We test computational assumptions by developing improved algorithms to solve them. We give a summary of the existing algorithms to solve the integer factorization and discrete logarithm problems.

1.1 Cryptography

Cryptography deals with securing communication channels, electronic transactions, sensitive data and other critical information such as medical records. It is concerned with designing a cryptosystem or a cryptographic system that is capable of providing services like confidentiality, authenticity, integrity and non-repudiation. By confidentiality we mean that a cryptosystem is intended to allow access to sensitive data or information only to authorized users. Authenticity refers to the ability of a cryptosystem to validate the source of data origin. Integrity refers to the assurance of a cryptosystem that a message was not modified in transit intentionally or unintentionally through insertions, deletion, or modification. Non-repudiation refers to the ability of the cryptosystem to provide evidence in case a dispute arises by a sender claiming that he/she did not send the data.

Nowadays, our daily secure digital communications involve a cryptosystem, for example in cellular communications, the internet and browsers. More interestingly, the heart of the digital currency Bitcoin [Nak09] is a cryptosystem. So cryptography plays a great role in our daily lives.

There are two branches of cryptography, namely symmetric and asymmetric. Symmetric cryptography deals with designing cryptosystems (encryption functions, cryptographic hash functions, message authentication codes etc.) based on traditional design methodologies under the assumption that a shared key, which is an essential part of a cryptosystem, is available between communicating parties. A symmetric cryptosystem is composed of two transformation functions, an encryption function $E_k$ and a decryption function $D_k$. The encryption function $E_k$ takes a message $m$ and a key $k$ and produces a ciphertext $c$. The decryption function does the inverse, that is, it takes a ciphertext $c$ and a key $k$ and recovers the original message $m$. The two functions are assumed to be available publicly. If two communicating parties Alice and Bob want to communicate securely under this cryptosystem, they need to agree on a common key $K$ beforehand in a safe way. If the key $k$ is compromised then the cryptosystem gives no security. The main drawback of symmetric cryptography is key management and distribution.

Asymmetric cryptography, known as public key cryptography, uses hard computational problems to design a cryptosystem, which allows two or more parties to communicate securely over unsecured channels without the need for prior key agreement. There are several functionalities provided by public key cryptography such as encryption, signatures, key exchange and identification services.

In public key cryptography, two keys are generated: a private key $s_k$ and a public key $p_k$. Every user will have two keys. The private key is kept secret whereas the public key is published in a directory so that anyone else has access to it. The computational assumption is that given the public key $p_k$, it is hard to determine the private key $s_k$.

If Alice wants to send a sensitive message to Bob over an insecure channel, Alice obtains the public key $p_k$ of Bob and uses it to encrypt the message. Bob, upon receiving the encrypted message, uses his private key $s_k$ to decrypt the message. We require the encryption function to be easily computable but hard to invert. Functions which are easy to compute but hard to invert are called one-way functions.

Definition 1.1.1.
(One-way functions) Let $k$ be a security parameter and $n$ be a function of $k$. Let $f$ be $f : \{0,1\}^* \to \{0,1\}^*$. Then $f$ is a one-way function if

1. $f$ is easy to compute. For all $n$ and $x \in \{0,1\}^n$, there is a deterministic polynomial time algorithm $f_{\mathrm{eval}}$ such that $f_{\mathrm{eval}}(x) = f(x)$.
2. $f$ is hard to invert. For all probabilistic polynomial time algorithms $A$,

$$\Pr\left[x \leftarrow \{0,1\}^n,\ y = f(x),\ x' \leftarrow A(1^n, y) \mid f(x') = y\right] < \frac{1}{2^k}.$$

In addition to the one-wayness property of the encryption function, we also require Bob, who possesses the private key $s_k$, to decrypt the message. So we allow the decryption to be possible using a trapdoor, secret information that allows the encryption function to be inverted easily. Such functions are called one-way trapdoor functions.

These one-way trapdoor functions are the building blocks of modern cryptosystems based on computational number theoretic assumptions such as the integer factorization and discrete logarithm problems.

1.2 The integer factorization problem and RSA cryptosystem

Definition 1.2.1. (Integer Factorization Problem) Let $N$ be a positive composite integer. The integer factorization problem is to find the prime factorization of $N$ and write $N$ as

$$N = \prod_{i=1}^{k} p_i^{e_i},$$

where $e_i \ge 1$ and the primes $p_i$ are pair-wise co-prime.

The integer factorization problem is a well-studied problem and it is one of the number theoretic computational problems believed to be a candidate for a one-way function. The RSA [RSA78] public key cryptosystem is based on the intractability assumption of factoring a large composite integer $N = pq$, where $p$ and $q$ are two distinct primes. The integer $N$ is called the modulus.

The "naive" RSA cryptosystem is composed of the following algorithmic functions (see Chapter 24 Section 1 page 486 of [Gal12]).

KeyGen($k$): On input a security parameter $k$, the probabilistic polynomial time key generation algorithm KeyGen($k$) generates two distinct primes $p$ and $q$ of size approximately $k/2$ bits each and sets $N = pq$. It chooses a random integer $e$ co-prime to $p-1$ and $q-1$ such that $p, q \not\equiv 1 \pmod{e}$, and computes $d = e^{-1} \pmod{\lambda(N)}$, where $\lambda(N) = \mathrm{LCM}(p-1, q-1)$ is the Carmichael lambda function. The key generation algorithm then outputs $s_k = (N, d)$ as the private key and $p_k = (N, e)$ as the public key. Note that LCM stands for least common multiple.

Encrypt($p_k$, $m$): Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_N^*$ be the plaintext and ciphertext spaces. The polynomial time encryption algorithm Encrypt($p_k$, $m$) takes the public key $p_k$ and $m \in \mathcal{P}$ as input and outputs $c = m^e \pmod{N}$, where $c \in \mathcal{C}$ is the encryption of the message $m$.

Decrypt($c$, $s_k$): The deterministic polynomial time decryption algorithm Decrypt($c$, $s_k$) takes the private key $s_k$ and the ciphertext $c$ as input and outputs $m = c^d \pmod{N}$. It is required that

$$\mathrm{Decrypt}(\mathrm{Encrypt}(p_k, m), s_k) = m.$$

Sign($m$, $s_k$): On input the private key parameter $s_k$ and a message $m$, the probabilistic polynomial time signing algorithm Sign($m$, $s_k$) outputs $s = m^d \pmod{N}$, a signature of the message $m$. Note that there are attacks, such as chosen-plaintext and chosen-ciphertext attacks, against this plain signature scheme. An actual signature algorithm uses padding schemes and hash functions.

Verify($m$, $s$, $p_k$): On input the public key parameter $p_k$, the signature $s$, and the message $m$, the deterministic polynomial time verification algorithm Verify($m$, $s$, $p_k$) computes $\tilde{m} \equiv s^e \pmod{N}$ and outputs valid if $\tilde{m} = m$, otherwise returns invalid.

For the encryption algorithm to be fast, it is tempting to take the public key $e$ to be small, such as $e \in \{2^4+1, 2^{16}+1\}$. The Rabin cryptosystem is a special type of RSA cryptosystem with $e = 2$ and the primes $p$ and $q$ are selected to satisfy $p \equiv q \equiv 3 \pmod{4}$ to simplify computations. We refer to Chapter 24 Section 2 page 491 of [Gal12] for details.

To encrypt a message $m$ given the public parameters $p_k = (N, e)$, we compute $c \equiv m^e \pmod{N}$. The corresponding private key $s_k = (N, d)$ acts as a trapdoor. Whereas in the signature scheme, the holder of the private key parameters signs a message or a document using the private key parameters. One can then verify that indeed the message or document is signed by whoever claims to be the legitimate signer.

Definition 1.2.2. (RSA Problem) Let $c \equiv m^e \pmod{N}$, where $N = pq$ is a product of two distinct primes. The RSA problem is to recover $m$ given $c$ and the public key parameters $p_k = (N, e)$. In other words, the RSA problem is computing the $e$-th root modulo $N$.

If factoring is easy, clearly breaking the RSA cryptosystem is easy too. We factor $N$ to get its two prime factors $p$ and $q$, and we compute $\lambda(N) = \mathrm{LCM}(p-1, q-1)$. Finally we recover $d$ by computing $e^{-1} \pmod{\lambda(N)}$ using the extended Euclidean algorithm. So in order for the RSA cryptosystem to be secure, $p$ and $q$ should be large primes such that it is computationally infeasible to factor $N$ with current methods.

1.3 Integer factorization algorithms

1.3.1 Pollard p−1 algorithm

Definition 1.3.1. (B-Smooth) Let $N = \prod_{i=1}^{r} p_i^{e_i}$ be a positive integer, where the $p_i$ are distinct primes and $e_i \ge 1$. Let $B$ be some positive integer. If $p_i \le B$ for $1 \le i \le r$, then $N$ is called B-Smooth, and if $p_i^{e_i} \le B$ for $1 \le i \le r$, then $N$ is called B-Power Smooth.

Let $p$ be a prime divisor of $N$ and $B$ be a smoothness bound. The idea behind the Pollard $p-1$ algorithm [Pol74] is that if $p-1$ is B-Power Smooth, then we can find a non-trivial factor of $N$. Indeed if $p-1$ is B-Power Smooth, then $(p-1) \mid B!$. We refer to Chapter 12 Section 3 of the book [Gal12] and Chapter 5 Section 6 of the book [Sti56] for reference.

Let $a \in \mathbb{Z}/N\mathbb{Z}$ be a random element. Starting from $b = a$, the Pollard $p-1$ algorithm iteratively computes

$$b \leftarrow b^j \pmod{N} \quad \text{for } 2 \le j \le B.$$

At the end of the iteration, we observe that $b \equiv a^{B!} \pmod{N}$. Since $p \mid N$, we have $b \equiv a^{B!} \pmod{p}$. By Fermat's little theorem $a^{B!} \equiv 1 \pmod{p}$ and hence,

$$b \equiv a^{B!} \equiv 1 \pmod{p} \implies p \mid (b-1).$$

Since $p$ divides both $N$ and $b-1$, with high probability we can find a non-trivial factor $d \notin \{1, N\}$ by computing

$$d = \mathrm{GCD}(b-1, N).$$

Lemma 1.3.2. Let $N$ be an odd composite integer and $B$ be a bound for smoothness. Then the Pollard $p-1$ factorization algorithm has a total complexity of

$$O\left(B \log B (\log N)^2 + (\log N)^3\right)$$

bit operations.

The running time of the Pollard $p-1$ algorithm is exponential in $B$. So it is effective for small bound $B$.
This restricts $N$ to have a prime factor $p$ such that $p-1$ has small prime factors. This makes it impractical for factoring an RSA modulus $N$.

1.3.2 The elliptic curve factorization method

The elliptic curve factorization method [Len87] uses the same concepts as the Pollard $p-1$ factorization algorithm. Instead of working with the group $\mathbb{Z}_N^*$ as in the Pollard $p-1$ factorization algorithm, we work over an elliptic curve. The requirement that $p-1$ is B-Smooth is also relaxed with this method.

Let $N = pq$ where $p$ and $q$ are prime factors. The elliptic curve factorization method proceeds by randomly choosing $x_1$, $y_1$, and $a$ from the set $\{2, \dots, N-1\}$ to form a random elliptic curve $E$ (see Chapter 2 Section 2.2 for the elliptic curve definition)

$$E : y^2 z = x^3 + a x z^2 + b z^3$$

over $\mathbb{Z}/N\mathbb{Z}$ such that $b = y_1^2 - x_1^3 - a x_1 \pmod{N}$. Note that by the Chinese remainder theorem

$$E(\mathbb{Z}_N) \cong E(\mathbb{F}_p) \times E(\mathbb{F}_q).$$

We observe that $P = (x_1 : y_1 : 1)$ is a point on the elliptic curve $E$. The algorithm sets $Q = P$ and iteratively computes

$$Q \leftarrow [j]Q \quad \text{for } 2 \le j \le B.$$

At the end of the iteration, we get $Q = [B!]P \in E(\mathbb{F}_p)$. We hope $\#E(\mathbb{F}_p)$ to be B-Smooth so that $\#E(\mathbb{F}_p) \mid B!$, which implies $Q$ will be the identity element $(0 : 1 : 0)$. Since the $z$ coordinate is zero, it must be the case that $p \mid z$. With high probability computing $\mathrm{GCD}(z, N)$ gives a non-trivial factor of $N$, where GCD stands for greatest common divisor.

Lemma 1.3.3. Let $N$ be an odd composite positive integer and denote by $p$ the smallest prime factor of $N$. The elliptic curve factorization method has an asymptotic complexity of

$$O\left(e^{(1+o(1))\sqrt{2 \ln p \ln\ln p}} (\log N)^2\right)$$

bit operations.

Unlike the Pollard $p-1$ algorithm, if the elliptic curve factorization method fails, we can pick a different elliptic curve and it is likely that eventually $\#E(\mathbb{F}_p)$ is B-smooth.

1.3.3 The quadratic sieve factorization method

Let $N$ be an RSA modulus that we would like to factor. The idea of the quadratic sieve factorization algorithm [CP05] is based on the observation that if $x^2 \equiv y^2 \pmod{N}$ such that $x \ne \pm y$, then $\mathrm{GCD}(x-y, N)$ and $\mathrm{GCD}(x+y, N)$ are non-trivial factors of $N$. In this case, we have

$$(x-y)(x+y) \equiv 0 \pmod{N} \implies N \mid (x-y)(x+y).$$
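
The argument of Sections 1.2 and 1.3.1 as runnable Python, added here as an illustration and not code from the thesis: a key check that runs the Pollard p−1 iteration on a modulus and, if it splits, recomputes d = e^−1 (mod λ(N)) from the factors. The function names and the toy primes (2521, 1283, 1019) are constructed for the example.

```python
from math import gcd

def lcm(a, b):
    return a * b // gcd(a, b)

def rsa_keygen(p, q, e):
    """KeyGen for given primes: d = e^-1 mod lambda(N), lambda(N) = LCM(p-1, q-1)."""
    lam = lcm(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be co-prime to p-1 and q-1")
    N = p * q
    return (N, e), (N, pow(e, -1, lam))      # p_k = (N, e), s_k = (N, d)

def pollard_p_minus_1(N, B, a=2):
    """b <- b^j (mod N) for 2 <= j <= B, so b = a^(B!); then d = GCD(b-1, N)."""
    b = a % N
    for j in range(2, B + 1):
        b = pow(b, j, N)
    d = gcd(b - 1, N)
    return d if 1 < d < N else None          # None: no non-trivial factor found

def audit_modulus(N, e, B):
    """Return the private exponent d if N splits under bound B, else None."""
    p = pollard_p_minus_1(N, B)
    if p is None:
        return None
    q = N // p
    return pow(e, -1, lcm(p - 1, q - 1))

# Constructed toy primes (real moduli use primes of about k/2 bits each).
WEAK_P = 2521      # p - 1 = 2520 = 2^3 * 3^2 * 5 * 7, which divides 10!
Q = 1283           # q - 1 = 2 * 641, 641 prime
STRONG_P = 1019    # p - 1 = 2 * 509, 509 prime

if __name__ == "__main__":
    (N, e), (_, d) = rsa_keygen(WEAK_P, Q, 17)
    c = pow(424242, e, N)
    found = audit_modulus(N, e, B=10)
    print("weak modulus:  d recovered =", found == d,
          "| plaintext =", pow(c, found, N))
    print("strong modulus:", audit_modulus(STRONG_P * Q, 17, B=10))
```

With B = 10 the first modulus splits because 2520 divides 10!, while the second survives because both p−1 and q−1 contain a prime far above the bound.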
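
Section 1.3.2 as an added Python example (not from the thesis), showing the retry over curves on a modulus where neither p−1 nor q−1 is smooth. It departs from the text in two labelled ways: it uses affine coordinates, so the factor appears as a non-invertible slope denominator rather than as GCD(z, N) of a projective point, and it walks a fixed sequence of (x1, y1, a) instead of random choices so that runs are reproducible; all names and the toy modulus are constructed.

```python
from math import gcd

class FactorFound(Exception):
    """A slope denominator shares the factor g with N."""
    def __init__(self, g):
        super().__init__(g)
        self.g = g

def _inverse(v, N):
    g = gcd(v % N, N)
    if g != 1:
        raise FactorFound(g)       # not invertible modulo N
    return pow(v % N, -1, N)

def ec_add(P, Q, a, N):
    """Affine addition on y^2 = x^3 + a*x + b over Z/NZ (None = identity)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % N == 0:
        return None                # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + a) * _inverse(2 * y1, N) % N
    else:
        lam = (y2 - y1) * _inverse(x2 - x1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    return x3, (lam * (x1 - x3) - y1) % N

def ec_mul(k, P, a, N):
    """[k]P by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, N)
        P = ec_add(P, P, a, N)
        k >>= 1
    return R

def ecm(N, B, curves):
    """Try up to `curves` curves; return a non-trivial factor of N or None."""
    for i in range(curves):
        x1, y1, a = 2 + i, 3 + 2 * i, 5 + 3 * i   # fixed sequence, not random
        b = (y1 * y1 - x1 ** 3 - a * x1) % N      # so (x1, y1) lies on E
        g = gcd(4 * a ** 3 + 27 * b * b, N)       # singular curve modulo a factor
        if g == N:
            continue
        if g > 1:
            return g
        Q = (x1, y1)
        try:
            for j in range(2, B + 1):             # Q <- [j]Q, ending at [B!]P
                Q = ec_mul(j, Q, a, N)
        except FactorFound as hit:
            if hit.g < N:
                return hit.g                      # identity modulo one prime only
        # otherwise this curve failed: pick a different one
    return None

# Constructed modulus: p - 1 = 2 * 509 and q - 1 = 2 * 641, so neither is 30-smooth.
N_DEMO = 1019 * 1283

if __name__ == "__main__":
    print(ecm(N_DEMO, B=30, curves=200))
```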
