Progress in Computer Science and Applied Logic, Volume 20

Editor: John C. Cherniavsky, National Science Foundation
Associate Editors: Robert Constable, Cornell University; Jean Gallier, University of Pennsylvania; Richard Platek, Cornell University; Richard Statman, Carnegie-Mellon University

Cryptography and Computational Number Theory

Kwok-Yan Lam, Igor Shparlinski, Huaxiong Wang, Chaoping Xing (Editors)

Springer Basel AG

Editors:
Kwok-Yan Lam, Department of Computer Science, National University of Singapore, 2 Science Drive 2, Singapore 117543; e-mail: [email protected]
Igor Shparlinski, Department of Computing, Macquarie University, NSW 2109, Australia; e-mail: [email protected]
Huaxiong Wang, Department of Computer Science, University of Wollongong, NSW 2522, Australia; e-mail: [email protected]
Chaoping Xing, Department of Mathematics, National University of Singapore, 2 Science Drive 2, Singapore 117543; e-mail: [email protected]

2000 Mathematics Subject Classification: 11Yxx, 11Txx, 94Axx, 68P25

A CIP catalogue record for this book is available from the Library of Congress, Washington D.C., USA

Deutsche Bibliothek Cataloging-in-Publication Data
Cryptography and computational number theory : workshop in Singapore 1999 / Kwok-Yan Lam ed. - Basel ; Boston ; Berlin : Birkhäuser, 2001 (Progress in computer science and applied logic ; Vol. 20)
ISBN 978-3-0348-9507-1
ISBN 978-3-0348-8295-8 (eBook)
DOI 10.1007/978-3-0348-8295-8

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, broadcasting, reproduction on microfilms or in other ways, and storage in data banks. For any kind of use whatsoever, permission from the copyright owner must be obtained.
© 2001 Springer Basel AG
Originally published by Birkhäuser Verlag, Basel in 2001
Member of the BertelsmannSpringer Publishing Group
Printed on acid-free paper produced of chlorine-free pulp. TCF

Contents

Preface ... vii

Computational Number Theory

C. Alonso, J. Gutierrez and R. Rubio: On the Dimension and the Number of Parameters of a Unirational Variety ... 3
A. Conflitti: On Elements of High Order in Finite Fields ... 11
C. Ding, D.R. Kohel and S. Ling: Counting the Number of Points on Affine Diagonal Curves ... 15
J. Friedlander, C. Pomerance and I.E. Shparlinski: Small Values of the Carmichael Function and Cryptographic Applications ... 25
J. von zur Gathen and F. Pappalardi: Density Estimates Related to Gauss Periods ... 33
W. Han: Distribution of the Coefficients of Primitive Polynomials over Finite Fields ... 43
J. Hoffstein and D. Lieman: The Distribution of the Quadratic Symbol in Function Fields and a Faster Mathematical Stream Cipher ... 59
D. Kohel: Rational Groups of Elliptic Curves Suitable for Cryptography ... 69
K.Y. Lam and F. Sica: Effective Determination of the Proportion of Split Primes in Number Fields ... 81
P. Mihailescu: Algorithms for Generating, Testing and Proving Primes: A Survey ... 93
R. Peralta: Elliptic Curve Factorization Using a "Partially Oblivious" Function ... 123
A.J. van der Poorten: The Hermite-Serret Algorithm and $12^2 + 33^2$ ... 129
C.P. Xing: Applications of Algebraic Curves to Constructions of Sequences ... 137

Cryptography

N. Alexandris, M. Burmester, V. Chrissikopoulos and Y. Desmedt: Designated 2-Verifier Proofs and their Application to Electronic Commerce ... 149
E. Dawson, L. Simpson and J. Golic: Divide and Conquer Attacks on Certain Irregularly Clocked Stream Ciphers ... 165
A. De Bonis and A. De Santis: New Results on the Randomness of Visual Cryptography Schemes ... 187
D. Gollmann: Authentication - Myths and Misconceptions ... 203
M.I. Gonzalez Vasco and M. Naslund: A Survey of Bit-security and Hard Core Functions ... 227
M.I. Gonzalez Vasco and I.E. Shparlinski: On the Security of Diffie-Hellman Bits ... 257
J. Hoffstein and J.H. Silverman: Polynomial Rings and Efficient Public Key Authentication II ... 269
P. Mihailescu: Security of Biased Sources for Cryptographic Keys ... 287
M. Naslund and A. Russell: Achieving Optimal Fairness from Biased Coinflips ... 303
P.Q. Nguyen: The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA ... 321
P.Q. Nguyen, I.E. Shparlinski and J. Stern: Distribution of Modular Sums and the Security of the Server Aided Exponentiation ... 331
R. Safavi-Naini and W. Susilo: A General Construction for Fail-Stop Signatures using Authentication Codes ... 343
R. Safavi-Naini and H. Wang: Robust Additive Secret Sharing Schemes over $\mathbb{Z}_m$ ... 357
R.D. Silverman: RSA Public Key Validation ... 369

Preface

This volume contains the refereed proceedings of the Workshop on Cryptography and Computational Number Theory, CCNT'99, which was held in Singapore during the week of November 22-26, 1999. The workshop was organized by the Centre for Systems Security of the National University of Singapore.
We gratefully acknowledge the financial support from the Singapore National Science and Technology Board under grant number RP960668/M.

The idea for this workshop grew out of the recognition of the recent, rapid development in various areas of cryptography and computational number theory. The event followed the concept of the research programs at such well-known research institutions as the Newton Institute (UK), Oberwolfach and Dagstuhl (Germany), and Luminy (France). Accordingly, there were only invited lectures at the workshop, with plenty of time for informal discussions. It was hoped, and successfully achieved, that the meeting would encourage and stimulate further research in information and computer security as well as in the design and implementation of number theoretic cryptosystems and other related areas. Another goal of the meeting was to stimulate collaboration and more active interaction between mathematicians, computer scientists, practical cryptographers and engineers in academia, industry and government.

Talks concerning many different aspects of cryptography and computational number theory, such as theory, techniques, applications and practical experiences, were given. Some other related areas of number theory and computer science were covered as well. These include, but are not limited to, talks devoted to

- new cryptographic systems and protocols;
- new attacks on existing cryptosystems;
- new cryptographic paradigms such as visual and audio cryptography;
- pseudorandom number generators and stream ciphers;
- primality proving and integer factorization;
- fast algorithms;
- cryptographic aspects of the theory of elliptic and higher genus curves;
- polynomials over finite fields;
- analytic number theory.

Some of the talks, and their associated papers, were surveys giving comprehensive state-of-the-art outlines of some number theoretic research areas of significance to cryptography.
Some were descriptions of new original results and ideas for which this workshop provided the first forum where they were publicly presented.

The contents of this volume reflect the whole variety of the topics which were considered at the workshop. We believe it will provide a valuable contribution to, and stimulate further progress of, cryptography and computational number theory.

The Organizers:
Kwok-Yan Lam (National University of Singapore)
Igor Shparlinski (Macquarie University, Australia)
Huaxiong Wang (University of Wollongong, Australia)
Chaoping Xing (National University of Singapore)

Computational Number Theory

Progress in Computer Science and Applied Logic, Vol. 20
© 2001 Birkhäuser Verlag Basel/Switzerland

On the Dimension and the Number of Parameters of a Unirational Variety

Cesar Alonso, Jaime Gutierrez, and Rosario Rubio

Abstract. In this paper we study the relation between the dimension of a parametric variety and the number of parameters. We present an algorithm to reparameterize a variety in order to obtain a parameterization where the number of parameters equals the dimension of the variety.

1. Introduction

Let $\mathbb{K}$ be an algebraically closed field of characteristic zero and $T = (T_1, \ldots, T_m)$ indeterminates over $\mathbb{K}$. Following the notation of [5], given $n$ rational functions in $\mathbb{K}(T)$,
$$F_1(T) = \frac{F_{1N}(T)}{F_{1D}(T)}, \ \ldots, \ F_n(T) = \frac{F_{nN}(T)}{F_{nD}(T)},$$
we consider $W = \bigcup_{1 \le i \le n} V(F_{iD}(T)) \subset \mathbb{K}^m$, where $V(F_{iD}(T))$ is the zero set of the polynomial $F_{iD}(T) \in \mathbb{K}[T]$, and the map $\varphi\colon (\mathbb{K}^m - W) \to \mathbb{K}^n$ such that
$$\varphi(t_1, \ldots, t_m) = (F_1(t_1, \ldots, t_m), \ldots, F_n(t_1, \ldots, t_m)).$$
An affine variety $V \subseteq \mathbb{K}^n$ is a parametric or unirational variety if there exists a collection of rational functions $F = \{F_1(T), \ldots, F_n(T)\}$ such that $V$ is the Zariski closure of $\varphi(\mathbb{K}^m - W)$. The set $F$ is a parameterization of $V$. Most affine varieties cannot be parameterized in the sense described above. In general, it is difficult to tell whether a given variety is unirational or not.
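The following script is an added illustration of the dimension-versus-parameters question the paper studies; it is not code from the paper or its authors. It computes $d = \dim(V)$ for a parameterization given as pairs of numerator and denominator polynomials $(F_{iN}, F_{iD})$, using the standard fact that over a field of characteristic zero the transcendence degree of $\mathbb{K}(F_1, \ldots, F_n)$ over $\mathbb{K}$ equals the generic rank of the Jacobian matrix $(\partial F_i / \partial T_j)$. Two practical points are built in: the rank at a random point outside $W$ is at most the generic rank and equals it with high probability (Schwartz-Zippel), so the script takes the maximum over several random rational points; and each Jacobian row is scaled by $F_{iD}^2$, which is nonzero off $W$ and leaves the rank unchanged, so only exact polynomial arithmetic over $\mathbb{Q}$ is needed. The polynomial representation, the rank routine and the sample parameterizations (`samples`) are all constructed for this example; the function names are the example's own.

```python
# Added example (not from the paper): dim V of a unirational variety from the
# generic rank of the Jacobian of its parameterization, over Q exactly.
# A polynomial in T_1..T_m is a dict {exponent tuple: Fraction coefficient};
# a rational function F_i is a pair (numerator, denominator) of such dicts.
from fractions import Fraction
import math
import random

def var(j, m):
    """The indeterminate T_j (0-based) among m indeterminates."""
    return {tuple(1 if k == j else 0 for k in range(m)): Fraction(1)}

def const(c, m):
    """The constant polynomial c in m indeterminates."""
    return {(0,) * m: Fraction(c)} if c else {}

def add(p, q):
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, Fraction(0)) + c
    return {e: c for e, c in r.items() if c != 0}

def mul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            r[e] = r.get(e, Fraction(0)) + c1 * c2
    return {e: c for e, c in r.items() if c != 0}

def neg(p):
    return {e: -c for e, c in p.items()}

def diff(p, j):
    """Formal partial derivative with respect to T_j."""
    r = {}
    for e, c in p.items():
        if e[j] > 0:
            e2 = e[:j] + (e[j] - 1,) + e[j + 1:]
            r[e2] = r.get(e2, Fraction(0)) + c * e[j]
    return r

def evaluate(p, point):
    """Evaluate p at a rational point with exact arithmetic."""
    return sum((c * math.prod(Fraction(x) ** k for x, k in zip(point, e)) for e, c in p.items()), Fraction(0))

def rank(rows):
    """Exact rank over Q by Gauss-Jordan elimination on Fractions."""
    m = [list(r) for r in rows]
    rk = 0
    for c in range(len(m[0]) if m else 0):
        piv = next((i for i in range(rk, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[rk], m[piv] = m[piv], m[rk]
        for i in range(len(m)):
            if i != rk and m[i][c] != 0:
                f = m[i][c] / m[rk][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[rk])]
        rk += 1
    return rk

def jacobian_rank_at(F, m, point):
    """Rank of (dF_i/dT_j) at point, or None if point lies in W. Row i is
    (N_i' D_i - N_i D_i') / D_i^2; scaling by D_i^2 (nonzero off W) keeps the rank."""
    rows = []
    for N, D in F:
        if evaluate(D, point) == 0:
            return None
        rows.append([evaluate(add(mul(diff(N, j), D), neg(mul(N, diff(D, j)))), point) for j in range(m)])
    return rank(rows)

def dimension(F, m, trials=5, seed=1):
    """dim V = trans.deg_K K(F_1..F_n) = generic Jacobian rank (char 0). The rank at
    a random point is <= the generic rank, equal w.h.p. (Schwartz-Zippel): take the max."""
    rng = random.Random(seed)
    best = 0
    for _ in range(trials):
        r = jacobian_rank_at(F, m, [rng.randint(-10**6, 10**6) for _ in range(m)])
        best = max(best, r or 0)
    return best

def samples():
    """Constructed sample parameterizations: name -> (F, number of parameters m)."""
    t, one1 = var(0, 1), const(1, 1)
    t1, t2, one2 = var(0, 2), var(1, 2), const(1, 2)
    s, tt = add(t1, t2), mul(t, t)
    return {
        # twisted cubic (t, t^2, t^3): one parameter, dimension 1
        "twisted_cubic": ([(t, one1), (tt, one1), (mul(tt, t), one1)], 1),
        # circle x = (1 - t^2)/(1 + t^2), y = 2t/(1 + t^2): genuinely rational, dimension 1
        "circle": ([(add(one1, neg(tt)), add(one1, tt)), (mul(const(2, 1), t), add(one1, tt))], 1),
        # (t1 + t2, (t1 + t2)^2): two parameters but dimension 1, the situation the paper reparameterizes
        "redundant": ([(s, one2), (mul(s, s), one2)], 2),
        # (t1, t2, t1*t2): a surface in K^3, dimension 2
        "surface": ([(t1, one2), (t2, one2), (mul(t1, t2), one2)], 2),
        # (t^2, t^4): dimension 1 but 2-to-1, i.e. not faithful; the Jacobian rank cannot see that
        "nonfaithful": ([(tt, one1), (mul(tt, tt), one1)], 1),
    }
```

Calling `dimension(F, m)` on each entry of `samples()` gives 1, 1, 1, 2 and 1. The "redundant" case shows two parameters describing a one-dimensional variety, which is exactly the gap the paper's reparameterization algorithm closes; the "nonfaithful" case is a reminder that the rank computation measures dimension only and says nothing about whether $\mathbb{K}(F_1, \ldots, F_n) = \mathbb{K}(T)$.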
It is well known that any parametric variety is irreducible; in fact, the coordinate ring of $V$ is isomorphic to $\mathbb{K}[F_1(T), \ldots, F_n(T)]$, that is,
$$\mathbb{K}[x_1, \ldots, x_n]/I(V) \cong \mathbb{K}[F_1(T), \ldots, F_n(T)],$$
where $I(V)$ is the polynomial ideal of $V$. So the dimension of $V$ is the transcendence degree of $\mathbb{K}(F_1(T), \ldots, F_n(T))$ over $\mathbb{K}$, that is,
$$d = \dim(V) = \operatorname{trans.deg}_{\mathbb{K}} \mathbb{K}(F_1(T), \ldots, F_n(T)).$$
A parameterization $F$ is called faithful if $\mathbb{K}(F_1(T), \ldots, F_n(T)) = \mathbb{K}(T)$. In geometric terms, this means there exists a one-to-one map from points of the variety to values of the parameters $T$, except on an algebraic set of dimension $d - 1$. If the parameterization is not faithful, naturally we would ask whether we can