Pairing Pseudoprimes - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Pairing Pseudoprimes
  • Michael Scott

2
Summary of the talk
  • What is a pseudoprime?
  • What is a pairing?
  • What is a pairing pseudoprime?

3
What is a pseudoprime 1
  • Start with a condition which is always true for a
    prime n.
  • For example, Fermat's Little Theorem:
  • $a^{n-1} \bmod n = 1$, which is true for all prime n.
  • Try and turn this around to create a primality
    proof.
  • So n is prime iff $a^{n-1} \bmod n = 1$ ???

4
What is a pseudoprime 2
  • Alas no. As a primality test it is fooled by
    pseudoprimes.
  • So try a different value for a?
  • Carmichael numbers (e.g. 561) fool this test for
    any a.
  • Many other primality tests exist, but for most
    pseudoprimes are known to exist and have been
    found.

5
What is a pseudoprime 3
  • Some tests do exist for which there is no known
    pseudoprime.
  • A Lucas test combined with an SPRP test to the
    base 2 admits no known pseudoprimes; in fact there is a
    prize of 620 if one is found.
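
An added Python example (not part of the slides): the Fermat test from slide 3 beside the base-2 SPRP test and a Lucas test, combined as on this slide. The Lucas parameters follow Selfridge's method (first D in 5, -7, 9, -11, ... with Jacobi symbol -1, P = 1, Q = (1 - D)/4), which is an assumption because the slide does not say which Lucas test is meant; all function names are illustrative.

```python
from math import gcd, isqrt

def fermat(n, a):                 # slide 3: is a^(n-1) mod n equal to 1?
    return pow(a, n - 1, n) == 1

def sprp(n, a=2):                 # strong probable-prime test, odd n > 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    return pow(a, d, n) == 1 or any(pow(a, d << r, n) == n - 1 for r in range(s))

def jacobi(a, n):                 # Jacobi symbol (a/n), odd n > 0
    a, t = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                t = -t
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            t = -t
        a %= n
    return t if n == 1 else 0

def lucas(n):                     # is U_(n+1) = 0 mod n, with P = 1, Q = (1 - D)/4?
    if isqrt(n) ** 2 == n:        # a square never yields Jacobi symbol -1
        return False
    D = 5
    while jacobi(D, n) != -1:     # Selfridge: D = 5, -7, 9, -11, ...
        if 1 < gcd(D, n) < n:     # D shares a proper factor with n
            return False
        D = -D - 2 if D > 0 else -D + 2
    Q, inv2 = (1 - D) // 4, (n + 1) // 2   # inv2 is 1/2 mod odd n
    U, V, Qk = 1, 1, Q            # U_1, V_1, Q^1
    for bit in bin(n + 1)[3:]:
        U, V, Qk = U * V % n, (V * V - 2 * Qk) % n, Qk * Qk % n
        if bit == "1":
            U, V, Qk = (U + V) * inv2 % n, (D * U + V) * inv2 % n, Qk * Q % n
    return U == 0

def combined(n):                  # slide 5: base-2 SPRP together with Lucas
    if n < 3 or n % 2 == 0:
        return n == 2
    return sprp(n) and lucas(n)
```

Here 561 passes `fermat` for every base coprime to it and 2047 passes `sprp`, yet `combined` rejects both.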

6
What is a pseudoprime 4
  • True primality proofs do exist, but they are
    complex and rather slow (ECPP, APRT-CL), and not
    strictly polynomial time.
  • Recently and famously, Agrawal, Kayal and Saxena
    (AKS) discovered a polynomial time primality
    proving algorithm, but still too slow in
    practice?

7
What is a pseudoprime 5
  • However in the AKS paper there is this
    conjecture-

8
What is a pseudoprime 6
  • This is quite simple and fast, and again there
    are no known pseudoprimes, although Lenstra and
    Pomerance give an argument that pseudoprimes do
    in fact exist (and that the conjecture is false).
  • There is still a need in crypto for a small,
    fast, simple prime prover (say to prove that p
    and q are really prime for RSA in a small
    embedded processor)

9
What is a pairing 1
  • There is the Weil pairing, the Tate pairing (and
    now the $\eta_T$ pairing!)
  • Takes as parameters two linearly independent
    r-torsion points.
  • Evaluates as an element of $\mathbb{F}_{p^k}$ and an r-th root
    of unity, where k is the embedding degree.
  • Denoted $\hat{e}(P,Q)$ on supersingular curves.

10
What is a pairing 2
  • The pairing has lots of useful structure and many
    interesting properties, primarily the property of
    bilinearity
  • $\hat{e}(aP,bQ) = \hat{e}(bP,aQ) = \hat{e}(P,Q)^{ab}$
  • This property permits IBE and many other useful
    crypto protocols.

11
What is a pairing pseudoprime 1
  • We have the following condition:
  • If $n > 3$ is a prime and $n \equiv 3 \pmod 4$ then the
    elliptic curve $y^2 = x^3 - ax \bmod n$ is supersingular,
    and has an embedding degree of 2 (Menezes).
  • The Tate pairing is well-defined on this curve.
  • The number of points on the curve is $n+1$.
12
What is a pairing pseudoprime 2
  • Can this be turned around to give a good
    primality test for $n \equiv 3 \pmod 4$ ??
  • The bilinearity property is only guaranteed if n
    is prime.
  • So construct a primality test and implement it,
    and try to find pseudoprimes (hopefully can't
    find any!)

13
What is a pairing pseudoprime 3
  • Classic pairing algorithm may fail with a
    composite n using affine coordinates for the
    points. (Could detect these failures and declare
    n a composite, but that would be cheating!) So
    implement an inversion-free projective-coordinate
    version of the Tate pairing.

14
What is a pairing pseudoprime 4
  • The pairing pseudoprime test: initialization
    phase
  • Choose a curve parameter a and an initial point
    P. (One simple idea: choose a rational point on
    the curve, for example choose $a = 12$, $P = (-2, 4)$.
    Observe that this point is on the curve $y^2 = x^3 - ax$
    for any n.)

15
What is a pairing pseudoprime 5
  1. Input number $n > 3$ and $n \equiv 3 \pmod 4$
  2. If $\gcd(a,n) \ne 1$ declare n composite and exit
  3. If P is of order 2 or of order 4 then try another
     P and goto 1.
  4. If $\hat{e}(P,P)^{n+1} \ne 1$ declare n composite and exit
  5. If $\hat{e}(P,P)^2 \ne \hat{e}(2P,P)$ or $\hat{e}(P,P)^2 \ne \hat{e}(P,2P)$ declare
     n composite and exit.
  6. Declare n as a probable prime.

16
What is a pairing pseudoprime 6
  • Note that line 4 is very like a Fermat test;
    this eliminates most non-primes.
  • The simple bilinearity test seems to eliminate
    any composites that survive.
  • The idea can be extended to $n \equiv 2 \pmod 3$ using the
    other supersingular curve $y^2 = x^3 + b$.
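
An added Python example of the procedure on slides 14 and 15; it is not the isap.cpp program from the talk. Assumptions not stated on the slides: Jacobian coordinates, the distortion map (x, y) -> (-x, iy) into Z_n[i], a Miller loop over n+1 followed by exponentiation by n-1, and all function names. With a = 12 and P = (-2, 4), 2P is (4, -4) already over the rationals, so step 3 never triggers.

```python
from math import gcd

A, P, TWO_P = 12, (-2, 4), (4, -4)   # slide 14's a and P; 2P needs no inversion

def mul(u, v, n):                    # multiply in Z_n[i], with i*i = -1
    return ((u[0]*v[0] - u[1]*v[1]) % n, (u[0]*v[1] + u[1]*v[0]) % n)

def power(u, e, n):                  # square-and-multiply in Z_n[i]
    r = (1, 0)
    while e:
        r = mul(r, u, n) if e & 1 else r
        u, e = mul(u, u, n), e >> 1
    return r

def dbl(T, Q, n):                    # 2T, and the tangent at T evaluated at (-xQ, i*yQ)
    (X, Y, Z), (xq, yq) = T, Q
    M, S = 3*X*X - A*Z**4, 4*X*Y*Y
    X3, Z3 = M*M - 2*S, 2*Y*Z
    Y3 = M*(S - X3) - 8*Y**4
    line = ((M*(xq*Z*Z + X) - 2*Y*Y) % n, Z3*Z*Z*yq % n)
    return (X3 % n, Y3 % n, Z3 % n), line

def add(T, B, Q, n):                 # T + B (B affine), and the chord at (-xQ, i*yQ)
    (X, Y, Z), (xb, yb), (xq, yq) = T, B, Q
    if Z == 0:                       # T is the point at infinity
        return (xb % n, yb % n, 1), (1, 0)
    H, R = (xb*Z*Z - X) % n, (yb*Z**3 - Y) % n
    if H == 0 and R == 0:            # T equals B: the chord is the tangent
        return dbl(T, Q, n)
    X3, Z3 = R*R - H**3 - 2*X*H*H, Z*H
    Y3 = R*(X*H*H - X3) - Y*H**3
    line = ((R*(xq + xb) - Z3*yb) % n, Z3*yq % n)
    return (X3 % n, Y3 % n, Z3 % n), line

def tate(B, Q, n):                   # Miller loop over n+1, then power n-1; no inversions
    T, f = (B[0] % n, B[1] % n, 1), (1, 0)
    for bit in bin(n + 1)[3:]:
        T, l = dbl(T, Q, n)
        f = mul(mul(f, f, n), l, n)
        if bit == "1":
            T, l = add(T, B, Q, n)
            f = mul(f, l, n)
    return power(f, n - 1, n)

def is_pairing_probable_prime(n):
    assert n > 3 and n % 4 == 3      # step 1
    if gcd(A, n) != 1 or power(e := tate(P, P, n), n + 1, n) != (1, 0):
        return False                 # steps 2 and 4
    return mul(e, e, n) == tate(TWO_P, P, n) == tate(P, TWO_P, n)   # steps 5 and 6
```

Which composites are rejected depends on these implementation choices (scalar factors only cancel when n is prime), so results for composite n need not match the original program's.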

17
What is a pairing pseudoprime 7
  • Numerical results: tested up to $10^9$
  • No pseudoprimes found (so far!)
  • The test can be stressed by trying a different
    curve parameter a and a different point P.
  • Can you find a pseudoprime for any a or P ???
  • Test program from ftp://ftp.computing.dcu.ie/pub/resources/crypto/isap.cpp

18
What is a pairing pseudoprime 7
  • Reward of one pint of Guinness for first person
    to succeed in finding a pairing pseudoprime!!!
  • Good news: it's inflation proof.
  • Bad news: you have to come to Ireland to
    collect.

19
The End
  • I am not making any extravagant claims!
  • Pairing Pseudoprimes probably do exist!
  • The test is described in the context of pairings,
    so maybe something can be proved about it or
    about some variant of it?