pair
https://github.com/stefano81/dcpabe.git
Over prime fields, we call an elliptic curve E supersingular if #E(Fq) = q+1
(Weil reciprocity). Let f and g be non-zero functions on a curve such that (f) and (g) have disjoint supports. Then f(div(g)) = g(div(f)).
the entire group of points of order r on E(Fq), called the r-torsion, which is denoted by E[r] and defined as E[r] = {P ∈ E : [r]P = O}.
r | (q^k − 1)
http://gas.dia.unisa.it/projects/jpbc/docs/ecpg.html#TypeA1
A: y^2 = x^3 + x
f_param
struct fields:
q: the curve is defined over Fq
r: the order of the curve
b: E: y^2 = x^3 + b
beta: a quadratic nonresidue in Fq, used in the quadratic extension
alpha0, alpha1: x^6 + alpha0 + alpha1 sqrt(beta) is irreducible, used in the sextic extension
Consider E/F_1021 : y^2 = x^3 + 905x + 100, with group order #E(Fq) = 966 = 2 · 3 · 7 · 23, and generator P = (1006, 416). Suppose we are presented with an instance of the ECDLP: namely, we are given Q = (612, 827), and we seek to find k such that [k]P = Q. For the sake of the example, suppose our best "attack" is trivial: trying every multiple [i]P of P until we hit the correct one (i = k). Rather than seeking i in the full group (2 ≤ i ≤ 965), we can map the instance into each prime order subgroup by multiplying by the appropriate cofactor, and then solve for k_j ≡ k mod j, j ∈ {2, 3, 7, 23}.

For j = 2, we have P_j = P_2 = [966/2]P = [483](1006, 416) = (174, 0), and Q_j = Q_2 = [483](612, 827) = (174, 0), so Q_2 = [k_2]P_2 gives k_2 = 1.
For j = 3, we have P_3 = [322]P = (147, 933) and Q_3 = [322]Q = O, so Q_3 = [k_3]P_3 gives k_3 = 3.
For j = 7, we have P_7 = [138]P = (906, 201) and Q_7 = [138]Q = (906, 201), so Q_7 = [k_7]P_7 gives k_7 = 1.
For j = 23, we have P_23 = [42]P = (890, 665) and Q_23 = [42]Q = (68, 281). For Q_23 = [k_23]P_23, we exhaust k_23 ∈ {1, .., 22} to see that k_23 = 20.

Now, we can use the Chinese Remainder Theorem to solve k ≡ k_2 = 1 mod 2; k ≡ k_3 = 0 mod 3; k ≡ k_7 = 1 mod 7; k ≡ k_23 = 20 mod 23, which gives k ≡ 687 mod #E, solving the ECDLP instance.
ALGORITHM 8.5 The baby-step/giant-step algorithm (Introduction to Modern Cryptography, p. 294)
Input: Elements g ∈ G and y ∈ ⟨g⟩; the order q of g
Output: log_g y
  t := ⌊√q⌋
  for i = 0 to ⌊q/t⌋: compute g_i := g^{i·t}
  sort the pairs (i, g_i) by their second component
  for i = 0 to t: compute y_i := y · g^i
    if y_i = g_k for some k, return [kt − i mod q]

We show an application of the algorithm in the cyclic group Z*_29 of order q = 29 − 1 = 28. Take g = 2 and y = 17. We set t = 5 and compute 2^0 = 1, 2^5 = 3, 2^10 = 9, 2^15 = 27, 2^20 = 23, 2^25 = 11. (We omit the "mod 29" since it is understood that operations are in the group Z*_29.) Then compute 17·2^0 = 17, 17·2^1 = 5, 17·2^2 = 10, 17·2^3 = 20, 17·2^4 = 11, 17·2^5 = 22, and notice that 2^25 = 11 = 17·2^4. We thus have log_2 17 = 25 − 4 = 21.
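Added example (not from either book): the baby-step/giant-step routine of Algorithm 8.5, written generically over a group operation, checked on the Z*_29 instance above, and then reused as the per-subgroup solver inside the Pohlig-Hellman decomposition on the toy curve E/F_1021 from the earlier ECDLP example. Affine point arithmetic, the CRT combination and all function names are this example's own; it is sized for toy parameters only.

```python
from math import isqrt

P_MOD, A, B = 1021, 905, 100   # E/F_1021: y^2 = x^3 + 905x + 100 (values from the text)

def ec_add(P, Q):
    """Affine addition on E(F_p); None stands for the point at infinity O."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:   # P = -Q (includes doubling a 2-torsion point)
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    """Double-and-add scalar multiplication [k]P."""
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def bsgs(mul, pw, g, y, q):
    """Algorithm 8.5: log_g y in a group of order q; mul(a, b) and pw(k, g) supply the group."""
    t = isqrt(q)
    table = {pw(i * t, g): i for i in range(q // t + 1)}   # giant steps g^(i*t), keyed for lookup
    yi = y
    for i in range(t + 1):                                  # baby steps y * g^i
        if yi in table:
            return (table[yi] * t - i) % q
        yi = mul(yi, g)
    return None

def pohlig_hellman_ec(P, Q, order, primes):
    """Solve [k]P = Q: project into each prime-order subgroup, then recombine with the CRT."""
    k, m = 0, 1
    for j in primes:
        Pj, Qj = ec_mul(order // j, P), ec_mul(order // j, Q)   # cofactor multiplication
        kj = bsgs(ec_add, ec_mul, Pj, Qj, j)                    # k mod j
        k = (k + m * ((kj - k) * pow(m, -1, j) % j)) % (m * j)  # CRT: k mod m, kj mod j -> k mod m*j
        m *= j
    return k

if __name__ == "__main__":
    print(bsgs(lambda a, b: a * b % 29, lambda k, g: pow(g, k, 29), 2, 17, 28))   # 21
    print(pohlig_hellman_ec((1006, 416), (612, 827), 966, [2, 3, 7, 23]))         # 687
```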
|#E(Fq) − (q + 1)| ≤ 2√q.