椭圆曲线加密数学基础
椭圆加密数学基础
有限群
- 记有一个集合\(S\), 及定义在\(S\)上的满足如下性质的二元运算\(\oplus\), 则\((S,\oplus)\)称为群:
- 封闭性: 对\(\forall a, b\in S\), 有\(a\oplus b \in S\).
- 单位元: 存在一个唯一的元素\(e \in S\), 满足\(\forall a \in S, e\oplus a = a\oplus e = a\), \(e\)称为该群的单位元;
- 结合律: \(\forall a, b, c \in S\), 满足\((a\oplus b)\oplus c=a\oplus(b\oplus c)\);
- 逆元: \(\forall a \in S\), 存在唯一的\(b \in S\), 满足\(a\oplus b = b\oplus a = e\);
- 记有一群\((S, \oplus)\):
- 若\(\forall a, b\in S\), 满足\(a\oplus b = b\oplus a\), 则该群称为交换群;
- 若\(|S|<\infty\), 则该群称为有限群;
- 记有一交换群\((S, \oplus)\). 若存在一种二元运算\(\odot\)满足以下性质, 则称其为环:
- 封闭性: 若\(\forall a,b \in S\), 满足\(a \odot c \in S\);
- 分配律: 若\(\forall a,b,c \in S\), 满足\(a\odot (b \oplus c) = (a\odot b)\oplus (a\odot c), (a \oplus b)\odot c = (a \odot c)\oplus (b\odot c)\);
- 记有一个环\((S, \oplus, \odot)\), 若其满足如下性质, 则称其为域:
- 对于\(\odot\)运算, 存在唯一的单位元\(g\), 满足\(g\in S, g\ne e, \forall a, a\odot g = g\odot a = a\);
- 对于\(\odot\)运算存在逆元, 对于\(\forall a\in S \land a \ne e\), 存在唯一的\(b\in S, a\odot b = b\odot a = g\);
- 对于\(\odot\)运算满足交换律, 即\(\forall a,b\in S, a\odot b = b\odot a\);
数论相关;
域\(F_q\)
记有一个正整数\(q\)
域\(F_p\)
- 若\(q \gt e\), 则整数集合\(F_p = \{0,1,2,\dots,q-1\}, p=q\)是一个域, 记为素数域\(F_p\), 其中:
- 定义\(\oplus\)运算为: \(\forall a,b \in F_p, a \oplus b = (a + b) \mod p\);
- 定义\(\odot\)运算为: \(\forall a,b \in F_p, a\odot b = (a \cdot b) \mod p\);
- \(e = 0\);
- \(g = 1\);
域\(F_{2^m}\)
若\(q = 2^m\), m是素数, 则长度为\(m\)的位字符串集合\(F_{2^m}\)是一个域;
\(F_{2^m}\)的多项式基表示
在\(F_2\)上的域\(F_{2^m}\)由度为\(m\)的不可约多项式\(f(x)\)定义, 多项式集\(\{x^{m-1}, x^{m-2},\dots,x,1\}\)构成了在\(F_2\)上的域\(F_{2^m}\)的基, \(a\in F_{2^M}, a=(a_{m-1}a_{m-2}\dots a_1 a_0), a(x) = a_{m-1}x^{m-1} + a_{m-2}x^{m-2}+\dots + a_1 x^1 + a_0\);
- \(\oplus\)定义为: \(\forall a,b\in F_{2^m}, a\oplus b = a \veebar b\). 这里的\(\veebar\)表示异或, 后续在不影响理解的情况下异或也会用符号\(\oplus\)表示;
- \(\odot\)定义为: \(\forall a,b\in F_{2^m}, a\odot b = r, r(x)=(a(x) \cdot b(x)) / f(x)\);
- \(e = 0\dots 00\);
- \(g = 0\dots 01\);
对于约化多项式\(f(x)\), 常用的由以下几种形式:
- 三项式: \(f(x) = x^m + x^k + 1, 1\le k \le m-1\);
- 五项式: \(f(x) = x^m + x^{k_3} + x^{k_2} + x^{k_1} + 1, \quad 1 \le k_1 \le k_2 \le k_3 \le m-1,\quad m \ge 4\);
\(F_{2^m}\)的高斯规范基表示
\(F_2\)上的域\(F_{2^m}\)的规范基形式为 \(N=\{\alpha,\alpha^2,\alpha^{2^2},\dots,\alpha^{2^{m-1}}\}, a\in F_{2^m}, a=(a_0 a_1\dots a_{m-1})\), 对于给定的素数\(m\)和偶正整数\(T\), 域\(F_{2^m}\)最多有一个类型为T的高斯规范基, 记作\(F_{2^m}\)的Type T型高斯规范基;
- \(\oplus\): \(\forall a,b \in F_{2^m}, a\oplus b = a \veebar b\);
- \(e=0\dots 00\);
- \(g = 1\dots 11\);
- \(\odot\):
- \(p = T\cdot m + 1\);
- 生成一个阶为\(T\)的整数\(u, |<u> \mod p|=T\);
- 计算序列\(F(1),F(2),\dots,F(p-1)\):
- \(w = 1\):
for j in 0..=(T-1):- \(n = w\);
for i in 0..=(m-1):- \(F(n) = i\);
- \(n = 2\cdot n \mod p\);
- \(w = u\cdot w\mod p\);
- \(c_0 = \sum_{k=1}^{p-2}a_{F(k+1)}b_{F(p-k)} = F(a,b)\);
- \(c=(c_0c_1\dots c_{m-1})=a\odot b=(a_0a_1\dots a_{m-1})\cdot (b_0b_1\dots b_{m-1})\):
- \(u=(u_0u_1\dots u_{m-1})=(a_0a_1\dots a_{m-1})\);
- \(v=(v_0v_1\dots v_{m-1})=(b_0b_1\dots b_{m-1})\);
for k in 0..=(m-1):- \(c_k=F(u,v)\);
- \(u = u \lll u, v = v \lll v\), \(\lll\)表示循环左移;
对于给定的素数\(m, T, T\mod 2 = 0\), \(F_{2^m}\)存在\(T\)型高斯规范基的存在可以通过如下算法判断:
- \(p = T\cdot m + 1\);
return false, if \(p\)不是素数;- 计算\(<2> \mod p\)的阶\(k\);
- \(h = T\cdot m / k\);
- \(d = gcd(h,m)\);
return d=1;
椭圆曲线
记有椭圆曲线\(y^2=x^3+ax+b\), 无穷远点记为\(\mathcal{O}\), 那么可定义如下运算:
- 记\((x_1, y_1), (x_2, y_2)\)为曲线上的两点:
- 定义\(\mathcal{O}+\mathcal{O}=\mathcal{O}\);
- 若\((x_2, y_2)\)为无穷远点\(\mathcal{O}\), 则定义\((x_1,y_1)+\mathcal{O}=(x_1,y_1)\);
- 若\(x_1\ne x_2\), 那么连接这两点的直线与曲线的交点记为\((x_3,y_3)\), 则定义加法运算有: \((x_1,y_1)+(x_2,y_2)=(x_3,-y_3)\);
- 若\(x_1=x_2, y_1\ne -y_2\), 那么定义逆元\((x_1,y_1)+(x_1,-y_1)=\mathcal{O}\);
- 若\((x_1, y_1), (x_2,y2)\)为曲线上的同一点, 那么曲线在该点的切线与曲线的交点记为\((x_3,y_3)\), 则定义二倍运算有: \(2(x_1,y_1)=(x_3,-y_3)\);
注: 下文中域元素的\(+, \cdot\), 对应的是上文中相应域中定义的\(\oplus, \odot\);
定义在域\(F_p\)的椭圆曲线
记有椭圆曲线\(y^2=x^3+ax+b\), 那么由等式\(y^2=x^3+ax+b\mod p, \{\forall a,b\in F_p, 4a^3+27b^2\not\equiv 0\mod p\}\)所有解\((x,y), x,y\in F_p\)及\(\mathcal{O}\)组成的集合记为\(E(F_p)\), 那么\(E(F_p)\)在如下二元运算定义下满足是一个有限交换群:
- \(\mathcal{O} + \mathcal{O} = \mathcal{O}\), \(\mathcal{O}\)即为该群的单位元;
- \((x,y)+\mathcal{O}=\mathcal{O}+(x,y), \forall (x,y) \in E(F_p)\);
- \((x,y)+(x,-y)=\mathcal{O}, \forall (x,y) \in E(F_p)\), 群中元素\((x,y)\)的逆\(-(x,y)\)即为\((x,-y)\);
- \(\forall (x_1, y_1) \in E(F_p), \forall (x_2,y_2) \in E(F_p), x_1\ne x_2\), 则有加法运算\((x_1,y_1)+(x_2,y_2)=(x_3,y_3)\). 其中, \(x_3\equiv \lambda^2-x_1-x_2\mod p, y_3\equiv \lambda(x_1-x_3)-y_1 \mod p, \lambda\equiv \frac{y_2-y_1}{x_2-x_1} \mod p\);
- \(\forall (x_1,y_1)\in E(F_p), y_1\ne 0\), 有加法运算\(2(x_1,y_1) = (x_1,y_1)+(x_1,y_1)=(x_3,y_3)\). 其中, \(x_3\equiv\lambda^2 - 2x_1 \mod p, y_3 \equiv\lambda(x_1-x_3)-y_1\mod p, \lambda\equiv\frac{3x_1^2+a}{2y_1}\mod p\);
Hasse定理: 交换群\(E(F_p)\)中的点的个数满足\(p+1-2\sqrt{p}\le \#(E(F_p)) \le p+1+2\sqrt{p}\);
Hasse定理: 交换群\(E(F_p)\)中的点的个数满足\(p+1-2\sqrt{p}\le |E(F_p)| \le p+1+2\sqrt{p}\);
若\(|E(F_p)| = p + 1\), 那么\(E(F_p)\)称为是超奇异的, 否则称为非超奇异的. ANS X9.62中规定的椭圆曲线是非超奇异的;
注: 约束条件\(4a^3+27b^2\not\equiv \mod p\)是群\(F_p\)上椭圆公式光滑的判别式, 见求解一元三次方程的求解: 卡尔丹公式;
定义在域\(F_{2^m}\)上的椭圆曲线
由如上等式解的集合\((x,y),x,y\in F_{2^m}\)及\(\mathcal{O}\)所组成的集合\(E(F_{2^m})\)在如下二元运算定义下满足是一个有限交换群:
- \(\mathcal{O} + \mathcal{O} = \mathcal{O}\), \(\mathcal{O}\)即为该群的单位元;
- \((x,y)+\mathcal{O}=\mathcal{O}+(x,y), \forall (x,y) \in E(F_{2^m})\);
- \((x,y)+(x,x+y)=\mathcal{O}, \forall (x,y) \in E(F_{2^m})\), 群中元素\((x,y)\)的逆\(-(x,y)\)即为\((x,-y)\);
- \(\forall (x_1, y_1) \in E(F_{2^m}), \forall (x_2,y_2) \in E(F_{2^m}), x_1\ne x_2\), 则有加法运算\((x_1,y_1)+(x_2,y_2)=(x_3,y_3)\). 其中, \(x_3= \lambda^2+\lambda+x_1+x_2+a\ \in\ F_{2^m}, y_3= \lambda(x_1+x_3)+x_3+y_1\ \in\ F_{2^m}, \lambda=\frac{y_2+y_1}{x_2+x_1}\ \in\ F_{2^m}\);
- \(\forall (x_1,y_1)\in E(F_p), x_1\ne 0\), 有加法运算\(2(x_1,y_1) = (x_1,y_1)+(x_1,y_1)=(x_3,y_3)\). 其中, \(x_3=\lambda^2 + \lambda + a\ \in \ F_{2^m}, y_3 = (\lambda+1)x_3 + x_1^{2}\ \in\ F_{2^m}, \lambda=x_1+\frac{y_1}{x_1}\ \in\ F_{2^m}\);
Hasse定理: 交换群\(E(F_p)\)中的点的个数满足\(2^m+1-2\sqrt{2^m}\le \#(E(F_{2^m})) \le 2^m+1+2\sqrt{2^m}\);
有限域和模运算
有限域上的幂运算
记\(b \in F_q, a \in N^+\), 求\(x=b^a\):
- \(t = a \mod (q - 1)\);
- \(t = 0\):
- \(x = 1\);
- \(t \ne 0\):
- \(t = t_r || t_{r-1} || \dots || t_1 || t_0, t_r = 1\);
- \(x = b\);
for i in (r-1)..=0:- \(x = x^2\);
- \(t_i = 1\):
- \(x = b\cdot x\)
有限域上的逆运算
记\(b \in F_q, b \ne e\), 求\(b\cdot c = g, c \in F_q\), 这里\(c\)就称为\(b\)的逆\(b^{-1}=c\):
- \(c = b^{q-2}\)
Lucas序列的生成
记\(P, Q\)是非零整数, \(P, Q\)的Lucas序列定义为:
- \(U_0 = 0, U_1 = 1, U_k = P\cdot U_{k-1} - Q\cdot U_{k-2}, k \ge 2\);
- \(V_0 = 2, V_1 = P, V_k = P\cdot V_{k-1} - Q\cdot V_{k-2}, k\ge 2\);
若有限域为\(F_p\), 则给定\(k\), 求\(U_k, V_k\)的快速算法:
- \(\Delta = P^2 - 4\cdot Q\);
- \(k = k_r || k_{r-1}||\dots || k_1 ||k_0, k_r = 1\);
- \(U = 1, V = P\);
for i in (r-1)..0:- \((U, V) = (U\cdot V\mod p, (V^2 + \Delta\cdot U^2)/2 \mod p)\);
- if \(k_i = 1\):
- \((U, V) = ((P\cdot U + V)/2 \mod p, (P\cdot U + \Delta\cdot U)/2 \mod p)\);
- 输出\((U, V)\);
素数模的平方根
记有奇素数\(p\), 整数\(0\le b \lt p\), 求其模的平方根\(y^2 \equiv b \mod p\);
若\(b = 0\), 则\(y= 0\). 若\(b \ne 0\), 则\(b\)有0个或2个模\(p\)的平方根(存在平方根\(y\), 则另一个平方根为\(p-y\)).
- \(p \equiv 3 \mod 4\):
- \(p = 4\cdot u + 3, u \in N^+\);
- \(y = b^{u+1} \mod p\);
- \(z = y^2 \mod p\);
- \(b = z\):
- \(y\)
- \(b \ne z\):
- 不存在模的平方根;
- \(p \equiv 5 \mod 8, p = 8\cdot u + 5, u \in N^+\):
- \(\gamma = (2\cdot b)^u \mod p\);
- \(i = 2\cdot g \cdot \gamma^2\mod p\);
- \(y = b \cdot \gamma \cdot (i-1)\mod p\);
- \(z = y^2 \mod p\);
- \(b = z\):
- \(y\);
- \(b \ne z\):
- 不存在模的平方根;
- \(p \equiv 1 \mod 4, p = 4\cdot u + 1, u \in N^+\):
- \(Q = b\);
loop:- 随机生成一个整数\(0\le P < p\);
- 计算Lucas序列\(U = U_{2\cdot u+1} \mod p, V = V_{2\cdot u + 1} \mod p\);
- \(V^2 \equiv 4\cdot Q \mod p\):
- \(y = V/2\) and
break;
- \(y = V/2\) and
- \(U \not\equiv \pm 1 \mod p\):
- 不存在模的平方根,
break;
- 不存在模的平方根,
迹和半迹函数
记有域元素\(\alpha in F_{2^m}\), 则迹定义为\(Tr(\alpha) = \alpha + \alpha^2 + \alpha^{2^2} + \dots + \alpha^{2^{m-1}}\), 半迹定义为\(Hf(\alpha) = \alpha^{4^0} + \alpha^{4^1} + \alpha^{4^2} + \dots + \alpha^{4^{(m-1)/2}}\). \(F_{2^m}\)的一半元素的迹是0, 另一半元素的迹是1;
若采用多项式基的形式表示\(F_{2^m}\)的元素, 则迹\(Tr\)和半迹\(Hf\)的计算如下:
- \(Tr = \alpha, Hf = \alpha\);
for i in 1..=(m-1):- \(Tr = Tr^2 + \alpha\);
for i in 1..=(m-1)/2:- \(Hf = Hf^2\);
- \(Hf = Hf^2 + \alpha\);
\(F_{2^m}\)上的二次等式求解
记有\(\beta \in F_{2^m}\), 求解等式\(z^2 + z = \beta\), 等式的解的个数为\(2-2\cdot Tr(\beta)\). 若\(\beta = 0\), 则\(z=0,1\). 若\(\beta \ne 0\), 且存在解\(z\), 则另一个解为\(z+1\);
- 若\(F_{2^m}\)的元素使用规范基表示:
- \(\beta = \beta_0||\beta_1||\dots || \beta_{m-1}\);
- \(z_0 = 0\);
for i in 1..=(m-1):- \(z_i = z_{i-1}\oplus \beta_i\);
- \(z = z_0 || z_1 ||\dots || z_{m-1}\);
- \(\gamma = z^2 + z\);
- \(\gamma = \beta\):
- \(z\);
- \(\gamma \ne \beta\):
- 不存在解;
- 若\(F_{2^m}\)的元素使用多项式基表示:
- \(z = Hf(\beta)\);
- \(\gamma = z^2 + z\);
- \(\gamma = \beta\):
- \(z\);
- \(\gamma \ne \beta\):
- 不存在解;
验证生成子的阶的合法性
记有素数\(p\), \(1\lt b\lt p, k\in N^+\), 验证\(k\)是否是\(<b> \mod p\)的阶:
- 找出\(k\)的素除数集\(D\);
- \(g^k \not\equiv 1\mod p\):
return false;
for i in D:- \(g^{k/l} \equiv 1\mod p\):
return false;
- \(g^{k/l} \equiv 1\mod p\):
return true;
生成子阶的计算
记有素数\(p\), \(1\lt b\lt p\), 求\(<b> \mod p\)的阶:
- \(a = b, j = 1\);
loop:- \(a = a\cdot b\mod p, j = j + 1\);
- \(a \le 1\):
break;
- 输出\(j\);
求指定阶数的生成子
记有素数\(p\), 和可整除\(p-1\)的整数\(T\), 求阶数为\(T\)的生成子\(u, u\in F_p\):
loop:- 随机生成一个整数\(1 \lt b \lt p\);
- 计算\(<b>\mod p\)的阶\(k\);
- if \(k = n\cdot T, n\in N^+\):
break;
- \(u = g^{k/T} \mod p\);
有限域上的多项式
有限域上的多项式GCD求解
记有多项式\(f(t), g(t)\ne 0\), 它们的系数在\(F_q\)中, \(GCD(f(t), g(t))\)求解如下:
- \(a(t) = f(t), b(t) = g(t)\);
while b(t) != 0:- \(c(t) = remainder(a(t)/b(t))\);
- \(a(t) = b(t)\);
- \(b(t) = c(t)\);
- 记\(\alpha\)为\(a(t)\)最高次幂的系数;
- 输出\(\alpha^{-1}\cdot a(t)\);
计算\(F_{2^m}\)上的不可约多项式的根
记\(f(t)\)是度为\(m\)的不可约多项式, 则其在\(F_{2^m}\)上有\(m\)个非重根, 可按如下方法随机计算出其一个根:
- \(g(t) = f(t)\);
while deg(g(t)) > 1:- 随机选择一个元素\(u\in F_{2^m}\);
- \(c(t) = u\cdot t\);
for i in 1..(m-1):- $c(t) = (c(t)^2 + u\cdot t)\mod g(t);
- \(h(t) = gcd(c(t), g(t))\);
- if !(\(h(t)\)是常量或\(deg(g) = deg(h)\)):
- if \(2\cdot deg(h)\gt deg(g)\):
- \(g(t) = g(t) /h(t)\);
- else:
- \(g(t) = h(t)\);
- if \(2\cdot deg(h)\gt deg(g)\):
- 输出\(g(0)\);
数论相关
数论相关;
Jacobi符号的计算
记有素数\(p, p\gt 2\), 和整数\(a, a\in Z\), 则Legendre符号\((\frac{a}{p})\)定义为:
- 若\(p\)整除\(a\), 则为0. 否则:
- 若\(\exists x \in Z, a \equiv x^2\mod p\), 则为1;
- 若\(\not\exists x \in Z, a \equiv x^2\mod p\), 则为-1;
Jacobi符号是Legendre符号的推广, 记有\(a, a\in Z\), 和奇数\(n, n\gt 1, n= \prod_{i=1}^t p_i^{e_i}\), \(p_i\)是素数, 则Jacobi符号定义为\((\frac{a}{n}) = \prod_{i=1}^t (\frac{a}{p_i})^{e_i}\). 其中, \((\frac{a}{p_i})\)为Legendre符号. Jacobi符号的计算如;:
- \(gcd(a, n)\gt 1\):
return 0;
- \(x = a, y=n, J = 1\);
loop:- \(x = x\mod y\);
- if \(x \gt y/2\):
- \(x = y-x\);
- if \(y\equiv 3 \mod 4\):
- \(J = -J\);
while x > 4 && x % 4 = 0:- \(x = x/4\);
- if \(x > 2\)且\(x%2 = 0\):
- \(x = x/2\);
- if \(y \equiv \pm 3\mod 8\):
- \(J = -J\);
- if \(x = 1\):
break J;
- if \(x \equiv 3\mod 4\)且\(y\equiv 3\mod 4\):
- \(J = -J\);
- \(swap(x,y)\);
注: 若\(n=q\), 则Jacobi符号\((\frac{a}{p})=a^{(p-1)/2}\mod p\);
求正整数模2的次幂的平方根
记有整数\(r>2\), 和正整数\(a, a < 2^r, a\equiv 1\mod 8\), 求\(b^2 \equiv a \mod 2^r, b \lt 2^{r-2}\):
- \(h = 1\);
- \(b = 1\);
for j in 2..=(r-2):- if \(h_{j+1}\ne a_{j+1}\)(\(h_{j+1}\)表示\(h\)第\(j+1\)位):
- \(b_j = 1\);
- if \(j \lt r/2\):
- \(h = (h+2^{j+1}b-2^{2j}) \mod 2^r\);
- if \(j \ge r/2\):
- \(h = (h + 2^{j+1}b) \mod 2^r\);
- if \(h_{j+1}\ne a_{j+1}\)(\(h_{j+1}\)表示\(h\)第\(j+1\)位):
- if \(b_{r-2} =1\):
- \(b = 2^{r-1}-b\);
多项式的幂模
记有正整数\(k, k\in N^{+}\), 多项式\(f(t), m(t)\), 多项式的系数在域\(F_q\)中, 则\(f(t)^k \mod m(t)\)可计算如下:
- \(k = k_r || k_{r-1} || \dots || k_1 || k_0, k_r = 1\);
- \(u(t) = f(t) \mod m(t)\);
for i in (r-1)..=0:- \(u(t)=u(t)^2 \mod m(t)\);
- \(k_i = 1\):
- \(u(t) = u(t)\cdot f(t) \mod m(t)\);
- 输出\(u(t)\);
参考资料
- Standars for Efficient Cryptography 1 (SEC1: Elliptic Curve Cryptography), Daniel R.L.Brown;
- 算法导论(3th), Thomas H.Cormen;
- ANS x9.62;
