Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

ppp

VIEWS: 0 PAGES: 19

									Pairing Pseudoprimes

     Michael Scott
        Summary of the talk
• What is a pseudoprime?
• What is a pairing?
• What is a “pairing pseudoprime”?
     What is a pseudoprime 1
• Start with a condition which is always true
  for a prime n.
• For example Fermats Little Thereom
• an-1 mod n = 1, which is true for all prime
  n.
• Try and “turn this around” to create a
  primality proof.
• So n is prime iff an-1 mod n = 1 ???
     What is a pseudoprime 2
• Alas no. As a primality test it is fooled by
  pseudoprimes.
• So try a different value for a?
• Carmichael numbers (eg 561) fool this test
  for any a.
• Many other “primality tests” exist, but for
  most pseudoprimes are known to exist
  and have been found.
     What is a pseudoprime 3
• Some tests do exist for which there is no
  known pseudoprime
• A Lucas test combined with a SPRP test
  to the base 2 admits no known
  pseudoprimes – in fact a prize of $620 if
  one is found.
     What is a pseudoprime 4
• True Primality proofs do exist, but they are
  complex and rather slow (ECPP, APRT-
  CL), and not strictly polynomial time.
• Recently and famously Agrawal, Kayal
  and Saxena (AKS) discover a polynomial
  time primality proving algorithm – but still
  too slow in practise L
     What is a pseudoprime 5
• However in the AKS paper there is this
  conjecture:-
     What is a pseudoprime 6
• This is quite simple and fast, and again
  there are no known pseudoprimes,
  although Lenstra and Pomerance give an
  argument that pseudoprimes do in fact
  exist (and that the conjecture is false).
• There is still a need in crypto for a small,
  fast, simple prime prover (say to prove that
  p and q are really prime for RSA in a small
  embedded processor)
         What is a pairing 1
• There is the Weil pairing, the Tate pairing
  (and now the ηT pairing !)
• Takes as parameters two linearly
  independent r – torsion points.
• Evaluates as an element of Fpk and an r-th
  root of unity, where k is the embedding
  degree
• Denoted ê(P,Q) on supersingular curves
         What is a pairing 2
• The pairing has lots of useful structure and
  many interesting properties, primarily the
  property of bilinearity

• ê(aP,bQ) =ê(bP,aQ) = ê(P,Q)ab

• This property permits IBE and many other
  useful crypto protocols.
What is a pairing pseudoprime 1
• We have the following condition:-
• If n>3 is a prime and n = 3 mod 4 then
  the elliptic curve y2=x3-ax mod n is
  supersingular, and has an embedding
  degree of 2 (Menezes).
• The Tate pairing is well-defined on this
  curve.
• The number of points on the curve is n+1
What is a pairing pseudoprime 2
• Can this be “turned around” to give a good
  primality test for n=3 mod 4 ??
• The bilinearity property is only guaranteed
  if n is prime…
• So contruct a primality test and implement
  it, and try to find pseudoprimes (hopefully
  can’t find any!)
What is a pairing pseudoprime 3
 Classic pairing algorithm may fail with a
 composite n using affine coordinates for
 the points. (Could detect these failures
 and declare n a composite, but that would
 be cheating!) So implement an inversion-
 free projective-coordinate version of the
 Tate pairing.
What is a pairing pseudoprime 4
  The pairing pseudoprime test –
  Initialization phase

  Choose a curve parameter a and an
  initial point P. (One simple idea – choose
  a rational point on the curve, for example
  choose a=12, P(-2,4). Observe that this
  point is on the curve y2=x3-ax for any n.)
What is a pairing pseudoprime 5
•   Input number n>3 and n = 3 mod 4
•   If gcd(a,n) ≠ 1 declare n composite and exit
•   If P is of order 2 or of order 4 then try another
    P and goto 1.
•   If ê(P,P)n+1 ≠ 1 declare n composite and exit
•   If ê(P,P)2 ≠ ê(2P,P) or ê(P,P)2 ≠ ê(P,2P)
    declare n composite and exit.
•   Declare n as a probable prime.
What is a pairing pseudoprime 6
• Note that line 4 is very like a Fermat test –
  this eliminates most non-primes
• The simple bilinearity test seems to
  eliminate any composites that survive.
• The idea can be extended to n=2 mod 3
  using the “other” supersingular curve
  y2=x3+b
What is a pairing pseudoprime 7
• Numerical results – tested up to 109
• No pseudoprimes found (so far!)
• The test can be “stressed” by trying a different
  curve parameter a and a different point P.
• Can you find a pseudoprime for any a or P ???
• Test program from
  ftp://ftp.computing.dcu.ie/pub/resources/crypto/is
  ap.cpp
What is a pairing pseudoprime 7
• Reward of one pint of Guinness for first
  person to succeed in finding a pairing
  pseudoprime!!!
• Good news – its inflation proof.
• Bad news – you have to come to Ireland to
  collect.
                The End
• I am not making any extravagant claims!
• Pairing Pseudoprimes probably do exist!
• The test is described in the context of
  pairings, so maybe something can be
  proved about it or about some variant of
  it?

								
To top