Posted on: 9/28/2013 (19 pages)
Pairing Pseudoprimes
Michael Scott

Summary of the talk
• What is a pseudoprime?
• What is a pairing?
• What is a “pairing pseudoprime”?

What is a pseudoprime 1
• Start with a condition which is always true for a prime n.
• For example Fermat's Little Theorem:
• a^(n-1) mod n = 1, which is true for all prime n (and any a not divisible by n).
• Try and “turn this around” to create a primality proof.
• So n is prime iff a^(n-1) mod n = 1 ???

What is a pseudoprime 2
• Alas no. As a primality test it is fooled by pseudoprimes.
• So try a different value for a?
• Carmichael numbers (e.g. 561) fool this test for any a.
• Many other “primality tests” exist, but for most of them pseudoprimes are known to exist and have been found.

What is a pseudoprime 3
• Some tests do exist for which there is no known pseudoprime.
• A Lucas test combined with an SPRP test to the base 2 admits no known pseudoprimes – in fact there is a prize of $620 if one is found.

What is a pseudoprime 4
• True primality proofs do exist, but they are complex and rather slow (ECPP, APRT-CL), and not strictly polynomial time.
• Recently and famously Agrawal, Kayal and Saxena (AKS) discovered a polynomial-time primality proving algorithm – but it is still too slow in practice.

What is a pseudoprime 5
• However in the AKS paper there is this conjecture:-

What is a pseudoprime 6
• This is quite simple and fast, and again there are no known pseudoprimes, although Lenstra and Pomerance give an argument that pseudoprimes do in fact exist (and that the conjecture is false).
• There is still a need in crypto for a small, fast, simple prime prover (say to prove that p and q are really prime for RSA in a small embedded processor).

What is a pairing 1
• There is the Weil pairing, the Tate pairing (and now the ηT pairing!)
• Takes as parameters two linearly independent r-torsion points.
• Evaluates as an element of F_(p^k) and an r-th root of unity, where k is the embedding degree.
• Denoted ê(P,Q) on supersingular curves.

What is a pairing 2
• The pairing has lots of useful structure and many interesting properties, primarily the property of bilinearity:
• ê(aP,bQ) = ê(bP,aQ) = ê(P,Q)^(ab)
• This property permits IBE and many other useful crypto protocols.

What is a pairing pseudoprime 1
• We have the following condition:-
• If n>3 is a prime and n = 3 mod 4 then the elliptic curve y^2 = x^3 - ax mod n is supersingular, and has an embedding degree of 2 (Menezes).
• The Tate pairing is well-defined on this curve.
• The number of points on the curve is n+1.

What is a pairing pseudoprime 2
• Can this be “turned around” to give a good primality test for n = 3 mod 4??
• The bilinearity property is only guaranteed if n is prime…
• So construct a primality test and implement it, and try to find pseudoprimes (hopefully we can't find any!)

What is a pairing pseudoprime 3
The classic pairing algorithm may fail for a composite n when affine coordinates are used for the points. (One could detect these failures and declare n composite, but that would be cheating!) So implement an inversion-free projective-coordinate version of the Tate pairing.

What is a pairing pseudoprime 4
The pairing pseudoprime test – initialization phase
Choose a curve parameter a and an initial point P. (One simple idea – choose a rational point on the curve, for example choose a=12, P=(-2,4). Observe that this point is on the curve y^2 = x^3 - ax for any n.)

What is a pairing pseudoprime 5
1. Input number n>3 with n = 3 mod 4.
2. If gcd(a,n) ≠ 1 declare n composite and exit.
3. If P is of order 2 or of order 4 then try another P and goto 1.
4. If ê(P,P)^(n+1) ≠ 1 declare n composite and exit.
5. If ê(P,P)^2 ≠ ê(2P,P) or ê(P,P)^2 ≠ ê(P,2P) declare n composite and exit.
6. Declare n as a probable prime.
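The test just described, as an added Python example that is not the slides' program (the test program they link is not reproduced here): the Tate pairing on y^2 = x^3 - ax mod n is computed in Jacobian coordinates so that no modular inversion is ever attempted, F_{n^2} is modelled as Z_n[i] with i^2 = -1 (a field only when n is prime), and the slides' a = 12, P = (-2, 4) are used. The function names, the projective line formulas and the handling of the chords through O and through P itself are assumptions of mine, not something the slides specify.

```python
# Added example (not the slides' program): the pairing pseudoprime test with an inversion-free Tate pairing.
from math import gcd

def fmul(u, v, n):  # (a + b i)(c + d i) in Z_n[i], i^2 = -1: a field only when n is prime
    return ((u[0]*v[0] - u[1]*v[1]) % n, (u[0]*v[1] + u[1]*v[0]) % n)
def fpow(u, e, n):  # left-to-right square-and-multiply in Z_n[i]
    r = (1, 0)
    for b in bin(e)[2:]: r = fmul(fmul(r, r, n), u if b == '1' else (1, 0), n)
    return r

def dbl(T, a4, xq, yq, n):
    # 2T in Jacobian coords (x = X/Z^2, y = Y/Z^3) plus the tangent at T at psi(Q) = (xq, i*yq), scaled by 2*Y*Z^3 (in F_n)
    X, Y, Z = T; Z2, Y2 = Z*Z % n, Y*Y % n
    M, S = (3*X*X + a4*Z2*Z2) % n, 4*X*Y2 % n
    X3 = (M*M - 2*S) % n
    line = ((-2*Y2 - M*(Z2*xq - X)) % n, 2*Y*Z*Z2*yq % n)
    return line, (X3, (M*(S - X3) - 8*Y2*Y2) % n, 2*Y*Z % n)

def add(T, P, a4, xq, yq, n):
    # T + P (P affine) plus the chord through them at psi(Q), scaled by H*Z (in F_n); T = O and T = P handled below
    X, Y, Z = T
    if Z == 0: return (1, 0), (P[0] % n, P[1] % n, 1)      # T = O: chord is the vertical v_P, an F_n value, dropped
    Z2 = Z*Z % n; H, R = (P[0]*Z2 - X) % n, (P[1]*Z2*Z - Y) % n
    if H == 0 and R == 0: return dbl(T, a4, xq, yq, n)    # T = P: chord is the tangent at P
    H2 = H*H % n; H3 = H2*H % n; X3 = (R*R - H3 - 2*X*H2) % n
    line = ((-Z*H*P[1] - R*(xq - P[0])) % n, Z*H*yq % n)
    return line, (X3, (R*(X*H2 - X3) - Y*H3) % n, Z*H % n)

def tate(n, a4, P, Q):
    # e(P, psi(Q)) = f_{n+1,P}(psi(Q))^(n-1) with psi(x, y) = (-x, i*y); verticals dropped (with k = 2 they lie in F_n)
    xq, yq, T, f = (-Q[0]) % n, Q[1] % n, (P[0] % n, P[1] % n, 1), (1, 0)
    for bit in bin(n + 1)[3:]:
        line, T = dbl(T, a4, xq, yq, n)
        f = fmul(fmul(f, f, n), line, n)
        if bit == '1':
            line, T = add(T, P, a4, xq, yq, n)
            f = fmul(f, line, n)
    return fpow(f, n - 1, n)

def pairing_test(n):
    # The slides' a = 12, P = (-2, 4): 2P = (4, -4) exactly (tangent slope 3*4 - 12 = 0), and
    # y(P), y(2P) = 4, -4 are nonzero mod n, so the 'order 2 or 4: try another P' step never fires.
    if n <= 3 or n % 4 != 3: raise ValueError("need n > 3 with n = 3 mod 4")
    if gcd(12, n) != 1: return 'composite'
    a4, P, P2 = (-12) % n, (-2, 4), (4, -4)
    e = tate(n, a4, P, P)
    if fpow(e, n + 1, n) != (1, 0): return 'composite'       # line 4: the Fermat-like step
    e2 = fmul(e, e, n)                                        # line 5: e(P,P)^2 = e(2P,P) = e(P,2P)
    if e2 != tate(n, a4, P2, P) or e2 != tate(n, a4, P, P2): return 'composite'
    return 'probable prime'
```

Because no gcd beyond step 2 and no inversion is ever computed, a composite n can only be caught by steps 2, 4 and 5, never by an arithmetic failure; comparing the verdicts with trial division over a range is the pseudoprime search the slides invite.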
What is a pairing pseudoprime 6
• Note that line 4 is very like a Fermat test – this eliminates most non-primes.
• The simple bilinearity test seems to eliminate any composites that survive.
• The idea can be extended to n = 2 mod 3 using the “other” supersingular curve y^2 = x^3 + b.

What is a pairing pseudoprime 7
• Numerical results – tested up to 10^9.
• No pseudoprimes found (so far!)
• The test can be “stressed” by trying a different curve parameter a and a different point P.
• Can you find a pseudoprime for any a or P???
• Test program from ftp://ftp.computing.dcu.ie/pub/resources/crypto/isap.cpp

What is a pairing pseudoprime 8
• Reward of one pint of Guinness for the first person to succeed in finding a pairing pseudoprime!!!
• Good news – it's inflation proof.
• Bad news – you have to come to Ireland to collect.

The End
• I am not making any extravagant claims!
• Pairing pseudoprimes probably do exist!
• The test is described in the context of pairings, so maybe something can be proved about it or about some variant of it?