Elliptic curve primality

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In mathematics elliptic curve primality testing techniques are among the quickest and most widely used methods in primality proving.[1] It is an idea forwarded by Shafi Goldwasser and Joe Kilian in 1986 and turned into an algorithm by A. O. L. Atkin the same year. The algorithm was altered and improved by several collaborators subsequently, and notably by Atkin and François Morain (de), in 1993.[2] The concept of using elliptic curves in factorization had been developed by H. W. Lenstra in 1985, and the implications for its use in primality testing (and proving) followed quickly.

Primality testing is a field that has been around since the time of Fermat, in whose time most algorithms were based on factoring, which become unwieldy with large input; modern algorithms treat the problems of determining whether a number is prime and what its factors are separately. It became of practical importance with the advent of modern cryptography. Although many current tests result in a probabilistic output (N is either shown composite, or probably prime, such as with the Baillie–PSW primality test or the Miller–Rabin test), the elliptic curve test proves primality (or compositeness) with a quickly verifiable certificate.[3]

Elliptic curve primality proving provides an alternative to (among others) the Pocklington primality test, which can be difficult to implement in practice. The elliptic curve primality tests are based on criteria analogous to the Pocklington criterion, on which that test is based,[4] where the group (\mathbb{Z}/n\mathbb{Z})^* is replaced by E(\mathbb{Z}/n\mathbb{Z}), and E is a properly chosen elliptic curve. We will now state a proposition on which to base our test, which is analogous to the Pocklington criterion, and gives rise to the Goldwasser–Kilian–Atkin form of the elliptic curve primality test.

Elliptic curve primality proving[edit]

It is a general-purpose algorithm, meaning it does not depend on the number being of a special form. ECPP is currently in practice the fastest known algorithm for testing the primality of general numbers, but the worst-case execution time is not known. ECPP heuristically runs in time:[5]

 O((\log n)^{5+\varepsilon})\,

for some \varepsilon > 0. This exponent may be decreased to 4+\varepsilon for some versions by heuristic arguments. ECPP works the same way as most other primality tests do, finding a group and showing its size is such that p is prime. For ECPP the group is an elliptic curve over a finite set of quadratic forms such that p-1 is trivial to factor over the group.

ECPP generates an AtkinGoldwasser–Kilian–Morain certificate of primality by recursion and then attempts to verify the certificate. The step that takes the most CPU time is the certificate generation, because factoring over a class field must be performed. The certificate can be verified quickly, allowing a check of operation to take very little time.

As of 2011 the largest prime [6] that has been proved with ECPP method is the 26,643-digits prime value of the Ramanujan tau function: [7]

LR(157,2207) = \tau\left(157^{2206}\right).

The distributed computation with fastECPP software by François Morain started in January 2011 and ended in April 2011. The total CPU time is equal to 2355 hours.[8]

Proposition[edit]

Let N be a positive integer, and E be the set which is defined by the equation y^2 = x^3 + ax + b \pmod{N}. Consider E over \mathbb{Z}/N\mathbb{Z}, use the usual addition law on E, and write 0 for the neutral element on E.

Let m be an integer. If there is a prime q which divides m, and is greater than (N^{1/4}+1)^2 and there exists a point P on E such that

(1) mP = 0

(2) (m/q)P is defined and not equal to 0

Then N is prime.

Proof[edit]

If N is composite, then there exists a prime p \le \sqrt{N} that divides N. Define E_p as the elliptic curve defined by the same equation as E but evaluated modulo p rather than modulo N. Define m_p as the order of the group E_p. By Hasse's theorem on elliptic curves we know

m_p \le p+1+2\sqrt{p} = (\sqrt{p} + 1)^2 \le (N^{1/4} + 1)^2 < q

and thus \gcd{(q,m_p)}=1 and there exists an integer u with the property that

uq \equiv 1 \pmod{m_p}

Let P_p be the point P evaluated modulo p. Thus, on E_p we have

(m/q)P_p = uq(m/q)P_p = umP_p = 0 \,

by (1), as mP_p is calculated using the same method as mP, except modulo p rather than modulo N (and p \mid N).

This contradicts (2), because if (m/q)P is defined and not equal to 0 (mod N), then the same method calculated modulo p instead of modulo N will yield

(m/q)P_p \ne 0 [9]

Goldwasser–Kilian algorithm[edit]

From this proposition an algorithm can be constructed to prove an integer, N, is prime. This is done as follows:

Choose three integers at random, a, x, y and set

b \equiv y^2 - x^3 - ax \pmod{N}

Now P = (x,y) is a point on E, where we have that E is defined by y^2 = x^3 + ax + b. Next we need an algorithm to count the number of points on E. Applied to E, this algorithm (Koblitz and others suggest Schoof's algorithm) produces a number m which is the number of points on curve E over FN, provided N is prime. Next we have a criterion for deciding whether our curve E is acceptable.

If we can write m in the form m = kq where  k \ge 2 is a small integer and q a probable prime (it has passed some previous probabilistic primality test, for example), then we do not discard E. If it is not possible to write m in this form, we discard our curve and randomly select another triple (a, x, y) to start over.

Assuming we find a curve which passes the criterion, proceed to calculate mP and kP. If at any stage in the calculation we encounter an undefined expression (from calculating the multiples of P or in our point counting algorithm), it gives us a non-trivial factor of N.

If mP \neq 0 it is clear that N is not prime, because if N were prime then E would have order m, and any element of E would become 0 on multiplication by m. If kP = 0 then we have hit a dead-end and must start again with a different triple.

Now if mP = 0 and kP \neq 0 then our previous proposition tells us that N is prime. However there is one possible problem, which is the primality of q. This must be verified, using the same algorithm. So we have described a down-run procedure, where the primality of N can be proven through the primality of q and indeed smaller 'probable primes' until we have reached certain primes and are finished.[10][11]

Problems with the algorithm[edit]

Atkin and Morain state "the problem with GK is that Schoof's algorithm seems almost impossible to implement.[3] It is very slow and cumbersome to count all of the points on E using Schoof's algorithm, which is the preferred algorithm for the Goldwasser–Kilian algorithm. However, the original algorithm by Schoof is not efficient enough to provide the number of points in short time.[12] These comments have to be seen in the historical context, before the improvements by Elkies and Atkin to Schoof's method.

A second problem Koblitz notes is the difficulty of finding the curve E whose number of points is of the form kq, as above. There is no known theorem which guarantees we can find a suitable E in polynomially many attempts. The distribution of primes on the Hasse interval [p+1-2\sqrt{p},p+1+2\sqrt{p}], which contains m, is not the same as the distribution of primes in the group orders, counting curves with multiplity. However, this is not a significant problem in practice.[9]

Atkin–Morain elliptic curve primality test (ECPP)[edit]

In a 1993 paper, Atkin and Morain described an algorithm ECPP which avoided the trouble of relying on a cumbersome point counting algorithm (Schoof's). The algorithm still relies on the proposition stated above, but rather than randomly generating elliptic curves and searching for a proper m, their idea was to construct a curve E where the number of points is easy to compute. Complex multiplication is key in the construction of the curve.

Now, given an N for which primality needs to be proven we need to find a suitable m and q, just as in the Goldwasser–Kilian test, that will fulfill the proposition and prove the primality of N. (Of course, a point P and the curve itself, E, must also be found.)

ECPP uses complex multiplication to construct the curve E, doing so in a way that allows for m (the number of points on E) to be easily computed. We will now describe this method:

Utilization of complex multiplication requires a negative discriminant, D, such that D can be written as the product of two elements D = \pi \bar{\pi}, or completely equivalently, we can write the equation:

a^2 + |D|b^2 = 4N \,

For some a, b. If we can describe N in terms of either of these forms, we can create an elliptic curve E on \mathbb{Z}/N\mathbb{Z} with complex multiplication (described in detail below), and the number of points is given by:

|E(\mathbb{Z}/N\mathbb{Z})| = N + 1 - \pi - \bar{\pi} = N + 1 - a. \,

For N to split into two the two elements, we need that \left(\frac{D}{N}\right) = 1 (where \left(\frac{D}{N}\right) denotes the Legendre symbol). This is a necessary condition, and we achieve sufficiency if the class number h(D) of the order in \mathbb{Q}(\sqrt{D}) is 1. This happens for only 13 values of D, which are the elements of {−3, −4, −7, −8, −11, −12, −16, −19, −27, −28, −43, −67, −163}

The test[edit]

Pick discriminants D in sequence of increasing h(D). For each D check if \left(\frac{D}{N}\right) = 1 and whether 4N can be written as:

a^2 + |D|b^2 = 4N \,

This part can be verified using Cornacchia's algorithm. Once acceptable D and a have been discovered, calculate m = N + 1 - a. Now if m has a prime factor q of size

q>(N^{1/4}+1)^2

use the complex multiplication method to construct the curve E and a point P on it. Then we can use our proposition to verify the primality of N. Note that if m does not have a large prime factor or cannot be factored quickly enough, another choice of D can be made.[1]

Complex multiplication method[edit]

For completeness, we will provide an overview of complex multiplication, the way in which an elliptic curve can be created, given our D (which can be written as a product of two elements).

Assume first that D \neq -3 and D \neq -4 (these cases are much more easily done). It is necessary to calculate the elliptic j-invariants of the h(D) classes of the order of discriminant D as complex numbers. There are several formulas to calculate these.

Next create the monic polynomial H_D(X), which has roots corresponding to the h(D) values. Note, that H_D(X) is the class polynomial. From complex multiplication theory, we know that H_D(X) has integer coefficients, which allows us to estimate these coefficients accurately enough to discover their true values.

Now, if N is prime, CM tells us that H_D(X) splits modulo N into a product of h(D) linear factors, based on the fact that D was chosen so that N splits as the product of two elements. Now if j is one of the h(D) roots modulo N we can define E as:

y^2 = x^3 - 3kc^{2r}x + 2kc^{3r},\text{ where } k = \frac{j}{j-1728},

c is any quadratic nonresidue mod N, and r is either 0 or 1.

Given a root j there are only two possible nonisomorphic choices of E, one for each choice of r. We have the cardinality of these curves as

|E(\mathbb{Z}/N\mathbb{Z})| = N+1-a or |E(\mathbb{Z}/N\mathbb{Z})| = N+1+a[1][11][13]

Discussion[edit]

Just as with the Goldwasser–Killian test, this one leads to a down-run procedure. Again, the culprit is q. Once we find a q that works, we must check it to be prime, so in fact we are doing the whole test now for q. Then again we may have to perform the test for factors of q. This leads to a nested certificate where at each level we have an elliptic curve E, an m and the prime in doubt, q.

Example of Atkin–Morain ECPP[edit]

We construct an example to prove that N = 167 is prime using the Atkin–Morain ECPP test. First proceed through the set of 13 possible discriminants, testing whether the Legendre Symbol (D/N) = 1, and if 4N can be written as  4N = a^2 + |D|b^2.

For our example D = −43 is chosen. This is because (D/N) = (-43/167) = 1 and also, using Cornacchia's algorithm, we know that 4\cdot (167) = 25^2 + (43)(1^2) and thus a = 25 and b = 1.

The next step is to calculate m. This is easily done as m = N + 1 - a which yields  m = 167 + 1 - 25 = 143. Next we need to find a probable prime divisor of m, which was referred to as q. It must satisfy the condition that q>(N^{1/4}+1)^2

Now in this case, m = 143 = 11*13. So unfortunately we cannot choose 11 or 13 as our q, for it does not satisfy the necessary inequality. We are saved, however, by an analogous proposition to that which we stated before the Goldwasser–Kilian algorithm, which comes from a paper by Morain.[14] It states, that given our m, we look for an s which divides m, s>(N^{1/4}+1)^2, but is not necessarily prime, and check whether, for each p_i which divides s

m/p_iP \neq P_\infty

for some point P on our yet to be constructed curve.

If s satisfies the inequality, and its prime factors satisfy the above, then N is prime.

So in our case, we choose s = m = 143. Thus our possible p_i's are 11 and 13. First, it is clear that 143 >(167^{1/4}+1)^2, and so we need only check the values of

(143/11)P = 13P \text{ and }(143/13)P = 11P.

But before we can do this, we must construct our curve, and choose a point P. In order to construct the curve, we make use of complex multiplication. In our case we compute the J-invariant

j \equiv -960^3 \pmod{167} \equiv 107 \pmod{167}. \,

Next we compute k = \frac{j}{1728-j} \pmod{167} \equiv 158 \pmod{167} and we know our elliptic curve is of the form:

y^2 = x^3 + 3kc^2x + 2kc^3,

where k is as described previously and c a non-square in \mathbb{F}_{167}. So we can begin with

r = 0, 3k \equiv 140 \pmod{167}, 2k \equiv 149 \pmod{167} which yields

E: y^2 = x^3 + 140x + 149 \pmod{167}

Now, utilizing the point P = (6,6) on E it can be verified that 143P = P_\infty.

It is simple to check that 13(6, 6) = (12, 65) and 11P = (140, 147), and so, by Morain's proposition, N is prime.

Complexity and running times[edit]

Goldwasser and Kilian's elliptic curve primality proving algorithm terminates in expected polynomial time for at least

1 - O\left(2^{-N\frac{1}{\log \log n}}\right)

of prime inputs.

Conjecture[edit]

Let \pi(x) be the number of primes smaller than x

\exists c_1, c_2 > 0: \pi(x+\sqrt{x}) - \pi(x) \ge \frac{c_2\sqrt{x}}{\log^{c_1}x}

for sufficiently large x.

If one accepts this conjecture then the Goldwasser–Kilian algorithm terminates in expected polynomial time for every input. Also, if our N is of length k, then the algorithm creates a certificate of size O(k^2) that can be verified in O(k^4).[15]

Now consider another conjecture, which will give us a bound on the total time of the algorithm.

Conjecture 2[edit]

Suppose there exist positive constants c_1 and c_2 such that the amount of primes in the interval

[x, x+\sqrt{2x}], x \ge 2 is larger than c_1\sqrt{x}(\log x)^{-c_2}

Then the Goldwasser Kilian algorithm proves the primality of N in an expected time of

O(\log^{10 + c_2} n)[14]

For the Atkin–Morain algorithm, the running time stated is

O((\log N)^{6+\epsilon}) for some \epsilon > 0[3]

Primes of special form[edit]

For some forms of numbers, it is possible to find 'short-cuts' to a primality proof. This is the case for the Mersenne numbers. In fact, due to their special structure, which allows for easier verification of primality, the largest known prime number is a Mersenne number.[16] There has been a method in use for some time to verify primality of Mersenne numbers, known as the Lucas–Lehmer test. This test does not rely on elliptic curves. However we present a result where numbers of the form N = 2^kn - 1 where k,n \in \mathbb{Z}, k \ge 2, n odd can be proven prime (or composite) using elliptic curves. Of course this will also provide a method for proving primality of Mersenne numbers, which correspond to the case where n = 1. It should be noted that there is a method in place for testing this form of number without elliptic curves (with a limitation on the size of k) known as the Lucas–Lehmer–Riesel test. The following method is drawn from the paper Primality Test for 2^kn - 1 using Elliptic Curves, by Yu Tsumura.[17]

Group structure of E(FN)[edit]

We take E as our elliptic curve, where E is of the form y^2 = x^3 - mx for m \in \mathbb{Z}, m \equiv 0 \pmod{p}, where p \equiv 3 \pmod{4} is prime, and p+1 = 2^kn, k \in \mathbb{Z}, k \ge 2, n odd.

Theorem 1[edit]

#E(\mathbb{F}_p) = p+1[4]

Theorem 2[edit]

E(\mathbb{F}_p) \cong \mathbb{Z}_{2^kn} or

E(\mathbb{F}_p) \cong \mathbb{Z}_2 \oplus \mathbb{Z}_{2^{k-1}n}

Depending on whether or not m is a quadratic residue modulo p.

Theorem 3[edit]

Let p \equiv 3\pmod{4} be prime, E, k, n, m as above. Take Q = (x,y) on E, x a quadratic nonresidue modulo p.

Then the order of Q is divisible by 2^k in the cyclic group E(\mathbb{F}_p) \cong \mathbb{Z}_{2^{k}n}.

First we will present the case where n is relatively small with respect to 2^k, and this will require one more theorem.

Theorem 4[edit]

Choose a \lambda > 1. E, k, n, m are specified as above with the added restrictions that

n \le \sqrt{p}/\lambda and \lambda\sqrt{p} > (p^{1/4} + 1)^2 \,

p is a prime if and only if there exists a Q = (x,y) which is on E, such that the

\gcd{(S_i,p)} = 1 for i = 1, 2, ...,k − 1 and S_k \equiv 0\pmod{p}

where S_i is a sequence with initial value S_0 = x

The algorithm[edit]

We provide the following algorithm, which relies mainly on Theorems 3 and 4. To verify the primality of a given number N, perform the following steps:

(1) Chose x \in \mathbb{Z} such that (\frac{x}{N}) = -1, and find y such that (\frac{x^3-y^2}{N}) = 1

Take m = \frac{x^3-y^2}{x} \pmod{N}

Then Q' = (x,y) is on E: y^2=x^3-mx where m \equiv 0\pmod{N}

Calculate Q = mQ'. If Q = P_\infty then N is composite, otherwise proceed to (2).

(2) Set S_i as the sequence with initial value Q. Calculate S_i for i = 1,2,..., k − 1

If \gcd({S_i,N})>1 for an i, where 1 \le i \le k-1 then N is composite. Otherwise, proceed to (3).

(3) If S_k \equiv 0 \pmod{N} then N is prime. Otherwise, N is composite. This completes the test.

Justification of the algorithm[edit]

In (1), and elliptic curve, E is picked, along with a point Q on E, such that the x-coordinate of Q is a quadratic nonresidue. We can say

\left(\frac{m}{N}\right) = \left(\frac{\frac{x^3-y^2}{x}}{N}\right) = \left(\frac{x}{N}\right)\left(\frac{x^3-y^2}{N}\right) = -1\cdot 1=-1.

Thus, if N is prime, Q' has order divisible by 2^k, by Theorem 3, and therefore the order of Q' is 2^kd d | n.

This means Q = nQ' has order 2^k. Therefore, if (1) concludes that N is composite, it truly is composite. (2) and (3) check if Q has order 2^k. Thus, if (2) or (3) conclude N is composite, it is composite.

Now, if the algorithm concludes that N is prime, then that means S_1 satisfies the condition of Theorem 4, and so N is truly prime.

There is an algorithm as well for when n is large, however for this we refer to the aforementioned article.[17]

References[edit]

  1. ^ a b c Henri Cohen, Gerhard Frey, ed. (2006). Handbook of Elliptic and Hyperelliptic Curve Cryptography. Boca Raton: Chapman & Hall/CRC. 
  2. ^ Top, Jaap, Elliptic Curve Primality Proving, http://www.math.rug.nl/~top/atkin.pdf
  3. ^ a b c Atkin, A.O.L., Morain, F., Elliptic Curves and Primality Proving, http://www.iai.uni-bonn.de/~adrian/ecpp/1992-atkin-morain-elliptic.pdf
  4. ^ a b Washington, Lawrence C., Elliptic Curves: Number Theory and Cryptography, Chapman & Hall/CRC, 2003
  5. ^ Lenstra, Jr., A. K.; Lenstra, Jr., H. W. (1990). "Algorithms in number theory". Handbook of Theoretical Computer Science: Algorithms and Complexity (Amsterdam and New York: The MIT Press) A: 673–715. 
  6. ^ Caldwell, Chris. The Top Twenty: Elliptic Curve Primality Proof from the Prime Pages.
  7. ^ Lygeros N., Rozier O. (2013). "Odd prime values of the Ramanujan tau function". Ramanujan Journal. doi:10.1007/s11139-012-9420-8. 
  8. ^ Morain F. Some primes proven by my programs. 
  9. ^ a b Koblitz, Neal, Introduction to Number Theory and Cryptography, 2nd Ed, Springer, 1994
  10. ^ http://www.mast.queensu.ca/~math418/m418oh/m418oh27.pdf
  11. ^ a b Blake, Ian F., Seroussi, Gadiel, Smart, Nigel Paul, Elliptic Curves in Cryptography, Cambridge University Press, 1999
  12. ^ Lenstra, Hendrik W., Efficient Algorithms in Number Theory, https://openaccess.leidenuniv.nl/bitstream/1887/2141/1/346_081.pdf
  13. ^ http://algo.inria.fr/seminars/sem97-98/morain.html
  14. ^ a b Morain, Francois, Implementation of the Atkin–Goldwasser–Kilian Primality Testing Algorithm, https://eprints.kfupm.edu.sa/44864/1/44864.pdf
  15. ^ Goldwasser, Shafi, Kilian, Joe, Almost All Primes Can Be Quickly Certified, http://www.iai.uni-bonn.de/~adrian/ecpp/p316-goldwasser.pdf
  16. ^ http://primes.utm.edu/notes/by_year.html
  17. ^ a b Tsumura, Yu, Primality Tests for 2^kn - 1 Using Elliptic Curves, arXiv:0912.5279v1

External links[edit]