原文来自wiki

翻译参照Bing在线翻译

－ － 部分翻译

Elliptic curve cryptography

From Wikipedia, the free encyclopedia

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz^{[ 1]} and Victor S. Miller^{[ 2]} in 1985.

Elliptic curves are also used in several integer factorization algorithms that have applications in cryptography, such as Lenstra elliptic curve factorization.

椭圆曲线加密技术 (ECC) 是一种基于椭圆曲线的代数在有限域上的公共密钥加密技术。
基于因数分解问题的因数分解密码系统，典型代表为RSA；

基于离散对数问题的离散对数密码系统，典型代表为DSA;

基于椭圆曲线离散对数问题的椭圆曲线密码系统（ECC）;

{以上非原创。}

[edit] Introduction   介绍

Public-key cryptography is based on the intractability of certain mathematical problems. Early public-key systems, such as the RSA algorithm , are secure assuming that it is difficult to factor an integer with two large prime factors. For elliptic-curve-based protocols, it is assumed that finding the discrete logarithm of an elliptic curve element is infeasible. The size of the elliptic curve determines the difficulty of the problem. It is believed that a smaller group can be used to obtain the same level of security as RSA-based systems. Using a small group reduces storage and transmission requirements.

An elliptic curve is a plane curve which consists of the points satisfying the equation

y ² = x ³ + a x + b ,

along with a distinguished point at infinity, denoted . This set forms an Abelian group, with the point at infinity as identity element. If the coordinates x and y are chosen from a finite field, the solutions form a finite abelian group.

As for other popular public key cryptosystems, no mathematical proof of difficulty has been published for ECC as of 2009^[update] . However, the U.S. National Security Agency has endorsed ECC technology by including it in its Suite B set of recommended algorithms and allows their use for protecting information classified up to top secret with 384-bit keys.^{[ 3]} Although the RSA patent has expired, there are patents in force covering certain aspects of ECC implementation, though some argue that a practical ECC key exchange system can be implemented without infringing them.^{[ 4]}

公共密钥加密技术基于某些极端的数学问题。

基于椭圆曲线的协议中假定无法发现椭圆曲线元素的离散对数。

特征值P=2时，有  y ² + xy = x ³ + a x ² + b

                      或  y ² + ay = x ³ + b x  + c

特征值P=3时，有 y ² = x ³ + b(1) x ² +b(2)x + b(3) 。

特征值P!=2,3时，有   y ²  = x ³ + a x  +b

{同样非原创} 

[edit] Cryptographic schemes    加密方案

Several RSA-based protocols have been adapted to elliptic curves, replacing the group with an elliptic curve:

• the Elliptic Curve Diffie-Hellman key agreement scheme is based on the Diffie-Hellman scheme,
• the Elliptic Curve Digital Signature Algorithm is based on the Digital Signature Algorithm,
• the ECMQV key agreement scheme is based on the MQV key agreement scheme.

At the RSA Conference 2005, the National Security Agency (NSA) announced Suite B which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.^{[ 5]}

Recently, a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the Weil and Tate pairings, have been introduced. Schemes based on these primitives provide efficient identity-based encryption as well as pairing-based signatures, signcryption, key agreement , and proxy re-encryption [1] .

[edit] Implementation considerations   实施注意事要

Although the details of each particular elliptic curve scheme are described in the article referenced above some common implementation considerations are discussed here.

[edit] Domain parameters   域参数

To use ECC all parties must agree on all the elements defining the elliptic curve, that is, the domain parameters of the scheme. The field is defined by p in the prime case and the pair of m and f in the binary case. The elliptic curve is defined by the constants a and b used in its defining equation. Finally, the cyclic subgroup is defined by its generator (aka. base point ) G . For cryptographic application the order of G , that is the smallest non-negative number n such that n G = O , must be prime. Since n is the size of a subgroup of it follows from the Lagrange’s theorem that the number is an integer. In cryptographic applications this number h , called the cofactor , at least must be small ( ) and, preferably, h = 1 . Let us summarize: in the prime case the domain parameters are (p ,a ,b ,G ,n ,h ) and in the binary case they are (m ,f ,a ,b ,G ,n ,h ) .

Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters must be validated before use.

The generation of domain parameters is not usually done by each participant since this involves counting the number of points on a curve which is time-consuming and troublesome to implement. As a result several standard bodies published domain parameters of elliptic curves for several common field sizes:

• NIST, Recommended Elliptic Curves for Government Use
• SECG, SEC 2: Recommended Elliptic Curve Domain Parameters

Test vectors are also available [2] .

If one (despite the said above) wants to build his own domain parameters he should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods:

• select a random curve and use a general point-counting algorithm, for example, Schoof’s algorithm or Schoof-Elkies-Atkin algorithm ,
• select a random curve from a family which allows easy calculation of the number of points (e.g., Koblitz curves), or
• select the number of points and generate a curve with this number of points using complex multiplication technique.^{[ 6]}

Several classes of curves are weak and shall be avoided:

• curves over with non-prime m are vulnerable to Weil descent attacks.^{[ 7] [ 8]}
• curves such that n divides p ^B − 1 (where p is the characteristic of the field – q for a prime field, or 2 for a binary field) for sufficiently small B are vulnerable to MOV attack^{[ 9] [ 10]} which applies usual DLP in a small degree extension field of to solve ECDLP. The bound B should be chosen so that discrete logarithms in the field are at least as difficult to compute as discrete logs on the elliptic curve .^{[ 11]}
• curves such that are vulnerable to the attack that maps the points on the curve to the additive group of ^{[ 12] [ 13] [ 14]}

       SECI 及 IEEE P1363 工作草案中 定义椭圆曲线域参数由一个六元偶  T= ( P ,a ,b ,G ,n ,h ) 组成。

       其中我们使用 P 表示 有限域 Eq , 或者 m 表示 F2m

       二元素 a,b属于Fq

       由此可以确定一条椭圆曲线，g表示一个基点，n为其对应的阶。 h=#E(Fq)/n, 为一个小整数。

[edit] Key sizes   密钥大小

Since all the fastest known algorithms that allow to solve the ECDLP (baby-step giant-step, Pollard’s rho, etc.), need steps, it follows that the size of the underlying field shall be roughly twice the security parameter. For example, for 128-bit security one needs a curve over , where . This can be contrasted with finite-field cryptography (e.g., DSA) which requires^{[ 15]} 3072-bit public keys and 256-bit private keys, and integer factorization cryptography (e.g., RSA ) which requires 3072-bit public and private keys. The hardest ECC scheme (publicly) broken to date had a 109-bit key (that is about 55 bits of security). For the prime field case, it was broken near the beginning of 2003 using over 10,000 Pentium class PCs running continuously for over 540 days (see [3] ). For the binary field case, it was broken in April 2004 using 2600 computers for 17 months (see [4] ).

一般的，我们可以认为，当Q的长度为160bit时，其安全性相当于RSA使用1024bit长的密码。

[edit] Projective coordinates  投影坐标

A close examination of the addition rules shows that in order to add two points one needs not only several additions and multiplications in but also an inversion operation. The inversion (for given find such that x y = 1 ) is one to two orders of magnitude slower^{[ 16]} than multiplication. Fortunately, points on a curve can be represented in different coordinate systems which do not require an inversion operation to add two points. Several such systems were proposed: in the projective system each point is represented by three coordinates (X ,Y ,Z ) using the following relation: , ; in the Jacobian system a point is also represented with three coordinates (X ,Y ,Z ) , but a different relation is used: , ; in the López-Dahab system the relation is , ; in the modified Jacobian system the same relations are used but four coordinates are stored and used for calculations (X ,Y ,Z ,a Z ⁴ ) ; and in the Chudnovsky Jacobian system five coordinates are used (X ,Y ,Z ,Z ² ,Z ³ ) . Note that there may be different naming conventions, for example, IEEE P1363-2000 standard uses “projective coordinates” to refer to what is commonly called Jacobian coordinates. An additional speed-up is possible if mixed coordinates are used.^{[ 17]}

[edit] Fast reduction (NIST curves)  快速缩小 － － 还是叫 Fast reduction吧..

Reduction modulo p (which is needed for addition and multiplication) can be executed much faster if the prime p is a pseudo-Mersenne prime that is , for example, p = 2⁵²¹ − 1 or p = 2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1 . Compared to Barrett reduction there can be an order of magnitude speed-up.^{[ 18]} The curves over with pseudo-Mersenne p are recommended by NIST. Yet another advantage of the NIST curves is the fact that they use a = − 3 which improves addition in Jacobian coordinates.

The speedup here is a practical rather than theoretical one, and derives from the fact that the moduli of numbers against numbers near powers of two can be performed efficiently by computers operating on binary numbers with bitwise operations.

[edit] NIST-recommended elliptic curves  NIST 推荐椭圆曲线方法

NIST recommends fifteen elliptic curves. Specifically, FIPS 186-2 has ten recommended finite fields. There are five prime fields for p 192 , p 224 , p 256 , p 384 and p 521 . For each of the prime fields one elliptic curve is recommended. There are five binary fields for 2¹⁶³ , 2²³³ , 2²⁸³ , 2⁴⁰⁹ , and 2⁵⁷¹ . For each of the binary fields one elliptic curve and one Koblitz curve was selected. Thus five prime curves and ten binary curves. The curves were chosen for optimal security and implementation efficiency.^{[ 19]}

  推荐了几种椭圆曲线。

[edit] Side-channel attacks  侧信道攻击

Unlike DLP systems (where it is possible to use the same procedure for squaring and multiplication) the EC addition is significantly different for doubling (P = Q ) and general addition ( ) depending on the coordinate system used. Consequently, it is important to counteract side channel attacks (e.g., timing or simple/differential power analysis attacks) using, for example, fixed pattern window (aka. comb) methods^{[ 20]} (note that this does not increase the computation time). Another concern for ECC-systems is the danger of fault attacks, especially when running on smart cards, see for example Biehl et. al^{[ 21]} .

Certicom ECC 以及 因子分解竞赛

[edit] Patents  ….

At least one ECC scheme (ECMQV ) and some implementation techniques are covered by patents. Uncertainty about the availability of unencumbered ECC has limited the acceptance of ECC.

确实热.. － － 怎么还有点囧…..

另: ubuntu在时钟首选项处位置页可以添加自己的位置,支持显示天气功能。{地址可以直接输入中文  如."武汉"}

<html>

<head>

<script type="text/javascript">

function getCookie(c_name)   //   提取 cookies中 c_name=OOXX 中的OOXX 无则返回""

{

   if (document.cookie.length>0)

    {

      c_start=document.cookie.indexOf(c_name + "=")        //indexOf 相当于 strchr

      if (c_start!=-1)                                            

        {

        c_start=c_start + c_name.length+1

        c_end=document.cookie.indexOf(";",c_start)

        if (c_end==-1) c_end=document.cookie.length

            return unescape(document.cookie.substring(c_start,c_end))

        }

    }

    return ""

}

function setCookie(c_name,value,expiredays)        //   c_name=escape(value);GMT时间

{

var exdate=new Date()

 exdate.setDate(exdate.getDate()+expiredays)       //  escape 是为了能方便存入流的特殊符号转换函数

    document.cookie=

    c_name+ "="+escape(value)

   +((expiredays==null) ? "" : "; expires="+exdate.toGMTString())      

}

function checkCookie()                            // 检查

{

    username=getCookie(‘username’)

    if (username!=null && username!="")

      {

          alert(‘Welcome again ‘+username+’!’)}

    else

        {

         username=prompt(‘Please enter your name:’,"")

          if (username!=null && username!="")

          {

             setCookie(‘username’,username,365)

          }

        }

}

function clearCookie()    //自己加的清除cookies 试了直接 document.cookie="" 无效…有更好的方法么?

{

  try{

     document.cookie="username="

     }

  catch(err)

 {

    txt = "error\n\n"

        confirm(txt)

 }

 

}

</script>

</head>

<body onLoad="checkCookie()">

<input type="button" onclick="clearCookie()" value="清除Cookie" />

</body>

</html>

   中午看了点《深入OOXX》， 继续之前看的很糊涂的二进制码关于补码反码的问题。

   现在有点头绪，写点。

#include <stdio.h>

#include <stdlib.h>

int outit(unsigned char * ptr,int n)

{

    int i;

    for(i=0;i<n;i++)

    {

        printf("%.2X ",*(ptr+i));

    }

    printf("\n");

    return 0;

}

int main()

{

    int test;

    do

    {

    printf(" Input :\n");

    scanf("%d",&test);

    outit((unsigned char *)&test,sizeof(test));

    } while (1);

}

 测试2进制码的程序。

 跟着书上写的想下去，会出现一点思维上的迷糊，因为我们平时记住的补码＝反码＋1；

 因该把这个归于捷径而不是我们思维的方法，补码的真正意义是在于将最高位（比如8421的8）看作负(即-8)

 然后于其他各个位的权值相加。

 如 1011 计算思路 -8＋2＋1 ＝ 5

 然而编译器处理你输入的数是有一定的方法。下次继续写。

#define ABORT do { \

    fflush(stdout); \

    fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \

    ERR_print_errors_fp(stderr); \

    EXIT(1); \

} while (0)

简单使用

  if (!ctx) ABORT;

   对一个结构体的部分特殊free，写了一个函数处理，复杂，NB。

   如此境界….  

     有时朋友希望我能帮忙,做一些事情,理由无非是他不擅长而我在行.

     那时总是很想拒绝的.

     今天闲着无聊逛{top},想起以前pongba写的文章,转载一回。

这个世界上永远都有一个解决问题的最简单之道：就是叫别人帮忙。但是同样也有一条公理：没有免费的午餐。自己什么也不肯做，只想让别人帮忙，不仅不实际，而且对自己的思维锻炼和问题解决能力没有任何长远好处。

这里特别地说一点，关于一些”很基础”的问题，我观察发现，提问这些基础问题的朋友其实总是有一个更大的问题在背后：那就是就算别人帮你解决了这个问题，你还是会遇到其他基础问题，比如如果你想用一门语言，但却不先去看一下基本的ABCD，直接操起IDE就想写代码，编译出错了然后就把错误扔上来问怎么回事，就算别人告诉你了，后面你还是会继续遇到一大摞ABCD问题，实质上真正的问题是基本功就没有做，想要一步登天，或者想要别人手把手全程陪伴你，怎么可能？有人会argue说：那为什么我不可以询问我应该看哪些资料呢？问题是如果你需要看的是基础资料，那么其实很简单，把领域关键词往 Wikipedia上一扔，到相关页面看Reference部分，就能够看到最靠谱最权威的参考。或者把领域关键词往Amazon甚至Douban上一扔也可以查到哪些书比较经典，剩下的就是阅读和动手了，遇到不明白的问题第一步应该是去问资料，我想绝大多数人应该都能判断自己的问题是否能在资料上找到吧？我发现大多数问题都可以规约为查合适的资料的问题，而查合适的资料又是很简单的事情：我一直使用的就是 Wikipedia/Amazon/Google ，从来是无往不利。

而需要用到分析问题的能力的时候：对于一些更为practical的问题，我观察发现有同学不会分析问题，而不会分析问题又是因为平素分析问题太少（恶性循环），总是想”最快”的解决问题，问题是容易的路越走越难，困难的路越走越容易。遇到问题是很好的锻炼的机会，如果别人帮你分析解决，你就等于将这样的机会扔掉，是很可惜的。

  不久前到china-pub定了《深入理解计算机系统》(computer ooxx..)

  前些日子无聊翻了几页，收获颇多，琢磨着这本可以看很久…

  临近期末人有点颓废，

                考完高数那天下午花了5小时通了braid,一个可以有能力回到过去的人寻找公主的故事，

                游戏最后说，现实世界是不能时间倒流的，它比喻的主人公是参加曼哈顿计划制造核弹的人。

  末尾记下来点什么

   早上看书瞄到了掩码的概念，想起网络连接设置里的掩码设置，没有深入了解，百科了一下，估计是网络分层用。

   -0是真是假？ 有空检查下。

   剩下C和数逻,考完后给家长打个电话..

刚刚看到,YYD去了交大ACM班,wish.

谷歌真的被阴谋陷害了吗？

 于 09-6-27 通过 月光博客 作者：williamlong (williamlong)

 这里仅转载文字,图片麻烦摆架月光博客
 原先爆出google被陷害时我便有些怀疑

 目前为止也不好说了，网上很多东西还是要眼见为实，甚至眼见都不一定为实。

 自己保持冷静才是最重要的。

    　这两天看到Google Docs上有匿名人士写的一篇文章，称根据谷歌趋势和Google
   Insights来分析，谷歌上搜索“儿子”后出现的低俗内容都是之前人为刷关键字形成的，为了验证真伪，我也通过使用Google Trends和Google
    insights对“儿子”这个关键词进行了分析。
   
    　　根据Google
     Trends的显示，“儿子”的搜索量在6月17日的时候还非常低，在18日的时候就开始上扬，6月19日达到了顶峰，而央视新闻联播和焦点访谈抨击谷歌的节目正好是在6月18日晚上播出，因此“儿子”的搜索量剧增完全有可能是因为大量观众看完新闻后进行的搜索而产生的，我记得我自己当时看完新闻后就搜索过两次，相信对此关注的网民都会进行一番搜索，从而导致其搜索量的剧增。而下面的新闻引用量的增长恰好和上面的搜索量同步，说明新闻媒体也是在6月19日才大量报道这一新闻的。
      Google Trends上关于“儿子”的三十天搜索数据
  
     Google Trends上关于“儿子”的“搜索建议关键词”的三十天搜索数据
     
    　　更新：支持Google的网友的主要根据是下面这张图，这也是比较令我困惑的地方，从这张图上看，的确是这几个关键字从11号开始搜索量上升，并且持续到17号，并且只有北京地区有同时搜索这几个关键词的行为。
        　　按道理来说，Google Insights应该和Google Trends的数据是相同的，但是同样的关键字，我在Google
   Trends上进行查询，却是另一个结果，Google
    Trends显示这几个关键词在17号的搜索还是0，18号开始猛增，同时搜索城市包括北京、广州、上海三个城市，这两个系统按道理来说都是调用Google的数据中心，为什么同一个数据却出现不同的结果，这也是令我困惑的地方。
  
   
     　　因此，说谷歌搜索“儿子”的信息是“刷”出来的，并没有足够的证据，恰恰相反，反面的证据倒是不少，我在2007年2月，谷歌“搜索建议”刚刚上线的时候，我就曾经截过一幅图，下图就是那时候搜索“儿子”所产生的“搜索建议”，说明搜索这个关键词的确有些问题。
    
　　对于新闻联播和焦点访谈的报道模式以及采访形式，很多人都很反感，因为其对于Google的不良信息有很多夸大其辞和片面的说法，并且后来还出现Google被域名劫持的事件，令大家都很气愤，但是己所不欲、勿施于人，如果我们采用CCTV的形式来反驳CCTV，甚至用一些片面或者带有倾向性的言论进行误导，这反而可能会使事情变得更糟，他们说的谎话已经够多了，如果我们也用谎话来回击他们，那和他们有什么不同呢？