Discrete Methods in Mathematical Informatics
Lecture 3: Other Applications of Elliptic Curve
23rd October 2012
Vorapong Suppakitpaisarn
http://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/
vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363
Download:
Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptx
Lecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptx
Lecture 3: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture3.pptx
Course Information (Many Changes from Last Week)
Schedule
10/9 – Elliptic Curve I (2 Exercises) (What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercise) (Elliptic Curve Cryptography [1])
10/23 – Elliptic Curve III (3 Exercises) (Elliptic Curve Cryptography [2])
10/30 – Cancelled
11/7 – Online Algorithm I (Prof. Han)
11/14 – Online Algorithm II (Prof. Han)
11/21 – Elliptic Curve IV (2 Exercises) (ECC Implementation I)
11/28 – Elliptic Curve V (2 Exercises) (ECC Implementation II)
12/4 – Cancelled
From 12/11 – To be Announced
Grading
For my part, you need to submit 2 Reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III
  Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V
  Submission Deadline: TBD
- Submit your report at Department of Mathematical Informatics’ office [1st floor of this building]
From Last Lecture…
Scalar Multiplication on Elliptic Curve
S = P + P + … + P (r times) = rP
where r is a positive integer and S, P are members of the curve
Double-and-add method
Let r = 14 = (01110)_2
Compute rP = 14P: O → P → 2P → 3P → 6P → 7P → 14P
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
Discrete Logarithm Problem
Given P, aP - Compute a.
Overview
- Discrete Logarithm Problem
- Massey-Omura Encryption
- ElGamal Public Key Encryption
- ElGamal Digital Signatures
- Digital Signature Algorithm (DSA)
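Pollard’s Method [Pollard 1978]
f : E(F_p) → E(F_p), Random Function
f(P_0) = P_1, f(P_1) = P_2, ..., f(P_{k-1}) = P_k
[Figure: the sequence P_0, P_1, P_2, P_3, P_4, ..., P_56, P_57, P_58]
O(√N) [Teske, 1998]
(Semi-)Objective
Find k ≠ l such that P_k = P_l
(Semi-)Algorithm
1. S_0 = R_0 = P_0 for random P_0 ∈ E(F_p)
2. Do
   S_k = f(S_{k-1}) = f(P_{k-1}) = P_k
   R_k = f(f(R_{k-1})) = f(f(P_{2(k-1)})) = P_{2k}
   for m = O(√N) times or until S_m = R_m (P_m = P_{2m})
(Real-)Objective
Given P, Q = aP, find a
Function f for Discrete Log
E(F_p) = S_1 ∪ S_2 ∪ ... ∪ S_n, n ≈ 20, S_i ∩ S_j = ∅
Let 1 ≤ i ≤ n, a_i, b_i be a random positive integer
Define M_i = a_i P + b_i Q
f(R) = R + M_i if R ∈ S_i
(Real-)Algorithm
1. S = R = P_0 = a_0 P + b_0 Q for random a_0, b_0
   c_S = c_R = a_0, d_S = d_R = b_0
   [S = c_S P + d_S Q, R = c_R P + d_R Q]
2. Do
   S ← f(S); if S ∈ S_i, c_S ← c_S + a_i, d_S ← d_S + b_i
   R ← f(f(R)); if R ∈ S_i, f(R) ∈ S_j, c_R ← c_R + a_i + a_j, d_R ← d_R + b_i + b_j
   until S = R
3. S = R
   c_S P + d_S Q = c_R P + d_R Q
   (d_S − d_R) Q = (c_R − c_S) P
   Q = ((c_R − c_S)/(d_S − d_R)) P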
Example
E(F_1093) = {(x, y) | y^2 = x^3 + x + 1}, N = 1067
P = (0, 1), Q = (413, 959)
Find a such that Q = aP
Algorithm
(x, y) ∈ S_i if x ≡ i mod 3
M_0 = 4P + 3Q, M_1 = 9P + 17Q, M_2 = 19P + 6Q
P_0 = 3P + 5Q = (326, 69)
Since 326 ≡ 2 mod 3, P_0 ∈ S_2.
P_1 = f(P_0) = P_0 + M_2 = (3P + 5Q) + (19P + 6Q) = 22P + 11Q = (727, 589)
P_0 = (326, 69), P_1 = (727, 589), P_2 = (560, 365), P_3 = (1070, 260),
P_4 = (473, 903), P_5 = (1006, 951), P_6 = (523, 938), ...,
P_57 = (895, 337), P_58 = (1006, 951), P_59 = (523, 938), ...
P_5 = 88P + 46Q, P_58 = 685P + 620Q
O = P_58 − P_5 = 597P + 574Q
574a + 1067b = 1, (a, b) = (−764, 411)
597aP = −574aQ = −(1 − 1067b)Q = −Q
Q = −597aP = 597·764 P = (1067·427 + 499)P = 499P
Exercise
. that Prove
and
33, is order the whichin curveelliptic on point a be Let (a)
P}P,P,{Z}kP|kP{Q
QP
P,Q
26154114
,62
Exercise 4
1
11 mod1
,),gcd(,
abc}ZkP|kd
N{cPQ
d
Nbbb
dNbbQaP
NP,Q
where that Prove
that such integer an is
, is order the whichin curveelliptic on point a be Let (b)
The Pohlig-Hellman Method [Pohlig, Hellman 1978]
E(F_599) = {(x, y) | y^2 = x^3 + 1}, N = 600
P = (60, 19), Q = (277, 239)
Find a such that Q = aP
600Q = O
If a ≡ 0 mod 3, 200Q = 200aP = 200(3b)P = 600bP = O
If a ≡ 1 mod 3, 200Q = 200aP = 200(3b + 1)P = 600bP + 200P = 200P
If a ≡ 2 mod 3, 200Q = 200aP = 200(3b + 2)P = 600bP + 400P = 400P
If a ≡ 0 mod 5, 120Q = 120aP = 120(5b)P = 600bP = O
If a ≡ 1 mod 5, 120Q = 120aP = 120(5b + 1)P = 600bP + 120P = 120P
If a ≡ 2 mod 5, 120Q = 240P
If a ≡ 3 mod 5, 120Q = 360P
If a ≡ 4 mod 5, 120Q = 480P
Let a ≡ i mod 5, Q_1 = Q − iP
Q_1 = cP where c ≡ 0 mod 5
If c ≡ 0 mod 25, 24Q_1 = 24cP = 24(25b)P = 600bP = O
If c ≡ 5 mod 25, 24Q_1 = 24cP = 24(25b + 5)P = 600bP + 120P = 120P
If c ≡ 10 mod 25, 24Q_1 = 240P
If c ≡ 15 mod 25, 24Q_1 = 360P
If c ≡ 20 mod 25, 24Q_1 = 480P
Suppose that a ≡ i mod 5, and c = a − i ≡ j mod 25.
Then a ≡ i + j mod 25.
The Pohlig-Hellman Method [cont.]
N = |E(F_p)| = p_1^{e_1} p_2^{e_2} ... p_n^{e_n}
(Real-)Problem
Given P, Q = aP - Compute a.
(Semi-)Problem
Given P, Q = aP - Compute a mod p_k^{e_k}
Properties
1. If a ≡ i mod p_k,
   (N/p_k) Q = (N/p_k) aP = (N/p_k)(p_k b + i) P = bNP + i (N/p_k) P = i (N/p_k) P
2. If c = a − i ≡ j p_k mod p_k^2,
   Q_1 = Q − iP = aP − iP = cP
   (N/p_k^2) Q_1 = (N/p_k^2) cP = (N/p_k^2)(p_k^2 b + j p_k) P = bNP + j (N/p_k) P = j (N/p_k) P
Algorithm
1. For all 0 ≤ i < p_k, compute i (N/p_k) P
2. Compute (N/p_k) Q
3. Find i such that (N/p_k) Q = i (N/p_k) P; a ≡ i mod p_k
4. If e_k = 1, Terminate. Let Q_1 = Q − iP, compute (N/p_k^2) Q_1
5. Find j such that (N/p_k^2) Q_1 = j (N/p_k) P; a ≡ i + j p_k mod p_k^2
6. If e_k = 2, Terminate. Let Q_2 = Q − iP − j p_k P, compute (N/p_k^3) Q_2
7. Find l such that (N/p_k^3) Q_2 = l (N/p_k) P; a ≡ i + j p_k + l p_k^2 mod p_k^3
...
The Pohlig-Hellman Method [cont.]
E(F_599) = {(x, y) | y^2 = x^3 + 1}, N = 600
P = (60, 19), Q = (277, 239)
Find a such that Q = aP
120P = (84, 179), 240P = (491, 134)
360P = (491, 465), 480P = (84, 420)
Algorithm
600 = 2^3 · 3 · 5^2
Given P, Q = aP - Compute a mod p_k^{e_k}
(600/5) Q = 120Q = (84, 179)
i = 1, a ≡ 1 mod 5
Q_1 = Q − 1·P = (130, 129), (600/5^2) Q_1 = 24Q_1 = (491, 465)
j = 3, a ≡ (1 + 3·5) mod 5^2 ≡ 16 mod 25
Chinese Remainder Theorem
E(F_599) = {(x, y) | y^2 = x^3 + 1}, N = 600
P = (60, 19), Q = (277, 239)
Find a such that Q = aP
600 = 2^3 · 3 · 5^2
(Semi-)Problem
Given P, Q = aP - Compute a mod p_k^{e_k}
a ≡ 2 mod 2^3, a ≡ 2 mod 3, a ≡ 16 mod 5^2
Chinese Remainder Theorem
Suppose that x ≡ a_i mod m_i for 1 ≤ i ≤ n, such that gcd(m_i, m_j) = 1 for all i ≠ j.
Let M = m_1 m_2 ... m_n.
Find x such that a ≡ x mod M.
x ≡ a_1 b_1 (M/m_1) + a_2 b_2 (M/m_2) + ... + a_n b_n (M/m_n)
where b_i (M/m_i) ≡ 1 mod m_i
m_1 = 2^3 = 8, m_2 = 3, m_3 = 5^2 = 25
M/m_1 = 600/8 = 75, M/m_2 = 600/3 = 200, M/m_3 = 600/25 = 24
3 · 75 = 225 ≡ 1 mod 8, b_1 = 3
2 · 200 = 400 ≡ 1 mod 3, b_2 = 2
24 · 24 = 576 ≡ 1 mod 25, b_3 = 24
a_1 = 2, a_2 = 2, a_3 = 16
x ≡ 2·3·75 + 2·2·200 + 16·24·24 ≡ 10466 ≡ 266 mod 600
Q = (277, 239) = 266P = 266(60, 19)
Three-Pass Protocol [Shamir 1980]
Private Key Cryptography
Key Agreement Protocol: both sides hold the same key k
Encryption Algorithm: M → Ek(M)
Decryption Algorithm: Dk(Ek(M)) = M
Three-pass Protocol
Keys k1 and k2, one on each side
Encryption Algorithm: M → Ek1(M)
Super-Encryption Algorithm: Ek1(M) → Ek2(Ek1(M))
Decryption Algorithm: Ek2(M) = Dk1(Ek2(Ek1(M)))
Super-Decryption Algorithm: Ek2(M) → M
Massey-Omura Protocol [Massey, Omura 1986]
Massey-Omura Protocol
M ∈ E(F_p) with order N
k1 - co-prime of N, k2 - co-prime of N
Encryption Algorithm: k1 M
Super-Encryption Algorithm: k2 (k1 M) = k1 k2 M
Decryption Algorithm: k1^{-1} (k1 k2 M) = k2 M
  where k1^{-1} is an integer such that k1 (k1^{-1}) ≡ 1 mod N
Super-Decryption Algorithm: k2^{-1} (k2 M) = M
Massey-Omura Protocol [cont.]
Example
E(F_5) = {(x, y) | y^2 = x^3 + x + 1} ∪ {O}, M = (0, 1) ∈ E(F_p) with order 9
k1 = 2, k2 = 7
Encryption Algorithm: k1 M = 2(0, 1) = (4, 2)
Super-Encryption Algorithm: k2 (k1 M) = 7(4, 2) = (3, 1)
Decryption Algorithm: 2 · 5 = 10 ≡ 1 mod 9, k1^{-1} = 5
  k1^{-1} (k1 k2 M) = 5(3, 1) = (4, 3)
Super-Decryption Algorithm: k2^{-1} (k2 M) = 4(4, 3) = (0, 1)
Massey-Omura Protocol [cont.]
Integer → Point on Elliptic Curve
Let m be a positive integer we want to encode.
Find (x, y) ∈ E(F_p) such that 100m ≤ x ≤ 100m + 99.
Find x such that s = x^3 + Ax + B and s^{(p−1)/2} = 1, i.e. s = y^2 for some y ∈ F_p.
If p ≡ 3 mod 4, y = s^{(p+1)/4}.
Point on Elliptic Curve → Integer
(x, y) ∈ E(F_p) is decoded to m = ⌊x/100⌋
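An added example (not from the original slides) of the integer-to-point encoding above. The prime p = 2^31 − 1 and the curve y^2 = x^3 + x + 1 over it are constructed here for illustration; only the window of 100 candidate x-values and the s^{(p+1)/4} square root come from the slide.

```python
# Constructed parameters (assumptions of this example, not the lecture's):
# p = 2^31 - 1 is prime and p % 4 == 3, curve y^2 = x^3 + A*x + B.
p, A, B = 2**31 - 1, 1, 1
K = 100   # number of candidate x-values reserved per message, as on the slide

def encode(m):
    """Map integer m to a point (x, y) with 100m <= x <= 100m + 99."""
    if m < 0 or K * m + K - 1 >= p:
        raise ValueError("message out of range for this field")
    for x in range(K * m, K * m + K):
        s = (x**3 + A * x + B) % p
        # Euler's criterion: s is a nonzero square iff s^((p-1)/2) == 1.
        if pow(s, (p - 1) // 2, p) == 1:
            # Square root formula valid because p = 3 (mod 4).
            return x, pow(s, (p + 1) // 4, p)
    # Each x is a square only about half the time, so a window can fail.
    raise ValueError("no x in the window gives a square")

def decode(point):
    """Recover m = floor(x / 100) from the x-coordinate."""
    return point[0] // K

def on_curve(point):
    x, y = point
    return (y * y - (x**3 + A * x + B)) % p == 0

if __name__ == "__main__":
    pt = encode(2012)
    print(pt, on_curve(pt), decode(pt))
```

The encoding is probabilistic, so a caller has to handle the failure branch instead of assuming every message maps to a point.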
zzvvz
vv-zvvz
vv-
xx
yy
yy
x
yxx,y p
pp
pp
p
p
p
p
)/(p
p
24/)1(2
22
2
24/)1(
2/)1(
222/)1(
21
2
,
1
1
4mod3
thatShow , all for Suppose (g)
some for thatshow all for Suppose (f)
all for thatShow (e)
thatShow (d)
thatShow (c)
thatShow (b)
thatShow (a)
Suppose . number, prime a be Let
Z
ZZ
Z
FExercise 4 Exercise 5
xx )/(p 21 thatShow (a)
pF
pF
pF
Public Key Cryptography
Private Key Cryptography
Key Agreement Protocol: both sides hold the same key k
Encryption Algorithm: M → Ek(M)
Decryption Algorithm: Dk(Ek(M)) = M
Public Key Cryptography
Key pair kpub, kpri; kpub is distributed through the Certificate Authority (CA)
Encryption Algorithm: M → Ekpub(M)
Decryption Algorithm: Dkpri(Ekpub(M)) = M
ElGamal Public Key Encryption [ElGamal 1985]
ElGamal PKE
P ∈ E(F_p), s ∈ Z
kpub = (P, B = sP), kpri = s
Certificate Authority (CA): kpub = (P, B = sP)
M ∈ E(F_p), k ∈ Z
Encryption Algorithm: Ekpub(M) = (M1, M2), M1 = kP, M2 = M + kB
Decryption Algorithm: Dkpri(Ekpub(M)) = M2 − sM1 = M
M2 − sM1 = (M + kB) − s(kP) = M + k(sP) − skP = M
ElGamal Public Key Encryption (cont.)
Example
E(F_5) = {(x, y) | y^2 = x^3 + x + 1} ∪ {O}, (0, 1) ∈ E(F_p) with order 9
s = 5, kpri = s = 5
kpub = (P, B), P = (0, 1), B = sP = 5(0, 1) = (3, 1)
kpub = (P, B) = ((0, 1), (3, 1))
M = (4, 2) ∈ E(F_p), k = 7
Encryption Algorithm: Ekpub(M) = (M1, M2)
  M1 = kP = 7(0, 1) = (4, 3)
  M2 = M + kB = (4, 2) + 7(3, 1) = (0, 1)
Decryption Algorithm: Dkpri(Ekpub(M)) = M2 − sM1 = (0, 1) − 5(4, 3) = (4, 2)
ElGamal Public Key Encryption (cont.)
ElGamal Problem Ver. I
Given P, sP (public key), kP, M + skP,
Find M.
Discrete Log.
Given P, sP
Find s.
Digital Signature [Diffie, Hellman 1976]
Objective
Alice is sending a message M to Bob
1. Bob can be sure that the sender is really Alice.
2. Alice cannot deny that she sent the message.
3. No one can send a message claiming that they are Alice.
Digital Signature
Key pair kpri, kpub; kpub is distributed through the Certificate Authority (CA)
Signing Algorithm: M → (M, Skpri(M))
Verification Algorithm: Vkpub(Skpri(M)) = M ?
ElGamal Digital Signatures [ElGamal 1985]
Digital Signature
Signing Algorithm: M → (M, Skpri(M))
Verification Algorithm: Skpri(M) is signed by Alice???
ElGamal’s Protocol
a ∈ Z, A ∈ E(F_p)
kpri = a, kpub = (A, B = aA)
Certificate Authority (CA): kpub = (A, B)
Message m ∈ Z, Random Integer k
Signing Algorithm: R = kA = (x_R, y_R), s = (m − a x_R)/k
  (M, Skpri(M)) = (M, (R, s))
Verification Algorithm: x_R B + sR = mA ???
x_R B + sR = x_R aA + s kA = x_R aA + (m − a x_R)A = mA
ElGamal Digital Signatures (cont.)
Example
E(F_5) = {(x, y) | y^2 = x^3 + x + 1} ∪ {O}, (0, 1) ∈ E(F_p) with order 9
a = 2, A = (0, 1) ∈ E(F_p)
kpri = a = 2
kpub = (A, B) where B = aA = 2(0, 1) = (4, 2)
Message m = 5, Random Integer k = 7
Signing Algorithm:
  R = kA = 7A = (4, 3), x_R = 4
  s = (m − a x_R)/k = (5 − 2·4)/7 = (−3)(4) = 6 (mod 9)
  (m, Skpri(M)) = (5, (R, s)) = (5, ((4, 3), 6))
Verification Algorithm:
  x_R B + sR = 4(4, 2) + 6(4, 3) = (0, 4) + (2, 4) = (3, 1) = 5(0, 1) = mA
ElGamal Digital Signatures (cont.)
ElGamal Problem Ver. II
Given A, B = aA (public key), m (message),
m' (forged message)
Find R, s such that x_R B + sR = m'A
Discrete Log.
Given P, sP
Find s.
Exercise
Exercise 6
Suppose that the ElGamal signature scheme is used to produce the valid signed message (m, R = (x_R, y_R), s). Let h be an integer with gcd(h, N) = 1. Assume gcd(x_R, N) = 1. Let
R' = hR = (x_R', y_R'),
s' ≡ s x_R' x_R^{-1} h^{-1} (mod N),
m' ≡ m x_R' x_R^{-1} (mod N).
Show that (m', R', s') is a valid signed message.
Digital Signature Algorithm [Vanstone 1992]
ElGamal’s Protocol
),(,
)(,
aABAkak
EAa
pubpri
p
FZ
Certificate Authority
(CA)
kpub=(A,B)
k
m
Integer Random
Message Z
Signing
Algorithm
k
axms
yxkPR
R
RR
),(
),()(, sRMSMprik ),()(, sRMSM
prik
Verification
Algorithm
???mAsRBxR
DSA’s Protocol
),(,
)(,
aABAkak
EAa
pubpri
p
FZ
Certificate Authority
(CA)
kpub=(A,B)
k
m
Integer Random
Message Z
Signing
Algorithm
k
axms
yxkPR
R
RR
),(
),()(, sRMSMprik ),()(, sRMSM
prik
Verification
Algorithm
???
???
ARm
sB
m
x
mAsRBx
R
R
3 Scalar Multiplications
2 Scalar Multiplications
Pairing-Based Cryptography
Bilinear Function e : E(F_p) × E(F_p) → G
abQPebQaPe ),(),( QP, If 1),( QPe
Diffie-Hellman Exchange Protocol
ALICE
1. Generate P ∈ E(F)
2. Generate positive integer a
3. Receive Q = bP
4. Compute aQ = abP
BOB
1. Receive P
2. Receive S = aP
3. Generate positive integer b
4. Compute bS = abP
Messages exchanged: P, aP, bP
Three-Parties DHE
[Figure, first round: ALICE holds a, aP; BOB holds b, bP; CHARLIE holds c, cP; the points aP, bP, cP are passed between the parties]
[Figure, second round: the points abP, bcP, acP are passed between the parties]
Three-Parties DHE with Pairing
[Figure: ALICE holds a, aP; BOB holds b, bP; CHARLIE holds c, cP; the points aP, bP, cP are exchanged in a single round, and ALICE receives bP and cP]
e(bP, cP) = e(P, P)^{bc}
(e(P, P)^{bc})^a = e(P, P)^{abc}
Thank you for your attention
Please feel free to ask questions or comment.