elliptic curve cryptography

Post on 09-Jan-2017


Elliptic Curve Cryptography

Kelly Bresnahan

March 24, 2016

Table Of Contents

1 Elliptic Curve Cryptography (ECC)

- Introduction
- Pros and Cons of Elliptic Curves
- Definition of an Elliptic Curve
- Operations on Elliptic Curves
- Hasse’s Bound
- Representing Plaintext
- Elliptic Curve Diffie-Hellman Key Exchange
- ElGamal Digital Signatures using Elliptic Curves
- Identity-Based Encryption Using ECC

Introduction

Miller and Koblitz (independently) introduced elliptic curves into cryptography in the mid-1980s

Elliptic Curve Cryptography algorithms entered wide use between 2004 and 2005

Based on the discrete logarithm problem, i.e. determining an integer 1 ≤ k ≤ p − 1 such that

g^k ≡ b (mod p)

Why use ECC?

Pros

- Smaller keys can be used to achieve the same security as an RSA or discrete logarithm system: 160-256 bit vs 1024-3072 bit

- Only generic attacks are known against ECC, in comparison to other systems such as RSA and discrete logarithm (DL) schemes

- An ECDSA signature with a 256-bit key is over 20 times faster than an RSA signature with a 2,048-bit key

- The energy needed to break an RSA key is much smaller than for an ECC key

Cons

- Security is achieved only if cryptographically strong elliptic curves are used


Definition of Elliptic Curves

Definition: An elliptic curve is the graph of the equation

E : y^2 = x^3 + ax^2 + bx + c

where a, b, and c are elements from the base field K of characteristic not equal to 2.

Note: We’ll also include the point (∞, ∞), denoted ∞

Examples of Elliptic Curves over R

Figure: y^2 = x^3 + x

Figure: y^2 = x^3 + 73

Operations on Elliptic Curves

Point Addition

Operations on Elliptic Curves (cont)

Point Doubling

Operations on Elliptic Curves (cont)

How do we add a point P with ∞?

Operations on Elliptic Curves (cont)

Therefore, the points on E form an abelian group under addition, where

1 ∞ is the additive identity

2 The inverse of the point P = (x, y) is −P = (x, −y)

3 P − Q = P + (−Q)

Figure: Elliptic Curve in R

Figure: Same Curve (mod p)

Adding Points on E

Suppose E is defined as y^2 ≡ x^3 + 4x + 4 (mod 5). Let P1 = (1, 2) and P2 = (4, 3). Then

(1, 2) + (4, 3) = (4, 2)

Doubling Points on E

Suppose E is defined as y^2 ≡ x^3 + 2x + 2 (mod 17). Let P = (5, 1). Then

2P = (6, 3)

Addition Law

If E is given by E : y^2 = x^3 + bx + c (mod p), we define

(x3, y3) = (x1, y1) + (x2, y2)

as

x3 = s^2 − x1 − x2 (mod p) and

y3 = s(x1 − x3) − y1 (mod p)

where

s = (y2 − y1) / (x2 − x1) (mod p), if P ≠ Q

s = (3x1^2 + b) / (2y1) (mod p), if P = Q

Cardinality

Question: What is the order of the group (E, +) (mod p), i.e. how many points are on E?

Hasse’s Bound: Given an elliptic curve E modulo p, the number of points on E, denoted #E, is bounded by

p + 1 − 2√p ≤ #E ≤ p + 1 + 2√p
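As an added example that is not part of the slides, here is a brute-force count of #E for the two curves used in the worked examples above, checked against Hasse’s bound. The method (Euler’s criterion applied to x^3 + bx + c for each x) and the function names count_points, hasse_interval and check_hasse are my own; the count is only practical for tiny p, which is exactly why the bound matters for real curve sizes.

```python
"""Added example (not from the slides): count #E for E: y^2 = x^3 + b x + c
(mod p) by brute force and check it against Hasse's bound. Uses the two curves
from the slides' worked examples; p must be an odd prime."""
import math


def is_nonsingular(b, c, p):
    """Standard condition for y^2 = x^3 + b x + c to be an elliptic curve mod p."""
    return (4 * b ** 3 + 27 * c ** 2) % p != 0


def count_points(b, c, p):
    """#E = 1 (for the point at infinity) + number of (x, y) on the curve.
    For each x there are 2 solutions y if f(x) = x^3 + b x + c is a nonzero
    square mod p (Euler's criterion: f(x)^((p-1)/2) = 1), 1 if f(x) = 0,
    and 0 otherwise."""
    n = 1
    for x in range(p):
        fx = (x ** 3 + b * x + c) % p
        if fx == 0:
            n += 1
        elif pow(fx, (p - 1) // 2, p) == 1:
            n += 2
    return n


def hasse_interval(p):
    """(lower, upper) with p + 1 - 2*sqrt(p) <= #E <= p + 1 + 2*sqrt(p)."""
    return p + 1 - 2 * math.sqrt(p), p + 1 + 2 * math.sqrt(p)


def check_hasse(b, c, p):
    """Return (#E, True) when the count lies inside Hasse's interval."""
    n = count_points(b, c, p)
    lo, hi = hasse_interval(p)
    return n, lo <= n <= hi


if __name__ == "__main__":
    print(check_hasse(4, 4, 5))    # (8, True)   y^2 = x^3 + 4x + 4 (mod 5)
    print(check_hasse(2, 2, 17))   # (19, True)  y^2 = x^3 + 2x + 2 (mod 17)
```

For the doubling example’s curve y^2 = x^3 + 2x + 2 (mod 17) the count is 19, a prime, so every point other than ∞ generates the whole group; that value is the #E the later signature slides rely on.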


Elliptic Curves (mod p)

The Discrete Logarithm Problem for Elliptic Curves:

Given an elliptic curve E and two points P and T on E, the discrete log problem for elliptic curves is finding an integer 1 ≤ d ≤ #E such that

P + P + · · · + P (d times) = dP = T

In cryptosystems d is the private key and T is the public key


Representing Plaintext

We need a method for encoding a message as a point on an elliptic curve.

The Bad News: Currently there is no known polynomial-time, deterministic algorithm for writing down points on an arbitrary elliptic curve.

The Good News: There are fast probabilistic methods for finding points

With appropriately chosen parameters, the probability of failure can be made arbitrarily small.


Representing Plaintext

Let E : y^2 ≡ x^3 + bx + c (mod p) be the elliptic curve and let m be the message represented as a number.

Idea: Embed m as the x-coordinate of a point on E

The Bad News: There is only a 50% chance that m^3 + bm + c is a square modulo p

Question: How can we guarantee a higher success rate?

Answer: We’ll adjoin a few bits at the end of m and adjust them until we get a number x such that x^3 + bx + c is a square (mod p)


Koblitz’s Method

Let E : y^2 ≡ x^3 + bx + c (mod p) be the elliptic curve and let m be the message represented as a number.

Let K ∈ Z be large enough such that a failure rate of 1/2^K is acceptable

Assume that (m + 1)K < p and let x = mK + j

For j = 0, 1, 2, . . . , K − 1,

- Compute x^3 + bx + c and try to calculate the square root (mod p)

- If x^3 + bx + c is a square, then we send m to Pm = (x, y), otherwise increment j by 1

- If we reach j = K, then we have failed to map a message to a point on E


Decoding

Note: Because x^3 + bx + c is a square approximately half of the time and we try x = mK + j at most K times, we have about a 1/2^K chance of failure.

To recover the original message from Pm = (x, y), we calculate

m = ⌊x / K⌋

Second Note: Decoding requires that (m + 1)K < p
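Koblitz’s method and the decoding step above, as an added Python example that is not code from the slides. The curve y^2 = x^3 + 2x + 2 (mod 1019), the message 42 and K = 16 are constructed for the example, as are the function names; the square-root routine assumes p ≡ 3 (mod 4), a simplification the slides do not make (a general prime needs Tonelli-Shanks). The encoder returns None when all K tries fail, which is the failure case the slides describe, and refuses parameters that break the (m + 1)K < p requirement.

```python
"""Added example (not from the slides): Koblitz's probabilistic encoding of a
message integer m as a point on E: y^2 = x^3 + b x + c (mod p), and the
matching decode m = floor(x / K). Toy parameters are constructed below."""


def mod_sqrt(v, p):
    """A square root of v mod p, or None if v is a non-residue. Assumes
    p ≡ 3 (mod 4) so that v^((p+1)/4) is a root; a general prime needs
    Tonelli-Shanks instead (an assumption of this toy, not of the slides)."""
    if p % 4 != 3:
        raise ValueError("this toy square root needs p ≡ 3 (mod 4)")
    v %= p
    if v == 0:
        return 0
    if pow(v, (p - 1) // 2, p) != 1:  # Euler's criterion: not a square
        return None
    return pow(v, (p + 1) // 4, p)


def koblitz_encode(m, K, b, c, p):
    """Try x = mK + j for j = 0..K-1 until x^3 + b x + c is a square mod p.
    Returns the point (x, y), or None if all K tries fail (about 1/2^K)."""
    if (m + 1) * K >= p:
        raise ValueError("decoding needs (m + 1) * K < p")
    for j in range(K):
        x = m * K + j
        y = mod_sqrt(x ** 3 + b * x + c, p)
        if y is not None:
            return (x, y)
    return None  # failed to map m to a point on E


def koblitz_decode(point, K):
    """Recover m from Pm = (x, y): m = floor(x / K)."""
    x, _ = point
    return x // K


if __name__ == "__main__":
    b, c, p, K = 2, 2, 1019, 16  # constructed: 1019 is prime and ≡ 3 (mod 4)
    pt = koblitz_encode(42, K, b, c, p)
    print(pt, koblitz_decode(pt, K))  # x = 672 (j = 0 already succeeds), 42
```

The (m + 1)K < p check is what makes decoding unambiguous: the candidates x = mK + j for one m occupy the block [mK, (m + 1)K), so blocks for different m never overlap and ⌊x / K⌋ always returns the original m, provided the block fits below p.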


Elliptic Curve Diffie-Hellman Key Exchange (ECDH)

Suppose that Alice and Bob want to exchange a key

1 They agree on a prime p, the elliptic curve E : y^2 ≡ x^3 + ax + b (mod p), and a base point P on E.

2 Alice randomly chooses an integer ka and Bob randomly chooses an integer kb, which they keep secret

3 Alice publishes the point A = kaP and sends it to Bob

4 Bob publishes the point B = kbP and sends it to Alice

5 Alice takes Bob’s point B and computes ka(B)

6 Similarly, Bob computes kb(A)

7 Because the group (E, +) is abelian,

ka(B) = ka(kbP) = kb(kaP) = kb(A),

so Alice and Bob have the same key


ElGamal Elliptic Curve Digital Signature Algorithm (ECDSA)

Suppose that Alice wants to sign a message, m, for Bob to verify.

To set up the system, we

1 Fix an Elliptic Curve E (mod p) where p is a large prime

2 Fix a base point A on E

3 Assume that the message represented as a number m satisfies

0 ≤ m ≤ #E

4 Alice chooses a private integer a and computes B = aA

Now (p, E, #E, A, B) are made public while a is private.


El Gamal ECDSA: Signing a Message

Now Alice wants to sign the message, so she

1 chooses a random 1 ≤ k ≤ #E with gcd(k, #E) = 1,

2 computes R = kA = (x, y),

3 computes s ≡ k⁻¹(m − ax) mod #E,

4 sends the signed message (m, R, s) to Bob for verification.


El Gamal ECDSA: Verifying a Message

To verify Alice’s message, Bob

1 downloads Alice’s public info (p, E, #E, A, B),

2 computes v1 ≡ xB + sR and v2 ≡ mA

The signature is valid only if v1 = v2


Why does this work?

We know that

v1 = xB + sR

= xaA + (k⁻¹(m − ax))(kA)

= xaA + (m − ax)A

= mA

≡ v2
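The addition law, the scalar multiplication dP from the discrete-log slide, ECDH, and the ElGamal-style signing and verification just derived, worked through in one added Python example that is not code from the slides. It first replays the two worked examples (the sum on y^2 = x^3 + 4x + 4 (mod 5) and the doubling on y^2 = x^3 + 2x + 2 (mod 17)), then uses the latter curve with base point G = (5, 1) and #E = 19 (the value obtained by counting its points) for the key exchange and the signature; G stands for the slides’ P (ECDH) and A (ECDSA). The private integers, the nonce k and the message are constructed values, and all function names are my own.

```python
"""Added example (not from the slides): the slides' curve arithmetic over F_p,
then ECDH and the ElGamal-style ECDSA variant on top of it. Curve form is
y^2 = x^3 + b x + c (mod p), as on the "Addition Law" slide."""
import math

INF = None  # the point at infinity ∞, the additive identity


def inv(v, n):
    """Inverse of v modulo n (n need not be prime); raises if gcd(v, n) != 1."""
    return pow(v % n, -1, n)


def on_curve(pt, b, c, p):
    """True if pt is ∞ or satisfies y^2 = x^3 + b x + c (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + b * x + c)) % p == 0


def add(P, Q, b, c, p):
    """Addition law from the slides, including the cases involving ∞."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P + (-P) = ∞; also covers 2P when y1 == 0
    if P == Q:
        s = (3 * x1 * x1 + b) * inv(2 * y1, p) % p  # tangent slope, P = Q
    else:
        s = (y2 - y1) * inv(x2 - x1, p) % p  # chord slope, P != Q
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(d, P, b, c, p):
    """d*P = P + ... + P (d times), the 'dP' of the discrete-log slide, by
    double-and-add. Not constant time: fine for a toy, not for real keys."""
    R, Q = INF, P
    while d > 0:
        if d & 1:
            R = add(R, Q, b, c, p)
        Q = add(Q, Q, b, c, p)
        d >>= 1
    return R


# Slide parameters: E: y^2 = x^3 + 2x + 2 (mod 17), G = (5, 1), #E = 19
# (19 comes from counting the points, as on the Hasse-bound slide).
B_, C_, P_ = 2, 2, 17
G = (5, 1)
N = 19


def ecdh(ka, kb):
    """ECDH from the slides: (Alice's shared point, Bob's shared point)."""
    A = mul(ka, G, B_, C_, P_)  # Alice publishes A = ka P
    B = mul(kb, G, B_, C_, P_)  # Bob publishes B = kb P
    return mul(ka, B, B_, C_, P_), mul(kb, A, B_, C_, P_)


def sign(m, a, k):
    """ElGamal-style ECDSA signing from the slides: R = kA and
    s = k^-1 (m - a x) mod #E. k is a parameter only so the example is
    reproducible; the scheme needs a fresh random k for every message."""
    if not (1 <= k <= N and math.gcd(k, N) == 1):
        raise ValueError("k must satisfy 1 <= k <= #E and gcd(k, #E) = 1")
    if not 0 <= m <= N:
        raise ValueError("message must satisfy 0 <= m <= #E")
    R = mul(k, G, B_, C_, P_)
    x, _ = R
    s = inv(k, N) * (m - a * x) % N
    return R, s


def verify(m, R, s, Bpub):
    """Bob's check: v1 = xB + sR must equal v2 = mA."""
    x, _ = R
    v1 = add(mul(x, Bpub, B_, C_, P_), mul(s, R, B_, C_, P_), B_, C_, P_)
    v2 = mul(m, G, B_, C_, P_)
    return v1 == v2


if __name__ == "__main__":
    print(add((1, 2), (4, 3), 4, 4, 5))   # (4, 2): the slides' addition example
    print(add((5, 1), (5, 1), 2, 2, 17))  # (6, 3): the slides' doubling example
    print(mul(N, G, B_, C_, P_))          # None: #E * G = ∞
    print(ecdh(3, 7))                     # ((6, 3), (6, 3)): both sides agree
    a = 7                                 # constructed private integer
    Bpub = mul(a, G, B_, C_, P_)
    R, s = sign(10, a, 3)
    print(R, s)                           # (10, 6) 18
    print(verify(10, R, s, Bpub), verify(11, R, s, Bpub))  # True False
```

The tampered-message check at the end is the property the derivation above guarantees: v1 is fixed by (R, s) and the public key, so any m' ≠ m (mod #E) gives v2 = m'A ≠ mA. The nonce k is passed in explicitly only to make the run reproducible; step 1 of the signing slide requires it to be chosen at random, and that choice has to be made afresh for each signature.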


Identity-Based Encryption

In most public key systems, when Alice wants to send a message to Bob, she looks up his public key in a directory and then encrypts her message. However, how does she know that the information has not been modified by Eve and the public key listed for Bob is Eve’s key?!

Wouldn’t it be nice to have a system where Bob’s public identification information (like his email address) serves as the public key?


Setting up the Cryptosystem

First, let p be a prime of the form 6q − 1 where q is also prime. Then for the elliptic curve E : y^2 = x^3 + 1 (mod p), we know that

There is a point P0 ≠ ∞ such that qP0 = ∞.

There is a function e such that

- e maps pairs of points (aP0, bP0) to qth roots of unity

- e satisfies the bilinearity property

e(aP0, bP0) = e(P0, P0)^(ab)

for all a and b

- Given P = kP0 and Q = mP0, e(P, Q) can be computed quickly from the coordinates of P and Q

- e(P0, P0) ≠ 1, so it is a nontrivial root of unity


Setting up the Cryptosystem (cont)

We need two public hash functions:

H1 : {arb. length binary string} −→ kP0 for k ∈ Z

H2 : {qth root of unity} −→ {binary strings of length n}, where n is the length of the message to be sent


Setting up the System

To set up the system, we need a Trusted Authority, Arthur. Arthur does the following:

He chooses a secret integer s

He computes P1 = sP0, which is made public

For each User, Arthur finds the user’s ID (written as a binary string) and computes

DUser = sH1(ID),

which is a point on E

Arthur sends DUser to each user, who keeps it secret. He then discards DUser


Sending a Message

Suppose Alice wants to send a message m to Bob and suppose that m is of binary length n. Bob’s ID is bob@computer.com, so Alice does the following:

1 She computes g ≡ e(H1(bob@computer.com), P1), a qth root of unity

2 She chooses a random integer r ≢ 0 (mod q) and computes

t ≡ m ⊕ H2(g^r)

where ⊕ is the XOR cipher.

3 She sends Bob the ciphertext

c ≡ (rP0, t),

where rP0 is on E and t is a binary string of length n


Recovering the Message

Bob receives the pair (U, v) where U is a point on E and v is a binary string of length n. Then he does the following:

1 He computes h ≡ e(DBob,U), which is a qth root of unity

2 He recovers the message by

m = v ⊕ H2(h)


Why does this work?

If encryption is performed correctly, U = rP0 and v = t = m ⊕ H2(g^r). Since DBob = sH1(bob@computer.com), bilinearity of the pairing e gives

h = e(DBob, rP0) = e(sH1(bob@computer.com), rP0)

= e(H1(bob@computer.com), P0)^(rs)

= e(H1(bob@computer.com), sP0)^r

= e(H1(bob@computer.com), P1)^r

= g^r

Therefore,

v ⊕ H2(h) = t ⊕ H2(g^r) = (m ⊕ H2(g^r)) ⊕ H2(g^r) = m
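The three procedures above (Arthur's setup and key extraction, Alice's encryption, Bob's decryption) as one runnable Python example. This is an added example, not code from the slides, and everything concrete in it is an assumption of the example: the pairing e is instantiated as the reduced Tate pairing on the supersingular curve y^2 = x^3 + x over F_p with p ≡ 3 (mod 4), computed with Miller's algorithm and composed with the distortion map φ(x, y) = (−x, iy) so that e(P, P) ≠ 1; H1 is SHA-256 hash-and-increment onto a point of order q; H2 is SHAKE-256; and p = 523, q = 131 are toy sizes chosen so the arithmetic is readable, not secure. The function names setup, extract, encrypt, decrypt, pairing, line_at and the helper xor are this example's own, and the identity "generator" used to derive P0 is just a fixed label.

```python
import hashlib
import secrets

# Toy parameters (an assumption of this example, not from the slides). p = 3 (mod 4) makes
# y^2 = x^3 + x supersingular with p + 1 points and F_{p^2} = F_p[i]; sizes are NOT secure.
p = 523                    # prime; #E(F_p) = p + 1 = 524 (real use: 512+ bits)
q = 131                    # odd prime with q | p + 1: E(F_p) has a subgroup of order q (real use: 160+ bits)
COFACTOR = (p + 1) // q    # multiplying by this moves any point into that subgroup
ONE = (1, 0)               # 1 in F_{p^2}; elements are stored as (a, b) meaning a + b*i

def f2_mul(a, b):          # (a0 + a1*i)(b0 + b1*i) with i^2 = -1
    return ((a[0] * b[0] - a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p)

def f2_pow(a, e):
    r = ONE
    while e:
        if e & 1:
            r = f2_mul(r, a)
        a, e = f2_mul(a, a), e >> 1
    return r

def ec_add(P, Q):          # affine addition on y^2 = x^3 + x; None is the point at infinity
    if P is None or Q is None:
        return P if Q is None else Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def line_at(T, R, Q):
    """Line through T and R (tangent if T == R), evaluated at phi(Q) = (-x_Q, i*y_Q)."""
    (x1, y1), (x2, y2), X, Y = T, R, (-Q[0]) % p, Q[1]
    if x1 == x2:
        if (y1 + y2) % p == 0:   # vertical line: its value lies in F_p, which the final
            return ONE           # exponentiation maps to 1, so it can be skipped
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    return ((-y1 - lam * (X - x1)) % p, Y)

def pairing(P, Q):
    """Reduced Tate pairing e(P, Q) = f_{q,P}(phi(Q))^((p^2-1)/q), a q-th root of unity."""
    f, T = ONE, P
    for bit in bin(q)[3:]:                 # Miller's loop over the bits of q below the top one
        f = f2_mul(f2_mul(f, f), line_at(T, T, Q))
        T = ec_add(T, T)
        if bit == "1":
            f = f2_mul(f, line_at(T, P, Q))
            T = ec_add(T, P)
    return f2_pow(f, (p * p - 1) // q)

def H1(identity):
    """Hash an ID to a point of order q: hash-and-increment on x, then clear the cofactor."""
    for ctr in range(1 << 16):
        x = int.from_bytes(hashlib.sha256(identity.encode() + ctr.to_bytes(2, "big")).digest(), "big") % p
        rhs = (x ** 3 + x) % p
        if pow(rhs, (p - 1) // 2, p) == 1:                         # nonzero square mod p
            R = ec_mul(COFACTOR, (x, pow(rhs, (p + 1) // 4, p)))   # sqrt valid as p = 3 mod 4
            if R is not None:
                return R
    raise ValueError("no curve point found for identity")

def H2(g, n):              # expand a pairing value g in F_{p^2} into an n-byte pad
    return hashlib.shake_256(g[0].to_bytes(8, "big") + g[1].to_bytes(8, "big")).digest(n)
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """Arthur: master secret s; public parameters P0 and P1 = s*P0."""
    P0 = H1("generator")                   # any point of order q serves as P0
    s = secrets.randbelow(q - 1) + 1
    return P0, ec_mul(s, P0), s

def extract(s, identity):
    """Arthur: private key D_ID = s*H1(ID), delivered to the user over a secure channel."""
    return ec_mul(s, H1(identity))

def encrypt(P0, P1, identity, m):
    """Alice: g = e(H1(ID), P1), random r, ciphertext (r*P0, m xor H2(g^r))."""
    g = pairing(H1(identity), P1)
    r = secrets.randbelow(q - 1) + 1
    return ec_mul(r, P0), xor(m, H2(f2_pow(g, r), len(m)))

def decrypt(D, c):
    """Bob: e(D_Bob, U) = e(H1(ID), P0)^(s*r) = g^r by bilinearity, so the pads match."""
    U, v = c
    return xor(v, H2(pairing(D, U), len(v)))
```

setup() returns (P0, P1, s); extract(s, "bob@computer.com") is DBob; encrypt(P0, P1, "bob@computer.com", m) returns the pair (U, t) from the slides and decrypt(DBob, (U, t)) gives m back. Two checks worth running on any pairing implementation before building on it: e(P0, P0) must not be 1 (otherwise g is always 1 and every ciphertext is just m ⊕ H2(1)), and e(aP0, bP0) must equal e(P0, P0)^(ab) for a few random a and b, since decryption relies on exactly that bilinearity. With q = 131 anyone recovers s from P1 by trying the 130 possible multiples, which is why the sizes here are a demonstration only. Note also that the scheme exactly as on the slides is the BasicIdent variant of Boneh-Franklin: it is malleable (flipping a bit of t flips the same bit of m) and offers chosen-plaintext security only; the FullIdent variant adds the Fujisaki-Okamoto transform to reach chosen-ciphertext security.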


Any Questions?
