Discrete Methods in Mathematical Informatics
Lecture 3: Other Applications of Elliptic Curve
23rd October 2012
Vorapong Suppakitpaisarn
http://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/
[email protected], Eng. 6 Room 363
Download:
Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptx
Lecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptx
Lecture 3: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture3.pptx
Course Information (Many Changes from Last Week)
Schedule
10/9 – Elliptic Curve I (2 Exercises): What is Elliptic Curve?
10/16 – Elliptic Curve II (1 Exercise): Elliptic Curve Cryptography [1]
10/23 – Elliptic Curve III (3 Exercises): Elliptic Curve Cryptography [2]
10/30 – Cancelled
11/7 – Online Algorithm I (Prof. Han)
11/14 – Online Algorithm II (Prof. Han)
11/21 – Elliptic Curve IV (2 Exercises): ECC Implementation I
11/28 – Elliptic Curve V (2 Exercises): ECC Implementation II
12/4 – Cancelled
From 12/11 – To be Announced
Grading
For my part, you need to submit 2 reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III. Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V. Submission Deadline: TBD
- Submit your report at the Department of Mathematical Informatics’ office [1st floor of this building]
From Last Lecture…
• Scalar Multiplication on Elliptic Curve
$S = P + P + \ldots + P$ ($r$ times) $= rP$, where $r \ge 1$ is a positive integer and $S$, $P$ are members of the curve
• Double-and-add method
Let $r = 14 = (01110)_2$. Compute $rP = 14P$.
Bits of $r$: 0 1 1 1 0
Value after each bit: $O$, $P$, $3P$, $7P$, $14P$ (the doubling steps give $2P$, $6P$, $14P$)
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
Discrete Logarithm Problem
Given P, aP - Compute a.
Overview
- Discrete Logarithm Problem
- Massey-Omura Encryption
- ElGamal Public Key Encryption
- ElGamal Digital Signatures
- Digital Signature Algorithm (DSA)
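Pollard’s Method [Pollard 1978]
Random function $f: E(\mathbb{F}_p) \to E(\mathbb{F}_p)$
$f(P_0) = P_1,\ f(P_1) = P_2,\ \ldots,\ f(P_{k-1}) = P_k$
[Figure: the sequence $P_0, P_1, P_2, P_3, P_4, \ldots, P_{56}, P_{57}, P_{58}$]
$O(\sqrt{N})$ [Teske, 1998]
(Semi-)Objective
Find $k \neq l$ such that $P_k = P_l$
(Semi-)Algorithm
1. $S = R = P_0$ for random $P_0 \in E(\mathbb{F}_p)$
2. Do $S \leftarrow f(S)$, $R \leftarrow f(f(R))$ for $m$ times or until $S = R$
[$S = P_k \Rightarrow f(S) = f(P_k) = P_{k+1}$; $R = P_{2k} \Rightarrow f(f(R)) = f(f(P_{2k})) = P_{2(k+1)}$; the loop stops when $P_m = P_{2m}$, $m = O(\sqrt{N})$]
(Real-)Objective
Given $P$, $Q = aP$. Find $a$.
Function f for Discrete Log
$E(\mathbb{F}_p) = S_1 \cup S_2 \cup \ldots \cup S_n$, $n \approx 20$, $S_i \cap S_j = \emptyset$
Let $a_i, b_i$ be random positive integers, $1 \le i \le n$
Define $M_i = a_i P + b_i Q$
$f(R) = R + M_i$ if $R \in S_i$
(Real-)Algorithm
1. $S = R = P_0 = a_0 P + b_0 Q$ for random $a_0, b_0$; $c_S = c_R = a_0$, $d_S = d_R = b_0$
[$S = c_S P + d_S Q$, $R = c_R P + d_R Q$]
2. Do $S \leftarrow f(S)$, $R \leftarrow f(f(R))$
If $S \in S_i$: $c_S \leftarrow c_S + a_i$, $d_S \leftarrow d_S + b_i$
If $R \in S_i$, $f(R) \in S_j$: $c_R \leftarrow c_R + a_i + a_j$, $d_R \leftarrow d_R + b_i + b_j$
until $S = R$
3. $S = R \Rightarrow c_S P + d_S Q = c_R P + d_R Q \Rightarrow (d_S - d_R) Q = (c_R - c_S) P \Rightarrow Q = \frac{c_R - c_S}{d_S - d_R} P$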
Examples
Example
$E(\mathbb{F}_{1093}) = \{(x, y) \mid y^2 = x^3 + x + 1\}$ over $\mathbb{F}_{1093}$, $N = 1067$
$P = (0, 1)$, $Q = (413, 959)$, $Q = aP$. Find $a$.
Algorithm
$(x, y) \in S_i$ if $x \equiv i \bmod 3$
$M_0 = 4P + 3Q$, $M_1 = 9P + 17Q$, $M_2 = 19P + 6Q$
$P_0 = 3P + 5Q = (326, 69)$
Since $326 \equiv 2 \bmod 3$, $P_0 \in S_2$.
$P_1 = f(P_0) = P_0 + M_2 = (3P + 5Q) + (19P + 6Q) = 22P + 11Q = (727, 589)$
$P_0 = (326, 69)$, $P_1 = (727, 589)$, $P_2 = (560, 365)$, $P_3 = (1070, 260)$,
$P_4 = (473, 903)$, $P_5 = (1006, 951)$, $P_6 = (523, 938)$, ...,
$P_{57} = (895, 337)$, $P_{58} = (1006, 951)$, $P_{59} = (523, 938)$, ...
$P_5 = 88P + 46Q$, $P_{58} = 685P + 620Q$
$597P + 574Q = O$
$574a + 1067b = -1$, $(a, b) = (764, -411)$
$597aP = -574aQ = (1067b + 1)Q = Q$
$Q = 597 \cdot 764\,P = (1067 \cdot 427 + 499)P = 499P$
Exercise
. that Prove
and
33, is order the whichin curveelliptic on point a be Let (a)
P}P,P,{Z}kP|kP{Q
QP
P,Q
26154114
,62
Exercise 4
1
11 mod1
,),gcd(,
abc}ZkP|kd
N{cPQ
d
Nbbb
dNbbQaP
NP,Q
where that Prove
that such integer an is
, is order the whichin curveelliptic on point a be Let (b)
The Pohlig-Hellman Method [Pohlig, Hellman 1978]
$E(\mathbb{F}_{599}) = \{(x, y) \mid y^2 = x^3 + 1\}$ over $\mathbb{F}_{599}$, $N = 600$
$P = (60, 19)$, $Q = (277, 239)$, $Q = aP$. Find $a$.
If $a \equiv 0 \bmod 3$, $200Q = 200aP = 200(3b)P = 600bP = O$
If $a \equiv 1 \bmod 3$, $200Q = 200aP = 200(3b + 1)P = 600bP + 200P = 200P$
If $a \equiv 2 \bmod 3$, $200Q = 200aP = 200(3b + 2)P = 600bP + 400P = 400P$
If $a \equiv 0 \bmod 5$, $120Q = 120aP = 120(5b)P = 600bP = O$
If $a \equiv 1 \bmod 5$, $120Q = 120aP = 120(5b + 1)P = 600bP + 120P = 120P$
If $a \equiv 2 \bmod 5$, $120Q = 240P$
If $a \equiv 3 \bmod 5$, $120Q = 360P$
If $a \equiv 4 \bmod 5$, $120Q = 480P$
Let $a \equiv i \bmod 5$, $Q_1 = Q - iP$
$Q_1 = cP$ where $c \equiv 0 \bmod 5$
If $c \equiv 0 \bmod 25$, $24Q_1 = 24cP = 24(25b)P = 600bP = O$
If $c \equiv 5 \bmod 25$, $24Q_1 = 24cP = 24(25b + 5)P = 600bP + 120P = 120P$
If $c \equiv 10 \bmod 5^2$, $24Q_1 = 240P$
If $c \equiv 15 \bmod 5^2$, $24Q_1 = 360P$
If $c \equiv 20 \bmod 5^2$, $24Q_1 = 480P$
Suppose that $a \equiv i \bmod 5$ and $c = a - i \equiv j \bmod 25$. Then $a \equiv i + j \bmod 25$.
The Pohlig-Hellman Method [cont.]
$|E(\mathbb{F}_p)| = N = p_1^{e_1} p_2^{e_2} \cdots p_n^{e_n}$
(Real-)Problem
Given P, Q = aP - Compute a.
(Semi-)Problem
Given P, Q = aP - Compute $a \bmod p_k^{e_k}$
Properties
1. If $a \equiv i \bmod p_k$,
$\frac{N}{p_k} Q = \frac{N}{p_k} aP = \frac{N}{p_k}(p_k b + i)P = NbP + i\frac{N}{p_k}P = i\frac{N}{p_k}P$
2. If $e_k > 1$ and $c = a - i \equiv j p_k \bmod p_k^2$, then $Q_1 = Q - iP = aP - iP = cP$ and
$\frac{N}{p_k^2} Q_1 = \frac{N}{p_k^2} cP = \frac{N}{p_k^2}(p_k^2 b + j p_k)P = NbP + j\frac{N}{p_k}P = j\frac{N}{p_k}P$
Algorithm
1. For all $0 \le i < p_k$, compute $i\frac{N}{p_k}P$.
2. Compute $\frac{N}{p_k} Q$.
3. Find $i$ such that $\frac{N}{p_k} Q = i\frac{N}{p_k}P$; then $a \equiv i \bmod p_k$.
4. If $e_k = 1$, Terminate. Let $Q_1 = Q - iP$, compute $\frac{N}{p_k^2} Q_1$.
5. Find $j$ such that $\frac{N}{p_k^2} Q_1 = j\frac{N}{p_k}P$; then $a \equiv j p_k + i \bmod p_k^2$.
6. If $e_k = 2$, Terminate. Let $Q_2 = Q - iP - j p_k P$, compute $\frac{N}{p_k^3} Q_2$.
7. Find $l$ such that $\frac{N}{p_k^3} Q_2 = l\frac{N}{p_k}P$; then $a \equiv l p_k^2 + j p_k + i \bmod p_k^3$.
...
The Pohlig-Hellman Method [cont.]
$E(\mathbb{F}_{599}) = \{(x, y) \mid y^2 = x^3 + 1\}$ over $\mathbb{F}_{599}$, $N = 600$
$P = (60, 19)$, $Q = (277, 239)$, $Q = aP$. Find $a$.
$600 = 2^3 \cdot 3 \cdot 5^2$
Given P, Q = aP - Compute $a \bmod p_k^{e_k}$ (here $p_k = 5$, $e_k = 2$)
$120P = (84, 179)$, $240P = (491, 134)$, $360P = (491, 465)$, $480P = (84, 420)$
$\frac{600}{5} Q = 120Q = (84, 179)$
$i = 1$, $a \equiv 1 \bmod 5$
$Q_1 = Q - 1 \cdot P = (130, 129)$, $\frac{600}{5^2} Q_1 = 24Q_1 = (491, 465)$
$j = 3$, $a \equiv (3 \cdot 5 + 1) \bmod 5^2$, $a \equiv 16 \bmod 25$
Chinese Remainder Theorem
$E(\mathbb{F}_{599}) = \{(x, y) \mid y^2 = x^3 + 1\}$ over $\mathbb{F}_{599}$, $N = 600$
$P = (60, 19)$, $Q = (277, 239)$, $Q = aP$. Find $a$.
$600 = 2^3 \cdot 3 \cdot 5^2$
(Semi-)Problem
Given P, Q = aP - Compute $a \bmod p_k^{e_k}$
$a \equiv 2 \bmod 2^3$, $a \equiv 2 \bmod 3$, $a \equiv 16 \bmod 5^2$
Chinese Remainder Theorem
Suppose that $x \equiv a_i \bmod m_i$ for $1 \le i \le n$, such that $\gcd(m_i, m_j) = 1$ for all $i \neq j$.
Let $M = \prod_{i=1}^{n} m_i$.
Find $x$ such that $x \equiv a \bmod M$:
$x \equiv a_1 b_1 \frac{M}{m_1} + a_2 b_2 \frac{M}{m_2} + \ldots + a_n b_n \frac{M}{m_n}$, where $b_i \frac{M}{m_i} \equiv 1 \bmod m_i$
$a_1 = 2$, $a_2 = 2$, $a_3 = 16$
$m_1 = 2^3 = 8$, $m_2 = 3$, $m_3 = 5^2$
$\frac{M}{m_1} = \frac{600}{8} = 75$, $\frac{M}{m_2} = \frac{600}{3} = 200$, $\frac{M}{m_3} = \frac{600}{25} = 24$
$3 \cdot 75 = 225 \equiv 1 \bmod 8$, $b_1 = 3$
$2 \cdot 200 = 400 \equiv 1 \bmod 3$, $b_2 = 2$
$24 \cdot 24 = 576 \equiv 1 \bmod 25$, $b_3 = 24$
$x \equiv 2 \cdot 3 \cdot 75 + 2 \cdot 2 \cdot 200 + 16 \cdot 24 \cdot 24 = 10466 \equiv 266 \bmod 600$
$Q = (277, 239) = 266P = 266(60, 19)$
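The recombination step of the Pohlig-Hellman example, as an added Python example (not code from the lecture): it builds $a \bmod p_k^{e_k}$ from the digits $i, j, \ldots$ and then applies the slide's formula $x \equiv \sum a_i b_i M/m_i$. The names `lift_digits` and `crt` are chosen here for illustration; the numeric inputs are the ones on the slides.

```python
from math import gcd, prod


def lift_digits(digits, p):
    """Combine Pohlig-Hellman digits i, j, l, ... into a mod p^e,
    a = i + j*p + l*p^2 + ..., where e = len(digits)."""
    return sum(d * p ** k for k, d in enumerate(digits)) % p ** len(digits)


def crt(residues, moduli):
    """Return (x, M, b) with x = sum a_i * b_i * (M/m_i) mod M.

    b_i is the inverse of M/m_i modulo m_i, as on the slide.
    Raises ValueError when two moduli share a factor, because the
    inverse b_i does not exist in that case.
    """
    for idx, m_i in enumerate(moduli):
        for m_j in moduli[idx + 1:]:
            if gcd(m_i, m_j) != 1:
                raise ValueError(f"moduli {m_i} and {m_j} are not co-prime")
    M = prod(moduli)
    b = [pow(M // m_i, -1, m_i) for m_i in moduli]
    x = sum(a_i * b_i * (M // m_i)
            for a_i, b_i, m_i in zip(residues, b, moduli))
    return x % M, M, b


# Slide values: a = 2 mod 2^3, a = 2 mod 3, digits i = 1, j = 3 for p = 5.
SLIDE_MODULI = [2 ** 3, 3, 5 ** 2]
SLIDE_RESIDUES = [2, 2, lift_digits([1, 3], 5)]

if __name__ == "__main__":
    x, M, b = crt(SLIDE_RESIDUES, SLIDE_MODULI)
    print(f"b = {b}, a = {x} mod {M}")
```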
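Three-Pass Protocol [Shamir 1980]
Private Key Cryptography
A Key Agreement Protocol gives both sides the key $k$.
Sender: $M$ → Encryption Algorithm → $E_k(M)$
Receiver: $E_k(M)$ → Decryption Algorithm → $D_k(E_k(M)) = M$
Three-pass Protocol
The sender holds $k_1$, the receiver holds $k_2$.
1. Sender: $M$ → Encryption Algorithm → $E_{k_1}(M)$
2. Receiver: $E_{k_1}(M)$ → Super-Encryption Algorithm → $E_{k_2}(E_{k_1}(M))$
3. Sender: $E_{k_2}(E_{k_1}(M))$ → Decryption Algorithm → $E_{k_2}(M) = D_{k_1}(E_{k_2}(E_{k_1}(M)))$
4. Receiver: $E_{k_2}(M)$ → Super-Decryption Algorithm → $M$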
Massey-Omura Protocol [Massey, Omura 1986]
Three-pass Protocol (keys $k_1$, $k_2$)
$M$ → Encryption Algorithm → $E_{k_1}(M)$ → Super-Encryption Algorithm → $E_{k_2}(E_{k_1}(M))$ → Decryption Algorithm → $E_{k_2}(M)$ → Super-Decryption Algorithm → $M$
Massey-Omura Protocol
$M \in E(\mathbb{F}_p)$ with order $N$; $k_1$ - co-prime of $N$; $k_2$ - co-prime of $N$
Encryption Algorithm: $k_1 M$
Super-Encryption Algorithm: $k_2(k_1 M) = k_1 k_2 M$
Decryption Algorithm: $(k_1^{-1})(k_1 k_2 M) = k_2 M$, where $k_1^{-1}$ is an integer such that $k_1 (k_1^{-1}) \equiv 1 \bmod N$
Super-Decryption Algorithm: $(k_2^{-1})(k_2 M) = M$
Massey-Omura Protocol [cont.]
Example
$E(\mathbb{F}_5) = \{(x, y) \mid y^2 = x^3 + x + 1\} \cup \{O\}$
$M = (0, 1) \in E(\mathbb{F}_p)$ with order 9
$k_1 = 2$, $k_2 = 7$
Encryption Algorithm: $k_1 M = 2(0, 1) = (4, 2)$
Super-Encryption Algorithm: $k_2(k_1 M) = 7(4, 2) = (3, 1)$
Decryption Algorithm: $k_1 (k_1^{-1}) = 2(5) = 10 \equiv 1 \bmod 9$, so $k_1^{-1} = 5$; $(k_1^{-1})(k_1 k_2 M) = 5(3, 1) = (4, 3)$
Super-Decryption Algorithm: $(k_2^{-1})(k_2 M) = 4(4, 3) = (0, 1)$
Massey-Omura Protocol [cont.]
Integer → Point on Elliptic Curve
Let $m$ be a positive integer we want to encode.
Find $(x, y) \in E(\mathbb{F}_p)$ such that $100m \le x \le 100m + 99$.
Find $x$ such that $s = x^3 + Ax + B$ satisfies $y^2 = s$ for some $y \in \mathbb{F}_p$, which holds if $s^{(p-1)/2} = 1$.
If $p \equiv 3 \bmod 4$, $y = s^{(p+1)/4}$.
Point on Elliptic Curve → Integer
$(x, y) \in E(\mathbb{F}_p)$ is decoded to $m = \lfloor x / 100 \rfloor$
zzvvz
vv-zvvz
vv-
xx
yy
yy
x
yxx,y p
pp
pp
p
p
p
p
)/(p
p
24/)1(2
22
2
24/)1(
2/)1(
222/)1(
21
2
,
1
1
4mod3
thatShow , all for Suppose (g)
some for thatshow all for Suppose (f)
all for thatShow (e)
thatShow (d)
thatShow (c)
thatShow (b)
thatShow (a)
Suppose . number, prime a be Let
Z
ZZ
Z
FExercise 4 Exercise 5
xx )/(p 21 thatShow (a)
pF
pF
pF
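Public Key Cryptography
Private Key Cryptography
A Key Agreement Protocol gives both sides the key $k$.
Sender: $M$ → Encryption Algorithm → $E_k(M)$
Receiver: $E_k(M)$ → Decryption Algorithm → $D_k(E_k(M)) = M$
Public Key Cryptography
The receiver holds $k_{pub}, k_{pri}$; $k_{pub}$ is distributed through the Certificate Authority (CA).
Sender: $M$ → Encryption Algorithm → $E_{k_{pub}}(M)$
Receiver: $E_{k_{pub}}(M)$ → Decryption Algorithm → $D_{k_{pri}}(E_{k_{pub}}(M)) = M$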
ElGamal Public Key Encryption [ElGamal 1985]
ElGamal PKE
$P \in E(\mathbb{F}_p)$, $s \in \mathbb{Z}$; $k_{pub} = (P, B = sP)$, $k_{pri} = s$
Certificate Authority (CA): $k_{pub} = (P, B = sP)$
Sender: $M \in E(\mathbb{F}_p)$, $k \in \mathbb{Z}$
Encryption Algorithm: $E_{k_{pub}}(M) = (M_1, M_2)$, $M_1 = kP$, $M_2 = M + kB$
Decryption Algorithm: $D_{k_{pri}}(E_{k_{pub}}(M)) = M_2 - sM_1 = M$
$M_2 - sM_1 = (M + kB) - s(kP) = M + k(sP) - skP = M$
ElGamal Public Key Encryption (cont.)
Example
$E(\mathbb{F}_5) = \{(x, y) \mid y^2 = x^3 + x + 1\} \cup \{O\}$, with $(0, 1) \in E(\mathbb{F}_p)$ of order 9
$k_{pri} = s = 5$
$k_{pub} = (P, B)$, $P = (0, 1)$, $B = sP = 5(0, 1) = (3, 1)$
Certificate Authority (CA): $k_{pub} = (P, B) = ((0, 1), (3, 1))$
Sender: $M = (4, 2) \in E(\mathbb{F}_p)$, $k = 7$
Encryption Algorithm: $E_{k_{pub}}(M) = (M_1, M_2)$
$M_1 = kP = 7(0, 1) = (4, 3)$
$M_2 = M + kB = (4, 2) + 7(3, 1) = (0, 1)$
Decryption Algorithm: $D_{k_{pri}}(E_{k_{pub}}(M)) = M_2 - sM_1 = (0, 1) - 5(4, 3) = (4, 2)$
ElGamal Public Key Encryption (cont.)
ElGamal Problem Ver. I
Given P, sP (public key), kP, M + skP,
Find M.
Discrete Log.
Given P, sP
Find s.
Digital Signature [Diffie, Hellman 1976]
Objective
Alice is sending a message M to Bob
1. Bob can be sure that the sender is really Alice.
2. Alice cannot deny that she sent the message.
3. No one can send a message claiming that they are Alice.
Digital Signature
Alice holds $k_{pri}, k_{pub}$; $k_{pub}$ is distributed through the Certificate Authority (CA).
Alice: $M$ → Signing Algorithm → $M, S_{k_{pri}}(M)$
Bob: $M, S_{k_{pri}}(M)$ → Verification Algorithm → $V_{k_{pub}}(S_{k_{pri}}(M)) = M$ ?
Public Key Cryptography (for comparison)
Sender: $M$ → Encryption Algorithm → $E_{k_{pub}}(M)$
Receiver: $E_{k_{pub}}(M)$ → Decryption Algorithm → $D_{k_{pri}}(E_{k_{pub}}(M)) = M$
ElGamal Digital Signatures [ElGamal 1985]
Digital Signature
Alice: $M$ → Signing Algorithm → $M, S_{k_{pri}}(M)$
Bob: Verification Algorithm: is $S_{k_{pri}}(M)$ signed by Alice???
ElGamal’s Protocol
$A \in E(\mathbb{F}_p)$, $a \in \mathbb{Z}$; $k_{pri} = a$, $k_{pub} = (A, B = aA)$
Certificate Authority (CA): $k_{pub} = (A, B)$
Message $m \in \mathbb{Z}$, random integer $k$
Signing Algorithm: $R = kA = (x_R, y_R)$, $s = k^{-1}(m - a x_R)$; the signed message is $M, S_{k_{pri}}(M) = (R, s)$
Verification Algorithm: $x_R B + sR = mA$ ???
$x_R B + sR = x_R(aA) + s(kA) = x_R aA + (m - a x_R)A = mA$
ElGamal Digital Signatures (cont.)
Example
$E(\mathbb{F}_5) = \{(x, y) \mid y^2 = x^3 + x + 1\} \cup \{O\}$, with $(0, 1) \in E(\mathbb{F}_p)$ of order 9
$a = 2$, $A = (0, 1) \in E(\mathbb{F}_p)$
$k_{pri} = a = 2$
$k_{pub} = (A, B)$ where $B = aA = 2(0, 1) = (4, 2)$
Message $m = 5$, random integer $k = 7$
Signing Algorithm:
$R = kA = 7A = (4, 3)$, $x_R = 4$
$s = k^{-1}(m - a x_R) = \frac{5 - 2 \cdot 4}{7} = (-3)(4) = 6$
$m = 5$, $S_{k_{pri}}(M) = (R, s) = ((4, 3), 6)$
Verification Algorithm:
$x_R B + sR = 4(4, 2) + 6(4, 3) = (0, 4) + (2, 4) = (3, 1)$
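The worked examples for the Massey-Omura protocol, ElGamal public key encryption and ElGamal signatures on $E(\mathbb{F}_5)$, checked in code. This Python block is an added example and not part of the lecture; the function names are illustrative, and the keys, messages and random integers are the values used on the slides.

```python
from math import gcd

# Toy curve used on the slides: y^2 = x^3 + x + 1 over F_5, group order N = 9.
P_MOD, A_COEF, N = 5, 1, 9
O = None  # point at infinity


def add(P1, P2):
    """Affine point addition on y^2 = x^3 + A_COEF*x + 1 over F_5."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # P + (-P)
    if P1 == P2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def neg(P1):
    return O if P1 is O else (P1[0], -P1[1] % P_MOD)


def mul(r, P1):
    """Double-and-add, scanning the bits of r (reduced mod N) from the top."""
    S = O
    for bit in bin(r % N)[2:]:
        S = add(S, S)
        if bit == "1":
            S = add(S, P1)
    return S


def massey_omura(M, k1, k2):
    """Return the three points sent on the wire and the recovered message."""
    if gcd(k1, N) != 1 or gcd(k2, N) != 1:
        raise ValueError("k1 and k2 must be co-prime to N")
    pass1 = mul(k1, M)                    # k1*M
    pass2 = mul(k2, pass1)                # k2*k1*M
    pass3 = mul(pow(k1, -1, N), pass2)    # k2*M
    return pass1, pass2, pass3, mul(pow(k2, -1, N), pass3)


def elgamal_encrypt(P, B, M, k):
    return mul(k, P), add(M, mul(k, B))   # (M1, M2) = (kP, M + kB)


def elgamal_decrypt(s, M1, M2):
    return add(M2, neg(mul(s, M1)))       # M2 - s*M1


def elgamal_sign(A, a, m, k):
    if gcd(k, N) != 1:
        raise ValueError("k must be invertible mod N")
    R = mul(k, A)
    return R, pow(k, -1, N) * (m - a * R[0]) % N


def elgamal_verify(A, B, m, R, s):
    return add(mul(R[0], B), mul(s, R)) == mul(m, A)  # x_R*B + s*R == m*A


if __name__ == "__main__":
    print(massey_omura((0, 1), 2, 7))
    print(elgamal_encrypt((0, 1), (3, 1), (4, 2), 7))
    print(elgamal_decrypt(5, (4, 3), (0, 1)))
    R, s = elgamal_sign((0, 1), 2, 5, 7)
    print(R, s, elgamal_verify((0, 1), (4, 2), 5, R, s))
```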
ElGamal Digital Signatures (cont.)
ElGamal Problem Ver. II
Given A, B = aA (public key), m (message), m' (forged message)
Find R, s such that $x_R B + sR = m'A$
Discrete Log.
Given P, sP
Find s.
Exercise
Exercise 6
Suppose that the ElGamal signature scheme is used to produce the valid signed message $(m, R, s)$, $R = (x_R, y_R)$. Let $h$ be an integer with $\gcd(h, N) = 1$. Assume $\gcd(x_R, N) = 1$. Let
$R' = hR = (x_{R'}, y_{R'})$,
$s' \equiv s\, x_{R'}\, x_R^{-1} h^{-1} \pmod{N}$,
$m' \equiv m\, x_{R'}\, x_R^{-1} \pmod{N}$.
Show that $(m', R', s')$ is a valid signed message.
Digital Signature Algorithm [Vanstone 1992]
ElGamal’s Protocol
$A \in E(\mathbb{F}_p)$, $a \in \mathbb{Z}$; $k_{pri} = a$, $k_{pub} = (A, B = aA)$
Certificate Authority (CA): $k_{pub} = (A, B)$
Message $m \in \mathbb{Z}$, random integer $k$
Signing Algorithm: $R = kA = (x_R, y_R)$, $s = k^{-1}(m - a x_R)$; the signed message is $M, S_{k_{pri}}(M) = (R, s)$
Verification Algorithm: $x_R B + sR = mA$ ???
3 Scalar Multiplications
DSA’s Protocol
Keys, Certificate Authority (CA), message, random integer and Signing Algorithm as in ElGamal’s Protocol
Verification Algorithm: $\frac{x_R}{m} B + \frac{s}{m} R = A$ ???
2 Scalar Multiplications
Pairing-Based Cryptography
Bilinear Function
Function $e: E(\mathbb{F}_p) \times E(\mathbb{F}_p) \to G$
$e(aP, bQ) = e(P, Q)^{ab}$
QP, If 1),( QPe
Diffie-Hellman Exchange Protocol
ALICE
1. Generate $P \in E(\mathbb{F})$
2. Generate positive integer a
3. Receive Q = bP
4. Compute aQ = abP
BOB
1. Receive P
2. Receive S = aP
3. Generate positive integer b
4. Compute bS = abP
Messages: P and aP (ALICE to BOB), bP (BOB to ALICE)
Three-Parties DHE
Round 1: ALICE holds a, aP; BOB holds b, bP; CHALIE holds c, cP. The points aP, bP, cP are exchanged.
Round 2: ALICE holds a, aP, bP; BOB holds b, bP, cP; CHALIE holds c, cP, aP. The points abP, bcP, acP are exchanged.
Three-Parties DHE with Pairing
ALICE holds a, aP; BOB holds b, bP; CHALIE holds c, cP. The points aP, bP, cP are exchanged in a single round.
ALICE receives bP, cP:
$e(bP, cP) = e(P, P)^{bc}$
$(e(P, P)^{bc})^a = e(P, P)^{abc}$
Thank you for your attention
Please feel free to ask questions or comment.