Elliptic Curve Cryptography
Kelly Bresnahan
March 24, 2016
Table of Contents
1 Elliptic Curve Cryptography (ECC)
- Introduction
- Pros and Cons of Elliptic Curves
- Definition of an Elliptic Curve
- Operations on Elliptic Curves
- Hasse's Bound
- Representing Plaintext
- Elliptic Curve Diffie-Hellman Key Exchange
- ElGamal Digital Signatures using Elliptic Curves
- Identity-Based Encryption Using ECC
Introduction
Miller and Koblitz (independently) introduced elliptic curves into cryptography in the mid-1980s
Elliptic Curve Cryptography algorithms entered wide use between 2004 and 2005
Based on the discrete logarithm problem, i.e. determining an integer 1 ≤ k ≤ p − 1 such that
g^k ≡ b (mod p)
Why use ECC?
Pros
- Smaller keys can be used to achieve the same security as an RSA or discrete logarithm system: 160-256 bit vs 1024-3072 bit
- Only generic attacks are known against ECC, in comparison to other systems such as RSA and discrete logarithm (DL) schemes
- An ECDSA signature with a 256-bit key is over 20 times faster than an RSA signature with a 2,048-bit key
- The energy needed to break an RSA key is much smaller than that needed to break an ECC key
Cons
- Security is achieved only if cryptographically strong elliptic curves are used
Definition of Elliptic Curves
Definition: An elliptic curve is the graph of the equation
E : y^2 = x^3 + ax^2 + bx + c
where a, b, and c are elements from the base field K of characteristic not equal to 2.
Note: We'll also include the point (∞, ∞), denoted ∞
Examples of Elliptic Curves over R
Figure: y^2 = x^3 + x    Figure: y^2 = x^3 + 73
Operations on Elliptic Curves
Point Addition
Operations on Elliptic Curves (cont)
Point Doubling
Operations on Elliptic Curves (cont)
How do we add a point P with ∞?
Operations on Elliptic Curves (cont)
Therefore, the points on E form an abelian group under addition where
1 ∞ is the additive identity
2 The inverse of the point P = (x, y) is −P = (x, −y)
3 P − Q = P + (−Q)
Elliptic Curve in R
Same Curve (mod p)
Adding Points on E
Suppose E is defined as y^2 ≡ x^3 + 4x + 4 (mod 5). Let P1 = (1, 2) and P2 = (4, 3). Then
(1, 2) + (4, 3) = (4, 2)
Doubling Points on E
Suppose E is defined as y^2 ≡ x^3 + 2x + 2 (mod 17). Let P = (5, 1). Then
2P = (6, 3)
Addition Law
If E is given by E : y^2 = x^3 + bx + c (mod p) we define
(x3, y3) = (x1, y1) + (x2, y2)
as
x3 = s^2 − x1 − x2 (mod p) and
y3 = s(x1 − x3) − y1 (mod p)
where
s = (y2 − y1) / (x2 − x1) (mod p), if P ≠ Q
s = (3x1^2 + b) / (2y1) (mod p), if P = Q
Cardinality
Question: What is the order of the group (E, +) (mod p), i.e. how many points are on E?
Hasse's Bound: Given an elliptic curve E modulo p, the number of points on E, denoted #E, is bounded by
p + 1 − 2√p ≤ #E ≤ p + 1 + 2√p
Elliptic Curves (mod p)
The Discrete Logarithm Problem for Elliptic Curves:
Given an elliptic curve E and two points P and T on E, the discrete log problem for elliptic curves is finding an integer 1 ≤ d ≤ #E such that
P + P + · · · + P (d times) = dP = T
In cryptosystems d is the private key and T is the public key
Representing Plaintext
We need a method for encoding a message as a point on an elliptic curve.
The Bad News: Currently there is no known polynomial-time, deterministic algorithm for writing down points on an arbitrary elliptic curve.
The Good News: There are fast probabilistic methods for finding points
With appropriately chosen parameters, the probability of failure can be made arbitrarily small.
Representing Plaintext
Let E : y^2 ≡ x^3 + bx + c (mod p) be the elliptic curve and let m be the message represented as a number.
Idea: Embed m as the x-coordinate of a point on E
The Bad News: There is only a 50% chance that m^3 + bm + c is a square modulo p
Question: How can we guarantee a higher success rate?
Answer: We'll adjoin a few bits at the end of m and adjust them until we get a number x such that x^3 + bx + c is a square (mod p)
Koblitz's Method
Let E : y^2 ≡ x^3 + bx + c (mod p) be the elliptic curve and let m be the message represented as a number.
Let K ∈ Z be large enough such that a failure rate of 1/2^K is acceptable
Assume that (m + 1)K < p and let x = mK + j
For j = 0, 1, 2, . . . , K − 1,
- Compute x^3 + bx + c and try to calculate the square root (mod p)
- If x^3 + bx + c is a square, then we send m to Pm = (x, y), otherwise increment j by 1
- If we reach j = K, then we have failed to map the message to a point on E
Decoding
Note: Because x^3 + bx + c is a square approximately half of the time and we try x = mK + j at most K times, we have about a 1/2^K chance of failure.
To recover the original message from Pm = (x, y), we calculate
m = ⌊x / K⌋
Second Note: Decoding requires that (m + 1)K < p
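Koblitz's encoding loop and the ⌊x/K⌋ decoding step, as an added Python example that is not part of the original slides. All parameters are constructed for illustration: the prime p = 10007, the curve y^2 = x^3 + 2x + 2, the message 123, and the helper names (is_square, sqrt_mod, range_ok, encode, decode, failure_rate) are my own choices. One assumption beyond the slides: the square-root routine only handles p ≡ 3 (mod 4), where a root of a residue r is r^((p+1)/4); for other primes you would swap in Tonelli-Shanks.

```python
# Added example (not from the slides): Koblitz's method for mapping a message m
# to a point P_m on E: y^2 = x^3 + b*x + c (mod p), plus floor(x / K) decoding.
# Assumption for this demo: p ≡ 3 (mod 4), so a root of a residue r is r^((p+1)/4).


def is_square(r, p):
    """Euler's criterion: r is a square mod p iff r^((p-1)/2) ≡ 1 (0 counts: y = 0)."""
    r %= p
    return r == 0 or pow(r, (p - 1) // 2, p) == 1


def sqrt_mod(r, p):
    """Square root of a quadratic residue r, valid only for p ≡ 3 (mod 4)."""
    if p % 4 != 3:
        raise ValueError("this demo only handles p ≡ 3 (mod 4)")
    y = pow(r, (p + 1) // 4, p)
    if y * y % p != r % p:
        raise ValueError("r is not a square mod p")
    return y


def on_curve(P, b, c, p):
    x, y = P
    return (y * y - (x ** 3 + b * x + c)) % p == 0


def range_ok(m, K, p):
    """The slides' condition (m + 1)K < p: every candidate x = mK + j stays below p,
    so floor(x / K) recovers m unambiguously (no wrap-around mod p)."""
    return 0 <= m and (m + 1) * K < p


def encode(m, K, b, c, p):
    """Try x = mK + j for j = 0..K-1; return P_m = (x, y) or None after K failures."""
    if not range_ok(m, K, p):
        raise ValueError("need 0 <= m and (m + 1) * K < p")
    for j in range(K):
        x = m * K + j
        rhs = (x ** 3 + b * x + c) % p
        if is_square(rhs, p):
            return (x, sqrt_mod(rhs, p))
    return None  # all K candidates were non-squares: probability about 1/2^K


def decode(P, K):
    """Recover m = floor(x / K) from P_m = (x, y)."""
    return P[0] // K


def failure_rate(K, b, c, p):
    """Fraction of encodable messages that fail, to compare against the 1/2^K estimate."""
    msgs = [m for m in range(p) if range_ok(m, K, p)]
    failed = sum(1 for m in msgs if encode(m, K, b, c, p) is None)
    return failed / len(msgs)


if __name__ == "__main__":
    # Constructed demo parameters: p = 10007 (prime, ≡ 3 mod 4), curve y^2 = x^3 + 2x + 2.
    b, c, p, K = 2, 2, 10007, 20
    P = encode(123, K, b, c, p)
    print("P_m =", P, "on curve:", on_curve(P, b, c, p), "decoded:", decode(P, K))
    print("observed failure rate for K=8: %.4f vs estimate %.4f"
          % (failure_rate(8, b, c, p), 2 ** -8))
```

The range check is the part worth keeping in any real implementation: if (m + 1)K ≥ p, the candidate x values can wrap around modulo p and ⌊x/K⌋ no longer returns the message that was encoded. The failure_rate helper runs the method over every encodable message for a small K so the observed rate can be compared with the slides' 1/2^K estimate.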
Elliptic Curve Diffie-Hellman Key Exchange (ECDH)
Suppose that Alice and Bob want to exchange a key
1 They agree on a prime p, the elliptic curve E : y^2 ≡ x^3 + ax + b (mod p), and a base point P on E.
2 Alice randomly chooses an integer ka and Bob randomly chooses an integer kb, which they keep secret
3 Alice publishes the point A = kaP and sends it to Bob
4 Bob publishes the point B = kbP and sends it to Alice
5 Alice takes Bob's point B and computes ka(B)
6 Similarly, Bob computes kb(A)
7 Because the group (E, +) is abelian,
ka(B) = ka(kbP) = kb(kaP) = kb(A),
so Alice and Bob have the same key
ElGamal Elliptic Curve Digital Signature Algorithm (ECDSA)
Suppose that Alice wants to sign a message, m, for Bob to verify.
To set up the system, we
1 Fix an elliptic curve E (mod p) where p is a large prime
2 Fix a base point A on E
3 Assume that the message represented as a number m satisfies 0 ≤ m ≤ #E
4 Alice chooses a private integer a and computes B = aA
Now (p, E, #E, A, B) are made public while a is private.
El Gamal ECDSA: Signing a Message
Now Alice wants to sign the message, so she
1 chooses a random 1 ≤ k ≤ #E with gcd(k, #E) = 1,
2 computes R = kA = (x, y),
3 computes s ≡ k^(−1)(m − ax) (mod #E),
4 sends the signed message (m, R, s) to Bob for verification.
El Gamal ECDSA: Verifying a Message
To verify Alice's message, Bob
1 downloads Alice's public information (p, E, #E, A, B),
2 computes v1 = xB + sR and v2 = mA
The signature is valid only if v1 = v2
Why does this work?
We know that
v1 = xB + sR
   = xaA + (k^(−1)(m − ax))(kA)
   = xaA + (m − ax)A
   = mA
   = v2
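The addition law, Hasse's bound, the ECDH exchange and the ElGamal-style EC signature from the slides, worked through together in one added Python example that is not part of the original slides (one block rather than four, because every piece needs the same point-addition and scalar-multiplication routines). It uses the slides' own toy curve y^2 = x^3 + 2x + 2 (mod 17) with base point (5, 1), and checks the slides' worked results (1, 2) + (4, 3) = (4, 2) on y^2 ≡ x^3 + 4x + 4 (mod 5) and 2(5, 1) = (6, 3). The function names (add, mul, count_points, within_hasse, ecdh, sign, verify), the secret scalars and the message values are my own constructions; the point count is done by brute force, which only makes sense for a prime this small. The signature scheme implemented is the variant on these slides (v1 = xB + sR against v2 = mA), not standard ECDSA.

```python
# Added example (not from the slides): toy affine arithmetic on
# E: y^2 = x^3 + b*x + c (mod p), a Hasse check, ECDH and the slides' ElGamal-style
# EC signature.  Demo code only: not constant-time, and the curve is far too small.
import math
import secrets

INF = None  # the point at infinity, the additive identity of (E, +)


def on_curve(P, b, c, p):
    """True if P = (x, y) satisfies y^2 = x^3 + b*x + c (mod p); ∞ always counts."""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + b * x + c)) % p == 0


def add(P, Q, b, c, p):
    """The addition law from the slides, including the cases involving ∞."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P + (-P) = ∞; also covers doubling a point with y = 0
    if P == Q:
        s = (3 * x1 * x1 + b) * pow(2 * y1, -1, p) % p  # tangent slope, P = Q
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope, P ≠ Q
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, b, c, p):
    """k*P = P + P + ... + P (k times) by double-and-add; not constant-time."""
    R, Q = INF, P
    while k > 0:
        if k & 1:
            R = add(R, Q, b, c, p)
        Q = add(Q, Q, b, c, p)
        k >>= 1
    return R


def count_points(b, c, p):
    """#E by brute force: 1 for ∞ plus every affine solution. Only for tiny p."""
    return 1 + sum(1 for x in range(p) for y in range(p)
                   if (y * y - (x ** 3 + b * x + c)) % p == 0)


def within_hasse(n, p):
    """Hasse's bound: p + 1 - 2*sqrt(p) <= #E <= p + 1 + 2*sqrt(p)."""
    return p + 1 - 2 * math.sqrt(p) <= n <= p + 1 + 2 * math.sqrt(p)


def ecdh(ka, kb, P, b, c, p):
    """ECDH from the slides: returns (A, B, Alice's key ka*B, Bob's key kb*A)."""
    A = mul(ka, P, b, c, p)  # Alice publishes A = ka*P
    B = mul(kb, P, b, c, p)  # Bob publishes B = kb*P
    return A, B, mul(ka, B, b, c, p), mul(kb, A, b, c, p)


def sign(m, a, A, n, b, c, p):
    """ElGamal-style EC signature from the slides (not standard ECDSA).
    a is Alice's private key, A the public base point, n = #E.  Returns (R, s)."""
    while True:
        k = secrets.randbelow(n - 1) + 1  # 1 <= k <= n-1, fresh for every signature
        if math.gcd(k, n) != 1:
            continue  # the slides require gcd(k, #E) = 1 so k^-1 mod #E exists
        R = mul(k, A, b, c, p)
        if R is INF:
            continue  # no x-coordinate to use; pick a new k
        x = R[0]
        s = pow(k, -1, n) * (m - a * x) % n
        return R, s


def verify(m, R, s, A, B, b, c, p):
    """Bob's check: v1 = xB + sR must equal v2 = mA."""
    if R is INF or not on_curve(R, b, c, p):
        return False  # reject malformed input before doing arithmetic with it
    x = R[0]
    v1 = add(mul(x, B, b, c, p), mul(s, R, b, c, p), b, c, p)
    v2 = mul(m, A, b, c, p)
    return v1 == v2


if __name__ == "__main__":
    # Toy curve from the slides: y^2 = x^3 + 2x + 2 (mod 17), base point (5, 1).
    b, c, p = 2, 2, 17
    P = (5, 1)
    n = count_points(b, c, p)  # 19 here, so every non-∞ point generates the group
    print("#E =", n, "within Hasse:", within_hasse(n, p))
    A_, B_, ka_key, kb_key = ecdh(7, 11, P, b, c, p)
    print("ECDH shared point:", ka_key, "==", kb_key)
    a = 3
    B = mul(a, P, b, c, p)
    R, s = sign(7, a, P, n, b, c, p)
    print("signature valid:", verify(7, R, s, P, B, b, c, p),
          "tampered message:", verify(8, R, s, P, B, b, c, p))
```

Two details matter beyond the toy size. The verifier checks that R is actually a point on E before using it, which the slides leave implicit; and the signer draws a fresh k with gcd(k, #E) = 1 for every signature, because s = k^(−1)(m − ax) leaks a linear relation in a and k, so reusing k across two messages would let anyone solve for the private key a.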
Identity-Based Encryption
In most public key systems, when Alice wants to send a message to Bob, she looks up his public key in a directory and then encrypts her message. However, how does she know that Eve has not modified the directory, so that the public key listed for Bob is actually Eve's key?!
Wouldn't it be nice to have a system where Bob's public identification information (like his email address) serves as the public key?
Setting up the Cryptosystem
First, let p be a prime of the form 6q − 1 where q is also prime. Then for the elliptic curve E : y^2 = x^3 + 1 (mod p), we know that
There is a point P0 ≠ ∞ such that qP0 = ∞.
There is a function e such that
- e maps pairs of points (aP0, bP0) to qth roots of unity
- e satisfies the bilinearity property
e(aP0, bP0) = e(P0, P0)^(ab)
for all a and b
- Given P = kP0 and Q = mP0, e(P, Q) can be computed quickly from the coordinates of P and Q
- e(P0, P0) ≠ 1, so it is a nontrivial root of unity
Setting up the Cryptosystem (cont)
We need two public hash functions:
H1 : {arb. length binary string} −→ kP0 for k ∈ Z
H2 : {qth roots of unity} −→ {binary strings of length n}
where n is the length of the message to be sent
Setting up the System
To set up the system, we need a Trusted Authority, Arthur. Arthur does the following:
He chooses a secret integer s
He computes P1 = sP0, which is made public
For each user, Arthur finds the user's ID (written as a binary string) and computes
DUser = sH1(ID),
which is a point on E
Arthur sends DUser to each user, who keeps it secret. He then discards DUser
Sending a Message
Suppose Alice wants to send a message m to Bob and suppose that m is of binary length n. Bob's ID is bob@computer.com, so Alice does the following:
1 She computes g ≡ e(H1(bob@computer.com), P1), a qth root of unity
2 She chooses a random integer r ≢ 0 (mod q) and computes
t ≡ m ⊕ H2(g^r)
where ⊕ is the XOR cipher.
3 She sends Bob the ciphertext
c ≡ (rP0, t),
where rP0 is a point on E and t is a binary string of length n
Recovering the Message
Bob receives the pair (U, v) where U is a point on E and v is a binary string of length n. Then he does the following:
1 He computes h ≡ e(DBob, U), which is a qth root of unity
2 He recovers the message by
m = v ⊕ H2(h)
Why does this work?
If encryption is performed correctly, U = rP0 and v = t = m ⊕ H2(g^r).
Since DBob = sH1(bob@computer.com),
h ≡ e(DBob, rP0) = e(sH1(bob@computer.com), rP0)
  = e(H1(bob@computer.com), P0)^(rs)
  = e(H1(bob@computer.com), sP0)^r
  = e(H1(bob@computer.com), P1)^r
  ≡ g^r
Therefore,
t ⊕ H2(h) = t ⊕ H2(g^r) = (m ⊕ H2(g^r)) ⊕ H2(g^r) = m
Any Questions?