introduction to elliptic curve...
TRANSCRIPT
![Page 1: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/1.jpg)
Introduction toElliptic Curve Cryptography
Anupam Datta
18-733
![Page 2: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/2.jpg)
Elliptic Curve Cryptography
β’ Public Key Cryptosystem
β’ Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptographyβ Groups / Number Theory Basis
β Additive group based on curves
β’ What is the point?β Less efficient attacks exist so we can use smaller keys
than discrete log / RSA based cryptography
![Page 3: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/3.jpg)
Computing Dlog in (Zp)*(n-bit prime p)
Best known algorithm (GNFS): run time exp( )
cipher key size modulus size80 bits 1024 bits128 bits 3072 bits256 bits (AES) 15360 bits
As a result: slow transition away from (mod p) to elliptic curves
Elliptic Curvegroup size
160 bits
256 bits
512 bits
![Page 4: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/4.jpg)
Discrete Logs
β’ Let π = 2π + 1 where π, π are large primes
β’ β€π is the group of integers modulo π
β’ β€π = 2π
β’ πΊπ = ππ β€π is the quadratic residue subgroup of β€π
β’ ππ β€π = π, subgroup of prime order
β’ Every element π β πΊπ is a generator, pick a random one
β’ Pick secret π₯, compute ππ₯πππ π
β’ Public: π, π, π, ππ₯ Secret: π₯
β’ Discrete Log Assumption: Given Public it is hard to find Secret
![Page 5: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/5.jpg)
Outline
β’ Elliptic curves over reals
β’ Elliptic curves over ππ
β’ ECDH and ECDSA
![Page 6: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/6.jpg)
Elliptic Curves
β’ Consider the following equation:π¦2 = π₯3 + ππ₯ + π
β’ Idea: we pick (π, π) and form a group which is a set containing all of the points that satisfy the equation
β’ This group will be defined with a very special addition operation which introduces an additional imaginary point
![Page 7: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/7.jpg)
Example
![Page 8: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/8.jpg)
Not all curves are valid elliptic curves
β’ Left: π¦2 = π₯3 has a βcuspβ
β’ Right: π¦2 = π₯3 β 3π₯ + 2 has a βself intersectionβ
β’ In general we require: 4π3 + 27π2 β 0
β’ Observation: curves are symmetric about the point π¦ = 0
![Page 9: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/9.jpg)
Elliptic Curves as a Group
β’ Groups are sets defined over some operation with some structure / properties
β’ πΊ = π₯, π¦ : π¦2 = π₯3 + ππ₯ + π
β’ Define an operation denoted by β+β such that:
β’ If π1, π2 β πΊ, π1 + π2 β πΊ (Closure)
β’ π1 + π2 + π3 = π1 + (π2 + π3) (Associative)
β’ β0 π . π‘. βπ π + 0 = 0 + π = π (Identity)
β’ βπ βπβ1 π . π‘. π + πβ1 = 0 (Inverse)
β Curves will form an abelian group
β’ π1 + π2 = π2 + π1 (Communitive)
![Page 10: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/10.jpg)
The Group Operation
β’ Not typical point-wise addition!
β’ What is this 0 element?
β π¦2 = π₯3 + ππ₯ + π does not include (0, 0) if π β 0
β’ How do we know inverses exist if we donβt know what the 0 element is?
β’ How do we maintain closure?
β π₯, π¦ + π₯, π¦ = 2π₯, 2π¦ for typical pointwise addition which in general does not lie on the curve
![Page 11: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/11.jpg)
The Group Operation
β’ Let π, π, π β πΊ, such that a line passes through all of them, then group operation is:
π + π + π = 0
β’ This is strange, we have a relationship between points that lie along but no clear notion of traditional addition
β’ We can use the relationship to define a more traditional form of addition:
π + π = βπ
![Page 12: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/12.jpg)
The Group Operationβ’ π + π = βπ
β’ π = π₯π , π¦π , βπ = π₯π , βπ¦πβ’ What happens if we want to compute
β π + π ?β’ What third point on the curve lies
on the line defined by (π , βπ )?
β’ We say this is the point defined at infinity, we denote it by 0, and it is the additive identity
β’ βπ + π = 0
β’ Adjust our definition of the group:β’ πΊ = π₯, π¦ : π¦2 = π₯3 + ππ₯ + π βͺ {0}
![Page 13: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/13.jpg)
The Group Operation (Geometric)
β’ Given πΊ = π₯, π¦ : π¦2 = π₯3 + ππ₯ + π βͺ {0}, calculate π + πβ Geometrically, figure out the third point π such that a line goes through π,π, π and then
set P + π = βπ
β’ What could possibly go wrong?β P or Q could be 0
β’ 0 Is the identity under the group operation, so π + 0 = 0 + π = π
β P = -Qβ’ This is the case of βπ + π = 0 which was defined by the vertical line
β P = Qβ’ Imagine tangent to P, use that to find R. π + π = βπ describes the line tangent to π that intersects at π
β There is no 3rd pointβ’ This occurs when the line is tangent to exactly one of π or π. Suppose the line is tangent to π, then from before
we have π + π = βπ which gives us π + π = βπ
β’ If line is tangent to π, then π + π = βπ which would give us π + π = βπ
![Page 14: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/14.jpg)
Algebraic Solution
β’ Let π β π, line defined by π, π has slope
π =π¦π β π¦π
π₯π β π₯π
β’ Intersection with point π = xR, yR :
β π₯π = π2 β π₯π β π₯π
β π¦π = π¦π +π π₯π β π₯π = yQ +m xR β xQ
β’ How would we check that this is correct?β Check if π₯π , π¦π β πΊ, if it is then correct with high probability
![Page 15: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/15.jpg)
Multiplication
β’ We have defined addition, so now we can define multiplication
β’ π β π = π + π + β¦+ π π β π‘ππππ
β’ Inefficient for multiplying by large numbers
β’ Use doubling algorithm, analogue of repeated squaring algorithm for exponentiation
β’ Calculate 19 (6 Additions):β A = 1+1 = 2
β B = A + A = 2 + 2 = 4
β C = B + B = 4 + 4 = 8
β D = C + C = 16
β 19 = D + A + 1
![Page 16: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/16.jpg)
Back to Discrete Logs
β’ In the discrete log setting, exponentiation was easy, but logs were hard
β ππ₯ β Easy, logπ ππ₯ β Hard
β’ In the elliptic curve setting, multiplication is easy but division is hard
β We still call division βlogarithmβ even though its really division here
β’ We used the asymmetry of these operations in the discrete log setting to do key exchange / encryption, can do a similar thing with elliptic curves
![Page 17: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/17.jpg)
Fields
β’ A field is a set π½ with two operations (+,Γ) that has the following properties:
β π½ is an abelian group under +
β The non-zero elements of π½ are an abelian group under Γ
β π π + π = ππ + ππ βπ, π, π β π½ (Distributive)
![Page 18: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/18.jpg)
Elliptic Curves Over a Field
β’ Note: β€πβ (+,Γ) is a field when π is prime
β’ Refine the definition of the curve group again:
β’ πΊ =π₯, π¦ β π½π
2: π¦2 = π₯3 + ππ₯ + π πππ π
4π3ΩΏ + 27π2 β 0 πππ πβͺ {0}
β’ Curves are now defined only at discrete points and not over the smooth lines that we had before
![Page 19: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/19.jpg)
Elliptic Curves Over a Field
π¦2 = π₯3 β 7π₯ + 10 πππ π where π = 19, 97, 127, 487
![Page 20: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/20.jpg)
Operation for Curves Over a Field
Curve π¦2 = π₯3 β π₯ + 3 (πππ 127), π = 16, 20 , π = (41, 120)
![Page 21: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/21.jpg)
Operation for Curves Over a Field
β’ The addition operation that we defined before works exactly the same on curves defined over a field
β’ All of the special cases are handled exactly the same as before
β’ Intersection with point π = xR, yR still computed as:
β π₯π = π2 β π₯π β π₯ππππ π
β π¦π = π¦π +π π₯π β π₯π πππ π = yQ +m xR β xQ πππ π
![Page 22: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/22.jpg)
Order of Elliptic Curve Group
β’ # of unique points in the group
β Could simply try and count them, but there are too many for this to be possible
β’ Efficient algorithms for computing this exist
![Page 23: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/23.jpg)
Subgroups of Elliptic Curve Groups
β’ In the discrete log setting, we selected a generator π and computed π0, π1, β¦ πππ π
β’ This group generated by the generator had an order that divided the order of the parent group by Lagrangeβs Theorem
β’ In Elliptic Curves we can select a point P which is like a generator and compute 0π, π, 2π, 3π,β¦ πππ π, we call this a Base Point
β’ This operation will also generate a cyclic subgroup of the Elliptic curve group whose order divides the order of the parent group
![Page 24: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/24.jpg)
Subgroups of Elliptic Curve Groups
β’ Suppose we pick a point, π, how can we find the order of the subgroup generated by π?
β’ Let N be the order of the parent group
β’ Let π = π1π1π2
π2 β¦ be the prime factorization of N
β’ Let n be the order of the subgroup
β’ Idea: take all divisors of N, given by the prime factorization, and sort them smallest to largest, call them n. The order of the subgroup is the smallest n such that nP = 0.
![Page 25: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/25.jpg)
Finding Base Point With High Order
β’ We will want to find a base point that generates a subgroup with prime order that is as high as possible
β’ Let β =π
πwe will call β the cofactor of the subgroup
β’ Let π be the largest prime factor in the prime factorization of π
β’ ππ = 0 because π is an integer multiple of any point π
β’ π βπ = 0 by re-writing π = πβ
β’ This tells us that the point βπ = πΊ has order π unless πΊ = 0
β’ πΊ is a generator of a cyclic subgroup of prime order π
![Page 26: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/26.jpg)
ECDH β Elliptic Curve Diffie-Hellman
β’ Regular Diffie-Hellman:β Alice has secret π and computes ππ
β Bob has secret π and computes ππ
β They exchange and compute πππ
β Key insight: it is hard for an adversary to compute πππ from ππ, ππ
β’ ECDH Setting, Public Parameters: π, π, π, πΊ, π, β
β π = large prime
β (π, π) = coefficients in π¦2 = π₯3 + ππ₯ + π
β πΊ = base point that generates subgroup of large prime order
β π = order of the subgroup
β β = cofactor of the subgroup
![Page 27: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/27.jpg)
ECDH β Elliptic Curve Diffie-Hellman
β’ Alice: ππ΄ βπ β€π, π»π΄ = ππ΄πΊ
β’ Bob: ππ΅ βπ β€π, π»π΅ = ππ΅πΊ
β’ Alice -> Bob: π»π΄β’ Bob -> Alice: π»π΅
β’ Alice: ππ΄π»π΅ = ππ΄ππ΅πΊ
β’ Bob: ππ΅π»π΄ = ππ΅ππ΄πΊ
β’ Say π = ππ΄ππ΅πΊ is the shared secret, can use it to derive a symmetric key
![Page 28: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/28.jpg)
ECDSA β Elliptic Curve Digital Signature Algorithm
β’ Public Information: π, π, π, πΊ, π, β
β’ Aliceβs Private Key: ππ΄β’ Aliceβs Public Key: π»π΄ = ππ΄πΊ
β’ Alice signs a message π β β€π by performing the following:
β π βπ β€πβ π = ππΊ = (π₯π , π¦π)
β π = π₯π πππ π, if π = 0 start over
β π = πβ1 π + πππ΄ πππ π, if π = 0 start over
β Output signature (π , π)
![Page 29: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/29.jpg)
ECDSA β Elliptic Curve Digital Signature Algorithm
β’ Bob can verify a message signed by performing the following:β Bob gets π, π , π, π»π΄
β Calculate π’1 = π β1π πππ π, π’2 = π β1π πππ π
β Calculate π = π’1πΊ + π’2π»π΄β Valid if and only if π = π₯π πππ π
![Page 30: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/30.jpg)
ECDSA β Elliptic Curve Digital Signature Algorithm
β’ Check that the algorithm is correct:
β π = π’1πΊ + π’2π»π΄ = π’1πΊ + π’2ππ΄πΊ = π’1 + π’2ππ΄ πΊ
β π = π β1π + π β1πππ΄ πΊ = π β1 π + πππ΄ πΊ
β π = πβ1 π + πππ΄ β π = π β1 π + πππ΄
β π = π β1 π + πππ΄ πΊ = ππΊ β Thus the signature will verify correctly
![Page 31: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/31.jpg)
Acknowledgments
β’ Many slides created by Kyle Soska (TA for 18733 in Spring 2016)
![Page 32: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/32.jpg)
Pairing Based Cryptography
β’ Computational Diffie-Hellman
β Given π, ππ, ππ compute πππ
β’ Decisional Diffie-Hellman
β Given π, ππ, ππ, cant tell πππ apart from random element ππ for random π
β’ Let πΊ1, πΊ2, πΊπ be groups of prime order π, then a bilinear pairing denoted π is an operation that maps from πΊ1 Γ πΊ2 β πΊπ such that
β’ βπ, π β π½π , βπ β πΊ1, βπ β πΊ2 π ππ, ππ = π π, π ππ β 1
β’ Idea: We can use pairing based cryptography to create a situation where Computational Diffie-Hellman is hard, but Decisional Diffie-Hellman is easy
![Page 33: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/33.jpg)
Pairing Based Cryptography
β’ Computational Diffie-Hellman
β Given π, ππ, ππ compute πππ
β’ Decisional Diffie-Hellman
β Given π, ππ, ππ, cant tell πππ apart from random element ππ for random π
β’ Suppose an adversary has ππ , ππ, ππ§, where ππ§ is randomly either πππ or ππ for π random. How can he check which one he has?
β π ππ , ππ = π π, π ππ = π π, πππ
β Adversary computes π π, ππ§ =? π ππ, ππ
![Page 34: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/34.jpg)
Pairing Based Signatures (Boneh et al.)
β’ π₯ βπ β€π
β’ Private Key: π₯, Public Key: ππ₯
β’ Sign message m by hashing it yielding β = π»(π) and signing the hash as π = βπ₯
β’ Verify (π, π) as π π, π =? π π» π , ππ₯
β π π, π = π βπ₯ , π = π π» π π₯, π = π π» π , π π₯ = π π» π , ππ₯
![Page 35: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/35.jpg)
Twists Of Elliptic Curves
β’ Suppose you have an elliptic curve πΈ[π] over some field π½
β’ A twist of πΈ[π] another elliptic curve over a field extension of π½
β’ A twist of πΈ[π] will be isomorphic to πΈ[π], namely it will have the same order, and there is a 1-1 onto mapping between them
![Page 36: Introduction to Elliptic Curve Cryptographycourse.ece.cmu.edu/~ece733/lectures/21-intro-ecc.pdfPairing Based Cryptography β’ Computational Diffie-Hellman βGiven π,π ,π](https://reader035.vdocuments.mx/reader035/viewer/2022063019/5fe0af2f0d9f7d6f55796fe4/html5/thumbnails/36.jpg)
Other Notes
β’ Weil Pairing is a well studied paring where the groups πΊ are elliptic curves
β’ There are many standardized elliptic curve groupsβ π¦2 + π₯π¦ = π₯3 + ππ₯2 + 1 over π½2π, π = prime and π = 0 or 1β’ Koblitz Curves, very fast addition and multiplication
β π₯2 + π¦2 = 1 + ππ₯2π¦2 where π = 0 or 1β’ Edwards Curves, point addition is the same in all cases, and
reasonably fast