Discrete Methods in Mathematical Informatics
Lecture 3: Other Applications of Elliptic Curve
23rd October 2012
Vorapong Suppakitpaisarn
http://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/
[email protected], Eng. 6 Room 363
Download:
Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptx
Lecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptx
Lecture 3: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture3.pptx
Course Information (Many Changes from Last Week)
10/9 – Elliptic Curve I (2 Exercises)
(What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercise)
(Elliptic Curve Cryptography[1])
10/23 – Elliptic Curve III (3 Exercises)
(Elliptic Curve Cryptography[2])
10/30 – Cancelled
11/7 – Online Algorithm I (Prof. Han)
11/14 – Online Algorithm II (Prof. Han)
11/21 – Elliptic Curve IV (2 Exercises)
(ECC Implementation I)
11/28 – Elliptic Curve V (2 Exercises)
(ECC Implementation II)
12/4 – Cancelled
From 12/11 – To be Announced
Schedule
For my part, you need to submit 2 Reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III
Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V
Submission Deadline: TBD
- Submit your report at Department of Mathematical Informatics’ office [1st floor of this building]
Grading
From Last Lecture…
• Scalar Multiplication on Elliptic Curve
$S = P + P + \ldots + P$ ($r$ times) $= rP$
when $r \ge 1$ is a positive integer and $S$, $P$ are members of the curve
• Double-and-add method
Let $r = 14 = (01110)_2$
Compute $rP = 14P$: $P \to 2P \to 3P \to 6P \to 7P \to 14P$
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
Discrete Logarithm Problem
Given P, aP - Compute a.
Overview
- Discrete Logarithm Problem
- Massey-Omura Encryption
- ElGamal Public Key Encryption
- ElGamal Digital Signatures
- Digital Signature Algorithm (DSA)
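Pollard’s Method [Pollard 1978]
Random Function $f: E(\mathbb{F}_p) \to E(\mathbb{F}_p)$
$P_1 = f(P_0),\ P_2 = f(P_1),\ \ldots,\ P_k = f(P_{k-1})$
[Figure: the points $P_0, P_1, P_2, P_3, P_4, \ldots, P_{56}, P_{57}, P_{58}$]
$O(\sqrt{N})$ [Teske, 1998]
(Semi-)Objective
Find $k \ne l$ such that $P_k = P_l$
(Semi-)Algorithm
1. $S \leftarrow R \leftarrow P_0$ for random $P_0 \in E(\mathbb{F}_p)$
2. Do $S \leftarrow f(S) = f(P_{k-1}) = P_k$, $R \leftarrow f(f(R)) = f(f(P_{2(k-1)})) = P_{2k}$ for $m$ times or until $S = R$ ($P_m = P_{2m}$)
$m = O(\sqrt{N})$
(Real-)Objective
Given $P$, $Q = aP$, find $a$
Function f for Discrete Log
$E(\mathbb{F}_p) = S_1 \cup S_2 \cup \ldots \cup S_n$, $n \approx 20$, $S_i \cap S_j = \emptyset$
Let $a_i, b_i$ be random positive integers for $1 \le i \le n$
Define $M_i = a_i P + b_i Q$ and $f(R) = R + M_i$ if $R \in S_i$
(Real-)Algorithm
1. $S \leftarrow R \leftarrow P_0 = a_0 P + b_0 Q$ for random $a_0, b_0$; $c_S \leftarrow c_R \leftarrow a_0$, $d_S \leftarrow d_R \leftarrow b_0$
2. Do
   If $S \in S_i$: $c_S \leftarrow c_S + a_i$, $d_S \leftarrow d_S + b_i$
   If $R \in S_i$ and $f(R) \in S_j$: $c_R \leftarrow c_R + a_i + a_j$, $d_R \leftarrow d_R + b_i + b_j$
   $S \leftarrow f(S)$, $R \leftarrow f(f(R))$
   until $S = R$ [$S = c_S P + d_S Q$, $R = c_R P + d_R Q$]
3. $c_S P + d_S Q = c_R P + d_R Q$
   $(d_S - d_R)Q = (c_R - c_S)P$
   $Q = (c_R - c_S)(d_S - d_R)^{-1} P$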
Example
$E(\mathbb{F}_{1093}) = \{(x,y) \mid y^2 = x^3 + x + 1\}$, $N = 1067$, $P = (0,1)$, $Q = (413,959)$
Find $a$ such that $Q = aP$
Algorithm
$(x,y) \in S_i$ if $x \equiv i \bmod 3$
$M_0 = 4P + 3Q$, $M_1 = 9P + 17Q$, $M_2 = 19P + 6Q$
$P_0 = 3P + 5Q = (326,69)$. Since $326 \equiv 2 \bmod 3$, $P_0 \in S_2$.
$P_1 = f(P_0) = P_0 + M_2 = (3P + 5Q) + (19P + 6Q) = 22P + 11Q = (727,589)$
$P_0 = (326,69)$, $P_1 = (727,589)$, $P_2 = (560,365)$, $P_3 = (1070,260)$,
$P_4 = (473,903)$, $P_5 = (1006,951)$, $P_6 = (523,938)$, ...,
$P_{57} = (895,337)$, $P_{58} = (1006,951)$, $P_{59} = (523,938)$, ...
$P_5 = 88P + 46Q$, $P_{58} = 685P + 620Q$
Since $P_5 = P_{58}$: $597P + 574Q = O$
$574a + 1067b = 1$, $(a,b) = (-764, 411)$
$Q = (1 - 1067b)Q = 574aQ = -597aP = 597 \cdot 764\,P = (1067 \cdot 427 + 499)P = 499P$
Exercise
. that Prove and
33, is order the whichin curveelliptic on point a be Let (a)
P}P,P,{Z}kP|kP{Q QP
P,Q
26154114,62
Exercise 4
1
11 mod1
,),gcd(,
abc}ZkP|kdN{cPQ
dNbbb
dNbbQaPNP,Q
where that Prove
that such integer an is
, is order the whichin curveelliptic on point a be Let (b)
The Pohlig-Hellman Method [Pohlig, Hellman 1978]
$E(\mathbb{F}_{599}) = \{(x,y) \mid y^2 = x^3 + 1\}$, $N = 600$, $P = (60,19)$, $Q = (277,239)$
Find $a$ such that $Q = aP$
Q600
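If $a \equiv 1 \bmod 3$: $200Q = 200aP = 200(3b+1)P = 600bP + 200P = 200P$
If $a \equiv 2 \bmod 3$: $200Q = 200aP = 200(3b+2)P = 600bP + 400P = 400P$
If $a \equiv 0 \bmod 3$: $200Q = 200aP = 200(3b)P = 600bP$
If $a \equiv 0 \bmod 5$: $120Q = 120aP = 120(5b)P = 600bP$
If $a \equiv 1 \bmod 5$: $120Q = 120aP = 120(5b+1)P = 600bP + 120P = 120P$
If $a \equiv 2 \bmod 5$: $120Q = 240P$
If $a \equiv 3 \bmod 5$: $120Q = 360P$
If $a \equiv 4 \bmod 5$: $120Q = 480P$
Let $a \equiv i \bmod 5$, $Q_1 = Q - iP$. Then $Q_1 = cP$ where $c \equiv 0 \bmod 5$.
If $c \equiv 0 \bmod 25$: $24Q_1 = 24cP = 24(25b)P = 600bP$
If $c \equiv 5 \bmod 25$: $24Q_1 = 24cP = 24(25b+5)P = 600bP + 120P = 120P$
If $c \equiv 10 \bmod 25$: $24Q_1 = 240P$
If $c \equiv 15 \bmod 25$: $24Q_1 = 360P$
If $c \equiv 20 \bmod 25$: $24Q_1 = 480P$
Suppose that $a \equiv i \bmod 5$ and $c = a - i \equiv j \bmod 25$. Then $a \equiv i + j \bmod 25$.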
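The Pohlig-Hellman Method [cont.]
$N = |E(\mathbb{F}_p)| = p_1^{e_1} p_2^{e_2} \cdots p_n^{e_n}$
(Real-)Problem
Given P, Q = aP - Compute a.
(Semi-)Problem
Given P, Q = aP - Compute $a \bmod p_k^{e_k}$
Properties
1. If $a \equiv i \bmod p_k$:
   $\frac{N}{p_k}Q = \frac{N}{p_k}aP = \frac{N}{p_k}(b p_k + i)P = bNP + i\frac{N}{p_k}P = i\frac{N}{p_k}P$
2. If $a \equiv i + j p_k \bmod p_k^2$, with $c = a - i$ and $Q_1 = Q - iP = aP - iP = cP$:
   $\frac{N}{p_k^2}Q_1 = \frac{N}{p_k^2}cP = \frac{N}{p_k^2}(b p_k^2 + j p_k)P = bNP + j\frac{N}{p_k}P = j\frac{N}{p_k}P$
Algorithm
1. For all $0 \le i \le p_k - 1$, compute $i\frac{N}{p_k}P$
2. Compute $\frac{N}{p_k}Q$
3. Find $i$ such that $\frac{N}{p_k}Q = i\frac{N}{p_k}P$; then $a \equiv i \bmod p_k$
4. If $e_k = 1$, Terminate. Let $Q_1 = Q - iP$, compute $\frac{N}{p_k^2}Q_1$
5. Find $j$ such that $\frac{N}{p_k^2}Q_1 = j\frac{N}{p_k}P$; then $a \equiv i + j p_k \bmod p_k^2$
6. If $e_k = 2$, Terminate. Let $Q_2 = Q_1 - j p_k P$, compute $\frac{N}{p_k^3}Q_2$
7. Find $l$ such that $\frac{N}{p_k^3}Q_2 = l\frac{N}{p_k}P$; then $a \equiv i + j p_k + l p_k^2 \bmod p_k^3$
...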
The Pohlig-Hellman Method [cont.]
$E(\mathbb{F}_{599}) = \{(x,y) \mid y^2 = x^3 + 1\}$, $N = 600$, $P = (60,19)$, $Q = (277,239)$
Find $a$ such that $Q = aP$
$120P = (84,179)$, $240P = (491,134)$, $360P = (491,465)$, $480P = (84,420)$
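$600 = 2^3 \cdot 3 \cdot 5^2$
Given P, Q = aP - Compute $a \bmod p_k^{e_k}$
$\frac{600}{5}Q = 120Q = (84,179)$, so $i = 1$, $a \equiv 1 \bmod 5$
$Q_1 = Q - 1 \cdot P = (130,129)$, $\frac{600}{5^2}Q_1 = 24Q_1 = (491,465)$
$j = 3$, $a \equiv (1 + 3 \cdot 5) \bmod 5^2$, $a \equiv 16 \bmod 25$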
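Chinese Remainder Theorem
$E(\mathbb{F}_{599}) = \{(x,y) \mid y^2 = x^3 + 1\}$, $N = 600$, $P = (60,19)$, $Q = (277,239)$
Find $a$ such that $Q = aP$
$600 = 2^3 \cdot 3 \cdot 5^2$
(Semi-)Problem
Given P, Q = aP - Compute $a \bmod p_k^{e_k}$
$a \equiv 2 \bmod 2^3$, $a \equiv 2 \bmod 3$, $a \equiv 16 \bmod 5^2$
Chinese Remainder Theorem
Suppose that $x \equiv a_i \bmod m_i$ for $1 \le i \le n$ such that $\gcd(m_i, m_j) = 1$ for all $i \ne j$
Let $M = \prod_{i=1}^{n} m_i$
Find $x$ such that $x \equiv a \bmod M$
$x \equiv a_1 b_1 \frac{M}{m_1} + a_2 b_2 \frac{M}{m_2} + \ldots + a_n b_n \frac{M}{m_n}$
where $b_i \frac{M}{m_i} \equiv 1 \bmod m_i$
$a_1 = 2$, $a_2 = 2$, $a_3 = 16$
$m_1 = 2^3 = 8$, $m_2 = 3$, $m_3 = 5^2$
$\frac{M}{m_1} = \frac{600}{8} = 75$, $\frac{M}{m_2} = \frac{600}{3} = 200$, $\frac{M}{m_3} = \frac{600}{25} = 24$
$b_1 = 3$: $3 \cdot 75 = 225 \equiv 1 \bmod 8$
$b_2 = 2$: $2 \cdot 200 = 400 \equiv 1 \bmod 3$
$b_3 = 24$: $24 \cdot 24 = 576 \equiv 1 \bmod 25$
$x = 2 \cdot 3 \cdot 75 + 2 \cdot 2 \cdot 200 + 16 \cdot 24 \cdot 24 = 10466 \equiv 266 \bmod 600$
$Q = (277,239) = 266P = 266(60,19)$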
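The Pohlig-Hellman steps and the Chinese Remainder Theorem recombination above, run end to end on the lecture's curve, as an added example that is not part of the original slides. The function names are assumptions of this sketch; the curve, P, Q and N = 600 are the values on the slides. It shows why a group order built only from small primes gives no protection: each residue needs a table of only p_k points.

```python
# Added example (not from the slides): E: y^2 = x^3 + 1 over F_599, N = 600.
from math import prod
p, A, O = 599, 0, None   # field prime, coefficient of x, point at infinity

def add(P, Q):
    """Affine point addition on E(F_p)."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return O
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    """Double-and-add scalar multiplication kP for k >= 0."""
    R = O
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def dlog_mod_prime_power(P, Q, N, q, e):
    """a mod q^e with Q = aP, one base-q digit per pass (slide steps 1-7)."""
    base = mul(N // q, P)                          # (N/q)P has order q
    table = {mul(i, base): i for i in range(q)}    # step 1: all i(N/q)P
    a, Qt = 0, Q
    for t in range(e):
        digit = table[mul(N // q ** (t + 1), Qt)]  # steps 3, 5, 7
        a += digit * q ** t
        Qt = add(Qt, mul(N - digit * q ** t, P))   # Q_{t+1} = Q_t - digit*q^t*P
    return a

def crt(residues, moduli):
    """x mod M from x = a_i mod m_i, using b_i*(M/m_i) = 1 mod m_i."""
    M = prod(moduli)
    return sum(a * pow(M // m, -1, m) * (M // m) for a, m in zip(residues, moduli)) % M

def pohlig_hellman(P, Q, N, factors):
    residues = [dlog_mod_prime_power(P, Q, N, q, e) for q, e in factors]
    return residues, crt(residues, [q ** e for q, e in factors])

P, Q = (60, 19), (277, 239)
residues, a = pohlig_hellman(P, Q, 600, [(2, 3), (3, 1), (5, 2)])
print(residues, a, mul(a, P) == Q)   # [2, 2, 16] 266 True
```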
Three-Pass Protocol [Shamir 1980]
Private Key Cryptography
- A Key Agreement Protocol gives both parties the key k.
- Sender: M → Encryption Algorithm → Ek(M)
- Receiver: Ek(M) → Decryption Algorithm → Dk(Ek(M)) = M
Three-pass Protocol
- The sender holds k1 and the receiver holds k2.
- Sender: M → Encryption Algorithm → Ek1(M)
- Receiver: Ek1(M) → Super-Encryption Algorithm → Ek2(Ek1(M))
- Sender: Ek2(Ek1(M)) → Decryption Algorithm → Ek2(M) = Dk1(Ek2(Ek1(M)))
- Receiver: Ek2(M) → Super-Decryption Algorithm → M
Massey-Omura Protocol [Massey, Omura 1986]
Massey-Omura Protocol
$M \in E(\mathbb{F}_p)$ with order $N$; $k_1$ - co-prime of $N$; $k_2$ - co-prime of $N$
- Encryption Algorithm: $k_1 M$
- Super-Encryption Algorithm: $k_2(k_1 M) = k_1 k_2 M$
- Decryption Algorithm: $k_1^{-1}(k_1 k_2 M) = k_2 M$, where $k_1^{-1}$ is an integer such that $(k_1)(k_1^{-1}) \equiv 1 \bmod N$
- Super-Decryption Algorithm: $k_2^{-1}(k_2 M) = M$
Massey-Omura Protocol [cont.]
Example
$E(\mathbb{F}_5) = \{(x,y) \mid y^2 = x^3 + x + 1\} \cup \{O\}$; $M = (0,1) \in E(\mathbb{F}_p)$ with order 9
$k_1 = 2$, $k_2 = 7$
- Encryption Algorithm: $k_1 M = 2(0,1) = (4,2)$
- Super-Encryption Algorithm: $k_2(k_1 M) = 7(4,2) = (3,1)$
- Decryption Algorithm: $k_1^{-1} = 5$ since $(2)(5) = 10 \equiv 1 \bmod 9$; $k_1^{-1}(k_1 k_2 M) = 5(3,1) = (4,3)$
- Super-Decryption Algorithm: $k_2^{-1}(k_2 M) = 4(4,3) = (0,1)$
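Massey-Omura Protocol [cont.]
Integer → Point on Elliptic Curve
Let $m$ be a positive integer we want to encode.
Find $(x,y) \in E(\mathbb{F}_p)$ such that $100m \le x \le 100m + 99$.
Find $x$ such that $y^2 = s = x^3 + Ax + B$; $s = y^2$ for some $y \in \mathbb{F}_p$ if $s^{(p-1)/2} = 1$.
If $p \equiv 3 \bmod 4$, $y = s^{(p+1)/4}$.
Point on Elliptic Curve → Integer
$(x,y) \in E(\mathbb{F}_p)$ is decoded to $m = \lfloor x/100 \rfloor$.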
zzvvz
vv-zvvz
vv-xx
yyyy
x
yxx,y p
pp
pp
p
p
p
p
)/(p
p
24/)1(2
22
2
24/)1(
2/)1(
222/)1(
21
2
,
1
1
4mod3
thatShow , all for Suppose (g)
some for thatshow all for Suppose (f)
all for thatShow (e)
thatShow (d)
thatShow (c)
thatShow (b)
thatShow (a)
Suppose . number, prime a be Let
Z
ZZZ
FExercise 4 Exercise 5
xx )/(p 21 thatShow (a)
pF
pF
pF
Public Key Cryptography
Private Key Cryptography
- A Key Agreement Protocol gives both parties the key k.
- Sender: M → Encryption Algorithm → Ek(M)
- Receiver: Ek(M) → Decryption Algorithm → Dk(Ek(M)) = M
Public Key Cryptography
- The receiver holds kpub, kpri; the Certificate Authority (CA) distributes kpub.
- Sender: M → Encryption Algorithm → Ekpub(M)
- Receiver: Ekpub(M) → Decryption Algorithm → Dkpri(Ekpub(M)) = M
ElGamal Public Key Encryption [ElGamal 1985]
ElGamal PKE
$P \in E(\mathbb{F}_p)$, $s \in \mathbb{Z}$; $k_{pri} = s$, $k_{pub} = (P, B = sP)$
Certificate Authority (CA): $k_{pub} = (P, B = sP)$
$M \in E(\mathbb{F}_p)$, $k \in \mathbb{Z}$
Encryption Algorithm: Ekpub(M) = (M1, M2), M1 = kP, M2 = M + kB
Decryption Algorithm: Dkpri(Ekpub(M)) = M2 - sM1 = M
$M_2 - sM_1 = (M + kB) - s(kP) = M + k(sP) - skP = M$
ElGamal Public Key Encryption (cont.)
Example
$E(\mathbb{F}_5) = \{(x,y) \mid y^2 = x^3 + x + 1\} \cup \{O\}$; $(0,1) \in E(\mathbb{F}_p)$ with order 9
$k_{pri} = s = 5$, $P = (0,1)$, $B = sP = 5(0,1) = (3,1)$, $k_{pub} = (P, B) = ((0,1),(3,1))$
$M = (4,2) \in E(\mathbb{F}_p)$, $k = 7$
Encryption Algorithm: Ekpub(M) = (M1, M2)
M1 = kP = 7(0,1) = (4,3)
M2 = M + kB = (4,2) + 7(3,1) = (0,1)
Decryption Algorithm: Dkpri(Ekpub(M)) = M2 - sM1 = (0,1) - 5(4,3) = (4,2)
ElGamal Public Key Encryption (cont.)
ElGamal Problem Ver. I
Given P, sP (public key), kP, M + skP,
Find M.
Discrete Log.
Given P, sP
Find s.
Digital Signature [Diffie, Hellman 1976]
Objective
Alice is sending a message M to Bob.
1. Bob can be sure that the sender is really Alice.
2. Alice cannot deny that she sent the message.
3. No one else can send a message claiming that they are Alice.
Digital Signature
- Alice holds kpri, kpub; the Certificate Authority (CA) distributes kpub.
- Alice: M → Signing Algorithm → M, Skpri(M)
- Bob: M, Skpri(M) → Verification Algorithm → Vkpub(Skpri(M)) = M ?
ElGamal Digital Signatures [ElGamal 1985]
Digital Signature
- Alice: M → Signing Algorithm → M, Skpri(M)
- Bob: M, Skpri(M) → Verification Algorithm → is Skpri(M) signed by Alice???
ElGamal’s Protocol
$a \in \mathbb{Z}$, $A \in E(\mathbb{F}_p)$; $k_{pri} = a$, $k_{pub} = (A, B = aA)$
Certificate Authority (CA): kpub = (A, B)
Message $m \in \mathbb{Z}$, Random Integer $k$
Signing Algorithm: $R = kA = (x_R, y_R)$, $s = k^{-1}(m - a x_R)$; $M, S_{k_{pri}}(M) = (R, s)$
Verification Algorithm: $x_R B + sR = mA$ ???
$x_R B + sR = x_R aA + s kA = x_R aA + (m - a x_R)A = mA$
ElGamal Digital Signatures (cont.)
Example
$E(\mathbb{F}_5) = \{(x,y) \mid y^2 = x^3 + x + 1\} \cup \{O\}$; $(0,1) \in E(\mathbb{F}_p)$ with order 9
$k_{pri} = a = 2$, $A = (0,1)$, $k_{pub} = (A, B)$ where $B = aA = 2(0,1) = (4,2)$
Message $m = 5$, Random Integer $k = 7$
Signing Algorithm: $R = kA = 7A = (4,3)$, $x_R = 4$; $s = k^{-1}(m - a x_R) = 7^{-1}(5 - 2 \cdot 4) = (4)(-3) \equiv 6 \pmod 9$
$m = 5$, $S_{k_{pri}}(M) = (R, s) = ((4,3), 6)$
Verification Algorithm: $x_R B + sR = 4(4,2) + 6(4,3) = (0,4) + (2,4) = (3,1)$
ElGamal Digital Signatures (cont.)
ElGamal Problem Ver. II
Given A, B=aA (public key), m (message), m' (forged message)
Find R, s such that $x_R B + sR = m'A$
Discrete Log.
Given P, sP
Find s.
Exercise 6
Suppose that the ElGamal signature scheme is used to produce the valid signed message $(m, R = (x_R, y_R), s)$. Let $h$ be an integer with $\gcd(h, N) = 1$. Assume $\gcd(x_R, N) = 1$. Let
$R' = hR = (x_{R'}, y_{R'})$, $s' \equiv s\,x_{R'}\,x_R^{-1}\,h^{-1} \pmod N$, $m' \equiv m\,x_{R'}\,x_R^{-1} \pmod N$.
Show that $(m', R', s')$ is a valid signed message.
Digital Signature Algorithm [Vanstone 1992]
ElGamal’s Protocol
),(,
)(,
aABAkakEAa
pubpri
p
FZ
Certificate Authority
(CA)
kpub=(A,B)
km
Integer Random Message Z
Signing
Algorithm
kaxms
yxkPR
R
RR
),(
),()(, sRMSMprik ),()(, sRMSM
prik
Verification
Algorithm
???mAsRBxR
DSA’s Protocol
),(,
)(,
aABAkakEAa
pubpri
p
FZ
Certificate Authority
(CA)
kpub=(A,B)
km
Integer Random Message Z
Signing
Algorithm
kaxms
yxkPR
R
RR
),(
),()(, sRMSMprik ),()(, sRMSM
prik
Verification
Algorithm
???
???
ARmsB
mx
mAsRBx
R
R
3 Scalar Multiplications
2 Scalar Multiplications
Pairing-Based Cryptography
G)E()e:E( pp FF FunctionBilinear Function
abQPebQaPe ),(),( QP, If 1),( QPe
Diffie-Hellman Exchange Protocol
ALICE
1. Generate $P \in E(\mathbb{F})$
2. Generate positive integer a
3. Receive Q = bP
4. Compute aQ = abP
BOB
1. Receive P
2. Receive S = aP
3. Generate positive integer b
4. Compute bS = abP
Messages: Alice → Bob: P, aP; Bob → Alice: bP
Three-Parties DHE
Round 1
- ALICE holds a, aP; BOB holds b, bP; CHARLIE holds c, cP
- Messages: bP, aP, cP
Round 2
- ALICE holds a, aP, bP; BOB holds b, bP, cP; CHARLIE holds c, cP, aP
- Messages: bcP, abP, acP
Three-Parties DHE with Pairing
- ALICE holds a, aP; BOB holds b, bP; CHARLIE holds c, cP
- Messages: bP, aP, cP
- ALICE receives bP and cP (and sends aP):
$e(bP, cP) = e(P,P)^{bc}$
$(e(P,P)^{bc})^a = e(P,P)^{abc}$
Thank you for your attention
Please feel free to ask questions or comment.