Discrete Methods in Mathematical Informatics
Lecture 2: Elliptic Curve Cryptography
16th October 2012
Vorapong Suppakitpaisarn
http://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/
[email protected], Eng. 6 Room 363
Download:
Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptx
Lecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptx
Course Information (Many Changes from Last Week)
Schedule
10/9 – Elliptic Curve I (2 Exercises) (What is Elliptic Curve?)
10/16 – Elliptic Curve II (2 Exercises) (Elliptic Curve Cryptography)
10/23 – Elliptic Curve III (2 Exercises) (Primality Testing and Factoring)
10/30 – Cancelled
11/7 – Online Algorithm I (Prof. Han)
11/14 – Online Algorithm II (Prof. Han)
11/21 – Elliptic Curve IV (2 Exercises) (ECC Implementation I)
11/28 – Elliptic Curve V (2 Exercises) (ECC Implementation II)
12/4 – Cancelled
From 12/11 – To be Announced
Grading
For my part, you need to submit 2 Reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III
  Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V
  Submission Deadline: TBD
- Submit your report at Department of Mathematical Informatics’ office [1st floor of this building]
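From Last Lecture…
Weierstrass Equation: $y^2 = x^3 + Ax + B$ (both plots use A = -4, B = 4)
Point Addition
$P = (x_1, y_1)$, $Q = (x_2, y_2)$, $P + Q = (x_3, y_3)$, where
$m = \frac{y_2 - y_1}{x_2 - x_1}$
$x_3 = m^2 - x_1 - x_2$
$y_3 = m(x_1 - x_3) - y_1$
Point Double
$P = (x_1, y_1)$, $P + P = 2P = (x_3, y_3)$, where
$m = \frac{3x_1^2 + A}{2y_1}$
$x_3 = m^2 - 2x_1$
$y_3 = m(x_1 - x_3) - y_1$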
Cryptography
• Methods or Algorithms for Secure Communication
Alice: M → Encryption Algorithm → E(M)
Bob: E(M) → Decryption Algorithm → M
RSA (the most popular algorithm): Slow, Memory Usage
Elliptic Curve Cryptography: Fast, Using Less Memory (assuming the same key size)
Optimize and Analyze → Faster Algorithms
Some Progress on Elliptic Curve Cryptography
1976 Introduction of Elliptic Curve Cryptography (ECC)
2000’s Researchers began to take an interest in ECC because its memory consumption is better than that of RSA
2002 Implementation of ECC in OpenSSL
2008 Publication of a standard defining the use of ECC: http://tools.ietf.org/html/rfc5246#ref-ECDSA
2011 Google introduces ECC as the default algorithm for its https web page
2012 Joux and Vitse successfully break 151 bits of ECC [Joux, Vitse, EUROCRYPT 2012, June 2012]
(While 768 bits of RSA was broken by Kleinjung et al. in 2010) [Kleinjung et al., CRYPTO 2010, 2010]
Overview
- Basics: Prime Field & Elliptic Curve
- Diffie-Hellman Key Exchange
- Discrete Logarithm Problem
- Massey-Omura Encryption
- ElGamal Public Key Encryption
- ElGamal Digital Signatures
- Digital Signature Algorithm (DSA)
Prime Field $\mathbb{F}_p$
• p is a prime number. [Let p = 7 in this slide]
• Consider the set {0, 1, …, p – 1}
Addition: $a +_f b = (a + b) \bmod p$
Example: $1 +_f 2 = 3$, $5 +_f 5 = 10 \bmod 7 = 3$
Subtraction: $a -_f b = (a - b) \bmod p$
Example: $5 -_f 5 = 0$, $1 -_f 2 = -1 \bmod 7 = 6$
Multiplication: $a \times_f b = (ab) \bmod p$
Example: $1 \times_f 2 = 2$, $5 \times_f 5 = 25 \bmod 7 = 4$
Exponentiation: Let k be a natural number. $\exp_f(a, k) = a^k \bmod p$
Example: $\exp_f(2, 3) = 2^3 \bmod 7 = 1$, $\exp_f(5, 4) = 625 \bmod 7 = 2$
Note [Fermat's Little Theorem]: For any $a \in \{1, \ldots, p-1\}$, $\exp_f(a, p-1) = 1$
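Prime Field $\mathbb{F}_p$ (cont.)
• p is a prime number. [Let p = 7 in this slide]
• Consider the set {0, 1, …, p – 1}
Multiplicative Inverse: $inv_f(a) = b$ if $a \times_f b = 1$
Real Number? $5 \times \frac{1}{5} = 1$. Then, $\frac{1}{5} = 0.2$ is the multiplicative inverse of 5.
Prime Field $\mathbb{F}_7$
$1 \times_f 1 = 1 \bmod 7 = 1$
$2 \times_f 4 = 8 \bmod 7 = 1$
$3 \times_f 5 = 15 \bmod 7 = 1$
$4 \times_f 2 = 8 \bmod 7 = 1$
$5 \times_f 3 = 15 \bmod 7 = 1$
$6 \times_f 6 = 36 \bmod 7 = 1$
$Inv_f(1) = 1$, $Inv_f(2) = 4$, $Inv_f(3) = 5$, $Inv_f(4) = 2$, $Inv_f(5) = 3$, $Inv_f(6) = 6$
Theorem
For all $a \in \{1, 2, \ldots, p-1\}$, there exists exactly one $b \in \{1, 2, \ldots, p-1\}$ such that $a \times_f b = 1$.
Proof
Existence: $\gcd(a, p) = 1$, then there exist integers $b, k$ satisfying the equation
$ab - pk = 1$
$ab = 1 + pk$
$ab \bmod p = 1$
Uniqueness: Let $ab = ac = 1 \bmod p$ and $b \ne c$. Then
$ab - ac = a(b - c) = 0 \bmod p$
Since $a \in [1, p-1]$ and $b - c \in [1-p, p-1] - \{0\}$, $a(b-c)$ is not divided by $p$.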
Prime Field $\mathbb{F}_p$ (cont.)
Division: $a \div_f b = a \times_f inv_f(b)$
Real Number? $6 \div 5 = 6 \times inv(5) = 6 \times \frac{1}{5} = 1.2$
Prime Field $\mathbb{F}_7$: $6 \div_f 5 = 6 \times_f inv_f(5) = 6 \times_f 3 = 18 \bmod 7 = 4$
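Elliptic Curve with Prime Field
Elliptic Curve: $E(\mathbb{F}_p) = \{\infty\} \cup \{(x, y) \in \mathbb{F}_p \times \mathbb{F}_p \mid y^2 = x^3 + Ax + B\}$
Example, p = 5, A = 1, B = 1
Values of $x^3 + x + 1$:
x = 0: 1 mod 5 = 1
x = 1: 3 mod 5 = 3
x = 2: 11 mod 5 = 1
x = 3: 31 mod 5 = 1
x = 4: 69 mod 5 = 4
Values of $y^2$:
y = 0: 0 mod 5 = 0
y = 1: 1 mod 5 = 1
y = 2: 4 mod 5 = 4
y = 3: 9 mod 5 = 4
y = 4: 16 mod 5 = 1
Points: (0,1), (0,4), (2,1), (2,4), (3,1), (3,4), (4,2), (4,3)
$\|E(\mathbb{F}_p)\| = 9$
Hasse’s Theorem (Hasse 1936)
$(p + 1) - 2\sqrt{p} \le \|E(\mathbb{F}_p)\| \le (p + 1) + 2\sqrt{p}$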
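Elliptic Curve with Prime Field (cont.)
Elliptic Curve: $E(\mathbb{F}_p) = \{\infty\} \cup \{(x, y) \in \mathbb{F}_p \times \mathbb{F}_p \mid y^2 = x^3 + Ax + B\}$
Point Double
$P = (x_1, y_1)$, $P + P = 2P = (x_3, y_3)$, where
$m = \frac{3x_1^2 + A}{2y_1}$, $x_3 = m^2 - 2x_1$, $y_3 = m(x_1 - x_3) - y_1$
Example, p = 5, A = 1, B = 1
$P = (0, 1)$
$m = (3 \cdot 0^2 + 1) \times_f Inv_f(2 \cdot 1) = 1 \times_f Inv_f(2) = 3$
$x_3 = (3^2 - 2 \cdot 0) \bmod 5 = 9 \bmod 5 = 4$
$y_3 = (3(0 - 4) - 1) \bmod 5 = -13 \bmod 5 = 2$
$(0,1) + (0,1) = 2(0,1) = (4,2)$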
Scalar Multiplication
• Scalar Multiplication on Elliptic Curve
S = P + P + … + P = rP (r times)
when r ≥ 1 is a positive integer and S, P are members of the curve
• Double-and-add method
• Let r = 14 = (01110)_2
Compute rP = 14P, r = 14 = (0 1 1 1 0)_2
P → 2P → 3P → 6P → 7P → 14P
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
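Exercise 3
Given Elliptic Curve $E(\mathbb{F}_5) = \{\infty\} \cup \{(x, y) \in \mathbb{F}_5 \times \mathbb{F}_5 \mid y^2 = x^3 + x + 1\}$
Prove that
1. $3(0,1) = (2,1)$
2. $E(\mathbb{F}_5) = \{k(0,1) \mid 1 \le k \le 9\}$
(Hint: If $kP = \infty$, $k \mid \|E(\mathbb{F}_5)\|$)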
Private Key Cryptography
Key Agreement Protocol: both sides obtain the same key k
M → Encryption Algorithm → $E_k(M)$
$E_k(M)$ → Decryption Algorithm → $D_k(E_k(M)) = M$
Data Encryption Scheme (DES) (Developed by IBM in 1970’s)
Advanced Encryption Scheme (AES) (Daemen, Rijmen 2002)
Diffie-Hellman Key Exchange (Diffie, Hellman 1976)
One-Time Pad
k = 01101 on both sides, M = 10100
Encryption Algorithm: $E_k(M) = M \oplus k = 10100 \oplus 01101 = 11001$
Decryption Algorithm: $D_k(E_k(M)) = E_k(M) \oplus k = 11001 \oplus 01101 = 10100 = M$
Diffie-Hellman Key Exchange
ALICE
1. Generate $P \in E(\mathbb{F})$
2. Generate positive integer a
3. Receive Q = bP
4. Compute aQ = abP
BOB
1. Receive P
2. Receive S = aP
3. Generate positive integer b
4. Compute bS = abP
Messages: Alice sends P and aP, Bob sends bP. Key: abP
Eve knows P, aP, bP, but not abP
Diffie-Hellman Problem: Given P, aP, and bP, compute abP.
Discrete Logarithm Problem: Given P, aP, compute a.
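Baby Step, Giant Step [Shanks 1971]
Discrete Logarithm Problem: Given P, Q = aP, compute a.
[Figure: the integers 0, 1, 2, …, N − 1 arranged in a grid with rows starting at $0, \sqrt{N}, 2\sqrt{N}, \ldots, (\sqrt{N} - 1)\sqrt{N}$]
Baby Step, Giant Step
1. Baby Step (Pre-Computation): Compute $iP$ for all $0 \le i < \sqrt{N}$. Store all points in a hash table.
2. Giant Step: Compute $Q - j\sqrt{N}P$ for $0 \le j < \sqrt{N}$ until the point matches some $iP$ in the hash table.
3. $a = i + j\sqrt{N}$
N is the order of the elliptic curve
Time: $O(\sqrt{N})$
Memory: $O(\sqrt{N})$
Example
$E(\mathbb{F}_{41}) = \{(x, y) \mid y^2 = x^3 + 2x + 1\}$, $N \le 54$
$P = (0, 1)$, $Q = (30, 40)$. Find $a$ such that $Q = aP$.
$\lceil \sqrt{N} \rceil = 8$
$0P = \infty$, $1P = (0,1)$, $2P = (1,39)$, $3P = (8,23)$
$4P = (38,38)$, $5P = (23,23)$, $6P = (20,28)$, $7P = (26,9)$
$Q - 0 \cdot 8P = (30,40)$, $Q - 1 \cdot 8P = (9,25)$, $Q - 2 \cdot 8P = (26,9)$
$Q - 2 \cdot 8P = 7P$
$Q = 23P$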
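Pollard’s Method [Pollard 1978]
Random Function $f: E(\mathbb{F}_p) \to E(\mathbb{F}_p)$
$P_1 = f(P_0),\ P_2 = f(P_1),\ \ldots,\ P_k = f(P_{k-1})$
[Figure: the sequence $P_0, P_1, P_2, P_3, P_4, \ldots$ running into a cycle through $P_{56}, P_{57}, P_{58}$]
(Semi-)Objective
Find $k \ne l$ such that $P_k = P_l$. $O(\sqrt{N})$ [Teske, 1998]
(Semi-)Algorithm
1. $S \leftarrow R \leftarrow P_0$ for random $P_0 \in E(\mathbb{F}_p)$
2. Do
   $S \leftarrow f(S)$ [$S = P_k$ becomes $f(P_k) = P_{k+1}$]
   $R \leftarrow f(f(R))$ [$R = P_{2k}$ becomes $f(f(P_{2k})) = P_{2(k+1)}$]
   for m times or until $S = R$ ($m \ge 1$, $P_m = P_{2m}$)
$m = O(\sqrt{N})$
(Real-)Objective
Given $P$, $Q = aP$, find $a$.
Function f for Discrete Log
Let $E(\mathbb{F}_p) = S_1 \cup S_2 \cup \ldots \cup S_n$, $n \approx 20$, $S_i \cap S_j = \emptyset$.
Let $a_i, b_i$ be random positive integers for $1 \le i \le n$.
Define $M_i = a_i P + b_i Q$ and $f(R) = R + M_i$ if $R \in S_i$.
(Real-)Algorithm
1. $S \leftarrow R \leftarrow P_0 = a_0 P + b_0 Q$ for random $a_0, b_0$
   $c_S \leftarrow c_R \leftarrow a_0$, $d_S \leftarrow d_R \leftarrow b_0$
   [$S = c_S P + d_S Q$, $R = c_R P + d_R Q$]
2. Do
   If $S \in S_i$: $c_S \leftarrow c_S + a_i$, $d_S \leftarrow d_S + b_i$
   $S \leftarrow f(S)$
   If $R \in S_i$, $f(R) \in S_j$: $c_R \leftarrow c_R + a_i + a_j$, $d_R \leftarrow d_R + b_i + b_j$
   $R \leftarrow f(f(R))$
   until $S = R$
3. $S = R$
   $c_S P + d_S Q = c_R P + d_R Q$
   $(d_S - d_R) Q = (c_R - c_S) P$
   $Q = \frac{c_R - c_S}{d_S - d_R} P$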
Example
$E(\mathbb{F}_{1093}) = \{(x, y) \mid y^2 = x^3 + x + 1\}$, $N = 1067$
$P = (0, 1)$, $Q = (413, 959)$. Find $a$ such that $Q = aP$.
Algorithm
$(x, y) \in S_i$ if $x \bmod 3 = i$; $f(R) = R + M_i$ if $R \in S_i$
$M_0 = 4P + 3Q$, $M_1 = 9P + 17Q$, $M_2 = 19P + 6Q$
$P_0 = 3P + 5Q = (326, 69)$
Since $326 \bmod 3 = 2$, $P_0 \in S_2$.
$P_1 = f(P_0) = P_0 + M_2 = (3P + 5Q) + (19P + 6Q) = 22P + 11Q = (727, 589)$
$P_0 = (326, 69)$, $P_1 = (727, 589)$, $P_2 = (560, 365)$, $P_3 = (1070, 260)$,
$P_4 = (473, 903)$, $P_5 = (1006, 951)$, $P_6 = (523, 938)$, …,
$P_{57} = (895, 337)$, $P_{58} = (1006, 951)$, $P_{59} = (523, 938)$, …
$P_5 = 88P + 46Q$, $P_{58} = 685P + 620Q$
$574Q = -597P$
$Q = -\frac{597}{574} P = 499P$
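Three-Pass Protocol [Shamir 1980]
Private Key Cryptography: a Key Agreement Protocol gives both sides the same key k; M → Encryption Algorithm → $E_k(M)$ → Decryption Algorithm → $D_k(E_k(M)) = M$
Three-pass Protocol: Alice holds $k_1$, Bob holds $k_2$
1. Alice, Encryption Algorithm: M → $E_{k_1}(M)$, sent to Bob
2. Bob, Super-Encryption Algorithm: $E_{k_1}(M)$ → $E_{k_2}(E_{k_1}(M))$, sent to Alice
3. Alice, Decryption Algorithm: $D_{k_1}(E_{k_2}(E_{k_1}(M))) = E_{k_2}(M)$, sent to Bob
4. Bob, Super-Decryption Algorithm: $E_{k_2}(M)$ → M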
Massey-Omura Protocol [Massey, Omura 1986]
The Three-pass Protocol with $M \in E(\mathbb{F}_p)$, $k_1 \in \mathbb{Z}$ (Alice), $k_2 \in \mathbb{Z}$ (Bob)
1. Encryption Algorithm: $k_1 M$
2. Super-Encryption Algorithm: $k_2(k_1 M) = k_1 k_2 M$
3. Decryption Algorithm: $k_1^{-1}(k_1 k_2 M) = k_2 M = E_{k_2}(M)$
4. Super-Decryption Algorithm: M
Massey-Omura Protocol [cont.]
Massey-Omura Problem: Given $k_1 P$, $k_2 P$, $k_1 k_2 P$, compute P.
Discrete Log Problem: Given P, aP, compute a.
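Integer → Point on Elliptic Curve
Let m be a positive integer we want to encode.
Find $(x, y) \in E(\mathbb{F}_p)$ such that $100m \le x \le 100m + 99$
Find x such that $s = x^3 + Ax + B$ satisfies $y^2 = s$ for some $y \in \mathbb{F}_p$, which holds if $s^{(p-1)/2} = 1$
If $p \equiv 3 \bmod 4$, $y = s^{(p+1)/4}$.
Point on Elliptic Curve → Integer
$(x, y) \in E(\mathbb{F}_p)$ is decoded to $m = \lfloor x / 100 \rfloor$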
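One way to implement the integer-to-point encoding described above, as an added Python example that is not part of the original lecture. The curve y^2 = x^3 + 2x + 1 over F_10007 (10007 is prime and 10007 mod 4 = 3) and the function names are assumptions chosen for illustration.

```python
# Added example (not from the lecture): integer <-> point encoding for p = 3 mod 4.
# Constructed sample curve: y^2 = x^3 + 2x + 1 over F_10007.
P_MOD, A, B = 10007, 2, 1

def encode(m, A=A, B=B, p=P_MOD, width=100):
    """Return (x, y) on the curve with width*m <= x <= width*m + width - 1."""
    if p % 4 != 3:
        raise ValueError("y = s^((p+1)/4) is only a square root when p = 3 mod 4")
    if m < 0 or width * m + width - 1 >= p:
        raise ValueError("m does not fit: need width*m + width - 1 < p")
    for x in range(width * m, width * m + width):
        s = (x * x * x + A * x + B) % p
        if s == 0:
            return x, 0                       # y = 0 is the only root
        if pow(s, (p - 1) // 2, p) == 1:      # Euler's criterion: s is a square
            return x, pow(s, (p + 1) // 4, p)
    return None   # no square in the window (each x succeeds with probability ~1/2)

def decode(point, width=100):
    """(x, y) is decoded to m = floor(x / width)."""
    return point[0] // width

def on_curve(point, A=A, B=B, p=P_MOD):
    """Check y^2 = x^3 + A*x + B over F_p."""
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % p == 0
```

The encoding is reversible by anyone; confidentiality comes only from the Massey-Omura or ElGamal step applied to the resulting point.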
Exercise 4
Let p be a prime number, $p \equiv 3 \bmod 4$. Suppose …
Parts (a) to (g) each ask to show a relation in $\mathbb{F}_p$ involving exponents of the form $(p \pm 1)/2$ and $(p \pm 1)/4$; the individual formulas are not recoverable from this transcript.
Exercise 5
(a) Show that … (formula not recoverable from this transcript)
Public Key Cryptography
Private Key Cryptography: a Key Agreement Protocol gives both sides the same key k; M → Encryption Algorithm → $E_k(M)$ → Decryption Algorithm → $D_k(E_k(M)) = M$
Public Key Cryptography: one side holds $k_{pub}, k_{pri}$; the Certificate Authority (CA) distributes $k_{pub}$
M → Encryption Algorithm → $E_{k_{pub}}(M)$
$E_{k_{pub}}(M)$ → Decryption Algorithm → $D_{k_{pri}}(E_{k_{pub}}(M)) = M$
ElGamal Public Key Encryption [ElGamal 1985]
ElGamal PKE
$P \in E(\mathbb{F}_p)$, $s \in \mathbb{Z}$
$k_{pub} = (P, B = sP)$, $k_{pri} = s$
Certificate Authority (CA): $k_{pub} = (P, B = sP)$
Sender: $M \in E(\mathbb{F}_p)$, $k \in \mathbb{Z}$
Encryption Algorithm: $E_{k_{pub}}(M) = (M_1, M_2)$, $M_1 = kP$, $M_2 = M + kB$
Decryption Algorithm: $D_{k_{pri}}(E_{k_{pub}}(M)) = M_2 - sM_1 = M$
$M_2 - sM_1 = (M + kB) - s(kP) = M + k(sP) - skP = M$
ElGamal Public Key Encryption (cont.)
ElGamal Problem Ver. I: Given P, sP (public key), kP, M + skP, find M.
Discrete Log.: Given P, sP, find s.
Digital Signature [Diffie, Hellman 1976]
Objective
Alice is sending a message M to Bob
1. Bob can be sure that the sender is really Alice.
2. Alice cannot deny that she sent the message.
3. No one else can send a message claiming that they are Alice.
Digital Signature
The signer holds $k_{pri}, k_{pub}$; the Certificate Authority (CA) distributes $k_{pub}$
M → Signing Algorithm → $M, S_{k_{pri}}(M)$
$M, S_{k_{pri}}(M)$ → Verification Algorithm → $V_{k_{pub}}(S_{k_{pri}}(M)) = M$ ?
Public Key Cryptography (for comparison)
M → Encryption Algorithm → $E_{k_{pub}}(M)$ → Decryption Algorithm → $D_{k_{pri}}(E_{k_{pub}}(M)) = M$
ElGamal Digital Signatures [ElGamal 1985]
Digital Signature: M → Signing Algorithm → $M, S_{k_{pri}}(M)$ → Verification Algorithm: is $S_{k_{pri}}(M)$ signed by Alice???
ElGamal’s Protocol
$A \in E(\mathbb{F}_p)$, $a \in \mathbb{Z}$
$k_{pri} = a$, $k_{pub} = (A, B = aA)$
Certificate Authority (CA): $k_{pub} = (A, B)$
Message $m \in \mathbb{Z}$, Random Integer k
Signing Algorithm:
$R = kA = (x_R, y_R)$
$s = \frac{m - a x_R}{k}$
$M, S_{k_{pri}}(M) = (R, s)$
Verification Algorithm: $x_R B + sR = mA$ ???
$x_R B + sR = x_R aA + skA = x_R aA + (m - a x_R)A = mA$
ElGamal Digital Signatures (cont.)
ElGamal Problem Ver. II: Given A, B = aA (public key), m (message), find R, s such that $x_R B + sR = mA$
Discrete Log.: Given P, sP, find s.
Digital Signature Algorithm [Vanstone 1992]
ElGamal’s Protocol and DSA’s Protocol share the same setup:
$A \in E(\mathbb{F}_p)$, $a \in \mathbb{Z}$, $k_{pri} = a$, $k_{pub} = (A, B = aA)$
Certificate Authority (CA): $k_{pub} = (A, B)$
Message $m \in \mathbb{Z}$, Random Integer k
ElGamal’s Protocol
Signing Algorithm: $R = kA = (x_R, y_R)$, $s = \frac{m - a x_R}{k}$, $M, S_{k_{pri}}(M) = (R, s)$
Verification Algorithm: $x_R B + sR = mA$ ???
3 Scalar Multiplications
DSA’s Protocol
Signing Algorithm: $R = kA = (x_R, y_R)$, $s = \frac{m + a x_R}{k}$, $M, S_{k_{pri}}(M) = (R, s)$
Verification Algorithm: $\frac{x_R}{s} B + \frac{m}{s} A = R$ ???
2 Scalar Multiplications
Thank you for your attention
Please feel free to ask questions or comment.