Discrete Methods in Mathematical InformaticsLecture 3: Other Applications of Elliptic Curve

23h October 2012

Vorapong Suppakitpaisarnhttp://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/

vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363

Download: Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptxLecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptxLecture 3: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture3.pptx

Course Information (Many Changes from Last Week)

10/9 – Elliptic Curve I (2 Exercises)

(What is Elliptic Curve?)

10/16 – Elliptic Curve II (1 Exercises)

(Elliptic Curve Cryptography[1])

10/23 – Elliptic Curve III (3 Exercises)

(Elliptic Curve Cryptography[2])

10/30 – Cancelled

11/7 – Online Algorithm I (Prof. Han)

11/14 – Online Algorithm II (Prof. Han)

11/21 – Elliptic Curve IV (2 Exercises)

(ECC Implementation I)

11/28 – Elliptic Curve V (2 Exercises)

(ECC Implementation II)

12/4 – Cancelled

From 12/11 – To be Announced

Schedule

For my part, you need to submit 2 Reports.

- Report 1: Select 3 from 6 exercises in Elliptic Curve I –

III

Submission Deadline: 14 November

- Report 2: Select 2 from 4 exercises in Elliptic Curve IV –

V

Submission Deadline: TBD

- Submit your report at Department of Mathematical

Informatics’ office

[1st

floor of this building]

Grading

From Last Lecture…•

Scalar Multiplication on Elliptic Curve

S = P + P + … + P = rP

when r1 is positive integer, S,P is a member of the curve

•Double-and-add method

•Let r = 14 = (01110)2

Compute rP = 14P r = 14 = (0 1 1 1 0)2 P 3P 7P 14P

6P2P 14P

3 – 1 = 2 Point Additions

4 – 1 = 3 Point Doubles

r times

O

Given P, aP - Compute a.

Discrete Logarithm Problem

Overview

Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

Digital Signature Algorithm

(DSA)

Overview

Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

Digital Signature Algorithm

(DSA)

Pollard’s Method [Pollard 1978]

12110 )(,...,)(,)(

kk

pp

PPfPPfPPf)E():E(f FF Function Random

0P1P2P3P4P

56P57P58P

)( NO[Teske, 1998]

(Semi-)Objective

lk PPlk that such Find

)E(PPRS pF 00.1 random for (Semi-) Algorithm

1) or until times for

Do

mm

kk

kk

PPRSm

RffPffPRSfPfPS

(21

)1(22

1

))(())(()()(.2

)( NOm(Real-)Objective

aaPP,Q Find , Given

Function f for Discrete Log

jinp SSnSSSFE ,20,...)( 21

ii

iii

ii

SRMRRfQbPaM

,bn, ai

if Define

integer, positive random a be 1 Let

)(

00000.1 ,baQbPaPRS random for (Real-)Algorithm

00 , bddacc RSRS

bbd,daacc,S,f(R)SR

bddaccSSf(f(R))RSfS

jiRRjiRR

ji

iSSiSSi

If If

, Do,,

)(.2

]QdPcRQdPcS RRSS ,[RS until

PddccQ

PccQddQdPcQdPc

RS

SR

SRRS

RRSS

)()(.3

Examples

QbPaPRS 000.1 00 , bddacc RSRS

bbd,daacc,S,f(R)SR

bddaccSSf(f(R))RSfS

jiRRjiRR

ji

iSSiSSi

If If

, Do,,

)(.2

]QdPcRQdPcS RRSS ,[RS until

PddccQ

PccQddQdPcQdPc

RS

SR

SRRS

RRSS

)()(.3

Example

aaPQPNxxyyxE

Find ,

),959,413(),1,0(1067}1|),{()( 32

10931093

FF

Algorithm

jinp SSnSSSFE ,20,...)( 21

ii

iii

ii

SRMRRfQbPaM

,bn, ai

if Define

integer, positive random a be 1 Let

)(

3mod),( ixSyx i if

QPMQPMQPM

619,179,34

2

10

.,3mod2326)69,326(53

20

0

SPQPP

Since

)589,727()2122()619()53()( 2001

QPQPQPMPPfP

),...,938,523(),951,1006(),337,895(),...,938,523(),951,1006(),903,473(

),260,1070(),365,560(),589,727(),69,326(

595857

654

3210

PPPPPP

PPPP

QPPQPP 620685,4688 585

QP 574597

PPPaPQ499)4994271067(

764597597

QQbaQaP )11067(57459711067574 ba )411,764(),( ba

Exercise

. that Prove and

33, is order the whichin curveelliptic on point a be Let (a)

P}P,P,{Z}kP|kP{Q QP

P,Q

26154114,62

Exercise 4

1

11 mod1

,),gcd(,

abc}ZkP|kdN{cPQ

dNbbb

dNbbQaPNP,Q

where that Prove

that such integer an is

, is order the whichin curveelliptic on point a be Let (b)

The Pohlig-Hellman Method [Pohlig, Hellman 1978]

aaPQPNxyyxE

Find ,

),239,277(),19,60(600}1|),{()( 32

599599

FF

Q600

PPbPPbaPQa

200200600)13(200200200,3mod1

If

PPbPPbaPQa

400400600)23(200200200,3mod2

If

bPPbaPQa

600)3(200200200,3mod0 If

bPPbaPQa

600)5(120120120,5mod0 If

PPbPPbaPQa

120120600)15(120120120,5mod1

If

PQaPQaPQa

480120,5mod4360120,5mod3240120,5mod2

If If If

iPQQia 1,5mod Let5mod0,1 ccPQ where

,25mod0c.bPb)P(cPQ 60025242424 1

PPbPPbcPQ

c

120120600)525(242424

25mod5

1

,

PQc 240245mod10 12 ,

PQc 360245mod15 12 ,

PQc 480245mod20 12 ,

.25mod.25mod,5mod

jiajiac

ia

and

that Suppose

The Pohlig-Hellman Method [cont.]ne

nee

p pppNE ...||)(|| 2121F

Given P, Q = aP - Compute a.

(Real-)Problem

Given P, Q = aP - Compute a mod pkek

(Semi-)Problem

Properties

PpNiP

pNibNP

PibppNaP

pNQ

pN

pia

kk

kkkk

i

If

)(

,mod.1

Algorithm

PpNipi

kk

compute all For ,0.1

QpN

k

Compute .2

k

, that such Find

pia

PpNiQ

pNi

kk

mod

.3

PpNjP

pNjbNP

PjpbppNcP

pNQ

pN

cPiPaPiPQQpjpa-ice

kk

kkkkk

kkk

, If

)(

,mod1.2

22212

1

2

121

1.4

QpNQ-iPQ

e

k

k

compute , Let

Terminate. If

2

12

mod

.5

kk

kk

pijpa

PpNjQ

pNj

, that such Find

132

2.6

QpNP-iPjpQQ

e

kk

k

compute , Let

Terminate. If

32

13

mod

.7

kkk

kk

pijplpa

PpNlQ

pNl

, that such Find

...

The Pohlig-Hellman Method [cont.]

aaPQPNxyyxE

Find ,

),239,277(),19,60(600}1|),{()( 32

599599

FF

)420,84(480),465,491(360),134,491(240),179,84(120

PPPP

Algorithm

PpNipi

kk

compute all For ,0.1

QpN

k

Compute .2

k

, that such Find

pia

PpNiQ

pNi

kk

mod

.3

121

1.4

QpNQ-iPQ

e

k

k

compute , Let

Terminate. If

2

12

mod

.5

kk

kk

pijpa

PpNjQ

pNj

, that such Find

23 532600

Given P, Q = aP - Compute a mod pkek

)179,84(1205600

QQ

5mod1,1 ai

)465,491(245600

),129,130(1

112

1

QQ

PQQ

25mod165mod)153(,3 2

aaj

Chinese Remainder TheoremaaPQP

NxyyxE Find

,),239,277(),19,60(

600}1|),{()( 32599599

FF

23 532600

Given P, Q = aP - Compute a mod pkek

(Semi-)Problem

23 5mod16,3mod2,2mod2 aaa

Chinese Remainder

Theorem

jimmnimxa

ji

ii

all for that such for that Suppose

1),gcd(1mod

n

iimM

1

Let

Mxax mod that such Find

nnn m

MbamMba

mMbax ...

222

111

ii

i mmMb mod1

where

232

31 5,3,82 mmm

.2425600,200

3600,75

8600

221

mM

mM

mM

24,25mod157624242,3mod140020023,8mod1225753

3

2

1

bb

b 600mod26610466242416200227532

xx

)19,60(266266)239,277( PQ

16,2,2 321 aaa

Overview

Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

Digital Signature Algorithm

(DSA)

Three-Pass Protocol [Shamir 1980]

Private Key Cryptography

Key Agreement

Protocol

k k

M

Encryption

Algorithm

Ek(M) Ek(M)

Decryption

Algorithm

Dk(Ek(M)) = M

Three-pass Protocol

k1 k2

M

Ek1(M)

Encryption

Algorithm

Ek1 (M)

Super-Encryption

Algorithm

Ek2 ( Ek1 (M))Ek2 ( Ek1 (M))

Decryption

Algorithm

Ek2 (M)=Dk1 ( Ek2 ( Ek1 (M))) Ek2(M)

Super-Decryption

Algorithm

M

Massey-Omura Protocol [Massey, Omura 1986]

Three-pass Protocol

k1 k2

M

Ek1(M)

Encryption

Algorithm

Ek1 (M)

Super-Encryption

Algorithm

Ek2 ( Ek1 (M))Ek2 ( Ek1 (M))

Decryption

Algorithm

Ek2(M)

Super-Decryption

Algorithm

M

Massey-Omura Protocol

Encryption

Algorithm

Super-Encryption

Algorithm

Decryption

Algorithm

Ek2(M)

Super-Decryption

Algorithm

Nk of prime-co - 1Nk of prime-co 2NEM p order with)(F

Mk1 Mk1

)( 12 MkkMkk 21

)MkkkMk 211

12 ()(

Nkkk

mod1)(

)(

11

1

11

at such integer an is

)MkkM 21

2 ()(

Massey-Omura Protocol [cont.]Massey-Omura Protocol

Encryption

Algorithm

Super-Encryption

Algorithm

Decryption

Algorithm

Ek2(M)

Super-Decryption

Algorithm

Nk of prime-co - 1Nk of prime-co 2NEM p order with)(F

Mk1 Mk1

)( 12 MkkMkk 21

)MkkkMk 211

12 ()(

Nkkk

mod1)(

)(

11

1

11

that such integer an is

)MkkM 21

2 ()(

Example

9)()1,0( order withpEM F}xx{(x,y)|y}{)E( 132

5 F

2 1k 7 2kEncryption

Algorithm

(4,2)2(0,1) Mk1 (4,2)Super-Encryption

Algorithm

(3,1)7(4,2) )( 12 Mkk(3,1)Decryption

Algorithm

11

1 )()5(2

9mod11052

k

(4,3)5(3,1) )

MkkkMk 21

112 ()(

(4,3)Super-Decryption

Algorithm

(0,1)4(4,3) )

MkkM 2

12 ()(

Massey-Omura Protocol [cont.]Integer Point on Elliptic Curve

encode to want weinteger positive a be Let m99100100 m x m )E(F(x,y) p that such Find

BAxxsyx 32 that such Find1212 )/(p-

p syys if some for F.4mod3 41)/(psyp , If

Point on Elliptic Curve

Integer

100

)(),(

xm

Eyx p

to

decoded is F

zzvvz

vv-zvvz

vv-xx

yyyy

x

yxx,y p

pp

pp

p

p

p

p

)/(p

p

24/)1(2

22

2

24/)1(

2/)1(

222/)1(

21

2

,

1

1

4mod3

thatShow , all for Suppose (g)

some for thatshow all for Suppose (f)

all for thatShow (e)

thatShow (d)

thatShow (c)

thatShow (b)

thatShow (a)

Suppose . number, prime a be Let

Z

ZZZ

FExercise 4 Exercise 5

xx )/(p 21 thatShow (a)

pF

pF

pF

Overview

Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

Digital Signature Algorithm

(DSA)

Public Key Cryptography

Private Key Cryptography

Key Agreement

Protocol

k k

M

Encryption

Algorithm

Ek(M) Ek(M)

Decryption

Algorithm

Dk(Ek(M)) = M

Public Key Cryptography

kpub,kpri

Certificate Authority

(CA)

kpub

M

Encryption

Algorithm

Ekpub(M) Ekpub (M)

Decryption

Algorithm

Dkpri (Ekpub (M)) = M

ElGamal Public Key Encryption [ElGamal 1985]

Public Key Cryptography

kpub,kpri

Certificate Authority

(CA)

kpub

M

Encryption

Algorithm

Ekpub(M) Ekpub (M)

Decryption

Algorithm

Dkpri (Ekpub (M)) = M

sksPBPksEP

pripub

p

,,

),( ZF

Certificate Authority

(CA)

sPBPkpub ,

)( pEM FZk

Encryption

Algorithm

Ekpub(M) = M1,M2

M1 = kP, M2 = M + kB

Ekpub(M) = M1,M2

Decryption

Algorithm

Dkpri (Ekpub (M)) = M2-sM1 = M

ElGamal PKE

MskPSPkMkPskBMsMM )()()(12

ElGamal Public Key Encryption (cont.)

sksPBPksEP

pripub

p

,,

),( ZF

Certificate Authority

(CA)

sPBPkpub ,

)( pEM FZk

Encryption

Algorithm

Ekpub(M) = M1,M2

M1 = kP, M2 = M + kB

Ekpub(M) = M1,M2

Decryption

Algorithm

Dkpri (Ekpub (M)) = M2-sM1 =

M

ElGamal PKE

Example

9)()1,0( order withpEM F}xx{(x,y)|y}{)E( 132

5 F

)1,3()1,0(5)1,0(

),(

5,5

sPBP

BPksks

pub

pri))1,3(),1,0(( BPkpub

)()2,4( pEM F7k

Encryption

Algorithm

Ekpub(M) = M1,M2

M1 = kP = 7(0,1) = (4,3),

M2 = M + kB = (4,2)+7(3,1)

= (0,1)

Ekpub(M) = M1,M2

M1 = (4,3)

M2 = (0,1)

Decryption

Algorithm

Dkpri (Ekpub (M)) = M2-sM1 = (0,1)-

5(4,3)

= (4,2)

ElGamal Public Key Encryption (cont.)

sksPBPksEP

pripub

p

,,

),( ZF

Certificate Authority

(CA)

sPBPkpub ,

)( pEM FZk

Encryption

Algorithm

Ekpub(M) = M1,M2

M1 = kP, M2 = M + kB

Ekpub(M) = M1,M2

Decryption

Algorithm

Dkpri (Ekpub (M)) = M2-sM1 = M

ElGamal PKE

Given P, sP (public key), kP, M + skP,

Find M.

ElGamal Problem Ver. I

Given P, sP

Find s.

Discrete Log.

Overview

Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

Digital Signature Algorithm

(DSA)

Digital Signature [Diffie, Hellman 1976]

Alice is sending a message M to Bob

1. Bob can be sure that the sender is really Alice.

2. Alice cannot refuse that she did send the message

3. No one can send a message claiming that they are Alice.

Objective

Digital Signature

kpri,kpub

Certificate Authority

(CA)

kpub

M

Signing

Algorithm

M,Skpri(M) M, Skpri(M)

Verification

Algorithm

Vkpub (Skpri(M)) = M ?

Public Key Cryptography

kpub,kpri

Certificate Authority

(CA)

kpub

M

Encryption

Algorithm

Ekpub(M) Ekpub (M)

Decryption

Algorithm

Dkpri (Ekpub (M)) = M

ElGamal Digital Signatures [ElGamal 1985]

Digital Signature

kpri,kpub

Certificate Authority

(CA)

kpub

M

Signing

Algorithm

M,Skpri(M) M, Skpri(M)

Verification

Algorithm

Skpri(M)) is

signed by Alice???

ElGamal’s Protocol

),(,

)(,

aABAkakEAa

pubpri

p

FZ

Certificate Authority

(CA)

kpub=(A,B)

km

Integer Random Message Z

Signing

Algorithm

kaxms

yxkAR

R

RR

),(

),()(, sRMSMprik ),()(, sRMSM

prik

Verification

Algorithm

???mAsRBxR

mAAaxmaAxkAsaAxsRBx RRRR )()(

ElGamal Digital Signatures (cont.)ElGamal’s Protocol

),(,

)(,

aABAkakEAa

pubpri

p

FZ

Certificate Authority

(CA)

kpub=(A,B)

km

Integer Random Message Z

Signing

Algorithm

kaxms

yxkAR

R

RR

),(

),()(, sRMSmprik ),()(, sRMSm

prik

Verification

Algorithm

???mAsRBxR

Example

9)()1,0( order withpEM F}xx{(x,y)|y}{)E( 132

5 F

)2,4())1,0(2

),(

2

),()1,0(,2

aABBAk

akEAa

pub

pri

p

where

F

75

km

Integer Random Message

Signing

Algorithm

6(-3)(4)

7425

4)3,4(7

kaxms

xAkAR

R

R

)6),3,4((

),()(,5

sRMSm

prik

Verification

Algorithm

), ( ), () , (

sRBxR

134240)3,4(6)2,4(4

ElGamal Digital Signatures (cont.)ElGamal’s Protocol

),(,

)(,

aABAkakEAa

pubpri

p

FZ

Certificate Authority

(CA)

kpub=(A,B)

km

Integer Random Message Z

Signing

Algorithm

kaxms

yxkAR

R

RR

),(

),()(, sRMSmprik ),()(, sRMSm

prik

Verification

Algorithm

???mAsRBxR

Given A, B=aA (public key), m (message),

m‘ (forged message)

Find R,s such that

ElGamal Problem Ver. II

Given P, sP

Find s.

Discrete Log.

AmsRBxR '

ExerciseGiven A, B=aA (public key), m (message),

m‘ (forged message)

Find R,s such that

ElGamal Problem Ver. II

Given P, sP

Find s.

Discrete Log.

AmsRBxR '

message. signed valid a is thatShow

Let Assume withinteger an be Let . message signed valid the

produce to used is scheme signature ElGamal the that Suppose

(m',R',s')

NxmxmNhxsxshRyxR

NxNhh),s),y(x(m,R

RR

RRRR

R

RR

).(mod)('

),(mod)(',),('

.1),gcd(.1),gcd(

1'

11'''

Exercise 6

Overview

Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

Digital Signature Algorithm

(DSA)

Digital Signature Algorithm [Vanstone 1992]

ElGamal’s Protocol

),(,

)(,

aABAkakEAa

pubpri

p

FZ

Certificate Authority

(CA)

kpub=(A,B)

km

Integer Random Message Z

Signing

Algorithm

kaxms

yxkPR

R

RR

),(

),()(, sRMSMprik ),()(, sRMSM

prik

Verification

Algorithm

???mAsRBxR

DSA’s Protocol

),(,

)(,

aABAkakEAa

pubpri

p

FZ

Certificate Authority

(CA)

kpub=(A,B)

km

Integer Random Message Z

Signing

Algorithm

kaxms

yxkPR

R

RR

),(

),()(, sRMSMprik ),()(, sRMSM

prik

Verification

Algorithm

???

???

ARmsB

mx

mAsRBx

R

R

3 Scalar Multiplications

2 Scalar Multiplications

Exercise

. that Prove and 33, is order the whichin curveelliptic on point a be Let (a)

P}P,P,{Z}kP|kP{Q QPP,Q

26154114,62

Exercise 4

1

11 mod1

,),gcd(,

abc}ZkP|kdN{cPQ

dNbbb

dNbbQaPNP,Q

where that Prove

that such integer an is

, is order the whichin curveelliptic on point a be Let (b)

zzvvz

vv-zvvz

vv-xx

yyyy

x

yxx,y p

pp

pp

p

p

p

p

)/(p

p

24/)1(2

22

2

24/)1(

2/)1(

222/)1(

21

2

,

1

1

4mod3

thatShow , all for Suppose (g)

some for thatshow all for Suppose (f)

all for thatShow (e)

thatShow (d)

thatShow (c)

thatShow (b)

thatShow (a)

Suppose . number, prime a be Let

Z

ZZZ

FExercise 4 Exercise 5

xx )/(p 21 thatShow (a)

pF

pF

pF

Exercise

message. signed valid a is thatShow

Let Assume withinteger an be Let . message signed valid the

produce to used is scheme signature ElGamal the that Suppose

(m',R',s')

NxmxmNhxsxshRyxR

NxNhh),s),y(x(m,R

RR

RRRR

R

RR

).(mod)('

),(mod)(',),('

.1),gcd(.1),gcd(

1'

11'''

Exercise 6

Pairing-Based Cryptography

G)E()e:E( pp FF FunctionBilinear Function

abQPebQaPe ),(),( QP, If 1),( QPe

Diffie-Hellman Exchange Protocol

1. Generate P 2 E(F)

2. Generate positive

integers a

3. Receive Q = bP

4. Compute aQ = abP

1. Receive P

2. Receive S = aP

3. Generate positive

integer b

4. Compute bS = abP

P

aP

bP

A

L

I

C

E

B

O

B

Three-Parties DHE

ALICE

B

O

B

C

H

A

L

I

E

a, aP

b, bP c, cP

bPaP

cP

ALICE

B

O

B

C

H

A

L

I

E

a, aP, bP

b, bP

cP

c, cP

aP

bcPabP

acP

Three-Parties DHE with Pairing

ALICE

B

O

B

C

H

A

L

I

E

a, aP

b, bP c, cP

bPaP

cP

bP

cP

aP abcabc

bc

PPePPePPecPbPe

),()),((

),(),(

Thank you for your attentionPlease feel free to ask questions or comment.