Vorapong Suppakitpaisarn mr_t_dtone

Discrete Methods in Mathematical InformaticsLecture 2: Elliptic Curve Cryptography

16th October 2012

Vorapong Suppakitpaisarnhttp://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/

[email protected], Eng. 6 Room 363

Download: Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptxLecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptx

Course Information (Many Changes from Last Week)

10/9 – Elliptic Curve I (2 Exercises)

(What is Elliptic Curve?)

10/16 – Elliptic Curve II (2 Exercises)

(Elliptic Curve Cryptography)

10/23 – Elliptic Curve III (2 Exercises)

(Primality Testing and Factoring)

10/30 – Cancelled

11/7 – Online Algorithm I (Prof. Han)

11/14 – Online Algorithm II (Prof. Han)

11/21 – Elliptic Curve IV (2 Exercises)

(ECC Implementation I)

11/28 – Elliptic Curve V (2 Exercises)

(ECC Implementation II)

12/4 – Cancelled

From 12/11 – To be Announced

Schedule

For my part, you need to submit 2 Reports.

- Report 1: Select 3 from 6 exercises in Elliptic Curve I –

III

Submission Deadline: 14 November

- Report 2: Select 2 from 4 exercises in Elliptic Curve IV –

V

Submission Deadline: TBD

- Submit your report at Department of Mathematical

Informatics’ office

[1st

floor of this building]

Grading

From Last Lecture…

Point Addition Point Double

Weierstrass Equation:

A = -4, B = 4 A = -4, B = 4

-

BAxxy 32

1133

212

3

12

12

33

2211

)(

),(

),(),,(

yxxmy

xxmx

xx

yym

yxQP

yxQyxP

where

1133

12

3

21

33

11

)(

2

2

3

),(2

),(

yxxmy

xmx

y

Axm

yxPPP

yxP

where

Cryptography• Methods or Algorithms for Secure Communication

Alice BobM

E(M)

Encryption

Algorithm

E(M)

E(M)Decryption

Algorithm

M

Slow

Memory

Usage

RSA

(the most

popular

algorithm)

Elliptic

Curve

Crypto-

graphy

Optimize

and Analyze

FastFaster Algorithms Using Less

Memory

(assuming the same key size)

Some Progress on Elliptic Curve Cryptography

1976 Introduction of Elliptic Curve Cryptography (ECC)

2000’s Researchers Began to Interest in ECC Because of Its Memory Consumption is better than RSA

2002 Implementation of ECC in OpenSSL

2008 Publication of Standard Defining the Use of ECC

http://tools.ietf.org/html/rfc5246#ref-ECDSA

2011 Google Introduce ECC to be the default algorithm for its

https web page

2012 Joux and Vitse successfully break 151 bits

of ECC

[Joux, Vitsa, EUROCRYPT2012, June 2012]

(While 768 bits of RSA is broken by Kleinjung et al. in 2010)

[Kleinjung et al., CRYPTO2010, 2010]

Overview

Basics

Prime Field & Elliptic CurveDiffie-Hellman Key Exchange

Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

Digital Signature Algorithm

(DSA)

Overview

Basics


Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

ElGamal Digital

Signatures

Prime Field Fp• p is prime number. [Let p = 7 in this slide]• Consider a set {0, 1, …, p – 1}

Addition

37mod1055

321

)(

f

f

f pbaba

:Example

mod

Subtraction

67mod121

055

)(

f

f

f pbaba

:Example

mod

Multiplication

47mod2555

221

)(

f

f

f pabba

:Example

mod

Exponentiation

27mod625)4,5(exp

17mod2)3,2(exp

)(),(exp

3

f

f

kf paka

k

:Example

mod

number natural a be Let

Theorem] Little sFermat'

exp

any For:Note

f

[

1)1,(

110

pa

},...,p-,{a

Prime Field Fp(cont.)

Multiplicative

Inverse

1

)(

ba

bainv

f

f

if

• p is prime number. [Let p = 7 in this slide]• Consider a set {0, 1, …, p – 1}

Real Number?

5 of

inverse tivemultiplica the

is 5

1 Then, 2.0

15

15

Prime Field F7

17mod3666

17mod1535

17mod824

17mod1553

17mod842

17mod111

f

f

f

f

f

f

6)6(,3)5(

2)4(,5)3(

4)2(,1)1(

ff

ff

ff

InvInv

InvInv

InvInvTheorem

1121

121

ba} ,...,n-,{b

},...,n-,{a

f that such

oneexactly exists there , all For

Proof

equation. the satisfying integers

exists there then ,

:Existence

b,k

(a,p)

ab - pk

pk ab

pab

1gcd

1

1

mod1

pa(b-c)

ppcbpa

pcbaacab

pab,ac

cb

by divided not is

and Since

and Let :Uniqueness

},0{]1,1[]1,1[

mod0)(

mod1

Prime Field Fp(cont.)

Multiplicative

Inverse

1

)(

ba

bainv

f

f

if

Real Number?

5 of

inverse tivemultiplica the

is 5

1 Then, 2.0

15

15

Prime Field F7

17mod3666

17mod1535

17mod824

17mod1553

17mod842

17mod111

f

f

f

f

f

f

6)6(,3)5(

2)4(,5)3(

4)2(,1)1(

ff

ff

ff

InvInv

InvInv

InvInv

Division

)(binvaba ff

Real Number?

2.15

16)5(656 inv

Prime Field F7

47mod18

36)5(656

ffff inv

Elliptic Curve with Prime Field

B}Axx|y{(x,y)}{)E( ppp 32FFF

Elliptic Curve

Example, p = 5, A = 1, B = 1

13 xxx

35mod31 15mod112 15mod313 45mod694

2yy

15mod11 45mod42 45mod93 15mod164

(0,1),(0,4)

15mod10 05mod00

(2,1),(2,4) (3,1),(3,4) (4,2),(4,3)

||E(Fp)||=9

Hasse’s Theorem (Hasse 1936)

ppFEpp p 2)1(||)(||2)1(

Elliptic Curve with Prime Field (cont.)

1133

12

3

21

33

11

)(

2

2

3

),(2

),(

yxxmy

xmx

y

Axm

yxPPP

yxP

where

B}Axx|y{(x,y)}{)E( ppp 32FFF

Elliptic Curve

Example, p = 5, A = 1, B = 1

25mod13

5mod)1)04(3(

45mod9

5mod)023(

3)2(112

103

)1,0(

3

23

2

y

x

Invm

P

)2,4()1,0(2)1,0()1,0(

Point Double

Scalar Multiplication• Scalar Multiplication on Elliptic Curve

S = P + P + … + P = rP

when r1 is positive integer, S,P is a member of the curve• Double-and-add method• Let r = 14 = (01110)2

Compute rP = 14P r = 14 = (0 1 1 1 0)2

P 3P 7P 14P

6P2P 14P

3 – 1 = 2 Point Additions

4 – 1 = 3 Point Doubles

r times

O

) If :(Hint

)E( 2.

(2,1)3(0,1) 1.

that Prove

CurveElliptic Given

5

L)||, k | ||E(kP

kk

}xx|y{(x,y)}{)E(

}91|)1,0({

132555

F

FFFExercise 3

Overview

Basics


Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

ElGamal Digital

Signatures

Private Key Cryptography


Key Agreement

Protocol

k k

M

Encryption

Algorithm

Ek(M) Ek(M)

Decryption

Algorithm

Dk(Ek(M)) = M

Data Encryption Scheme (DES) (Developed by IBM in 1970’s)

Advanced Encryption Scheme (AES)

(Daemen, Rijmen 2002)

Diffie-Hellman

Key Exchange (Diffie, Hellman

1976)

One-Time Pad

k = 01101 k = 01101

M = 10100

Encryption

Algorithm

11001

1010001101

M k (M) Ek 11001 (M)Ek

Decryption

Algorithm

M

k(M) E(M)) (ED kkk

10100

1100101101

Diffie-Hellman Key Exchange

1. Generate P 2 E(F)

2. Generate positive integers a

3. Receive Q = bP

4. Compute aQ = abP

1. Receive P

2. Receive S = aP

3. Generate positive integer b

4. Compute bS = abP

P

aP

bP

Key

A

L

I

C

E

B

O

B

Eve knows P, aP, bP,

but not abP

Given P, aP, and bP,

Compute abP.

Diffie-Hellman Problem

Given P, aP

Compute a.

Discrete Logarithm Problem

Overview

Basics


Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

ElGamal Digital

Signatures

Baby Step, Giant Step[Shanks 1971]

Given P, Q = aP compute a.

Discrete Logarithm Problem

0 1 2 …

…

………

………

………

………

………

… … N-1

1-N

N 1N 2N 1-N2

NN )1( 1 )1(NN

Baby Step, Giant Step

table. hash in points all Store

all for all Compute

N

NiiP 0.1

table. hash the in

some match point the until

for Compute

iP

PNQ-j

NjPNQ-j 0.2

Pre-Computation

Q

iNja .3

curveelliptic of order the is N

)(

)(

NO

NO

:Memory

:Time

Baby Step

Giant Step

Example

54}12|),{()( 324141 NxxyyxE ,FF

a

aPQP

Find

)40,30(),1,0(

)9,26(7),28,20(6),23,23(5),38,38(4

)23,8(3),39,1(2),1,0(1,0

8

PPPP

PPPP

N

)9,26(82),25,9(81),40,30(80 PQPQPQ

PQ

PPQ

23

782

Pollard’s Method [Pollard 1978]

12110 )(,...,)(,)(

kk

pp

PPfPPfPPf

)E():E(f FF Function Random

0P1P2P3P4P

56P

57P

58P

)( NO[Teske, 1998]

(Semi-)Objective

lk PPlk that such Find

)E(PPRS pF 00.1 random for

(Semi-) Algorithm

1) or until times for

Do

mm

kk

kk

PPRSm

RffPffPR

SfPfPS

(21

)1(22

1

))(())((

)()(.2

)( NOm(Real-)Objective

aaPP,Q Find , Given

Function f for Discrete Log

jinp SSnSSSFE ,20,...)( 21

ii

iii

ii

SRMRRf

QbPaM

,bn, ai

if

Define

integer, positive random a be 1 Let

)(

00000.1 ,baQbPaPRS random for (Real-)Algorithm

00 , bddacc RSRS

bbd,daacc

,S,f(R)SR

bddaccSS

f(f(R))RSfS

jiRRjiRR

ji

iSSiSSi

If

If

, Do

,,

)(.2

]QdPcRQdPcS RRSS ,[

RS until

Pdd

ccQ

PccQdd

QdPcQdPc

RS

SR

SRRS

RRSS

)()(

.3

Examples

QbPaPRS 000.1 00 , bddacc RSRS

bbd,daacc

,S,f(R)SR

bddaccSS

f(f(R))RSfS

jiRRjiRR

ji

iSSiSSi

If

If

, Do

,,

)(.2

]QdPcRQdPcS RRSS ,[

RS until

Pdd

ccQ

PccQdd

QdPcQdPc

RS

SR

SRRS

RRSS

)()(

.3

Example

aaPQP

NxxyyxE

Find

,

),959,413(),1,0(

1067}1|),{()( 3210931093

FF

Algorithm

jinp SSnSSSFE ,20,...)( 21

ii

iii

ii

SRMRRf

QbPaM

,bn, ai

if

Define

integer, positive random a be 1 Let

)(

3mod),( ixSyx i if

QPM

QPMQPM

619

,179,34

2

10

.,3mod2326

)69,326(53

20

0

SP

QPP

Since

)589,727()2122(

)619()53()( 2001

QP

QPQPMPPfP

),...,938,523(),951,1006(),337,895(

),...,938,523(),951,1006(),903,473(

),260,1070(),365,560(),589,727(),69,326(

595857

654

3210

PPP

PPP

PPPP

QPPQPP 620685,4688 585

PQ 597574

PP-

Q 499574

597

Overview

Basics


Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

ElGamal Digital

Signatures

Three-Pass Protocol [Shamir 1980]


Key Agreement

Protocol

k k

M

Encryption

Algorithm

Ek(M) Ek(M)

Decryption

Algorithm

Dk(Ek(M)) = M

Three-pass Protocol

k1 k2

M

Ek1(M)

Encryption

Algorithm

Ek1 (M)

Super-Encryption

Algorithm

Ek2 ( Ek1 (M))Ek2 ( Ek1 (M))

Decryption

Algorithm

Ek2 (M)=Dk1 ( Ek2 ( Ek1 (M))) Ek2(M)

Super-Decryption

Algorithm

M

Massey-Omura Protocol [Massey, Omura 1986]

Three-pass Protocol

k1 k2

M

Ek1(M)

Encryption

Algorithm

Ek1 (M)

Super-Encryption

Algorithm

Ek2 ( Ek1 (M))Ek2 ( Ek1 (M))

Decryption

Algorithm

Ek2(M)

Super-Decryption

Algorithm

M

Massey-Omura Protocol

Encryption

Algorithm

Super-Encryption

Algorithm

Decryption

Algorithm

Ek2(M)

Super-Decryption

Algorithm

M

Z1k Z2k)( pEM F

Mk1 Mk1

)( 12 MkkMkk 21

)MkkkMk 211

12 ()(

Massey-Omura Protocol [cont.]

Given k1P, k2P, k1k2P,Compute P.

Massey-Omura ProblemMassey-Omura Protocol

Encryption

Algorithm

Super-Encryption

Algorithm

Decryption

Algorithm

Ek2(M)

Super-Decryption

Algorithm

M

Z1k Z2k)( pEM F

Mk1 Mk1

)( 12 MkkMkk 21

)MkkkMk 211

12 ()(

Given P, aP Compute a.

Discrete Log Problem

Integer Point on Elliptic Curve

encode to wantwe

integer positive a be Let m

99100100 m x m )E(F(x,y) p that such Find

BAxxsyx 32 that such Find

Point on Elliptic Curve Integer

100

)(),(x

mEyx p to decoded is F

1212 )/(p-p syys if some for F

.4mod3 41)/(psyp , If

ExerciseInteger Point on Elliptic Curve

encode to wantwe

integer positive a be Let m

99100100 m x m )E(F(x,y) p that such Find

BAxxsyx 32 that such Find1212 )/(p-

p syys if some for F

.4mod3 41)/(psyp , If

zzvvz

vv-zvvz

vv-

xx

yy

yy

x

yxx,y p

pp

pp

p

p

p

p

)/(p

p

24/)1(2

22

2

24/)1(

2/)1(

222/)1(

21

2

,

1

1

4mod3

thatShow , all for Suppose (g)

some for thatshow all for Suppose (f)

all for thatShow (e)

thatShow (d)

thatShow (c)

thatShow (b)

thatShow (a)

Suppose . number, prime a be Let

Z

ZZ

Z

FExercise 4 Exercise 5

xx )/(p 21 thatShow (a)

pF

pF

pF

Overview

Basics


Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

ElGamal Digital

Signatures

Public Key Cryptography


Key Agreement

Protocol

k k

M

Encryption

Algorithm

Ek(M) Ek(M)

Decryption

Algorithm

Dk(Ek(M)) = M


kpub,kpri

Certificate Authority

(CA)

kpub

M

Encryption

Algorithm

Ekpub(M) Ekpub (M)

Decryption

Algorithm

Dkpri (Ekpub (M)) = M

ElGamal Public Key Encryption [ElGamal 1985]


kpub,kpri


(CA)

kpub

M

Encryption

Algorithm

Ekpub(M) Ekpub (M)

Decryption

Algorithm


sksPBPk

sEP

pripub

p

,,

),( ZF


(CA)

sPBPkpub ,

)( pEM FZk

Encryption

Algorithm

Ekpub(M) = M1,M2

M1 = kP, M2 = M + kB

Ekpub(M) = M1,M2

Decryption

Algorithm

Dkpri (Ekpub (M)) = M2-sM1 = M

ElGamal PKE

MskPSPkMkPskBMsMM )()()(12

ElGamal Public Key Encryption (cont.)

sksPBPk

sEP

pripub

p

,,

),( ZF


(CA)

sPBPkpub ,

)( pEM FZk

Encryption

Algorithm

Ekpub(M) = M1,M2

M1 = kP, M2 = M + kB

Ekpub(M) = M1,M2

Decryption

Algorithm

Dkpri (Ekpub (M)) = M2-sM1 = M

ElGamal PKE

Given P, sP (public key), kP, M + skP,

Find M.

ElGamal Problem Ver. I

Given P, sP

Find s.

Discrete Log.

Overview

Basics


Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

ElGamal Digital

Signatures

Digital Signature [Diffie, Hellman 1976]

Alice is sending a message M to Bob

1. Bob can be sure that the sender is really Alice.

2. Alice cannot refuse that she did send the message

3. No one can send a message claiming that they are Alice.

Objective

Digital Signature

kpri,kpub


(CA)

kpub

M

Signing

Algorithm

M,Skpri(M) M, Skpri(M)

Verification

Algorithm

Vkpub (Skpri(M)) = M ?


kpub,kpri


(CA)

kpub

M

Encryption

Algorithm

Ekpub(M) Ekpub (M)

Decryption

Algorithm


ElGamal Digital Signatures [ElGamal 1985]

Digital Signature

kpri,kpub


(CA)

kpub

M

Signing

Algorithm

M,Skpri(M) M, Skpri(M)

Verification

Algorithm

Skpri(M)) is

signed by Alice???

ElGamal’s Protocol

),(,

)(,

aABAkak

EAa

pubpri

p

FZ


(CA)

kpub=(A,B)

k

M

Integer Random

Message Z

Signing

Algorithm

k

axms

yxkPR

R

RR

),(

),()(, sRMSMprik ),()(, sRMSM

prik

Verification

Algorithm

???mAsRBxR

mAAaxmaAxkAsaAxsRBx RRRR )()(

ElGamal Digital Signatures (cont.)ElGamal’s Protocol

),(,

)(,

aABAkak

EAa

pubpri

p

FZ


(CA)

kpub=(A,B)

k

m

Integer Random

Message Z

Signing

Algorithm

k

axms

yxkPR

R

RR

),(


prik

Verification

Algorithm

???mAsRBxR

Given A, B=aA (public key), m (message),

Find R,s such that

ElGamal Problem Ver. II

Given P, sP

Find s.

Discrete Log.

mAsRBxR

Overview

Basics


Discrete Logarithm

Problem

Massey-Omura

Encryption

ElGamal Public Key

Encryption

ElGamal Digital

Signatures

Digital Signature Algorithm

(DSA)

Digital Signature Algorithm [Vanstone 1992]

ElGamal’s Protocol

),(,

)(,

aABAkak

EAa

pubpri

p

FZ


(CA)

kpub=(A,B)

k

m

Integer Random

Message Z

Signing

Algorithm

k

axms

yxkPR

R

RR

),(


prik

Verification

Algorithm

???mAsRBxR

DSA’s Protocol

),(,

)(,

aABAkak

EAa

pubpri

p

FZ


(CA)

kpub=(A,B)

k

m

Integer Random

Message Z

Signing

Algorithm

k

axms

yxkPR

R

RR

),(


prik

Verification

Algorithm

???

???

ARm

sB

m

x

mAsRBx

R

R

3 Scalar Multiplications

2 Scalar Multiplications

Today’s Exercises

) If :(Hint

)E( 2.

(2,1)3(0,1) 1.

that Prove

CurveElliptic Given

5

L)||, k | ||E(kP

kk

}xx|y{(x,y)}{)E(

}91|)1,0({

132555

F

FFFExercise 3

zz

vv-zvvz

vv-

xx

yy

yy

x

yxx,y p

p

pp

p

p

p

p

)/(p

p

24/)1(

22

2

24/)1(

2/)1(

222/)1(

21

2

,

1

1

4mod3

thatShow (g)

some for thatshow all for Suppose (f)

all for thatShow (e)

thatShow (d)

thatShow (c)

thatShow (b)

thatShow (a)

Suppose . number, prime a be Let

ZZ

Z

FExercise 4

Course Information (Many Changes from Last Week)

10/9 – Elliptic Curve I (2 Exercises)

(What is Elliptic Curve?)

10/16 – Elliptic Curve II (2 Exercises)

(Elliptic Curve Cryptography)

10/23 – Elliptic Curve III (2 Exercises)

(Primality Testing and Factoring)

10/30 – Cancelled

11/7 – Online Algorithm I (Prof. Han)

11/14 – Online Algorithm II (Prof. Han)

11/21 – Elliptic Curve IV (2 Exercises)

(ECC Implementation I)

11/28 – Elliptic Curve V (2 Exercises)

(ECC Implementation II)

12/4 – Cancelled

From 12/11 – To be Announced

Schedule

For my part, you need to submit 2 Reports.

- Report 1: Select 3 from 6 exercises in Elliptic Curve I –

III

Submission Deadline: 14 November

- Report 2: Select 2 from 4 exercises in Elliptic Curve IV –

V

Submission Deadline: TBD

- Submit your report at Department of Mathematical

Informatics’ office

[1st

floor of this building]

Grading

Thank you for your attention

Please feel free to ask questions or comment.

Vorapong Suppakitpaisarn mr_t_dtone

Documents

Transcript of Vorapong Suppakitpaisarn mr_t_dtone