Elliptic Curve Cryptography
Kelly Bresnahan
March 24, 2016
Recovering the Message
Bob receives the pair (U, v) where U is a point on E and v is a binary string of length n. Then he ...
Why does this work?
If encryption is performed correctly, U = rP0 and v = t = m ⊕ H2(g). Since DBob = sH1(bob@computer.co...
Any Questions?
  1. Elliptic Curve Cryptography
      Kelly Bresnahan
      March 24, 2016
  2. Table Of Contents
      1 Elliptic Curve Cryptography (ECC)
        Introduction
        Pros and Cons of Elliptic Curves
        Definition of an Elliptic Curve
        Operations on Elliptic Curves
        Hasse’s Bound
        Representing Plaintext
        Elliptic Curve Diffie-Hellman Key Exchange
        ElGamal Digital Signatures using Elliptic Curves
        Identity-Based Encryption Using ECC
  3. Introduction
      - Miller and Koblitz (independently) introduced elliptic curves into cryptography in the mid-1980s
      - Elliptic Curve Cryptography algorithms entered wide use between 2004 and 2005
      - Based on the discrete logarithm problem, i.e. determining an integer $1 \le k \le p - 1$ such that $g^k = b \pmod p$
  11. Why use ECC?
      Pros
      - Smaller keys can be used to achieve the same security as an RSA or discrete logarithm system
        - 160-256 bit vs 1024-3072 bit
      - Only generic attacks are known against ECC in comparison to other systems such as RSA and discrete logarithm (DL) schemes
      - An ECDSA signature with a 256-bit key is over 20 times faster than an RSA signature with a 2,048-bit key
      - The energy needed to break an RSA key is much smaller than an ECC key
      Cons
      - Security is achieved only if cryptographically strong elliptic curves are used
  12. Definition of Elliptic Curves
      Definition: An elliptic curve is the graph of the equation
      $$E : y^2 = x^3 + ax^2 + bx + c$$
      where a, b, and c are elements from the base field K of characteristic not equal to 2.
      Note: We’ll also include the point (∞, ∞), denoted ∞
  13. Examples of Elliptic Curves over R
      Figure: $y^2 = x^3 + x$
      Figure: $y^2 = x^3 + 73$
  14. Operations on Elliptic Curves
      Point Addition
  15. Operations on Elliptic Curves (cont)
      Point Doubling
  16. Operations on Elliptic Curves (cont)
      How do we add a point P with ∞?
  18. Operations on Elliptic Curves (cont)
      Therefore, the points on E form an abelian group under addition where
      1. ∞ is the additive identity
      2. The inverse of the point $P = (x, y)$ is $-P = (x, -y)$
      3. $P - Q = P + (-Q)$
  19. Elliptic Curve in R
  20. Same Curve (mod p)
  21. Adding Points on E
      Suppose E is defined as $y^2 \equiv x^3 + 4x + 4 \pmod 5$.
      Let $P_1 = (1, 2)$ and $P_2 = (4, 3)$. Then
      $$(1, 2) + (4, 3) = (4, 2)$$
  22. Doubling Points on P
      Suppose E is defined as $y^2 \equiv x^3 + 2x + 2 \pmod{17}$.
      Let $P = (5, 1)$. Then
      $$2P = (6, 3)$$
  23. Addition Law
      If E is given by $E : y^2 = x^3 + bx + c \pmod p$ we define
      $$(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$$
      as
      $$x_3 = s^2 - x_1 - x_2 \pmod p \quad\text{and}\quad y_3 = s(x_1 - x_3) - y_1 \pmod p$$
      where
      $$s = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} \pmod p, & \text{if } P \ne Q \\[1ex] \dfrac{3x_1^2 + b}{2y_1} \pmod p, & \text{if } P = Q \end{cases}$$
  25. Cardinality
      Question: What is the order of the group (E, +) (mod p), i.e. how many points are on E?
      Hasse’s Bound: Given an elliptic curve E modulo p, the number of points on E, denoted #E, is bounded by
      $$p + 1 - 2\sqrt{p} \le \#E \le p + 1 + 2\sqrt{p}$$
  27. Elliptic Curves (mod p)
      The Discrete Logarithm Problem for Elliptic Curves: Given an elliptic curve E and two points A and B on E, the discrete log problem for elliptic curves is finding an integer $1 \le d \le \#E$ such that
      $$\underbrace{P + P + \cdots + P}_{d \text{ times}} = dP = T$$
      In cryptosystems d is the private key and T is the public key
  31. Representing Plaintext
      We need a method for encoding a message as a point on an elliptic curve.
      - The Bad News: Currently there is no known polynomial time, deterministic algorithm for writing points on an arbitrary elliptic curve.
      - The Good News: There are fast probabilistic methods for finding points
      - With appropriately chosen parameters, the probability of failure can be made arbitrarily small.
  36. Representing Plaintext
      Let $E : y^2 \equiv x^3 + bx + c \pmod p$ be the elliptic curve and let m be the message represented as a number.
      - Idea: Embed m as the x-coordinate of a point on E
      - The Bad News: There is only a 50% chance that $m^3 + bm + c$ is a square modulo p
      - Question: How can we guarantee a higher success rate?
      - Answer: We’ll adjoin a few bits at the end of m and adjust them until we get a number x such that $x^3 + bx + c$ is a square (mod p)
  43. Koblitz’s Method
      Let $E : y^2 \equiv x^3 + bx + c \pmod p$ be the elliptic curve and let m be the message represented as a number.
      Let $K \in \mathbb{Z}$ be large enough such that a failure rate of $1/2^K$ is acceptable
      Assume that $(m + 1)K < p$ and let $x = mK + j$
      For $j = 0, 1, 2, \ldots, K - 1$,
      - Compute $x^3 + bx + c$ and try to calculate the square root (mod p)
      - If $x^3 + bx + c$ is a square, then we send m to $P_m = (x, y)$, otherwise increment j by 1
      - If we reach $j = K$, then we have failed to map a message to a point on E
  45. Decoding
      Note: Because $x^3 + bx + c$ is a square approximately half of the time and we try $x = mK + j$ at most K times, we have about $1/2^K$ chance of failure.
      To recover the original message from $P_m = (x, y)$, we calculate
      $$m = \left\lfloor \frac{x}{K} \right\rfloor$$
      Second Note: Decoding requires that $(m + 1)K < p$
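Koblitz's method and its decoding step, written out as an added example that is not part of the original slides. The curve $y^2 \equiv x^3 + 2x + 7 \pmod{179}$, the choice $K = 10$ and the function names are constructed for illustration; the square-root shortcut used here only works for $p \equiv 3 \pmod 4$.

```python
def koblitz_encode(m, K, b, c, p):
    """Map the number m to a point on y^2 = x^3 + b*x + c (mod p).

    Tries x = m*K + j for j = 0..K-1 and returns the first (x, y) that
    lies on the curve. Raises if the message is too large or if all K
    candidates fail (probability about 1/2^K).
    """
    if p % 4 != 3:
        # Assumption of this sketch: sqrt(a) = a^((p+1)/4) needs p = 3 (mod 4).
        raise ValueError("this sketch only handles p congruent to 3 mod 4")
    if m < 0 or (m + 1) * K >= p:
        raise ValueError("need 0 <= m and (m + 1)K < p")
    for j in range(K):
        x = m * K + j
        rhs = (x**3 + b * x + c) % p
        y = pow(rhs, (p + 1) // 4, p)      # candidate square root
        if y * y % p == rhs:               # true only when rhs is a square
            return (x, y)
    raise RuntimeError("no x = mK + j gave a square; message not encodable")


def koblitz_decode(P, K):
    """Recover m from P_m = (x, y): the low 'digit' j is discarded."""
    return P[0] // K


def encode_all(K, b, c, p):
    """Encode every m with (m + 1)K < p; None marks an encoding failure."""
    table = {}
    for m in range((p - 1) // K):
        try:
            table[m] = koblitz_encode(m, K, b, c, p)
        except RuntimeError:
            table[m] = None
    return table


if __name__ == "__main__":
    K, b, c, p = 10, 2, 7, 179             # constructed toy parameters
    for m, P in encode_all(K, b, c, p).items():
        status = "failed" if P is None else f"{P} -> {koblitz_decode(P, K)}"
        print(f"m = {m:2d}: {status}")
```
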
  53. Elliptic Curve Diffie-Hellman Key Exchange (ECDH)
      Suppose that Alice and Bob want to exchange a key
      1. They agree on a prime p, the elliptic curve $E : y^2 \equiv x^3 + ax + b \pmod p$, and a base point P on E.
      2. Alice randomly chooses an integer $k_a$ and Bob randomly chooses an integer $k_b$, which they keep secret
      3. Alice publishes the point $A = k_a P$ and sends it to Bob
      4. Bob publishes the point $B = k_b P$ and sends it to Alice
      5. Alice takes Bob’s point B and computes $k_a(B)$
      6. Similarly, Bob computes $k_b(A)$
      7. Because the group (E, +) is abelian, $k_a(B) = k_a(k_b P) = k_b(k_a P) = k_b(A)$, so Alice and Bob have the same key
  59. ElGamal Elliptic Curve Digital Signature Algorithm (ECDSA)
      Suppose that Alice wants to sign a message, m, for Bob to verify. To set up the system, we
      1. Fix an Elliptic Curve E (mod p) where p is a large prime
      2. Fix a base point A on E
      3. Assume that the message represented as a number m satisfies $0 \le m \le \#E$
      4. Alice chooses a private integer a and computes $B = aA$
      Now (p, E, #E, A, B) are made public while a is private.
  64. El Gamal ECDSA: Signing a Message
      Now Alice wants to sign the message, so she
      1. chooses a random $1 \le k \le \#E$ with $\gcd(k, \#E) = 1$,
      2. computes $kA \equiv R = (x, y)$,
      3. computes $s \equiv k^{-1}(m - ax) \bmod \#E$,
      4. sends the signed message (m, R, s) to Bob for verification.
  67. El Gamal ECDSA: Verifying a Message
      To verify Alice’s message, Bob
      1. downloads Alice’s public info (p, E, #E, A, B),
      2. computes $v_1 \equiv xB + sR$ and $v_2 \equiv mA$
      The signature is valid only if $v_1 = v_2$
  72. Why does this work?
      We know that
      $$\begin{aligned} v_1 &= xB + sR \\ &= xaA + (k^{-1}(m - ax))(kA) \\ &= xaA + (m - ax)A \\ &= mA \\ &\equiv v_2 \end{aligned}$$
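The addition law, the two worked sums, Hasse's bound, the ECDH exchange and the ElGamal signature from the slides above can all be checked on the deck's own toy curve $y^2 \equiv x^3 + 2x + 2 \pmod{17}$ with base point (5, 1). This is an added example, not part of the original slides; the function names and the chosen private key and message are assumptions, and the parameters are far too small for real use.

```python
import math
import secrets

INF = None  # the point at infinity, written ∞ on the slides


def on_curve(P, b, c, p):
    """True if P is ∞ or satisfies y^2 = x^3 + b*x + c (mod p)."""
    if P is INF:
        return True
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - (x**3 + b * x + c)) % p == 0


def ec_add(P, Q, b, p):
    """Addition law from the slides, plus the cases involving ∞."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                          # P + (-P) = ∞
    if P == Q:
        s = (3 * x1 * x1 + b) * pow(2 * y1 % p, -1, p) % p
    else:
        s = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (s * s - x1 - x2) % p
    return (x3, (s * (x1 - x3) - y1) % p)


def ec_mul(k, P, b, p):
    """Compute kP by double-and-add (not constant time; illustration only)."""
    R = INF
    while k > 0:
        if k & 1:
            R = ec_add(R, P, b, p)
        P = ec_add(P, P, b, p)
        k >>= 1
    return R


def curve_order(b, c, p):
    """Count #E by brute force, including ∞ (feasible for toy primes only)."""
    roots = {}
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x**3 + b * x + c) % p, 0) for x in range(p))


def hasse_holds(n, p):
    """|n - (p + 1)| <= 2*sqrt(p), tested without floating point."""
    return (n - (p + 1)) ** 2 <= 4 * p


def ecdh(P, b, c, p, n):
    """Steps 2-7 of the exchange; returns the key each side derives."""
    ka = secrets.randbelow(n - 1) + 1
    kb = secrets.randbelow(n - 1) + 1
    A, B = ec_mul(ka, P, b, p), ec_mul(kb, P, b, p)
    for received in (A, B):                 # each side validates the peer's point
        if received is INF or not on_curve(received, b, c, p):
            raise ValueError("peer point rejected")
    return ec_mul(ka, B, b, p), ec_mul(kb, A, b, p)


def sign(m, a, A, n, b, p):
    """ElGamal signature (m, R, s) with s = k^-1 (m - a*x) mod #E."""
    while True:
        k = secrets.randbelow(n - 1) + 1    # fresh k for every signature
        R = ec_mul(k, A, b, p)
        if math.gcd(k, n) == 1 and R is not INF:
            return m, R, pow(k, -1, n) * (m - a * R[0]) % n


def verify(m, R, s, A, B, b, c, p):
    """Accept only if v1 = xB + sR equals v2 = mA."""
    if R is INF or not on_curve(R, b, c, p):
        return False
    v1 = ec_add(ec_mul(R[0], B, b, p), ec_mul(s, R, b, p), b, p)
    return v1 == ec_mul(m, A, b, p)


if __name__ == "__main__":
    b, c, p, A = 2, 2, 17, (5, 1)
    n = curve_order(b, c, p)
    print("#E =", n, "Hasse holds:", hasse_holds(n, p))
    print("ECDH keys:", ecdh(A, b, c, p, n))
    a = 7                                   # constructed private key
    B = ec_mul(a, A, b, p)
    m, R, s = sign(11, a, A, n, b, p)       # constructed message number
    print("valid:", verify(m, R, s, A, B, b, c, p))
    print("tampered:", verify(m + 1, R, s, A, B, b, c, p))
```
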
  74. Identity-Based Encryption
      In most public key systems, when Alice wants to send a message to Bob, she looks up his public key in a directory and then encrypts her message.
      However, how does she know that the information has not been modified by Eve and the public key listed for Bob is Eve’s key?!
      Wouldn’t it be nice to have a system where Bob’s public identification information (like his email address) serves as the public key?
  80. Setting up the Cryptosystem
      First, let p be a prime of the form $6q - 1$ where q is also prime. Then for the elliptic curve $E : y^2 = x^3 + 1 \pmod p$, we know that
      There is a point $P_0 \ne \infty$ such that $qP_0 = \infty$.
      There is a function $\tilde{e}$ such that
      - $\tilde{e}$ maps pairs of points $(aP_0, bP_0)$ to qth roots of unity
      - $\tilde{e}$ satisfies the bilinearity property $\tilde{e}(aP_0, bP_0) = \tilde{e}(P_0, P_0)^{ab}$ for all a and b
      - Given $P = kP_0$ and $Q = mP_0$, $\tilde{e}(P, Q)$ can be computed quickly from the coordinates of P and Q
      - $\tilde{e}(P_0, P_0) \ne 1$, so it is a nontrivial root of unity
  82. Setting up the Cryptosystem (cont)
      We need two public hash functions:
      $H_1 : \{\text{arb. length binary string}\} \longrightarrow kP_0$ for $k \in \mathbb{Z}$
      $H_2 : \{\text{qth root of unity}\} \longrightarrow \{\text{binary strings of length } n\}$ where n is the length of the message to be sent
  87. Setting up the System
  To set up the system, we need a Trusted Authority, Arthur. Arthur does the following:
  - He chooses a secret integer $s$.
  - He computes $P_1 = sP_0$, which is made public.
  - For each user, Arthur finds the user's ID (written as a binary string) and computes $D_{User} = sH_1(ID)$, which is a point on $E$.
  - Arthur sends $D_{User}$ to each user, who keeps it secret. He then discards $D_{User}$.
  91. Sending a Message
  Suppose Alice wants to send a message $m$ to Bob and suppose that $m$ is of binary length $n$. Bob's ID is bob@computer.com, so Alice does the following:
  1. She computes $g \equiv \tilde{e}(H_1(\text{bob@computer.com}), P_1)$, a $q$th root of unity.
  2. She chooses a random integer $r \not\equiv 0 \pmod{q}$ and computes $t \equiv m \oplus H_2(g^r)$, where $\oplus$ is the XOR cipher.
  3. She sends Bob the ciphertext $c \equiv (rP_0, t)$, where $rP_0$ is a point on $E$ and $t$ is a binary string of length $n$.
  94. Recovering the Message
  Bob receives the pair $(U, v)$, where $U$ is a point on $E$ and $v$ is a binary string of length $n$. Then he does the following:
  1. He computes $h \equiv \tilde{e}(D_{Bob}, U)$, which is a $q$th root of unity.
  2. He recovers the message by $m = v \oplus H_2(h)$.
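  101. Why does this work?
  If encryption is performed correctly, $U = rP_0$ and $v = t = m \oplus H_2(g^r)$. Since $D_{Bob} = sH_1(\text{bob@computer.com})$,
  $$
  \begin{aligned}
  h \equiv \tilde{e}(D_{Bob}, rP_0) &= \tilde{e}(sH_1(\text{bob@computer.com}), rP_0) \\
  &= \tilde{e}(H_1(\text{bob@computer.com}), P_0)^{rs} \\
  &= \tilde{e}(H_1(\text{bob@computer.com}), sP_0)^{r} \\
  &= \tilde{e}(H_1(\text{bob@computer.com}), P_1)^{r} \equiv g^r
  \end{aligned}
  $$
  Therefore,
  $$t \oplus H_2(h) = t \oplus H_2(g^r) = (m \oplus H_2(g^r)) \oplus H_2(g^r) = m$$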
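The setup, encryption and decryption steps above, run end to end as an added example (not code from the slides). It assumes a stand-in for the curve: the point $kP_0$ is stored as the integer $k \bmod q$ and $\tilde{e}(aP_0, bP_0)$ is modelled as `ZETA**(a*b) mod N`, which keeps bilinearity but exposes every discrete log, so it checks the algebra only and is not a secure implementation. The values `q`, `N`, `ZETA` and the SHA-256/SHAKE-256 choices for $H_1$ and $H_2$ are constructed for the example.

```python
import hashlib
import secrets

# Constructed toy parameters: q and p = 6q - 1 are both prime, as on the slides.
q = 1019
p = 6 * q - 1            # 6113; the real scheme works on y^2 = x^3 + 1 (mod p)
# Stand-in (assumption): k*P0 is stored as k mod q, and the pairing value
# e~(aP0, bP0) is ZETA^(ab) in Z_N^*. Not secure: scalars are stored in the clear.
N = 2 * q + 1            # 2039, prime, so Z_N^* has a subgroup of order q
ZETA = 4                 # plays e~(P0, P0): a nontrivial q-th root of unity mod N
P0 = 1

def pairing(a_pt, b_pt):
    return pow(ZETA, (a_pt * b_pt) % q, N)

def H1(identity):
    """Hash an ID string to a nonzero multiple of P0."""
    d = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (q - 1)

def H2(root, n):
    """Hash a q-th root of unity to an n-byte mask (n counted in bytes here)."""
    return hashlib.shake_256(root.to_bytes(2, "big")).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = 1 + secrets.randbelow(q - 1)      # Arthur's secret s
    return s, (s * P0) % q                # (s, public P1 = s*P0)

def extract(s, identity):
    return (s * H1(identity)) % q         # D_User = s*H1(ID)

def encrypt(identity, P1, m):
    g = pairing(H1(identity), P1)
    r = 1 + secrets.randbelow(q - 1)      # r != 0 (mod q)
    return (r * P0) % q, xor(m, H2(pow(g, r, N), len(m)))   # (U, v) = (rP0, t)

def decrypt(D, ciphertext):
    U, v = ciphertext
    h = pairing(D, U)                     # equals g^r by bilinearity
    return xor(v, H2(h, len(v)))
```

Alice needs only Bob's ID string and the public `P1` to call `encrypt`; Bob needs only `D_Bob` to call `decrypt`.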
  102. Any Questions?
