# Elliptic Curve Cryptography

### Elliptic Curve Cryptography

1. 1. Elliptic Curve Cryptography Kelly Bresnahan March 24, 2016
2. 2. Table Of Contents: 1 Elliptic Curve Cryptography (ECC)
    - Introduction
    - Pros and Cons of Elliptic Curves
    - Definition of an Elliptic Curve
    - Operations on Elliptic Curves
    - Hasse's Bound
    - Representing Plaintext
    - Elliptic Curve Diffie-Hellman Key Exchange
    - ElGamal Digital Signatures using Elliptic Curves
    - Identity-Based Encryption Using ECC
3. 3. Introduction
    - Miller and Koblitz (independently) introduced elliptic curves into cryptography in the mid-1980s
    - Elliptic Curve Cryptography algorithms entered wide use between 2004 and 2005
    - Based on the discrete logarithm problem, i.e. determining an integer $1 \le k \le p - 1$ such that $g^k = b \pmod p$
11. 11. Why use ECC?

    Pros
    - Smaller keys can be used to achieve the same security as an RSA or discrete logarithm system: 160-256 bit vs 1024-3072 bit
    - Only generic attacks are known against ECC in comparison to other systems such as RSA and discrete logarithm (DL) schemes
    - ECDSA signature with a 256-bit key is over 20 times faster than an RSA signature with a 2,048-bit key
    - The energy needed to break an RSA key is much smaller than that needed to break an ECC key

    Cons
    - Security is achieved only if cryptographically strong elliptic curves are used
12. 12. Definition of Elliptic Curves: An elliptic curve is the graph of the equation $E : y^2 = x^3 + ax^2 + bx + c$ where $a$, $b$, and $c$ are elements from the base field $K$ of characteristic not equal to 2. Note: We'll also include the point $(\infty, \infty)$, denoted $\infty$
13. 13. Examples of Elliptic Curves over R. Figure: $y^2 = x^3 + x$. Figure: $y^2 = x^3 + 73$
14. 14. Operations on Elliptic Curves Point Addition
15. 15. Operations on Elliptic Curves (cont) Point Doubling
16. 16. Operations on Elliptic Curves (cont) How do we add a point P with ∞?
18. 18. Operations on Elliptic Curves (cont): Therefore, the points on E form an abelian group under addition where
    1. $\infty$ is the additive identity
    2. The inverse of the point $P = (x, y)$ is $-P = (x, -y)$
    3. $P - Q = P + (-Q)$
19. 19. Elliptic Curve in R
20. 20. Same Curve (mod p)
21. 21. Adding Points on E: Suppose E is defined as $y^2 \equiv x^3 + 4x + 4 \pmod 5$. Let $P_1 = (1, 2)$ and $P_2 = (4, 3)$. Then $(1, 2) + (4, 3) = (4, 2)$
22. 22. Doubling Points on P: Suppose E is defined as $y^2 \equiv x^3 + 2x + 2 \pmod{17}$. Let $P = (5, 1)$. Then $2P = (6, 3)$
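23. 23. Addition Law: If E is given by $E : y^2 = x^3 + bx + c \pmod p$ we define $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$, with $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, as $x_3 = s^2 - x_1 - x_2 \pmod p$ and $y_3 = s(x_1 - x_3) - y_1 \pmod p$ where

    $$s = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} \pmod p, & \text{if } P \ne Q \\ \dfrac{3x_1^2 + b}{2y_1} \pmod p, & \text{if } P = Q \end{cases}$$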
25. 25. Cardinality. Question: What is the order of the group (E, +) (mod p), i.e. how many points are on E? Hasse's Bound: Given an elliptic curve E modulo p, the number of points on E, denoted #E, is bounded by $p + 1 - 2\sqrt{p} \le \#E \le p + 1 + 2\sqrt{p}$
27. 27. Elliptic Curves (mod p). The Discrete Logarithm Problem for Elliptic Curves: Given an elliptic curve E and two points A and B on E, the discrete log problem for elliptic curves is finding an integer $1 \le d \le \#E$ such that $\underbrace{P + P + \cdots + P}_{d \text{ times}} = dP = T$. In cryptosystems $d$ is the private key and $T$ is the public key
31. 31. Representing Plaintext: We need a method for encoding a message as a point on an elliptic curve.
    - The Bad News: Currently there is no known polynomial time, deterministic algorithm for writing points on an arbitrary elliptic curve.
    - The Good News: There are fast probabilistic methods for finding points. With appropriately chosen parameters, the probability of failure can be made arbitrarily small.
36. 36. Representing Plaintext: Let $E : y^2 \equiv x^3 + bx + c \pmod p$ be the elliptic curve and let $m$ be the message represented as a number.
    - Idea: Embed $m$ as the x-coordinate of a point on E
    - The Bad News: There is only a 50% chance that $m^3 + bm + c$ is a square modulo $p$
    - Question: How can we guarantee a higher success rate?
    - Answer: We'll adjoin a few bits at the end of $m$ and adjust them until we get a number $x$ such that $x^3 + bx + c$ is a square (mod $p$)
43. 43. Koblitz's Method: Let $E : y^2 \equiv x^3 + bx + c \pmod p$ be the elliptic curve and let $m$ be the message represented as a number. Let $K \in \mathbb{Z}$ be large enough such that a failure rate of $1/2^K$ is acceptable. Assume that $(m + 1)K < p$ and let $x = mK + j$. For $j = 0, 1, 2, \ldots, K - 1$,
    - Compute $x^3 + bx + c$ and try to calculate the square root (mod $p$)
    - If $x^3 + bx + c$ is a square, then we send $m$ to $P_m = (x, y)$, otherwise increment $j$ by 1
    - If we reach $j = K$, then we have failed to map a message to a point on E
45. 45. Decoding. Note: Because $x^3 + bx + c$ is a square approximately half of the time and we try $x = mK + j$ at most $K$ times, we have about $1/2^K$ chance of failure. To recover the original message from $P_m = (x, y)$, we calculate $m = \lfloor x/K \rfloor$. Second Note: Decoding requires that $(m + 1)K < p$
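
Koblitz's embedding and its decoding, as described on the slides above, written out as an added example that is not part of the original deck. The prime $p = 2^{31} - 1$, the coefficients $b = 2$, $c = 3$, $K = 32$ and all function names are assumptions chosen for illustration; the square root uses the shortcut for primes with $p \equiv 3 \pmod 4$, which the slides do not specify.

```python
# Added illustration of Koblitz's embedding; curve, prime and K are constructed values.
P_MOD = 2**31 - 1      # prime with p % 4 == 3, so sqrt(a) = a^((p+1)/4) mod p
B, C = 2, 3            # E: y^2 = x^3 + 2x + 3 (mod p), chosen for this example
K = 32                 # expected failure rate about 1/2^K


def rhs(x, b=B, c=C, p=P_MOD):
    """Right-hand side x^3 + bx + c (mod p) of the curve equation."""
    return (x * x * x + b * x + c) % p


def is_square(a, p=P_MOD):
    """Euler's criterion: a != 0 is a square mod p iff a^((p-1)/2) == 1."""
    return a == 0 or pow(a, (p - 1) // 2, p) == 1


def encode(m, k=K, p=P_MOD):
    """Map integer m to P_m = (x, y) with x = m*k + j; return None on failure."""
    if m < 0 or (m + 1) * k >= p:
        raise ValueError("message too large: need (m + 1) * K < p")
    for j in range(k):
        x = m * k + j
        a = rhs(x, p=p)
        if is_square(a, p):
            y = pow(a, (p + 1) // 4, p)    # valid because p % 4 == 3
            return (x, y)
    return None                             # reached j = K: no point found


def decode(point, k=K):
    """Recover m = floor(x / K) from P_m = (x, y)."""
    return point[0] // k


def on_curve(point, p=P_MOD):
    """Check y^2 == x^3 + bx + c (mod p)."""
    x, y = point
    return (y * y - rhs(x, p=p)) % p == 0


if __name__ == "__main__":
    m = int.from_bytes(b"ECC", "big")       # constructed 3-byte sample message
    pt = encode(m)
    print(m, pt, on_curve(pt), decode(pt) == m)
    # With K = 1 there are no spare values of j, so about half of all m fail.
    fails = sum(encode(i, k=1) is None for i in range(1000))
    print(fails, "of 1000 messages cannot be embedded when K = 1")
```

The bound $(m + 1)K < p$ is enforced before any point is computed, because decoding by $\lfloor x/K \rfloor$ is only correct when $x$ was never reduced modulo $p$.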
53. 53. Elliptic Curve Diffie-Hellman Key Exchange (ECDH): Suppose that Alice and Bob want to exchange a key
    1. They agree on a prime $p$, the elliptic curve $E : y^2 \equiv x^3 + ax + b \pmod p$, and a base point $P$ on E.
    2. Alice randomly chooses an integer $k_a$ and Bob randomly chooses an integer $k_b$, which they keep secret
    3. Alice publishes the point $A = k_a P$ and sends it to Bob
    4. Bob publishes the point $B = k_b P$ and sends it to Alice
    5. Alice takes Bob's point $B$ and computes $k_a(B)$
    6. Similarly, Bob computes $k_b(A)$
    7. Because the group $(E, +)$ is abelian, $k_a(B) = k_a(k_b P) = k_b(k_a P) = k_b(A)$, so Alice and Bob have the same key
59. 59. ElGamal Elliptic Curve Digital Signature Algorithm (ECDSA): Suppose that Alice wants to sign a message, $m$, for Bob to verify. To set up the system, we
    1. Fix an Elliptic Curve E (mod p) where p is a large prime
    2. Fix a base point $A$ on E
    3. Assume that the message represented as a number $m$ satisfies $0 \le m \le \#E$
    4. Alice chooses a private integer $a$ and computes $B = aA$

    Now $(p, E, \#E, A, B)$ are made public while $a$ is private.
64. 64. El Gamal ECDSA: Signing a Message. Now Alice wants to sign the message, so she
    1. chooses a random $1 \le k \le \#E$ with $\gcd(k, \#E) = 1$,
    2. computes $kA \equiv R = (x, y)$,
    3. computes $s \equiv k^{-1}(m - ax) \bmod \#E$,
    4. sends the signed message $(m, R, s)$ to Bob for verification,
67. 67. El Gamal ECDSA: Verifying a Message. To verify Alice's message, Bob
    1. downloads Alice's public info $(p, E, \#E, A, B)$,
    2. computes $v_1 \equiv xB + sR$ and $v_2 \equiv mA$

    The signature is valid only if $v_1 = v_2$
72. 72. Why does this work? We know that

    $$v_1 = xB + sR = xaA + \left(k^{-1}(m - ax)\right)(kA) = xaA + (m - ax)A = mA \equiv v_2$$
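
The addition law, the ECDH exchange and the ElGamal signature from the slides above, carried out on the deck's own toy curve $y^2 \equiv x^3 + 2x + 2 \pmod{17}$ with base point $(5, 1)$. This is an added example, not part of the original slides; the function names and the fixed sample keys are assumptions, and the parameters are far too small for real use.

```python
# Added illustration on the slides' toy curve; sample keys are constructed values.
import secrets
from math import gcd

INF = None                      # the point at infinity
P_MOD, B = 17, 2                # E: y^2 = x^3 + 2x + 2 (mod 17), from the doubling slide
G = (5, 1)                      # base point (called P or A on the slides)

def ec_add(P, Q, b=B, p=P_MOD):
    """Addition law for y^2 = x^3 + bx + c (mod p); c does not enter the formulas."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF              # P + (-P), including doubling a point with y = 0
    if P == Q:
        s = (3 * x1 * x1 + b) * pow(2 * y1 % p, -1, p) % p
    else:
        s = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (s * s - x1 - x2) % p
    return (x3, (s * (x1 - x3) - y1) % p)

def ec_mul(k, P, b=B, p=P_MOD):
    """Compute kP by double-and-add."""
    R = INF
    while k > 0:
        if k & 1:
            R = ec_add(R, P, b, p)
        P = ec_add(P, P, b, p)
        k >>= 1
    return R

def point_order(P):
    """Smallest n >= 1 with nP = infinity (brute force, fine for a toy curve)."""
    n, Q = 1, P
    while Q is not INF:
        Q, n = ec_add(Q, P), n + 1
    return n

N = point_order(G)              # equals #E on this curve, because #E is prime

def ecdh(ka, kb):
    """Return the keys Alice and Bob each derive: ka*(kb*G) and kb*(ka*G)."""
    A_pub, B_pub = ec_mul(ka, G), ec_mul(kb, G)
    return ec_mul(ka, B_pub), ec_mul(kb, A_pub)

def sign(m, a, k=None):
    """ElGamal signature (R, s): R = kG = (x, y), s = k^-1 (m - a*x) mod N."""
    while k is None or gcd(k, N) != 1:
        k = secrets.randbelow(N - 1) + 1    # fresh secret k for every signature
    R = ec_mul(k, G)
    return R, pow(k, -1, N) * (m - a * R[0]) % N

def verify(m, R, s, B_pub):
    """Accept iff v1 = x*B + s*R equals v2 = m*G."""
    return ec_add(ec_mul(R[0], B_pub), ec_mul(s, R)) == ec_mul(m, G)

if __name__ == "__main__":
    print(ec_add((1, 2), (4, 3), b=4, p=5), ec_mul(2, G), N)
    a = 7                                   # constructed private key
    R, s = sign(11, a, k=5)                 # fixed k only to make the demo repeatable
    print(ecdh(3, 7), (R, s), verify(11, R, s, ec_mul(a, G)))
```

Reusing $k$ for two signatures, or choosing it predictably, exposes the private integer $a$, which is why `sign` draws a fresh $k$ from `secrets` whenever none is supplied.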
74. 74. Identity-Based Encryption: In most public key systems, when Alice wants to send a message to Bob, she looks up his public key in a directory and then encrypts her message. However, how does she know that the information has not been modified by Eve, so that the public key listed for Bob is Eve's key?! Wouldn't it be nice to have a system where Bob's public identification information (like his email address) serves as the public key?
80. 80. Setting up the Cryptosystem: First, let $p$ be a prime of the form $6q - 1$ where $q$ is also prime. Then for the elliptic curve $E : y^2 = x^3 + 1 \pmod p$, we know that
    - There is a point $P_0 \ne \infty$ such that $qP_0 = \infty$.
    - There is a function $\tilde{e}$ such that
        - $\tilde{e}$ maps pairs of points $(aP_0, bP_0)$ to $q$th roots of unity
        - $\tilde{e}$ satisfies the bilinearity property $\tilde{e}(aP_0, bP_0) = \tilde{e}(P_0, P_0)^{ab}$ for all $a$ and $b$
        - Given $P = kP_0$ and $Q = mP_0$, $\tilde{e}(P, Q)$ can be computed quickly from the coordinates of $P$ and $Q$
        - $\tilde{e}(P_0, P_0) \ne 1$, so it is a nontrivial root of unity
82. 82. Setting up the Cryptosystem (cont): We need two public hash functions:
    - $H_1 : \{\text{arb. length binary string}\} \longrightarrow kP_0$ for $k \in \mathbb{Z}$
    - $H_2 : \{q\text{th root of unity}\} \longrightarrow \{\text{binary strings of length } n\}$, where $n$ is the length of the message to be sent
87. 87. Setting up the System: To set up the system, we need a Trusted Authority, Arthur. Arthur does the following:
    - He chooses a secret integer $s$
    - He computes $P_1 = sP_0$, which is made public
    - For each User, Arthur finds the user's ID (written as a binary string) and computes $D_{User} = sH_1(ID)$, which is a point on E
    - Arthur sends $D_{User}$ to each user, who keeps it secret. He then discards $D_{User}$
91. 91. Sending a Message: Suppose Alice wants to send a message $m$ to Bob and suppose that $m$ is of binary length $n$. Bob's ID is bob@computer.com, so Alice does the following:
    1. She computes $g \equiv \tilde{e}(H_1(\text{bob@computer.com}), P_1)$, a $q$th root of unity
    2. She chooses a random integer $r \not\equiv 0 \pmod q$ and computes $t \equiv m \oplus H_2(g^r)$ where $\oplus$ is the XOR cipher.
    3. She sends Bob the ciphertext $c \equiv (rP_0, t)$, where $rP_0$ is on E and $t$ is a binary string of length $n$
94. 94. Recovering the Message: Bob receives the pair $(U, v)$ where $U$ is a point on E and $v$ is a binary string of length $n$. Then he does the following:
    1. He computes $h \equiv \tilde{e}(D_{Bob}, U)$, which is a $q$th root of unity
    2. He recovers the message by $m = v \oplus H_2(h)$
101. 101. Why does this work? If encryption is performed correctly, $U = rP_0$ and $v = t = m \oplus H_2(g^r)$. Since $D_{Bob} = sH_1(\text{bob@computer.com})$,

    $$h \equiv \tilde{e}(D_{Bob}, rP_0) = \tilde{e}(sH_1(\text{bob@computer.com}), rP_0) = \tilde{e}(H_1(\text{bob@computer.com}), P_0)^{rs} = \tilde{e}(H_1(\text{bob@computer.com}), sP_0)^{r} = \tilde{e}(H_1(\text{bob@computer.com}), P_1)^{r} \equiv g^r$$

    Therefore, $t \oplus H_2(h) = t \oplus H_2(g^r) = (m \oplus H_2(g^r)) \oplus H_2(g^r) = m$
102. 102. Any Questions?