### Lecture 3

Discrete Methods in Mathematical Informatics
Lecture 3: Other Applications of Elliptic Curves
23rd October 2012
Vorapong Suppakitpaisarn
http://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/
[email protected], Eng. 6 Room 363
Course Information
(Many Changes from Last Week)
Schedule
10/9 – Elliptic Curve I (2 Exercises)
(What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercises)
(Elliptic Curve Cryptography[1])
10/23 – Elliptic Curve III (3 Exercises)
(Elliptic Curve Cryptography[2])
10/30 – Cancelled
11/7 – Online Algorithm I (Prof. Han)
11/14 – Online Algorithm II (Prof. Han)
11/21 – Elliptic Curve IV (2 Exercises)
(ECC Implementation I)
11/28 – Elliptic Curve V (2 Exercises)
(ECC Implementation II)
12/4 – Cancelled
From 12/11 – To be Announced
For my part, you need to submit 2 reports:
- Report 1: select 3 of the 6 exercises in Elliptic Curve I–III
- Report 2: select 2 of the 4 exercises in Elliptic Curve IV–V
- Submit your reports at the Department of Mathematical Informatics' office [1st floor of this building]
From Last Lecture…
- Scalar multiplication on an elliptic curve: $S = P + P + \cdots + P = rP$ ($r$ times). When $r$ is a positive integer and $P$ is a point of the curve, $S$ is also a point of the curve.
- Double-and-add example: let $r = 14 = (01110)_2$ and compute $rP = 14P$. Scanning the bits from the most significant one, the chain is $P \to 2P \to 3P \to 6P \to 7P \to 14P$: the doublings produce $2P, 6P, 14P$ and the additions produce $3P, 7P$, so the cost is $3 - 1 = 2$ point additions (one fewer than the number of 1 bits) and $4 - 1 = 3$ point doublings (one fewer than the bit length).
- Discrete Logarithm Problem: given $P$ and $aP$, compute $a$.
Overview
The discrete logarithm problem is the hardness assumption behind every scheme in this lecture:
- Massey-Omura encryption
- ElGamal public key encryption
- ElGamal digital signatures
- Digital Signature Algorithm (DSA)
Pollard's ρ Method [Pollard 1978]
Random function $f : E(\mathbb{F}_p) \to E(\mathbb{F}_p)$, iterated from a start point: $f(P_0) = P_1$, $f(P_1) = P_2$, ..., $f(P_k) = P_{k+1}$.
(Semi-)Objective: find $k \ne l$ such that $P_k = P_l$. Since $E(\mathbb{F}_p)$ is finite the sequence must repeat, and once $P_k = P_l$ it cycles; drawn out, the walk looks like the letter ρ (a tail of length $k$ entering a cycle).
(Semi-)Algorithm [Floyd cycle finding]
1. $S \leftarrow R \leftarrow P_0$ for a random $P_0 \in E(\mathbb{F}_p)$.
2. Repeat $S \leftarrow P_k = f(P_{k-1}) = f(S)$ and $R \leftarrow P_{2k} = f(f(P_{2(k-1)})) = f(f(R))$, $m$ times, until $S = R$, i.e. $P_m = P_{2m}$.
By the birthday bound the expected number of steps is $m \in O(\sqrt{N})$, and only the two points $S, R$ are stored.
(Real-)Objective: given $P$ and $Q = aP$, find $a$.
Function $f$ for Discrete Log [Teske 1998]
Partition $E(\mathbb{F}_p) = S_1 \cup S_2 \cup \dots \cup S_n$ with $S_i \cap S_j = \emptyset$, $n \approx 20$. For $1 \le i \le n$ let $a_i, b_i$ be random positive integers and define $M_i = a_iP + b_iQ$. Then $f(R) = R + M_i$ if $R \in S_i$.
[Figure: the ρ-shaped walk $P_0, P_1, P_2, \dots$ entering a cycle, drawn with $P_{57} = P_3$ and $P_{58} = P_4$; the whole walk takes $O(\sqrt{N})$ steps.]
(Real-)Algorithm
1. $S \leftarrow R \leftarrow P_0 = a_0P + b_0Q$ for random $a_0, b_0$; set $c_S \leftarrow c_R \leftarrow a_0$ and $d_S \leftarrow d_R \leftarrow b_0$.
2. Repeat $S \leftarrow f(S)$, $R \leftarrow f(f(R))$ until $S = R$. If $S \in S_i$ then $c_S \leftarrow c_S + a_i$, $d_S \leftarrow d_S + b_i$; if $R \in S_i$ and $f(R) \in S_j$ then $c_R \leftarrow c_R + a_i + a_j$, $d_R \leftarrow d_R + b_i + b_j$. [Invariant: $S = c_SP + d_SQ$ and $R = c_RP + d_RQ$.]
3. $c_SP + d_SQ = c_RP + d_RQ$, so $(d_S - d_R)Q = (c_R - c_S)P$ and $Q = \frac{c_R - c_S}{d_S - d_R}P$, i.e. $a \equiv (c_R - c_S)(d_S - d_R)^{-1} \pmod N$. (This needs $d_S - d_R$ to be invertible modulo $N$; if it is not, restart with fresh $a_i, b_i$.)
Example
$E(\mathbb{F}_{1093}) = \{(x, y) \in \mathbb{F}_{1093}^2 \mid y^2 = x^3 + x + 1\}$, $N = 1067$.
$P = (0, 1)$, $Q = aP = (413, 959)$. Find $a$.
Partition: $(x, y) \in S_i$ if $x \equiv i \pmod 3$ (so only $n = 3$ classes in this small example). Multipliers: $M_0 = 4P + 3Q$, $M_1 = 9P + 17Q$, $M_2 = 19P + 6Q$.
Start: $P_0 = 3P + 5Q = (326, 69)$. Since $326 \equiv 2 \pmod 3$, $P_0 \in S_2$.
$P_1 = f(P_0) = P_0 + M_2 = (3P + 5Q) + (19P + 6Q) = 22P + 11Q = (727, 589)$.
The walk continues: $P_0 = (326, 69)$, $P_1 = (727, 589)$, $P_2 = (560, 365)$, $P_3 = (1070, 260)$, $P_4 = (473, 903)$, $P_5 = (1006, 951)$, $P_6 = (523, 938)$, ..., $P_{57} = (895, 337)$, $P_{58} = (1006, 951)$, $P_{59} = (523, 938)$, ...
Collision: $P_5 = P_{58}$, with $P_5 = 88P + 46Q$ and $P_{58} = 685P + 620Q$ (the coefficients are tracked as in step 2 of the algorithm).
Hence $(685 - 88)P = (46 - 620)Q$, i.e. $597P = -574Q$.
Multiply both sides by $764$: since $574 \cdot 764 = 1067 \cdot 411 - 1$, we have $-574 \cdot 764 \equiv 1 \pmod{1067}$, and because $1067Q = \mathcal{O}$ this gives $-574 \cdot 764\,Q = Q$.
Therefore $Q = 597 \cdot 764\,P = (1067 \cdot 427 + 499)P = 499P$, so $a = 499$.
Exercise 4
(a) Let $P, Q$ be points on an elliptic curve of order 33 with $2P = 6Q$. Prove that $Q \in \{4P + 11kP \mid k \in \mathbb{Z}\} = \{4P, 15P, 26P\}$.
(b) Let $P, Q$ be points on an elliptic curve of order $N$ with $aP = bQ$ and $\gcd(b, N) = d$, and let $b^{-1}$ be an integer such that $b^{-1} \cdot \frac{b}{d} \equiv 1 \pmod{N/d}$. Prove that $Q \in \{cP + k\frac{N}{d}P \mid k \in \mathbb{Z}\}$, where $c = \frac{a}{d}\,b^{-1}$.
The Pohlig-Hellman Method [Pohlig, Hellman 1978]
$E(\mathbb{F}_{599}) = \{(x, y)
\in \mathbb{F}_{599}^2 \mid y^2 = x^3 + 1\}$, $N = 600$.
$P = (60, 19)$, $Q = aP = (277, 239)$. Find $a$. Note that $600Q = \mathcal{O}$.
Idea: recover $a$ modulo each prime power dividing $N$.
Modulo 3 (write $a = 3b + i$):
- If $a \equiv 0 \pmod 3$: $200Q = 200aP = 200(3b)P = 600bP = \mathcal{O}$.
- If $a \equiv 1 \pmod 3$: $200Q = 200aP = 200(3b + 1)P = 600bP + 200P = 200P$.
- If $a \equiv 2 \pmod 3$: $200Q = 200aP = 200(3b + 2)P = 600bP + 400P = 400P$.
Modulo 5 (write $a = 5b + i$):
- If $a \equiv 0 \pmod 5$: $120Q = 120aP = 120(5b)P = 600bP = \mathcal{O}$.
- If $a \equiv 1 \pmod 5$: $120Q = 120aP = 120(5b + 1)P = 600bP + 120P = 120P$.
- If $a \equiv 2 \pmod 5$: $120Q = 240P$. If $a \equiv 3 \pmod 5$: $120Q = 360P$. If $a \equiv 4 \pmod 5$: $120Q = 480P$.
Lifting from $5$ to $5^2$: let $a \equiv i \pmod 5$ and $Q_1 = Q - iP$. Then $Q_1 = cP$ with $c \equiv 0 \pmod 5$, so write $c = 25b + 5j$:
- If $c \equiv 0 \pmod{5^2}$: $24Q_1 = 24cP = 24(25b)P = 600bP = \mathcal{O}$.
- If $c \equiv 5 \pmod{25}$: $24Q_1 = 24cP = 24(25b + 5)P = 600bP + 120P = 120P$.
- If $c \equiv 10 \pmod{5^2}$: $24Q_1 = 240P$. If $c \equiv 15 \pmod{5^2}$: $24Q_1 = 360P$. If $c \equiv 20 \pmod{5^2}$: $24Q_1 = 480P$.
So suppose $a \equiv i \pmod 5$ and $c = a - i \equiv 5j \pmod{25}$; then $a \equiv 5j + i \pmod{25}$.
The Pohlig-Hellman Method [cont.]
$|E(\mathbb{F}_p)| = N = p_1^{e_1} p_2^{e_2} \cdots p_n^{e_n}$.
(Real-)Problem: given $P$, $Q = aP$, compute $a$.
(Semi-)Problem: given $P$, $Q = aP$, compute $a \bmod p_k^{e_k}$.
Properties
1. If $a \equiv i \pmod{p_k}$, i.e. $a = bp_k + i$, then
$$\frac{N}{p_k}Q = \frac{N}{p_k}aP = \frac{N}{p_k}(bp_k + i)P = bNP + i\frac{N}{p_k}P = i\frac{N}{p_k}P.$$
2. If $e_k > 1$ and $c = a - i \equiv p_kj \pmod{p_k^2}$, i.e. $c = bp_k^2 + p_kj$, let $Q_1 = Q - iP = aP - iP = cP$. Then
$$\frac{N}{p_k^2}Q_1 = \frac{N}{p_k^2}cP = \frac{N}{p_k^2}(bp_k^2 + p_kj)P = bNP + j\frac{N}{p_k}P = j\frac{N}{p_k}P.$$
Algorithm
1. For all $0 \le i < p_k$, compute $i\frac{N}{p_k}P$. (The point $\frac{N}{p_k}P$ has order $p_k$, so this table has only $p_k$ entries; the whole attack costs about $\sum_k e_k p_k$ small steps, which is why a group order with only small prime factors gives no security.)
2. Compute $\frac{N}{p_k}Q$.
3. Find $i$ such that $\frac{N}{p_k}Q = i\frac{N}{p_k}P$; then $a \equiv i \pmod{p_k}$.
4. If $e_k = 1$, terminate. Otherwise let $Q_1 = Q - iP$ and compute $\frac{N}{p_k^2}Q_1$.
5. Find $j$ such that $\frac{N}{p_k^2}Q_1 = j\frac{N}{p_k}P$; then $a \equiv p_kj + i \pmod{p_k^2}$.
6. If $e_k = 2$, terminate. Otherwise let $Q_2 = Q - jp_kP - iP$ and compute $\frac{N}{p_k^3}Q_2$.
7. Find $l$ such that $\frac{N}{p_k^3}Q_2 = l\frac{N}{p_k}P$; then $a \equiv p_k^2l + p_kj + i \pmod{p_k^3}$.
...
The Pohlig-Hellman Method [cont.]
$E(\mathbb{F}_{599}) = \{(x, y) \in \mathbb{F}_{599}^2 \mid y^2 = x^3 + 1\}$, $N = 600 = 2^3 \cdot 3 \cdot 5^2$.
$P = (60, 19)$, $Q = aP = (277, 239)$. Find $a \bmod 5^2$ (the semi-problem for $p_k = 5$, $e_k = 2$).
1. $\frac{600}{5}P = 120P = (84, 179)$, $240P = (491, 134)$, $360P = (491, 465)$, $480P = (84, 420)$.
2. $\frac{600}{5}Q = 120Q = (84, 179)$.
3. $120Q = 1 \cdot 120P$, so $i = 1$ and $a \equiv 1 \pmod 5$.
4. $Q_1 = Q - 1P = (130, 129)$, and $\frac{600}{5^2}Q_1 = 24Q_1 = (491, 465)$.
5. $24Q_1 = 360P = 3 \cdot 120P$, so $j = 3$ and $a \equiv 3 \cdot 5 + 1 = 16 \pmod{25}$.
Chinese Remainder Theorem
Suppose $a \equiv x_i \pmod{m_i}$ for $1 \le i \le n$, with $\gcd(m_i, m_j) = 1$ for all $i \ne j$. Let $M = \prod_{i=1}^n m_i$. Find $x$ such that $a \equiv x \pmod M$:
$$x = x_1b_1\frac{M}{m_1} + x_2b_2\frac{M}{m_2} + \cdots + x_nb_n\frac{M}{m_n} \pmod M, \quad \text{where } b_i\frac{M}{m_i} \equiv 1 \pmod{m_i}.$$
Example: $E(\mathbb{F}_{599}) = \{(x, y) \in \mathbb{F}_{599}^2 \mid y^2 = x^3 + 1\}$, $N = 600 = 2^3 \cdot 3 \cdot 5^2$, $P = (60, 19)$, $Q = aP = (277, 239)$. Solving the semi-problem for each prime power gives
$a \equiv 2 \pmod{2^3}$, $a \equiv 2 \pmod 3$, $a \equiv 16 \pmod{5^2}$,
so $x_1 = 2$, $x_2 = 2$, $x_3 = 16$ and $m_1 = 2^3 = 8$, $m_2 = 3$, $m_3 = 5^2 = 25$.
$\frac{M}{m_1} = \frac{600}{8} = 75$, $\frac{M}{m_2} = \frac{600}{3} = 200$, $\frac{M}{m_3} = \frac{600}{25} = 24$.
$3 \cdot 75 = 225 \equiv 1 \pmod 8$, so $b_1 = 3$; $2 \cdot 200 = 400 \equiv 1 \pmod 3$, so $b_2 = 2$; $24 \cdot 24 = 576 \equiv 1 \pmod{25}$, so $b_3 = 24$.
$x = 2 \cdot 3 \cdot 75 + 2 \cdot 2 \cdot 200 + 16 \cdot 24 \cdot 24 = 10466 \equiv 266 \pmod{600}$.
Check: $Q = (277, 239) = 266P = 266 \cdot (60, 19)$.
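The two generic ECDLP attacks of this lecture, Pollard's ρ with Teske's adding walk and Pohlig-Hellman combined with the Chinese Remainder Theorem, as one added worked example over the lecture's own curves. This is not code from the slides: the helper names (`ec_add`, `ec_mul`, `point_order`, `rho_dlog`, `pohlig_hellman`, `crt`, `factorize`) are ours, the walk uses $r = 20$ classes chosen by $x$-coordinate (Teske's construction) rather than the 3 classes of the slide example, the multipliers $M_i$ come from a seeded RNG, and the order of $P$ is found by brute force instead of being read off the slides, so the code never trusts an unchecked $N$.

```python
# Added example (not from the lecture): Pollard rho (Teske r-adding walk) and
# Pohlig-Hellman + CRT for Q = aP on the lecture's toy curves y^2 = x^3 + a*x + b over F_p.
import math
import random

def ec_add(P, Q, a, p):
    """Chord-and-tangent addition of affine points; None is the point at infinity O."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p)   # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication k*P (a negative k multiplies -P)."""
    if k < 0:
        k, P = -k, (P[0], -P[1] % p)
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def point_order(P, a, p):  # smallest n > 0 with n*P = O, by brute force (toy curves only)
    n, R = 1, P
    while R is not None:
        R, n = ec_add(R, P, a, p), n + 1
    return n

def rho_dlog(P, Q, n, a, p, r=20, seed=2012, max_tries=100):
    """Pollard rho with Teske's r-adding walk: find x with Q = x*P, where |<P>| = n."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        # multipliers M_i = a_i P + b_i Q, one per class S_i = {R : x_R mod r == i}
        coeffs = [(rng.randrange(n), rng.randrange(n)) for _ in range(r)]
        M = [ec_add(ec_mul(ai, P, a, p), ec_mul(bi, Q, a, p), a, p) for ai, bi in coeffs]
        def f(R, c, d):                                # R = cP + dQ  ->  f(R) = R + M_i
            if R is None:                              # O has no x-coordinate: abandon this walk
                return None, c, d
            i = R[0] % r
            return ec_add(R, M[i], a, p), (c + coeffs[i][0]) % n, (d + coeffs[i][1]) % n
        cS, dS = rng.randrange(n), rng.randrange(n)    # P_0 = c_S P + d_S Q
        S = R = ec_add(ec_mul(cS, P, a, p), ec_mul(dS, Q, a, p), a, p)
        cR, dR = cS, dS
        while True:
            S, cS, dS = f(S, cS, dS)                   # tortoise: one step
            R, cR, dR = f(*f(R, cR, dR))               # hare: two steps
            if S is None or R is None or S == R:
                break
        # collision: c_S P + d_S Q = c_R P + d_R Q  =>  (d_S - d_R) Q = (c_R - c_S) P
        if S is None or R is None or math.gcd(dS - dR, n) != 1:
            continue                                   # degenerate walk: pick new multipliers
        x = (cR - cS) * pow((dS - dR) % n, -1, n) % n
        if ec_mul(x, P, a, p) == Q:
            return x
    raise ValueError("no usable collision found")

def factorize(n):
    """Trial division: n -> [(prime, exponent), ...]."""
    fs, q = [], 2
    while q * q <= n:
        e = 0
        while n % q == 0:
            n, e = n // q, e + 1
        if e:
            fs.append((q, e))
        q += 1
    return fs + ([(n, 1)] if n > 1 else [])

def crt(residues):
    """x = sum x_i * b_i * (M/m_i) mod M with b_i = (M/m_i)^-1 mod m_i (m_i pairwise coprime)."""
    M = math.prod(m for _, m in residues)
    return sum(xi * pow(M // mi, -1, mi) * (M // mi) for xi, mi in residues) % M

def pohlig_hellman(P, Q, n, a, p):
    """Find x with Q = x*P when n = ord(P) is smooth: one base-q digit at a time, then CRT."""
    residues = []
    for q, e in factorize(n):
        base = ec_mul(n // q, P, a, p)                 # (n/q) P has order exactly q
        xq = 0                                         # x mod q^k found so far
        for k in range(e):
            Qk = ec_add(Q, ec_mul(-xq, P, a, p), a, p)           # Q_k = Q - x_q P
            target = ec_mul(n // q ** (k + 1), Qk, a, p)         # = t * (n/q) P for a digit t < q
            t, T = 0, None
            while T != target:
                T, t = ec_add(T, base, a, p), t + 1
                if t > q:
                    raise ValueError("Q is not a multiple of P")
            xq += t * q ** k
        residues.append((xq, q ** e))
    return crt(residues)

if __name__ == "__main__":
    # E(F_1093): y^2 = x^3 + x + 1, P = (0,1), Q = aP = (413,959); the slides give N = 1067
    n1 = point_order((0, 1), 1, 1093)
    print("rho: a =", rho_dlog((0, 1), (413, 959), n1, 1, 1093), "mod", n1)
    # E(F_599): y^2 = x^3 + 1, P = (60,19), Q = aP = (277,239); N = 600 = 2^3 * 3 * 5^2
    n2 = point_order((60, 19), 0, 599)
    print("Pohlig-Hellman: a =", pohlig_hellman((60, 19), (277, 239), n2, 0, 599), "mod", n2)
```

The two functions make the lecture's security lesson concrete: `rho_dlog` costs about $\sqrt{N}$ group operations whatever the structure of $N$, so a 256-bit prime-order curve leaves an attacker with roughly $2^{128}$ work, while `pohlig_hellman` reduces the problem to the largest prime factor of $N$, so a curve whose group order is smooth (like $600 = 2^3 \cdot 3 \cdot 5^2$ here) is broken in a handful of steps no matter how large $p$ is. Checking that the order of the base point is a large prime is therefore part of validating any curve parameters.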
Three-Pass Protocol [Shamir 1980]
Private-key cryptography: a key-agreement protocol first gives Alice and Bob a shared key $k$; Alice sends $E_k(M)$ and Bob recovers $M = D_k(E_k(M))$.
Three-pass protocol: no shared key is needed, but the cipher must commute, i.e. $D_{k_1}(E_{k_2}(E_{k_1}(M))) = E_{k_2}(M)$.
1. Alice encrypts with her own key $k_1$ and sends $E_{k_1}(M)$ to Bob.
2. Bob super-encrypts with his own key $k_2$ and sends $E_{k_2}(E_{k_1}(M))$ back.
3. Alice decrypts with $k_1$, obtaining $E_{k_2}(M) = D_{k_1}(E_{k_2}(E_{k_1}(M)))$, and sends it to Bob.
4. Bob super-decrypts with $k_2$ and recovers $M$.
The protocol protects $M$ only against a passive eavesdropper; neither party is authenticated, so an active attacker can run the three passes with each side separately.
Massey-Omura Protocol [Massey, Omura 1986]
The three-pass protocol instantiated with scalar multiplication: $M \in E(\mathbb{F}_p)$ is a point of order $N$, and $k_1, k_2$ are integers coprime to $N$.
1. Encryption (Alice): $E_{k_1}(M) = k_1M$.
2. Super-encryption (Bob): $k_2(k_1M) = k_1k_2M$.
3. Decryption (Alice): $k_2M = (k_1)^{-1}(k_1k_2M)$, where $(k_1)^{-1}$ is an integer such that $(k_1)^{-1}k_1 \equiv 1 \pmod N$.
4. Super-decryption (Bob): $M = (k_2)^{-1}(k_2M)$.
Massey-Omura Protocol [cont.]
Example: $E(\mathbb{F}_5) = \{\mathcal{O}\} \cup \{(x, y) \mid y^2 = x^3 + x + 1\}$, and $M = (0, 1) \in E(\mathbb{F}_5)$ has order 9.
- $k_1 = 2$. Encryption: $k_1M = 2(0, 1) = (4, 2)$.
- $k_2 = 7$. Super-encryption: $k_2(k_1M) = 7(4, 2) = (3, 1)$.
- Decryption: $2 \cdot 5 = 10 \equiv 1 \pmod 9$, so $(k_1)^{-1} = 5$ and $k_2M = (k_1)^{-1}(k_1k_2M) = 5(3, 1) = (4, 3)$.
- Super-decryption: $7 \cdot 4 = 28 \equiv 1 \pmod 9$, so $(k_2)^{-1} = 4$ and $M = (k_2)^{-1}(k_2M) = 4(4, 3) = (0, 1)$.
Massey-Omura Protocol [cont.]
Integer → point on the elliptic curve: let $m$ be the positive integer we want to encode. Find $(x, y) \in E(\mathbb{F}_p)$ such that $100m \le x \le 100m + 99$: for $x = 100m, 100m + 1, \dots$ compute $s = x^3 + Ax + B$; $s = y^2$ for some $y \in \mathbb{F}_p$ if $s^{(p-1)/2} = 1$, and if $p \equiv 3 \pmod 4$ then $y = s^{(p+1)/4}$. (Each candidate $x$ succeeds with probability about $1/2$, so all 100 fail with probability about $2^{-100}$.)
Point on the elliptic curve → integer: $(x, y) \in E(\mathbb{F}_p)$ is decoded to $m = \lfloor x/100 \rfloor$.
Exercise 5
Let $p \equiv 3 \pmod 4$ be a prime number and $x, y \in \mathbb{F}_p$. Suppose $x = y^2$.
(a) Show that $x^{(p-1)/2} = 1$ and $x^{(p+1)/2} = x$.
(b) Show that $\left(y^{(p+1)/2}\right)^2 = y^2$.
(c) Show that $y^{(p+1)/2} = \pm y$.
(d) Show that $\left(x^{(p+1)/4}\right)^2 = x$.
(e) Show that $-1 \ne v^2$ for all $v \in \mathbb{Z}_p = \mathbb{F}_p$.
(f) Suppose $z \ne v^2$ for all $v \in \mathbb{Z}_p = \mathbb{F}_p$. Show that $-z = v^2$ for some $v \in \mathbb{Z}_p$.
(g) Suppose $z \ne v^2$ for all $v \in \mathbb{Z}_p = \mathbb{F}_p$. Show that $\left(z^{(p+1)/4}\right)^2 = -z$.
Public Key Cryptography
Private-key cryptography: a key-agreement protocol gives both parties the same key $k$; Alice computes $E_k(M)$ and Bob computes $D_k(E_k(M)) = M$.
Public-key cryptography: Bob has a key pair $(k_{pub}, k_{pri})$ and publishes $k_{pub}$ through a Certificate Authority (CA); Alice computes $E_{k_{pub}}(M)$ and Bob computes $D_{k_{pri}}(E_{k_{pub}}(M)) = M$.
ElGamal Public Key Encryption [ElGamal 1985]
- Key generation: choose $P \in E(\mathbb{F}_p)$ and $s \in \mathbb{Z}^+$; $k_{pub} = (P, B = sP)$, $k_{pri} = s$.
- Encryption of $M \in E(\mathbb{F}_p)$: choose a random $k \in \mathbb{Z}^+$ and output $E_{k_{pub}}(M) = (M_1, M_2)$ with $M_1 = kP$, $M_2 = M + kB$.
- Decryption: $D_{k_{pri}}(M_1, M_2) = M_2 - sM_1 = (M + kB) - s(kP) = M + k(sP) - skP = M$.
ElGamal Public Key Encryption (cont.)
Example: $E(\mathbb{F}_5) = \{\mathcal{O}\} \cup \{(x, y) \mid y^2 = x^3 + x + 1\}$, $P = (0, 1) \in E(\mathbb{F}_5)$ of order 9.
- Key generation: $s = 5$, $k_{pri} = s = 5$, $B = sP = 5(0, 1) = (3, 1)$, $k_{pub} = (P, B) = ((0, 1), (3, 1))$.
- Encryption of $M = (4, 2)$ with $k = 7$: $M_1 = kP = 7(0, 1) = (4, 3)$, $M_2 = M + kB = (4, 2) + 7(3, 1) = (0, 1)$.
- Decryption: $D_{k_{pri}}(M_1, M_2) = M_2 - sM_1 = (0, 1) - 5(4, 3) = (4, 2) = M$.
ElGamal Public Key Encryption (cont.)
ElGamal Problem Ver. I: given $P$, $sP$ (the public key), $kP$ and $M + skP$ (the ciphertext), find $M$.
Discrete Log: given $P$, $sP$, find $s$.
Anyone who can solve the discrete log recovers $s$ and then decrypts, so the ElGamal problem is at most as hard as the discrete logarithm in $\langle P \rangle$.
Digital Signature [Diffie, Hellman 1976]
In public-key encryption Alice encrypts with Bob's $k_{pub}$ (obtained from the CA) and Bob decrypts with his $k_{pri}$. For a digital signature the roles of the keys are reversed: Alice signs with her own $k_{pri}$ and anyone holding her $k_{pub}$ can verify.
Objective: Alice is sending a message $M$ to Bob.
1. Bob can be sure that the sender is really Alice.
2. Alice cannot deny that she sent the message.
3. No one can send a message claiming to be Alice.
Signing algorithm: Alice computes $S_{k_{pri}}(M)$ and sends $(M, S_{k_{pri}}(M))$.
Verification algorithm: Bob checks $V_{k_{pub}}(S_{k_{pri}}(M)) = M$?
ElGamal Digital Signatures [ElGamal 1985]
- Key generation: $a \in \mathbb{Z}^+$, $A \in E(\mathbb{F}_p)$ of order $N$; $k_{pri} = a$, $k_{pub} = (A, B = aA)$.
- Signing a message $m \in \mathbb{Z}^+$: choose a random integer $k$ (coprime to $N$, so that $k^{-1} \bmod N$ exists), compute $R = kA = (x_R, y_R)$ and $s = \frac{m - ax_R}{k} \pmod N$. The signed message is $(m, S_{k_{pri}}(m) = (R, s))$.
- Verification: is $x_RB + sR = mA$?
Correctness: $x_RB + sR = x_RaA + s(kA) = x_RaA + (m - ax_R)A = mA$.
Was $S_{k_{pri}}(M)$ really produced by Alice? Only someone who knows $a$ can produce an $s$ consistent with $B = aA$.
ElGamal Digital Signatures (cont.)
Example: $E(\mathbb{F}_5) = \{\mathcal{O}\} \cup \{(x, y) \mid y^2 = x^3 + x + 1\}$, $A = (0, 1) \in E(\mathbb{F}_5)$ of order 9.
- Key generation: $a = 2$, $k_{pri} = a = 2$, $B = aA = 2(0, 1) = (4, 2)$, $k_{pub} = (A, B)$.
- Signing $m = 5$ with the random integer $k = 7$: $R = kA = 7A = (4, 3)$, so $x_R = 4$, and $s = \frac{m - ax_R}{k} = \frac{5 - 2 \cdot 4}{7} = (-3) \cdot 7^{-1} = (-3)(4) \equiv 6 \pmod 9$. The signed message is $(m, (R, s)) = (5, ((4, 3), 6))$.
- Verification: $x_RB + sR = 4(4, 2) + 6(4, 3) = (0, 4) + (2, 4) = (3, 1)$, and $mA = 5(0, 1) = (3, 1)$. ✓
ElGamal Digital Signatures (cont.)
ElGamal Problem Ver. II (forgery): given $A$, $B = aA$ (the public key), $m$ (a message) and $m'$ (the forged message), find $R, s$ such that $x_RB + sR = m'A$.
Discrete Log: given $P$, $sP$, find $s$.
Anyone who can solve the discrete log recovers $a$ from $(A, B)$ and can then sign anything, so forging is at most as hard as the discrete logarithm.
Exercise 6
Suppose that the ElGamal signature scheme is used to produce the valid signed message $(m, R = (x_R, y_R), s)$. Let $h$ be an integer with $\gcd(h, N) = 1$, and assume $\gcd(x_R, N) = 1$. Let
$R' = (x_{R'}, y_{R'}) = hR$, $s' = s\,x_{R'}(x_R)^{-1}h^{-1} \pmod N$, $m' = m\,x_{R'}(x_R)^{-1} \pmod N$.
Show that $(m', R', s')$ is a valid signed message.
Digital Signature Algorithm [Vanstone 1992]
ElGamal's protocol: $a \in \mathbb{Z}^+$, $A \in E(\mathbb{F}_p)$, $k_{pri} = a$, $k_{pub} = (A, B = aA)$. Signing $m \in \mathbb{Z}^+$ with a random integer $k$: $R = kA = (x_R, y_R)$, $s = \frac{m - ax_R}{k} \pmod N$, $S_{k_{pri}}(M) = (R, s)$. Verification: $x_RB + sR = mA$? This costs 3 scalar multiplications ($x_RB$, $sR$ and $mA$).
DSA's protocol: the same keys and the same signing algorithm, but the verification equation is divided by $m$: $\frac{x_R}{m}B + \frac{s}{m}R = A$? With the scalars $x_Rm^{-1}$ and $sm^{-1}$ reduced modulo $N$, this costs only 2 scalar multiplications. (The standardised ECDSA signs a hash of the message instead, $s = k^{-1}(H(m) + ax_R) \bmod N$, and divides its verification equation by $s$; the saving of one scalar multiplication is the same.)
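The Massey-Omura exchange, ElGamal encryption, ElGamal signing with both verification forms (the three-multiplication ElGamal check and the two-multiplication DSA form), and the signature transformation of Exercise 6, all run on the lecture's toy curve $E(\mathbb{F}_5)$: $y^2 = x^3 + x + 1$ with $A = (0, 1)$ of order $N = 9$, reproducing the slide numbers. This is an added example, not code from the lecture; the helper names are ours, and `ec_mul` reduces its scalar modulo 9, which is valid here only because every point of this group has order dividing 9.

```python
# Added example (not from the lecture): the lecture's protocols on E(F_5): y^2 = x^3 + x + 1
# with base point A = (0,1) of order 9. Toy parameters only; real curves use ~256-bit N.
P5, A5, N9 = 5, 1, 9          # field prime, curve coefficient a, order of the base point
BASE = (0, 1)                 # the lecture's A (also its P / M in the other slides)

def ec_add(P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + A5*x + 1 over F_5; None is O."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P5 == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A5) * pow(2 * y1, -1, P5)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P5, -1, P5)
    x3 = (lam * lam - x1 - x2) % P5
    return (x3, (lam * (x1 - x3) - y1) % P5)

def ec_mul(k, P):
    """k*P by double-and-add; k is reduced modulo N9 (so a negative k multiplies -P)."""
    k %= N9
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def massey_omura(M, k1, k2):
    """Three-pass transcript (Alice holds k1, Bob k2): the three points on the wire and Bob's result."""
    c1 = ec_mul(k1, M)                                # pass 1, Alice -> Bob:  k1 M
    c2 = ec_mul(k2, c1)                               # pass 2, Bob -> Alice:  k2 k1 M
    c3 = ec_mul(pow(k1, -1, N9), c2)                  # pass 3, Alice -> Bob:  k1^-1 k1 k2 M = k2 M
    return c1, c2, c3, ec_mul(pow(k2, -1, N9), c3)    # Bob: k2^-1 k2 M = M

def elgamal_encrypt(B, M, k):
    """E_(A,B)(M) = (M1, M2) = (kA, M + kB) with ephemeral k."""
    return ec_mul(k, BASE), ec_add(M, ec_mul(k, B))

def elgamal_decrypt(s, M1, M2):
    """D_s(M1, M2) = M2 - s M1."""
    return ec_add(M2, ec_mul(-s, M1))

def elgamal_sign(a, m, k):
    """(R, s) with R = kA and s = (m - a x_R) k^-1 mod N; k must be coprime to N and never reused."""
    R = ec_mul(k, BASE)
    return R, (m - a * R[0]) * pow(k, -1, N9) % N9

def elgamal_verify(B, m, R, s):
    """ElGamal form: x_R B + s R == m A  (three scalar multiplications)."""
    return ec_add(ec_mul(R[0], B), ec_mul(s, R)) == ec_mul(m, BASE)

def dsa_form_verify(B, m, R, s):
    """Lecture's DSA form: (x_R/m) B + (s/m) R == A  (two scalar multiplications); needs gcd(m, N) = 1."""
    inv_m = pow(m % N9, -1, N9)
    return ec_add(ec_mul(R[0] * inv_m, B), ec_mul(s * inv_m, R)) == BASE

def exercise6_transform(m, R, s, h):
    """Exercise 6: from a valid (m, R, s) with gcd(h, N) = gcd(x_R, N) = 1 derive another valid triple."""
    Rp = ec_mul(h, R)                                 # R' = hR
    xR_inv = pow(R[0] % N9, -1, N9)
    sp = s * Rp[0] * xR_inv * pow(h % N9, -1, N9) % N9   # s' = s x_R' x_R^-1 h^-1
    mp = m * Rp[0] * xR_inv % N9                         # m' = m x_R' x_R^-1
    return mp, Rp, sp

if __name__ == "__main__":
    print("Massey-Omura transcript:", massey_omura(BASE, 2, 7))   # (4,2), (3,1), (4,3), (0,1)
    B = ec_mul(5, BASE)                               # ElGamal PKE key pair: s = 5, B = 5A = (3,1)
    M1, M2 = elgamal_encrypt(B, (4, 2), 7)
    print("ElGamal PKE:", (M1, M2), "->", elgamal_decrypt(5, M1, M2))
    B = ec_mul(2, BASE)                               # signature key pair: a = 2, B = 2A = (4,2)
    R, s = elgamal_sign(2, 5, 7)
    print("signature on m=5:", (R, s), elgamal_verify(B, 5, R, s), dsa_form_verify(B, 5, R, s))
    print("Exercise 6 with h=8:", exercise6_transform(5, R, s, 8))
```

Two things this makes visible. First, because the slides sign the raw integer $m$, the Exercise 6 transformation turns one captured signature into a valid signature on a different $m'$ that the attacker does not control but the verifier accepts; standardised schemes sign $H(m)$ precisely so that $m'$ cannot be made meaningful. Second, `elgamal_sign` takes $k$ as a parameter only to reproduce the slide; in practice $k$ must be fresh and uniformly random per signature, since two signatures with the same $k$ reveal $a$ by elimination, just as in the DSA/ECDSA nonce-reuse attacks.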
Pairing-Based Cryptography
Diffie-Hellman Exchange Protocol (two parties)
1. Alice generates $P \in E(\mathbb{F}_p)$.
2. Alice generates a positive integer $a$ and sends $aP$ (together with $P$) to Bob.
3. Bob generates a positive integer $b$ and sends $bP$ to Alice.
4. Alice computes $a(bP) = abP$ and Bob computes $b(aP) = abP$; the shared secret is $abP$.
Three-Party DHE (Alice, Bob and Charlie, with secrets $a, b, c$): each publishes $aP$, $bP$, $cP$. Without a pairing this is not enough; the figure shows a second exchange in which $abP$, $acP$ and $bcP$ are sent before each party can compute $abcP$.
Bilinear Function
$e : E(\mathbb{F}_p) \times E(\mathbb{F}_p) \to G$ with $e(aP, bQ) = e(P, Q)^{ab}$, and $e(P, Q) \ne 1$ if $P, Q \ne \mathcal{O}$.
Three-Party DHE with Pairing (one round)
Alice, Bob and Charlie publish $aP$, $bP$, $cP$. Alice computes $e(bP, cP) = e(P, P)^{bc}$ and then $(e(P, P)^{bc})^a = e(P, P)^{abc}$; Bob computes $e(aP, cP)^b$ and Charlie computes $e(aP, bP)^c$, which are the same value. The shared secret is $e(P, P)^{abc} \in G$.