Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
|
|
- Britney Blake
- 6 years ago
- Views:
Transcription
1 Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
2 Ciphering a message Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
3 The discrete log problem Given G and g, h G, ask What is α such that g α = h? If exponentiation is fast but the DLP is hard, this is a good problem for cryptography. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
4 Cryptography using DLP Preparation of receiver: Fix G, g G and k Z Publish G, g and h = g k Encryption of m by sender: Choose y Send c 1 = g y and c 2 = mh y Decryption by receiver: c 2 c k 1 = mh y g ky = mg ky g ky = m. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
5 The DLP and elliptic curves The group G is going to be E(F q ) for some elliptic curve, in which case g and h are points on E and we are trying to find an integer k with kg = h. One way of attacking a discrete log problem is simple brute force: try all possible values of k until one works. This is impractical when the answer k can be an integer of several hundred digits, which is a typical size used in cryptography. Therefore, better techniques are needed. One might wonder why elliptic curves are used in cryptographic situations. The reason is that elliptic curves provide security equivalent to classical systems while using fewer bits. For example, it is estimated that a key size of 4096 bits for RSA gives the same level of security as 313 bits in an elliptic curve system. This means that implementations of elliptic curve cryptosystems require smaller chip size, less power consumption, etc. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
6 Diffie-Hellman Key Exchange 1. Alice and Bob agree on an elliptic curve E over a finite field F q such that the discrete logarithm problem is hard in E(F q ). They also agree on a point P E(F q ) such that the subgroup generated by P has large order (usually, the curve and point are chosen so that the order is a large prime). 2. Alice chooses a secret integer a, computes P a = ap, and sends P a to Bob. 3. Bob chooses a secret integer b, computes P b = bp, and sends P b to Alice. 4. Alice computes ap b = abp. 5. Bob computes bp a = bap. 6. Alice and Bob use some publicly agreed on method to extract a key from abp. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
7 Diffie-Hellman Key Exchange For example, they could use the last 256 bits of the x-coordinate of abp as the key. Or they could evaluate a hash function at the x-coordinate. The only information that the eavesdropper Eve sees is the curve E, the finite field F q, and the points P, ap, and bp. She therefore needs to solve the following: DIFFIE-HELLMAN PROBLEM Given P, ap,and bp in E(F q ), compute abp. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
8 The Index-Calculus Let p be a prime and let g be primitive root mod p, which means that g is a generator for the cyclic group F p. In other words, every h 0 (mod p) can be written in the form h g k for some integer k that is uniquely determined mod p 1. Let k = L(h) denote the discrete logarithm of h with respect to g and p, so Suppose we have h 1 and h 2. Then g L(h) h (mod p). g L(h 1h 2 ) h 1 h 2 g L(h 1)+L(h 2 ) (mod p), which implies that L(h 1 h 2 ) L(h 1 ) + L(h 2 ) (mod p 1). Therefore, L changes multiplication into addition, just like the classical logarithm function. The index calculus is a method for computing values of the discrete log function L. The idea is to compute L(l) for several small primes l, then use this information to compute L(h) for arbitrary h. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
9 The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
10 The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
11 The Index-Calculus Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
12 The Index-Calculus The choice of the size of the factor base B is important. If B is too small, then it will be very hard to find powers of g that factor with primes in B. If B is too large, it will be easy to find relations, but the linear algebra needed to solve for the logs of the elements of B will be enormous. An example that was completed in 2001 by A. Joux and R. Lercier used the first 1 million primes to compute discrete logs mod a 120-digit prime. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
13 Baby Step - Giant Step We have elements P, Q G cyclic of order N, and we are trying to find k Z such that kp = Q. The Baby Step - Giant Step developed by Shanks goes as follows: Fix an integer m N and compute mp. Make and store a list of ip for 0 i < m. Compute the points Q jmp for j = 0, 1,..., m 1 until one matches an element from the stored list. If ip = Q jmp, we have Q = kp with k i + jm(mod (N)). we did not need to know the exact order N of G. We only required an upper bound for N. Therefore, for elliptic curves over F q, we could use this method with m 2 q q. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
14 Baby Step - Giant Step Example Let G = E(F 41 ), where E : y 2 = x 3 + 2x + 1. Let P = (0, 1) and Q = (30, 40). We know #G 54, so we let m = 8. The points ip for 1 i 7 are (0, 1), (1, 39), (8, 23), (38, 38), (23, 23), (20, 28), (26, 9). We calculate Q jmp for j = 0, 1, 2 and obtain (30, 40), (9, 25), (26, 9), at which point we stop since this third point matches 7P. Since j = 2 yielded the match, we have Therefore, k = 23. (30, 40) = ( )P = 23P. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
15 Pollard s ρ (Same time that Baby - Step, Giant - Step, but very little storage needed) Let G be a finite group of order N. Choose a function f : G G that behaves rather randomly. Then start with a random element P 0 and compute the iterations P i+1 = f (P i ). Since G is a finite set, there will be some indices i 0 < j 0 such that P i0 = P j0. Then P i0 +l = P j0 +l for all l 0. Therefore, the sequence P i is periodic with period j 0 i 0. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
16 Pollard s ρ (Same time that Baby - Step, Giant - Step, but very little storage needed) Let G be a finite group of order N. Choose a function f : G G that behaves rather randomly. Then start with a random element P 0 and compute the iterations P i+1 = f (P i ). Since G is a finite set, there will be some indices i 0 < j 0 such that P i0 = P j0. Then P i0 +l = P j0 +l for all l 0. Therefore, the sequence P i is periodic with period j 0 i 0. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
17 Pollard s ρ If f is a randomly chosen random function, then we expect to find a match with j 0 at most a constant times N. A naive implementation of the method stores all the points P i until a match is found. This takes around N storage, which is similar to Baby Step, Giant Step. However, it is possible to do much better at the cost of a little more computation. The key idea is that once there is a match for two indices differing by d, all subsequent indices differing by d will yield matches. This is just the periodicity mentioned above. Therefore, we can compute pairs (P i, P 2i ) for i = 1, 2,..., but only keep the current pair. The problem remains of how to choose a suitable function f. Besides having f act randomly, we need to be able to extract useful information from a match. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
18 Pollard s ρ Divide G into s disjoint subsets S 1, S 2,..., S s of approximately the same size. Choose 2s random integers a i, b i mod N. Let M i = a i P + b i Q. Finally, define f (g) = g + M i if g S i. Choose random integers a 0, b 0 and let P 0 = a 0 P + b 0 Q be the starting point for the random walk. While computing the points P j, we also record how these points are expressed in terms of P and Q. If P j = u j P + v j Q and P j+1 = P j + M i, then P j+1 = (u j + a i )P + (v j + b i )Q, so (u j+1, v j+1 ) = (u j, v j ) + (a i, b i ). Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
19 Pollard s ρ When we find a match P j0 = P i0, then we have u j0 P + v j0 Q = u i0 P + v i0 Q, hence (u i0 u j0 )P = (v j0 v i0 )Q. If gcd(v j0 v i0, N) = d, we have k (v j0 v i0 ) 1 (u i0 u j0 )(mod N/d). This gives us d choices for k. Usually, d will be small, so we can try all possibilities until we have Q = kp. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
20 Pollard s ρ Let G = E(F 1093 ), with E : y 2 = x 3 + x + 1. We take s = 3 and P = (0, 1) and Q = (413, 959). The order of P is We want to find k such that kp = Q. Let P 0 = 3P + 5Q, M 0 = 4P + 3Q, M 1 = 9P + 17Q, and M 2 = 19P + 6Q. Let f : E(F 1093 ) E(F 1093 ) be defined by f (x, y) = (x, y) + Mi if x i(mod 3). If we compute P 0, P 1 = f (P 0 ), P 2 = f (P 1 ),..., we obtain... Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
21 Pollard s ρ P 0 = (326, 69), P 1 = (727, 589), P 2 = (560, 365), P 3 = (1070, 260), P 4 = (473, 903), P 5 = (1006, 951), P 6 = (523, 938),..., P 57 = (895, 337), P 58 = (1006, 951), P 59 = (523, 938),... The sequence starts repeating at P 5 = P 58. We find that P 5 = 88P + 46Q and P 58 = 685P + 620Q. Therefore, = P 58 P 5 = 597P + 574Q. Since P has order 1067 and (mod 1067), we get Q = 499P, so k = 499. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
22 The Pohlig-Hellman Method Let P, Q be elements in a group G and we want to find an integer k with Q = kp. We also know the order N of P and we know the prime factorization N = i of N. The idea of Pohlig-Hellman is to find k (mod q e i i ) for each i, then use the Chinese Remainder theorem to combine these and obtain k(mod N). Let q be a prime, and let q e be the exact power of q dividing N. Write k in its base q expansion as q e i i k = k 0 + k 1 q + k 2 q with 0 k i < q. We evaluate k (mod q e ) by successively determining k 0, k 1,..., k e 1. The procedure is as follows. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
23 The Pohlig-Hellman Method ( ) 1. Compute T = {j N q P 0 j q 1}. ( ) 2. Compute N q Q. This will be an element k N 0 q P of T. 3. If e = 1, stop. Otherwise, continue. 4. Let Q 1 = Q k 0 P. 5. Compute N q 2 Q 1. This will be an element k 1 ( N q P ) of T. 6. If e = 2, stop. Otherwise, continue. 7. Suppose we have computed k 0, k 1,..., k r 1, and Q 1,..., Q r Let Q r = Q r 1 k r 1 q r 1 P. 9. Determine k r such that N q r+1 Q r = k r ( N q P ). 10. If r = e 1, stop. Otherwise, return to step (7). Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
24 The Pohlig-Hellman Method Then Why does this work? We have k k 0 + k 1 q k e 1 q e 1 (mod q e ). N q Q = N q (k N 0 + k 1 q +...)P = k 0 q P + (k N 1 + k 2 q +...)NP = k 0 q P, since NP =. Therefore, step (2) finds k 0. Then Q 1 = Q k 0 P = (k 1 q + k 2 q )P, so N q 2 Q 1 = (k 1 + k 2 q +...) N q P = = k 1 N q P + (k 2 + k 3 q +...)NP = k 1 N q P. Therefore, we find k 1. Similarly, the method produces k 2, k 3,... We have to stop after r = e 1. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
25 The Pohlig-Hellman Method Example. Let G = E(F 599 ), where E : y 2 = x Let P = (60, 19) and Q = (277, 239). P has order N = 600. We want to solve Q = kp for k. The factorization of N is 600 = We will compute k mod 8, mod 3, and mod 25, then recombine to obtain k mod 600. k mod 8. We compute T = {, (598, 0)}. Since ( ) N (N/2)Q = = 0 2 P, we have k 0 = 0. Therefore, Q 1 = Q 0P = Q. Since (N/4)Q 1 = 150Q 1 = (598, 0) = 1 N 2 P, we have k 1 = 1. Therefore, Q 2 = Q P = (35, 243). Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
26 The Pohlig-Hellman Method Example. (Cont.) Since (N/8)Q 2 = 75Q 2 = = 0 N 2 P, we have k 2 = 0. Therefore, k = (mod 8). k mod 3. We have k 2 (mod 3). k mod 25. We have k = (mod 25). We now have the simultaneous congruences x 2 (mod 8) x 2 (mod 3) x 16 (mod 25). These combine to yield k 266 (mod 600), so k = 266. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
27 The MOV Attack One strategy for attacking a discrete logarithm problem is to reduce it to an easier discrete logarithm problem. This can often be done with pairings such as the Weil pairing, which reduce a discrete logarithm problem on an elliptic curve to one in the multiplicative group of a finite field. The MOV attack, named after Menezes, Okamoto, and Vanstone, uses the Weil pairing to convert a discrete log problem in E(F q ) to one in F q m. Since discrete log problems in finite fields can be attacked by index calculus methods, they can be solved faster than elliptic curve discrete log problems, as long as the field F q m is not much larger than F q. For supersingular curves, we can usually take m = 2, so discrete logarithms can be computed more easily for these curves than for arbitrary elliptic curves. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
28 The CM method Let E be an elliptic curve over a finite field F q. The number of points #E(F q ) = q + 1 t, where t is the trace of the Frobenius endormopshim φ q that satisfies φ 2 q tφ q + q = 0. The endomorphism ring End(E) Q is an imaginary quadratic field if E is not supersingular (otherwise it is a definite quaternion algebra). Let us write K = Q( d) = End(E) Q with d 0, 1 mod 4 and d or d/4 square-free. Then Disc(K) = d. On the other hand, φ q = a + b + 2 with: t = 2a + b, and q = a 2 + ab + b 2 2 /4 b 2 /4 Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
29 The CM method The lattice Λ = 1, τ with τ = + 2 defines an elliptic curve C/Λ with CM by End(E) = O K. The j invariant associated to it is j(q) = 1 q q q q q , where q = exp(2πiτ). This number is an algebraic integer (Shimura). Definition The Hilbert polynomial associated to an order O K is H O (x) = (x j(e)). Theorem (Shimura) The polynomial H O (x) Z[x]. E has CM by O Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
30 The CM method Let us take q = 59 and let us construct an elliptic curve with 48 = t points. We have t = 12, and we can take = 23 and a = 29 and b = 2. H 23 (X ) = X X X Modulo 59, we have H 23 (x) = (x 20)(x 42)(x 44). We take j = 20 and we get E : y 2 = x x This is the right twist. Elisa Lorenzo García (Rennes 1) Elliptic Curves / 29
Elliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationElliptic Curve Cryptography with Derive
Elliptic Curve Cryptography with Derive Johann Wiesenbauer Vienna University of Technology DES-TIME-2006, Dresden General remarks on Elliptic curves Elliptic curces can be described as nonsingular algebraic
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationElliptic Curve Cryptosystems
Elliptic Curve Cryptosystems Santiago Paiva santiago.paiva@mail.mcgill.ca McGill University April 25th, 2013 Abstract The application of elliptic curves in the field of cryptography has significantly improved
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationPoints of High Order on Elliptic Curves ECDSA
! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationElliptic Curves: Theory and Application
s Phillips Exeter Academy Dec. 5th, 2018 Why Elliptic Curves Matter The study of elliptic curves has always been of deep interest, with focus on the points on an elliptic curve with coe cients in certain
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationDiscrete Logarithm Computation in Hyperelliptic Function Fields
Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationElliptic curves: Theory and Applications. Day 3: Counting points.
Elliptic curves: Theory and Applications. Day 3: Counting points. Elisa Lorenzo García Université de Rennes 1 13-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 3 13-09-2017 1 / 26 Counting points:
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationPUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS
PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS DELARAM KAHROBAEI, CHARALAMBOS KOUPPARIS, AND VLADIMIR SHPILRAIN Abstract. We offer a public key exchange protocol in the spirit of Diffie-Hellman, but
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationAttacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)
Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP) Mrs.Santoshi Pote 1, Mrs. Jayashree Katti 2 ENC, Usha Mittal Institute of Technology, Mumbai, India 1 Information Technology,
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationSEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY
SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY OFER M. SHIR, THE HEBREW UNIVERSITY OF JERUSALEM, ISRAEL FLORIAN HÖNIG, JOHANNES KEPLER UNIVERSITY LINZ, AUSTRIA ABSTRACT. The area of elliptic curves
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationElliptic Curve Computations (1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x 3 x over the real number field R.
Elliptic Curve Computations (1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x 3 x over the real number field R. >> v = y^2 - x*(x-1)*(x+1) v = y^2 - x*(x-1)*(x+1) >> ezplot(v, [-1,3,-5,5])
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationMath/Mthe 418/818. Review Questions
Math/Mthe 418/818 Review Questions 1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)). 2. Can φ(n) be computed in polynomial
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationAPA: Estep, Samuel (2018) "Elliptic Curves" The Kabod 4( 2 (2018)), Article 1. Retrieved from vol4/iss2/1
The Kabod Volume 4 Issue 2 Spring 2018 Article 1 February 2018 Elliptic Curves Samuel Estep Liberty University, sestep@liberty.edu Follow this and additional works at: http://digitalcommons.liberty.edu/kabod
More informationElliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography
Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationElliptic Curve Cryptology. Francis Rocco
Elliptic Curve Cryptology By Francis Rocco Submitted in partial fulfillment of the requirements for Honors in the Department of Mathematics Union College March, 2017 ABSTRACT ROCCO, FRANCIS Elliptic Curve
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 17: Elliptic Curves and Applications Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline We previously looked at discrete
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationAN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM
AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationPublic Key Encryption
Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationExplicit Complex Multiplication
Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,
More informationarxiv: v3 [cs.cr] 15 Jun 2017
Use of Signed Permutations in Cryptography arxiv:1612.05605v3 [cs.cr] 15 Jun 2017 Iharantsoa Vero RAHARINIRINA ihvero@yahoo.fr Department of Mathematics and computer science, Faculty of Sciences, BP 906
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationFinite Fields and Elliptic Curves in Cryptography
Finite Fields and Elliptic Curves in Cryptography Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography 1 Overview Public-key vs. symmetric cryptosystem
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationCONTEMPORARY CRYPTOSYSTEMS
CONTEMPORARY CRYPTOSYSTEMS TIAN MA Abstract. This paper mainly focuses on contemporary cryptography principles and methods, and how number theory and elliptic cruves are used to establish the foundations
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationCourse Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week
Course Business Homework 3 Due Now Homework 4 Released Professor Blocki is travelling, but will be back next week 1 Cryptography CS 555 Week 11: Discrete Log/DDH Applications of DDH Factoring Algorithms,
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More information