CDH/DDH-Based Encryption. K&L Sections , 11.4.
- Eric Armstrong
- 5 years ago
1 CDH/DDH-Based Encryption K&L Sections ,
2 Cyclic groups
A finite group $G$ of order $q$ is cyclic if it has an element $g$ of order $q$. In this case, $G = \langle g \rangle = \{g^0, g^1, g^2, \ldots, g^{q-1}\}$; $G$ is said to be generated by $g$, and $g$ is a generator.
In any group (not necessarily finite or cyclic), if $g$ is an element of finite order $q$, then $\langle g \rangle = \{g^0, g^1, g^2, \ldots, g^{q-1}\}$ is a cyclic group of order $q$.
Note: in general, $\langle g \rangle$ denotes the subgroup generated by $g$.
Note: we implicitly assume multiplicative groups, and will write the identity of the group as 1.
Recall: For any element $a \in G$, $a^m = a^{m \bmod |G|}$.
3 Discrete logarithm problem (DLP)
Let $G$ be a cyclic group of order $q$, and let $g$ be any generator. So, $G = \langle g \rangle = \{g^0, g^1, g^2, \ldots, g^{q-1}\}$.
For any $h \in G$, there is a unique $x \in \mathbb{Z}_q$ such that $g^x = h$. This integer $x$ is called the discrete logarithm (or index) of $h$ with respect to base $g$. We write $\log_g h = x$.
Standard logarithm rules still hold: $\log_g 1 = 0$, $\log_g(h_1 h_2) = (\log_g h_1 + \log_g h_2) \bmod q$, $\log_g(h^k) = (k \log_g h) \bmod q$.
The DLP in $G$ with base $g$ is to compute $\log_g h$ for any $h \in G$.
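4 DLP in $\mathbb{Z}_p^*$
Theorem: If $p$ is prime, then $\mathbb{Z}_p^*$ is a cyclic group of order $p - 1$.
Let $g$ be any generator of $\mathbb{Z}_p^*$. Then $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\} = \{g^0, g^1, g^2, \ldots, g^{p-2}\}$ and $\mathbb{Z}_{p-1} = \{0, 1, 2, \ldots, p-2\}$.
DLP: given $g^x \in \mathbb{Z}_p^*$, compute $x$.
There is a subexponential-time algorithm for DLP in $\mathbb{Z}_p^*$: Index Calculus, $O(2^{O(\sqrt{n \log n})})$, where $n = \log p$.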
5 Frequently used groups
- $\mathbb{Z}_p^* = \{g^0, g^1, g^2, \ldots, g^{p-2}\}$, where $p$ is a large prime, and $g$ is a generator.
- A subgroup of $\mathbb{Z}_p^*$ of prime order $q$, //less secure// $G_q = \langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{q-1}\}$, where $\alpha \in \mathbb{Z}_p^*$ is an element of prime order $q$ (e.g. $\alpha = g^{(p-1)/q}$).
- Elliptic curves defined over finite fields. The Index Calculus doesn't work. //increasingly popular//
In these groups, there is no polynomial-time algorithm known for DLP.
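6 Example 1
$G = \mathbb{Z}_{19}^* = \{1, 2, \ldots, 18\}$. 2 is a generator: $\mathbb{Z}_{19}^* = \langle 2 \rangle = \{2^0, 2^1, 2^2, \ldots, 2^{17}\}$.
$2^0 = 1$, $2^1 = 2$, $2^2 = 4$, $2^3 = 8$, $2^4 = 16$, $2^5 = 13$, $2^6 = 7$, $2^7 = 14$, ...
$\log_2 7 = 6$
$\log_2 14 = 7$
$\log_2 12 = ?$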
7 Example 2
$\mathbb{Z}_{11}^* = \{1, 2, \ldots, 10\}$. $G = G_5 = \langle 3 \rangle = \{1, 3, 9, 5, 4\}$.
3 is a generator of $G$, but not a generator of $\mathbb{Z}_{11}^*$.
$\log_3 5 = 3$
$\log_3 10$ = not defined
8 Example 3
DLP in the additive group $\mathbb{Z}_N$. Every $g \neq 0$ coprime to $N$ is a generator.
DLP: given $k g$, compute $k$.
9 RSA vs. Discrete Logarithm
RSA is a one-way trapdoor function:
- $x \mapsto x^e$ via $\mathrm{RSA}_e$ (easy)
- $x^e \mapsto x$ via $\mathrm{RSA}_e^{-1}$ (difficult)
- $x^e \mapsto (x^e)^d = x$ via $\mathrm{RSA}_d$ ($d$ is a trapdoor)
Exponentiation is a one-way function without a trapdoor:
- $x \mapsto g^x$ via $\exp_g$ (easy)
- $g^x \mapsto x$ via $\log_g$ (difficult)
An encryption scheme based on the difficulty of discrete log will not simply encrypt $x$ as $g^x$.
10 Diffie-Hellman key agreement
$G = \{g^0, g^1, g^2, \ldots, g^{q-1}\}$, a cyclic group of order $q$. $\mathbb{Z}_q = \{0, 1, 2, \ldots, q-1\}$.
Alice and Bob wish to set up a secret key.
1. They agree on $(G, g, q)$.
2. Alice → Bob: $g^x$, where $x \in_u \mathbb{Z}_q$.
3. Alice ← Bob: $g^y$, where $y \in_u \mathbb{Z}_q$.
4. The agreed-on key: $g^{xy}$.
Remark: in practice, $(G, g, q)$ is standardized, and there is a mapping between bit strings and the elements of $G$.
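11 Diffie-Hellman key agreement using $\mathbb{Z}_p^*$
$\mathbb{Z}_p^* = \{g^0, g^1, g^2, \ldots, g^{p-2}\}$, $p$ a large prime. $\mathbb{Z}_{p-1} = \{0, 1, 2, \ldots, p-2\}$.
Alice and Bob wish to set up a secret key.
1. Alice and Bob agree on a large prime $p$ and a generator $g \in \mathbb{Z}_p^*$. ($p$, $g$ not secret)
2. Alice → Bob: $g^x \bmod p$, where $x \in_u \mathbb{Z}_{p-1}$.
3. Alice ← Bob: $g^y \bmod p$, where $y \in_u \mathbb{Z}_{p-1}$.
4. They agree on the key: $g^{xy} \bmod p$.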
12 Diffie-Hellman problems
$G = \{g^0, g^1, g^2, \ldots, g^{q-1}\}$, a cyclic group of order $q$. $\mathbb{Z}_q = \{0, 1, 2, \ldots, q-1\}$.
Computational Diffie-Hellman (CDH) Problem: given $g^x, g^y \in G$, where $x, y \in_u \mathbb{Z}_q$, compute $g^{xy}$.
Decisional Diffie-Hellman (DDH) Problem: given $g^x, g^y, h \in G$, where $x, y \in_u \mathbb{Z}_q$, and $h = g^{xy}$ with probability 1/2, $h$ = a random element in $G$ with probability 1/2, determine if $h = g^{xy}$.
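13 Relationships between DDH, CDH, DLP
DDH $\le$ CDH $\le$ DLP, where $A \le B$ means that $A$ is no harder than $B$ (an algorithm for $B$ yields one for $A$).
Open question: Is CDH equivalent to DLP?
There are examples of groups (e.g., $\mathbb{Z}_p^*$) in which CDH and DLP are believed to be hard, but DDH is easy.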
14 ElGamal encryption scheme
$G = \{g^0, g^1, g^2, \ldots, g^{q-1}\}$, $\mathbb{Z}_q = \{0, 1, 2, \ldots, q-1\}$.
Keys: $sk = (G, g, q, x)$, $pk = (G, g, q, h)$, where $x \in_u \mathbb{Z}_q$, $h = g^x$.
To encrypt a message $m \in G$:
- Use Diffie-Hellman agreement to set up a "key" $k \in G$ by choosing $y \in_u \mathbb{Z}_q$ and computing $k := h^y$ $(= g^{xy})$.
- Use $k$ to encrypt $m$ as $k \cdot m \in G$.
- The ciphertext is $(g^y, k \cdot m) = (g^y, h^y \cdot m)$.
Decryption: $\mathrm{Dec}_{sk}(c_1, c_2) = c_2 / c_1^{x}$.
15 ElGamal encryption in $\mathbb{Z}_p^*$
1. Key generation (e.g. for Alice): choose a large prime $p$ and a generator $g \in \mathbb{Z}_p^*$, where $p - 1$ has a large prime factor; randomly choose a number $x$ and compute $h = g^x$; let $sk = (p, g, x)$ and $pk = (p, g, h)$.
2. Encryption: $\mathrm{Enc}_{pk}(m) = (g^y, h^y m)$, where $m \in \mathbb{Z}_p^*$ and $y$ is chosen uniformly at random.
3. Decryption: $\mathrm{Dec}_{sk}(c_1, c_2) = c_2 / c_1^{x}$.
4. Remarks: Multiplications are done in $\mathbb{Z}_p^*$, i.e., modulo $p$. The encryption scheme is randomized.
16 Security of ElGamal encryption
Theorem: If the DDH problem is hard, then the ElGamal encryption scheme is CPA-secure.
ElGamal encryption is homomorphic and thus not CCA-secure.
17 Homomorphism of ElGamal encryption
A function $f: G \to G$ is homomorphic if $f(xy) = f(x) f(y)$.
ElGamal encryption is homomorphic, $E(m m') = E(m) E(m')$, in the following sense:
If $E(m) = (g^y, m h^y)$ and $E(m') = (g^{y'}, m' h^{y'})$, then
$E(m) E(m') = (g^y, m h^y)(g^{y'}, m' h^{y'}) = (g^y g^{y'}, m h^y m' h^{y'}) = (g^{y+y'}, m m' h^{y+y'})$
is a valid encryption of $m m'$.
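The scheme of slides 14-17 in running form, as an added example (not code from the lecture): it shows the product of two ciphertexts decrypting to the product of the plaintexts, and why that same property rules out CCA security, since a decryption oracle that refuses the challenge ciphertext will still decrypt a scaled copy of it. The parameters p = 2039, q = 1019, g = 4 and all function names are constructed for illustration and are far too small for real use.

```python
import secrets

# Constructed toy parameters (not from the slides): p = 2q + 1 with p, q prime,
# and g = 4 generating the order-q subgroup G of Z_p^*.
P, Q, G = 2039, 1019, 4


def in_group(a):
    """a is in G (the order-q subgroup) iff 0 < a < p and a^q = 1 mod p."""
    return 0 < a < P and pow(a, Q, P) == 1


def keygen():
    """Return (x, h): secret exponent x in Z_q and public element h = g^x."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)


def encrypt(h, m, y=None):
    """Enc(m) = (g^y, h^y * m); y is fresh per message unless fixed for a test."""
    if not in_group(m):
        raise ValueError("message must be an element of G")
    if y is None:
        y = secrets.randbelow(Q)
    return pow(G, y, P), pow(h, y, P) * m % P


def decrypt(x, c):
    """Dec(c1, c2) = c2 / c1^x, after checking both components lie in G."""
    c1, c2 = c
    if not (in_group(c1) and in_group(c2)):
        raise ValueError("ciphertext component outside G")
    return c2 * pow(pow(c1, x, P), -1, P) % P


def ct_mul(c, d):
    """Component-wise product: an encryption of m*m' under randomness y+y'."""
    return c[0] * d[0] % P, c[1] * d[1] % P


def scale(c, t):
    """Turn Enc(m) into Enc(m*t) without any key material."""
    return c[0], c[1] * t % P


def cca_distinguish(challenge, m0, dec_oracle):
    """CCA game: the oracle rejects `challenge` itself but decrypts a scaled copy."""
    t = pow(G, 3, P)                      # any element of G other than 1
    related = scale(challenge, t)
    assert related != challenge
    m = dec_oracle(related) * pow(t, -1, P) % P
    return 0 if m == m0 else 1


def demo():
    """Return (homomorphism holds, CCA distinguisher guessed the hidden bit)."""
    x, h = keygen()
    m0, m1 = pow(G, 5, P), pow(G, 7, P)
    product_ok = decrypt(x, ct_mul(encrypt(h, m0), encrypt(h, m1))) == m0 * m1 % P

    bit = secrets.randbelow(2)
    challenge = encrypt(h, (m0, m1)[bit])

    def oracle(c):
        if c == challenge:
            raise PermissionError("challenge ciphertext may not be queried")
        return decrypt(x, c)

    return product_ok, cca_distinguish(challenge, m0, oracle) == bit


if __name__ == "__main__":
    print(demo())
```

Deployed schemes close this gap by wrapping the Diffie-Hellman step in a construction that rejects modified ciphertexts, rather than exposing the raw scheme to callers who can obtain decryptions.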
18 Elliptic Curve Cryptography K&L Section
19 Field
A field, denoted by $(F, +, \cdot)$, is a set $F$ with two binary operations, $+$ and $\cdot$, such that
1. $(F, +)$ is an abelian group (with identity 0).
2. $(F \setminus \{0\}, \cdot)$ is an abelian group (with identity 1).
3. For all elements $a \in F$, $0 \cdot a = a \cdot 0 = 0$.
4. For all $x, y, z \in F$, $x \cdot (y + z) = x \cdot y + x \cdot z$ (distributive).
Example fields: ( , +, ·), ( , +, ·), ( , +, ·).
$(\mathbb{Z}, +, \cdot)$ is not a field, because there is no $z' \in \mathbb{Z}$ with $z z' = 1$ (except for $z = \pm 1$).
For any prime $p$, $(\mathbb{Z}_p, +, \cdot)$ is a field, denoted as $F_p$.
20 The equation of an elliptic curve
An elliptic curve is a curve given by $y^2 = x^3 + ax + b$.
It is required that the discriminant $\Delta = 4a^3 + 27b^2 \neq 0$. When $\Delta \neq 0$, the polynomial $x^3 + ax + b$ has distinct roots, and the curve is said to be nonsingular.
For reasons to be explained later, we introduce an additional point, $O$, called the point at infinity, so the elliptic curve is the set
$E = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{O\}$
21 We are often interested in points on the curve of specific coordinates:
$E(\ ) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{O\}$
$E(\ ) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{O\}$
$E(\ ) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{O\}$
$E(\ ) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{O\}$
$E(F_p) = \{(x, y) \in F_p \times F_p : y^2 = x^3 + ax + b\} \cup \{O\}$
22 Example: [figure: plot of an example elliptic curve $E$]
23 Making an elliptic curve into a group
Amazing fact: we can use geometry to make the points of an elliptic curve into a group.
Suppose $P \neq Q$. Then define $P + Q = R$.
[Figure: the points P, Q, -R and R on the curve]
24 Suppose $P = Q$. Then define $P + Q = 2P = R$.
[Figure: the points P = Q, -R and R = 2P on the curve]
25 What if $P = (x, y)$, $Q = (x, -y)$, so that $PQ$ is vertical?
In this case, we define $P + Q = O$. This is why we added the extra point $O$ into the curve.
[Figure: the points P = (x, y) and -P = Q = (x, -y) on the curve]
26 Now having defined $P + Q$ for $P, Q \neq O$, we still need to define $P + O$.
Let $O$ play the role of identity, and define $P + O = O + P = P$.
Now every point $P = (x, y)$ has an inverse: $-P = (x, -y)$.
[Figure: the points P = (x, y) and -P = (x, -y) on the curve]
27 Theorem. The addition law on $E$ has these properties:
1. $P + O = O + P = P$ for all $P \in E$.
2. $P + (-P) = O$ for all $P \in E$.
3. $P + (Q + R) = (P + Q) + R$ for all $P, Q, R \in E$.
4. $P + Q = Q + P$ for all $P, Q \in E$.
That is, $(E, +)$ forms an abelian group.
All of these properties are trivial to check except the associative law (3), which can be verified by a lengthy computation using explicit formulas, or by using more advanced algebraic or analytic methods.
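28 Formulas for Addition on E
$P = (x_1, y_1)$, $Q = (x_2, y_2)$, $P \neq Q$. $R = P + Q = (x_3, y_3)$.
The curve $E: y^2 = x^3 + ax + b$.
The line $PQ$: $y = \lambda x + \nu$, where $\lambda = \frac{y_2 - y_1}{x_2 - x_1}$ and $\nu = y_1 - \lambda x_1$.
$x_3 = \lambda^2 - x_1 - x_2$ and $y_3 = (x_1 - x_3)\lambda - y_1$.
[Figure: the points P, Q, -R and R on the curve]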
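29 If $P = Q = (x_1, y_1)$, with $y_1 \neq 0$, and $R = P + Q = 2P = (x_3, y_3)$, then
$\lambda = \frac{3x_1^2 + a}{2y_1}$
$x_3 = \lambda^2 - 2x_1$
$y_3 = (x_1 - x_3)\lambda - y_1$
[Figure: the points P = Q, -R and R = 2P on the curve]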
30 An important fact
$E: y^2 = x^3 + ax + b$
If $a$ and $b$ are in a field $K$ and if $P$ and $Q$ have coordinates in $K$, then $P + Q$ and $2P$ as computed by the formulas also have coordinates in $K$, or equal $O$.
Thus, we can use the same addition laws to make the points of an elliptic curve over a finite field $F_p$ into a group, even though the addition laws will no longer have the geometric interpretations.
31 Theorem (Poincaré, 1900)
Let $K$ be a field, and suppose that an elliptic curve $E$ is given by an equation of the form $E: y^2 = x^3 + ax + b$ with $a, b \in K$.
Let $E(K)$ denote the set of points of $E$ with coordinates in $K$, plus $O$:
$E(K) = \{(x, y) \in E : x, y \in K\} \cup \{O\}$.
Then $E(K)$ is a group.
32 What does $E(\mathbb{C})$ look like?
$E: y^2 = x^3 + ax + b$ with $a, b \in \mathbb{R}$.
Let $E(\mathbb{C})$ denote the set of points of $E$ with coordinates in $\mathbb{C}$, plus $O$:
$E(\mathbb{C}) = \{(x, y) \in \mathbb{C} \times \mathbb{C} : y^2 = x^3 + ax + b\} \cup \{O\}$
An amazing fact: $E(\mathbb{C})$ is isomorphic to a torus.
34 Elliptic curves defined over $F_p$
Equation: $y^2 = x^3 + ax + b$ over $F_p$, where $p > 3$, $a, b \in F_p$, $4a^3 + 27b^2 \not\equiv 0 \pmod{p}$.
$E = \{(x, y) \in F_p \times F_p : y^2 = x^3 + ax + b\} \cup \{O\}$
Example: $E: y^2 = x^3 + x$ over $F_{23}$
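35 Example
$E: y^2 = x^3 + x + 6$ over $F_{11}$
To find all points $(x, y)$ of $E$, for each $x \in F_{11}$, compute $z = x^3 + x + 6 \bmod 11$ and determine whether $z$ is a quadratic residue. If so, solve $y^2 = z$ in $F_{11}$.
$|E(F_{11})| = 13$.

| $x$ | $x^3 + x + 6$ | quad res? | $y$ |
|---|---|---|---|
| 0 | 6 | no | |
| 1 | 8 | no | |
| 2 | 5 | yes | 4, 7 |
| 3 | 3 | yes | 5, 6 |
| 4 | 8 | no | |
| 5 | 4 | yes | 2, 9 |
| 6 | 8 | no | |
| 7 | 4 | yes | 2, 9 |
| 8 | 9 | yes | 3, 8 |
| 9 | 7 | no | |
| 10 | 4 | yes | 2, 9 |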
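36 Example (continued)
There are 13 points in the group. So, it is cyclic and any point other than $O$ is a generator.
Let $\alpha = (x_1, y_1) = (2, 7)$. We can compute $2\alpha = (x_2, y_2)$ as follows.
$\lambda = \frac{3x_1^2 + a}{2y_1} = \frac{3(2)^2 + 1}{2 \cdot 7} = \frac{13}{14} = \frac{2}{3} = 2 \cdot 4 = 8 \pmod{11}$
$x_2 = \lambda^2 - 2x_1 = 8^2 - 2 \cdot 2 = 5 \pmod{11}$
$y_2 = (x_1 - x_2)\lambda - y_1 = (2 - 5) \cdot 8 - 7 = 2 \pmod{11}$
$2\alpha = (5, 2)$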
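37 Example (continued)
Let $3\alpha = (x_3, y_3)$. Then,
$\lambda = \frac{y_2 - y_1}{x_2 - x_1} = \frac{2 - 7}{5 - 2} = 2 \pmod{11}$
$x_3 = \lambda^2 - x_1 - x_2 = 2^2 - 2 - 5 = 8 \pmod{11}$
$y_3 = (x_1 - x_3)\lambda - y_1 = (2 - 8) \cdot 2 - 7 = 3 \pmod{11}$
$\alpha = (2, 7)$, $2\alpha = (5, 2)$, $3\alpha = (8, 3)$, $4\alpha = (10, 2)$, $5\alpha = (3, 6)$, $6\alpha = (7, 9)$, $7\alpha = (7, 2)$, $8\alpha = (3, 5)$, $9\alpha = (10, 9)$, $10\alpha = (8, 8)$, $11\alpha = (5, 9)$, $12\alpha = (2, 4)$
$13\alpha = \alpha + 12\alpha = 2\alpha + 11\alpha = 3\alpha + 10\alpha = \cdots = ?$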
38 Point Counting
Determining $|E(F_p)|$ is an important problem, called point counting.
Hasse's Theorem: $|E(F_p)|$
There are polynomial time algorithms that precisely determine $|E(F_p)|$.
In practice, $E(F_p)$ of prime order $q$ is used.
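39 DLP in $\langle g \rangle$ - reviewed
Let $\langle g \rangle = \{g^0, g^1, g^2, \ldots, g^{q-1}\}$ be a group of order $q$.
DLP in $\langle g \rangle$: given an element $h \in \langle g \rangle$, find the unique exponent $x \in \mathbb{Z}_q$ such that $g^x = h$.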
40 Elliptic Curve Discrete Logarithm Problem
Consider an elliptic curve group $E(F_p)$. Let $G \in E(F_p)$ be a point of large prime order $q$.
$\langle G \rangle = \{0G, 1G, 2G, \ldots, (q-1)G\}$ is a subgroup of $E(F_p)$.
ECDLP: given a point $H \in \langle G \rangle$, find the unique multiplier $x \in \mathbb{Z}_q$ such that $xG = H$.
41 Diffie-Hellman key agreement: Alice → Bob: $g^a$; Alice ← Bob: $g^b$; agreed key: $g^{ab}$.
Elliptic Curve Diffie-Hellman: Alice → Bob: $aG$; Alice ← Bob: $bG$; agreed key: $abG$.
42 Elliptic Curve Diffie-Hellman key agreement
Alice and Bob wish to agree on a secret key.
1. Alice and Bob agree on an elliptic curve $E(F_p)$ and a point $G$ on the curve of large prime order $q$.
2. Alice → Bob: $aG$, where $a \in_u \mathbb{Z}_q$.
3. Alice ← Bob: $bG$, where $b \in_u \mathbb{Z}_q$.
4. They agree on the key $abG$, which is a point on $E(F_p)$.
They can now use $x(abG)$, the $x$-coordinate of $abG$, as a secret key for, for example, a symmetric encryption scheme.
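The worked example of slides 35-37 and the key agreement of slide 42, carried out in code as an added example (not part of the lecture): it enumerates the points of $y^2 = x^3 + x + 6$ over $F_{11}$, applies the addition formulas of slides 28-29 to compute the multiples of $\alpha = (2, 7)$, and runs ECDH with $G = \alpha$. The function names and the secrets a = 3, b = 7 are constructed for illustration; the check on the received point is a standard precaution that the slides do not discuss.

```python
# Curve from slide 35: y^2 = x^3 + x + 6 over F_11, base point alpha = (2, 7).
P_MOD, A, B = 11, 1, 6
ALPHA = (2, 7)
O = None  # the point at infinity


def on_curve(pt):
    """True for O and for affine points satisfying the curve equation."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def curve_points():
    """Affine points, found as on slide 35: Euler's criterion, then solve y^2 = z."""
    pts = []
    for x in range(P_MOD):
        z = (x ** 3 + A * x + B) % P_MOD
        if z == 0:
            pts.append((x, 0))
        elif pow(z, (P_MOD - 1) // 2, P_MOD) == 1:  # z is a quadratic residue
            pts += [(x, y) for y in range(P_MOD) if y * y % P_MOD == z]
    return pts


def add(p1, p2):
    """Group law: identity, inverse (vertical line), doubling, general chord."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:      # P + (-P) = O
        return O
    if p1 == p2:                                  # tangent slope, slide 29
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:                                         # chord slope, slide 28
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = ((x1 - x3) * lam - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh_key(own_secret, peer_point):
    """x-coordinate of own_secret * peer_point; rejects points not on the curve."""
    if peer_point is O or not on_curve(peer_point):
        raise ValueError("received point is not a valid curve point")
    shared = mul(own_secret, peer_point)
    if shared is O:
        raise ValueError("shared point is the identity")
    return shared[0]


if __name__ == "__main__":
    print("group order:", len(curve_points()) + 1)          # affine points plus O
    print("multiples:", [mul(k, ALPHA) for k in range(1, 14)])
    a, b = 3, 7                                              # constructed secrets
    print("keys:", ecdh_key(a, mul(b, ALPHA)), ecdh_key(b, mul(a, ALPHA)))
```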
43 Key lengths recommended by NIST
Effective key length $n$: brute-force search against an $n$-bit symmetric key encryption scheme
Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion
More informationMA3H1 TOPICS IN NUMBER THEORY PART III
MA3H1 TOPICS IN NUMBER THEORY PART III SAMIR SIKSEK 1. Congruences Modulo m In quadratic recirocity we studied congruences of the form x 2 a (mod ). We now turn our attention to situations where is relaced
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationLecture 14: Hardness Assumptions
CSE 594 : Modern Cryptography 03/23/2017 Lecture 14: Hardness Assumptions Instructor: Omkant Pandey Scribe: Hyungjoon Koo, Parkavi Sundaresan 1 Modular Arithmetic Let N and R be set of natural and real
More informationMobius Functions, Legendre Symbols, and Discriminants
Mobius Functions, Legendre Symbols, and Discriminants 1 Introduction Zev Chonoles, Erick Knight, Tim Kunisky Over the integers, there are two key number-theoretic functions that take on values of 1, 1,
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationPredicate Privacy in Encryption Systems
Predicate Privacy in Encrytion Systems Emily Shen MIT eshen@csail.mit.edu Elaine Shi CMU/PARC eshi@arc.com December 24, 2008 Brent Waters UT Austin bwaters@cs.utexas.edu Abstract Predicate encrytion is
More information4. Score normalization technical details We now discuss the technical details of the score normalization method.
SMT SCORING SYSTEM This document describes the scoring system for the Stanford Math Tournament We begin by giving an overview of the changes to scoring and a non-technical descrition of the scoring rules
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCHAPTER 5 TANGENT VECTORS
CHAPTER 5 TANGENT VECTORS In R n tangent vectors can be viewed from two ersectives (1) they cature the infinitesimal movement along a ath, the direction, and () they oerate on functions by directional
More informationMATH 371 Class notes/outline October 15, 2013
MATH 371 Class notes/outline October 15, 2013 More on olynomials We now consider olynomials with coefficients in rings (not just fields) other than R and C. (Our rings continue to be commutative and have
More informationMATH 361: NUMBER THEORY EIGHTH LECTURE
MATH 361: NUMBER THEORY EIGHTH LECTURE 1. Quadratic Recirocity: Introduction Quadratic recirocity is the first result of modern number theory. Lagrange conjectured it in the late 1700 s, but it was first
More information