CDH/DDH-Based Encryption. K&L Sections , 11.4.

Transcription

1 CDH/DDH-Based Encrytion K&L Sections ,

2 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { q 1} In this case, G = g = g, g, g,, g ; G is said to be generated by g, and g is a generator. In any grou (not necessarily finite or cyclic), if g { q 1} of finite order q, then g = g, g, g,, g is a cyclic grou of order q. is an element Note: in general, g denotes the subgrou generated by g. Note: we imlicitly assume multilicative grous, and will write the identity of the grou as 1. Recall: For any element m a G, a = a m mod G. 2

3 Discrete logarithm roblem (DLP) Let G be a cyclic grou of order q, and let g be any generator. { q 1 g } So, G = g = g, g, g,, x For any h G, there is a unique x such that g = h. This integer x is called the discrete logarithm (or index) of with resect to base g. We write log h = x. q g h Standard logarithm rules still hold: log 1 = 0, ( ) ( ) k h h = h + h q h = ( k o h) log log log mod, log l g mod q. g 1 2 g 1 g 2 g g The DLP in G with base g is to comute log h for any h G. g g u 3

4 DLP in * Theorem: * If is rime, then is a cyclic grou of order 1. Let g be any generato * r of. * 1 { } { , 2,, 1 = g, g, g, g } = = {, 1, 2 2} 0,,.,. DLP: x * given g, comute x. There is a subexonential-time algorithm for DLP ( ( ) ) O nlog n Index Calculus, O 2, where n= log. in * 4

5 Frequently used grous = { g g g g },,,,, * where is a large rime, and g is a generator. * A subgrou of of rime order q, //less secure // { } q Gq = α = α, α, α,, α 1 * α q α g * ( 1)/ q where is an element of rime order (e.g. = ). The Index Calculus doesn't work., Ellitic curves defined over finite field s. //increasingly oular// In these grous, there is no olynomial-time algorithm known for DLP. 5

6 Examle 1 G = = {1, 2,..., 18}. * 19 { } 2 is a generator. = 2 = 2, 2, 2,, 2. * , 2 2, 2 4, 2 8, 2 16, 2 13, = = = = = = , 2 14, = = log 7 = 6 2 log 14 = 7 2 log 12 =? 2 6

7 Examle 2 G G 5 = = = 3 3 * 11 { } 1, 2,, 10. { } 3 = 1, 3, 9, 5, 4. 3 is a generator of G, but not a generator of Z. log 5 = 3 log 10 = not defined *

8 Examle 3 DLP in the additive grou. Every 0 g corime to N is a generator. DLP: given k g, comute k. N N 8

9 RSA vs. Discrete Logarithm RSA is a one-way tradoor function: x x RSA 1 x RSA e x 1 RSA d x x d e ( e ) (easy) (difficult) ( is a tradoor) Exonetiation is a one-way function without a tradoor: x x ex g log g g g x x (easy) (difficult) An encrytion scheme based on the difficulty of discrete log x will not simly encryt x as g. 9

10 Diffie-Hellman key agreement { q 1 } G = g, g, g,, g, a cyclic grou of order q. q = { q 1},,,,. Alice and Bob wish to set u a secret key. ( G g q) 1. They agree on,,. x 2. Alice Bob: g, where x. y 3. Alice Bob: g, where y. xy 4. The agreed-on key: g. ( G g q) Remark: in ractice,,, is standardized, and there is a maing between bit strings and the elements of G. u u q q 10

11 Diffie-Hellman key agreement using * = * { g g g g },,,,, a large rime. { 2 2} 1 = 0, 1,,,. Alice and Bob wish to set u a secret key. 1. Alice and Bob agree on a large rime and a g, g, not secret * generator. ( ) x 2. Alice Bob: g mod, where x. 1 y 3. Alice Bob: g mod, where y. xy 4. They agree on the key: g mod. u u 1 11

12 Diffie-Hellman roblems { q 1 } G = g, g, g,, g, a cyclic grou of order q. Z q = { q 1},,,,. Comutational Diffie-Hellman (CDH) Problem: x y x given g, g G, where xy, Z, comu te g Decisional Diffie-Hellman (DDH) u q Problem: x y given g, g, h G, where xy, Z, and xy g with robability 1 2 h = a random element in G with robability 1 2 determine if h= g xy. u q y. 12

13 Relationshis between DDH, CDH, DLP DDH CDH DLP. Oen question: Is CDH DLP? There are examle of grous (e.g., * ) in which CDH and DLP are believed to be hard, but DDH is easy. 13

14 ElGamal encrytion scheme { q 1 g g } q { } G = g, g,,,, =,,,, q. ( ) ( h) x Keys: sk = G, g, q, x, k = G, g, q, where x, h= g. To encryt a message m G : q Use Diffie-Hellman agreement to set u a "key" k G y xy choosing y and comuting k: = h ( = g ). u q Use k to encryt m as k m G. y y y The cihertext is g, k m = g, h m. by Decrytion: Dec ( c, c ) = c c. sk x

15 ElGamal encrytion in 1. Key generation (e.g. for Alice): g * choose a large rime and a generator, where 1 has a large rime factor. randomly choose a number x * 1 let sk = (, g, x) and k = (, g, h). x and comute h= g ; Enc m = g h m m y y y * 2. Encrytion: k ( ) (, ), where, u Decrytion: D ( c, c ) = c c. sk x i e ulo. * 4. Remarks: Multilications are done in,.., mod The encrytion scheme is randomized. 15

16 Security of ElGamal encrytion Theorem: If the DDH roblem is hard, then the ElGamal encrytion scheme is CPA-secure. ElGamal encrytion is not CCA-secure. homomorhic and thus 16

17 Homomorhism of ElGamal encrytion A function f : G G is homomorhic if f( xy) = f( x) f( y). ElGamal encrytion is homomorhic, Emm ( ) = Em ( ) Em ( ), in the following sense: ( y y = ) and ( y y E m = g mh ) If E( m) g, mh ( y y) ( y y ) Em ( ) Em ( ) = g, mh g, mh = = ( y y y y g g, mh m h ) ( y+ y y+ y g, mm h ) is a valid encrytion of mm. ( ),, then 17

18 Ellitic Curve Crytograhy K&L Section

19 Field A field, denoted by ( F, +, ), is a set F with two binary oerations, + and, such that 1. ( F, + ) is an abelian grou (with identity 0). 2. ( F \{0}, ) is an abelian grou (with identy 1). 3. For all elements a F, 0 a= a 0 = x, y, z F, x ( y+ z) = x y+ x z (distributive). Examle fields: (, +, ), (, +, ), (, +, ). + z z = 1 (,, ) is not a field, because (excet for 1). For any rime, (, +, ) is a field, denoted as F.

20 The equation of an ellitic curve An ellitic curve is a curve given by y2 x3 ax b It is required that the discrimin 0, the olynomial = + + and the curve is said to be nonsingular. x ant = When a + b has distinct roots, For reasons to be exlained later, we introduce an additional oint, O, called the oint at infinity, so the ellitic curve is the set + ax + b = { 2 3 (, ): } { } E = x y y = x + ax + b O 0 20

21 We are often interested in oints on the curve of secific coordinates: { 2 3 } { } E( ) = ( x, y) : y = x + ax + b O { 2 3 } { } E( ) = ( x, y) : y = x + ax + b O { 2 3 } { } E( ) = ( x, y) : y = x + ax + b O { 2 3 y = x + ax + b} { O} E( ) = ( xy, ) : { 2 3 } { } E( F ) = ( x, y) F F : y = x + ax + b O 21

22 Examle: 2 3 E: y x 4 x ( x y =, ) 22

23 Making an ellitic curve into a grou Amazing fact: we can use geometry to make the oints of an ellitic curve into a grou. Suose P Q. Then define P+ Q = R. Q -R=R P R 23

24 Suose P = Q. Then define P+ Q = 2 P = R. P=Q -R R=2P 24

25 What if P = ( x, y), Q = ( x, y), so that PQ is vertical? In this case, we define P+ Q = O. This is why we added the extra oint O into the curv e. P=(x,y) -P=(x,-y) Q=(x,-y) 25

26 Now having defined P+ Q for P, Q O, we still need to define P+ O. Let O lay the role of identity, and define P+ O = O+ P = P. Now every oint P = ( x, y) has an inverse: P = ( x, y). P=(x,y) -P=(x,-y) 26

27 Theorem. The addition law on E has these roerties: 1. P+ O= O+ P= P for all P E. 2. P+ ( P) = O for all P E. 3. P+ ( Q+ R) = ( P+ Q) + Rfor all PQR,, E. 4. P+ Q= Q+ Pfor all PQ, E. That is, ( E( ), + ) forms an abelian grou. All of these roerties are trivial to check excet the associative law (3), which can be verified by a lengthy comutation using exlicit formulas, or by using more advanced algebraic or analytic methods. 27

28 Formulas for Addition on E P = ( x, y ), Q = ( x, y ), P Q. R = P+ Q = ( x, y ) The curve E : y x ax b. The line PQ : = y y 1 2 λ ν 1 λ 1 x1 x y = ( x x ) λ y and x = λ x x = + + = λx+ ν, where y = y x. P Q 3 3 -R=R R 28

29 If P = Q = ( x, y ), with y 0, and R = P+ Q = 2 P = ( x, y ), then 3 3 λ = x 2 3x1 + a 2 y = λ 1 2x y = ( x x ) λ y P=Q -R R=2P 29

30 An imortant fact E : = y x ax b If a and b are in a field K and if P and Q have coordinates in K, then P+ Q and 2 P as comuted by the formulas also have coordinates in. K, or equal O. Thus, we can use the same addition laws to make the oints of an ellitic curve over a finite field into a grou, even though the addition laws will no longer have the geometric interretations. F 30

31 Theorem (Poincare, 19 00) Let K be a field, and suose that an ellitic curve E is given by an equation of the form 2 3 : with,. E y = x + ax + b a b K Let EK ( ) denote the set of oints of Ewith coordinates in K, lus O, { } { } EK ( ) = ( xy, ) E: xy, K O. Then EK ( ) is a grou. 31

32 What does EC ( ) look like? 2 3 : with,. E y = x + ax + b a b R Let E( ) denote the set of oints of E with coordinates in C, lus O, { 2 3 y x ax b} { O} E( ) = ( xy, ) C C: = + + An amazing fact: E( ) is isomorhic to a torus. 32

33 33

34 Ellitic curves defined over F Equation: = y x ax b over F > ab F a + b 3 2 where 3,,, (mod ). { 2 3 (, ) } : { } E = x y F F y = x + ax + b O Examle: E y = x + x F 2 3 : over 23 34

35 Examle E y = x + x+ F 2 3 : 6 over To find all oints ( xy, ) of E, for each x F 3 z x x 11 2 If so, solve in , comute = mod11 and determine whether z is a quadratic residue. EF ( ) 13. y = z F 11 x 3 x + x + 6 quad res? y 0 6 no 1 8 no 2 5 yes 4,7 3 3 yes 5,6 4 8 no 5 4 yes 2,9 6 8 no 7 4 yes 2,9 8 9 yes 3,8 9 7 no = 10 4 yes 2, 9 35

36 Examle (continued) There are 13 oints in the grou. So, it is cyclic and any oint other O is a generator. Let α = (2,7). We can comute 2 α = ( x, y ) as follows. 1 ( ) x a + 13 λ = = = = = = 2y x ( ) ( ) = λ 2x = = 5 ( mod11) ( ) ( mod y = ( x x ) λ y = = 2 ( mod11) 2 α = (5, 2) 11) 36

37 Examle (continued) Let 3 α = ( x, y ). Then, λ y x y x = = = ( mod11) x = λ x x = = 8 ( mod11) ( ) y = ( x x ) λ y = = 3 ( mod11) α = (2,7) 2 α = (5, 2) 3 α = (8,3) 4 α = (10, 2) 5 α = ( 3,6) 6 α = (7,9) 7 α = (7,2) 8 α = ( 3,5) 9 α = (10,9) 10 α = (8,8) 11 α = (5,9) 12 α = (2, 4) 13α = α + 12α = 2α + 11α = 3α + 10 α = =? 37

38 Point Counting Determining EF ( ) is an imortant roblem, called oint counting. Hasse's Theorem: EF ( ) There are olynomial time algorithms that recisely determin e EF ( ). In ractice, EF ( ) of rime order qis used. 38

39 DLP in g - reviewed { q 1 } Let g = g, g, g,, g be a grou of order q. DLP in g : given an element h g, find the x unique exonent x such that g = h. q 39

40 Ellitic Curve Discrete Logarithm Problem Consider an ellitic curve grou EF ( ). Let G EF ( ) be a oint of large rime order q. { } G = 0 G, 1 G, 2 G,, ( q 1) G is a subgrou of EF ( ). ECDLP : given a oint H x such that xg = H. q G, find the unique multilier 40

41 Diffie-Hellman key agreement g Alice b g Alice ab Agreed key: g Alice Alice Bob Bob Ellitic Curve Diffie-Hellman Agreed key: abg a ag bg Bob Bob 41

42 Ellitic Curve Diffie-Hellman key agreement Alice and Bob wish to agree on a secret key. 1. Alice and Bob agree on an ellitic curve EF ( ) and a oint G on the curve of large rime order 2. Alice Bob: ag, where a Z. 3. Alice Bob: bg, where b Z. 4. They agree on the key abg, which is a oint on EF ( ). They can now use x( abg), the x-coordinate of abg, as a secret key for, for examle, a symmetric encrytion scheme. u u q q q. 42

43 Key lengths recommended by NIST Effective key length n: brute-force search against an n-bit symmetric key encrytion scheme 43