Discrete Methods in Mathematical Informatics Lecture 3: Other Applications of Elliptic Curve 23h October 2012 Vorapong Suppakitpaisarn http://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/ vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363 Download: Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptx Lecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptx Lecture 3: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture3.pptx
Course Information (Many Changes from Last Week) Schedule Grading 10/9 – Elliptic Curve I (2 Exercises) (What is Elliptic Curve?) 10/16 – Elliptic Curve II (1 Exercises) (Elliptic Curve Cryptography[1]) 10/23 – Elliptic Curve III (3 Exercises) (Elliptic Curve Cryptography[2]) 10/30 – Cancelled 11/7 – Online Algorithm I (Prof. Han) 11/14 – Online Algorithm II (Prof. Han) 11/21 – Elliptic Curve IV (2 Exercises) (ECC Implementation I) 11/28 – Elliptic Curve V (2 Exercises) (ECC Implementation II) 12/4 – Cancelled From 12/11 – To be Announced For my part, you need to submit 2 Reports. Report 1: Select 3 from 6 exercises in Elliptic Curve I – III Submission Deadline: 14 November Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V Submission Deadline: TBD Submit your report at Department of Mathematical Informatics’ office [1st floor of this building]
Discrete Logarithm Problem From Last Lecture… Scalar Multiplication on Elliptic Curve S = P + P + … + P = rP when r1 is positive integer, S,P is a member of the curve Double-and-add method Let r = 14 = (01110)2 Compute rP = 14P r = 14 = (0 1 1 1 0)2 r times P 3P 7P 14P O 2P 6P 14P 3 – 1 = 2 Point Additions 4 – 1 = 3 Point Doubles Discrete Logarithm Problem Given P, aP - Compute a.
Overview Discrete Logarithm Problem Massey-Omura Encryption ElGamal Public Key Encryption Digital Signature Algorithm (DSA) ElGamal Digital Signatures
Overview Discrete Logarithm Problem Massey-Omura Encryption ElGamal Public Key Encryption Digital Signature Algorithm (DSA) ElGamal Digital Signatures
Pollard’s Method [Pollard 1978] (Semi-)Objective [Teske, 1998] (Real-)Algorithm (Semi-) Algorithm (Real-)Objective Function f for Discrete Log
Examples Algorithm Example
Exercise Exercise 4
The Pohlig-Hellman Method [Pohlig, Hellman 1978]
The Pohlig-Hellman Method [cont.] Algorithm (Real-)Problem Given P, Q = aP - Compute a. (Semi-)Problem Given P, Q = aP - Compute a mod pkek Properties
The Pohlig-Hellman Method [cont.] Given P, Q = aP - Compute a mod pkek Algorithm
Chinese Remainder Theorem (Semi-)Problem Given P, Q = aP - Compute a mod pkek
Overview Discrete Logarithm Problem Massey-Omura Encryption ElGamal Public Key Encryption Digital Signature Algorithm (DSA) ElGamal Digital Signatures
Three-Pass Protocol [Shamir 1980] Private Key Cryptography Three-pass Protocol k1 k2 M Key Agreement Protocol Encryption Algorithm k k Ek1(M) Ek1 (M) Super-Encryption Algorithm M Dk(Ek(M)) = M Ek2 ( Ek1 (M)) Encryption Algorithm Ek2 ( Ek1 (M)) Decryption Algorithm Decryption Algorithm Ek(M) Ek(M) Ek2 (M)=Dk1 ( Ek2 ( Ek1 (M))) Ek2(M) Super-Decryption Algorithm M
Massey-Omura Protocol [Massey, Omura 1986] Three-pass Protocol Massey-Omura Protocol k1 k2 M Encryption Algorithm Encryption Algorithm Ek1(M) Ek1 (M) Super-Encryption Algorithm Super-Encryption Algorithm Ek2 ( Ek1 (M)) Ek2 ( Ek1 (M)) Decryption Algorithm Decryption Algorithm Ek2(M) Ek2(M) Super-Decryption Algorithm Super-Decryption Algorithm M
Massey-Omura Protocol [cont.] Example Encryption Algorithm Encryption Algorithm Super-Encryption Algorithm Super-Encryption Algorithm Decryption Algorithm Ek2(M) Decryption Algorithm Super-Decryption Algorithm Super-Decryption Algorithm
Massey-Omura Protocol [cont.] Integer Point on Elliptic Curve Point on Elliptic Curve Integer Exercise 4 Exercise 5
Overview Discrete Logarithm Problem Massey-Omura Encryption ElGamal Public Key Encryption Digital Signature Algorithm (DSA) ElGamal Digital Signatures
Public Key Cryptography Private Key Cryptography Public Key Cryptography Certificate Authority (CA) Key Agreement Protocol kpub,kpri kpub k k Dkpri (Ekpub (M)) = M M M Dk(Ek(M)) = M Encryption Algorithm Encryption Algorithm Decryption Algorithm Decryption Algorithm Ekpub(M) Ekpub (M) Ek(M) Ek(M)
ElGamal Public Key Encryption [ElGamal 1985] Public Key Cryptography ElGamal PKE Certificate Authority (CA) Certificate Authority (CA) kpub,kpri kpub Dkpri (Ekpub (M)) = M2-sM1 = M Dkpri (Ekpub (M)) = M M Encryption Algorithm Encryption Algorithm Decryption Algorithm Decryption Algorithm Ekpub(M) = M1,M2 Ekpub(M) = M1,M2 Ekpub(M) Ekpub (M) M1 = kP, M2 = M + kB
ElGamal Public Key Encryption (cont.) Example ElGamal PKE Certificate Authority (CA) Dkpri (Ekpub (M)) = M2-sM1 = M Dkpri (Ekpub (M)) = M2-sM1 = (0,1)-5(4,3) = (4,2) Encryption Algorithm Encryption Algorithm Decryption Algorithm Decryption Algorithm Ekpub(M) = M1,M2 Ekpub(M) = M1,M2 Ekpub(M) = M1,M2 Ekpub(M) = M1,M2 M1 = (4,3) M2 = (0,1) M1 = kP, M2 = M + kB M1 = kP = 7(0,1) = (4,3), M2 = M + kB = (4,2)+7(3,1) = (0,1)
ElGamal Public Key Encryption (cont.) ElGamal PKE ElGamal Problem Ver. I Given P, sP (public key), kP, M + skP, Find M. Certificate Authority (CA) Dkpri (Ekpub (M)) = M2-sM1 = M Discrete Log. Given P, sP Find s. Encryption Algorithm Decryption Algorithm Ekpub(M) = M1,M2 Ekpub(M) = M1,M2 M1 = kP, M2 = M + kB
Overview Discrete Logarithm Problem Massey-Omura Encryption ElGamal Public Key Encryption Digital Signature Algorithm (DSA) ElGamal Digital Signatures
Digital Signature [Diffie, Hellman 1976] Public Key Cryptography Digital Signature Certificate Authority (CA) Certificate Authority (CA) kpub,kpri kpub kpri,kpub kpub Dkpri (Ekpub (M)) = M M Encryption Algorithm Decryption Algorithm Vkpub (Skpri(M)) = M ? M Ekpub(M) Ekpub (M) Signing Algorithm Objective Verification Algorithm Alice is sending a message M to Bob Bob can be sure that the sender is really Alice. Alice cannot refuse that she did send the message No one can send a message claiming that they are Alice. M,Skpri(M) M, Skpri(M)
ElGamal Digital Signatures [ElGamal 1985] ElGamal’s Protocol Certificate Authority (CA) Certificate Authority (CA) kpub=(A,B) kpri,kpub kpub Signing Algorithm Skpri(M)) is signed by Alice??? M Signing Algorithm Verification Algorithm Verification Algorithm M,Skpri(M) M, Skpri(M)
ElGamal Digital Signatures (cont.) Example ElGamal’s Protocol Certificate Authority (CA) kpub=(A,B) Signing Algorithm Signing Algorithm Verification Algorithm Verification Algorithm
ElGamal Digital Signatures (cont.) ElGamal’s Protocol ElGamal Problem Ver. II Given A, B=aA (public key), m (message), m‘ (forged message) Find R,s such that Certificate Authority (CA) kpub=(A,B) Signing Algorithm Discrete Log. Given P, sP Find s. Verification Algorithm
Exercise Given A, B=aA (public key), m (message), m‘ (forged message) ElGamal Problem Ver. II Given A, B=aA (public key), m (message), m‘ (forged message) Find R,s such that Discrete Log. Given P, sP Find s. Exercise 6
Overview Discrete Logarithm Problem Massey-Omura Encryption ElGamal Public Key Encryption Digital Signature Algorithm (DSA) ElGamal Digital Signatures
Digital Signature Algorithm [Vanstone 1992] ElGamal’s Protocol DSA’s Protocol Certificate Authority (CA) Certificate Authority (CA) kpub=(A,B) kpub=(A,B) 2 Scalar Multiplications 3 Scalar Multiplications Signing Algorithm Signing Algorithm Verification Algorithm Verification Algorithm
Exercise Exercise 4 Exercise 4 Exercise 5
Exercise Exercise 6
Pairing-Based Cryptography Diffie-Hellman Exchange Protocol Three-Parties DHE P 1. Generate P 2 E(F) 2. Generate positive integers a 3. Receive Q = bP 4. Compute aQ = abP 1. Receive P 2. Receive S = aP 3. Generate positive integer b 4. Compute bS = abP B O ALICE A L I C E aP a, aP bP aP C H A L I E bP B O b, bP cP c, cP Bilinear Function ALICE Three-Parties DHE with Pairing a, aP, bP ALICE abP C H A L I E bcP a, aP B O C H A L I E b, bP cP acP c, cP aP aP aP bP cP B O b, bP cP c, cP bP
Thank you for your attention Please feel free to ask questions or comment.