Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia

Lecture 7: Multi-Party Protocols and Interactive Proofs

February 19, 2002, Practical Aspects of Modern Cryptography, slide 3: A bit more on certificates
X.509 is not the only certificate standard; see also X9.55, X9.57, X9.59, Xcetera, Xcetera, Xcetera. Several "web of trust" designs exist; in particular, see SPKI/SDSI.

Slide 4: Attribute Certificates
Anyone who has the private key associated with the included public key has the right to …

Slide 5: And now for something completely different.

Slide 6: Multi-Party Protocols
Thus far, the protocols we've explored have dealt primarily with two-party scenarios. Many scenarios concern fair agreement and computation with more players.

Slide 7: Fair Selection
Suppose that a group wants to make a fair choice between two or more options. How can this be done in an unbiased manner?

Slide 8: Secret Sharing
Suppose that I have some data that I want to share amongst three people such that any two can uniquely determine the data, but any one alone has no information whatsoever about the data.

Slide 9: Secret Sharing
Some simple cases: "AND". I have a secret value z that I would like to share with Alice and Bob such that Alice and Bob together can determine the secret at any time, but such that neither has any information individually.

Slide 10: Secret Sharing – AND
Let z ∈ Z_m = {0, 1, …, m−1} be a secret value to be shared with Alice and Bob. Randomly and uniformly select values x and y from Z_m subject to the constraint that (x + y) mod m = z. (Equivalently: pick x uniformly at random and set y = (z − x) mod m.)

Slide 11: Secret Sharing – AND
Alice receives x and Bob receives y. The secret value is z = (x + y) mod m. Each share on its own is uniformly distributed over Z_m, so it reveals nothing about z.

Slide 12: Secret Sharing – AND
This trick easily generalizes to more than two shareholders. A secret S can be written as S = (s_1 + s_2 + … + s_n) mod m by choosing s_1, s_2, …, s_{n−1} uniformly at random from the range 0 ≤ s_i < m and setting s_n = (S − s_1 − … − s_{n−1}) mod m.

Slide 13: Secret Sharing
Some simple cases: "OR". I have a secret value z that I would like to share with Alice and Bob such that either Alice or Bob can determine the secret at any time.

Slide 14: Secret Sharing – OR
Alice receives z and Bob receives z. The secret value is z.

Slide 15: Secret Sharing – OR
This case also generalizes easily to more than two shareholders.

Slide 16: Secret Sharing
More complex access structures: I want to share secret value z amongst Alice, Bob, and Carol such that any two of the three can reconstruct z. S = (A ∧ B) ∨ (A ∧ C) ∨ (B ∧ C)

Slide 17: Secret Sharing
[Figure: an OR node over three AND nodes, AB, AC and BC.] The secret z ∈ Z_m is shared once per AND node, independently each time: z = (z_1 + z_2) mod m = (z_3 + z_4) mod m = (z_5 + z_6) mod m. Each AND node hands one of its two shares to each of its two members, so every person holds one share from each of the two AND nodes they belong to. Any two people hold both halves of the sharing for their AND node, while any one person holds only two unrelated, uniformly random values.

Slide 18: Threshold Schemes
I want to distribute a secret datum amongst n trustees such that any k of the n trustees can uniquely determine the secret datum, but any set of fewer than k trustees has no information whatsoever about the secret datum.

Slide 19: Threshold Schemes
AND sharing is the n-out-of-n case; OR sharing is the 1-out-of-n case.
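As an added example (not code from the original slides): the AND and OR constructions above, and the recipe of slide 17 for any access structure written as an OR of ANDs, in Python. The party names, the 2-of-3 structure and the secret and modulus values used in the demo are chosen here for illustration.

```python
import secrets
from itertools import combinations


def share_and(z, n, m):
    """n-of-n ("AND") sharing of z in Z_m: all n shares sum to z mod m.
    The first n-1 shares are uniform and the last is fixed by the constraint,
    so any n-1 of them are jointly uniform and reveal nothing about z."""
    shares = [secrets.randbelow(m) for _ in range(n - 1)]
    shares.append((z - sum(shares)) % m)
    return shares


def recover_and(shares, m):
    return sum(shares) % m


def share_or(z, n):
    """1-of-n ("OR") sharing: every holder simply gets z."""
    return [z] * n


def share_dnf(z, clauses, m):
    """Share z under a monotone access structure given as an OR of ANDs.
    `clauses` lists the minimal authorized sets, e.g. [{A,B},{A,C},{B,C}]
    for 2-of-3.  z is shared independently once per clause (the OR level);
    inside a clause the members hold an n-of-n additive sharing (the AND
    level).  Returns {party: [(clause index, share), ...]}."""
    holdings = {}
    for idx, clause in enumerate(clauses):
        members = sorted(clause)
        for party, s in zip(members, share_and(z, len(members), m)):
            holdings.setdefault(party, []).append((idx, s))
    return holdings


def recover_dnf(holdings, parties, clauses, m):
    """Pool the shares held by `parties`.  Succeeds iff they cover some
    clause; an unauthorized set never holds both halves of any one sharing."""
    present = set(parties)
    for idx, clause in enumerate(clauses):
        if clause <= present:
            return sum(s for p in clause for (i, s) in holdings[p] if i == idx) % m
    return None


TWO_OF_THREE = [{"A", "B"}, {"A", "C"}, {"B", "C"}]   # slide 16's structure


def demo(z=9, m=11):
    """Share z = 9 over Z_11 amongst A, B, C so that any two can recover it."""
    h = share_dnf(z, TWO_OF_THREE, m)
    pairs = {frozenset(pair): recover_dnf(h, pair, TWO_OF_THREE, m)
             for pair in combinations("ABC", 2)}
    singles = {p: recover_dnf(h, [p], TWO_OF_THREE, m) for p in "ABC"}
    shares_held = {p: len(v) for p, v in h.items()}
    return pairs, singles, shares_held


if __name__ == "__main__":
    print(demo())
```

Every pair recovers 9 and every single party gets None; each person holds two shares, one per clause they belong to. For a general k-of-n threshold this OR-of-ANDs recipe hands each trustee C(n−1, k−1) shares, which is why the next slides move to Shamir's polynomial scheme, where each trustee holds a single field element whatever k is.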

Slide 20: Shamir's Threshold Scheme
Any k points with distinct x-coordinates uniquely determine a polynomial of degree at most k−1. This works not only over the reals, rationals, and other infinite fields, but also over the finite field Z_p = {0, 1, …, p−1} where p is a prime.

Slide 21: Shamir's Threshold Scheme
To distribute a secret value s ∈ Z_p amongst a set of n trustees {T_1, T_2, …, T_n} (with n < p, so that the evaluation points are distinct and non-zero) such that any k can determine the secret: pick random coefficients a_1, a_2, …, a_{k−1} ∈ Z_p; let P(x) = a_{k−1} x^{k−1} + … + a_2 x^2 + a_1 x + s; give P(i) to trustee T_i. The secret value is s = P(0).

Slide 22: Shamir's Threshold Scheme
The threshold 2 case. Example: range = Z_11 = {0, 1, …, 10}, secret = 9; the line through the points is P(x) = 9 − 2x ≡ 9 + 9x (mod 11). Secret: (0, 9). Share 1: (1, 7). Share 2: (2, 5). Share 3: (3, 3). Any two of the three shares fix the line, and hence its value at x = 0.

Slide 23: Shamir's Threshold Scheme
The threshold 2 case. Example: range = Z_11 = {0, 1, …, 10}. Share 1: (1, 7). Share 3: (3, 4). Over the rationals the line through these two points meets x = 0 at (0, 8.5); in Z_11, 8.5 ≡ 17 ÷ 2 ≡ 17 × 6 ≡ 6 × 6 ≡ 36 ≡ 3, since 2^{−1} ≡ 6 (mod 11). Secret: (0, 3).

Slide 24: Shamir's Threshold Scheme
Two methods are commonly used to interpolate a polynomial given a set of points: Lagrange interpolation, and solving a system of linear equations.

Slide 25: Lagrange Interpolation
For each point (i, P(i)), construct a polynomial P_i with the correct value at i and a value of zero at the other given points:
  P_i(x) = P(i) × ∏_{j≠i} (x − j) ÷ ∏_{j≠i} (i − j)
  P(x) = ∑_i P_i(x)
(In Z_p the division is multiplication by the modular inverse of ∏_{j≠i} (i − j). To recover only the secret, evaluate everything at x = 0.)

Slide 26: Solving a Linear System
Regard the polynomial coefficients as unknowns. Plug in each known point to get a linear equation in terms of the unknown coefficients. Once there are as many equations as unknowns, use linear algebra (Gaussian elimination mod p) to solve the system of equations.

Slide 27: Verifiable Secret Sharing
Secret sharing is very useful when the "dealer" of a secret is honest, but what bad things can happen if the dealer is potentially dishonest? (A dishonest dealer can hand out shares that do not lie on a single polynomial of degree k−1, so that different subsets of k trustees reconstruct different "secrets".) Can measures be taken to eliminate or mitigate the damages?

Slide 28: Homomorphic Encryption
Recall that with RSA, there is a multiplicative homomorphism: E(x)·E(y) ≡ E(xy). Can we find an encryption function with an additive homomorphism?

Slide 29: An Additive Homomorphism
Can we find an encryption function for which the sum (or product) of two encrypted messages is the (an) encryption of the sum of the two original messages? E(x) ∘ E(y) ≡ E(x + y)

Slide 30: An Additive Homomorphism
Recall the one-way function given by f(x) = g^x mod m. For this function, f(x)·f(y) mod m = g^x·g^y mod m = g^{x+y} mod m = f(x + y).

Slide 31: Verifiable Secret Sharing
Select a polynomial with secret a_0 as P(x) = a_{k−1} x^{k−1} + … + a_2 x^2 + a_1 x + a_0. Commit to the coefficients by publishing g^{a_0}, g^{a_1}, g^{a_2}, …, g^{a_{k−1}}. Anyone can compute a commitment to P(i) from the public values alone: g^{P(i)} = (g^{a_0})^{i^0} · (g^{a_1})^{i^1} · (g^{a_2})^{i^2} · … · (g^{a_{k−1}})^{i^{k−1}}. Trustee T_i checks that g raised to its received share equals this value; if the check passes for every trustee, all shares lie on the same polynomial.

Slide 32: Verifiable Secret Sharing
An important detail: randomness must be included to prevent small spaces of possible secrets and shares from being exhaustively searched. (The commitments g^{a_0} and g^{P(i)} are public, so a secret or share drawn from a small set could be found by trying every candidate against them.)
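An added example, not from the original slides: Shamir sharing and Lagrange reconstruction over Z_p in Python, reproducing the Z_11 examples of slides 22 and 23, followed by the coefficient commitments of slide 31 so that each trustee can verify its share. The group parameters (p = 23, q = 11, g = 2, which has order 11 modulo 23), the random 3-of-5 instance and the corrupted-share check are choices made here for illustration.

```python
import secrets


def eval_poly(coeffs, x, q):
    """coeffs[j] is the coefficient of x^j; evaluate P(x) mod q."""
    return sum(c * pow(x, j, q) for j, c in enumerate(coeffs)) % q


def shamir_share(secret, k, n, q, coeffs=None):
    """k-of-n Shamir sharing over Z_q (q prime, n < q).
    Returns (coefficients, [(i, P(i)) for i = 1..n]); a_0 is the secret."""
    assert n < q, "need n distinct non-zero evaluation points in Z_q"
    if coeffs is None:
        coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(k - 1)]
    return coeffs, [(i, eval_poly(coeffs, i, q)) for i in range(1, n + 1)]


def lagrange_at_zero(points, q):
    """Recover P(0) from k points (i, P(i)) with distinct i, working mod q.
    Division in Z_q is multiplication by the modular inverse."""
    secret = 0
    for i, yi in points:
        num, den = 1, 1
        for j, _ in points:
            if j != i:
                num = num * (0 - j) % q
                den = den * (i - j) % q
        secret = (secret + yi * num * pow(den, -1, q)) % q
    return secret


# Verifiable sharing in the style of slide 31: commit to each coefficient with
# the additively homomorphic one-way map a -> g^a mod p, where g has prime
# order q in Z_p^* so that exponents live in the same Z_q as the shares.
def feldman_commit(coeffs, g, p):
    return [pow(g, a, p) for a in coeffs]


def feldman_verify(i, share, commitments, g, p, q):
    """Check g^share == prod_j (g^{a_j})^{i^j}, i.e. share == P(i) in Z_q."""
    expected = 1
    for j, C in enumerate(commitments):
        expected = expected * pow(C, pow(i, j, q), p) % p
    return pow(g, share, p) == expected


P, Q, G = 23, 11, 2   # toy parameters (assumed): 2 has order 11 in Z_23^*


def slide_example():
    """Slides 22/23: P(x) = 9 + 9x over Z_11 (that is, 9 - 2x), threshold 2."""
    coeffs, shares = shamir_share(9, 2, 3, Q, coeffs=[9, 9])
    commitments = feldman_commit(coeffs, G, P)
    return {
        "shares": shares,                                  # [(1,7),(2,5),(3,3)]
        "from_shares_1_and_2": lagrange_at_zero(shares[:2], Q),
        "from_(1,7)_and_(3,4)": lagrange_at_zero([(1, 7), (3, 4)], Q),  # slide 23
        "honest_shares_verify": all(feldman_verify(i, s, commitments, G, P, Q)
                                    for i, s in shares),
        # a dealer (or channel) that changes trustee 2's share from 5 to 6
        "tampered_share_verifies": feldman_verify(2, 6, commitments, G, P, Q),
    }


def random_example(secret=4, k=3, n=5):
    """Random coefficients: any k of the n shares recover the secret."""
    coeffs, shares = shamir_share(secret, k, n, Q)
    commitments = feldman_commit(coeffs, G, P)
    recovered = lagrange_at_zero(shares[1:1 + k], Q)
    return recovered, all(feldman_verify(i, s, commitments, G, P, Q) for i, s in shares)


if __name__ == "__main__":
    print(slide_example())
    print(random_example())
```

The commitment g^{a_0} = g^s is itself public, so anyone can test a guess for s against it; that is the point of slide 32. A secret drawn from a large space is safe behind the discrete logarithm, while a small one (a yes/no vote, say) needs extra randomness folded into the commitment before this construction can be used.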

Slide 33: Secret Sharing Homomorphisms
All of these secret sharing methods have an additional useful feature: if two secrets are separately shared amongst the same set of people in the same way, then the sums of the individual shares constitute shares of the sum of the secrets.

Slide 34: Secret Sharing Homomorphisms – OR
Secret a, shares: a, a, …, a. Secret b, shares: b, b, …, b. Secret sum: a + b. Share sums: a + b, a + b, …, a + b.

Slide 35: Secret Sharing Homomorphisms – AND
Secret a, shares: a_1, a_2, …, a_n. Secret b, shares: b_1, b_2, …, b_n. Secret sum: a + b. Share sums: a_1 + b_1, a_2 + b_2, …, a_n + b_n (all mod m).

Slide 36: Secret Sharing Homomorphisms – THRESHOLD
Secret P_1(0), shares: P_1(1), P_1(2), …, P_1(n). Secret P_2(0), shares: P_2(1), P_2(2), …, P_2(n). Secret sum: P_1(0) + P_2(0). Share sums: P_1(1) + P_2(1), P_1(2) + P_2(2), …, P_1(n) + P_2(n), which are exactly the shares of the polynomial P_1 + P_2, whose degree is still at most k−1.

Slide 37: Verifiable Secret-Ballot Elections
In an election, each voter can cast a vote by sharing the vote with a set of election officials at a pre-determined threshold. The officials can read an individual's vote only if a sufficiently large set conspire.

Slide 38: Verifiable Secret-Ballot Elections

  Voter   Vote        Official 1      Official 2      Official 3
  A       V_A         S_A1            S_A2            S_A3
  B       V_B         S_B1            S_B2            S_B3
  C       V_C         S_C1            S_C2            S_C3
  Total   T = Σ V_i   T_1 = Σ S_i1    T_2 = Σ S_i2    T_3 = Σ S_i3

Slide 39: Verifiable Secret-Ballot Elections
The sums of the shares of the votes constitute shares of the sum of the votes.

Slide 41: Verifiable Secret-Ballot Elections
The shares of the votes can each be encrypted with an additively homomorphic encryption function.

Slide 43: Verifiable Secret-Ballot Elections

  Voter   Vote        Official 1      Official 2      Official 3
  A       V_A         E_1(S_A1)       E_2(S_A2)       E_3(S_A3)
  B       V_B         E_1(S_B1)       E_2(S_B2)       E_3(S_B3)
  C       V_C         E_1(S_C1)       E_2(S_C2)       E_3(S_C3)
  Total   T = Σ V_i   T_1 = Σ S_i1    T_2 = Σ S_i2    T_3 = Σ S_i3

Slide 45: Verifiable Secret-Ballot Elections
To get encryptions of the sums, compute the products of the encryptions.

Slides 47–48: Verifiable Secret-Ballot Elections

  Voter   Vote        Official 1      Official 2      Official 3
  A       V_A         E_1(S_A1)       E_2(S_A2)       E_3(S_A3)
  B       V_B         E_1(S_B1)       E_2(S_B2)       E_3(S_B3)
  C       V_C         E_1(S_C1)       E_2(S_C2)       E_3(S_C3)
  Product             Π E_1(S_i1)     Π E_2(S_i2)     Π E_3(S_i3)
                    = E_1(Σ S_i1)   = E_2(Σ S_i2)   = E_3(Σ S_i3)
  Total   T = Σ V_i   T_1 = Σ S_i1    T_2 = Σ S_i2    T_3 = Σ S_i3

Slide 49: Verifiable Secret-Ballot Elections
Decrypt the products to determine the column sums.

Slide 52: Verifiable Secret-Ballot Elections
Combine the shares to form the tally.

Slide 55: Verifiable Secret-Ballot Elections
Product of Encryptions ≡ Encryption of Sum
Sum of Shares ≡ Shares of Sum
The products of the encryptions of the shares of the votes constitute encryptions of the shares of the sum of the votes.
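An added example, not from the original slides, that runs the whole table of slides 38–55 in Python. The ballots are constructed here (A and C vote 1, B votes 0). Each vote is split with the n-of-n additive sharing of slide 12, so the tally is the sum of the column sums; with Shamir shares the only change would be Lagrange interpolation of the column sums instead of addition. The additively homomorphic encryption is Paillier's cryptosystem, chosen here because its decryption returns the plaintext sum directly; the slides do not name a particular scheme. The toy prime pairs for the three officials' keys and the share modulus M are assumptions.

```python
import math
import secrets


# --- Paillier: E(a) * E(b) mod n^2 is an encryption of a + b (mod n) ---
def paillier_keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1)            # phi(n); usable here because gcd(n, lam) == 1
    assert math.gcd(n, lam) == 1
    mu = pow(lam, -1, n)
    return (n, n + 1), (n, lam, mu)    # public (n, g = n + 1), private (n, lam, mu)


def paillier_enc(pk, m):
    n, g = pk
    r = secrets.randbelow(n - 2) + 2   # fresh randomness per ciphertext
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def paillier_dec(sk, c):
    n, lam, mu = sk
    L = (pow(c, lam, n * n) - 1) // n
    return L * mu % n


# --- the election ---
M = 1000                                   # shares of each vote live in Z_M (assumed)
VOTES = {"A": 1, "B": 0, "C": 1}           # constructed ballots: 1 = yes, 0 = no
OFFICIAL_PRIMES = [(101, 103), (107, 109), (113, 127)]   # toy key material, one pair per official


def share_vote(v, n_officials):
    """Slide 12: additive n-of-n sharing of the vote over Z_M."""
    shares = [secrets.randbelow(M) for _ in range(n_officials - 1)]
    shares.append((v - sum(shares)) % M)
    return shares


def run_election(votes=VOTES, official_primes=OFFICIAL_PRIMES):
    keys = [paillier_keygen(p, q) for p, q in official_primes]
    # Column sums come back as integers mod n, so they must not wrap modulo n.
    assert len(votes) * M < min(pk[0] for pk, _ in keys)

    # Slide 43: voter i publishes E_j(S_ij), share j encrypted under official j's key.
    board = {voter: [paillier_enc(keys[j][0], s)
                     for j, s in enumerate(share_vote(v, len(keys)))]
             for voter, v in votes.items()}

    # Slide 47: anyone can multiply down each column; no key is needed.
    products = []
    for j, (pk, _) in enumerate(keys):
        n2 = pk[0] ** 2
        prod = 1
        for voter in board:
            prod = prod * board[voter][j] % n2
        products.append(prod)

    # Slide 49: official j decrypts only the product, learning T_j = sum_i S_ij
    # and never any individual share S_ij.
    column_sums = [paillier_dec(sk, c) % M for (_, sk), c in zip(keys, products)]

    # Slide 52: the column sums are shares of the tally; combine them.
    tally = sum(column_sums) % M
    return tally, column_sums


def homomorphism_check(a=3, b=4, primes=(101, 103)):
    """Slide 45 in isolation: the product of two encryptions decrypts to the sum."""
    pk, sk = paillier_keygen(*primes)
    n2 = pk[0] ** 2
    return paillier_dec(sk, paillier_enc(pk, a) * paillier_enc(pk, b) % n2)


if __name__ == "__main__":
    print(run_election())
```

Each official sees only its own column sum, which is a uniformly random element of Z_M, and the tally appears only when all column sums are combined. What this code does not show is the "verifiable" part of the slide title: nothing yet stops a voter from sharing a vote of 7, or an official from announcing a wrong column sum. Those checks are what the interactive proofs of the following slides provide.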

Slide 57: Interactive Proofs
There are non-traditional methods of convincing others that something is true without writing down a proof. These methods can be used to convince others of the veracity of partial information about a secret.

Slide 58: Traditional Proofs
I want to convince you that something is true. I write down a proof and give it to you.

Slide 59: Interactive Proofs
We engage in a dialogue at the conclusion of which you are convinced that my claim is true.

Slide 60: Proving Something is a Square
Suppose I want to convince you that Y is a square modulo N. [There exists an X such that Y = X^2 mod N.]

Slide 61: Proving Something is a Square
Suppose I want to convince you that Y is a square modulo N. [There exists an X such that Y = X^2 mod N.] First approach: I give you X.

Slides 62–65: An Interactive Proof
[Figure: the exchange between prover and verifier for the claim "Y is a square modulo N".]
1. The prover chooses 100 random values X_1, …, X_100 and sends their squares Y_1 = X_1^2 mod N, …, Y_100 = X_100^2 mod N.
2. The verifier replies with a random sequence of 100 challenge bits, one per Y_i.
3. For each i, according to the challenge bit, the prover answers with either a square root of Y_i (√Y_i = X_i) or a square root of Y_i·Y (√(Y_i·Y) = X_i·X mod N); the figure shows answers of both kinds.
4. The verifier squares each answer and checks that it equals Y_i or Y_i·Y, as requested.

Slide 66: An Interactive Proof
In order for me to "fool" you, I would have to guess your exact challenge sequence: if Y is not a square then Y_i and Y_i·Y cannot both be squares (their quotient would be Y), so for each i I can prepare an answer for only one of the two challenges. The probability of my successfully convincing you that Y is a square when it is not is therefore 1/2 per round, or 2^{−100} for the 100 rounds above. This interactive proof is said to be "zero-knowledge" because the verifier received no information (beyond the proof of the claim) that it couldn't compute itself: choosing each challenge bit first and then setting Y_i = X_i^2 or Y_i = X_i^2·Y^{−1}, the verifier can produce transcripts with the same distribution on its own.

Slide 67: Proving Knowledge
Suppose that we share a public key consisting of a modulus N and an encryption exponent E and that I want to convince you that I have the corresponding decryption exponent D. How can I do this?

Slide 68: Proving Knowledge
I can give you my private key D. You can encrypt something for me and I decrypt it for you. You can encrypt something for me and I can engage in an interactive proof with you to show that I can decrypt it.

Slides 69–72: A Proof of Knowledge
[Figure: the same exchange, now for the claim "I can compute Y^D".]
1. Given the ciphertext Y, the prover sends 100 values Y_1, …, Y_100 (choosing Y_i = R_i^E mod N for random R_i keeps the Y_i uniformly distributed and lets the prover open either challenge).
2. The verifier replies with 100 random challenge bits.
3. For each i the prover answers with either Y_i^D (= R_i) or (Y_i·Y)^D (= R_i·Y^D mod N); the figure shows answers of both kinds.
4. The verifier raises each answer to the power E and checks that the result is Y_i or Y_i·Y, as requested.

Slide 73: A Proof of Knowledge
By engaging in this proof, the prover has demonstrated its knowledge of Y^D without revealing this value. If Y is generated by a challenger, this is compelling evidence that the prover possesses D.

Slide 74: Facts About Interactive Proofs
Anything in PSPACE can be proven with an interactive proof. Anything in NP can be proven with a zero-knowledge interactive proof (assuming one-way functions exist).

Slide 75: Facts About Interactive Proofs
It is frequently possible to simulate the interaction by substituting a one-way (hash) function for the challenges of a verifier: the prover derives the challenge bits by hashing its own commitments, so the proof becomes a single message that anyone can check.

Slides 76–79: A Non-Interactive ZK Proof
[Figure: the square-root proof again, with the verifier's challenge replaced by a hash.] The prover sends Y_1, …, Y_100 together with the answers √Y_i or √(Y_i·Y), where the challenge bit string is computed as
  xxx… = SHA-1(Y_1, Y_2, …, Y_100)
and the i-th bit selects which root is revealed for Y_i. The verifier recomputes the hash and checks every answer exactly as in the interactive version. (Two practical notes: the statement Y should be hashed along with the Y_i, so that a proof cannot be re-used for a different Y; and SHA-1 is no longer considered collision-resistant, so a current implementation would use SHA-256 or a similar hash.)
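An added example, not from the original slides, covering the square-root proof of slides 62–66, the RSA proof of knowledge of slides 69–73, and the non-interactive variant of slides 76–79 in one piece of Python. Both proofs have the same shape: the prover knows a preimage X of Y under a map φ that respects multiplication (φ(x) = x² mod N for squares; φ(x) = x^E mod N for RSA, where X = Y^D), commits to φ(R_i) for random R_i, and opens either R_i or R_i·X. The non-interactive version derives the challenge bits with SHAKE-256 over (Y, Y_1, …, Y_t) rather than the slides' SHA-1. The toy modulus N = 3233 = 61·53, the exponents E = 17 and D = 2753, the witness values and the round counts are assumptions for illustration; the cheating prover is included to show that soundness is exactly a matter of guessing the challenge.

```python
import hashlib
import secrets


def commit(phi, N, t):
    """Prover: t fresh random R_i and their images Y_i = phi(R_i)."""
    R = [secrets.randbelow(N - 2) + 2 for _ in range(t)]
    return R, [phi(r) for r in R]


def respond(R, X, challenge, N):
    """Challenge bit 0: open R_i.  Bit 1: open R_i * X, a preimage of Y_i * Y."""
    return [r if c == 0 else r * X % N for r, c in zip(R, challenge)]


def verify(phi, N, Y, commitments, challenge, responses):
    """Verifier: phi(answer) must equal Y_i (bit 0) or Y_i * Y (bit 1)."""
    if not (len(commitments) == len(challenge) == len(responses)):
        return False
    for Yi, c, z in zip(commitments, challenge, responses):
        target = Yi if c == 0 else Yi * Y % N
        if phi(z) != target:
            return False
    return True


def interactive_proof(phi, N, X, Y, t=100):
    """The t-round dialogue: commitments first, then the verifier's coins."""
    R, commitments = commit(phi, N, t)
    challenge = [secrets.randbits(1) for _ in range(t)]
    return verify(phi, N, Y, commitments, challenge, respond(R, X, challenge, N))


def fiat_shamir_challenge(Y, commitments, t):
    """Slide 77's bit string, here SHAKE-256 over the statement and all commitments."""
    data = ",".join(map(str, [Y, *commitments])).encode()
    digest = hashlib.shake_256(data).digest((t + 7) // 8)
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(t)]


def nizk_prove(phi, N, X, Y, t=100):
    R, commitments = commit(phi, N, t)
    challenge = fiat_shamir_challenge(Y, commitments, t)
    return commitments, respond(R, X, challenge, N)


def nizk_verify(phi, N, Y, proof, t=100):
    commitments, responses = proof
    return verify(phi, N, Y, commitments, fiat_shamir_challenge(Y, commitments, t), responses)


def cheating_prover(phi, N, Y, guessed_challenge):
    """Knows no preimage of Y.  For a guessed bit 0 commit to phi(R) and plan to
    open R; for a guessed bit 1 commit to phi(R) * Y^-1 so that R is a preimage
    of Y_i * Y.  The responses are R either way, and they pass exactly when every
    guess matches the verifier's actual bit."""
    Y_inv = pow(Y, -1, N)
    R = [secrets.randbelow(N - 2) + 2 for _ in guessed_challenge]
    commitments = [phi(r) if g == 0 else phi(r) * Y_inv % N
                   for r, g in zip(R, guessed_challenge)]
    return commitments, R


# --- toy instances (assumed parameters) ---
N = 3233                          # 61 * 53
E, D = 17, 2753                   # RSA exponents for this N
square = lambda x: x * x % N      # slide 60: is Y a square mod N?
rsa_enc = lambda x: pow(x, E, N)  # slide 67: can the prover compute Y^D?


def demo_square(t=100):
    X = 123
    Y = square(X)                 # 2197
    return (interactive_proof(square, N, X, Y, t),
            nizk_verify(square, N, Y, nizk_prove(square, N, X, Y, t), t))


def demo_rsa(t=100):
    Y = 2890                      # ciphertext chosen by the verifier
    X = pow(Y, D, N)              # the prover's private computation Y^D
    return (interactive_proof(rsa_enc, N, X, Y, t),
            nizk_verify(rsa_enc, N, Y, nizk_prove(rsa_enc, N, X, Y, t), t))


def demo_cheat(t=8):
    Y = 2                         # not a square mod N (2 is a non-residue mod 61)
    guess = [secrets.randbits(1) for _ in range(t)]
    commitments, responses = cheating_prover(square, N, Y, guess)
    lucky = verify(square, N, Y, commitments, guess, responses)       # verifier's bits == guess
    flipped = [1 - guess[0]] + guess[1:]
    unlucky = verify(square, N, Y, commitments, flipped, responses)   # one bit differs
    return lucky, unlucky


if __name__ == "__main__":
    print(demo_square(), demo_rsa(), demo_cheat())
```

The cheater succeeds only when the verifier's coins equal the guess, which for t rounds happens with probability 2^{−t}; nothing about Y being a non-square is detected otherwise. Two operational points follow from the code: the R_i must be fresh for every proof, because opening the same R_i under both challenge bits hands out R_i and R_i·X and hence X; and in the non-interactive form the hash must cover Y, or a proof made for one statement could be replayed for another.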

Slide 80: Elliptic Curve Cryptosystems
An elliptic curve: y^2 = x^3 + Ax + B

Slides 81–91: Elliptic Curves
[Figures: plots of y = x^3 + Ax + B and then of y^2 = x^3 + Ax + B over the reals, building up the curve and its symmetry about the x-axis.]

Slide 92: Elliptic Curves Intersecting Lines
[Figure: the curve y^2 = x^3 + Ax + B together with a line y = ax + b.]

Slide 93: Elliptic Curves Intersecting Lines – Non-vertical Lines
Substitute y = ax + b into y^2 = x^3 + Ax + B: (ax + b)^2 = x^3 + Ax + B, which rearranges to the cubic x^3 − a^2 x^2 + (A − 2ab) x + (B − b^2) = 0, i.e. x^3 + A'x^2 + B'x + C' = 0 for constants A', B', C' depending on the line (the slide writes these as A, B, C; they are not the curve parameters).

Slide 94: Elliptic Curves Intersecting Lines
[Figure: the cubic x^3 + A'x^2 + B'x + C' = 0 plotted against the curve; its real roots are the x-coordinates of the intersection points.]

Slide 95: Elliptic Curves Intersecting Lines – Non-vertical Lines
1 intersection point (typical case); 2 intersection points (tangent case); 3 intersection points (typical case). A cubic with real coefficients has one or three real roots counting multiplicity, so a line that meets the curve in two points always meets it in a third (the tangent point counting twice).

Slide 96: Elliptic Curves Intersecting Lines – Vertical Lines
y^2 = x^3 + Ax + B and x = c give y^2 = c^3 + Ac + B, i.e. y^2 = C for the constant C = c^3 + Ac + B.

Slide 97: Elliptic Curves Intersecting Lines – Vertical Lines
0 intersection points (typical case, C < 0); 1 intersection point (tangent case, C = 0); 2 intersection points (typical case, C > 0).

Slides 98–101: Elliptic Groups
[Figures: the chord-and-tangent construction. Two points on the curve determine a line y = ax + b; the line meets the curve in a third point, and reflecting that point in the x-axis gives the "sum" of the two. A vertical line x = c through a point and its reflection meets no third point.]

Slide 102: Elliptic Groups
Add an "artificial" point I to handle the vertical line case. This point I also serves as the group identity value.

Slide 103: Elliptic Groups
[Figure: the vertical line x = c, now regarded as meeting the curve in I.]

Slide 104: Elliptic Groups
(x_1, y_1) ⊕ (x_2, y_2) = (x_3, y_3), where, with λ = (y_2 − y_1)/(x_2 − x_1):
  x_3 = λ^2 − x_1 − x_2
  y_3 = −y_1 + λ (x_1 − x_3)
when x_1 ≠ x_2.

Slide 105: Elliptic Groups
(x_1, y_1) ⊕ (x_2, y_2) = (x_3, y_3), where, with λ = (3x_1^2 + A)/(2y_1):
  x_3 = λ^2 − 2x_1
  y_3 = −y_1 + λ (x_1 − x_3)
when x_1 = x_2 and y_1 = y_2 ≠ 0.

Slide 106: Elliptic Groups
(x_1, y_1) ⊕ (x_2, y_2) = I when x_1 = x_2 but y_1 ≠ y_2, or when y_1 = y_2 = 0.
(x_1, y_1) ⊕ I = (x_1, y_1) = I ⊕ (x_1, y_1).
I ⊕ I = I.
(Over a finite field Z_p the same formulas apply, with each division performed as multiplication by a modular inverse.)

Slide 107: The Fundamental Equation
Z = Y^X mod N

Slide 108: The Fundamental Equation
Z = Y^X in E_p(A, B), the group of points of y^2 = x^3 + Ax + B over Z_p. (Written additively, as is usual for curves, this is Z = X·Y: the point Y added to itself X times.)

Slide 109: The Fundamental Equation
Z = Y^X in E_p(A, B). When Z is unknown, it can be efficiently computed by repeated squaring (in the additive notation, repeated doubling and adding).

Slide 110: The Fundamental Equation
Z = Y^X in E_p(A, B). When X is unknown, this version of the discrete logarithm is believed to be quite hard to solve.

Slide 111: The Fundamental Equation
Z = Y^X in E_p(A, B). When Y is unknown, it can be efficiently computed by "sophisticated" means (once the group order is known, and X is invertible modulo it, Y = Z^{X^{−1} mod order}).

Slide 112: Diffie-Hellman Key Exchange
Alice: randomly select a large integer a and send A = Y^a mod N. Compute the key K = B^a mod N.
Bob: randomly select a large integer b and send B = Y^b mod N. Compute the key K = A^b mod N.
B^a = Y^{ba} = Y^{ab} = A^b

Slide 113: Diffie-Hellman Key Exchange
Alice: randomly select a large integer a and send A = Y^a in E_p. Compute the key K = B^a in E_p.
Bob: randomly select a large integer b and send B = Y^b in E_p. Compute the key K = A^b in E_p.
B^a = Y^{ba} = Y^{ab} = A^b
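An added example, not from the original slides: the group law of slides 104–106 and the double-and-add computation of Z = Y^X (written additively as X·Y) from slide 109, followed by the Diffie-Hellman exchange of slide 113, in Python over a toy curve. The curve y² = x³ + 2x + 2 over Z_17 with base point (5, 1) of order 19 is a textbook example chosen here; it is far too small for real use, where a standardised curve over a field of about 256 bits would be used. The modular version of slide 112 is the same exchange with pow(Y, a, N) in place of the scalar multiplication.

```python
import secrets

# The "artificial" point I of slide 102, the group identity.
I = None


def on_curve(P, A, B, p):
    if P is I:
        return True
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % p == 0


def ec_add(P, Q, A, p):
    """Slides 104-106 over Z_p; divisions become multiplication by inverses."""
    if P is I:
        return Q
    if Q is I:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return I                          # vertical line: Q = -P, or P = Q with y = 0
    if x1 == x2:                          # P == Q with y != 0: tangent case (slide 105)
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p) % p
    else:                                 # chord through distinct points (slide 104)
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 =  (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P, A, p):
    """k * P by double-and-add, the curve analogue of repeated squaring (slide 109)."""
    R = I
    while k > 0:
        if k & 1:
            R = ec_add(R, P, A, p)
        P = ec_add(P, P, A, p)
        k >>= 1
    return R


# Toy curve (assumed for illustration): y^2 = x^3 + 2x + 2 over Z_17, 19 points.
A, B, p = 2, 2, 17
G = (5, 1)            # base point, order 19
ORDER = 19


def ecdh(a=None, b=None):
    """Slide 113: Alice sends a*G, Bob sends b*G, both derive a*b*G."""
    a = a or secrets.randbelow(ORDER - 1) + 1
    b = b or secrets.randbelow(ORDER - 1) + 1
    A_pub = ec_mul(a, G, A, p)            # Alice -> Bob
    B_pub = ec_mul(b, G, A, p)            # Bob -> Alice
    K_alice = ec_mul(a, B_pub, A, p)
    K_bob = ec_mul(b, A_pub, A, p)
    return A_pub, B_pub, K_alice, K_bob


if __name__ == "__main__":
    print([ec_mul(k, G, A, p) for k in range(1, ORDER + 1)])
    print(ecdh())
```

Because G has prime order 19, every non-zero multiple is a distinct point and 19·G = I, which the ec_mul loop reaches through the vertical-line case of ec_add. Real deployments add the checks this toy omits: that a received public point actually lies on the curve and in the prime-order subgroup, since feeding a point of small order into ec_mul leaks information about the private scalar.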

Slide 114: Why use Elliptic Curves?
The best currently known algorithm for EC discrete logarithms would take about as long to find a 160-bit EC discrete log as the best currently known algorithm for integer discrete logarithms would take to find a 1024-bit discrete log. 160-bit EC algorithms are somewhat faster and use shorter keys than 1024-bit "traditional" algorithms. (These are the 2002 figures; current guidance pairs 256-bit curves with moduli of roughly 3072 bits. The ratio is the point: against well-chosen curves only generic square-root attacks are known, whereas integer discrete logs fall to subexponential index-calculus methods.)

Slide 115: Why not use Elliptic Curves?
EC discrete logarithms have been studied far less than integer discrete logarithms. A fundamental break of the discrete-logarithm problem itself (one not tied to the structure of the integers mod N, such as a generic or quantum algorithm) would also break EC discrete logs, although the reverse need not be true: an attack that exploits special curve structure says nothing about integer discrete logs. Basic EC operations are more cumbersome than integer operations, so EC is only faster if the keys are much smaller.