cryptography lecturenotes
TRANSCRIPT
-
8/16/2019 Cryptography LectureNotes
1/63
Elliptic Curve Cryptography
-
8/16/2019 Cryptography LectureNotes
2/63
Cryptography
• The fundamental objective of cryptography
is to enable two people, usually referred to asAlice and Bob, to communicate over an
insecure channel in such a way that an
opponent, Oscar, cannot understand what is being said.
-
8/16/2019 Cryptography LectureNotes
3/63
Elliptic Curve Crypto (ECC)
• “Elliptic curve” is not a cryptosystem
• Elliptic curves are a different way to do
the math in public key system
• Elliptic curve versions of DH, RSA, etc.
• Elliptic curves may be more efficient
– Fewer bits needed for same security
– But the operations are more complex
-
8/16/2019 Cryptography LectureNotes
4/63
What is an Elliptic Curve?
• An elliptic curve E is the graph ofan equation of the form
y2 = x3 + ax + b
• Also includes a “point at infinity”
• What do elliptic curves look like?
• See the following!
-
8/16/2019 Cryptography LectureNotes
5/63
Elliptic Curves
• Elliptic curves as algebraic/geometricentities have been studied extensively
for the past 150 years, and from these
studies has emerged a rich and deep
theory. Elliptic curve systems as applied
to cryptography were first proposed in
1985 independently by Neal Koblitz
from the University of Washington, and Victor Miller, who was then at IBM,
Yorktown Heights.
-
8/16/2019 Cryptography LectureNotes
6/63
• Many cryptosystems often require the use ofalgebraic groups. Elliptic curves may be usedto form elliptic curve groups. A group is a set
of elements with custom-defined arithmeticoperations on those elements. For elliptic curvegroups, these specific operations are definedgeometrically. Introducing more stringent
properties to the elements of a group, such aslimiting the number of points on such a curve,creates an underlying field for an elliptic curvegroup. Elliptic curves are first examined overreal numbers in order to illustrate thegeometrical properties of elliptic curve groups.Thereafter, elliptic curves groups are examined
with the underlying fields of F p (where p is a prime) and F2m (a binary representation with2m elements).
-
8/16/2019 Cryptography LectureNotes
7/63
Elliptic Curve Groups over Real
Numbers
• An elliptic curve over real numbers may be defined as theset of points (x,y) which satisfy an elliptic curve equation of the form:
• y2 = x3 + ax + b, where x, y, a and b are real numbers.
• Each choice of the numbers a and b yields a different ellipticcurve. For example, a = -4 and b = 0.67 gives the ellipticcurve with equation y2 = x3 - 4x + 0.67; the graph of thiscurve is shown below:
• If x3 + ax + b contains no repeated factors, or equivalently if 4a3 + 27b2 is not 0, then the elliptic curve y2 = x3 + a x + b
• can be used to form a group. An elliptic curve group over real numbers consists of the points on the correspondingelliptic curve, together with a special point O called the
point at infinity.
-
8/16/2019 Cryptography LectureNotes
8/63
• P + Q = R is the additive property defined geometrically.
-
8/16/2019 Cryptography LectureNotes
9/63
Elliptic Curve Addition: A
Geometric Approach
• Elliptic curve groups are additive groups;that is, their basic function is addition. Theaddition of two points in an elliptic curve isdefined geometrically.
The negative of a point P = (xP,yP) is itsreflection in the x-axis: the point -P is
(xP,-yP). Notice that for each point P on anelliptic curve, the point -P is also on the curve.
-
8/16/2019 Cryptography LectureNotes
10/63
Adding distinct points P and Q
• Suppose that P and Q are two distinct points on an elliptic curve, and the P is
not -Q. To add the points P and Q, a line
is drawn through the two points. This
line will intersect the elliptic curve in
exactly one more point, call -R. The
point -R is reflected in the x-axis to the
point R. The law for addition in an
elliptic curve group is P + Q = R. For
example:
-
8/16/2019 Cryptography LectureNotes
11/63
-
8/16/2019 Cryptography LectureNotes
12/63
Adding the points P and -P
• The line through P and -P is a verticalline which does not intersect the ellipticcurve at a third point; thus the points Pand -P cannot be added as previously. It
is for this reason that the elliptic curvegroup includes the point at infinity O.By definition, P + (-P) = O. As a resultof this equation, P + O = P in the ellipticcurve group . O is called the additiveidentity of the elliptic curve group; allelliptic curves have an additive identity.
-
8/16/2019 Cryptography LectureNotes
13/63
-
8/16/2019 Cryptography LectureNotes
14/63
Doubling the point P
• To add a point P to itself, a tangent lineto the curve is drawn at the point P. If yPis not O, then the tangent line intersectsthe elliptic curve at exactly one other
point, -R. -R is reflected in the x-axis toR. This operation is called doubling the
point P; the law for doubling a point onan elliptic curve group is defined by:
P + P = 2P = R.
-
8/16/2019 Cryptography LectureNotes
15/63
• The tangent from P is always vertical if yP = 0.
-
8/16/2019 Cryptography LectureNotes
16/63
Doubling the point P if yP = 0
• If a point P is such that yP = 0, then the tangentline to the elliptic curve at P is vertical anddoes not intersect the elliptic curve at any other
point.
By definition, 2P = O for such a point P.
If one wanted to find 3P in this situation, one
can add 2P + P. This becomes P + O = P Thus3P = P.
3P = P, 4P = O, 5P = P, 6P = O, 7P = P, etc.
-
8/16/2019 Cryptography LectureNotes
17/63
-
8/16/2019 Cryptography LectureNotes
18/63
Elliptic Curve Addition: An
Algebraic Approach
• Although the previous geometric
descriptions of elliptic curves
provides an excellent method of
illustrating elliptic curve arithmetic,
it is not a practical way to
implement arithmetic computations.
Algebraic formulae are constructed to efficiently compute the geometric
arithmetic.
-
8/16/2019 Cryptography LectureNotes
19/63
Adding distinct points P and Q
• When P = (xP, yP) and Q = (xQ, yQ) are notnegative of each other,
P + Q = R where
s = (yP - yQ) / (xP - xQ)
xR = s2 - xP - xQ and yR = -yP + s(xP - xR)
Note that s is the slope of the line through P
and Q.
-
8/16/2019 Cryptography LectureNotes
20/63
Doubling the point P
• When yP is not 0,
2P = R where
s = (3xP2 + a) / (2yP )
xR = s2 - 2xP and yR = -yP + s(xP - xR)
Recall that a is one of the parameters
chosen with the elliptic curve and that sis the tangent on the point P.
-
8/16/2019 Cryptography LectureNotes
21/63
Elliptic Curve Picture
• Consider elliptic curve
E: y2 = x3 - x + 1
• If P1 and P2 are on E, we can
define
P3 = P1 + P2
as shown in picture
• Addition is all we need
P1P2
P3
x
y
-
8/16/2019 Cryptography LectureNotes
22/63
Points on Elliptic Curve
• Consider y2 = x3 + 2x + 3 (mod 5)
x = 0 y2 = 3 no solution (mod 5)
x = 1 y2 = 6 = 1 y = 1,4 (mod 5)
x = 2 y2 = 15 = 0 y = 0 (mod 5)
x = 3 y2 = 36 = 1 y = 1,4 (mod 5)
x = 4 y2
= 75 = 0 y = 0 (mod 5)• Then points on the elliptic curve are
(1,1) (1,4) (2,0) (3,1) (3,4) (4,0)
and the point at infinity:
-
8/16/2019 Cryptography LectureNotes
23/63
Elliptic Curve Math
• Addition on: y2 = x3 + ax + b (mod p)
P1=(x1,y1), P2=(x2,y2)
P1 + P2 = P3 = (x3,y3) where
x3 = m2 - x1 - x2 (mod p)
y3 = m(x1 - x3) - y1 (mod p)
And m = (y2-y
1)(x
2-x
1)-1 mod p, if P
1P
2
m = (3x12+a)(2y1)
-1 mod p, if P1 = P2
Special cases: If m is infinite, P3 = , and
+ P = P for all P
-
8/16/2019 Cryptography LectureNotes
24/63
Elliptic Curve Addition
• Consider y2 = x3 + 2x + 3 (mod 5). Points
on the curve are (1,1) (1,4) (2,0) (3,1)
(3,4) (4,0) and
• What is (1,4) + (3,1) = P3 = (x3,y3)?
m = (1-4)(3-1)-1 = -32-1
= 2(3) = 6 = 1 (mod 5)
x3 = 1 - 1 - 3 = 2 (mod 5)
y3 = 1(1-2) - 4 = 0 (mod 5)
• On this curve, (1,4) + (3,1) = (2,0)
-
8/16/2019 Cryptography LectureNotes
25/63
ECC Diffie-Hellman
• Public: Elliptic curve and point (x, y) on curve• Secret: Alice’s A and Bob’s B
Alice, A Bob, B
A(x,y)
B(x,y)
• Alice computes A(B(x,y))• Bob computes B(A(x,y))
• These are the same since AB = BA
-
8/16/2019 Cryptography LectureNotes
26/63
Elliptic Curve Deffie-Hellmen
(ECDH)
• Consistency: K=n AQ B=n A n B P=n BQ A
• ECDH is vulnerable to the man-in-the-middle attack
-
8/16/2019 Cryptography LectureNotes
27/63
ECC Diffie-Hellman
• Public: Curve y2 = x3 + 7x + b (mod 37) and
point (2,5) b = 3
• Alice’s secret: A = 4• Bob’s secret: B = 7
• Alice sends Bob: 4(2,5) = (7,32)
• Bob sends Alice: 7(2,5) = (18,35)• Alice computes: 4(18,35) = (22,1)
• Bob computes: 7(7,32) = (22,1)
-
8/16/2019 Cryptography LectureNotes
28/63
-
8/16/2019 Cryptography LectureNotes
29/63
Elliptic Curve Groups over F pCalculations over the real numbers are slow and inaccurate
due to round-off error.
Cryptographic applications require fast and precisearithmetic; thus elliptic curve groups over the finite fields of F pand F2
m are used in practice.
Recall that the field F p uses the numbers from 0 to p - 1, and computations end by taking the remainder on division by p. For example, in F23 the field is composed of integers from 0 to 22,and any operation within this field will result in an integer also
between 0 and 22.
An elliptic curve with the underlying field of F p can formed bychoosing the variables a and b within the field of F p. Theelliptic curve includes all points (x, y) which satisfy the ellipticcurve equation modulo p (where x and y are numbers in F p).
-
8/16/2019 Cryptography LectureNotes
30/63
• For example: y2 m o d p = x3 + ax + b mod p hasan underlying field of Fp if a and b are in Fp.
If x3 + ax + b contains no repeating factors (or,equivalently, if 4a3 + 27b2 mod p is not 0), thenthe elliptic curve can be used to form a group.An elliptic curve group over F
pconsists of the
points on the corresponding elliptic curve,together with a special point O called the pointat infinity. There are finitely many points onsuch an elliptic curve.
-
8/16/2019 Cryptography LectureNotes
31/63
Example of an Elliptic Curve Group over F p
• As a very small example, consider an elliptic curve over thefield F23. With a = 1 and b = 0, the elliptic curve equation is
y2 = x3 + x. The point (9,5) satisfies this equation since:
y2 mod p = x3 + x mod p
25 mod 23 = 729 + 9 mod 23
25 mod 23 = 738 mod 23
2 = 2
The 23 points which satisfy this equation are:
(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5)
(13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10)
(18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)
These points may be graphed as below:
-
8/16/2019 Cryptography LectureNotes
32/63
-
8/16/2019 Cryptography LectureNotes
33/63
• Note that there is two points for every x value.Even though the graph seems random, there is stillsymmetry about y = 11.5. Recall that elliptic
curves over real numbers, there exists a negative point for each point which is reflected through thex-axis. Over the field of F23, the negativecomponents in the y-values are taken modulo 23,resulting in a positive number as a difference from23. Here -P = (xP, (-yP mod 23))
• Note that these rules are exactly the same as thosefor elliptic curve groups over real numbers, with
the exception that computations are performed modulo p.
-
8/16/2019 Cryptography LectureNotes
34/63
Arithmetic in an Elliptic Curve Group over F p
• There are several major differences between elliptic
curve groups over F p and over real numbers.• Elliptic curve groups over F p have a finite number of
points, which is a desirable property for cryptographic purposes. Since these curves consist of a few discrete points, it is not clear how to "connect the dots" to
make their graph look like a curve. It is not clear howgeometric relationships can be applied. As a result,the geometry used in elliptic curve groups over realnumbers cannot be used for elliptic curve groups over F p. However, the algebraic rules for the arithmetic can
be adapted for elliptic curves over F p. Unlike elliptic
curves over real numbers, computations over the field of F p involve no round off error - an essential propertyrequired for a cryptosystem.
-
8/16/2019 Cryptography LectureNotes
35/63
Adding distinct points P and Q
• The negative of the point P = (xP, yP) is the point -P = (xP, -yPmod p). If P and Q are distinct points such that P is not -Q, then
P + Q = R where
s = (yP - yQ) / (xP - xQ) mod p
xR = s2 - xP - xQ mod p and yR = -yP + s(xP - xR) mod p
Note that s is the slope of the line through P and Q.
-
8/16/2019 Cryptography LectureNotes
36/63
Doubling the point P
• Provided that yP is not 0,
2P = R where
s = (3xP2 + a) / (2yP ) mod p
xR = s2 - 2xP mod p and yR = -yP + s(xP - xR)mod p
Recall that a is one of the parameters chosenwith the elliptic curve and that s is the slope ofthe line through P and Q.
-
8/16/2019 Cryptography LectureNotes
37/63
Elliptic Curve Groups over F2m• Elements of the field F2
m are m-bit strings. The rules for arithmetic in F2
m can be defined by either polynomial
representation or by optimal normal basis re presentation.Since F2
m operates on bit strings, computers can performarithmetic in this field very efficiently.
• An elliptic curve with the underlying field F2m is formed by
choosing the elements a and b within F2m (the only condition
is that b is not 0). As a result of the field F2m having acharacteristic 2, the elliptic curve equation is slightlyadjusted for binary representation:
y2 + xy = x3 + ax2 + b
The elliptic curve includes all points (x, y) which satisfy theelliptic curve equation over F2m (where x and y are elements of
F2m ). An elliptic curve group over F2
m consists of the points onthe corresponding elliptic curve, together with a point atinfinity, O. There are finitely many points on such an ellipticcurve.
http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math9http://www.certicom.com/index.php?action=ecc_tutorial,math9http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math9http://www.certicom.com/index.php?action=ecc_tutorial,math8
-
8/16/2019 Cryptography LectureNotes
38/63
An Example of an Elliptic Curve Group
over F2m
• As a very small example, consider the field F24, defined by using polynomial
representation with the irreducible polynomial f(x) = x4 + x + 1.
The element g = (0010) is a generator for the field . The powers of g are:
g0 = (0001) g1 = (0010) g2 = (0100) g3 = (1000) g4 = (0011) g5 = (0110)
g6 = (1100) g7 = (1011) g8 = (0101) g9 = (1010) g10 = (0111) g11 = (1110)
g12 = (1111) g13 = (1101) g14 = (1001) g15 = (0001)
In a true cryptographic application, the parameter m must be large enough to preclude theefficient generation of such a table otherwise the cryptosystem can be broken. In today's practice, m = 160 is a suitable choice. The table allows the use of generator notation (ge)rather than bit string notation, as used in the following example. Also, using generatornotation allows multiplication without reference to the irreducible polynomial
f(x) = x4 + x + 1.
-
8/16/2019 Cryptography LectureNotes
39/63
• Consider the elliptic curve y2 + xy = x3 + g4x2 + 1. Here a =g4 and b = g0 =1. The point (g5, g3) satisfies this equationover F2
m :
y2 + xy = x3 + g4x2 + 1
(g3)2 + g5g3 = (g5)3 + g4g10 + 1
g6 + g8 = g15 + g14 + 1
(1100) + (0101) = (0001) + (1001) + (0001)
(1001) = (1001)
The fifteen points which satisfy this equation are:
(1, g13) (g3, g13) (g5, g11) (g6, g14) (g9, g13) (g10, g8) (g12, g12)
(1, g6) (g3, g8) (g5, g3) (g6, g8) (g9, g10) (g10, g) (g12, 0) (0, 1)
These points are graphed below:
-
8/16/2019 Cryptography LectureNotes
40/63
-
8/16/2019 Cryptography LectureNotes
41/63
Arithmetic in an Elliptic Curve
Group over F2m
• Elliptic curve groups over F2m have a
finite number of points, and their
arithmetic involves no round off error.
This combined with the binary nature of the field, F2
m arithmetic can be performed
very efficiently by a computer.
The following algebraic rules are applied for arithmetic over F2
m :
-
8/16/2019 Cryptography LectureNotes
42/63
Adding distinct points P and Q
• The negative of the point P = (xP, yP) is the point -P =(xP, xP + yP). If P and Q are distinct points such that Pis not -Q, then
P + Q = R wheres = (yP - yQ) / (xP + xQ)
xR = s2 + s + xP + xQ + a and yR = s(xP + xR) + xR +yP
As with elliptic curve groups over real numbers, P + (-P)= O, the point at infinity. Furthermore, P + O = P for all
points P in the elliptic curve group.
-
8/16/2019 Cryptography LectureNotes
43/63
Doubling the point P
• If xP = 0, then 2P = O
Provided that xP is not 0,
2P = R where
s = xP + yP / xP
xR = s2+ s + a and yR = xP2 + (s + 1) * xR
Recall that a is one of the parameters chosenwith the elliptic curve and that s is the slopeof the line through P and Q
-
8/16/2019 Cryptography LectureNotes
44/63
Elliptic Curve groups and the
Discrete Logarithm Problem
• At the foundation of every cryptosystem is a hardmathematical problem that is computationally infeasibleto solve. The discrete logarithm problem is the basis forthe security of many cryptosystems including the Elliptic
Curve Cryptosystem. More specifically, the ECC reliesupon the difficulty of the Elliptic Curve DiscreteLogarithm Problem (ECDLP).
Recall that we examined two geometrically definedoperations over certain elliptic curve groups. These twooperations were point addition and point doubling. By
selecting a point in a elliptic curve group, one candouble it to obtain the point 2P. After that, one can addthe point P to the point 2P to obtain the point 3P. Thedetermination of a point nP in this manner is referred toas Scalar Multiplication of a point. The ECDLP is basedupon the intractability of scalar multiplication products.
-
8/16/2019 Cryptography LectureNotes
45/63
Scalar Multiplication
• The following animation demonstrates scalar multiplication through the combination of pointdoubling and point addition.
• While it is customary to use additive notation to
describe an elliptic curve group (as has beendone previously in this classroom), some insightis provided by using multiplicative notation.Specifically, consider the operation called "scalar multiplication" under additive notation: that is,computing kP by adding together k copies of the
point P. Using multiplicative notation, thisoperation consists of multiplying together k copies of the point P, yielding the pointP*P*P*P*…*P = Pk.
Th Elli i C Di L i h
-
8/16/2019 Cryptography LectureNotes
46/63
The Elliptic Curve Discrete Logarithm
Problem
• In the multiplicative group Z p*, the discrete logarithm problem is:given elements r and q of the group, and a prime p, find a number k such that r = qk mod p. If the elliptic curve groups is described usingmultiplicative notation, then the elliptic curve discrete logarithm problem is: given points P and Q in the group, find a number that Pk =Q; k is called the discrete logarithm of Q to the base P. When theelliptic curve group is described using additive notation, the elliptic
curve discrete logarithm problem is: given points P and Q in thegroup, find a number k such that Pk = Q
• Example:
In the elliptic curve group defined by
y2 = x3 + 9x + 17 over F23,
What is the discrete logarithm k of Q = (4,5) to the base P = (16,5)?
-
8/16/2019 Cryptography LectureNotes
47/63
• One (naïve) way to find k is to computemultiples of P until Q is found. The first few
multiples of P are:
P = (16,5) 2P = (20,20) 3P = (14,14) 4P =(19,20) 5P = (13,10) 6P = (7,3) 7P = (8,7) 8P =(12,17) 9P = (4,5)
Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is k = 9.
In a real application, k would be large enoughsuch that it would be infeasible to determine k
in this manner.
A E l f th Elli ti C
-
8/16/2019 Cryptography LectureNotes
48/63
An Example of the Elliptic Curve
Discrete Logarithm Problem
• What is the discrete
logarithm of Q(-0.35,2.39)
to the base P(-1.65,-2.79) in
the elliptic curve group y2 =
x
3
- 5x + 4 over realnumbers?
-
8/16/2019 Cryptography LectureNotes
49/63
Diffie-Hellman
-
8/16/2019 Cryptography LectureNotes
50/63
Diffie-Hellman
• Invented by Williamson (GCHQ) and,
independently, by D and H (Stanford)
• A “key exchange” algorithm
– Used to establish a shared symmetric key
• Not for encrypting or signing
• Security rests on difficulty of discrete log
problem: given g, p, and gk mod p find k
-
8/16/2019 Cryptography LectureNotes
51/63
Diffie-Hellman
• Let p be prime, let g be a generator
– For any x {1,2,…,p-1} there is n s.t. x = gn mod p
• Alice selects secret value a• Bob selects secret value b
• Alice sends ga mod p to Bob
• Bob sends gb mod p to Alice
• Both compute shared secret gab mod p
• Shared secret can be used as symmetric key
-
8/16/2019 Cryptography LectureNotes
52/63
Diffie-Hellman
• Suppose that Bob and Alice use gab mod p
as a symmetric key
• Trudy can see ga mod p and gb mod p
• Note ga gb mod p = ga+b mod p gabmod p
• If Trudy can find a or b, system is broken
• If Trudy can solve discrete log problem,then she can find a or b
-
8/16/2019 Cryptography LectureNotes
53/63
Diffie-Hellman
• Public: g and p
• Secret: Alice’s exponent a, Bob’s exponent b
Alice, a Bob, b
ga mod p
gb mod p
• Alice computes (gb)a = gba = gab mod p• Bob computes (ga)b = gab mod p
• Could use K = gab mod p as symmetric key
-
8/16/2019 Cryptography LectureNotes
54/63
Diffie-Hellman
• Subject to man-in-the-middle (MiM) attack
Alice, a Bob, b
ga mod p
gb mod p
Trudy, t
gt mod p
gt mod p
• Trudy shares secret gat mod p with Alice• Trudy shares secret gbt mod p with Bob• Alice and Bob don’t know Trudy exists!
-
8/16/2019 Cryptography LectureNotes
55/63
Diffie-Hellman
• How to prevent MiM attack?
– Encrypt DH exchange with symmetric key
– Encrypt DH exchange with public key – Sign DH values with private key
– Other?
• You MUST be aware of MiM attack onDiffie-Hellman
-
8/16/2019 Cryptography LectureNotes
56/63
Public-key encryption
• Key generation algorithm: randomized algorithm that outputs
(pk, sk)
• Encryption algorithm: – Takes a public key and a message (plaintext), and outputs a
ciphertext; c E pk (m)
• Decryption algorithm:
– Takes a private key and a ciphertext, and outputs a message(or perhaps an error); m = Dsk (c)
• Correctness: for all (pk, sk), Dsk (E pk (m)) = m
-
8/16/2019 Cryptography LectureNotes
57/63
El Gamal encryption
p, g
hA = gx mod p
hB = gy mod p
K AB = (hB)x K BA = (hA)
y
p, g, hA = gx
Receiver Sender
c = (K BA. m) mod p
hB, c
-
8/16/2019 Cryptography LectureNotes
58/63
• Alice signs a message M to Bob by computing – the hash m = H(M), 0
-
8/16/2019 Cryptography LectureNotes
59/63
use field GF(19) q 19 and a 10
• Alice computes her key:
A chooses xA=16 & computes yA=1016mod 19 = 4
• Alice signs message with hash m=14 as (3,4):
– choosing random K=5 which has gcd(18,5)=1
– computing S1 = 105mod 19 = 3
– finding K-1 mod (q-1) = 5-1 mod 18 = 11 – computing S2 = 11(14-16.3) mod 18 = 4
• any user B can verify the signature by computing
–
V1 = 10
14
mod 19 = 16– V2 = 4
3.34 = 5184 = 16 mod 19
– since 16 = 16 signature is valid
Elliptic Curve Digital Signature Algorithm
-
8/16/2019 Cryptography LectureNotes
60/63
p g g g
(ECDSA)
-
8/16/2019 Cryptography LectureNotes
61/63
RSA background
• N=pq, p and q distinct, odd primes
• (N) = (p-1)(q-1)
– Easy to compute (N) given the factorization of N – Hard to compute (N) without the factorization of N
• Fact: for all x Z N*, it holds that x(N) = 1 mod N
• If ed=1 mod (N), then for all x it holds that
(xe
)d
= x mod Ni.e., this is a way to compute eth roots
-
8/16/2019 Cryptography LectureNotes
62/63
RSA key generation
• Generate random p, q of sufficient length
• Compute N=pq and (N) = (p-1)(q-1)
• Compute e and d such that ed = 1 mod (N) – e must be relatively prime to (N)
• Public key = (N, e); private key = (N, d)
• To encrypt a message m Z N*, compute
c = me
mod N• To decrypt a ciphertext c, compute m = cd mod N
-
8/16/2019 Cryptography LectureNotes
63/63
Hardness of computing eth roots?
• The RSA problem:
– Given N, e, and c, compute c1/e mod N
• If factoring is easy, then the RSA problem is
easy• We know of no other way to solve the RSA
problem besides factoring N
– But we do not know how to prove that the
RSA problem is as hard as factoring• The upshot: we believe factoring is hard, and
we believe the RSA problem is hard