1
CSIS 0327 Computer & Network Security
September 2006
Public Key CryptoSystems: RSA and Others
Dr Lucas Hui (CYC307, 28592190, [email protected])
2
Problem of Symmetric Encryption
• A key is owned by more than one person
• No ‘non-repudiation’ property
  – A third party cannot determine whether a message is generated by the message sender or receiver
• Key management problem is complicated
  – N persons need N(N-1) pairs of keys
  – E.g. 5 persons (1-5), Ki,j is the key for communication between i and j
    • Person 1 keeps K1,2 , K1,3 , K1,4 and K1,5
    • Person 2 keeps K1,2 , K2,3 , K2,4 and K2,5
    • Person 3 keeps K1,3 , K2,3 , K3,4 and K3,5
    • Person 4 keeps K1,4 , K2,4 , K3,4 and K4,5
    • Person 5 keeps K1,5 , K2,5 , K3,5 and K4,5
  – Complicated procedures exist for
    • A new coming subject
    • An exiting subject
    • Subjects renewing their keys
3
Symmetric Encryption CryptoSystem
[Figure: symmetric cryptosystem model between Person A and Person B. Labels: Mesg source (X), Encryption Algo E, Y, Decryption Algo D, Mesg Destination (X), Key source (K), Secure channel, Cryptanalyst (X’, K’)]
• Y = E_K(X), X = D_K(Y)
Both A and B have K, and so either one alone can generate X !!
4
Public key system
• A.k.a. asymmetric key system
• Each party X has two keys, one private key Xprv, one public key Xpub (E.g. A has private key Aprv and public key Apub)
• The private key and public key together form a key pair
  – You cannot generate a random private key V, and a random public key U, and just call them a key pair
  – You have to use a sophisticated ‘key-generation’ procedure to generate a key pair
• Private key is secret to the owner, public key is open to public
• Xpub(Xprv(M)) = Xprv(Xpub(M)) = M
• Mathematically, given the public key, it is extremely difficult to find the private key
• Mathematically, given the private key, it is extremely difficult to find the public key
• Security strength always depends on key length
• Can be used in digital signature, encryption, and other advanced usage
5
• Data Encryption : A sends a confidential message M to B
  – A sends Bpub(M) to B, B decrypts with Bprv
• Digital Signature: A sends a signed message M to B
  – A sends Aprv(M) to B, B decrypts with Apub
• The ‘encryption’ and ‘signature’ functions can be used together, or just use one function.
• Often combined with hash functions and symmetric key systems
• Public Key Cryptosystem examples:
  – RSA
  – DSA (for digital signature only)
  – Elliptic curves
6
Public Key Cryptosystem
• A has public key Apub, & private key Aprv
• From Apub, almost impossible to find Aprv
• From Aprv, almost impossible to find Apub
• Apub is known to all; Aprv is secret to A
[Figure: A holds Aprv. M transformed with Aprv gives C’, and Apub turns C’ back into M; M transformed with Apub gives C”, and Aprv turns C” back into M]
7
Data Encryption using Public Key Cryptosystems
• A sends a confidential message M to B
  – A sends Bpub(M) to B, B decrypts with Bprv
  – No other subjects can read M
• Provide no authenticity
  – Any other subject can pretend to be A, to send Bpub(M) to B
[Figure: A encrypts M with Bpub to produce C; B decrypts C with Bprv to recover M]
8
Confidentiality in Public Key Cryptosystem
[Figure: public-key confidentiality model. Labels: Mesg source (X), Encryption Algo E keyed with Bpub, Y, Decryption Algo D keyed with Bprv, Mesg Destination (X), Key Pair source, Secret Channel, Cryptanalyst (X’, Bprv’)]
9
Symmetric Key Vs Pub Key System

Symmetric Key Encryption
• Needed to work
  – Sender & receiver use same algo & same key for encryption & decryption
• Needed for security
  – Key must be kept secret
  – Practically impossible to decipher a message
  – Knowledge of algo + samples of ciphers must be insufficient to determine the key

Public Key Encryption
• Needed to work
  – One algo, a pair of keys, 1 for encryption, 1 for decryption. Sender & receiver must have a matched pair of keys
• Needed for security
  – One of the two keys must be kept secret
  – Practically impossible to decipher a message
  – Knowledge of algo + one of the keys + samples of ciphers must be insufficient to determine the key
10
Digital Signature using Public Key Cryptosystems
• A sends a signed message M to B
  – A sends Aprv(M) to B, B decrypts with Apub
  – Only A has Aprv, so Aprv(M) must be generated by A
• No confidentiality
  – Any one tapping Aprv(M) can decrypt it with Apub
[Figure: A transforms M with Aprv to produce C; B applies Apub to C to recover M]
11
Authenticity in Public Key Cryptosystem
[Figure: public-key authenticity model. Labels: Mesg source (X), Encryption Algo E keyed with Aprv, Y, Decryption Algo D keyed with Apub, Mesg Destination (X), Key Pair source, Secret Channel, Cryptanalyst (X’, Aprv’)]
12
Confidentiality & Authenticity in Public Key Cryptosystem
[Figure: combined model with two encryption stages and two decryption stages between Mesg source (X) and Mesg Destination (X). Labels: Enc Alg (twice), Dec Alg (twice), Y, keys Aprv, Apub, Bpub, Bprv, two Key Pair sources, Secret Channel, Cryptanalyst (X’, Aprv’, Bprv’)]
13
Requirement of PKC
• Practical public-key cryptosystem depends on discovery of a suitable trapdoor one-way function f_k
  – Y = f_k(X) computationally easy, if k and X are known
  – X = f_k^-1(Y) computationally easy, if k and Y are known
  – X = f_k^-1(Y) computationally infeasible, if Y is known, k is unknown
  – E.g. f_k is using the public key, and f_k^-1 is using the private key
14
Modular Arithmetic I
• modular arithmetic is 'clock arithmetic'
• a congruence a = b mod n says when divided by n that a and b have the same remainder
  – 100 = 34 mod 11
    • Note: the above expression is a common, but a bit relaxed way of writing “100 mod 11 = 34 mod 11”, or “100 =_(mod 11) 34”
  – usually have 0 <= b <= n-1
  – -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
  – b is called the residue of a mod n
• can do arithmetic with integers modulo n with all results from 0 to n - 1
15
Modular Arithmetic II
• Addition
  – a+b mod n
• Subtraction
  – a-b mod n = a+(-b) mod n
• Multiplication
  – a . b mod n, derived from repeated addition, can get a.b=0 where neither a,b=0
  – Eg. 2 . 5 mod 10
• Division
  – a/b mod n, is multiplication by inverse of b: a/b = a . b^-1 mod n. (If n is prime, b^-1 mod n exists s.t. b.b^-1 = 1 mod n)
  – Eg. 2 . 3=1 mod 5 hence 4/2 = 4 . 3 = 2 mod 5
16
Modular Arithmetic III
• Integers modulo n with addition and multiplication form a commutative ring with the laws of
  – Associative: (a+b)+c = a+(b+c) mod n
  – Commutative: a+b = b+a mod n
  – Distributive: (a+b).c = (a.c)+(b.c) mod n
• also can choose whether to do an operation and then reduce modulo n, or reduce then do the operation, since reduction is a homomorphism from the ring of integers to the ring of integers modulo n
  – a +/- b mod n = [ a mod n +/- b mod n] mod n
  – (the above laws also hold for multiplication)
• if n is constrained to be a prime number p then this forms a Galois Field modulo p denoted GF(p) and all the normal laws associated with integer arithmetic work
17
Exponentiation in GF(p)
• many encryption algorithms use exponentiation: raising a number a (base) to some power e (exponent) mod p
  – b = a^e mod p
• exponentiation is basically repeated multiplication, which takes O(n) multiplications for a number n
• A better method is the square-and-multiply algorithm, which only takes O(log_2 n) multiplications for a number n
18
Square & Multiply Exponentiation
• b = m^e mod p
• Represent e in binary form (e.g. m^20 is m^10100, with the exponent written in binary)
• Let e = e_k e_{k-1} e_{k-2} … e_1 (e_k is the most significant bit, e_1 is the least significant bit)
    d = 1
    for j = k downto 1 do {
        d = d * d mod p
        if e_j == 1 then { d = d * m mod p }
    }
    return d
• E.g. compute m^10100 (mod p), then
  – We have d = 1, 1, m^1, m^10, m^100, m^101, m^1010, m^10100.
• Need (n-1) ‘squaring’ (n is number of bits in e) & (k - 1) ‘multiplication’ (k is number of ‘1-bit’ in e)
19
Square & Multiply Exponentiation Examples
(sq): squaring, (X): multiplying by m. Exponents are written in binary.

To compute m^10000 :
  m^1 -(sq)-> m^10 -(sq)-> m^100 -(sq)-> m^1000 -(sq)-> m^10000

To compute m^10100 (exponent bits 1 0 1 0 0) :
  m^1 -(sq)-> m^10 -(sq)-> m^100 -(X)-> m^101 -(sq)-> m^1010 -(sq)-> m^10100

To compute m^11111 :
  m^1 -(sq)-> m^10 -(X)-> m^11 -(sq)-> m^110 -(X)-> m^111 -(sq)-> m^1110 -(X)-> m^1111 -(sq)-> m^11110 -(X)-> m^11111
20
Two Important Theorems
• ϕ(n) is the Euler totient function (no. of positive numbers < n and relatively prime to n)
• Note that 1 is relatively prime to every other integer
• Theorem (Euler's Generalization, Euler Totient Thm)
  – let gcd(a,n)=1 then
  – a^ϕ(n) mod n = 1
• Fermat's Theorem
  – let p be a prime and gcd(a,p)=1 then
  – a^(p-1) mod p = 1
21
Discrete Logarithm Problem
• The inverse problem to exponentiation is that of finding the discrete logarithm of a number modulo p
  – find x where a^x = b mod p
• While exponentiation is relatively easy, finding discrete logarithms is generally a hard problem, with no easy way
• Note that taking logarithms in the real numbers is very easy, so the modulo arithmetic plays an important role here
22
RSA
• Invented by Ron Rivest, Adi Shamir, and Len Adleman at MIT (1978)
• reversible public-key system (can be used in both encryption and digital signature)
• security based on factorization
• RSA key generation
  – Generate large primes p, q.
  – Compute n (the modulus) = p * q
  – Compute ϕ(n) = (p-1)(q-1)
  – Generate e relatively prime to (p-1)*(q-1) (I.e. gcd(ϕ(n), e)=1 )
  – Compute d = e^-1 mod ((p-1)*(q-1))
  – Public key is (e,n), Private key is (d,n)
  – 1024-bit RSA means n has 1024 bits
  – the data must have value < n (since taking mod n).
23
RSA
• Public key is (e,n), Private key is (d,n)
• RSA Encryption basic scheme
  – m (< n) is the message
  – use public key (e,n) to encrypt, compute c = m^e mod n
  – use private key (d,n) to decrypt, compute m = c^d mod n
• Digital signature
  – m (< n) is the message
  – use private key (d,n) to sign (“encrypt”), compute s = m^d mod n
  – use public key (e,n) to verify (“decrypt”), check whether m ?= s^e mod n
24
RSA
• execution slower than block ciphers
• Tricks to speed up RSA
  – Mathematical technique : addition chain, Chinese Remainder Theorem
  – Encryption hardware : crypto-card
  – Assembly code, microcode implementation for software systems
  – Short exponent (for public key only) : e.g. 3, 2^16+1
• security based on factorization
• Attack on RSA mainly on factorization
• Patent issued Sep 29, 1983. Expired in 2000
25
Attack on RSA
• Given (d,n), find e
• by factorization
  – Factor n into p and q
  – Compute e = d^-1 mod ((p-1)*(q-1))
  – prevent by using large n (standard in 1999 : more than 700 bit modulus, therefore using 1024-bit RSA is popular)
• Special mathematical attack on special cases, e.g.:
  – if m^e < n, then we can solve the equation directly
  – if p and q have some special property, the RSA system is easier to break
  – usually prevented by checking in the key generation time (when generating p and q)
• Timing attack: depends on running time of decryption
• Remark (by Shamir) : Cryptography is not broken, only bypassed!!
26
Timing Attack on RSA
• Find the private key (bit by bit) by the running time of decryption (only need ciphertexts)
• Square & multiply exponentiation : 1 square operation per key bit, and 1 multiply operation per key bit which is “1” (d = d * m)
• [Simplified illustration] : for certain d & m, the operation “d = d * m” takes a long time. So long that we can distinguish whether “d = d * m” is executed or not (use this to determine a “1” bit or a “0” bit in the exponent)
• Determine the private key bit by bit by the above, from the leftmost bit.
• In real cases, not that easy to achieve, but still a threat.
• Countermeasures exist
• Inspired other approaches like power consumption, sound generated by machine (announced by Shamir, Dec 2004) etc.
27
Countermeasures of Timing Attack on RSA
• Constant exponentiation time : compute x=d*m in all cases
• Random delay
• Blinding : transforming the message m to another value before performing exponentiation

Blinding example (compute m = c^d mod n)
5. Generate a secret random number r between 0 and n-1
6. Compute c’ = c * r^e mod n (e is the public key)
7. Compute m’ = c’^d mod n by exponentiation ( = c^d r^(de) mod n = c^d r mod n, since r^(ed) mod n = r mod n)
8. Compute m = m’ r^-1 mod n (= c^d r^(de) r^-1 mod n = c^d r r^-1 mod n) = c^d mod n
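
The square-and-multiply loop from the earlier slides with its operations recorded, added here as an example that is not part of the original slides. It shows why the operation sequence gives away the exponent, as the timing-attack slide describes, next to the "compute x=d*m in all cases" countermeasure. Function names are illustrative, and Python integers are not constant-time, so only the sequence of operations is modelled.

```python
def square_and_multiply(m, e, p):
    """Left-to-right loop from the slides. Returns (m^e mod p, trace);
    the trace records each operation: 'sq' = squaring, 'X' = multiply by m."""
    d, trace = 1, []
    for bit in bin(e)[2:]:            # e_k ... e_1, most significant bit first
        d = d * d % p
        trace.append("sq")
        if bit == "1":                # data-dependent step: runs only for 1-bits
            d = d * m % p
            trace.append("X")
    return d, trace


def exponent_from_trace(trace):
    """What an observer who can tell 'sq' from 'sq then X' learns:
    one exponent bit per squaring, i.e. the whole exponent."""
    bits = ""
    for i, op in enumerate(trace):
        if op == "sq":
            following = trace[i + 1] if i + 1 < len(trace) else None
            bits += "1" if following == "X" else "0"
    return int(bits, 2)


def always_multiply(m, e, p):
    """Countermeasure 'compute x = d*m in all cases': the multiplication is
    always performed and its result is kept only when the bit is 1."""
    d, trace = 1, []
    for bit in bin(e)[2:]:
        d = d * d % p
        trace.append("sq")
        x = d * m % p                 # performed for 0-bits and 1-bits alike
        trace.append("X")
        d = x if bit == "1" else d    # selection models the idea only
    return d, trace


def slide_operation_count(e):
    """(n-1) squarings and (k-1) multiplications as counted on the slide,
    which leaves out the two trivial operations on d = 1."""
    bits = bin(e)[2:]
    return len(bits) - 1, bits.count("1") - 1
```

With the leaky loop, two exponents of the same length produce different traces; with `always_multiply` every exponent of a given bit length produces the same trace.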
28
RSA Example (with small p,q)
• RSA key generation
  – Generate primes p, q. (say p = 7, q = 13)
  – Compute n (the modulus) = p * q ( n = 91)
  – Compute ϕ(n) = (p-1)(q-1) (ϕ(n) = 6*12 = 72)
  – Generate e relatively prime to (p-1)*(q-1) (say e = 5)
  – Compute d = e^-1 mod ((p-1)*(q-1)) (d = 29, since 5*29 = 145 = 2*72+1)
  – Public key is (e,n), Private key is (d,n) (public key is (5,91), private key is (29,91))
  – This is a 7-bit RSA (and can only handle data up to 6 bits, so n-bit RSA can only handle (n-1)-bit data objects)
• RSA usage
  – Let the message m = 5, for digital signature usage, the signed value is 5^29 mod 91 = 31. For verification purposes, 31^5 mod 91 = 5
  – Let the message m = 5, for data encryption usage, the cipher is 5^5 mod 91 = 31. For decryption, 31^29 mod 91 = 5
  – Let the message be 14, for data encryption usage, the cipher is 14^5 mod 91 = 14. For decryption, 14^29 mod 91 = 14
29
Calculation of inverse
• ‘Primitive’ method : trial and error
  – E.g. Inverse of 20 mod 33
  – Try : 33*1 + 1 , 33*2 + 1 , 33*3 + 1, etc
  – We get : 34, 67, 100, 133, ….
  – We know that 20 * 5 = 100
  – So 20^-1 mod 33 = 5
  – Only works for small numbers
• Extended Euclid’s Algorithm
  – The General Solution
30
Euclid’s Algorithm
• To find GCD (Greatest Common Divisor)
• Divide C_0 by C_1, let Quotient = Q_2, Rem = C_2

  Q (Quotient)   C (Remainder)
  -              1769
  -              550
  3              119
  4              74
  1              45
  1              29
  1              16
  1              13
  1              3
  4              1
31
Euclid’s Algorithm
• To find GCD of d and f (i.e. ? = gcd(d,f) )
• Set up the table of Q and C
• Initialize
  – C_0 = f
  – C_1 = d
• Iterate
  – Divide C_{i-1} by C_i, let Quotient = Q_{i+1}, Remainder = C_{i+1}
• Until C_i is 0
• Answer is C_{i-1}.
32
Extended Euclid’s Algorithm
• To find multiplicative inverse (i.e. find d^-1 (mod f) )
• Principle : Try to set up equation of the form
  – A_i f + B_i d = C_i (**)
• Initially :
  – A_0 = 1, B_0 = 0, C_0 = f
  – A_1 = 0, B_1 = 1, C_1 = d
• Iteratively :
  – Find A_{i+1}, B_{i+1}, C_{i+1} from A_i, B_i, C_i (and C_{i-1}), preserving condition (**)
• Finally :
  – C_n = 1, so A_n f + B_n d = 1
  – Which means (B_n) d = 1 + (-A_n) f,
  – Or B_n = d^-1 (mod f)
33
Calculation of inverse
• To find multiplicative inverse (of 550 mod 1769)

  Q    A    B          C
  -    1    0          1769
  -    0    1          550
  ?    ?    ?          ?
  …
            ? (Ans)
34
One Step
• How to find A_{i+1}, B_{i+1}, C_{i+1} from A_i, B_i, C_i, C_{i-1}?
• E.g.
  – A_0 f + B_0 d = C_0
  – A_1 f + B_1 d = C_1
  – To find : A_2 f + B_2 d = C_2
  – Divide C_0 by C_1, let Quotient = Q_2, Rem = C_2
  – Now C_1 Q_2 + C_2 = C_0
  – So C_2 = C_0 - (C_1)(Q_2)
  – Now, by ‘design’, let
    • B_2 = B_0 - (B_1)(Q_2)
    • A_2 = A_0 - (A_1)(Q_2)
  – We satisfy (**) : A_2 f + B_2 d = C_2
35
Why satisfy (**) : A_2 f + B_2 d = C_2

Since: A_2 f + B_2 d
  = (A_0 - A_1 Q_2) f + (B_0 - B_1 Q_2) d
  = A_0 f + B_0 d - A_1 Q_2 f - B_1 Q_2 d
  = (A_0 f + B_0 d) - Q_2 (A_1 f + B_1 d)
  = C_0 - C_1 Q_2
  = C_2
36
Calculation of inverse
• Find inverse of 550 mod 1769

  Q    A    B          C
  -    1    0          1769
  -    0    1          550
  3    ?    ?          119
  …
            ? (Ans)
37
Calculation of inverse
• Find inverse of 550 mod 1769

  Q    A                  B                  C
  -    1                  0                  1769
  -    0                  1                  550
  3    1 = (1 - 3*0)      -3 = 0 - 3*1       119
  …
                          ? (Ans)
38
Calculation of inverse
• Find inverse of 550 mod 1769

  Q    A                  B                  C
  -    1                  0                  1769
  -    0                  1                  550
  3    1                  -3                 119
  4    -4 = 0 - 4*1       13 = 1 - 4*(-3)    74
  …
                          ? (Ans)
39
E.g. Calculation of inverse
• Completed table (550^-1 mod 1769 = 550)

  Q    A       B            C
  -    1       0            1769
  -    0       1            550
  3    1       -3           119
  4    -4      13           74
  1    5       -16          45
  1    -9      29           29
  1    14      -45          16
  1    -23     74           13
  1    37      -119         3
  4    -171    550 (Ans)    1
40
Summary of Extended Euclid’s Algorithm
• To find the inverse of d mod f
• Set up the table of Q, A, B, C
• Initialize
  – A_0 = 1, B_0 = 0, C_0 = f
  – A_1 = 0, B_1 = 1, C_1 = d
• Iterate
  – Divide C_{i-1} by C_i, let Quotient = Q_{i+1}, Rem = C_{i+1}
  – Compute B_{i+1} = B_{i-1} - (B_i)(Q_{i+1})
  – Compute A_{i+1} = A_{i-1} - (A_i)(Q_{i+1})
• Until C_i is 1 (if C_i goes to 0 without being equal to 1, that means GCD(d,f) is not 1, and there is no answer)
• Answer is B_i.
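
The table procedure summarised above, written out as an added example (not part of the original slides). It builds the Q, A, B, C rows, keeps the invariant A*f + B*d = C, and raises an error in the no-answer case where C reaches 0 without passing through 1. The function names are illustrative.

```python
def extended_euclid_table(d, f):
    """Return the rows (Q, A, B, C) of the table for 'inverse of d mod f'.
    Every row satisfies A*f + B*d == C, the condition marked (**)."""
    rows = [(None, 1, 0, f),          # A_0, B_0, C_0
            (None, 0, 1, d)]          # A_1, B_1, C_1
    while rows[-1][3] > 1:            # stop when C is 1 (answer) or 0 (none)
        _, a_prev, b_prev, c_prev = rows[-2]
        _, a_cur, b_cur, c_cur = rows[-1]
        q, c_next = divmod(c_prev, c_cur)
        rows.append((q,
                     a_prev - a_cur * q,
                     b_prev - b_cur * q,
                     c_next))
    return rows


def mod_inverse(d, f):
    """Inverse of d modulo f, taken from the B column of the last row."""
    rows = extended_euclid_table(d % f, f)
    _, _, b, c = rows[-1]
    if c != 1:
        raise ValueError("gcd(d, f) is not 1, so d has no inverse mod f")
    return b % f                      # B may be negative; reduce into 0..f-1


def print_table(d, f):
    """Print the table in the same Q, A, B, C layout as the slides."""
    print(f"{'Q':>4} {'A':>6} {'B':>6} {'C':>6}")
    for q, a, b, c in extended_euclid_table(d, f):
        print(f"{'-' if q is None else q:>4} {a:>6} {b:>6} {c:>6}")


if __name__ == "__main__":
    print_table(550, 1769)
    print("inverse:", mod_inverse(550, 1769))
```

The same function gives the RSA private exponent of the small example: `mod_inverse(5, 72)` is the d for e = 5 and ϕ(n) = 72.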
41
Why RSA works? Proof of m^(ed) = m (mod n) in RSA
• Known facts:
    n = p * q where p, q are primes
    d = e^-1 mod (p-1)(q-1)
    or: e d = k(p-1)(q-1) + 1 for integer k
• Proof 1: (a simple and incomplete proof)
    For message m,
      m^(ed) (mod n)
    = m^(k(p-1)(q-1) + 1) (mod n)
    = ( m^((p-1)(q-1)) )^k * m^1 (mod n)
    = ( 1 )^k * m (mod n)    (if gcd(m,n) = 1)
    = m (mod n)
(This proof does not cover cases where m is a multiple of p or q)
42
Why RSA works? : Proof of m^(ed) = m (mod n) in RSA (2)
• Known facts:
    n = p * q where p, q are primes
    d = e^-1 mod (p-1)(q-1)
    or: e d = k(p-1)(q-1) + 1 for integer k
• Proof 2: (a complete proof)
    Step 1: Try to prove: for message m, m^(ed) = m (mod p)
    Observe p is a prime, so gcd(m,p) = 1 or p
    [Case 1.1:] If gcd(m,p) = 1, we have
      m^(ed) (mod p)
    = m^(k(p-1)(q-1) + 1) (mod p)
    = ( m^(p-1) )^((q-1)k) * m^1 (mod p)
    = ( 1 )^((q-1)k) * m (mod p)
    = m (mod p)
    [Case 1.2:] gcd(m,p) = p, so m is a multiple of p, thus m^(ed) (mod p) = 0 = m (mod p)
    In both cases, we have proven that m^(ed) = m (mod p).
43
Why RSA works? : Proof of m^(ed) = m (mod n) in RSA (3)
• Known facts:
    n = p * q where p, q are primes
    d = e^-1 mod (p-1)(q-1)
    or: e d = k(p-1)(q-1) + 1 for integer k
• Proof 2: (a complete proof cont’d)
    Step 1: we have proven: for message m, m^(ed) = m (mod p).
    Step 2: by similar arguments, we can prove m^(ed) = m (mod q).
    Step 3: Try to prove: m^(ed) = m (mod n):
    From step 1: m^(ed) - m = 0 (mod p), so m^(ed) - m is a multiple of p.
    From step 2: m^(ed) - m = 0 (mod q), so m^(ed) - m is a multiple of q.
    Since p and q are different primes, m^(ed) - m must be a multiple of p*q = n.
    So we have proven m^(ed) - m = 0 (mod n), or m^(ed) = m (mod n).
44
Blind Signature : achieve anonymity
• In e-cash systems, let the customer generate an e-cash note number, without letting the bank know the number. But the bank can still sign on it.
• To establish the secret identity of a spy
• To protect RSA from timing attack, etc.
45
Anonymity of E-cash

• Usually achieved by cryptographic techniques.
• Idea : Bank (B) does not know the Customer’s (C) identification, when an e-cash token is issued.
• Example :
  – C receives an “e-cash request software” from B
  – C uses the software to generate a ‘note number’ X (can have more details)
  – C sends a request to B, asking B to sign on X
  – B, after authenticating the request, knowing that the request is generated from a valid software, signs on X, the result is a valid e-cash token (with number X)
  – B issues the token to C, and deducts C’s money
  – But B does not know X!!! How?
46
Idea of Blind Signature
[Figure: two panels. Normal Signing: the document “This is a document” is signed “James Ho”. Blind Signing: the document goes through ‘Blinding’, is signed by the “blind signer”, and after ‘Unblinding’ carries the signature “James Ho”]
47
Using ‘blind-signature’ in E-cash
• Example :
  – C receives an “e-cash request software” from B
  – C uses the software to generate a ‘note number’ X (can have more details)
  – C transforms X into another number Y
  – C sends a request to B, asking B to sign on Y
  – B, after authenticating the request, knowing that the request is generated from a valid software, signs on Y, the result is a transformed valid e-cash token
  – B issues the transformed token to C, & deducts C’s money
  – C extracts the valid token (with note number X) from the transformed token
  – In some ‘not-so anonymous’ schemes, C’s identification can be opened. The scheme is very complicated.
48
Blind Signature Scheme Eg.
Customer C wants B to sign on a ‘note number’ X
• RSA scheme is used, (d,n) is B’s private key, (e,n) is B’s public key
• C generates a ‘blinding factor’ R
• C computes Y = (X R^e) mod n, and sends to B
• B signs on Y : compute Z = Y^d mod n = (X R^e)^d mod n = (X^d R^(ed)) mod n. (Since R^(ed) = R mod n, so Z = (X^d R) mod n.)
• B sends Z = (X^d R) mod n to C, C multiplies Z by R^-1 (mod n), and obtains X^d mod n, which is the ‘note number’ signed by B.
• Problem: how can B know that C is not presenting a meaningful message (like ‘B owes C one million’) for B to sign?
Reference: “Frontiers of Electronic Commerce”, Kalakota & Winston, 1996, Addison-Wesley.
49
Blind Signature Scheme: Secret ID establishment
• C is a spy, B is head of the government treasury department
• C wants to use a secret ID (say “Little sparrow”)
• C wants B to sign a message like
  – “The government agrees to pay Little sparrow 1 million dollars”
• But, C does not want B to know the fact that Little Sparrow is his secret identity
• Solution 1: use a blind signature scheme.
• Problem of solution 1: B wants to know that the document to be signed is of the correct content.
50
Blind Signature Scheme: Secret ID establishment (2)
• Solution 2: To protect the blind signer B, and C as well.
• C generates 10 different secret IDs, and for each one makes the message “The government agrees to pay XXX 1 million dollars” where XXX is the secret ID.
• C blinds every message with a different blinding factor, and sends them to B for blind signatures
• B randomly chooses 9 messages, and asks C to supply the blinding factors.
• C gives the 9 blinding factors.
• B retrieves the plain text of the 9 messages by the 9 blinding factors received from C. If all 9 messages are normal requests of the correct format, then B can believe (with high probability) that the remaining unopened message is a normal request
• B blindly signs the unopened message, and sends it to C.
• Key idea: C does not know B’s choices!!
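
The RSA blind signature and the 10-message procedure above, as an added example that is not part of the original slides. The `blind`, `sign` and `unblind` steps are also the multiply by r^e, exponentiate, multiply by r^-1 steps of the timing-attack blinding slide. The key (two Mersenne primes, e = 65537), the text encoding and all function names are constructed for illustration, and the code needs Python 3.8+ for `pow(x, -1, n)`.

```python
import secrets
from math import gcd

# Constructed toy key for the signer B: two Mersenne primes, chosen only so the
# example runs offline. Real keys use random primes and padded messages.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # B's private exponent

PREFIX, SUFFIX = "The government agrees to pay ", " 1 million dollars"

def encode(text):
    x = int.from_bytes(text.encode(), "big")
    if x >= N:
        raise ValueError("message must have value < n")
    return x

def decode(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big").decode(errors="replace")

def blinding_factor():
    while True:                             # R must be invertible mod n
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def blind(x, r):                            # C: Y = X * R^e mod n
    return x * pow(r, E, N) % N

def sign(y):                                # B: Z = Y^d mod n
    return pow(y, D, N)

def unblind(z, r):                          # C: Z * R^-1 mod n = X^d mod n
    return z * pow(r, -1, N) % N

def open_blinded(y, r):                     # B, once C reveals R: X = Y * (R^e)^-1
    return y * pow(pow(r, E, N), -1, N) % N

def verify(x, s):                           # anyone: s^e mod n == X ?
    return pow(s, E, N) == x

def cut_and_choose(texts):
    """Return (index, X, signature) for the unopened message, or None if B refuses."""
    xs = [encode(t) for t in texts]                  # C prepares the messages
    rs = [blinding_factor() for _ in xs]             # one blinding factor each
    ys = [blind(x, r) for x, r in zip(xs, rs)]       # C -> B: blinded messages
    keep = secrets.randbelow(len(ys))                # B's choice, unknown to C
    for i, y in enumerate(ys):
        if i == keep:
            continue
        opened = decode(open_blinded(y, rs[i]))      # C reveals rs[i] on request
        if not (opened.startswith(PREFIX) and opened.endswith(SUFFIX)):
            return None                              # wrong format: B refuses
    z = sign(ys[keep])                               # B signs without seeing X
    return keep, xs[keep], unblind(z, rs[keep])      # C removes the blinding
```

A customer who hides one malformed message among ten gets it signed only if B happens to leave exactly that one unopened, which is the point of B keeping its choice secret.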
51
El Gamal Signature Scheme
• Key generation:
  – Generate a prime p, a random number g (often known as ‘generator’), and a random number x
  – Private key is x
  – Compute y = g^x mod p, the public key is (y,g,p)
• To sign a message m:
  – Choose a random number k such that gcd(k, p-1) = 1
  – Compute a = g^k mod p
  – Find k^-1 mod (p-1), and compute b = (m - x*a) k^-1 mod (p-1). This means find b such that m = x*a + k*b (mod p-1)
  – The signer keeps k secret
  – The signature is (a,b)
  – Note: the signature size is double the message size
52
El Gamal Signature Scheme (2)
• To sign a message m:
  – Choose a random number k such that gcd(k, p-1) = 1
  – Compute a = g^k mod p
  – Find k^-1 mod (p-1), and compute b = (m - x*a) k^-1 mod (p-1). The signature is (a,b)
• To verify a signature (a,b):
  – Check whether y^a * a^b = g^m (mod p). Iff yes, the signature is correct.
• The El Gamal Encryption scheme is different from the El Gamal signature scheme
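
The signing and verification steps above as an added example (not part of the original slides). The parameters are constructed: p is the Mersenne prime 2^521 - 1, g = 3 is an arbitrary base that has not been checked to be a generator, and m is taken to be a SHA-256 digest, which is an assumption since the slides sign the integer m directly. The range check in `verify` is also an addition to the slide's single equation.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (assumptions, see the lead-in)
P = 2**521 - 1
G = 3


def keygen():
    x = secrets.randbelow(P - 3) + 2        # private key x
    return x, pow(G, x, P)                  # (x, y) with y = g^x mod p


def digest(message: bytes) -> int:
    # 256-bit integer, always smaller than p-1 for this p
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(x, m):
    while True:                             # fresh secret k for every signature
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:              # k must be invertible mod p-1
            break
    a = pow(G, k, P)                                   # a = g^k mod p
    b = (m - x * a) * pow(k, -1, P - 1) % (P - 1)      # b = (m - x*a) k^-1 mod (p-1)
    return a, b


def verify(y, m, signature):
    a, b = signature
    if not (0 < a < P and 0 <= b < P - 1):  # reject out-of-range values first
        return False
    # y^a * a^b = g^(x*a + k*b) = g^m (mod p)
    return pow(y, a, P) * pow(a, b, P) % P == pow(G, m, P)
```

The check works because x*a + k*b = m (mod p-1) and g^(p-1) = 1 (mod p) by Fermat's theorem from the earlier slide.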
53
DSA (Digital Signature Algorithm)
• Designed by NIST and NSA, and is the US federal standard signature scheme (used with SHA hash alg.)
• Based on a variant of the El Gamal and Schnorr algorithms
• Has to work together with a hash function (designed to be SHA)
• A ‘signature only’ algorithm, cannot be used as an encryption engine.
• The DSA routine can be used to perform RSA and El Gamal encryption! (Most likely not intended by the designer)
54
Elliptic Curve Cryptography (simplified illustration)
• Elliptic Curve (E.C.):
  – y^2 + axy + by = x^3 + cx^2 + dx + e
• Consider an E.C. over a finite field (e.g. “mod p” where p is prime)
• Consider operations of points on an E.C. + O (a point of “infinity”)
• Two points P(x,y) & Q(x,y) can be added together: R = P + Q
• P + O = P
• P(x,y), then -P = (x, -y)
• For “mod p” finite field, R(x_3,y_3) = P(x_1,y_1) + Q(x_2,y_2) is given by
  – x_3 = L^2 - x_1 - x_2 (mod p)
  – y_3 = L(x_1 - x_3) - y_1 (mod p)
  – where L = (y_2 - y_1)/(x_2 - x_1) (mod p) if P != Q,
  – or L = (3(x_1)^2 + a)/(2 y_1) (mod p) if P == Q.
• Scalar Multiplication
  – Repeated addition of the same point
  – 4P = P + P + P + P
55
Elliptic Curve Cryptography
• ECDLP
  – Elliptic Curve DL
    • Given P and G, and for some n: P = nG. n is called the elliptic curve discrete logarithm of P.
  – Known P, G and P = nG, to find n is difficult.
• ECC
  – A public-key cryptosystem based on the structure of the group of points of an elliptic curve
  – Suppose that the base point G on E has prime order r,
    • The private key s is an integer modulo r.
    • The corresponding public key W is a point on E defined by W = sG
• Advantages
  – More complex math structure, so that the key is much shorter than other public key cryptosystems’ such as RSA to achieve the same security level.