Introduction to Cryptography - PowerPoint PPT Presentation

Slides: 53
Provided by: VLSI4

Transcript and Presenter's Notes

1
Introduction to Cryptography
  • Elliptic Curves and Cryptography
  • (Elliptic Curve Cryptography - ECC)

2
Ge???? ?a?a?t???st???t?? ???pt???af?a?
???e?pt???? ?aµp????
  • ? ???pt???af?a ???e?pt???? ?aµp???? (ECC)
    st????eta? st? ?t? de? ?p???e? ???st??
    ?p?-e??et???? a??????µ?? p?? ?a ???e? t? p??ß??µa
    t?? d?a???t?? ???a???µ?? se µ?a ?at?????a
    ep??e?µ??? e??e?pt??? ?aµp??? (ECDLP)
  • Ta pa???s??s??µe
  • ?pa?????? ?as???? e?????? ?epe?asµ???? S?µ?t??
    (Finite Fields)
  • ??? ???sµ? t?? ???e?pt???? ?aµp????
  • ???t?????a ???pt???af?a? ???e?pt???? ?aµp????
  • ?a?ade??µata p??? st?? e??e?pt???? ?aµp??e?

3
Algebraic group
  • A group is an algebraic system consisting of a set G and an operation ∗ such that for all elements a, b and c in G the following conditions are satisfied
  • Closure: a ∗ b must belong to G
  • Associativity: a ∗ (b ∗ c) = (a ∗ b) ∗ c
  • Identity element: a ∗ e = e ∗ a = a
  • Inverse element: a ∗ a' = a' ∗ a = e
  • Commutativity: a ∗ b = b ∗ a (Abelian group)
  • Examples
  • Addition <R, +>: e = 0, a' = −a
  • Multiplication <R − {0}, ·>: e = 1, a' = a⁻¹

4
Finite Fields
  • A finite field is an algebraic system consisting of a finite set F together with two binary operations + and ·, defined on F, which satisfies the following axioms
  • F is an abelian group under the operation +
  • F − {0} is an abelian group under the operation ·
  • Distributive law
  • A finite field with q elements exists if and only if q is a power of a prime, and for every such q there is exactly one finite field (up to isomorphism).
  • The finite field with q elements is written Fq or GF(q)
  • We deal with the two types of finite fields Fq that are used in cryptography
  • Fp, p an odd prime: prime finite fields
  • F2m for some m ≥ 1: binary finite fields (characteristic 2)
  • The latter are also called characteristic-2 finite fields.

5
Finite fields - Fp
  • Usual way of representing the elements of Fp:
  • the set of integers {0, 1, 2, ..., p−1} with
  • Addition: addition modulo p
  • Multiplication: multiplication modulo p
  • Also needed are
  • Subtraction: the additive inverse (negative element)
  • Division: the multiplicative inverse
  • of the field elements

6
Multiplication c = a·b in GF(11)
Find the x with $x^2 \equiv 5 \pmod{11}$
Solution: x1 = 4, x2 = 7
Find 8/2
Solution: 8/2 = 8·2⁻¹ = 8·6 = 4 (since 2·6 = 12 ≡ 1 mod 11)
Find 2/8
Solution: 2/8 = 2·8⁻¹ = 2·7 = 3 (since 8·7 = 56 ≡ 1 mod 11)
7
Finite fields - F2m
  • Characteristic 2, contains $2^m$ elements.
  • Usual way of representing the elements of F2m:
  • binary polynomial of degree ≤ m−1
  • The operations of addition and multiplication are defined on the polynomial representation modulo an irreducible polynomial f(x)
  • Also needed here are
  • Subtraction: the additive inverse (negative element)
  • Division: the multiplicative inverse
  • Standardised field sizes: m ∈ {113, 131, 163, 193, 233, 239, 283, 409, 571}

8
Finite Fields (Galois Fields) (I)
  • Every finite field has $p^n$ elements (GF($p^n$)), where p is a prime number (the most common case being p = 2).
  • In every field GF($2^n$) there is at least one polynomial f(x) with coefficients in GF(2) which has the following properties
  • It is irreducible
  • The smallest number k with the property that f(x) divides $x^k + 1$ is $k = 2^n − 1$.
  • Such an f(x) is called a primitive polynomial.

9
Finite Fields (Galois Fields) (II)
  • An element that is a root of a primitive polynomial is called a primitive element.
  • Example: in GF($2^4$) the polynomial $f(x) = x^4 + x + 1$ is primitive. So if a is the primitive element, then $a^4 = a + 1$
  • This relation determines all the elements of the field. Thus $a^5 = a \cdot a^4 = a^2 + a$, etc.
  • Based on the above, all elements of the field can be written in the form $c_0 + c_1 a + c_2 a^2 + c_3 a^3$, where the $c_i$, i = 0,1,2,3, are either 0 or 1.
  • This representation is called the polynomial representation. The 4-tuple $(c_0 c_1 c_2 c_3)$ constitutes the vector representation of the field element.

10
Elliptic Curves
  • Elliptic curves are in general defined over fields F.
  • For cryptography we consider elliptic curves defined over finite (Galois) fields (Fq or GF(q)), i.e., the operations are performed mod q
  • The form of the equation that defines an elliptic curve over Fq depends on whether the field is a prime finite field or a characteristic-2 finite field.

11
Elliptic curves over a field F
  • General definition: an elliptic curve over a field F is a smooth curve in the so-called Weierstrass form
  • By E(F) we denote the set of points (x, y) ∈ F² that satisfy the equation of E together with a point at infinity which we denote by O.
  • In cryptography we consider only finite fields, and mainly Fp and F2m

12
Elliptic curves over Fp
  • Let the general form be
  • We work with Fp, p > 3, and make the following changes of variables

  • and
  • If we substitute Y into the left-hand side of the Weierstrass equation it becomes
  • i.e., the XY term and the Y term are eliminated, so their coefficients must equal zero. Thus the left-hand side becomes only

13
Elliptic curves over Fp
  • If we also substitute X into the right-hand side we get
  • Setting
    and
    the right-hand side
  • becomes
  • So the new equation becomes
  • For this equation to be smooth we consider the partial derivatives of the equation, which are
  • These vanish if and only if
  • In other words, the curve is singular exactly when the cubic has a multiple root at the point
  • In the case of
    this means that we must have

14
Elliptic curves over Fp
General form
$y^2 = x^3 + ax + b$, a, b ∈ Fp
Condition for distinct roots (smoothness)
$4a^3 + 27b^2 \not\equiv 0 \pmod p$
Example: $y^2 = x^3 - 4x = x(x-2)(x+2)$
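The change of variables that slides 12 and 13 describe, carried out explicitly. This is an added derivation, not part of the original slides (whose formulas did not survive extraction); it assumes the standard general Weierstrass form with coefficients $a_1, \dots, a_6$ and a field in which 2 and 3 are invertible, which is exactly why the slides restrict to $p > 3$.

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

Substituting $y = Y - \tfrac{1}{2}(a_1 x + a_3)$ removes the $xy$ and $y$ terms, because $\bigl(Y - \tfrac{1}{2}(a_1 x + a_3)\bigr)^2 + (a_1 x + a_3)\bigl(Y - \tfrac{1}{2}(a_1 x + a_3)\bigr) = Y^2 - \tfrac{1}{4}(a_1 x + a_3)^2$. Moving the square to the right-hand side gives

$$Y^2 = x^3 + b_2 x^2 + b_4 x + b_6, \qquad b_2 = a_2 + \tfrac{a_1^2}{4},\; b_4 = a_4 + \tfrac{a_1 a_3}{2},\; b_6 = a_6 + \tfrac{a_3^2}{4}.$$

Substituting $x = X - \tfrac{b_2}{3}$ removes the $X^2$ term:

$$Y^2 = X^3 + aX + b, \qquad a = b_4 - \tfrac{b_2^2}{3},\; b = b_6 - \tfrac{b_2 b_4}{3} + \tfrac{2 b_2^3}{27}.$$

Smoothness: with $F(X,Y) = Y^2 - X^3 - aX - b$ the partial derivatives are $\partial F/\partial Y = 2Y$ and $\partial F/\partial X = -(3X^2 + a)$. A singular point needs both to vanish together with $F = 0$, i.e. $Y = 0$ and $X$ a common root of $X^3 + aX + b$ and of its derivative $3X^2 + a$, that is, a multiple root of the cubic. The cubic has a multiple root exactly when its discriminant $-(4a^3 + 27b^2)$ is zero, so the curve is smooth if and only if $4a^3 + 27b^2 \neq 0$, the condition stated on slide 14.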
15
Identity and inverse element
Inverse element P' of P(x,y): P' = (x,−y). Equivalently P'(x,−y) = −P(x,y), the reflection of P in the x-axis
Addition of a point with its inverse: P + P' = O
O (or ∞) is the identity element, the point at infinity O(x,∞)
Identity element: P + O = P
16
Points P(x,y) on an elliptic curve
All points P(x,y) lie on the curve
Geometric point addition
R = P + Q
17
Point doubling: adding a point to itself
R = P + P
Point doubling: draw the tangent at the point P(x,y)
R is also written as P² or as 2P
18
Point multiplication (adding a point to itself k−1 times): scalar multiplication
Repeated point addition
$P^k = P + P + \dots + P$
Also written as kP
19
Mathematical description of the geometric operation (P + Q) over Fp
[Figure: the line g through P(xP, yP) and Q(xQ, yQ) meets the curve a third time at R' = (xR, −yR); its reflection in the x-axis is R = (xR, yR) = P + Q.]
Intersection of the line with the curve: $(sx + y_0)^2 = x^3 + ax + b$
Coordinates of the point R
20
Mathematical description of the geometric operation (P + P) over Fp: point doubling
[Figure: the tangent g to the curve at P(xP, yP) meets the curve again at R' = (xR, −yR); its reflection in the x-axis is R = (xR, yR) = 2P.]
Intersection of the tangent with the curve: $(sx + y_0)^2 = x^3 + ax + b$
21
Finding the number of points on an elliptic curve over Fp (point counting)
  • Method: for every x in Fp we check whether a corresponding y exists on the curve, i.e., we check whether $f(x) = x^3 + ax + b$ is a quadratic residue in Fp
  • We check this with the Legendre symbol (a/p), with a = f(x):
  • = 0 if p | a
  • = 1 if a is a quadratic residue (QR)
  • = −1 if a is not a quadratic residue
  • The value of the Legendre symbol is computed easily from the relation (Euler's criterion) $(a/p) \equiv a^{(p-1)/2} \pmod p$
  • If f(x) is a QR then there are two points (x, y) and (x, −y), with $y = \pm a^{(p+1)/4} \bmod p$ (this square-root formula is valid only when p ≡ 3 (mod 4), which holds for the p = 11 example that follows)
  • If f(x) is not a QR then there are no points with this x
  • If f(x) ≡ 0 (mod p) then there is only one point, (x, 0)
  • The total number of points, including O, is therefore equal to $1 + \sum_{x \in F_q} \bigl(1 + (f(x)/q)\bigr) = q + 1 + \sum_{x \in F_q} (f(x)/q)$ (with q = p)

22
Example 1 of an elliptic curve over F11
  • Example ECC: $y^2 = x^3 + x + 6$ over Z11
  • Point counting
  • For x = 0, 1, ..., 10, compute $z = x^3 + x + 6 \bmod 11$.
  • Check whether z is a quadratic residue: $z^{(p-1)/2} \bmod p = z^5 \bmod p$.
  • If it is, compute the 2 solutions $y = \pm z^{(p+1)/4} \bmod p = \pm z^3 \bmod p$.
  • The points: (2,4), (2,7), (3,5), (3,6), (5,2), (5,9), (7,2), (7,9), (8,3), (8,8), (10,2), (10,9), O.

23
Finding all the points (2)
$y^2 = x^3 + x + 6 \pmod{11}$


n = 13 points together with O. n is called the order of the elliptic-curve group and depends on the choice of the curve parameters a and b.
24
Point multiplication on an elliptic curve - Example
  • Multiplication of the point P(2,4) on the curve
  • $y^2 = x^3 + x + 6 \pmod{11}$
  • Computation of P² = P + P by doubling the point P (all operations are performed in GF(11))

P² = (5,9)
25
Point multiplication on an elliptic curve - Example
  • Computation of P³ = P + P + P = P² + P by adding the points P(2,4) and

P² = (5,9)
P³ = (8,8)
26
Example 2 of an elliptic curve over Fp
  • Example EC: E: $y^2 = x^3 + x + 1$ over Z23
  • Then #E(F23) = 28; the set of points E(F23) of E is cyclic and one of its generators is the point G(0,1).
  • The points of E(F23) expressed as multiples of G are

27
Elliptic curves over F2m
  • Let the general form be
  • We work with F2m, and make the following changes of variables, considering only curves with

  • and
  • so that the general form of the so-called nonsupersingular elliptic curves results

28
Elliptic curves over F2m
  • General form, with a, b ∈ F2m, b ≠ 0: $y^2 + xy = x^3 + ax^2 + b$
  • Identity element: P + O = P
  • Inverse element P' of P(x, y): P' = (x, x + y)
  • P + P' = O, the identity element O(x,∞) at infinity
  • Point addition in F2m
  • Point doubling R = P + P
29
Example 1 of an elliptic curve over F2m
  • Let the elliptic curve be E: $y^2 + xy = x^3 + x^2 + 1$ over $F_{2^3}$
  • $F_{2^3}$ is constructed using the irreducible primitive polynomial $f(x) = x^3 + x + 1$ and its root a.
  • Then #E($F_{2^3}$) = 14 and the set E($F_{2^3}$) of points of E is cyclic.
  • A generator of E($F_{2^3}$) is G = (a, a⁵)
  • The points of E expressed as multiples of G are the following

30
Example 2 of an elliptic curve over F2m
  • Let the elliptic curve be E: $y^2 + xy = x^3 + ax^2 + b$ over $F_{2^4}$
  • $F_{2^4}$ is constructed using the irreducible primitive
  • polynomial $f(x) = x^4 + x + 1$
  • the element g = (0010) is a generator of $F_{2^4}$
  • the elements of $F_{2^4}$ as powers of g are
  • g⁰ = (0001), g¹ = (0010), g² = (0100), g³ = (1000), g⁴ = (0011), g⁵ = (0110)
  • g⁶ = (1100), g⁷ = (1011), g⁸ = (0101), g⁹ = (1010), g¹⁰ = (0111), g¹¹ = (1110)
  • g¹² = (1111), g¹³ = (1101), g¹⁴ = (1001), g¹⁵ = (0001)
  • Let a = g⁴ and b = g⁰ = 1
  • The point (g⁵, g³) satisfies the equation over $F_{2^4}$. Indeed
  • $y^2 + xy = x^3 + g^4 x^2 + 1 \Rightarrow (g^3)^2 + g^5 g^3 = (g^5)^3 + g^4 g^{10} + 1 \Rightarrow g^6 + g^8 = g^{15} + g^{14} + 1 \Rightarrow$ (1100) + (0101) = (0001) + (1001) + (0001)
  • So (1001) = (1001)
  • Then #E($F_{2^4}$) = 16 and the points are the following
  • (1, g¹³), (g³, g¹³), (g⁵, g¹¹), (g⁶, g¹⁴), (g⁹, g¹³), (g¹⁰, g⁸), (g¹², g¹²), (1, g⁶), (g³, g⁸), (g⁵, g³), (g⁶, g⁸), (g⁹, g¹⁰), (g¹⁰, g), (g¹², 0), (0, 1), O
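The binary-field arithmetic behind slides 7 to 9 and the two examples above, as an added illustration written for this page (not code from the original slides). Elements of $F_{2^m}$ are held as m-bit integers in polynomial representation, multiplication reduces modulo the chosen polynomial, and primitivity of f(x) is tested by checking that its root t has multiplicative order $2^m - 1$. The curve functions reproduce the check that (g⁵, g³) lies on this slide's curve and the counts of 16 points here and 14 points on slide 29. The function names and the bit-encoding of polynomials are this example's own conventions.

```python
# Arithmetic in F_{2^m} in polynomial representation, and brute-force point
# counting on a nonsupersingular binary curve y^2 + xy = x^3 + a x^2 + b.
# Added example for this page, not code from the original slides. Conventions
# chosen here: a field element is an m-bit int whose bit i is the coefficient of
# t^i, and the reduction polynomial f is an (m+1)-bit int (0b10011 = t^4 + t + 1).

def gf2m_mul(x, y, m, f):
    """Carry-less multiplication of x and y reduced modulo f (shift-and-add)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if (x >> m) & 1:      # degree reached m: subtract (xor) f
            x ^= f
    return r

def power_table(m, f):
    """Powers 1, t, t^2, ... of the root t of f, stopping when t^k returns to 1.
    Its length is the multiplicative order of t (at most 2^m - 1)."""
    t, table, cur = 0b10, [1], 0b10
    while cur != 1:
        table.append(cur)
        cur = gf2m_mul(cur, t, m, f)
        if len(table) > 2**m:
            raise ValueError("t is not invertible modulo f (f has zero constant term)")
    return table

def is_primitive(m, f):
    """f is primitive iff t has order 2^m - 1, i.e. its powers run through all
    nonzero elements; that also forces f to be irreducible."""
    return len(power_table(m, f)) == 2**m - 1

def on_curve_binary(P, a, b, m, f):
    """Does P = (x, y) satisfy y^2 + xy = x^3 + a x^2 + b in F_{2^m}? (+ is xor)"""
    x, y = P
    mul = lambda u, v: gf2m_mul(u, v, m, f)
    x2 = mul(x, x)
    return mul(y, y) ^ mul(x, y) == mul(x2, x) ^ mul(a, x2) ^ b

def count_points_binary(a, b, m, f):
    """Number of points including O, by testing every (x, y) in F_{2^m}^2."""
    return 1 + sum(on_curve_binary((x, y), a, b, m, f)
                   for x in range(2**m) for y in range(2**m))
```

With f = 0b10011 the table returned by power_table(4, f) is exactly the list of powers on this slide (entry 4 is 0011, entry 13 is 1101), and count_points_binary(table[4], 1, 4, f) returns 16. The irreducible polynomial $x^4 + x^3 + x^2 + x + 1$ (0b11111) is a useful counter-example: t has order 5 there, so is_primitive reports False even though the polynomial is irreducible.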

31
ECDLP: Elliptic Curve Discrete Logarithm Problem
Let the elliptic curve be $y^2 = x^3 + x + 6 \pmod{11}$ and a point P(2,4); then we can compute Q = Pᵏ by means of k−1 repeated point additions. Considerably faster algorithms exist (double-and-add).
Question: how is k computed when the point Q is known? Answer: this is a hard problem, known as the Elliptic Curve Discrete Logarithm Problem. The Pollard-ρ algorithm requires about $\sqrt{\pi n}/2$ elliptic-curve additions.
32
Elliptic Curve Cryptography (ECC)
  • Like many conventional cryptosystems, ECC relies on the intractability of computing discrete logarithms, here in the group of points of an elliptic curve over a finite field.
  • DEFINITION: If E is an elliptic curve over Fq and B is a point of E, then the discrete logarithm problem on E (to the base B) is the problem, given a point P ∈ E, of finding an integer x ∈ Z such that xB = P, if such an integer exists.
  • The intractability of the problem does not hold for some curves, such as the so-called supersingular elliptic curves, except under certain conditions.
  • Many conventional cryptosystems have their analogues based on elliptic curves.

33
Parameters of Elliptic Curve Cryptography
  • They are described by a 7-tuple T = (q, FR, a, b, G, n, h)
  • q (q = p or q = 2ᵐ)
  • FR: an indication of the method used to represent the elements of the field Fq (e.g., polynomial basis, normal basis, etc.)
  • a, b ∈ Fq define the equation of the elliptic curve E over Fq
  • G = (xG, yG) a base point with largest order n (nG = O)
  • n: a large prime which is the order of G. The number of elements #E(Fq) is divisible by n
  • h: a small integer which is the cofactor #E(Fq) / n

34
Conditions on the parameters for the security of Elliptic Curve Cryptography
  • To avoid some attacks the parameters must satisfy certain conditions
  • #E(Fq) must have a sufficiently large prime factor n, to resist the parallel Pollard-ρ attack.
  • #E(Fq) ≠ q, to resist the attacks of Semaev, Smart and Satoh-Araki on anomalous curves.
  • n must not divide $q^k - 1$ for 1 ≤ k ≤ 30, to resist the MOV attack.
  • In the case of F2m, m must be prime, to resist certain attacks on elliptic curves over F2m when m is composite.

35
Key pair generation
  • All public-key cryptographic schemes use key pairs, here known as elliptic curve key pairs.
  • A key pair (d, Q) of an elliptic curve associated with the tuple T contains
  • a private key d of the elliptic curve E, which is a random integer in the interval [1, n−1], and
  • a public key Q = (xQ, yQ) of the elliptic curve, which is computed as the point Q = dG

36
Validation of the public key by its recipient
  • 1. Check that Q ≠ O.
  • 2. Check that the coordinates of the point Q satisfy xQ, yQ ∈ Fq.
  • 3. Check that Q lies on the elliptic curve.
  • 4. Check that nQ = O (nQ = ndG = dnG = dO = O, since the order of G is n).
  • Validation without step 4 is called partial validation, because it is then subject to attack (a point of small order in a subgroup outside <G> passes steps 1 to 3). However, careful choice of the parameter h reduces the risk.

37
Elliptic Curve Architecture
  • Key agreement schemes
  • ECDH (Elliptic Curve Diffie-Hellman)
  • Elliptic Curve Cofactor Diffie-Hellman
  • Encryption schemes
  • ECAES (Elliptic Curve Authenticated Encryption Scheme)
  • EC-ElGamal
  • Signature schemes
  • ECDSA (Elliptic Curve Digital Signature Algorithm)

38
Key agreement schemes
  • Elliptic Curve Diffie-Hellman (ECDH)
  • Elliptic Curve Cofactor Diffie-Hellman
  • Basic idea: the derivation of a shared secret value from a private key held by an entity A and a public key held by an entity B, such that if both entities execute the scheme with their respective keys as input, they produce the same shared secret value
  • Essential difference
  • Elliptic Curve Diffie-Hellman follows the Diffie-Hellman key agreement method.
  • Elliptic Curve Cofactor Diffie-Hellman incorporates the cofactor h in the computation of the shared secret value, providing more effective resistance to attacks (in particular small-subgroup attacks with invalid public keys).

39
Elliptic Curve Diffie-Hellman (ECDH)
  • A and B use public-key cryptography based on a common elliptic curve T = (q, FR, a, b, G, n, h) to establish a shared secret key Z.
  • (dA, QA) and (dB, QB) are their respective key pairs, private and public.
  • The public keys QA and QB must be at least partially validated.
  • A and B must each execute the following procedure to compute the shared secret value Z.
  • Procedure of A
  • 1. Compute the curve point P = (xP, yP) = dA·QB.
  • 2. Check whether P = O. If P = O, output an error.
  • 3. Output Z = xP as the shared secret field element.
  • Procedure of B
  • 1. Compute the curve point P' = dB·QA.
  • But P' = dB·QA = dB·dA·G = dA·dB·G = dA·QB = P = (xP, yP).
  • 2. Check whether P' = O. If P' = O, output an error.
  • 3. Output Z = xP as the shared secret field element.
  • If step 1 is computed as P = (xP, yP) = h·dA·QB, the scheme is called Elliptic Curve Cofactor Diffie-Hellman.

40
Public-key encryption schemes: EC-AES /1
  • EC-AES is a variant of the ElGamal public-key encryption scheme, proposed by Abdalla, Bellare and Rogaway.
  • The sender A wants to send the message m encrypted to B.
  • The recipient B has parameters T = (q, FR, a, b, G, n, h), private key dB and public key QB.
  • The sender A has authentic copies of T and QB.
  • Let MAC (e.g., HMAC-SHA-1; a bare hash such as SHA-1 is not a MAC) be an algorithm for message authenticity (Message Authentication Code), ENC (e.g., AES-128) a symmetric encryption scheme, and KDF a key derivation function implemented using a hash function.

41
EC-AES /2
  • To encrypt a message m, A performs the following
  • Select a random integer r in the interval [1, n−1]
  • Compute R = rG
  • Compute K = h·r·QB = (Kx, Ky). Check that K ≠ O
  • Compute k1 || k2 = KDF(Kx)
  • Compute c = ENC_k1(m)
  • Compute t = MAC_k2(c)
  • Send the ciphertext (R, c, t) to B.
  • To decrypt the ciphertext, B performs the following
  • Perform partial public-key validation on R
  • Compute K = h·dB·R = h·dB·r·G = h·r·QB = (Kx, Ky). Check that K ≠ O
  • Compute k1 || k2 = KDF(Kx)
  • Verify that t = MAC_k2(c); reject the ciphertext if it does not match, before any decryption
  • Compute m = ENC_k1⁻¹(c)

42
Public-key encryption schemes: EC-ElGamal /1
  • Key generation: entity B selects a random integer dB from the interval [1, n−1] as private key and publishes QB = dB·G
  • Encryption of the message m by A
  • Represent the message m as a point M ∈ E(Fq)
  • Select a random integer r in the interval [1, n−1] and compute C1 = rG
  • Compute C2 = rQB + M
  • (C1, C2) is the ciphertext for B
  • Decryption
  • M = C2 − dB·C1, since C2 − dB·C1 = rQB + M − dB·rG = r·dB·G + M − dB·rG = M
  • Recover m from M
  • Note: this scheme uses Q = rG to map elements of Zn\{0} to elements of E(Fq). We also need a mapping I: {0,1}ᵐ → E(Fq), as well as its inverse.

43
Example EC-ElGamal /2
  • Curve: $y^2 = x^3 + x + 6 \pmod{11}$
  • Parameters
  • G = (2,7), dB = 7, QB = dB·G = 7·(2,7) = (7,2).
  • Message M = (10,9) (a point of the curve E)
  • Choose random r = 3: C1 = rG = 3·(2,7) = (8,3).
  • C2 = r·QB + M
  • = 3·(7,2) + (10,9) = (3,5) + (10,9)
  • = (10,2)
  • Ciphertext: ((8,3), (10,2))
  • Decryption
  • C2 − dB·C1 = (10,2) − 7·(8,3)
  • = (10,2) − (3,5)
  • = (10,2) + (3,6)
  • = (10,9).

44
EC-ElGamal in practice (size of the real numbers)
  • Field Fp with
  • p = 785963102379428822376694789446897396207498568951
  • Elliptic curve
  • $y^2 = x^3 + 317689081251325503476317476413827693272746955927\,x + 79052896607878758718120572025718535432100651934$
  • Number of points
  • #E = 785963102379428822376693024881714957612686157429
  • Generator
  • B = (771507216262649826170648268565579889907769254176,
  • 390157510246556628525279459266514995562533196655)

45
Signature schemes /1 (Overview)
  • They are designed to be used by two entities, a signer A and a verifier B, when A wants to send a message m in an authentic way and B wants to confirm the authenticity of m.
  • It is hard for an attacker who does not know A's secret key to forge validly signed messages, so the schemes provide data integrity, data origin authentication and non-repudiation.
  • ECDSA is the only signature scheme that is currently supported.
  • Components: a signing operation, a verification operation, and setup and key deployment procedures.

46
Signature schemes /2 (Overview)
  • First, A and B must use the setup procedure to establish the options with which they will use the scheme
  • A must apply the key pair generation procedure to select a key pair and B must obtain A's public key. A will use the key pair to perform the signing operation and B will use the public key to perform the verification operation.
  • Each time A wants to send a message M, she must apply the signing operation to M with her key pair to obtain the signature S on M, form a signed message, and send it to B.
  • When B receives the signed message, he must apply the signature verification operation with A's public key to confirm its authenticity. If it succeeds, B has established that the message is indeed authentic.
  • There are two kinds of signature scheme
  • A must send both m and S to B (digital signature with appendix)
  • A must send only S to B (digital signature with message recovery)

47
ECDSA /3
  • Setup procedure
  • A must select which hash function (SHA-1 on these slides; SHA-1 is no longer acceptable and SHA-256 or stronger is used today) and which parameters T to use
  • B must obtain in an authentic way the hash function and the parameters T that A selected
  • Key pair generation
  • A must select a key pair (dA, QA) associated with T
  • B must obtain in an authentic way the public key QA that A selected

48
ECDSA /4
  • Signing
  • Input: the message M to be signed
  • Output: a signature S = (r,s) on M, where r, s are integers
  • Operation: A performs the following
  • 1. Select a random integer k in the interval [1, n−1]
  • 2. Compute kG = (x1, y1) and r = x1 mod n. If r = 0 go to step 1
  • 3. Compute k⁻¹ mod n
  • 4. Compute e = SHA-1(M)
  • 5. Compute s = k⁻¹(e + dA·r) mod n. If s = 0, go to step 1
  • 6. A's signature on the message is (r, s)

49
ECDSA /5
  • Verification
  • Input: the message M and A's signature S = (r,s)
  • Output: an indication of whether the signature is accepted
  • Operation: B performs the following
  • 1. Confirm that r and s are integers in the interval [1, n−1]
  • 2. Compute e = SHA-1(M)
  • 3. Compute w = s⁻¹ mod n
  • 4. Compute u1 = ew mod n and u2 = rw mod n
  • 5. Compute u1·G + u2·QA = (x1, y1) (if the result is O, reject the signature)
  • 6. Compute v = x1 mod n
  • 7. Accept the signature if and only if v = r

50
ECDSA /6
  • Proof of correctness
  • u1·G + u2·QA = u1·G + u2·dA·G = (u1 + u2·dA)·G.
  • If (u1 + u2·dA) ≡ k (mod n) then the scheme is correct, because n is the order of G.
  • From s = k⁻¹(e + dA·r) we have e ≡ ks − dA·r (mod n), so
  • u1 + u2·dA ≡ ew + dA·r·w ≡ e·s⁻¹ + dA·r·w ≡ (ks − dA·r)·w + dA·r·w ≡ k (mod n)
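Worked code for the prime-field material on this deck, from the point arithmetic and point counting of slides 21 to 25 through public-key validation (slide 36), ECDH (slide 39), EC-ElGamal (slides 42 and 43) and ECDSA signing and verification (slides 48 to 50). This is an added example written for this page, not code from the original slides; it uses the slides' toy curve $y^2 = x^3 + x + 6$ over F11 with base point G = (2,7) of order n = 13 and reproduces the numbers on slides 22, 24, 25 and 43. Assumptions: the digest e is supplied as an integer already reduced mod n rather than computed with SHA-1, and the random scalars r and k are passed in so the results are reproducible (a real implementation draws them from a CSPRNG every time). The last function is not on the slides: it shows why step 1 of signing insists on a fresh random k, since two signatures that share k hand over the private key with a few modular operations.

```python
# Elliptic-curve arithmetic over F_p and the schemes built on it, worked on the
# slides' toy curve y^2 = x^3 + x + 6 over F_11, whose group has prime order 13.
# Added example for this page, not code from the original slides. Assumptions:
# the digest e is passed in as an integer already reduced mod n (the slides use
# SHA-1), and the random scalars r and k are passed in explicitly so results are
# reproducible; a real implementation draws them from a CSPRNG every time.

p, a, b = 11, 1, 6      # field prime and curve coefficients
G, n = (2, 7), 13       # base point and its prime order (slide 43)
O = None                # the point at infinity

def legendre(z, q):
    """Euler's criterion: 1 if z is a nonzero square mod q, -1 if not, 0 if q | z."""
    z %= q
    return 0 if z == 0 else (1 if pow(z, (q - 1) // 2, q) == 1 else -1)

def curve_points(a_, b_, q):
    """Affine points of y^2 = x^3 + a_ x + b_ over F_q, found x by x (slide 21)."""
    assert q % 4 == 3, "z^((q+1)/4) is a square root only for q = 3 (mod 4)"
    pts = []
    for x in range(q):
        z = (x**3 + a_*x + b_) % q
        s = legendre(z, q)
        if s == 0:
            pts.append((x, 0))
        elif s == 1:
            y = pow(z, (q + 1) // 4, q)
            pts += [(x, y), (x, q - y)]
    return pts

def on_curve(P):
    return P is O or (P[1]**2 - P[0]**3 - a*P[0] - b) % p == 0

def add(P, Q):
    """Chord-and-tangent addition; O is the identity, (x, -y) the inverse of (x, y)."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                    # P + (-P) = O
    if P == Q:
        lam = (3*x1*x1 + a) * pow(2*y1, -1, p) % p  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p   # chord slope
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def mul(k, P):
    """kP by left-to-right double-and-add: O(log k) instead of k-1 additions."""
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == '1':
            R = add(R, P)
    return R

def validate_public_key(Q):
    """Slide 36: Q != O, coordinates in F_p, Q on the curve, and nQ = O."""
    return (Q is not O and 0 <= Q[0] < p and 0 <= Q[1] < p
            and on_curve(Q) and mul(n, Q) is O)

def ecdh_shared(d_own, Q_peer, h=1):
    """Slide 39: Z = x-coordinate of d_own*Q_peer (h*d_own*Q_peer in the cofactor variant)."""
    if not validate_public_key(Q_peer):
        raise ValueError("peer public key failed validation")
    S = mul(h * d_own, Q_peer)
    if S is O:
        raise ValueError("shared point is O")
    return S[0]

def elgamal_encrypt(M, Q_b, r):
    """Slide 42: C1 = rG, C2 = rQ_B + M, for a message already mapped to a point M."""
    return mul(r, G), add(mul(r, Q_b), M)

def elgamal_decrypt(C, d_b):
    C1, C2 = C
    D = mul(d_b, C1)
    return add(C2, (D[0], -D[1] % p))               # M = C2 - d_B*C1

def ecdsa_sign(e, d, k):
    """Slide 48 with digest e and nonce k given; raises when r or s is 0 (retry)."""
    R = mul(k, G)
    r = R[0] % n if R is not O else 0
    s = pow(k, -1, n) * (e + d*r) % n
    if r == 0 or s == 0:
        raise ValueError("r or s is 0: sign again with a fresh k")
    return r, s

def ecdsa_verify(e, sig, Q_a):
    """Slide 49; additionally rejects u1*G + u2*Q_A = O, which the slide omits."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    w = pow(s, -1, n)
    X = add(mul(e*w % n, G), mul(r*w % n, Q_a))
    return X is not O and X[0] % n == r

def recover_from_reused_nonce(sig1, e1, sig2, e2):
    """Why k must be fresh: two signatures with the same k share r, and then
    k = (e1 - e2)/(s1 - s2) and d = (s1*k - e1)/r (mod n) expose the private key."""
    (r, s1), (_, s2) = sig1, sig2
    k = (e1 - e2) * pow(s1 - s2, -1, n) % n
    d = (s1*k - e1) * pow(r, -1, n) % n
    return k, d
```

On this curve curve_points(1, 6, 11) returns the twelve affine points of slide 22, mul(2, (2,4)) and mul(3, (2,4)) give (5,9) and (8,8) as on slides 24 and 25, and elgamal_encrypt((10,9), (7,2), 3) gives the ciphertext ((8,3), (10,2)) of slide 43. Signing e = 5 and e = 10 with d = 7 and the same k = 3 yields (8,3) and (8,9); feeding both to recover_from_reused_nonce returns k = 3 and d = 7.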

51
The place of elliptic curves in cryptography
[Figure: architecture of a secure channel. Services: authentication, confidentiality, data integrity, non-repudiation. Mechanisms: encryption, challenge/response, MACs/MICs, smart cards, digital signatures. Symmetric-key cryptography: IVs, message digests, nonces, secret keys. Public-key cryptography. Primitives: block ciphers, stream ciphers, hash functions, pseudo-random and random numbers, DH/RSA, elliptic curves.]
IVs: initialization vector of a symmetric encryption algorithm
Nonce: random number, used in challenge-response protocols
MIC: algorithm for message integrity (Message Integrity Code), a synonym of MAC
52
Comparison of cryptographic strength
For the same level of security, ECC requires much smaller keys than RSA.