Practical Aspects of Modern Cryptography - PowerPoint PPT Presentation

About This Presentation

Title: Practical Aspects of Modern Cryptography

Description: Title: An Introduction to Cryptography. Author: Josh Benaloh. Last modified by: Fred Videon. Created Date: 1/7/1999 11:01:52 PM. Document presentation format: PowerPoint PPT presentation. Slides: 170.

Transcript and Presenter's Notes

Title: Practical Aspects of Modern Cryptography

1
Practical Aspects of Modern Cryptography
  • Josh Benaloh
  • Brian LaMacchia
  • John Manferdelli

2
Public-Key History
  • 1976 New Directions in Cryptography
  • Whit Diffie and Marty Hellman
  • One-Way functions
  • Diffie-Hellman Key Exchange
  • 1978 RSA paper
  • Ron Rivest, Adi Shamir, and Len Adleman
  • RSA Encryption System
  • RSA Digital Signature Mechanism

3
The Fundamental Equation
  • Z = Y^X mod N

4
Diffie-Hellman
  • Z = Y^X mod N
  • When X is unknown, the problem is known as the
    discrete logarithm and is generally believed to
    be hard to solve.

5
Diffie-Hellman Key Exchange
  • Alice
  • Randomly select a large integer a and send
    A = Y^a mod N.
  • Compute the key K = B^a mod N.
  • Bob
  • Randomly select a large integer b and send
    B = Y^b mod N.
  • Compute the key K = A^b mod N.

B^a = Y^(ba) = Y^(ab) = A^b
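The exchange on slide 5, as an added example that is not part of the original slides: the "fundamental equation" Z = Y^X mod N is computed by repeated squaring (the method slide 155 alludes to), and both sides of the exchange are run on top of it. The modulus N (the Mersenne prime 2^61 - 1) and base Y = 37 are constructed toy parameters; the rejection of the public values 1 and N - 1 is the check a practitioner adds and is not on the slide.

```python
import secrets


def mod_pow(base: int, exp: int, mod: int) -> int:
    """Return base**exp mod mod by repeated squaring.

    Walks the bits of exp from least to most significant: the running
    'base' is squared once per bit and multiplied into the result when
    the bit is set, so a 2048-bit exponent costs a few thousand
    multiplications instead of 2**2048.
    """
    if mod <= 0 or exp < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    result = 1
    base %= mod
    while exp:
        if exp & 1:                      # this bit of X is set: multiply in
            result = result * base % mod
        base = base * base % mod         # square for the next bit
        exp >>= 1
    return result % mod


# Constructed toy parameters (assumption): N is the Mersenne prime 2**61 - 1
# and Y a public base.  Correctness of the exchange holds for any Y; for
# security Y should generate a large prime-order subgroup and N be far larger.
N = 2 ** 61 - 1
Y = 37


def dh_keypair(n: int = N, y: int = Y) -> tuple:
    """Pick a secret exponent and return (secret, public value y**secret mod n)."""
    secret = secrets.randbelow(n - 3) + 2        # 2 <= secret <= n - 2
    return secret, mod_pow(y, secret, n)


def dh_shared(secret: int, other_public: int, n: int = N) -> int:
    """K = other_public**secret mod n, after rejecting the degenerate
    public values 0, 1 and n - 1 (orders 1 and 2 mod a prime n), which
    would pin the shared key to a handful of values."""
    if not 1 < other_public < n - 1:
        raise ValueError("degenerate public value")
    return mod_pow(other_public, secret, n)


def run_exchange(n: int = N, y: int = Y) -> bool:
    """Alice and Bob each publish one value; both derive the same key."""
    a, A = dh_keypair(n, y)       # Alice sends A = Y^a mod N
    b, B = dh_keypair(n, y)       # Bob sends B = Y^b mod N
    k_alice = dh_shared(a, B, n)  # B^a = Y^(ba)
    k_bob = dh_shared(b, A, n)    # A^b = Y^(ab)
    return k_alice == k_bob


if __name__ == "__main__":
    print("shared keys agree:", run_exchange())
```

An eavesdropper sees N, Y, A and B; recovering a from A = Y^a mod N is the discrete-logarithm problem of slide 4.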
6
One-Way Trap-Door Functions
  • Z = Y^X mod N
  • Recall that this equation is solvable for Y if
    the factorization of N is known, but is believed
    to be hard otherwise.

7
RSA Public-Key Cryptosystem
  • Alice
  • Select two large random primes P and Q.
  • Publish the product N = PQ.
  • Use knowledge of P and Q to compute Y.
  • Anyone
  • To send message Y to Alice, compute Z = Y^X mod N.
  • Send Z and X to Alice.

8
Some RSA Details
  • When N = PQ is the product of distinct primes,
    Y^X mod N = Y
    whenever X mod (P-1)(Q-1) = 1 and 0 ≤ Y < N.
  • Alice can easily select integers E and D such
    that ED mod (P-1)(Q-1) = 1.

9
Remaining RSA Basics
  • Why is Y^X mod PQ = Y whenever
    X mod (P-1)(Q-1) = 1, 0 ≤ Y < PQ,
    and P and Q are distinct primes?
  • How can Alice select integers E and D such
    that ED mod (P-1)(Q-1) = 1?

10
Fermat's Little Theorem
  • If p is prime,
    then x^(p-1) mod p = 1 for all 0 < x < p.
  • Equivalently: if p is prime,
    then x^p mod p = x mod p for all integers x.

11–14
Proof of Fermat's Little Theorem
  • The Binomial Theorem:
    (x + y)^p = x^p + C(p,1) x^(p-1) y + ... + C(p,p-1) x y^(p-1) + y^p
    where C(p,i) = p! / (i! (p-i)!).
  • If p is prime, then C(p,i) mod p = 0 for 0 < i < p,
    since the factor p in the numerator is not cancelled by i! (p-i)!.
  • Thus, (x + y)^p mod p = (x^p + y^p) mod p.

15–25
Proof of Fermat's Little Theorem
  • By induction on x.
  • Basis:
    If x = 0, then x^p mod p = 0 = x mod p.
    If x = 1, then x^p mod p = 1 = x mod p.
  • Inductive Step:
    Assume that x^p mod p = x mod p.
    Then (x + 1)^p mod p = (x^p + 1^p) mod p
                         = (x + 1) mod p.
  • Hence, x^p mod p = x mod p for integers x ≥ 0.
  • Also true for negative x, since (-x)^p = (-1)^p x^p
    (and (-1)^p ≡ -1 mod p for every prime p: for p = 2, -1 ≡ 1).

26–32
Proof of RSA
  • We have shown:
    Y^P mod P = Y whenever 0 ≤ Y < P
    and P is prime!
  • You will show:
    Y^(K(P-1)(Q-1)+1) mod PQ = Y when 0 ≤ Y < PQ,
    P and Q are distinct primes, and K ≥ 0.
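
The exercise the slide leaves to the reader, worked through here as an added derivation (not on the original slides) using the slides' own symbols:

```latex
\text{Let } X = K(P-1)(Q-1)+1 \text{ with } K \ge 0,\ P \ne Q \text{ prime},\ 0 \le Y < PQ.

\text{Modulo } P:\quad
\begin{cases}
P \mid Y: & Y^X \equiv 0 \equiv Y \pmod P,\\[2pt]
P \nmid Y: & Y^X = Y \cdot \bigl(Y^{P-1}\bigr)^{K(Q-1)} \equiv Y \cdot 1^{K(Q-1)} = Y \pmod P
\quad\text{by Fermat } (Y^{P-1} \equiv 1 \pmod P).
\end{cases}

\text{The same argument with } Q \text{ in place of } P \text{ gives } Y^X \equiv Y \pmod Q.

\text{Since } P \ne Q \text{ are distinct primes, } P \mid (Y^X - Y) \text{ and } Q \mid (Y^X - Y)
\text{ imply } PQ \mid (Y^X - Y),

\text{so } Y^X \bmod PQ = Y \bmod PQ = Y \quad\text{because } 0 \le Y < PQ.

\text{With } X = ED \text{ and } ED \bmod (P-1)(Q-1) = 1,\ \text{this is exactly } (Y^E)^D \bmod N = Y.
```

The case P | Y matters: Fermat's theorem alone says nothing about multiples of P, and the argument needs both residues to combine them modulo PQ.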

33–39
Finding Primes
  • Euclid's proof of the infinity of primes:
  • Suppose that the set of all primes were finite.
  • Let N be the product of all of the primes.
  • Consider N + 1.
  • The prime factors of N + 1 are not among the finite
    set of primes multiplied to form N (each of those
    leaves remainder 1 when dividing N + 1).
  • This contradicts the assumption that the set of
    all primes is finite.

40–42
The Prime Number Theorem
  • The number of primes less than N is approximately
    N / (ln N).
  • Thus, approximately 1 out of every n ln 2 ≈ 0.7n
    randomly selected n-bit integers will be prime
    (roughly 1 in n; about 1 in 0.35n among the odd ones).

43
Testing Primality
  • Recall Fermat's Little Theorem:
    If p is prime, then a^(p-1) mod p = 1 for all a in
    the range 0 < a < p.
  • So if a^(N-1) mod N ≠ 1 for some a, N is certainly composite.
    The converse is not reliable: Carmichael numbers (561 is the smallest)
    pass this test for every a coprime to N, which motivates the stronger
    test on the next slides.

44–50
The Miller-Rabin Primality Test
  • To test an integer N for primality, write N - 1 as
    N - 1 = m · 2^k where m is odd.
  • Repeat several (many) times:
  • Select a random a in 1 < a < N - 1.
  • Compute a^m, a^(2m), a^(4m), ..., a^((N-1)/2), all mod N.
  • If a^m = 1 or if some a^(2^i m) = -1, then N is
    probably prime; continue.
  • Otherwise, N is composite; stop.

51–67
Sieving for Primes
  • Pick a random starting point N.
  • Candidates: N, N+1, N+2, ..., N+11.
  • Sieve out multiples of 2, then multiples of 3, then multiples of 5
    (each slide crosses out the next multiple in the row; images not in
    the transcript).
  • Only a few good candidate primes will survive.

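The two steps above combined, as an added example that is not part of the original slides: a window of candidates above a random starting point is sieved by small primes (slides 51-67), and the survivors are handed to the Miller-Rabin test of slides 44-50. The small-prime list, window width and the bit length used in the demonstration call are constructed choices; `miller_rabin` returns "probably prime" with error probability at most 4^-rounds for an odd composite input.

```python
import secrets

# Constructed list of trial primes used by the sieve (assumption: 15 is enough
# to remove most composites from a window; production sieves use thousands).
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def miller_rabin(n: int, rounds: int = 40) -> bool:
    """Slides 44-50.  False: n is certainly composite.  True: n is probably prime."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:            # dispose of small n and small factors cheaply
        if n % p == 0:
            return n == p
    # write n - 1 = m * 2**k with m odd
    m, k = n - 1, 0
    while m % 2 == 0:
        m //= 2
        k += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random a with 1 < a < n - 1
        x = pow(a, m, n)                          # a**m mod n
        if x == 1 or x == n - 1:
            continue                              # a**m = 1, or a**m = -1 already
        for _ in range(k - 1):
            x = x * x % n                         # a**(2**(i+1) * m) mod n
            if x == n - 1:
                break                             # some a**(2**i m) = -1: probably prime
        else:
            return False                          # never hit -1: composite, stop
    return True


def sieve_window(start: int, width: int) -> list:
    """Slides 51-67: cross out every candidate in [start, start + width)
    divisible by a small prime and return the survivors in order."""
    survivors = [True] * width
    for p in SMALL_PRIMES:
        first = (-start) % p                      # offset of the first multiple of p
        for i in range(first, width, p):
            if start + i != p:                    # keep p itself if it is in the window
                survivors[i] = False
    return [start + i for i in range(width) if survivors[i]]


def random_prime(bits: int, window: int = 2000) -> int:
    """Random starting point with top and low bit set, sieve a window above it,
    return the first survivor that passes Miller-Rabin."""
    if bits < 8:
        raise ValueError("use at least 8 bits")
    while True:
        start = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        for cand in sieve_window(start, window):
            if cand.bit_length() == bits and miller_rabin(cand):
                return cand


if __name__ == "__main__":
    print("survivors in [100, 120):", sieve_window(100, 20))
    print("a 64-bit probable prime:", random_prime(64))
```

Sieving first is what makes this practical: in a window of 2000 odd numbers the small-prime pass removes the large majority before any modular exponentiation is spent, and every remaining composite is almost always rejected by the first Miller-Rabin round.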
68–70
Remaining RSA Basics
  • Why is Y^X mod PQ = Y whenever
    X mod (P-1)(Q-1) = 1, 0 ≤ Y < PQ,
    and P and Q are distinct primes?
  • How can Alice select integers E and D such
    that ED mod (P-1)(Q-1) = 1?

71–75
Modular Arithmetic
  • To compute (A + B) mod N,
    compute (A + B) and take the result mod N.
  • To compute (A - B) mod N,
    compute (A - B) and take the result mod N.
  • To compute (A × B) mod N,
    compute (A × B) and take the result mod N.
  • To compute (A ÷ B) mod N, ...

76–80
Modular Division
  • What is the value of (1 ÷ 2) mod 7?
    We need a solution to 2x mod 7 = 1.
    Try x = 4: 2 × 4 = 8 = 1 mod 7.
  • What is the value of (7 ÷ 5) mod 11?
    We need a solution to 5x mod 11 = 7.
    Try x = 8: 5 × 8 = 40 = 7 mod 11.

81–87
Modular Division
  • Is modular division always well-defined?
  • (1 ÷ 3) mod 6 = ?
  • 3x mod 6 = 1 has no solution!
    (3x mod 6 is always 0 or 3.)
  • Fact:
    (A ÷ B) mod N always has a solution when gcd(B, N) = 1.
  • There is no solution if gcd(A, B) = 1 and
    gcd(B, N) ≠ 1.


88–95
Greatest Common Divisors
  • gcd(A, B) = gcd(B, A - B),
    since any common factor of A and B is also a
    factor of A - B (and any common factor of B and A - B divides A).
  • gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(6,3) = gcd(3,6) = gcd(3,3)
    = gcd(3,0) = 3
  • gcd(A, B) = gcd(B, A - kB) for any integer k.
  • gcd(A, B) = gcd(B, A mod B)
  • gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(3,0) = 3

96–98
Extended Euclidean Algorithm
  • Given integers A and B, find integers X and Y
    such that AX + BY = gcd(A, B).
  • When gcd(A, B) = 1, solve AX mod B = 1 by
    finding X and Y such that
    AX + BY = gcd(A, B) = 1.
  • Compute (C ÷ A) mod B as C × (1 ÷ A) mod B.

99
Extended Euclidean Algorithm
  • gcd(35, 8)
    = gcd(8, 35 mod 8) = gcd(8, 3)
    = gcd(3, 8 mod 3) = gcd(3, 2)
    = gcd(2, 3 mod 2) = gcd(2, 1)
    = gcd(1, 2 mod 1) = gcd(1, 0) = 1

100–108
Extended Euclidean Algorithm
  • Divisions:
    35 = 8 × 4 + 3        so  3 = 35 - 8 × 4
    8  = 3 × 2 + 2        so  2 = 8 - 3 × 2
    3  = 2 × 1 + 1        so  1 = 3 - 2 × 1
    2  = 1 × 2 + 0
  • Back-substitution:
    1 = 3 - 2 × 1
      = (35 - 8 × 4) - (8 - 3 × 2) × 1
      = (35 - 8 × 4) - (8 - (35 - 8 × 4) × 2) × 1
      = 35 × 3 - 8 × 13
  • So X = 3, Y = -13 satisfy 35X + 8Y = 1, and (1 ÷ 35) mod 8 = 3
    (check: 35 × 3 = 105 = 13 × 8 + 1).

109
Extended Euclidean Algorithm
  • Given A, B > 0, set x1 = 1, x2 = 0, y1 = 0, y2 = 1,
    a1 = A, b1 = B, i = 1.
  • Repeat while bi > 0: i = i + 1;
    qi = a(i-1) div b(i-1); bi = a(i-1) - qi × b(i-1); ai = b(i-1);
    x(i+1) = x(i-1) - qi × xi; y(i+1) = y(i-1) - qi × yi.
  • For all i: A × xi + B × yi = ai. The final ai is gcd(A, B).
110
Digital Signatures
  • Recall that with RSA,
    D(E(Y)) = Y^(ED) mod N = Y
    E(D(Y)) = Y^(DE) mod N = Y
  • Only Alice (knowing the factorization of N) knows
    D. Hence only Alice can compute D(Y) = Y^D mod N.
  • This D(Y) serves as Alice's signature on Y;
    anyone can check it by computing E(D(Y)) and comparing with Y.
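
RSA as described on slides 7-8 and 110, as an added example that is not part of the original slides: key generation from two primes, encryption, decryption, signing and verification, plus a check of the slide-8 claim for every Y in [0, N), including the Y that share a factor with N. The primes 61 and 53 (and 11 and 13) and the exponents are constructed toy values; this is textbook RSA with no padding, exactly as the slides present it, so it is a teaching model and not a secure scheme.

```python
def rsa_keygen(P: int, Q: int, E: int = 65537) -> tuple:
    """Slides 7-8: from distinct primes P, Q return ((N, E), (N, D))
    with N = PQ and E*D mod (P-1)(Q-1) == 1."""
    if P == Q:
        raise ValueError("P and Q must be distinct")
    N = P * Q
    phi = (P - 1) * (Q - 1)
    D = pow(E, -1, phi)          # ValueError if gcd(E, phi) != 1: pick another E
    return (N, E), (N, D)


def rsa_apply(key: tuple, Y: int) -> int:
    """Y^X mod N for key (N, X); both E and D are applied the same way."""
    N, X = key
    if not 0 <= Y < N:
        raise ValueError("value must satisfy 0 <= Y < N")
    return pow(Y, X, N)


def encrypt(public: tuple, Y: int) -> int:      # Z = Y^E mod N
    return rsa_apply(public, Y)


def decrypt(private: tuple, Z: int) -> int:     # Z^D mod N
    return rsa_apply(private, Z)


def sign(private: tuple, Y: int) -> int:        # slide 110: D(Y) = Y^D mod N
    return rsa_apply(private, Y)


def verify(public: tuple, Y: int, sig: int) -> bool:   # E(D(Y)) == Y
    return rsa_apply(public, sig) == Y


def roundtrip_all(P: int, Q: int, E: int = 7) -> bool:
    """Check Y^(ED) mod N == Y for every Y in [0, N), including multiples of
    P or Q, where Fermat's theorem alone does not apply."""
    public, private = rsa_keygen(P, Q, E)
    N = public[0]
    return all(decrypt(private, encrypt(public, Y)) == Y for Y in range(N))


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53)
    Z = encrypt(public, 65)
    print("public", public, "private", private, "ciphertext of 65:", Z)
    print("decrypts to", decrypt(private, Z), "; signature verifies:",
          verify(public, 65, sign(private, 65)))
    print("round trip holds for all Y mod 11*13:", roundtrip_all(11, 13))
```

The `pow(E, -1, phi)` call is Python's built-in modular inverse (Python 3.8 or later) and does the extended-Euclidean work of slide 109.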

111
The Digital Signature Algorithm
  • In 1991, the National Institute of Standards and
    Technology published a Digital Signature Standard
    that was intended as an option free of
    intellectual property constraints.

112
The Digital Signature Algorithm
  • DSA uses the following parameters:
  • Prime p, anywhere from 512 to 1024 bits
  • Prime q, 160 bits, such that q divides p - 1
  • Integer h in the range 1 < h < p - 1
  • Integer g = h^((p-1)/q) mod p (with g ≠ 1, so that g has order q)
  • Secret integer x in the range 1 < x < q
  • Integer y = g^x mod p

113–117
The Digital Signature Algorithm
  • To sign a 160-bit message M:
  • Generate a random integer k with 0 < k < q,
  • Compute r = (g^k mod p) mod q,
  • Compute s = ((M + x × r) / k) mod q.
  • The pair (r, s) is the signature on M.

118–123
The Digital Signature Algorithm
  • A signature (r, s) on M is verified as follows:
  • Compute w = 1/s mod q,
  • Compute a = w × M mod q,
  • Compute b = w × r mod q,
  • Compute v = (g^a × y^b mod p) mod q.
  • Accept the signature only if v = r.
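
The signing and verification steps of slides 112-123, as an added example that is not part of the original slides. The parameters q = 11, p = 23, h = 2 are constructed toy values small enough to follow by hand (they give g = 4); real DSA uses the bit lengths of slide 112 and signs a hash of the message, whereas here M is an integer reduced mod q. The range checks on r and s, and the retry when r or s is 0, are requirements of the standard that the slides omit. The optional `x` and `k` arguments exist only to make the worked numbers reproducible; a fixed or reused k leaks the secret key.

```python
import secrets


def _is_prime_small(n: int) -> bool:
    """Trial division, adequate for the toy parameter sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def dsa_params(p: int, q: int, h: int) -> tuple:
    """Slide 112: g = h^((p-1)/q) mod p from primes p, q with q | p-1."""
    if not (_is_prime_small(p) and _is_prime_small(q)) or (p - 1) % q != 0:
        raise ValueError("need primes p, q with q dividing p-1")
    if not 1 < h < p - 1:
        raise ValueError("h must satisfy 1 < h < p-1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:                              # g would not have order q
        raise ValueError("h yields g = 1; choose another h")
    return p, q, g


def dsa_keygen(params: tuple, x: int = None) -> tuple:
    """Secret x with 0 < x < q and public y = g^x mod p."""
    p, q, g = params
    if x is None:
        x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dsa_sign(params: tuple, x: int, M: int, k: int = None) -> tuple:
    """Slides 113-117.  k must be fresh, uniform and secret for every signature;
    it is a parameter here only so the example is reproducible."""
    p, q, g = params
    if not 0 <= M < q:
        raise ValueError("M must be reduced mod q (in practice, a hash of the message)")
    while True:
        if k is None:
            k = secrets.randbelow(q - 1) + 1        # 0 < k < q
        r = pow(g, k, p) % q                        # (g^k mod p) mod q
        s = (M + x * r) * pow(k, -1, q) % q         # ((M + x r) / k) mod q
        if r != 0 and s != 0:                       # standard: otherwise choose a new k
            return r, s
        k = None


def dsa_verify(params: tuple, y: int, M: int, sig: tuple) -> bool:
    """Slides 118-123: accept iff v == r, after range-checking r and s."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q and 0 <= M < q):
        return False
    w = pow(s, -1, q)                   # 1/s mod q
    a = w * M % q
    b = w * r % q
    v = (pow(g, a, p) * pow(y, b, p) % p) % q
    return v == r


if __name__ == "__main__":
    params = dsa_params(23, 11, 2)                  # g = 4
    x, y = dsa_keygen(params, x=7)                  # y = 4^7 mod 23 = 8
    sig = dsa_sign(params, x, 5, k=3)               # (r, s) = (7, 7)
    print("params", params, "y", y, "signature on 5:", sig)
    print("verifies:", dsa_verify(params, y, 5, sig),
          "| verifies for M = 6:", dsa_verify(params, y, 6, sig))
```

Why verification works: w(M + x r) = k mod q, so g^a y^b = g^(wM) g^(x w r) = g^(w(M + x r)) = g^k mod p, and reducing mod q recovers r.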

124–126
Elliptic Curve Cryptosystems
  • An elliptic curve:
    y^2 = x^3 + Ax + B

127–137
Elliptic Curves
  • y^2 = x^3 + Ax + B
  • (Plots in the x-y plane, building up from the cubic y = x^3 + Ax + B
    to the curve y^2 = x^3 + Ax + B; images not in the transcript.)

138
Elliptic Curves: Intersecting Lines
  • y^2 = x^3 + Ax + B with the line y = ax + b
    (plot of the curve and the line; image not in the transcript)

139
Elliptic Curves: Intersecting Lines
  • Non-vertical lines:
    y^2 = x^3 + Ax + B
    y = ax + b
    (ax + b)^2 = x^3 + Ax + B
    x^3 + A'x^2 + B'x + C' = 0
    (a cubic in x, so the line meets the curve in at most 3 points)

140
Elliptic Curves: Intersecting Lines
  • x^3 + A'x^2 + B'x + C' = 0
    (plot of the cubic; image not in the transcript)

141
Elliptic Curves: Intersecting Lines
  • Non-vertical lines:
  • 1 intersection point (typical case)
  • 2 intersection points (tangent case)
  • 3 intersection points (typical case)

142
Elliptic Curves: Intersecting Lines
  • Vertical lines:
    y^2 = x^3 + Ax + B
    x = c
    y^2 = c^3 + Ac + B
    y^2 = C

143
Elliptic Curves: Intersecting Lines
  • Vertical lines:
  • 0 intersection points (typical case)
  • 1 intersection point (tangent case)
  • 2 intersection points (typical case)

144–149
Elliptic Groups
  • y^2 = x^3 + Ax + B
    (Plots of the chord-and-tangent construction: the line y = ax + b
    through two points meets the curve in a third point, which is
    reflected across the x-axis; the vertical line x = c through a point
    and its reflection meets the curve nowhere else. Images not in the
    transcript.)
  • Add an artificial point I to handle the
    vertical line case.
  • This point I also serves as the group identity
    value.

150
Elliptic Groups
  • (x1,y1) ? (x2,y2) (x3,y3)
  • x3 ((y2y1)/(x2x1))2 x1 x2
  • y3 -y1 ((y2y1)/(x2x1)) (x1x3)
  • when x1 ? x2

151
Elliptic Groups
  • (x1,y1) ? (x2,y2) (x3,y3)
  • x3 ((3x12A)/(2y1))2 2x1
  • y3 -y1 ((3x12A)/(2y1)) (x1x3)
  • when x1 x2 and y1 y2 ? 0

152
Elliptic Groups
  • (x1,y1) ? (x2,y2) I
  • when x1 x2 but y1? y2 or y1 y2 0
  • (x1,y1) ? I (x1,y1) I ? (x1,y1)
  • I ? I I

153–157
The Fundamental Equation
  • Z = Y^X mod N
  • Z = Y^X in Ep(A,B)
    (multiplicative notation for X applications of the group law to the
    point Y on the curve y^2 = x^3 + Ax + B over the integers mod p)
  • When Z is unknown, it can be efficiently computed
    by repeated squaring (here, repeated doubling and adding).
  • When X is unknown, this version of the discrete
    logarithm is believed to be quite hard to solve.
  • When Y is unknown, it can be efficiently computed
    by sophisticated means.

158
Diffie-Hellman Key Exchange (mod N, as on slide 5)
  • Alice: randomly select a large integer a and send
    A = Y^a mod N; compute the key K = B^a mod N.
  • Bob: randomly select a large integer b and send
    B = Y^b mod N; compute the key K = A^b mod N.

B^a = Y^(ba) = Y^(ab) = A^b
159
Diffie-Hellman Key Exchange (in Ep)
  • Alice
  • Randomly select a large integer a and send
    A = Y^a in Ep.
  • Compute the key K = B^a in Ep.
  • Bob
  • Randomly select a large integer b and send
    B = Y^b in Ep.
  • Compute the key K = A^b in Ep.

B^a = Y^(ba) = Y^(ab) = A^b
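
The group law of slides 150-152 over the integers mod a prime, the double-and-add computation of Y^X in Ep (slide 155), and the elliptic-curve exchange of slide 159, as an added example that is not part of the original slides. The curve y^2 = x^3 + 2x + 3 over GF(97) and the base point (3, 6) are constructed toy parameters; the on-curve check before using a received point is the validation a practitioner adds and is not on the slide. Division in the slide formulas is done as multiplication by a modular inverse.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import secrets

Point = Optional[Tuple[int, int]]
INF: Point = None          # the artificial point I of slide 148


@dataclass(frozen=True)
class Curve:
    """y^2 = x^3 + A x + B over the integers mod the prime p: the group Ep(A,B)."""
    p: int
    A: int
    B: int

    def __post_init__(self):
        if (4 * self.A ** 3 + 27 * self.B ** 2) % self.p == 0:
            raise ValueError("singular curve: 4A^3 + 27B^2 = 0 mod p")

    def on_curve(self, P: Point) -> bool:
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.A * x + self.B)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Group law of slides 150-152."""
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 != y2 or y1 == 0):
            return INF                                           # vertical line: P + (-P) = I
        if x1 != x2:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)           # chord slope (slide 150)
        else:
            lam = (3 * x1 * x1 + self.A) * pow(2 * y1, -1, self.p)   # tangent slope (slide 151)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p                      # = lam^2 - 2 x1 when P == Q
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k-fold sum of P by double-and-add: the slides' Y^X in Ep."""
        if k < 0:
            raise ValueError("negative scalar")
        R = INF
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


# Constructed toy parameters (assumption): small curve and a base point on it.
CURVE = Curve(p=97, A=2, B=3)
G: Point = (3, 6)


def ecdh_exchange(curve: Curve = CURVE, base: Point = G) -> bool:
    """Slide 159: Alice sends a*G, Bob sends b*G, both derive a*b*G.
    Each side checks the received point is on the curve before using it;
    a point off the curve lives in a different group and can leak the scalar."""
    a = secrets.randbelow(curve.p - 1) + 1    # scalar range bounded by p for the toy (assumption)
    b = secrets.randbelow(curve.p - 1) + 1
    A = curve.mul(a, base)                    # Alice -> Bob
    B = curve.mul(b, base)                    # Bob -> Alice
    if not (curve.on_curve(A) and curve.on_curve(B)):
        raise ValueError("received point is not on the curve")
    return curve.mul(a, B) == curve.mul(b, A)


if __name__ == "__main__":
    print("2G =", CURVE.add(G, G), " 3G =", CURVE.mul(3, G))
    print("G + (-G) =", CURVE.add(G, (3, 97 - 6)))
    print("EC Diffie-Hellman keys agree:", ecdh_exchange())
```

The same `mul` is the operation that replaces g^k mod p when DSA is moved to a curve (next slides).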
160–162
DSA on Elliptic Curves
  • Almost identical to DSA over the integers.
  • Replace the exponentiation g^k mod p with the corresponding
    operation in Ep (k applications of the group law to a base point
    of order q), take r from the x-coordinate of the resulting point
    reduced mod q, and keep the arithmetic mod q on k, s, w, a and b
    unchanged.

163–165
Why use Elliptic Curves?
  • The best currently known algorithm for EC
    discrete logarithms would take about as long to
    find a 160-bit EC discrete log as the best
    currently known algorithm for integer discrete
    logarithms would take to find a 1024-bit discrete
    log.
  • 160-bit EC algorithms are somewhat faster and use
    shorter keys than 1024-bit traditional
    algorithms.

166–169
Why not use Elliptic Curves?
  • EC discrete logarithms have been studied far less
    than integer discrete logarithms.
  • Results have shown that a fundamental break in
    integer discrete logs would also yield a
    fundamental break in EC discrete logs, although
    the reverse may not be true.
  • Basic EC operations are more cumbersome than
    integer operations, so EC is only faster if the
    keys are much smaller.