, University of Windsor
XB
mod q
Which is
k
K= ( k ) X B mod q = ( X B )k mod q = (YB ) mod q
Oct. 15, 03
(b) Compute
$M = (C_2 K^{-1}) \bmod q$
where $K^{-1}$ is the multiplicative inverse of K.
Therefore:
$(C_2 K^{-1}) \bmod q = (K M K^{-1}) \bmod q$
$= M K K^{-1} \bmod q$
$= M \bmod q$
Note 1 This scheme is sometimes referred to as DSA, which stands for Digital
Signature Algorithm.
Note 2 The plaintext M is usually a digest of a message. It is seen that DSS
does not encrypt the digest. The input to the algorithm is the digest of the data
to sign, M, the key, YB and a random number, k. The output is a pair of numbers
C1, and C2, as shown in Fig. 1. There will be many ciphertexts that are
encryptions of the same digest, since the output depends on both the digest M
and on the random value k chosen by Alice.
[Figure 1: inputs are the data to sign M, the key YB and a random "k"; the DSS algorithm outputs C1 and C2]
Fig. 1 DSS takes in three inputs and gives two numbers as a result
Note 3 To defeat this scheme and infer the values of XB and k given C1, C2 and
M, the intruder, Oscar, could find a means of computing a discrete logarithm to
solve
YB =
XB
and C1=k
Solution
$K = (Y_B)^k \bmod q = 3^2 \bmod 71 = 9$
(a)
as part of the ciphertext. Bob, who knows the private key, $X_B$, can compute $Y_B^k$
from $C_1$. Then he can remove the mask by dividing $C_2$ by $Y_B^k$ to obtain M.
C2=x YB mod q
For C1 and C2Zq , define
X 1
k(C1, C2)=C2 (C1 B ) mod q
(b)
(c)
The algorithm uses a hash value instead of the full message plaintext M.
(d)
$p = d - c^2/3$
$q = e - cd/3 + 2c^3/27$
Solutions of the original cubic are then in terms of the canonical cubic roots. The
three roots of the canonical cubic are:
$X_1 = A^{1/3} + B^{1/3}$
$X_2 = W A^{1/3} + W^2 B^{1/3}$
$X_3 = W^2 A^{1/3} + W B^{1/3}$
Where
$A = -\frac{1}{2} q + \frac{1}{6} \sqrt{(4p^3 + 27q^2)/3}$
$B = -\frac{1}{2} q - \frac{1}{6} \sqrt{(4p^3 + 27q^2)/3}$
$W = (-1 + i\sqrt{3})/2, \quad W^2 = (-1 - i\sqrt{3})/2$
R be constants
such that $4a^3 + 27b^2 \neq 0$. A non-singular elliptic curve is the set E of solutions
$(x, y) \in R \times R$ to the equation
$y^2 = x^3 + ax + b$
together with a special point called the point at infinity denoted , which is most
easily regarded as sitting at the top of the y-axis.
[Figure: elliptic curve with the points P, Q, R and -P marked]
$\int_{x_1}^{x_2} \frac{dx}{\sqrt{x^3 + ax + b}}$ and $\int_{x_1}^{x_2} \frac{x\,dx}{\sqrt{x^3 + ax + b}}$
and arise
To find the coordinates of R, (x3, y3), which are the intersection of line L and
curve E, we substitute equation for line L into the equation for E:
L:
E:
y = x +
y2 = x3 + ax + b
(x + )2 = x3 + ax + b
x3 - 2x2 + (a - 2)x + (b - 2) = 0
The roots are x-coordinates of points in $L \cap E$, i.e., P, Q, and R.
Therefore
x1 + x2 + x3 = 2
x 3 = 2 - x 1 - x 2
To find y3, note that slope of line L, i.e. can be determined by any two points on
this line. We will denote the y-coordinate of R by y3, so the y-coordinate of R
will be y3. If we use the points (x1, y1) and (x3, -y3) to compute this slope, we
get
= (-y3-y1)/(x3-x1)
y3 = (x1-x3) y1
Thus, we have derived a formula for P+Q in case 1, when $x_1 \neq x_2$, for
(x1, y1) + (x2, y2) = (x3, y3) as:
x3 2 x1 x2
y3 ( x1 x3 ) y1
$(y_2 - y_1)/(x_2 - x_1)$
Case 2:
x1 = x2 and y1 = -y2
If we try to add P , we get a line through and P, which is vertical. It
intersects E in P (x1, y1) and also in -P (x1, -y1) (see Fig. 2). When we reflect
(x1,-y1) across the x-axis, we get back P (x1,y1). Therefore, P P . Now, try to
add P and -P. The line through (x1,y1) and (x1,-y1) is vertical, so the third point of
intersection with E is . The reflection across the x-axis is still . Therefore, in
this case, we define
P E
P + (-P) =
Case 3:
x1 = x2, y1 = y2
That is, adding a point P to itself. In this case, the line L of case 1 is taken to be the
tangent to E at the point P. The slope of L can be computed using implicit differentiation of
the equation of E:
$2y \, \frac{dy}{dx} = 3x^2 + a$
Substituting x = x1, y=y1, we get the slope of the line L as:
= $(3x_1^2 + a)/(2y_1)$
The rest is identical to case 1.
Def. Addition Law Let E be given by $y^2 = x^3 + ax + b$ and let P(x1,y1) and
Q(x2,y2) be on E. Then:
$P + Q = R = (x_3, y_3)$
where
x3 2 x1 x2
y3 ( x2 x3 ) y1
= $(y_2 - y_1)/(x_2 - x_1)$ if $P \neq Q$
= $(3x_1^2 + a)/(2y_1)$ if $P = Q$
If the slope is infinite, then R (the point at infinity). There is one additional
law:
P P
P E
Note 4 -
$(P + Q) + R = P + (Q + R)$   Associative Law
$P + Q = Q + P$   Commutative Law
3- Elliptic Curves Modulo a Prime
(6, 9)
(2, 1)
(8, 4)
(4, 2)
(9, 5)
(4, 9)
(9, 6)
infinity
Note 7 To form a cryptographic system using elliptic curves, we need to have a hard
problem corresponding to factoring the product of two primes or taking the
discrete logarithm. For example consider the equation Q = kP, where Q, P ∈ E
and k < p. It is relatively easy to calculate Q given k and P, but it is
relatively hard to determine k given Q and P.
4- The ECC Diffie-Hellman Algorithm
Step 1 Pick a prime number p and elliptic curve parameters a and b for equation
$y^2 \equiv x^3 + ax + b \pmod p$
Pick a generator point P = (x1, y1) in E.
The integers a and b, prime number p, and generator point P are parameters of
the cryptosystem known to all participants.
Step 2 Alice selects an integer dA and generates a public key QA = dA x P. The key QA is
a point in E. dA is Alice's private key.
Step 3 Similarly, Bob selects a private key dB and computes a public key QB = dB x P.
Step 4 Alice generates the secret key K as
K = dA x QB = dA x dB x P
Independently, Bob also generates the secret key K as
K = dB x QA = dB x dA x P
That is the same thing Alice computed.
Note 8 Since the secret key K is another point on the elliptic curve and we need just a
number, Alice and Bob need to decide beforehand which coordinate, x or y,
to use. The most common way is to use the x-coordinate and ignore the y-coordinate.
Example 2 Take p = 211, a = 0, b = -4, and P = (2, 2). Alice selects dA = 121 as her
private key. So her public key is:
QA = dA x P = 121 x (2, 2) mod 211 = (115, 48)
Bob picks dB = 203 as his private key. His public key can be computed as:
QB = dB x P = 203 x (2, 2) mod 211 = (130, 203).
Therefore the shared secret key K is
K = dA x QB = dB x QA = 121 x ( 130 , 203 ) = 203 x ( 115, 48 ) = (161, 169).
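The addition law and the exchange of Steps 1 to 4, worked through with the parameters of Example 2 as an added Python example (not part of the original notes). The function names and the name lam for the slope are chosen here, and the on-curve check on the peer's public key is a step added in this example that the steps above do not mention.

```python
# Added example (not from the original notes): ECC Diffie-Hellman over
# y^2 = x^3 + a*x + b (mod p) with the toy parameters of Example 2.
P_MOD, A, B = 211, 0, -4
G = (2, 2)      # generator point P of Example 2
INF = None      # point at infinity, the group identity

def on_curve(pt):
    """True if pt is the point at infinity or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Addition law: chord (case 1), vertical line (case 2), tangent (case 3)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2          # coordinates assumed reduced mod p
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                       # case 2: P + (-P)
    if x1 == x2:                         # case 3: doubling, tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:                                # case 1: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Compute k x pt by double-and-add."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def shared_key(d, peer_pub):
    """Check the peer's point (a step added here), return x of d x peer_pub."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public key is not a point on the curve")
    point = mul(d, peer_pub)
    if point is INF:
        raise ValueError("shared point is the point at infinity")
    return point[0]

if __name__ == "__main__":
    print(mul(121, G), mul(203, G), shared_key(121, mul(203, G)))
```

Run as written, both sides arrive at the point (161, 69), so the agreed key is 161; the pair (161, 169) printed in Example 2 does not satisfy the curve equation and is rejected by on_curve.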
Note 9 The security of ECC depends on how difficult it is to determine k given kP and
P. This is referred to as the elliptic curve logarithm problem. It can be shown
that a considerably smaller key size can be used for ECC compared to RSA.
Furthermore, for equal key lengths, the computational effort required for ECC
and RSA is comparable. Thus it appears that there is a computational
advantage to using ECC with a shorter key length than a comparably secure
RSA.