# A new probabilistic public key algorithm based on elliptic logarithms


Afonso Comba de Araujo Neto, Raul Fernando Weber

Instituto de Informática, Universidade Federal do Rio Grande do Sul (UFRGS), Caixa Postal Porto Alegre RS Brasil

**Abstract.** This paper introduces a new probabilistic public key algorithm based on elliptic curves and shows that it is secure. The security of the scheme is solely based on the difficulty of the elliptic curve discrete logarithm problem, while at the same time it has a constant message expansion for one encryption of a plaintext of any practical size. In the alternative algorithms, like Cramer-Shoup and PSEC, for a large plaintext, either the message expansion is proportional to its size or an additional security assumption is needed. Although some restrictions are posed on the public part of the key, we show how to easily find the needed parameters, and also suggest ways to make the public key as small as possible.

## 1. Introduction

The concept of probabilistic encryption was first introduced in 1984 by Goldwasser and Micali [5]. The main idea behind probabilistic encryption is to obtain semantic security. In essence, for a semantically secure encryption, no polynomially bounded adversary can obtain any partial information about the plaintext from the ciphertext.

The fundamental property of a probabilistic algorithm is that, for any given plaintext, there is a huge number of possible ciphertexts. For example, suppose someone wants to send one bit using a deterministic public key algorithm. The problem is that the message space is small enough that an attacker can encrypt all the possibilities, in this case the bits 1 and 0, and just compare the results with the ciphertext that was sent. Under probabilistic encryption, there are enough different ciphertexts for both 1 and 0, and that makes it infeasible for an attacker to use that strategy. And even though the algorithm has this property, all ciphertexts are uniquely decipherable.
Between probabilistic encryption and deterministic encryption, given the same security and efficiency requisites, the former would be preferable.

It is widely known that one major topic of research in the field of cryptography today is the use of elliptic curves for public key cryptography. The points of a carefully chosen elliptic curve over a finite field provide a group structure where the discrete logarithm over it has no known sub-exponential algorithm. That fact allows much smaller fields and keys than other approaches, such as those based on the difficulty of the discrete logarithm over the multiplicative group of a finite field or those based on the difficulty of factoring, both of which have sub-exponential algorithms. The problem of calculating logarithms over elliptic curves is often called the Elliptic Curve Discrete Logarithm Problem, ECDLP for short. More information about the basics of elliptic curve applications in cryptography can be found in [1].

Our objective is to propose a new efficient probabilistic public key encryption algorithm over the smaller fields allowed by elliptic logarithms. There exist at least two other probabilistic schemes based on elliptic curves. The first one is named PSEC (Provably Secure Elliptic Curve Encryption Scheme), which was a submission to the standard IEEE P1363 [8], and the second one is the Cramer-Shoup public key scheme [4], which was designed for arbitrary groups and therefore can be used with elliptic curves.

Both schemes, however, suffer from a fundamental disadvantage when used over a large plaintext: either the user encodes several small parts of it as points of an elliptic curve and encrypts them separately, or he encrypts everything at once using a random secret key and a block cipher and uses the scheme to encrypt only the key. The problem is that the first choice incurs a huge message expansion (and requires a proportional number of truly random bits) and the second one adds another security assumption to the scheme: now both the elliptic curve problem and the block cipher must be unconditionally secure.

The scheme proposed in this paper offers a third choice of encryption which demands only one security assumption and has a constant message expansion for any plaintext. The assumption is that the Elliptic Curve Diffie-Hellman Problem (ECDHP) over the group of points of a carefully chosen elliptic curve is hard on average against all polynomially bounded adversaries. The ECDHP is conjectured to be equivalent to the ECDLP, and will be explained in section 7. In the next section we'll briefly introduce the proposed algorithm and explain how the paper is structured.

## 2. Overview of the algorithm

Much like the Blum-Goldwasser probabilistic scheme [2], which relies on the pseudorandom bit generator Blum-Blum-Shub, our scheme relies on the elliptic curve based pseudorandom bit generator by Burton Kaliski [6], which will be explained in detail later in section 5.
Here's a summary of the full algorithm (logarithms are always taken base 2):

1. **Public parameters.** Find a pair of elliptic curves, $E$ and its twist $E^t$, over a finite field $\mathbb{F}_p$ (with characteristic greater than 3) where the number of points of both curves is prime. In section 3 we show how to quickly find such a pair, using the theory of Complex Multiplication. Our method has the useful advantage that a single integer with about $\frac{\log p}{4}$ bits is enough to uniquely identify the prime field, the coefficients of both curves (up to $\mathbb{F}_p$-isomorphism) and both orders, and to easily find base points which are generators of both curves.
2. **Key pair.** Consider $n_E$ and $G_E$ the order and generator of the first curve and $n_{E^t}$ and $G_{E^t}$ the order and generator of the twist. Choose uniformly secret keys $0 < s_E < n_E$ and $0 < s_{E^t} < n_{E^t}$ and calculate the public key using scalar multiplication over the curves, that is, the points $P_E = s_E G_E$ and $P_{E^t} = s_{E^t} G_{E^t}$.
3. **Encryption.** Select uniformly a secret, discardable seed $a \in [0, 2p + 1]$. As a preliminary step, using the curves, generators, orders and public keys, the algorithm computes 3 points, namely $M$, $T_E$ and $T_{E^t}$, and also a scalar value $r \in [0, 2p + 1]$. Using $r$ as a seed, and the points $T_E$ and $T_{E^t}$ as generators of the curves $E$ and $E^t$, run the Kaliski pseudorandom bit generator, creating a keystream of the size of the plaintext. The ciphertext is created by XORing the keystream and the plaintext. Send the ciphertext along with the point $M$. Using point compression on $M$, the size of the complete ciphertext is the size of the plaintext plus $\log p + 1$ bits.

4. **Decryption.** Having $M$, the secret keys $s_E$ and $s_{E^t}$ and the ciphertext, the objective is to reconstruct the keystream and recover the plaintext by XORing the ciphertext with it. The algorithm, therefore, using the point $M$ and the secret keys, recalculates the points $T_E$, $T_{E^t}$ and the value $r$, allowing the inverse procedure of the encryption.

The fact that the ciphertext depends both on the plaintext and also on the initial seed provided for encryption implies that, for the same plaintext, an exponential number of ciphertexts are possible. That's the property that makes this a probabilistic public key encryption algorithm, instead of a deterministic one.

One interesting advantage comes from the restriction that both curves must have prime orders. As we'll show later, that implies that any point has order of the same magnitude as the order of the finite field itself. In the end it means that when you select the bit length of the characteristic of the finite field, you are automatically determining the security level of the elliptic logarithms.

It is important to notice that the necessity of a prime order twisted pair as a public key is a strong restriction. Although it's not that hard to find one curve with a prime number of points, it's not obvious how to efficiently find a prime order elliptic curve such that its twist also has prime order. For the algorithm to be usable, it is important to show that it is easy to find such pairs and that there are enough of them. Our method also allows a considerable compression of the public parameters, which uncompressed are clearly a lot of information. Section 3 explains how to find such pairs and section 4 explains the compression techniques.

The algorithm itself is pretty straightforward. Given a public key and a seed, a point is generated such that, along with the private key, parameters for the Kaliski pseudorandom bit generator are calculated and a keystream is created.
Kaliski showed that this pseudorandom bit generator is cryptographically secure under the assumption that the ECDLP is hard. That means that its period is at least superexponential in $p$ ($p$ being the characteristic of the finite field where the curves are defined) and it's forward and backward unpredictable against all polynomially bounded adversaries. The encryption with this keystream is, therefore, equivalent to a One-Time-Pad against all polynomial attacks, if the seed is never disclosed or repeated. Section 5 presents a comprehensive explanation of the Kaliski generator, which will be necessary for understanding the details of the full algorithm described in section 6.

## 3. Generating prime order twisted pairs

An elliptic curve over a finite field $\mathbb{F}_p$ with characteristic greater than 3 can be defined by an equation with variables $x$ and $y$ that has the form

$$y^2 = x^3 + ax + b, \tag{1}$$

with $a, b \in \mathbb{F}_p$ and $4a^3 + 27b^2 \not\equiv 0 \pmod p$.

Given any elliptic curve, we call a quadratic twist (hereafter only called twist) of this curve another curve with coefficients related in the following way. Take any quadratic non-residue $\beta$ modulo $p$. The twist of the curve with coefficients $a$ and $b$ is the curve with coefficients $a_t = a\beta^2$ and $b_t = b\beta^3$. In other words, if equation 1 is an elliptic curve, then

$$y^2 = x^3 + a\beta^2 x + \beta^3 b \tag{2}$$

is its twist, for any quadratic non-residue $\beta$. Although they have different structure over $\mathbb{F}_p$, an elliptic curve and its twist are isomorphic over the extension field $\mathbb{F}_{p^2}$.

By a famous theorem due to Helmut Hasse, it is known that the number of points $\#E$ of any elliptic curve over a finite field $\mathbb{F}_p$ satisfies the following equation

$$\#E = p + 1 - t, \tag{3}$$

where $|t| \le 2\sqrt{p}$. The value $t$ is known as the trace of Frobenius at $p$ of the curve.

An interesting and useful fact is that if the number of points of a curve is $\#E = p + 1 - t$, then the number of points of its twist is exactly $\#E^t = p + 1 + t$. That means that the calculation of the number of points of any curve automatically gives the number of points of the twist.

In order to find the prime order twisted pair, we need to find an elliptic curve over some prime field $\mathbb{F}_p$ with trace of Frobenius $t$ such that $p + 1 + t$ and $p + 1 - t$ are both prime. The problem is that the determination of the trace of an arbitrary curve is a really hard problem. By inspection of equation 3, it becomes clear that the determination of $t$ and the order of the curve are actually the same problem, as they are related by a linear equation.

There is a polynomial time algorithm for counting the number of points of a curve, known as the Schoof-Elkies-Atkin algorithm. A naive approach would be to randomly choose a prime $p$ and the coefficients $a$ and $b$, count the number of points of the curve, and, if it's prime, check if $\#E^t = 2p + 2 - \#E$ is also prime. Although that method works, it is in fact too slow for use in practice. To solve the problem efficiently, we must turn it upside down, using the theory of Complex Multiplication of elliptic curves.
Even though the determination of the trace of Frobenius of a given curve is a hard problem, the creation of a curve with a specific trace is a lot easier. The theory of Complex Multiplication is deep, so we'll only provide what is absolutely necessary to understand the ideas being presented. We urge the reader to turn to [3] for a comprehensive explanation of the theory.

Take $D$ as a negative integer congruent to 0 or 1 modulo 4 and squarefree, that is, it's not divisible by any squares. Then $D$ is a fundamental discriminant of an imaginary quadratic field $\mathbb{Q}(\sqrt{D})$. We need to solve the following equation:

$$t^2 = 4p + Dy^2 \tag{4}$$

The value $p$ will be the characteristic of a finite field, so it must be prime. Given $p$, $t$ will be the trace of Frobenius of a curve defined over $\mathbb{F}_p$. The variable $y$ can be any integer. We'll explain how to calculate the curve coefficients later.

Consider $D$ as a constant for the moment. Our approach to solve this equation is to use the idea of families of curves. That means rearranging the equation so that the right part of it depends only on one variable, and so that for any given integer it generates possible primes and traces with the properties we need. It essentially becomes a polynomial in one variable. The equation won't produce all possible curves, but will produce a family of related curves.

We choose to fix $y = 1$. That automatically gives one less variable to work with. Second, we need odd traces. By inspection of equation 3 we can see that even traces won't ever produce a prime number of points. So replace $t$ by

$$t(x) = 2x^2 - 2x + 1, \tag{5}$$

which is odd for any $x$. After rearranging the terms and making the substitutions, the equation now becomes

$$p(x) = \frac{(2x^2 - 2x + 1)^2 + D}{4} \tag{6}$$

$$p(x) = x^4 - 2x^3 + 2x^2 - x + \frac{1 + D}{4} \tag{7}$$

Notice that, after the rearrangements, $D$ becomes positive. For the independent term, we need $\frac{1 + D}{4}$ to be an integer. That will happen for all $D \equiv 3 \pmod 4$. But one more constraint is needed. We want $p$ to be prime, and that will never happen if the constant term of the equation is even. That is solved by having $D \equiv 3 \pmod 8$.

To actually find the curves, we run a sequential search replacing $x$ by integers, positive or negative, and checking if $p(x)$ is prime using some probabilistic primality algorithm like a Miller-Rabin test. When a prime $p$ is found, we set $t = 2x^2 - 2x + 1$ and check the orders of the curves. Notice that if you want primes with about $\log p$ bits, you must use integers with about $\frac{\log p}{4}$ bits.

On a 1.3GHz Athlon, using $D = 163$ and looking for primes with 160 bits, this search produces a prime order twisted pair in about fifteen seconds. And more improvements can be made. For example, take $D \in \{11, 19, 43, 67, 163\}$ and for each integer calculate a base value $p(x) = x^4 - 2x^3 + 2x^2 - x$. Now, for each base value, we can add five different constants, generating five different prime candidates, which will be faster than moving to the next value of $x$.

Notice that, by equation 3, the orders of both curves are of the same magnitude as the finite field, give or take a factor of $2\sqrt{p}$.
The fact that both groups have prime orders implies they are cyclic, and all points are generators (a famous group theory theorem by Joseph Lagrange). That means that the security level of the discrete logarithm in that group, measured as bit length, is the same as the order of the finite field. Therefore, choosing the bit length of $p$ is the same as choosing the security level of the system.

### Calculating the curve parameters

At this point we can assume to have a prime $p$, and a trace $t$ which defines a prime order twisted pair. With these numbers, and using the value of $D$ that allowed us to find them, we can construct the curves. To do that, we should get back to the theory of complex multiplication.

Jumping ahead on the theory, $D$ is a number that uniquely defines what is called a Hilbert polynomial $H_D(x)$. The degree of this polynomial is the class number of the imaginary quadratic order with discriminant $D$. For some values of $D$ this polynomial has degree one, but for higher values it quickly escalates, not only in degree, but also in the size of its coefficients. For example, the discriminants -11, -19, -43, -67, -163 all have class number one and are more or less simple. On the other hand, has class number 328, and the coefficients of H (x), in ASCII representation, sum up to 130 kilobytes.

The calculation in real time of $H_D(x)$ for a given $D$ is not easy, and probably should be avoided. Therefore we suggest defining in advance the values of $D$ you want to use and precomputing these polynomials. In table 1 we present $H_D(x)$ for five values of $D$ having class number one, all with $D \equiv 3 \pmod 8$, which makes them suitable for our techniques.

Table 1. Hilbert polynomials for some discriminants $D$.

Another concept that must be introduced is that of the j-invariant of an elliptic curve. The j-invariant of a curve is a number that is the same for all curves that are isomorphic over the algebraic closure $\overline{\mathbb{F}}_p$. So, as twisted pairs are isomorphic over $\mathbb{F}_{p^2}$, they have the same j-invariant.

It turns out that the j-invariant of the curve and its twist, with trace of Frobenius respectively $t$ and $-t$, is the root, modulo $p$, of the Hilbert polynomial $H_D(x)$ of the value of $D$ that gave the respective traces on equation 4. Given a j-invariant $j$ and a quadratic non-residue $\beta$, the curves' coefficients are computed in two steps.
$$c = \frac{j}{1728 - j} \bmod p \tag{8}$$

$$E : y^2 = x^3 + 3cx + 2c \bmod p \tag{9}$$

$$E^t : y^2 = x^3 + 3c\beta^2 x + 2c\beta^3 \bmod p \tag{10}$$

Finding roots of polynomials can be costly, but for polynomials with degree one it's just one subtraction.

### Full example of the algorithm

For simplicity take $D = 43$, and we'll restrict our prime search to primes $p \equiv 3 \pmod 4$, which gives us some nice properties: for instance, $p - 1$ is a quadratic non-residue modulo $p$, $(p - 1)^2 \equiv 1 \pmod p$ and $(p - 1)^3 \equiv p - 1 \pmod p$. Also, for any $a \in \mathbb{F}_p$, $a(p - 1) \equiv p - a \pmod p$. Half the primes are of that form, so that won't be a real problem. The trace is always $t(x) = 2x^2 - 2x + 1$. For $D = 43$ the equation 7 becomes

$$p(x) = x^4 - 2x^3 + 2x^2 - x + 11 \tag{11}$$

A quick search finds $x = 332$ with p = prime. The trace is t = , which makes p + 1 + t = and p + 1 − t = both prime. We found our curves. Using the Hilbert polynomial for $D = 43$ we have j = p mod , and so j = is the j-invariant. The constant $c$ of equation 8 is

c = mod (12)

c = (13)

And here is the prime order twisted pair:

E : y 2 = x x (14)

E t : y 2 = x x (15)

In this example, $p$ has 34 bits, which is considered weak. But in the very same way, x = and $D = 43$ give a prime order twisted pair with $p$ having about 160 bits, which is considered secure.

### Brief analysis of the generation process

One could ask about the security implications of three fundamental choices made in the algorithm proposed in the last section. We now consider and discuss each one.

The first thing that could be questioned is the $D$ value used. We are in fact suggesting the use of $D$ values with class number one, even though nothing rules out using higher class numbers. The fact is that, although there is no proof of that, many researchers think that someday it will be possible to mount attacks over curves defined using $D$ with a low class number.

The real question is, what exactly is a $D$ with a high class number protecting? Clearly, the polynomial $H_D(x)$ is a lot more complex, but it's still easily constructible from any practical value of $D$, otherwise we couldn't find the curve parameters. Another fact is that this polynomial has a lot of other roots, but these other roots just define isomorphic curves over the field, which are easier to find using other techniques. Another possibility is that it would probably be harder to find the specific $D$ of a given curve, which would allow finding all values of equation 4, so it could be used somehow.
But the algorithm uses $D$ as a public parameter anyway (they are pre-computed), so that is given. And probably no implementation of curve construction using CM today is worried about hiding the $D$ value used.

All these arguments lead to the conclusion that we shouldn't avoid the benefits of using a low class number just because of that general feeling. Any attack that distinguishes CM curves from random curves would probably be polynomially extendable to all class numbers at the limit of the method anyway. In that case, the CM method itself would have to be avoided, not just some curves.

The second aspect of the generation process one could wonder about is fixing the value $y = 1$ in equation 4. By similar arguments to the ones just used, that would be a fundamental security disadvantage if and only if the CM method itself was at risk. What could be argued is that if you use more than one value for $y$ you would get more candidate primes. The problem is that varying $y$ would nullify the property that $D \equiv 3 \pmod 8$ always gives odd values in equation 7, so that isn't an obvious conclusion. Anyway, it would be interesting to investigate different values for $y$. What should hold is that $y$ is fixed.

The last point that could be discussed is the choice of the polynomial equation of the trace, as in equation 5. The only real restriction it must obey is to generate odd numbers and have 1 as the independent term. Clearly one could have chosen a cubic equation, like $2x^3 - 2x^2 - 2x + 1$, or a linear one like $2x + 1$. In practice, the choice of this polynomial is a compromise between compression (explained in the following section) and the number of curves you skip when increasing the $x$ value of the trial to find the curves. Using the cubic, the parameters can be represented by a value with $\frac{\log p}{6}$ bits, but, in return, it would be slower to find a twisted pair (you'll skip more curves). On the other hand, with the linear equation you would need $\frac{\log p}{2}$ bits to represent that value, with the benefit of finding the curves a little faster.
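The search and construction of section 3 can be sketched as follows; this is an added example, not code from the paper. It evaluates equations 5 and 7, tests $p$ and both orders with Miller-Rabin, builds $E$ and its twist from equations 8 to 10, and confirms the orders by brute-force counting on a small member of the family. The function names, the smallest-non-residue choice of β, and the value −884736000 for the root of the Hilbert polynomial at D = 43 (a standard constant, not recovered from the page's Table 1) are assumptions.

```python
# Assumption: standard root of the Hilbert polynomial for D = 43 (H(x) = x + 884736000).
HILBERT_ROOT = {43: -884736000}
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic far beyond the sizes used here."""
    if n < 2:
        return False
    for q in BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def trace(x):
    """Equation 5: always odd."""
    return 2 * x * x - 2 * x + 1

def family_prime(D, x):
    """Equation 7, with D taken positive and D = 3 (mod 8)."""
    return x**4 - 2 * x**3 + 2 * x**2 - x + (1 + D) // 4

def is_twisted_pair(D, x):
    """True when p(x) and both candidate orders p + 1 -/+ t are prime."""
    p, t = family_prime(D, x), trace(x)
    return is_prime(p) and is_prime(p + 1 - t) and is_prime(p + 1 + t)

def search(D, start, stop):
    """Sequential search over x, as the section describes."""
    return [x for x in range(start, stop) if is_twisted_pair(D, x)]

def curves(D, x):
    """Equations 8 to 10: return p and the (a, b) coefficients of E and its twist."""
    p = family_prime(D, x)
    j = HILBERT_ROOT[D] % p
    c = j * pow(1728 - j, -1, p) % p
    beta = next(b for b in range(2, p) if pow(b, (p - 1) // 2, p) == p - 1)
    a, b = 3 * c % p, 2 * c % p
    return p, (a, b), (a * beta**2 % p, b * beta**3 % p)

def count_points(p, a, b):
    """Brute-force group order via Legendre symbols; only sensible for small p."""
    total = p + 1
    for x in range(p):
        ls = pow((x**3 + a * x + b) % p, (p - 1) // 2, p)
        total += -1 if ls == p - 1 else ls
    return total

if __name__ == "__main__":
    print("x = 332:", family_prime(43, 332), trace(332), is_twisted_pair(43, 332))
    p, E, Et = curves(43, 2)
    print("x = 2:", p, count_points(p, *E), count_points(p, *Et))
```

Brute-force counting is only a cross-check for tiny primes; at cryptographic sizes the orders follow from the trace and are confirmed by scalar multiplication, as section 4 describes.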
As both properties are useful in different stages of the algorithm, we conclude that a compromise of both options would be better, choosing a quadratic polynomial.

## 4. Public parameters compression

If the process of finding the curves was understood, it's easy to see that the value $x$ used to calculate the prime field in equation 7, along with $D$, deterministically defines a lot of information. Assuming that $p \equiv 3 \pmod 4$ (and $p - 1$ as quadratic non-residue where necessary), these values uniquely define $p$, the orders and the coefficients of both curves. One piece of information that they don't define directly is which curve has positive trace and which has negative trace, so as to associate each order with the right curve. Fortunately, this determination is easy, since all points of each curve are generators and the scalar multiplication of any generator by the order of the curve gives the point at infinity.

What is left to determine are the base point generators. One of them can be found very quickly using a property of twisted pairs. For all $i \in \mathbb{F}_p$, either there is a point with coordinate $x = i$ in one curve, or a point with $x = i\beta$ on the twist, $\beta$ being the quadratic non-residue used to calculate the twist. This property implies that the independent term $b$ of one of the curves is a quadratic residue modulo $p$, and the points $(0, \pm\sqrt{b})$ are on that curve. Testing quadratic residuosity and extracting roots modulo a prime are relatively simple algorithms. For more details, refer to [7]. We define the base point generator of this curve by using the positive root of $b$ (the one which is less than $\frac{p - 1}{2}$) as $y$ coordinate.

The generator of the other curve is a little trickier, and there is no known polynomial-time deterministic algorithm to find a point on that curve. We must define a generic algorithm that, for a given curve, will always find the same point. For $x$ starting from 1 (zero, for sure, is not on that curve) and increasing by 1 each time, calculate the expression on the right side of the equation (take as reference the equation 2) and, for the first value for which the expression generates a quadratic residue, take that as $x$ coordinate, calculate the square root of the result and take the positive root as $y$ coordinate. That's the base generator of the second curve.

Notice that both procedures combined will always produce the same points, so it is safe to define the public keys based on those points, and omit them whenever it is easier. For the second point, by the distribution of quadratic residues, the expected number of trials you'll have to make is two, so it is fast enough to use in practice.

Summarizing the ideas, let's consider that the public parameters consist of the explicit statement of the twisted pair, the orders, the prime number $p$, the generators and the public points. Using point compression, for a security factor $k = \log p$ these all sum up to $11k + 4$ bits of information. Using the techniques just presented, it gets down to about $2.25k + 2$ bits, with a minimal overhead.

One last remark about the value of $D$ used. In the previous examples we assumed that $D$ has class number one, and that makes the Hilbert polynomial have only one root. If a $D$ with class number two or higher is used, then the polynomials can have more than one root, and the exact same root must be selected every time we reconstruct the curve parameters. There are two ways to solve that: 1) define a rule for which root is used (for example always the one with lower absolute value) or 2) send the root used along in the public key, which will add $k$ bits to it, but it's still a lot less than stating all parameters explicitly.

## 5. The Kaliski pseudorandom bit generator

The Kaliski pseudorandom bit generator is based on the very same property we used to find generators of the curves. That is, for all integers $i \in \mathbb{F}_p$, if $i$ is not on the first curve, then $i\beta$ is on the twist, $\beta$ being the quadratic non-residue used to define the twist. Also, for each $i$ value, there are two points over that curve, with positive and negative $y$ value. That allows one to construct a mapping between the points on both curves and the integer values in the set $[0, 2p + 1]$.

The function $\chi : E \cup E^t \to [0, 2p + 1]$ is defined as follows. A superscripted $t$ indicates that the point is from the twist, and the function $\mathrm{sign}(y) : \mathbb{F}_p \to \{0, 1\}$ returns 0 if $y$ is less than or equal to $\frac{p - 1}{2}$ and 1 otherwise.

$$\chi[E, E^t](P) = \begin{cases} 2x + \mathrm{sign}(y) & \text{if } P = (x, y),\ y \neq 0; \\ 2\left(\frac{x}{\beta} \bmod p\right) + \mathrm{sign}(y) & \text{if } P = (x, y)^t,\ y \neq 0; \\ 2x & \text{if } P = (x, 0); \\ 2\left(\frac{x}{\beta} \bmod p\right) + 1 & \text{if } P = (x, 0)^t; \\ 2p & \text{if } P = \infty; \\ 2p + 1 & \text{if } P = \infty^t. \end{cases}$$

This function is also used in the main algorithm. Although the $\chi$ function is really simple, there is one possible improvement. Notice that the multiplicative inverse of $(p - 1)$ is always itself. In case $p \equiv 3 \pmod 4$, the division in the $\chi$ function turns into a subtraction. For example,

$$\frac{x}{\beta} \bmod p \equiv p - x. \tag{16}$$

Given a twisted pair, its orders and generators (namely $E$, $E^t$, $n_E$, $n_{E^t}$, and $G_E$, $G_{E^t}$ as seen in the overview), the generator works iteratively. For a given seed $i \in [0, 2p + 1]$ it checks if $i$ is less than the order of $E$, and in that case it calculates the point $iG_E$ using scalar multiplication. In case it is greater or equal, then it calculates $(i - n_E)G_{E^t}$. Notice that if $i > n_E$ then $i - n_E < n_{E^t}$. Applying the function $\chi$ just defined to the resulting point, it generates another number in the same interval and iterates.

At each iteration, the algorithm provides the $\log \log p$ higher bits of the logarithm of the point calculated. These higher bits are defined based on halving intervals as follows. The most significant bit of $c$ with respect to the interval $n$ is $\eta(c, n)$, defined as

$$\eta(c, n) = \begin{cases} 0, & \text{if } c \bmod n < \frac{n}{2} \\ 1, & \text{if } c \bmod n \ge \frac{n}{2} \end{cases} \tag{17}$$

In other words, the most significant bit $\eta(c, n)$ is 1 if the value is higher than half the interval in which it lies, otherwise it is 0. The $b$th most significant bit is defined recursively as follows:

$$\eta_b(c, n) = \eta_{b-1}(2c, n) = \eta_1(2^{b-1}c, n).$$

Therefore, the algorithm returns, at each iteration, the bits of $\eta_b(i, n_E)$ if $i < n_E$ and $\eta_b(i - n_E, n_{E^t})$ otherwise, for all $0 < b \le \log \log p$.

## 6. The main algorithm

By now, it should be clear how to find the public key, the ninetuple $\langle p, E, E^t, n_E, n_{E^t}, G_E, G_{E^t}, P_E, P_{E^t} \rangle$, whose elements are respectively the prime field, the twisted pair, its orders, base generators and the public points, which are the scalar multiplication of the secret keys $s_E$, $s_{E^t}$ with the base point of each curve. Also, it should be clear how the Kaliski generator works. What is left to explain in more detail is the full process of encryption and decryption.

### Encryption

As seen in the overview, given a secret discardable seed $a \in [0, 2p + 1]$ the algorithm generates three points, $M$, $T_E$ and $T_{E^t}$, and another scalar value $r \in [0, 2p + 1]$. $T_E$ is a point and generator of $E$ and $T_{E^t}$ is a point and generator of $E^t$.
Using these points as base generators of the curves, along with the seed $r$, the Kaliski pseudorandom bit generator is executed and a keystream with the size of the plaintext is generated. The actual encryption occurs by calculating the exclusive-or of this keystream with the plaintext.

The $\chi$ function is once more used extensively, exactly as defined on equation 16. Remember it takes a point on either curve and returns a number in the set $[0, 2p + 1]$. The three points and the $r$ value are calculated using the following algorithm:

**If** ($a < n_E$)

- $M = aG_E$
- $T_E = aP_E$
- $T_{E^t} = \left(\frac{\chi(T_E)\, n_{E^t}}{2p + 1}\right) P_{E^t}$
- $r = \chi(T_{E^t})$

**else**

- $M = (a - n_E)G_{E^t}$
- $T_{E^t} = (a - n_E)P_{E^t}$
- $T_E = \left(\frac{\chi(T_{E^t})\, n_E}{2p + 1}\right) P_E$
- $r = \chi(T_E)$

**End if.**

The expression used to calculate the point $T_{E^t}$ in the if branch generates uniformly all values in the interval $[0, n_{E^t} - 1]$ with high probability, as we'll show later. The same follows for the else branch.

### Decryption

The decryption process is quite trivial, once one notices that

$$T_E = aP_E = s_E a G_E = s_E M$$

if $M$ is on $E$, and

$$T_{E^t} = (a - n_E)P_{E^t} = s_{E^t}(a - n_E)G_{E^t} = s_{E^t} M$$

if $M$ is on $E^t$. Having $T_E$ or $T_{E^t}$, the decryption is straightforward.

To check whether $M$ lies on $E$ or $E^t$, it suffices to evaluate the right side of the curve equations for the $x$ value of $M$. Due to the properties of twisted pairs, either $x^3 + ax + b$ or $x^3 + a\beta^2 x + b\beta^3$, but not both, will be a quadratic residue modulo $p$. That tells if $M$ is on $E$ or $E^t$. The idea translates to the following algorithm (QR stands for Quadratic Residue):

Make $z$ equal the $x$ coordinate of $M$

**If** ($z^3 + az + b$ is a QR mod $p$)

- $T_E = s_E M$
- $T_{E^t} = \left(\frac{\chi(T_E)\, n_{E^t}}{2p + 1}\right) P_{E^t}$
- $r = \chi(T_{E^t})$

**else**

- $T_{E^t} = s_{E^t} M$
- $T_E = \left(\frac{\chi(T_{E^t})\, n_E}{2p + 1}\right) P_E$
- $r = \chi(T_E)$

**End if.**

After that, the algorithm proceeds exactly like the encryption. Using the calculated points and the value $r$, the exact same keystream can be generated. By the properties of the exclusive-or operator, operating the keystream with the ciphertext results in the plaintext.
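An end-to-end sketch of sections 4 to 6 on the page's D = 43, x = 332 parameters, added here and not the authors' implementation: generators by the section 4 rule, the χ map, the Kaliski generator, and encryption and decryption. Assumptions: the root −884736000 of the Hilbert polynomial for D = 43, rounding the scaled value χ·n/(2p + 1) down, carrying M as a full (x, y) point whose curve is decided from both coordinates, and all function names.

```python
import math
import secrets

# Page's worked example (D = 43, x = 332): a 34-bit p, toy size for illustration.
x0 = 332
t = 2 * x0**2 - 2 * x0 + 1                        # trace, equation 5
p = x0**4 - 2 * x0**3 + 2 * x0**2 - x0 + 11       # equation 11, p = 3 (mod 4)
beta = p - 1                                      # non-residue because p = 3 (mod 4)
j = -884736000 % p        # assumption: standard Hilbert-polynomial root for D = 43
c = j * pow(1728 - j, -1, p) % p                  # equation 8
a_E, b_E = 3 * c % p, 2 * c % p                   # E, equation 9
a_T, b_T = a_E * beta**2 % p, b_E * beta**3 % p   # twist, equation 10

def add(P, Q, a):
    """Affine addition on y^2 = x^3 + a*x + b over F_p; None is infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P, a):
    """Double-and-add scalar multiplication (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, P, a)
        P, k = add(P, P, a), k >> 1
    return R

def rhs(x, a, b):
    return (x**3 + a * x + b) % p

def base_point(a, b):
    """Section 4 rule: first x whose right-hand side is a residue, root <= (p-1)/2."""
    x = 0
    while pow(rhs(x, a, b), (p - 1) // 2, p) != 1:
        x += 1
    y = pow(rhs(x, a, b), (p + 1) // 4, p)        # square root for p = 3 (mod 4)
    return x, min(y, p - y)

G_E, G_T = base_point(a_E, b_E), base_point(a_T, b_T)
# Section 4: the candidate order that sends G_E to infinity is the order of E.
n_E = p + 1 - t if mul(p + 1 - t, G_E, a_E) is None else p + 1 + t
n_T = 2 * p + 2 - n_E

def chi(P, twist):
    """The chi map from the points of E and E^t onto [0, 2p + 1]."""
    if P is None:
        return 2 * p + int(twist)
    x, y = P
    sign = 0 if y <= (p - 1) // 2 else 1
    if twist:
        return 2 * (x * pow(beta, -1, p) % p) + (1 if y == 0 else sign)
    return 2 * x + sign

def keystream(seed, T_E, T_T, nbits):
    """Kaliski generator: emit log log p high bits of the index, then apply chi."""
    k, out, i = int(math.log2(math.log2(p))), [], seed
    while len(out) < nbits:
        twist = i >= n_E
        idx, n = (i - n_E, n_T) if twist else (i, n_E)
        out += [int(2 * ((idx << b) % n) >= n) for b in range(k)]  # eta_1..eta_k
        i = chi(mul(idx, T_T if twist else T_E, a_T if twist else a_E), twist)
    return out[:nbits]

def derive(first, on_E, P_E, P_T):
    """Second point and seed r; the scalar chi * n / (2p + 1) is rounded down."""
    if on_E:
        other = mul(chi(first, False) * n_T // (2 * p + 1), P_T, a_T)
        return first, other, chi(other, True)
    other = mul(chi(first, True) * n_E // (2 * p + 1), P_E, a_E)
    return other, first, chi(other, False)

def keygen():
    s_E, s_T = 1 + secrets.randbelow(n_E - 1), 1 + secrets.randbelow(n_T - 1)
    return (s_E, s_T), (mul(s_E, G_E, a_E), mul(s_T, G_T, a_T))

def encrypt(bits, P_E, P_T, seed=None):
    a = seed
    while a is None or a in (0, n_E):             # these seeds give M = infinity
        a = secrets.randbelow(2 * p + 2)
    on_E = a < n_E
    k, G, pub, coef = (a, G_E, P_E, a_E) if on_E else (a - n_E, G_T, P_T, a_T)
    T_E, T_T, r = derive(mul(k, pub, coef), on_E, P_E, P_T)
    ks = keystream(r, T_E, T_T, len(bits))
    return mul(k, G, coef), [m ^ s for m, s in zip(bits, ks)]

def decrypt(M, ct, s_E, s_T, P_E, P_T):
    # Assumption: M is a full (x, y) point; test it against the equation of E.
    on_E = (M[1] ** 2 - rhs(M[0], a_E, b_E)) % p == 0
    first = mul(s_E, M, a_E) if on_E else mul(s_T, M, a_T)
    T_E, T_T, r = derive(first, on_E, P_E, P_T)
    ks = keystream(r, T_E, T_T, len(ct))
    return [c_bit ^ s for c_bit, s in zip(ct, ks)]
```

A seed below `n_E` exercises the first branch and a seed at or above it the second; encrypting the same bit list with two different seeds gives two different ciphertexts that both decrypt to the original.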

## 7. Security analysis

In this section, we'll analyze the encryption process and show that it is secure. In order to make the analysis, we initially give a mathematical definition of the ECDLP in our context. Then we define the Elliptic Curve Diffie-Hellman Problem.

**Definition 1** Let $P$ and $Q$ be two points of the elliptic curve $E$ with prime order $n_E$. The ECDLP is to find the unique scalar value $r < n_E$ such that, by scalar multiplication, the equation $P = rQ$ is true.

**Definition 2** Let $P$, $aP$ and $bP$ be points of the elliptic curve $E$ with prime order $n_E$ such that the values $a$ and $b$ are not known. The ECDHP is to calculate the point $abP$.

Obviously, given an algorithm for the ECDLP it's easy to solve the ECDHP. Although the inverse has not yet been proved, the following conjecture is widely accepted, and assumed in this paper:

**Conjecture 1** The ECDHP is equivalent to the ECDLP.

Now we proceed to the analysis. First, we consider that the pseudorandom bit generator is secure with the assumption that the ECDLP is hard, as proved by Kaliski in [6]. Therefore, for a polynomially bounded adversary, deriving patterns in the ciphertext is equivalent to a One-Time-Pad against an unbounded adversary. The only advantage one can get is by distinguishing the parameters used to generate the pseudorandom bit stream from a random distribution. We'll see that any advantage over that, with high probability, is equivalent to solving the ECDLP.

By inspecting the decryption process, it becomes clear that, for any encryption, the attacker breaks the system if he obtains the point $T_E$ if $a < n_E$ and the point $T_{E^t}$ otherwise. Let's first understand what happens if $a < n_E$ (the first branch), as clearly the else part is very similar. This first comparison ensures that $a$ is within the order of the curve $E$. We claim and prove the following lemmas:

**Lemma 1** Let $a \in [0, 2p + 1]$ be the encryption seed and $s_E \in [0, n_E - 1]$ be the private key over $E$. If $a$ and $s_E$ are selected uniformly within their intervals, and $a < n_E$, then the probability that $M = T_E$ is negligible.

**Proof** By the algorithm, all points are generators and $n_E$ is the order of any point. $M = aG_E$ and $T_E = aP_E = as_E G_E$. So $M = T_E$ if and only if $a \equiv s_E a \pmod{n_E}$. As both $a$ and $s_E$ are less than $n_E$, this congruence is true only when $s_E$ is the unit or $a = 0$. So, the probability of this congruence to hold is at most

$$\frac{2}{n_E} = \frac{2}{p - \sqrt{p}} = \Omega(p^{-1})$$

**Lemma 2** $T_E$ is any point of the curve $E$ with the same probability for each point.

**Proof** If $a$ and $s_E$ are uniformly selected and less than $n_E$, then the value $s_E a \bmod n_E$ has the exact same probability of being any value of the interval $[0, n_E - 1]$. As that is the exact value of the index of $T_E$ at base $G_E$, its index has the probability of $\frac{1}{n_E}$ of being any value. Relative to a given generator, each index uniquely defines one point. So $T_E$ is any point of the curve with the same probability.

Lemma 3 Let $A = \{\chi(P) \mid P \in E\}$ be the set of values generated by the $\chi$ function over all the points of the curve $E$. Then, the distribution of the values in the set $A$ over the interval $[0, 2p + 1]$ is uniform with high probability.

Proof The worst case occurs with the curve having positive trace. This curve has at least p p points. The first thing to notice is that p p 2p + 2 = 1 2, which gives one point (consequently one value) for each two values of the set. In [9], Peralta shows that half the elements of a finite field are quadratic residues, and they are all uniformly distributed over all the values of the field, with high probability. That implies the values of $x$ which evaluate the expression $x^3 + ax + b \bmod p$ to a quadratic residue are also uniform over $[0, p - 1]$. The $\chi$ function is, on average, two times the $x$ value of the points of the curves. If these values $x$ are uniform over $[0, p - 1]$ then the values $2x$, plus the points at infinity defined as the upper limit of the interval, are uniform over $[0, 2p + 1]$.

Lemma 4 If the secret key $0 < s_{E^t} < n_{E^t}$ is uniformly selected, then the point $T_{E^t}$ is uniformly any point of the curve $E^t$ with almost uniform probability.

Proof By lemma 2, $T_E$ is any point. So the possible values for $\chi(T_E)$ are any that the points of $E$ can generate. By lemma 3, this set of values is uniform over $[0, 2p + 1]$. That means that the expression

$\left( \frac{\chi(T_E)\, n_{E^t}}{2p + 1} \right)$

is a uniform reduction from the set of values in the interval $[0, 2p + 1]$ (the $\chi$ function over $E$) to the set of values $[0, n_E - 1]$, which is almost the same as $[0, p - 1]$. Therefore, the expression is dividing by two the values over $[0, 2p + 1]$ and, consequently, generating uniformly all values in the interval $[0, n_{E^t} - 1]$ with high probability. If that's true and if $s_{E^t}$ is uniformly selected, then, by an argument similar to lemma 1 over $E^t$, $T_{E^t}$ is any point of $E^t$ with almost uniform probability.

Theorem 1 If $a \in [0, 2p + 1]$, $0 < s_E < n_E$ and $0 < s_{E^t} < n_{E^t}$ are uniformly selected, then, if $a < n_E$, the scheme is as secure as the ECDLP.

Proof Clearly, $M$ and $P_E$ are uniformly any points of $E$. As the index of $T_E$ is the product of their indexes, then finding $T_E$ is the ECDHP, which is as hard as the ECDLP by conjecture 1. Also, by lemmas 3 and 4 the distribution probability of $r = \chi(T_{E^t})$ is uniform over $[0, 2p + 1]$ and any advantage of finding $r$ implies the same advantage of finding $T_{E^t}$, as the $\chi$ function is easily invertible. The point $T_{E^t}$ is uniformly any point of $E^t$ and its index is the product of the secret key $s_{E^t}$ and the value of the $\chi$ function over the point $T_E$, uniformly reduced to the interval $[0, n_{E^t} - 1]$. As $T_E$ is uniformly any point of $E$ and $s_{E^t}$ is uniformly selected, then calculating $T_{E^t}$ is as difficult as calculating $T_E$, which was already established to be as hard as the ECDLP.

All the proofs carry out in exactly the same way for the case when $a \geq n_E$. In that case, $a - n_E$ is a uniform value in the interval $[0, n_{E^t} - 1]$. That implies that $M$ and

$T_{E^t}$ are uniformly any points of $E^t$ and so on. Finally, as both branches of the encryption algorithm can be proved to be secure, then, all the algorithm is secure.

We also claim that the scheme is semantically secure, hence, probabilistic. Semantic security is achievable by proving that no polynomially bounded adversary can obtain any advantage of distinguishing from a random ensemble the set of possible ciphertexts of any given plaintext.

Theorem 2 The scheme is semantically secure.

Proof The sequences generated by any two distinct group generators, by operating them with itself until the result is, are different. So, each triple $T_E$, $T_{E^t}$, $r$ defined by each value $a$ generates a different pseudorandom bit stream on the Kaliski generator. This triple can be reduced to the tuple $T_E$, $T_{E^t}$ because $r = \chi(T_E)$ or $r = \chi(T_{E^t})$. For each possible value of $a$, at least one of the points of the tuple will be different. If $a$ is uniformly selected and the Kaliski generator is cryptographically secure, then, any advantage of distinguishing the ciphertext from a random stream is, at most, 1 p p = p 1.

References

[1] I. F. Blake, G. Seroussi and N. P. Smart, Elliptic Curves in Cryptography, London Mathematical Society Lecture Notes Series 265, Cambridge University Press, 1999;
[2] M. Blum and S. Goldwasser, An Efficient Probabilistic Public-key Encryption Scheme Which Hides All Partial Information, Advances in Cryptology - CRYPTO 84, vol. 196, Springer Verlag, pp , 1985;
[3] H. Cohen, A course in computational algebraic number theory, Graduate Texts in Mathematics 138, Springer-Verlag, 1993;
[4] R. Cramer and V. Shoup, A practical public key crypto system provably secure against adaptive chosen ciphertext attack, proceedings of Crypto 1998, LNCS 1462, p.13ff, 1998;
[5] S. Goldwasser and S. Micali, Probabilistic encryption, JCSS, vol. 28, pp , April 1948;
[6] B. S. Kaliski, Jr., Elliptic Curves and Cryptography: A Pseudorandom Bit Generator and Other Tools, PhD Thesis, MIT EECS Dept., January 1988;
[7] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996;
[8] T. Okamoto, E. Fujisaki and H. Morita, PSEC: Provably Secure Elliptic Curve Encryption Scheme, Submission to IEEE P1363a, March 1999;
[9] R. Peralta, On the distribution of quadratic residues and non-residues modulo a prime number, Mathematics of Computation, Vol. 58, pp , 1992.
