Methods of Public-Key Cryptography

Emilie Wheeler

December 10, 2012


Contents

1 Introduction

2 Cryptosystems based on Elementary Number Theory
  2.1 Elementary Number Theory Background
    2.1.1 The Euler Function and Primitive Roots
    2.1.2 Important Algorithms
    2.1.3 A Key Observation
  2.2 Diffie-Hellman Key Exchange
  2.3 ElGamal Protocol
  2.4 RSA Cryptosystem
    2.4.1 Proof of Proposition 2.13

3 Cryptosystems based on Elliptic Curves
  3.1 Elliptic Curve Background
  3.2 Elliptic Diffie-Hellman Key Exchange
  3.3 Elliptic ElGamal Protocol
  3.4 Elliptic Curve Variation on the RSA Cryptosystem

4 Conclusion

5 References


1 Introduction

Secret codes have been around for thousands of years, the earliest form being observed in non-standard hieroglyphs carved into monuments of the Old Kingdom of Egypt circa 1900 BC. For some reason or another, humans have always been desperate for a means of secure communication, in which their secret message cannot be intercepted and interpreted by adversaries. The practice and study of techniques for secure communication in the presence of these adversaries is called cryptography. The ancient Greeks and Romans knew of ciphers and cryptography, but the latter's true claim to fame came thousands of years later, during the first and second World Wars. Many countries used cryptographic methods to exchange secret information over non-secure radio waves. The science of attempting to decrypt these secret messages is called cryptanalysis. Since WWII, cryptography and cryptanalysis have come a long way, with technological and mathematical advances leading to a vast array of cryptographic methods and protocols. Modern cryptography can be divided into two large branches: Private-Key Cryptography and Public-Key Cryptography.

Private-key cryptography, also known as symmetric-key cryptography, is a method in which the two parties wishing to communicate over a non-secure channel first agree on a key $k$, which they keep secret. To send a plaintext message $m$ to the other party, one encrypts $m$ by using the encryption algorithm $E$ and the shared key $k$, to obtain the ciphertext $c := E(k; m)$, which is sent to the other party. The second party uses the decryption algorithm $D$ and the same key $k$ to recover the plaintext $m := D(k; c)$. The encryption and decryption algorithms $E$ and $D$ are publicly known, which means that anyone can decrypt the ciphertext if he or she knows the key $k$. Therefore, $k$ must remain secret. The biggest problem with symmetric cryptography is exactly how the two parties can agree on a shared key $k$ in a secure and efficient way.

In 1976, Whitfield Diffie and Martin E. Hellman published their paper entitled New Directions in Cryptography, and introduced the notion of Public-Key Cryptography (or asymmetric cryptography), which describes a solution to this problem. Their paper proposes that it is possible for two parties to exchange secret messages over a public channel and using publicly known algorithms. Public-key cryptography uses a public key (known by all) for encryption and a private key (known only by one party) for decryption. Below is a proper definition of public-key cryptosystems taken from [3].


Definition 1.1: A cryptosystem consisting of a set of enciphering transformations $\{E_e\}$ and a set of deciphering transformations $\{D_d\}$ is called a Public-Key Cryptosystem or an Asymmetric Cryptosystem if, for each pair $(e, d)$, the enciphering key $e$, called the public key, is made publicly available, while the deciphering key $d$, called the private key, is kept secret. The cryptosystem must satisfy the property that it is computationally infeasible to compute $d$ from $e$.

In the following report, I will present examples of public-key cryptography as well as the reasoning for their security.

2 Cryptosystems based on Elementary Number Theory

2.1 Elementary Number Theory Background

To help with the description of the specific cryptographic protocols in this report, I will first present some important number theory notions.

2.1.1 The Euler Function and Primitive Roots

Definition 2.1: The Euler function $\varphi : \mathbb{N} \to \mathbb{N}$ is a mapping associating to each positive integer $n$ the number $\varphi(n)$ of elements of $\mathbb{Z}_n$ (integers modulo $n$) relatively prime to $n$, i.e. $\varphi(n)$ is the number of integers $k \in \mathbb{Z}_n$ for which $\gcd(n, k) = 1$.

The following are facts about $\varphi$:
• For a prime $p$ and $k \ge 1$, $\varphi(p^k) = p^{k-1}(p - 1)$.
• For integers $m$, $n$ with $\gcd(m, n) = 1$, $\varphi(mn) = \varphi(m)\varphi(n)$.

Using the above, we can prove that if $n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$, where the $p_i$ are distinct primes and $a_i > 0$, then

$$\varphi(n) = p_1^{a_1 - 1}(p_1 - 1)\, p_2^{a_2 - 1}(p_2 - 1) \cdots p_r^{a_r - 1}(p_r - 1).$$


Definition 2.2: Given an integer $a$ and a positive integer $n$ with $\gcd(a, n) = 1$, the multiplicative order of $a \pmod{n}$ is defined to be the smallest positive integer $k$ such that $a^k \equiv 1 \pmod{n}$.

Definition 2.3: A primitive root modulo an integer $n$ is an element $a$ such that $a^{\varphi(n)} \equiv 1 \pmod{n}$ but no smaller power of $a$ is congruent to $1 \pmod{n}$.

Theorem 2.4: There is a primitive root modulo any prime $p$. In particular, the group $\mathbb{Z}_p^*$ is cyclic.

The proof of this theorem can be found in [2], as well as a proof for the following:
• If there are any primitive roots (mod $n$), then there are exactly $\varphi(\varphi(n))$ of them.

For example, the powers of 3 mod 7 are

$$3^1 \equiv 3,\quad 3^2 \equiv 2,\quad 3^3 \equiv 6,\quad 3^4 \equiv 4,\quad 3^5 \equiv 5,\quad 3^6 \equiv 1 \pmod{7}$$

so that 3 is a primitive root of 7.

Definition 2.5: Carmichael's lambda-function $\lambda(n)$ is defined to be the least number $m$ such that $a^m \equiv 1 \pmod{n}$ for all $a$ such that $\gcd(a, n) = 1$.

The following are facts about $\lambda$:
• $\lambda(N)$ always divides $\varphi(N)$ (but it may be strictly smaller).
• For $p$ prime, $\lambda(p) = p - 1$.
• If $n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$, where the $p_i$ are distinct primes and $a_i > 0$, then $\lambda(n) = \operatorname{lcm}\{\lambda(p_1^{a_1}), \cdots, \lambda(p_r^{a_r})\}$.

Note: The multiplicative order of a primitive root mod $p$ is $\lambda(p) = p - 1$.

2.1.2 Important Algorithms

Theorem 2.6: (The Division Algorithm) If $a \in \mathbb{N}$ and $b \in \mathbb{Z}$, then there exist unique integers $q, r \in \mathbb{Z}$ with $0 \le r < a$, and $b = aq + r$.


The proof of this theorem, as well as the next, can be found in [6].

Theorem 2.7: (The Euclidean Algorithm) Let $a, b \in \mathbb{Z}$ ($a \ge b > 0$), and set $a = r_{-1}$, $b = r_0$. By repeatedly applying the Division Algorithm, we get $r_{j-1} = r_j q_{j+1} + r_{j+1}$ with $0 < r_{j+1} < r_j$ for all $0 \le j < n$, where $n$ is the least nonnegative number such that $r_{n+1} = 0$, in which case $\gcd(a, b) = r_n$.

By reversing the Euclidean algorithm calculation, if $\gcd(a, b) = 1$, we find that $a$ has a multiplicative inverse mod $b$, i.e. $1 = \lambda a + \mu b$. That is, $\lambda a \equiv 1 \pmod{b}$.

2.1.3 A Key Observation

We will use the following observation to prove Theorem 2.12 in Section 2.4.

Observation 2.8: Suppose that $N$ is the product of two distinct primes. Then, from any one of the following pieces of information, we can compute the others:
(1) the prime factors of $N$;
(2) $\varphi(N)$;
(3) $\lambda(N)$.

Proof. Suppose we know (1), i.e. we know primes $p$ and $q$ such that $N = pq$. Then we can calculate $\varphi(N) = (p - 1)(q - 1)$ and

$$\lambda(N) = \operatorname{lcm}(p - 1, q - 1) = \frac{(p - 1)(q - 1)}{\gcd(p - 1, q - 1)},$$

where we can find $\gcd(p - 1, q - 1)$ by using the Euclidean algorithm.

Now suppose we know (2), i.e. we know

$$\begin{aligned}
\varphi(N) &= (p - 1)(q - 1) \\
&= pq - p - q + 1 \\
&= N - (p + q) + 1 \\
\Rightarrow\; p + q &= N - \varphi(N) + 1
\end{aligned}$$

Let's say $p + q = N - \varphi(N) + 1 = \alpha$ for convenience.

$$\begin{aligned}
p + q &= \alpha \\
\Rightarrow\; p &= \alpha - q \\
\Rightarrow\; N &= pq = (\alpha - q)q = \alpha q - q^2 \\
\Rightarrow\; 0 &= q^2 - \alpha q + N \\
\Rightarrow\; 0 &= q^2 - (N - \varphi(N) + 1)q + N,
\end{aligned}$$

for which we can find the roots using the quadratic formula. Substitute $q$ into $p = \alpha - q$ to find $p$. Knowing $p$ and $q$, we can calculate $\lambda(N)$ as above.

Now suppose we know (3), i.e. we know $\lambda(N)$ and $N$. Without loss of generality, suppose $p$ is the larger prime factor. Then $\lambda(N) = \operatorname{lcm}(p - 1, q - 1)$ is a multiple of $p - 1$, and divides $\varphi(N)$. Let $r \equiv N \pmod{\lambda(N)}$ be the remainder on dividing $N$ by $\lambda(N)$. Then

• $N - \varphi(N) \equiv r \pmod{\lambda(N)}$, since $\lambda(N) \mid \varphi(N)$; and

• $N - \varphi(N) = p + q - 1 < 2\lambda(N)$, since $\lambda(N) \ge p - 1 > q$ (assuming that $N > 6$).

So $N - \varphi(N) = r$ or $N - \varphi(N) = r + \lambda(N)$. We can solve the quadratic for each of these two possible values of $\varphi(N)$; one of them will give us the factors of $N$. (Since $p$ and $q$ must be real, distinct roots.)
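The three directions of Observation 2.8 can be carried out directly; the following is an added example, not part of the original report. The function names are hypothetical and the moduli are constructed toy values (3233 = 61 · 53 hits the case N − φ(N) = r, while 91 = 13 · 7 hits the case N − φ(N) = r + λ(N)).

```python
from math import gcd, isqrt


def phi_and_lambda(p, q):
    """From (1), the prime factors, compute (2) phi(N) and (3) lambda(N)."""
    phi = (p - 1) * (q - 1)
    lam = phi // gcd(p - 1, q - 1)      # lcm(p - 1, q - 1)
    return phi, lam


def factors_from_phi(N, phi):
    """From (2): solve q^2 - (N - phi + 1) q + N = 0 over the integers.

    Returns (q, p) with q < p, or None when phi is inconsistent with N.
    """
    alpha = N - phi + 1                 # alpha = p + q
    disc = alpha * alpha - 4 * N        # equals (p - q)^2 for the true phi
    if disc <= 0:
        return None                     # roots must be real and distinct
    root = isqrt(disc)
    if root * root != disc or (alpha - root) % 2:
        return None                     # roots must be integers
    q, p = (alpha - root) // 2, (alpha + root) // 2
    return (q, p) if 1 < q and p * q == N else None


def factors_from_lambda(N, lam):
    """From (3): N - phi(N) is r or r + lambda(N), where r = N mod lambda(N)."""
    r = N % lam
    for n_minus_phi in (r, r + lam):
        found = factors_from_phi(N, N - n_minus_phi)
        if found:
            return found
    return None


if __name__ == "__main__":
    # Constructed toy moduli; real RSA moduli are thousands of bits long.
    for p, q in ((61, 53), (13, 7)):
        N = p * q
        phi, lam = phi_and_lambda(p, q)
        print(N, phi, lam, factors_from_phi(N, phi), factors_from_lambda(N, lam))
```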

We will use these notions in the following sections of this report.

2.2 Diffie-Hellman Key Exchange

In their 1976 paper, Diffie and Hellman presented a method of key agreement over an insecure channel in which the two parties never had to meet. The shared key which results from the exchange is for use in a symmetric cipher. The following is the first proposed protocol in modern cryptography.

Suppose Alice wants to send a secret message to Bob. Let $p$ be a sufficiently large prime, such that it is infeasible to compute discrete logarithms in $\mathbb{Z}_p^*$. Let $g$ be a primitive root in $\mathbb{Z}_p^*$. These two values are publicly known, so an eavesdropper, Eve, has access to them.


First, Alice chooses a secret integer $a$ at random, such that $0 \le a \le p - 2$. Alice then computes $A \equiv g^a \pmod{p}$. Alice sends $A$ to Bob. Meanwhile, Bob chooses a secret integer $b$ at random, such that $0 \le b \le p - 2$, and computes $B \equiv g^b \pmod{p}$. Bob sends this $B$ to Alice. Receiving $B$, Alice computes $B^a \pmod{p}$, using her secret integer $a$. With $A$, Bob computes $A^b \pmod{p}$, using his secret integer $b$. Thus the shared secret value is

$$B^a \equiv (g^b)^a \equiv g^{ab} \equiv (g^a)^b \equiv A^b \pmod{p}$$

This is the key to be used in symmetric ciphers in order to send and receive messages over an insecure communication channel.

Table 1 provides a clear overview of the protocol.

Table 1: Diffie-Hellman Key Exchange

| Steps to follow | Alice | Eve | Bob |
|---|---|---|---|
| 1. A trusted party chooses and publishes a prime $p$ and a primitive root $g$. | $p, g$ | $p, g$ | $p, g$ |
| 2. Alice chooses a secret integer $a$. | $a$ | | |
| 3. Alice calculates $A \equiv g^a \pmod{p}$ and sends $A$ to Bob. | $A \equiv g^a \pmod{p}$ → | $A$ → | $A$ |
| 4. Bob chooses a secret integer $b$. | | | $b$ |
| 5. Bob calculates $B \equiv g^b \pmod{p}$ and sends $B$ to Alice. | $B$ | ← $B$ | ← $B \equiv g^b \pmod{p}$ |
| 6. Alice and Bob compute the shared secret key $k$ using their secret integers $a$ and $b$. | $k \equiv B^a \pmod{p}$ | | $k \equiv A^b \pmod{p}$ |

Definition 2.9: The following problem is known as the Discrete Logarithm Problem (DLP): Given $g$, $A$, and a prime $p$ such that $A \equiv g^a \pmod{p}$, find $a$.

This problem is believed to be at least as difficult as factorisation, although it is not known to be in P nor in NP-complete. (See [15].) If the order of $g \pmod{p}$ is small, i.e. there are only a few distinct powers of $g \pmod{p}$, then $a$ can be found by exhaustive search. Therefore, in order to make the problem hard, and ensure the security of the cryptosystem, we should take the order of $g$ to be as large as possible, which is the reason we take $g$ to be a primitive root mod $p$ in the above protocol ($g$ is an element of order $\lambda(p) = p - 1$).

The eavesdropper Eve knows: $p$, $g$, $A \equiv g^a \pmod{p}$, and $B \equiv g^b \pmod{p}$. If Eve can solve the DLP on $A \equiv g^a \pmod{p}$ (or respectively on $B \equiv g^b \pmod{p}$), then she can find $a$ (resp. $b$), and thus can compute the shared key $B^a \pmod{p}$ (resp. $A^b \pmod{p}$).

Definition 2.10: Let $p$ be a prime and $g$ be an integer. The Diffie-Hellman Problem (DHP) is the problem of computing $g^{ab} \pmod{p}$ from $g^a \pmod{p}$ and $g^b \pmod{p}$.

It is not known whether an algorithm that efficiently solves the DHP can also be used to solve the DLP.
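The exchange of Table 1, together with the check that $g$ really has order $p - 1$, as an added example that is not part of the original report. The function names are hypothetical and $p = 23$ is a constructed toy prime; the order of $g$ is the number of distinct powers of $g$, which is the size of the search space mentioned above.

```python
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def multiplicative_order(g, p):
    """Smallest k >= 1 with g^k = 1 (mod p), for a prime p not dividing g."""
    order = p - 1
    for q in prime_factors(p - 1):
        # Strip a factor q from the order for as long as the power is still 1.
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order


def is_primitive_root(g, p):
    return g % p != 0 and multiplicative_order(g, p) == p - 1


def dh_exchange(p, g, a=None, b=None):
    """Run both sides of Table 1; returns (A, B, Alice's key, Bob's key).

    a and b may be fixed for reproducible tests; otherwise they are drawn
    uniformly from 0..p-2 as in the text.
    """
    if not is_primitive_root(g, p):
        raise ValueError("g is not a primitive root mod p: its order is only %d"
                         % multiplicative_order(g, p))
    a = secrets.randbelow(p - 1) if a is None else a
    b = secrets.randbelow(p - 1) if b is None else b
    A = pow(g, a, p)                    # sent by Alice, seen by Eve
    B = pow(g, b, p)                    # sent by Bob, seen by Eve
    return A, B, pow(B, a, p), pow(A, b, p)


if __name__ == "__main__":
    p = 23                              # constructed toy prime
    print("order of 5 mod 23:", multiplicative_order(5, p))    # full order p - 1
    print("order of 2 mod 23:", multiplicative_order(2, p))    # only 11 powers
    print(dh_exchange(p, 5, a=6, b=15))
```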

2.3 ElGamal Protocol

In his 1985 paper entitled A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, Taher Elgamal described an asymmetric key encryption algorithm based on the Diffie-Hellman key exchange. Contrary to Diffie-Hellman, which simply produces a shared secret key, the ElGamal protocol proposes a method to transmit messages over an insecure channel.

First, Bob chooses a prime $p$, a primitive root $g \pmod{p}$, and an integer $a \in \{1, \cdots, p - 2\}$, where $a$ is random. Bob then computes $h \equiv g^a \pmod{p}$. So Bob's public key is $(p, g, h)$. (Bob keeps $a$ secret.)

Now, if Alice wants to send a plaintext message $x$ to Bob, encoded as an integer in the range $\{1, \cdots, p - 1\}$, she chooses a number $k \in \{1, \cdots, p - 1\}$ at random. ($k$ is called the ephemeral key.) Alice then computes $y_1 \equiv g^k \pmod{p}$, and $y_2 \equiv x h^k \pmod{p}$. Alice sends the ciphertext $(y_1, y_2)$ to Bob.

Bob, receiving this ciphertext pair, can decipher the message by computing $(y_1)^{-a} \equiv (g^k)^{-a} \equiv (g^k)^{p-1-a} \pmod{p}$, since Bob knows $a$, $y_1$ was sent by Alice, and $g$ is a primitive root mod $p$, i.e. $g^{p-1} \equiv 1 \pmod{p}$. He can then find $x$ by computing

$$(g^k)^{p-1-a}\, y_2 \equiv 1^k \cdot (g^k)^{-a}\, x h^k \equiv (g^k)^{-a}\, x\, (g^a)^k \equiv x\, g^{ak - ak} \equiv x \pmod{p}$$

The exponent $p - 1 - a$ is positive and non-zero because $1 \le a \le p - 2$. Therefore, $g$ being chosen as a primitive root mod $p$ facilitates the computation of $x$. Note that $x$ could also be calculated by using Euclid's algorithm on $h^k$.

$$h^k \;\rightarrow\; [\text{Euclid's algorithm}] \;\rightarrow\; (h^k)^{-1} y_2 \equiv (h^k)^{-1} x h^k \equiv x \pmod{p}$$

Table 2 demonstrates the steps of the protocol.

Table 2: ElGamal Cryptosystem

| Steps to follow | Alice | Eve | Bob |
|---|---|---|---|
| 1. Key Creation: Bob chooses prime $p$, primitive root $g \pmod{p}$, and random secret integer $1 \le a \le p - 2$. | | | $p, g, a$ |
| 2. Bob computes $h \equiv g^a \pmod{p}$. | | | $h \equiv g^a \pmod{p}$ |
| 3. Bob publishes $(p, g, h)$. | $p, g, h$ | ← $p, g, h$ | ← $p, g, h$ |
| 4. Encryption: Alice chooses plaintext $1 \le x \le p - 1$. | $x$ | | |
| 5. Alice chooses random ephemeral key $1 \le k \le p - 1$. | $k$ | | |
| 6. Alice uses Bob's public key to compute $y_1 \equiv g^k \pmod{p}$ and $y_2 \equiv x h^k \pmod{p}$. Alice sends $(y_1, y_2)$ to Bob. | $y_1 \equiv g^k \pmod{p}$, $y_2 \equiv x h^k \pmod{p}$; $y_1, y_2$ → | $y_1, y_2$ → | $y_1, y_2$ |
| 7. Decryption: Bob computes $(g^k)^{-a} \pmod{p}$ using $y_1$ and $a$. | | | $(y_1)^{p-1-a} \equiv (g^k)^{-a} \pmod{p}$ |
| 8. Bob finds $x$ using the above and $y_2$. | | | $(g^k)^{-a} y_2 \equiv (g^k)^{-a} x (g^a)^k \equiv x \pmod{p}$ |

Eve knows $p$, $g$, $h$, $y_1$ and $y_2$. If Eve solves the Discrete Logarithm Problem (DLP) on $h \equiv g^a \pmod{p}$, then she can find $a$, and hence $h^k \equiv (y_1)^a \pmod{p}$. Knowing $h^k$, she can decipher $x$. If Eve solves the DLP on $y_1 \equiv g^k \pmod{p}$, then she can find $k$, and hence $h^k$. Again, she could decipher $x$. Hence, the security of the ElGamal protocol depends on the difficulty of the DLP.

Proposition 2.11: Fix a prime $p$ and primitive root $g$ to use for ElGamal encryption. Suppose that Eve has access to an oracle that decrypts arbitrary ElGamal ciphertexts encrypted using arbitrary ElGamal public keys. Then she can use the oracle to solve the Diffie-Hellman Problem.

The proof of this proposition is given in [4].

This proposition shows that the ElGamal system is secure if one assumes the Diffie-Hellman Problem is hard.
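The steps of Table 2, with both decryption routes from the text (the exponent $p - 1 - a$, and Euclid's algorithm applied to $h^k$), as an added example that is not part of the original report. The function names are hypothetical, the parameters $p = 23$, $g = 5$ are constructed toy values, and the extended Euclidean routine is the "reversed" calculation of Section 2.1.2.

```python
import secrets


def extended_euclid(a, b):
    """Return (g, lam, mu) with lam*a + mu*b = g = gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        old_t, t = t, old_t - quot * t
    return old_r, old_s, old_t


def inverse_mod(a, n):
    g, lam, _ = extended_euclid(a % n, n)
    if g != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return lam % n


def elgamal_keygen(p, g, a=None):
    """Bob's steps 1-3. Returns (public key (p, g, h), private key a)."""
    a = secrets.randbelow(p - 2) + 1 if a is None else a      # 1 <= a <= p-2
    return (p, g, pow(g, a, p)), a


def elgamal_encrypt(public, x, k=None):
    """Alice's steps 4-6. k is the ephemeral key, drawn fresh per message."""
    p, g, h = public
    if not 1 <= x <= p - 1:
        raise ValueError("plaintext must lie in 1..p-1")
    k = secrets.randbelow(p - 1) + 1 if k is None else k      # 1 <= k <= p-1
    return pow(g, k, p), x * pow(h, k, p) % p


def elgamal_decrypt(a, p, y1, y2):
    """Bob's steps 7-8: multiply y2 by y1^(p-1-a) = (g^k)^(-a)."""
    return pow(y1, p - 1 - a, p) * y2 % p


def elgamal_decrypt_euclid(a, p, y1, y2):
    """Alternative route: recover h^k = y1^a, invert it with Euclid's algorithm."""
    hk = pow(y1, a, p)
    return inverse_mod(hk, p) * y2 % p


if __name__ == "__main__":
    public, a = elgamal_keygen(23, 5, a=6)        # constructed toy parameters
    y1, y2 = elgamal_encrypt(public, 10, k=3)
    print(public, (y1, y2), elgamal_decrypt(a, 23, y1, y2),
          elgamal_decrypt_euclid(a, 23, y1, y2))
```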


2.4 RSA Cryptosystem

In 1977, the MIT team of computer scientists Ron Rivest and Adi Shamir, and mathematician Leonard Adleman described an algorithm for public-key cryptography based on the presumed difficulty of the factorization of large integers. This cryptosystem, named RSA after the creators, is widely used and consists of the following three steps:

Key creation begins with one user, say Bob, choosing two large, random primes $p \ne q$ of roughly the same size, and calculating $n = pq$ and $\varphi(n) = (p - 1)(q - 1)$. Bob then chooses $e$ such that $\gcd(e, \varphi(n)) = 1$. ($e$ is called the encryption exponent.) Bob publishes $n$ and $e$.

In the encryption step, Alice chooses a plaintext encoded as an integer $m$ in the range $\{1, \cdots, n - 1\}$ that she wants to send to Bob. Using Bob's public key $(n, e)$, Alice computes $c \equiv m^e \pmod{n}$. Alice sends the ciphertext $c$ to Bob.

In the final step, decryption, Bob computes $d \equiv e^{-1} \pmod{\varphi(n)}$ using the Euclidean algorithm. This is possible because $\gcd(e, \varphi(n)) = 1$. Bob then uses this $d$ (called the decryption exponent) to compute $m \equiv c^d \pmod{n}$.

Table 3 demonstrates the steps clearly.

Table 3: RSA Cryptosystem

| Steps to follow | Alice | Eve | Bob |
|---|---|---|---|
| 1. Key Creation: Bob chooses large, distinct primes $p$ and $q$ and computes $n = pq$ and $\varphi(n)$. | | | $p, q$; $n = pq$, $\varphi(n) = (p - 1)(q - 1)$ |
| 2. Bob chooses encryption exponent $e$ such that $\gcd(e, \varphi(n)) = 1$. Bob publishes $(n, e)$. | $n, e$ | ← $n, e$ | $e$; ← $n, e$ |
| 3. Encryption: Alice chooses plaintext $m$. | $m$ | | |
| 4. Alice uses Bob's public key to compute $c \equiv m^e \pmod{n}$. Alice sends $c$ to Bob. | $c \equiv m^e \pmod{n}$ → | $c$ → | $c$ |
| 5. Decryption: Bob computes $d \equiv e^{-1} \pmod{\varphi(n)}$. | | | $d \equiv e^{-1} \pmod{\varphi(n)}$ |
| 6. Bob computes $m$ using $d$. | | | $m \equiv c^d \pmod{n}$ |


Eve knows $n$, $e$ and $c$. So if Eve knows $d$, she can compute $m$ from the fact that $m \equiv c^d \pmod{n}$. Obtaining $d$ requires knowledge of $\varphi(n)$, since $d$ is the inverse of $e$ mod $\varphi(n)$. Knowledge of $\varphi(n)$ requires in turn knowledge of $p$ and $q$. If $n$ is large, no good algorithms for finding factors $p$ and $q$ exist as of yet, thus the security of the RSA, at this time, is guaranteed.

Theorem 2.12: The secret components of the RSA protocol for each user are $(p, q)$, $\varphi(n)$ and $d$. If Eve obtains any one of these three values, she can calculate the others. Thus, the security of the system for that user will be destroyed.

Proof. Suppose Eve knows $(p, q)$. Then she can calculate $\varphi(n) = (p - 1)(q - 1)$. With $\varphi(n)$, she can find $d \equiv e^{-1} \pmod{\varphi(n)}$.

If Eve knows $\varphi(n)$, she can compute $d$. From Observation 2.8, Eve can also find $(p, q)$.

Finally, if Eve knows $d \equiv e^{-1} \pmod{\varphi(n)}$, she can compute $(p, q)$, and thus $\varphi(n)$, in the following way:

(Denote $\varphi(n)$ by $\varphi$ for convenience.) We know that $ed \equiv 1 \pmod{\varphi}$. Hence $\exists k \in \mathbb{Z}$ such that $ed - 1 = k\varphi$. Euler's theorem states that if $n$ and $a$ are relatively prime integers (i.e. $\gcd(n, a) = 1$), then $a^{\varphi} \equiv 1 \pmod{n}$. Therefore, $a^{k\varphi} \equiv a^{ed-1} \equiv 1^k \equiv 1 \pmod{n}$, for all $a$ relatively prime to $n$, i.e. $\forall a \in \mathbb{Z}_n^*$ ($a$ is invertible mod $n$). Let $ed - 1 = 2^s t$, where $t$ is an odd integer. Therefore $a^{2^s t} \equiv 1 \pmod{n}$. We need the following proposition:

Proposition 2.13: $\exists\, 1 \le i \le s$ such that
• $a^{2^{i-1} t} \not\equiv \pm 1 \pmod{n}$ for exactly half of $a \in \mathbb{Z}_n^*$; and
• $a^{2^i t} \equiv 1 \pmod{n}$ for all $a \in \mathbb{Z}_n^*$.

The proof will be given in Section 2.4.1. Using this proposition, the proof of Theorem 2.12 can be completed as follows: We therefore have

$$kn = a^{2^i t} - 1 = (a^{2^{i-1} t} - 1)(a^{2^{i-1} t} + 1) \ne 0$$

⇒ If we take $\gcd(n, a^{2^{i-1} t} - 1)$, this will be a non-trivial factor $p$ or $q$ of $n$.

So Eve simply has to repeatedly select random $a \in \mathbb{Z}_n^*$ and check if an $i \in [1, s]$ satisfying the above claim exists. The expected number of trials before a non-trivial factor of $n$ is obtained is 2. Knowing $p$ and $q$, Eve can calculate $\varphi$.

This shows that these three values, $(p, q)$, $\varphi(n)$ and $d \equiv e^{-1} \pmod{\varphi}$, must remain secret in order for the cryptosystem to remain secure.
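The last direction of Theorem 2.12, carried out on a toy key, as an added example that is not part of the original report; it shows why an exposed decryption exponent means the modulus itself has to be retired, since $n$ can then be factored. The function names are hypothetical and the key $p = 61$, $q = 53$, $e = 17$ is a constructed toy value.

```python
import random
from math import gcd


def rsa_keypair(p, q, e):
    """Key creation as in Table 3. Returns (public key (n, e), private d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), pow(e, -1, phi)      # d = e^(-1) mod phi(n)  (Python 3.8+)


def rsa_encrypt(public, m):
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(public, d, c):
    return pow(c, d, public[0])


def factor_from_d(n, e, d, rng=None):
    """Recover (q, p), q < p, from the public key and the private exponent.

    Writes ed - 1 = 2^s * t with t odd, then for random a looks for the
    first index i with a^(2^i t) = 1 while a^(2^(i-1) t) is not +-1 (mod n).
    """
    rng = rng or random.Random()
    t, s = e * d - 1, 0
    while t % 2 == 0:
        t //= 2
        s += 1
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:                       # a happened to share a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:
                if x not in (1, n - 1):
                    # x is a square root of 1 other than +-1: gcd splits n.
                    f = gcd(x - 1, n)
                    return tuple(sorted((f, n // f)))
                break                   # this a gives nothing; draw another
            x = y


if __name__ == "__main__":
    public, d = rsa_keypair(61, 53, 17)             # constructed toy key
    c = rsa_encrypt(public, 65)
    print(public, d, c, rsa_decrypt(public, d, c))
    print(factor_from_d(public[0], public[1], d))
```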

Remark 2.14: The cryptosystem also relies on the difficulty of factoring integers, which means that if there is a significant advance in that direction, the RSA cryptosystem may be compromised. For example, using a quantum computer, Peter Shor discovered an algorithm in 1994 that solves the prime number factorization problem in polynomial time. Shor's algorithm takes only $O(b^3)$ time and $O(b)$ space on $b$-bit number inputs. In 2001, the first seven-qubit quantum computer ran Shor's algorithm and factored the number 15. Some believe quantum computers will never reach a level in which the security of the RSA is at risk, however if the technology in quantum computers does advance, serious readjustments to the RSA cryptosystem will have to be made.

2.4.1 Proof of Proposition 2.13

We give the proof in several steps.

Step 1: We prove that $s > 0$. If $s = 0$, then taking $(-1) \in \mathbb{Z}_n^*$,

$$(-1)^{de-1} \equiv (-1)^{2^0 t} \equiv (-1)^t \equiv (-1) \pmod{n},$$

since $t$ is odd. But $a^{2^s t} \equiv 1 \pmod{n}$. This is a contradiction. Therefore $s > 0$.

Step 2: Let us choose $0 \le i \le s$ as the smallest possible value such that $a^{2^i t} \equiv 1 \pmod{n}$. By the same argument as in Step 1, $i > 0$.

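Step 3: We identify two isomorphisms and their mappings of $+1$ and $-1$. From the Chinese Remainder Theorem, we have $\mathbb{Z}_n^* \simeq \mathbb{Z}_p^* \times \mathbb{Z}_q^* \simeq \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$, where $\mathbb{Z}_n^*$, $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$ are multiplicative groups, and $\mathbb{Z}_{p-1}$ and $\mathbb{Z}_{q-1}$ are additive groups.

Consider the isomorphisms $\Phi_1 : \mathbb{Z}_n^* \to \mathbb{Z}_p^* \times \mathbb{Z}_q^*$ and $\Phi_2 : \mathbb{Z}_p^* \times \mathbb{Z}_q^* \to \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$. $\Phi_1$ maps the identity element of $\mathbb{Z}_n^*$, $1$, to the identity element of $\mathbb{Z}_p^* \times \mathbb{Z}_q^*$, $(1, 1)$. $\Phi_2$ maps this element $(1, 1)$ to the identity element of $\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$, which is $(0, 0)$, since $\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$ is additive.

$$\mathbb{Z}_n^* \xrightarrow{\;\Phi_1\;} \mathbb{Z}_p^* \times \mathbb{Z}_q^* \xrightarrow{\;\Phi_2\;} \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$$

$$1 \mapsto (1, 1) \mapsto (0, 0)$$

We also have $\Phi_1(-1) = (-1, -1)$ by uniqueness. $\Phi_2$ maps $(-1, -1)$ to an element $(x, y) \in \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$ such that

$$2x \equiv 0 \pmod{(p - 1)}, \qquad (1)$$

since $(-1)^2 = 1$, the identity element of $\mathbb{Z}_p^*$, and multiplication in $\mathbb{Z}_p^*$ corresponds to addition in $\mathbb{Z}_{p-1}$. Therefore,

$$x = 0 \quad\text{or}\quad x = \tfrac{p-1}{2}$$

Similarly for $y$. Hence,

$$y = 0 \quad\text{or}\quad y = \tfrac{q-1}{2}$$

But $\Phi_2$ is an isomorphism (in particular, injective), so:

$$-1 \mapsto (-1, -1) \mapsto \left(\tfrac{p-1}{2}, \tfrac{q-1}{2}\right)$$

Now, $\forall a \in \mathbb{Z}_n^*$, we have $a^{2^i t} \equiv 1 \pmod{n}$, the identity element in $\mathbb{Z}_n^*$.

So $\forall (\alpha, \beta) \in \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$, we have $(2^i t \alpha, 2^i t \beta) = (0, 0)$, the identity element of $\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$, since, as mentioned above, multiplication in $\mathbb{Z}_n^*$ corresponds to addition in $\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$.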

Step 4: We define 3 maps using the above isomorphisms. Set $m = 2^i t$. The map

$$\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1} \xrightarrow{\;x \mapsto mx\;} \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$$

is thus the zero map. But $i$ is the smallest value such that $a^{2^i t} \equiv 1 \pmod{n}$, $\forall a \in \mathbb{Z}_n^*$, as seen in Step 2, therefore for $\frac{m}{2} = 2^{i-1} t$, the map

$$f : \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1} \xrightarrow{\;x \mapsto \frac{m}{2} x\;} \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$$

is not the zero map.

We define $f : \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1} \xrightarrow{\;x \mapsto \frac{m}{2} x\;} \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$, and $g : \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1} \xrightarrow{\;x \mapsto 2x\;} \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$.
So $g \circ f(x) = g(f(x)) = g(\frac{m}{2} x) = \frac{m}{2} \cdot 2x = mx = (0, 0)$, $\forall x \in \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$.

We observe that $\ker(g) = \{(\frac{p-1}{2}, 0), (\frac{p-1}{2}, \frac{q-1}{2}), (0, \frac{q-1}{2}), (0, 0)\}$, which we can deduce from (1).

Step 5: We prove the following claim:

Claim: At least one of the following statements is true:
(a) $\exists x = (\alpha, 0) \in \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$ such that $f(x) \ne (0, 0)$
(b) $\exists x = (0, \beta) \in \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$ such that $f(x) \ne (0, 0)$.

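Proof of the Claim: If both (a) and (b) are false, then

$$\begin{aligned}
f(\alpha, \beta) &= f((\alpha, 0) + (0, \beta)) && [\text{addition in } \mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}] \\
&= f(\alpha, 0) + f(0, \beta) && [f \text{ is a group homomorphism}] \\
&= (0, 0) + (0, 0) \\
&= (0, 0)
\end{aligned}$$

But $f$ is not the zero map. This is a contradiction.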

Case 1: Suppose (a) is true and (b) is false. Then

$$\begin{aligned}
f(\alpha, \beta) &= f((\alpha, 0) + (0, \beta)) \\
&= f(\alpha, 0) + f(0, \beta) \\
&= f(\alpha, 0) + (0, 0) \\
&= f(\alpha, 0) \\
&= \left(\tfrac{m}{2}\alpha, 0\right)
\end{aligned}$$

If $\alpha$ is even,

$$\tfrac{m}{2}\alpha = \tfrac{m}{2}(2k) = mk,$$

for some $k \in \mathbb{Z}$, is divisible by $\varphi(n) = (p - 1)(q - 1)$ and thus $(p - 1)$. So we have $\frac{m}{2}\alpha = 0$ in $\mathbb{Z}_{p-1}$.

If $\alpha$ is odd,

$$\begin{aligned}
\tfrac{m}{2}\alpha &= \tfrac{m}{2}(2k + 1), \text{ for some } k \in \mathbb{Z}, \\
&= mk + \tfrac{m}{2} \\
&= 0 + \tfrac{m}{2} \text{ in } \mathbb{Z}_{p-1} \\
&\ne 0 \\
\Rightarrow\; \tfrac{m}{2}\alpha &= \tfrac{p-1}{2}
\end{aligned}$$

by the previous argument (1). Thus,

$$f(\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}) = \left\{(0, 0), \left(\tfrac{p-1}{2}, 0\right)\right\}.$$

From group theory, we have: if $f : G \to H$ is a surjective group homomorphism between finite groups, then $|f^{-1}(\{x\})| = \frac{|G|}{|H|}$, for $x \in H$. Hence,

$$|f^{-1}((0, 0))| = \left|f^{-1}\left(\left(\tfrac{p-1}{2}, 0\right)\right)\right|.$$

Therefore, exactly half of the elements of $\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$ satisfy $f(x) = (\frac{p-1}{2}, 0)$.

These $x$'s correspond to elements $a \in \mathbb{Z}_p^* \times \mathbb{Z}_q^*$ such that $a^{m/2} \not\equiv \pm 1 \pmod{n}$.

Case 2: Suppose (a) is false and (b) is true. Similar to Case 1.

Case 3: Suppose both (a) and (b) are true.

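$$\begin{aligned}
f(\alpha, \beta) &= f((\alpha, 0) + (0, \beta)) \\
&= f(\alpha, 0) + f(0, \beta) \\
&\ne (0, 0)
\end{aligned}$$

$$\Rightarrow\; f(\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}) = \left\{(0, 0), \left(0, \tfrac{q-1}{2}\right), \left(\tfrac{p-1}{2}, 0\right), \left(\tfrac{p-1}{2}, \tfrac{q-1}{2}\right)\right\}.$$

Thus, as above,

$$|f^{-1}((0, 0))| = \left|f^{-1}\left(\left(0, \tfrac{q-1}{2}\right)\right)\right| = \left|f^{-1}\left(\left(\tfrac{p-1}{2}, 0\right)\right)\right| = \left|f^{-1}\left(\left(\tfrac{p-1}{2}, \tfrac{q-1}{2}\right)\right)\right|.$$

Notice that $f^{-1}((\frac{p-1}{2}, 0)) \cup f^{-1}((0, \frac{q-1}{2}))$ corresponds to the set of $a \in \mathbb{Z}_p^* \times \mathbb{Z}_q^*$ such that $a^{m/2} \not\equiv \pm 1 \pmod{n}$, and therefore exactly half of the elements of $\mathbb{Z}_{p-1} \times \mathbb{Z}_{q-1}$ satisfy $f(x) = (\frac{p-1}{2}, 0)$ or $f(x) = (0, \frac{q-1}{2})$.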


3 Cryptosystems based on Elliptic Curves

In 1985, Neal Koblitz and Victor S. Miller independently suggested using the algebraic structure of elliptic curves over finite fields in public-key cryptosystems. Similar to Diffie-Hellman and ElGamal, elliptic curve cryptosystems are based on the infeasibility of solving the discrete logarithm problem of a random point on the elliptic curve with respect to a publicly-known base point. The following section presents the basic notions of elliptic curves as well as an introduction to elliptic curve cryptosystems.

3.1 Elliptic Curve Background

Definition 3.1: Let $\mathbb{F}$ be a field. Assume that $\operatorname{char}(\mathbb{F}) \ne 2$. For cryptographic purposes, we take $\mathbb{F}$ to be finite (e.g. $\mathbb{F} = \mathbb{F}_p = \mathbb{Z}_p$ for a prime $p$). An elliptic curve over $\mathbb{F}$ is the set of points $(x, y) \in \mathbb{F}$ that satisfy an equation of the form

$$E : y^2 = x^3 + \alpha x + \beta \qquad (2)$$

where $\alpha$ and $\beta$ are constants, together with one additional point, the point at infinity, $\infty$. The constants $\alpha$ and $\beta$ must satisfy $4\alpha^3 + 27\beta^2 \ne 0$. (2) is known as the Weierstrass equation for an elliptic curve. We have:

$$E(\mathbb{F}_p) = \{(x, y) \mid x, y \in \mathbb{F}_p \text{ satisfy } y^2 = x^3 + \alpha x + \beta\} \cup \{\infty\}$$

Addition in Elliptic Curves: In order to "add" two points $P$ and $Q$ on an elliptic curve $E$ to produce a third point $R$, we start by drawing a line $L$ through points $P$ and $Q$. $L$ intersects the elliptic curve $E$ at 3 points, $P$, $Q$ and $R$ (possibly $\infty$). We reflect $R$ across the x-axis (i.e. we multiply its y coordinate by $(-1)$) to get the point $R'$. (Note that the reflection along the x-axis of $\infty$ is $\infty$.) $R'$ is the "sum of $P$ and $Q$", denoted $R' = P \oplus Q$. (See Figure 1.) To add a point $P$ to itself, we take $L$ as the tangent line to $E$ at point $P$. (See Figure 2.)

Theorem 3.2: Let $E$ be an elliptic curve. Then the addition law on $E$ has the following properties:

(a) $P \oplus \infty = \infty \oplus P = P$ for all $P \in E$. [Identity]
(b) $P \oplus (-P) = \infty$ for all $P \in E$. [Inverse]
(c) $(P \oplus Q) \oplus R = P \oplus (Q \oplus R)$ for all $P, Q, R \in E$. [Associative]
(d) $P \oplus Q = Q \oplus P$ for all $P, Q \in E$. [Commutative]


Figure 1: Addition of $P \oplus Q$, $P \ne Q$

Figure 2: Addition of P ⊕ P

Therefore, the addition law makes the points of E into an abelian group.

The proof of this theorem is given in [4].

Multiplication in Elliptic Curves: Elliptic curve point multiplication is the operation of successively adding a point $P$ along an elliptic curve $E$ to itself. For a scalar $n$ and $P = (x, y) \in E$:

$$n \cdot P = \underbrace{P \oplus P \oplus P \oplus \cdots \oplus P}_{n \text{ times}}$$

The Double-and-Add Algorithm: In order to calculate $Q = n \cdot P$ for a large $n$, we can use the "Double-and-Add" algorithm as follows:
• Write $n$ in binary expansion, i.e. $n = n_0 + n_1 \cdot 2 + n_2 \cdot 4 + n_3 \cdot 8 + \cdots + n_r \cdot 2^r$, $n_i \in \{0, 1\}$. (Assume $n_r = 1$.)
• Compute $Q_0 = P$, $Q_1 = 2 \cdot Q_0$, $Q_2 = 2 \cdot Q_1$, $\cdots$, $Q_r = 2 \cdot Q_{r-1}$. ($Q_i = 2^i \cdot P$)
• Compute $n \cdot P = n_0 \cdot Q_0 + n_1 \cdot Q_1 + n_2 \cdot Q_2 + \cdots + n_r \cdot Q_r$, which is simple because $n_i \in \{0, 1\}$.
(⇒ The total time to compute $n \cdot P$ is at most $2r$ point operations in $E(\mathbb{F}_p)$.)
This algorithm and its proof are given in [4].

A fundamental result in the theory of elliptic curves is that elliptic curves have many points. This is obtained from Hasse's theorem:

Theorem 3.3: (Hasse's Theorem) Let $q = p^n$ and $E$ be an elliptic curve over $\mathbb{F}_q$. Then the order (i.e. number of points) of $E(\mathbb{F}_q)$ is

$$\#E(\mathbb{F}_q) = q + 1 - t_q$$

where the trace of Frobenius $t_q$ satisfies $|t_q| \le 2\sqrt{q}$.

The proof of Hasse’s theorem is given in [7].

3.2 Elliptic Diffie-Hellman Key Exchange

The following is a variation on the Diffie-Hellman Key Exchange using elliptic curves.

First, Alice and Bob agree on a large prime $p$, an elliptic curve $E(\mathbb{F}_p)$ and a point $P \in E(\mathbb{F}_p)$. These values are made public. Then, Alice chooses a secret integer $n_A$ and computes the point on the elliptic curve $Q_A = n_A \cdot P \in E(\mathbb{F}_p)$. (She can do this using the "Double-and-Add" algorithm.) Bob respectively chooses $n_B$ and computes $Q_B = n_B \cdot P \in E(\mathbb{F}_p)$. Alice and Bob exchange their respective $Q_A$ and $Q_B$. Finally, using their secret values $n_A$ and $n_B$, they compute the shared secret key

$$n_A \cdot Q_B = n_A(n_B \cdot P) = n_A n_B \cdot P = n_B(n_A \cdot P) = n_B \cdot Q_A$$

This is illustrated in Table 4.

Definition 3.4: Let $E$ be an elliptic curve over the finite field $\mathbb{F}_p$ and let $P$ and $Q$ be points in $E(\mathbb{F}_p)$. The Elliptic Curve Discrete Logarithm Problem (ECDLP) is the problem of finding an integer $n$ such that $Q = n \cdot P$.


Table 4: Elliptic Diffie-Hellman Key Exchange

| Steps to follow | Alice | Eve | Bob |
|---|---|---|---|
| 1. A trusted party chooses and publishes a prime $p$, an elliptic curve $E(\mathbb{F}_p)$ and a point $P \in E(\mathbb{F}_p)$. | $p \Rightarrow E(\mathbb{F}_p)$, $P \in E(\mathbb{F}_p)$ | $p, E(\mathbb{F}_p), P$ | $p, E(\mathbb{F}_p), P$ |
| 2. Alice chooses a secret integer $n_A$. | $n_A$ | | |
| 3. Alice calculates $Q_A = n_A \cdot P$ and sends $Q_A$ to Bob. | $Q_A = n_A \cdot P$ → | $Q_A$ → | $Q_A$ |
| 4. Bob chooses a secret integer $n_B$. | | | $n_B$ |
| 5. Bob calculates $Q_B = n_B \cdot P$ and sends $Q_B$ to Alice. | $Q_B$ | ← $Q_B$ | ← $Q_B = n_B \cdot P$ |
| 6. Alice and Bob compute the shared secret key $k$ using their secret integers $n_A$ and $n_B$. | $k = n_A \cdot Q_B$ | | $k = n_B \cdot Q_A$ |

So the eavesdropper Eve knows p, E(Fp), P, QA and QB. If Eve can solve the ECDLP on QA = nA · P, she can find nA, and if she can solve it on QB = nB · P, she can find nB. With these two values, she can then compute k = nAnB · P.

The fastest known algorithm to solve the ECDLP in E(Fp) takes approximately √p steps (see [4]), which makes the ECDLP appear much more difficult than the DLP, whose fastest known algorithm (a number field sieve algorithm) takes approximately $e^{(\log p)^{1/3}(\log(\log p))^{2/3}}$ time (see [14]).

Definition 3.5: Let E(Fp) be an elliptic curve over a finite field and let P ∈ E(Fp). The Elliptic Curve Diffie-Hellman Problem (ECDHP) is the problem of computing the value of nAnB · P from the known values of nA · P and nB · P.

Remark 3.6: It is possible for Alice and Bob to only send each other the x-coordinate of their respective QA, QB, and use only the x-coordinate of k = nAnB · P as the shared secret key, since the y-coordinate is related to x by $y_{Q_i}^2 = x_{Q_i}^3 + \alpha x_{Q_i} + \beta$ in Fp (i ∈ {A, B}) and contains little additional information. This allows them to send fewer bits over the insecure channel, and thus reduces the risk that an eavesdropper Eve is able to decrypt the secret key.

3.3 Elliptic ElGamal Protocol

An elliptic curve variation on the ElGamal cryptosystem was also developed as follows ([7]).

Suppose Bob wants to send a message M to Alice. Alice and Bob first agree on a large prime p, an elliptic curve E over Fp, and a point P in E(Fp). Alice then chooses a private key nA and computes QA = nA · P in E(Fp). She sends this QA to Bob. Bob then chooses a plaintext M encoded as a point on E(Fp) and an ephemeral key k (a scalar) at random. Bob then computes the points C1 = k · P and C2 = M + k · QA in E(Fp), and sends this ciphertext pair (C1, C2) to Alice. Alice decrypts the ciphertext by computing

C2 − nA · C1 = (M + k · QA) − nA(k · P)
= M + k(nA · P) − (nAk) · P
= M + (nAk) · P − (nAk) · P
= M ∈ E(Fp).

Table 5 illustrates the protocol clearly.

Table 5: Elliptic ElGamal Cryptosystem

| Steps to follow | Alice | Eve | Bob |
|---|---|---|---|
| 1. Key Creation: A trusted party chooses prime p, an elliptic curve E over Fp, and a point P ∈ E(Fp), and makes these public. | p, E(Fp), P | p, E(Fp), P | p, E(Fp), P |
| 2. Alice chooses a secret private key nA. | nA | | |
| 3. Alice computes QA = nA · P in E(Fp). Alice sends QA to Bob. | QA = nA · P; QA → | QA → | QA |
| 4. Encryption: Bob chooses plaintext M ∈ E(Fp). | | | M |
| 5. Bob chooses random ephemeral key k, a scalar. | | | k |
| 6. Bob uses Alice’s public key to compute C1 = k · P ∈ E(Fp) and C2 = M + k · QA ∈ E(Fp). Bob sends (C1, C2) to Alice. | C1, C2 ← | C1, C2 ← | C1 = k · P; C2 = M + k · QA; C1, C2 |
| 7. Decryption: Alice uses nA to compute C2 − nA · C1 = M ∈ E(Fp). | C2 − nA · C1 = M | | |

So Eve can obtain p, E(Fp), P, QA, C1 and C2. Therefore, if she can solve the ECDLP on QA = nA · P, she can find nA and thus calculate C2 − nA · C1 = M. Or, if she could solve the ECDLP on C1 = k · P, she could find k and compute C2 − k · QA = M. However, if Eve cannot solve the ECDLP, it is infeasible for her to compute M, as shown in [7].

A natural question which we have not yet addressed is how to encode a message as a point on an elliptic curve. We will present two methods proposed by Neal Koblitz, one probabilistic and one non-probabilistic.

Probabilistic Representation of a Message on E(Fp):
Suppose E is an elliptic curve over Fp given by $y^2 = x^3 + \alpha x + \beta$, and let M be a message expressed as a number 0 ≤ M ≤ p/100. Let $x_j = 100M + j$ for 0 ≤ j < 100. For j = 0, 1, 2, . . . , 99, compute $s_j = x_j^3 + \alpha x_j + \beta$. If $s_j^{(p-1)/2} \equiv 1 \pmod{p}$, then $s_j$ is a square mod p, so we do not have to try any more values of j. We take the square root of $s_j$ as our y-coordinate for M, and the $x_j$ used as our x-coordinate. When p ≡ 3 (mod 4), Lagrange showed that a square root of $s_j$ is given by $y_j \equiv s_j^{(p+1)/4} \pmod{p}$. So we take $M = (x_j, y_j)$ as above. The point $(x_j, y_j)$ is on E. Since $s_j$ is essentially a random element of $\mathbb{F}_p^*$, which is cyclic of even order, the probability that $s_j$ is a square is about 1/2, and thus the probability of not finding a point for M after trying 100 values of j is about $2^{-100}$.
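The probabilistic encoding above, as an added Python example that is not part of the original paper. The function names, the curve coefficients α = 2, β = 3 and the prime p = 2^31 − 1 are constructed for illustration; decoding by integer division of x by 100 is the natural inverse of x_j = 100M + j.

```python
# Constructed demo parameters: p = 2^31 - 1 is prime and p = 3 (mod 4).
DEMO_P, DEMO_ALPHA, DEMO_BETA = 2**31 - 1, 2, 3

def koblitz_encode(M, alpha, beta, p, K=100):
    """Map the integer M to a point on y^2 = x^3 + alpha*x + beta over F_p.

    Returns ((x, y), j) where x = K*M + j is the first candidate whose
    right-hand side is a nonzero square mod p.
    """
    if p % 4 != 3:
        raise ValueError("the square-root formula used here needs p = 3 (mod 4)")
    if M < 0 or K * M + (K - 1) >= p:
        raise ValueError("message too large: need K*M + K - 1 < p")
    for j in range(K):
        x = K * M + j
        s = (x**3 + alpha * x + beta) % p
        if pow(s, (p - 1) // 2, p) == 1:       # Euler's criterion: s is a square
            y = pow(s, (p + 1) // 4, p)        # square root when p = 3 (mod 4)
            return (x, y), j
    raise RuntimeError("no point found (probability about 2**-K)")

def koblitz_decode(point, K=100):
    """Recover M from the x-coordinate: x = K*M + j with 0 <= j < K."""
    return point[0] // K

def on_curve(point, alpha, beta, p):
    x, y = point
    return (y * y - (x**3 + alpha * x + beta)) % p == 0
```
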

Non-Probabilistic Representation of a Message on $E(\mathbb{F}_{p^n})$:
Suppose p is arbitrary (e.g., 2) and $n = 2n'$ is even. Suppose the plaintext is an integer m, $0 \le m < p^{n'}$, written in the form $m = m_0 + m_1 p + \cdots + m_{n'-1} p^{n'-1}$, $0 \le m_j < p$; and let $\{b_0, \ldots, b_{n'-1}\}$ be a convenient vector space basis of $\mathbb{F}_{p^{n'}}$ over $\mathbb{F}_p$. Set $x(m) = m_0 b_0 + m_1 b_1 + \cdots + m_{n'-1} b_{n'-1}$, and let $y(m) \in \mathbb{F}_{p^n}$ be either solution of the quadratic equations

$y^2 = x^3 + \alpha x + \beta$ ($\alpha, \beta \in \mathbb{F}_{p^n}$); or
$y^2 + \gamma xy + \delta y = x^3 + \alpha x + \beta$ ($\alpha, \beta, \gamma, \delta \in \mathbb{F}_{p^n}$),

defining points on E. There may not necessarily exist a solution y(m) in $\mathbb{F}_{p^{n'}}$, but there is guaranteed to be a solution y(m) in $\mathbb{F}_{p^n}$, since $n = 2n'$ and therefore $\mathbb{F}_{p^n}$ is an extension of $\mathbb{F}_{p^{n'}}$. So we set $P_m = (x(m), y(m)) \in E$. Even though such a solution y(m) is guaranteed to exist, the most efficient algorithms for solving quadratic equations over finite fields are probabilistic, such as the algorithm described above.

Koblitz has proposed other probabilistic methods as well, which can be found in [8].

3.4 Elliptic Curve Variation on the RSA Cryptosystem

In 1991, K. Koyama, U. Maurer, T. Okamoto and S. Vanstone proposed an elliptic curve analogue of the RSA cryptosystem, which was named the KMOV cryptosystem after its creators. KMOV is based on elliptic curves E(Zn), where n = pq for two distinct primes p, q.

First, we must introduce new notation and a lemma.

Notation: Let p ≥ 3 be a prime. For an elliptic curve over the finite field Fp, we will use the following notation for the Weierstrass equation:

$E_p(a, b) : y^2 = x^3 + ax + b, \quad a, b \in \mathbb{F}_p, \quad 4a^3 + 27b^2 \neq 0.$

Lemma 3.7: Let p ≥ 3 be a prime satisfying p ≡ 2 (mod 3) and 0 < b < p. Then Ep(0, b) is a cyclic group of order

#Ep(0, b) = p + 1. (3)

The proof of this lemma is given in [9].
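Theorem 3.3 and Lemma 3.7 can both be checked numerically on small primes. The following Python sketch is an added example, not taken from the paper: it counts #E(Fp) with Euler's criterion, tests the Hasse bound, and confirms #Ep(0, b) = p + 1 when p ≡ 2 (mod 3). The function names and the sample primes are assumptions chosen for illustration.

```python
def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b over an odd prime p (brute force)."""
    total = 1                                  # the point at infinity
    for x in range(p):
        s = (x**3 + a * x + b) % p
        if s == 0:
            total += 1                         # single point (x, 0)
        elif pow(s, (p - 1) // 2, p) == 1:     # Euler's criterion: s is a square
            total += 2                         # two points (x, y) and (x, -y)
    return total

def frobenius_trace(a, b, p):
    """t_p in #E(F_p) = p + 1 - t_p."""
    return p + 1 - count_points(a, b, p)

def hasse_holds(a, b, p):
    """|t_p| <= 2*sqrt(p), tested in integers as t_p^2 <= 4p."""
    t = frobenius_trace(a, b, p)
    return t * t <= 4 * p

def lemma_3_7_holds(p):
    """#E_p(0, b) = p + 1 for every 0 < b < p; expected when p = 2 (mod 3)."""
    return all(count_points(0, b, p) == p + 1 for b in range(1, p))
```

For p ≡ 1 (mod 3) the lemma's hypothesis fails and so can its conclusion: y^2 = x^3 + 1 over F_7 has 12 points, not 8.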

We will now describe the KMOV protocol.

In the first step, key creation, Bob chooses two large primes p ≠ q such that p ≡ q ≡ 2 (mod 3), and computes n = pq. Bob also computes Nn = lcm(#Ep(0, b), #Eq(0, b)) = lcm(p + 1, q + 1) (by (3)). (He could use Nn = (p + 1)(q + 1) in place of lcm(p + 1, q + 1).) Bob then chooses integers e, d such that gcd(e, Nn) = 1 and ed ≡ 1 (mod Nn). Bob publishes his public key (n, e) and keeps private key d, (p, q, #Ep(0, b), #Eq(0, b), Nn) secret.

Next, in the encryption step, Alice represents the plaintext message (m1, m2) ∈ Zn × Zn as a point M ∈ En(0, b), where $E : y^2 = x^3 + b \pmod{n}$, and where $b = m_2^2 - m_1^3 \pmod{n}$. (Note that b does not have to be computed for the purpose of the cryptosystem, since addition over elliptic curves is independent of b.) Alice computes C = e · M = (c1, c2) ∈ En(0, b) and sends the ciphertext C to Bob.

In the final step, decryption, Bob computes the point

M = d · C = d · (e · M) = (ed) · M = M ∈ En(0, b).

Table 6 summarizes the KMOV cryptosystem.

Table 6: KMOV Cryptosystem

| Steps to follow | Alice | Eve | Bob |
|---|---|---|---|
| 1. Key Creation: Bob chooses large, distinct primes p and q such that p ≡ q ≡ 2 (mod 3) and computes n = pq. | | | p, q; n = pq |
| 3. Bob computes Nn = lcm(#Ep(0, b), #Eq(0, b)) = lcm(p + 1, q + 1) (by (3)). | | | Nn = lcm(#Ep(0, b), #Eq(0, b)) = lcm(p + 1, q + 1) |
| 2. Bob chooses e, d ∈ Z such that gcd(e, Nn) = 1 and ed ≡ 1 (mod Nn). Bob publishes (n, e). | n, e ← | n, e ← | e, d; ed ≡ 1 (mod Nn); n, e |
| 3. Encryption: Alice encodes her message (m1, m2) ∈ Zn × Zn as a point M ∈ En(0, b), where E : y^2 = x^3 + b (mod n); b = m2^2 − m1^3 (mod n). | (m1, m2); M ∈ En(0, b) | | |
| 4. Alice computes C = e · M = (c1, c2). Alice sends C to Bob. | C = e · M → | C → | C |
| 5. Decryption: Bob computes M = d · C using private key d. | | | M = d · C |

Hence Eve knows the public key (n, e) and the ciphertext C. As in the RSA cryptosystem, the difficulty of computing the order #E(Fp)#E(Fq) as well as the difficulty of computing the secret key d are computationally equivalent to factoring a composite number n (see [10]).

Other elliptic curve variations on the RSA cryptosystem include the Demytko cryptosystem ([11]), Meyer and Muller’s cryptosystem ([12]), and the Paillier-Galbraith encryption scheme ([13]).
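The protocols of Sections 3.2, 3.3 and 3.4 all reduce to the same point arithmetic, so one added Python example (not from the paper) covers them: Double-and-Add, the elliptic Diffie-Hellman exchange, elliptic ElGamal, and the KMOV private exponent. Function names and the toy curve are assumptions; KMOV encryption and decryption are ec_mul(e, M, 0, n) and ec_mul(d, C, 0, n), the same routine taken modulo the composite n.

```python
from math import gcd

O = None  # point at infinity (group identity)
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) has order 19.
TOY_A, TOY_P, TOY_G = 2, 17, (5, 1)

def ec_add(P, Q, a, n):
    """Add points of y^2 = x^3 + a*x + b modulo n (b is never needed)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return O  # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, n) % n
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def ec_mul(k, P, a, n):
    """Double-and-Add over the binary digits of k."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return R

def ecdh(nA, nB, P, a, p):  # returns (Alice's key, Bob's key)
    QA, QB = ec_mul(nA, P, a, p), ec_mul(nB, P, a, p)
    return ec_mul(nA, QB, a, p), ec_mul(nB, QA, a, p)

def elgamal_encrypt(M, k, QA, P, a, p):
    return ec_mul(k, P, a, p), ec_add(M, ec_mul(k, QA, a, p), a, p)

def elgamal_decrypt(C1, C2, nA, a, p):
    S = ec_mul(nA, C1, a, p)  # nA*C1 = k*QA
    neg_S = O if S is O else (S[0], -S[1] % p)
    return ec_add(C2, neg_S, a, p)  # C2 - nA*C1 = M

def kmov_private_exponent(p, q, e):
    """d with e*d = 1 (mod lcm(p+1, q+1)); requires p = q = 2 (mod 3)."""
    if p % 3 != 2 or q % 3 != 2:
        raise ValueError("KMOV needs p = q = 2 (mod 3)")
    return pow(e, -1, (p + 1) * (q + 1) // gcd(p + 1, q + 1))
```

Over a composite modulus a modular inverse can fail to exist; `pow(..., -1, n)` then raises `ValueError`, which for properly sized primes happens only with negligible probability.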

4 Conclusion

In conclusion, we have described six public-key cryptographic protocols and examined the reasoning for their security. The Diffie-Hellman key exchange is based on the infeasibility of computing discrete logarithms in Z_p^*, and produces a shared secret key which can be used for decryption in a symmetric cryptosystem. The ElGamal cryptosystem provides a method to exchange messages over an insecure channel, and is also based on the infeasibility of solving the Discrete Logarithm Problem. These two protocols are thus secure, since no algorithm currently exists which solves the DLP in polynomial time. The RSA cryptosystem is widely used to exchange messages between parties. Unlike Diffie-Hellman and ElGamal, RSA is based on the difficulty of factoring large integers. This cryptosystem is also secure, because no efficient algorithms exist which factor such numbers. Next, we explored the elliptic curve analogues of these three protocols. The Elliptic Diffie-Hellman Key Exchange, instead of taking the powers of public keys, takes the point multiplication along the elliptic curve. It is secured by the Elliptic Curve Discrete Logarithm Problem, which appears more difficult than the DLP. The Elliptic ElGamal protocol is also identical to its non-elliptic curve counterpart, using elliptic curve point multiplication and addition as opposed to exponents and multiplication in Zp, and is also guaranteed by the hardness of the ECDLP. We also looked at the KMOV cryptosystem, an elliptic curve variation on the RSA protocol. KMOV depends on the prime factorization of n (for elliptic curve E(Zn)), and again uses the point multiplication as exponents. While the prime factorization problem is difficult, certain attacks have been proposed on the KMOV protocol, proving that it is insecure under certain conditions. (For an example of such an attack, see [9].) This makes the KMOV protocol much less widely implemented than the RSA. All of these cryptographic protocols (with perhaps the exception of the KMOV protocol) remain secure so long as no algorithmic advances are made in the areas of the DLP or prime factorization. Until then, they will continue to be implemented in order to make sharing secret messages over insecure channels not only possible, but efficient and resolute.

5 References

[1] Cameron, Peter J. Notes on Cryptography. Queen Mary, University of London, London, 2003.

[2] Stein, William. Elementary Number Theory: Primes, Congruences, and Secrets. Springer, London, 2008.

[3] Mollins, Richard. RSA and Public-Key Cryptography. CRC Press LLC, 2003.

[4] Hoffstein, Jeffrey, Pipher, Jill, Silverman, J.H. An Introduction to Mathematical Cryptography. Springer, 2008.

[5] Biggs, N. L. An Introduction to Information Communication and Cryptography. Springer-Verlag London Limited, 2008.

[6] Mollins, Richard. Fundamental Number Theory with Applications. CRC Press LLC, 1998.

[7] Washington, Lawrence. Elliptic Curves: Number Theory and Cryptography. CRC Press LLC, 2003.

[8] Koblitz, Neal. Elliptic Curve Cryptosystems. Mathematics of Computation, Vol. 48, No. 177, 1987, 203-209.

[9] Nitaj, A. A New Attack on the KMOV Cryptosystem. Universite de Caen, Laboratoire de Mathematiques Nicolas Oresme, France, 2011.

[10] Koyama, K., Maurer, U.M., Okamoto, T., Vanstone, S.A. New public-key schemes based on elliptic curves over the ring Zn. Advances in Cryptology - Crypto ’91, Lecture Notes in Computer Science, Springer-Verlag, pp. 252-266.

[11] Demytko, N. A new elliptic curve based analogue of RSA. Advances in Cryptology - EUROCRYPT ’93, Springer-Verlag, New York, 1994, 40-49.

[12] Meyer, B., Muller, V. A public key cryptosystem based on elliptic curves over Zn equivalent to factoring. Advances in Cryptology - EUROCRYPT ’96, LNCS 1070, 1996, 49-59.

[13] Galbraith, S. Elliptic Curve Paillier Schemes. J. of Cryptology, 15, no. 2, 2002, 129-138.

[14] Holden, Joshua. A Tour of Public Key Cryptography (and of Number Theory). Rose-Hulman Institute of Technology, Lecture - March 17, 2001.

[15] Tazawa, S. Integer Factorization and Discrete Logarithm problem are neither in P nor NP-complete. University of Tokyo, Japan, July 12, 2012.
