DOCSLIB.ORG

Elliptic Curves

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Elliptic Curves Elliptic Curves Guilhem Castagnos September – December 2020 last updated: August 29, 2020 Contents I The Discrete Logarithm Problem 1 1 Bibliography . 1 2 Asymmetric and Symmetric Cryptography . 1 3 The Discrete Logarithm Problem . 2 3.1 Definitions . 2 3.2 Algorithms for Computing Discrete Logarithms . 3 II First Cryptographic Applications 9 1 Diffie-Hellman (76) . 9 2 Elgamal Encryption (84) . 9 3 Digital Signature . 10 3.1 Definition . 10 3.2 Elgamal Signature (84) . 10 4 Elliptic Curve Cryptography . 11 4.1 ECDSA. 11 4.2 EC-Schnorr . 12 4.3 How to generate an elliptic curve suitable for cryptography . 12 III Pairings for Cryptography 15 1 Weil and Tate Pairings . 15 2 MOV Attack . 17 3 Pairing Friendly curves . 18 IV Some Pairing-based Cryptographic Protocols 19 – iii – CONTENTS – iv – Chapter I The Discrete Logarithm Problem 1. Bibliography • In French: Courbes elliptiques - Une présentation élémentaire pour la cryptographie, Philippe Guillot, Édi- tions Hermes-Lavoisier, (2010) • Elliptic Curves and Their Applications to Cryptography — An Introduction, Andreas Enge, Kluwer Aca- demic Publishers (1999), Bilinear pairings on elliptic curves, Andreas Enge, L’Enseignement Mathéma- tique, https://hal.inria.fr/hal-00767404/ (2015) • Handbook of Elliptic and Hyperelliptic Curve Cryptography, Henri Cohen, Gerhard Frey, Chapman & Hall/CRC (2006) • ThearithmeticofEllipticCurves, Joseph H. Silverman, Springer, 2nd Edition (2009), in particular chap- ter XI, Algorithmic Aspects of Elliptic Curves • Mathematics of Public Key Cryptography, Steven Galbraith, Cambridge University Press (2012), in par- ticular Part II Algebraic Groups and Part V Cryptography Related to Discrete Logarithms 2. Asymmetric and Symmetric Cryptography In cryptography, Elliptic Curves are mainly used for asymmetric cryptography. Differences between Symmetric and Asymmetric Cryptography: For example, encryption Schemes : to protect confidentiality between Alice and Bob. – 1 – Chapitre I : The Discrete Logarithm Problem Symmetric Encryption Scheme Oscar Alice Bob 푠푘 푠푘 Encrypt Decrypt 푠푘(푚A) = 푐A 푠푘(푐A) = 푚A Encrypt Decrypt 푠푘(푚B) = 푐B 푠푘(푐B) = 푚B 푚A, 푚B: plaintexts (messages clairs), 푐A, 푐B: ciphertexts (messages chiffrés), Encrypt : encryption scheme (Algorithme de chiffrement), Decrypt : decryption scheme (Algorithme de déchiffrement), 푠푘: secret or private key Asymmetric Encryption Scheme Bob Alice 푝푘, 푠푘 Encrypt (푚) = 푐 Decrypt 푝푘 푠푘(푐) = 푚 푝푘: public key, 푠푘: private key Symmetric vs Asymmetric Symmetric cryptography: security is based on the size of the key (only attack must be exhaustive search: 푘 bits key, 2푘 operations), Fast, Encryption (e.g. AES), MAC (for integrity and authentication), Hash Functions (for integrity, e.g. the SHA family),… Asymmetric cryptography: security is based on the difficulty of on algorithmic problem. Key size is chosen in order to make this problem intractable. Slower than symmetric cryptography, Key exchange (e.g. Diffie-Hellman), Encryption (e.g. RSA), Digital Signature (e.g. DSA, for integrity, authentication and non repudiation). Security of cryptosystems based on elliptic curves mostly rely on algorithmic problems related to the discrete logarithm problem. 3. The Discrete Logarithm Problem 3.1. Definitions 2 3 푛 We consider a cyclic group of order 푛, (G, ×) generated by 푔 ∈ G, i.e., ⟨푔⟩ = {푔, 푔 , 푔 , … , 푔 = 1} = G. In general, 푛 will be a prime number (cf. Pohlig–Hellman Algorithm). – 2 – 3. The Discrete Logarithm Problem Examples × × For example a subgroup of (Z/푝Z) with 푝 prime. (Z/푝Z) is cyclic of order 푝 − 1. If 푛 divides 푝 − 1, there × 푑 × exists 푔 ∈ (Z/푝Z) of order 푛. More generally, a subgroup of a finite field F푞 (푞 = 푝 ) as (F푞) is cyclic of order 푞 − 1. The group of points of an Elliptic Curve. Order is by Hasse: |E(F푞) − (푞 + 1)| ⩽ 2√푞, then we consider a subgroup of prime order 푛. In this case, we will use additive notations: (G, +) with G = {P, 2P, 3P, … , 푛P = O}. The Discrete Logarithm Problem Let ℎ ∈ 푔. Weknow that ℎ = 푔푥 for some 푥. Finding 푥 is solving the Discrete Logarithm Problem. Wewill denote 푥 = log푔(ℎ). We can define 푥 modulo 푛: Let us consider the group morphism 푒푥푝푔 ∶ (Z/푛Z, +) → 푎 푎 푏 (G, ×), 푎 ↦ 푔 . It is well-defined: if 푎 = 푏 + 푘푛, 푒푥푝푔(푎) = 푔 = 푔 = 푒푥푝푔(푏). It is a morphism : 푒푥푝푔(푎 + 푏) = 푒푥푝푔(푎) × 푒푥푝푔(푏). It is an isomorphism (a bijective morphism): same number of elements and injective: 푒푥푝푔(푎) = 1, 푛 ∣ 푎, so 푎 = 0. The discrete logarithm is the inverse function, so it is a morphism from (G, ×) to (Z/푛Z, +). Properties If 푔 and 푔′ are two generators then 푔′ = 푔푎 with 푎 invertible modulo 푛: indeed, there exits also 푏 such that 푏 푔 = 푔′ = 푔푎푏, so 푎푏 ≡ 1 mod 푛. Conversely, if ℎ = 푔푎 with 푎 invertible then ℎ is a generator: if ℎ푏 = 1 then 푔푎푏 = 1 so 푎푏 ≡ 0 and 푏 ≡ 0. ′ 푎 ′푏 Change of generator: If 푔, 푔 are two generators, ℎ = 푔 et ℎ = 푔 , i.e., log푔(ℎ) = 푎 and log푔′ (ℎ) = 푏. We ′ ′ 푐 푏푐 푎 ′ denote 푐 = log푔 푔 . Then 푔 = 푔 so ℎ = 푔 = 푔 and 푎 ≡ 푏푐. As a result, log푔(푔) = log푔′ (ℎ) × log푔 푔 , or ′−1 ′ log푔′ (ℎ) ≡ log푔(푔) log푔 푔 where this last term is invertible because 푔 is a generator. As a result, if we know how to compute discrete logarithms in basis 푔 then we can do it in basis 푔′. The difficulty of computing discrete logarithms only depends on the group and not on the generator chosen. Remark that the discrete logarithm problem can be easy: For example in G = (Z/푛Z, +). 푔 is a generator if and only if gcd(푔, 푛) = 1. Indeed, we know that 1 is a generator as G = {1, 2, 3, … , 푛 = 0} = {1, 2 × 1, 3 × 1, 푛 × 1 = 0}. From what we saw, the others generators are the 푎 × 1 with 푎 invertible modulo 푛. Then −1 (Z/푛Z, +) = G = 푔, 2푔, 3푔, … 푛푔 = 0. If ℎ ∈ Z/푛Z, ℎ ≡ 푥푔, 푥 ≡ ℎ푔 computable in polynomial time with a simple extended Euclidean algorithm. 3.2. Algorithms for Computing Discrete Logarithms First we see some generic algorithms that work for all cyclic group G of order 푛: the naive algorithm, The Baby Step Giant Step method , the ρ method of Pollard, and the Pohlig–Hellman algorithm that reduce computing discrete logarithm in a group of order 푛 to computing logarithm in subgroups of order 푝 where 푝 is prime and 푝 divides 푛. By a theorem of Shoup (97), an algorithm that solve the discrete logarithm in G must do at least 풪 (√푛) operations in G. The Naive Algorithm ℎ = 푔푥, 푥? Compute 푔, 푔2, 푔3,… . Complexity, 풪 (푛) multiplications in G With memory: We pre-compute all the (푔푖, 푖) and store them in a list, sorted we respect to the 푔푖 (by using a binary representation of the elements of G for instance). Complexity: 풪 (푛) multiplications in G, 풪 (푛) elements of G in memory, sorting algorithm complexity : 풪 (푛 log(푛)) Then to compute 푥 s.t. ℎ = 푔푥, we look for ℎ in the list: complexity: 풪 (log(푛)) – 3 – Chapitre I : The Discrete Logarithm Problem Baby Step/Giant Step Usually credited to Shanks 1971. Time-memory trade-off. ℎ = 푔푥 푥? 푥 푚 푗 푖 −1 푖 푚 푗 Let 푚 = ⌈√푛⌉ and 푥 = 푖 + 푚푗 with 0 ⩽ 푖, 푗 < 푚. We have ℎ = 푔 = (푔 ) 푔 . So ℎ(푔 ) = (푔 ) . 푚 푗 Pre-computations: a list of ((푔 ) , 푗) with 푗 < 푚 sorted with respect to the first coordinate: 풪 (√푛) memory, and 풪 (√푛 log(푛)) for the sorting algorithm. −1 −1 2 Then we compute ℎ, ℎ푔 , ℎ(푔 ) , ... and look for this element in the list. Worst case: 풪 (√푛) multipli- cations and complexity for 풪 (√푛 log(푛)) the searches. Pollard ρ Pollard 1978 Same time complexity but quasi no memory. Probabilistic Algorithm: Sometimes no result is found. ′ ′ ′ ′ We look for integers modulo 푛 s.t. 푔푖ℎ푗 = 푔푖 ℎ푗 . Then 푔푖−푖 = ℎ푗 −푗. So 푖 − 푖′ ≡ 푥(푗′ − 푗) and if (푗′ − 푗) is invertible modulo 푛, we find 푥. To find these integers, one can store all the tuples (푔푖ℎ푗, 푖, 푗) sorted with respect to the first coordinates, with random 푖 and 푗. If one finds two times the same element of G (a collision), the discrete logarithm can be extracted as above. By the birthday paradox with a good probability,there will be a collision for around √푛 random choices. Wedraw uniformly 푘 elements in a set of 푛 elements. Let 푝(푘) the probability that there is a collision. The probability that all the elements are different is 1 2 푘 − 1 푘−1 푖 1 − 푝(푘) = ￶1 −  ￶1 −  … ￶1 −  = ゚ ￶1 −  푛 푛 푛 푖=1 푛 −푥 ∏푘−1 −푖/푛 −푘(푘−1)/2푛 −(푘−1)2/2푛 As 1 − 푥 ⩽ 푒 for all 푥 ∈ R, 1 − 푝(푘) ⩽ 푖=1 푒 = 푒 ⩽ 푒 . As a result, there is a collision −(푘−1)2/2푛 with probability at least 푓(푘) ∶= 1 − 푒 . For 푘0 = 1 + √−2푛 log(1 − A), one has A = 푓(푘0). So for 푘 ⩾ 푘0, one has 푝(푘) ⩾ 푓(푘) ⩾ 푓(푘0) = A. As a result, for the probability to be at least 1/2, one must draw 1 + √2푛 log 2 ≈ 1.177√푛 elements (for a probability greater than 0.99, this gives 3.03√푛 elements). For the classical birthday problem, 푛 = 365, and we have a probability 1/2 of having two people with the same birthday for a set of 1 + √2 × 365 log 2 ≈ 23.49 people (In fact 23 is sufficient). More generally, one can show that the expected number of elements to be drawn until a collision is found is less than √π푛/2 + 2 ≈ 1.253√푛.
Load more

Recommended publications
  • Jeffrey Hoffstein Jill Pipher Joseph H. Silverman
    Undergraduate Texts in Mathematics Je rey Ho stein Jill Pipher Joseph H. Silverman An Introduction to Mathematical Cryptography Second Edition Undergraduate Texts in Mathematics Undergraduate Texts in Mathematics Series Editors: Sheldon Axler San Francisco State University, San Francisco, CA, USA Kenneth Ribet University of California, Berkeley, CA, USA Advisory Board: Colin Adams, Williams College, Williamstown, MA, USA Alejandro Adem, University of British Columbia, Vancouver, BC, Canada Ruth Charney, Brandeis University, Waltham, MA, USA Irene M. Gamba, The University of Texas at Austin, Austin, TX, USA Roger E. Howe, Yale University, New Haven, CT, USA David Jerison, Massachusetts Institute of Technology, Cambridge, MA, USA Jeffrey C. Lagarias, University of Michigan, Ann Arbor, MI, USA Jill Pipher, Brown University, Providence, RI, USA Fadil Santosa, University of Minnesota, Minneapolis, MN, USA Amie Wilkinson, University of Chicago, Chicago, IL, USA Undergraduate Texts in Mathematics are generally aimed at third- and fourth- year undergraduate mathematics students at North American universities. These texts strive to provide students and teachers with new perspectives and novel approaches. The books include motivation that guides the reader to an appreciation of interre- lations among different aspects of the subject. They feature examples that illustrate key concepts as well as exercises that strengthen understanding. More information about this series at http://www.springer.com/series/666 Jeffrey Hoffstein • Jill Pipher Joseph
    [Show full text]
  • 11 Digital Signatures
    This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying. c 1997 by CRC Press, Inc. Chapter 11 Digital Signatures Contents in Brief 11.1 Introduction :::::::::::::::::::::::::::::425 11.2 A framework for digital signature mechanisms ::::::::::426 11.3 RSA and related signature schemes :::::::::::::::::433 11.4 Fiat-Shamir signature schemes :::::::::::::::::::447 11.5 The DSA and related signature schemes ::::::::::::::451 11.6 One-time digital signatures :::::::::::::::::::::462 11.7 Other signature schemes ::::::::::::::::::::::471 11.8 Signatures with additional functionality ::::::::::::::474 11.9 Notes and further references ::::::::::::::::::::481 11.1 Introduction This chapter considers techniques designed to provide the digital counterpart to a handwrit- ten signature.
    [Show full text]
  • Fault Analysis of the Ntrusign Digital Signature Scheme
    Cryptogr. Commun. (2012) 4:131–144 DOI 10.1007/s12095-011-0061-3 Fault analysis of the NTRUSign digital signature scheme Abdel Alim Kamal · Amr M. Youssef Received: 11 December 2010 / Accepted: 14 December 2011 / Published online: 6 January 2012 © Springer Science+Business Media, LLC 2012 Abstract We present a fault analysis of the NTRUSign digital signature scheme. The utilized fault model is the one in which the attacker is assumed to be able to fault a small number of coefficients in a specific polynomial during the signing process but cannot control the exact location of the injected transient faults. For NTRUsign with parameters (N, q = pl, B, standard, N ), when the attacker is able to skip the norm-bound signature checking step, our attack needs one fault, ≈ − 1 (( )t) succeeds with probability 1 p and requires O qN steps when the number of faulted polynomial coefficients is upper bounded by t. The attack is also applicable to NTRUSign utilizing the transpose NTRU lattice but it requires double the number of fault injections. Different countermeasures against the proposed attack are investigated. Keywords Side channel attacks · Lattice-based public key cryptosystems · Fault analysis and countermeasures · Digital signature schemes · NTRU Mathematics Subject Classification (2010) 94A60 1 Introduction NTRUSign [1–4] is a parameterized family of lattice-based public key digital signa- ture schemes that is currently under consideration for standardization by the IEEE P1363 working group. It was proposed after the original NTRU signature scheme (NSS) [5] was broken [6, 7]. Similar to the GGH cryptosystem [8], the security of A. A.
    [Show full text]
  • Subliminal Channels in High-Speed Signatures
    Die approbierte Originalversion dieser Diplom-/ Masterarbeit ist in der Hauptbibliothek der Tech- nischen Universität Wien aufgestellt und zugänglich. http://www.ub.tuwien.ac.at institute of telecommunications The approved original version of this diploma or master thesis is available at the main library of the Vienna University of Technology. http://www.ub.tuwien.ac.at/eng Subliminal Channels in High-Speed Signatures Master’s Thesis for obtaining the academic degree Diplom-Ingenieur as part of the study Electrical Engineering and Information Technology carried out by Alexander Hartl student number: 01125115 Institute of Telecommunications at TU Wien Supervision: Univ. Prof. Dipl.-Ing. Dr.-Ing. Tanja Zseby Dipl.-Ing. Robert Annessi, B.Sc Acknowledgments I want to express my gratitude for everyone who assisted or encouraged me in various ways during my studies. In particular, I would like to thank Prof. Tanja Zseby and Dipl.-Ing. Robert Annessi for giving me the opportunity to write this thesis, for supporting me actively while I was working on it and for many valuable comments and suggestions. I owe special thanks to my family, especially my parents Edith and Rudolf, for their endless support during all these years. Thank you, Sabrina, for encouraging me and for so many cheerful hours in my life. Abstract One of the fundamental building blocks for achieving security in data networks is the use of digital signatures. A digital signature is a bit string which allows the receiver of a message to ensure that the message indeed originated from the apparent sender and has not been altered along the path.
    [Show full text]
  • Public-Key Cryptography
    Public-key Cryptogra; Theory and Practice ABHIJIT DAS Department of Computer Science and Engineering Indian Institute of Technology Kharagpur C. E. VENIMADHAVAN Department of Computer Science and Automation Indian Institute ofScience, Bangalore PEARSON Chennai • Delhi • Chandigarh Upper Saddle River • Boston • London Sydney • Singapore • Hong Kong • Toronto • Tokyo Contents Preface xiii Notations xv 1 Overview 1 1.1 Introduction 2 1.2 Common Cryptographic Primitives 2 1.2.1 The Classical Problem: Secure Transmission of Messages 2 Symmetric-key or secret-key cryptography 4 Asymmetric-key or public-key cryptography 4 1.2.2 Key Exchange 5 1.2.3 Digital Signatures 5 1.2.4 Entity Authentication 6 1.2.5 Secret Sharing 8 1.2.6 Hashing 8 1.2.7 Certification 9 1.3 Public-key Cryptography 9 1.3.1 The Mathematical Problems 9 1.3.2 Realization of Key Pairs 10 1.3.3 Public-key Cryptanalysis 11 1.4 Some Cryptographic Terms 11 1.4.1 Models of Attacks 12 1.4.2 Models of Passive Attacks 12 1.4.3 Public Versus Private Algorithms 13 2 Mathematical Concepts 15 2.1 Introduction 16 2.2 Sets, Relations and Functions 16 2.2.1 Set Operations 17 2.2.2 Relations 17 2.2.3 Functions 18 2.2.4 The Axioms of Mathematics 19 Exercise Set 2.2 20 2.3 Groups 21 2.3.1 Definition and Basic Properties . 21 2.3.2 Subgroups, Cosets and Quotient Groups 23 2.3.3 Homomorphisms 25 2.3.4 Generators and Orders 26 2.3.5 Sylow's Theorem 27 Exercise Set 2.3 29 2.4 Rings 31 2.4.1 Definition and Basic Properties 31 2.4.2 Subrings, Ideals and Quotient Rings 34 2.4.3 Homomorphisms 37 2.4.4
    [Show full text]
  • Efficient Implementations of Attribute-Based Credentials on Smart Cards
    Efficient Implementations of Attribute-based Credentials on Smart Cards Pim Vullers Copyright c 2014 Pim Vullers IPA Dissertation Series: 2014-15 ISBN: 978-94-6259-376-3 NUR: 980 Typeset using LATEX 2ε (TEXLive 2013) Cover design by Koen Vullers Printed by Ipskamp Drukkers (http://proefschriften.net/) The work in this thesis has been carried out under the auspices of the research school IPA (Institute for Programming research and Algorithmics). The author was employed at the Radboud University Nijmegen. This research was sponsored by Trans Link Systems / Open Ticketing. This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license. To view a copy of this license, please visit http://creativecommons.org/licenses/by-sa/4.0/. Efficient Implementations of Attribute-based Credentials on Smart Cards Proefschrift ter verkrijging van de graad van doctor aan de Radboud Universiteit Nijmegen op gezag van de rector magnificus prof. dr. Th.L.M. Engelen, volgens besluit van het college van decanen in het openbaar te verdedigen op vrijdag 28 november 2014 om 10.30 uur precies. door Pim Vullers geboren op 20 juni 1986 te Venlo Promotor: Prof. dr. B.P.F. Jacobs Manuscriptcommissie: Prof. dr. E.R. Verheul Prof. dr. S. Mauw Université du Luxembourg, Luxemburg Prof. dr. ir. B. de Decker KU Leuven, België Dr. G. Neven IBM Research Zürich, Zwitserland Dr. ir. E. Poll Samenvatting We leven in een wereld waarin computers een steeds grotere rol spelen. Daarom wordt het alsmaar belangrijker om gebruikers en objecten digitaal te kunnen iden- tificeren. Om dit te bereiken gebruiken veel bestaande systemen unieke nummers, denk bijvoorbeeld aan je burgerservicenummer (BSN).
    [Show full text]
  • User Manual V.1.3 (“NTRU Release”) 1 What Is Goldbug?
    Secure Instant Messenger User Manual v.1.3 (“NTRU Release”) http://goldbug.sf.net 1 What is GoldBug? GoldBug is a secure Instant Messenger. You can be sure with using GoldBug (GB), that no third party can look into your chat communication. Private user-to-user communication remains private. GoldBug therefore uses strong multi-encryption with different layers of modern encryption technologies of well known and revised crypto libraries (like libgcrypt (GnuPG) and OpenSSL). For example it generates more than 8 public / private encryption keys based on RSA or NTRU or ElGamal. The app offers as well decentral and encrypted Email and decentral public E*IRC-Chat. As in every Messenger, you can share and transfer files. With tools like Rosetta Cryptopad and/or the File-Encryption tool you can convert text and files into ciphertext. 2 Why encryption matters: Today mostly every WIFI is protected with a password. In a few years as well every plaintext message or email to friends over the internet will be encrypted too. It is not a question to have something to hide or not, • it is a question to control by yourself the security of your communications - or having it controled by others. • It‘ s a question of free thinking and • taking away the presumption of innocence.*) • Democracy requires the thinking and debate of alternatives in private and public. "The question is not 'do you have something to hide?' Strong-Multi-Encryption ensures the The question is whether we control declaration of human rights in broad constitutional consensi and is a digital or they controls us." - Oliver Stone self-defense, everyone needs to learn http://www.youtube.com/watch?v=0U37hl0n9mY and utilize.
    [Show full text]
  • Flaws in Applying Proof Methodologies to Signature Schemes
    Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern1?, David Pointcheval1, John Malone-Lee2, and Nigel P. Smart2 1 D´ept d'Informatique, ENS { CNRS, 45 rue d'Ulm, 75230 Paris Cedex 05, France. E-mail: fJacques.Stern,[email protected] URL: http://www.di.ens.fr/~fstern,pointcheg 2 Computer Science Dept, Woodland Road, University of Bristol, BS8 1UB, UK. E-mail: fmalone, [email protected] URL: http://www.cs.bris.ac.uk/~fmalone,nigelg Abstract. Methods from provable security, developed over the last twenty years, have been recently extensively used to support emerging standards. However, the fact that proofs also need time to be validated through public discussion was somehow overlooked. This became clear when Shoup found that there was a gap in the widely believed security proof of OAEP against adaptive chosen-ciphertext attacks. We give more examples, showing that provable security is more subtle than it at first appears. Our examples are in the area of signature schemes: one is related to the security proof of ESIGN and the other two to the security proof of ECDSA. We found that the ESIGN proof does not hold in the usual model of security, but in a more restricted one. Concerning ECDSA, both examples are based on the concept of duplication: one shows how to manufacture ECDSA keys that allow for two distinct messages with identical signatures, a duplicate signature; the other shows that from any message-signature pair, one can derive a second signature of the same message, the malleability. The security proof provided by Brown [7] does not account for our first example while it surprisingly rules out malleabil- ity, thus offering a proof of a property, non-malleability, that the actual scheme does not possess.
    [Show full text]
  • 1 Review: Message Authentication Codes (Macs)
    EE 418 Network Security and Cryptography Lecture #15 November 22, 2016 Message Authentication Codes (MACs). Digital Signatures. Lecture notes prepared by Professor Radha Poovendran. Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle Outline: 1. Review: Message Authentication Codes (MACs) { Review: MAC from Block Cipher: CBC-MAC 2. Introduction to Digital Signatures 3. RSA digital signature scheme 4. ElGamal digital signature scheme 5. Schnoor Digital signature scheme 6. The Digital signature algorithm 1 Review: Message Authentication Codes (MACs) Last time, we started our discussion about message authentication codes (MACs), and we defined a MAC as a code that is appended to a message in order to provide message integrity1. In MACs, communicating parties share a secret key that is used to generate the code, and if a MAC is well-designed, then only a user with the shared key can compute a valid MAC for a given message. Two parties Alice and Bob who share a key K can use a MAC for message integrity as follows (illustrated in Figure 1): 1. Alice computes a MAC for message m as y = MAC(K; m), and sends pair (m; y) through the channel to Bob. 2. Bob receives (m; y). Using the secret key, Bob computes MAC(K; m) and checks y =? MAC(K; m). 3. If y = MAC(K; m), then Bob accepts the message. Otherwise, Bob rejects the message, since the message and MAC are inconsistent. Alice Bob MAC Generation Computes y = MAC(K,m) from secret key K and message m [m, y] MAC Verification Extracts m, computes y’=MAC(K,m) If y + y’ =0, accept the message If y + y’≠ 0, discard the message Fig.
    [Show full text]
  • Pairing Cryptography and Verifiable Secret Sharing Scheme
    GROUP KEY ESTABLISHMENT PROTOCOLS: PAIRING CRYPTOGRAPHY AND VERIFIABLE SECRET SHARING SCHEME A Thesis Submitted to the Graduate School of Engineering and Science of İzmir Institute of Technology in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE in Computer Engineering by Rabia ASLANOĞLU July 2013 İZMİR We approve the thesis of Rabia ASLANOĞLU Examining Committee Members: Assist. Prof. Dr. Serap ŞAHİN Department of Computer Engineering, İzmir Institute of Technology Assist. Prof. Dr. Kaan KURTEL Department of Software Engineering, İzmir University of Economics Assist. Prof. Dr. Selma TEKİR Department of Computer Engineering, İzmir Institute of Technology 1 July 2013 Assist. Prof. Dr. Serap ŞAHİN Supervisor, Department of Computer Engineering, İzmir Institute of Technology Prof. Dr. İ. Sıtkı AYTAÇ Prof. Dr. R. Tuğrul SENGER Head of the Department of Dean of the Graduate School of Computer Engineering Engineering and Sciences ACKNOWLEDGEMENTS I would like to express my deep appreciation to my thesis advisor Assist. Prof. Dr. Serap Şahin for her motivation, patience, enthusiasm and immense knowledge. She has provided invaluable suggestions and encouragement from the beginning of my research. Her wisdom always will guide me in the rest of my life. It is impossible to achieve my work without her support. I would also like to state my gratitude to my lecturer in İzmir Institute of Technology, Assist. Prof. Dr. Selma Tekir for her deepest kindness and support. It has been a pleasure to know and work with her. Finally, I would like to dedicate my thesis to my epic hero; my mum, Hatice Nurcan Aslanoğlu. She is the main character of my life journey and beyond the all human titles that I carry, I am honored to have the title of being of her daughter.
    [Show full text]
  • A Survey of Elliptic Curve Cryptosystems, Part I: Introductory San C
    NAS Technical Report - NAS-03-012 August 2003 -------------------------------------------------------------------------------------------------------------------------------- A Survey of Elliptic Curve Cryptosystems, Part I: Introductory San C. Vo NASA Advanced Supercomputing (NAS) Division – Research Branch (INR) Information Sciences & Technology Directorate NASA Ames Research Center, Moffett Field, CA 94043 Introduction The theory of elliptic curves is a classical topic in many branches of algebra and number theory, but recently it is receiving more attention in cryptography. An elliptic curve is a two-dimensional (planar) curve defined by an equation involving a cubic power of coordinate x and a square power of coordinate y. One class of these curves is elliptic curves over finite fields, also called Galois fields. These elliptic curves are finite groups with special structures, which can play naturally, and even more flexibly, the roles of the modulus groups in the discrete logarithm problems. Elliptic curves have been used actively in designing many mathematical, computational and cryptographic algorithms, such as integer factoring, primality proving, public key cryptosystems and pseudo-random number generators, etc. Essentially, elliptic curve cryptosystems promise a better future for cryptography: more security against powerful attacks in the era of computing capability. Many research papers in Elliptic Curve Cryptography (ECC) have been published by researchers all over the world. However, the idea of using elliptic curves in cryptography is still considered a difficult concept and is neither widely accepted nor understood by typical technical people. The problem may stem from the fact that there is a large gap between the theoretical mathematics of elliptic curves and the applications of elliptic curves in cryptography. A large amount of ECC literature was collected and organized in the development of this survey on ECC.
    [Show full text]
  • Elgamal Type Signature Schemes for N-Dimensional Vector Spaces
    ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursmay and Seung Kook Parky Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional vector spaces. The higher dimensional version is based on the untractability of the vector decomposition problem (VDP). Yoshida has shown that under certain conditions, the VDP on a two-dimensional vector space is at least as hard as the computational Di±e-Hellman problem (CDHP) on a one-dimensional subspace. 1 Introduction Intractable mathematical problems such as the integer factorization problem, the dis- crete logarithm problem (DLP), and the computational Di±e-Hellman problem (CDHP) are being used to provide secure protocols for cryptosystems. A new hard problem which is called the vector decomposition problem (VDP) was proposed in [8]. Yoshida [7] states the conditions that are required for the VDP on a two-dimensional vector space to be at least as hard as the CDHP on a one-dimensional subspace. The VDP on a two-dimensional vector space can serve as the underlying intractable problem for cryptographic protocols but the only protocol presented so far that uses the VDP is watermarking [7]. In this paper we present a signature scheme based on VDP and we generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n- dimensional vector spaces. Algorithms of the generalized ElGamal signature scheme, DSA and ECDSA are given in Section 2. In Section 3 we state the de¯nitions of CDHP and VDP. Yoshida's conditions for the VDP on a two-dimensional vector space to be at least as hard as the CDHP on a one-dimensional subspace are stated without proof.
    [Show full text]