cryptology marion scheepers boise state university boise , idaho sept 24 – 26, 2002
DESCRIPTION
Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002. DAAD 2002. Information Security. Information Security = Safeguarding information during storage or transmission . Some objectives of information security: Confidentiality Data integrity Authentication - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/1.jpg)
Cryptology
Marion ScheepersBoise State University
Boise , Idaho
Sept 24 – 26, 2002
DAAD 2002
![Page 2: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/2.jpg)
Information Security
Information Security = Safeguarding information during storage or transmission.
Some objectives of information security:•Confidentiality•Data integrity•Authentication•Non-repudiation
![Page 3: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/3.jpg)
Cryptology = The mathematics of information security
The idea:
Use mathematics to secure the information Security is mathematically compromised when some
specific mathematical problem is solved No known method solves the mathematical problem
in a reasonable amount of time
![Page 4: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/4.jpg)
Cryptographic Primitives
Encryption schemas Digital signatures schemas Hash functions Random number generators
![Page 5: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/5.jpg)
Crypto-system evaluation criteria
Security levels [How many bit operations are needed to defeat the security objective?]
Performance[How many bit operations are needed to carry out the security objective?]
Ease of implementation[How “easy” is it to create the crypto-system based on existing technology?]
![Page 6: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/6.jpg)
Some Number Theory
Theorem [Euclidean Algorithm] :
For all natural numbers a and b, there are
integers m and n such that gcd(a,b) = ma + nb.
Theorem:
ax mod b =1 has a solution if, and only if,
gcd(a,b) = 1.
![Page 7: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/7.jpg)
Euler’s phi function
Definition phi(n) = |{a< n: gcd(a,n) = 1}|.
Theorem [Euler - Fermat] For any a <n with gcd(a,n) = 1, we have aphi(n) mod n = 1.
![Page 8: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/8.jpg)
Chinese Remainder Theorem
Theorem Let m and n be numbers with gcd(m,n) =1. Then for all a<m and b<n there are a unique x<mn with a = x mod m and b = x mod n.
![Page 9: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/9.jpg)
Dirichlet’s Theorem
Theorem If gcd(a,b) = 1, then the set {an + b: n=1, 2, 3, …}
contains infinitely many prime numbers.
Riemann Hypothesis (RH): For all e>0: pi(x) = li(x)+O(x(1/2 + e))
Extended Riemann Hypothesis (ERH):For all e>0: pi(x,n,a) = li(x)/phi(n)+O(x(1/2 + e))
![Page 10: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/10.jpg)
Miller-Rabin Primality test
Theorem If n is an odd prime, write n-1 = r 2s where r is odd. For any a with gcd(a,n) = 1, 1. either ar mod n = 1, or else
2. there is a j = 0, 1, .., s-1 with a(r 2^j) mod n = n-1
Theorem For n > 9 odd and composite, at most phi(n)/4 positive numbers a < n satisfy clauses 1 or 2 modulo n.
![Page 11: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/11.jpg)
Primitive roots
Definition: g < n is a primitive root of n if gcd(g,n) = 1 and there is for each i<n with gcd(i,n) = 1, a k with i = gk mod n.
Theorem [Gauss] n has a primitive root if, and only if, n = 1, 2, 4, pe or 2pe where p is some odd prime.
Theorem For any M>0 the set {p: p a prime number and M < least primitive root of p < p-M} is infinite.
Theorem [Burgess] For each e>0 there is a p(e) such that for each prime p > p(e) the least primitive root of p < p(1/4 + e)
![Page 12: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/12.jpg)
Computational Complexity I
For f and g sequences of natural numbers: f = O(g): there are an N and C with: for all n>N, f(n) <
Cg(n). f = o(g): lim(f(n)/g(n)) = 0. length(n) = 1 + [log2(n)]. Ln(g,c) = O( e(c (ln(n)^g) (ln(ln(n))^ (1-g)))NOTE: Ln(0,c) = O((ln(n))c) is “polynomial in length of n” Ln(1,c) = O(e(c ln(n))) is “exponential in length of n” Ln(g,c) for 0 < g < 1 is “subexponential and
superpolynomial in length of n”
![Page 13: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/13.jpg)
Computational Complexity 2
Computation Bit operations
m+n O(max{ln(m),ln(n)})
mn O(ln(m)ln(n))
Solve(mu+nv = b) O(ln(m)ln(n))
Solve(a*x mod m =1) O(ln(m)2)
b^n mod m O(ln(n) ln(m)2)
![Page 14: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/14.jpg)
RSA on a finite group G
fn(a) = an
Theorem. If gcd(n,|G|) = 1, then fn is one-to-one. Moreover, if m is a solution for nx mod |G| = 1, then fm is an inverse for fn.
![Page 15: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/15.jpg)
RSA Keys
Public keys: The group G and the function fn.
Coding function: F maps messages in ordinary text into the group G.
Private key: The function fm.
![Page 16: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/16.jpg)
Alice encrypts to Bob
Look up Bob’s public key (G,fn) and coding function F.
With M = F(message), compute E = fn(M). [Then E is the encrypted version of M]
Send E to Bob.
![Page 17: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/17.jpg)
Bob decrypts
Compute D = fm(E).
Compute the inverse of D under the coding function F.
![Page 18: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/18.jpg)
RSA signatures
Public keys: The group G and the function fn.Private key: fm.
Bob signs an item, a, known to Alice: s = fm(a)
Alice checks if s is Bob’s signature on a: b = fn(s) If b = a, then Alice accepts s as Bob’s signature on
a.
![Page 19: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/19.jpg)
Classical RSA
To construct the public and private keys: Choose two prime numbers p and q. Put R = pq. And put G = {a<R: gcd(a,R) = 1} with
operation multiplication mod R. NOTE: |G| = phi(R). Choose n so that gcd(n,phi(R)) = 1. This n specifies
the encryption function fn. Compute m = 1/n mod phi(R). This specifies the
private key fm. Coding Function: ASCIIPad
Example
![Page 20: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/20.jpg)
RSA key generation efficiency
Selection of prime numbers. prime numbers must be large. Issue 1: How to test if a large number is prime?
Issue 2: What is the probability that a large number be prime?
Computing R. O(ln(p)ln(q)). Polynomial time. Selecting n. n must be odd. Issue: Probability(gcd(n,phi(R)) = 1)?
phi(phi(R))/phi(R). Computing m. O(ln(phi(R))2). Polynomial time.
![Page 21: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/21.jpg)
RSA operations - efficiency
Coding computation: polynomial time.
Encryption: fn(M) = Mn mod R. O(ln(n) ln(R)2) polynomial time.
Decryption: fm(E) = Em mod R. O(ln(m)ln(R)2) ~ O(ln(R)3) – polynomial time.
![Page 22: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/22.jpg)
RSA security
Use the factorization of R to compute phi(R) in polynomial time in the length of R. From phi(R) and fn compute fm in polynomial time in the length of phi(R).
Issue: How hard is it to factor R? The best factoring algorithms (Lenstra’s Number Field Sieve) has super polynomial time LR(1/3,c) for some constant c. This is subexponential.
Fermat factoring [Stopped here: Sept 24] Pollard p-1 method
![Page 23: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/23.jpg)
RSA signature issues
If enough small primes have been signed, these can be used to construct forged signatures on specific messages.Example
If items signed are first padded, and n is small, certain signatures can be forged.
![Page 24: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/24.jpg)
El-Gamal crypto system
(G,*): a finite group, g: element of large order.
Private key: a natural number N < |<g>|.
Public keys: G, g and y (=gN)
Coding function: A bijective function F which maps messages in ordinary text into G.
![Page 25: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/25.jpg)
Alice encrypts for Bob
Compute M:= F(message) Choose a random natural number R<|<g>| Compute: z:= yR and d:=gR in G. Compute E:=M*z in G. Send (E,d) to Bob.
![Page 26: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/26.jpg)
Bob Decrypts
Compute x = dN.
Compute the inverse, X, of x in G.
Compute D:= X*E in G.
Compute the inverse of F’s value on D.
![Page 27: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/27.jpg)
Signature Schema
Items to be signed: elements of {0, 1, …, |G|-1}.
Given: Bijection f from G to {0, 1, … , |G|-1}.
The public signature key is (G,g,y,f)
![Page 28: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/28.jpg)
Bob signs m
Choose a random number k in {1, …, |G|-1}
Compute t = gk
Compute a solution, s, to the equation m = N f(t) + sk mod |<g>|
The signature is (t,s)
![Page 29: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/29.jpg)
Alice verifies Bob’s signature
Verify that both y and s are less than |<g>|.
Then verify if yf(t)ts (= g Nf(t) + sk) = gm
If both are true: Accept (t,s) as signature of the owner of public key (G,g,y) on m.
![Page 30: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/30.jpg)
Classical El-Gamal
Choose a large prime number p. Put G = {1,2, …, p-1} with operation
multiplication mod p. NOTE: |G| = p-1. Choose a primitive root g of p. Choose N in {1,2,…,p-1} randomly. This
specifies the private key. Compute y = gN mod p Coding Function: ASCIIPad
![Page 31: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/31.jpg)
El-Gamal key generation
Selection of prime numbers. Issue 1: How to test if a large number is prime? Issue 2: probability that a large number is prime?
Selection of a primitive root. Theoretical estimate: There are primitive roots < p¼ + o(1). Exhaustive search can be exponential time (O(e(¼+o(1)) ln(p))). ERH implies: Least primitive root is O(ln(p)6). Issue: How to test if g is a primitive root of p?
Selecting N. N must be large, but not easy to guess. Issue: What is a good way to choose N “randomly”?
Computing y. O(ln(p)2). Polynomial time in length of p.
![Page 32: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/32.jpg)
El-Gamal operations
Encryption: z and d: O(ln(p)2) – polynomial time. E: O(ln(p)2) - polynomial time.
Decryption: x = yN mod p: O(ln(p)2) – polynomial time.X= x-1 mod p: O(ln(p) 2) – polynomial time. X*E mod p: O(ln(p)2) – polynomial time.
![Page 33: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/33.jpg)
El-Gamal Security level
For discrete logarithms in this group:super polynomial time Lp(1/3,C), some constant C.
This is subexponential, and compares to the estimates for factoring classical RSA moduli
Hellman-Pohlig-Silver Algorithm [Stopped here: Sept. 25 (no signatures)]
![Page 34: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/34.jpg)
Classical El-Gamal signatures
To sign message m: Choose, randomly, k with 0 < k < p-1. Compute t = gk mod p. Solve m = Nt+ks mod (p-1) for s Signature is (t,s)
NOTE: s = (m- Nt)/k mod (p-1) if gcd(k,p-1) = 1.
![Page 35: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/35.jpg)
Security threats for signatures
1. Hellman Pohlig Silver algorithm.
2. Covert channels used to leak private keys.
3. Signature trapdoors by the key designers.
4. Careless choice of the primitive root.
![Page 36: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/36.jpg)
a = x2 mod p, p prime and 0 < a<p:
Definition: a is a quadratic residue of p if a = x^2 mod p
has a solution. Else, a is a non-quadratic residue of p.
Definition: Legendre(a,p) = 1 if a is a quadratic residue of p, -1 otherwise.
![Page 37: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/37.jpg)
Quadratic Reciprocity
Theorem: If Legendre(a,p) =1 then a = x^2 mod p has exactly two solutions. If p mod 4 =3, then exactly one of these two solutions is also a quadratic residue of p.
Theorem [Quadratic Reciprocity] For odd prime numbers p and q,Legendre(p,q)*Legendre(q,p) = (-1)(p-1)(q-1)/4
![Page 38: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/38.jpg)
Solving a = x2 mod p
Theorem [Euler] If p mod 4 = 3 and Legendre(a,p) = 1, then b = a(p+1)/4 mod p solves a = x2 mod p, and b is a quadratic residue for p.
For p mod 4 =1, the Tonelli-Shanks algorithm can be used to compute solutions when they exist. This algorithm depends on finding first a quadratic nonresidue of p.
Theorem For each M there are infinitely many primes p such that M < least quadratic nonresidue of p < p-M
Theorem For each prime p, the least quadratic nonresidue of p is below 1 + p1/2.
Theorem [ERH] For each prime p there is a quadratic nonresidue of p of size O(ln(p)2).
![Page 39: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/39.jpg)
Tonnelli-Shanks algorithm
1. Given a quadratic nonresidue, the algorithm finds a square root in time O(ln(p)4).
2. There is no known deterministic polynomial time algorithm for finding a quadratic nonresidue.
3. For each e>0 there is a polynomial time algorithm that finds a nonresidue with probability > 1-e:a. Randomly choose n<p [50% chance nonresidue]. b. Check in O(ln(p)3) time if n is a nonresidue.
This is a non-deterministic polynomial time algorithm. ERH indicates a deterministic polynomial time algorithm.
![Page 40: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/40.jpg)
Elliptic Curves over Zp, p>3
Consider equations of form
y2 = x3 + ux2 +vx +w and u, v, w in Zp Examples over real line
With appropriate substitutions equivalent to:
E: y2 = x3 + a*x + b, and a, b in Zp .
If 4a3+27b2 mod p is nonzero we say: “E is an elliptic curve over Zp”.
![Page 41: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/41.jpg)
E/Zp for 4a3+27b2 mod p nonzero
Solutions in Zp x Zp of E: y2 = x3 + ax + b, and a, b in Zp, together with extraneous point O is denoted E/Zp.
There is an Abelian group operation on E/Zp.
For A = [x1,y1] and B = [x2,y2] in E/Zp define:If A = B: L = (3x1
2 + a)/2y1
Else: L = (y2-y1)/(x2-x1)
![Page 42: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/42.jpg)
Group operation
A+O = A = O+A
If x1 = x2 but y1 is not y2: A+B = O.
Else: A+B = [x3,y3] wherex3 = L2 – x1 – x2.y3 = y1 – L(x1 – x3).
![Page 43: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/43.jpg)
Trace of Frobenius
t = || E/Zp | - (p+1)|Definition: If t = 1: E/Zp is anomalous.
If t mod p = 0: E/Zp is supersingular.
Theorem[Hasse] t < 2sqrt(p)+1.
Theorem:
1. p mod 4 = 3: E/Zp supersingular exactly if b = 0.
2. p mod 4 = 1: E/Zp supersingular exactly if a = 0.
![Page 44: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/44.jpg)
The structure of E/Zp
Theorem E/Zp is isomorphic to Zd x Ze where d divides gcd(e,p-1). (d = 1 is possible).
Definition E/Zp[m] = {a in E/Zp:m*a = O}.
Theorem If m mod p > 0 then E/Zp[m] is isomorphic to Zm x Zm.
![Page 45: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/45.jpg)
Computational Complexity and E/Zp
Group operation: O(ln(p)2) – polynomial time
Group order: O(ln(p)8) – polynomial time(Schoof’s algorithm)
Finding a point in E/Zp : Opr(ln(p)4) – probabilistic polynomial time
Examples
![Page 46: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/46.jpg)
Discrete logarithms and E/Zp
Anomalous: O(ln(p)) – polynomial time.
Supersingular: Lk(1/3, c) wherec = (64/9)1/3) and k = pn, some “small” n.Subexponential but superpolynomial time.
General: O(eCln(p)) – exponential time.
Hellman-Pohlig-Silver algorithm also applies to E/Zp.
![Page 47: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/47.jpg)
Koblitz embedding for E/Zp
Probabilistic parameter k: 30 < k < 51 Embedding F into Zp: range-values below p/k To embed m: Search x in [mk,(m+1)k) with
[x,y] in E/Zp for some y. This is image of m. Probability of failure about (1/2)k.
![Page 48: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/48.jpg)
Recovering m from Koblitz point
m = floor(x/k).
.
![Page 49: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/49.jpg)
El-Gamal on Elliptic Curve Groups
Public Key: E/Zp, g in E/Zp, y (= N*g)
(Specify p, a, b for E/Zp)
Private Key: N with 0 < N < |<g>|
![Page 50: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/50.jpg)
EC El-Gamal Key Generation
Selection of prime number p Selection of parameters a and b Selection of point g: Opr(ln(p)4) Selection of private key N Computation of y: O(ln(N)ln(p)3)
![Page 51: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/51.jpg)
EC-El Gamal Crypto-computations
Coding function: Opr(ln(p)4)
All other computations: O(ln(p)4) or better.
Example
![Page 52: Cryptology Marion Scheepers Boise State University Boise , Idaho Sept 24 – 26, 2002](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815a17550346895dc75f79/html5/thumbnails/52.jpg)
EC-El Gamal vs RSA Security Level
General Elliptic curves E/Zp: O(eCln(p)).
General RSA parameter R: LR(1/3,c).
From Cln(p) = c(ln(R))1/3(ln(ln(R)))2/3:
Consider the graph of y3 = kxln(x)2