elliptic curve. p2. outline ec over z p ec over gf(2 n )
Post on 20-Dec-2015
222 views
TRANSCRIPT
Elliptic Curve
p2.
Outline
EC over Zp
EC over GF(2n)
EC over Zp
p4.
Let a, b in Zp and 4a3+27b2!=0 mod p
Define:
where O is an identity point at infinity Ex:
{O}} xxy:Zy){(x,)( 322p, baZE pba
Elliptic Curve Over Zp (P>3):
}{}:),{()(
0 ,1 ,23322
23230,1 OxxyZyxZE
bap
p5.
Define operation +
Assume
define P+Q:
)Z(E)y,x(Q),y,x(P pb,a 2211
PPOOPOQP then ,yy and xx if
1212
Elliptic Curve Over Zp (cont.)
P
-P
p6.
QPif,y
ax
QPif,xx
yy
wherey-)x-(xy
x-xx
)y,x(QP otherwise, )y,(xQ),.y(xP
2
1313
212
3
3
2211
1
21
12
1
3
23
Elliptic Curve Over Zp (cont.)
PQ
P+Q
)'y,x( 33
)y,x( 33
y
ax'yax'yybaxxy
23
322
232
p7.
0
02
321
2223
32
32
)xx)(xx)(xx(
)b(x)a(x)(x
baxx)x(
baxxy
xy
Elliptic Curve Over Zp (cont.)
13133
1133
13
13
212
3
2321
y)xx('yyy)xx('y
xx
y'yxxx
)xxx(
Comparing coefficient of x2 :P
Q
P+Q
)'y,x( 33
)y,x( 33
p8.
Example: 0123 b,a,p
}O{}xxy:Z)y,x{()Z(E b,a 3222323
P
-P
Q
P+Q
p9.
Hasse’s Theorem
Over a finite field Zp , the order of E(Zp) is denoted by #E(Zp).
Hasse’s Theorem
p+1-2p0.5 <= #E(Zp) <= p+1+2p0.5
p10.
Theorem (Group structure of E(Zp) )
Let E be an elliptic curve defined over Zp
and p>3. Then there exist positive integers
n1 and n2 such that (E,+) is isomorphic to
Zn1 x Zn2. Further, n2|n1 and n2|(p-1).
p11.
Define a singular point on elliptic curves: We write the equation as the form:
If there exists a point , which is on the curve, and such that
then we call P is a singular point on the curve.
baxx)x(fre whe)x(fy)y,x(F 32
02
0
0
0
yPy
F
)x('fPx
F
)y,x(P 00
yy
))x(fy(
y
F
)x('fx
))x(fy(
x
F
22
2
}O{}baxxy:Z)y,x{()Z(E ppb,a 322
p mod ba 0274 23 The reason for
)y,x(P 00
p12.
The singular point on the curve will make the tangent line at that point not well-define.
---destroy the group structure on the elliptic curve.
Py
F
Px
F
y
)x('f
y
ax
baxxycurve the on )y,x(P 2
1
1
1
21
311
223
)x(xy 122 32 xy
)y,x( 00 )y,x( 00
p13.
Lemma:If there is a singular point on is a double root of pf:
f(x) of rootdouble a is x
)x(fy
)x(fycurve the on point a also is P because and
yyPy
F
)x('f)x('fPx
F
)x(fycurve the on point singular a is )y,x(P
)(
0
0
2
2
0
002
00
02
00
00
00
)x(fy 2
)y,x(P 00
)x(f0x
p14.
)x(fycurve the on point singular a is P
yPy
Fy)x(fy
curvethe in point a is P because
)x('fPx
F
0)(xf')f(x
f(x) of rootduble a is x)(
2
0
00
02
00
0
0
002
0
0
p15.
02744
272
3
22
3
2
222
20222
2332
23
31
31
21
12
122
1
112
1212
1
1221
22
1212
12
213
22
1
3
baa)b
(a)b
(
bxbx
ax
b)x(xbxx
a)x(xxaxxx
xxxx
)xx(x)xxx(x)xx(x
)xx()xx(
baxx
Consider f(x) has a double root x1 and another root x2:)x(fbaxxy 32
p16.
Example:Find all (x,y)’s and O:1.fix x and determine y.2. O is an artificial point.12 (x,y) pairs plus O andhave #E=13
{O}} 6xxy:Zy){(x,)(Z 32211116,1 E
9,2410
79
8,398
9,247
86
9,245
84
6,533
7,452
81
60
res? quad63
yes
no
yes
yes
no
yes
no
yes
yes
no
no
yxxx
p17.
There are 13 points on the group E1,6(Z11) and so any non-identity point (i.e. not the point at infinity,
noted as O) is a generator of E1,6(Z11) . Choose generator α=(2,7).
α=(2,7) 2α=(5,2) 3α=(8,3) 4α=(10,2) 5α=(3,6) 6α=(7,9) 7α=(7,2) 8α=(3,5) 9α=(10,9) 10α=(8,8) 11α=(5,9) 12α=(2,4) 13α=O
p18.
Recall the ElGamal encryption scheme
Parameters p : a large prime α: a primitive number in GF(p) a : a private key, a [1, p-1] β : a public key , β = αa (mod p) m : a message to be signed , m [1, p-1] k : a random integer that is privately selected, k [0,
p-2] K = (p, α, a, β) : public key + private key
Encryption eK(m, k)=(y1, y2)
where y1 = αk mod p and y2=mβk mod p Decryption
m = dK(y1, y2) = y2(y1a)-1 mod p
p19.
Let’s modify ElGamal encryption by using the elliptic curve E1,6(Z11).
Suppose that α=(2,7) and Bob’s private key is 7,
so β= 7α=(7,2) Thus the encryption operation is eK(x,k)=(k(2,7), x+k(7,2)),
where x is in E and 0<=k<=12, and the decryption operation is
dK(y1,y2)=y2-7y1
p20.
Suppose that Alice wishes to encrypt the plaintext x=(10,9) (which is a point on E).
if she chooses the random value k=3, then y1=3(2,7)=(8,3) and
y2=(10,9)+3(7,2) =(10,9)+(3,5)=(10,2)
Hence y=((8,3),(10,2)). Now, if Bob receives
the ciphertext y, he decrypts it as follows: x=(10,2)-7(8,3) =(10,2)-(3,5) =(10,2)+(3,6) =(10,9).
EC over GF(2n)
p22.
Galois Field
Z2[x] is the set of polynomials with coefficient
over Z2 and p(x) is an irreducible polynomial of
degree n in Z2[x]. Ex:
has elements {0,1,x,x+1 ……..,x3+x2+x+1}.
)(/][)2( 2 xpxZGF n
1)(,4 4 xxxpn
)(/][)2( 2 xpxZGF n
p23.
The elements of Z2[x]/x4+x+1 :
0 x9=x8x=x3+x x0 = 1 x10=x9x=x4+x2=x2+x+1 x1 = x x11=x10x=x3+x2+x x2 = x2 x12=x4+x3+x2=x3+x2+x+1 x3 = x3 x13=x4+x3+x2+x=x3+x2+1 x4 = x4=x+1 x14 =x4+x3+x=x3+1 x5 = x4x=x2+x x15 =1=x0
x6 = x5x=x3+x2
x7 = x6x=x4+x3=x3+x+1 x8 = x7x=x4+x2+x=x2+1
x is a generator.
p24.
GF(2n) in Vector Form
Rewrite a3x3+a2x2+a1x1+a0x0 in vectorform (a3a2a1a0) , g=x is a generator.
(0000)0
g1 = (0010)x
g2 = (0100)x2
g3 = (1000)X3
g4 = (0011)x+1
g5 = (0110)x2+x
g6 = (1100)x3+x2
g7 = (1011)x3+x+1
g8 = (0101)x2+1
g9 = (1010)x3+x
g10 = (0111)
x2+x+1
g11 = (1110)
x3+x2+x
g12 = (1111)
x3+x2+x+1
g13 = (1101)
x3+x2+1
g14 = (1001)x3+1
g15 = (0001)
1
jijij
i
jiji
gggg
g
ggg
note
:
p25.
Elliptic Curve over GF(2n)
Over GF(2n) , Elliptic Curve can be written in the form:
Points on Elliptic Curve E/ GF(2n) :
0 , : 232 bbaxxxyyE
}{}),2(,|),{(
))2((232 ObaxxxyyGFyxyx
GFEn
n
O is an identity point at infinity
p26.
Example (1)
1)(, 4 xxxp)(/][)2( 2 xpxZGF n
1 : 2432 xgxxyyE
)0001(1
)0011(0
4
g
g
p27.
Example (1)
3 2 5 3 5 3 4 5 2
6 8 15 14 0
( ) ( ) ( ) 1g g g g g g
g g g g g
1100+0101=0001+1001+0001
1001=1001
( , )x y
baxxxyyE 232 :),(),( 35 ggyx
(0001) g1 = (0010)
g2 = (0100)
g3 = (1000)
g4 = (0011)
g5 = (0110)
g6 = (1100)
g7 = (1011)
g8 = (0101)
g9 = (1010)
g10 = (0111)
g11 = (1110)
g12 = (1111)
g13 = (1101)
g14 = (1001)
g15 =g0 (0001)
p28.
Adding Formula
O(-P)P
)(P- ; ))2(( P 111 11
x,yxthenGF E),y (xLet n
Def:
Define P+Q :
), where,y(xQ then P
andGFEyxIf n
33
22 -PQ ))2((),(Q
, O is an identity point at infinity
)(
a
1313
212
3
3 yxxxy
xxx
{
QP ,
QP ,
1
121
12
12
x
yx
xx
yy
Go
Go Go
p29.
Example (2)
1 : 2432 xgxxyyE
)(
g
13133
2142
3
yxxxy
xxx
,
1110
1101
),,(),,(
211
13
35
83
8335
gg
g
gg
gg
QPFindggQggPLet
(0001) g1 =
(0010)g2 =
(0100)g3 =
(1000)
g4 = (0011)
g5 = (0110)
g6 = (1100)
g7 = (1011)
g8 = (0101)
g9 = (1010)
g10 = (0111)
g11 = (1110)
g12 = (1111)
g13 = (1101)
g14 = (1001)
g15 =g0 (0001)
p30.
Example (2)
2 2 2 3 5 43
4 9
2 3 9 9 83
10
( )
2 0100 1000 0110 1010
( )
(0100)(1000 1010) 1010 0101
1000+1111=0111=
x g g g g g
g g
y g g g g g
g
(0001) g1 = (0010)
g2 = (0100)
g3 = (1000)
g4 = (0011)
g5 = (0110)
g6 = (1100)
g7 = (1011)
g8 = (0101)
g9 = (1010)
g10 = (0111)
g11 = (1110)
g12 = (1111)
g13 = (1101)
g14 = (1001)
g15 =g0 (0001)
p31.
baxxyxxyyxx
baxxyxxyx
yxxQ
baxxyxy
GFEyxP n
21
3111
21
2111
21
21
31111
211
111
21
3111
21
11
2
)()(
),(
))2((),(
Check –P is on Curve.
Back
:232 baxxxyy
E
p32.
111333
11311313
1
212
3
212
32
321
22223
232
232
)('
)()(''
0.....
)()(
xyxxyxy
yxxyxxyxx
yy
xxax
xxaxaxxx
axxxx
baxxxxx
baxxxyy
xy
Back
(x1,y1)
(x2,y2)
(x3,y3)
(x3,y’)
p33.
The Slope when P=Q
x
yx
xy
yaxxy
yaxxxyy
axxyxyyy
22
2
2
2
23'
23)2('
23''2
: 232 baxxxyyE
Back