1

CDH/DDH-Based Encryption

K&L Sections 8.3.1-8.3.3, 11.4.

2

{ }0 1 2 1

A finite group of order is if it has an element of .

In this case, , , , , ; is said to be

gener

ated by , and is a .

In any

cyclic

generato

r

Cyclic groups

q

G q g q

G g g g g g G

g g

−=

•

•

=

{ }0 1 2 1

group (not necessarily finite or cyclic), if is an element

of finite order , then , , , ,

is a cyclic group of order .

Note: in general, denotes the subgroup generated by

q

g

q g g g g g

q

g

−

•

=

mod

.

Note: we implicitly assume multiplicative groups, and will write t

Recall: For

he identity of t

any element

he group

,

as 1.

. m Gma G a a

g

∈

•

=•

3

{ }0 1 2 1

Let be a group of order , and let be any generator.

So, , , , ,

For any , there is a unique such that .

cyclic

This in

Discrete logarithm problem (DLP)

xq

q

G q g

G g g g g

gh G x h

g −= =

∈ ∈

•

=•

( ) ( ) ( )1 2 1 2

discrete logarithmlo

teger is called the (or index) of with respect to base . We write .

Standard logarithm rules still hold: log 1 0,

log log log mod , log l g m

o

g

g

kg

g

g g g g

x hg

h h h h q

h

h k h

x=

=

⋅ = + =

•

od .

The DLP in with base is to compute log for any . g u

q

G g h h G←•

4

{ } { }{ }

*

*

*

0 1 2 2*

1

If is prime, then is a cyclic group of order 1.

Let be any generato

Theor

r of .

1, 2, , 1 , , ,

em:

, .

, ,0 , , .

2 2

DLP:

1

DLP in

p

p

p

p

p

p

p p

g

p g g g g

p

−

−

−

=• −

=

•

•

•

−

=

( )( )

*

g

*

lo

given , compute .

There is a subexponential-time algori

Index Calculu

thm for DLP

s

in

, 2 , where log .

p

O n n

p

xg

O

x

n p

•

∈

=

5

{ }* 0 1 2 2

*

0 1 2

, , , , ,

where is a large prime, and is a generator.

A subgroup of of prime order ,

,

//less

,

secu

,

re /

/

,

Frequently used groups p

p

p

qq

g g g g

p g

q

G α α α α α

−

−

• =

•

= =

{ }1 *

* ( 1)/

,

where is an element of prime order (e.g. ).

The doesn't work.

Elliptic curves defined over finite field //increas

In

s.

In these

i

gro

ngl

dex Calculus

y popular

up

//

s

p

p qp q gα α −

⊂

∈ =

•

•

, there is no polynomial-time algorithm known for DLP.

6

{ }

*19

* 0 1 2 1719

0 1 2 3 4 5

6 7

2

2

2

{1, 2, ..., 18}.

2 is a generator. 2 2 , 2 , 2 , , 2 .

2 1, 2 2, 2 4, 2 8, 2 16, 2 13, 2 7, 2 14, log 7 6log 14 7log 12 ?

Example 1

G = =

= =

= = = = = =

= ====

7

{ }

{ }

*11

5

*5 11

3

3

1, 2, , 10 .

3 = 1, 3, 9, 5, 4 .

3 is a generator of , but not a generator of .log 5 3log 10 not defined

Example 2

G

G

G Z

= =

=

==

8

DLP in the additive group .

Every 0 coprime to is a generator.

DLP: given , compute .

Example 3

N

Ng N

k g k

≠ ∈

⋅

9

( )

1

1

RSA

RSA

RSA

RSA is a one-way function: (easy)

(difficult)

trapdo

( is a trapdoor)

Expon

or

RSA vs. Discrete Logarithm

e

e

de

x x

x x

x x d

−

−

•

→

←

←

•exp

log

etiation is a one-way function :

(easy)

(difficult)

An encryption

without a tr

scheme based

apdoor

on the difficulty of discrete log

g

g

x

x

x g

x g

→

←

•

will simply encrypt as .not xx g

10

{ }{ }

( )

0 1 2 1 , , , , , a cyclic group of order .

, , , , .

Alice and Bob wish to set u

0 1 2 1

secretp a key. 1. They agree on , , .

2. Alice B

Diffie-Hellman key agreement q

q

G g g g g q

G

q

g q

−

−

• =

=

•

→

( )

ob: , where .

3. Alice Bob: , where .

4. The agreed-on key: .

Remark: in practice, , , is standardized, and there is a mapping between bit strings and the eleme

xu q

yu q

x y

g x

g y

g

G g q

⋅

←

← ←

•

nts of .G

11

{ }{ }

0 1 2

*

2*

1 0 1

, , , , , a large prime.

, , , , .

Alice and Bob wish to set up a key. 1. Alice and Bob agree on a large p

2 2

secret

Diffie-Hellman key agreement using p

p

p

pg g g g

p

p−

− −

• =

=

•

*

1

1

rime and a generator . ( )

2. Alice Bob: mod , where .

3. Alice Bob: mod , wher

, , not secret

e .

4. They agree on the key: mod .

p

xu p

yu p

xy

pg

g p x

g p y

g

p g

p

−

−

∈

→ ←

← ←

12

{ }{ }

0 1 2 1 , , , , , a cyclic group of order .

, , , , .

Computational Diffie-Hellman Problem: given , , where

(

C,

D

0

H, compu

1

t)

e

1 2

Diffie-Hellman problemsq

q

x y xu q

q

G g g g g q

Z

g g G x y Z g ⋅

−• =

=

•

−

∈ ←

.

Decisional Diffie-Hellman Problem: given , , , where , , and

with probability 1 2

a random element in with probability 1 2

determine if

(DDH

.

)

y

x yu q

x y

x y

g g h G x y Z

gh

G

h g

⋅

⋅

•

∈ ←

=

=

13

*

DDH CDH DLP.

Open question: Is CDH DLP?

There are example of groups (e.g., ) in which

CDH and DLP are believed to be hard, but DDH is easy.

Relationships between DDH, CDH, DLP

p

• ≤ ≤

• ≥

•

14

{ } { }

( ) ( )

0 1 2 1

, , , , , , , , , .

Keys: , , , , , , , where , .

To encrypt a message :

Use Diff

0 1

ie-H

2 1

ellman agreemen

ElGamal encryption schemeq

x

q

q

G g g q

sk x pk

g g

G g q G g q xh

G

h g

m

−= =

• ←

−

= = =

• ∈

1 2 2 1

t to set up a "key" by choosing and computing : ( ).

Use to encrypt as .

The ciphertext is , , .

Decryption: ( , ) .

y x yu q

y y y

xsk

k Gy k h g

k m k m G

g k m g h m

Dec c c c c

⋅

−

∈

← = =

⋅ ∈

⋅ = ⋅

• = ⋅

15

*

*

1

1. Key generation (e.g. for Alice): choose a large prime and a generator ,

where 1 has a large prime factor. randomly choose a number and co

ElGamal encryption in p

p

p

p gp

x −

• ∈

−

• ∈

*1

1 2 2 1*

mpute ;

let ( , , ) and ( , , ).2. Encryption: ( ) ( , ), where , .

3. Decryption: ( , ) .

4. Remarks: Multiplications are done in , . ., mod

x

y ypk p u p

xsk

p

h gp g p gEnc m g h m m y

D c c c

sk

ci

k

e

x p h

−

−

=

• = =

= ⋅ ∈ ←

= ⋅

ulo .

The encryption ra nsc doheme mize is d.

p

16

If the DDH problem is hard, then

the ElGamal encryption scheme is CPA-secure.

ElGamal encryption is n

homomorphic and thus CCA-s

The

ecure.

orem:

ot

Security of ElGamal encryption

•

•

17

( )

ElGamal enc

A function : is if ( ) ( ) ( ).

( ) ( ) ( ), in the following sense:

ryptio

h

n

If ( ) ,

is homo

o

m

an

or

momor

phic

p ic

,

h

d

Homomorphism of ElGamal encryption

y y

f G G f xy f x f y

E mm E m E m

E m g mh

′• → =

′ ′• = ⋅

= ( )( ) ( )( )( )

( ) , , then

( ) ( ) , ,

,

,

is a valid encryption of .

y y y

y y

y y y y

y y y y

y

E m g m h

E m E m g mh g m h

g g mh

mm

m

h

h

m

m

g ′ ′+

′ ′

′ ′

′ ′

+

′ ′=

′ ′⋅ =

=

=

′

′

′

⋅

18

Elliptic Curve Cryptography

K&L Section 8.3.4

A field, denoted by ( , , ), is a set with two binary operations, and , such that 1. ( , ) is an abelian group (with identity 0). 2. ( \{0}, ) is an abelian group (with identy 1).

FieldF F

FF

• + ×+ ×

+×

1

3. For all elements , 0 0 0. 3. , , , ( ) (distributive).

Example fields: ( , , ), ( , , ), ( , , ).

( , , ) is not a field, because (except for 1).

For

a F a ax y z F x y z x y x z

z z−

∈ × = × =∀ ∈ × + = × + ×

• + × + × + ×

• + × ∉ =

•

any prime , ( , , ) is a field, denoted as .p pp F+ ×

20

3

3

2

2 3 An is a curve given by

It is required that the discrimin

elliptic c

ant =4 27 0. When 0, the polynomial

urve

The equation of an elliptic curve

x axa b

y x ax b∆ + ≠

∆ ≠

•

•

+ +

= + +

has distinct roots, and the curve is said to be nonsingular. For reasons to be explained later, we introduce an

additional point, , call the point at infinityed , so the elliptic curve

0

O

b =

•

{ } { }2 3

is the set

( , ) :E x y y x ax b O= = + +

21

{ } { }

{ } { }

{ } { }

2 3

2 3

2 3

We are often interested in points on the curve of specific coordinates:

( ) ( , ) :

( ) ( , ) :

( ) ( , ) :

( ) ( , ) :

E x y y x ax b O

E x y y x ax b O

E x y y x ax b O

E x y

•

= ∈ × = + +

= ∈ × = + +

= ∈ × = + +

= ∈ ×

{ } { }

{ } { }

2 3

2 3

( ) ( , ) : p p p

y x ax b O

E F x y F F y x ax b O

= + +

= ∈ × = + +

22

2 3: 4 Examp

(le:

, ) E y x x x y= − ∈

23

Amazing fact: we can use geometry to make the points of an elliptic curve into a group.

Suppose . Then def

ine .

Making an elliptic curve into a group

P Q P Q R

•

• ≠ + =

P

Q

R

-R=R’

24

Suppose . Then define

2 .P Q

P Q P R=

+ = =•

P=Q

R=2P

-R

25

What if ( , ), ( , ), so that is vertical? In this case, we define .

This is why we added the extra point into the cu e

rv .

P x y Q x y PQP Q O

O

• = = −+ =

•

P=(x,y)

-P=(x,-y)Q=(x,-y)

26

Now having defined for , , we still need to define .

Let play the role

of identity, and define .

Now every point ( , ) has an inverse: ( , ).

P Q P Q OP O

OP O O P P

P x y P x y

+ ≠+

+ = + == − = −

•

•

•

P=(x,y)

-P=(x,-y)

27

The addition law on has these properties: 1. for all . 2. ( ) for all . 3. ( ) ( ) for all , , . 4. for all

The

( ( )

, .

That , )

ore

fis

m.

,

EP O O P P P EP P O P EP Q R P Q R P Q R EP Q Q P P Q E

E

+ = + = ∈+ − = ∈+ + = + + ∈+ = +

+

∈

•

All of these properties are trivial to check except the associative law (3), which can be verified by a lengthy computation usin explicit formul

orms an a

g , or by

belian grou

using m

as

p.

ore

•

advanced algebraic or analytic methods.

28

1 1 22 3

3 3

23 1

2

1 21 1

1

2

3 1 3

2

1

( , ), ( , ), . .

The curve : .

The line :

( , )

( )

, where

and

Formulas fo

.

r Addition on

E

y x ax b

y x

P x y Q x y P Q R P Q x y

x x xy x x

E

PQy y y x

y

x x

λ

λ

λ ν λ

ν

λ

= = ≠

•

=• + =

= − −=

−=

= + +

= −−

•

=

− −

•

+

P

Q

R

-R=R’

29

P=Q

R=2P

-R

3 3

23 1

1 1 1

21

1

3 1 3 1

If ( , ), with 0, and2 , th en

( , )

2

3

(

2

)

P Q x y yP Q P

x ay

R x y

x xy x x y

λ

λλ

= = ≠•

= −= −

= =

+=

−

+ =

30

2 3: If and are in a field and if and have coordinates

in , then and 2 as computed by the formulas also have coordinates in

.

, or equal .Thu

s

An important fact

Ea b K P QK P Q P

K

y x x b

O

a• = + +•

•

+

, we can use the same addition laws to make the points of an elliptic curve over a finite field into a group, even

though the addition laws will no longer have the geometric interpretation

pF

s.

31

2 3

Let be a field, and suppose that an elliptic curve is givenby an equation of the form : with , .Let ( ) denote the set of points of with coordi

Theorem (Poincare, 19 ) 00K E

E y x ax b a b KE K E

= + + ∈

≈

{ } { }

nates in ,plus , ( ) ( , ) : , .Then ( ) is a group.

KOE K x y E x y K O

E K= ∈ ∈ ∪

32

{ } { }

2 3

2 3

: with , .

Let ( ) denote the set of points of with coordinates in ,plus ,

( ) is isomorph

( ) ( , ) :

An amazing fact: ic

What does ( ) look like?

E y x ax b a b R

E E CO

E x y C C

E

y x ax b O

E C

= + + ∈

= ∈ × = + + ∪

to a torus.

33

34

{ } { }

2 3

3 2

2 3

2 323

Equation: over

where 3, , , 4 27 0 (mod ).

( , ) :

: over Example:

Elliptic curves defined over

p

p

p p

p

y x ax b F

p a b F a b p

E x y F F y x ax b O

E y x x F

F

= + +

> ∈ + ≠

= ∈ × = + + ∪

= +

35

2 311

113

211

11

: 6 over

To find all points ( , ) of ,for each , compute

6mod11 anddetermine whether is aquadratic residue. If so, solve in .

( ) 13.

ExampleE y x x F

x y Ex F

z x xz

y z FE F

= + +

∈

= + +

=

= 9,241079

8,3989,247

869,245

846,5337,452

8160

res? quad63

yesnoyesyesnoyesnoyesyesnono

yxxx ++

36

( )2 2

2211

1

There are 13 points in the group.

So, it is cyclic and any point other is a generator.

Let (2,7). We can compute 2 ( , ) as follows.

3 2 13 13 2 3 2 4 8 ( mod2 2 7 14

Example (continued)

O

x y

x ay

α α

λ −

= =

++= = = = × = × =

×

( ) ( )( )

222 1

2 1 2 1

11)

2 8 2 2 5 ( mod11)

( ) 2 5 8 7 2 ( mod11)

2 (5,2)

x x

y x x y

λ

λ

α

= − = − × =

= − − = − × − =

=

37

( )

3 3

2 1

2 12 2

3 1 2

3 1 3 1

Let 3 ( , ). Then,2 7 2 ( mod11)5 2

2 2 5 8 ( mod11) ( ) 2 8

Ex

2 7 3 ( mod11)

(2,7) 2 (5,2) 3 (8,3)4 (10,2) 5 (

ample (continued

3,6) 6 (7,9)7 (7,2) 8 (

)x y

y yx x

x x xy x x y

α

λ

λλ

α α αα α αα α

=− −

= = =− −

= − − = − − =

= − − = − × − =

= = == = == = 3,5) 9 (10,9)

10 (8,8) 11 (5,9) 12 (2,4)

13 12 2 11 3 10 ?

αα α α

α α α α α α α

== = =

= + = + = + = =

38

Hasse's Theor

Determining ( ) is an important problem,

called point counting.

1 2 ( ) 1 2 .

There are polynomial time algorithms that

precisely determi

m:

e

e

n

Point Counting

p

p

E F

p p E F p p+ − ≤ ≤ + +

•

•

•

( ) .

In practice, ( ) of prime order is used.

p

p

E F

E F q•

39

{ }0 1 2 1 Let , , , , be a group of order .

DLP in : given an element , find the

unique exponent such that .

DLP in - reviewedq

xq

g g g g g q

g h g

x h

g

g

−• =

• ∈

∈ =

40

{ }

Consider an elliptic curve group ( ).

Let ( ) be a point of large prime order .

0 , 1 , 2 , , ( 1) is a subgroup of ( ).

ECDLP : given

Elliptic Curve Discrete Logarithm Problem

p

p

p

E FG E F q

G G G G q G E F

•

•

•

•

∈

= −

a point , find the unique multiplier such that .q

H Gx xG H

∈

∈ =

41

Alice Bob

Alice Bob Agreed key:

Alice Bob

Diffie-Hellman key agreement

Elliptic Curve Diffie-Hellman

a

b

g

g

ab

aG

g

→

←

→

Alice Bob Agreed key:

bG

abG←

42

Alice and Bob wish to agree on a key. 1. Alice and Bob agree on an elliptic curve ( )

and a point on the curve of large p

secret

rime order

Elliptic Curve Diffie-Hellman key agreement

pE FG

•

. 2. Alice Bob: , where .

3. Alice Bob: , where b .

4. They agree on the key , which is a point on ( ).

They can now use ( ), the -coordinate of , as a secret

u q

u q

p

qaG a ZbG Z

E F

x abG

G

x

a

abG

b

→ ←

← ←

•key for, for example, a symmetric encryption

scheme.

43

Key lengths recommended by NIST

Effective key length n: brute-force search against an n-bit symmetric key encryption scheme