
Fundamentals of Cryptography: An Interactive Tutorial

This document provides an introduction to fundamentals of cryptography. It discusses reasons for using cryptographic algorithms such as confidentiality, authentication and integrity. It then describes symmetric key systems including the Caesar cipher and block ciphers. It introduces the Advanced Encryption Standard (AES) and describes its basic components and operations. It also provides an overview of public key cryptography and some mathematical principles related to complexity classes and exponentiation.

Fundamentals of Cryptography

an interactive tutorial
EIDMA-Stieltjes week 22 September 2003 Leiden

Henk van Tilborg Eindhoven University of Technology

Introduction

What are the reasons to use cryptographic algorithms?

Confidentiality (or Privacy)

When transmitting data, one does not want an eavesdropper to understand the contents of the transmitted messages. The same is true for stored data that should be protected against unauthorized access, for instance by hackers.

Authentication

This property is the equivalent of a signature. The receiver of a message wants proof that a message comes from a certain party and not from somebody else (even if the original party later wants to deny it).

Integrity

This means that the receiver of certain data has evidence that no changes have been made by a third party.

EIDMA_Stieltjes.nb

Symmetric Systems

2.1 Classical Systems

2.1.1 Caesar Cipher

Shift each letter in the text cyclically over k places. So, with k = 7 one gets the following encryption of the word cleopatra (note that the letter z is mapped to a); each line is the previous one shifted over one more place:

cleopatra
dmfpqbusb
engqrcvtc
fohrsdwud
gpistexve
hqjtufywf
irkuvgzxg
jslvwhayh

To do this in Mathematica, we need modular arithmetic (replace a by 0, b by 1, ..., z by 25 and make your calculations modulo 26).
[Figure: the 26 letters a, ..., z arranged in a circle and numbered 0, ..., 25; each "+1" step moves one position along the circle, and z (25) wraps around to a (0).]

CaesarCipher[plaintext_, key_] := FromCharacterCode[Mod[ToCharacterCode[plaintext] - 97 + key, 26] + 97]


plaintext = "cleopatraisanegyptianqueeen"; key = 7;
CaesarCipher[plaintext, key]

An easy way to break the system is to try out all possible keys. This method is called exhaustive key search. The cryptanalysis of the ciphertext "xyuysuyifvyxi":

ciphertext = "xyuysuyifvyxi";
Table[{key, CaesarCipher[ciphertext, -key]}, {key, 0, 4}] // TableForm

So, the key k was -4 ≡ 22 (mod 26).
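The same cipher and the exhaustive key search, as an added Python example that is not part of the tutorial. The `crib` argument is my own device: it stands in for the human reading the TableForm output and picking the line that looks like language.

```python
# Added example (not from the tutorial): Caesar shift and exhaustive key search,
# mirroring the Mathematica CaesarCipher[] above. Only lowercase a-z are shifted;
# any other character is passed through unchanged.
import string

ALPHABET = string.ascii_lowercase


def caesar(text: str, key: int) -> str:
    """Shift every lowercase letter cyclically over `key` places (mod 26)."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def exhaustive_search(ciphertext: str, crib: str):
    """Try all 26 encryption keys; return every (key, candidate) whose
    candidate plaintext contains `crib`.

    With only 26 keys the search space is so small that any recognisable
    fragment of the plaintext pins the key down.
    """
    hits = []
    for key in range(26):
        candidate = caesar(ciphertext, -key)   # decrypt = shift back over key places
        if crib in candidate:
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    print(caesar("cleopatra", 7))              # jslvwhayh, the last line of the table above
    for key, text in exhaustive_search("xyuysuyifvyxi", "brute"):
        # the tutorial reports the decrypting shift: -key = -4 = 22 (mod 26)
        print(f"encryption key {key}, decrypting shift {(-key) % 26}: {text}")
```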

2.2 Block Ciphers

2.2.1 Some General Principles

Block ciphers handle n bits at a time (like n = 64, 128). They have no memory (to store previous input). They can operate at very high speeds.

[Figure: a block cipher takes 64 bits of plaintext and a key and produces 64 bits of ciphertext.]

Often, the same device can be used for encryption and decryption. Typically, the block cipher consists of a sequence of identical looking rounds each operating under a round key that is computed from the key k .


Each round is designed to realize "confusion" and "diffusion" in order to obscure dependencies and other statistical properties of the plaintext.

[Figure: the plaintext passes through Round 1, Round 2, ..., Round 8, operating under the round keys k1, k2, ..., k8, and comes out as the ciphertext.]

Note that the same plaintext will result in the same ciphertext as long as the key has not been changed. To avoid this situation feedback is introduced. Examples are given below.

2.2.2 Advanced Encryption Standard (AES), Rijndael

Like most modern block ciphers, Rijndael is an iterated block cipher: it specifies a transformation, also called the round function, and the number of times this function is iterated on the data block to be encrypted/decrypted, also referred to as the number of rounds. The block size is 128, 192 or 256 bits. The round function consists of the following operations: ByteSub (affects individual bytes), ShiftRow (shifts rows), MixColumn (affects each column), RoundKey addition (overall XOR).

These are applied to the intermediate cipher result, also called the State: a 4 × 4, 4 × 6, resp. 4 × 8 matrix of which the entries consist of 8 bits, i.e. one byte. Below the block length will be 192. One gets

$$
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} & a_{0,4} & a_{0,5} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} & a_{1,4} & a_{1,5} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} & a_{2,4} & a_{2,5} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} & a_{3,4} & a_{3,5}
\end{pmatrix}
$$

where each a_{i,j} consists of 8 bits, so it has the form {(a_{i,j})_0, (a_{i,j})_1, ..., (a_{i,j})_7}. For example, a_{0,0} = {1, 0, 1, 1, 0, 0, 0, 1}.

Sometimes, we use the one-dimensional ordering (columnwise), i.e. a_{0,0}, a_{1,0}, a_{2,0}, a_{3,0}, a_{0,1}, ..., a_{3,5}.

One Round

ByteSub

This is the only non-linear part in each round. Apply to each byte a_{i,j} two operations:

1) Interpret a_{i,j} as an element in GF(2^8) and replace it by its multiplicative inverse, if it is not 0; otherwise leave it the same.

2) Replace the resulting 8-tuple, say (x_0, x_1, ..., x_7), by

$$
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}.
$$

The finite field GF(2^8) is made by means of the irreducible polynomial m(α) = 1 + α + α^3 + α^4 + α^8. This polynomial is not primitive! Note that both operations are invertible. Instead of performing these calculations, one can also replace them by one substitution table: the ByteSub S-box.

ShiftRow

The rows of the State are shifted cyclically to the left using different offsets: do not shift row 0, shift row 1 over c1 bytes, row 2 over c2 bytes, and row 3 over c3 bytes, where

block length   c1   c2   c3
128            1    2    3
192            1    2    3
256            1    3    4

So


$$
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} & a_{0,4} & a_{0,5} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} & a_{1,4} & a_{1,5} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} & a_{2,4} & a_{2,5} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} & a_{3,4} & a_{3,5}
\end{pmatrix}
\quad\text{becomes}\quad
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} & a_{0,4} & a_{0,5} \\
a_{1,1} & a_{1,2} & a_{1,3} & a_{1,4} & a_{1,5} & a_{1,0} \\
a_{2,2} & a_{2,3} & a_{2,4} & a_{2,5} & a_{2,0} & a_{2,1} \\
a_{3,3} & a_{3,4} & a_{3,5} & a_{3,0} & a_{3,1} & a_{3,2}
\end{pmatrix}
$$

MixColumn

Interpret each column as a polynomial of degree 3 over GF(2^8) and multiply it with

$$(1 + \alpha)\,x^3 + x^2 + x + \alpha$$

modulo x^4 + 1. Note that the above polynomial is invertible modulo x^4 + 1.

<<Algebra`FiniteFields`
f128 = GF[2, {1, 1, 0, 1, 1, 0, 0, 0, 1}];
one = f128[{1, 0, 0, 0, 0, 0, 0, 0}]
α = f128[{0, 1, 0, 0, 0, 0, 0, 0}]
g[x_] = (1 + α) x^3 + one x^2 + one x + α

Suppose that the first column looks like

col = {100, 255, 200, ...}; col // TableForm

colpol[x_] = col[[1]] + col[[2]] x + col[[3]] x^2 + col[[4]] x^3

pr[x_] = ownexpand[colpol[x] g[x]]
prod[x_] = PolynomialMod[pr[x], x^4 - 1]


The inverse operation is a multiplication by

h[x_] = (1 + α + α^3) x^3 + (1 + α^2 + α^3) x^2 + (1 + α^3) x + (α + α^2 + α^3);
ownexpand[PolynomialMod[g[x] h[x], x^4 - 1]]
ownexpand[PolynomialMod[prod[x] h[x], x^4 - 1]]

Round Key Addition

XOR the whole matrix with a similar sized matrix (i.e. the Round Key) obtained from the cipher key in a way that depends on the round index. Note that the XOR applied to a byte really is an XOR applied to the 8 bits in the byte. For example,

$$
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} & a_{0,4} & a_{0,5} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} & a_{1,4} & a_{1,5} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} & a_{2,4} & a_{2,5} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} & a_{3,4} & a_{3,5}
\end{pmatrix}
\oplus
\begin{pmatrix}
k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} & k_{0,4} & k_{0,5} \\
k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} & k_{1,4} & k_{1,5} \\
k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} & k_{2,4} & k_{2,5} \\
k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3} & k_{3,4} & k_{3,5}
\end{pmatrix}
=
\begin{pmatrix}
u_{0,0} & u_{0,1} & u_{0,2} & u_{0,3} & u_{0,4} & u_{0,5} \\
u_{1,0} & u_{1,1} & u_{1,2} & u_{1,3} & u_{1,4} & u_{1,5} \\
u_{2,0} & u_{2,1} & u_{2,2} & u_{2,3} & u_{2,4} & u_{2,5} \\
u_{3,0} & u_{3,1} & u_{3,2} & u_{3,3} & u_{3,4} & u_{3,5}
\end{pmatrix}
$$

with u_{0,0} = a_{0,0} ⊕ k_{0,0}, the coordinate-wise exclusive or:

a00 = {1, 1, 1, 1, 0, 0, 0, 0}; k00 = {1, 1, 0, 0, 1, 0, 1, 0};
Mod[a00 + k00, 2]

There is also an initial Round Key addition and one final round that differs slightly from the others (the MixColumn is omitted).
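The four operations of one round, written out in Python as an added example that is not part of the tutorial. It builds GF(2^8) from the tutorial's polynomial 1 + α + α^3 + α^4 + α^8, derives the ByteSub S-box from the inverse plus the affine map above, applies ShiftRow with the offsets (1, 2, 3) of block length 192, multiplies columns by (1+α)x^3 + x^2 + x + α modulo x^4 + 1 (and by h(x) for the inverse), and XORs a round key. The sample State and round key are constructed; the key schedule is not covered here, so the round key is simply given. Each step is paired with its inverse so the round trip can be checked.

```python
# Added example (not from the tutorial): the arithmetic of one Rijndael round
# for the 4 x 6 State (block length 192), each step together with its inverse.
from typing import List

MODULUS = 0b100011011          # 1 + a + a^3 + a^4 + a^8; bit i of a byte is the coefficient of a^i
NB = 6                         # State columns for block length 192
ROW_OFFSETS = (0, 1, 2, 3)     # ShiftRow offsets c0..c3 for block length 192
MIX = [0x02, 0x01, 0x01, 0x03]       # (1+a)x^3 + x^2 + x + a as coefficients of x^0..x^3
INV_MIX = [0x0E, 0x09, 0x0D, 0x0B]   # h(x) from the text, same ordering

State = List[List[int]]        # 4 rows of NB bytes


def gf_mul(x: int, y: int) -> int:
    """Multiply two bytes in GF(2^8) = GF(2)[a] / (1 + a + a^3 + a^4 + a^8)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:
            x ^= MODULUS
    return r


def gf_inv(x: int) -> int:
    """Multiplicative inverse via x^254 (0 is left as 0, as ByteSub prescribes)."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if x else 0


# Affine map y = A x + c of ByteSub over GF(2); row i of A produces y_i.
AFFINE_A = [(1,0,0,0,1,1,1,1), (1,1,0,0,0,1,1,1), (1,1,1,0,0,0,1,1), (1,1,1,1,0,0,0,1),
            (1,1,1,1,1,0,0,0), (0,1,1,1,1,1,0,0), (0,0,1,1,1,1,1,0), (0,0,0,1,1,1,1,1)]
AFFINE_C = (1, 1, 0, 0, 0, 1, 1, 0)


def byte_to_bits(v: int) -> List[int]:
    """The tutorial's list notation {(a)_0, ..., (a)_7}, coefficient of a^0 first."""
    return [(v >> i) & 1 for i in range(8)]


def bits_to_byte(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def affine(x: int) -> int:
    xb = byte_to_bits(x)
    return bits_to_byte([(sum(r * b for r, b in zip(row, xb)) + c) % 2
                         for row, c in zip(AFFINE_A, AFFINE_C)])


SBOX = [affine(gf_inv(v)) for v in range(256)]   # the ByteSub substitution table
INV_SBOX = [0] * 256
for v, s in enumerate(SBOX):
    INV_SBOX[s] = v


def byte_sub(state: State, box=SBOX) -> State:
    return [[box[v] for v in row] for row in state]


def shift_row(state: State, inverse: bool = False) -> State:
    out = []
    for row, off in zip(state, ROW_OFFSETS):
        k = (-off if inverse else off) % NB      # rotate left by off, or right for the inverse
        out.append(row[k:] + row[:k])
    return out


def poly_mul_mod(u: List[int], v: List[int]) -> List[int]:
    """Product of two degree-3 polynomials over GF(2^8), reduced modulo x^4 + 1."""
    r = [0] * 4
    for i in range(4):
        for j in range(4):
            r[(i + j) % 4] ^= gf_mul(u[i], v[j])
    return r


def mix_column(state: State, poly=MIX) -> State:
    cols = [poly_mul_mod([state[r][c] for r in range(4)], poly) for c in range(NB)]
    return [[cols[c][r] for c in range(NB)] for r in range(4)]


def add_round_key(state: State, key: State) -> State:
    return [[a ^ k for a, k in zip(ra, rk)] for ra, rk in zip(state, key)]


def round_function(state: State, key: State) -> State:
    return add_round_key(mix_column(shift_row(byte_sub(state))), key)


def inverse_round(state: State, key: State) -> State:
    s = mix_column(add_round_key(state, key), INV_MIX)
    return byte_sub(shift_row(s, inverse=True), INV_SBOX)


# Constructed sample State and round key (not from the tutorial).
SAMPLE_STATE = [[(r * NB + c) * 37 % 256 for c in range(NB)] for r in range(4)]
SAMPLE_KEY = [[(r * NB + c) * 101 % 256 for c in range(NB)] for r in range(4)]
```

The two lookup tables are exactly the "one substitution table" the text mentions; the affine constant makes SBOX[0] = 0x63, so ByteSub has no fixed point at zero.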


The Principle of Public Key Cryptography

Alice and Bob want a method for encryption that does not involve a common secret key k_{A,B} that has been agreed upon beforehand. They also want techniques for authentication and integrity.

3.1 Setting It Up

Every participant P makes two matching algorithms: a public algorithm PubAlg_P and a secret algorithm SecAlg_P.

Because PubAlg_P is public, it should not be possible to compute SecAlg_P out of PubAlg_P.

3.2 Encryption

Encryption of message m by Alice to Bob. Alice sends: c = PubAlg_Bob(m).

Bob decrypts c as follows: SecAlg_Bob(c) = SecAlg_Bob(PubAlg_Bob(m)) = m.

Question: Is it possible that the plaintext remains secret while you know the ciphertext and how it was encrypted?

It should be against your intuition that this works. If you know c and PubAlg_Bob then you should be able to find m. In the worst case, you can find m by encrypting all possible plaintexts until you find c. Computationally, the above system is possible! The number of possibilities to check should be too much even when many computers work together for many hours.


Mathematical Principles

4.1 Different Complexities

Exponentiation goes very easy.

To compute 6^4371 (mod 99991), we make the following table (all entries reduced modulo 99991):

6^1 = 6
6^2 = 36
6^4 = 1296
6^8 = 79760
6^16 = 30198
6^32 = 1284
6^64 = 48800
6^128 = 54344
6^256 = 36151
6^512 = 12431
6^1024 = 43666
6^2048 = 91168
6^4096 = 52331

So, 6^4371 = 6^4096 · 6^256 · 6^16 · 6^2 · 6^1 ≡ 52331 · 36151 · 30198 · 36 · 6 ≡ 34455 (mod 99991).

Mod[52331 36151 30198 36 6, 99991]
Mod[6^4371, 99991]

The answer 34455 can be checked with the Mod function.

Faster is the PowerMod function which uses the method above.

PowerMod[6, 4371, 99991]

So, for a fast exponentiation one uses the binary expansion of the exponent to compute 6^4371. The binary expansion of the exponent can be found with the IntegerDigits function.


IntegerDigits[4371, 2]

From this we can also compute 6^4371 on the fly as follows (all calculations are modulo 99991):

$$((((((((((((1 \cdot 6)^2)^2)^2)^2 \cdot 6)^2)^2)^2)^2 \cdot 6)^2)^2)^2 \cdot 6)^2 \cdot 6 \equiv 34455 \pmod{99991}.$$

A more formal verification: replacing 6 by a symbol x in the same nested expression and expanding gives x^4371.

Paul Kocher's timing attack is based on the difference in time needed for taking the square and for multiplying.

The "opposite" operations of exponentiation are intractable for large moduli (unless they have a special form).

a) Determine e such that 6^e ≡ 34455 (mod 99991).

Since e can be written as log_6 34455, the problem of computing e is called the logarithm problem. This observation is at the base of the Diffie-Hellman system.

Compare the difference in the following two plots:

p = 541;
Plot[Log[x], {x, 1, p}]
ListPlot[Table[{j, Mod[2^j, p]}, {j, 1, p}]]

b) Determine m such that m^4371 ≡ 34455 (mod 99991).

Take the 4371th modular root of 34455. This observation is at the base of the RSA system.

Compare the difference in the following two plots:

n = 541;
Plot[x^(1/3), {x, 1, n}]
ListPlot[Table[{j, Mod[j^3, n]}, {j, 1, n}]]

What is the complexity of a modular exponentiation? The table above has length log2 m. Since m < p, this length is at most log2 p. So, it takes at most log2 p multiplications to make the table. In the worst case, all these elements have to be multiplied. This takes another log2 p multiplications. The overall complexity is 2 log2 p.

Theorem 4.1 The complexity of an exponentiation in Z_p^* is at most 2 log2 p.
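Both ways of computing 6^4371 mod 99991 described above (the table of 6^(2^k) and the on-the-fly square-and-multiply), as an added Python example that is not part of the tutorial. The operation counters are my addition; they make the bound of Theorem 4.1 checkable, and they separate the two operation kinds whose timing difference Kocher's attack exploits.

```python
# Added example (not from the tutorial): exponentiation by repeated squaring,
# instrumented with operation counts to compare against 2 * log2(p).
import math


def power_table(base: int, exponent: int, modulus: int):
    """[(2^k, base^(2^k) mod modulus)] for k = 0 .. bit length of exponent - 1."""
    table, value = [], base % modulus
    for k in range(exponent.bit_length()):
        table.append((1 << k, value))
        value = value * value % modulus          # one squaring per table entry
    return table


def table_product(exponent: int, table, modulus: int) -> int:
    """Multiply the table entries whose power of two occurs in the binary expansion."""
    result = 1
    for power, value in table:
        if exponent & power:
            result = result * value % modulus
    return result


def square_and_multiply(base: int, exponent: int, modulus: int):
    """Left-to-right binary exponentiation, the 'on the fly' rule of the text.

    Returns (result, squarings, multiplications by base).
    """
    result, squarings, mults = 1, 0, 0
    for i, bit in enumerate(bin(exponent)[2:]):  # most significant bit first
        if i:                                     # no squaring before the leading bit
            result = result * result % modulus
            squarings += 1
        if bit == "1":
            result = result * base % modulus
            mults += 1
    return result, squarings, mults


def operation_bound(p: int) -> int:
    """Theorem 4.1: an exponentiation modulo p costs at most 2 log2 p multiplications."""
    return 2 * math.ceil(math.log2(p))


if __name__ == "__main__":
    table = power_table(6, 4371, 99991)
    print(table_product(4371, table, 99991))      # 34455
    print(square_and_multiply(6, 4371, 99991))    # (34455, 12, 5)
    print(operation_bound(99991))                 # 34
```

The exponent 4371 = 1000100010011 in binary costs 12 squarings and 5 multiplications, well inside the bound of 34.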

Discrete Logarithm Based Systems

5.1 The Diffie-Hellman Key-Exchange System

5.1.1 Setting It Up

Consider the prime number p = 99991 and take g = 6. The multiplicative order of 6 is 99990. This means the following: the number 6 has the property that all powers 1, 6, 6^2, 6^3, ..., 6^99989 are different modulo 99991 and that 6^99990 ≡ 1 (mod 99991).

PowerMod[6, 99990, 99991]
FactorInteger[99990]
PowerMod[6, 99990/2, 99991]
PowerMod[6, 99990/3, 99991]
PowerMod[6, 99990/5, 99991]
PowerMod[6, 99990/11, 99991]
PowerMod[6, 99990/101, 99991]

Such an element is called a generator of Z_p^* or primitive element in Z_p^*. Alice chooses as random secret exponent S_Alice = 12345 and Bob as random secret exponent S_Bob = 11111. Next, Alice and Bob compute their public key: 6^12345 (mod 99991), resp. 6^11111 (mod 99991).

PAlice = PowerMod[6, 12345, 99991]
PBob = PowerMod[6, 11111, 99991]

So, PAlice = 33190 and PBob = 61056. These public keys are made public by them.

5.1.2 The Key Determination

Alice can compute the common key k_{A,B} (with Bob) by raising the publicly known PBob = 61056 of Bob to the power S_Alice = 12345, which only she knows. She gets:

PowerMod[61056, 12345, 99991]

Bob gets the same common key k_{A,B} by raising PAlice = 33190 of Alice to the power S_Bob. Indeed, he gets:

PowerMod[33190, 11111, 99991]

Note that

$$P_{Bob}^{S_{Alice}} = \bigl(6^{S_{Bob}}\bigr)^{S_{Alice}} = 6^{S_{Bob} S_{Alice}} \quad\text{just as}\quad P_{Alice}^{S_{Bob}} = \bigl(6^{S_{Alice}}\bigr)^{S_{Bob}} = 6^{S_{Alice} S_{Bob}}.$$

Remember from high school that

$$(g^m)^n = g^m \cdot g^m \cdots g^m = g^{m + m + \cdots + m} = g^{mn} = (g^n)^m.$$

If Eve can find S_Alice from PAlice, she can also determine k_{A,B}, just like Bob did. To this end, she has to solve the logarithm problem 6^?? ≡ 33190 (mod 99991).

In Sept. 2001, a logarithm in GF(2^521) was determined.

N[2^521, 10]

Time involved: sieving 21 days, linear algebra 10 days, final step 12 hours.
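The exchange of 5.1 with the tutorial's parameters, as an added Python example that is not part of the tutorial. The generator check reproduces what the PowerMod[6, 99990/q, 99991] calls test: g generates Z_p^* exactly when g^((p-1)/q) ≠ 1 for every prime q dividing p - 1. The trial-division factorisation is my own helper, adequate for a five-digit p. The last function is Eve's position from the end of the section: with p this small, walking through the powers of 6 recovers S_Alice, which is exactly why real parameters are hundreds of digits long.

```python
# Added example (not from the tutorial): Diffie-Hellman over Z_99991^* with g = 6,
# S_Alice = 12345, S_Bob = 11111, plus the generator test and Eve's brute force.

def prime_factors(n: int):
    """Distinct prime factors of n by trial division (n is small here)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_generator(g: int, p: int) -> bool:
    """True iff g has multiplicative order p - 1 modulo the prime p."""
    if pow(g, p - 1, p) != 1:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def dh_exchange(p: int, g: int, s_alice: int, s_bob: int):
    """Public keys and both sides' computation of the common key k_{A,B}."""
    p_alice = pow(g, s_alice, p)        # PAlice = g^S_Alice, published
    p_bob = pow(g, s_bob, p)            # PBob   = g^S_Bob,   published
    k_alice = pow(p_bob, s_alice, p)    # Alice: PBob^S_Alice
    k_bob = pow(p_alice, s_bob, p)      # Bob:   PAlice^S_Bob
    return p_alice, p_bob, k_alice, k_bob


def eve_exhaustive(p: int, g: int, public: int) -> int:
    """The exhaustive search of 5.2.1: smallest e with g^e = public (mod p)."""
    x, e = 1, 0
    while x != public:
        x = x * g % p
        e += 1
    return e


if __name__ == "__main__":
    print(prime_factors(99990))                     # [2, 3, 5, 11, 101]
    print(is_generator(6, 99991))                   # True
    p_alice, p_bob, k_alice, k_bob = dh_exchange(99991, 6, 12345, 11111)
    print(p_alice, p_bob, k_alice == k_bob)         # 33190 61056 True
    print(eve_exhaustive(99991, 6, p_alice))        # 12345 after 12345 steps
```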

5.2 How to Take Discrete Logarithms

5.2.1 Exhaustive Search

Try S_Bob = 1, 2, 3, ... until you find that g^{S_Bob} ≡ PBob (mod p). Complexity is p.

5.2.2 Baby-step Giant-step

Complexity of the baby-step giant-step method is p^a in computer time and p^{1-a} in memory space, where a can be chosen freely in between 0 and 1.

EXAMPLE: a = 4/5

Consider the equation 6^m ≡ 55555 (mod 99991) and assume that we can only store a table with 10 field elements. We make a table of 6^i (mod 99991) for i = 0, 1, ..., 9.

powers = Table[PowerMod[6, i, 99991], {i, 0, 9}]

This gives the table:

i     0   1   2    3     4     5      6      7      8      9
6^i   1   6  36  216  1296  7776  46656  79954  79760  78596

Now note that either 0 ≤ m ≤ 9 or 0 ≤ m - 10 ≤ 9 or 0 ≤ m - 2·10 ≤ 9 or 0 ≤ m - 3·10 ≤ 9 or etc.

The idea is to make (giant) steps of size 10 by checking if 55555, 55555·6^{-10}, 55555·6^{-2·10}, ... is in the table.

Instead of having to divide by 6^10, we rather multiply by something else. We use the PowerMod function to find 6^{-10} mod 99991.

PowerMod[6, -10, 99991]

This means that 1/6^10 ≡ 12339 (mod 99991), i.e. dividing by 6^10 amounts to the same as multiplying by 12339 modulo 99991.

So, we check if 55555, 55555·12339, 55555·12339^2, 55555·12339^3, ... is in the table above. We use the function MemberQ.

try = Mod[55555 12339^1, 99991]
MemberQ[powers, try]

We better make a program.

j = 0; try = Mod[55555, 99991];
While[Not[MemberQ[powers, try]], j = j + 1; try = Mod[try 12339, 99991]];
j
try

We conclude that j = 7972. Indeed, 1296 is the element in the table above corresponding to i = 4. This means that m - 7972·10 = 4, i.e. m = 79724. Indeed, 6^79724 ≡ 55555 (mod 99991), as can be easily checked with the PowerMod function.
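The baby-step giant-step search of this section, as an added Python example that is not part of the tutorial. The table size is a parameter so that the time/memory trade-off (p^a steps against p^{1-a} stored elements) can be tried out; with `table_size = 10` it follows the text exactly, and with a table of about √p elements the same m is found after far fewer giant steps. The dictionary is my replacement for the `powers` list plus MemberQ.

```python
# Added example (not from the tutorial): baby-step giant-step for g^m = c (mod p).

def bsgs(g: int, c: int, p: int, table_size: int):
    """Solve g^m = c (mod p) with `table_size` baby steps.

    Returns (m, j, i) with m = j * table_size + i, or None if no solution
    exists (the number of giant steps is bounded by p / table_size).
    """
    # baby steps: the table i -> g^i for 0 <= i < table_size
    powers = {}
    x = 1
    for i in range(table_size):
        powers.setdefault(x, i)
        x = x * g % p
    # giant steps: multiply by g^(-table_size), i.e. divide by g^table_size
    step = pow(g, -table_size, p)
    limit = p // table_size + 1
    candidate = c % p
    j = 0
    while candidate not in powers:
        j += 1
        if j > limit:
            return None
        candidate = candidate * step % p
    i = powers[candidate]
    return j * table_size + i, j, i


if __name__ == "__main__":
    print(pow(6, -10, 99991))          # 12339, the inverse of 6^10
    print(bsgs(6, 55555, 99991, 10))   # (79724, 7972, 4): 7972 giant steps, table of 10
    print(bsgs(6, 55555, 99991, 317))  # same m, about sqrt(p) steps and sqrt(p) table entries
```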


PowerMod[6, 79724, 99991]

Note that the maximum number of tries is ⌈99991/10⌉ ≈ p^{4/5} and that the length of the table is 10 ≈ p^{1/5}.

5.2.3 Pollard-ρ

The time complexity of the Pollard-ρ method is the same as that of the Baby-Step-Giant-Step, so √p. The advantage lies in the minimal memory requirements.

The Method

We shall explain the Pollard-ρ method for the special case of a multiplicative subgroup G of GF(p) of prime order. So, we want to solve m, 0 ≤ m < q, from the equation c = g^m, where g ∈ GF(p) has order q, q prime, and where c ∈ GF(p) is some given q-th root of unity.

EXAMPLE (Part I): 121^m ≡ 3435 (mod 4679)

We consider p = 4679. Note that p - 1 = 2 · 2339. The number 11 is a primitive element of GF(4679) and thus g = 11^{(p-1)/2339} = 11^2 = 121 is the generator of a multiplicative subgroup of order 2339.

p = 4679; PrimeQ[p]
MultiplicativeOrder[11, p]
MultiplicativeOrder[121, p]

We want to solve the equation 121^m ≡ 3435 (mod 4679).

Note that this equation must have a solution, since 3435 is indeed a 2339-th root of unity in GF(4679). Indeed, all 2339-th roots of unity are a zero of x^2339 - 1 and this polynomial can not have more zeros.

PowerMod[3435, 2339, 4679]

In order to solve c = g^m, we partition the multiplicative subgroup G of GF(p) of order q in three subsets G_i, i = 0, 1, 2, as follows:

$$x \in G_i \iff x \equiv i \pmod 3.$$

So, G_0 = {0, 3, ...}, G_1 = {1, 4, ...}, and G_2 = {2, 5, ...}.

We define a sequence {x_i}_{i≥0} in GF(p) recursively by x_0 = 1 and

$$x_{i+1} = f(x_i) = \begin{cases} x_i^2 \pmod p, & \text{if } x_i \in G_0,\\ c \cdot x_i \pmod p, & \text{if } x_i \in G_1,\\ g \cdot x_i \pmod p, & \text{if } x_i \in G_2. \end{cases} \qquad (5.1)$$

Clearly, the sequence {x_i}_{i≥0} will eventually cycle. This behaviour explains the name ρ-method.

With the sequence {x_i}_{i≥0} we associate two other sequences {a_i}_{i≥0} and {b_i}_{i≥0} in such a way that for all i ≥ 0

$$x_i = g^{a_i} c^{b_i}.$$

To this end, take a_0 = b_0 = 0 and use the recursions

$$a_{i+1} = \begin{cases} 2 a_i \pmod q, & \text{if } x_i \in G_0,\\ a_i, & \text{if } x_i \in G_1,\\ a_i + 1 \pmod q, & \text{if } x_i \in G_2, \end{cases}
\qquad
b_{i+1} = \begin{cases} 2 b_i \pmod q, & \text{if } x_i \in G_0,\\ b_i + 1 \pmod q, & \text{if } x_i \in G_1,\\ b_i, & \text{if } x_i \in G_2. \end{cases}$$

Note that by induction

$$\begin{aligned}
x_{i+1} &= x_i^2 = \bigl(g^{a_i} c^{b_i}\bigr)^2 = g^{2 a_i} c^{2 b_i} = g^{a_{i+1}} c^{b_{i+1}}, & \text{if } x_i \in G_0,\\
x_{i+1} &= c \cdot x_i = c \cdot g^{a_i} c^{b_i} = g^{a_i} c^{b_i + 1} = g^{a_{i+1}} c^{b_{i+1}}, & \text{if } x_i \in G_1,\\
x_{i+1} &= g \cdot x_i = g \cdot g^{a_i} c^{b_i} = g^{a_i + 1} c^{b_i} = g^{a_{i+1}} c^{b_{i+1}}, & \text{if } x_i \in G_2.
\end{aligned}$$

As soon as we have two distinct indices i and j with x_i = x_j we are done. Indeed, if g^{a_i} c^{b_i} = g^{a_j} c^{b_j}, i < j, then g^{a_i - a_j} = c^{b_j - b_i}. Provided that b_i ≠ b_j, we have found the solution

$$m \equiv (a_j - a_i)(b_i - b_j)^{-1} \pmod q.$$

If b_i = b_j (with negligible probability), put c' = c·g and solve c' = g^{m'}, where m' = m + 1.


To find indices i and j with x_i = x_j, we follow Floyd's cycle-finding algorithm: find an index i such that x_i = x_{2i} (so, take j = 2i). To this end, we start with the pair (x_1, x_2), calculate (x_2, x_4), then (x_3, x_6), and so on, each time calculating (x_{i+1}, x_{2i+2}) from the previously calculated (x_i, x_{2i}) by the defining rules

$$x_{i+1} = f(x_i), \qquad x_{2i+2} = f(f(x_{2i})).$$

In this way, huge storage requirements can be avoided.

EXAMPLE (Part II): 121^m ≡ 3435 (mod 4679)

We want to solve the equation 121^m ≡ 3435 (mod 4679).

The recurrence relation for the {x_i}_{i≥0} sequence can be evaluated by means of the Which and Mod functions.

RecX[x_, g_, c_, p_] := Which[
  Mod[x, 3] == 0, Mod[x^2, p],
  Mod[x, 3] == 1, Mod[c x, p],
  Mod[x, 3] == 2, Mod[g x, p]]

The smallest index i, i ≥ 1, satisfying x_i = x_{2i} can be found with the help of the While function.

g = 121; c = 3435; p = 4679;
x1 = RecX[1, g, c, p]; x2 = RecX[x1, g, c, p]; i = 1;
While[x1 != x2, x1 = RecX[x1, g, c, p]; x2 = RecX[RecX[x2, g, c, p], g, c, p]; i = i + 1];
i

So, x_76 = x_152 and m ≡ (a_152 - a_76)(b_76 - b_152)^{-1} (mod 2339). However, above we did not update the values of the sequences a_i and b_i. We will do that now.

RecurrDef[{x_, a_, b_}] := Which[
  Mod[x, 3] == 0, {Mod[x^2, p], Mod[2 a, q], Mod[2 b, q]},
  Mod[x, 3] == 1, {Mod[c x, p], a, Mod[b + 1, q]},
  Mod[x, 3] == 2, {Mod[g x, p], Mod[a + 1, q], b}]

g = 121; c = 3435; p = 4679; q = 2339;
x1 = 1; a1 = 0; b1 = 0; x2 = 1; a2 = 0; b2 = 0;
{x1, a1, b1} = RecurrDef[{x1, a1, b1}]; i = 1;
{x2, a2, b2} = RecurrDef[RecurrDef[{x2, a2, b2}]];
While[x1 != x2,
  {x1, a1, b1} = RecurrDef[{x1, a1, b1}];
  {x2, a2, b2} = RecurrDef[RecurrDef[{x2, a2, b2}]];
  i = i + 1];
Print["i=", i]
Print["xi=", x1, ", ai=", a1, ", bi=", b1];
Print["x2i=", x2, ", a2i=", a2, ", b2i=", b2];

Indeed, the relation g^{a_i} c^{b_i} gives the same value for i = 76 and i = 2·76:

Mod[PowerMod[g, a1, p] PowerMod[c, b1, p], p]
Mod[PowerMod[g, a2, p] PowerMod[c, b2, p], p]

The solution m of 121^m ≡ 3435 (mod 4679) can now be determined from m ≡ (286 - 84)(2191 - 915)^{-1} (mod 2339).

m = Mod[(a2 - a1) PowerMod[b1 - b2, -1, q], q]

That m = 1111 is indeed the solution can be checked with

PowerMod[g, 1111, p] == c

The ρ in the name of this algorithm reflects the shape of the {x_i}_{i≥0}-sequence: after a while it starts cycling around. The memory requirements of Floyd's cycle finding algorithm are indeed minimal. The expected running time is √q.


5.2.4 Pohlig-Hellman

Complexity of the Pohlig-Hellman method depends on the factorization of p - 1. It can be much faster than √p operations, if p - 1 has only small prime divisors, but is, in general, still exponential in behaviour.

Special Case: p - 1 = 2^n

Examples of prime numbers that are a power of 2 plus one are given by p = 17, p = 257, and p = 2^16 + 1.

n = 16; PrimeQ[2^n + 1]

So, let g be a generator (primitive element) in Z_p^*. The problem is to find m, 0 ≤ m ≤ p - 2, satisfying

$$g^m \equiv c \pmod p$$

for given value of c.

Let m_0, m_1, ..., m_{n-1} be the binary representation of the unknown m, i.e.

$$m = m_0 + m_1 \cdot 2 + \cdots + m_{n-1} \cdot 2^{n-1}, \qquad m_i \in \{0, 1\},\ 0 \le i \le n - 1.$$

Of course, it suffices to compute the unknown m_i's. Since g is a generator of Z_p^* we know that

$$g^{p-1} \equiv 1 \pmod p \quad\text{and}\quad g^i \not\equiv 1 \pmod p \ \text{for } 0 < i < p - 1.$$

It also follows that g^{(p-1)/2} ≡ -1 (mod p), because the square of g^{(p-1)/2} is 1 while g^{(p-1)/2} ≢ 1 (mod p); we also use here that the quadratic equation x^2 ≡ 1 (mod p) has ±1 as only roots. Hence

$$c^{(p-1)/2} \equiv (g^m)^{(p-1)/2} \equiv g^{m (p-1)/2} \equiv g^{(m_0 + m_1 \cdot 2 + \cdots + m_{n-1} \cdot 2^{n-1})(p-1)/2} \equiv g^{m_0 (p-1)/2} \equiv \begin{cases} +1, & \text{if } m_0 = 0,\\ -1, & \text{if } m_0 = 1, \end{cases}$$

using that g is primitive. Therefore, the evaluation of c^{(p-1)/2} modulo p, which takes at most 2·⌈log2 p⌉ multiplications, as we have seen in Section 4.4, yields m_0. Compute

$$c_1 = c \cdot g^{-m_0} = g^{m_1 \cdot 2 + m_2 \cdot 2^2 + \cdots + m_{n-1} \cdot 2^{n-1}}.$$

Now m_1 can be determined in the same way as above from

$$c_1^{(p-1)/4} \equiv g^{(m_1 \cdot 2 + m_2 \cdot 2^2 + \cdots + m_{n-1} \cdot 2^{n-1})(p-1)/4} \equiv g^{m_1 (p-1)/2} \equiv \begin{cases} 1, & \text{if } m_1 = 0,\\ -1, & \text{if } m_1 = 1. \end{cases}$$

Compute c_2 = c_1 · g^{-2 m_1} = c · g^{-(m_0 + m_1 · 2)} and determine m_2 from (c_2)^{(p-1)/8}. Repeat this process until also m_{n-1} (and thus m) has been determined.

EXAMPLE

Consider the equation 3^m ≡ 7 (mod 17). So, p = 17, g = 3, and c = 7. Note that g^{-1} = 6. Writing m = m_0 + 2 m_1 + 4 m_2 + 8 m_3, we find m_0 by evaluating c^{(p-1)/2} (modulo p).

PowerMod[7, 8, 17]

Since this is -1 we know that m_0 = 1. Compute c_1 ≡ c · 3^{-1} ≡ 6 · c ≡ 8 (mod 17). Then m_1 can be found from c_1^{(p-1)/4} (modulo p):

PowerMod[8, 4, 17]

Again this is -1, so m_1 = 1. Compute c_2 ≡ c_1 · 3^{-2} ≡ 6^2 · c_1 ≡ 16 (mod 17). Then m_2 can be found from c_2^{(p-1)/8} (modulo p):

PowerMod[16, 2, 17]

Since the outcome is 1, we have m_2 = 0. So, c_3 = c_2 and m_3 can be found from c_3^{(p-1)/16} (modulo p):

PowerMod[16, 1, 17]

We now also have m_3 = 1 and thus m = 1·2^0 + 1·2^1 + 0·2^2 + 1·2^3 = 11. We can check this with:

PowerMod[3, 11, 17]

The above algorithm finds m from c in at most

$$n \cdot \bigl(2 \cdot \lceil \log_2 p \rceil + 2\bigr) \approx 2 (\log_2 p)^2 \approx 2 n^2$$

operations, where the term +2 comes from the evaluation of the c_i's (one squaring and possibly one multiplication to compute c_{i-1}) and the n from the number of exponentiations. Comparing with the complexity of an exponentiation (see Theorem 4.3), we observe that for p = 2^n + 1, using the Diffie-Hellman scheme takes 2n multiplications, while breaking it takes 2n^2 multiplications: a quadratic relation, which is not significant enough to make the system secure. The method above can be generalized to prime numbers p with the property that p - 1 only contains small prime factors.

5.2.5 The Index-Calculus Method

Complexity of the index-calculus method is subexponential! Depending on the implementation it may look like

$$e^{\sqrt{\ln n \,\ln \ln n}},$$

where n is the size of the multiplicative group GF(p)^*.

EXAMPLE: p = 99991, g = 6

Consider Z_99991^* with generator g = 6 and say that we want to solve

$$6^m \equiv 55555 \pmod{99991}.$$

As factor base S we take the set of prime numbers {2, 3, 5, 7, 11, 13, 17, 19, 23, 29}.

Next, we try to write all the elements in the factor base as powers of 6 mod 99991, i.e. we need to solve the logarithm problem for all the elements in the factor base. We achieve this by finding powers of 6 that reduced modulo 99991 can be expressed as product of elements in {2, 3, 5, 7, 11, 13, 17, 19, 23, 29}.

A number with this property is called smooth with respect to this factor base. (Here, we shall use the function FactorInteger, but that function does much more than is needed.)

p = 99991; try = PowerMod[6, 812, p]
FactorInteger[try]

After some trial and error we find the following five successful attempts.

FactorInteger[PowerMod[6, 219, p]]
FactorInteger[PowerMod[6, 813, p]]
FactorInteger[PowerMod[6, 2150, p]]
FactorInteger[PowerMod[6, 2151, p]]
FactorInteger[PowerMod[6, 7003, p]]
FactorInteger[PowerMod[6, 10028, p]]
FactorInteger[PowerMod[6, 12067, p]]
FactorInteger[PowerMod[6, 20019, p]]
FactorInteger[PowerMod[6, 30042, p]]
FactorInteger[PowerMod[6, 30057, p]]

Write 2 ≡ 6^{m1}, 3 ≡ 6^{m2}, 5 ≡ 6^{m3}, 7 ≡ 6^{m4}, 11 ≡ 6^{m5}, 13 ≡ 6^{m6}, 17 ≡ 6^{m7}, 19 ≡ 6^{m8}, 23 ≡ 6^{m9}, 29 ≡ 6^{m10} (all mod 99991).

We get ten congruence relations modulo 99990. For example, 6^813 ≡ 17986 = 2^1 · 17^1 · 23^2 (mod 99991) can be rewritten as

$$6^{813} \equiv (6^{m_1})^1 \cdot (6^{m_7})^1 \cdot (6^{m_9})^2 \equiv 6^{m_1 + m_7 + 2 m_9} \pmod{99991}.$$

Comparing the exponents on both sides gives the relation 813 ≡ m1 + m7 + 2 m9 (mod 99990).

The ten congruence relations modulo 99990 that we get are

$$\begin{aligned}
219 &\equiv m_4 + m_6 + m_8 + m_9,\\
813 &\equiv m_1 + m_7 + 2 m_9,\\
2150 &\equiv m_3 + m_8 + m_{10},\\
2151 &\equiv m_1 + m_2 + m_3 + m_8 + m_{10},\\
7003 &\equiv 3 m_2 + m_4 + 2 m_7,\\
10028 &\equiv 3 m_1 + m_4 + m_8 + m_{10},\\
12067 &\equiv 2 m_4 + m_6 + m_8,\\
20019 &\equiv m_1 + 2 m_3 + m_6 + m_{10},\\
30042 &\equiv 6 m_1 + 2 m_9,\\
30057 &\equiv 3 m_1 + 2 m_5 + m_6 \pmod{99990}.
\end{aligned}$$

The above system of relations can now easily be solved:

Solve[{m4 + m6 + m8 + m9 == 219, m1 + m7 + 2 m9 == 813, m3 + m8 + m10 == 2150, m1 + m2 + m3 + m8 + m10 == 2151, 3 m2 + m4 + 2 m7 == 7003, 3 m1 + m4 + m8 + m10 == 10028, 2 m4 + m6 + m8 == 12067, m1 + 2 m3 + m6 + m10 == 20019, 6 m1 + 2 m9 == 30042, 3 m1 + 2 m5 + m6 == 30057, Modulus == p - 1}, {m1, m2, m3, m4, m5, m6, m7, m8, m9, m10}]

So, we know that

2 ≡ 6^22146, 3 ≡ 6^77845, 5 ≡ 6^68986, 7 ≡ 6^10426, 11 ≡ 6^77314, 13 ≡ 6^8971, 17 ≡ 6^81501, 19 ≡ 6^82234, 23 ≡ 6^98568, 29 ≡ 6^50910 (all mod 99991).

Let us now find a solution of 6^m ≡ 55555 (mod 99991). From

FactorInteger[55555]
FactorInteger[Mod[6^13 55555, 99991]]

we see that 55555 can not be expressed as product of elements of S, but

$$6^{13} \cdot 55555 \equiv 3^5 \cdot 13^1 \cdot 17^1 \equiv (6^{m_2})^5 (6^{m_6})^1 (6^{m_7})^1 \equiv 6^{5 m_2} 6^{m_6} 6^{m_7} \pmod{99991}.$$

Since we are trying to solve 6^m ≡ 55555 (mod 99991) we conclude that 6^{13 + m} ≡ 6^{5 m_2 + m_6 + m_7} (mod 99991), so

$$13 + m \equiv 5 m_2 + m_6 + m_7 \equiv 5 \cdot 77845 + 8971 + 81501 \pmod{99990}.$$

We conclude that m is given by

Mod[5 77845 + 8971 + 81501 - 13, p - 1]

So m ≡ 79724 (mod 99990). This can easily be checked with

PowerMod[6, 79724, 99991]
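The bookkeeping of the index-calculus example, as an added Python example that is not part of the tutorial: a smoothness test by trial division over S, the exponent-vector relations (6^813 gives {2: 1, 17: 1, 23: 2}), and the final step that searches for a k with 6^k · 55555 smooth and then combines the factor-base logarithms. The linear-algebra step (solving the ten relations modulo 99990) is not re-implemented here; the factor-base logarithms are the values the tutorial reports from Solve, and `verify_logs` checks each of them against g^log ≡ prime. Function names are mine.

```python
# Added example (not from the tutorial): relation collection and the final step
# of index calculus over Z_99991^* with g = 6 and factor base {2, ..., 29}.

P, G = 99991, 6
FACTOR_BASE = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]
# log_6(prime) modulo 99990, as reported by the tutorial's Solve[...] output
FACTOR_BASE_LOGS = {2: 22146, 3: 77845, 5: 68986, 7: 10426, 11: 77314,
                    13: 8971, 17: 81501, 19: 82234, 23: 98568, 29: 50910}


def smooth_factorisation(n: int, base=FACTOR_BASE):
    """{prime: exponent} if n factors completely over base, else None."""
    exps = {}
    for q in base:
        while n % q == 0:
            exps[q] = exps.get(q, 0) + 1
            n //= q
    return exps if n == 1 else None


def collect_relations(exponents, g=G, p=P):
    """k -> exponent vector of g^k mod p, i.e. the relation
    k = sum_q e_q * log_g(q) (mod p - 1); None where g^k is not smooth."""
    return {k: smooth_factorisation(pow(g, k, p)) for k in exponents}


def verify_logs(logs=FACTOR_BASE_LOGS, g=G, p=P):
    """prime -> whether g^log = prime (mod p) really holds."""
    return {q: pow(g, e, p) == q for q, e in logs.items()}


def dlog_with_factor_base(c: int, logs=FACTOR_BASE_LOGS, g=G, p=P, k_start=0):
    """Find k >= k_start with g^k * c smooth over the factor base, then
    log_g(c) = sum_q e_q * log_g(q) - k (mod p - 1). Returns (m, k, factorisation)."""
    for k in range(k_start, p - 1):
        fac = smooth_factorisation(pow(g, k, p) * c % p)
        if fac is not None and all(q in logs for q in fac):
            m = (sum(e * logs[q] for q, e in fac.items()) - k) % (p - 1)
            return m, k, fac
    raise ValueError("no smooth multiple found")


if __name__ == "__main__":
    print(collect_relations([812, 219, 813]))   # 812 is not smooth; 813 -> {2:1, 17:1, 23:2}
    print(verify_logs())
    print(dlog_with_factor_base(55555, k_start=13))   # the tutorial's route: (79724, 13, {3:5, 13:1, 17:1})
    print(dlog_with_factor_base(55555))               # the first smooth multiple found, same m
```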

Elliptic Curve Based Systems

6.1 The Definition of an Elliptic Curve

Elliptic curves are defined by the so-called Weierstrass equation:

$$y^2 + u \cdot x \cdot y + v \cdot y = x^3 + a \cdot x^2 + b \cdot x + c. \qquad (6.1)$$

The coefficients will be in Z_p or in GF(2^m). Here we only consider the Z_p case.

For p ≥ 5 one can simplify this equation by means of elementary transformations:

$$y^2 = x^3 + a \cdot x + b. \qquad (6.2)$$

Definition 6.1 An elliptic curve over GF(q) is defined as the set of points (x, y) satisfying (7.1) together with a single element O, called the point at infinity.

<< Graphics`ImplicitPlot`
elliptic = ImplicitPlot[y^2 == x^3 - 5 x + 3, {x, -3, 3}]

Substitute a random value for x in

$$y^2 = x^3 + a \cdot x + b.$$

On the average, half of the time the right hand side will be a quadratic residue (= perfect square) modulo p, leading to two values for y.

p = 31; Solve[{y^2 == x^3 - 5 x + 3, x == 3, Modulus == p}, {y}]

6.2 Lines Intersecting Elliptic Curves

Consider two points on an elliptic curve, say P = (x_1, y_1) and Q = (x_2, y_2), with different x-coordinates. Let y = u·x + v be the line through them.

Substitute y = u·x + v in

$$y^2 = x^3 + a \cdot x + b.$$

One gets a third degree equation in x:

$$(u \cdot x + v)^2 = x^3 + a \cdot x + b.$$

This third degree equation has x_1 and x_2 as roots, i.e. it contains the factors x - x_1 and x - x_2. So, there must be a third root x_3. It can easily be computed by comparing the coefficient of x^2 in:

$$x^3 + a \cdot x + b - (u \cdot x + v)^2 = (x - x_1)(x - x_2)(x - x_3).$$

Conclusion: the line through (x_1, y_1) and (x_2, y_2) will intersect the curve in a third point!

Compute y_3 = u·x_3 + v. Then (x_3, y_3) is also on the curve.


Block[{$DisplayFunction = Identity},
  elliptic = ImplicitPlot[y^2 == x^3 - 5 x - 3, {x, -3, 4}];
  linea = Plot[x + 2, {x, -3, 4}]];
Show[linea, elliptic]
NSolve[{y^2 == x^3 - 5 x - 3, y == x + 2}, {x, y}]

The same is true for tangent lines. They will also intersect the curve in another point (except when it is a double tangent).

Block[{$DisplayFunction = Identity},
  elliptic = ImplicitPlot[y^2 == x^3 - 5 x - 3, {x, -3, 4}];
  linea = Plot[x, {x, -3, 4}]];
Show[linea, elliptic]

Also modulo a prime number, lines through two points of an elliptic curve will intersect it in a third point.

Solve[{y^2 == x^3 - 5 x + 3, y == x - 5, Modulus == 11}, {x, y}]

6.3 Adding Two Points on the Curve

We are now ready to define an addition on E. To add points P_1 and P_2, both not at infinity, execute the following two steps:

1) Compute the line through P_1 and P_2 (or the tangent line through P_1, if P_1 = P_2) and find the third point of intersection with E. Let this be Q.

2) The sum P_1 + P_2 is defined as P_3 := -Q.

[Figure: two plots of the curve over the reals. Left: the line through P and Q, its third intersection point, and the reflected point P + Q. Right: the tangent line at P and the resulting point 2P.]

Interpret the point O at infinity as the intersection point of all vertical lines. Consistent with the above definition of addition we get

$$O + P = P + O = P, \qquad \text{if } P = (x, y), \text{ then } -P = (x, -y).$$


[Figure: the curve with a vertical line through P and -P; the two points add up to the point O at infinity.]

With this addition we have a group structure on E. It is in general non-trivial to determine the order of this group. We quote:

Theorem 6.1 (Hasse) Let N be the number of points on an elliptic curve over GF(q). Then

$$|N - (q + 1)| \le 2\sqrt{q}.$$

Theorem 6.2 The additive group of an elliptic curve over GF(q) is isomorphic to Z_{n_1} × Z_{n_2}, where n_2 divides both n_1 and (q - 1) and where n_2 can be 1.

6.4

The Logarithm System on Elliptic Curves

6.4.1

The Discrete Logaritm Problem over Elliptic Curves

We have just seen how to add points on an elliptic curve. This is an operation with relatively low complexity. To compute scalar multiples of a point P,

n P = P + P + ... + P   (n terms),

for some integer n, we can copy the ideas of Section 4.4.

EXAMPLE: The binary expansion of 171 is given by

n = 171
IntegerDigits[171, 2]

So, to compute 171 P, it suffices to compute

2 P = P + P, 4 P = 2 P + 2 P, 8 P = 4 P + 4 P, ..., 64 P = 32 P + 32 P, 128 P = 64 P + 64 P

and add the suitable terms. This can be done on the fly as follows:

P =.;
2 (2 (2 (2 (2 (2 (2 P) + P)) + P)) + P) + P

Note that we only needed:
- addition of a point to itself,
- addition of P to a point.

The opposite problem is much harder.


Definition 6.2 Let an elliptic curve over GF(q) be given. Let P be a point on it and let Q be a scalar multiple of P. The discrete logarithm problem over an elliptic curve is to determine the solution n of n P = Q.

Remember that the (additive) order of a point P is defined as the smallest positive integer m such that m P = O.


It turns out that all the methods to solve the discrete logarithm problem over elliptic curves have a complexity of the form m^a, for some a > 0. So, they are exponentially slower than the (logarithmic) complexity of computing scalar multiples of P.

6.4.2 The Diffie-Hellman System over Elliptic Curves

As system parameters one needs

- an elliptic curve over a finite field GF(q),
- a point P on it of high order.

Each user U of the system selects a secret scalar mU, computes the point QU = mU P and makes QU public. Alice and Bob can now agree on the common key

K_A,B = mA mB P.

Alice can find this common key by computing mA QB with her secret scalar mA and Bob's public QB. Bob can do likewise. This system is summarized in the following table.

  system parameters        elliptic curve over GF(q), point P of high order
  secret key of U          mU
  public point of U        QU = mU P
  common key of A and B    KA,B = mA mB P
  Alice computes           mA QB
  Bob computes             mB QA

Table 6.1  The Diffie-Hellman Key Exchange System over Elliptic Curves


At the time of this writing, it is advised to take the order of P about 150-180 digits long.

EXAMPLE: Consider the elliptic curve over ℤ_863 defined by y^2 = x^3 + 100 x^2 + 10 x + 1. The point P = {121, 517} lies on it, as can be checked with the Mathematica function Mod.

p = 863; a = 100; b = 10; c = 1; x = 121; y = 517;
Mod[y^2 - (x^3 + a x^2 + b x + c), p] == 0

The order of P is 432. To check this we make use of the factorization of 432 and use the ECScalarMultiply function defined in Section 6.6.

FactorInteger[432]
P = {121, 517};
R = ECScalarMultiply[p, a, b, c, 432, P]

Suppose that Alice has chosen mA = 130 and Bob mB = 258. Then QA = (162, 663) and QB = (307, 674), as can be checked with the ECScalarMultiply function.

QAlice = ECScalarMultiply[p, a, b, c, 130, P]
QBob = ECScalarMultiply[p, a, b, c, 258, P]

Alice can compute the common key K_A,B with the calculation K_A,B = mA QB, where mA = 130 is her secret key. She finds

ECScalarMultiply[p, a, b, c, 130, QBob]

Likewise, Bob can compute the common key K_A,B with the calculation K_A,B = mB QA, where mB = 258 is his secret key. He also finds

ECScalarMultiply[p, a, b, c, 258, QAlice]

Now that the Diffie-Hellman key exchange system over elliptic curves has been described, it really is a straightforward exercise to show that the ElGamal protocol and the other systems described in Section 5.2 can be rewritten in the language of elliptic curves.
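The curve arithmetic and the exchange above, as an added Python example (not the notebook's own Mathematica functions): it implements the chord-and-tangent law for y^2 = x^3 + a x^2 + b x + c over ℤ_p, double-and-add scalar multiplication, and reproduces Alice's and Bob's computation with the parameters of the text. It assumes Python 3.8 or later (for the modular inverse pow(x, -1, p)) and represents the point at infinity by None.

```python
# Added example, not the notebook's Mathematica code: the chord-and-tangent
# group law on y^2 = x^3 + a x^2 + b x + c over Z_p, double-and-add scalar
# multiplication, and the Alice/Bob exchange with the parameters of the text.
O = None  # the point at infinity (neutral element)

def on_curve(pt, p, a, b, c):
    """The membership test the text does with Mod: y^2 - (x^3 + a x^2 + b x + c) = 0 mod p."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x * x + b * x + c)) % p == 0

def ec_add(P, Q, p, a, b, c):
    """P + Q: the third intersection point is reflected, -(x, y) = (x, -y)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P, including doubling a point with y = 0
        return O
    if P == Q:                               # tangent slope (doubling)
        lam = (3 * x1 * x1 + 2 * a * x1 + b) * pow(2 * y1, -1, p) % p
    else:                                    # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - a - x1 - x2) % p       # the roots of the cubic sum to lam^2 - a
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def ec_scalar_mult(n, P, p, a, b, c):
    """n P by double-and-add, scanning the bits of n from the top as in the 171 P example."""
    R = O
    for bit in bin(n)[2:]:
        R = ec_add(R, R, p, a, b, c)
        if bit == "1":
            R = ec_add(R, P, p, a, b, c)
    return R

def ecdh_demo():
    """The exchange of Section 6.4.2 on the curve of the text; returns all pieces for checking."""
    p, a, b, c, P = 863, 100, 10, 1, (121, 517)
    mA, mB = 130, 258                        # Alice's and Bob's secret scalars
    QA = ec_scalar_mult(mA, P, p, a, b, c)   # public points; the text reports (162, 663)
    QB = ec_scalar_mult(mB, P, p, a, b, c)   # and (307, 674)
    return {"P_on_curve": on_curve(P, p, a, b, c),
            "order_432": ec_scalar_mult(432, P, p, a, b, c) is O,   # text: 432 P = O
            "QA": QA, "QB": QB,
            "K_alice": ec_scalar_mult(mA, QB, p, a, b, c),          # m_A Q_B
            "K_bob": ec_scalar_mult(mB, QA, p, a, b, c)}            # m_B Q_A
```

The dictionary returned by ecdh_demo() can be compared directly with the values printed in the text; the two common keys agree because mA (mB P) = mB (mA P) in the group.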


6.5 Why is it Attractive?

In Section 5.2, various methods are described to take the discrete logarithm over a finite field. Exhaustive search, the Pohlig-Hellman algorithm, the baby-step giant-step method, and the Pollard-ρ method can all be directly translated into elliptic curve terminology. Use

  modular arithmetic     on an elliptic curve
  multiplication         addition
  exponentiation         scalar multiplication

Exhaustive Search

Obviously, one can try n = 1, 2, ... until n P = Q. The work factor is upper bounded by the order m of P.

Baby-Step Giant-Step Method

Also here the generalization from Section 5.3.2 is obvious. For instance, if one wants to store only 10 elements, one makes a table of {O, P, 2 P, ..., 9 P}, but sorted in a suitable way for easy access. To solve n P = Q, one looks for the first time that in the list

Q, Q - 10 P, Q - 20 P, Q - 30 P, ...

an element of the table is found. Suppose that Q - 10 s P occurs as r P, 0 ≤ r ≤ 9, in the table; then Q = (10 s + r) P, i.e. n = 10 s + r.

Note that it is better to compute P' = -10 P once and look in the list Q, Q + P', Q + 2 P', Q + 3 P', ... for a match with the table.

Index-calculus method

The index-calculus method has defeated any attempt to transfer it efficiently to the elliptic curve setting.


That is of great cryptographic significance, because the index-calculus method was the only one with a subexponential complexity. This means that in regular discrete-logarithm-like systems the index-calculus method is the governing factor in determining the size of its parameters (to keep the system computationally secure).
Consequences

Since the index-calculus method is no longer around in the elliptic curve setting, one can afford much smaller parameters to achieve the same level of security. Compare the complexity of Pollard-ρ with that of the index calculus for k-bit long numbers:

TableForm[Table[{k, N[Sqrt[Pi 2^k/2], 3],
  N[Exp[1.923 (Log[2^k] (Log[Log[2^k]])^2)^(1/3)], 3]}, {k, 100, 300, 50}]]

For instance, in Sept. 1999 a group of 200 international researchers led by INRIA broke the 97-bit ECC challenge from Certicom. The computing power used by them was twice that used for the 512-bit RSA challenge broken a few weeks earlier.

There are special attacks on discrete logarithm based elliptic curve cryptosystems. For instance, sometimes one can translate the discrete logarithm problem for elliptic curves to the standard discrete logarithm problem! These attacks make it necessary to avoid special classes of elliptic curves. In particular, one should not use:
- singular curves,
- supersingular curves,
- anomalous curves.


6.6 Elliptic Addition and Scalar Multiplication Functions

ECAdd[p_, a_, b_, c_, P_List, Q_List] := Module[{lam, x3, y3, P3},
  Which[
    P == {O}, Q,
    Q == {O}, P,
    P[[1]] != Q[[1]],
      lam = Mod[(Q[[2]] - P[[2]]) PowerMod[Q[[1]] - P[[1]], p - 2, p], p];
      x3 = Mod[lam^2 - a - P[[1]] - Q[[1]], p];
      y3 = Mod[-(lam (x3 - P[[1]]) + P[[2]]), p];
      {x3, y3},
    (P == Q) && (P[[2]] == 0), {O},
    (P == Q) && (P != {O}),
      lam = Mod[(3 P[[1]]^2 + 2 a P[[1]] + b) PowerMod[2 P[[2]], p - 2, p], p];
      x3 = Mod[lam^2 - a - P[[1]] - Q[[1]], p];
      y3 = Mod[-(lam (x3 - P[[1]]) + P[[2]]), p];
      {x3, y3},
    (P[[1]] == Q[[1]]) && (P[[2]] != Q[[2]]), {O}]]

ECScalarMultiply[p_, a_, b_, c_, 0, P_List] := {O};
ECScalarMultiply[p_, a_, b_, c_, 1, P_List] := Mod[P, p]
ECScalarMultiply[p_, a_, b_, c_, n_?EvenQ, P_List] :=
  Module[{pn2 = ECScalarMultiply[p, a, b, c, n/2, P]}, ECAdd[p, a, b, c, pn2, pn2]];
ECScalarMultiply[p_, a_, b_, c_, n_?OddQ, P_List] :=
  Module[{pn1 = ECScalarMultiply[p, a, b, c, n - 1, P]}, ECAdd[p, a, b, c, pn1, P]];
