Practical Aspects of Modern Cryptography

1
Practical Aspects of Modern Cryptography

• Josh Benaloh
• Brian LaMacchia
• John Manferdelli

2
Public-Key History

• 1976 New Directions in Cryptography
• Whit Diffie and Marty Hellman
• One-Way functions
• Diffie-Hellman Key Exchange
• 1978 RSA paper
• Ron Rivest, Adi Shamir, and Len Adleman
• RSA Encryption System
• RSA Digital Signature Mechanism

3
The Fundamental Equation

• ZYX mod N

4
Diffie-Hellman

• ZYX mod N
• When X is unknown, the problem is known as the
  discrete logarithm and is generally believed to
  be hard to solve.

5
Diffie-Hellman Key Exchange

• Alice
• Randomly select a large integer a and send A
  Ya mod N.
• Compute the key K Ba mod N.

• Bob
• Randomly select a large integer b and send B
  Yb mod N.
• Compute the key K Ab mod N.

Ba Yba Yab Ab
6
One-Way Trap-Door Functions

• ZYX mod N
• Recall that this equation is solvable for Y if
  the factorization of N is known, but is believed
  to be hard otherwise.

7
RSA Public-Key Cryptosystem

• Alice
• Select two large random primes P Q.
• Publish the product NPQ.
• Use knowledge of P Q to compute Y.

• Anyone
• To send message Y to Alice, compute ZYX mod
  N.
• Send Z and X to Alice.

8
Some RSA Details

• When NPQ is the product of distinct primes,
• YX mod N Y
• whenever
• X mod (P-1)(Q-1) 1 and 0 ?Y?N.
• Alice can easily select integers E and D such
  that ED mod (P-1)(Q-1) 1.

9
Remaining RSA Basics

• Why is YX mod PQ Y whenever
• X mod (P-1)(Q-1) 1, 0 ?Y?PQ,
• and P and Q are distinct primes?
• How can Alice can select integers E and D such
  that ED mod (P-1)(Q-1) 1?

10
Fermats Little Theorem

• If p is prime,
• then x p-1 mod p 1 for all 0 lt x lt p.
• Equivalently
• If p is prime,
• then x p mod p x mod p for all integers x.

11
Proof of Fermats Little Theorem

• The Binomial Theorem
• (x y) p x p ( )x p-1y ( )xy p-1
  y p
• where ( )

p 1
p p1
p i
p! i!(p i)!
12
Proof of Fermats Little Theorem

• The Binomial Theorem
• (x y) p x p ( )x p-1y ( )xy p-1
  y p
• where ( )
• If p is prime, then ( ) mod p 0 for 0 lt i lt p.

p 1
p p1
p i
p! i!(p i)!
p i
13
Proof of Fermats Little Theorem

• The Binomial Theorem
• (x y) p x p ( )x p-1y ( )xy p-1
  y p
• where ( )
• If p is prime, then ( ) mod p 0 for 0 lt i lt p.
• Thus, (x y) p mod p (x p y p) mod p.

p 1
p p1
p i
p! i!(p i)!
p i
14
Proof of Fermats Little Theorem
15
Proof of Fermats Little Theorem

• By induction on x

16
Proof of Fermats Little Theorem

• By induction on x
• Basis

17
Proof of Fermats Little Theorem

• By induction on x
• Basis
• If x 0, then x p mod p 0 x mod p.

18
Proof of Fermats Little Theorem

• By induction on x
• Basis
• If x 0, then x p mod p 0 x mod p.
• If x 1, then x p mod p 1 x mod p.

19
Proof of Fermats Little Theorem
20
Proof of Fermats Little Theorem

• Inductive Step

21
Proof of Fermats Little Theorem

• Inductive Step
• Assume that x p mod p x mod p.

22
Proof of Fermats Little Theorem

• Inductive Step
• Assume that x p mod p x mod p.
• Then (x 1) p mod p (x p 1p) mod p

23
Proof of Fermats Little Theorem

• Inductive Step
• Assume that x p mod p x mod p.
• Then (x 1) p mod p (x p 1p) mod p
• (x 1) mod p.

24
Proof of Fermats Little Theorem

• Inductive Step
• Assume that x p mod p x mod p.
• Then (x 1) p mod p (x p 1p) mod p
• (x 1) mod p.
• Hence, x p mod p x mod p for integers x 0.

25
Proof of Fermats Little Theorem

• Inductive Step
• Assume that x p mod p x mod p.
• Then (x 1) p mod p (x p 1p) mod p
• (x 1) mod p.
• Hence, x p mod p x mod p for integers x 0.
• Also true for negative x, since (-x) p (-1) px
  p.

26
Proof of RSA
27
Proof of RSA

• We have shown

28
Proof of RSA

• We have shown
• YP mod P Y whenever 0 Y lt P

29
Proof of RSA

• We have shown
• YP mod P Y whenever 0 Y lt P
• and P is prime!

30
Proof of RSA

• We have shown
• YP mod P Y whenever 0 Y lt P
• and P is prime!
• You will show

31
Proof of RSA

• We have shown
• YP mod P Y whenever 0 Y lt P
• and P is prime!
• You will show
• YK(P-1)(Q-1)1 mod PQ Y when 0 Y lt PQ

32
Proof of RSA

• We have shown
• YP mod P Y whenever 0 Y lt P
• and P is prime!
• You will show
• YK(P-1)(Q-1)1 mod PQ Y when 0 Y lt PQ
• P and Q are distinct primes and K 0.

33
Finding Primes
34
Finding Primes

• Euclids proof of the infinity of primes

35
Finding Primes

• Euclids proof of the infinity of primes
• Suppose that the set of all primes were finite.

36
Finding Primes

• Euclids proof of the infinity of primes
• Suppose that the set of all primes were finite.
• Let N be the product of all of the primes.

37
Finding Primes

• Euclids proof of the infinity of primes
• Suppose that the set of all primes were finite.
• Let N be the product of all of the primes.
• Consider N1.

38
Finding Primes

• Euclids proof of the infinity of primes
• Suppose that the set of all primes were finite.
• Let N be the product of all of the primes.
• Consider N1.
• The prime factors of N1 are not among the finite
  set of primes multiplied to form N.

39
Finding Primes

• Euclids proof of the infinity of primes
• Suppose that the set of all primes were finite.
• Let N be the product of all of the primes.
• Consider N1.
• The prime factors of N1 are not among the finite
  set of primes multiplied to form N.
• This contradicts the assumption that the set of
  all primes is finite.

40
The Prime Number Theorem
41
The Prime Number Theorem

• The number of primes less than N is approximately
  N/(ln N).

42
The Prime Number Theorem

• The number of primes less than N is approximately
  N/(ln N).
• Thus, approximately 1 out of every n randomly
  selected n-bit integers will be prime.

43
Testing Primality

• Recall Fermats Little Theorem
• If p is prime, then a(p-1) mod p 1 for all a in
  the range 0 lt a lt p.

44
The Miller-Rabin Primality Test
45
The Miller-Rabin Primality Test

• To test an integer N for primality, write N1 as
  N1 m2k where m is odd.

46
The Miller-Rabin Primality Test

• To test an integer N for primality, write N1 as
  N1 m2k where m is odd.
• Repeat several (many) times

47
The Miller-Rabin Primality Test

• To test an integer N for primality, write N1 as
  N1 m2k where m is odd.
• Repeat several (many) times
• Select a random a in 1 lt a lt N1

48
The Miller-Rabin Primality Test

• To test an integer N for primality, write N1 as
  N1 m2k where m is odd.
• Repeat several (many) times
• Select a random a in 1 lt a lt N1
• Compute am, a2m, a4m, , a(N1)/2 all mod N.

49
The Miller-Rabin Primality Test

• To test an integer N for primality, write N1 as
  N1 m2k where m is odd.
• Repeat several (many) times
• Select a random a in 1 lt a lt N1
• Compute am, a2m, a4m, , a(N1)/2 all mod N.
• If am 1 or if some a2im -1, then N is
  probably prime continue.

50
The Miller-Rabin Primality Test

• To test an integer N for primality, write N1 as
  N1 m2k where m is odd.
• Repeat several (many) times
• Select a random a in 1 lt a lt N1
• Compute am, a2m, a4m, , a(N1)/2 all mod N.
• If am 1 or if some a2im -1, then N is
  probably prime continue.
• Otherwise, N is composite stop.

51
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

2
Sieving out multiples of
52
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

2
Sieving out multiples of
53
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

2
Sieving out multiples of
54
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

2
Sieving out multiples of
55
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

2
Sieving out multiples of
56
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

2
Sieving out multiples of
57
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

2
Sieving out multiples of
58
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

3
Sieving out multiples of
59
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

3
Sieving out multiples of
60
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

3
Sieving out multiples of
61
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

3
Sieving out multiples of
62
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

3
Sieving out multiples of
63
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

5
Sieving out multiples of
64
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

5
Sieving out multiples of
65
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

5
Sieving out multiples of
66
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

5
Sieving out multiples of
67
Sieving for Primes

• Pick a random starting point N.

N N1 N2 N3 N4 N5 N6 N7 N8 N9 N10 N11

5
Sieving out multiples of
Only a few good candidate primes will survive.
68
Remaining RSA Basics
69
Remaining RSA Basics

• Why is YX mod PQ Y whenever
• X mod (P-1)(Q-1) 1, 0 ?Y?PQ,
• and P and Q are distinct primes?

70
Remaining RSA Basics

• Why is YX mod PQ Y whenever
• X mod (P-1)(Q-1) 1, 0 ?Y?PQ,
• and P and Q are distinct primes?
• How can Alice can select integers E and D such
  that ED mod (P-1)(Q-1) 1?

71
Modular Arithmetic
72
Modular Arithmetic

• To compute (AB) mod N,
• compute (AB) and take the result mod N.

73
Modular Arithmetic

• To compute (AB) mod N,
• compute (AB) and take the result mod N.
• To compute (A-B) mod N,
• compute (A-B) and take the result mod N.

74
Modular Arithmetic

• To compute (AB) mod N,
• compute (AB) and take the result mod N.
• To compute (A-B) mod N,
• compute (A-B) and take the result mod N.
• To compute (AB) mod N,
• compute (AB) and take the result mod N.

75
Modular Arithmetic

• To compute (AB) mod N,
• compute (AB) and take the result mod N.
• To compute (A-B) mod N,
• compute (A-B) and take the result mod N.
• To compute (AB) mod N,
• compute (AB) and take the result mod N.
• To compute (AB) mod N,

76
Modular Division
77
Modular Division

• What is the value of (12) mod 7?
• We need a solution to 2x mod 7 1.

78
Modular Division

• What is the value of (12) mod 7?
• We need a solution to 2x mod 7 1.
• Try x 4.

79
Modular Division

• What is the value of (12) mod 7?
• We need a solution to 2x mod 7 1.
• Try x 4.
• What is the value of (75) mod 11?
• We need a solution to 5x mod 11 7.

80
Modular Division

• What is the value of (12) mod 7?
• We need a solution to 2x mod 7 1.
• Try x 4.
• What is the value of (75) mod 11?
• We need a solution to 5x mod 11 7.
• Try x 8.

81
Modular Division
82
Modular Division

• Is modular division always well-defined?

83
Modular Division

• Is modular division always well-defined?
• (13) mod 6 ?

84
Modular Division

• Is modular division always well-defined?
• (13) mod 6 ?
• 3x mod 6 1 has no solution!

85
Modular Division

• Is modular division always well-defined?
• (13) mod 6 ?
• 3x mod 6 1 has no solution!
• Fact
• (AB) mod N always has a solution when gcd(B,N)
  1.

86
Modular Division

• Fact
• (AB) mod N always has a solution when gcd(B,N)
  1.

87
Modular Division

• Fact
• (AB) mod N always has a solution when gcd(B,N)
  1.
• There is no solution if gcd(A,B) 1 and
  gcd(B,N) ? 1.

88
Greatest Common Divisors
89
Greatest Common Divisors

• gcd(A , B) gcd(B , A B)

90
Greatest Common Divisors

• gcd(A , B) gcd(B , A B)
• since any common factor of A and B is also a
  factor of A B.

91
Greatest Common Divisors

• gcd(A , B) gcd(B , A B)
• since any common factor of A and B is also a
  factor of A B.
• gcd(21,12) gcd(12,9) gcd(9,3)
• gcd(6,3) gcd(3,6) gcd(3,3)
• gcd(3,0) 3

92
Greatest Common Divisors

• gcd(A , B) gcd(B , A B)

93
Greatest Common Divisors

• gcd(A , B) gcd(B , A B)
• gcd(A , B) gcd(B , A kB) for any integer k.

94
Greatest Common Divisors

• gcd(A , B) gcd(B , A B)
• gcd(A , B) gcd(B , A kB) for any integer k.
• gcd(A , B) gcd(B , A mod B)

95
Greatest Common Divisors

• gcd(A , B) gcd(B , A B)
• gcd(A , B) gcd(B , A kB) for any integer k.
• gcd(A , B) gcd(B , A mod B)
• gcd(21,12) gcd(12,9) gcd(9,3)
• gcd(3,0) 3

96
Extended Euclidean Algorithm

• Given integers A and B, find integers X and Y
  such that AX BY gcd(A,B).

97
Extended Euclidean Algorithm

• Given integers A and B, find integers X and Y
  such that AX BY gcd(A,B).
• When gcd(A,B) 1, solve AX mod B 1, by
  finding X and Y such that
• AX BY gcd(A,B) 1.

98
Extended Euclidean Algorithm

• Given integers A and B, find integers X and Y
  such that AX BY gcd(A,B).
• When gcd(A,B) 1, solve AX mod B 1, by
  finding X and Y such that
• AX BY gcd(A,B) 1.
• Compute (CA) mod B as C(1A) mod B.

99
Extended Euclidean Algorithm

• gcd(35, 8)
• gcd(8, 35 mod 8) gcd(8, 3)
• gcd(3, 8 mod 3) gcd(3, 2)
• gcd(2, 3 mod 2) gcd(2, 1)
• gcd(1, 2 mod 1) gcd(1, 0) 1

100
Extended Euclidean Algorithm

• 35 8 ? 4 3

101
Extended Euclidean Algorithm

• 35 8 ? 4 3
• 8 3 ? 2 2

102
Extended Euclidean Algorithm

• 35 8 ? 4 3
• 8 3 ? 2 2
• 3 2 ? 1 1

103
Extended Euclidean Algorithm

• 35 8 ? 4 3
• 8 3 ? 2 2
• 3 2 ? 1 1
• 2 1 ? 2 0

104
Extended Euclidean Algorithm

• 35 8 ? 4 3 3 35 8 ? 4
• 8 3 ? 2 2 2 8 3 ? 2
• 3 2 ? 1 1 1 3 2 ? 1
• 2 1 ? 2 0

105
Extended Euclidean Algorithm

• 3 35 8 ? 4
• 2 8 3 ? 2
• 1 3 2 ? 1

106
Extended Euclidean Algorithm

• 3 35 8 ? 4
• 2 8 3 ? 2
• 1 3 2 ? 1 (35 8 ? 4) (8 3 ? 2) ? 1

107
Extended Euclidean Algorithm

• 3 35 8 ? 4
• 2 8 3 ? 2
• 1 3 2 ? 1 (35 8 ? 4) (8 3 ? 2) ? 1
  (35 8 ? 4) (8 (35 8 ? 4) ? 2) ? 1

108
Extended Euclidean Algorithm

• 3 35 8 ? 4
• 2 8 3 ? 2
• 1 3 2 ? 1 (35 8 ? 4) (8 3 ? 2) ? 1
  (35 8 ? 4) (8 (35 8 ? 4) ? 2) ? 1
  35 ? 3 8 ? 13

109
Extended Euclidean Algorithm

• Given A,B gt 0, set x11, x20, y10, y21, a1A,
  b1B, i1.
• Repeat while bigt0 i i 1
• qi ai-1 div bi-1 bi ai-1-qbi-1 ai
  bi-1
• xi1xi-1-qixi yi1yi-1-qiyi.
• For all i Axi Byi ai. Final ai gcd(A,B).

110
Digital Signatures

• Recall that with RSA,
• D(E(Y)) YED mod N Y
• E(D(Y)) YDE mod N Y
• Only Alice (knowing the factorization of N) knows
  D. Hence only Alice can compute D(Y) YD mod N.
• This D(Y) serves as Alices signature on Y.

111
The Digital Signature Algorithm

• In 1991, the National Institute of Standards and
  Technology published a Digital Signature Standard
  that was intended as an option free of
  intellectual property constraints.

112
The Digital Signature Algorithm

• DSA uses the following parameters
• Prime p anywhere from 512 to 1024 bits
• Prime q 160 bits such that q divides p-1
• Integer h in the range 1 lt h lt p-1
• Integer g h(p-1)/q mod p
• Secret integer x in the range 1 lt x lt q
• Integer y gx mod p

113
The Digital Signature Algorithm

• To sign a 160-bit message M,

114
The Digital Signature Algorithm

• To sign a 160-bit message M,
• Generate a random integer k with 0 lt k lt q,

115
The Digital Signature Algorithm

• To sign a 160-bit message M,
• Generate a random integer k with 0 lt k lt q,
• Compute r (gk mod p) mod q,

116
The Digital Signature Algorithm

• To sign a 160-bit message M,
• Generate a random integer k with 0 lt k lt q,
• Compute r (gk mod p) mod q,
• Compute s ((Mxr)/k) mod q.

117
The Digital Signature Algorithm

• To sign a 160-bit message M,
• Generate a random integer k with 0 lt k lt q,
• Compute r (gk mod p) mod q,
• Compute s ((Mxr)/k) mod q.
• The pair (r,s) is the signature on M.

118
The Digital Signature Algorithm

• A signature (r,s) on M is verified as follows

119
The Digital Signature Algorithm

• A signature (r,s) on M is verified as follows
• Compute w 1/s mod q,

120
The Digital Signature Algorithm

• A signature (r,s) on M is verified as follows
• Compute w 1/s mod q,
• Compute a wM mod q,

121
The Digital Signature Algorithm

• A signature (r,s) on M is verified as follows
• Compute w 1/s mod q,
• Compute a wM mod q,
• Compute b wr mod q,

122
The Digital Signature Algorithm

• A signature (r,s) on M is verified as follows
• Compute w 1/s mod q,
• Compute a wM mod q,
• Compute b wr mod q,
• Compute v (gayb mod p) mod q.

123
The Digital Signature Algorithm

• A signature (r,s) on M is verified as follows
• Compute w 1/s mod q,
• Compute a wM mod q,
• Compute b wr mod q,
• Compute v (gayb mod p) mod q.
• Accept the signature only if v r.

124
Elliptic Curve Cryptosystems
125
Elliptic Curve Cryptosystems

• An elliptic curve

126
Elliptic Curve Cryptosystems

• An elliptic curve
• y2 x3 Ax B

127
Elliptic Curves

• y2 x3 Ax B

128
Elliptic Curves

• y x3 Ax B

129
Elliptic Curves

• y x3 Ax B

y
x
130
Elliptic Curves

• y2 x3 Ax B

y
x
131
Elliptic Curves

• y2 x3 Ax B

y
x
132
Elliptic Curves

• y2 x3 Ax B

y
x
133
Elliptic Curves

• y2 x3 Ax B

y
x
134
Elliptic Curves

• y2 x3 Ax B

y
x
135
Elliptic Curves

• y2 x3 Ax B

y
x
136
Elliptic Curves

• y2 x3 Ax B

y
x
137
Elliptic Curves

• y2 x3 Ax B

y
x
138
Elliptic Curves Intersecting Lines

• y2 x3 Ax B

y
x
y ax b
139
Elliptic Curves Intersecting Lines

• Non-vertical Lines
• y2 x3 Ax B
• y ax b
• (ax b)2 x3 Ax B
• x3 A?x2 B?x C? 0

140
Elliptic Curves Intersecting Lines

• x3 A?x2 B?x C? 0

y
x
141
Elliptic Curves Intersecting Lines

• Non-vertical Lines
• 1 intersection point (typical case)
• 2 intersection points (tangent case)
• 3 intersection points (typical case)

142
Elliptic Curves Intersecting Lines

• Vertical Lines
• y2 x3 Ax B
• x c
• y2 c3 Ac B
• y2 C

143
Elliptic Curves Intersecting Lines

• Vertical Lines
• 0 intersection point (typical case)
• 1 intersection points (tangent case)
• 2 intersection points (typical case)

144
Elliptic Groups

• y2 x3 Ax B

y
x
y ax b
145
Elliptic Groups

• y2 x3 Ax B

y
x
y ax b
146
Elliptic Groups

• y2 x3 Ax B

y
x
y ax b
147
Elliptic Groups

• y2 x3 Ax B

y
x
x c
148
Elliptic Groups

• Add an artificial point I to handle the
  vertical line case.
• This point I also serves as the group identity
  value.

149
Elliptic Groups

• y2 x3 Ax B

y
x
x c
150
Elliptic Groups

• (x1,y1) ? (x2,y2) (x3,y3)
• x3 ((y2y1)/(x2x1))2 x1 x2
• y3 -y1 ((y2y1)/(x2x1)) (x1x3)
• when x1 ? x2

151
Elliptic Groups

• (x1,y1) ? (x2,y2) (x3,y3)
• x3 ((3x12A)/(2y1))2 2x1
• y3 -y1 ((3x12A)/(2y1)) (x1x3)
• when x1 x2 and y1 y2 ? 0

152
Elliptic Groups

• (x1,y1) ? (x2,y2) I
• when x1 x2 but y1? y2 or y1 y2 0
• (x1,y1) ? I (x1,y1) I ? (x1,y1)
• I ? I I

153
The Fundamental Equation

• ZYX mod N

154
The Fundamental Equation

• ZYX in Ep(A,B)

155
The Fundamental Equation

• ZYX in Ep(A,B)
• When Z is unknown, it can be efficiently computed
  by repeated squaring.

156
The Fundamental Equation

• ZYX in Ep(A,B)
• When X is unknown, this version of the discrete
  logarithm is believed to be quite hard to solve.

157
The Fundamental Equation

• ZYX in Ep(A,B)
• When Y is unknown, it can be efficiently computed
  by sophisticated means.

158
Diffie-Hellman Key Exchange

• Alice
• Randomly select a large integer a and send
  A Ya mod N.
• Compute the key K Ba mod N.

• Bob
• Randomly select a large integer b and send
  B Yb mod N.
• Compute the key K Ab mod N.

Ba Yba Yab Ab
159
Diffie-Hellman Key Exchange

• Alice
• Randomly select a large integer a and send
  A Ya in Ep.
• Compute the key K Ba in Ep.

• Bob
• Randomly select a large integer b and send
  B Yb in Ep.
• Compute the key K Ab in Ep.

Ba Yba Yab Ab
160
DSA on Elliptic Curves
161
DSA on Elliptic Curves

• Almost identical to DSA over the integers.

162
DSA on Elliptic Curves

• Almost identical to DSA over the integers.
• Replace operations mod p and q with operations in
  Ep and Eq.

163
Why use Elliptic Curves?
164
Why use Elliptic Curves?

• The best currently known algorithm for EC
  discrete logarithms would take about as long to
  find a 160-bit EC discrete log as the best
  currently known algorithm for integer discrete
  logarithms would take to find a 1024-bit discrete
  log.

165
Why use Elliptic Curves?

• The best currently known algorithm for EC
  discrete logarithms would take about as long to
  find a 160-bit EC discrete log as the best
  currently known algorithm for integer discrete
  logarithms would take to find a 1024-bit discrete
  log.
• 160-bit EC algorithms are somewhat faster and use
  shorter keys than 1024-bit traditional
  algorithms.

166
Why not use Elliptic Curves?
167
Why not use Elliptic Curves?

• EC discrete logarithms have been studied far less
  than integer discrete logarithms.

168
Why not use Elliptic Curves?

• EC discrete logarithms have been studied far less
  than integer discrete logarithms.
• Results have shown that a fundamental break in
  integer discrete logs would also yield a
  fundamental break in EC discrete logs, although
  the reverse may not be true.

169
Why not use Elliptic Curves?

• EC discrete logarithms have been studied far less
  than integer discrete logarithms.
• Results have shown that a fundamental break in
  integer discrete logs would also yield a
  fundamental break in EC discrete logs, although
  the reverse may not be true.
• Basic EC operations are more cumbersome than
  integer operations, so EC is only faster if the
  keys are much smaller.