# Notes, Chapter 14

notes14.txt — Plain Text, 9 KB (9560 bytes)

## File contents

14 El Gamal and elliptic curve cryptography ------------------------------------------- The El Gamal cryptosystem is based on the DDH assumption and is provably secure under the assumption of the latter. Just like DH-key exchange it is parametrised by a group (generating algorithm) G(n) and works as follows: Gen(n) : (G,q,g) = G(n) x <- Z_q h <- g^x pk = (G,q,g,h) sk = (G,q,g,x) output (pk,sk) Enc_(G,q,g,h)(m) : check that m:G y <- Z_q c = (g^y,h^y*m) output c Dec_(G,q,g,g,x)(c1,c2) : m = c2 / c1^x output m Let us first see that this scheme is correct: If c1=g^y and c2=h^y*m where h=g^x then c2 / c1^x= g^(xy) * m / g^(xy) = m We also notice that messages and ciphertexts are actually elements of the group G which must therefore by somehow encoded as binary strings. This can be done in various ways for the various groups, see KL for details. Theorem: If the DDH assumptions holds for a group (generating algorithm) G() then the El Gamal cryptosystem basd on G() is semantically secure. Proof: Let A be an adversary against the El Gamal system and let its success probability be 1/2+eps(n). We must show that eps(n) is negligible. We construct from A an adversary A' as in the DDH assumption. Suppose that A' receives g^x, g^y, u where u is either g^(xy) or g^z for random z and A' is to decide which of the two. We forward (G,q,g,g^x) as "public key" to A and wait for it to output m0,m1:G. We choose a random bit b and build c = (g^y,u*m_b) and let b' be the bit that A returns. If u=g^(xy) then A is played with according to the rules of the El Gamal cryptosystem and therefore b'=b with probability 1/2+eps(n). If u=g^z for random z then u*m0 is also uniformly random (since x|->x*m0 is a bijection G->G) and therefore the probability that b'=b is exactly 1/2. The difference between the two probabilities is precisely eps(n) which under the DDH assumption will be negligible. QED Elliptic curve cryptography - - - - - - - - - - - - - - As already mentioned, elliptic curves furnish a large reservoir of cyclic groups for which taking discrete logarithms, CDH, and DDH are believed to be hard. With existing algorithms, solving these problems on elliptic curve groups is consistently harder than doing so for groups of invertible elements mod p or in a finite field. Recall that an elliptic curve over some field F of characteristic =/= 2,3 is defined by two constants a, b and comprises the points (x,y) that solve the equation y^2 = x^3 + ax + b Here, one assumes that the *discriminant* 4a^3+27b^2 =/= 0 for otherwise the curve might be *singular*, i.e. contain anomalies like isolated points, sharp bends ("cusps") or similar. When viewed over the reals such a curve looks roughly as follows: | | | / - | - / / | \ _ - | | --------------------------------------------------------------------- | | - _ \ | / \ -| - \ | | Depending on the parameters the knob to the left may also become detached and form a closed loop sitting to the right. In either case whenever a line intersects the curve in two points it meets it again in a third point except when the line is parallel to the y-axis in which case we say that the third point of intersection is at infinity, here denoted O. This property also holds for curves over other fields, in particular finite ones which are of interest for cryptography. There is an explicit formula for obtaining the third point of intersection. To wit, if (x1,y1) and (x2,y2) lie on the curve then the line through them is y=m(x-x1)+y1 where m=(y2-y1)/(x2-x1). Plugging this into the curve yields (m(x-x1)+y1)^2 = x^3+ax+b The three solutions of this equation are x=x1, x=x2, x=m^2-x1-x2, so the last one is the desired third point of intersection. Now, it is a remarkable fact that the points on the curve together with O form an abelian group, traditionally written additively, where the sum of points P and Q is obtained by first taking the third curve point on the line through P and Q, call it R=(x_R,y_R), and then reflecting R on the x-axis, i.e. P+Q=(x_R,-y_R). This, however, only applies when P=/=Q and when P and Q do not have the same x-coordinate. In the latter case, one has P+Q=O, the special point at infinity. In the former case, i.e. when P=Q, one must take the tangent through P and intersect it with the curve. One can show using implicit differentiation that the coordinates of that point are given by (((3x_1^2+a)/2y_1)^2 - 2x1, -y1+((3x_1^2+a)/2y_1)^2(x1-x2)) and this formula, just as the one above for the general case, also makes sense for finite fields where there are no "tangents". Yet another special case is when P or Q is O. One simply puts O+P=P+O=P. Curves over fields of characteristic 2 or 3 are also possible, but then both the defining equations and the formulas for addition of points become slightly different (notice e.g. that in the formula above we divide by 2). We refer to the literature, but stress that it is very important not to make mistakes with the implementation of the addition formulas and that doing so has lead to security flaws. We have already seen that addition of points is well-defined and commutative. It is also clear that the inverse of a point (x,y) is given by (x,-y), i.e. reflection on the x-axis. Associativity of addition follows from nontrivial results, e.g. the Weierstrass p-function, but can in principle also be validated "by hand" on the basis of the above formulas. For integer n and point P on a curve we use the notation n.P for P+P+...+P with summands. This is the same as the exponent notation in multiplicatively written groups. Therefore, the "repeated squaring" method can be used here as well: 100.P = 4.P+32.P+64.P = 2.(2.(P + 2.(2.(2.(P+2.P))))) Now, the plan is to use the groups coming from elliptic curves for cryptosystems like Diffie-Hellman key exchange or El Gamal. For this to work, a couple more considerations are in order: we need to encode plaintexts as points on the group and we need to ascertain that the group is cyclic or else move to a cyclic subgroup. In order to find a cyclic group one can rely on one of the publicly available and recommended curves. Many of them have a prime number of points and hence are cyclic with any element other than O being a generator. Alternatively, one can try out random coefficients a and b until one finds a curve with a prime number of points. To do this, one needs to invoke Schoof's algorithm which allows one to determine the number of points on a given elliptic curve. If one would like to use a curve with a nonprime number, say N, of points, then one must factor N and it is then important that N has a large prime factor p, i.e. p>sqrt(N). In this case, by the representation theorem for finite(ly generated) abelian groups there is a subgroup of order p and any of its nonzero elements are generators. Moreover, the remaining subgroups have smaller order. To check whether a point P is in the subgroup of order p it suffices to check that p.P = O. To obtain a point in that subgroup one can pick a random point P and if Q := N/p.P =/= O then p.Q is in the subgroup, hence Q can serve as a generator. For the most, however, one uses one of the already publicised elliptic curves such as those recommended by the NIST "for government use". See http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf There is no need to choose a "fresh" curve for every application and on the other hand, some curves are "weak" and should be avoided. In order to encode plaintexts as points we can proceed as follows. First, we note that it suffices to store the x-coordinate of a point and a single bit telling whether the y-coordinate is above or below the x-axis, i.e., which of the two square roots of x^3 +ax+b are meant. This is known as point compression. As for the x-coordinates one fixes a bijection alpha between bitstrings of length l=log(q) and field elements. Now one puts t=l-k where k is chosen sufficiently large. Then, to encode message x of length t one searches for a string z of length k so that alpha(x||z) has a square root y over GF(q), i.e., is a quadratic residue. At that point, (alpha(x||z),y) can be taken as the desired encoding of x as a curve point. For random padding z the chance for alpha(x||z) to be a quadratic residue is about 1/2, so after a short number of iterations one is almost sure to find an appropriate encoding. We also remark that there exist efficient algorithms for testing whether a given field element is a quadratic residue and if so to compute its square root. With all this machinery in place, the Diffie-Hellman and El Gamal cryptosystems can be used with elliptic curve groups without any change, bearing in mind, of course, that instead of exponentiation g^x, we now use multiplication x.P and instead of multiplication we use addition, so that, e.g. the encryption of message m encoded as a point M becomes (y.P,y.Q+M) where P is the generator and Q=x.P We close by remarking that since the early 2000 elliptic curve cryptography (ECC) has become more and more common. Also the bitcoin cryptocurrency uses it.

Document Actions