Lecture 3

Discrete Methods in Mathematical Informatics
Lecture 3: Other Applications of Elliptic Curve
23rd October 2012
Vorapong Suppakitpaisarn
http://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/
Eng. 6 Room 363
Download:
Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptx
Lecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptx
Lecture 3: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture3.pptx
Course Information
(Many Changes from Last Week)
Schedule
10/9 – Elliptic Curve I (2 Exercises): What is Elliptic Curve?
10/16 – Elliptic Curve II (1 Exercise): Elliptic Curve Cryptography [1]
10/23 – Elliptic Curve III (3 Exercises): Elliptic Curve Cryptography [2]
10/30 – Cancelled
11/7 – Online Algorithm I (Prof. Han)
11/14 – Online Algorithm II (Prof. Han)
11/21 – Elliptic Curve IV (2 Exercises): ECC Implementation I
11/28 – Elliptic Curve V (2 Exercises): ECC Implementation II
12/4 – Cancelled
From 12/11 – To be Announced
Grading
For my part, you need to submit 2 reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III. Submission deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V. Submission deadline: TBD
- Submit your report at the Department of Mathematical Informatics' office [1st floor of this building]
From Last Lecture…
• Scalar Multiplication on Elliptic Curve
$S = P + P + \dots + P = rP$ ($r$ times), where $r \ge 1$ is a positive integer and $S, P$ are members of the curve
• Double-and-add method
Let $r = 14 = (01110)_2$. Compute $rP = 14P$.
Bits of r:      0    1    1    1    0
After doubling:           2P   6P   14P
After addition: O    P    3P   7P   14P
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
• Discrete Logarithm Problem
Given $P$, $aP$, compute $a$.
Overview
- Discrete Logarithm Problem
- Massey-Omura Encryption
- ElGamal Public Key Encryption
- Digital Signature Algorithm (DSA)
- ElGamal Digital Signatures
Pollard's ρ Method [Pollard 1978]
Random function $f : E(F_p) \to E(F_p)$
$f(P_0) = P_1,\ f(P_1) = P_2,\ \ldots,\ f(P_k) = P_{k+1}$
(Semi-)Objective
Find $k \ne l$ such that $P_k = P_l$
(Semi-)Algorithm
1. $S \leftarrow R \leftarrow P_0$ for random $P_0 \in E(F_p)$
2. Do $S \leftarrow P_k = f(P_{k-1}) = f(S)$, $R \leftarrow P_{2k} = f(f(P_{2(k-1)})) = f(f(R))$ for $m$ times until $S = R$ or $P_{m+1} = P_{2(m+1)}$
$m = O(\sqrt{N})$
[Figure: ρ-shaped sequence $P_0, P_1, P_2, \ldots$ that enters a cycle, with $P_{57} = P_3$ and $P_{58} = P_4$; the tail and the cycle have length $O(\sqrt{N})$.]
(Real-)Objective
Given $P$, $Q = aP$, find $a$
Function f for Discrete Log [Teske, 1998]
$E(F_p) = S_1 \cup S_2 \cup \dots \cup S_n$, $n \approx 20$, $S_i \cap S_j = \emptyset$
Let $1 \le i \le n$, and let $a_i, b_i$ be random positive integers.
Define $M_i = a_i P + b_i Q$
$f(R) = R + M_i$ if $R \in S_i$
(Real-)Algorithm
1. $S \leftarrow R \leftarrow P_0 = a_0 P + b_0 Q$ for random $a_0, b_0$
$c_S \leftarrow c_R \leftarrow a_0$, $d_S \leftarrow d_R \leftarrow b_0$
2. Do $S \leftarrow f(S)$, $R \leftarrow f(f(R))$
If $S \in S_i$: $c_S \leftarrow c_S + a_i$, $d_S \leftarrow d_S + b_i$
If $R \in S_i$, $f(R) \in S_j$: $c_R \leftarrow c_R + a_i + a_j$, $d_R \leftarrow d_R + b_i + b_j$
[Invariant: $S = c_S P + d_S Q$, $R = c_R P + d_R Q$]
until $S = R$
3. $c_S P + d_S Q = c_R P + d_R Q$
$(d_S - d_R) Q = (c_R - c_S) P$
$Q = \dfrac{c_R - c_S}{d_S - d_R} P$
Examples
$E(F_{1093}) = \{(x, y) \in F_{1093} \mid y^2 = x^3 + x + 1\}$, $N = 1067$
$P = (0,1)$, $Q = aP = (413,959)$, find $a$
$(x, y) \in S_i$ if $x \equiv i \bmod 3$
$M_0 = 4P + 3Q$, $M_1 = 9P + 17Q$, $M_2 = 19P + 6Q$
$P_0 = 3P + 5Q = (326,69)$
Since $326 \equiv 2 \bmod 3$, $P_0 \in S_2$.
$P_1 = f(P_0) = P_0 + M_2 = (3P + 5Q) + (19P + 6Q) = 22P + 11Q = (727,589)$
$P_0 = (326,69)$, $P_1 = (727,589)$, $P_2 = (560,365)$, $P_3 = (1070,260)$,
$P_4 = (473,903)$, $P_5 = (1006,951)$, $P_6 = (523,938)$, ...,
$P_{57} = (895,337)$, $P_{58} = (1006,951)$, $P_{59} = (523,938)$, ...
$P_5 = 88P + 46Q$, $P_{58} = 685P + 620Q$
$597P = -574Q$
$597aP = -574aQ = (-1067b + 1)Q = Q$
$-574a = -1067b + 1 \Rightarrow (a, b) = (764, 411)$
$Q = 597aP = 597 \times 764\,P = (1067 \times 427 + 499)P = 499P$
Exercise
Exercise 4
(a) Let $P, Q$ be points on an elliptic curve in which the order is 33, and $2P = 6Q$.
Prove that $Q \in \{4P + 11kP \mid k \in Z\} = \{4P, 15P, 26P\}$.
(b) Let $P, Q$ be points on an elliptic curve in which the order is $N$, $aP = bQ$, $\gcd(b, N) = d$, and let $b^{-1}$ be an integer such that $b\,b^{-1} \equiv 1 \bmod \frac{N}{d}$.
Prove that $Q \in \{cP + \frac{N}{d} kP \mid k \in Z\}$ where $c = a b^{-1}$.
The Pohlig-Hellman Method [Pohlig, Hellman 1978]
$E(F_{599}) = \{(x, y) \in F_{599} \mid y^2 = x^3 + 1\}$, $N = 600$
$P = (60,19)$, $Q = aP = (277,239)$, find $a$
$600Q = \infty$
If $a \equiv 0 \bmod 3$: $200Q = 200aP = 200(3b)P = 600bP = \infty$
If $a \equiv 1 \bmod 3$: $200Q = 200aP = 200(3b + 1)P = 600bP + 200P = 200P$
If $a \equiv 2 \bmod 3$: $200Q = 200aP = 200(3b + 2)P = 600bP + 400P = 400P$
If $a \equiv 0 \bmod 5$: $120Q = 120aP = 120(5b)P = 600bP = \infty$
If $a \equiv 1 \bmod 5$: $120Q = 120aP = 120(5b + 1)P = 600bP + 120P = 120P$
If $a \equiv 2 \bmod 5$: $120Q = 240P$
If $a \equiv 3 \bmod 5$: $120Q = 360P$
If $a \equiv 4 \bmod 5$: $120Q = 480P$
Let $a \equiv i \bmod 5$, $Q_1 = Q - iP$. Then $Q_1 = cP$, where $c \equiv 0 \bmod 5$.
If $c \equiv 0 \bmod 5^2$: $24Q_1 = 24cP = 24(25b)P = 600bP = \infty$
If $c \equiv 5 \bmod 25$: $24Q_1 = 24cP = 24(25b + 5)P = 600bP + 120P = 120P$
If $c \equiv 10 \bmod 5^2$: $24Q_1 = 240P$
If $c \equiv 15 \bmod 5^2$: $24Q_1 = 360P$
If $c \equiv 20 \bmod 5^2$: $24Q_1 = 480P$
Suppose that $a \equiv i \bmod 5$ and $c = a - i \equiv j \bmod 25$. Then $a \equiv i + j \bmod 25$.
The Pohlig-Hellman Method [cont.]
$\|E(F_p)\| = N = p_1^{e_1} p_2^{e_2} \cdots p_n^{e_n}$
(Real-)Problem
Given $P$, $Q = aP$, compute $a$.
(Semi-)Problem
Given $P$, $Q = aP$, compute $a \bmod p_k^{e_k}$.
Properties
1. If $a \equiv i \bmod p_k$,
$\frac{N}{p_k} Q = \frac{N}{p_k} aP = \frac{N}{p_k}(b p_k + i)P = bNP + i\frac{N}{p_k}P = i\frac{N}{p_k}P$
2. If $e_k > 1$ and $c = a - i \equiv p_k j \bmod p_k^2$,
$Q_1 = Q - iP = aP - iP = cP$
$\frac{N}{p_k^2} Q_1 = \frac{N}{p_k^2} cP = \frac{N}{p_k^2}(b p_k^2 + p_k j)P = bNP + j\frac{N}{p_k}P = j\frac{N}{p_k}P$
Algorithm
1. For all $0 \le i < p_k$, compute $i\frac{N}{p_k}P$.
2. Compute $\frac{N}{p_k}Q$.
3. Find $i$ such that $\frac{N}{p_k}Q = i\frac{N}{p_k}P$; then $a \equiv i \bmod p_k$.
4. If $e_k = 1$, terminate. Otherwise let $Q_1 = Q - iP$ and compute $\frac{N}{p_k^2}Q_1$.
5. Find $j$ such that $\frac{N}{p_k^2}Q_1 = j\frac{N}{p_k}P$; then $a \equiv p_k j + i \bmod p_k^2$.
6. If $e_k = 2$, terminate. Otherwise let $Q_2 = Q - j p_k P - iP$ and compute $\frac{N}{p_k^3}Q_2$.
7. Find $l$ such that $\frac{N}{p_k^3}Q_2 = l\frac{N}{p_k}P$; then $a \equiv p_k^2 l + p_k j + i \bmod p_k^3$.
...
The Pohlig-Hellman Method [cont.]
$E(F_{599}) = \{(x, y) \in F_{599} \mid y^2 = x^3 + 1\}$, $N = 600$
$P = (60,19)$, $Q = aP = (277,239)$, find $a$
Given $P$, $Q = aP$, compute $a \bmod p_k^{e_k}$, following the algorithm above with $p_k = 5$.
$600 = 2^3 \times 3 \times 5^2$
$120P = (84,179)$, $240P = (491,134)$, $360P = (491,465)$, $480P = (84,420)$
$\frac{600}{5}Q = 120Q = (84,179)$
$i = 1$, $a \equiv 1 \bmod 5$
$Q_1 = Q - 1P = (130,129)$
$\frac{600}{5^2}Q_1 = 24Q_1 = (491,465)$
$j = 3$, $a \equiv (3 \times 5 + 1) \bmod 5^2$
$a \equiv 16 \bmod 25$
Chinese Remainder Theorem
Suppose that $a \equiv x_i \bmod m_i$ for $1 \le i \le n$ such that $\gcd(m_i, m_j) = 1$ for all $i \ne j$.
Let $M = \prod_{i=1}^{n} m_i$.
Find $x$ such that $a \equiv x \bmod M$:
$x = a_1 b_1 \frac{M}{m_1} + a_2 b_2 \frac{M}{m_2} + \dots + a_n b_n \frac{M}{m_n}$, where $b_i \frac{M}{m_i} \equiv 1 \bmod m_i$
Example
$E(F_{599}) = \{(x, y) \in F_{599} \mid y^2 = x^3 + 1\}$, $N = 600$
$P = (60,19)$, $Q = aP = (277,239)$, find $a$
(Semi-)Problem: Given $P$, $Q = aP$, compute $a \bmod p_k^{e_k}$
$600 = 2^3 \times 3 \times 5^2$
$a \equiv 2 \bmod 2^3$, $a \equiv 2 \bmod 3$, $a \equiv 16 \bmod 5^2$
$a_1 = 2$, $a_2 = 2$, $a_3 = 16$
$m_1 = 2^3 = 8$, $m_2 = 3$, $m_3 = 5^2$
$\frac{M}{m_1} = \frac{600}{8} = 75$, $\frac{M}{m_2} = \frac{600}{3} = 200$, $\frac{M}{m_3} = \frac{600}{25} = 24$
$3 \times 75 = 225 \equiv 1 \bmod 8$, $b_1 = 3$
$2 \times 200 = 400 \equiv 1 \bmod 3$, $b_2 = 2$
$24 \times 24 = 576 \equiv 1 \bmod 25$, $b_3 = 24$
$x = 2 \times 3 \times 75 + 2 \times 2 \times 200 + 16 \times 24 \times 24$
$x = 10466 \equiv 266 \bmod 600$
$Q = (277,239) = 266P = 266(60,19)$
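The Pohlig-Hellman and Chinese Remainder steps above, run end to end on the lecture's curve over F_599, as an added Python example that is not part of the original slides. Function names are illustrative, and the code generalizes the slides' p_k = 5 walk-through to every prime power of N = 600.

```python
# Added example (not from the slides): Pohlig-Hellman + CRT on the lecture's toy curve.
p, A = 599, 0                        # E: y^2 = x^3 + 1 over F_599 (B is not used by the formulas)
N, P, Q = 600, (60, 19), (277, 239)  # order of P, base point, target Q = aP

def add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, Pt):
    """Double-and-add scalar multiplication k*Pt for k >= 0."""
    R = None
    while k:
        if k & 1:
            R = add(R, Pt)
        Pt, k = add(Pt, Pt), k >> 1
    return R

def neg(Pt):
    return None if Pt is None else (Pt[0], -Pt[1] % p)

def dlog_mod_prime_power(q, e):
    """Slides' algorithm for p_k = q, e_k = e: return a mod q^e."""
    base = mul(N // q, P)                          # (N/q)P has order q
    table = {mul(i, base): i for i in range(q)}    # step 1: i(N/q)P for 0 <= i < q
    a, Qk = 0, Q
    for k in range(e):
        digit = table[mul(N // q ** (k + 1), Qk)]  # steps 2-3, 5, 7: match against the table
        a += digit * q ** k
        Qk = add(Qk, neg(mul(digit * q ** k, P)))  # Q_{k+1} = Q_k - digit * q^k * P
    return a

def crt(residues, moduli):
    """x = sum a_i * b_i * (M/m_i) mod M, with b_i = (M/m_i)^-1 mod m_i."""
    M = 1
    for m in moduli:
        M *= m
    return sum(r * pow(M // m, -1, m) * (M // m) for r, m in zip(residues, moduli)) % M

def pohlig_hellman(factors):
    residues = [dlog_mod_prime_power(q, e) for q, e in factors]
    return residues, crt(residues, [q ** e for q, e in factors])

if __name__ == "__main__":
    print(pohlig_hellman([(2, 3), (3, 1), (5, 2)]))  # 600 = 2^3 * 3 * 5^2
```

The work is bounded by the largest prime factor of N rather than by N itself, which is why curves used in practice are chosen so that the group order has a large prime factor.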
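Three-Pass Protocol [Shamir 1980]
Private Key Cryptography
[Diagram: a key agreement protocol gives both parties the key $k$. The sender runs the encryption algorithm on $M$ and sends $E_k(M)$; the receiver runs the decryption algorithm, $D_k(E_k(M)) = M$.]
Three-pass Protocol
[Diagram: the sender holds $k_1$, the receiver holds $k_2$.
Pass 1: the sender encrypts $M$ and sends $E_{k_1}(M)$.
Pass 2: the receiver super-encrypts and sends $E_{k_2}(E_{k_1}(M))$.
Pass 3: the sender decrypts, $E_{k_2}(M) = D_{k_1}(E_{k_2}(E_{k_1}(M)))$, and sends $E_{k_2}(M)$.
The receiver super-decrypts $E_{k_2}(M)$ to obtain $M$.]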
Massey-Omura Protocol [Massey, Omura 1986]
The three-pass protocol instantiated on an elliptic curve:
$M \in E(F_p)$ with order $N$
$k_1$ co-prime to $N$ (sender), $k_2$ co-prime to $N$ (receiver)
Encryption algorithm (sender): $E_{k_1}(M) = k_1 M$
Super-encryption algorithm (receiver): $E_{k_2}(E_{k_1}(M)) = k_2(k_1 M) = k_1 k_2 M$
Decryption algorithm (sender): $k_2 M = (k_1)^{-1}(k_1 k_2 M)$, where $(k_1)^{-1}$ is an integer such that $(k_1)^{-1} k_1 \equiv 1 \bmod N$
Super-decryption algorithm (receiver): $M = (k_2)^{-1}(k_2 M)$
Massey-Omura Protocol [cont.]
Example
$E(F_5) = \{\infty\} \cup \{(x, y) \mid y^2 = x^3 + x + 1\}$
$M = (0,1) \in E(F_p)$ with order 9
$k_1 = 2$, $k_2 = 7$
Encryption algorithm: $k_1 M = 2(0,1) = (4,2)$
Super-encryption algorithm: $k_2(k_1 M) = 7(4,2) = (3,1)$
Decryption algorithm: $2 \times 5 = 10 \equiv 1 \bmod 9$, so $(k_1)^{-1} = 5$
$k_2 M = (k_1)^{-1}(k_1 k_2 M) = 5(3,1) = (4,3)$
Super-decryption algorithm: $M = (k_2)^{-1}(k_2 M) = 4(4,3) = (0,1)$
Massey-Omura Protocol [cont.]
Integer → Point on Elliptic Curve
Let $m$ be a positive integer we want to encode.
Find $(x, y) \in E(F_p)$ such that $100m \le x \le 100m + 99$.
Find $x$ such that $y^2 = s = x^3 + Ax + B$ has a solution:
$s = y^2$ for some $y \in F_p$ if $s^{(p-1)/2} = 1$.
If $p \equiv 3 \bmod 4$, $y = s^{(p+1)/4}$.
Exercise 4
Point on Elliptic Curve → Integer
$(x, y) \in E(F_p)$ is decoded to $m = \left\lfloor \frac{x}{100} \right\rfloor$
Exercise 5
Let $p \equiv 3 \bmod 4$ be a prime number, $x, y \in F_p$. Suppose $x = y^2$.
(a) Show that $x^{(p-1)/2} = 1$ and that $x^{(p+1)/2} = x$
(b) Show that $\left(y^{(p+1)/2}\right)^2 = y^2$
(c) Show that $y^{(p+1)/2} = \pm y$
(d) Show that $\left(x^{(p+1)/4}\right)^2 = x$
(e) Show that $-1 \ne v^2$ for all $v \in Z_p = F_p$
(f) Suppose $z \ne v^2$ for all $v \in Z_p = F_p$, show that $-z = v^2$ for some $v \in Z_p$
(g) Suppose $z \ne v^2$ for all $v \in Z_p = F_p$, show that $\left(z^{(p+1)/4}\right)^2 = -z$
Public Key Cryptography
Private Key Cryptography
[Diagram: a key agreement protocol gives both parties the key $k$. The sender sends $E_k(M)$; the receiver computes $D_k(E_k(M)) = M$.]
Public Key Cryptography
[Diagram: the receiver holds $(k_{pub}, k_{pri})$ and the sender obtains $k_{pub}$ through the Certificate Authority (CA). The sender sends $E_{k_{pub}}(M)$; the receiver computes $D_{k_{pri}}(E_{k_{pub}}(M)) = M$.]
ElGamal Public Key Encryption [ElGamal 1985]
ElGamal PKE
Receiver: $P \in E(F_p)$, $s \in Z$
$k_{pub} = (P, B = sP)$, $k_{pri} = s$
The Certificate Authority (CA) distributes $k_{pub} = (P, B = sP)$.
Sender: $M \in E(F_p)$, $k \in Z$
Encryption algorithm: $E_{k_{pub}}(M) = (M_1, M_2)$, with $M_1 = kP$, $M_2 = M + kB$
Decryption algorithm: $D_{k_{pri}}(E_{k_{pub}}(M)) = M_2 - sM_1 = M$
$M_2 - sM_1 = (M + kB) - s(kP) = M + k(sP) - skP = M$
ElGamal Public Key Encryption (cont.)
Example
$E(F_5) = \{\infty\} \cup \{(x, y) \mid y^2 = x^3 + x + 1\}$
$(0,1) \in E(F_p)$ has order 9
$P = (0,1)$
$s = 5$, $k_{pri} = s = 5$
$B = sP = 5(0,1) = (3,1)$
$k_{pub} = (P = (0,1), B = (3,1))$
$M = (4,2) \in E(F_p)$
$k = 7$
Encryption algorithm: $E_{k_{pub}}(M) = (M_1, M_2)$
$M_1 = kP = 7(0,1) = (4,3)$
$M_2 = M + kB = (4,2) + 7(3,1) = (0,1)$
Decryption algorithm: $D_{k_{pri}}(E_{k_{pub}}(M)) = M_2 - sM_1 = (0,1) - 5(4,3) = (4,2)$
ElGamal Public Key Encryption (cont.)
ElGamal PKE
$P \in E(F_p)$, $s \in Z$, $k_{pub} = (P, B = sP)$, $k_{pri} = s$
$M \in E(F_p)$, $k \in Z$
$E_{k_{pub}}(M) = (M_1, M_2)$, with $M_1 = kP$, $M_2 = M + kB$
$D_{k_{pri}}(E_{k_{pub}}(M)) = M_2 - sM_1 = M$
ElGamal Problem Ver. I
Given $P$, $sP$ (public key), $kP$, $M + skP$,
find $M$.
Discrete Log.
Given $P$, $sP$,
find $s$.
Digital Signature [Diffie, Hellman 1976]
Public Key Cryptography
[Diagram: the receiver holds $(k_{pub}, k_{pri})$ and the sender obtains $k_{pub}$ through the Certificate Authority (CA). The sender sends $E_{k_{pub}}(M)$; the receiver computes $D_{k_{pri}}(E_{k_{pub}}(M)) = M$.]
Digital Signature
[Diagram: the signer holds $(k_{pri}, k_{pub})$ and the verifier obtains $k_{pub}$ through the Certificate Authority (CA). The signing algorithm outputs $M, S_{k_{pri}}(M)$; the verification algorithm checks $V_{k_{pub}}(S_{k_{pri}}(M)) = M$?]
Objective
Alice is sending a message M to Bob.
1. Bob can be sure that the sender is really Alice.
2. Alice cannot deny that she sent the message.
3. No one can send a message claiming that they are Alice.
ElGamal Digital Signatures [ElGamal 1985]
Digital Signature
[Diagram: the signer holds $(k_{pri}, k_{pub})$ and the verifier obtains $k_{pub}$ through the Certificate Authority (CA). The signer sends $M, S_{k_{pri}}(M)$; the verifier asks whether $S_{k_{pri}}(M)$ is signed by Alice.]
ElGamal's Protocol
$a \in Z$, $A \in E(F_p)$
$k_{pri} = a$, $k_{pub} = (A, B = aA)$
Message $m \in Z$
Random integer $k$
Signing algorithm:
$R = kA = (x_R, y_R)$
$s = \dfrac{m - a x_R}{k}$
$M, S_{k_{pri}}(M) = (R, s)$
Verification algorithm:
$x_R B + sR = mA$ ?
$x_R B + sR = x_R aA + s(kA) = x_R aA + (m - a x_R)A = mA$
ElGamal Digital Signatures (cont.)
Example
$E(F_5) = \{\infty\} \cup \{(x, y) \mid y^2 = x^3 + x + 1\}$
$(0,1) \in E(F_p)$ has order 9
$a = 2$, $A = (0,1) \in E(F_p)$
$k_{pri} = a = 2$
$k_{pub} = (A, B)$ where $B = aA = 2(0,1) = (4,2)$
Message $m = 5$
Random integer $k = 7$
Signing algorithm:
$R = kA = 7A = (4,3)$
$x_R = 4$
$s = \dfrac{m - a x_R}{k} = \dfrac{5 - 2 \times 4}{7} = (-3)(4) = 6$
$m = 5$, $S_{k_{pri}}(M) = (R, s) = ((4,3), 6)$
Verification algorithm:
$x_R B + sR = 4(4,2) + 6(4,3) = (0,4) + (2,4) = (3,1)$
ElGamal Digital Signatures (cont.)
ElGamal's Protocol
$a \in Z$, $A \in E(F_p)$, $k_{pri} = a$, $k_{pub} = (A, B = aA)$
Message $m \in Z$, random integer $k$
Signing algorithm: $R = kA = (x_R, y_R)$, $s = \dfrac{m - a x_R}{k}$, signature $(R, s)$
Verification algorithm: $x_R B + sR = mA$ ?
ElGamal Problem Ver. II
Given $A$, $B = aA$ (public key), $m$ (message), $m'$ (forged message),
find $R, s$ such that $x_R B + sR = m'A$.
Discrete Log.
Given $P$, $sP$,
find $s$.
Exercise
ElGamal Problem Ver. II
Given $A$, $B = aA$ (public key), $m$ (message), $m'$ (forged message),
find $R, s$ such that $x_R B + sR = m'A$.
Discrete Log.
Given $P$, $sP$,
find $s$.
Exercise 6
Suppose that the ElGamal signature scheme is used to produce the valid signed message $(m, R = (x_R, y_R), s)$. Let $h$ be an integer with $\gcd(h, N) = 1$. Assume $\gcd(x_R, N) = 1$. Let
$R' = (x_{R'}, y_{R'}) = hR$, $s' = s\,x_{R'}\,(x_R)^{-1} h^{-1} \pmod N$,
$m' = m\,x_{R'}\,(x_R)^{-1} \pmod N$.
Show that $(m', R', s')$ is a valid signed message.
Digital Signature Algorithm [Vanstone 1992]
ElGamal's Protocol
$a \in Z$, $A \in E(F_p)$
$k_{pri} = a$, $k_{pub} = (A, B = aA)$
Message $m \in Z$, random integer $k$
Signing algorithm: $R = kA = (x_R, y_R)$, $s = \dfrac{m - a x_R}{k}$, $M, S_{k_{pri}}(M) = (R, s)$
Verification algorithm: $x_R B + sR = mA$ ?
3 scalar multiplications
DSA's Protocol
$a \in Z$, $A \in E(F_p)$
$k_{pri} = a$, $k_{pub} = (A, B = aA)$
Message $m \in Z$, random integer $k$
Signing algorithm: $R = kA = (x_R, y_R)$, $s = \dfrac{m - a x_R}{k}$, $M, S_{k_{pri}}(M) = (R, s)$
Verification algorithm: instead of $x_R B + sR = mA$ ?, check $\dfrac{x_R}{m} B + \dfrac{s}{m} R = A$ ?
2 scalar multiplications
Pairing-Based Cryptography
Diffie-Hellman Exchange Protocol
Alice:
1. Generate $P \in E(F)$
2. Generate positive integer $a$; send $P$ and $aP$
3. Receive $Q = bP$
4. Compute $aQ = abP$
Bob:
1. Receive $P$
2. Receive $S = aP$
3. Generate positive integer $b$; send $bP$
4. Compute $bS = abP$
Three-Parties DHE
[Diagram: Alice holds $a, aP$; Bob holds $b, bP$; Charlie holds $c, cP$. Labels on the arrows between the parties: $aP$, $bP$, $cP$, $abP$, $bcP$, $acP$.]
Bilinear Function
Function $e : E(F_p) \times E(F_p) \to G$
$e(aP, bQ) = e(P, Q)^{ab}$
$e(P, Q) \ne 1$ if $P, Q \ne \infty$
Three-Parties DHE with Pairing
[Diagram: Alice holds $a, aP$; Bob holds $b, bP$; Charlie holds $c, cP$. The parties exchange $aP$, $bP$, $cP$.]
Alice computes $e(bP, cP) = e(P, P)^{bc}$ and then $(e(P, P)^{bc})^a = e(P, P)^{abc}$.
Thank you for your attention
Please feel free to ask questions or comment.