Discrete Methods in Mathematical Informatics
Lecture 3: Other Applications of Elliptic Curve
23h October 2012
Vorapong Suppakitpaisarn
http://www-imai.is.s.u-tokyo.ac.jp/~mr_t_dtone/
vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363
Download:
Lecture 1: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture1.pptx
Lecture 2: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture2.pptx
Lecture 3: http://misojiro.t.u-tokyo.ac.jp/~vorapong/Lecture3.pptx
Course Information
(Many Changes from Last Week)
Schedule
10/9 – Elliptic Curve I (2 Exercises)
(What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercises)
(Elliptic Curve Cryptography[1])
10/23 – Elliptic Curve III (3 Exercises)
(Elliptic Curve Cryptography[2])
10/30 – Cancelled
11/7 – Online Algorithm I (Prof. Han)
11/14 – Online Algorithm II (Prof. Han)
11/21 – Elliptic Curve IV (2 Exercises)
(ECC Implementation I)
11/28 – Elliptic Curve V (2 Exercises)
(ECC Implementation II)
12/4 – Cancelled
From 12/11 – To be Announced
Grading
For my part, you need to submit 2
Reports.
- Report 1: Select 3 from 6
exercises in Elliptic Curve I – III
Submission Deadline: 14 November
- Report 2: Select 2 from 4
exercises in Elliptic Curve IV – V
Submission Deadline: TBD
- Submit your report at Department of
Mathematical Informatics’ office
[1st floor of this building]
From Last Lecture…
•
Scalar Multiplication on Elliptic Curve
S = P + P + … + P = rP
r times
•
•
when r1 is positive integer, S,P is a member of the curve
Double-and-add method
Let r = 14 = (01110)2
Compute rP = 14P
r = 14 = (0
1
P
O
1
1
0)2
3P 7P 14P
2P 6P 14P
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
Discrete Logarithm Problem
Given P, aP - Compute a.
Overview
Discrete
Logarithm
Problem
MasseyOmura
Encryption
ElGamal
Public Key
Encryption
Digital Signature
Algorithm (DSA)
ElGamal
Digital
Signatures
Overview
Discrete
Logarithm
Problem
MasseyOmura
Encryption
ElGamal
Public Key
Encryption
Digital Signature
Algorithm (DSA)
ElGamal
Digital
Signatures
Pollard’s  Method [Pollard 1978]
Random Function f
:E(Fp )  E(Fp )
f (P0 )  P1 , f (P1 )  P2 ,...,f (Pk )  Pk 1
(Semi-)Objective
Find k  l such that Pk  Pl
(Real-)Algorithm
(Semi-) Algorithm
1.S  R  P0 for random P0  E(Fp )
2. Do S  Pk  f (Pk 1 )  f (S )
R  P2 k  f (f (P2( k 1) ))  f (f (R ))
for m times until S  R or Pm 1  P2 ( m 1)
(Real-)Objective
mO( N )
Given P,Q  aP, Find a
Function f for Discrete Log
E(Fp )  S1  S2 ... Sn , n  20, Si  Sj  
Let 1  i  n, ai ,bi be a random positive integer,
Define Mi  ai P  biQ
f (R )  R  Mi if R  Si
P58  P4
P57  P3
P2 P56
O( N )
P1
[Teske, 1998]
P0
1.S  R  P0  a0P  b0Q for random a0,b0
cS  cR  a0 , dS  dR  b0
2.Do S  f (S ), R  f(f(R))
If S  Si , cS  cS  ai , d S  d S  bi
If R  Si ,f(R) S j ,
cR  cR  ai  a j ,d R  d R  bi  b j
[S  cSP  dSQ, R  cRP  dRQ]
until S  R
3.cS P  dSQ  cR P  d RQ
(dS  d R )Q  (cR  cS )P
Q
c R  cS
P
dS  d R
Examples
Algorithm
E (F1093 )  {( x, y )  F1093 | y 2  x 3  x  1}, N  1067
P  (0,1),Q  aP  (413,959), Find a
E(Fp )  S1  S2 ... Sn , n  20, Si  Sj  
Let 1  i  n, ai ,bi be a random positive integer,
Define Mi  ai P  biQ
f (R )  R  Mi if R  Si
1.S  R  P0  a0P  b0Q
cS  cR  a0 , dS  dR  b0
2.Do S  f (S ), R  f(f(R))
If S  Si , cS  cS  ai , d S  d S  bi
Example
( x, y )  Si if x  i mod3
M0  4P  3Q, M1  9P  17Q,
M2  19P  6Q
P0  3P  5Q  (326,69)
Since 326  2 mod3, P0  S2 .
P1  f (P0 )  P0  M2  (3P  5Q)  (19P  6Q)
 (22P  21Q)  (727,589)
If R  Si ,f(R) S j ,
P0  (326,69), P1  (727,589), P2  (560,365), P3  (1070,260),
cR  cR  ai  a j ,d R  d R  bi  b j
P57  (895,337), P58  (1006,951), P59  (523,938),...,
[S  cSP  dSQ, R  cRP  dRQ]
until S  R
3.cS P  dSQ  cR P  d RQ
(dS  d R )Q  (cR  cS )P
Q
c R  cS
P
dS  d R
P4  (473,903), P5  (1006,951), P6  (523,938),...,
P5  88P  46Q, P58  685P  620Q
597 P  574Q
597aP  574aQ  (1067b  1)Q  Q
 574 a  1067 b  1 (a, b)  (764,411)
Q  597aP  597 764P
 (1067 427 499)P  499P
Exercise
Exercise 4
(a) Let P,Q be a point on elliptic curvein w hichthe order is 33,
and 2P  6Q,
Prove that Q  { 4P  11kP|k  Z}  { 4P,15P,26P}.
(b) Let P,Q be a point on elliptic curvein w hichthe order is N,
aP  b Q, gcd( b, N )  d ,
N
1
1
b is an integer such that b b  1 mod
d
N
Prove that Q  {cP  kP|k  Z  } w herec  ab 1
d
The Pohlig-Hellman Method
E (F599 )  {( x, y )  F599 | y 2  x 3  1}, N  600
P  (60,19),Q  aP  (277,239), Find a
600Q  
If a  0 mod3,
200Q  200aP  200(3b)P  600bP  
If a  1 mod3,
200Q  200aP  200(3b  1)P  600bP  200P  200P
If a  2 mod3,
200Q  200aP  200(3b  2)P  600bP  400P  400P
[Pohlig, Hellman 1978]
Let a  i mod5, Q1  Q  iP
Q1  cP, w herec  0 mod5
c  0 mod52 ,
24Q1  24cP  24( 25b)P  600bP  .
c  5 mod25,
24Q1  24cP  24(25b  5)P
 600bP  120P  120P
c  10mod52,24Q1  240P
If a  0 mod5,
120Q  120aP  120(5b)P  600bP  
If a  1 mod5,
120Q  120aP  120(5b  1)P  600bP  120P  120P
If a  2 mod5,120Q  240P
If a  3 mod5,120Q  360P
If a  4 mod5,120Q  480P
c  15mod52,24Q1  360P
c  20mod52,24Q1  480P
Suppose that a  i mod5,
and c  a  i  j mod25.
a  i  j mod25.
The Pohlig-Hellman Method [cont.]
|| E (Fp ) || N  p1 1 p2 2 ...pn
e
e
en
(Real-)Problem
Given P, Q = aP - Compute a.
(Semi-)Problem
Given P, Q = aP - Compute a mod pkek
Properties
1. If a  i mod pi ,
N

 pk

N
Q  

 pk

N
aP  

 pk

(b pk  i )P

N
N
 b NP  i  P  i  P
 pk 
 pk2 
2. If ek  1, c  a-i  pk j mod pk ,
Q1  Q  iP  aP  iP  cP
 N 
 N 
 N 
 2 Q1   2 cP   2 (b pk 2  pk j )P
p 
p 
p 
 k 
 k 
 k 
N
N
 b NP  j  P  j  P
 pk 
 pk 
Algorithm
N
1. For all 0  i  pk , compute i  P
 pk 
N
2. Compute  Q
 pk   N 
N
3. Find i such that  Q  i  P,
 pk 
 pk 
a  i mod pk
4. If ek  1 Terminate.
 N 
Let Q1  Q-iP, compute  2 Q1
p
 N  k  N
5. Find j such that  2 Q1  j 
 pk
 pk 

P,

a  pk j  i mod pk
6. If ek  2 Terminate.
2
 N 
Let Q2  Q  jpk P-iP, compute  3 Q1
 pk 
 N 
N
7. Find l such that  3 Q1  l  P,
 pk 
 pk 
a  pk l  pk j  i modpk
2
3
...
The Pohlig-Hellman Method [cont.]
E (F599 )  {( x, y )  F599 | y 2  x 3  1}, N  600
P  (60,19),Q  aP  (277,239), Find a
Given P, Q = aP - Compute a mod pkek
Algorithm
N
1. For all 0  i  pk , compute i 
 pk
N
2. Compute  Q
 pk 
N
3. Find i such that 
 pk
a  i mod pk

N
Q  i 

 pk

P


P,

4. If ek  1 Terminate.
 N 
5. Find j such that  2 Q1 
 pk 
2
N
j 
 pk
120P  (84,179),240P  (491,134),
360P  (491,465),480P  (84,420)
600
Q  120Q  (84,179 )
5
i  1, a  1 mod5
Q1  Q  1P  (130,129),
 N 
Let Q1  Q-iP, compute  2 Q1
 pk 
a  pk j  i mod pk
600  23  3  52
600
Q1  24Q1  (491,465)
2
5

P,

j  3, a  (3  5  1) mod52
a  16 mod25
Chinese Remainder Theorem
E (F599 )  {( x, y )  F599 | y 2  x 3  1}, N  600
Chinese Remainder
Theorem
P  (60,19),Q  aP  (277,239), Find a
Suppose that a  xi modmi for 1  i  n
(Semi-)Problem
Given P, Q = aP - Compute a mod pkek
such that gcd(mi , m j )  1 for all i  j
n
Let M   mi
600  23  3  52
i 1
a  2 mod2 , a  2 mod3, a  16mod5
3
2
a1  2, a2  2, a3  16
m1  23  8, m2  3, m3  52
M 600
M 600
M 600

 75,

 200,

 24.
m1
8
m2
3
m2
25
3  75  225  1mod8, b1  3
2  200  400  1mod3, b2  2
24 24  576  1mod25, b3  24
Find x such that a  x mod M
M
M
M 
  ...  an bn 

x  a1b1    a2b2 
 m1 
 m2 
 mn 
M 
  1 mod mi
where bi 
 mi 
x  2  3  75  2  2  200 16 24 24
x  10466 266mod600
Q  (277,239)  266P  266(60,19)
Overview
Discrete
Logarithm
Problem
MasseyOmura
Encryption
ElGamal
Public Key
Encryption
Digital Signature
Algorithm (DSA)
ElGamal
Digital
Signatures
Three-Pass Protocol [Shamir 1980]
Private Key Cryptography
Key
Agreement
Protocol
k
M
Encryption
Algorithm
Ek(M)
k
Three-pass Protocol
k1
M
Encryption
Algorithm
Ek1(M)
Dk(Ek(M)) = M
Decryption
Algorithm
Ek(M)
k2
Ek2 ( Ek1 (M))
Decryption
Algorithm
Ek2 (M)=Dk1 ( Ek2 ( Ek1 (M)))
Ek1 (M)
Super-Encryption
Algorithm
Ek2 ( Ek1 (M))
Ek2(M)
Super-Decryption
Algorithm
M
Massey-Omura Protocol
[Massey, Omura 1986]
Massey-Omura Protocol
Three-pass Protocol
k1
M
k2
Encryption
Algorithm
Ek1(M)
Ek2 ( Ek1 (M))
Decryption
Algorithm
M  E (Fp ) w ithorder N
k2  co - prime of N
k1 - co - prime of N
Encryption
Algorithm
Ek1 (M)
Super-Encryption
Algorithm
Ek2 ( Ek1 (M))
Ek2(M)
Super-Decryption
Algorithm
M
k1M
k1k 2M
Decryption
Algorithm
k2M  (k1 )1 (k1k2M )
(k1 ) 1 is an integer such at
(k1 ) 1 k1  1 mod N
k1M
Super-Encryption
Algorithm
k 2 (k1M )
Ek2(M)
Super-Decryption
Algorithm
M  (k2 )1 (k2M )
Massey-Omura Protocol [cont.]
Massey-Omura Protocol
M  E (Fp ) w ithorder N
Example
k2  co - prime of N
k1 - co - prime of N
k1k 2M
Decryption
Algorithm
1
k2M  (k1 ) (k1k2M )
(k1 ) 1 is an integer such that
(k1 ) 1 k1  1 mod N
M  (0,1)  E(Fp ) w ithorder 9
k1  2
Encryption
Algorithm
k1M
E(F5 )  {}  {(x,y)|y2  x 3  x 1}
k1M
Super-Encryption
Algorithm
Encryption
Algorithm
k1M  2(0,1)  (4,2)
(3,1)
Super-Decryption
Algorithm
M  (k2 )1 (k2M )
(4,2)
Super-Encryption
Algorithm
k 2 (k1M )
Ek2(M)
k2  7
k 2 (k1M )  7(4,2)  (3,1)
Decryption
Algorithm
2  5  10  1mod9
2  (5) 1  (k1 ) 1
k 2M  (k1 ) 1 (k1k 2M )
 5(3,1)  (4,3)
(4,3)
Super-Decryption
Algorithm
M  (k 2 ) 1 (k 2M )
 4(4,3)  (0,1)
Massey-Omura Protocol [cont.]
Integer  Point on Elliptic Curve
Let m be a positive integer w ew antto encode
Find (x,y) E(Fp ) suchthat 100m  x  100m  99
Find x such that y 2  s  x 3  Ax  B
s  y 2 for some y Fp if s(p-1)/ 2  1
If p  3 mod4, y  s(p1)/ 4 .
Exercise 4
Point on Elliptic Curve
 Integer
( x , y )  E (Fp ) is decoded
 x 
to m  

100
Exercise 5
Let p  3 mod4 be a prime number, x,y  Fp . Suppose x  y 2
(a) Show that x (p 1 )/ 2  1 (a) Show that x(p1)/ 2  x

(b) Show that y ( p 1) / 2

2
 y2
(c) Show that y ( p 1) / 2   y

(d) Show that x ( p 1) / 4

2
x
(e) Show that -1  v 2 for all v  Z p  Fp
(f)Suppose z  v 2 for all v  Z p  Fp , show that -z  v 2 for some v  Z p

(g) Suppose z  v 2 for all v  Z p  Fp , Show that z ( p 1) / 4

2
 z
Overview
Discrete
Logarithm
Problem
MasseyOmura
Encryption
ElGamal
Public Key
Encryption
Digital Signature
Algorithm (DSA)
ElGamal
Digital
Signatures
Public Key Cryptography
Private Key Cryptography
Key
Agreement
Protocol
k
M
Encryption
Algorithm
Ek(M)
Public Key Cryptography
Certificate
Authority
(CA)
kpub
k
Dk(Ek(M)) = M
Decryption
Algorithm
Ek(M)
M
Encryption
Algorithm
Ekpub(M)
kpub,kpri
Dkpri (Ekpub (M)) = M
Decryption
Algorithm
Ekpub (M)
ElGamal Public Key Encryption
Public Key Cryptography
ElGamal PKE
Certificate
Authority
(CA)
Certificate
Authority
(CA)
kpub
M
Encryption
Algorithm
Ekpub(M)
[ElGamal 1985]
P  E (Fp ), s  Z 
kpub,kpri
Dkpri (Ekpub (M)) = M
Decryption
Algorithm
Ekpub (M)
k pub  P , B  sP, k pri  s
kpub  P, B  sP
M  E (Fp )
k  Z
Encryption
Algorithm
Dkpri (Ekpub (M)) = M2-sM1
=M
Ekpub(M) = M1,M2
M1 = kP, M2 = M + kB
Decryption
Algorithm
Ekpub(M) = M1,M2
M2  sM1  (M  kB)  s(kP)  M  k (SP )  skP  M
ElGamal Public Key Encryption
Example
(cont.)
ElGamal PKE
E(F5 )  {}  {(x,y)|y2  x 3  x 1}
Certificate
Authority
(CA)
M  (0,1)  E(Fp ) w ithorder 9
P  E (Fp ), s  Z 
s  5, k pri  s  5
k pub  (P  (0,1),B  (3,1))
k pub  (P , B )
k pub  P , B  sP, k pri  s
kpub  P, B  sP
P  (0,1)
B  sP  5(0,1)  (3,1)
M  E (Fp )
k  Z
Encryption
Algorithm
Dkpri (Ekpub (M)) = M2-sM1
=M
Ekpub(M) = M1,M2
M1 = kP, M2 = M + kB
Decryption
Algorithm
Ekpub(M) = M1,M2
M  (4,2)  E(Fp )
k 7
Encryption
Algorithm
Dkpri (Ekpub (M)) = M2-sM1
= (0,1)-5(4,3)
= (4,2)
Ekpub(M) = M1,M2
M1 = kP = 7(0,1) = (4,3),
M2 = M + kB = (4,2)+7(3,1)
= (0,1)
Decryption
Algorithm
Ekpub(M) = M1,M2
M1 = (4,3)
M2 = (0,1)
ElGamal Public Key Encryption
(cont.)
ElGamal PKE
ElGamal Problem Ver. I
Certificate
Authority
(CA)
P  E (Fp ), s  Z 
k pub  P , B  sP, k pri  s
kpub  P, B  sP
M  E (Fp )
k  Z
Encryption
Algorithm
Given P, sP (public key),
kP, M + skP,
Find M.
Dkpri (Ekpub (M)) = M2-sM1
=M
Ekpub(M) = M1,M2
M1 = kP, M2 = M + kB
Decryption
Algorithm
Ekpub(M) = M1,M2
Discrete Log.
Given P, sP
Find s.
Overview
Discrete
Logarithm
Problem
MasseyOmura
Encryption
ElGamal
Public Key
Encryption
Digital Signature
Algorithm (DSA)
ElGamal
Digital
Signatures
Digital Signature [Diffie, Hellman 1976]
Public Key Cryptography
Digital Signature
Certificate
Authority
(CA)
kpub
M
Encryption
Algorithm
Ekpub(M)
Certificate
Authority
(CA)
kpub,kpri
Dkpri (Ekpub (M)) = M
kpri,kpub
kpub
Decryption
Algorithm
Ekpub (M)
Objective
Alice is sending a message M to Bob
1. Bob can be sure that the sender is
really Alice.
2. Alice cannot refuse that she did
send the message
3. No one can send a message
claiming that they are Alice.
Vkpub (Skpri(M)) = M ?
M
Signing
Algorithm
Verification
Algorithm
M,Skpri(M)
M, Skpri(M)
ElGamal Digital Signatures
ElGamal’s Protocol
Digital Signature
Certificate
Authority
(CA)
Certificate
Authority
(CA)
kpri,kpub
M
Signing
Algorithm
M,Skpri(M)
[ElGamal 1985]
a  Z  , A  E (Fp )
k pri  a, k pub  ( A, B  aA)
kpub
Skpri(M)) is
signed by Alice???
Verification
Algorithm
M, Skpri(M)
kpub=(A,B)
Message m Z 
Random Integer k
Signing
Algorithm
R  kA  ( xR , y R )
m  axR
s
k
M, Skpri (M)  (R, s)
xRB  sR  mA ???
Verification
Algorithm
M, Skpri (M)  (R, s)
xRB  sR  xRaA  s(kA)  xRaA  (m  axR ) A  mA
ElGamal Digital Signatures (cont.)
Example
ElGamal’s Protocol
Certificate
Authority
(CA)
E(F5 )  {}  {(x,y)|y2  x 3  x 1}
M  (0,1)  E(Fp ) w ithorder 9

a  Z , A  E (Fp )
k pri  a, k pub  ( A, B  aA)
kpub=(A,B)
R  kA  ( xR , y R )
m  axR
s
k
m, Skpri (M)  (R, s)
k pri  a  2
k pub  ( A, B) w here
Message m Z 
Random Integer k
Signing
Algorithm
a  2, A  (0,1)  E (Fp ),
B  aA  2(0,1))  (4,2)
Message m  5
xRB  sR  mA ???
Verification
Algorithm
m, Skpri (M)  (R, s)
Random Integer k  7
Signing
Algorithm
R  kA  7 A  (4,3)
xR  4
m  axR 5  2  4

k
7
 (-3)(4) 6
s
xR B  sR  4(4,2)  6(4,3)
 ( 0,4 )  ( 2,4 )
 ( 3,1)
Verification
Algorithm
m  5,
Sk pri (M )  (R , s )
 ((4,3),6)
ElGamal Digital Signatures (cont.)
ElGamal’s Protocol
ElGamal Problem Ver. II
Certificate
Authority
(CA)
a  Z  , A  E (Fp )
k pri  a, k pub  ( A, B  aA)
kpub=(A,B)
xRB  sR  m' A
Message m Z 
Random Integer k
Signing
Algorithm
R  kA  ( xR , y R )
m  axR
s
k
m, Skpri (M)  (R, s)
Given A, B=aA (public
key), m (message),
m‘ (forged message)
Find R,s such that
xRB  sR  mA ???
Verification
Algorithm
m, Skpri (M)  (R, s)
Discrete Log.
Given P, sP
Find s.
Exercise
ElGamal Problem Ver. II
Given A, B=aA (public
key), m (message),
m‘ (forged message)
Find R,s such that
Discrete Log.
Given P, sP
Find s.
xRB  sR  m' A
Exercise 6
Suppose that the ElGamal signature scheme is used to produce
the valid signed message (m,R  (xR ,y R ),s). Let h be an integer w ith
gcd( h, N )  1. Assume gcd( xR , N )  1. Let
R '  ( xR ' , y R ' )  hR , s '  sxR ' ( xR ) 1 h 1 (modN ),
m'  mxR ' ( xR ) 1 (modN ).
Show that (m',R',s')is a valid signed message.
Overview
Discrete
Logarithm
Problem
MasseyOmura
Encryption
ElGamal
Public Key
Encryption
Digital Signature
Algorithm (DSA)
ElGamal
Digital
Signatures
Digital Signature Algorithm
[Vanstone 1992]
ElGamal’s Protocol
DSA’s Protocol
Certificate
Authority
(CA)
Certificate
Authority
(CA)
a  Z  , A  E (Fp )
a  Z  , A  E (Fp )
k pri  a, k pub  ( A, B  aA)

Message m Z
Random Integer k
Signing
Algorithm
R  kP  ( xR , y R )
m  axR
s
k
M, Skpri (M)  (R, s)
kpub=(A,B)
k pri  a, k pub  ( A, B  aA)

3 Scalar
Multiplications
Message m Z
Random Integer k
xRB  sR  mA ???
Signing
Algorithm
Verification
Algorithm
M, Skpri (M)  (R, s)
R  kP  ( xR , y R )
m  axR
s
k
M, Skpri (M)  (R, s)
kpub=(A,B)
2 Scalar
Multiplications
xR B  sR  mA ???
xR
s
B  R  A ???
m
m
Verification
Algorithm
M, Skpri (M)  (R, s)
Exercise
Exercise 4
(a) Let P,Q be a point on elliptic curvein w hichthe order is 33, and 2P  6Q,
Prove that Q  { 4P  11kP|k  Z}  { 4P,15P,26P}.
(b) Let P,Q be a point on elliptic curvein w hichthe order is N, aP  b Q, gcd( b, N )  d ,
N
b 1 is an integer such that b b1  1 mod
d
N
Prove that Q  {cP  kP|k  Z  } w herec  ab 1
d
Exercise 4
Exercise 5
Let p  3 mod4 be a prime number, x,y  Fp . Suppose x  y 2
(a) Show that x (p 1 )/ 2  1 (a) Show that x(p1)/ 2  x

(b) Show that y ( p 1) / 2

2
 y2
(c) Show that y ( p 1) / 2   y

(d) Show that x ( p 1) / 4

2
x
(e) Show that -1  v 2 for all v  Z p  Fp
(f)Suppose z  v 2 for all v  Z p  Fp , show that -z  v 2 for some v  Z p

(g) Suppose z  v 2 for all v  Z p  Fp , Show that z ( p 1) / 4

2
 z
Exercise
Exercise 6
Suppose that the ElGamal signature scheme is used to produce
the valid signed message (m,R  (xR ,y R ),s). Let h be an integer w ith
gcd( h, N )  1. Assume gcd( xR , N )  1. Let
R '  ( xR ' , y R ' )  hR , s '  sxR ' ( xR ) 1 h 1 (modN ),
m'  mxR ' ( xR ) 1 (modN ).
Show that (m',R',s')is a valid signed message.
Pairing-Based Cryptography
Three-Parties DHE
Diffie-Hellman Exchange Protocol
A
L
I
C
E
P
1. Generate P 2 E(F)
2. Generate positive
integers a
aP
1. Receive P
2. Receive S = aP
ALICE
B
O
B
a, aP
bP
3. Receive Q = bP
3. Generate positive
integer b
4. Compute aQ = abP
4. Compute bS = abP
bP
B
O b, bP
B
cP
aP
c, cP
Bilinear Function
C
H
A
L
I
E
Function e:E(Fp )  E(Fp )  G
e(aP, bQ)  e(P, Q)ab e(P , Q)  1 If P, Q  
ALICE
Three-Parties DHE with Pairing
a, aP, bP
ALICE
bcP
a, aP
aP
B
O b, bP
B
bP
cP
bP
cP
aP
c, cP
C
H
A
L
I
E
e(bP , cP )  e(P , P ) bc
(e(P , P ) bc ) a  e(P , P ) abc
B
O b, bP
B
cP
abP
acP c, cP
aP
C
H
A
L
I
E
Thank you for your attention
Please feel free to ask questions or comment.