Josh Benaloh & Brian LaMacchia

We know how Alice and Bob can communicate securely if they share a strong (128-bit) private key or if one has a public key known to the other.

Suppose that Alice and Bob share only a short (potentially searchable) password.

Rather than using the weak password directly, Alice and Bob can use it to bootstrap a strong key.

Alice and Bob share weak password P.

Let C be a symmetric cipher agreed upon by Alice and Bob; C_K(X) denotes X encrypted under key K.

Alice begins by generating a public/private key pair (E,D).

Alice sends Bob C_P(E).

Bob generates a random symmetric key K and sends Alice C_P(E(K)).

Alice and Bob can then demonstrate to each other their knowledge of K as an authentication step.

Alice generates a random nonce A and sends C_K(A) to Bob.

Bob generates a random nonce B and sends C_K(A,B) to Alice.

Alice sends C_K(B) to Bob.

In 1991, the National Institute of Standards and Technology published a Digital Signature Standard that was intended as an option free of intellectual property constraints.

DSA uses the following parameters:

Prime p – anywhere from 512 to 1024 bits

Prime q – 160 bits such that q divides p-1

Integer h in the range 1 < h < p-1

Integer g = h^((p-1)/q) mod p

Secret integer x in the range 1 < x < q

Integer y = g^x mod p

To sign a 160-bit message M,

Generate a random integer k with 0 < k < q,

Compute r = (g^k mod p) mod q,

Compute s = ((M + xr)/k) mod q.

The pair (r,s) is the signature on M.

A signature (r,s) on M is verified as follows:

Compute w = 1/s mod q,

Compute a = wM mod q,

Compute b = wr mod q,

Compute v = (g^a y^b mod p) mod q.

Accept the signature only if v = r.

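The signing and verification steps above, carried out in code. This is an added example, not part of the original slides; the parameters p = 23, q = 11, h = 2 are constructed toy values (so g = 4) chosen only so the arithmetic can be followed by hand, and `secrets` supplies the random x and k.

```python
# Added example (not from the original slides): textbook DSA exactly as the
# slides describe it, with toy-sized constructed parameters so the arithmetic
# can be followed by hand.  Real parameters are 1024-bit p and 160-bit q.
import secrets

def dsa_params(p, q, h):
    """Return (p, q, g) with g = h^((p-1)/q) mod p; requires q | p-1."""
    assert (p - 1) % q == 0 and 1 < h < p - 1
    g = pow(h, (p - 1) // q, p)
    assert g != 1, "this h gives a trivial g; choose another h"
    return p, q, g

def dsa_keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 2) + 2            # secret x with 1 < x < q
    return x, pow(g, x, p)                      # (private x, public y)

def dsa_sign(params, x, M):
    """Sign an integer message M with 0 <= M < q (a 160-bit hash in practice)."""
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1        # fresh secret k, 0 < k < q
        r = pow(g, k, p) % q
        s = (M + x * r) * pow(k, -1, q) % q     # (M + x*r)/k mod q
        if r != 0 and s != 0:                   # retry on a zero component
            return r, s

def dsa_verify(params, y, M, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):           # reject out-of-range values
        return False
    w = pow(s, -1, q)                           # w = 1/s mod q
    a, b = w * M % q, w * r % q
    v = (pow(g, a, p) * pow(y, b, p) % p) % q
    return v == r

def demo():
    """Sign M = 7 and check that the signature fails on a changed message."""
    params = dsa_params(p=23, q=11, h=2)        # constructed toy: 11 | 22, g = 4
    x, y = dsa_keygen(params)
    sig = dsa_sign(params, x, 7)
    return dsa_verify(params, y, 7, sig), dsa_verify(params, y, 8, sig)
```

The range checks in `dsa_verify` and the retry on r = 0 or s = 0 are not on the slide but are required by the standard; a signature with s = 0 has no inverse w and must never be emitted.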
An elliptic curve

y^2 = x^3 + Ax + B

Non-vertical Lines

y^2 = x^3 + Ax + B

y = ax + b

(ax + b)^2 = x^3 + Ax + B

x^3 + A′x^2 + B′x + C′ = 0

Non-vertical Lines

1 intersection point (typical case)

2 intersection points (tangent case)

3 intersection points (typical case)

Vertical Lines

y^2 = x^3 + Ax + B

x = c

y^2 = c^3 + Ac + B

y^2 = C

Vertical Lines

0 intersection points (typical case)

1 intersection point (tangent case)

2 intersection points (typical case)

Add an “artificial” point I to handle the vertical line case.

This point I also serves as the group identity value.

(x1,y1) × (x2,y2) = (x3,y3)

x3 = ((y2-y1)/(x2-x1))^2 - x1 - x2

y3 = -y1 + ((y2-y1)/(x2-x1))(x1 - x3)

when x1 ≠ x2

(x1,y1) × (x2,y2) = (x3,y3)

x3 = ((3x1^2 + A)/(2y1))^2 - 2x1

y3 = -y1 + ((3x1^2 + A)/(2y1))(x1 - x3)

when x1 = x2 and y1 = y2 ≠ 0

(x1,y1) × (x2,y2) = I

when x1 = x2 but y1 ≠ y2, or y1 = y2 = 0

(x1,y1) × I = (x1,y1) = I × (x1,y1)

I × I = I

Z = Y^X in E_p(A,B)

When Z is unknown, it can be efficiently computed by repeated squaring.

Z = Y^X in E_p(A,B)

When X is unknown, this version of the discrete logarithm is believed to be quite hard to solve.

Z = Y^X in E_p(A,B)

When Y is unknown, it can be efficiently computed by “sophisticated” means.

Alice

Randomly select a large integer a and send A = Y^a mod N.

Compute the key K = B^a mod N.

Bob

Randomly select a large integer b and send B = Y^b mod N.

Compute the key K = A^b mod N.

Alice

Randomly select a large integer a and send A = Y^a in E_p.

Compute the key K = B^a in E_p.

Bob

Randomly select a large integer b and send B = Y^b in E_p.

Compute the key K = A^b in E_p.

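The group law from the addition slides, the repeated-squaring computation of Z = Y^X, and the EC Diffie-Hellman exchange just described, all in one piece of code. This is an added example, not part of the original slides; the curve y^2 = x^3 + 2x + 2 over F_17 with generator (5,1) is a constructed toy (it has 19 points, so every non-identity point has order 19), and the slides' multiplicative notation Y^a is written here as the scalar multiple `ec_mul(a, Y)`.

```python
# Added example (not from the original slides): the slides' group law over a
# small prime field, double-and-add scalar multiplication (the "repeated
# squaring" used to compute Z = Y^X), and an EC Diffie-Hellman exchange.
# Constructed toy curve: y^2 = x^3 + 2x + 2 over F_17, generator (5, 1), 19 points.
import secrets

P_MOD, A, B = 17, 2, 2
I = None                            # the "artificial" point: group identity

def on_curve(pt):
    if pt is I:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def ec_add(p1, p2):
    """Case analysis from the slides: identity, vertical line, tangent, chord."""
    if p1 is I:
        return p2
    if p2 is I:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 != y2 or y1 == 0):
        return I                                    # vertical line: result is I
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (-y1 + lam * (x1 - x3)) % P_MOD
    return (x3, y3)

def ec_mul(n, pt):
    """n*pt by double-and-add: about log2(n) doublings plus additions."""
    acc = I
    while n > 0:
        if n & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        n >>= 1
    return acc

def ecdh(gen, order):
    """Each side keeps a secret scalar; only the derived points are exchanged."""
    a = secrets.randbelow(order - 1) + 1
    b = secrets.randbelow(order - 1) + 1
    a_pub, b_pub = ec_mul(a, gen), ec_mul(b, gen)
    return ec_mul(a, b_pub), ec_mul(b, a_pub)   # K on Alice's and Bob's side
```

Recovering a from `a_pub` and the generator is the EC discrete logarithm problem of the preceding slides; on this toy curve it is a 19-entry table lookup, which is why real curves use a prime of around 256 bits.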
Almost identical to DSA over the integers.

Replace operations mod p and q with operations in E_p and E_q.

The best currently known algorithm for EC discrete logarithms would take about as long to find a 160-bit EC discrete log as the best currently known algorithm for integer discrete logarithms would take to find a 1024-bit discrete log.

160-bit EC algorithms are somewhat faster and use shorter keys than 1024-bit “traditional” algorithms.

EC discrete logarithms have been studied far less than integer discrete logarithms.

Results have shown that a fundamental break in integer discrete logs would also yield a fundamental break in EC discrete logs, although the reverse may not be true.

Basic EC operations are more cumbersome than integer operations, so EC is only faster if the keys are much smaller.

Euclid’s proof of the infinity of primes

Suppose that the set of all primes were finite.

Let N be the product of all of the primes.

Consider N+1.

The prime factors of N+1 are not among the finite set of primes multiplied to form N.

This contradicts the assumption that the set of all primes is finite.

The number of primes less than N is approximately N/(ln N).

Thus, approximately 1 out of every n randomly selected n-bit integers will be prime.

Recall Fermat’s Little Theorem

If p is prime, then a^(p-1) mod p = 1 for all a in the range 0 < a < p.

To test an integer N for primality, write N-1 as N-1 = m·2^k where m is odd.

Repeat several (many) times:

Select a random a in 1 < a < N-1.

Compute a^m, a^(2m), a^(4m), …, a^((N-1)/2), all mod N.

If a^m = ±1 or if some a^(2^i m) = -1, then N is probably prime – continue.

Otherwise, N is composite – stop.

Pick a random starting point N.
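The primality test above and the random-starting-point search, as an added example that is not part of the original slides. The slides stop after "pick a random starting point N"; the code assumes the usual continuation of stepping upward through odd numbers until the test passes, and uses `secrets` for the random bases and starting point.

```python
# Added example (not from the original slides): the Miller-Rabin style test
# exactly as the slides state it, plus the "pick a random starting point N"
# search for an n-bit prime (the slides' cut-off last step, assumed here to
# continue by stepping upward until the test passes).
import secrets

def split_power_of_two(n_minus_1):
    """Write N-1 = m * 2^k with m odd; returns (m, k)."""
    m, k = n_minus_1, 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return m, k

def is_probable_prime(N, rounds=40):
    """Each round wrongly passes a composite with probability at most 1/4."""
    if N < 4:
        return N in (2, 3)
    if N % 2 == 0:
        return False
    m, k = split_power_of_two(N - 1)
    for _ in range(rounds):                      # repeat several (many) times
        a = secrets.randbelow(N - 3) + 2         # random a with 1 < a < N-1
        x = pow(a, m, N)                         # a^m mod N
        if x in (1, N - 1):                      # a^m = +-1: continue
            continue
        for _ in range(k - 1):                   # a^(2m), a^(4m), ..., a^((N-1)/2)
            x = x * x % N
            if x == N - 1:                       # some a^(2^i m) = -1: continue
                break
        else:
            return False                         # otherwise composite: stop
    return True

def random_prime(bits):
    """Random odd n-bit start, then step by 2 until a probable prime appears."""
    N = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
    while not is_probable_prime(N):
        N += 2
    return N
```

The Carmichael number 561 passes Fermat's test for every base coprime to it, but the squaring chain above detects it; that is the whole point of checking the intermediate powers rather than only a^(N-1).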