MATH 470 Lecture 26

« previous | Tuesday, April 23, 2013 | next »

Encoding Plain-Text on Elliptic Curves

Using ${\displaystyle \mathbb {Z} /n\mathbb {Z} }$ for ${\displaystyle n}$ large makes it easy to encode messages:

if ${\displaystyle n=p\,q}$ for primes ${\displaystyle p<q}$, then

${\displaystyle \mathbb {Z} /n\mathbb {Z} =\{1,\ldots ,p-1,p+1,\ldots ,q-1,q+1,\ldots ,n-1\}}$

You'd like to do the same on an elliptic curve. e.g.

• 1 ⟼ first point on curve
• 2 ⟼ second point on curve
• …

Unfortunately, there is no known poly-time algorithm for enumerating points on an elliptic curve over a finite field.

N. Koblitz came up with the following trick:

To transmit ${\displaystyle m}$, add a few digits and use square roots.

Consider ${\displaystyle y^{2}=x^{3}-9x+1}$ over ${\displaystyle \mathbb {F} _{p}}$, where ${\displaystyle p=1,159,531}$.

According to Hasse's Theorem, The number of points ${\displaystyle n}$ on ${\displaystyle E}$ satisfies ${\displaystyle \left|n-(p+1)\right|\leq 2{\sqrt {p}}}$, so there are about a million points on this curve.

Can we efficiently encode ${\displaystyle \{1,\ldots ,10^{5}-1\}}$ as points on ${\displaystyle E}$? What about ${\displaystyle 19312}$?

Koblitz proposed adding a few (${\displaystyle z}$) digits:

${\displaystyle 19312=19312*10^{z}+d_{1}\cdot 10^{z-1}+d_{2}\cdot 10^{z-2}+\dots +d_{z}}$

In our cose, let's just add a single digit 0:

${\displaystyle 19312\to 193120}$

Now is there a ${\displaystyle y\in \mathbb {F} _{p}}$ with ${\displaystyle y^{2}=(193120)^{3}-9(193120)+1{\pmod {p}}}$? Compute legendre symbol ${\displaystyle \left({\frac {(193120)^{3}-9(193120)+1}{p}}\right)=1}$: YES

Decoding: If you see ${\displaystyle (x,y)\in E}$, then your message is just ${\displaystyle \left\lfloor {\frac {x}{10}}\right\rfloor }$.

Note, when encoding ${\displaystyle \{1,\ldots ,n\}}$ as elements of ${\displaystyle \mathbb {Z} /n\mathbb {Z} }$ for ${\displaystyle n=p\,q}$, there were just 2 failures. When encoding on an elliptic curve, how many failures are there?

Koblitz's Heuristic

Since exactly half the elements of ${\displaystyle \mathbb {F} _{p}^{*}}$ are squares, a random ${\displaystyle x}$ results in ${\displaystyle \left({\frac {x^{3}+b\,x+c}{p}}\right)=1}$ with probability approx. 50%

So then, among all 193120–193129, we'll find at least one with probability ${\displaystyle 1-{\frac {1}{2^{10}}}}$

Thus, the general trick is to encode ${\displaystyle \{1,\ldots ,n\}}$ as points on ${\displaystyle E/\mathbb {F} _{p}}$ with ${\displaystyle p>10^{k}\,n}$, add on ${\displaystyle k}$ extra digits, and pick the last ${\displaystyle k}$ digits randomly

with probability at least ${\displaystyle 1-{\frac {1}{2^{10^{k}}}}}$, you've encoded successfully.

Elliptic Curve Analogues of Cryptosystems

El Gamal

Formerly worked over ${\displaystyle \left(\mathbb {Z} /p\mathbb {Z} \right)^{*}}$ and was based on the discrete log problem.

Elliptic Curve El Gamal is defined over ${\displaystyle E(\mathbb {F} )}$ and is based on the elliptic curve discrete log, an even harder problem than discrete log! Thus the fancier cryptosystem allows for smaller keys

Public	Private
${\displaystyle p}$ = large prime	${\displaystyle a\in \{1,\ldots ,n-1\}}$
${\displaystyle E}$ = (nonsingular) elliptic curve
${\displaystyle n}$ = number of points on ${\displaystyle E}$
${\displaystyle A}$ = point on ${\displaystyle E}$
${\displaystyle B=[a]\,A}$

To sign a message (or message hash) ${\displaystyle m}$, the signer does this:

1. pick a random ${\displaystyle k\in \{1,\ldots ,n-1\}}$ with ${\displaystyle \mathrm {gcd} (k,n)=1}$ and compute ${\displaystyle R=[k]\,A=(x,y)}$.
2. compute ${\displaystyle s=k^{-1}(m-a\,x){\pmod {n}}}$
3. send ${\displaystyle (m,R,s)}$

Note: step 1 performed an elliptic curve operation, namely computing ${\displaystyle x}$ as a point on the elliptic curve. Everyithing else is integer arithmetic

To verify the signature, the verifier does this:

1. downloads ${\displaystyle (p,E,n,A,B)}$ and ${\displaystyle (m,R,s)}$
2. compute ${\displaystyle V_{1}=[x]\,B\oplus [s]\,R}$ and ${\displaystyle V_{2}=[m]\,A}$
3. Accept if ${\displaystyle V_{1}=V_{2}}$.

Bracket arithmetic is mod ${\displaystyle n}$ because ${\displaystyle E}$ has ${\displaystyle n}$ points, and thus forms a group of order ${\displaystyle n}$ Therefore, the points eventually wrap around if multiplied by a number greater than ${\displaystyle n}$: ${\displaystyle [n+17]A=[17]A}$.

Proof. Check that a valid signature indeed implies ${\displaystyle V_{1}=V_{2}}$:

${\displaystyle {\begin{aligned}V_{1}&=[x]\,B\oplus [s]\,R\\&=[x][a]A\oplus [k^{-1}(m-a\,x{\pmod {n}})][k]A\\&=[x\,a{\pmod {n}}]A\oplus [m-a\,x{\pmod {n}}]A\\&=[{\cancel {x\,a}}+m{\cancel {-a\,x}}{\pmod {n}}]A\\&=[m]A=V_{2}\end{aligned}}}$

Now if an evil party knew ${\displaystyle a}$, they could forge signatures. However, finding ${\displaystyle a}$ appears to boild down to solving ${\displaystyle B=[a]A}$ for ${\displaystyle a}$, which is the elliptic curve discrete log problem.

Practice final is up on the course website!