Singhalese(锡兰人)

EllipticCurveCryptography,Jen-ChangLiu,2004AdaptedfromlectureslidesbyLawrieBrownRef:RSASecuritysOfficialGuidetoCryptography,NoSinghalese(錫蘭人),whethermanorwoman,wouldventureoutofthehousewithoutabunchofkeysinhishand,forwithoutsuchatalisman(護身符)hewouldfearthatsomedevilmighttakeadvantageofhisweakstatetoslipintohisbody.TheGoldenBough,SirJamesGeorgeFrazer,Review:Requirementforpublic-keycryptography,DiffieandHellman(1976)proposedthepublic-keycryptographyrequirement:ItiscomputationallyeasytogenerateapairofkeysItiscomputationallyeasyforasendertoencryptItiscomputationallyeasyforareceivertodecryptItiscomputationallyinfeasibleforanopponent,knowingthepublickey,todeterminetheprivatekeyItiscomputationallyinfeasibleforanopponent,knowingthepublickeyandciphtertext,torecovertheplaintext,=Trap-doorone-wayfunction,Review:one-wayfunction,1968,R.M.Needhamssystem1974,G.Purdypublishedthefirstdetaildescriptionofsuchaone-wayfunctionOne-wayfunctionComputationinZp,Hardtoinvert!,Review:(trapdoor)one-wayfunction,domain,target,Y=f(X):easy,X=f-1(Y):infeasible(polynomialtime),X=fK-1(Y):easyiftrap-doorKisknown(polynomialtime),Thenotionof“computationallyinfeasible”playsanimportantrole,Aencipheringtransformationthatcansafelyberegardedasa(trapdoor)one-wayfunctionin1994mightloseitsone-wayortrapdoorstatusin2004or2994,EllipticCurveCryptography(ECC),majorityofpublic-keycrypto(RSA,D-H)useeitherintegerorpolynomialarithmeticwithverylargenumbers/polynomialsimposesasignificantloadinstoringandprocessingkeysandmessagesanalternativeistouseellipticcurvesofferssamesecuritywithsmallerbitsizes,Outline,Operationsoverabeliangroups(可換群)EllipticcurvesovertherealsEllipticcurvesoverthefinitefieldsEllipticcurvecryptography,Abeliangroup,GroupwithcommunicativepropertyGroup:G,G:asetofelements:binaryoperationtoeachpair(a,b)inGobeys:closure:abisalsoinGassociativelaw:(ab)c=a(bc)hasidentitye:ea=ae=ahasinversesa-1:aa-1=e,Publicciphersbasedonanabeliangroup,Exponentiation(repeatedmultiplication)inRSAandD-HalgorithmIdea:Findanotherabeliangroup!Inellipticcurves,wedefinetheadditionoperationsuchthatitformsanabeliangroup,ktimes,hardproblem,ktimes,Classesofellipticcurvesusedbycryptographers,Outline,Operationsoverabeliangroups(可換群)EllipticcurvesovertherealsEllipticcurvesoverthefinitefieldsEllipticcurvecryptography,RealEllipticCurves,Ellipticcurvesarenotellipsesanellipticcurveisdefinedbyanequationintwovariablesx2P=(20,20);3P=(14,14);4P=(19,20),5P=(13,10);6P=(7,3);7P=(8,7);8P=(12,17);9P=(4,5),ECCDiffie-Hellman,candokeyexchangeanalogoustoD-HusersselectasuitablecurveEp(a,b)selectbasepointG=(x1,y1)withlargeorderns.t.nG=OA&BselectprivatekeysnAn,nBncomputepublickeys:PA=nAG,PB=nBGcomputesharedkey:K=nAPB,K=nBPAsamesinceK=nAnBG,ProtocolofD-Hkeyexchange,Public:Ep(a,b)G=(x1,y1),nAnPA=nAG,nBnPB=nBG,K=nAPB,K=nBPA,PA,PB,Thesamesecretkey:K=nAnBG,ECCEncryption/Decryption,severalalternatives,willconsidersimplestmustfirstencodeanymessageMasapointontheellipticcurvePmProblem:notalldiscretepointsaredefinedinECselectsuitablecurve&pointGasinD-HeachuserchoosesprivatekeynAnandcomputespublickeyPA=nAGtoencryptPm:Cm=kG,Pm+kPA,krandomdecryptCmcompute:Pm+kPAnA(kG)=Pm+k(nAG)nA(kG)=Pm,Example:ECCencryption,ECcurveonZp:y2=x3-x+188G=(0,376),p=751AspublickeyPA=(201,5)PlaintextPm=(562,201)Bselectsrandomk=386,thenencrytPmas,Cm=kG,Pm+kPA=386(0,